CCNA Enumeration and System Hacking Questions

75 of 189 questions · Page 1/3 · Enumeration and System Hacking · Answers revealed

1
MCQmedium

During an SMTP enumeration, a penetration tester connects to the mail server on port 25 and issues the commands 'VRFY root', 'EXPN admin', and 'RCPT TO:unknown@domain.com'. The server responds with '252' for VRFY, '250' for EXPN, and '550' for RCPT TO. What does this indicate?

A.The root user exists but is disabled, the admin mailing list exists, and unknown@domain.com does not exist
B.The server has open relay enabled
C.The server is vulnerable to SMTP injection
D.The server is not running SMTP
AnswerA

VRFY 252 indicates existence but disabled, EXPN 250 indicates existence, RCPT TO 550 indicates non-existence.

Why this answer

VRFY returns 252 if the user exists but is disabled (or ambiguous), EXPN returns 250 if the mailing list/alias exists, RCPT TO returns 550 if the mailbox does not exist. This allows enumerating valid users on the server.

2
MCQmedium

During a password cracking session, a pentester uses a wordlist combined with rules to generate variations of each word. This approach is called a hybrid attack. Which tool, when used with a rule file, can perform such an attack?

A.RainbowCrack
B.Ophcrack
C.Hydra
D.Hashcat
AnswerD

Hashcat's -a 6 (hybrid wordlist + mask) and -a 7 (hybrid mask + wordlist) perform hybrid attacks. Rule-based attacks are also supported with -r.

Why this answer

Hashcat supports multiple attack modes, including a hybrid attack (mode 6 and 7) that combines a dictionary with rules or masks. John the Ripper also supports rules, but Hashcat is explicitly known for hybrid attacks.

3
MCQmedium

After successfully exploiting a system, an attacker uses the command 'wevtutil cl system' on a Windows target. What is the MOST likely purpose of this command?

A.To export event logs to a file
B.To disable Windows event logging
C.To clear the system event log
D.To create a new event log entry
AnswerC

wevtutil cl system clears the system log.

Why this answer

The command 'wevtutil cl system' is used to clear the System event log on a Windows system. After successfully exploiting a target, an attacker would use this command to erase traces of their activities, such as log entries generated by their tools or actions, thereby hindering forensic analysis. The 'cl' parameter stands for 'clear log', and 'system' specifies the System log.

Exam trap

The trap here is that candidates may confuse 'wevtutil cl' with exporting or disabling logs, but the 'cl' parameter specifically means 'clear', and the command is a common post-exploitation anti-forensics technique tested in CEH.

How to eliminate wrong answers

Option A is wrong because 'wevtutil cl system' clears the log, not exports it; exporting logs would use 'wevtutil epl' or 'wevtutil export-log'. Option B is wrong because disabling Windows event logging would require stopping the Event Log service (e.g., 'net stop EventLog') or modifying registry settings, not clearing a log. Option D is wrong because creating a new event log entry is done with 'EventCreate' or 'wevtutil' with the 'epl' parameter, not the 'cl' parameter.

4
MCQmedium

A penetration tester wants to enumerate user accounts on a Linux system running SMTP service. Which commands are commonly used for this purpose?

A.USER, PASS, QUIT
B.VRFY, EXPN, RCPT TO
C.AUTH LOGIN, STARTTLS, EHLO
D.HELO, MAIL FROM, DATA
AnswerB

Why this answer

The VRFY command verifies whether a user mailbox exists on the SMTP server, EXPN expands a mailing list or alias to reveal individual member addresses, and RCPT TO specifies the recipient for a mail message and can be used to validate addresses during the SMTP conversation. These three commands are the standard SMTP enumeration techniques for discovering valid user accounts on a Linux system running an SMTP service.

Exam trap

The trap here is that candidates often confuse SMTP enumeration commands (VRFY, EXPN, RCPT TO) with SMTP session commands (HELO, MAIL FROM, DATA) or with authentication commands (AUTH LOGIN, STARTTLS), leading them to select options that are valid SMTP commands but not designed for user enumeration.

How to eliminate wrong answers

Option A is wrong because USER, PASS, and QUIT are POP3 commands used for mailbox access and authentication, not for SMTP user enumeration. Option C is wrong because AUTH LOGIN, STARTTLS, and EHLO are SMTP commands used for authentication negotiation and secure connection initiation, not for enumerating user accounts. Option D is wrong because HELO, MAIL FROM, and DATA are SMTP commands used to initiate a session, specify the sender, and begin message content transfer, respectively; they do not directly reveal user account existence.

5
MCQhard

An attacker gains access to a Linux web server as the 'www-data' user. They run `find / -perm -4000 -type f 2>/dev/null` and see that `/usr/bin/passwd` has the SUID bit set. Which privilege escalation technique is this command checking for?

A.SUID abuse
B.Password cracking
C.Kernel exploit
D.Token impersonation
AnswerA

SUID bit abuse allows running a binary with elevated privileges, potential for escalation.

Why this answer

The find command searches for files with SUID bit set (4000). SUID binaries run with the file owner's privileges, often root. Checking for SUID files is a common technique to find potential privilege escalation vectors, e.g., exploiting a vulnerable SUID binary.

6
Multi-Selectmedium

Which TWO of the following are examples of privilege escalation on Linux? (Select 2)

Select 2 answers
A.Pass-the-Hash
B.Token impersonation
C.SUID bit abuse
D.Exploiting a local vulnerability in a setuid binary
E.DLL hijacking
AnswersC, D

SUID programs run with the file owner's privileges.

Why this answer

SUID bit abuse (C) is a privilege escalation technique because when the SUID (Set User ID) bit is set on an executable, it runs with the permissions of the file owner (often root), regardless of the user who executes it. An attacker can exploit misconfigured SUID binaries to execute commands with elevated privileges, gaining root access.

Exam trap

EC-Council often tests the distinction between Windows and Linux privilege escalation techniques, and the trap here is that candidates confuse cross-platform attacks like token impersonation or DLL hijacking as applicable to Linux, when they are strictly Windows-based.

7
Multi-Selecthard

A penetration tester obtains password hashes from a Windows system. Which TWO methods would be most efficient for cracking NTLM hashes offline? (Choose two.)

Select 2 answers
A.Using RainbowCrack with precomputed rainbow tables for NTLM
B.Performing an online brute-force against the SAM database
C.Using Ophcrack with rainbow tables for NTLM
D.Using Hashcat with a brute-force attack on GPU
E.Using John the Ripper with a dictionary and rules
AnswersD, E

Hashcat leverages GPU for high-speed cracking of NTLM hashes.

Why this answer

Option D is correct because Hashcat, when used with a GPU, can perform massively parallel brute-force attacks against NTLM hashes, achieving billions of hash calculations per second. This makes it one of the most efficient tools for offline password cracking of NTLM hashes, especially when the password is not in a dictionary.

Exam trap

EC-Council often tests the distinction between tools optimized for LM vs. NTLM hashes, and candidates mistakenly choose Ophcrack (option C) because they confuse its LM rainbow table capability with NTLM support.

8
MCQhard

A penetration tester uses `smbclient -L //192.168.1.30 -N` and receives a list of shares including a hidden administrative share (C$) and a user share named "Backup". What is the most immediate security concern?

A.The Backup share may contain sensitive data
B.SMB signing is not enabled
C.Null session enumeration is possible, allowing information gathering
D.The C$ share is a default administrative share
AnswerC

Why this answer

The `-N` flag in the `smbclient` command suppresses password prompts, enabling a null session connection. The fact that the command successfully lists shares without authentication indicates that null session enumeration is permitted, which is a critical security flaw. This allows an attacker to gather sensitive information (share names, user lists, etc.) without any credentials, often serving as the first step in a targeted attack.

Exam trap

The trap here is that candidates focus on the existence of the C$ administrative share or the Backup share's name, rather than recognizing that the ability to enumerate any shares without authentication (null session) is the most critical and immediate vulnerability.

How to eliminate wrong answers

Option A is wrong because while the Backup share might contain sensitive data, the most immediate security concern is the ability to enumerate shares at all without authentication, not the content of a specific share. Option B is wrong because SMB signing is a separate security feature that prevents man-in-the-middle attacks; its absence is a concern but not directly indicated by the successful null session enumeration shown in the command output. Option D is wrong because the C$ share being a default administrative share is a known fact, but its presence alone is not the immediate security issue—the ability to list it via a null session is the real problem.

9
MCQeasy

Which tool is specifically designed to perform SNMP enumeration by walking the MIB tree using a known community string?

A.enum4linux
B.SNMPwalk
C.nbtstat
D.smbclient
AnswerB

SNMPwalk walks the MIB tree.

Why this answer

SNMPwalk is the correct tool because it is specifically designed to perform SNMP enumeration by walking the Management Information Base (MIB) tree using a known community string (e.g., 'public' or 'private'). It sends successive GETNEXT requests to retrieve all OID values from the SNMP agent, effectively dumping the entire MIB tree for reconnaissance.

Exam trap

The trap here is that candidates often confuse SNMPwalk with enum4linux because both are enumeration tools, but enum4linux targets SMB/NetBIOS, not SNMP, and the question specifically requires walking the MIB tree with a community string.

How to eliminate wrong answers

Option A is wrong because enum4linux is a tool for enumerating information from Windows and Samba systems via SMB, RPC, and NetBIOS, not SNMP. Option C is wrong because nbtstat is a Windows command-line tool that displays NetBIOS over TCP/IP statistics and name tables, not SNMP MIB walking. Option D is wrong because smbclient is an FTP-like client for accessing SMB/CIFS shares on Windows systems, not for SNMP enumeration.

10
MCQmedium

During an internal penetration test, you run 'smbclient -L //192.168.1.100 -N' and get an empty response. Which of the following is the MOST likely reason?

