CCNA Social Engineering and Physical Security Questions

17 questions · Social Engineering and Physical Security · All types, answers revealed

Question 1 · MCQ · easy

Refer to the exhibit. An attacker gains access to the user's workstation and wants to find a file containing passwords. Which file is most likely to contain credentials?

A. User profile (C:\Users\jdoe)
B. Home directory on \\fileserver\home\jdoe
C. logon.bat script
D. Active Directory database (NTDS.dit)
Answer: C

Logon scripts may contain credentials for network resources.

Why this answer

Option C is correct because logon.bat scripts are commonly used in Windows environments to map network drives or perform startup tasks, and administrators often embed plaintext credentials in such scripts for automation. An attacker who compromises the workstation can read this batch file to extract stored passwords, making it a high-value target for credential theft.

Exam trap

EC-Council often tests the misconception that credentials are always stored in system databases like NTDS.dit or SAM, but the trap here is that attackers target easily accessible, plaintext files like logon scripts that users or administrators create for convenience.

How to eliminate wrong answers

Option A is wrong because the user profile (C:\Users\jdoe) contains personal files and settings but does not typically store credentials in plaintext; passwords are usually hashed and stored in the SAM hive, not in profile folders. Option B is wrong because the home directory on \\fileserver\home\jdoe is a network share that may contain user data but is not a default location for credential files; accessing it requires network authentication, and it is less likely to contain plaintext passwords than a local script. Option D is wrong because the Active Directory database (NTDS.dit) contains domain credential hashes, but it resides on a domain controller, not on the user's workstation, and an attacker with only local workstation access cannot directly read it without privilege escalation or network traversal.

Question 2 · Multi-Select · hard

Which TWO of the following are effective physical security controls to prevent tailgating?

Select 2 answers
A. Biometric door lock
B. Mantrap
C. CCTV cameras
D. Security guard
E. Turnstile with one-way access
Answers: B, E

A mantrap requires one person to pass through and the door to close before the next door opens, preventing tailgating.

Why this answer

A mantrap is a physical security control consisting of two interlocking doors that create a small vestibule. Only one door can be opened at a time, and the system verifies that only one person enters before allowing the second door to open. This design directly prevents tailgating by trapping unauthorized individuals who attempt to follow an authorized person through the first door.

Exam trap

The trap here is that candidates often confuse 'preventive' controls (like mantrap and turnstile) with 'detective' controls (like CCTV) or 'deterrent' controls (like security guards), leading them to select CCTV or guards as effective tailgating prevention measures.

Question 3 · MCQ · medium

A penetration tester calls an employee claiming to be from the IT help desk and asks for their password to perform a 'security update'. The employee provides the password. Which social engineering technique is being used?

A. Pretexting
B. Tailgating
C. Quid pro quo
D. Phishing
Answer: A

Pretexting uses a fabricated scenario to obtain information.

Why this answer

The attacker is fabricating a scenario (IT help desk performing a security update) to manipulate the target into revealing sensitive information. This is the essence of pretexting, where the attacker creates a false identity or situation to gain trust and extract data. Unlike phishing, which typically uses malicious links or attachments, this attack relies purely on verbal impersonation and social manipulation.

Exam trap

The trap here is that candidates confuse pretexting with phishing because both involve deception, but phishing specifically uses electronic channels (email, fake login pages) while pretexting can occur over voice or in person without any technical payload.

How to eliminate wrong answers

Option B is wrong because tailgating involves physically following an authorized person into a restricted area without their consent, not deceiving someone over the phone. Option C is wrong because quid pro quo involves offering a service or benefit in exchange for information (e.g., 'I'll fix your computer if you give me your password'), whereas here the attacker simply demands the password under a false pretense. Option D is wrong because phishing typically uses electronic communication (email, SMS, fake websites) to trick victims into clicking a link or downloading malware, not a direct phone call asking for credentials.

Question 4 · Matching · medium

Match each wireless attack to its description.


Descriptions

Exploiting weak encryption in older Wi-Fi

Rogue access point mimicking a legitimate one

Forcing clients to disconnect from AP

Intercepting the 4-way handshake for cracking

Unauthorized access to Bluetooth devices

Why these pairings

These attacks target wireless networks and devices.

Question 5 · Multi-Select · medium

Which TWO of the following are effective methods to prevent dumpster diving attacks? (Choose two.)

