Certified Ethical Hacker CEH (CEH) — Questions 451525

1010 questions total · 14pages · All types, answers revealed

Page 6

Page 7 of 14

Page 8
451
MCQeasy

What is the primary purpose of using the Nmap flag -sS?

A.Enable OS detection
B.Perform a SYN stealth scan
C.Perform a UDP scan
D.Perform a TCP connect scan
AnswerB

-sS is the SYN stealth scan flag.

Why this answer

The Nmap flag -sS instructs Nmap to perform a SYN stealth scan, also known as a half-open scan. It sends a TCP SYN packet to the target port and, if a SYN/ACK is received, the port is considered open; the scanner then sends a RST to tear down the connection before the full TCP three-way handshake completes. This technique avoids completing the connection, making it less likely to be logged by the target's application layer and is the default scan type when run with root privileges.

Exam trap

EC-Council often tests the distinction between -sS (SYN stealth) and -sT (TCP connect), where candidates mistakenly think -sS completes the handshake or that -sT is the stealthier option.

How to eliminate wrong answers

Option A is wrong because OS detection is enabled with the -O flag, not -sS. Option C is wrong because a UDP scan is performed using the -sU flag, which sends UDP packets to target ports. Option D is wrong because a TCP connect scan uses the -sT flag, which completes the full three-way handshake using the operating system's connect() system call, unlike the half-open SYN scan.

452
MCQmedium

Refer to the exhibit. A security auditor reviews the password hashes. Which user has the weakest password hash?

A.admin
B.root
C.user
D.All are equally strong
AnswerC

User uses MD5 ($1$), which is weaker.

Why this answer

The hash prefix $1$ indicates MD5, which is significantly weaker than SHA-512 ($6$). The user 'user' uses MD5.

453
MCQeasy

A user reports that their computer is infected with ransomware. Which of the following is the BEST immediate action for the security team to take?

A.Disconnect the computer from the network
B.Pay the ransom to regain access
C.Run a full antivirus scan
D.Restore the system from a recent backup
AnswerA

Isolation prevents further damage.

Why this answer

The first step is to isolate the infected machine from the network to prevent the ransomware from spreading to other systems.

454
MCQmedium

A web application uses user input in the following PHP code: include($_GET['page'] . '.php');. An attacker submits the URL: http://example.com/index.php?page=../../../../etc/passwd%00. Which two vulnerabilities are being attempted?

A.RFI and command injection
B.LFI and null byte injection
C.SQL injection and XSS
D.Directory traversal and IDOR
AnswerB

Directory traversal allows including local files, and null byte injection attempts to bypass the appended extension.

Why this answer

The attacker is using '../' for directory traversal to access files outside the web root, and a null byte injection (%00) to truncate the '.php' extension. This targets LFI (local file inclusion) via directory traversal.

455
MCQmedium

Which of the following is the most effective defense against SQL injection attacks?

A.Parameterized queries
B.Escaping all user input
C.Input validation using blacklists
D.Stored procedures
AnswerA

Parameterized queries (prepared statements) separate SQL logic from data, effectively preventing SQL injection.

Why this answer

Parameterized queries (prepared statements) ensure user input is treated as data, not executable code, preventing SQL injection.

456
MCQmedium

An attacker gains access to a cloud environment and attempts to move laterally by assuming an IAM role with higher privileges. Which cloud attack vector is the attacker exploiting?

A.SSRF attack
B.S3 bucket misconfiguration
C.IAM misuse
D.Container escape
AnswerC

Assuming an IAM role with higher privileges is a form of IAM misuse, often due to over-permissive trust policies.

Why this answer

IAM misuse involves exploiting misconfigured IAM roles or policies to escalate privileges. Assuming a role with higher privileges is a form of privilege escalation via IAM abuse.

457
MCQmedium

Which cryptographic algorithm is classified as symmetric and uses a block cipher with key sizes of 128, 192, or 256 bits?

A.AES
B.ECC
C.Diffie-Hellman
D.RSA
AnswerA

AES is symmetric, block cipher, with key sizes 128, 192, or 256 bits.

Why this answer

AES is a symmetric block cipher that supports key sizes of 128, 192, and 256 bits, and is widely used for encryption.

458
MCQeasy

Which of the following cryptographic hash functions is known to be vulnerable to collision attacks and should be avoided for security applications?

A.RIPEMD-160
B.MD5
C.SHA-256
D.SHA-1
AnswerB

MD5 has proven collision vulnerabilities (e.g., 2004 collisions) and is considered broken.

Why this answer

MD5 is known to be vulnerable to collision attacks, making it unsuitable for security applications like digital signatures.

459
MCQeasy

Which of the following is a passive OS fingerprinting technique?

A.Using nmap -O
B.Performing a ping sweep
C.Sending SYN packets and analyzing responses
D.Capturing packets and analyzing TTL values
AnswerD

TTL analysis is passive and does not generate traffic.

Why this answer

Passive OS fingerprinting involves observing network traffic without actively sending packets to the target. Option D is correct because capturing packets and analyzing TTL (Time to Live) values allows an attacker to infer the operating system, as different OSes use default TTL values (e.g., Windows uses 128, Linux uses 64, Cisco IOS uses 255). This technique does not generate any probe traffic, making it passive.

Exam trap

The trap here is that candidates confuse 'passive' with 'stealthy' scanning, often picking nmap -O with stealth flags (e.g., -sS) as passive, but any active packet injection, regardless of stealth, constitutes active fingerprinting.

How to eliminate wrong answers

Option A is wrong because nmap -O actively sends a series of probes (e.g., TCP SYN, ICMP echo) to the target and analyzes responses to determine the OS, which is active fingerprinting. Option B is wrong because a ping sweep sends ICMP Echo Request packets to multiple hosts to check liveness, which is an active scanning technique that generates traffic. Option C is wrong because sending SYN packets and analyzing responses (e.g., SYN/ACK vs RST) is the basis of active TCP stack fingerprinting, as it requires injecting packets into the network.

460
MCQeasy

Which of the following tools is specifically designed to enumerate SMB shares and user information from Windows systems using the SMB protocol?

A.snmpwalk
B.nmap
C.enum4linux
D.hping3
AnswerC

enum4linux is a wrapper around tools like smbclient, rpcclient, and net, specifically for SMB enumeration.

Why this answer

enum4linux is a tool specifically designed to enumerate SMB shares, user lists, OS information, and other details from Windows systems by leveraging the SMB protocol (typically over TCP/445 or TCP/139). It automates queries using SMB RPC calls, such as those from the `samr` and `lsarpc` pipes, making it the correct choice for targeted SMB enumeration.

Exam trap

The trap here is that candidates confuse nmap's broad scanning capabilities (including SMB scripts) with a tool that is purpose-built for SMB enumeration, leading them to select nmap instead of enum4linux.

How to eliminate wrong answers

Option A is wrong because snmpwalk is an SNMP enumeration tool that queries MIB data over UDP/161, not SMB shares or user information. Option B is wrong because nmap is a general-purpose port scanner and service detection tool; while it can detect open SMB ports and perform basic SMB script scans (e.g., smb-os-discovery), it is not specifically designed for deep SMB share and user enumeration like enum4linux. Option D is wrong because hping3 is a packet crafting and network stress testing tool that manipulates TCP/IP packets (e.g., for firewall testing or DoS), and it has no capability to enumerate SMB shares or user accounts.

461
Multi-Selecthard

Which TWO of the following are valid methods to exploit or test for Server-Side Request Forgery (SSRF)?

Select 2 answers
A.Injecting SQL commands into input fields
B.Using the file:// protocol to read local files
C.Submitting a URL pointing to http://127.0.0.1/admin
D.Sending a payload that includes <script>alert(1)</script>
E.Submitting a URL targeting http://169.254.169.254/latest/meta-data/
AnswersC, E

Accessing internal services via loopback is classic SSRF.

