CCNA Ceh Advanced Topics Questions

54 of 129 questions · Page 2/2 · Ceh Advanced Topics topic · Answers revealed

76
MCQ · hard

A penetration tester discovers that a cloud application is vulnerable to Server-Side Request Forgery (SSRF). Which of the following is a potential impact of this vulnerability?

A. Cross-site scripting (XSS) in the browser
B. Remote code execution via command injection
C. Access to cloud instance metadata
D. SQL injection in the database

Answer: C

SSRF can be used to query internal metadata services that may contain credentials.

Why this answer

SSRF allows the attacker to make requests from the server, potentially accessing internal services like metadata endpoints (e.g., http://169.254.169.254) that are not publicly accessible.

77
MCQ · easy

Which of the following is a hashing algorithm that produces a 160-bit (20-byte) hash value?

A. MD5
B. SHA-256
C. SHA-1
D. SHA-512

Answer: C

SHA-1 produces a 160-bit hash.

Why this answer

SHA-1 produces a 160-bit hash. MD5 produces 128 bits, SHA-256 produces 256 bits, and SHA-512 produces 512 bits.

78
MCQ · easy

Which cryptographic algorithm is classified as symmetric and uses a block cipher with a fixed block size of 128 bits, supporting key sizes of 128, 192, and 256 bits?

A. RC4
B. 3DES
C. AES
D. RSA

Answer: C

Correct. AES is a symmetric block cipher with 128-bit blocks and variable key sizes.

Why this answer

AES is a symmetric block cipher with a block size of 128 bits and supports key sizes of 128, 192, and 256 bits. It is the most widely used symmetric encryption standard.

79
MCQ · medium

A security analyst captures a WPA2 4-way handshake using airodump-ng. To crack the PSK, which tool would they MOST likely use next?

A. Kismet
B. Aircrack-ng
C. John the Ripper
D. Reaver

Answer: B

Aircrack-ng is the standard tool for performing dictionary attacks on captured WPA2 handshakes.

Why this answer

The correct tool for cracking a WPA2 PSK from a captured handshake is aircrack-ng, which performs dictionary attacks against the handshake file.

80
MCQ · medium

A penetration tester uses the following command to attack a WPS-enabled AP: 'reaver -i mon0 -b 00:11:22:33:44:55 -vv'. What is the primary goal of this attack?

A. Perform a de-authentication attack on all clients
B. Capture a WPA2 4-way handshake for offline cracking
C. Scan for hidden SSIDs in the area
D. Obtain the WPS PIN and subsequently the WPA2 PSK

Answer: D

Reaver brute-forces the WPS PIN to recover the PSK.

Why this answer

Reaver is used to brute-force the WPS PIN, recovering the PIN and ultimately the WPA2 PSK.

81
MCQ · hard

A security team discovers that an S3 bucket configured for static website hosting is exposing sensitive documents. The bucket policy allows public read access. Which AWS misconfiguration is MOST likely present?

A. The bucket policy allows s3:GetObject for all principals
B. The bucket versioning is disabled
C. The bucket is not using server-side encryption
D. The bucket ACL grants write access to authenticated users

Answer: A

This grants public read access to all objects.

Why this answer

Public read access to the bucket and objects is the direct cause. Blocking public access would prevent this.

82
Multi-Select · medium

Which TWO of the following are symmetric encryption algorithms? (Select 2)

Select 2 answers
A. ECC
B. RSA
C. 3DES
D. AES
E. MD5

Answers: C, D

3DES is a symmetric block cipher.

Why this answer

AES and 3DES are symmetric algorithms; RSA and ECC are asymmetric; MD5 is a hash function.

83
MCQ · medium

During a wireless penetration test, a tester captures the 4-way handshake between a client and a WPA2-PSK access point. Which tool would the tester MOST likely use to attempt to recover the pre-shared key?

A. Aircrack-ng
B. Wireshark
C. Kismet
D. Reaver

Answer: A

Aircrack-ng uses captured handshakes to perform dictionary attacks against WPA/WPA2 PSK.

Why this answer

The correct tool is aircrack-ng, which is specifically designed to crack WPA/WPA2 PSK by performing dictionary attacks on captured handshakes. It is part of the aircrack-ng suite widely used for wireless security auditing.

84
Multi-Select · hard

A security analyst is investigating a potential container escape in a Kubernetes cluster. Which THREE of the following are common indicators of a container escape?

Select 3 answers
A. A process running inside the container with CAP_SYS_ADMIN capability
B. The container is running in privileged mode
C. The container is using a hostPath volume that mounts the host's /var/run/docker.sock
D. The container has a read-only root filesystem
E. The container is running as a non-root user

Answers: A, B, C

Correct: CAP_SYS_ADMIN grants many privileges that can be used to escape.

