CCNA CEH Advanced Topics Questions

75 of 129 questions · Page 1/2 · Topic: CEH Advanced Topics

1 · MCQ · easy

Which of the following cryptographic algorithms is classified as asymmetric?

A. RSA
B. 3DES
C. SHA-256
D. AES
Answer: A

RSA is an asymmetric cryptosystem using public/private key pairs.

Why this answer

RSA (Rivest–Shamir–Adleman) is a public-key cryptosystem that uses a pair of keys (public and private) for encryption and digital signatures, making it an asymmetric algorithm. Unlike symmetric ciphers, RSA relies on the mathematical difficulty of factoring large numbers that are the product of two large primes to secure communications.

Exam trap

The trap here is that candidates confuse 'asymmetric' with 'symmetric' algorithms or mistakenly classify hash functions (like SHA-256) as encryption, when in fact asymmetric algorithms always involve a key pair (public/private) and RSA is the classic example tested on the CEH exam.

How to eliminate wrong answers

Option B (3DES) is wrong because it is a symmetric block cipher that uses the same key for both encryption and decryption, operating on 64-bit blocks with a key size of 168 bits (effective). Option C (SHA-256) is wrong because it is a cryptographic hash function, not an encryption algorithm; it produces a fixed 256-bit digest and is used for integrity verification, not confidentiality. Option D (AES) is wrong because it is a symmetric encryption algorithm standardized by NIST, using the same secret key for both encryption and decryption, with block sizes of 128 bits and key sizes of 128, 192, or 256 bits.

2 · Multi-Select · medium

Which THREE of the following are common IoT attack vectors?

Select 3 answers
A. Default credentials
B. SQL injection
C. Insecure protocols (MQTT, CoAP)
D. Firmware reversing
E. ARP spoofing
Answers: A, C, D

Many IoT devices use default usernames/passwords.

Why this answer

Default credentials, insecure protocols, and firmware reversing are common IoT attack vectors.

3 · Multi-Select · hard

Which THREE of the following are valid defenses against WPA2 attacks? (Select three)

Select 3 answers
A. Disable WPS
B. Implement 802.1X/EAP with RADIUS
C. Use WEP instead of WPA2
D. Enable WPA2-Mixed mode
E. Use a strong, complex pre-shared key
Answers: A, B, E

WPS PIN brute-force is a common attack vector; disabling it removes that risk.

Why this answer

Using a strong passphrase makes dictionary attacks harder. 802.1X/EAP provides enterprise authentication. Disabling WPS removes the PIN brute-force vector. WPA2-Mixed mode still allows TKIP clients, reducing security.

4 · MCQ · medium

A security team is evaluating wireless security for a corporate network. They want to implement the strongest current encryption standard for Wi-Fi. Which of the following should they choose?

A. WEP with 128-bit key
B. WPA2 with CCMP
C. 802.1X with EAP-TLS
D. WPA3 with SAE
Answer: D

Correct: WPA3 is the most secure Wi-Fi standard.

Why this answer

WPA3 is the latest Wi-Fi security standard, offering stronger encryption with SAE (Simultaneous Authentication of Equals) and replacing WPA2.

5 · MCQ · medium

An IoT device uses MQTT protocol with default credentials 'admin/admin' and no TLS encryption. An attacker on the same network captures MQTT packets and extracts sensor data. Which two vulnerabilities are being exploited? (Choose the best combination)

A. Buffer overflow and command injection
B. Default credentials and cleartext communication
C. Insecure firmware and hardcoded backdoor
D. Weak encryption and replay attack
Answer: B

Default credentials allow easy access, and no TLS means traffic is sent in cleartext, enabling packet capture and data extraction.

Why this answer

The use of default credentials and lack of encryption (no TLS) are the vulnerabilities. MQTT itself is not insecure when properly configured; the issues are weak authentication and cleartext communication.

6 · MCQ · medium

A security engineer wants to ensure that a wireless network uses the most secure encryption available. Which of the following should be configured on the access point?

A. WEP
B. WPA3
C. WPA2 with TKIP
D. WPA2 with AES
Answer: B

WPA3 is the current strongest standard.

Why this answer

WPA3 is the latest Wi-Fi security standard, providing stronger encryption (GCMP-256) and protection against dictionary attacks via SAE.

7 · MCQ · easy

A security analyst captures a WPA2 4-way handshake using airodump-ng. Which tool would they use to perform a dictionary attack on the captured handshake to recover the PSK?

A. Reaver
B. aircrack-ng
C. Hydra
D. John the Ripper
Answer: B

aircrack-ng is designed to crack WEP and WPA/WPA2 PSK from captured handshake files.

Why this answer

The correct answer is aircrack-ng, which is the standard tool for cracking WPA2 PSK from a captured handshake using a dictionary file.

8 · MCQ · medium

An attacker sets up a fake access point with the same SSID as a legitimate corporate network. Clients connecting to this AP are prompted to enter their network credentials. Which type of attack is this?

A. Replay attack
B. Evil twin attack
C. WPS PIN attack
D. De-authentication attack
Answer: B

Evil twin replicates a legitimate SSID to trick users into connecting.

Why this answer

The attack is an evil twin attack, where a rogue AP mimics a legitimate one to capture credentials or perform man-in-the-middle.

9 · MCQ · medium

An IoT device uses the MQTT protocol without TLS. A security tester connects to the broker and subscribes to all topics using '#'. What is the tester MOST likely able to accomplish?

A. Perform a denial of service on the broker
B. Eavesdrop on all MQTT communications
C. Inject malicious control commands
D. Replay previously captured messages
Answer: B

By subscribing to '#' (wildcard), the tester receives all messages published to the broker, enabling full eavesdropping.

