Certified Ethical Hacker (CEH) — Questions 601–675

1010 questions total · 14 pages · All types, answers revealed

Page 9 of 14
601
MCQ · medium

After gaining access to a system, an attacker modifies log files to remove evidence of their activities. This action is part of which phase of the system hacking methodology?

A. Spying
B. Executing applications
C. Hiding files
D. Erasing tracks
Answer: D

Correct. Erasing tracks includes clearing logs, removing evidence, and covering traces.

Why this answer

The correct answer is D, 'Erasing tracks,' because after gaining access, the attacker's goal is to cover their footprints by modifying or deleting log files, clearing event logs, or using tools like `wevtutil` or `clearev` to remove evidence of their activities. This phase ensures the system administrator cannot detect the intrusion or trace the attacker's actions.

Exam trap

The trap here is that candidates confuse 'Hiding files' (option C) with 'Erasing tracks,' but hiding files focuses on concealing payloads, while erasing tracks specifically targets log files and audit trails to cover the attacker's digital footprint.

How to eliminate wrong answers

Option A is wrong because 'Spying' is not a recognized phase in the CEH system hacking methodology; it is a vague term that does not correspond to any specific phase like reconnaissance or maintaining access. Option B is wrong because 'Executing applications' refers to running tools or payloads during the 'Gaining Access' or 'Maintaining Access' phases, not the post-exploitation cleanup of logs. Option C is wrong because 'Hiding files' involves concealing malicious files using techniques like NTFS alternate data streams or rootkits, which is part of the 'Maintaining Access' phase, not the specific act of erasing log evidence.

602
MCQ · easy

A security analyst suspects an attacker has used a rainbow table to crack password hashes from a compromised system. Which password cracking technique involves precomputed hash chains?

A. Rainbow table attack
B. Dictionary attack
C. Brute force attack
D. Hybrid attack
Answer: A

Correct. Rainbow tables are precomputed tables for fast hash reversal.

Why this answer

A rainbow table attack is the correct answer because it specifically uses precomputed hash chains to reverse cryptographic hash functions. Rainbow tables are a form of time-memory trade-off where chains of hashes are computed and stored, allowing an attacker to look up a hash and quickly find the original plaintext without recomputing all possible hashes. This technique is distinct from other methods because it relies on precomputation rather than real-time guessing or dictionary lookups.

Exam trap

The trap here is that candidates often confuse 'precomputed hash chains' with a dictionary attack, thinking that a dictionary file is a form of precomputation, but a dictionary attack still requires real-time hashing of each word, whereas rainbow tables store the chain endpoints for instant lookup.

How to eliminate wrong answers

Option B (Dictionary attack) is wrong because it uses a list of likely passwords (words from a dictionary) and hashes each in real time, not precomputed hash chains. Option C (Brute force attack) is wrong because it tries every possible combination of characters sequentially, without any precomputation or stored chains. Option D (Hybrid attack) is wrong because it combines dictionary words with variations (e.g., appending numbers or symbols) but still performs real-time hashing, not precomputed chains.

603
MCQ · easy

Which of the following is a symmetric encryption algorithm that uses a block cipher with a fixed block size of 128 bits and key sizes of 128, 192, or 256 bits?

A. 3DES
B. RC4
C. AES
D. RSA
Answer: C

AES meets the description: symmetric, 128-bit block, key sizes 128/192/256.

Why this answer

AES (Advanced Encryption Standard) is a symmetric encryption algorithm that operates as a block cipher with a fixed block size of 128 bits and supports key sizes of 128, 192, or 256 bits. It was established by NIST in 2001 (FIPS 197) and is widely used in modern cryptographic systems, including wireless security (WPA2/WPA3) and TLS.

Exam trap

The trap here is that candidates often confuse AES with 3DES due to both being symmetric block ciphers, but they fail to recall that 3DES uses a 64-bit block size (not 128 bits) and lacks the specific key size options of AES, leading them to select 3DES incorrectly.

How to eliminate wrong answers

Option A is wrong because 3DES (Triple DES) uses a block size of 64 bits, not 128 bits, and its key size is effectively 112 or 168 bits (using three 56-bit DES keys), not the specified 128/192/256-bit options. Option B is wrong because RC4 is a stream cipher, not a block cipher, and it does not have a fixed block size or support key sizes of 128/192/256 bits in the manner described; it uses variable-length keys (typically 40–2048 bits) and is deprecated due to known vulnerabilities. Option D is wrong because RSA is an asymmetric (public-key) encryption algorithm, not a symmetric one, and it does not use a fixed block size or the specified key sizes; it relies on key pairs (public/private) based on large prime numbers.

604
MCQ · easy

Which of the following is a primary defense against SQL injection attacks?

A. Prepared statements
B. HTTPS encryption
C. Input blacklisting
D. Output encoding
Answer: A

Parameterized queries separate SQL logic from data, preventing injection.

Why this answer

Prepared statements with parameterized queries ensure user input is treated as data, not executable SQL code.

605
Multi-Select · hard

Which THREE of the following are common indicators of an SQL injection attack? (Choose 3.)

Select 3 answers
A. Frequent 302 redirects to login pages
B. Multiple failed connection attempts in server logs
C. Unexpected rows or columns in query results
D. Unusually slow database responses
E. Database error messages in the application response
Answers: C, D, E

Union-based injection often adds extra rows or columns to the output.

Why this answer

SQL injection often causes slow queries due to heavy operations (e.g., UNION, subqueries), unexpected rows in output, and database error messages revealing syntax details. A and B are not typical indicators: redirects are not SQLi specific, and failed or dropped connections could be network issues.

606
MCQ · medium

A penetration tester needs to perform a brute-force attack on a web application login form. Which Burp Suite tool is specifically designed for automating parameterized attacks like password guessing?

A. Repeater
B. Scanner
C. Intruder
D. Proxy
Answer: C

Intruder automates parameterized attacks with payloads.

Why this answer

Burp Suite Intruder is specifically designed for automating parameterized attacks, such as brute-forcing login credentials, by letting the tester mark payload positions and iterate through a list of values (e.g., passwords) against a target endpoint. Unlike the other Burp Suite tools, Intruder supports multiple attack types (Sniper, Battering Ram, Pitchfork, Cluster Bomb) and can throttle requests and handle sessions, making it well suited to password guessing.

Exam trap

EC-Council often tests the misconception that Repeater can be used for brute-forcing because it can resend requests, but Repeater lacks the automated payload iteration and response analysis features that Intruder provides.

How to eliminate wrong answers

Option A is wrong because Repeater is used for manually resending and modifying individual HTTP requests to observe responses, not for automating multiple iterations of parameterized attacks. Option B is wrong because Scanner is designed for automated vulnerability detection (e.g., SQL injection, XSS) and does not support custom payload lists or brute-force sequencing. Option D is wrong because Proxy is an intercepting proxy that captures and forwards traffic between the browser and target, but it lacks the automation and payload iteration capabilities required for brute-force attacks.

607
MCQ · easy

A security analyst is using Nmap to scan a network segment 192.168.1.0/24 and wants to identify live hosts without sending packets to every IP. Which scan type should the analyst use to minimize network traffic while discovering active hosts?

A. TCP SYN scan using `nmap -sS`
B. ARP scan using `nmap -PR`
C. Ping sweep using `nmap -sn`
D. UDP scan using `nmap -sU`
Answer: C

`-sn` disables port scan and sends only ICMP echo, TCP SYN to port 443, etc., minimizing traffic.

Why this answer

Option C is correct because `nmap -sn` (ping sweep) sends ICMP echo requests, TCP SYN to port 443, TCP ACK to port 80, and ICMP timestamp requests by default, allowing the analyst to discover live hosts without scanning every port or sending packets to every IP individually. This minimizes network traffic compared to full port scans while still efficiently identifying active devices on the 192.168.1.0/24 subnet.

Exam trap

The trap here is that candidates often confuse 'minimizing network traffic' with using a stealth scan like `-sS`, but the question specifically asks for host discovery, not port scanning, and `-sn` is the correct low-traffic option for that purpose.

How to eliminate wrong answers

Option A is wrong because TCP SYN scan (`-sS`) performs a half-open scan on all specified ports, generating significantly more packets than a simple host discovery scan, which contradicts the goal of minimizing traffic. Option B is wrong because ARP scan (`-PR`) is only effective on the local Ethernet segment and cannot discover hosts across routers or subnets, making it unsuitable for a /24 network that may span multiple Layer 2 domains. Option D is wrong because UDP scan (`-sU`) sends UDP packets to many ports, often requiring retransmissions due to packet loss, and generates excessive traffic while being slower and less reliable for host discovery.

608
MCQ · hard

A security engineer observes that an internal web application uses XML to transmit data between systems. The engineer discovers that by sending a crafted XML payload, they can read sensitive files from the server's filesystem. Which attack is being performed?

A. SSRF
B. Command injection
C. XXE injection
D. XPath injection
Answer: C

XXE injection exploits XML parsers that process external entities, allowing file disclosure.

Why this answer

XXE (XML External Entity) injection allows reading files via external entities in XML.

609
Multi-Select · medium

Which TWO of the following are examples of active reconnaissance techniques? (Select two)

Select 2 answers
A. Querying Shodan for open ports on a target
B. Running an Nmap SYN scan against a target
C. Searching for sensitive files using Google dorks
D. Performing a WHOIS lookup
E. Using Netcat to grab banners from a web server
Answers: B, E

Nmap sends packets to the target.

Why this answer

Option B is correct because an Nmap SYN scan (also known as a half-open scan) sends a TCP SYN packet to a target port and analyzes the response. If a SYN/ACK is received, the port is open; if an RST is received, the port is closed. This scan actively interacts with the target system by sending network traffic, making it an active reconnaissance technique.

Exam trap

The trap here is that candidates often confuse passive information-gathering tools (like Shodan, Google dorks, or WHOIS) with active techniques, because they involve querying external databases rather than directly engaging the target's systems.

610
MCQ · easy

A junior penetration tester runs the command `whois example.com`. What type of information are they MOST likely trying to obtain?

A. DNS zone transfer information
B. The IP address of the web server
C. Open ports on the target server
D. Domain registration details such as registrar, creation date, and contact information
Answer: D

WHOIS returns domain registration information, which is useful for footprinting.

Why this answer

The `whois` command queries a WHOIS server (typically operated by a Regional Internet Registry or domain registrar) to retrieve domain registration details. This includes the registrar name, creation and expiration dates, name servers, and often administrative/technical contact information. It is a core footprinting technique used to gather publicly available metadata about a domain owner and infrastructure.

Exam trap

EC-Council often tests the distinction between WHOIS (domain registration metadata) and DNS lookups (IP resolution), leading candidates to mistakenly associate WHOIS with IP addresses or server configuration details.

How to eliminate wrong answers

Option A is wrong because DNS zone transfer information is obtained using the `dig axfr` or `nslookup -type=axfr` command against an authoritative DNS server, not via WHOIS. Option B is wrong because while WHOIS may list name servers, it does not directly return the IP address of the web server; that requires a DNS A-record lookup using `nslookup` or `dig`. Option C is wrong because open ports are discovered through port scanning tools like Nmap, not through the WHOIS protocol, which only returns registration metadata.

611
Multi-Select · easy

Which TWO of the following are symmetric encryption algorithms? (Select TWO.)

Select 2 answers
A. ECC
B. AES
C. RSA
D. 3DES
E. SHA-256
Answers: B, D

AES is a symmetric block cipher.

Why this answer

AES and 3DES are both symmetric block ciphers. RSA and ECC are asymmetric algorithms, and SHA-256 is a hash function.

612
MCQ · medium

A tester runs `snmpwalk -v2c -c public 192.168.1.1` and receives a large amount of system information. What does this command do?

A. It walks the SNMP MIB tree using version 2c and the public community string.
B. It performs a brute-force attack on SNMP community strings.
C. It enumerates users on a Windows domain.
D. It sets SNMP values using the private community string.
Answer: A

This is the correct description.

Why this answer

The `snmpwalk` command is used to retrieve a subtree of management values from an SNMP agent. The `-v2c` flag specifies SNMP version 2c, which uses community-based security, and `-c public` provides the community string 'public' (often the default read-only community). The command walks the entire MIB tree starting from the root, returning all available OID values, which explains the large amount of system information received.

Exam trap

The trap here is that candidates may confuse `snmpwalk` with a brute-force tool or think it can modify SNMP values, but the command strictly performs read-only enumeration using the specified community string.

How to eliminate wrong answers

Option B is wrong because `snmpwalk` does not perform brute-force attacks; tools like `onesixtyone` or `hydra` are used for brute-forcing SNMP community strings. Option C is wrong because `snmpwalk` enumerates SNMP MIB objects, not Windows domain users; tools like `enum4linux` or `ldapsearch` are used for domain user enumeration. Option D is wrong because `snmpwalk` only reads values (GET/GETNEXT requests) and does not set or write SNMP values; setting values requires `snmpset` with a read-write community string like 'private'.

613
MCQ · medium

A penetration tester wants to perform a ping sweep on a /24 subnet to identify live hosts. Which command would accomplish this efficiently?

A. `nmap -sn 192.168.1.0/24`
B. `nmap -O 192.168.1.0/24`
C. `nmap -p- 192.168.1.0/24`
D. `nmap -sV 192.168.1.0/24`
Answer: A

`-sn` is the Nmap ping sweep flag that discovers live hosts without scanning ports.

Why this answer

Option A is correct because `nmap -sn` performs a ping sweep (host discovery) without port scanning, sending ICMP echo requests, TCP SYN to port 443, TCP ACK to port 80, and ICMP timestamp requests by default. This efficiently identifies live hosts on a /24 subnet without the overhead of port scanning or OS detection.

Exam trap

The trap here is that candidates often confuse `-sn` (ping sweep) with `-sP` (deprecated alias) or assume that `-O` or `-sV` are faster because they provide more information, but they actually add significant overhead and are not designed for simple host discovery.

How to eliminate wrong answers

Option B is wrong because `-O` enables OS detection, which requires open ports and sends additional probes, making it slower and not focused on simple host discovery. Option C is wrong because `-p-` scans all 65535 TCP ports, which is a full port scan and extremely time-consuming for a /24 subnet, not a ping sweep. Option D is wrong because `-sV` performs service version detection on open ports, which requires a prior port scan and is not designed for host discovery.

614
MCQ · medium

A security analyst performs a passive reconnaissance of a target domain using public resources. Which of the following techniques would be considered passive reconnaissance?

A. Using Netcat to grab banners from the target's email server
B. Running Nmap SYN scan on the target's web server
C. Performing a WHOIS lookup for the target domain
D. Sending a ping sweep to the target's public IP range
Answer: C

WHOIS queries use public databases, not direct interaction with the target.

Why this answer

Passive reconnaissance involves gathering information without directly interacting with the target's systems, thus avoiding any network traffic that could be detected. A WHOIS lookup queries a public registry database (e.g., whois.arin.net) over port 43 or via a web interface, retrieving domain registration details without sending any packets to the target's own infrastructure. This makes it a purely passive technique.

Exam trap

The trap here is that candidates confuse 'using public resources' (like WHOIS databases) with 'sending network probes' (like banner grabbing or pings), assuming any information-gathering tool is passive if it doesn't exploit vulnerabilities.

How to eliminate wrong answers

Option A is wrong because using Netcat to grab banners requires establishing a TCP connection to the target's email server (e.g., port 25), which sends packets and is an active interaction. Option B is wrong because running an Nmap SYN scan sends crafted TCP SYN packets to the target's web server and analyzes responses, which is active reconnaissance and can be logged by intrusion detection systems. Option D is wrong because sending a ping sweep involves transmitting ICMP Echo Request packets to the target's IP range, directly probing live hosts and generating detectable traffic.

615
MCQ · easy

A web application allows users to view documents by specifying a filename in the URL, e.g., `/getDocument?file=report.pdf`. A tester changes the file parameter to `../../etc/passwd` and retrieves the system password file. Which vulnerability is being exploited?

A. Local File Inclusion (LFI)
B. Directory traversal
C. Remote File Inclusion (RFI)
D. Command injection
Answer: B

Directory traversal exploits insufficient input validation to access arbitrary files.

Why this answer

Directory traversal (path traversal) occurs when user input is used to access files outside the intended directory. The use of '../' sequences indicates directory traversal.

616
MCQ · medium

An analyst wants to perform a SYN flood attack test against a server to evaluate its resilience. Which of the following tools would be the MOST appropriate for this task?

A. Nmap
B. Shodan
C. Wireshark
D. hping3
Answer: D

hping3 can generate a high volume of SYN packets with spoofed IPs, ideal for simulating SYN flood attacks.

Why this answer

hping3 is the most appropriate tool because it is a command-line packet crafting tool that allows the user to generate custom TCP SYN packets with spoofed source IP addresses, making it ideal for simulating a SYN flood attack. Unlike other tools, hping3 can send a high volume of SYN packets without completing the three-way handshake, which is the core mechanism of a SYN flood that exhausts the server's connection queue.

Exam trap

EC-Council often tests the misconception that Nmap's SYN scan (`-sS`) is equivalent to a SYN flood attack, but Nmap is designed for stealthy reconnaissance with low packet rates, not for overwhelming a target with high-volume traffic.

How to eliminate wrong answers

Option A is wrong because Nmap is a network scanning tool used for port discovery and service enumeration, not for generating high-volume attack traffic; it can send SYN packets for scanning but lacks the rate control and spoofing capabilities needed for a sustained SYN flood. Option B is wrong because Shodan is a search engine for internet-connected devices and does not generate any network traffic or perform attacks; it is used for reconnaissance, not exploitation. Option C is wrong because Wireshark is a packet analyzer used for capturing and inspecting network traffic, not for generating or injecting packets; it cannot initiate a SYN flood.

617
Multi-Select · easy

A web application tester encounters a parameter that is reflected in the response without sanitization. The tester suspects XSS. Which TWO types of XSS could be present in this scenario? (Choose TWO.)

Select 2 answers
A. DOM-based XSS
B. Reflected XSS
C. Self-XSS
D. Stored (persistent) XSS
E. Blind XSS
Answers: A, B

If the client-side JavaScript uses the parameter unsafely, it could be DOM-based.

Why this answer

Reflected XSS occurs when the input is immediately reflected in the response. DOM-based XSS occurs when client-side JavaScript processes the input unsafely. Stored XSS requires data to be saved on the server, which is not indicated here.

618
Multi-Select · easy

Which TWO of the following are common OSINT tools for passive reconnaissance? (Select 2)

Select 2 answers
A. Metasploit
B. theHarvester
C. hping3
D. Maltego
E. Nmap
Answers: B, D

theHarvester passively gathers information from search engines, PGP key servers, etc.

Why this answer

theHarvester is a passive OSINT tool that gathers email addresses, subdomains, IPs, and virtual hosts from public sources like search engines (Google, Bing), PGP key servers, and the SHODAN database without sending any packets directly to the target. This aligns with passive reconnaissance, which relies on publicly available information rather than active probing.

Exam trap

EC-Council often tests the distinction between passive and active reconnaissance, and the trap here is that candidates confuse tools like Nmap or hping3 (which are active) with passive OSINT tools because they are commonly used in the early stages of an engagement.

619
MCQ · easy

A security analyst captures a large number of weak initialization vectors (IVs) using airodump-ng. Which attack does this preparation indicate?

A. WPS PIN brute force
B. WPA2 dictionary attack
C. WEP key cracking
D. Evil twin attack
Answer: C

Weak IVs are characteristic of WEP encryption; capturing enough allows aircrack-ng to derive the key.

Why this answer

WEP (Wired Equivalent Privacy) uses the RC4 stream cipher with a 24-bit initialization vector (IV) that is transmitted in plaintext. Weak IVs, such as those identified by tools like airodump-ng, are predictable or repeatable, allowing an attacker to capture enough packets to recover the WEP key using statistical attacks like the FMS (Fluhrer, Mantin, Shamir) or KoreK attacks. This preparation directly indicates an attempt to crack the WEP key.

Exam trap

EC-Council often tests the distinction between WEP and WPA/WPA2 by having candidates confuse weak IVs (a WEP-specific vulnerability) with the 4-way handshake (required for WPA/WPA2 cracking), leading them to incorrectly select the WPA2 dictionary attack option.

How to eliminate wrong answers

Option A is wrong because WPS PIN brute force targets the Wi-Fi Protected Setup (WPS) PIN, not weak IVs; it involves brute-forcing the 8-digit PIN via the registrar protocol, not capturing IVs with airodump-ng. Option B is wrong because a WPA2 dictionary attack uses captured 4-way handshake packets (not weak IVs) and attempts to derive the Pairwise Master Key (PMK) from a passphrase, relying on PBKDF2-SHA1 hashing, not RC4 IV weaknesses. Option D is wrong because an evil twin attack involves setting up a rogue access point to trick clients into connecting, often for credential harvesting or man-in-the-middle, and does not require capturing weak IVs from a target network.

620
MCQ · hard

A penetration tester is attempting to escalate privileges on a Linux target. The tester runs `find / -perm -4000 -type f 2>/dev/null` and discovers that `/usr/bin/pkexec` has the SUID bit set. The target runs Ubuntu 20.04 with default configurations. Which of the following is the MOST likely next step?

A. Exploit the pkexec vulnerability (CVE-2021-4034) to gain root access
B. Change the ownership of the pkexec binary to root:root
C. Use pkexec to execute a command as root directly
D. Remove the SUID bit from pkexec to prevent misuse
Answer: A

CVE-2021-4034 is a local privilege escalation in pkexec that affects many Linux systems, including Ubuntu 20.04.

Why this answer

CVE-2021-4034 (PwnKit) is a well-known vulnerability in pkexec on many Linux distributions, including Ubuntu 20.04. It allows local privilege escalation to root. The tester should exploit this vulnerability.

621
Multi-Select · medium

Which TWO of the following are characteristics of a polymorphic virus? (Select 2)

Select 2 answers
A. It spreads via email attachments only
B. It changes its code signature each time it replicates
C. It requires a host file to attach
D. It self-replicates without user interaction
E. It uses encryption to hide its payload
Answers: B, E

Why this answer

Polymorphic viruses change their code with each infection to evade signature detection, and they use encryption or mutation engines.

622
MCQ · hard

During a penetration test, you execute the following command: `dnsrecon -d example.com -t axfr`. The output shows 'AXFR record received' followed by a list of all DNS records. What does this indicate about the target's DNS configuration?

A. The DNS server is using DNSSEC to secure zone transfers
B. The DNS server is vulnerable to zone transfer attacks, allowing unauthorized users to retrieve the entire zone file
C. The DNS server is properly configured and only allows zone transfers to authorized secondary servers
D. The target uses a split-DNS configuration with internal and external views
Answer: B

A successful AXFR to an unauthenticated client indicates a misconfiguration that exposes internal network details.

Why this answer

The successful execution of `dnsrecon -d example.com -t axfr` and the receipt of an AXFR (full zone transfer) response indicates that the target DNS server is misconfigured to allow zone transfers from any host. A properly secured DNS server should restrict AXFR queries to only authorized secondary (slave) servers, typically by IP address or TSIG (Transaction Signature) keys. Since the command was run from an unauthorized client, this confirms a zone transfer vulnerability, allowing an attacker to retrieve the entire DNS zone file, which reveals all hostnames, IP addresses, and service records.

Exam trap

The trap here is that candidates may confuse DNSSEC with access control mechanisms, or assume that a successful zone transfer implies proper authorization, when in fact the CEH exam emphasizes that any successful AXFR from an unauthorized client is a critical misconfiguration and vulnerability.

How to eliminate wrong answers

Option A is wrong because DNSSEC (DNS Security Extensions) does not control or restrict zone transfers; it provides data origin authentication and integrity via digital signatures, but does not prevent AXFR queries. Option C is wrong because a properly configured DNS server would not respond to an AXFR request from an unauthorized source; the fact that the zone transfer succeeded proves the configuration is insecure, not properly configured. Option D is wrong because split-DNS (split-horizon) is a design where internal and external DNS views serve different records; it does not inherently prevent zone transfers, and the successful AXFR indicates a lack of access control, not a split configuration.

623
MCQ · easy

Which of the following is the PRIMARY purpose of steganography in the context of covering tracks after a system compromise?

A. To hide data within other files to avoid detection
B. To create a backdoor for future access
C. To delete system logs permanently
D. To encrypt log files so they cannot be read
Answer: A

Steganography conceals data in plain sight.

Why this answer

The primary purpose of steganography in covering tracks is to hide stolen data or malicious payloads within innocuous files (e.g., images, audio, video) so that forensic tools and analysts do not detect the exfiltration or persistence. Unlike encryption, which makes data unreadable but still visible, steganography conceals the very existence of the hidden data, allowing an attacker to bypass network monitoring and file inspection. This aligns with the CEH objective of covering tracks by avoiding detection of unauthorized data transfers.

Exam trap

The trap here is that candidates confuse steganography with encryption or log manipulation, mistakenly thinking its primary purpose is to secure data (like encryption) or to remove evidence (like log deletion), rather than to conceal the existence of the data itself.

How to eliminate wrong answers

Option B is wrong because creating a backdoor is a separate post-exploitation activity (e.g., using netcat or Meterpreter) and not a function of steganography, which focuses on hiding data rather than providing access. Option C is wrong because permanently deleting system logs is typically achieved with log-wiping tools (e.g., `wevtutil` on Windows or `shred` on Linux), not steganography, which does not delete files. Option D is wrong because encrypting log files (e.g., with AES) makes them unreadable but still visible as encrypted blobs, whereas steganography hides data within other files to avoid suspicion entirely.

624
Multi-Select · medium

Which TWO of the following are techniques used in session hijacking? (Choose 2)

Select 2 answers
A. Cookie theft
B. MAC flooding
C. ARP poisoning
D. TCP sequence prediction
E. DNS spoofing
Answers: A, D

Stealing session cookies allows an attacker to impersonate a user.

Why this answer

Session hijacking involves stealing or predicting session tokens. TCP sequence prediction allows an attacker to inject packets, and cookie theft reveals session identifiers.

625
MCQ · hard

An analyst runs the following command: `tcpdump -i eth0 src host 192.168.1.10 and dst port 80 -w http_traffic.pcap`. What is the primary purpose of this command?

A. To perform a man-in-the-middle attack on HTTP traffic
B. To capture all traffic on eth0 and display it in real-time
C. To capture only HTTP traffic from a specific source IP and save it to a file
D. To analyze the payload of HTTP packets in real-time
Answer: C

Correct. `src host 192.168.1.10 and dst port 80` filters the traffic; `-w` saves it to a file.

Why this answer

The command captures packets from source IP 192.168.1.10 with destination port 80 (HTTP) and writes them to a file for later analysis.

626
MCQ · hard

A penetration tester runs `nmap -sS -p 80 --script http-title 192.168.1.100` and receives output indicating port 80 is 'filtered'. What does the 'filtered' state imply?

A. The port is open and a service is listening
B. A firewall is likely blocking the probe packets
C. The service is running but the script failed
D. The port is closed and no service is listening
Answer: B

Filtered indicates that probes are being dropped or blocked, often by a firewall.

Why this answer

The 'filtered' state in Nmap indicates that the probe packets (SYN packets for a SYN scan) were dropped or did not elicit any response, typically due to a firewall or packet filter. Since no SYN/ACK or RST was received, Nmap cannot determine if the port is open or closed, so it marks it as 'filtered'. This is distinct from an 'open' state (SYN/ACK received) or 'closed' state (RST received).

Exam trap

The trap here is that candidates confuse 'filtered' with 'closed' or assume it means the service is running but unreachable, when in fact 'filtered' specifically indicates the probe was blocked by a filtering device.

How to eliminate wrong answers

Option A is wrong because an open port would return a SYN/ACK, causing Nmap to report it as 'open', not 'filtered'. Option C is wrong because the 'filtered' state is determined by the scan probe response, not by the success or failure of the http-title script; the script would only run if the port were open. Option D is wrong because a closed port would send back an RST packet, leading Nmap to report it as 'closed', not 'filtered'.

627
MCQmedium

Refer to the exhibit. A security analyst captured the HTTP request and response shown. What type of vulnerability is present?

A.Cross-Site Request Forgery (CSRF)
B.SQL Injection
C.Reflected Cross-Site Scripting (XSS)
D.Directory Traversal
AnswerC

The input is reflected in the response and executed as script.

Why this answer

The HTTP response contains the search query parameter directly reflected in the HTML body without proper sanitization or encoding. Specifically, the request includes `?search=<script>alert('XSS')</script>` and the response echoes this payload verbatim in the page content, allowing the browser to execute the injected JavaScript. This is the classic signature of a reflected cross-site scripting (XSS) vulnerability, where the malicious script is immediately reflected off the web server and executed in the user's browser.

Exam trap

EC-Council often tests the distinction between reflected XSS and stored XSS, but the trap here is confusing reflected XSS with CSRF: both involve crafted URLs, yet CSRF does not execute JavaScript in the response; it forges a state-changing request using the victim's session.

How to eliminate wrong answers

Option A is wrong because Cross-Site Request Forgery (CSRF) requires a forged request that changes state (e.g., a POST to transfer funds) and relies on the victim's authenticated session, not on reflected script execution in the response body. Option B is wrong because SQL Injection involves manipulating SQL queries via input fields (e.g., `' OR 1=1--`), but the exhibited payload is a JavaScript alert, not a SQL syntax-breaking string, and the response shows no database error or data leakage. Option D is wrong because Directory Traversal exploits path traversal sequences (e.g., `../etc/passwd`) to access files outside the web root, but the request parameter is `search` and the response contains HTML with the injected script, not file contents or directory listings.

628
MCQmedium

An organization wants to test its employees' susceptibility to social engineering by sending fake emails that appear to come from the IT department, requesting password resets. Which tool would be MOST effective for conducting this test?

A.Social Engineering Toolkit (SET)
B.Wireshark
C.Metasploit
D.Nmap
AnswerA

SET is designed for social engineering attacks, including spear phishing and credential harvesting.

Why this answer

The Social Engineering Toolkit (SET) is a dedicated framework for social engineering attacks, including phishing campaigns. PhishMe and KnowBe4 are commercial platforms, but SET is the well-known open-source tool for this purpose.

629
Matchingmedium

Match each vulnerability assessment tool to its function.

Automated vulnerability scanning

Open-source vulnerability scanner

Cloud-based vulnerability management

Network vulnerability scanner

Web server vulnerability scanner

Why these pairings

These tools are used for identifying security weaknesses.

630
MCQhard

An incident response team discovers a suspicious executable on a compromised workstation. They want to analyze the malware without executing it. Which of the following techniques would be MOST appropriate for this initial analysis?

A.Capturing network traffic with Wireshark during execution
B.Using the 'strings' command to extract embedded text
C.Monitoring process behavior with Process Monitor
D.Running the executable in a sandboxed environment
AnswerB

Strings is a static analysis tool that extracts ASCII and Unicode strings from the binary.

Why this answer

Static analysis involves examining the malware without executing it. Using strings to extract readable characters is a common static analysis technique.

631
Multi-Selecteasy

Which TWO vulnerabilities are associated with buffer overflow attacks?

Select 2 answers
A.Arbitrary code execution
B.Stack smashing
C.Authentication bypass via SQL injection
D.Cross-site scripting (XSS)
E.Race condition
AnswersA, B

Successful buffer overflow attacks often lead to arbitrary code execution.

Why this answer

Buffer overflow attacks occur when a program writes more data to a buffer than it can hold, overwriting adjacent memory. This can corrupt the stack and allow an attacker to inject and execute arbitrary code (option A) by overwriting the return address or function pointers. Stack smashing (option B) is a specific technique that deliberately corrupts the call stack to hijack control flow, often as part of a buffer overflow exploit.

Exam trap

The trap here is that candidates often confuse buffer overflow with other injection or concurrency flaws, but the CEH exam specifically pairs arbitrary code execution and stack smashing as the two direct consequences of a buffer overflow.

632
MCQhard

A penetration tester is analyzing a Windows 10 system and runs the following command to dump password hashes from the SAM database. The output shows hashes for local users but some are missing. Which step is most likely missing?

A.Run the tool as Administrator
B.Use reg.exe save to export SAM hive
C.Create a Volume Shadow Copy to access SAM file
D.Enable SeDebugPrivilege for the current process
AnswerC

VSS provides a read-only snapshot of the SAM file, bypassing the OS lock.

Why this answer

On Windows 10, the SAM file is locked by the operating system while the system is running, preventing direct read access even with Administrator privileges. Creating a Volume Shadow Copy (VSS) allows the penetration tester to access a point-in-time snapshot of the SAM file, bypassing the lock. This is the standard technique for dumping password hashes from a live system without rebooting or using a boot disk.

Exam trap

The trap here is that candidates assume Administrator privileges alone are sufficient to read the SAM file, overlooking the fact that Windows locks the file even for administrators, and that VSS is the required bypass.

How to eliminate wrong answers

Option A is wrong because running the tool as Administrator is necessary but not sufficient; the SAM file is still locked by the OS even for administrators. Option B is wrong because reg.exe save can export registry hives like SAM, but it requires the SeBackupPrivilege and still may fail if the hive is in use or if the tool does not handle the locked file correctly; VSS is the more reliable method. Option D is wrong because SeDebugPrivilege is used for debugging processes and accessing process memory, not for reading the locked SAM file directly; it does not bypass the file system lock.

633
MCQmedium

A security analyst notices that a web application returns different error messages for valid and invalid usernames during login. Which type of attack is this application MOST vulnerable to?

A.Directory traversal
B.Username enumeration
C.SQL injection
D.Cross-site scripting (XSS)
AnswerB

Different responses for valid vs invalid usernames directly enable username enumeration, a form of information disclosure.

Why this answer

The different error messages allow an attacker to enumerate valid usernames, which is a common precursor to brute-force or credential-stuffing attacks.

634
MCQmedium

An analyst sees the following in a log: Client sends a request to https://victim.com/api?url=http://169.254.169.254/latest/meta-data/. This is MOST indicative of which attack?

A.Cross-site scripting (XSS)
B.Server-side request forgery (SSRF)
C.Directory traversal
D.SQL injection
AnswerB

SSRF forces the server to request internal resources.

Why this answer

The IP 169.254.169.254 is the AWS metadata endpoint. SSRF attacks target internal services by manipulating the url parameter.

635
MCQhard

During a penetration test, an ethical hacker needs to evade an IDS that detects port scans based on the number of packets per second. Which technique would be most effective to avoid detection?

A.Use random source ports
B.Use a decoy scan
C.Slow down the scan rate
D.Use fragmented packets
AnswerC

Reducing packets per second avoids triggering rate-based IDS thresholds.

Why this answer

Option C is correct because slowing down the scan rate reduces the number of packets sent per second below the IDS threshold, allowing the scan to blend in with normal traffic. IDS systems like Snort use packet-per-second (pps) counters to detect port scans; by spacing out packets over a longer period, the scan avoids triggering these rate-based alerts.

Exam trap

EC-Council often tests the misconception that fragmentation alone evades IDS, but candidates must remember that rate-based detection counts packets regardless of fragmentation, so slowing the scan is the direct countermeasure.

How to eliminate wrong answers

Option A is wrong because randomizing source ports does not affect the packet-per-second rate; the IDS still counts the same number of packets in the same time window, so detection is not avoided. Option B is wrong because a decoy scan (e.g., using -D in Nmap) sends spoofed packets from multiple IPs, but the total packet rate from the attacker's IP remains unchanged, so the IDS can still detect the scan based on pps. Option D is wrong because fragmented packets (e.g., using -f in Nmap) split TCP headers across multiple IP fragments, but the IDS can reassemble them and still count the total number of packets per second, so the rate-based detection is not bypassed.

636
MCQmedium

Which of the following tools is specifically designed to exploit WPS vulnerabilities on wireless networks?

A.John the Ripper
B.aircrack-ng
C.Kismet
D.Reaver
AnswerD

Reaver performs brute-force attacks against WPS registrar PINs.

Why this answer

Reaver is specifically designed to exploit the WPS (Wi-Fi Protected Setup) PIN brute-force vulnerability. It targets the WPS registrar's lack of rate limiting and the fact that the PIN is split into two halves, making it feasible to guess the 8-digit PIN in under 10,000 attempts. This allows an attacker to recover the WPA/WPA2 pre-shared key without needing to crack the actual encryption.

Exam trap

The trap here is that candidates confuse aircrack-ng (which cracks WPA handshakes) with tools that exploit the WPS PIN vulnerability, but aircrack-ng has no WPS brute-force capability.

How to eliminate wrong answers

Option A is wrong because John the Ripper is a password cracking tool for offline hash files, not a wireless attack tool for exploiting WPS vulnerabilities. Option B is wrong because aircrack-ng is a suite for capturing and cracking WEP/WPA/WPA2 handshakes, but it does not target the WPS PIN brute-force mechanism. Option C is wrong because Kismet is a wireless network detector, sniffer, and intrusion detection system, not a tool for exploiting WPS vulnerabilities.

637
MCQhard

A penetration tester is testing an IIS web server and wants to exploit a WebDAV misconfiguration to upload a web shell. Which HTTP method should the tester check to determine if WebDAV is enabled and allows file uploads?

A.OPTIONS
B.MOVE
C.PUT
D.PROPFIND
AnswerA

OPTIONS returns the list of allowed methods, revealing if PUT or other WebDAV methods are enabled.

Why this answer

The OPTIONS method queries the server for supported HTTP methods. If WebDAV is enabled, the response will include methods like PUT, DELETE, PROPFIND, etc. PUT is used for upload, but OPTIONS first confirms availability.

638
MCQhard

A security engineer analyzes a cloud environment and finds that an S3 bucket named 'company-backups' is configured with a bucket policy that allows 'Principal': '*' and 'Action': 's3:GetObject'. Which of the following is the MOST likely risk?

A.An attacker can read any object in the bucket without authentication
B.An attacker can modify the bucket policy
C.An attacker can delete objects in the bucket
D.An attacker can enumerate all objects in the bucket
AnswerA

The policy allows anyone (Principal: *) to perform GetObject, making objects publicly readable.

Why this answer

A bucket policy allowing anonymous GetObject makes all objects publicly readable, leading to data exposure.

639
Multi-Selectmedium

Which THREE of the following are valid Nmap port states?

Select 3 answers
A.Open
B.Filtered
C.Blocked
D.Stealth
E.Unfiltered
AnswersA, B, E

An open port has a service listening.

Why this answer

Option A is correct because Nmap classifies a port as 'open' when it receives a SYN/ACK response to a SYN probe, indicating that an application is actively listening on that port. This is the standard TCP three-way handshake behavior defined in RFC 793, and it is the most fundamental port state in Nmap's scanning logic.

Exam trap

The trap here is that candidates confuse Nmap's scanning techniques (like stealth scan) with port states, or assume 'blocked' is a valid state when it is actually a synonym for 'filtered' that Nmap does not officially use.

640
MCQhard

An attacker uses `rpcclient -U '' -N 192.168.1.10` followed by `enumdomusers` and `enumdomgroups`. What type of enumeration is being performed, and which protocol does it rely on?

A.LDAP enumeration over port 389
B.SMB/RPC enumeration over port 445
C.NetBIOS enumeration over port 139
D.SNMP enumeration over port 161
AnswerB

rpcclient uses MS-RPC over SMB, typically port 445.

Why this answer

The `rpcclient` tool with the `-U '' -N` flags performs a null session connection to a Windows system over the SMB protocol. The subsequent `enumdomusers` and `enumdomgroups` commands enumerate domain users and groups via MS-RPC (Remote Procedure Call) functions, which are transported over SMB. By default, modern Windows systems use SMB over port 445, making option B the correct choice.

Exam trap

The trap here is that candidates confuse the underlying protocol (SMB/RPC on port 445) with the older NetBIOS session service (port 139), or mistakenly associate user/group enumeration solely with LDAP, not realizing that `rpcclient` uses MS-RPC over SMB.

How to eliminate wrong answers

Option A is wrong because LDAP enumeration typically uses `ldapsearch` or similar tools over port 389, not `rpcclient` commands like `enumdomusers`. Option C is wrong because NetBIOS enumeration uses `nbtstat` or `nbtscan` over port 139, and while older SMB could run over NetBIOS, the given command targets port 445 directly (default for modern SMB). Option D is wrong because SNMP enumeration uses tools like `snmpwalk` over UDP port 161, and `rpcclient` does not interact with SNMP at all.

641
MCQhard

An organization experiences a DDoS attack where the attacker sends many incomplete HTTP requests that keep connections open, exhausting the server's connection pool. Which attack technique is being used?

A.UDP flood
B.HTTP flood
C.SYN flood
D.Slowloris
AnswerD

Slowloris sends partial HTTP headers slowly, holding connections open until the server's limit is reached.

Why this answer

Slowloris is an application-layer DDoS attack that sends partial HTTP requests to keep many connections open, eventually exhausting the server's resources.

642
MCQmedium

A security analyst issues the command `dnsenum example.com` and receives a list of subdomains, mail servers, and name servers. What information is revealed by the presence of multiple MX records?

A.The domain has been compromised
B.The domain uses a single mail server with multiple aliases
C.The domain uses multiple mail servers for load balancing and failover
D.The domain is participating in a DDoS attack
AnswerC

Multiple MX records with different priorities provide failover.

Why this answer

Multiple MX records in a DNS zone file indicate that the domain is configured with more than one mail exchange server. This setup provides redundancy and load balancing for email delivery, as defined in RFC 5321. The `dnsenum` tool enumerates these records from the DNS server, revealing the domain's email infrastructure design.

Exam trap

The trap here is that candidates may confuse multiple MX records with multiple A records for a single hostname, or incorrectly assume that any multiplicity in DNS records indicates a security issue, rather than recognizing it as a standard high-availability design.

How to eliminate wrong answers

Option A is wrong because the presence of multiple MX records is a standard configuration for resilience, not an indicator of compromise. Option B is wrong because multiple MX records point to distinct mail servers (with different hostnames or IPs), not a single server with multiple aliases (which would be CNAME records). Option D is wrong because multiple MX records are used for legitimate email routing, not for participating in a DDoS attack; DDoS involvement would be inferred from traffic patterns, not DNS record counts.

643
Multi-Selectmedium

Which TWO of the following are characteristics of a SYN flood attack? (Select 2)

Select 2 answers
A.It exploits the TCP three-way handshake
B.It uses UDP amplification
C.It sends a large number of ICMP echo requests
D.It requires the attacker to have a botnet
E.It results in a backlog of incomplete connections
AnswersA, E

SYN flood targets the handshake by sending SYN packets without completing it.

Why this answer

SYN flood attacks send many SYN packets (often with spoofed IPs) and do not complete the handshake, leaving half-open connections that exhaust server resources.

644
MCQhard

A penetration tester runs the following Nmap command: `nmap -sU -sS -p 53,161,162,500 10.0.0.1` and receives no responses for UDP scans but standard results for TCP. The tester suspects the target is dropping all UDP packets. Which Nmap option could help increase the likelihood of UDP responses by fragmenting the probe?

A.-f
B.-T4
C.--reason
D.-Pn
AnswerA

-f fragments the probe packets, potentially helping to evade detection or filters that drop undifferentiated UDP traffic.

Why this answer

The -f option fragments the probe packets into smaller IP fragments. When a target drops unfragmented UDP packets, fragmenting the probes can sometimes bypass simple packet filters or IDS/IPS that drop larger or complete UDP datagrams, increasing the chance that the target will process and respond to the fragments.

Exam trap

The trap here is that candidates often confuse -f (fragmentation) with -T4 (timing) or -Pn (no ping), assuming any option that makes the scan 'faster' or 'more aggressive' will also bypass packet drops, when in fact fragmentation is the specific technique to alter packet structure.

How to eliminate wrong answers

Option B is wrong because -T4 sets the timing template to aggressive, which increases scan speed but does not fragment packets or alter UDP probe structure. Option C is wrong because --reason simply displays the reason for Nmap's port state determination and has no effect on packet fragmentation or UDP response behavior. Option D is wrong because -Pn skips host discovery and treats the target as alive, but it does not fragment probes or change how UDP packets are constructed.

645
Multi-Selectmedium

Which TWO of the following tools are commonly used for passive reconnaissance?

Select 2 answers
A.theHarvester
B.nmap
C.Netcat
D.Metasploit
E.Shodan
AnswersA, E

theHarvester gathers information from public sources passively.

Why this answer

theHarvester is a passive reconnaissance tool that gathers information from public sources such as search engines (Google, Bing), PGP key servers, and the Shodan API without directly interacting with the target network. It collects email addresses, subdomains, IPs, and employee names by querying publicly available data, making it a purely passive technique.

Exam trap

EC-Council often tests the distinction that tools like nmap and Netcat are active because they send packets to the target, while theHarvester and Shodan (when querying its database) rely on third-party collected data, making them passive.

646
MCQeasy

Which tool is specifically designed to crack Windows LM and NTLM hashes using rainbow tables?

A.Hashcat
B.Ophcrack
C.RainbowCrack
D.John the Ripper
AnswerB

Ophcrack cracks Windows LM/NTLM hashes using precomputed rainbow tables.

Why this answer

Ophcrack is a tool that cracks Windows LM/NTLM hashes using rainbow tables. John the Ripper and Hashcat are general password crackers but not rainbow-table-specific; RainbowCrack is a generic rainbow table tool but not Windows-specific.

647
MCQhard

A security team uses ScoutSuite to assess their AWS environment. The tool reports that an S3 bucket policy allows access from any IP address. What is the MOST likely misconfiguration?

A.The bucket has versioning enabled
B.The bucket ACL grants 'FullControl' to 'AuthenticatedUsers' group
C.The bucket is encrypted with SSE-S3
D.The bucket policy uses 'Principal': '*' and 'Condition': {'IpAddress': {'aws:SourceIp': '0.0.0.0/0'}}
AnswerD

This policy allows all principals from any IP, making the bucket public.

Why this answer

ScoutSuite identifies overly permissive bucket policies; allowing access from any IP (0.0.0.0/0) is a common misconfiguration.

648
MCQhard

A web application uses a parameter 'file' to include server-side files. The following request is intercepted: GET /page.php?file=../../../etc/passwd HTTP/1.1. The response contains the contents of /etc/passwd. This vulnerability is most likely which of the following?

A.Local File Inclusion (LFI)
B.Directory Traversal
C.Command Injection
D.Remote File Inclusion (RFI)
AnswerB

Using ../ to navigate directories to access restricted files is directory traversal.

Why this answer

The request uses path traversal sequences (../) to include a file outside the web root, which is a classic path traversal (directory traversal) vulnerability.

649
MCQeasy

A user receives a phone call from someone claiming to be from IT support, asking for their password to troubleshoot an issue. Which social engineering technique is being used?

A.Phishing
B.Pretexting
C.Baiting
D.Vishing
AnswerB

Correct. The attacker uses a false pretext (IT support) to obtain sensitive information.

Why this answer

Pretexting involves creating a fabricated scenario (pretext) to obtain information. Here the attacker pretends to be IT support to trick the user into revealing their password.

650
MCQmedium

During a vulnerability assessment, a security analyst receives an alert from the IDS that a scan with fragmented packets and spoofed source IPs is targeting the internal network. Which Nmap command MOST likely caused this alert?

A.nmap -sS -O 192.168.1.1
B.nmap -sV -p 80 192.168.1.1
C.nmap -sU 192.168.1.1
D.nmap -f -D 10.0.0.1,10.0.0.2 192.168.1.1
AnswerD

-f fragments packets, -D adds decoy IPs. This matches the IDS alert description.

Why this answer

Option D is correct because the `-f` flag fragments the packets into smaller IP fragments, and the `-D` flag performs a decoy scan by spoofing source IPs. This combination causes the IDS to detect fragmented packets with spoofed source addresses, matching the alert description.

Exam trap

The trap here is that candidates may confuse `-f` with other scan types like SYN or UDP scans, but the key is recognizing that fragmentation and spoofed source IPs are explicitly enabled by `-f` and `-D` respectively.

How to eliminate wrong answers

Option A is wrong because `-sS` (SYN scan) and `-O` (OS detection) do not fragment packets or spoof source IPs; they use raw packets with the real source IP. Option B is wrong because `-sV` (version detection) and `-p 80` target a single port without fragmentation or spoofing, generating normal TCP traffic. Option C is wrong because `-sU` (UDP scan) sends unfragmented UDP packets from the real source IP, not fragmented or spoofed traffic.

651
MCQeasy

A security analyst uses the nbtstat -a command against a target IP address. What information is the analyst MOST likely attempting to retrieve?

A.Active directory domain controllers
B.List of all open TCP ports
C.NetBIOS name table of the remote machine
D.The MAC address of the target
AnswerC

The -a flag lists the remote machine's NetBIOS name table.

Why this answer

The nbtstat -a command is used to query the NetBIOS name table of a remote machine by its IP address. This table contains the NetBIOS names registered by the remote host, such as the computer name, workgroup/domain, and any services running over NetBIOS (e.g., file sharing). The analyst is most likely attempting to enumerate these names for reconnaissance or to identify potential targets for further exploitation.

Exam trap

The trap here is that candidates often confuse nbtstat -a with retrieving only the MAC address, because the output does display a MAC address line, but the command's primary function is to enumerate the NetBIOS name table.

How to eliminate wrong answers

Option A is wrong because nbtstat does not query Active Directory domain controllers; that would require tools like nslookup or dsquery. Option B is wrong because nbtstat does not list open TCP ports; port scanning is done with tools like Nmap or netstat. Option D is wrong because while nbtstat can display the MAC address in its output (under the 'MAC Address' field), the primary purpose of the -a switch is to retrieve the NetBIOS name table, not just the MAC address.

652
MCQhard

During a web application assessment, a tester intercepts a request and modifies the 'Referer' header. The application then performs a state-changing action without requiring a token. Which vulnerability is most likely present?

A.Cross-site scripting (XSS)
B.Server-side request forgery (SSRF)
C.Cross-site request forgery (CSRF)
D.Clickjacking
AnswerC

CSRF occurs when the application does not verify the request's legitimacy, allowing an attacker to forge requests on behalf of an authenticated user.

Why this answer

Cross-Site Request Forgery (CSRF) attacks rely on the application not verifying the origin of the request; a missing CSRF token and lack of Referer validation make the application vulnerable.

653
MCQhard

During a penetration test, a security analyst observes that Nmap SYN scans to a target server are not returning any results, but TCP connect scans succeed. The server is running an IDS. Which evasion technique is the analyst MOST likely encountering?

A.The IDS is dropping packets with the SYN flag set
B.The server is using a firewall that blocks all inbound SYN packets
C.The analyst's packets are being fragmented, causing them to be dropped
D.The target is using a honeypot that responds to all connection attempts
AnswerA

IDS can be configured to drop packets based on flags. SYN scans send only SYN, while connect scans send a full handshake; the IDS may allow the latter.

Why this answer

The IDS is configured to drop packets with only the SYN flag set, which is the hallmark of a SYN scan. This evasion technique forces the attacker to use a full TCP connect scan (which completes the three-way handshake) to bypass the IDS detection. The IDS drops the initial SYN packet, preventing the scan from receiving any response, while a full connect scan is allowed because it mimics legitimate traffic.

Exam trap

The trap here is that candidates often assume a firewall is blocking the SYN packets, but the question specifies an IDS is running, and the key distinction is that a firewall would block both scan types, while an IDS can selectively drop only half-open SYN packets to evade detection.

How to eliminate wrong answers

Option B is wrong because a firewall that blocks all inbound SYN packets would also block TCP connect scans, which rely on sending a SYN to initiate the handshake; the question states connect scans succeed, so this cannot be the case. Option C is wrong because packet fragmentation is an evasion technique used to bypass IDS/IPS signature matching, not to cause packets to be dropped; fragmented packets can still be reassembled and processed. Option D is wrong because a honeypot would respond to all connection attempts, including SYN scans, but the question states SYN scans return no results, indicating the packets are being dropped before reaching the target.

654
MCQeasy

A web application tester uses the following Burp Suite feature to automatically send multiple requests with different payloads to test for common vulnerabilities. Which feature is being used?

A.Intruder
B.Repeater
C.Proxy
D.Scanner
AnswerA

Intruder automates sending many requests with variable payloads for vulnerability testing.

Why this answer

Burp Intruder is designed for automated request customization and repetition, allowing fuzzing of parameters for injection flaws, brute-force attacks, and other vulnerability testing.

655
Multi-Selecteasy

Which TWO of the following are common methods to detect SQL injection vulnerabilities in a web application? (Select 2)

Select 2 answers
A.Reviewing the robots.txt file for hidden directories
B.Scanning with a vulnerability scanner like Nikto
C.Submitting a single quote (') and observing error messages
D.Checking for XSS payloads in input fields
E.Using boolean-based payloads and observing page content differences
AnswersC, E

A single quote often breaks the SQL query, leading to database errors that reveal injection points.

Why this answer

Submitting a single quote to provoke database errors, and sending boolean-based payloads while observing differences in the returned page content, are classic SQLi detection techniques.

656
MCQmedium

A penetration tester has obtained a copy of the SAM database from a Windows system. The hashes extracted include both LM and NTLM hashes. Which of the following tools would be MOST efficient to crack the NTLM hashes using a dictionary attack with GPU acceleration?

A.John the Ripper
B.Ophcrack
C.Hashcat
D.RainbowCrack
AnswerC

Hashcat with -m 1000 cracks NTLM hashes using GPU acceleration efficiently.

Why this answer

Hashcat is the most efficient tool for GPU-accelerated dictionary attacks against NTLM hashes because it is purpose-built for high-speed password cracking using OpenCL and CUDA, directly leveraging GPU parallelism. It supports the NTLM hash mode (1000) and can process millions of hashes per second, far outperforming CPU-based tools like John the Ripper for this specific task.

Exam trap

The trap here is that candidates confuse Ophcrack's LM hash rainbow table capability with NTLM cracking, or assume John the Ripper's general-purpose nature makes it equally efficient for GPU-accelerated tasks, when Hashcat is the de facto standard for GPU-based password cracking.

How to eliminate wrong answers

Option A is wrong because John the Ripper, while capable of cracking NTLM hashes, primarily runs on CPU and does not natively support GPU acceleration as efficiently as Hashcat; its GPU support is limited and requires separate builds or patches. Option B is wrong because Ophcrack is a specialized tool for cracking LM hashes using rainbow tables, not NTLM hashes, and it does not support GPU acceleration or dictionary attacks. Option D is wrong because RainbowCrack is designed for rainbow table attacks, not dictionary attacks, and while it can use GPU acceleration, it is not optimized for NTLM hash cracking via dictionary methods.

657
MCQmedium

Refer to the exhibit. An analyst suspects that the downloaded file 'update.exe' may have been tampered with. The vendor's official website lists the SHA256 hash as 4e7c2a8f9b3d1e5f6a0c8b7d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f. What should the analyst conclude?

A.The file has been tampered with because the hash is from a different file.
B.The SHA256 hash is not reliable; the analyst should use MD5 instead.
C.The file is authentic and has not been tampered with.
D.The file is malicious because the hash is too long.
AnswerC

The hash matches the official value, confirming integrity.

Why this answer

Option C is correct because the SHA256 hash provided by the vendor exactly matches the hash of the downloaded file. SHA256 is a cryptographically strong hash function that produces a fixed 256-bit (64-character hexadecimal) output. A matching hash confirms the file's integrity and authenticity, indicating it has not been tampered with.

Exam trap

The trap here is that candidates may mistakenly think a hash that matches is suspicious or that SHA256 is unreliable, when in fact a matching hash is the definitive proof of file integrity; the exam tests whether you understand that hash length and format are fixed and correct for SHA256.

How to eliminate wrong answers

Option A is wrong because the hash matches the vendor's official hash, so it is not from a different file; a mismatch would indicate tampering. Option B is wrong because SHA256 is more secure and collision-resistant than MD5; MD5 is deprecated due to known vulnerabilities and should not be used for integrity verification. Option D is wrong because the hash length (64 hex characters) is exactly correct for SHA256; a 256-bit hash is always 64 characters in hexadecimal representation, so it is not 'too long'.
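The check behind question 657, as an added example that is not part of the question bank: hash the downloaded file in a streaming fashion, normalise the published value, and compare the two. The file contents are constructed so the script runs offline; the published hash is the one quoted in the question. A match proves integrity against the published value only; that value is only as trustworthy as the channel it was obtained over.

```python
"""Verify a downloaded file against a vendor-published SHA256 value.

Added example; not part of the question bank. The file contents are constructed
so the script runs offline; VENDOR_SHA256 is the value quoted in the question.
"""
import hashlib
import hmac
import os
import tempfile

# Value quoted in the question as the vendor's published SHA256.
VENDOR_SHA256 = "4e7c2a8f9b3d1e5f6a0c8b7d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f"


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA256 so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalize_hex_digest(value: str) -> str:
    """Accept the forms hashes are usually pasted in: mixed case, surrounding
    whitespace, or a 'sha256:' / 'SHA256 (file) =' prefix as some vendors print."""
    value = value.strip()
    if "=" in value:
        value = value.rsplit("=", 1)[1].strip()
    if ":" in value:
        value = value.rsplit(":", 1)[1].strip()
    return value.lower()


def verify_file(path: str, published: str) -> bool:
    """True only if the file's SHA256 equals the published value.

    A well-formed SHA256 is exactly 64 hex characters; anything else is rejected
    rather than compared, so a truncated or mistyped value can never 'match'.
    """
    expected = normalize_hex_digest(published)
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError(f"not a SHA256 hex digest: {published!r}")
    actual = sha256_of_file(path)
    # Constant-time comparison; harmless here but the right habit for digests.
    return hmac.compare_digest(actual, expected)


def demo() -> tuple[bool, bool]:
    """Write a constructed stand-in for update.exe and check it two ways."""
    data = b"constructed stand-in for update.exe\n" * 1000
    with tempfile.NamedTemporaryFile(delete=False, suffix=".exe") as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        # The value we would publish if we were the vendor of this stand-in.
        own_published = "sha256:" + hashlib.sha256(data).hexdigest().upper()
        matches_own = verify_file(path, own_published)
        # The stand-in is not the real update.exe, so the vendor's value must not match.
        matches_vendor = verify_file(path, VENDOR_SHA256)
    finally:
        os.unlink(path)
    return matches_own, matches_vendor


if __name__ == "__main__":
    print(demo())  # (True, False)
```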

658
MCQmedium

During a network assessment, you use SNMPwalk against a target. Which of the following is a prerequisite for successful SNMP enumeration?

A.An open TCP port 161
B.The target must be running Linux
C.Knowledge of the SNMP community string
D.A valid username and password
AnswerC

The community string acts like a password for SNMP access.

Why this answer

Option C is correct. SNMPwalk requires a valid community string (often 'public') to query the MIB.

659
MCQhard

A cloud security engineer notices that an S3 bucket named 'company-backup' is configured to allow 's3:GetObject' access to 'Principal: *'. Which attack is this misconfiguration MOST likely to enable?

A.Denial of service by deleting objects
B.SSRF attack to internal metadata
C.Privilege escalation via IAM role
D.Unauthorized data access and exfiltration
AnswerD

Public read access to an S3 bucket allows anyone to download its contents, leading to data breach.

Why this answer

When an S3 bucket allows GetObject access to any principal (public), anyone can list and download objects, leading to data exposure. This is a classic unauthorized data access scenario, not privileged escalation or DoS.

660
Multi-Selecthard

A penetration tester is tasked with performing privilege escalation on a Windows system. Which THREE of the following methods are commonly used for Windows privilege escalation? (Select 3)

Select 3 answers
A.SUID bit abuse
B.Token impersonation (e.g., SeImpersonatePrivilege)
C.Exploiting unquoted service paths
D.Pass-the-hash attack
E.Exploiting weak service permissions (e.g., service misconfigurations)
AnswersB, C, E

If a process has the SeImpersonatePrivilege, it can impersonate other users, potentially gaining higher privileges.

Why this answer

Windows privilege escalation techniques include exploiting unquoted service paths (where spaces in the path allow execution hijacking), token impersonation (e.g., SeImpersonatePrivilege), and weak service permissions (allowing modification of service binaries). SUID abuse is Linux-specific, and pass-the-hash is for lateral movement, not escalation.

661
MCQmedium

A security analyst observes a sudden surge in incoming UDP traffic to the company's DNS servers from multiple external IP addresses. The packets appear to be DNS queries with spoofed source IPs. Which type of DDoS attack is MOST likely occurring?

A.SYN flood
B.DNS amplification
C.UDP flood
D.ICMP flood
AnswerB

DNS amplification uses open resolvers to send large responses to spoofed victims.

Why this answer

A DNS amplification attack uses spoofed source IPs and small queries that generate large responses, amplifying traffic to the victim.

662
Multi-Selecteasy

Which TWO of the following are common web application vulnerabilities that allow an attacker to inject malicious code? (Select exactly 2)

Select 2 answers
A.Brute Force
B.Cross-Site Scripting (XSS)
C.Path Traversal
D.SQL Injection
E.Cross-Site Request Forgery (CSRF)
AnswersB, D

XSS injects client-side scripts.

Why this answer

Cross-Site Scripting (XSS) is a common web application vulnerability that allows an attacker to inject malicious client-side scripts (typically JavaScript) into web pages viewed by other users. This occurs when an application includes untrusted data in a web page without proper validation or escaping, enabling the attacker to execute arbitrary code in the victim's browser within the context of the trusted site.

Exam trap

The trap here is that candidates often confuse Cross-Site Request Forgery (CSRF) with an injection vulnerability, but CSRF does not inject code into the application; it forges requests using the victim's authenticated session, whereas XSS and SQL Injection directly inject malicious code (scripts or SQL commands) into the application's execution context.

663
MCQeasy

A security analyst runs a vulnerability scan and finds that a server is vulnerable to CVE-2021-44228 (Log4j). Which of the following is the best immediate remediation step?

A.Update Log4j to version 2.17.1 or later
B.Remove the JndiLookup class from the Log4j jar
C.Disable JDBC appender in Log4j configuration
D.Block outbound traffic from the server to the internet
AnswerA

Patching directly addresses the vulnerability.

Why this answer

Option A is correct because CVE-2021-44228 (Log4Shell) is a remote code execution vulnerability in Apache Log4j versions 2.0 through 2.14.1, triggered by JNDI lookups in log messages. Updating to Log4j 2.17.1 or later fully patches the flaw by disabling JNDI lookups by default and fixing the LDAP deserialization vector. This is the vendor-recommended immediate remediation step as it addresses the root cause without relying on workarounds.

Exam trap

The trap here is that candidates often choose Option B (removing JndiLookup) because it was widely publicized as a quick fix, but the CEH exam expects you to know that only a full version update to 2.17.1 or later is the complete and recommended remediation, as the class removal is version-dependent and does not address all attack surfaces.

How to eliminate wrong answers

Option B is wrong because removing the JndiLookup class from the Log4j JAR file is a temporary mitigation that only works for Log4j versions 2.10 to 2.14.1; it does not fix other attack vectors like JDBC appender or Thread Context Map lookups, and the fix is not persistent across updates. Option C is wrong because disabling the JDBC appender does not address the core JNDI lookup vulnerability; the JDBC appender is a separate feature and not the primary attack vector for CVE-2021-44228. Option D is wrong because blocking outbound traffic from the server is a network-level containment measure that may limit exfiltration but does not prevent the initial RCE exploitation; the vulnerability can still be triggered internally or via reverse connections.

664
MCQmedium

A security analyst observes a suspicious SUID binary /usr/bin/evil in a Linux system. Which type of vulnerability does this indicate, and what is the MOST likely objective of an attacker who placed it?

A.Information disclosure; read sensitive files
B.Privilege escalation; gain root access
C.Denial of service; crash the system
D.Buffer overflow; execute arbitrary code
AnswerB

SUID binaries allow execution with elevated permissions; a root-owned SUID binary can be used to escalate to root.

Why this answer

A SUID binary owned by root that is not part of the standard OS distribution (like /usr/bin/evil) is a classic indicator of a privilege escalation backdoor. The SUID bit allows any user who executes the binary to run it with the owner's permissions—in this case, root—so the attacker's objective is to gain root access by executing this binary.

Exam trap

EC-Council often tests the distinction between a vulnerability (like a buffer overflow) and an indicator of a completed exploit (like a SUID binary), causing candidates to confuse the attack vector with the attacker's objective.

How to eliminate wrong answers

Option A is wrong because information disclosure typically involves reading sensitive files via misconfigured permissions or services (e.g., world-readable /etc/shadow), not a custom SUID binary. Option C is wrong because a denial of service attack aims to crash or exhaust system resources, whereas a SUID binary is specifically designed to grant elevated privileges, not disrupt availability. Option D is wrong because a buffer overflow exploits memory corruption to execute arbitrary code, but the presence of a suspicious SUID binary itself does not indicate a buffer overflow; it indicates a pre-placed privilege escalation mechanism.

665
MCQmedium

During a penetration test, you run the command: nmap -sU -p 161,162 --script=snmp-brute 192.168.1.100. Which of the following is the PRIMARY goal of this scan?

A.Discover SNMP community strings via brute-force
B.Perform a ping sweep to discover live hosts
C.Identify open TCP ports and services on the target
D.Enumerate SNMP MIB tree values
AnswerA

The combination of UDP scan on SNMP ports with the snmp-brute script is used to brute-force community strings.

Why this answer

The command uses the `-sU` flag for a UDP scan and targets ports 161 and 162, which are the standard SNMP ports. The `--script=snmp-brute` script attempts to brute-force SNMP community strings (the equivalent of passwords for SNMPv1/v2c). Therefore, the primary goal is to discover valid community strings, which is option A.

Exam trap

The trap here is that candidates confuse the `snmp-brute` script with SNMP MIB enumeration or general service discovery, but the script's explicit purpose is to brute-force community strings, not to read MIB values or scan TCP ports.

How to eliminate wrong answers

Option B is wrong because a ping sweep typically uses ICMP echo requests (or TCP SYN to common ports) and does not involve scanning UDP ports 161/162 or running an SNMP brute-force script. Option C is wrong because `-sU` scans UDP ports, not TCP ports, and the script is specifically for SNMP brute-forcing, not service enumeration. Option D is wrong because enumerating SNMP MIB tree values is done with scripts like `snmp-info` or `snmp-interfaces`, not the `snmp-brute` script, which focuses on guessing community strings.

666
MCQhard

A company's internal PKI uses an offline root CA and an online issuing CA. A security engineer needs to revoke a compromised certificate issued by the online CA. Which CRL distribution point should the engineer update?

A.The CRL published by the certificate authority that signed the issuing CA's certificate
B.The CRL published by the intermediate CA, if any
C.The CRL published by the online issuing CA
D.The CRL published by the offline root CA
AnswerC

The issuing CA is responsible for revoking certificates it issued.

Why this answer

The compromised certificate was issued by the online issuing CA, so only that CA has the authority to revoke it and publish the updated CRL. Clients validating the certificate will check the CRL distribution point (CDP) embedded in the certificate, which points to the issuing CA's CRL. Updating the CRL on the online issuing CA ensures that revocation status is immediately available to relying parties.

Exam trap

EC-Council often tests the misconception that the root CA must be involved in revocation of end-entity certificates, but in reality only the issuing CA that signed the certificate can revoke it and update its own CRL.

How to eliminate wrong answers

Option A is wrong because the CRL published by the CA that signed the issuing CA's certificate (the offline root CA) contains only revocation information for the issuing CA's certificate itself, not for end-entity certificates issued by the online CA. Option B is wrong because in this two-tier hierarchy there is no intermediate CA; even if one existed, the intermediate CA's CRL would cover certificates it issued, not those issued by the online issuing CA. Option D is wrong because the offline root CA is typically kept offline and does not publish a CRL for end-entity certificates; its CRL (if any) only covers subordinate CA certificates, not user or device certificates.

667
MCQhard

A security analyst captures network traffic and sees a sequence of ARP replies with the same IP address mapping to different MAC addresses within a short period. Which attack is indicated?

A.DNS spoofing
B.ARP poisoning
C.DHCP starvation
D.MAC flooding
AnswerB

ARP poisoning sends fake ARP replies to redirect traffic to the attacker's MAC.

Why this answer

ARP poisoning involves sending spoofed ARP replies so that an IP address (typically the gateway's) resolves to the attacker's MAC in victims' ARP caches; the same IP flapping between several MACs in a short period is the on-the-wire symptom, and the poisoned cache enables MITM.
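The detection logic behind question 667, as an added example that is not part of the question bank: alert when one IP is seen with two or more distinct MACs inside a sliding time window. The replies are constructed records of the form (timestamp, sender IP, sender MAC) as a capture tool would export them, and the 30-second window is an assumed tuning value.

```python
"""Detect the ARP-poisoning symptom: one IP answering with several MACs.

Added example, not from the question bank. SAMPLE_REPLIES is a constructed
capture; window_seconds is an assumed tuning value.
"""
from collections import defaultdict, deque


def detect_mac_flapping(replies, window_seconds: float = 30.0, min_macs: int = 2):
    """Return alerts for any IP seen with >= min_macs distinct MACs inside a sliding window.

    replies: iterable of (timestamp_seconds, ip, mac), in capture order.
    Each alert is (timestamp, ip, sorted list of MACs seen in the window).
    An IP is re-alerted only when the set of MACs in its window changes.
    """
    recent = defaultdict(deque)   # ip -> deque of (timestamp, mac) inside the window
    alerted = {}                  # ip -> frozenset of MACs already reported
    alerts = []
    for ts, ip, mac in replies:
        history = recent[ip]
        history.append((ts, mac.lower()))
        # Expire replies older than the window.
        while history and ts - history[0][0] > window_seconds:
            history.popleft()
        macs = frozenset(m for _, m in history)
        if len(macs) >= min_macs and alerted.get(ip) != macs:
            alerted[ip] = macs
            alerts.append((ts, ip, sorted(macs)))
    return alerts


# Constructed capture: the gateway 192.168.1.1 legitimately belongs to aa:bb:cc:00:00:01.
# At t=100 a second MAC starts claiming it; 192.168.1.50 only ever has one MAC.
SAMPLE_REPLIES = [
    (0.0,   "192.168.1.1",  "aa:bb:cc:00:00:01"),
    (5.0,   "192.168.1.50", "aa:bb:cc:00:00:50"),
    (60.0,  "192.168.1.1",  "aa:bb:cc:00:00:01"),
    (100.0, "192.168.1.1",  "DE:AD:BE:EF:00:99"),   # spoofed reply
    (101.0, "192.168.1.1",  "aa:bb:cc:00:00:01"),   # real gateway answers again
    (102.0, "192.168.1.1",  "de:ad:be:ef:00:99"),   # spoofed reply repeats
    (500.0, "192.168.1.1",  "aa:bb:cc:00:00:01"),   # long after; window has cleared
]

if __name__ == "__main__":
    for alert in detect_mac_flapping(SAMPLE_REPLIES):
        print(alert)  # one alert at t=101.0 for 192.168.1.1
```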

668
MCQmedium

A penetration tester discovers that a web application's search functionality reflects user input directly in the page source without sanitization. The tester crafts a URL like http://example.com/search?q=<script>alert('XSS')</script> and the script executes. This is an example of which type of XSS?

A.Stored (persistent) XSS
B.Blind XSS
C.DOM-based XSS
D.Reflected XSS
AnswerD

The payload is part of the request and is reflected back in the response, which is characteristic of reflected XSS.

Why this answer

Reflected XSS occurs when user input is immediately returned by the server in the response, without being stored, and the example shows the payload in the URL parameter.

669
MCQhard

You are a penetration tester assessing a client's internal network. The client has provided you with a non-administrative domain user account. The target network consists of 200 Windows workstations and 5 Windows servers (one domain controller, one file server, two application servers, and one database server). All systems are fully patched and have host-based firewalls enabled. The client wants you to identify vulnerabilities that could be exploited from the internal network. After initial reconnaissance, you discover that all servers have SMB (port 445) open only to the domain controller and the file server has SMB open to all workstations. You have gained a foothold on a workstation via a phishing attack. From this workstation, you can reach the file server on port 445. What is the most effective next step to enumerate potential vulnerabilities on the file server?

A.Attempt to connect to the file server via RDP (port 3389) using the compromised user's credentials.
B.Use PsExec to execute commands remotely on the file server using the compromised user account.
C.Run a full vulnerability scan (e.g., Nessus) against the entire subnet to identify weaknesses.
D.Enumerate SMB shares and session information using `net view \\fileserver` and `smbclient -L //fileserver`.
AnswerD

This reveals accessible shares and potential misconfigurations like null sessions.

Why this answer

Option D is correct because the client's objective is to enumerate potential vulnerabilities on the file server from the compromised workstation. Since SMB (port 445) is open between workstations and the file server, using `net view \\fileserver` and `smbclient -L //fileserver` allows you to list SMB shares, sessions, and other information without requiring administrative privileges or additional tools. This is a standard enumeration technique that reveals accessible resources, which can then be tested for misconfigurations or weak permissions.

Exam trap

The trap here is that candidates often assume a full vulnerability scan (Option C) is always the best next step, but in a stealthy penetration test with limited credentials, targeted SMB enumeration (Option D) is more effective and less likely to be detected.

How to eliminate wrong answers

Option A is wrong because RDP (port 3389) is not mentioned as open on the file server, and even if it were, connecting via RDP with a non-administrative user would not provide the necessary enumeration of SMB-based vulnerabilities. Option B is wrong because PsExec requires administrative privileges on the target system, and the compromised user is non-administrative, so the command would fail. Option C is wrong because running a full vulnerability scan (e.g., Nessus) against the entire subnet is noisy, time-consuming, and may trigger alerts; the question asks for the most effective next step after initial reconnaissance, and targeted SMB enumeration is more appropriate.

670
Multi-Selectmedium

An organization is using a cloud IAM policy that allows all actions on all resources. Which TWO security issues are MOST directly related to this configuration? (Choose two.)

Select 2 answers
A.Excessive privileges
B.Vulnerable software libraries
C.Weak encryption algorithms
D.Data exposure via S3 bucket
E.Insecure MQTT configuration
AnswersA, D

Allowing all actions grants more permissions than necessary.

Why this answer

A permissive IAM policy directly leads to excessive privileges and potential privilege escalation, as well as data exposure via unauthorized access.
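A static policy audit covering both question 659 (public s3:GetObject on 'company-backup') and question 670 (all actions on all resources), as an added example that is not part of the question bank. The policy documents are constructed, the account id in the least-privilege counterpart is a placeholder, and the two rules are this example's own simplifications of the policy grammar (string-or-list fields, simple trailing wildcards, no Condition evaluation).

```python
"""Flag the two policy misconfigurations from questions 659 and 670.
Added example, not from the question bank; the policies are constructed."""
import json


def _as_list(value):
    """Action, Resource and Principal values may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal) -> bool:
    """'Principal': '*' and 'Principal': {'AWS': '*'} both mean anyone, anonymous included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _action_matches(actions, wanted: str) -> bool:
    """Match exact actions and simple trailing wildcards (s3:*, s3:Get*, *), case-insensitively."""
    for action in actions:
        action = action.lower()
        if action in ("*", wanted) or (action.endswith("*") and wanted.startswith(action[:-1])):
            return True
    return False


def audit_policy(document: str) -> list[str]:
    """One finding per risky Allow statement.
    Rule 1 (Q659): anonymous principal granted s3:GetObject with no Condition.
    Rule 2 (Q670): Action '*' on Resource '*', i.e. full administrative access."""
    findings = []
    for index, stmt in enumerate(_as_list(json.loads(document).get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        sid = stmt.get("Sid", f"statement[{index}]")
        if (_principal_is_public(stmt.get("Principal"))
                and _action_matches(actions, "s3:getobject")
                and not stmt.get("Condition")):
            findings.append(f"{sid}: public read (s3:GetObject to Principal *) on {resources}")
        if "*" in actions and "*" in resources:
            findings.append(f"{sid}: all actions on all resources (excessive privileges)")
    return findings


# Constructed bucket policy matching question 659.
BUCKET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::company-backup/*"}]})

# Constructed identity policy matching question 670.
ADMIN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "*", "Resource": "*"}]})

# Constructed least-privilege counterpart: one named role, one action, one prefix
# (the account id is a placeholder).
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-reader"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::company-backup/2024/*"}]})

if __name__ == "__main__":
    for name, doc in (("bucket", BUCKET_POLICY), ("admin", ADMIN_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_policy(doc))
```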

671
MCQmedium

A penetration tester wants to evade an IDS while scanning a target network. The tester uses the Nmap command: nmap -sS -f 10.10.10.1. What does the -f flag accomplish?

A.It increases the timing template to T5 (insane)
B.It uses an idle scan by bouncing off a zombie host
C.It sends packets with a spoofed source IP address
D.It fragments the IP packets into 8-byte fragments
AnswerD

-f fragments the packet, often into 8-byte fragments (or 24 for -ff).

Why this answer

The -f flag in Nmap instructs the tool to fragment the IP packets into 8-byte fragments (or smaller, depending on the MTU). This is a common evasion technique used to bypass Intrusion Detection Systems (IDS) and firewalls by splitting the TCP header across multiple packets, making it harder for signature-based detection to reassemble and match the scan pattern.

Exam trap

The trap here is that candidates often confuse the -f flag with other Nmap options like -T (timing), -sI (idle scan), or -S (spoofing), because they all start with a single dash and are used for evasion or stealth, but each has a distinct function.

How to eliminate wrong answers

Option A is wrong because the -f flag does not control timing; timing templates are set with -T0 through -T5 (e.g., -T5 for insane). Option B is wrong because an idle scan is performed using the -sI flag, not -f, and requires specifying a zombie host. Option C is wrong because spoofing a source IP address is achieved with the -S flag (e.g., -S 192.168.1.100), not -f.

672
MCQmedium

Which of the following OSINT techniques would be MOST effective for discovering email addresses and employee names associated with a target organization?

A.Nmap scan
B.theHarvester
C.WHOIS lookup
D.Shodan search
AnswerB

theHarvester aggregates emails and names from public sources.

Why this answer

theHarvester is specifically designed to gather emails, subdomains, IPs, and employee names from public sources like search engines, PGP key servers, and social networks.

673
Multi-Selectmedium

A network administrator notices unusual traffic patterns: the internal DNS server is receiving large DNS queries with the source IP spoofed to appear as the internal DNS server itself. The queries appear to be amplification requests. Which TWO characteristics describe this attack?

Select 2 answers
A.It is a protocol-specific attack targeting TCP SYN packets
B.It relies on open DNS resolvers to amplify traffic
C.It exploits the ARP protocol to redirect traffic
D.It is a form of DDoS attack
E.It requires the attacker to be on the same subnet as the victim
AnswersB, D

Open resolvers respond with large records, amplifying traffic.

Why this answer

DNS amplification uses spoofed source IP and open resolvers to amplify traffic. The large response overwhelms the victim. It is a type of DDoS, not a protocol attack like SYN flood.

674
Multi-Selecteasy

Which TWO of the following are symmetric encryption algorithms?

Select 2 answers
A.Diffie-Hellman
B.RSA
C.AES
D.ECC
E.3DES
AnswersC, E

Advanced Encryption Standard is symmetric.

Why this answer

AES (Advanced Encryption Standard) is a symmetric encryption algorithm that uses the same key for both encryption and decryption. It is widely adopted for securing sensitive data and is a block cipher with key sizes of 128, 192, or 256 bits.

Exam trap

The trap here is that candidates often confuse key exchange protocols (like Diffie-Hellman) and asymmetric algorithms (like RSA and ECC) with symmetric encryption, because all are used in cryptography but serve fundamentally different roles in securing communications.

675
Multi-Selectmedium

A malware analyst is investigating a suspicious executable that appears to be a Trojan. The analyst runs the executable in a sandbox and observes the following behavior: it creates a hidden file in the %AppData% directory, modifies the Windows registry to add a startup entry, and attempts to connect to an external IP address on port 443 using HTTPS. Which TWO of the following techniques are likely being used by this malware?

Select 2 answers
A.Keylogging
B.Fileless execution
C.Persistence mechanism
D.Privilege escalation
E.Command and control communication
AnswersC, E

Adding a startup registry entry is a common persistence technique.

Why this answer

The malware adds a startup entry in the Windows registry (e.g., Run or RunOnce keys), which ensures the executable is automatically launched each time the user logs in. This is a classic persistence mechanism, as defined by MITRE ATT&CK technique T1547.003, because it maintains the malware's presence across system reboots.

Exam trap

EC-Council often tests the distinction between persistence and privilege escalation, where candidates mistakenly think modifying the registry requires elevated privileges, but HKCU keys are user-writable without admin rights.