Why this answer

Container escape often involves breaking out of the container's isolation by exploiting misconfigurations or vulnerabilities. These indicators are common.

85
Multi-Select · hard

Which THREE of the following are valid methods for exploiting cloud misconfigurations? (Select 3)

Select 3 answers
A. Using a container escape to access the host OS
B. Exploiting an S3 bucket with public read access to download sensitive files
C. Performing a SQL injection on a web application
D. Launching a DDoS attack from a botnet
E. Abusing overly permissive IAM roles to escalate privileges

Answers: A, B, E

Container escape is a cloud infrastructure misconfiguration.

Why this answer

S3 bucket public read access, overly permissive IAM roles, and container escape are all cloud misconfiguration exploitation vectors. SQL injection is a web app vulnerability, not cloud-specific. DDoS is an attack type, not a misconfiguration.

86
MCQ · easy

Which of the following tools is specifically designed for assessing the security of AWS environments by checking for misconfigurations in services like S3, IAM, and EC2?

A. ScoutSuite
B. Aircrack-ng
C. Nmap
D. Wireshark

Answer: A

Correct. ScoutSuite audits AWS, Azure, and GCP for security misconfigurations.

Why this answer

ScoutSuite is an open-source security auditing tool for cloud environments, including AWS. It checks for misconfigurations across multiple services and provides a detailed report.

87
MCQ · easy

Which of the following is a symmetric encryption algorithm that uses a block cipher with a fixed block size of 128 bits and key sizes of 128, 192, or 256 bits?

A. 3DES
B. RC4
C. AES
D. RSA

Answer: C

AES meets the description: symmetric, 128-bit block, key sizes 128/192/256.

Why this answer

AES (Advanced Encryption Standard) is a symmetric encryption algorithm that operates as a block cipher with a fixed block size of 128 bits and supports key sizes of 128, 192, or 256 bits. It was established by NIST in 2001 (FIPS 197) and is widely used in modern cryptographic systems, including wireless security (WPA2/WPA3) and TLS.

Exam trap

The trap here is that candidates often confuse AES with 3DES due to both being symmetric block ciphers, but they fail to recall that 3DES uses a 64-bit block size (not 128 bits) and lacks the specific key size options of AES, leading them to select 3DES incorrectly.

How to eliminate wrong answers

Option A is wrong because 3DES (Triple DES) uses a block size of 64 bits, not 128 bits, and its key size is effectively 112 or 168 bits (using three 56-bit DES keys), not the specified 128/192/256-bit options. Option B is wrong because RC4 is a stream cipher, not a block cipher, and it does not have a fixed block size or support key sizes of 128/192/256 bits in the manner described; it uses variable-length keys (typically 40–2048 bits) and is deprecated due to known vulnerabilities. Option D is wrong because RSA is an asymmetric (public-key) encryption algorithm, not a symmetric one, and it does not use a fixed block size or the specified key sizes; it relies on key pairs (public/private) based on large prime numbers.

88
Multi-Select · easy

Which TWO of the following are symmetric encryption algorithms? (Select TWO.)

Select 2 answers
A. ECC
B. AES
C. RSA
D. 3DES
E. SHA-256

Answers: B, D

AES is a symmetric block cipher.

Why this answer

AES and 3DES are both symmetric block ciphers. RSA and ECC are asymmetric algorithms, and SHA-256 is a hash function.

89
MCQ · easy

A security analyst captures a large number of weak initialization vectors (IVs) using airodump-ng. Which attack does this preparation indicate?

A. WPS PIN brute force
B. WPA2 dictionary attack
C. WEP key cracking
D. Evil twin attack

Answer: C

Weak IVs are characteristic of WEP encryption; capturing enough allows aircrack-ng to derive the key.

Why this answer

WEP (Wired Equivalent Privacy) uses the RC4 stream cipher with a 24-bit initialization vector (IV) that is transmitted in plaintext. Weak IVs, such as those identified by tools like airodump-ng, are predictable or repeatable, allowing an attacker to capture enough packets to recover the WEP key using statistical attacks like the FMS (Fluhrer, Mantin, Shamir) or KoreK attacks. This preparation directly indicates an attempt to crack the WEP key.

Exam trap

EC-Council often tests the distinction between WEP and WPA/WPA2 by having candidates confuse weak IVs (a WEP-specific vulnerability) with the 4-way handshake (required for WPA/WPA2 cracking), leading them to incorrectly select the WPA2 dictionary attack option.