Why this answer

SSRF can be tested by making the server fetch internal resources like localhost or cloud metadata endpoints (e.g., AWS).

462
Drag & Dropmedium

Drag and drop the steps to perform a SQL injection attack manually into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Identify vulnerability, test, find columns, use UNION, extract data.

463
Multi-Selecthard

Which THREE of the following are common security risks associated with cloud computing?

Select 3 answers
A.Physical theft of servers from the data center.
B.Misconfigured cloud storage leading to data exposure.
C.Shared technology vulnerabilities in multi-tenant environments.
D.Insecure application programming interfaces (APIs).
E.Hypervisor compromise due to unpatched vulnerabilities.
AnswersB, C, D

Common misconfiguration.

Why this answer

Option B is correct because misconfigured cloud storage, such as an Amazon S3 bucket with overly permissive ACLs or a publicly accessible Azure Blob container, is one of the most common cloud security risks. This misconfiguration can expose sensitive data to the internet without authentication, leading to data breaches. The Cloud Security Alliance (CSA) consistently lists misconfiguration as a top cloud threat.

Exam trap

The trap here is that candidates often confuse 'hypervisor compromise' (Option E) as a common risk, but the CEH exam emphasizes that misconfiguration, shared technology vulnerabilities, and insecure APIs are the three most prevalent cloud security risks according to the CSA and NIST guidelines.

464
Multi-Selectmedium

Which TWO OSINT tools are commonly used to gather email addresses and subdomains associated with a target domain? (Select 2)

Select 2 answers
A.Nmap
B.Nessus
C.theHarvester
D.Maltego
E.Shodan
AnswersC, D

theHarvester collects emails, subdomains, and names from search engines, PGP key servers, etc.

Why this answer

theHarvester is a dedicated OSINT tool designed to gather email addresses, subdomains, IPs, and virtual hosts from public sources such as search engines (Google, Bing), PGP key servers, and the SHODAN database. It directly queries these sources to enumerate email addresses and subdomains associated with a target domain, making it a primary choice for passive reconnaissance.

Exam trap

The trap here is that candidates often confuse Shodan as an OSINT tool for email/subdomain gathering because it is a well-known reconnaissance resource, but Shodan specifically indexes internet-facing devices and services, not domain-associated emails or subdomains.

465
MCQeasy

A security analyst runs `nbtstat -A 192.168.1.10` and receives output showing a table with names like COMPUTER<00>, COMPUTER<20>, and DOMAIN<1B>. What type of information has the analyst gathered?

A.NetBIOS names and their associated service types
B.SMB share lists and open sessions
C.DNS records for the host and domain
D.ARP cache entries for the subnet
AnswerA

nbtstat -A shows the NetBIOS name table with 16-character names where the suffix indicates the service type.

Why this answer

The `nbtstat -A` command performs a NetBIOS name table lookup against the target IP address using the NetBIOS over TCP/IP (NBT) protocol. The output displays NetBIOS names (e.g., COMPUTER<00>, COMPUTER<20>, DOMAIN<1B>) along with their associated service type suffixes (hex bytes), which identify the services running on the host, such as Workstation Service (<00>), Server Service (<20>), and Domain Master Browser (<1B>). This allows the analyst to enumerate the host's NetBIOS names and their corresponding service types.

Exam trap

The trap here is that candidates confuse `nbtstat -A` with commands that enumerate SMB shares or DNS records, but the key differentiator is the NetBIOS name table output with hex suffixes that explicitly indicate service types.

How to eliminate wrong answers

Option B is wrong because `nbtstat -A` does not list SMB share names or open sessions; those are obtained with commands like `net view` or `smbclient -L`. Option C is wrong because DNS records are queried via `nslookup` or `dig`, not through NetBIOS name resolution, which operates at a different layer (NetBIOS over TCP/IP, port 137). Option D is wrong because ARP cache entries are displayed with `arp -a`, not `nbtstat`, which deals with NetBIOS name tables, not MAC-to-IP mappings.

466
Multi-Selecthard

A penetration tester runs `nmap -sS -sV -O -p- 192.168.1.10` and receives the following output snippet: 'PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.4 80/tcp open http Apache httpd 2.4.6 443/tcp open ssl/http Apache httpd 2.4.6'. Which THREE pieces of information can the tester derive from this output? (Choose 3)

Select 3 answers
A.The target has a vulnerability in OpenSSH 7.4
B.The -sV flag was used for version detection
C.The Apache server version is 2.4.6
D.The target is vulnerable to the Heartbleed bug
E.The target is running a Linux-based operating system
AnswersB, C, E

The presence of version numbers in the output indicates -sV was used.

Why this answer

Option B is correct because the `-sV` flag in Nmap explicitly enables version detection, which probes open ports to determine the service and version information displayed in the output (e.g., 'OpenSSH 7.4', 'Apache httpd 2.4.6'). Without `-sV`, Nmap would only report the service name based on its port mapping (e.g., 'ssh', 'http'), not the specific version numbers.

Exam trap

The trap here is that candidates assume version numbers automatically imply a vulnerability (like Heartbleed or an OpenSSH flaw) without recognizing that Nmap output only reports versions, not exploitability, and that Heartbleed is specific to OpenSSL, not Apache or OpenSSH.

467
Matchingmedium

Match each security tool to its primary purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Network scanning and enumeration

Packet capture and analysis

Exploitation framework

Password cracking

Web application security testing

Why these pairings

These tools are commonly used in penetration testing and ethical hacking.

468
MCQmedium

A forensic analyst examines a firmware image extracted from an IoT thermostat and finds hardcoded credentials for a cloud backend. Which phase of the IoT attack lifecycle does this represent?

A.Weaponization
B.Installation
C.Reconnaissance
D.Exploitation
AnswerD

Identifying hardcoded credentials allows an attacker to exploit them for unauthorized access.

Why this answer

Hardcoded credentials in firmware represent a vulnerability in the device itself. This is part of the exploitation phase, where attackers use discovered credentials to gain unauthorized access to backend systems.

469
MCQmedium

A web application allows users to submit feedback that is stored in a database and displayed to other users without proper sanitization. A tester inputs '<script>alert(1)</script>' and it executes when other users view the feedback. Which type of XSS is this?

A.Self-XSS
B.DOM-based XSS
C.Stored XSS
D.Reflected XSS
AnswerC

The script is stored on the server and executed for every user viewing the feedback, which is stored XSS.

Why this answer

The payload is stored in the database and executed when other users load the page, which is stored (persistent) XSS.

470
MCQhard

An attacker uses the Social Engineering Toolkit (SET) to craft a phishing email that appears to come from the company's CEO, requesting the recipient to urgently wire funds to a new vendor. This attack is BEST described as which type of social engineering?

A.Pretexting
B.Spear phishing
C.Whaling
D.Quid pro quo
AnswerC

Whaling is a phishing attack directed at senior executives or high-value targets. The impersonation of the CEO fits.

Why this answer

Whaling targets senior executives or high-profile individuals. The email impersonates the CEO, a typical whaling scenario. Spear phishing is targeted but not necessarily at executives.

471
MCQmedium

A user receives a phone call from someone claiming to be from IT support, asking for their password to perform a system update. This is an example of which social engineering technique?

A.Baiting
B.Pretexting
C.Phishing
D.Vishing
AnswerB

Pretexting involves impersonation to gain trust.

Why this answer

Pretexting involves creating a fabricated scenario to obtain information. The caller pretends to be IT support.

472
MCQmedium

An analyst is analyzing a suspicious file using VirusTotal and observes that only 3 out of 60 antivirus engines detect it as malicious. The file has been submitted before but with no detections. What should the analyst conclude?

A.The file is a clean file with a rare hash
B.The file is safe because most engines don't detect it
C.The file is likely a false positive
D.The file is likely malicious and requires further analysis
AnswerD

Low detection rate suggests it may be new malware; further analysis is warranted.