Why this answer

MQTT without encryption allows anyone to subscribe to topics. Subscribing to '#' captures all messages, leading to interception of sensitive data. This is a passive eavesdropping attack, not active manipulation like replay or injection.

10 · MCQ · medium

A penetration tester executes the following command: 'reaver -i wlan0mon -b 00:11:22:33:44:55 -vv'. Which attack is being performed?

A. WEP IV attack
B. Evil twin attack
C. De-authentication attack
D. WPS PIN brute-force attack
Answer: D

Reaver performs brute-force attacks against the WPS PIN to recover the PSK.

Why this answer

Reaver is a tool used for brute-forcing WPS PINs to recover the WPA/WPA2 pre-shared key. The command specifies the interface and BSSID, indicating a WPS attack.

11 · Multi-Select · medium

Which TWO of the following are common attack vectors against IoT devices? (Select 2)

Select 2 answers
A. Default credentials
B. Firmware extraction via JTAG
C. Insecure protocols like MQTT without encryption
D. Replay attacks on encrypted sessions
E. SQL injection
Answers: A, C

Many IoT devices ship with default usernames/passwords that remain unchanged.

Why this answer

Default credentials and insecure protocols (e.g., MQTT without TLS) are common IoT attack vectors; firmware extraction is a technique, not a vector; SQL injection is more common in web apps; replay attacks can occur but are not specific to IoT.

12 · MCQ · medium

Which of the following is a cryptographic attack that exploits collisions in hash functions?

A. Dictionary attack
B. Downgrade attack
C. Birthday attack
D. Replay attack
Answer: C

The birthday attack finds collisions in hash functions.

Why this answer

A birthday attack exploits the birthday paradox to find two different inputs that produce the same hash output (collision).

13 · Multi-Select · medium

Which THREE of the following are characteristics of asymmetric encryption?

Select 3 answers
A. Uses a single shared key for both encryption and decryption
B. Supports digital signatures
C. Provides key exchange without prior shared secret
D. Involves a public key and a private key
E. Typically faster than symmetric encryption
Answers: B, C, D

Private key signing and public key verification enable digital signatures.

Why this answer

Asymmetric encryption uses two keys (public/private), provides key exchange, and supports digital signatures.

14 · MCQ · medium

During a penetration test, a tester captures a WPA2 4-way handshake. Which of the following is the NEXT step to attempt to recover the Wi-Fi passphrase?

A. Use aircrack-ng to crack the WEP key from the handshake
B. Run a dictionary attack using aircrack-ng with a wordlist
C. Brute-force the WPS PIN using Reaver
D. De-authenticate the client from the network again to capture another handshake
Answer: B

Correct. The handshake is used to attempt offline password cracking against a wordlist.

Why this answer

After capturing the handshake, the tester must perform a dictionary attack against the handshake file. Tools like aircrack-ng or hashcat can compare the handshake against a wordlist of potential passphrases.

15 · MCQ · medium

During a penetration test, an ethical hacker runs the following command: aireplay-ng -0 5 -a 00:11:22:33:44:55 -c 66:77:88:99:AA:BB wlan0mon. What is the immediate effect of this command?

A. It performs a WEP injection attack to generate traffic
B. It cracks the pre-shared key using a dictionary
C. It forces the client to disconnect and reconnect, capturing the WPA handshake
D. It initiates a brute force attack on the WPS PIN
Answer: C

Deauthentication attack (aireplay-ng -0) disconnects a client; reconnection allows capture of the 4-way handshake.

Why this answer

The -0 flag sends deauthentication packets to force a client to reconnect, enabling capture of the WPA handshake.

16 · MCQ · hard

An IoT device uses the MQTT protocol without TLS. An attacker on the same network captures messages and publishes a fake temperature reading. Which attack is being executed?

A. Replay attack
B. Firmware reversing attack
C. Man-in-the-middle attack
D. Denial of service attack
Answer: C

The attacker intercepts and injects messages, which is MITM on an unencrypted MQTT session.

Why this answer

MQTT over plain TCP allows message interception and injection (man-in-the-middle) because no encryption or authentication is enforced.

17 · MCQ · easy

What is the primary purpose of the 4-way handshake in WPA/WPA2-Personal?

A. To establish encryption keys without transmitting the pre-shared key
B. To authenticate the user with a username and password
C. To synchronize the beacon intervals between client and AP
D. To exchange digital certificates between client and AP
Answer: A

The handshake derives keys from the PSK without sending the PSK itself.

Why this answer

The 4-way handshake confirms that both client and AP possess the pre-shared key (PSK) without exposing it, and generates temporal keys for encryption.

18 · Multi-Select · medium

Which TWO of the following are common attack vectors against IoT devices? (Select TWO.)

Select 2 answers
A. Default credentials left unchanged
B. Regular firmware updates
C. Insecure protocols such as plaintext MQTT
D. Use of strong encryption protocols
E. Use of certificate-based authentication
Answers: A, C

Many IoT devices ship with default usernames/passwords that users fail to change.

Why this answer

IoT devices often have default credentials that are not changed, and they use insecure protocols like MQTT without encryption. These are common entry points for attackers.

19 · MCQ · hard

An analyst notices that a cloud application is vulnerable to Server-Side Request Forgery (SSRF). Which of the following is the MOST effective mitigation against SSRF attacks in a cloud environment?

A. Implement strict input validation on all user-supplied URLs
B. Block outbound traffic to internal IP ranges except through a configured forward proxy
C. Disable the use of external URLs in application features
D. Use a web application firewall (WAF) with SSRF signatures
Answer: B

This prevents the application from reaching internal services like the metadata endpoint, directly mitigating SSRF.