How to eliminate wrong answers

Option A is wrong because WPS PIN brute force targets the Wi-Fi Protected Setup (WPS) PIN, not weak IVs; it involves brute-forcing the 8-digit PIN via the registrar protocol, not capturing IVs with airodump-ng. Option B is wrong because a WPA2 dictionary attack uses captured 4-way handshake packets (not weak IVs) and attempts to derive the Pairwise Master Key (PMK) from a passphrase, relying on PBKDF2-SHA1 hashing, not RC4 IV weaknesses. Option D is wrong because an evil twin attack involves setting up a rogue access point to trick clients into connecting, often for credential harvesting or man-in-the-middle, and does not require capturing weak IVs from a target network.

90
MCQ · medium

An analyst sees the following in a log: Client sends a request to https://victim.com/api?url=http://169.254.169.254/latest/meta-data/. This is MOST indicative of which attack?

A. Cross-site scripting (XSS)
B. Server-side request forgery (SSRF)
C. Directory traversal
D. SQL injection

Answer: B

SSRF forces the server to request internal resources.

Why this answer

The IP 169.254.169.254 is the AWS metadata endpoint. SSRF attacks target internal services by manipulating the url parameter.

91
MCQ · medium

Which of the following tools is specifically designed to exploit WPS vulnerabilities on wireless networks?

A. John the Ripper
B. aircrack-ng
C. Kismet
D. Reaver

Answer: D

Reaver performs brute-force attacks against WPS registrar PINs.

Why this answer

Reaver is specifically designed to exploit the WPS (Wi-Fi Protected Setup) PIN brute-force vulnerability. It targets the WPS registrar's lack of rate limiting and the fact that the PIN is split into two halves, making it feasible to guess the 8-digit PIN in under 10,000 attempts. This allows an attacker to recover the WPA/WPA2 pre-shared key without needing to crack the actual encryption.

Exam trap

The trap here is that candidates confuse aircrack-ng (which cracks WPA handshakes) with tools that exploit the WPS PIN vulnerability, but aircrack-ng has no WPS brute-force capability.

How to eliminate wrong answers

Option A is wrong because John the Ripper is a password cracking tool for offline hash files, not a wireless attack tool for exploiting WPS vulnerabilities. Option B is wrong because aircrack-ng is a suite for capturing and cracking WEP/WPA/WPA2 handshakes, but it does not target the WPS PIN brute-force mechanism. Option C is wrong because Kismet is a wireless network detector, sniffer, and intrusion detection system, not a tool for exploiting WPS vulnerabilities.

92
MCQ · hard

A security engineer analyzes a cloud environment and finds that an S3 bucket named 'company-backups' is configured with a bucket policy that allows 'Principal': '*' and 'Action': 's3:GetObject'. Which of the following is the MOST likely risk?

A. An attacker can read any object in the bucket without authentication
B. An attacker can modify the bucket policy
C. An attacker can delete objects in the bucket
D. An attacker can enumerate all objects in the bucket

Answer: A

The policy allows anyone (Principal: *) to perform GetObject, making objects publicly readable.

Why this answer

A bucket policy allowing anonymous GetObject makes all objects publicly readable, leading to data exposure.

93
MCQ · hard

A security team uses ScoutSuite to assess their AWS environment. The tool reports that an S3 bucket policy allows access from any IP address. What is the MOST likely misconfiguration?

A. The bucket has versioning enabled
B. The bucket ACL grants 'FullControl' to 'AuthenticatedUsers' group
C. The bucket is encrypted with SSE-S3
D. The bucket policy uses 'Principal': '*' and 'Condition': {'IpAddress': {'aws:SourceIp': '0.0.0.0/0'}}

Answer: D

This policy allows all principals from any IP, making the bucket public.

Why this answer

ScoutSuite identifies overly permissive bucket policies; allowing access from any IP (0.0.0.0/0) is a common misconfiguration.

94
MCQ · hard

A cloud security engineer notices that an S3 bucket named 'company-backup' is configured to allow 's3:GetObject' access to 'Principal: *'. Which attack is this misconfiguration MOST likely to enable?

A. Denial of service by deleting objects
B. SSRF attack to internal metadata
C. Privilege escalation via IAM role
D. Unauthorized data access and exfiltration

Answer: D

Public read access to an S3 bucket allows anyone to download its contents, leading to data breach.

Why this answer

When an S3 bucket allows GetObject access to any principal (public), anyone can list and download objects, leading to data exposure. This is a classic unauthorized data access scenario, not privilege escalation or DoS.

95
Multi-Select · medium

An organization is using a cloud IAM policy that allows all actions on all resources. Which TWO security issues are MOST directly related to this configuration? (Choose two.)

Select 2 answers
A. Excessive privileges
B. Vulnerable software libraries
C. Weak encryption algorithms
D. Data exposure via S3 bucket
E. Insecure MQTT configuration

Answers: A, D

Allowing all actions grants more permissions than necessary.

Why this answer

A permissive IAM policy directly leads to excessive privileges and potential privilege escalation, as well as data exposure via unauthorized access.