Select 2 answers
A. Storing all data on encrypted digital media only
B. Shredding sensitive documents before disposal
C. Using locked bins for discarded materials
D. Placing documents in recycling bins
E. Burning all discarded paper documents
Answers: B, C

Shredding renders documents unreadable.

Why this answer

Shredding sensitive documents before disposal (Option B) is effective because it physically destroys the information, making it impossible to reconstruct from discarded paper. This directly counters dumpster diving, where attackers retrieve documents to extract confidential data like passwords or network diagrams.

Exam trap

EC-Council often tests the misconception that any form of destruction (like burning) is equally acceptable, but the CEH exam emphasizes shredding and locked bins as the standard, practical controls, while burning is considered excessive and not a recommended baseline security practice.

Question 6 · MCQ · easy

Which of the following is the BEST defense against tailgating attacks in a secure facility?

A. Hiring security guards
B. Reviewing keycard access logs
C. Installing CCTV cameras
D. Implementing a mantrap at the entrance
Answer: D

Mantraps physically enforce one-person entry, preventing tailgating.

Why this answer

A mantrap is a physical security access control system consisting of two interlocking doors that create a small vestibule. Only one door can be opened at a time, and authentication (e.g., keycard + biometric) is required to pass through both. This design physically prevents an unauthorized person from following an authorized person into the facility, directly mitigating tailgating attacks by enforcing strict one-person-per-authentication entry.

Exam trap

EC-Council often tests the distinction between preventive, detective, and corrective controls; the trap here is that candidates mistake surveillance (CCTV) or logging (access logs) for active prevention, when only a mantrap provides a physical barrier that stops tailgating in real time.

How to eliminate wrong answers

Option A is wrong because hiring security guards relies on human vigilance, which is fallible and can be bypassed through distraction or social engineering, and does not provide a mechanical barrier against tailgating. Option B is wrong because reviewing keycard access logs is a detective control that identifies tailgating incidents after they occur, not a preventive defense that stops the attack in real time. Option C is wrong because installing CCTV cameras provides surveillance and evidence but does not physically prevent an unauthorized person from entering behind an authorized person; it is a passive monitoring control, not an active access control.

Question 7 · Multi-Select · medium

An organization is implementing a social engineering defense program. Which TWO measures are most effective in reducing the risk of phishing attacks? (Choose two.)

Select 2 answers
A. Implement strong password policies with multi-factor authentication.
B. Enforce regular software updates and patch management.
C. Conduct regular security awareness training for all employees.
D. Deploy network segmentation and access control lists.
E. Install advanced email filtering and anti-malware solutions.
Answers: C, E

Training helps users identify and report phishing attempts.

Why this answer

Option C is correct because regular security awareness training directly addresses the human factor in phishing attacks. Employees learn to identify suspicious emails, avoid clicking malicious links, and report incidents promptly, which is critical since technical controls alone cannot prevent all phishing attempts. This training reinforces behaviors like verifying sender addresses and not bypassing security protocols, reducing the likelihood of successful social engineering.

Exam trap

The trap here is that candidates often confuse technical controls (like MFA or patching) with social engineering defenses, failing to recognize that phishing primarily exploits human behavior, not system vulnerabilities, so the most effective measures are those that address the human element and the delivery channel (email).

Question 8 · Drag & Drop · medium

Drag and drop the steps to perform a successful social engineering attack in a penetration test into the correct order.


Why this order

Research, craft pretext, choose channel, execute, document.

Question 9 · Multi-Select · hard

Which THREE of the following are common indicators of a social engineering attack? (Choose three.)

Select 3 answers
A. The communication includes verifiable contact information
B. The sender uses a generic greeting like 'Dear Customer'
C. The communication creates a sense of urgency
D. The message contains spelling or grammatical errors
E. The request comes from someone claiming to be in authority
Answers: C, D, E

Attackers often pressure targets to act quickly.

Why this answer

Option C is correct because social engineers frequently fabricate a sense of urgency to bypass the victim's rational decision-making. By claiming an immediate deadline or threat (e.g., 'Your account will be locked in 24 hours'), the attacker pressures the target into acting without verifying the request, a tactic rooted in the psychological principle of scarcity.

Exam trap

The trap here is that candidates mistake generic greetings (Option B) as a definitive indicator, when in fact the CEH emphasizes that urgency, authority, and errors are the three most reliable technical indicators of a social engineering attempt.

Question 10 · MCQ · medium

An employee receives an email that appears to be from the CEO, asking the employee to urgently wire funds to a vendor. The email address is slightly misspelled. What type of social engineering attack is this?