A.The target is not running SMB
B.Null sessions are disabled on the target
C.The target requires NTLM authentication
D.The target is a Linux server
AnswerB

Windows disables null sessions by default since XP SP2, causing smbclient -N to fail.

Why this answer

The `-N` flag in smbclient suppresses password prompts, attempting a null session. An empty response (no error, no output) typically indicates the SMB service is running but null sessions are explicitly disabled, often via the registry key `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous` set to 1 or 2. This prevents anonymous enumeration of shares and users, which is a common security hardening measure on Windows systems.

Exam trap

The trap here is that candidates assume an empty response means the service is down or not SMB, but CEH expects you to recognize that a silent empty output from `smbclient -L -N` is a classic indicator of null session restrictions being enabled.

How to eliminate wrong answers

Option A is wrong because if the target were not running SMB, smbclient would return a connection error (e.g., 'Connection refused' or 'NT_STATUS_CONNECTION_REFUSED'), not an empty response. Option C is wrong because NTLM authentication is the default for SMB on Windows; the `-N` flag attempts a null session without credentials, and if NTLM were required but null sessions disabled, the tool would still prompt for credentials or return an access denied error, not an empty response. Option D is wrong because a Linux server running Samba would typically respond to a null session attempt with either a share list or an explicit 'NT_STATUS_ACCESS_DENIED' error, not a completely empty response; the empty response is characteristic of a Windows target with RestrictAnonymous enforced.

11
MCQeasy

Which type of password cracking attack uses a precomputed table of hash chains to reverse hashes quickly?

A.Rainbow table attack
B.Dictionary attack
C.Brute-force attack
D.Hybrid attack
AnswerA

Why this answer

Rainbow tables are precomputed hash chains that allow fast reversal of hashes. They are stored in files and used by tools like RainbowCrack and Ophcrack.

12
MCQhard

After gaining initial access to a Linux server, an attacker runs `find / -perm -4000 -o -perm -2000 2>/dev/null`. What is the primary objective of this command?

A.Locate world-writable files for data exfiltration
B.List all files owned by the root user
C.Find configuration files containing passwords
D.Identify files with SUID or GUID bits set for privilege escalation
AnswerD

SUID/GUID binaries run with elevated privileges.

Why this answer

The -perm -4000 finds SUID files, -perm -2000 finds GUID files. These are often exploited for privilege escalation.

13
Multi-Selectmedium

Which TWO of the following are techniques used to escalate privileges on a Linux system?

Select 2 answers
A.SMB relay attack
B.Pass-the-hash attack
C.Token impersonation
D.Exploiting a SUID binary
E.Kernel exploit
AnswersD, E

SUID binaries run with the owner's privileges, allowing escalation.

Why this answer

Option D is correct because SUID (Set User ID) binaries execute with the file owner's privileges, typically root. If a misconfigured SUID binary (e.g., one that allows command injection or arbitrary file reads) is exploited, an attacker can escalate from a low-privileged user to root. Common examples include exploiting SUID on binaries like `find`, `nmap`, or custom scripts with weak permissions.

Exam trap

The trap here is that candidates confuse Windows-specific privilege escalation techniques (SMB relay, pass-the-hash, token impersonation) with Linux-specific methods, assuming they are cross-platform.

14
MCQeasy

Which tool is specifically designed to enumerate SMB shares and user accounts on a Windows target by leveraging the SMB protocol?

A.Enum4linux
B.Wireshark
C.Nmap
D.Hydra
AnswerA

Correct tool for SMB enumeration.

Why this answer

enum4linux is a Perl script that wraps Samba tools (like smbclient, rpclient, net) to enumerate SMB shares, users, groups, and more from Windows hosts.

15
MCQmedium

A penetration tester runs `snmpwalk -c public -v2c 192.168.1.50 1.3.6.1.2.1.1` and receives a list of system descriptions, uptime, and contact information. Which type of information is the tester primarily gathering?

A.SMB share names and permissions
B.System information and version details
C.Network topology and routing tables
D.Active directory users and groups
AnswerB

The system group OID provides hostname, OS version, uptime, and contact info.

Why this answer

The `snmpwalk` command with the OID `1.3.6.1.2.1.1` (the system group in MIB-II, defined in RFC 1213) queries the SNMP agent for system-level information. The output includes system description, uptime, contact, and version details, which are all part of the system group. This is a classic enumeration technique to gather system information and version details from a target device using SNMP with the default public community string.

Exam trap

The trap here is that candidates often confuse the system group OID (1.3.6.1.2.1.1) with other MIB branches like the interfaces group or IP group, leading them to incorrectly select network topology or routing tables, but the system group specifically returns device identity and version information.

How to eliminate wrong answers

Option A is wrong because SMB share names and permissions are enumerated using tools like `smbclient` or `enum4linux`, not via SNMP OID 1.3.6.1.2.1.1, which is the system group. Option C is wrong because network topology and routing tables are obtained from OIDs under 1.3.6.1.2.1.4 (IP group) and 1.3.6.1.2.1.4.21 (ipRouteTable), not the system group. Option D is wrong because Active Directory users and groups are typically enumerated via LDAP queries or tools like `ldapsearch`, not through SNMP, which does not expose AD object data via the system group OID.

16
MCQmedium

During a penetration test, you successfully gain access to a web server with a low-privileged shell. You want to escalate privileges to root. Which of the following techniques is MOST likely to achieve privilege escalation on a misconfigured Linux system?

A.Use the `netcat` tool to establish a reverse shell back to the attacker
B.Search for and exploit a SUID binary that allows privilege escalation
C.Use a password cracking tool like John the Ripper on the system's shadow file
D.Perform a brute force attack on the root password
AnswerB

SUID binaries execute with the owner's privileges. If a binary like `find` or `vim` has SUID set, it can be exploited to run commands as root.

Why this answer

Option B is correct because SUID (Set User ID) binaries execute with the privileges of the file owner, typically root. On a misconfigured Linux system, a low-privileged user can run a SUID-root binary (e.g., `find`, `vim`, `nmap`) to spawn a shell with root privileges, directly achieving privilege escalation without needing credentials or additional exploits.

Exam trap

The trap here is that candidates confuse establishing a reverse shell (which maintains the current privilege level) with privilege escalation, or they assume password cracking is feasible without first obtaining the hashed password file.

How to eliminate wrong answers

Option A is wrong because `netcat` is a network utility for establishing reverse shells or listening for connections; it does not escalate privileges—it only provides a remote shell at the current privilege level. Option C is wrong because John the Ripper cracking the shadow file requires read access to `/etc/shadow`, which a low-privileged shell typically does not have (shadow file is readable only by root or the shadow group). Option D is wrong because brute-forcing the root password is impractical: it requires network or console access, risks account lockout, and is noisy; moreover, the goal is to exploit a misconfiguration, not guess credentials.

17
MCQmedium

During a penetration test, you run the command `enum4linux -a 192.168.1.10` and receive output containing user account names, group memberships, and share listings. Which protocol is primarily being enumerated?

A.NFS
B.SMB
C.SNMP
D.SMTP
AnswerB

Correct. enum4linux performs SMB enumeration, extracting information like users, shares, and policies from Windows systems.

Why this answer

enum4linux is a tool specifically designed to enumerate information from Windows and Samba systems via the SMB (Server Message Block) protocol. The command `enum4linux -a 192.168.1.10` performs a comprehensive scan that retrieves user accounts, group memberships, and share listings, all of which are exposed through SMB's named pipe and RPC mechanisms. SMB is the correct protocol because it is the primary means for file and printer sharing in Windows networks, and enum4linux leverages SMB's IPC$ share and SAMR/LSA RPC services to extract this data.

Exam trap

The trap here is that candidates often confuse enum4linux with tools like 'showmount' for NFS or 'snmpwalk' for SNMP, but the key is that enum4linux is explicitly built for SMB enumeration, and the output of user accounts and shares is a hallmark of SMB, not NFS or SNMP.

How to eliminate wrong answers

Option A is wrong because NFS (Network File System) is a Unix/Linux-based file-sharing protocol that does not expose user account or group membership details via enum4linux; enum4linux is designed for SMB/CIFS environments, not NFS mounts. Option C is wrong because SNMP (Simple Network Management Protocol) is used for network device monitoring and management, not for enumerating user accounts or shares; enum4linux does not interact with SNMP agents. Option D is wrong because SMTP (Simple Mail Transfer Protocol) is an email delivery protocol and has no mechanism for listing user accounts, group memberships, or file shares; enum4linux targets SMB services, not mail servers.

18
Multi-Selectmedium

Which TWO of the following are valid SMTP enumeration commands that can be used to discover valid email addresses? (Select 2)

Select 2 answers
A.HELO
B.RCPT TO
C.EXPN
D.ATRN
E.VRFY
AnswersC, E

EXPN expands a mailing list, revealing member addresses.

Why this answer

EXPN is a valid SMTP command that requests the server to expand a mailing list or alias, revealing the individual email addresses that belong to it. This enumeration technique is useful for discovering valid email addresses without sending a message, as defined in RFC 821.

Exam trap

The trap here is that candidates confuse RCPT TO with VRFY or EXPN, thinking that specifying a recipient during mail delivery is the same as a dedicated enumeration command, but RCPT TO is part of the mail transaction flow and not a standalone enumeration command.

19
MCQeasy

A security analyst runs `nbtstat -A 192.168.1.10` and receives a response with the computer name, logged-in user, and domain. Which protocol is being queried?

A.NetBIOS
B.SNMP
C.LDAP
D.SMTP
AnswerA

Why this answer

The `nbtstat -A` command performs a NetBIOS name service query (NBNS) against the target IP address using UDP port 137. It retrieves the NetBIOS name table, which includes the computer name, logged-in user, and domain membership, directly from the NetBIOS over TCP/IP (NetBT) protocol stack.