Why this answer

Low detection rate suggests the file may be a zero-day or heavily obfuscated. The fact that previous submission had no detections and now some detect indicates it might be a new variant or the file is not widely known. The best action is to treat as potentially malicious and perform dynamic analysis.

473
MCQmedium

A security analyst notices repeated TCP SYN packets sent to a server without corresponding SYN-ACK replies. The source IP addresses are spoofed and appear to be random. Which type of attack is MOST likely occurring?

A.SYN flood
B.UDP flood
C.ICMP flood
D.Ping of Death
AnswerA

The description matches a SYN flood: spoofed SYN packets without completing the handshake.

Why this answer

SYN flood attacks exploit the TCP three-way handshake by sending many SYN requests with spoofed IPs, exhausting the server's connection queue.

474
Drag & Dropmedium

Drag and drop the steps to conduct a penetration test using the CEH methodology into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

The CEH methodology follows: Reconnaissance, Scanning, Gaining Access, Maintaining Access, Covering Tracks.

475
MCQmedium

A web application uses XML to transmit data between client and server. A tester submits the following payload: '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root>&xxe;</root>'. The application returns the content of the /etc/passwd file in the response. Which vulnerability is present?

A.SQL injection
B.XML External Entity (XXE) injection
C.Command injection
D.Cross-Site Scripting (XSS)
AnswerB

XXE exploits XML parsers to include external entities, often to read files or perform SSRF.

Why this answer

This is an XML External Entity (XXE) injection, where an external entity is used to read a local file and return its contents.

476
MCQmedium

A security analyst notices unusual traffic from a smart thermostat to an external IP address. The thermostat is on a separate IoT VLAN. Which action should the analyst take to investigate and mitigate the threat?

A.Disconnect the thermostat from the network.
B.Block all outbound traffic from the IoT VLAN.
C.Uninstall the companion app from the user's smartphone.
D.Create a firewall rule to block traffic from the thermostat's MAC address to the external IP.
AnswerD

This precisely blocks the suspicious traffic without affecting other devices.

Why this answer

Option D is correct because creating a firewall rule to block traffic from the thermostat's MAC address to the specific external IP is a targeted, least-disruptive mitigation. It preserves the IoT VLAN's functionality for other devices while stopping the suspicious communication. This approach allows the analyst to investigate further without losing visibility into the threat, as the thermostat remains on the network for forensic analysis.

Exam trap

The trap here is that candidates often choose Option A (disconnect) because it seems like an immediate containment step, but CEH emphasizes that disconnecting destroys forensic evidence and prevents further analysis, whereas a targeted firewall rule allows both mitigation and investigation.

How to eliminate wrong answers

Option A is wrong because disconnecting the thermostat removes the device from the network, preventing further monitoring and forensic analysis of the suspicious traffic; it also disrupts legitimate functionality without confirming the threat. Option B is wrong because blocking all outbound traffic from the IoT VLAN is overly broad and would break legitimate IoT services (e.g., firmware updates, cloud connectivity) for all devices on that VLAN, causing unnecessary operational impact. Option C is wrong because uninstalling the companion app from the user's smartphone does not address the network-level traffic from the thermostat itself; the thermostat communicates directly with the external IP, independent of the app, and the app may be unrelated to the malicious activity.

477
Multi-Selectmedium

Which THREE of the following are components of PKI (Public Key Infrastructure)?

Select 3 answers
A.Certificate Authority (CA)
B.WPA3
C.Private key and public key pair
D.Digital certificates
E.RADIUS server
AnswersA, C, D

CA issues and revokes certificates.

Why this answer

Certificate Authority, digital certificates, and private/public key pairs are core PKI components.

478
MCQmedium

A security analyst captures the following SMTP conversation: 220 mail.example.com ESMTP; HELO client; 250 Hello; VRFY root; 250 Super-User; VRFY admin; 252 Cannot VRFY user; VRFY user1; 550 User unknown. Which attack is the analyst performing?

A.SMTP header injection
B.SMTP open relay testing
C.SMTP user enumeration via VRFY
D.SMTP DDoS attack
AnswerC

VRFY queries verify if a mailbox exists; responses reveal valid usernames.

Why this answer

Option C is correct. The VRFY command is used to verify email addresses. A successful response (250) indicates the user exists; 252 indicates ambiguous; 550 indicates no such user.

This is enumeration of valid usernames.

479
Multi-Selecthard

Which THREE of the following are effective mitigations against brute force attacks on web application login forms? (Select 3)

Select 3 answers
A.Account lockout after failed attempts
B.Implementing CAPTCHA
C.Rate limiting on login endpoints
D.Enforcing strong password policies
E.Using HTTP basic authentication
AnswersA, B, C

Locking accounts after a few failures prevents further attempts.

Why this answer

Account lockout, rate limiting, and CAPTCHA all hinder automated brute force attempts. Strong password policies help but are not a direct mitigation against brute force rate.

480
MCQmedium

Which of the following is a recommended countermeasure against WPA2 KRACK attacks?

A.Enable MAC filtering
B.Patch all clients and access points
C.Disable WPS
D.Switch to WEP encryption
AnswerB

Patches implement fixes against key reinstallation attacks.

Why this answer

KRACK attacks exploit vulnerabilities in the WPA2 4-way handshake key reinstallation. The primary fix is to install security patches on clients and APs that implement the IEEE 802.11 standard update. Disabling WPS does not prevent KRACK, and switching to WEP is less secure.

481
MCQmedium

An attacker uses a tool that precomputes hash chains for common passwords to crack password hashes quickly. Which technique is the attacker employing?

A.Dictionary attack
B.Brute-force attack
C.Hybrid attack
D.Rainbow table attack
AnswerD

Rainbow tables use precomputed hash chains to crack hashes quickly.

Why this answer

The correct answer is D, Rainbow table attack. This technique involves precomputing hash chains for common passwords and storing them in a table, allowing the attacker to reverse password hashes quickly by looking up the hash in the table rather than computing hashes on the fly. The tool described matches the core concept of a rainbow table, which uses a time-memory trade-off to crack hashes efficiently.

Exam trap

The trap here is that candidates confuse a rainbow table attack with a dictionary attack, because both involve lists of passwords, but the key distinction is precomputation versus real-time hashing.

How to eliminate wrong answers

Option A is wrong because a dictionary attack uses a list of plaintext passwords, hashing each one and comparing to the target hash in real time, not precomputed hash chains. Option B is wrong because a brute-force attack tries every possible combination of characters sequentially, without any precomputation or stored hash chains. Option C is wrong because a hybrid attack combines dictionary words with variations (e.g., appending numbers or symbols), but it still computes hashes on the fly rather than relying on precomputed chains.

482
MCQmedium

A company wants to ensure that data in transit between its IoT devices and the cloud server is encrypted. Which protocol combination is BEST suited for this purpose?

A.MQTT without encryption
B.HTTP with SSL
C.MQTT with TLS
D.CoAP with DTLS
AnswerC

MQTT over TLS provides encrypted communication for IoT devices.

Why this answer

TLS (Transport Layer Security) provides encryption for data in transit, and CoAP can use DTLS (a variant of TLS) for secure communication.

483
MCQeasy

A penetration tester uses theHarvester to gather information about a target domain. Which of the following data types is theHarvester PRIMARILY designed to collect?

A.Live network traffic captures
B.Passwords hashes
C.Email addresses and subdomains
D.Vulnerability scan results
AnswerC

Its primary purpose is to gather emails and subdomains associated with a domain.

Why this answer

theHarvester is an open-source intelligence (OSINT) tool designed to perform passive reconnaissance by querying public sources such as search engines (Google, Bing), PGP key servers, and the Shodan API. Its primary function is to collect email addresses, subdomains, IP addresses, and virtual hosts associated with a target domain, aiding in the footprinting phase of a penetration test.

Exam trap

The trap here is that candidates confuse theHarvester's passive OSINT collection with active scanning or exploitation tools, leading them to select options related to network traffic, password cracking, or vulnerability scanning.