96
Multi-Select · easy

Which TWO of the following are symmetric encryption algorithms?

Select 2 answers
A. Diffie-Hellman
B. RSA
C. AES
D. ECC
E. 3DES

Answers: C, E

Advanced Encryption Standard is symmetric.

Why this answer

AES (Advanced Encryption Standard) is a symmetric encryption algorithm that uses the same key for both encryption and decryption. It is widely adopted for securing sensitive data and is a block cipher with key sizes of 128, 192, or 256 bits.

Exam trap

The trap here is that candidates often confuse key exchange protocols (like Diffie-Hellman) and asymmetric algorithms (like RSA and ECC) with symmetric encryption, because all are used in cryptography but serve fundamentally different roles in securing communications.

97
Multi-Select · medium

Which TWO of the following are valid attacks against wireless networks? (Choose two.)

Select 2 answers
A. De-authentication attack
B. SSRF
C. Dictionary attack
D. Evil twin
E. Replay attack

Answers: A, D

De-authentication attack disconnects clients from an AP, often to capture handshakes.

Why this answer

Evil twin involves a rogue AP, and de-authentication disconnects clients. Dictionary attacks are for cracking, not network attacks. SSRF is cloud-based.

Replay attacks are generic but not wireless-specific. The question asks for attacks against wireless networks, so evil twin and de-authentication are correct.

98
Multi-Select · medium

Which TWO of the following are common defense measures against wireless de-authentication attacks? (Select 2)

Select 2 answers
A. Changing the default SSID
B. Enabling 802.11w (Management Frame Protection)
C. Implementing MAC address filtering
D. Using WPA3 instead of WPA2
E. Disabling SSID broadcast

Answers: B, D

802.11w protects management frames including de-auth.

Why this answer

Using WPA3 (SAE) mitigates de-auth because management frame protection is mandatory. 802.11w (MFP) also protects de-auth frames. Changing default SSID and disabling SSID broadcast do not prevent de-auth.

99
MCQ · medium

In an IoT environment, a researcher finds that the firmware of a smart lock can be extracted via UART and reversed to reveal hardcoded encryption keys. Which type of vulnerability is this?

A. Insecure firmware update mechanism
B. Insufficient entropy in random number generation
C. Use of deprecated cryptographic algorithm
D. Hardcoded backdoor credentials

Answer: D

Hardcoded encryption keys serve as a backdoor, allowing attackers to decrypt or spoof communications.

Why this answer

Hardcoded keys in firmware are a classic example of a backdoor or hardcoded credential vulnerability, allowing attackers to decrypt traffic or authenticate without proper authorization.

100
MCQ · easy

Which cloud security assessment tool is specifically designed to audit AWS environments for misconfigurations and provides a detailed report of findings?

A. ScoutSuite
B. Pacu
C. Metasploit
D. Nmap

Answer: A

ScoutSuite audits cloud configurations and reports vulnerabilities.

Why this answer

ScoutSuite is an open-source tool that audits cloud environments (AWS, Azure, GCP) for security misconfigurations. It generates a comprehensive HTML report. Pacu is an exploitation framework, not an audit tool.

101
MCQ · medium

During a cloud security audit, a tool reports that an AWS IAM role has a policy allowing 'ec2:RunInstances' with a condition 'aws:SourceIp': '0.0.0.0/0'. What is the most immediate risk?

A. An attacker can delete all EC2 instances
B. An attacker can launch expensive EC2 instances from any IP
C. An attacker can modify VPC security groups
D. An attacker can read data from any S3 bucket

Answer: B

With unrestricted source IP, any authenticated user can launch instances, leading to resource abuse and cost.

Why this answer

The condition allows all IP addresses (0.0.0.0/0) to launch EC2 instances, meaning any user who can assume this role can create instances from anywhere, potentially for cryptocurrency mining or other malicious purposes.

102
Multi-Select · medium

Which TWO of the following are common weaknesses in IoT devices that are often exploited by attackers?

Select 2 answers
A. Use of hardware security modules (HSM)
B. Implementation of secure boot
C. Use of default or hard-coded credentials
D. Use of insecure protocols such as MQTT without TLS
E. Firmware update mechanism with signed updates

Answers: C, D

Correct: Many IoT devices ship with default usernames/passwords that are not changed.

Why this answer

Option C is correct because many IoT devices ship with default usernames and passwords (e.g., 'admin/admin') or hard-coded credentials embedded in firmware. Attackers can easily discover these through simple web searches or Shodan scans, then gain unauthorized access to the device and potentially the entire network.

Exam trap

EC-Council often tests the distinction between security controls (HSM, secure boot, signed updates) and actual vulnerabilities (default credentials, cleartext protocols), so candidates mistakenly select secure features as weaknesses.