Why this answer

Restricting the application from making requests to internal IP ranges (e.g., 169.254.169.254 is the AWS metadata endpoint) is a key defense against SSRF.

20 · MCQ · medium

A security analyst observes repeated de-authentication packets targeting clients on a corporate Wi-Fi network. What is the MOST likely goal of the attacker?

A. To perform a denial-of-service attack and disrupt all wireless connectivity
B. To capture the WPA2 4-way handshake for offline password cracking
C. To install malware on the client devices
D. To exploit a vulnerability in the RADIUS server
Answer: B

De-auth forces reconnection, enabling capture of the handshake if the attacker is running airodump-ng.

Why this answer

De-authentication attacks force clients to reconnect, allowing the attacker to capture the 4-way handshake for offline cracking of the PSK.

21 · Multi-Select · easy

Which TWO of the following are cloud-specific security threats?

Select 2 answers
A. SQL injection
B. De-authentication attack
C. ARP spoofing
D. S3 bucket misconfiguration
E. SSRF in cloud
Answers: D, E

Misconfigured S3 buckets can expose data publicly.

Why this answer

S3 bucket misconfiguration is a cloud-specific threat because it involves improper access control settings on Amazon S3 storage, such as public read/write permissions, which can lead to data exposure or unauthorized access. This threat is unique to cloud environments where object storage is managed via APIs and IAM policies, unlike traditional on-premises storage.

Exam trap

EC-Council often tests the distinction between general web/network attacks and those that exploit cloud-specific features like metadata services or object storage permissions, leading candidates to mistakenly classify SQL injection or ARP spoofing as cloud threats.

22 · MCQ · easy

A security analyst captures a WPA2 4-way handshake using airodump-ng. Which tool would they most likely use next to attempt to crack the PSK using a wordlist?

A. John the Ripper
B. ScoutSuite
C. Aircrack-ng
D. Reaver
Answer: C

Correct tool for dictionary-based cracking of WPA2 handshakes.

Why this answer

Aircrack-ng is the standard tool for cracking WEP/WPA keys from captured packets, including WPA2 handshakes using a dictionary attack.

23 · MCQ · medium

A security analyst notices that after a user connects to a corporate Wi-Fi network, all HTTP traffic is redirected to a fake login page that captures credentials. The analyst suspects a rogue access point. Which attack is most likely being used to force client connections to the rogue AP?

A. Evil twin attack using a stronger signal
B. WPA2 dictionary attack on the handshake
C. WPS PIN brute-force attack
D. De-authentication attack followed by evil twin
Answer: D

De-auth packets disconnect clients; they then connect to the rogue AP (evil twin) which serves a fake login page.

Why this answer

De-authentication packets force clients to disconnect from the legitimate AP, after which they may automatically reconnect to a rogue AP with the same SSID. Evil twin is the fake AP, but the mechanism to disconnect clients is de-authentication.

24 · MCQ · easy

Which tool is specifically designed to assess the security configuration of AWS, Azure, and GCP cloud environments by scanning for misconfigurations in services like S3, IAM, and EC2?

A. ScoutSuite
B. Pacu
C. Reaver
D. Aircrack-ng
Answer: A

ScoutSuite scans cloud infrastructure for security misconfigurations across AWS, Azure, and GCP.

Why this answer

ScoutSuite is an open-source multi-cloud security auditing tool that checks for misconfigurations across AWS, Azure, and GCP. Pacu is an AWS exploitation framework; Aircrack-ng is for wireless; Reaver is for WPS.

25 · MCQ · easy

In PKI, what is the primary role of a Certificate Authority (CA)?

A. To issue and digitally sign certificates
B. To revoke user passwords
C. To generate random session keys
D. To encrypt data between client and server
Answer: A

This is the core function of a CA.

Why this answer

A CA issues and signs digital certificates, validating the identity of certificate requestors.

26 · MCQ · easy

Which wireless security standard introduced in 2018 uses Simultaneous Authentication of Equals (SAE) to replace the pre-shared key exchange in WPA2, providing forward secrecy and resistance to offline dictionary attacks?

A. WPA3
B. 802.1X/EAP
C. WEP
D. WPA2
Answer: A

WPA3 introduces SAE (Simultaneous Authentication of Equals), providing forward secrecy and resistance to offline dictionary attacks.

Why this answer

WPA3 uses SAE (Dragonfly handshake) to provide forward secrecy and protect against offline dictionary attacks. WPA2 used PSK which is vulnerable to dictionary attacks. WEP and 802.1X are older or different.

27 · MCQ · easy

Which of the following cryptographic algorithms is classified as asymmetric?

A. RC4
B. 3DES
C. AES
D. RSA
Answer: D

Correct: RSA is asymmetric, using public and private keys.

Why this answer

RSA is an asymmetric algorithm using a public/private key pair. AES, 3DES, and RC4 are symmetric algorithms.

28 · Multi-Select · medium

Which TWO tools are specifically designed for cloud security auditing and exploitation? (Choose two.)

Select 2 answers
A. ScoutSuite
B. Nessus
C. Aircrack-ng
D. Nmap
E. Pacu
Answers: A, E

ScoutSuite is a multi-cloud security auditing tool.

Why this answer

ScoutSuite is an open-source multi-cloud security-auditing tool that assesses the security posture of AWS, Azure, and GCP environments by checking for misconfigurations, excessive permissions, and compliance violations. Pacu is an AWS exploitation framework designed for offensive security testing, allowing penetration testers to enumerate resources, escalate privileges, and execute post-exploitation modules against cloud accounts. Both tools are purpose-built for cloud security auditing and exploitation, making them the correct choices.