Exam trap

The trap here is that candidates confuse `nbtstat -A` (which queries NetBIOS over TCP/IP) with `nbtstat -a` (which queries by name) or assume it uses a different protocol like SMB, but the command specifically targets the NetBIOS name service on UDP 137.

How to eliminate wrong answers

Option B is wrong because SNMP (Simple Network Management Protocol) uses UDP ports 161/162 and is queried with tools like `snmpget` or `snmwalk`, not `nbtstat`. Option C is wrong because LDAP (Lightweight Directory Access Protocol) operates over TCP port 389 and is used to query directory services like Active Directory, not to retrieve NetBIOS names. Option D is wrong because SMTP (Simple Mail Transfer Protocol) uses TCP port 25 for email transfer and has no role in NetBIOS name resolution or enumeration.

20
Multi-Selecthard

Which THREE of the following are indicators that a system has been compromised by a rootkit? (Select 3)

Select 3 answers
A.Anti-virus software is disabled and cannot be restarted
B.Hidden processes that do not appear in process lists
C.Unexplained network connections to known command-and-control servers
D.Event logs show repeated successful logins from unknown IPs
E.Increased disk space usage without explanation
AnswersA, B, C

Rootkits may disable security software to avoid detection.

Why this answer

Rootkits hide processes, files, and registry keys. Common signs include hidden processes, unexplained network connections, and disabled security tools. Altered file hashes are also indicators but are more generic.

21
MCQhard

A penetration tester runs the following command against a Linux server: `smbclient -L //192.168.1.10 -N`. The output lists shares including 'IPC$', 'ADMIN$', and 'data'. Which of the following is the BEST next step to enumerate the 'data' share?

A.Run `nmap --script smb-enum-shares -p 445 192.168.1.10`
B.Run `enum4linux -a 192.168.1.10` to gather more information
C.Use `rpcclient -U '' 192.168.1.10` to enumerate users
D.Use `smbclient //192.168.1.10/data -N` to attempt a null session connection
AnswerD

This attempts to access the share anonymously; if successful, the tester can list files.

Why this answer

The command `smbclient -L //192.168.1.10 -N` performs a null session (no password) listing of SMB shares. The output shows that the 'data' share exists and is accessible without authentication (since the -N flag succeeded). The best next step is to attempt a null session connection to that specific share using `smbclient //192.168.1.10/data -N`, which will mount the share and allow file enumeration.

This directly leverages the null session already confirmed by the initial scan.

Exam trap

The trap here is that candidates often choose a broad enumeration tool like enum4linux or an nmap script, thinking they need more information first, when the direct connection to the already-discovered share is the logical and efficient next step in a penetration test.

How to eliminate wrong answers

Option A is wrong because `nmap --script smb-enum-shares -p 445` would re-enumerate shares, which is redundant after already discovering the 'data' share via smbclient. Option B is wrong because `enum4linux -a` is a comprehensive enumeration tool that gathers users, groups, shares, and policies, but it is a broader, slower step that does not directly access the 'data' share; the immediate goal is to connect to the share, not gather more metadata. Option C is wrong because `rpcclient -U ''` is used for RPC-based enumeration (e.g., users, SIDs) via the IPC$ share, not for accessing a file share like 'data'; it would not list or retrieve files from the 'data' share.

22
MCQeasy

During a penetration test, you gain access to a target system as a low-privileged user. Which of the following is the BEST next step according to the CEH system hacking methodology (CHPSET)?

A.Execute applications to extract data
B.Hide files to conceal tools and data
C.Erase event logs to avoid detection
D.Escalate privileges to gain higher-level access
AnswerD

Privilege escalation is the third step in CHPSET, following cracking passwords and hiding files, and is appropriate after initial low-privileged access.

Why this answer

The CEH methodology follows: Cracking passwords, Hiding files, Privilege escalation, Executing applications, Spying, Erasing tracks. After gaining initial access as a low-privileged user, the next logical step is to escalate privileges to gain higher access (e.g., administrator or root).

23
MCQhard

During a penetration test, you discover an LDAP server on port 389 that allows anonymous binds. Which of the following enumeration techniques would provide the MOST comprehensive information about the directory structure?

A.Run nmap with the smb-enum-shares script
B.Perform a DNS zone transfer
C.Use ldapsearch to query the directory for all attributes
D.Use net view to list domain resources
AnswerC

ldapsearch can retrieve all objects and attributes from an LDAP directory, especially with anonymous bind.

Why this answer

Option C is correct because `ldapsearch` with anonymous bind allows querying the LDAP directory for all attributes and entries, providing comprehensive information about the directory structure, including user accounts, groups, organizational units, and other objects. LDAP servers on port 389 often expose the entire directory tree when anonymous binds are permitted, making `ldapsearch` the most effective enumeration technique.

Exam trap

The trap here is that candidates confuse LDAP enumeration with SMB or DNS enumeration, assuming any network discovery tool will work, but only LDAP-specific queries (like `ldapsearch`) can extract directory structure from an LDAP server.

How to eliminate wrong answers

Option A is wrong because `nmap` with the `smb-enum-shares` script targets SMB (port 445) and enumerates Windows file shares, not LDAP directory structure on port 389. Option B is wrong because DNS zone transfer (using `dig` or `nslookup`) retrieves DNS records (A, MX, CNAME, etc.) from a DNS server, not LDAP directory attributes or objects. Option D is wrong because `net view` is a Windows command that lists SMB shared resources on a network, not LDAP directory entries.

24
MCQhard

After gaining initial access, an attacker attempts to escalate privileges by exploiting a misconfigured service running as SYSTEM. They find that the service's binary path is writable by the Everyone group. Which privilege escalation technique is the attacker MOST likely using?

A.SUID/GUID abuse
B.Unquoted service path
C.Weak service permissions
D.Token impersonation
AnswerC

Writable service binary is a weak permission vulnerability.

Why this answer

A writable service binary allows an attacker to replace the executable with a malicious one, which will run with the service's privileges (SYSTEM).

25
MCQmedium

A penetration tester is enumerating an SMTP server on port 25. They issue the command `VRFY root` and receive a 250 response, then `VRFY admin` also returns 250. What does this indicate about the SMTP server?

A.Both root and admin are valid email accounts on the server
B.The SMTP server supports password authentication
C.The command failed due to syntax errors
D.The SMTP server has disabled user verification
AnswerA

250 means the user exists. Thus both root and admin are valid.

Why this answer

The VRFY command verifies if a user exists. A 250 response indicates the user exists. This allows an attacker to enumerate valid usernames on the system.

26
Multi-Selecthard

Which THREE of the following are password cracking techniques that can be used with Hashcat? (Select 3)

Select 3 answers
A.Token impersonation
B.Brute-force attack
C.Rainbow table attack
D.Dictionary attack
E.Hybrid attack
AnswersB, D, E

Hashcat can perform brute-force attacks by iterating through all possible character combinations.

Why this answer

Hashcat is a GPU-accelerated password recovery tool that supports multiple attack modes. A brute-force attack (option B) systematically tries every possible combination of characters from a defined keyspace until the correct password is found. Hashcat implements this via its '?a' mask or direct brute-force mode, making it a core technique for cracking hashes when no prior knowledge of the password exists.

Exam trap

EC-Council often tests the misconception that rainbow table attacks are a core Hashcat feature, but Hashcat does not implement rainbow tables; it uses GPU-accelerated brute-force, dictionary, and hybrid modes instead.

27
MCQmedium

Which of the following tools is specifically designed to perform password cracking using rainbow tables?

A.John the Ripper
B.Ophcrack
C.RainbowCrack
D.Hashcat
AnswerC

RainbowCrack is specifically designed to perform password cracking using rainbow tables.

Why this answer

RainbowCrack is specifically designed to perform password cracking using precomputed rainbow tables, which are time-memory trade-off structures that allow hashes to be reversed quickly without brute-forcing each password. Unlike other tools that rely on brute force, dictionary attacks, or hybrid methods, RainbowCrack's core functionality is built around generating and using rainbow tables to crack LM, NTLM, MD5, SHA1, and other hash types.

Exam trap

EC-Council often tests the distinction between tools that use rainbow tables (RainbowCrack) versus tools that use brute-force or dictionary methods (John the Ripper, Hashcat), and candidates mistakenly associate Ophcrack with general rainbow table cracking when it is actually limited to LM hashes.

How to eliminate wrong answers

Option A is wrong because John the Ripper is a password cracking tool that primarily uses dictionary, brute-force, and incremental modes, not rainbow tables. Option B is wrong because Ophcrack is a Windows password cracker that uses LM hash rainbow tables but is limited to Windows LAN Manager hashes and is not a general-purpose rainbow table tool like RainbowCrack. Option D is wrong because Hashcat is a high-speed password cracker that uses GPU acceleration for brute-force, dictionary, and rule-based attacks, but it does not natively use rainbow tables for cracking.

28
MCQeasy

Which of the following commands is used to enumerate SNMP information from a network device using a specific community string?

A.ldapsearch -x -h 192.168.1.1 -b dc=domain,dc=com
B.enum4linux -a 192.168.1.1
C.snmpwalk -c public -v 2c 192.168.1.1
D.nbtstat -a 192.168.1.1
AnswerC

This command walks the MIB tree using the 'public' community string on SNMPv2c.

Why this answer

Option C is correct because `snmpwalk` is the standard command-line tool for enumerating SNMP (Simple Network Management Protocol) information from a network device. By specifying the community string (`-c public`) and SNMP version (`-v 2c`), it retrieves the entire Management Information Base (MIB) tree from the target IP address, allowing an attacker to discover system details, running processes, and network interfaces.