103
Multi-Select · easy

Which TWO of the following correctly describe aspects of the shared responsibility model in cloud computing?

Select 2 answers
A. The cloud provider is responsible for managing customer application encryption keys
B. The customer is responsible for network firewall configuration in PaaS
C. The customer is responsible for securing data stored in the cloud
D. The cloud provider is responsible for patching the guest operating system in IaaS
E. The cloud provider is responsible for physical security of data centers

Answers: C, E

Customers must protect their data through encryption, access controls, etc.

Why this answer

The customer is responsible for securing data and application configurations (security IN the cloud). The provider is responsible for the physical infrastructure (security OF the cloud). Option D is incorrect because customers are responsible for guest OS patching in IaaS.

Option A is wrong because providers do not manage customer-applied encryption keys.

104
MCQ · medium

A penetration tester uses the tool 'Pacu' during an AWS security assessment. Which phase of testing is Pacu most commonly associated with?

A. Reporting and documentation
B. Vulnerability scanning
C. Exploitation and post-exploitation
D. Reconnaissance

Answer: C

Pacu provides modules for privilege escalation, backdooring, and lateral movement in AWS environments.

Why this answer

Pacu is an exploitation framework for AWS, used after initial access to escalate privileges, pivot, and maintain access. It is not typically used for initial reconnaissance (Nmap, ScoutSuite) or reporting.

105
MCQ · medium

During a wireless penetration test, the tester runs `airodump-ng wlan0mon` and sees numerous beacon frames from a network. The tester then sends deauthentication packets using `aireplay-ng -0 5 -a <BSSID> wlan0mon`. What is the PRIMARY purpose of this deauthentication attack?

A. To crash the access point and cause a denial of service
B. To force a client to reconnect and capture the WPA/WPA2 handshake
C. To obtain the WPS PIN of the access point
D. To perform a rogue AP attack by spoofing the BSSID

Answer: B

Correct: The attack forces reauthentication, enabling capture of the 4-way handshake for cracking.

Why this answer

Deauthentication attacks force clients to reconnect, allowing capture of the WPA/WPA2 4-way handshake during reconnection, which is needed for offline cracking.

106
Multi-Select · medium

A penetration tester is assessing the security of a cloud application and discovers that it is vulnerable to Server-Side Request Forgery (SSRF). Which TWO of the following are potential impacts of this vulnerability?

Select 2 answers
A. Ability to perform a man-in-the-middle attack on the user's browser
B. Access to cloud instance metadata (e.g., AWS IMDS)
C. Direct modification of DNS records
D. Remote code execution on internal servers
E. Direct access to the database without authentication

Answers: B, D

Correct: SSRF can query internal metadata services to retrieve credentials.

Why this answer

SSRF can allow access to internal services (like metadata endpoints) and potentially lead to remote code execution if internal services are compromised.

107
MCQ · easy

A security analyst captures a large number of unique initialization vectors (IVs) from a wireless network using airodump-ng. Which attack are they MOST likely preparing to execute?

A. WPS PIN brute-force attack
B. Evil twin AP deployment
C. WEP key recovery using aircrack-ng
D. WPA handshake capture

Answer: C

Correct. WEP cracking relies on collecting many unique IVs to exploit statistical weaknesses in the RC4 algorithm.

Why this answer

WEP encryption is vulnerable to statistical attacks that require capturing many unique IVs to recover the WEP key. The large number of unique IVs indicates preparation for a WEP cracking attack using a tool like aircrack-ng.

108
MCQ · hard

A security analyst observes an SSL/TLS handshake where the client and server negotiate TLS 1.0 instead of TLS 1.2, despite the server supporting TLS 1.2. Which attack BEST describes the manipulation of the handshake to force weaker encryption?

A. Man-in-the-middle attack
B. Replay attack
C. Downgrade attack
D. Birthday attack

Answer: C

A downgrade attack forces the protocol to use an older, weaker version (e.g., TLS 1.0) by interfering with the handshake.

Why this answer

A downgrade attack occurs when an attacker forces the client and server to negotiate a lower, less secure version of a protocol (e.g., from TLS 1.2 to TLS 1.0) to exploit vulnerabilities in the older version.

109
Multi-Select · hard

Which TWO of the following attacks are specifically associated with wireless networks?

Select 2 answers
A. Man-in-the-middle attack
B. De-authentication attack
C. Evil twin attack
D. Replay attack
E. Birthday attack

Answers: B, C

De-auth attacks disconnect clients from a WLAN.

Why this answer

A de-authentication attack targets the management frames in IEEE 802.11 wireless networks. An attacker sends forged de-authentication frames to disconnect a client from an access point, often as a precursor to capturing the WPA handshake or launching an evil twin attack. This is a wireless-specific attack because it exploits the unencrypted nature of 802.11 management frames.