Exam trap

EC-Council often tests the distinction between general-purpose security tools (Nessus, Nmap) and cloud-specific frameworks (ScoutSuite, Pacu), expecting candidates to recognize that tools like Aircrack-ng are strictly for wireless, not cloud, environments.

29 · MCQ · hard

A security analyst captures network traffic and sees the following: Client sends a SYN, server responds with SYN-ACK, then client sends ACK. Immediately after, the client sends an encrypted payload. This traffic is consistent with which phase of a WPA2 attack?

A. De-authentication attack
B. WPA2 4-way handshake exchange
C. WPS PIN exchange
D. WEP initialization vector capture
Answer: B

The sequence matches the 4-way handshake: first two messages (nonces) then third (encrypted GTK) and fourth (ACK).

Why this answer

The TCP handshake shown is for the 4-way handshake messages: first two messages (AP nonce and supplicant nonce) are exchanged, then the third message is the encrypted GTK, followed by ACK. The encrypted payload indicates the handshake is complete.

30 · MCQ · medium

In the cloud shared responsibility model, which of the following is typically the responsibility of the customer when using AWS EC2 (IaaS)?

A. Configuring security groups and firewall rules
B. Patching the hypervisor
C. Network infrastructure redundancy
D. Physical security of data centers
Answer: A

Security groups are a customer-configurable virtual firewall.

Why this answer

AWS is responsible for the physical host and network infrastructure; the customer manages the guest OS, applications, and security groups.

31 · Multi-Select · hard

Which THREE of the following are common attack vectors against IoT devices? (Choose three.)

Select 3 answers
A. Firmware reversing
B. Container escape
C. SQL injection
D. Default credentials
E. Insecure protocols (e.g., MQTT, CoAP)
Answers: A, D, E

Reverse engineering firmware can reveal vulnerabilities and backdoors.

Why this answer

Default credentials, insecure protocols like MQTT, and firmware reversing are all common IoT attack vectors. SQL injection is more typical for web applications.

32 · MCQ · easy

Which of the following cryptographic algorithms is classified as asymmetric?

A. RC4
B. 3DES
C. RSA
D. AES
Answer: C

RSA is asymmetric, using public/private key pairs.

Why this answer

Asymmetric cryptography uses key pairs (public and private). RSA is a well-known asymmetric algorithm. AES, 3DES, and RC4 are symmetric algorithms.

33 · MCQ · medium

During a penetration test, a tester captures the WPA2 4-way handshake with airodump-ng and then uses aircrack-ng with a wordlist. However, the PSK is not found. Which of the following is the MOST likely reason?

A. Aircrack-ng does not support WPA2 cracking
B. The handshake was not captured correctly
C. The wordlist does not contain the PSK
D. The network uses WPA3 instead of WPA2
Answer: C

Dictionary attacks only succeed if the password is in the wordlist.

Why this answer

If the PSK is not in the wordlist, dictionary attacks will fail. Other steps (capture, cracking) were done correctly.

34 · Multi-Select · easy

Which TWO of the following are asymmetric encryption algorithms? (Choose two.)

Select 2 answers
A. 3DES
B. ECC
C. SHA-256
D. RSA
E. AES
Answers: B, D

ECC (Elliptic Curve Cryptography) is asymmetric.

Why this answer

RSA and ECC are asymmetric algorithms. AES and 3DES are symmetric. SHA-256 is a hash function.

35 · MCQ · medium

Which of the following attacks is characterized by an attacker placing a fake wireless access point with the same SSID as a legitimate network to capture client credentials?

A. De-authentication attack
B. Evil twin attack
C. WPS PIN brute force attack
D. Replay attack
Answer: B

An evil twin is a rogue AP that mimics a legitimate one to trick users into connecting.

Why this answer

An evil twin attack involves setting up a rogue access point that mimics a legitimate SSID to intercept traffic and capture credentials.

36 · MCQ · medium

An attacker uses Reaver against a Wi-Fi network. What vulnerability is the attacker primarily exploiting?

A. Weak WPA2 passphrase
B. WPS PIN vulnerability
C. Deauthentication attack
D. IV weakness in WEP
Answer: B

Correct: Reaver attacks the WPS PIN to crack the network.

Why this answer

Reaver is designed to exploit the WPS PIN brute-force vulnerability, where an attacker can recover the WPS PIN and then derive the WPA/WPA2 PSK.

37 · Multi-Select · hard

Which THREE of the following are cryptanalysis attacks that target hash functions? (Choose three.)

Select 3 answers
A. Man-in-the-middle attack
B. Preimage attack
C. Collision attack
D. Birthday attack
E. Dictionary attack
Answers: B, C, D

Preimage attack finds an input that hashes to a specific hash value.

Why this answer

Birthday attack exploits hash collisions, preimage attack finds an input that hashes to a given output, and collision attack finds two inputs with same hash. Man-in-the-middle is not specific to hash functions, and dictionary attack is a password cracking technique, not pure cryptanalysis.

38 · MCQ · easy

In the shared responsibility model for cloud computing, which of the following is typically the customer's responsibility?

A. Physical security of data centers
B. Hypervisor security
C. Network infrastructure security
D. Configuration of IAM roles and permissions
Answer: D

Customers manage their own IAM settings.

Why this answer

The customer is responsible for security IN the cloud, including configuring IAM policies, encryption, and access controls.

39 · Multi-Select · medium

Which TWO of the following are common attack vectors for IoT devices? (Select two)

Select 2 answers
A. SQL injection
B. Default credentials
C. Insecure protocols (e.g., plain MQTT)
D. Side-channel attacks
E. ARP spoofing
Answers: B, C

Many IoT devices ship with hardcoded or weak default passwords.