Exam trap

The trap here is that candidates confuse SNMP enumeration tools with other network enumeration tools (like LDAP, SMB, or NetBIOS), leading them to pick a command that targets a different protocol entirely.

How to eliminate wrong answers

Option A is wrong because `ldapsearch` is used for querying LDAP directories (port 389), not for SNMP enumeration; it requires a base DN and is unrelated to community strings. Option B is wrong because `enum4linux` is a tool for enumerating SMB/CIFS shares, users, and policies from Windows systems (port 445), not for SNMP queries. Option D is wrong because `nbtstat` is a Windows utility for NetBIOS over TCP/IP name resolution and cache management (port 137), not for SNMP enumeration.

29
MCQmedium

A penetration tester wants to crack Windows NTLM hashes using rainbow tables. Which tool is specifically designed for this purpose?

A.Hashcat
B.John the Ripper
C.RainbowCrack
D.Ophcrack
AnswerC

RainbowCrack is a tool that uses rainbow tables for hash cracking.

Why this answer

Option A is correct. RainbowCrack uses rainbow tables to crack hashes, including NTLM.

30
MCQmedium

Which of the following commands would a tester use to enumerate NetBIOS names and their associated IP addresses on a local subnet?

A.nbtstat -n
B.nbtstat -c
C.nbtstat -a 192.168.1.10
D.nbtstat -A 192.168.1.10
AnswerD

Correct. nbtstat -A <IP> displays the NetBIOS name table for that IP.

Why this answer

Option D is correct because the `nbtstat -A` command (with a capital 'A') performs a NetBIOS name table lookup against a remote IP address, listing the NetBIOS names registered by that host along with their associated IP addresses. This is the standard method for enumerating NetBIOS names on a specific target within a local subnet, as it queries the NetBIOS name service (UDP port 137) directly.

Exam trap

The trap here is that candidates often confuse the lowercase `-a` (which expects a hostname) with the uppercase `-A` (which expects an IP address), leading them to incorrectly select option C when the question specifies an IP address.

How to eliminate wrong answers

Option A is wrong because `nbtstat -n` displays only the local NetBIOS names registered on the tester's own machine, not names from other hosts on the subnet. Option B is wrong because `nbtstat -c` shows the local NetBIOS name cache, which contains recently resolved names and their IP addresses, but does not actively enumerate all hosts on the subnet. Option C is wrong because `nbtstat -a` (lowercase 'a') performs a NetBIOS name table lookup using a hostname, not an IP address, so it would fail or produce incorrect results when given an IP address.

31
MCQhard

A security analyst runs `snmpwalk -v2c -c public 192.168.1.1` and receives extensive output about the device's configuration. Which of the following is the MOST effective countermeasure against this enumeration?

A.Disable SNMP entirely
B.Use SNMPv3 with encryption
C.Change the default community string and restrict SNMP access to specific IPs
D.Block ICMP echo requests
AnswerC

Correct. Changing community strings from defaults and using ACLs prevents unauthorized enumeration.

Why this answer

Option C is correct because the most effective countermeasure against SNMP enumeration via a default community string is to change the default 'public' (or 'private') string to a strong, non-guessable value and restrict SNMP access to trusted management IPs using an access control list (ACL). This prevents unauthorized querying of the MIB tree while still allowing legitimate SNMP monitoring.

Exam trap

The trap here is that candidates often choose SNMPv3 with encryption (Option B) because it sounds more secure, but the question specifically targets the misconfiguration of using the default 'public' community string on SNMPv2c, which is best remedied by changing the community string and restricting access, not by upgrading the protocol version alone.

How to eliminate wrong answers

Option A is wrong because disabling SNMP entirely may break legitimate network monitoring and management functions, making it an overly drastic and often impractical solution. Option B is wrong because while SNMPv3 with encryption provides authentication and privacy, the question specifies the attacker is using SNMPv2c with the 'public' community string; switching to SNMPv3 does not directly address the misconfiguration of using a default community string on v2c devices, and the question asks for the most effective countermeasure against this specific enumeration. Option D is wrong because blocking ICMP echo requests (ping) only prevents network discovery via ICMP, not SNMP enumeration over UDP port 161.

32
MCQeasy

A security analyst wants to enumerate users and groups from a Windows domain controller using LDAP. Which of the following queries would return all objects of class 'user' from the domain 'example.com'?

A.ldapsearch -x -b "dc=example,dc=com" "(cn=*)"
B.ldapsearch -x -b "dc=example,dc=com" "(objectClass=user)"
C.ldapsearch -x -b "dc=example,dc=com" "(objectClass=person)"
D.ldapsearch -x -b "dc=example,dc=com" "(&(objectClass=user)(objectCategory=person))"
AnswerB

Correct query to list all user objects in the domain.

Why this answer

Option B is correct. The LDAP query '(&(objectClass=user))' filters for user objects. The base DN 'dc=example,dc=com' specifies the domain.

Options A, C, and D use incorrect syntax or filters.

33
MCQmedium

An analyst observes repeated failed login attempts to a Windows server from an internal IP, followed by a successful login using the account 'admin' from the same IP. The analyst checks the Security log and finds Event ID 4624 with Logon Type 3. What type of attack is MOST likely occurring?

A.SMB relay attack
B.Kerberos golden ticket attack
C.Pass-the-hash attack
D.Dictionary attack on the admin account
AnswerD

Multiple failed attempts suggest a dictionary/brute-force attack; success indicates correct password found.

Why this answer

Event ID 4624 with Logon Type 3 indicates a network logon (typically SMB or other network resource access). The sequence of repeated failed attempts followed by a successful login from the same internal IP strongly suggests a dictionary (brute-force) attack against the 'admin' account. The attacker systematically tried passwords until one succeeded, which is the hallmark of a dictionary attack.

Exam trap

The trap here is that candidates see 'successful login' and 'Event ID 4624' and incorrectly assume a pass-the-hash or relay attack, but the presence of repeated failed attempts before success is the key indicator of a dictionary attack, not a credential theft technique.

How to eliminate wrong answers

Option A is wrong because an SMB relay attack intercepts and relays authentication traffic to impersonate a user, not by trying multiple passwords from a single IP; it would not produce repeated failed logins followed by a success from the same IP. Option B is wrong because a Kerberos golden ticket attack forges a Ticket Granting Ticket (TGT) using the KRBTGT hash, allowing domain-wide access without any failed login attempts; it would not generate Event ID 4624 with Logon Type 3 from a single IP. Option C is wrong because a pass-the-hash attack uses a stolen NTLM hash to authenticate without knowing the plaintext password, so it would not cause multiple failed login attempts; it typically succeeds on the first try if the hash is valid.

34
MCQhard

During a security assessment, you find a Linux binary with the SUID bit set and owned by root. You execute it and obtain a root shell. This is an example of which privilege escalation technique?

A.DLL hijacking
B.Kernel exploit
C.Token impersonation
D.SUID abuse
AnswerD

Correct. SUID bit abuse allows executing a binary with the owner's (root) privileges.

Why this answer

Option D is correct because the SUID (Set User ID) bit on a binary owned by root allows it to execute with root privileges regardless of the user running it. When you execute such a binary and it spawns a shell, that shell inherits the elevated privileges, effectively granting you a root shell. This is a classic example of SUID abuse, a common privilege escalation technique on Linux systems.

Exam trap

The trap here is that candidates may confuse SUID abuse with a kernel exploit, thinking any root shell from a binary must involve a kernel vulnerability, but SUID abuse is a misconfiguration-based technique that does not require exploiting kernel code.

How to eliminate wrong answers

Option A is wrong because DLL hijacking is a Windows-specific technique that exploits the search order for Dynamic Link Libraries to load a malicious DLL, which is not applicable to Linux binaries. Option B is wrong because a kernel exploit targets vulnerabilities in the operating system kernel to gain elevated privileges, whereas this scenario involves a legitimate SUID binary, not a kernel flaw. Option C is wrong because token impersonation is a Windows privilege escalation method that manipulates access tokens (e.g., using SeImpersonatePrivilege), which does not apply to Linux's SUID mechanism.

35
MCQmedium

A security analyst notices that an attacker has gained SYSTEM privileges on a Windows server after compromising a service running as LOCAL SYSTEM. The attacker then uses `whoami /priv` and finds the SeTcbPrivilege (Act as part of the operating system) is enabled. Which privilege escalation technique might the attacker use next?

A.Sticky keys exploit
B.Token impersonation
C.DLL injection
D.Pass-the-hash
AnswerB

SeTcbPrivilege enables token impersonation attacks.

Why this answer

SeTcbPrivilege allows impersonating any user, including SYSTEM. It can be used to execute processes under arbitrary identities, enabling further privilege escalation.

36
Multi-Selectmedium

Which THREE of the following are valid techniques in the system hacking methodology (CHPSET)? (Choose three.)

Select 3 answers
A.Privilege escalation
B.Social engineering
C.Erasing tracks
D.Network sniffing
E.Cracking passwords
AnswersA, C, E

Why this answer

Privilege escalation is a core phase in the CEH system hacking methodology (CHPSET), which stands for Cracking, Hacking, Privilege Escalation, System Hacking, Erasing Tracks, and Tunneling. After initial access is gained, an attacker must escalate privileges (e.g., from a standard user to root or SYSTEM) to gain full control over the target system. This is achieved through techniques like exploiting kernel vulnerabilities, token manipulation, or using tools such as Metasploit's getsystem.

Exam trap

The trap here is that candidates often confuse the CHPSET system hacking methodology with the broader ethical hacking phases (reconnaissance, scanning, gaining access, etc.), leading them to incorrectly select social engineering or network sniffing as valid CHPSET steps.

37
MCQeasy

Which tool is specifically designed to crack Windows LM and NTLM password hashes using rainbow tables?