Exam trap

EC-Council often tests the distinction between attacks that are 'specific to wireless' versus those that are 'general network attacks' — the trap is that candidates confuse a common attack vector (like man-in-the-middle) with a protocol-specific vulnerability unique to 802.11.

110
MCQ · hard

In a cloud environment, an attacker exploits a vulnerability in a web application to make the server send requests to internal metadata endpoints (e.g., http://169.254.169.254/latest/meta-data/). This yields IAM temporary credentials. Which attack is this?

A. Server-Side Request Forgery (SSRF) targeting cloud metadata
B. XML External Entity (XXE) injection
C. Insecure Direct Object Reference (IDOR) on metadata
D. Cross-Site Request Forgery (CSRF) targeting cloud APIs

Answer: A

SSRF allows the attacker to make the server request internal resources like the metadata service, leaking credentials.

Why this answer

SSRF occurs when an application fetches user-controlled URLs without proper validation. The attacker used it to access cloud metadata endpoints (like AWS IMDS) to retrieve temporary credentials.

111
MCQ · hard

A security analyst observes that a server running an IoT device management platform is sending MQTT traffic to an unexpected IP address. The analyst also notes that the device's firmware contains hardcoded credentials. Which attack vector is MOST likely being exploited?

A. CoAP protocol attack
B. Insecure MQTT protocol exploitation via default credentials
C. Firmware reversing attack
D. Container escape attack

Answer: B

MQTT often lacks authentication; combined with hardcoded credentials, this allows an attacker to control the device and exfiltrate data.

Why this answer

The combination of hardcoded credentials and unexpected MQTT traffic suggests an attacker has used default credentials to compromise the device and is exfiltrating data via MQTT.

112
MCQ · hard

An IoT device uses the MQTT protocol without any authentication or encryption. An attacker on the same network subscribes to all topics on the MQTT broker. Which of the following is the MOST effective immediate countermeasure?

A. Disable the MQTT broker entirely and switch to HTTP
B. Implement client authentication and enable TLS encryption
C. Change the default topic names to obfuscated strings
D. Use a VPN for all IoT device communication

Answer: B

Correct. Enforcing authentication and TLS protects the MQTT communication from unauthorized access and sniffing.

Why this answer

MQTT without authentication and encryption can be secured by enabling TLS for transport encryption and requiring credentials for clients. This prevents unauthorized access and eavesdropping.

113
MCQ · hard

A penetration tester is assessing an AWS environment and discovers an S3 bucket with the following bucket policy: `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":"*","Action":"s3:GetObject","Resource":"arn:aws:s3:::example-bucket/*"}]}`. Which of the following is the MOST likely security issue?

A. The bucket policy allows public read access to all objects
B. The bucket policy allows only GetObject, which is too restrictive
C. The bucket policy should use a Principal of AWS instead of *
D. The bucket policy is missing a Deny statement for write operations

Answer: A

Correct: The policy grants anonymous read access, which is a security risk.

Why this answer

The policy allows anyone (Principal: *) to read any object in the bucket, making it publicly accessible and a common misconfiguration.

114
MCQ · easy

During a cloud penetration test, a tester discovers an S3 bucket that allows public listing and write access. Which of the following is the MOST likely misconfiguration?

A. The bucket is in a different region than the EC2 instance
B. The bucket policy grants 's3:GetObject' and 's3:PutObject' to 'Principal': *
C. IAM roles attached to the bucket allow anonymous access
D. Server-side encryption is disabled

Answer: B

This policy allows anyone (Principal: *) to read and write objects, making the bucket publicly accessible.

Why this answer

The correct answer is that the bucket policy or ACL is set to 'Everyone' with write permissions, a common misconfiguration leading to data exposure.

115
MCQ · hard

During a cloud penetration test, a tester discovers that an AWS IAM role has the following policy: `{"Effect":"Allow","Action":"*","Resource":"*"}`. This policy is attached to an EC2 instance. Which of the following attacks is the tester MOST likely to perform next?

A. Perform a dictionary attack against the root user password
B. SSRF attack to access the instance metadata service and obtain the IAM credentials
C. Use Pacu to enumerate S3 buckets
D. Exploit a container escape vulnerability in Docker

Answer: B

Correct: SSRF can be used to query the metadata service (e.g., http://169.254.169.254/latest/meta-data/iam/security-credentials/) to retrieve the role's temporary credentials and then leverage the full admin privileges.

Why this answer

With full admin privileges, the tester can attempt to enumerate and abuse the permissions, such as creating users, accessing data, or escalating privileges further.

116
MCQ · medium

During a penetration test, an analyst runs the following command: 'reaver -i wlan0mon -b 00:11:22:33:44:55 -vv'. What is the PRIMARY purpose of this command?