Why this answer

Default credentials (e.g., admin/admin) and insecure protocols (e.g., MQTT without TLS) are frequently exploited in IoT.

40 · MCQ · hard

An analyst captures the following output from a wireless adapter: `[00:1A:2B:3C:4D:5E] 54 Mbps WPA2 CCMP PSK`. The analyst suspects a malicious rogue AP is impersonating a legitimate network. Which of the following indicators would MOST strongly confirm a rogue AP?

A. The channel number is different from the legitimate AP
B. The SSID is broadcasted with the same name as the corporate network
C. The BSSID matches a known manufacturer, but the signal strength is unusually high
D. The encryption type is WPA2 with CCMP
Answer: C

Correct: A high signal strength combined with a BSSID that might be spoofed suggests a rogue AP placed nearby.

Why this answer

A rogue AP often has a higher signal strength than expected, especially if it's placed closer to users. Additionally, a mismatch between the BSSID and the known legitimate AP can indicate spoofing.

41 · MCQ · easy

Which of the following is a well-known attack against the MD5 hash function that allows two different inputs to produce the same hash value?

A. Birthday attack
B. Replay attack
C. Downgrade attack
D. Dictionary attack
Answer: A

Correct: The birthday attack exploits the birthday paradox to find collisions in hash functions like MD5.

Why this answer

The birthday attack exploits the birthday paradox in probability theory to find two different inputs that produce the same MD5 hash value (a collision) with significantly less effort than a brute-force preimage attack. For an n-bit hash, the birthday attack requires only about 2^(n/2) operations, making MD5's 128-bit output vulnerable to collisions in roughly 2^64 attempts, which is computationally feasible today.

Exam trap

The trap here is that candidates often confuse the birthday attack with a dictionary attack because both involve generating many inputs, but the birthday attack specifically targets collision resistance (two different inputs, same hash) while a dictionary attack targets preimage resistance (finding an input that matches a given hash).

How to eliminate wrong answers

Option B is wrong because a replay attack involves intercepting and retransmitting valid data transmissions (e.g., captured authentication tokens) to impersonate a user, not finding hash collisions. Option C is wrong because a downgrade attack forces a system to fall back to a weaker, less secure protocol or cipher (e.g., SSL stripping to HTTP), not exploiting hash function weaknesses. Option D is wrong because a dictionary attack uses a precomputed list of likely passwords or phrases to guess a password or find a preimage, but it does not find collisions between two arbitrary inputs.

42 · MCQ · easy

Which of the following tools is specifically designed for auditing cloud environments (AWS, Azure, GCP) for security misconfigurations?

A. John the Ripper
B. ScoutSuite
C. Aircrack-ng
D. Reaver
Answer: B

Correct: ScoutSuite audits cloud environments.

Why this answer

ScoutSuite is an open-source multi-cloud security auditing tool that checks for common misconfigurations.

43 · MCQ · medium

A security analyst runs the following command: 'wget http://example.com/bucket?list-type=2' and receives a listing of objects. Which cloud misconfiguration is this MOST likely exploiting?

A. SSRF vulnerability in the cloud application
B. Container escape vulnerability
C. Misconfigured IAM roles allowing privilege escalation
D. Publicly accessible S3 bucket with list permissions enabled
Answer: D

The command uses HTTP to list bucket objects, indicating public list access.

Why this answer

An S3 bucket with public listing enabled allows anyone to list objects via HTTP GET requests.

44 · MCQ · medium

Which of the following is the PRIMARY reason that MD5 is no longer recommended for use in digital signatures?

A. MD5 is a symmetric algorithm, not a hash function
B. MD5 is computationally too slow for large data
C. MD5 produces a 128-bit hash, which is too short for modern security
D. MD5 is vulnerable to collision attacks
Answer: D

Correct. Practical collision attacks against MD5 have been demonstrated, making it unsuitable for digital signatures.

Why this answer

MD5 is vulnerable to collision attacks, where two different inputs produce the same hash. This undermines the integrity and non-repudiation properties required for digital signatures.

45 · MCQ · medium

An attacker performs a downgrade attack on a TLS connection, forcing the client and server to negotiate a weaker cipher suite. This attack exploits which of the following?

A. A vulnerability in the TLS 1.3 handshake
B. A known weakness in the Diffie-Hellman key exchange
C. The fallback mechanism in SSL/TLS implementations
D. The ability to modify the ClientHello message
Answer: C

Correct: Attackers exploit the fallback to force weaker security.

Why this answer

Downgrade attacks exploit the fallback mechanism in TLS where, if a handshake fails, the client retries with a lower version or weaker suite. The attacker forces failure to degrade security.

46 · MCQ · medium

A penetration tester uses the tool 'Pacu' during an assessment. Which of the following actions is Pacu designed to perform?

A. Exploit vulnerabilities in Azure cloud infrastructure
B. Automate penetration testing tasks in AWS environments
C. Perform network scanning and service enumeration
D. Crack WPA2 handshakes using dictionary attacks
Answer: B

Correct. Pacu is an AWS exploitation framework for testing and exploitation.

Why this answer

Pacu is an open-source AWS exploitation framework that allows security professionals to test the security of AWS environments. It can perform various attacks, such as IAM privilege escalation, S3 bucket enumeration, and metadata service exploitation.

47 · Multi-Select · hard

Which THREE of the following are common attack vectors against IoT devices?

Select 3 answers
A. Container escape
B. Insecure protocols (e.g., MQTT, CoAP without encryption)
C. Firmware reversing and extraction of hardcoded secrets
D. TLS stripping attack
E. Default credentials
Answers: B, C, E

Insecure protocols allow eavesdropping and manipulation of communications.