How to eliminate wrong answers

Option A is wrong because theHarvester does not capture live network traffic; that is the function of packet sniffers like tcpdump or Wireshark, which operate at the data-link layer. Option B is wrong because theHarvester does not extract password hashes; hash retrieval is typically performed by tools like Hashcat or John the Ripper after obtaining a password database dump. Option D is wrong because theHarvester does not perform vulnerability scanning; vulnerability assessment is done by tools like Nessus or OpenVAS, which actively probe services for known CVEs.

484
MCQmedium

An attacker sets up a rogue access point with the same SSID as a legitimate corporate network and broadcasts a stronger signal. Clients connect to the rogue AP. What type of attack is this?

A.WPS PIN attack
B.De-authentication attack
C.Evil twin attack
D.MAC spoofing attack
AnswerC

This describes an evil twin attack exactly.

Why this answer

An evil twin attack involves a rogue AP mimicking a legitimate SSID to intercept traffic.

485
Multi-Selecteasy

Which TWO of the following are characteristics of a Bluetooth Low Energy (BLE) IoT device that make it suitable for a battery-powered sensor?

Select 2 answers
A.High data throughput.
B.Long range (up to 1 km).
C.Low energy consumption.
D.Low data transfer rates.
E.Operates in unlicensed spectrum like Wi-Fi.
AnswersC, D

BLE is optimized for low power.

Why this answer

Option C is correct because BLE is specifically designed for ultra-low power consumption, enabling battery-powered sensors to operate for months or years on a coin cell battery. BLE achieves this by using short bursts of data transmission and then entering a deep sleep mode, drastically reducing energy usage compared to classic Bluetooth or Wi-Fi.

Exam trap

EC-Council often tests the misconception that 'low energy' means low data rate, but the trap here is that candidates might incorrectly select 'High data throughput' (A) or 'Long range' (B) because they confuse BLE with classic Bluetooth or other IoT protocols, overlooking BLE's explicit design trade-off for power efficiency over speed and distance.

486
MCQhard

A penetration tester is trying to evade an IDS that detects out-of-order TCP packets. The tester uses Nmap with the -f flag. What is the PRIMARY effect of this flag?

A.Splits the TCP header into multiple packets to bypass simple packet filters
B.Slows down the scan to avoid triggering rate-based alarms
C.Sends packets from multiple decoy IP addresses to obscure the source
D.Spoofs the source IP address to hide the attacker's identity
AnswerA

Fragmenting packets can evade IDS that don't reassemble fragments before inspection.

Why this answer

The `-f` flag in Nmap fragments the IP packet into smaller pieces, typically 8-byte fragments, which splits the TCP header across multiple packets. This fragmentation causes the IDS to see out-of-order or incomplete TCP headers, making it harder for signature-based detection to reassemble and match malicious patterns, thus bypassing simple packet filters that do not perform full TCP reassembly.

Exam trap

The trap here is that candidates often confuse the `-f` flag with decoy or spoofing techniques, but the primary effect is fragmentation to evade packet filters and simple IDS, not to hide the source IP or slow the scan.

How to eliminate wrong answers

Option B is wrong because the `-f` flag does not control scan timing; slowing down to avoid rate-based alarms is achieved with the `-T` (timing) flags, such as `-T0` or `-T1`. Option C is wrong because sending packets from multiple decoy IP addresses is the function of the `-D` (decoy) flag, not `-f`. Option D is wrong because spoofing the source IP address is done with the `-S` flag or by using a spoofed source address in raw packets, not by fragmentation.

487
Multi-Selecthard

Which THREE of the following are examples of application-layer DDoS attacks? (Select 3)

Select 3 answers
A.Slowloris
B.HTTP flood
C.SYN flood
D.DNS amplification
E.UDP flood
AnswersA, B, D

Slowloris holds connections open to exhaust server resources.

Why this answer

Application-layer attacks target the OSI layer 7. Slowloris keeps many connections open, HTTP flood sends many requests, and DNS amplification (though often considered volumetric) can be application-layer when using DNS queries.

488
Multi-Selectmedium

During a penetration test, a tester runs enum4linux against a Windows server and receives the following output: 'S-1-5-21-3623811015-3361044348-30300820-500' and 'S-1-5-21-3623811015-3361044348-30300820-501'. Which TWO conclusions can be drawn from this output?

Select 2 answers
A.The Guest account is enabled
B.The Guest account SID was enumerated
C.The Administrator account SID was enumerated
D.The server is a domain controller
E.Password policy was retrieved
AnswersB, C

RID 501 corresponds to the Guest account.

Why this answer

Options A and C are correct. SID ending in -500 is the built-in Administrator account. SID ending in -501 is the Guest account.

These are well-known RIDs.

489
Multi-Selectmedium

Which TWO of the following techniques are considered passive reconnaissance? (Select exactly 2.)

Select 2 answers
A.Performing a WHOIS lookup
B.Connecting to a web server to grab its banner
C.Sending ICMP echo requests to a target
D.Using Google dorks to find exposed files
E.Running a Nmap SYN scan
AnswersA, D

WHOIS queries public databases, no direct interaction with target.

Why this answer

A WHOIS lookup queries public databases (e.g., whois.arin.net) to retrieve registration details for domains or IP blocks. This process does not send any packets directly to the target system; it relies on third-party servers, making it a passive reconnaissance technique.

Exam trap

EC-Council often tests the distinction that any technique involving direct interaction with the target's network stack (even a single packet or connection) is active, while passive methods rely on third-party sources or pre-existing data.

490
MCQmedium

A security analyst notices that a web application returns different HTTP responses for valid and invalid usernames during login. Which attack is this behavior most likely facilitating?

A.Username enumeration
B.Cross-site scripting (XSS)
C.Directory traversal
D.SQL injection
AnswerA

Different responses for valid vs invalid usernames allow an attacker to enumerate valid accounts.

Why this answer

The difference in responses (e.g., 'User not found' vs 'Invalid password') allows an attacker to enumerate valid usernames, which is a common first step in credential stuffing or brute-force attacks.

491
MCQeasy

Which type of social engineering attack involves a malicious actor impersonating a legitimate organization in a voicemail message to trick the victim into revealing sensitive information?

A.SMiShing
B.Pharming
C.Baiting
D.Vishing
AnswerD

Vishing uses voice communication to deceive.

Why this answer

Vishing (voice phishing) uses phone calls or voicemail to deceive victims. SMiShing uses SMS, pharming redirects websites, and baiting offers something enticing.

492
MCQhard

A security team has collected a hash file from a compromised Windows server that contains NTLM hashes. They want to crack the passwords as quickly as possible using a precomputed lookup table. Which tool and technique combination is BEST suited for this task?

A.Use John the Ripper in incremental mode
B.Use Hydra with a dictionary of common passwords
C.Use RainbowCrack with precomputed rainbow tables
D.Use Hashcat with a rules-based attack
AnswerC

RainbowCrack uses rainbow tables to crack hashes in seconds. It is the most efficient method for precomputed attacks.

Why this answer

Rainbow tables are precomputed hash chains that allow rapid password lookups. RainbowCrack is a tool that implements rainbow table attacks, ideal for quickly cracking NTLM hashes.

493
MCQeasy

A penetration tester is performing a footprinting exercise on a target company. The tester wants to identify the network range and ISP of the target. Which of the following tools or techniques is MOST appropriate for this purpose?

A.Query the Netcraft site for the domain
B.Perform a WHOIS lookup against the domain
C.Use nslookup to query the authoritative name servers
D.Run a traceroute to the target web server
AnswerB

WHOIS provides IP range and ISP info.

Why this answer

A WHOIS lookup against the target domain returns registration details that include the organization's network range (via the 'NetRange' or 'CIDR' fields) and the ISP (via the 'OrgName' or 'descr' fields). This directly maps to the footprinting goal of identifying the target's IP address block and upstream provider, as defined in RFC 3912 and common WHOIS database schemas.

