CCNA Ceh Enum System Hacking Questions

75 of 189 questions · Page 2/3 · Ceh Enum System Hacking topic · Answers revealed

76
Multi-Select · hard

A security team is investigating a compromised Linux server. They suspect the attacker used privilege escalation via SUID binaries. Which THREE techniques should the team check as potential attack vectors? (Choose THREE.)

Select 3 answers
A. Injecting a malicious shared library via LD_PRELOAD into a SUID binary
B. Using token impersonation with SeDebugPrivilege
C. Leveraging a SUID shell script that calls a user-controlled command
D. Performing a DDoS attack on the server
E. Exploiting a vulnerable SUID binary such as 'nmap' or 'find'
Answers: A, C, E

LD_PRELOAD can load arbitrary libraries if the binary runs with elevated privs.

Why this answer

Common SUID escalation vectors include exploiting known vulnerable SUID binaries, using shared library injection, and abusing SUID shell scripts that call unsafe commands.

77
MCQ · easy

Which of the following is a passive OS fingerprinting technique?

A. Using nmap -O
B. Performing a ping sweep
C. Sending SYN packets and analyzing responses
D. Capturing packets and analyzing TTL values
Answer: D

TTL analysis is passive and does not generate traffic.

Why this answer

Passive OS fingerprinting involves observing network traffic without actively sending packets to the target. Option D is correct because capturing packets and analyzing TTL (Time to Live) values allows an attacker to infer the operating system, as different OSes use default TTL values (e.g., Windows uses 128, Linux uses 64, Cisco IOS uses 255). This technique does not generate any probe traffic, making it passive.

Exam trap

The trap here is that candidates confuse 'passive' with 'stealthy' scanning, often picking nmap -O with stealth flags (e.g., -sS) as passive, but any active packet injection, regardless of stealth, constitutes active fingerprinting.

How to eliminate wrong answers

Option A is wrong because nmap -O actively sends a series of probes (e.g., TCP SYN, ICMP echo) to the target and analyzes responses to determine the OS, which is active fingerprinting. Option B is wrong because a ping sweep sends ICMP Echo Request packets to multiple hosts to check liveness, which is an active scanning technique that generates traffic. Option C is wrong because sending SYN packets and analyzing responses (e.g., SYN/ACK vs RST) is the basis of active TCP stack fingerprinting, as it requires injecting packets into the network.

78
MCQ · easy

Which of the following tools is specifically designed to enumerate SMB shares and user information from Windows systems using the SMB protocol?

A. snmpwalk
B. nmap
C. enum4linux
D. hping3
Answer: C

enum4linux is a wrapper around tools like smbclient, rpcclient, and net, specifically for SMB enumeration.

Why this answer

enum4linux is a tool specifically designed to enumerate SMB shares, user lists, OS information, and other details from Windows systems by leveraging the SMB protocol (typically over TCP/445 or TCP/139). It automates queries using SMB RPC calls, such as those from the `samr` and `lsarpc` pipes, making it the correct choice for targeted SMB enumeration.

Exam trap

The trap here is that candidates confuse nmap's broad scanning capabilities (including SMB scripts) with a tool that is purpose-built for SMB enumeration, leading them to select nmap instead of enum4linux.

How to eliminate wrong answers

Option A is wrong because snmpwalk is an SNMP enumeration tool that queries MIB data over UDP/161, not SMB shares or user information. Option B is wrong because nmap is a general-purpose port scanner and service detection tool; while it can detect open SMB ports and perform basic SMB script scans (e.g., smb-os-discovery), it is not specifically designed for deep SMB share and user enumeration like enum4linux. Option D is wrong because hping3 is a packet crafting and network stress testing tool that manipulates TCP/IP packets (e.g., for firewall testing or DoS), and it has no capability to enumerate SMB shares or user accounts.

79
MCQ · easy

A security analyst runs `nbtstat -A 192.168.1.10` and receives output showing a table with names like COMPUTER<00>, COMPUTER<20>, and DOMAIN<1B>. What type of information has the analyst gathered?

A. NetBIOS names and their associated service types
B. SMB share lists and open sessions
C. DNS records for the host and domain
D. ARP cache entries for the subnet
Answer: A

nbtstat -A shows the NetBIOS name table with 16-character names where the suffix indicates the service type.

Why this answer

The `nbtstat -A` command performs a NetBIOS name table lookup against the target IP address using the NetBIOS over TCP/IP (NBT) protocol. The output displays NetBIOS names (e.g., COMPUTER<00>, COMPUTER<20>, DOMAIN<1B>) along with their associated service type suffixes (hex bytes), which identify the services running on the host, such as Workstation Service (<00>), Server Service (<20>), and Domain Master Browser (<1B>). This allows the analyst to enumerate the host's NetBIOS names and their corresponding service types.

Exam trap

The trap here is that candidates confuse `nbtstat -A` with commands that enumerate SMB shares or DNS records, but the key differentiator is the NetBIOS name table output with hex suffixes that explicitly indicate service types.

How to eliminate wrong answers

Option B is wrong because `nbtstat -A` does not list SMB share names or open sessions; those are obtained with commands like `net view` or `smbclient -L`. Option C is wrong because DNS records are queried via `nslookup` or `dig`, not through NetBIOS name resolution, which operates at a different layer (NetBIOS over TCP/IP, port 137). Option D is wrong because ARP cache entries are displayed with `arp -a`, not `nbtstat`, which deals with NetBIOS name tables, not MAC-to-IP mappings.

80
MCQ · medium

A security analyst captures the following SMTP conversation: 220 mail.example.com ESMTP; HELO client; 250 Hello; VRFY root; 250 Super-User; VRFY admin; 252 Cannot VRFY user; VRFY user1; 550 User unknown. Which attack is the analyst performing?

A. SMTP header injection
B. SMTP open relay testing
C. SMTP user enumeration via VRFY
D. SMTP DDoS attack
Answer: C

VRFY queries verify if a mailbox exists; responses reveal valid usernames.

Why this answer

Option C is correct. The VRFY command is used to verify email addresses. A successful response (250) indicates the user exists; 252 indicates ambiguous; 550 indicates no such user.

This is enumeration of valid usernames.

81
MCQ · medium

An attacker uses a tool that precomputes hash chains for common passwords to crack password hashes quickly. Which technique is the attacker employing?

A. Dictionary attack
B. Brute-force attack
C. Hybrid attack
D. Rainbow table attack
Answer: D

Rainbow tables use precomputed hash chains to crack hashes quickly.

Why this answer

The correct answer is D, Rainbow table attack. This technique involves precomputing hash chains for common passwords and storing them in a table, allowing the attacker to reverse password hashes quickly by looking up the hash in the table rather than computing hashes on the fly. The tool described matches the core concept of a rainbow table, which uses a time-memory trade-off to crack hashes efficiently.

Exam trap

The trap here is that candidates confuse a rainbow table attack with a dictionary attack, because both involve lists of passwords, but the key distinction is precomputation versus real-time hashing.

How to eliminate wrong answers

Option A is wrong because a dictionary attack uses a list of plaintext passwords, hashing each one and comparing to the target hash in real time, not precomputed hash chains. Option B is wrong because a brute-force attack tries every possible combination of characters sequentially, without any precomputation or stored hash chains. Option C is wrong because a hybrid attack combines dictionary words with variations (e.g., appending numbers or symbols), but it still computes hashes on the fly rather than relying on precomputed chains.

82
Multi-Select · medium

During a penetration test, a tester runs enum4linux against a Windows server and receives the following output: 'S-1-5-21-3623811015-3361044348-30300820-500' and 'S-1-5-21-3623811015-3361044348-30300820-501'. Which TWO conclusions can be drawn from this output?

Select 2 answers
A. The Guest account is enabled
B. The Guest account SID was enumerated
C. The Administrator account SID was enumerated
D. The server is a domain controller
E. Password policy was retrieved
Answers: B, C

RID 501 corresponds to the Guest account.

Why this answer

Options B and C are correct. A SID ending in -500 is the built-in Administrator account; a SID ending in -501 is the built-in Guest account. The output shows that both SIDs were enumerated, but it says nothing about whether the Guest account is enabled.

These are well-known RIDs.

83
MCQ · hard

A security team has collected a hash file from a compromised Windows server that contains NTLM hashes. They want to crack the passwords as quickly as possible using a precomputed lookup table. Which tool and technique combination is BEST suited for this task?

A. Use John the Ripper in incremental mode
B. Use Hydra with a dictionary of common passwords
C. Use RainbowCrack with precomputed rainbow tables
D. Use Hashcat with a rules-based attack
Answer: C

RainbowCrack uses rainbow tables to crack hashes in seconds. It is the most efficient method for precomputed attacks.

Why this answer

Rainbow tables are precomputed hash chains that allow rapid password lookups. RainbowCrack is a tool that implements rainbow table attacks, ideal for quickly cracking NTLM hashes.

84
MCQ · medium

A penetration tester uses the following command to extract the contents of a SAM file: 'samdump2 SYSTEM /mnt/windows/Windows/System32/config/SAM'. What is the primary purpose of this action?

A. To escalate privileges on the system
B. To enumerate users via LDAP
C. To capture NTLM hashes for offline cracking
D. To perform a pass-the-hash attack
Answer: C

SAM file contains hashed passwords; extracting them allows offline cracking.

Why this answer

The `samdump2` tool extracts password hash data from the SAM (Security Account Manager) registry hive file. By providing the SYSTEM hive (which contains the boot key) and the SAM file, the tool decrypts and dumps the NTLM hashes of local user accounts. These hashes can then be used in offline cracking attacks (e.g., with John the Ripper or Hashcat) to recover plaintext passwords, making option C correct.

Exam trap

The trap here is that candidates may confuse the purpose of dumping hashes (offline cracking) with the subsequent attack technique (pass-the-hash), but the question asks for the primary purpose of the `samdump2` command itself, which is hash extraction for cracking, not immediate authentication.

How to eliminate wrong answers

Option A is wrong because `samdump2` does not perform privilege escalation; it simply reads already-obtained files from a compromised system. Option B is wrong because LDAP enumeration is used for querying Active Directory directory services, not for extracting local SAM database hashes. Option D is wrong because pass-the-hash attacks use captured NTLM hashes directly for authentication without cracking them, whereas the primary purpose of dumping hashes with `samdump2` is to obtain them for offline cracking.

85
Multi-Select · medium

A security analyst is investigating a compromised Linux system and finds the following:
- A binary with the SUID bit set, owned by root, that is not a standard system binary
- The file /etc/ld.so.preload contains a reference to a shared object in /tmp
- The system logs show gaps of several minutes during peak hours
Which TWO techniques has the attacker MOST likely used to maintain access and evade detection?

Select 2 answers
A. SUID privilege escalation
B. Password cracking
C. Kernel module rootkit
D. LD_PRELOAD rootkit
E. Steganography
Answers: A, D

Setting SUID on a root-owned binary allows any user to run it with root privileges.

Why this answer

Options A and D are correct. A non-standard root-owned SUID binary allows any user to execute it with root privileges. An entry in /etc/ld.so.preload forces the listed shared object into every dynamically linked process, which a user-space rootkit uses to hook library calls and hide files and processes.

Log manipulation (gaps) is another covering tracks method.

86
MCQ · medium

A security analyst finds multiple failed login attempts in the system logs, followed by a successful login from an unusual IP address. The attacker then deleted the log entries for that session. Which step of the system hacking methodology (CHPSET) does the log deletion represent?

A. Spying
B. Executing applications
C. Cracking passwords
D. Erasing tracks
Answer: D

Deleting log entries is a classic example of erasing tracks to avoid detection.

Why this answer

The log deletion represents the 'Erasing tracks' step in the CHPSET methodology. After gaining unauthorized access, attackers must cover their footprints by removing evidence of their activities, such as clearing system logs, modifying timestamps, or deleting audit trails. This ensures the intrusion remains undetected by system administrators or security monitoring tools.

Exam trap

The trap here is confusing 'Erasing tracks' with 'Spying' because both involve post-exploitation actions, but spying focuses on data collection while erasing tracks specifically targets log and evidence removal.

How to eliminate wrong answers

Option A is wrong because 'Spying' refers to passive monitoring or data exfiltration after access is established, not the act of removing forensic evidence. Option B is wrong because 'Executing applications' involves running tools or payloads to achieve objectives like privilege escalation or backdoor installation, not log manipulation. Option C is wrong because 'Cracking passwords' is part of the initial access phase (e.g., brute-forcing or hash cracking) and occurs before successful login, not after the attacker has already authenticated.

87
MCQ · hard

An attacker has gained access to a Windows server and wants to crack the password hashes extracted from the SAM file. The attacker knows the passwords are complex but wants to maximize speed. Which tool is BEST suited for high-speed password cracking using GPU acceleration?

A. Ophcrack
B. RainbowCrack
C. John the Ripper
D. Hashcat
Answer: D

Hashcat is specifically designed for high-speed GPU-accelerated password cracking and is the best choice for speed.

Why this answer

Hashcat is the correct answer because it is specifically designed for high-speed password cracking using GPU acceleration, leveraging OpenCL or CUDA to offload computation to the GPU. This allows it to achieve millions of hashes per second, making it ideal for cracking complex passwords from SAM hashes (NTLM) when speed is the priority.

Exam trap

The trap here is that candidates often confuse 'rainbow table' tools (Ophcrack, RainbowCrack) with GPU-accelerated crackers, or assume John the Ripper is always the fastest, but Hashcat is the explicit choice for maximum GPU speed in CEH scenarios.

How to eliminate wrong answers

Option A is wrong because Ophcrack uses rainbow tables (precomputed hash chains) and is CPU-based, not GPU-accelerated, so it is slower for complex passwords and less efficient for on-the-fly cracking. Option B is wrong because RainbowCrack also relies on rainbow tables and is primarily CPU-based; while it can use some GPU acceleration in newer versions, it is not optimized for high-speed GPU cracking like Hashcat and requires precomputation time. Option C is wrong because John the Ripper can use GPU acceleration (via its 'john-gpu' variant), but its default mode is CPU-based and it is generally slower and less feature-rich for GPU cracking compared to Hashcat, which is the industry standard for GPU-accelerated password recovery.

88
MCQ · medium

During a penetration test, a tester uses the SMTP VRFY command against a mail server. The server responds with '252 Cannot VRFY user, but will accept message' for most usernames. Which action should the tester take to enumerate valid email addresses more effectively?

A. Use the EXPN command to expand mailing lists and verify addresses
B. Use the NetBIOS nbtstat command to query the mail server
C. Run a brute-force attack on the SMTP service using Hydra
D. Switch to SNMP enumeration to gather email addresses
Answer: A

EXPN can reveal valid addresses from mailing lists; RCPT TO is another alternative.

Why this answer

The SMTP VRFY command is used to verify whether a specific user exists on the mail server. When the server responds with '252 Cannot VRFY user, but will accept message', it indicates that VRFY is disabled or restricted, but the server still supports the EXPN command. EXPN (Expand) reveals the actual members of a mailing list or alias, allowing the tester to enumerate valid email addresses indirectly by querying known or guessed list names.

Exam trap

The trap here is that candidates assume a '252' response to VRFY means the user does not exist, when in fact it indicates VRFY is disabled, and they overlook the EXPN command as an alternative enumeration method.

How to eliminate wrong answers

Option B is wrong because nbtstat is a NetBIOS over TCP/IP command used to query NetBIOS name tables and WINS servers, not SMTP servers; it cannot enumerate email addresses. Option C is wrong because a brute-force attack on SMTP with Hydra would target authentication credentials (e.g., SMTP AUTH), not enumerate valid usernames via VRFY/EXPN; it is also noisy and likely to trigger account lockouts. Option D is wrong because SNMP enumeration can gather system information (e.g., user lists from SNMP MIBs) but is not a direct or effective method for enumerating email addresses from an SMTP server; it requires SNMP to be enabled and accessible.

89
MCQ · hard

A penetration tester discovers a service running on UDP port 161 with a default community string 'public'. They use `snmpwalk -v2c -c public 192.168.1.10` and retrieve extensive system information. Which enumeration technique is being performed?

A. SMB enumeration
B. LDAP enumeration
C. SMTP enumeration
D. SNMP enumeration
Answer: D

SNMP uses UDP 161, and snmpwalk retrieves the entire MIB tree.

Why this answer

The correct answer is D because the question describes using SNMP (Simple Network Management Protocol) over UDP port 161 with the default community string 'public' and the `snmpwalk` command to retrieve system information. This is a classic SNMP enumeration technique, where an attacker queries MIB (Management Information Base) data to extract details like running processes, user accounts, and network configurations.

Exam trap

The trap here is that candidates may confuse SNMP enumeration with other enumeration techniques because they see 'enumeration' in the question, but the specific use of UDP port 161 and the `snmpwalk` command uniquely identifies SNMP enumeration.

How to eliminate wrong answers

Option A is wrong because SMB enumeration uses TCP ports 139 or 445 and tools like `enum4linux` or `smbclient`, not UDP port 161 or SNMP commands. Option B is wrong because LDAP enumeration uses TCP/UDP port 389 and queries directory services via `ldapsearch`, not SNMP or the `snmpwalk` command. Option C is wrong because SMTP enumeration uses TCP port 25 and commands like `VRFY` or `EXPN` to verify email users, not UDP port 161 or SNMP protocols.

90
MCQ · medium

An attacker has gained initial access to a Windows system and wants to escalate privileges to SYSTEM. They find that the SeImpersonatePrivilege is enabled for their current user. Which tool or technique is specifically designed to leverage this privilege for elevation?

A. Token impersonation using RottenPotato
B. Pass-the-hash attack
C. Kerberoasting
D. SUID abuse
Answer: A

RottenPotato (and variants) exploit SeImpersonatePrivilege to impersonate SYSTEM tokens.

Why this answer

The SeImpersonatePrivilege allows a process to impersonate a user after obtaining a token. RottenPotato (and its variants like JuicyPotato) exploits this privilege by forcing a high-integrity service (e.g., DCOM or RPC) to authenticate to a malicious server under the attacker's control, capturing a SYSTEM-level token and using it to execute code with elevated privileges.

Exam trap

EC-Council often tests the distinction between Windows token impersonation attacks (SeImpersonatePrivilege) and Linux SUID abuse, leading candidates to mistakenly select SUID abuse when the question explicitly mentions a Windows system.

How to eliminate wrong answers

Option B (Pass-the-hash) is wrong because it reuses NTLM hashes to authenticate as another user over the network, not to escalate from a local user to SYSTEM via token impersonation. Option C (Kerberoasting) is wrong because it targets service account Kerberos tickets for offline cracking, requiring domain credentials and not leveraging SeImpersonatePrivilege. Option D (SUID abuse) is wrong because it is a Linux/Unix privilege escalation technique involving set-user-ID executables, not applicable to Windows token manipulation.

91
MCQ · medium

A penetration tester runs `nbtstat -A 192.168.1.10` on a Windows machine. The output reveals the NetBIOS name table and shows a <20> entry. What does this indicate?

A. The target is a printer
B. The target is a file server
C. The target is a domain controller
D. The target is a workstation
Answer: B

<20> indicates the file server service.

Why this answer

NetBIOS <20> identifies a file server service (SMB). The tester can now attempt SMB enumeration or brute-force attacks.

92
Multi-Select · hard

Which THREE of the following are components of the CHPSET system hacking methodology?

Select 3 answers
A. Port scanning
B. Vulnerability scanning
C. Cracking passwords
D. Privilege escalation
E. Erasing tracks
Answers: C, D, E

Cracking is the first step.

Why this answer

Options C, D, and E are correct. CHPSET stands for Cracking passwords, Hiding files, Privilege escalation, Spying, Executing applications, and Erasing tracks. Port scanning and vulnerability scanning belong to the earlier scanning phase, not to the system hacking methodology.

93
Multi-Select · medium

Which TWO of the following are common techniques for covering tracks after compromising a system? (Select 2)

Select 2 answers
A. Increasing the frequency of password changes
B. Enabling verbose logging for future attacks
C. Manipulating event logs to remove evidence of intrusion
D. Using steganography to hide exfiltrated data in image files
E. Setting up a honeypot to distract defenders
Answers: C, D

Attackers often clear or modify logs to hide their activities.

Why this answer

Log manipulation (clearing or altering logs) and using steganography (hiding data in plain sight) are common cover-tracks techniques. Deletion of logs is also common, but manipulation is more specific.

94
MCQ · medium

An analyst observes the following SNMP walk output on a network device: `SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.5.1 = STRING: "cisco"`. Which finding is most significant?

A. The SNMP community string is "cisco" and likely weak
B. The SNMP service is using version 2c
C. The device is running Cisco IOS version 12.0
D. The device is configured for read-write access
Answer: A

Why this answer

The string "cisco" indicates the community string is default or easily guessable. SNMP community strings are used as authentication; public/private defaults are a well-known vulnerability.

95
MCQ · medium

A security analyst observes repeated attempts to validate user accounts via SMTP using VRFY commands from an external IP. What is the BEST immediate action to mitigate this reconnaissance?

A. Upgrade to the latest version of the SMTP server
B. Enable SMTP authentication for all incoming connections
C. Block the external IP address at the firewall
D. Disable VRFY and EXPN commands in the SMTP server configuration
Answer: D

This prevents the enumeration technique entirely.

Why this answer

The VRFY command is an SMTP protocol feature (RFC 821) that allows a client to verify whether a specific email address exists on the server. Attackers use VRFY and EXPN to enumerate valid user accounts during the reconnaissance phase. Disabling these commands in the SMTP server configuration directly stops this enumeration technique without affecting legitimate mail delivery.

Exam trap

The trap here is that candidates often choose to block the IP address (Option C) as a quick fix, failing to recognize that the root cause is the enabled VRFY/EXPN commands, which must be disabled at the server configuration level for a permanent mitigation.

How to eliminate wrong answers

Option A is wrong because upgrading the SMTP server version does not disable VRFY/EXPN by default; the commands remain functional unless explicitly configured otherwise. Option B is wrong because SMTP authentication applies to mail submission (port 587) or after the initial connection, but VRFY is typically processed before authentication, so enabling auth does not block unauthenticated VRFY queries. Option C is wrong because blocking a single external IP is a temporary, reactive measure; the attacker can easily switch IPs, and the underlying vulnerability (enabled VRFY/EXPN) remains unaddressed.

96
MCQ · medium

A security analyst runs `ldapsearch -x -h 10.0.0.3 -b "dc=company,dc=com"` and receives a large number of entries including user objects. What type of information is being collected?

A. SMB share listings
B. SNMP MIB values
C. NetBIOS names and MAC addresses
D. Active Directory users and attributes
Answer: D

LDAP queries against domain controllers return AD objects.

Why this answer

LDAP enumeration retrieves directory information, such as user accounts, groups, and other objects from an LDAP server.

97
MCQ · hard

An attacker has obtained password hashes from a Windows system. They plan to use rainbow tables to crack them. Which tool would be most appropriate for generating and using rainbow tables?

A. Hashcat
B. Ophcrack
C. John the Ripper
D. RainbowCrack
Answer: D

RainbowCrack is the standard tool for generating and using rainbow tables with time-memory tradeoff.

Why this answer

RainbowCrack is the tool specifically designed for generating and using rainbow tables, which are precomputed hash chains used to reverse cryptographic hash functions. The question explicitly asks for the tool most appropriate for generating and using rainbow tables, and RainbowCrack directly supports both creating rainbow tables (with rtgen) and performing lookups (with rcsort and rcrack).

Exam trap

EC-Council often tests the distinction between tools that crack passwords via brute-force/dictionary (Hashcat, John the Ripper) versus tools that specifically leverage precomputed rainbow tables (RainbowCrack, Ophcrack), and candidates mistakenly choose Hashcat because it is the most popular GPU cracker, ignoring the explicit 'rainbow tables' requirement.

How to eliminate wrong answers

Option A is wrong because Hashcat is a GPU-accelerated password cracker that uses brute-force, dictionary, or rule-based attacks, not rainbow tables; it does not generate or use precomputed rainbow tables. Option B is wrong because Ophcrack is a specialized tool for cracking Windows LM and NTLM hashes using its own precomputed rainbow tables, but it is not designed for generating custom rainbow tables; it relies on tables from the Ophcrack project. Option C is wrong because John the Ripper is a versatile password cracker that supports multiple attack modes (dictionary, brute-force, incremental) but does not natively generate or use rainbow tables; its 'john --format=nt --make-charset' is for Markov mode, not rainbow tables.

98
Multi-Select · hard

Which THREE of the following are methods attackers use to cover their tracks after compromising a system?

Select 3 answers
A. Modifying file timestamps
B. Deleting event logs
C. Installing a rootkit
D. Performing a dictionary attack
E. Running a vulnerability scanner
Answers: A, B, C

Timestamp manipulation hides forensic artifacts.

Why this answer

Modifying file timestamps (A) is a common anti-forensic technique used to hide the evidence of file creation, modification, or access. Attackers use tools like `touch` on Linux or `SetFileTime` on Windows to alter the MAC (Modify, Access, Change) timestamps, making malicious files appear as legitimate system files. This prevents forensic investigators from identifying when the compromise occurred or which files were altered.

Exam trap

EC-Council often tests the distinction between attack phases, so candidates mistakenly associate dictionary attacks and vulnerability scanning with post-exploitation activities, when they actually belong to the enumeration and system hacking phases, not the covering tracks phase.

99
MCQ · easy

Which enumeration technique would be MOST effective for gathering usernames from an SMTP server that supports the VRFY command?

A. SNMP enumeration using SNMPwalk
B. SMTP VRFY enumeration
C. NetBIOS enumeration using nbtstat
D. LDAP anonymous queries
Answer: B

VRFY verifies usernames directly.

Why this answer

The VRFY command asks the server to verify a username. Attackers can use it to enumerate valid accounts.

100
MCQ · medium

During a penetration test, a tester gains a low-privilege shell on a Linux server. The command `sudo -l` reveals that the user can run `/usr/bin/find` as root. Which technique can the tester use to escalate privileges?

A. Abuse the SUID bit on find
B. Use find with the -exec flag to spawn a shell
C. Exploit a kernel vulnerability
D. Run a buffer overflow on the find binary
Answer: B

Why this answer

The `find` command has a `-exec` option that can execute arbitrary commands. With sudo access, the tester can run `sudo find . -exec /bin/sh \;` to obtain a root shell.

101
Multi-Select · easy

Which TWO of the following are common tools used for SMB enumeration? (Select 2)

Select 2 answers
A. ldapsearch
B. snmpwalk
C. enum4linux
D. nbtstat
E. smbclient
Answers: C, E

enum4linux is a tool for enumerating information from Windows SMB systems.

Why this answer

enum4linux is a wrapper tool that leverages SMB/CIFS operations (via smbclient, rpcclient, and net) to enumerate user lists, share listings, OS information, and password policies from Windows and Samba targets. It directly queries the SMB protocol (port 445/139) and is a standard tool for SMB enumeration in penetration testing.

Exam trap

EC-Council often tests the distinction between tools that operate at different protocol layers—candidates confuse NetBIOS name resolution tools (nbtstat) with SMB enumeration tools, or mistake LDAP/SNMP tools for SMB-specific ones.

102
MCQ · medium

During a penetration test, you execute the command `enum4linux -a 192.168.1.20`. The output reveals that the 'backup' account has a blank password and belongs to the 'Domain Admins' group. Which phase of the CHPSET methodology does identifying this vulnerability belong to?

A. Privilege escalation
B. Cracking passwords
C. Spying
D. Executing applications
Answer: B

Discovering a blank password is essentially identifying a weak/absent password, falling under password cracking.

Why this answer

The command `enum4linux -a` enumerates SMB shares, users, and password policies from a Windows target. Discovering that the 'backup' account has a blank password directly identifies a weak or missing credential, which falls under the 'Cracking passwords' phase of the CHPSET methodology. This phase involves identifying and exploiting weak, default, or blank passwords to gain unauthorized access.

Exam trap

The trap here is confusing the 'Cracking passwords' phase with 'Privilege escalation' because discovering a blank password on a high-privilege account seems like a privilege escalation vector, but the CHPSET methodology defines password cracking as the phase where weak or blank credentials are identified and exploited.

How to eliminate wrong answers

Option A is wrong because privilege escalation occurs after initial access is obtained, not during the identification of a blank password vulnerability. Option C is wrong because spying refers to monitoring or eavesdropping on network traffic or user activity, not discovering account credentials. Option D is wrong because executing applications involves running tools or payloads to achieve a specific goal, whereas this step is about identifying a credential weakness.

103
MCQmedium

A security team discovers that an attacker has been using steganography to exfiltrate data from the corporate network. The attacker hid data inside image files and uploaded them to a public image hosting site. Which of the following is the BEST method to detect this type of exfiltration?

A.Compare file hashes of uploaded images to known-good baselines
B.Deploy a steganography detection tool that analyzes image pixel patterns for statistical anomalies
C.Block all image uploads to external sites
D.Use network-based DLP to inspect image file headers for hidden data
AnswerB

Steganalysis tools look for statistical irregularities introduced by data embedding.

Why this answer

Steganography detection often involves statistical analysis of image files to identify anomalies. Advanced persistent threat (APT) detection systems may use machine learning to detect steganographic content.

104
MCQmedium

After gaining access to a system, an attacker modifies log files to remove evidence of their activities. This action is part of which phase of the system hacking methodology?

A.Spying
B.Executing applications
C.Hiding files
D.Erasing tracks
AnswerD

Correct. Erasing tracks includes clearing logs, removing evidence, and covering traces.

Why this answer

The correct answer is D, 'Erasing tracks,' because after gaining access, the attacker's goal is to cover their footprints by modifying or deleting log files, clearing event logs, or using tools like `wevtutil` or `clearev` to remove evidence of their activities. This phase ensures the system administrator cannot detect the intrusion or trace the attacker's actions.

Exam trap

The trap here is that candidates confuse 'Hiding files' (option C) with 'Erasing tracks,' but hiding files focuses on concealing payloads, while erasing tracks specifically targets log files and audit trails to cover the attacker's digital footprint.

How to eliminate wrong answers

Option A is wrong because 'Spying' is not a recognized phase in the CEH system hacking methodology; it is a vague term that does not correspond to any specific phase like reconnaissance or maintaining access. Option B is wrong because 'Executing applications' refers to running tools or payloads during the 'Gaining Access' or 'Maintaining Access' phases, not the post-exploitation cleanup of logs. Option C is wrong because 'Hiding files' involves concealing malicious files using techniques like NTFS alternate data streams or rootkits, which is part of the 'Maintaining Access' phase, not the specific act of erasing log evidence.

105
MCQeasy

A security analyst suspects an attacker has used a rainbow table to crack password hashes from a compromised system. Which password cracking technique involves precomputed hash chains?

A.Rainbow table attack
B.Dictionary attack
C.Brute force attack
D.Hybrid attack
AnswerA

Correct. Rainbow tables are precomputed tables for fast hash reversal.

Why this answer

A rainbow table attack is the correct answer because it specifically uses precomputed hash chains to reverse cryptographic hash functions. Rainbow tables are a form of time-memory trade-off where chains of hashes are computed and stored, allowing an attacker to look up a hash and quickly find the original plaintext without recomputing all possible hashes. This technique is distinct from other methods because it relies on precomputation rather than real-time guessing or dictionary lookups.

Exam trap

The trap here is that candidates often confuse 'precomputed hash chains' with a dictionary attack, thinking that a dictionary file is a form of precomputation, but a dictionary attack still requires real-time hashing of each word, whereas rainbow tables store the chain endpoints for instant lookup.

How to eliminate wrong answers

Option B (Dictionary attack) is wrong because it uses a list of likely passwords (words from a dictionary) and hashes each in real time, not precomputed hash chains. Option C (Brute force attack) is wrong because it tries every possible combination of characters sequentially, without any precomputation or stored chains. Option D (Hybrid attack) is wrong because it combines dictionary words with variations (e.g., appending numbers or symbols) but still performs real-time hashing, not precomputed chains.
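As an added illustration of the time-memory trade-off described above (example code written for this page, not taken from any cracking tool), the block below builds a toy rainbow table over a 4-digit PIN space, stores only chain endpoints, regenerates a chain on lookup, and then shows that a per-user salt leaves the precomputed table with nothing to match; the hash function, chain sizes and start points are assumptions chosen for illustration.

```python
"""Toy rainbow-table lookup on a 4-digit PIN space (added example).

Constructed to show what "precomputed hash chains" means: a chain walks
PIN -> hash -> reduce -> PIN -> hash ..., only the start PIN and the end
hash are stored, and a lookup regenerates the chain on demand. The salted
lookup at the end shows the defender's side. Sizes and start points are
constructed for illustration; real tables cover far larger spaces.
"""
import hashlib
from typing import Dict, List, Optional

SPACE = 10_000        # candidate passwords are the PINs 0000..9999
CHAIN_LEN = 50        # hashes per chain
NUM_CHAINS = 400      # chains kept in the table


def hash_pin(pin: str, salt: str = "") -> str:
    """SHA-256 of (salt + pin), hex encoded; unsalted by default."""
    return hashlib.sha256((salt + pin).encode()).hexdigest()


def reduce_hash(digest: str, position: int) -> str:
    """Map a digest back into the PIN space.

    Mixing in the chain position gives every step its own reduction
    function, which is what makes this a rainbow table rather than a
    single-function Hellman chain and limits chain merges.
    """
    return f"{(int(digest[:16], 16) + position) % SPACE:04d}"


def chain_pins(start: str) -> List[str]:
    """All PINs on the chain that begins at `start`, in order."""
    pins = [start]
    digest = hash_pin(start)
    for pos in range(CHAIN_LEN - 1):
        pins.append(reduce_hash(digest, pos))
        digest = hash_pin(pins[-1])
    return pins


def build_table() -> Dict[str, str]:
    """Precompute NUM_CHAINS chains; store only {end_hash: start_pin}."""
    table: Dict[str, str] = {}
    for i in range(NUM_CHAINS):
        start = f"{(i * 7919) % SPACE:04d}"     # constructed start points
        table[hash_pin(chain_pins(start)[-1])] = start
    return table


def coverage(table: Dict[str, str]) -> int:
    """Distinct PINs reachable from the stored chains (merges waste work)."""
    seen = set()
    for start in table.values():
        seen.update(chain_pins(start))
    return len(seen)


def lookup(target: str, table: Dict[str, str]) -> Optional[str]:
    """Find the PIN whose unsalted hash is `target`, or None."""
    # Assume the target sits at position j of some chain and roll it
    # forward to that chain's end hash; a hit tells us which chain to
    # regenerate. Later positions are cheaper, so try them first.
    for j in range(CHAIN_LEN - 1, -1, -1):
        digest = target
        for pos in range(j, CHAIN_LEN - 1):
            digest = hash_pin(reduce_hash(digest, pos))
        start = table.get(digest)
        if start is None:
            continue
        # Regenerate the chain and check every step; a different chain
        # may merge into the same end hash (a false alarm), so verify.
        for pin in chain_pins(start):
            if hash_pin(pin) == target:
                return pin
    return None


if __name__ == "__main__":
    table = build_table()
    print("chains stored:", len(table), "PINs covered:", coverage(table))
    known = chain_pins(next(iter(table.values())))[7]
    print("unsalted lookup:", lookup(hash_pin(known), table))
    # A per-user salt changes every digest, so the stored chains never
    # reproduce it and the precomputation is wasted.
    print("salted lookup:", lookup(hash_pin(known, salt="user42:"), table))
```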

106
MCQmedium

A tester runs `snmpwalk -v2c -c public 192.168.1.1` and receives a large amount of system information. What does this command do?

A.It walks the SNMP MIB tree using version 2c and the public community string.
B.It performs a brute-force attack on SNMP community strings.
C.It enumerates users on a Windows domain.
D.It sets SNMP values using the private community string.
AnswerA

This is the correct description.

Why this answer

The `snmpwalk` command is used to retrieve a subtree of management values from an SNMP agent. The `-v2c` flag specifies SNMP version 2c, which uses community-based security, and `-c public` provides the community string 'public' (often the default read-only community). The command walks the entire MIB tree starting from the root, returning all available OID values, which explains the large amount of system information received.

Exam trap

The trap here is that candidates may confuse `snmpwalk` with a brute-force tool or think it can modify SNMP values, but the command strictly performs read-only enumeration using the specified community string.

How to eliminate wrong answers

Option B is wrong because `snmpwalk` does not perform brute-force attacks; tools like `onesixtyone` or `hydra` are used for brute-forcing SNMP community strings. Option C is wrong because `snmpwalk` enumerates SNMP MIB objects, not Windows domain users; tools like `enum4linux` or `ldapsearch` are used for domain user enumeration. Option D is wrong because `snmpwalk` only reads values (GET/GETNEXT requests) and does not set or write SNMP values; setting values requires `snmpset` with a read-write community string like 'private'.

107
MCQhard

A penetration tester is attempting to escalate privileges on a Linux target. The tester runs `find / -perm -4000 -type f 2>/dev/null` and discovers that `/usr/bin/pkexec` has the SUID bit set. The target runs Ubuntu 20.04 with default configurations. Which of the following is the MOST likely next step?

A.Exploit the pkexec vulnerability (CVE-2021-4034) to gain root access
B.Change the ownership of the pkexec binary to root:root
C.Use pkexec to execute a command as root directly
D.Remove the SUID bit from pkexec to prevent misuse
AnswerA

CVE-2021-4034 is a local privilege escalation in pkexec that affects many Linux systems, including Ubuntu 20.04.

Why this answer

CVE-2021-4034 (PwnKit) is a well-known vulnerability in pkexec on many Linux distributions, including Ubuntu 20.04. It allows local privilege escalation to root. The tester should exploit this vulnerability.

108
MCQeasy

Which of the following is the PRIMARY purpose of steganography in the context of covering tracks after a system compromise?

A.To hide data within other files to avoid detection
B.To create a backdoor for future access
C.To delete system logs permanently
D.To encrypt log files so they cannot be read
AnswerA

Steganography conceals data in plain sight.

Why this answer

The primary purpose of steganography in covering tracks is to hide stolen data or malicious payloads within innocuous files (e.g., images, audio, video) so that forensic tools and analysts do not detect the exfiltration or persistence. Unlike encryption, which makes data unreadable but still visible, steganography conceals the very existence of the hidden data, allowing an attacker to bypass network monitoring and file inspection. This aligns with the CEH objective of covering tracks by avoiding detection of unauthorized data transfers.

Exam trap

The trap here is that candidates confuse steganography with encryption or log manipulation, mistakenly thinking its primary purpose is to secure data (like encryption) or to remove evidence (like log deletion), rather than to conceal the existence of the data itself.

How to eliminate wrong answers

Option B is wrong because creating a backdoor is a separate post-exploitation activity (e.g., using netcat or Meterpreter) and not a function of steganography, which focuses on hiding data rather than providing access. Option C is wrong because permanently deleting system logs is typically achieved with log-wiping tools (e.g., `wevtutil` on Windows or `shred` on Linux), not steganography, which does not delete files. Option D is wrong because encrypting log files (e.g., with AES) makes them unreadable but still visible as encrypted blobs, whereas steganography hides data within other files to avoid suspicion entirely.

109
MCQhard

An attacker uses `rpcclient -U '' -N 192.168.1.10` followed by `enumdomusers` and `enumdomgroups`. What type of enumeration is being performed, and which protocol does it rely on?

A.LDAP enumeration over port 389
B.SMB/RPC enumeration over port 445
C.NetBIOS enumeration over port 139
D.SNMP enumeration over port 161
AnswerB

rpcclient uses MS-RPC over SMB, typically port 445.

Why this answer

The `rpcclient` tool with the `-U '' -N` flags performs a null session connection to a Windows system over the SMB protocol. The subsequent `enumdomusers` and `enumdomgroups` commands enumerate domain users and groups via MS-RPC (Remote Procedure Call) functions, which are transported over SMB. By default, modern Windows systems use SMB over port 445, making option B the correct choice.

Exam trap

The trap here is that candidates confuse the underlying protocol (SMB/RPC on port 445) with the older NetBIOS session service (port 139), or mistakenly associate user/group enumeration solely with LDAP, not realizing that `rpcclient` uses MS-RPC over SMB.

How to eliminate wrong answers

Option A is wrong because LDAP enumeration typically uses `ldapsearch` or similar tools over port 389, not `rpcclient` commands like `enumdomusers`. Option C is wrong because NetBIOS enumeration uses `nbtstat` or `nbtscan` over port 139, and while older SMB could run over NetBIOS, the given command targets port 445 directly (default for modern SMB). Option D is wrong because SNMP enumeration uses tools like `snmpwalk` over UDP port 161, and `rpcclient` does not interact with SNMP at all.

110
MCQeasy

Which tool is specifically designed to crack Windows LM and NTLM hashes using rainbow tables?

A.Hashcat
B.Ophcrack
C.RainbowCrack
D.John the Ripper
AnswerB

Ophcrack cracks Windows LM/NTLM hashes using precomputed rainbow tables.

Why this answer

Ophcrack is a tool that cracks Windows LM/NTLM hashes using rainbow tables. John the Ripper and Hashcat are general password crackers but not rainbow-table-specific; RainbowCrack is a generic rainbow table tool but not Windows-specific.

111
MCQeasy

A security analyst uses the nbtstat -a command against a target IP address. What information is the analyst MOST likely attempting to retrieve?

A.Active directory domain controllers
B.List of all open TCP ports
C.NetBIOS name table of the remote machine
D.The MAC address of the target
AnswerC

The -a flag lists the remote machine's NetBIOS name table.

Why this answer

The nbtstat -a command is used to query the NetBIOS name table of a remote machine by its IP address. This table contains the NetBIOS names registered by the remote host, such as the computer name, workgroup/domain, and any services running over NetBIOS (e.g., file sharing). The analyst is most likely attempting to enumerate these names for reconnaissance or to identify potential targets for further exploitation.

Exam trap

The trap here is that candidates often confuse nbtstat -a with retrieving only the MAC address, because the output does display a MAC address line, but the command's primary function is to enumerate the NetBIOS name table.

How to eliminate wrong answers

Option A is wrong because nbtstat does not query Active Directory domain controllers; that would require tools like nslookup or dsquery. Option B is wrong because nbtstat does not list open TCP ports; port scanning is done with tools like Nmap or netstat. Option D is wrong because while nbtstat can display the MAC address in its output (under the 'MAC Address' field), the primary purpose of the -a switch is to retrieve the NetBIOS name table, not just the MAC address.

112
MCQmedium

A penetration tester has obtained a copy of the SAM database from a Windows system. The hashes extracted include both LM and NTLM hashes. Which of the following tools would be MOST efficient to crack the NTLM hashes using a dictionary attack with GPU acceleration?

A.John the Ripper
B.Ophcrack
C.Hashcat
D.RainbowCrack
AnswerC

Hashcat with -m 1000 cracks NTLM hashes using GPU acceleration efficiently.

Why this answer

Hashcat is the most efficient tool for GPU-accelerated dictionary attacks against NTLM hashes because it is purpose-built for high-speed password cracking using OpenCL and CUDA, directly leveraging GPU parallelism. It supports the NTLM hash mode (1000) and can process millions of hashes per second, far outperforming CPU-based tools like John the Ripper for this specific task.

Exam trap

The trap here is that candidates confuse Ophcrack's LM hash rainbow table capability with NTLM cracking, or assume John the Ripper's general-purpose nature makes it equally efficient for GPU-accelerated tasks, when Hashcat is the de facto standard for GPU-based password cracking.

How to eliminate wrong answers

Option A is wrong because John the Ripper, while capable of cracking NTLM hashes, primarily runs on CPU and does not natively support GPU acceleration as efficiently as Hashcat; its GPU support is limited and requires separate builds or patches. Option B is wrong because Ophcrack is a specialized tool for cracking LM hashes using rainbow tables, not NTLM hashes, and it does not support GPU acceleration or dictionary attacks. Option D is wrong because RainbowCrack is designed for rainbow table attacks, not dictionary attacks, and while it can use GPU acceleration, it is not optimized for NTLM hash cracking via dictionary methods.

113
MCQmedium

During a network assessment, you use SNMPwalk against a target. Which of the following is a prerequisite for successful SNMP enumeration?

A.An open TCP port 161
B.The target must be running Linux
C.Knowledge of the SNMP community string
D.A valid username and password
AnswerC

The community string acts like a password for SNMP access.

Why this answer

Option C is correct. SNMPwalk requires a valid community string (often 'public') to query the MIB.

114
Multi-Selecthard

A penetration tester is tasked with performing privilege escalation on a Windows system. Which THREE of the following methods are commonly used for Windows privilege escalation? (Select 3)

Select 3 answers
A.SUID bit abuse
B.Token impersonation (e.g., SeImpersonatePrivilege)
C.Exploiting unquoted service paths
D.Pass-the-hash attack
E.Exploiting weak service permissions (e.g., service misconfigurations)
AnswersB, C, E

If a process has the SeImpersonatePrivilege, it can impersonate other users, potentially gaining higher privileges.

Why this answer

Windows privilege escalation techniques include exploiting unquoted service paths (where spaces in the path allow execution hijacking), token impersonation (e.g., SeImpersonatePrivilege), and weak service permissions (allowing modification of service binaries). SUID abuse is Linux-specific, and pass-the-hash is for lateral movement, not escalation.

115
MCQmedium

A security analyst observes a suspicious SUID binary /usr/bin/evil in a Linux system. Which type of vulnerability does this indicate, and what is the MOST likely objective of an attacker who placed it?

A.Information disclosure; read sensitive files
B.Privilege escalation; gain root access
C.Denial of service; crash the system
D.Buffer overflow; execute arbitrary code
AnswerB

SUID binaries allow execution with elevated permissions; a root-owned SUID binary can be used to escalate to root.

Why this answer

A SUID binary owned by root that is not part of the standard OS distribution (like /usr/bin/evil) is a classic indicator of a privilege escalation backdoor. The SUID bit allows any user who executes the binary to run it with the owner's permissions—in this case, root—so the attacker's objective is to gain root access by executing this binary.

Exam trap

EC-Council often tests the distinction between a vulnerability (like a buffer overflow) and an indicator of a completed exploit (like a SUID binary), causing candidates to confuse the attack vector with the attacker's objective.

How to eliminate wrong answers

Option A is wrong because information disclosure typically involves reading sensitive files via misconfigured permissions or services (e.g., world-readable /etc/shadow), not a custom SUID binary. Option C is wrong because a denial of service attack aims to crash or exhaust system resources, whereas a SUID binary is specifically designed to grant elevated privileges, not disrupt availability. Option D is wrong because a buffer overflow exploits memory corruption to execute arbitrary code, but the presence of a suspicious SUID binary itself does not indicate a buffer overflow; it indicates a pre-placed privilege escalation mechanism.

116
MCQhard

During a penetration test, you enumerate a Linux NFS server and discover that the /export directory is mounted with 'no_root_squash' and 'world_readable' permissions. Which of the following actions would allow you to escalate to root access on the NFS client?

A.Create a symbolic link to /etc/shadow on the server from the client
B.Use 'showmount -e' to list exports and then mount the share with 'mount -t nfs -o vers=3'
C.Mount the share, create a setuid binary owned by root, then execute it on the client
D.Run 'sudo nmap --script nfs-ls' to list files on the export
AnswerC

Because root squashing is disabled (no_root_squash), files created as root on the client retain root ownership on the server. A setuid binary executes with root privileges.

Why this answer

Option C is correct. With 'no_root_squash', a root user on the client can create files owned by root on the server. By mounting the share and creating a setuid binary owned by root, any local user on the client can execute it with root privileges.

117
Multi-Selectmedium

Which TWO of the following are valid methods for enumerating SMB shares on a target system? (Select 2)

Select 2 answers
A.smbclient -L //target -U ''
B.snmpwalk -v2c -c public target
C.nmap -sU -p 445 target
D.nbtstat -A target
E.enum4linux -a target
AnswersA, E

smbclient -L lists available shares.

Why this answer

Option A is correct because `smbclient -L //target -U ''` attempts to list SMB shares on the target by connecting with a null session (empty username). This is a classic enumeration technique that exploits default or weak SMB configurations, allowing an attacker to retrieve share names without authentication.

Exam trap

The trap here is that candidates often confuse NetBIOS enumeration (using `nbtstat`) with SMB share enumeration, or they mistakenly think UDP scans on port 445 (which is TCP-only) are valid for SMB discovery.

118
MCQmedium

A penetration tester uses the SMTP commands VRFY and EXPN on a mail server. What is the tester MOST likely trying to accomplish?

A.To enumerate valid email addresses and distribution lists
B.To extract email content from the server
C.To perform a mail relay attack
D.To test for open relay
AnswerA

VRFY and EXPN reveal valid users and lists.

Why this answer

The VRFY command asks the mail server to verify whether a given email address exists, while EXPN requests the members of a mailing list or alias. By issuing these commands, the tester can enumerate valid user accounts and distribution lists on the server, which is a key step in building a target list for further attacks such as password guessing or phishing.

Exam trap

The trap here is that candidates confuse VRFY/EXPN with open relay testing, but open relay is verified using the RCPT TO command with an external domain, not address verification or list expansion.

How to eliminate wrong answers

Option B is wrong because VRFY and EXPN only return address existence or list membership, not the content of stored emails; extracting email content would require protocols like IMAP or POP3 with valid credentials. Option C is wrong because a mail relay attack involves using the server to send unauthorized email to external domains, which is tested with the SMTP 'RCPT TO' command, not VRFY or EXPN. Option D is wrong because testing for open relay is done by sending a test email with a RCPT TO pointing to an external domain and observing if the server accepts it without authentication; VRFY and EXPN do not test relay behavior.

119
MCQhard

After gaining initial access to a Windows server, a penetration tester wants to escalate privileges. The tester finds that the current user has the 'SeImpersonatePrivilege' enabled. Which attack technique could the tester use to abuse this privilege?

A.SUID bit abuse
B.Pass-the-Hash attack
C.Token impersonation via Juicy Potato
D.Log manipulation to hide tracks
AnswerC

Juicy Potato abuses SeImpersonatePrivilege to impersonate SYSTEM tokens.

Why this answer

The SeImpersonatePrivilege allows a process to impersonate a user after obtaining a token. Juicy Potato (and its variants like RoguePotato) exploits this by coercing the SYSTEM account to connect to a malicious named pipe, capturing its token, and using it to spawn a process with SYSTEM privileges. This is a well-known privilege escalation technique on Windows systems where the user has the SeImpersonatePrivilege.

Exam trap

The trap here is that candidates confuse SeImpersonatePrivilege with other Windows privileges (like SeDebugPrivilege) or mistakenly associate it with Linux-based SUID attacks, leading them to choose option A or B.

How to eliminate wrong answers

Option A is wrong because SUID bit abuse is a Linux/Unix privilege escalation technique that relies on the set-user-ID permission bit, which has no equivalent on Windows. Option B is wrong because Pass-the-Hash is a lateral movement or credential reuse attack that uses NTLM hashes to authenticate, not a technique to abuse the SeImpersonatePrivilege for local privilege escalation. Option D is wrong because log manipulation is a post-exploitation stealth technique to cover tracks, not a method to escalate privileges using a specific user right.

120
MCQmedium

A security analyst observes repeated log entries showing `EXPN` commands from an external IP address to the company's mail server. What is the MOST likely objective of this activity?

A.Testing SMTP authentication mechanisms
B.Attempting to perform a denial-of-service attack
C.Enumerating valid email addresses and mailing list members
D.Delivering spam emails through open relay
AnswerC

EXPN reveals list members.

Why this answer

EXPN expands mailing lists, revealing member email addresses. This aids in social engineering or further attacks.

121
MCQhard

A forensic analyst discovers that an attacker used a rootkit to hide malicious processes and files on a compromised Linux system. The rootkit also intercepts system calls to `open()` and `stat()` to return clean results. Which of the following techniques is the rootkit using to cover its tracks?

A.Steganography to conceal malicious files in image metadata
B.Token impersonation to gain administrator privileges
C.Syscall hooking to modify the return values of userland commands
D.Log manipulation by clearing entries in /var/log
AnswerC

Syscall hooking intercepts system calls like open() and stat() and returns fake data, hiding the rootkit's presence.

Why this answer

The rootkit intercepts system calls like `open()` and `stat()` to return clean results, which is a classic example of syscall hooking. By hooking these kernel-level functions, the rootkit can filter out any information about its own malicious files and processes, making them invisible to userland commands such as `ls`, `ps`, or `cat`. This technique operates at the kernel level, not in user space, allowing it to control what data is returned to any process that makes those syscalls.

Exam trap

The trap here is that candidates may confuse syscall hooking with log manipulation or steganography, not realizing that the question specifically describes intercepting system calls to return clean results, which is the hallmark of kernel-level rootkit hiding, not file-level or log-level concealment.

How to eliminate wrong answers

Option A is wrong because steganography hides data within other files (e.g., image metadata) but does not intercept system calls or hide running processes; it is a data concealment technique, not a rootkit hiding mechanism. Option B is wrong because token impersonation is a Windows-specific privilege escalation technique that involves duplicating access tokens, not a Linux rootkit method for hiding files or processes via syscall interception. Option D is wrong because log manipulation (clearing /var/log entries) removes evidence from log files but does not intercept system calls or hide active processes and files from commands like `ps` or `ls`; it is a post-exploitation cleanup step, not the core hiding technique described.
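The defender's counterpart to the syscall hooking described above, as an added example that is not from the original page: a cross-view check that compares the PIDs visible through /proc with a kill(pid, 0) probe of the whole PID range, the same idea as unhide's brute mode. The core function takes both views as arguments so it can be exercised with constructed data; the helpers read the live system.

```python
"""Cross-view check for processes hidden from /proc (added example).

A rootkit that hooks the syscalls behind `ls /proc` or `ps` can filter
its own PIDs out of the directory listing, but the PID still answers a
kill(pid, 0) probe unless that syscall is hooked as well. Comparing the
two views surfaces the difference.
"""
import os
from typing import Callable, Iterable, List, Set


def list_proc_ids() -> Set[int]:
    """PIDs and thread IDs visible through /proc.

    Threads answer kill() too but only appear under /proc/<pid>/task,
    so they are added to the visible set to avoid false positives.
    """
    ids: Set[int] = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            ids.update(int(t) for t in os.listdir(f"/proc/{name}/task"))
        except OSError:
            pass  # process exited between the two reads
    return ids


def pid_exists(pid: int) -> bool:
    """Probe via kill(pid, 0): EPERM still means the PID is alive."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def read_pid_max(default: int = 32768) -> int:
    """Upper bound of the PID space on this kernel."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read().strip())
    except OSError:
        return default


def find_hidden_pids(visible: Iterable[int],
                     exists: Callable[[int], bool],
                     max_pid: int) -> List[int]:
    """PIDs that answer the probe but are absent from the listing."""
    visible_set = set(visible)
    return sorted(pid for pid in range(1, max_pid + 1)
                  if pid not in visible_set and exists(pid))


def main() -> None:
    hidden = find_hidden_pids(list_proc_ids(), pid_exists, read_pid_max())
    # Processes exiting between the two snapshots cause occasional one-off
    # hits; repeat the scan and only trust PIDs that stay hidden.
    print("hidden PIDs:", hidden or "none")


if __name__ == "__main__":
    main()
```

A rootkit that also hooks kill() passes this check, so a clean result is one signal rather than proof; examining the disk from trusted boot media remains the stronger test.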

122
MCQhard

A penetration tester captures the following output from a command: `smb: \> ls \\192.168.1.20\C$`. The tester is able to list the contents of the C$ share without providing credentials. Which of the following is the MOST likely reason for this access?

A.The C$ share is intentionally shared with Everyone
B.The target is running a Samba server with weak permissions
C.The target has a null session vulnerability that allows access to admin shares
D.The tester is using a pass-the-hash attack
AnswerC

Older Windows versions or misconfigured systems allow null sessions to admin shares.

Why this answer

The output shows the tester successfully listing the C$ share (a default administrative share) without providing credentials. This is a classic indicator of a null session vulnerability, where Windows allows unauthenticated access to IPC$ and, in some configurations, admin shares via SMB. The tester is leveraging the default null session to enumerate or access these shares, which is a well-known weakness in older Windows systems or misconfigured Samba servers.

Exam trap

The trap here is that candidates often confuse null session access with pass-the-hash or weak permissions, but the key clue is the absence of any credential usage in the command, which directly points to the null session vulnerability.

How to eliminate wrong answers

Option A is wrong because the C$ share is a hidden administrative share that is not shared with Everyone by default; it is only accessible to members of the Administrators group. Option B is wrong because while a Samba server with weak permissions could allow unauthorized access, the specific command accessing C$ without credentials points to a null session vulnerability, not merely weak permissions. Option D is wrong because a pass-the-hash attack requires a captured NTLM hash and is used to authenticate as a specific user, not to gain unauthenticated access to admin shares; the tester did not provide any credentials or hashes.

123
Multi-Selectmedium

Which TWO of the following are valid methods for enumerating users on a SMTP server? (Select 2)

Select 2 answers
A.EXPN
B.MAIL FROM
C.RCPT TO
D.VRFY
E.AUTH
AnswersA, D

EXPN expands mailing lists and can reveal valid addresses.

Why this answer

EXPN (Expand) and VRFY (Verify) are SMTP commands defined in RFC 821 that allow an attacker to enumerate valid email addresses and mailing list members on a mail server. EXPN reveals the members of a mailing list, while VRFY confirms whether a specific mailbox exists. Both commands are often disabled in production to prevent user enumeration.

Exam trap

The trap here is that candidates confuse RCPT TO (which can indirectly reveal user existence through response codes) with a dedicated enumeration command, but the CEH exam specifically expects VRFY and EXPN as the two valid SMTP enumeration methods.

124
MCQmedium

An attacker uses the VRFY command on an SMTP server to check the existence of email addresses. The server responds with '250 OK' for 'admin@company.com' and '550 No such user' for 'fake@company.com'. Which SMTP enumeration technique is being used?

A.EXPN enumeration
B.SMTP banner grabbing
C.RCPT TO enumeration
D.VRFY enumeration
AnswerD

The VRFY command verifies whether a mailbox exists, and the response codes confirm this technique.

Why this answer

The VRFY command is an SMTP command defined in RFC 821 that asks the server to verify whether a given email address exists. When the server responds with '250 OK' for a valid address and '550 No such user' for an invalid one, the attacker is directly using the VRFY command to enumerate valid users. This is explicitly known as VRFY enumeration.

Exam trap

The trap here is that candidates confuse VRFY with RCPT TO, but the question explicitly states the VRFY command is used, making 'VRFY enumeration' the only correct answer.

How to eliminate wrong answers

Option A is wrong because EXPN (Expand) is used to list members of a mailing list or alias, not to verify individual email addresses. Option B is wrong because SMTP banner grabbing involves reading the server's initial greeting banner to identify software/version, not sending VRFY commands. Option C is wrong because RCPT TO enumeration uses the RCPT TO command during the mail transaction to verify recipients, not the standalone VRFY command.
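Turning the VRFY/EXPN discussion of questions 118, 120, 123 and 124 into detection and mitigation, as an added example that is not from the original page: the block parses a constructed mail-server log format, flags clients issuing repeated VRFY/EXPN probes along with the names the server confirmed, and models the hardened server reply (252 for VRFY, as RFC 5321 allows) that removes the 250/550 distinction enumeration relies on. The log format and sample lines are constructed for this example.

```python
"""Detecting VRFY/EXPN user enumeration from mail-server logs (added example).

The log format below is constructed for this example (real MTAs log these
commands differently, if at all). The detector reports, per client, how
many probes were sent and which names the server confirmed, which is what
an incident responder needs for follow-up. smtp_reply() models the
hardened behaviour: answering VRFY with 252 (RFC 5321 section 3.5.3)
makes valid and invalid names indistinguishable.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ smtpd\[\d+\]: client=(?P<ip>[\d.]+) "
    r"cmd=(?P<cmd>[A-Z]+) arg=(?P<arg>\S*) reply=(?P<code>\d{3})$"
)

# Constructed sample: one client probing accounts, one ordinary sender.
SAMPLE_LOG = """\
Mar 15 10:01:02 mail smtpd[2211]: client=203.0.113.5 cmd=VRFY arg=admin reply=250
Mar 15 10:01:03 mail smtpd[2211]: client=203.0.113.5 cmd=VRFY arg=fake reply=550
Mar 15 10:01:03 mail smtpd[2211]: client=203.0.113.5 cmd=VRFY arg=test reply=550
Mar 15 10:01:04 mail smtpd[2211]: client=203.0.113.5 cmd=VRFY arg=root reply=250
Mar 15 10:01:05 mail smtpd[2211]: client=203.0.113.5 cmd=EXPN arg=staff reply=250
Mar 15 10:01:05 mail smtpd[2211]: client=203.0.113.5 cmd=VRFY arg=guest reply=550
Mar 15 10:02:10 mail smtpd[2212]: client=198.51.100.7 cmd=MAIL arg=FROM:<a@example.org> reply=250
Mar 15 10:02:10 mail smtpd[2212]: client=198.51.100.7 cmd=RCPT arg=TO:<admin@company.com> reply=250
Mar 15 10:02:11 mail smtpd[2212]: client=198.51.100.7 cmd=VRFY arg=admin reply=250
""".splitlines()


def detect_enumeration(lines: Iterable[str], min_probes: int = 5) -> Dict[str, dict]:
    """Per client IP: VRFY/EXPN probe count, 5xx failures, confirmed names.

    Only clients with at least `min_probes` probes are returned; a single
    VRFY from a legitimate MTA is not worth an alert.
    """
    stats = defaultdict(lambda: {"probes": 0, "failures": 0, "confirmed": []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["cmd"] not in ("VRFY", "EXPN"):
            continue
        entry = stats[m["ip"]]
        entry["probes"] += 1
        if m["code"].startswith("5"):
            entry["failures"] += 1
        elif m["code"] == "250":
            # A 250 tells the client the name is real: record it so the
            # responder knows which accounts were confirmed.
            entry["confirmed"].append(f'{m["cmd"]} {m["arg"]}')
    return {ip: s for ip, s in stats.items() if s["probes"] >= min_probes}


def smtp_reply(cmd: str, arg: str, mailboxes: Dict[str, List[str]],
               vrfy_enabled: bool) -> Tuple[int, str]:
    """Model a server's answer to VRFY/EXPN with enumeration on or off.

    `mailboxes` maps a local name to its members (one entry for a user,
    several for a list). With enumeration disabled the server answers
    252 for VRFY and 502 for EXPN regardless of whether the name exists.
    """
    if cmd == "VRFY":
        if not vrfy_enabled:
            return 252, "Cannot VRFY user, but will accept message and attempt delivery"
        return (250, arg) if arg in mailboxes else (550, "No such user")
    if cmd == "EXPN":
        if not vrfy_enabled:
            return 502, "Command not implemented"
        return (250, ", ".join(mailboxes[arg])) if arg in mailboxes else (550, "No such list")
    return 500, "Syntax error, command unrecognized"


if __name__ == "__main__":
    for ip, s in detect_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {s['probes']} probes, {s['failures']} failures, confirmed={s['confirmed']}")
```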

125
Multi-Selecteasy

Which TWO of the following are password cracking techniques? (Select 2)

Select 2 answers
A.SQL injection
B.Rainbow table attack
C.Phishing
D.ARP spoofing
E.Dictionary attack
AnswersB, E

Rainbow tables use precomputed hash tables.

Why this answer

Dictionary attack and rainbow table attack are both password cracking techniques. SQL injection is a web attack, not password cracking. Phishing is social engineering, and ARP spoofing is a network attack.

126
MCQhard

A forensic analyst examining a compromised Linux system finds the following entry in /var/log/auth.log: `Mar 15 10:23:45 server sshd[1234]: Accepted password for root from 10.0.0.5 port 54321 ssh2`. However, the analyst also notices that /var/log/auth.log has been truncated and the /etc/ssh/sshd_config file contains `LogLevel QUIET`. Which attack phase is most likely being obscured?

A.Privilege escalation
B.Executing applications
C.Spying
D.Erasing tracks
AnswerD

Truncating logs and reducing logging levels are classic techniques to cover tracks.

Why this answer

The presence of `LogLevel QUIET` in sshd_config suppresses all authentication log entries, and the truncation of /var/log/auth.log indicates an attempt to remove evidence of unauthorized access. Together, these actions are classic examples of erasing tracks, as the attacker is modifying logs and configuration to hide their activities from forensic analysis.

Exam trap

The trap here is that candidates may confuse log manipulation with privilege escalation or execution phases, but the CEH exam specifically tests the 'Erasing Tracks' phase (part of the System Hacking domain) where attackers modify or delete logs, alter timestamps, or disable auditing to avoid detection.

How to eliminate wrong answers

Option A is wrong because privilege escalation involves gaining higher-level permissions (e.g., via SUID exploits or kernel vulnerabilities), not manipulating SSH logging or truncating auth logs. Option B is wrong because executing applications refers to running malicious code or tools on the system, which is a separate phase after access is obtained. Option C is wrong because spying (or exfiltration) involves covertly monitoring or stealing data, whereas the evidence here points to covering up the intrusion itself, not ongoing surveillance.

127
Multi-Selecthard

During a penetration test, the tester successfully cracks a password hash using a hybrid attack. Which THREE characteristics describe a hybrid attack? (Select three.)

Select 3 answers
A.Applies mutations like appending numbers or symbols
B.Tries every possible combination of characters
C.Combines dictionary and brute-force mutations
D.Relies on precomputed hash chains
E.Uses a wordlist as a base
AnswersA, C, E

Why this answer

A hybrid attack combines a dictionary with mutations (e.g., appending numbers, prefixing symbols). It does not try all combinations (that's brute-force) and does not use precomputed tables (rainbow tables).

128
Multi-Selecthard

A security auditor runs SNMPwalk against a network device using the default community string 'public' and obtains extensive system information. Which THREE of the following are effective countermeasures to prevent unauthorized SNMP enumeration?

Select 3 answers
A.Disable SNMP entirely on all devices
B.Implement an access control list (ACL) limiting SNMP access to management hosts
C.Set the community string to 'private' for read-only access
D.Change the community string from 'public' to a complex string
E.Upgrade SNMP to version 3 with authentication and encryption
AnswersB, D, E

ACLs restrict which IPs can query SNMP, reducing exposure.

Why this answer

Options B, D, and E are correct. Changing the default community string (D) is a basic hardening step. Using SNMPv3 (E) provides authentication and encryption.

Restricting SNMP access to specific IP addresses (B) reduces exposure. A and C are incorrect, as they either increase risk or are unrelated to preventing unauthorized enumeration.

129
MCQhard

An attacker has gained access to a Linux server and wants to cover their tracks. They edit the `.bash_history` file, modify system logs in `/var/log`, and install a kernel module that hides their processes. Which two steps of the system hacking methodology (CHPSET) are being performed?

A.Erasing tracks and Privilege escalation
B.Cracking passwords and Covering tracks
C.Erasing tracks and Spying
D.Executing applications and Spying
AnswerC

Cleaning logs and history is erasing tracks; installing a kernel module to hide processes is spying (maintaining access).

Why this answer

The attacker is performing 'Erasing tracks' by editing .bash_history and modifying logs in /var/log, and 'Spying' by installing a kernel module to hide processes, which allows continued covert monitoring. These correspond to the 'Erasing tracks' and 'Spying' steps in the CHPSET (Cracking, Hacking, Privilege escalation, Spying, Executing applications, Erasing tracks) methodology.

Exam trap

The trap here is confusing 'Erasing tracks' with 'Covering tracks' (they are the same step) and failing to recognize that installing a kernel module to hide processes is a spying/monitoring activity, not privilege escalation or executing applications.

How to eliminate wrong answers

Option A is wrong because privilege escalation involves gaining higher-level permissions (e.g., via SUID exploits or kernel vulnerabilities), not modifying logs or hiding processes. Option B is wrong because cracking passwords is a separate step involving tools like John the Ripper or hashcat, and while 'Covering tracks' is synonymous with 'Erasing tracks', the pair does not match the two actions described (spying is also performed). Option D is wrong because executing applications refers to running malware or payloads (e.g., backdoors), not hiding processes with a kernel module, and spying is only one of the two actions.

130
MCQmedium

A penetration tester obtains a list of password hashes and uses RainbowCrack. Which statement BEST describes how RainbowCrack works?

A.It uses a dictionary attack with word mangling rules
B.It uses online password guessing against the target service
C.It uses a brute-force attack by trying all possible character combinations
D.It uses time-memory trade-off with precomputed hash chains
AnswerD

Rainbow tables are a time-memory trade-off technique.

Why this answer

RainbowCrack implements a time-memory trade-off attack by precomputing hash chains for a given set of passwords and storing them in rainbow tables. When a password hash is provided, the tool looks up the hash in these tables to reverse it, avoiding the need to recompute hashes for every possible password. This makes it far faster than brute-force for cracking hashes, provided the password is covered by the precomputed chains.

Exam trap

EC-Council often tests the distinction between offline hash-cracking tools (like RainbowCrack) and online password-guessing attacks, so the trap here is confusing a precomputed table attack (time-memory trade-off) with a brute-force or dictionary attack that computes hashes in real time.

How to eliminate wrong answers

Option A is wrong because a dictionary attack with word mangling rules (e.g., using John the Ripper or Hashcat with rules) does not rely on precomputed tables; it generates candidate passwords on the fly and hashes them. Option B is wrong because RainbowCrack works offline against captured hashes, not by guessing passwords against a live service (that would be an online brute-force or password spraying attack). Option C is wrong because a brute-force attack tries all possible character combinations sequentially, which is computationally expensive and does not use the time-memory trade-off or precomputed hash chains that define RainbowCrack.

131
MCQmedium

A security analyst runs the following command: 'smbclient -L //192.168.1.50 -N'. What is the purpose of this command?

A.Connect to the remote host's SMB share with a null password
B.Perform a dictionary attack on SMB passwords
C.Enumerate users via SMB
D.List available SMB shares on the remote host anonymously
AnswerD

-L lists shares, -N indicates anonymous access.

Why this answer

Option D is correct. smbclient -L lists the shares on a remote SMB server, and -N uses a null session (no password), so the shares are listed anonymously.

132
MCQmedium

A security analyst runs `nbtstat -A 192.168.1.50` from a Windows command prompt and receives output showing a table with names like 'WORKGROUP<00>', 'PC01<20>', and 'USER<03>'. What is the MOST likely purpose of this command?

A.Perform a reverse DNS lookup
B.Display the NetBIOS name table of the remote host
C.Test connectivity to the remote host using ICMP
D.Enumerate DNS records for the domain
AnswerB

The -A option queries the remote host's NetBIOS name table by IP address.

Why this answer

The `nbtstat -A` command performs a NetBIOS name table lookup against a remote host using its IP address. The output shows NetBIOS names and their associated suffixes (e.g., <00> for Workstation service, <20> for File Server service, <03> for Messenger service), which are used for NetBIOS over TCP/IP (NBT) name resolution and service discovery. This is the correct purpose because the command specifically queries the remote host's NetBIOS name table, not DNS or ICMP.

Exam trap

The trap here is that candidates confuse `nbtstat -A` with DNS-related commands or ICMP-based tools, because they see an IP address in the command and assume it is performing a reverse lookup or connectivity test, rather than recognizing it as a NetBIOS-specific enumeration technique.

How to eliminate wrong answers

Option A is wrong because `nbtstat -A` does not perform a reverse DNS lookup; reverse DNS lookups are done with `nslookup` or `dig -x` and query PTR records in DNS, not NetBIOS names. Option C is wrong because testing connectivity using ICMP is the function of the `ping` command, not `nbtstat`, which operates at the NetBIOS session layer over TCP/UDP ports 137-139. Option D is wrong because enumerating DNS records for a domain is performed with tools like `nslookup`, `dig`, or `dnsrecon`, not with `nbtstat`, which only deals with NetBIOS names and their associated IP addresses on a local network segment.

133
Multi-Selectmedium

Which TWO of the following are effective countermeasures against SNMP enumeration attacks? (Select 2)

Select 2 answers
A.Restrict SNMP access to trusted IP addresses using ACLs
B.Disable SNMP on all devices
C.Change default community strings to strong, unique values
D.Enable SNMPv3 with default passwords
E.Use SNMPv1 with community string 'private'
AnswersA, C

ACLs limit which hosts can query SNMP agents.

Why this answer

Restricting SNMP access to trusted IP addresses using ACLs is effective because it limits the attack surface by allowing only authorized management stations to query SNMP agents. This prevents unauthorized hosts from performing SNMP enumeration, even if they know the community string or exploit default configurations.

Exam trap

The trap here is that candidates may think disabling SNMP is always the best countermeasure, but the CEH exam expects you to recognize that practical environments need SNMP for monitoring, so ACLs and strong community strings are the realistic, effective countermeasures.

134
Multi-Selectmedium

Which TWO of the following are valid enumeration techniques used to identify user accounts on a system? (Select 2)

Select 2 answers
A.Port scanning with nmap
B.DNS zone transfer
C.SMTP VRFY command
D.SNMPwalk of the entire MIB
E.SMB enumeration using enum4linux
AnswersC, E

VRFY checks whether a user mailbox exists on the SMTP server.

Why this answer

SMTP VRFY (verifies user existence) and SMB enumeration (via tools like enum4linux) can both reveal user accounts. SNMPwalk retrieves system information but not directly usernames; DNS and port scanning do not enumerate users.

135
MCQhard

A penetration tester finds that a Linux binary has the SUID bit set and is owned by root. Which of the following does this indicate?

A.The binary is immutable and cannot be deleted
B.The binary can be executed only by the root user
C.The binary is a symbolic link to a root-owned file
D.The binary will run with root privileges when executed by any user
AnswerD

SUID bit causes the program to run with the file owner's permissions.

Why this answer

When the SUID (Set User ID) bit is set on a binary owned by root, the binary executes with the effective user ID of the file owner (root), regardless of which user runs it. This allows any user to run the binary with root privileges, which is why option D is correct. The SUID bit is represented by an 's' in the owner's execute position (e.g., -rwsr-xr-x).

Exam trap

The trap here is that candidates often confuse the SUID bit with execution restrictions (option B) or file immutability (option A), but the SUID bit specifically grants privilege escalation, not access control or file protection.

How to eliminate wrong answers

Option A is wrong because the SUID bit does not make a file immutable; immutability is controlled by the 'chattr +i' command, which sets the immutable attribute (i flag) on a Linux filesystem. Option B is wrong because the SUID bit allows any user to execute the binary, not just root; execution restrictions are enforced by file permissions (e.g., 700 for owner-only execute). Option C is wrong because the SUID bit is a permission attribute on the binary itself, not a property of symbolic links; symbolic links inherit the permissions of the target file, but the SUID bit is set on the binary, not the link.

136
Multi-Selectmedium

Which TWO tools are commonly used for enumerating NFS exports on a target system? (Select 2 correct answers)

Select 2 answers
A.enum4linux
B.nmap (with script nfs-ls)
C.smbclient
D.showmount
E.ldapsearch
AnswersB, D

nmap's nfs-ls script can list NFS exports.

Why this answer

B is correct because nmap's nfs-ls script is specifically designed to enumerate NFS exports by querying the NFS service (port 2049) and listing the available shares. It works by sending MOUNT protocol requests to the target, which reveals the exported file systems and their access permissions, making it a standard tool for NFS enumeration in penetration testing.

Exam trap

The trap here is that candidates often confuse SMB enumeration tools (like enum4linux or smbclient) with NFS enumeration tools, because both involve file sharing, but they operate on entirely different protocols (SMB vs. NFS/RPC) and require distinct command sets.

137
MCQmedium

During a penetration test, you run `smtp-user-enum -M VRFY -U users.txt -t 10.0.0.10` and receive responses '252 2.5.2 User <username>' for some users and '550 5.1.1 User unknown' for others. What does this indicate?

A.The SMTP server is using EXPN instead of VRFY
B.The SMTP server is revealing valid usernames via the VRFY command
C.The SMTP server is vulnerable to command injection
D.The SMTP server is properly configured to prevent enumeration
AnswerB

The differing responses allow an attacker to identify valid users, which is a security issue.

Why this answer

The VRFY command in SMTP (RFC 821) asks the server to verify whether a mailbox exists. A response starting with '252' indicates the user is valid, while '550 5.1.1' means the user does not exist. By comparing these responses, the attacker can enumerate valid usernames on the mail server, which is exactly what the output shows.

Exam trap

EC-Council often tests the distinction between VRFY and EXPN, where candidates mistakenly think EXPN is being used when the output clearly shows VRFY responses, or they assume any non-250 response means the server is secure.

How to eliminate wrong answers

Option A is wrong because EXPN (expand) returns mailing list members, not individual user verification, and the tool explicitly used the VRFY command, not EXPN. Option C is wrong because command injection would require the server to execute arbitrary commands from the input, which is not indicated by standard VRFY responses. Option D is wrong because a properly configured server to prevent enumeration would either disable VRFY entirely or return a generic response (e.g., '252' for all users) to avoid revealing which users exist.

138
MCQeasy

A penetration tester obtains a hash dump from a compromised Windows system and wants to crack LM and NTLM hashes quickly using precomputed tables. Which tool would be most efficient for this task?

A.Hashcat
B.John the Ripper
C.Ophcrack
D.RainbowCrack
AnswerC

Ophcrack uses rainbow tables to crack LM/NTLM hashes efficiently.

Why this answer

Option C is correct. Ophcrack is specifically designed to crack LM and NTLM hashes using rainbow tables. John the Ripper and Hashcat are also capable crackers, but Ophcrack is optimized for Windows hashes and precomputed tables.

139
Multi-Selectmedium

A penetration tester is enumerating services on a target Windows server. Which TWO tools are specifically designed for SMB enumeration? (Select two.)

Select 2 answers
A.John the Ripper
B.SNMPwalk
C.Nmap
D.enum4linux
E.smbclient
AnswersD, E

Why this answer

enum4linux and smbclient are tools that interact with SMB/CIFS services to enumerate shares, users, and other information. John the Ripper is a password cracker, Nmap is a port scanner (can perform SMB enumeration via scripts but is not specifically designed for it), and SNMPwalk is for SNMP.

140
MCQmedium

A penetration tester is attempting to enumerate user accounts on a mail server. They connect to port 25 and issue the commands `VRFY root` and `EXPN support`. Which protocol is being targeted?

A.LDAP
B.SMTP
C.SMB
D.SNMP
AnswerB

VRFY and EXPN are SMTP commands used for user enumeration.

Why this answer

The commands VRFY and EXPN are SMTP (Simple Mail Transfer Protocol) commands defined in RFC 821 and RFC 5321. VRFY is used to verify whether a mailbox exists on the server, while EXPN expands a mailing list alias to reveal its members. Since the tester connected to port 25 (the default SMTP port) and issued these commands, SMTP is the protocol being targeted.

Exam trap

The trap here is that candidates may confuse SMTP commands with other protocol operations, such as associating VRFY with LDAP directory lookups or EXPN with SNMP expansion, because they focus on the word 'enumerate' rather than the specific port and command syntax.

How to eliminate wrong answers

Option A is wrong because LDAP (Lightweight Directory Access Protocol) uses port 389 or 636 for directory queries, not port 25, and its commands are based on LDAP operations like bind, search, and compare, not SMTP commands like VRFY or EXPN. Option C is wrong because SMB (Server Message Block) uses ports 139 and 445 for file and printer sharing, and its enumeration involves commands like net use or smbclient, not SMTP mail commands. Option D is wrong because SNMP (Simple Network Management Protocol) uses ports 161 and 162 for network device management via GET, SET, and TRAP operations, not SMTP commands on port 25.

141
MCQeasy

Which tool is specifically designed to crack Windows LAN Manager (LM) and NTLM hashes using rainbow tables?

A.John the Ripper
B.RainbowCrack
C.Hashcat
D.Ophcrack
AnswerD

Why this answer

Ophcrack is specifically designed to crack Windows LM and NTLM hashes using precomputed rainbow tables. It relies on the time-memory trade-off technique, where rainbow tables allow rapid reversal of hashes without brute-forcing each password individually. This makes it the correct choice for the scenario described.

Exam trap

The trap here is that candidates confuse 'rainbow table' tools with general hash crackers like Hashcat or John the Ripper, but the question specifically asks for a tool designed for Windows LM/NTLM hashes using rainbow tables, which is Ophcrack's unique niche.

How to eliminate wrong answers

Option A is wrong because John the Ripper is a general-purpose password cracker that supports many hash types and modes (dictionary, brute-force, incremental), but it does not natively use rainbow tables as its primary attack vector. Option B is wrong because RainbowCrack is a tool that generates and uses rainbow tables for hash cracking, but it is not specifically designed for Windows LM/NTLM hashes; it supports multiple hash algorithms (e.g., MD5, SHA1) and requires separate table generation. Option C is wrong because Hashcat is a high-speed GPU-accelerated password recovery tool that supports many hash modes (including NTLM), but it relies on dictionary, brute-force, or rule-based attacks, not precomputed rainbow tables.

142
Multi-Selectmedium

Which THREE of the following are common techniques used in the 'Cracking passwords' phase of system hacking? (Select 3)

Select 3 answers
A.Brute force attack
B.Rainbow table attack
C.Keylogging
D.Social engineering
E.Dictionary attack
AnswersA, B, E

Brute force tries all possible character combinations.

Why this answer

A brute force attack systematically tries every possible combination of characters until the correct password is found. This is a fundamental technique in the password cracking phase, often used when no prior knowledge of the password exists. It is computationally expensive but guaranteed to succeed given enough time.

Exam trap

The trap here is confusing password capturing techniques (like keylogging or social engineering) with password cracking techniques that operate on captured hashes or encrypted passwords.

143
MCQmedium

During a penetration test, you gain access to a Linux server as a low-privileged user. Which of the following is an effective technique to escalate privileges by exploiting misconfigured file permissions?

A.Pass-the-hash
B.Token impersonation
C.SUID/GUID abuse
D.Kerberoasting
AnswerC

SUID/GUID binaries can allow privilege escalation if misconfigured.

Why this answer

SUID (Set User ID) and GUID (Group ID) bits allow a binary to execute with the privileges of the file owner (often root) rather than the calling user. If a low-privileged user can run a binary with the SUID bit set that performs unsafe operations (e.g., spawning a shell, reading arbitrary files, or executing commands), they can leverage it to gain root-level access. This is a classic privilege escalation vector on Linux systems when file permissions are misconfigured.

Exam trap

The trap here is that candidates may confuse SUID/GUID abuse with Windows-specific techniques like token impersonation or pass-the-hash, because the CEH exam often intermixes cross-platform attack vectors to test your ability to match the technique to the correct operating system.

How to eliminate wrong answers

Option A is wrong because pass-the-hash is a Windows-based attack that reuses NTLM hashes to authenticate to remote systems; it does not apply to Linux file permission misconfigurations. Option B is wrong because token impersonation is a Windows privilege escalation technique that manipulates access tokens (e.g., SeImpersonatePrivilege) to assume another user's identity; it is not relevant to Linux SUID/GUID abuse. Option D is wrong because Kerberoasting is an Active Directory attack that requests Kerberos service tickets to crack service account passwords; it targets Windows domain environments, not local Linux file permissions.

144
Multi-Selectmedium

During a penetration test, an analyst detects that an SNMP agent on a network device is using the default community string 'public'. Which TWO actions can the analyst perform using this information? (Choose TWO.)

Select 2 answers
A.Enumerate user accounts and system details
B.Extract encrypted passwords from the device
C.Write new configuration to the device
D.Perform SNMPwalk to enumerate the MIB tree
E.Disable the SNMP agent remotely
AnswersA, D

MIB values often contain system information and user lists.

Why this answer

With 'public' (read-only) access, the analyst can read MIB values (SNMPwalk) and enumerate system information using tools like snmpcheck. Writing configuration is not possible with a read-only community string.

145
MCQhard

During a penetration test, the tester runs `ldapsearch -x -H ldap://192.168.1.20 -b 'dc=domain,dc=com' '(objectclass=*)'`. The output reveals user objects with 'userPassword' attributes in clear text. Which type of enumeration is being performed, and what is the security implication?

A.NFS enumeration; it indicates that NFS shares are world-readable
B.LDAP enumeration; it indicates that the LDAP server stores passwords in plaintext, posing a credential theft risk
C.SNMP enumeration; it indicates that the community string is weak
D.SMTP enumeration; it indicates that the mail server is misconfigured
AnswerB

The ldapsearch command identifies this as LDAP enumeration, and clear-text userPassword attributes mean credentials can be harvested directly.

Why this answer

The `ldapsearch` command is used to query an LDAP directory service. The option `-x` specifies simple authentication, and the filter `(objectclass=*)` retrieves all entries. The output revealing `userPassword` attributes in clear text indicates that the LDAP server is storing passwords in plaintext, which is a severe security risk because an attacker can directly harvest credentials for lateral movement or privilege escalation.

Exam trap

The trap here is that candidates may confuse the `ldapsearch` command with other enumeration tools (like `snmpwalk` or `smtp-user-enum`) and fail to recognize that the specific command and output directly indicate LDAP enumeration with plaintext password exposure.

How to eliminate wrong answers

Option A is wrong because NFS enumeration uses commands like `showmount -e` or `rpcinfo`, not `ldapsearch`, and the output would show exported shares, not user objects with passwords. Option C is wrong because SNMP enumeration uses tools like `snmpwalk` with community strings, and the output would contain OIDs and MIB values, not LDAP directory entries. Option D is wrong because SMTP enumeration uses commands like `VRFY` or `EXPN` to verify email addresses, and the output would be SMTP response codes, not LDAP attributes.

146
Multi-Selectmedium

Which TWO of the following are enumeration techniques used to gather information from Windows systems? (Select 2)

Select 2 answers
A.SMB enumeration using enum4linux
B.SMTP enumeration using VRFY
C.LDAP enumeration using ldapsearch
D.NFS enumeration using showmount
E.NetBIOS enumeration using nbtstat
AnswersA, E

SMB is primarily Windows file sharing.

Why this answer

NetBIOS enumeration (nbtstat) and SMB enumeration (enum4linux, smbclient) are both Windows-oriented. LDAP enumeration is for directory services, not exclusively Windows; SMTP is mail; NFS is Unix/Linux.

147
MCQhard

During a penetration test, you discover a Windows service running with SYSTEM privileges that has a weak file permission allowing the 'Everyone' group to modify its executable. Which privilege escalation technique is MOST directly applicable here?

A.Token impersonation
B.Weak service binary permissions
C.DLL hijacking
D.Unquoted service path
AnswerB

Modifiable service binary allows privilege escalation by replacing the executable.

Why this answer

Option B is correct because the scenario describes a Windows service executable with weak file permissions that allow the 'Everyone' group to modify it. This directly enables an attacker to replace the legitimate executable with a malicious one, which will then be executed with SYSTEM privileges when the service starts. This is the classic 'weak service binary permissions' privilege escalation vector, often exploited using tools like `icacls` or `accesschk` to identify the vulnerability.

Exam trap

EC-Council often tests the distinction between modifying the service binary itself (weak binary permissions) versus exploiting path parsing (unquoted service path) or dependency loading (DLL hijacking), so candidates must focus on the specific permission weakness described.

How to eliminate wrong answers

Option A is wrong because token impersonation typically requires an existing token (e.g., from a named pipe or RPC) to steal or duplicate, not a writable service binary. Option C is wrong because DLL hijacking involves placing a malicious DLL in a path where the service searches for missing DLLs, not modifying the service's primary executable. Option D is wrong because an unquoted service path exploits spaces in the service binary path to execute an unintended executable, not the modification of the existing binary itself.

148
MCQmedium

An attacker modifies system logs to remove entries related to their activities. Which technique is being used to cover tracks?

A.Token impersonation
B.Steganography
C.Log manipulation
D.Rootkit installation
AnswerC

Why this answer

Log manipulation is the act of altering or deleting log entries to hide evidence of an intrusion. This is part of the covering tracks phase.

149
MCQmedium

During a penetration test, you successfully execute a privilege escalation attack by abusing a service running with SYSTEM privileges on a Windows machine. Which of the following techniques is MOST likely being used?

A.Pass-the-hash
B.SUID abuse
C.Token impersonation
D.DLL hijacking
AnswerC

Token impersonation allows a process to assume the security context of another user, such as SYSTEM, enabling privilege escalation.

Why this answer

Token impersonation is the correct technique because it allows an attacker to steal or duplicate an access token from a process running with SYSTEM privileges. Once the attacker has a token with SYSTEM integrity level, they can use Windows API calls such as ImpersonateLoggedOnUser or DuplicateTokenEx to execute code in the security context of that token, effectively escalating privileges to SYSTEM.

Exam trap

EC-Council often tests the distinction between local privilege escalation techniques (token impersonation) and lateral movement or persistence techniques (pass-the-hash, DLL hijacking), so candidates mistakenly choose DLL hijacking because it is a common Windows attack, but it does not directly provide SYSTEM privileges without the target process already running as SYSTEM.

How to eliminate wrong answers

Option A is wrong because pass-the-hash is a lateral movement technique that reuses NTLM hashes to authenticate to remote systems, not a local privilege escalation method to gain SYSTEM from a lower-privileged process. Option B is wrong because SUID abuse is a Unix/Linux privilege escalation technique involving the setuid bit on executables; Windows does not have a SUID mechanism. Option D is wrong because DLL hijacking exploits the search order of DLLs to load a malicious DLL into a process, which can achieve code execution but does not inherently grant SYSTEM privileges unless the target process already runs as SYSTEM.

150
MCQmedium

A security engineer runs SNMPwalk on a network device and receives community strings as 'public' and 'private'. What is the PRIMARY concern?

A.The device is vulnerable to buffer overflow attacks
B.The device is infected with malware
C.The device may be exposing sensitive configuration information
D.The device is using outdated encryption protocols
AnswerC

Default community strings enable information leakage.

Why this answer

The SNMP community strings 'public' and 'private' are default read-only and read-write credentials defined in SNMPv1 and SNMPv2c. An attacker who can SNMPwalk the device with these strings can enumerate the entire MIB tree, including system configuration, routing tables, interface details, and user accounts. This directly exposes sensitive configuration information, making C the primary concern.

Exam trap

EC-Council often tests the distinction between 'default credentials' and 'exploitation vectors'—candidates mistakenly associate 'public/private' with encryption or malware, when the real risk is unauthorized information disclosure via SNMP enumeration.

How to eliminate wrong answers

Option A is wrong because SNMP community strings are authentication credentials, not a vector for buffer overflow attacks; buffer overflows exploit memory corruption in protocol parsing or application code, not weak default strings. Option B is wrong because the presence of default community strings indicates poor security configuration, not malware infection; malware would require evidence of malicious processes or network behavior. Option D is wrong because SNMPv1 and SNMPv2c do not use encryption at all—they transmit community strings in cleartext; the issue is lack of encryption, not outdated encryption protocols.