A. Pharming
B. Spear phishing
C. Whaling
D. Vishing
Answer: C

Whaling targets senior executives or impersonates them.

Why this answer

This is a whaling attack because it specifically targets a high-profile individual (the CEO) to deceive another employee into performing a financial action. The slight misspelling of the email address is a classic whaling technique, as the attacker impersonates a senior executive to exploit authority and urgency. Unlike generic phishing, whaling focuses on C-level executives or decision-makers.

Exam trap

EC-Council often tests the distinction between spear phishing and whaling by emphasizing that whaling specifically targets senior executives, while spear phishing can target any individual or role within an organization.

How to eliminate wrong answers

Option A is wrong because pharming redirects users from legitimate websites to fraudulent ones by manipulating DNS or host files, not by sending deceptive emails. Option B is wrong because spear phishing targets a specific individual or organization but does not necessarily involve impersonating a senior executive; the key differentiator here is the impersonation of the CEO, which is the hallmark of whaling. Option D is wrong because vishing (voice phishing) uses phone calls or voice messages, not email, to trick victims.

Question 11 · MCQ · hard

You are a security consultant hired by a mid-sized company with 500 employees. The company has a central office with a lobby, reception, and two secure areas: the server room (requires keycard and PIN) and the executive floor (requires keycard only). Recently, employees have reported seeing unfamiliar people in restricted areas. Security logs show keycard access for the server room only during business hours, but no anomalies. However, the executive floor logs show multiple entries by a single employee, John from Sales, at odd hours. John claims he was working late. The company has a policy that all employees must wear ID badges visibly. You observe that employees often hold doors open for colleagues, and the receptionist does not verify visitor badges. Which of the following actions should you recommend FIRST to address the most likely attack vector?

A. Investigate John's activities and consider disciplinary action
B. Upgrade keycard readers to biometric scanners
C. Implement mantraps and enforce a policy of one person per keycard entry
D. Install additional CCTV cameras in hallways
Answer: C

Mantraps physically prevent tailgating, addressing the most likely attack vector.

Why this answer

The most likely attack vector is tailgating (piggybacking), where unauthorized individuals gain physical access by following an authorized employee through a secured door without using their own credentials. Option C directly addresses this by implementing mantraps (a small room with two interlocking doors that only allows one person to pass at a time) and enforcing a strict one-person-per-keycard-entry policy, which physically prevents tailgating. This is the first and most effective control because it mitigates the root cause—social engineering exploiting human courtesy—rather than focusing on symptoms like John's after-hours access or adding surveillance that doesn't prevent the act.

Exam trap

EC-Council often tests the distinction between authentication (e.g., biometrics) and access control (e.g., mantraps), and the trap here is that candidates confuse improving credential verification with preventing the social engineering technique of tailgating, leading them to choose a more expensive but ineffective solution like biometric readers.

How to eliminate wrong answers

Option A is wrong because investigating John's activities focuses on a single employee's behavior (which may be legitimate) rather than addressing the systemic vulnerability of tailgating that allows unfamiliar people into restricted areas. Option B is wrong because upgrading to biometric scanners improves authentication but does not prevent tailgating; an unauthorized person can still follow an authenticated employee through the door after the biometric scan. Option D is wrong because installing additional CCTV cameras only provides passive monitoring and evidence collection after an incident, not active prevention of the tailgating attack vector.

Question 12 · MCQ · medium

A penetration tester is assessing an organization's physical security. The tester wants to gain unauthorized access to a secured server room that uses a biometric fingerprint scanner. Which of the following techniques would be MOST effective for bypassing the biometric scanner?

A. Shoulder surfing the authorized user's fingerprint pattern
B. Picking the lock on the server room door
C. Using a gelatin mold of an authorized user's fingerprint
D. Tailgating behind an authorized employee
Answer: C

Gelatin molds can create replicas of fingerprints that may be accepted by some scanners.

Why this answer

Option C is correct because gelatin molds can replicate the exact ridge and valley patterns of a fingerprint, which many capacitive and optical fingerprint scanners read. This bypasses the biometric authentication without requiring the user's cooperation, making it the most direct method to defeat the scanner itself.

Exam trap

The trap here is that candidates often choose tailgating (Option D) as the easiest social engineering method, but the question specifically asks for bypassing the biometric scanner, not the door lock or human controls.