Exam trap

The trap here is that candidates confuse DNS resolution (nslookup) or path tracing (traceroute) with ownership data, but only WHOIS provides the authoritative registration records for network blocks and ISPs.

How to eliminate wrong answers

Option A is wrong because Netcraft provides web server and hosting history, but its primary output is server software, uptime, and hosting provider, not the specific network range or ISP in a structured WHOIS format. Option C is wrong because nslookup queries DNS records (A, MX, NS, etc.) to resolve domain names to IP addresses or find name servers; it does not reveal the network range or ISP ownership of those IPs. Option D is wrong because traceroute maps the path packets take to a destination, revealing intermediate routers, but it does not directly disclose the target's network range or ISP; it only shows hop IPs, which require additional WHOIS lookups to interpret.

494
MCQmedium

A security team discovers that an attacker has been intercepting and modifying traffic between a client and server by impersonating both endpoints. Which type of cryptographic attack is this?

A.Man-in-the-middle attack
B.Replay attack
C.Downgrade attack
D.Birthday attack
AnswerA

MITM involves intercepting and potentially modifying traffic between two parties.

Why this answer

A man-in-the-middle (MITM) attack involves the attacker positioning themselves between the client and server to intercept and modify traffic.

495
MCQhard

You are a penetration tester for a financial institution. During the reconnaissance phase, you discover that the target network uses a firewall that only allows inbound TCP connections on ports 80, 443, and 8080. You need to identify live hosts and running services on the internal network (192.168.1.0/24) from an external perspective. To avoid detection, you must minimize the number of packets sent and ensure that your scanning technique does not complete the TCP three-way handshake. Additionally, you have limited time and need to scan all 65535 ports on the most promising target. Based on the firewall rules and the need for stealth, which of the following approaches should you take?

A.Perform a TCP connect scan (-sT) on all ports of the subnet to identify open ports and services.
B.Perform an Xmas scan (-sX) on all ports of the subnet to evade detection by sending packets with invalid flag combinations.
C.First, perform a TCP SYN scan (-sS) on the three allowed ports across the subnet. Once a live host is identified, perform a TCP SYN scan (-sS) on all 65535 ports of that host.
D.Perform a UDP scan (-sU) on all ports of the subnet because UDP is connectionless and less likely to be logged.
AnswerC

TCP SYN scan is stealthy (half-open) and efficient. Scanning only allowed ports first reduces traffic, then full port scan on the live host.

Why this answer

Option C is correct because a TCP SYN scan (-sS) sends only a SYN packet and does not complete the three-way handshake, making it stealthy. First scanning only the three allowed ports (80, 443, 8080) across the subnet minimizes packets and identifies live hosts. Once a promising target is found, a full SYN scan on all 65535 ports efficiently maps services while evading the firewall's restrictions.

Exam trap

The trap here is that candidates may choose an Xmas scan (Option B) thinking it is stealthy due to invalid flags, but fail to realize that modern firewalls and IDS systems easily detect and drop such anomalous packets, making it ineffective against port-based allow rules.

How to eliminate wrong answers

Option A is wrong because a TCP connect scan (-sT) completes the full three-way handshake, generating more packets and logs, which increases detection risk and violates the requirement to avoid completing the handshake. Option B is wrong because an Xmas scan (-sX) sends packets with FIN, URG, and PSH flags set, which many firewalls and intrusion detection systems (IDS) drop or log as anomalous; it is also ineffective against firewalls that only allow specific TCP ports (80, 443, 8080) and may not elicit responses from filtered ports. Option D is wrong because a UDP scan (-sU) is connectionless but is slow, unreliable, and often blocked or rate-limited by firewalls; it does not leverage the allowed TCP ports and would generate excessive packets without stealth benefits.

496
MCQeasy

Which malware analysis approach involves running the suspicious file in a controlled environment to observe its behavior?

A.Dynamic analysis
B.Code review
C.Signature detection
D.Static analysis
AnswerA

Dynamic analysis involves execution to observe runtime behavior.

Why this answer

Dynamic analysis is the correct approach because it involves executing the suspicious file in a controlled, isolated environment (such as a sandbox or virtual machine) to monitor its runtime behavior, including file system changes, registry modifications, network connections, and process injections. This allows analysts to observe actual malicious actions without risking the production environment, making it essential for understanding zero-day threats and obfuscated malware that static analysis might miss.

Exam trap

EC-Council often tests the misconception that static analysis is sufficient for all malware types, but the trap here is that candidates confuse 'static analysis' (which examines code without execution) with 'dynamic analysis' (which requires execution), leading them to pick static analysis when the question explicitly asks for observing behavior in a controlled environment.

How to eliminate wrong answers

Option B is wrong because code review is a manual or automated examination of the malware's source code or disassembled instructions without execution, which falls under static analysis and cannot reveal runtime behaviors like API calls or network traffic. Option C is wrong because signature detection relies on pre-defined patterns (e.g., hash values or byte sequences) to identify known malware, but it fails against polymorphic or novel malware that lacks matching signatures. Option D is wrong because static analysis examines the file's structure, strings, and code without execution, missing dynamic behaviors such as self-modification, anti-debugging tricks, or delayed payload activation.

497
MCQmedium

A penetration tester uses the following command to extract the contents of a SAM file: 'samdump2 SYSTEM /mnt/windows/Windows/System32/config/SAM'. What is the primary purpose of this action?

A.To escalate privileges on the system
B.To enumerate users via LDAP
C.To capture NTLM hashes for offline cracking
D.To perform a pass-the-hash attack
AnswerC

SAM file contains hashed passwords; extracting them allows offline cracking.

Why this answer

The `samdump2` tool extracts password hash data from the SAM (Security Account Manager) registry hive file. By providing the SYSTEM hive (which contains the boot key) and the SAM file, the tool decrypts and dumps the NTLM hashes of local user accounts. These hashes can then be used in offline cracking attacks (e.g., with John the Ripper or Hashcat) to recover plaintext passwords, making option C correct.

Exam trap

The trap here is that candidates may confuse the purpose of dumping hashes (offline cracking) with the subsequent attack technique (pass-the-hash), but the question asks for the primary purpose of the `samdump2` command itself, which is hash extraction for cracking, not immediate authentication.

How to eliminate wrong answers

Option A is wrong because `samdump2` does not perform privilege escalation; it simply reads already-obtained files from a compromised system. Option B is wrong because LDAP enumeration is used for querying Active Directory directory services, not for extracting local SAM database hashes. Option D is wrong because pass-the-hash attacks use captured NTLM hashes directly for authentication without cracking them, whereas the primary purpose of dumping hashes with `samdump2` is to obtain them for offline cracking.

498
Multi-Selecthard

Which THREE of the following are common methods used to mitigate DDoS attacks? (Select 3)

Select 3 answers
A.MAC flooding
B.Rate limiting
C.Scrubbing centers
D.ARP poisoning
E.Anycast network distribution
AnswersB, C, E

Rate limiting restricts the number of requests accepted from a source.

Why this answer

Rate limiting reduces traffic volume, scrubbing centers filter malicious traffic, and anycast distributes traffic across multiple nodes to absorb attacks. Black hole routing is also used but is a more drastic measure.

499
Multi-Selectmedium

A penetration tester is analyzing a captured TCP session that includes a successful SQL injection attack. Which TWO of the following indicators would most likely confirm that the attack was successful?

Select 2 answers
A.The server redirects to a login page (302)
B.The server returns a 500 Internal Server Error
C.The response contains database error messages or unexpected data
D.The server returns a 200 OK status code
E.The client receives no response (timeout)
AnswersC, D

Database error messages or extra data in the response are strong indicators of successful injection.

Why this answer

Option C is correct because a successful SQL injection often results in the database returning error messages or unexpected data directly in the HTTP response, confirming that the attacker's injected SQL statements were executed and returned results. This is a direct indicator of a successful attack, as the server processes the malicious input and includes database output in the response body.