A.Hashcat
B.RainbowCrack
C.Ophcrack
D.John the Ripper
AnswerC

Correct. Ophcrack is widely used for cracking Windows hashes with rainbow tables.

Why this answer

Ophcrack is specifically designed to crack Windows LM and NTLM password hashes using precomputed rainbow tables. It leverages the time-memory trade-off technique to rapidly reverse these hashes without brute-forcing each password individually, making it the correct choice for this targeted task.

Exam trap

EC-Council often tests the distinction between tools that use rainbow tables (Ophcrack) versus those that use brute-force or dictionary attacks (Hashcat, John the Ripper), leading candidates to mistakenly choose a general-purpose cracker for a rainbow-table-specific question.

How to eliminate wrong answers

Option A is wrong because Hashcat is a general-purpose password cracker that supports many hash types (including LM/NTLM) but relies on GPU-accelerated brute-force or dictionary attacks, not rainbow tables. Option B is wrong because RainbowCrack is a tool that generates and uses rainbow tables for various hash types, but it is not specifically designed for Windows LM/NTLM hashes; it requires separate table generation or download for those formats. Option D is wrong because John the Ripper is a versatile password cracking tool that uses dictionary, brute-force, and incremental modes, but it does not natively use rainbow tables for LM/NTLM cracking.

38
MCQmedium

During a system hacking phase, a tester successfully gains access to a Windows machine and wants to hide a malicious executable. Which of the following techniques is MOST effective for hiding files from standard directory listings without using third-party tools?

A.Use the `attrib +h +s` command to set hidden and system attributes
B.Rename the file to a system filename like svchost.exe and place it in C:\Windows\System32
C.Encrypt the file using EFS
D.Store the executable in an Alternate Data Stream (ADS)
AnswerA

This hides the file from `dir` without /a flags, making it effectively invisible to most users.

Why this answer

The `attrib +h +s` command sets both the hidden and system file attributes, which by default causes Windows Explorer and standard `dir` commands to omit the file from directory listings. This is a built-in, native technique that requires no third-party tools and is effective for basic concealment from casual inspection.

Exam trap

The trap here is that candidates may overthink and choose ADS (Option D) as a more 'advanced' hiding technique, but the question explicitly requires no third-party tools and ADS creation typically requires additional commands or tools, whereas `attrib` is a simple, built-in command that directly achieves the goal.

How to eliminate wrong answers

Option B is wrong because simply renaming a file to svchost.exe and placing it in C:\Windows\System32 does not hide it from directory listings; it remains visible unless its attributes are changed, and it may be flagged by security tools due to behavioral anomalies. Option C is wrong because Encrypting File System (EFS) encrypts the file content but does not hide the file from directory listings; the filename remains visible. Option D is wrong because while Alternate Data Streams (ADS) can hide data within a file, they require third-party tools or specific commands (e.g., `type` with redirection) to create and access, and the host file itself is still visible in directory listings.

39
MCQmedium

A security administrator notices repeated failed login attempts from a single IP address targeting the SSH service. The attempts use common usernames (root, admin, test) and a list of passwords from a dictionary. What type of password attack is being conducted?

A.Rainbow table attack
B.Dictionary attack
C.Hybrid attack
D.Brute-force attack
AnswerB

Using a list of common passwords against usernames is a dictionary attack.

Why this answer

This is a dictionary attack because the attacker uses a predefined list of common usernames and passwords (a dictionary) against the SSH service. Unlike a brute-force attack that tries all possible combinations, a dictionary attack only tests likely entries from a wordlist, making it faster but limited to the dictionary's contents.

Exam trap

The trap here is confusing a dictionary attack with a brute-force attack; CEH emphasizes that a dictionary attack uses a wordlist of likely passwords, while a brute-force attack exhaustively tries all possible character combinations, regardless of likelihood.

How to eliminate wrong answers

Option A is wrong because a rainbow table attack uses precomputed hash chains to reverse hashes, not live login attempts with plaintext passwords. Option C is wrong because a hybrid attack combines dictionary words with modifications (e.g., appending numbers or symbols), but the scenario describes only a static list of passwords without any mutation. Option D is wrong because a brute-force attack systematically tries every possible character combination (e.g., aaa, aab, aac), which is far more exhaustive and computationally expensive than using a predefined wordlist.

40
MCQeasy

During a penetration test, you receive a list of password hashes from a Windows server. Which of the following tools would be BEST suited to perform a dictionary attack against these hashes?

A.Nmap
B.John the Ripper
C.Wireshark
D.Metasploit
AnswerB

John the Ripper is designed for password cracking.

Why this answer

John the Ripper is a dedicated password cracking tool that supports dictionary attacks against various hash types, including Windows NTLM hashes. It takes the list of hashes and compares them against a wordlist of candidate passwords, making it the best choice for this task.

Exam trap

EC-Council often tests the distinction between tools that capture hashes (like Metasploit's hashdump) versus tools that crack them (like John the Ripper), leading candidates to mistakenly choose Metasploit for the cracking phase.

How to eliminate wrong answers

Option A is wrong because Nmap is a network scanning tool used for port discovery and service enumeration, not for cracking password hashes. Option C is wrong because Wireshark is a packet analyzer used for network traffic inspection, not for offline hash cracking. Option D is wrong because Metasploit is an exploitation framework; while it can capture hashes via modules like psexec or hashdump, it is not designed for performing dictionary attacks against already-obtained hashes.

41
MCQhard

A Linux system has a script named 'backup' owned by root with the SUID bit set and world-executable permissions. A standard user executes the script and discovers it runs a command that reads /etc/shadow and writes output to a world-readable file. What is the most likely intended exploitation path?

A.GUID abuse
B.LD_PRELOAD injection
C.SUID abuse to read sensitive files
D.Token impersonation
AnswerC

The SUID bit makes the script run as root, so it can read /etc/shadow. Users can exploit this to get hashes.

Why this answer

Option C is correct because the SUID bit on the 'backup' script, owned by root and world-executable, allows any user to execute it with root privileges. If the script reads /etc/shadow (which is normally root-only) and writes the output to a world-readable file, an attacker can exploit this to exfiltrate password hashes. This is a classic SUID abuse scenario where a privileged binary or script is used to access sensitive files.

Exam trap

The trap here is that candidates may confuse SUID with SGID or think LD_PRELOAD works on scripts, but the key is recognizing that SUID on a root-owned executable enables privilege escalation to read /etc/shadow, while LD_PRELOAD only applies to dynamically linked binaries, not scripts.

How to eliminate wrong answers

Option A is wrong because GUID (Group ID) abuse would involve the SGID bit, which grants group-level privileges, not root-level access to /etc/shadow; the question specifies the SUID bit, not SGID. Option B is wrong because LD_PRELOAD injection requires the attacker to control environment variables and the target binary to be dynamically linked, but a script (not a compiled binary) does not honor LD_PRELOAD; it runs via an interpreter like bash, which ignores such environment overrides. Option D is wrong because token impersonation is a Windows-specific attack involving access tokens (e.g., SeImpersonatePrivilege), not applicable to Linux systems.

42
MCQmedium

A penetration tester runs the following command against a target Linux server: smbclient -L 192.168.1.10 -N. The output lists several shares including 'Admin$', 'C$', and 'IPC$'. Which of the following is the MOST likely next step for further enumeration?

A.Use enum4linux -a 192.168.1.10 to enumerate users and policies
B.Attempt to crack the administrator password using a dictionary attack
C.Perform a port scan to check for open ports
D.Run snmpwalk to retrieve SNMP community strings
AnswerA

enum4linux is a tool for SMB enumeration; -a runs all enumeration options, which is appropriate after discovering shares.

Why this answer

The `smbclient -L` command with the `-N` flag (null session) successfully lists SMB shares on the target, including administrative shares like `Admin$`, `C$`, and `IPC$`. This indicates that null session authentication is enabled, which is a classic entry point for SMB enumeration. The most logical next step is to use `enum4linux -a` to extract detailed information such as user lists, group policies, and share permissions, leveraging the same null session to deepen the enumeration without yet attempting password attacks.

Exam trap

The trap here is that candidates often jump to password cracking (Option B) or port scanning (Option C) because they assume administrative shares require credentials, but the question tests the understanding that null sessions allow further enumeration without authentication, making `enum4linux` the correct next step.

How to eliminate wrong answers

Option B is wrong because attempting a dictionary attack on the administrator password is premature at this stage; the penetration tester has not yet identified valid usernames or password policies, and null session enumeration should be exhausted first. Option C is wrong because a port scan was already implicitly performed (the tester knew to target SMB on port 445/139), and further port scanning would not leverage the null session access already obtained. Option D is wrong because `snmpwalk` is used to query SNMP MIB data, which requires SNMP community strings and is unrelated to SMB null session enumeration; it would be a separate reconnaissance step, not the immediate next step.

43
Multi-Selectmedium

Which TWO of the following tools are used for password cracking?

Select 2 answers
A.Wireshark
B.Hashcat
C.John the Ripper
D.Snmpwalk
E.Nmap
AnswersB, C

Hashcat is a GPU-accelerated password cracker.

Why this answer

Options B and D are correct. John the Ripper and Hashcat are well-known password cracking tools.

44
Multi-Selectmedium

Which TWO of the following are valid enumeration techniques? (Select 2)

Select 2 answers
A.LDAP enumeration
B.NetBIOS enumeration using nbtstat
C.ARP poisoning
D.DNS cache poisoning
E.ICMP flooding
AnswersA, B

LDAP enumeration queries directory services.

Why this answer

LDAP enumeration is a valid enumeration technique because it involves querying a Lightweight Directory Access Protocol (LDAP) service to extract information about users, groups, computers, and other objects from a directory service like Microsoft Active Directory. Attackers use tools such as ldapsearch or ADExplorer to anonymously or authenticatedly browse the directory tree, revealing usernames, group memberships, and organizational units, which are critical for planning further attacks.