Why this answer

Default credentials, insecure protocols (e.g., MQTT without TLS), and firmware reversing (to find hardcoded secrets) are common IoT attack vectors. TLS stripping is a network attack, and container escape is a cloud/container attack.

48 · Multi-Select · hard

Which THREE of the following are valid methods to prevent a downgrade attack on TLS? (Select 3)

Select 3 answers
A. Disable TLS 1.0 and 1.1 on the server
B. Use the TLS_FALLBACK_SCSV cipher suite
C. Use self-signed certificates to avoid CA trust issues
D. Enforce a minimum TLS version of 1.2 in server configuration
E. Disable all cipher suites except those using RC4
Answers: A, B, D

Prevents downgrade to vulnerable versions.

Why this answer

Disabling older TLS versions, enforcing TLS 1.2+, and using TLS_FALLBACK_SCSV prevent downgrade; disabling cipher suites does not prevent downgrade directly; using self-signed certificates increases risk.

49 · MCQ · hard

Which cryptographic algorithm is vulnerable to a birthday attack on its hash output size of 128 bits, reducing the effective security to 64 bits against collision resistance?

A. SHA-256
B. SHA-1
C. MD5
D. RC4
Answer: C

MD5 output is 128 bits, birthday attack complexity ~2^64.

Why this answer

MD5 produces 128-bit hashes. Birthday attack complexity for collision is 2^(n/2) = 2^64 for n=128. SHA-1 is 160-bit, SHA-256 is 256-bit, RC4 is a stream cipher not a hash.

50 · MCQ · hard

During a cloud penetration test, you discover an S3 bucket that allows listing objects. You find a file named 'config.json' that contains an IAM access key and secret key. Which of the following is the BEST next step?

A. Delete the bucket to prevent further data exposure
B. Use the keys to call sts:GetCallerIdentity and then enumerate permissions via IAM
C. Download all objects from the bucket and exfiltrate them
D. Immediately rotate the keys in the AWS console
Answer: B

This validates the keys and determines what actions they allow, a standard post-exploitation step.

Why this answer

The correct action is to use the discovered credentials to enumerate permissions via the AWS CLI, as they may grant further access.

51 · MCQ · hard

A security team finds that a web application accepts a user-supplied URL and fetches it server-side without validation. The application runs on AWS EC2 with a metadata endpoint at 169.254.169.254. Which attack is MOST likely to succeed?

A. SQL injection
B. Server-Side Request Forgery (SSRF)
C. Remote file inclusion (RFI)
D. Cross-site scripting (XSS)
Answer: B

SSRF allows the attacker to make the server request internal resources like the metadata endpoint.

Why this answer

SSRF (Server-Side Request Forgery) occurs when an application fetches a user-controlled URL. By supplying the metadata endpoint, an attacker can retrieve IAM credentials, making this the most likely attack.

52
Multi-Selecteasy

Which TWO of the following are characteristics of symmetric encryption? (Select two)

Select 2 answers
A.Uses a single shared key for encryption and decryption
B.Faster than asymmetric encryption
C.Slower than asymmetric encryption
D.Provides non-repudiation
E.Uses a pair of public and private keys
AnswersA, B

The same key is used by both parties.

Why this answer

Symmetric encryption uses a single shared key for both encryption and decryption, and is generally faster than asymmetric.

53
MCQhard

A security analyst discovers that a containerized application running in a cloud environment can access the host's file system by mounting /var/run/docker.sock inside the container. Which type of attack does this configuration enable?

A.Server-Side Request Forgery (SSRF)
B.Privilege escalation within the container only
C.Container escape to the host
D.Denial-of-Service (DoS) attack against the container runtime
AnswerC

Correct. Access to the Docker socket allows full control over the host's Docker daemon, enabling container escape.

Why this answer

Mounting the Docker socket inside a container allows the container to communicate with the Docker daemon on the host, potentially allowing the attacker to create new containers, escape the container, and execute commands on the host.

54
MCQhard

An attacker intercepts a TLS-encrypted session and attempts to force the client and server to use a weaker cipher suite. Which type of attack is being performed?

A.Man-in-the-middle (MITM) attack
B.Birthday attack
C.Replay attack
D.Downgrade attack
AnswerD

Correct. The attacker forces the use of weaker encryption by interfering with the handshake.

Why this answer

A downgrade attack tricks the communicating parties into negotiating a less secure version of TLS or a weaker cipher suite, making it easier for the attacker to break the encryption.

55
MCQmedium

A penetration tester uses the tool 'ScoutSuite' against an AWS target. Which of the following BEST describes the purpose of this tool?

A.Enumerate IAM users and roles for privilege escalation
B.Perform automated penetration testing of web applications
C.Exploit vulnerabilities in cloud services
D.Audit cloud infrastructure for misconfigurations and compliance
AnswerD

ScoutSuite identifies security issues like open S3 buckets, weak IAM policies, etc.

Why this answer

ScoutSuite is an open-source multi-cloud security auditing tool that assesses cloud environments (AWS, Azure, GCP) by scanning for misconfigurations and compliance violations. It does not perform exploitation or penetration testing; instead, it checks for issues like overly permissive security groups, unencrypted S3 buckets, or unused IAM roles, aligning with option D's description of auditing cloud infrastructure for misconfigurations and compliance.

Exam trap

EC-Council often tests the distinction between auditing and exploitation, so the trap here is that candidates confuse 'auditing for misconfigurations' with 'exploiting vulnerabilities,' leading them to choose option C, even though ScoutSuite is purely a read-only assessment tool.