Exam trap

The trap here is that candidates often mistake a 500 Internal Server Error (Option B) as a sign of success, but in CEH and real-world analysis, a 500 error usually indicates a failed or crashing injection, not a successful data extraction.

500
Multi-Selectmedium

A security analyst is investigating a compromised Linux system and finds the following: - A binary with SUID bit set owned by root that is not a standard system binary - The file /etc/ld.so.preload contains a reference to a shared object in /tmp - The system logs show gaps of several minutes during peak hours. Which TWO techniques has the attacker MOST likely used to maintain access and evade detection?

Select 2 answers
A.SUID privilege escalation
B.Password cracking
C.Kernel module rootkit
D.LD_PRELOAD rootkit
E.Steganography
AnswersA, D

Setting SUID on a root-owned binary allows any user to run it with root privileges.

Why this answer

Options A and B are correct. SUID abuse allows executing a binary with root privileges. LD_PRELOAD via ld.so.preload can be used to hook system calls and hide files/processes (a rootkit technique).

Log manipulation (gaps) is another covering tracks method.

501
MCQmedium

A security analyst finds multiple failed login attempts in the system logs, followed by a successful login from an unusual IP address. The attacker then deleted the log entries for that session. Which step of the system hacking methodology (CHPSET) does the log deletion represent?

A.Spying
B.Executing applications
C.Cracking passwords
D.Erasing tracks
AnswerD

Deleting log entries is a classic example of erasing tracks to avoid detection.

Why this answer

The log deletion represents the 'Erasing tracks' step in the CHPSET methodology. After gaining unauthorized access, attackers must cover their footprints by removing evidence of their activities, such as clearing system logs, modifying timestamps, or deleting audit trails. This ensures the intrusion remains undetected by system administrators or security monitoring tools.

Exam trap

The trap here is confusing 'Erasing tracks' with 'Spying' because both involve post-exploitation actions, but spying focuses on data collection while erasing tracks specifically targets log and evidence removal.

How to eliminate wrong answers

Option A is wrong because 'Spying' refers to passive monitoring or data exfiltration after access is established, not the act of removing forensic evidence. Option B is wrong because 'Executing applications' involves running tools or payloads to achieve objectives like privilege escalation or backdoor installation, not log manipulation. Option C is wrong because 'Cracking passwords' is part of the initial access phase (e.g., brute-forcing or hash cracking) and occurs before successful login, not after the attacker has already authenticated.

502
Multi-Selecthard

A security engineer is reviewing web server logs and finds the following request: GET /files/../../../etc/passwd HTTP/1.1. Which THREE attacks could be associated with this request? (Choose THREE.)

Select 3 answers
A.Directory traversal
B.File disclosure
C.SQL injection
D.Command injection
E.Local File Inclusion (LFI)
AnswersA, B, E

The ../ patterns indicate traversal out of the web root.

Why this answer

The request uses path traversal to access /etc/passwd (directory traversal/LFI). It can be used for file disclosure, and if the file is included in a script, it could be LFI. Command injection is not related.

503
MCQhard

An attacker has gained access to a Windows server and wants to crack the password hashes extracted from the SAM file. The attacker knows the passwords are complex but wants to maximize speed. Which tool is BEST suited for high-speed password cracking using GPU acceleration?

A.Ophcrack
B.RainbowCrack
C.John the Ripper
D.Hashcat
AnswerD

Hashcat is specifically designed for high-speed GPU-accelerated password cracking and is the best choice for speed.

Why this answer

Hashcat is the correct answer because it is specifically designed for high-speed password cracking using GPU acceleration, leveraging OpenCL or CUDA to offload computation to the GPU. This allows it to achieve millions of hashes per second, making it ideal for cracking complex passwords from SAM hashes (NTLM) when speed is the priority.

Exam trap

The trap here is that candidates often confuse 'rainbow table' tools (Ophcrack, RainbowCrack) with GPU-accelerated crackers, or assume John the Ripper is always the fastest, but Hashcat is the explicit choice for maximum GPU speed in CEH scenarios.

How to eliminate wrong answers

Option A is wrong because Ophcrack uses rainbow tables (precomputed hash chains) and is CPU-based, not GPU-accelerated, so it is slower for complex passwords and less efficient for on-the-fly cracking. Option B is wrong because RainbowCrack also relies on rainbow tables and is primarily CPU-based; while it can use some GPU acceleration in newer versions, it is not optimized for high-speed GPU cracking like Hashcat and requires precomputation time. Option C is wrong because John the Ripper can use GPU acceleration (via its 'john-gpu' variant), but its default mode is CPU-based and it is generally slower and less feature-rich for GPU cracking compared to Hashcat, which is the industry standard for GPU-accelerated password recovery.

504
MCQeasy

A security analyst wants to gather information about a target domain using publicly available sources without directly interacting with the target’s systems. Which type of reconnaissance is being performed?

A.Vulnerability scanning
B.Social engineering
C.Active reconnaissance
D.Passive reconnaissance
AnswerD

Passive reconnaissance uses publicly available information without direct interaction.

Why this answer

Passive reconnaissance involves collecting information about a target from publicly available sources without sending any packets or making direct contact with the target's systems. This approach relies on open-source intelligence (OSINT) such as WHOIS records, DNS lookups, search engines, and social media, ensuring no footprint is left on the target's network.

Exam trap

The trap here is confusing passive reconnaissance with active reconnaissance; candidates often think any information gathering is 'active' because it involves tools, but the key distinction is whether the target's systems are directly contacted (active) or not (passive).

How to eliminate wrong answers

Option A is wrong because vulnerability scanning is an active process that sends probes (e.g., SYN packets, HTTP requests) to identify weaknesses, directly interacting with target systems. Option B is wrong because social engineering involves manipulating people to divulge information, which requires direct interaction (e.g., phishing emails, phone calls) and is not a reconnaissance technique based solely on public sources. Option C is wrong because active reconnaissance involves direct engagement with the target's systems (e.g., port scanning with Nmap, banner grabbing), generating traffic that can be logged or detected.

505
Multi-Selectmedium

Which TWO of the following are valid cryptanalytic attacks?

Select 2 answers
A.SQL injection
B.Replay attack
C.Downgrade attack
D.Cross-site scripting (XSS)
E.Birthday attack
AnswersB, E

Replay attack captures and retransmits valid data to impersonate or deceive.

Why this answer

Birthday attack exploits hash collisions; replay attack reuses captured data. Downgrade attack forces weaker protocol (not cryptanalytic per se, but relevant). SQL injection and XSS are web application attacks, not cryptanalytic.

506
MCQeasy

A security analyst receives an email that appears to be from the CEO, urgently requesting a wire transfer. The email address is slightly misspelled (ceo@cornpany.com instead of ceo@company.com). Which type of social engineering attack is this?

A.Vishing
B.Whaling
C.Spear phishing
D.Phishing
AnswerC

Targeted at a specific individual with personalized content.

Why this answer

Spear phishing is a targeted phishing attack aimed at a specific individual or organization, often using personalized information to appear legitimate. This email targets the analyst specifically and uses a spoofed domain, making it spear phishing, not generic phishing or whaling (which targets high-level executives, though the CEO is impersonated, the recipient is the analyst).

507
MCQmedium

During a web application test, an analyst intercepts a request containing a 'Referer' header that points to a different domain. The analyst modifies the request by removing the 'Referer' header and the action still executes successfully. Which type of attack is the analyst testing?

A.Server-Side Request Forgery (SSRF)
B.Clickjacking
C.Cross-Site Request Forgery (CSRF)
D.Cross-Site Scripting (XSS)
AnswerC

CSRF defenses often use Referer checks; bypassing them indicates vulnerability.

Why this answer

CSRF protection often relies on checking the Referer header; if it can be removed or spoofed, the application is vulnerable to CSRF.