Exam trap

EC-Council often tests the distinction between active reconnaissance techniques (like enumeration) and attack techniques (like ARP poisoning or DoS), so candidates mistakenly select options that are network attacks rather than information-gathering methods.

45
MCQmedium

An attacker attempts to enumerate valid email users by connecting to an SMTP server and issuing the following commands: EHLO example.com, VRFY root, VRFY admin, VRFY user1. Which SMTP enumeration technique is being used?

A.RCPT TO
B.MAIL FROM
C.EXPN
D.VRFY
AnswerD

VRFY asks the server to verify a mailbox name.

Why this answer

Option D is correct because the VRFY command is specifically designed to verify whether a mailbox exists on an SMTP server. By issuing VRFY followed by usernames (root, admin, user1), the attacker can enumerate valid email users based on the server's responses (e.g., 250 or 251 for valid, 550 for invalid). This is a classic SMTP user enumeration technique.

Exam trap

The trap here is that candidates confuse VRFY with EXPN, thinking both verify users, but EXPN expands aliases/groups while VRFY checks individual mailboxes.

How to eliminate wrong answers

Option A is wrong because RCPT TO is used to specify a recipient for a mail message during the SMTP DATA phase, not to verify user existence in isolation; it can be used for enumeration but requires a MAIL FROM first and is not the command shown. Option B is wrong because MAIL FROM identifies the sender of an email, not the recipient, and does not directly enumerate users. Option C is wrong because EXPN expands a mailing list or alias, returning membership details, not verifying individual user accounts like VRFY does.

46
MCQmedium

A security analyst is investigating a potential SMB-based attack. They notice unusual traffic on port 445 from a host running `enum4linux`. Which of the following enumeration actions could `enum4linux` perform that would generate such traffic?

A.Scanning for open ports on the target system
B.Enumerating SMB shares and user accounts
C.Performing a DNS zone transfer
D.Querying SNMP MIB values using community strings
AnswerB

enum4linux specifically enumerates SMB shares, users, groups, and other information via SMB (port 445).

Why this answer

enum4linux uses SMB and RPC calls to enumerate shares, users, groups, and other information. It can enumerate SMB shares via smbclient or rpcclient.

47
MCQmedium

During a penetration test, you need to enumerate all users and groups from a Windows domain controller. Which tool is BEST suited for this task?

A.ldapsearch
B.nbtstat
C.smbclient
D.snmpwalk
AnswerA

Correct. ldapsearch is a command-line tool for LDAP directory queries, ideal for enumerating AD users and groups.

Why this answer

ldapsearch is the best tool for enumerating users and groups from a Windows domain controller because it directly queries the Active Directory LDAP directory service (port 389 or 636 for LDAPS) using standard LDAP search filters. This allows retrieval of all user and group objects, including their attributes, without relying on NetBIOS or SMB file sharing. It is the most efficient and comprehensive method for structured directory enumeration in a domain environment.

Exam trap

The trap here is that candidates often confuse nbtstat or smbclient as tools for user enumeration because they associate them with Windows networking, but neither can query Active Directory's LDAP directory for user and group objects.

How to eliminate wrong answers

Option B (nbtstat) is wrong because it only resolves NetBIOS names to IP addresses and displays local NetBIOS name tables; it cannot enumerate users or groups from a domain controller. Option C (smbclient) is wrong because it is a file-sharing client for SMB/CIFS protocol, used to access shared files and printers, not to query directory services for user and group objects. Option D (snmpwalk) is wrong because it retrieves SNMP MIB data from network devices, which does not include Active Directory user or group information unless specifically configured with custom MIBs, which is not standard for domain controllers.

48
MCQmedium

A penetration tester runs the following Nmap command: nmap -sS -sV -O -p 22,80,443,3389 192.168.1.0/24. Which of the following BEST describes what this scan will accomplish?

A.Perform a TCP SYN scan on four ports, detect service versions, and attempt OS fingerprinting
B.Perform a full TCP connect scan with UDP service detection on all ports
C.Perform an aggressive scan of all open ports and enumerate SMB shares
D.Perform a UDP scan on the four specified ports and identify running services
AnswerA

-sS = SYN/stealth scan, -sV = version detection, -O = OS fingerprinting, -p 22,80,443,3389 = scan only these four ports. This is a targeted reconnaissance scan.

Why this answer

Option C is correct. The -sS flag performs a TCP SYN (stealth) scan, -sV detects service versions, -O attempts OS fingerprinting, and -p restricts scanning to ports 22, 80, 443, and 3389. This combination identifies open ports, service versions, and OS on the target subnet.

49
MCQmedium

In the context of privilege escalation on Windows, what is token impersonation, and which tool is commonly used to exploit it?

A.A technique to dump hashes; Hashcat
B.A technique to assume another user's security context; Incognito
C.A technique to steal session cookies; Mimikatz
D.A technique to bypass UAC; Metasploit
AnswerB

Why this answer

Token impersonation allows a process to assume the security context of another user. Tools like `incognito` can list available tokens and impersonate them, often to gain administrator privileges.

50
MCQeasy

A security analyst runs the command `nbtstat -A 192.168.1.50` in a Windows environment. What information is the analyst attempting to retrieve?

A.The current routing table on the host
B.Active network connections and listening ports
C.DNS records for the host
D.NetBIOS names and services of the remote system
AnswerD

The -A flag lists the NetBIOS name table for the specified IP address, including MAC addresses and registered names.

Why this answer

`nbtstat -A` with a target IP address displays the NetBIOS name table for that remote system, revealing computer names, logged-in users, and domain/workgroup membership.

51
MCQeasy

Which of the following is a method of hiding files on a system using steganography?

A.Encrypting a file with AES
B.Renaming a file to a system filename
C.Embedding a secret message in an image file
D.Using a rootkit to hide processes
AnswerC

Steganography hides data within cover media.

Why this answer

Option A is correct. Steganography hides data within other media like images, audio, or video.

52
MCQhard

A security analyst examines a compromised Linux server and finds a hidden directory `/usr/share/.syslog` containing a modified version of `sshd` and a log cleaner script. This is indicative of which technique used to erase tracks?

A.Token impersonation
B.DLL injection
C.Rootkit installation
D.Steganography
AnswerC

Correct. Rootkits replace system files to hide presence and log cleaners erase evidence.

Why this answer

The presence of a hidden directory containing a modified `sshd` binary and a log cleaner script is a classic sign of a rootkit installation. Rootkits replace core system binaries (like `sshd`) to maintain backdoor access and use log cleaners to erase evidence of their activity, directly aligning with the technique of erasing tracks.

Exam trap

EC-Council often tests the distinction between platform-specific techniques, and the trap here is that candidates may confuse rootkit installation with steganography because both involve 'hiding,' but steganography hides data, not system binaries or logs.

How to eliminate wrong answers

Option A is wrong because token impersonation is a Windows-specific privilege escalation technique that involves duplicating access tokens, not hiding files or modifying binaries on a Linux server. Option B is wrong because DLL injection is a Windows technique for injecting code into running processes via dynamic-link libraries, which does not apply to Linux systems that use shared objects (.so) and have no concept of DLLs. Option D is wrong because steganography hides data within other data (e.g., images or audio) and is not used to replace system binaries or clean logs to erase tracks.

53
MCQmedium

Which of the following commands would a penetration tester use to enumerate SMB shares on a target Windows machine from a Linux system?

A.ldapsearch -x -h <IP>
B.smbclient -L //<IP> -N
C.snmpwalk -v2c -c public <IP>
D.nbtstat -A <IP>
AnswerB

-L lists shares, -N uses null session.

Why this answer

smbclient -L lists SMB shares on a remote server. It is a standard SMB enumeration tool.

54
MCQhard

A security analyst is investigating a compromised Linux system. The /var/log/auth.log file appears to be truncated, and the timestamps on several binaries in /bin/ have been modified. Which of the following tools or techniques is the attacker MOST likely using to cover tracks?

A.Timestamp manipulation tool
B.Rootkit
C.Steganography
D.Log cleaner script
AnswerB

Rootkits replace system binaries and manipulate logs to hide the attacker's presence.

Why this answer

The attacker is most likely using a rootkit to cover tracks because rootkits are designed to hide malicious activity by intercepting system calls (e.g., via LD_PRELOAD or kernel modules) to hide processes, files, and network connections. The truncated auth.log and modified timestamps on binaries in /bin/ indicate the rootkit is actively tampering with system logs and file metadata to evade detection, which aligns with rootkit behavior rather than simpler tools.

Exam trap

The trap here is that candidates often confuse a simple log cleaner script (Option D) with the full capability of a rootkit, failing to recognize that only a rootkit can simultaneously hide processes, modify binary timestamps, and intercept log writes at the system call level.

How to eliminate wrong answers

Option A is wrong because timestamp manipulation tools (e.g., touch -t) can modify file timestamps but do not truncate logs or hide ongoing malicious activity; they are a one-off action, not a persistent concealment technique. Option C is wrong because steganography hides data within other files (e.g., images) and is unrelated to log truncation or binary timestamp modification; it is a data exfiltration or covert communication method, not a track-covering mechanism. Option D is wrong because a log cleaner script (e.g., logrotate abuse or sed on auth.log) can delete or truncate logs but cannot modify timestamps on system binaries or hide processes; it is a simpler tool that lacks the system-level interception capabilities of a rootkit.

55
MCQmedium

An attacker has gained access to a system and wants to erase evidence of their activities. Which of the following actions is MOST effective for covering tracks on a Windows system?

A.Disabling the Windows Firewall
B.Installing a rootkit
C.Clearing the Security event log
D.Changing the administrator password
AnswerC

Event logs contain evidence of logins and activities.