How to eliminate wrong answers

Option A is wrong because ScoutSuite does not specifically enumerate IAM users and roles for privilege escalation; it audits all cloud resources for misconfigurations, and while it may report IAM issues, its primary purpose is not targeted enumeration for privilege escalation. Option B is wrong because ScoutSuite is not a web application penetration testing tool; it focuses on cloud infrastructure configuration, not web application vulnerabilities like SQL injection or XSS. Option C is wrong because ScoutSuite does not exploit vulnerabilities; it is a read-only auditing tool that identifies misconfigurations without performing any exploitation actions.

56
Multi-Selecthard

Which THREE of the following are effective countermeasures against evil twin attacks in wireless networks? (Select THREE.)

Select 3 answers
A.Implementing client-side certificate validation for network authentication
B.Using WPA3-Enterprise with 802.1X authentication
C.Enabling MAC address filtering on the AP
D.Disabling SSID broadcast on the legitimate AP
E.Using a VPN over the wireless connection
AnswersA, B, E

Client-side certificates ensure the client verifies the AP's identity, preventing connection to rogue APs.

Why this answer

Evil twin attacks involve a rogue AP impersonating a legitimate one. Countermeasures include using WPA3-Enterprise with 802.1X for mutual authentication, implementing client-side certificate validation, and using VPNs to encrypt traffic even over rogue APs.

57
MCQhard

During a cloud penetration test, a tester discovers an AWS S3 bucket that allows public 's3:PutObject' access. The tester uploads a file containing JavaScript that steals cookies. Which type of attack is this an example of?

A.Cross-Site Scripting (XSS) via uploaded file
B.Server-Side Request Forgery (SSRF)
C.Insecure Direct Object Reference (IDOR)
D.S3 bucket privilege escalation
AnswerA

The tester uploaded JavaScript to a public S3 bucket. When users browse the bucket or link to the file, the script executes in their browser, stealing cookies.

Why this answer

Uploading malicious content to an S3 bucket with public write access enables storage of attacker-controlled files. When users access these files, a client-side attack (like XSS) can occur. This is a classic example of a storage-based attack via misconfigured S3 bucket.

58
MCQeasy

A security analyst captures network traffic and sees multiple ARP packets with the same source MAC address but different IP addresses. Which attack is MOST likely occurring?

A.WPS PIN attack
B.De-authentication attack
C.Evil twin attack
D.ARP spoofing attack
AnswerD

The attacker sends forged ARP replies, linking their MAC to multiple IPs to intercept traffic.

Why this answer

ARP spoofing involves an attacker sending forged ARP replies to associate their own MAC address with another host's IP, causing traffic to be misdirected. The described behavior, one MAC address appearing with multiple IPs, matches ARP spoofing. An evil twin attack involves a rogue AP impersonating a legitimate one, but it does not typically produce ARP packets with varied IPs.

59
MCQmedium

An attacker gains access to a cloud environment and attempts to move laterally by assuming an IAM role with higher privileges. Which cloud attack vector is the attacker exploiting?

A.SSRF attack
B.S3 bucket misconfiguration
C.IAM misuse
D.Container escape
AnswerC

Assuming an IAM role with higher privileges is a form of IAM misuse, often due to over-permissive trust policies.

Why this answer

IAM misuse involves exploiting misconfigured IAM roles or policies to escalate privileges. Assuming a role with higher privileges is a form of privilege escalation via IAM abuse.

60
MCQmedium

Which cryptographic algorithm is classified as symmetric and uses a block cipher with key sizes of 128, 192, or 256 bits?

A.AES
B.ECC
C.Diffie-Hellman
D.RSA
AnswerA

AES is a symmetric block cipher with key sizes of 128, 192, or 256 bits.

Why this answer

AES is a symmetric block cipher that supports key sizes of 128, 192, and 256 bits, and is widely used for encryption.

61
MCQeasy

Which of the following cryptographic hash functions is known to be vulnerable to collision attacks and should be avoided for security applications?

A.RIPEMD-160
B.MD5
C.SHA-256
D.SHA-1
AnswerB

MD5 has proven collision vulnerabilities (e.g., 2004 collisions) and is considered broken.

Why this answer

MD5 is known to be vulnerable to collision attacks, making it unsuitable for security applications like digital signatures.

62
MCQmedium

A forensic analyst examines a firmware image extracted from an IoT thermostat and finds hardcoded credentials for a cloud backend. Which phase of the IoT attack lifecycle does this represent?

A.Weaponization
B.Installation
C.Reconnaissance
D.Exploitation
AnswerD

Identifying hardcoded credentials allows an attacker to exploit them for unauthorized access.

Why this answer

Hardcoded credentials in firmware represent a vulnerability in the device itself. This is part of the exploitation phase, where attackers use discovered credentials to gain unauthorized access to backend systems.

63
Multi-Selectmedium

Which THREE of the following are components of PKI (Public Key Infrastructure)?

Select 3 answers
A.Certificate Authority (CA)
C.Private key and public key pair
D.Digital certificates
E.RADIUS server
AnswersA, C, D

CA issues and revokes certificates.

Why this answer

Certificate Authority, digital certificates, and private/public key pairs are core PKI components.

64
MCQmedium

Which of the following is a recommended countermeasure against WPA2 KRACK attacks?

A.Enable MAC filtering
B.Patch all clients and access points
C.Disable WPS
D.Switch to WEP encryption
AnswerB

Patches implement fixes against key reinstallation attacks.

Why this answer

KRACK attacks exploit key reinstallation in the WPA2 4-way handshake. The primary fix is to install security patches on clients and APs that implement the IEEE 802.11 standard update. Disabling WPS does not prevent KRACK, and switching to WEP is less secure.