508
Multi-Selecthard

Which THREE of the following are correct statements about DNS zone transfers?

Select 3 answers
A.A successful zone transfer reveals all DNS records for the domain
B.The tool dnsrecon can attempt a zone transfer
C.Zone transfers are encrypted by default
D.Zone transfers should be restricted to authorized secondary DNS servers
E.Zone transfers use UDP port 53
AnswersA, B, D

Zone transfers provide a complete copy of the zone data.

Why this answer

A successful DNS zone transfer (AXFR) returns the complete zone file, which contains all DNS records for the domain, including A, AAAA, MX, CNAME, NS, and TXT records. This is why it is a critical information-gathering step during reconnaissance.

Exam trap

The trap here is that candidates confuse DNS query transport (UDP 53) with zone transfer transport (TCP 53), and assume zone transfers are encrypted by default when they are not.

509
MCQeasy

In the shared responsibility model for cloud computing, which of the following is typically the responsibility of the customer?

A.Physical security of data centers
B.Patch management of the virtualization platform
C.Data classification and encryption of customer data
D.Network infrastructure security (e.g., hypervisor, network cables)
AnswerC

Customers are responsible for classifying and encrypting their own data.

Why this answer

The customer is responsible for data classification and account management, while the provider secures the physical infrastructure.

510
MCQmedium

A security analyst captures WPA2 handshake packets using airodump-ng and then runs aircrack-ng with a wordlist. After several minutes, aircrack-ng reports 'KEY FOUND!' followed by a hex string. Which attack was successfully performed?

A.Dictionary attack on the 4-way handshake
B.Hash length extension attack on the MIC
C.Rainbow table attack on the WPA2 handshake
D.Brute-force attack against the PSK
AnswerA

Aircrack-ng compares each word in the wordlist against the handshake's PMKID/PTK to find the passphrase.

Why this answer

The analyst captured the 4-way handshake and used a dictionary attack (wordlist) to recover the PSK. This is a dictionary attack, not brute force (which tries all combinations), rainbow table, or hash length extension (which is for hash-based MACs).

511
Multi-Selectmedium

Which THREE of the following are valid methods to prevent DNS zone transfer attacks? (Select 3)

Select 3 answers
A.Increase the SOA refresh interval
B.Disable recursive queries for external hosts
C.Use TSIG (Transaction Signatures) for authentication
D.Restrict zone transfers to specific IP addresses
E.Block all inbound traffic on UDP port 53
AnswersB, C, D

This prevents external hosts from using the DNS server as a resolver, but indirect benefit.

Why this answer

Option B is correct because disabling recursive queries for external hosts prevents DNS servers from being used in amplification attacks and also limits the information that can be obtained via zone transfers. Recursive queries are not required for zone transfers (which use TCP port 53), but disabling recursion for external hosts reduces the attack surface by preventing unauthorized users from querying the server for all records in a domain.

Exam trap

The trap here is that candidates often confuse the roles of UDP and TCP in DNS, incorrectly assuming that blocking UDP port 53 will stop zone transfers, when in fact zone transfers use TCP port 53 and blocking UDP 53 only breaks normal queries.

512
MCQmedium

During a penetration test, a tester uses the SMTP VRFY command against a mail server. The server responds with '252 Cannot VRFY user, but will accept message' for most usernames. Which action should the tester take to enumerate valid email addresses more effectively?

A.Use the EXPN command to expand mailing lists and verify addresses
B.Use the NetBIOS nbtstat command to query the mail server
C.Run a brute-force attack on the SMTP service using Hydra
D.Switch to SNMP enumeration to gather email addresses
AnswerA

EXPN can reveal valid addresses from mailing lists; RCPT TO is another alternative.

Why this answer

The SMTP VRFY command is used to verify whether a specific user exists on the mail server. When the server responds with '252 Cannot VRFY user, but will accept message', it indicates that VRFY is disabled or restricted, but the server still supports the EXPN command. EXPN (Expand) reveals the actual members of a mailing list or alias, allowing the tester to enumerate valid email addresses indirectly by querying known or guessed list names.

Exam trap

The trap here is that candidates assume a '252' response to VRFY means the user does not exist, when in fact it indicates VRFY is disabled, and they overlook the EXPN command as an alternative enumeration method.

How to eliminate wrong answers

Option B is wrong because nbtstat is a NetBIOS over TCP/IP command used to query NetBIOS name tables and WINS servers, not SMTP servers; it cannot enumerate email addresses. Option C is wrong because a brute-force attack on SMTP with Hydra would target authentication credentials (e.g., SMTP AUTH), not enumerate valid usernames via VRFY/EXPN; it is also noisy and likely to trigger account lockouts. Option D is wrong because SNMP enumeration can gather system information (e.g., user lists from SNMP MIBs) but is not a direct or effective method for enumerating email addresses from an SMTP server; it requires SNMP to be enabled and accessible.

513
Multi-Selectmedium

Which TWO of the following are examples of asymmetric cryptography? (Select 2)

Select 2 answers
A.RSA
B.ECC
C.3DES
D.MD5
E.AES
AnswersA, B

RSA is asymmetric.

Why this answer

RSA and ECC are asymmetric algorithms. AES and 3DES are symmetric. MD5 is a hash function.

514
MCQmedium

A security analyst receives an alert from the IDS indicating a port scan originating from IP 10.0.0.5. Upon investigation, the analyst finds that 10.0.0.5 is a legitimate internal server. Which type of scan is the attacker likely using to evade detection?

A.SYN scan
B.Idle scan
C.Decoy scan
D.Fragmentation scan
AnswerC

Decoy scan includes multiple fake source IPs to hide the real attacker. The IDS may flag a decoy IP.

Why this answer

A decoy scan (option C) is the correct answer because it allows the attacker to blend their real IP address with multiple spoofed IP addresses, making it appear as though the scan originates from several hosts. In this scenario, the IDS alerts on IP 10.0.0.5, which is a legitimate internal server, indicating that the attacker is using that server's IP as a decoy to evade detection and misdirect the analyst's investigation.

Exam trap

The trap here is that candidates often confuse a decoy scan with an idle scan, mistakenly thinking that using a legitimate internal server as a decoy is the same as using a zombie host, but idle scans rely on IP ID side-channel analysis and do not involve spoofing the attacker's own traffic.

How to eliminate wrong answers

Option A is wrong because a SYN scan sends raw SYN packets and does not spoof the source IP; the attacker's real IP would be directly visible in the IDS logs, not a legitimate internal server. Option B is wrong because an idle scan (also known as a zombie scan) uses a third-party host (the zombie) with a predictable IP ID sequence to indirectly probe the target, but the scan traffic appears to come from the zombie, not from a legitimate internal server like 10.0.0.5. Option D is wrong because a fragmentation scan splits TCP headers into multiple small IP fragments to evade simple packet filters, but it does not alter the source IP address, so the attacker's real IP would still be logged.

515
MCQhard

A penetration tester discovers a service running on UDP port 161 with a default community string 'public'. They use `snmpwalk -v2c -c public 192.168.1.10` and retrieve extensive system information. Which enumeration technique is being performed?

A.SMB enumeration
B.LDAP enumeration
C.SMTP enumeration
D.SNMP enumeration
AnswerD

SNMP uses UDP 161, and snmpwalk retrieves the entire MIB tree.

Why this answer

The correct answer is D because the question describes using SNMP (Simple Network Management Protocol) over UDP port 161 with the default community string 'public' and the `snmpwalk` command to retrieve system information. This is a classic SNMP enumeration technique, where an attacker queries MIB (Management Information Base) data to extract details like running processes, user accounts, and network configurations.

Exam trap

The trap here is that candidates may confuse SNMP enumeration with other enumeration techniques because they see 'enumeration' in the question, but the specific use of UDP port 161 and the `snmpwalk` command uniquely identifies SNMP enumeration.