Why this answer

Clearing the Security event log (C) is the most effective action for covering tracks on a Windows system because it removes all logged security events, such as logon attempts, privilege use, and audit failures, which are the primary records that would reveal an attacker's activities. The Security log is maintained by the Windows Event Log service and is the default location for audit records under the Local Security Policy; deleting it eliminates forensic evidence of unauthorized access or changes.

Exam trap

EC-Council often tests the distinction between covering tracks (erasing evidence) and maintaining access or evading detection; the trap here is that candidates confuse installing a rootkit (which hides ongoing activity) with clearing logs (which removes past evidence), leading them to choose B instead of C.

How to eliminate wrong answers

Option A is wrong because disabling the Windows Firewall does not erase existing evidence of an attack; it only removes a network defense layer, which may actually draw attention by breaking connectivity or triggering alerts. Option B is wrong because installing a rootkit is a method for maintaining persistent access and hiding files/processes, not for erasing existing logs or evidence; it does not clear the Security event log and may itself be detected by advanced anti-rootkit tools. Option D is wrong because changing the administrator password does not delete any logged events; it only prevents the original administrator from logging in, but the Security log still contains records of the attacker's previous actions.

56
MCQhard

During a penetration test, you gain initial access to a Linux server as a low-privileged user. The target runs a vulnerable SUID binary owned by root. Which of the following is the MOST effective method to escalate privileges?

A.Perform an SMTP VRFY attack to enumerate users
B.Exploit the SUID binary to execute commands as root
C.Use enum4linux to enumerate SMB shares
D.Run 'sudo -l' to list sudo privileges
AnswerB

Exploiting a vulnerable SUID binary is a direct privilege escalation vector.

Why this answer

Option C is correct. Exploiting a vulnerable SUID binary is a classic privilege escalation technique that allows a low-privileged user to run the binary with root privileges.

57
MCQmedium

A penetration tester discovers a Linux server with the SUID bit set on the 'find' command. How could this be exploited for privilege escalation?

A.By using 'find' to delete log files
B.By using 'find' to search for files owned by root
C.By using 'find' to mount a remote share
D.By running 'find / -exec /bin/sh \;' to spawn a root shell
AnswerD

If find has SUID root, the -exec option runs commands with root privileges, spawning a root shell.

Why this answer

When the SUID bit is set on the 'find' command, it executes with the privileges of the file owner (typically root). The '-exec' option allows arbitrary command execution. Running 'find / -exec /bin/sh \;' spawns a shell with root privileges, enabling full system compromise.

Exam trap

The trap here is that candidates may think SUID only applies to obvious binaries like 'passwd' or 'sudo', but CEH tests the lesser-known fact that any binary with SUID and command execution capability (like 'find' with '-exec') can be exploited for privilege escalation.

How to eliminate wrong answers

Option A is wrong because deleting log files does not leverage the SUID bit for privilege escalation; it only removes audit trails and does not grant elevated privileges. Option B is wrong because searching for files owned by root is a normal operation that does not exploit the SUID bit to gain a root shell. Option C is wrong because 'find' does not have built-in functionality to mount remote shares; mounting requires the 'mount' command or similar utilities, and the SUID bit on 'find' does not enable network filesystem mounting.

58
MCQhard

During a penetration test, an analyst uses enum4linux with the -a flag against a target. Which of the following is the MOST comprehensive set of information that can be obtained?

A.Only the domain admins and local admins
B.User list, share list, OS information, password policy, and group memberships
C.Only the SMB shares and open sessions
D.Only the NetBIOS name table
AnswerB

-a performs all enumeration functions.

Why this answer

enum4linux with the -a flag performs a comprehensive enumeration against a target, leveraging SMB, RPC, and NetBIOS over TCP/IP. It retrieves user lists, share lists, OS information, password policy details, and group memberships by querying the remote Windows system via SMB RPC calls (e.g., SAMR, LSA, SRVSVC). This makes it the most complete set of information obtainable from a single command, as the -a flag essentially runs all available enumeration modules.

Exam trap

The trap here is that candidates often assume enum4linux -a only retrieves shares or NetBIOS data, underestimating its full scope of SMB/RPC-based enumeration that includes users, groups, OS details, and password policy.

How to eliminate wrong answers

Option A is wrong because enum4linux -a retrieves far more than just domain admins and local admins; it enumerates all users, groups, shares, OS details, and password policy, not just administrative accounts. Option C is wrong because enum4linux -a does not limit itself to SMB shares and open sessions; it also retrieves user lists, OS information, password policy, and group memberships, making this option incomplete. Option D is wrong because enum4linux -a goes well beyond the NetBIOS name table; it performs deep SMB and RPC enumeration, including user and share enumeration, which is not captured by NetBIOS alone.

59
MCQeasy

Which password cracking technique involves trying every possible combination of characters until the correct password is found?

A.Rainbow table attack
B.Dictionary attack
C.Brute force attack
D.Hybrid attack
AnswerC

Correct. Brute force tries all possible combinations.

Why this answer

A brute force attack systematically tries every possible combination of characters from a defined character set (e.g., lowercase, uppercase, digits, special symbols) until the correct password is found. This method guarantees eventual success but is computationally expensive and time-consuming, especially for long or complex passwords. It is the most exhaustive form of password cracking, as it does not rely on any precomputed data or wordlists.

Exam trap

The trap here is that candidates often confuse 'brute force' with 'dictionary attack' because both involve guessing passwords, but the key distinction is that brute force exhaustively tries all combinations while dictionary attacks rely on a precompiled list of likely passwords.

How to eliminate wrong answers

Option A is wrong because a rainbow table attack uses precomputed hash chains to reverse cryptographic hash functions, not by trying every possible character combination. Option B is wrong because a dictionary attack uses a predefined list of likely passwords (e.g., common words, leaked passwords) rather than exhaustive character-by-character guessing. Option D is wrong because a hybrid attack combines dictionary words with common mutations (e.g., appending numbers or symbols) but does not attempt every possible combination of characters.

60
MCQhard

An analyst detects an SMB enumeration attempt in network logs. Which of the following tools would MOST likely generate such traffic?

A.nmap -sT 192.168.1.1
B.enum4linux 192.168.1.1
C.snmpwalk -v 2c 192.168.1.1
D.ldapsearch -h 192.168.1.1
AnswerB

enum4linux performs extensive SMB enumeration.

Why this answer

Option B is correct. enum4linux is a tool specifically designed for SMB enumeration on Linux systems, often used to enumerate shares, users, and OS information.

61
MCQeasy

In the context of system hacking methodology (CHPSET), which phase involves removing evidence of the attacker's activities from logs and system files?

A.Spying
B.Privilege escalation
C.Erasing tracks
D.Cracking passwords
AnswerC

Erasing tracks covers evidence.

Why this answer

Erasing tracks is the final phase where attackers cover their tracks by manipulating logs, deleting files, or using rootkits.

62
MCQeasy

A system administrator wants to enumerate all users in an Active Directory domain. Which protocol and query technique should they use?

A.SNMP with public community string
B.SMB null session
C.SMTP VRFY
D.LDAP anonymous query
AnswerD

LDAP can query directory services like AD; anonymous queries may reveal basic user info if not restricted.

Why this answer

Option D is correct because LDAP anonymous queries allow unauthenticated users to query an Active Directory domain for directory information, including user enumeration. By default, AD permits anonymous LDAP binds to retrieve attributes like sAMAccountName, userPrincipalName, and group memberships, making it a standard technique for enumerating users without credentials.

Exam trap

The trap here is that candidates often confuse SMB null sessions (a deprecated attack) with LDAP anonymous queries (a current, often-valid technique), or they mistakenly think SMTP VRFY is relevant to domain user enumeration instead of email address verification.

How to eliminate wrong answers

Option A is wrong because SNMP with a public community string is used for reading device configuration and statistics, not for enumerating Active Directory users; it targets network devices, not domain user objects. Option B is wrong because SMB null sessions were a legacy Windows vulnerability that allowed unauthenticated access to shares and user lists, but this has been disabled by default since Windows 2003 SP1 and is not a reliable modern enumeration technique. Option C is wrong because SMTP VRFY is used to verify email addresses on a mail server, not to enumerate Active Directory users; it operates at the application layer for email routing, not directory services.

63
MCQhard

An attacker has compromised a Linux machine and wants to hide a rootkit by replacing system binaries with trojaned versions. Which technique is being used to maintain persistent access while evading detection?

A.Log manipulation
B.Token impersonation
C.Steganography
D.Rootkit installation via binary replacement
AnswerD

Rootkits often replace system binaries to hide malicious activity.

Why this answer

Replacing system binaries (e.g., ls, ps, netstat) with trojaned versions that hide the attacker's processes is a classic rootkit technique to cover tracks.

64
MCQmedium

During a penetration test, an analyst obtains a dump of password hashes from a Windows server. The hashes are in LM:NT format. The analyst wants to crack the NT portion using a brute-force attack on 8-character alphanumeric passwords. Which tool is BEST suited for this task?

A.Hashcat
B.John the Ripper
C.RainbowCrack
D.Ophcrack
AnswerA

Hashcat supports GPU brute-force on NTLM.

Why this answer

Hashcat is a high-performance password cracker that supports GPU-accelerated brute-force attacks on NTLM hashes.

65
MCQeasy

Which of the following tools is used to crack Windows LAN Manager (LM) and NTLM password hashes using rainbow tables?

A.RainbowCrack
B.Hashcat
C.John the Ripper
D.Hydra
AnswerA

RainbowCrack specifically uses rainbow tables for cracking.

Why this answer

RainbowCrack is a tool that uses rainbow tables (precomputed hash chains) to crack password hashes, including LM and NTLM. Ophcrack also uses rainbow tables but is specifically for LM hashes; RainbowCrack is more general.