A. Perform a de-authentication attack on the target AP
B. Capture the 4-way handshake for WPA cracking
C. Brute-force the WPS PIN to recover the Wi-Fi passphrase
D. Scan for nearby access points and their BSSIDs

Answer: C

Correct. Reaver performs a brute-force attack on the WPS PIN, exploiting the weak PIN-based authentication.

Why this answer

Reaver is a tool designed to exploit the WPS PIN authentication mechanism. The command targets a specific BSSID to perform a brute-force attack on the WPS PIN, which can reveal the WPA/WPA2 passphrase if successful.

117
MCQ · medium

A security analyst observes the following log entry on a web server: 'GET /?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1'. This request appears to originate from a compromised web application. Which cloud attack technique is being attempted?

A. Server-Side Request Forgery (SSRF)
B. SQL Injection
C. Container escape
D. Cross-Site Scripting (XSS)

Answer: A

Correct. The request to the cloud metadata service is a classic SSRF attack to obtain instance credentials.

Why this answer

The IP address 169.254.169.254 is the AWS instance metadata service endpoint. An attacker using a Server-Side Request Forgery (SSRF) vulnerability can force the server to request this URL and retrieve sensitive instance metadata, such as IAM credentials.

118
Multi-Select · hard

Which THREE of the following attacks target cryptographic weaknesses?

Select 3 answers
A. Downgrade attack
B. Replay attack
C. Cross-site scripting
D. Birthday attack
E. SQL injection

Answers: A, B, D

Forces a system to use weaker, more vulnerable encryption.

Why this answer

A downgrade attack is correct because it forces a system to use a weaker, less secure cryptographic protocol or algorithm (e.g., forcing TLS 1.2 down to SSL 3.0 or using export-grade ciphers). This exploits the cryptographic weakness of the older protocol, making it easier for an attacker to decrypt or manipulate the communication. The attack directly targets the cryptographic strength of the negotiated security parameters.

Exam trap

The trap here is that candidates often treat the replay attack (option B) as a purely cryptographic attack, but it is actually a protocol-level attack that can succeed even against strong cryptography if no nonce or timestamp is used, whereas the birthday attack (option D) exploits a direct cryptographic weakness based on hash collision probability.

119
MCQ · medium

Which cloud security assessment tool is specifically designed to audit AWS environments against best practices and CIS benchmarks?

A. Pacu
B. ScoutSuite
C. Nessus
D. Metasploit
Answer: B

ScoutSuite performs cloud security audits.

Why this answer

ScoutSuite is an open-source tool that audits cloud environments (AWS, Azure, GCP) for security misconfigurations.

120
MCQ · medium

During a penetration test, you capture the following 4-way handshake using airodump-ng. Which tool would you use to attempt a dictionary attack to recover the WPA2 passphrase?

A. Reaver
B. Aircrack-ng
C. Kismet
D. John the Ripper
Answer: B

Aircrack-ng can perform dictionary attacks on captured 4-way handshakes.

Why this answer

Aircrack-ng is the standard tool for cracking WPA/WPA2 handshakes using dictionary attacks.

121
MCQ · medium

In a cloud environment, which of the following is an example of a Server-Side Request Forgery (SSRF) attack?

A. An attacker exploits a web application to send HTTP requests from the server to an internal metadata endpoint
B. An attacker intercepts traffic between a load balancer and backend servers
C. An attacker uses a SQL injection to extract database contents
D. An attacker uploads a malicious file to an S3 bucket that executes code on the server
Answer: A

SSRF allows the attacker to use the server as a proxy to access internal systems like the cloud metadata service (169.254.169.254).

Why this answer

SSRF occurs when an attacker tricks the server into making requests to internal resources, such as a cloud metadata service, to obtain credentials.

122
Multi-Select · medium

Which TWO of the following tools are used for cloud security auditing or exploitation?

Select 2 answers
A. ScoutSuite
B. John the Ripper
C. Pacu
D. Nessus
E. Aircrack-ng
Answers: A, C

ScoutSuite is a security auditing tool for cloud environments.

Why this answer

ScoutSuite is an auditing tool and Pacu is an exploitation framework for cloud environments.

123
MCQ · medium

A penetration tester uses the tool Reaver to target a Wi-Fi network. What vulnerability is the tester attempting to exploit?

A. WPA2 4-way handshake capture
B. WPS PIN brute-force weakness
C. Weak WEP encryption keys
D. RADIUS authentication bypass
Answer: B

Reaver performs a brute-force attack on the WPS PIN (typically 8 digits) to recover the PSK.

Why this answer

Reaver is a tool specifically designed to exploit the WPS (Wi-Fi Protected Setup) PIN brute-force vulnerability. It targets the WPS registrar's lack of rate-limiting and the fact that the PIN is split into two halves (first half 4 digits, second half 3 digits with a checksum), allowing an attacker to recover the WPS PIN and subsequently the WPA2 pre-shared key in a matter of hours.