How to eliminate wrong answers

Option A is wrong because SMB enumeration uses TCP ports 139 or 445 and tools like `enum4linux` or `smbclient`, not UDP port 161 or SNMP commands. Option B is wrong because LDAP enumeration uses TCP/UDP port 389 and queries directory services via `ldapsearch`, not SNMP or the `snmpwalk` command. Option C is wrong because SMTP enumeration uses TCP port 25 and commands like `VRFY` or `EXPN` to verify email users, not UDP port 161 or SNMP protocols.

516
Multi-Selectmedium

Which TWO of the following are effective countermeasures against rogue access point attacks on a corporate wireless network?

Select 2 answers
A.Deploy a Wireless Intrusion Prevention System (WIPS).
B.Use WPA2-PSK with a strong passphrase.
C.Implement MAC address filtering on the access points.
D.Use 802.1X authentication with a RADIUS server.
E.Disable SSID broadcast on the corporate network.
AnswersA, D

WIPS detects and blocks rogues.

Why this answer

A Wireless Intrusion Prevention System (WIPS) continuously monitors the radio frequency spectrum to detect, locate, and block rogue access points. It can automatically classify devices based on their behavior and signatures, and when a rogue AP is identified, the WIPS can launch a de-authentication attack against the rogue device or its clients, effectively neutralizing the threat. This makes WIPS the most direct and proactive countermeasure against rogue APs.

Exam trap

EC-Council often tests the misconception that encryption or authentication methods (like WPA2-PSK or 802.1X) alone can prevent rogue APs, when in fact they only secure the legitimate network and do not address the rogue device's ability to operate on the same frequency.

517
MCQeasy

A security analyst captures a large number of initialization vectors (IVs) on a WEP-protected network. Which tool is most commonly used to crack the WEP key using IVs?

A.Aircrack-ng
B.Reaver
C.Kismet
D.John the Ripper
AnswerA

Aircrack-ng is designed to crack WEP keys using captured IVs.

Why this answer

Aircrack-ng is the standard tool for cracking WEP keys by capturing IVs. Reaver is for WPS, Kismet is a sniffer, and John the Ripper is a general password cracker.

518
MCQmedium

An attacker has gained initial access to a Windows system and wants to escalate privileges to SYSTEM. They find that the SeImpersonatePrivilege is enabled for their current user. Which tool or technique is specifically designed to leverage this privilege for elevation?

A.Token impersonation using RottenPotato
B.Pass-the-hash attack
C.Kerberoasting
D.SUID abuse
AnswerA

RottenPotato (and variants) exploit SeImpersonatePrivilege to impersonate SYSTEM tokens.

Why this answer

The SeImpersonatePrivilege allows a process to impersonate a user after obtaining a token. RottenPotato (and its variants like JuicyPotato) exploits this privilege by forcing a high-integrity service (e.g., DCOM or RPC) to authenticate to a malicious server under the attacker's control, capturing a SYSTEM-level token and using it to execute code with elevated privileges.

Exam trap

EC-Council often tests the distinction between Windows token impersonation attacks (SeImpersonatePrivilege) and Linux SUID abuse, leading candidates to mistakenly select SUID abuse when the question explicitly mentions a Windows system.

How to eliminate wrong answers

Option B (Pass-the-hash) is wrong because it reuses NTLM hashes to authenticate as another user over the network, not to escalate from a local user to SYSTEM via token impersonation. Option C (Kerberoasting) is wrong because it targets service account Kerberos tickets for offline cracking, requiring domain credentials and not leveraging SeImpersonatePrivilege. Option D (SUID abuse) is wrong because it is a Linux/Unix privilege escalation technique involving set-user-ID executables, not applicable to Windows token manipulation.

519
MCQmedium

A penetration tester runs `nbtstat -A 192.168.1.10` on a Windows machine. The output reveals the NetBIOS name table and shows a <20> entry. What does this indicate?

A.The target is a printer
B.The target is a file server
C.The target is a domain controller
D.The target is a workstation
AnswerB

<20> indicates the file server service.

Why this answer

NetBIOS <20> identifies a file server service (SMB). The tester can now attempt SMB enumeration or brute-force attacks.

520
Multi-Selecthard

Which THREE of the following are effective countermeasures against DNS poisoning attacks? (Select exactly 3)

Select 3 answers
A.Use a single DNS server for all queries
B.Restrict recursive queries to trusted sources
C.Disable DNS caching
D.Use a split DNS architecture
E.Implement DNSSEC
AnswersB, D, E

Limiting recursion prevents unauthorized use.

Why this answer

Option B is correct because restricting recursive queries to trusted sources prevents attackers from using your DNS server as an open resolver to cache forged responses. By limiting recursion to authorized clients only, the server will not accept and cache DNS data from external, potentially malicious queries, which is a primary vector for DNS cache poisoning.

Exam trap

The trap here is that candidates may think disabling DNS caching (Option C) is a valid countermeasure, but CEH expects you to recognize that it is not a security best practice and that DNSSEC, split DNS, and restricting recursion are the standard, effective defenses.

521
MCQhard

During a penetration test, you run the command: 'macof -i eth0 -s 192.168.1.1 -d 192.168.2.1 -e 00:11:22:33:44:55'. What is the intended effect of this command?

A.Execute a SYN flood against the target
B.Perform MAC flooding to cause switch to fail open
C.Perform ARP poisoning
D.Spoof DNS responses
AnswerB

macof floods with random MACs to exhaust CAM table, enabling sniffing.

Why this answer

macof is a tool used for MAC flooding, which floods a switch with fake MAC addresses to overflow the CAM table, causing the switch to fail open and operate like a hub, allowing packet sniffing.

522
MCQmedium

An IoT device uses the MQTT protocol without TLS. An attacker on the same network subscribes to all topics and captures messages. What is the MOST significant security risk?

A.Firmware corruption
B.Denial of service
C.Replay attacks
D.Loss of message confidentiality
AnswerD

Cleartext transmission exposes message content.

Why this answer

Without TLS, MQTT traffic is sent in cleartext, allowing interception and reading of sensitive data.

523
Multi-Selectmedium

Which TWO of the following are examples of application-layer DDoS attacks? (Select 2)

Select 2 answers
A.HTTP flood
B.ICMP flood
C.SYN flood
D.UDP flood
E.Slowloris
AnswersA, E

HTTP flood sends many legitimate-looking HTTP requests.

Why this answer

HTTP flood is an application-layer DDoS attack because it targets the HTTP protocol (Layer 7) by overwhelming a web server with seemingly legitimate GET or POST requests. Unlike network-layer attacks, HTTP flood exploits the server's processing of application-layer requests, often mimicking normal user behavior to bypass basic rate limiting. This forces the server to allocate resources for each request, eventually exhausting connection pools or CPU cycles.

Exam trap

The trap here is that candidates often confuse network-layer attacks (ICMP, SYN, UDP floods) with application-layer attacks, mistakenly thinking any flood of traffic qualifies as application-layer, when in fact application-layer attacks specifically target protocols like HTTP, DNS, or SMTP at Layer 7.

524
MCQmedium

A security analyst notices that a web application's SSL/TLS certificate is issued by a CA that is not trusted by modern browsers. Which type of attack could this enable?

A.Man-in-the-middle attack
B.Downgrade attack
C.Birthday attack
D.Replay attack
AnswerA

An untrusted CA can be used to issue fake certificates, enabling MITM if the client trusts it.

Why this answer

Using a self-signed or untrusted CA certificate can allow an attacker to perform a man-in-the-middle attack by presenting their own certificate that the browser may accept with user warning.

525
MCQeasy

Which Burp Suite tool is specifically designed to automate customized attacks against web applications, such as brute-forcing login credentials or fuzzing parameters?

A.Repeater
B.Scanner
C.Intruder
D.Proxy
AnswerC

Intruder performs automated attacks with payloads and positions.

Why this answer

Burp Intruder is used for automating customized attacks, including brute force and fuzzing.

Page 6

Page 7 of 14

Page 8