66
MCQeasy

Which of the following tools is specifically designed to crack Windows LAN Manager (LM) and NTLM hashes using rainbow tables?

A.Hashcat
B.RainbowCrack
C.John the Ripper
D.Ophcrack
AnswerD

Ophcrack uses rainbow tables to crack LM and NTLM hashes efficiently.

Why this answer

Ophcrack is specifically designed to crack Windows LM and NTLM hashes using precomputed rainbow tables. It leverages the time-memory trade-off technique to rapidly reverse these hashes without brute-forcing, making it the correct choice for this targeted task.

Exam trap

The trap here is that candidates often confuse RainbowCrack (a generic rainbow table tool) with Ophcrack (which is specifically designed for Windows LM/NTLM hashes), leading them to select RainbowCrack despite Ophcrack being the correct answer due to its Windows-specific focus.

How to eliminate wrong answers

Option A is wrong because Hashcat is a general-purpose password recovery tool that uses GPU acceleration and supports many hash types, but it is not specifically designed for rainbow table attacks; it primarily uses brute-force, dictionary, and rule-based attacks. Option B is wrong because RainbowCrack is a generic rainbow table implementation that can crack various hash types, but it is not specifically tailored to Windows LM/NTLM hashes and lacks the integrated Windows-focused features of Ophcrack. Option C is wrong because John the Ripper is a versatile password cracking tool that supports many hash formats, but it does not natively use rainbow tables; its primary methods are dictionary and brute-force attacks.

67
Multi-Selectmedium

Which TWO techniques are commonly used for privilege escalation on Linux systems? (Select two.)

Select 2 answers
A.Kernel exploits
B.SUID/GUID abuse
C.Token impersonation
D.DLL hijacking
E.Pass-the-hash
AnswersA, B

Exploiting kernel vulnerabilities to gain root.

Why this answer

Kernel exploits (A) are a common privilege escalation technique on Linux because they target vulnerabilities in the kernel itself, allowing an attacker to execute arbitrary code with root privileges. By exploiting flaws such as buffer overflows or race conditions in kernel modules, an attacker can elevate from a low-privileged user to full root access. This is a classic method because the kernel runs with the highest system privileges, and a successful exploit bypasses all user-level security controls.

Exam trap

EC-Council often tests the distinction between Windows-specific and Linux-specific privilege escalation techniques, and the trap here is that candidates may confuse token impersonation or pass-the-hash as cross-platform methods, when they are strictly tied to Windows authentication and security models.

68
Multi-Selecteasy

Which THREE of the following are password cracking techniques? (Select 3)

Select 3 answers
A.Dictionary attack
B.Brute-force attack
C.Phishing
D.Steganography
E.Rainbow table attack
AnswersA, B, E

Uses a wordlist to guess passwords.

Why this answer

A dictionary attack is a password cracking technique where an attacker uses a precompiled list of likely passwords (a dictionary file) to attempt authentication against a target system. It relies on the fact that many users choose common words or phrases as passwords, making it effective against weak passwords but ineffective against strong, random ones.

Exam trap

The trap here is that candidates may confuse password cracking techniques with broader attack categories like social engineering (phishing) or data hiding (steganography), which are distinct concepts in the CEH exam's enumeration and system hacking domain.

69
MCQhard

An attacker successfully escalates privileges on a Windows server using a known vulnerability in the Print Spooler service (PrintNightmare). Which type of privilege escalation does this represent?

A.Local exploit in a service
B.DLL hijacking
C.SUID abuse
D.Token impersonation
AnswerA

PrintNightmare is a local exploit in the Print Spooler service.

Why this answer

PrintNightmare is a local exploit that allows an unprivileged user to gain SYSTEM privileges. It is a classic local privilege escalation vulnerability.

70
MCQmedium

An ethical hacker needs to crack a set of NTLM hashes obtained from a Windows system. Which tool would be MOST efficient for performing a dictionary attack with hybrid rules?

A.John the Ripper
B.Hashcat
C.Ophcrack
D.RainbowCrack
AnswerB

Hashcat supports GPU acceleration, hybrid attacks, and is optimized for speed.

Why this answer

Hashcat is the most efficient tool for performing a dictionary attack with hybrid rules because it is GPU-accelerated, supports the NTLM hash mode (1000), and allows the application of rule-based mutations (e.g., appending digits or special characters) directly to dictionary words. Its speed and flexibility in handling large wordlists with complex rule sets make it superior for cracking NTLM hashes in a professional penetration test.

Exam trap

EC-Council often tests the misconception that John the Ripper is the best all-around password cracker, but for GPU-accelerated hybrid dictionary attacks on NTLM hashes, Hashcat is the industry standard due to its speed and rule engine.

How to eliminate wrong answers

Option A is wrong because John the Ripper, while capable of dictionary and hybrid attacks, is primarily CPU-based and significantly slower than Hashcat for large-scale NTLM cracking, making it less efficient for this specific task. Option C is wrong because Ophcrack is designed specifically for LM and NTLM hashes using rainbow tables, not for dictionary attacks with hybrid rules; it lacks rule-based mutation capabilities. Option D is wrong because RainbowCrack is a tool for precomputed rainbow table attacks, not for dictionary attacks with hybrid rules; it requires tables to be generated beforehand and cannot apply real-time rule mutations.

71
MCQmedium

A security analyst runs 'nbtstat -A 192.168.1.105' and sees a table with the computer name 'FILESERVER' and a logged-in user 'admin'. Which of the following BEST describes the purpose of this command?

A.Perform an SNMP walk to enumerate the remote host's MIB
B.Execute a dictionary attack against the remote host's passwords
C.Enumerate all SMB shares on the remote host
D.Perform a NetBIOS name table lookup of the remote host
AnswerD

nbtstat -A displays the NetBIOS name table of the remote host, including computer and user names.

Why this answer

Option A is correct. nbtstat -A performs a NetBIOS name table lookup of a remote machine using its IP address, revealing computer names, logged-in users, and services.

72
MCQhard

After compromising a Windows system, an attacker wants to cover tracks by deleting event logs. Which command would achieve this?

A.wevtutil cl Security
B.del *.log
C.rm -rf /var/log/*
D.clear-eventlog -Log Security
AnswerA

wevtutil cl clears the specified event log.

Why this answer

The wevtutil cl Security command clears the Windows Security event log, which is a standard method for an attacker to cover tracks by removing evidence of their activities. This command is built into Windows and can be executed from the command line with administrative privileges, making it a direct and effective way to delete event logs without relying on external tools.

Exam trap

The trap here is that candidates may confuse the Windows command wevtutil with the Linux command rm -rf or the PowerShell cmdlet Clear-EventLog, assuming any log-clearing command works across platforms, but the CEH exam tests knowledge of OS-specific utilities.

How to eliminate wrong answers

Option B (del *.log) is wrong because it attempts to delete files with a .log extension, but Windows event logs are stored in a proprietary format (Evtx files) in the C:\Windows\System32\winevt\Logs directory, not as simple .log files; this command would not target the correct files and would likely fail due to permissions. Option C (rm -rf /var/log/*) is wrong because it is a Linux/Unix command for removing logs from /var/log, which does not exist on a Windows system; this reflects a confusion between operating systems. Option D (clear-eventlog -Log Security) is wrong because it is a PowerShell cmdlet, not a native command-line tool, and while it can clear logs, the question asks for a command that would achieve this, and wevtutil is the more direct and commonly used utility in CEH contexts; however, the primary reason it is incorrect here is that the correct answer is A, and D is not the standard command for this purpose in exam scenarios.

73
MCQhard

A forensic analyst finds a system where the user's password hash was obtained and cracked offline. The attacker then used stolen credentials to log in and run `wevtutil cl system`. What is the purpose of this command?

A.Remove scheduled tasks
B.Delete the SAM database
C.Disable Windows Defender
D.Clear the System event log
AnswerD

Why this answer

`wevtutil cl system` clears the System event log on Windows. This is a common technique to erase evidence of the attacker's activities.

74
Multi-Selectmedium

Which TWO tools are commonly used for password cracking against hashed passwords? (Select two.)

Select 2 answers
A.Wireshark
B.John the Ripper
C.Nmap
D.Hashcat
E.Metasploit
AnswersB, D

John is a classic password cracker.

Why this answer

John the Ripper and Hashcat are both widely used password cracking tools.

75
MCQmedium

A security analyst suspects an attacker has replaced system binaries with a rootkit to hide malicious processes. Which covering tracks technique is the attacker using?

A.Timestomping
B.Steganography
C.Rootkit installation
D.Log manipulation
AnswerC

Rootkits often replace system binaries to conceal their presence.

Why this answer

The attacker is using rootkit installation to replace system binaries (e.g., ps, ls, netstat) with trojaned versions that filter out malicious processes from system calls like readdir() or /proc listings. This is a classic covering tracks technique because the rootkit hides evidence of compromise by intercepting and modifying kernel or user-space output, making the attacker's activities invisible to standard monitoring tools.

Exam trap

EC-Council often tests the distinction between 'rootkit installation' as a covering tracks technique and 'log manipulation' as a separate method, trapping candidates who confuse hiding processes (rootkit) with hiding log entries (log manipulation).

How to eliminate wrong answers

Option A is wrong because timestomping is a technique to alter file timestamps (e.g., using touch -t or SetFileTime) to hide when files were created or modified, not to replace binaries or hide processes. Option B is wrong because steganography hides data within other media (e.g., images, audio) for covert communication, not for replacing system binaries to conceal processes. Option D is wrong because log manipulation involves deleting, modifying, or clearing log entries (e.g., using /var/log/messages or event log clearing) to remove evidence of intrusion, but it does not involve replacing system binaries to hide running processes.

Page 1 of 3 · 189 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Enumeration and System Hacking questions.