How to eliminate wrong answers

Option A is wrong because shoulder surfing captures only a visual pattern, not the three-dimensional ridge details or capacitance differences needed to spoof a fingerprint scanner. Option B is wrong because picking the lock bypasses the door lock but does not address the biometric scanner, which would still need to be defeated to gain access. Option D is wrong because tailgating relies on following an authorized person through the door, but it does not bypass the biometric scanner itself and may be prevented by mantraps or security awareness.

Question 13 · MCQ · hard

A security auditor is assessing the physical security of a corporate office building that houses a data center. The building has a single main entrance with a reception desk staffed during business hours (8 AM to 6 PM). After hours, employees use a keycard reader to access the building. The data center itself requires a separate keycard and a 6-digit PIN. The auditor notices that during lunch hours (12-1 PM), the reception desk is often unattended, and employees frequently hold the door for others to avoid using their keycard. Additionally, a recent social engineering test revealed that an attacker was able to call the help desk, claim to be a new employee, and request a password reset, which was granted without proper verification. Based on this scenario, which of the following is the MOST effective combination of controls to mitigate both the physical and social engineering weaknesses?

A. Install a mantrap at the main entrance and require two-factor authentication for the data center door.
B. Install a mantrap at the main entrance and require multi-factor authentication (MFA) for all password reset requests.
C. Deploy security guards at the entrance 24/7 and implement a policy that all visitors must be escorted.
D. Implement a callback verification process for all password reset requests and require a manager approval.
Answer: B

Mantrap prevents physical tailgating; MFA on password resets mitigates social engineering.

Why this answer

Option B is correct because it addresses both weaknesses: a mantrap prevents tailgating at the main entrance (physical security), and requiring MFA for password reset requests mitigates the social engineering attack by adding an authentication factor beyond just a phone call. This combination directly counters the observed vulnerabilities—unattended reception and weak identity verification—without over-engineering or leaving gaps.

Exam trap

The trap here is that candidates focus on the most obvious single weakness (e.g., tailgating or password reset) and choose a control that only fixes that one, missing the requirement for a combination that addresses both physical and social engineering flaws simultaneously.

How to eliminate wrong answers

Option A is wrong because while a mantrap stops tailgating, requiring two-factor authentication only for the data center door does nothing to prevent the social engineering attack on the help desk (password reset). Option C is wrong because deploying 24/7 guards and an escort policy is costly and does not address the social engineering weakness; the attacker called the help desk, not the physical entrance. Option D is wrong because a callback verification process and manager approval only address the social engineering vector, leaving the physical tailgating problem during lunch hours completely unmitigated.

Question 14 · MCQ · hard

Refer to the exhibit. A security analyst reviews the firewall log and notices that user jdoe accessed a file server via SMB (port 445) from an internal IP (10.0.0.45) that is not the usual file server subnet. Which type of social engineering attack is most likely being attempted?

A. Phishing
B. Vishing
C. Tailgating
D. Baiting
Answer: C

Tailgating allows an attacker to physically enter a secured area and connect to the internal network from an unauthorized IP.

Why this answer

The firewall log shows user jdoe accessing a file server via SMB (port 445) from an internal IP (10.0.0.45) that is not on the usual file server subnet. This indicates the attacker has physically entered the building or restricted area by following an authorized person (tailgating) and then connected a rogue device to the internal network to perform lateral movement. Tailgating is the social engineering attack that relies on gaining physical access by exploiting trust or courtesy, which aligns with the unauthorized internal IP and SMB activity.

Exam trap

The trap here is that candidates see SMB and internal IP and immediately think of a technical attack like phishing or baiting, but the key clue is the physical access implied by the unusual subnet, which points to tailgating as the social engineering vector.

How to eliminate wrong answers

Option A is wrong because phishing involves sending deceptive emails or messages to trick users into revealing credentials or installing malware, not physically accessing a network and using SMB from an unusual internal IP. Option B is wrong because vishing (voice phishing) uses phone calls to extract sensitive information, not physical intrusion or network-level SMB connections. Option D is wrong because baiting involves offering something enticing (e.g., infected USB drives) to lure victims, not directly following someone into a restricted area to gain network access.

Question 15 · MCQ · hard

During a social engineering engagement, a tester calls the help desk posing as an employee from the IT department. The tester claims to be working on a critical system update and needs the employee's password to proceed. Which type of social engineering attack is being executed?

A. Quid pro quo
B. Baiting
C. Pretexting
D. Phishing
Answer: C

Pretexting involves creating a false identity or scenario to extract information.