65
MCQmedium

A company wants to ensure that data in transit between its IoT devices and the cloud server is encrypted. Which protocol combination is BEST suited for this purpose?

A.MQTT without encryption
B.HTTP with SSL
C.MQTT with TLS
D.CoAP with DTLS
AnswerC

MQTT over TLS provides encrypted communication for IoT devices.

Why this answer

TLS (Transport Layer Security) provides encryption for data in transit, and CoAP can use DTLS (a variant of TLS) for secure communication.

66
MCQmedium

An attacker sets up a rogue access point with the same SSID as a legitimate corporate network and broadcasts a stronger signal. Clients connect to the rogue AP. What type of attack is this?

A.WPS PIN attack
B.De-authentication attack
C.Evil twin attack
D.MAC spoofing attack
AnswerC

This describes an evil twin attack exactly.

Why this answer

An evil twin attack involves a rogue AP mimicking a legitimate SSID to intercept traffic.

67
MCQmedium

A security team discovers that an attacker has been intercepting and modifying traffic between a client and server by impersonating both endpoints. Which type of cryptographic attack is this?

A.Man-in-the-middle attack
B.Replay attack
C.Downgrade attack
D.Birthday attack
AnswerA

MITM involves intercepting and potentially modifying traffic between two parties.

Why this answer

A man-in-the-middle (MITM) attack involves the attacker positioning themselves between the client and server to intercept and modify traffic.

68
Multi-Selectmedium

Which TWO of the following are valid cryptanalytic attacks?

Select 2 answers
A.SQL injection
B.Replay attack
C.Downgrade attack
D.Cross-site scripting (XSS)
E.Birthday attack
AnswersB, E

Replay attack captures and retransmits valid data to impersonate or deceive.

Why this answer

A birthday attack exploits hash collisions; a replay attack reuses captured data. A downgrade attack forces a weaker protocol (not cryptanalytic per se, but relevant). SQL injection and XSS are web application attacks, not cryptanalytic attacks.

69
MCQeasy

In the shared responsibility model for cloud computing, which of the following is typically the responsibility of the customer?

A.Physical security of data centers
B.Patch management of the virtualization platform
C.Data classification and encryption of customer data
D.Network infrastructure security (e.g., hypervisor, network cables)
AnswerC

Customers are responsible for classifying and encrypting their own data.

Why this answer

The customer is responsible for data classification and account management, while the provider secures the physical infrastructure.

70
MCQmedium

A security analyst captures WPA2 handshake packets using airodump-ng and then runs aircrack-ng with a wordlist. After several minutes, aircrack-ng reports 'KEY FOUND!' followed by a hex string. Which attack was successfully performed?

A.Dictionary attack on the 4-way handshake
B.Hash length extension attack on the MIC
C.Rainbow table attack on the WPA2 handshake
D.Brute-force attack against the PSK
AnswerA

Aircrack-ng compares each word in the wordlist against the handshake's PMKID/PTK to find the passphrase.

Why this answer

The analyst captured the 4-way handshake and used a dictionary attack (wordlist) to recover the PSK. This is a dictionary attack, not brute force (which tries all combinations), rainbow table, or hash length extension (which is for hash-based MACs).

71
Multi-Selectmedium

Which TWO of the following are examples of asymmetric cryptography? (Select 2)

Select 2 answers
A.RSA
B.ECC
C.3DES
D.MD5
E.AES
AnswersA, B

RSA is asymmetric.

Why this answer

RSA and ECC are asymmetric algorithms. AES and 3DES are symmetric. MD5 is a hash function.

72
MCQeasy

A security analyst captures a large number of initialization vectors (IVs) on a WEP-protected network. Which tool is most commonly used to crack the WEP key using IVs?

A.Aircrack-ng
B.Reaver
C.Kismet
D.John the Ripper
AnswerA

Aircrack-ng is designed to crack WEP keys using captured IVs.

Why this answer

Aircrack-ng is the standard tool for cracking WEP keys by capturing IVs. Reaver is for WPS, Kismet is a sniffer, and John the Ripper is a general password cracker.

73
MCQmedium

An IoT device uses the MQTT protocol without TLS. An attacker on the same network subscribes to all topics and captures messages. What is the MOST significant security risk?

A.Firmware corruption
B.Denial of service
C.Replay attacks
D.Loss of message confidentiality
AnswerD

Cleartext transmission exposes message content.

Why this answer

Without TLS, MQTT traffic is sent in cleartext, allowing interception and reading of sensitive data.

74
MCQmedium

A security analyst notices that a web application's SSL/TLS certificate is issued by a CA that is not trusted by modern browsers. Which type of attack could this enable?

A.Man-in-the-middle attack
B.Downgrade attack
C.Birthday attack
D.Replay attack
AnswerA

An untrusted CA can be used to issue fake certificates, enabling MITM if the client trusts it.

Why this answer

Using a self-signed or untrusted CA certificate can allow an attacker to perform a man-in-the-middle attack by presenting their own certificate, which the browser may accept after a user warning.

75
MCQhard

During an IoT assessment, a tester examines a smart thermostat that uses the MQTT protocol. The tester finds that the device connects to a broker without any authentication. Which of the following attacks is MOST likely to succeed?

A.Publishing arbitrary messages to control the device and subscribing to data topics
B.Firmware extraction via UART
C.Reversing the firmware to find hardcoded credentials
D.Performing a dictionary attack on the Wi-Fi PSK
AnswerA

Unauthenticated MQTT allows anyone to publish/subscribe, leading to control and data leakage.

Why this answer

Without authentication on MQTT, an attacker can publish malicious commands (e.g., change temperature) and subscribe to all topics to eavesdrop on sensor data.