Exam trap

EC-Council often tests the distinction between WPS PIN brute-force (Reaver) and WPA2 handshake capture (aircrack-ng), because candidates mistakenly associate any wireless attack with handshake capture rather than recognizing the specific tool-to-vulnerability mapping.

How to eliminate wrong answers

Option A is wrong because capturing a WPA2 4-way handshake is performed with tools like airodump-ng or Wireshark, not Reaver; Reaver does not capture handshakes but instead brute-forces the WPS PIN. Option C is wrong because weak WEP encryption keys are exploited using tools like aircrack-ng or WEP cracking techniques (e.g., ARP replay attacks), not Reaver, which is designed for WPS attacks on WPA/WPA2 networks. Option D is wrong because RADIUS authentication bypass typically targets enterprise 802.1X networks using tools like asleap or hostapd-wpe, not Reaver, which operates on the WPS protocol used in personal (PSK) mode.

124
MCQ · medium

An IoT device uses MQTT for communication. An attacker intercepts MQTT packets and observes that the publish messages are not encrypted and contain plaintext sensor data. Which of the following is the BEST recommendation to secure MQTT traffic?

A. Base64-encode the payload
B. Switch to CoAP protocol
C. Use MQTT over TLS
D. Implement a VPN on the device
Answer: C

Correct: MQTT over TLS (MQTTS) encrypts the connection, preventing eavesdropping.

Why this answer

MQTT itself does not provide encryption; using TLS (MQTT over TLS) encrypts the entire communication channel, protecting data in transit.

125
MCQ · medium

A cloud security engineer discovers that an S3 bucket named 'acme-backups' is accessible to anyone with the bucket URL. The bucket contains sensitive customer data. Which AWS shared responsibility model component does this misconfiguration primarily violate?

A. AWS is responsible for physical security of data centers
B. The customer is responsible for patching the S3 service
C. The customer is responsible for configuring access controls and permissions
D. AWS is responsible for network infrastructure; the customer for data classification
Answer: C

Correct. S3 bucket policies and permissions are customer-managed security controls.

Why this answer

Under the AWS shared responsibility model, the customer is responsible for configuring S3 bucket policies and access controls. The misconfiguration is a customer-side issue, not an infrastructure vulnerability.

126
MCQ · hard

A security engineer observes the following log event: 'Certificate for www.example.com was issued by an intermediate CA that chains to a root CA not in the trusted store.' Which type of attack might this indicate?

A. Birthday attack on the certificate signature
B. Downgrade attack to SSLv3
C. Man-in-the-middle using a rogue certificate
D. Replay attack on the TLS handshake
Answer: C

An untrusted root CA means the certificate chain cannot be validated, which may indicate an attacker's proxy issuing its own certificate.

Why this answer

A certificate from an untrusted root CA suggests a rogue or misissued certificate, possibly from a malicious CA or a man-in-the-middle attack using a proxy with its own CA certificate not trusted by the client.

127
MCQ · hard

A penetration tester performs a container escape by exploiting a misconfigured capability and mounts the host filesystem. Which cloud service model is MOST directly affected?

A. Platform as a Service (PaaS)
B. Software as a Service (SaaS)
C. Function as a Service (FaaS)
D. Infrastructure as a Service (IaaS)
Answer: D

IaaS gives users control over containers, and escape impacts the host.

Why this answer

Container escape compromises the host, affecting the underlying infrastructure in IaaS. In PaaS/SaaS, the provider may manage containers differently.

128
MCQ · hard

A penetration tester performs a container escape from a Docker container running in a cloud environment. Which of the following is the MOST likely cause?

A. The container uses default credentials for SSH
B. The container image has a known vulnerability in the MQTT library
C. The host OS is running an outdated kernel version
D. The container is running with the --privileged flag
Answer: D

Privileged mode gives the container access to host devices and kernel, enabling escape.

Why this answer

Container escape often occurs when the container is run with the --privileged flag, granting elevated capabilities that allow access to the host kernel.

129
MCQ · easy

Which asymmetric encryption algorithm is based on the algebraic structure of elliptic curves over finite fields and provides equivalent security to RSA with smaller key sizes?

A. SHA-256
B. Diffie-Hellman (DH)
C. Triple DES (3DES)
D. Elliptic Curve Cryptography (ECC)
Answer: D

ECC is an asymmetric encryption algorithm using elliptic curves, offering smaller key sizes than RSA for equivalent security.

Why this answer

ECC (Elliptic Curve Cryptography) offers strong security with smaller keys compared to RSA. Diffie-Hellman is a key exchange protocol, 3DES is symmetric, and SHA-256 is a hash function.