Why this answer

Pretexting involves creating a fabricated scenario (pretext) to manipulate a target into divulging information. In this case, the tester falsely claims to be from the IT department working on a critical system update, which is a classic pretext to gain trust and obtain the employee's password. This differs from other social engineering types because it relies on a constructed identity and false narrative rather than a technical lure or direct exchange.

Exam trap

The trap here is that candidates confuse pretexting with phishing because both involve deception, but phishing specifically refers to electronic communication (email, SMS) while pretexting can occur over the phone or in person, and the CEH exam tests this distinction by presenting a phone call scenario without any digital lure.

How to eliminate wrong answers

Option A is wrong because quid pro quo involves offering a service or benefit in exchange for information (e.g., 'I'll fix your computer if you give me your password'), not simply claiming a false identity. Option B is wrong because baiting uses a physical or digital lure (e.g., infected USB drive or free download) to entice the victim, not a fabricated story. Option D is wrong because phishing is a mass-deceptive technique using electronic communication (e.g., email, SMS) to trick victims into clicking malicious links or providing credentials, not a direct phone call with a crafted pretext.

Question 16 · MCQ · hard

Refer to the exhibit. A security analyst runs ping and arp commands. What is the most likely attack occurring?

A. Distributed denial of service (DDoS) attack
B. MAC flooding attack
C. ARP spoofing attack
D. Ping flood attack
Answer: C

Duplicate MAC addresses for different IPs indicate ARP spoofing.

Why this answer

The correct answer is C because the combination of `ping` and `arp` commands reveals an ARP spoofing attack. The `arp -a` output shows the same MAC address (00-11-22-33-44-55) mapped to multiple IP addresses (192.168.1.1 and 192.168.1.2), which is a classic indicator of ARP cache poisoning. The `ping` commands confirm that both IPs are reachable, but the duplicate MAC entry proves an attacker is intercepting traffic by associating their MAC with multiple IPs.

Exam trap

The trap here is that candidates confuse MAC flooding (which targets switch CAM tables) with ARP spoofing (which targets host ARP caches), but the exhibit's `arp -a` output showing multiple IPs for one MAC is the definitive sign of ARP cache poisoning, not a switch-level attack.

How to eliminate wrong answers

Option A is wrong because a DDoS attack would overwhelm the target with traffic from multiple sources, not cause duplicate MAC entries in the ARP cache. Option B is wrong because a MAC flooding attack fills the switch's CAM table with fake MAC addresses to force it into hub mode, but the exhibit shows ARP table entries, not switch behavior or CAM table overflow. Option D is wrong because a ping flood attack sends a high volume of ICMP echo requests to consume bandwidth, but the exhibit shows only a few ping replies and no indication of resource exhaustion or abnormal traffic volume.

Question 17 · MCQ · easy

You are a security consultant for a mid-sized company with 500 employees. The company has a secure data center with a biometric access control system. Recently, a contractor was able to enter the data center without authorization by claiming he forgot his badge and an employee held the door for him. The contractor then accessed sensitive servers and exfiltrated data. The company wants to prevent such incidents. Which physical security control would be most effective in preventing this type of attack?

A. Install CCTV cameras to monitor the entrance.
B. Require employees to wear RFID badges at all times.
C. Implement a mantrap with biometric and badge authentication.
D. Hire additional security guards at the entrance.
Answer: C

Mantraps physically prevent tailgating by requiring one person at a time.

Why this answer

Option C is correct because a mantrap with biometric and badge authentication enforces strict two-person authentication: both the contractor and the employee must independently authenticate before the mantrap doors unlock. This prevents tailgating (piggybacking) by ensuring only one person enters per authentication cycle, eliminating the social engineering vector where an employee holds the door for an unauthorized individual.

Exam trap

The trap here is that candidates often choose CCTV or guards because they seem like obvious physical security measures, but the question specifically targets tailgating/piggybacking, which only a mantrap with dual authentication can reliably prevent.

How to eliminate wrong answers

Option A is wrong because CCTV cameras are passive monitoring tools; they do not prevent unauthorized entry, only record it after the fact, and cannot stop tailgating in real time. Option B is wrong because requiring RFID badges at all times does not prevent an employee from holding the door for an unauthorized person; badges alone cannot enforce one-person-per-entry. Option D is wrong because additional security guards can still be socially engineered or fail to notice tailgating, and guards introduce human error and cost without the deterministic access control of a mantrap.
