CCNA Ceh Enum System Hacking Questions

39 of 189 questions · Page 3/3 · Ceh Enum System Hacking topic · Answers revealed

151
Multi-Select, hard

Which THREE of the following are components of the CHPSET system hacking methodology? (Select three.)

Select 3 answers
A.Sniffing network traffic
B.Hiding files
C.Cracking passwords
D.Scanning ports
E.Executing applications
Answers: B, C, E

H is for Hiding.

Why this answer

B is correct because hiding files is the H in CHPSET (Cracking passwords, Hiding files, Privilege escalation, Executing applications, Spying, Erasing tracks), the system hacking sequence used throughout this question set. Once the attacker has a foothold, malicious files, processes and evidence are concealed from administrators and security tools, typically through file-attribute manipulation, NTFS alternate data streams, rootkits or steganography. C (cracking passwords) and E (executing applications) are likewise named steps of the sequence.

Exam trap

EC-Council often tests the distinction between pre-exploitation phases (scanning, sniffing) and the actual system hacking methodology (CHPSET), so candidates mistakenly select 'Sniffing network traffic' or 'Scanning ports' because they associate them with hacking, but they are not part of the CHPSET steps.

152
Multi-Select, easy

Which TWO of the following are common techniques used to cover tracks after compromising a system? (Choose TWO.)

Select 2 answers
A.Running a vulnerability scanner
B.Enabling firewall rules
C.Installing a rootkit
D.Creating new user accounts
E.Clearing event logs
Answers: C, E

Rootkits hide attacker presence.

Why this answer

Clearing event logs removes evidence of attacker activity. Using rootkits hides malicious processes and files. Both are standard covering tracks techniques.

153
MCQ, medium

During an internal penetration test, an analyst uses `enum4linux -a 10.0.0.5` and retrieves a list of local users, including an account named 'sqlsvc'. The analyst then attempts to crack the password using a dictionary attack. Which password cracking tool would be most efficient for this task?

A.RainbowCrack
B.SNMPwalk
C.John the Ripper
D.Ophcrack
Answer: C

John the Ripper runs wordlist (dictionary) attacks, with optional mangling rules, against a wide range of hash formats, including Windows NTLM and NetNTLM hashes.

Why this answer

John the Ripper is the most efficient choice for a dictionary attack against password hashes. Note that enum4linux only returns the account name; the hash itself has to come from somewhere else (a SAM or NTDS dump, a captured NetNTLM challenge-response, or an online guessing attempt against SMB). Given such a hash, John supports many formats (for example `--format=NT` or `--format=netntlmv2`) and a custom wordlist via `--wordlist=`, making it the right tool for cracking the 'sqlsvc' account password in an internal penetration test.

Exam trap

EC-Council often tests the distinction between dictionary attacks and rainbow table attacks, leading candidates to choose RainbowCrack or Ophcrack when the question explicitly specifies a dictionary attack method.

How to eliminate wrong answers

Option A is wrong because RainbowCrack uses precomputed rainbow tables for time-memory trade-off attacks, not dictionary attacks; it is inefficient for targeted cracking of a single account without a matching table. Option B is wrong because SNMPwalk is a tool for querying SNMP-enabled devices to enumerate MIB values, not a password cracking tool. Option D is wrong because Ophcrack specializes in cracking Windows LM and NTLM hashes using rainbow tables, not general dictionary attacks, and requires specific table sets.

154
MCQ, medium

An incident responder finds that the Windows Event Logs on a compromised server have been cleared, and the Security log shows gaps in coverage. Additionally, a rootkit is suspected. Which phase of the hacking methodology does the clearing of logs represent?

A.Privilege escalation
B.Cracking passwords
C.Erasing tracks
D.Executing applications
Answer: C

Clearing logs is a classic covering tracks technique.

Why this answer

Clearing Windows Event Logs and creating gaps in the Security log is a classic post-exploitation step to remove forensic evidence of the attacker's actions. In the CEH hacking methodology, this falls under 'Erasing tracks' (also known as covering tracks), which is the final phase after maintaining access. The rootkit suspicion further supports this, as rootkits often include log-wiping or log-modification capabilities to hide their presence.

Exam trap

The trap here is that candidates confuse 'Erasing tracks' with 'Privilege escalation' because clearing logs often requires administrative privileges, but the phase is defined by the intent to hide evidence, not the permission level used.

How to eliminate wrong answers

Option A is wrong because privilege escalation is the phase where an attacker gains higher-level permissions (e.g., from user to administrator), not the act of removing logs. Option B is wrong because cracking passwords is a technique used during the 'Gaining Access' phase to obtain credentials, not a phase for hiding evidence. Option D is wrong because executing applications is a generic action that can occur in multiple phases (e.g., exploitation or maintaining access), but it does not specifically describe the act of clearing logs to avoid detection.

155
MCQ, medium

A penetration tester executes the command: snmpwalk -c public -v2c 192.168.1.50. Which of the following BEST describes the purpose of this command?

A.Modify SNMP settings on the remote device
B.Perform a brute-force attack on the SNMP community string
C.Test the SNMP agent for denial of service vulnerabilities
D.Enumerate the MIB tree of the SNMP agent using the 'public' community string
Answer: D

SNMPwalk walks the MIB tree, retrieving OID values. Using community string 'public' is a typical enumeration technique.

Why this answer

The `snmpwalk` command is used to retrieve a subtree of management information from an SNMP agent. By specifying `-c public` (the community string) and `-v2c` (SNMP version 2c), the command performs a GETNEXT request cycle to walk the entire MIB tree, enumerating all accessible OIDs and their values. Option D correctly identifies this as enumerating the MIB tree using the 'public' community string.

Exam trap

The trap here is that candidates may confuse `snmpwalk` with a modification or attack tool, but the CEH exam expects you to recognize it as a standard enumeration command that leverages the SNMP GETNEXT operation to walk the MIB tree.

How to eliminate wrong answers

Option A is wrong because `snmpwalk` is a read-only operation that retrieves data; it cannot modify SNMP settings on the remote device. Option B is wrong because `snmpwalk` does not perform brute-force attacks; tools like `onesixtyone` or `hydra` are used for brute-forcing community strings, and the command already provides the community string 'public'. Option C is wrong because `snmpwalk` is not a denial of service test; it is a standard enumeration technique, and DoS testing would involve flooding or malformed packets, not a normal GETNEXT walk.

156
MCQ, medium

A security engineer notices repeated log entries showing a user account logging in at odd hours and then clearing event logs. The engineer suspects credential theft. Which phase of the CHPSET methodology involves erasing tracks?

A.Erasing tracks
B.Hiding files
C.Spying
D.Cracking passwords
Answer: A

Why this answer

CHPSET stands for Cracking, Hiding, Privilege escalation, Executing applications, Spying, Erasing tracks. Erasing tracks is the last phase, where attackers remove evidence of their activity.

157
MCQ, easy

During a penetration test, you need to enumerate SMB shares on a Windows target. Which of the following tools is specifically designed for this purpose?

A.ldapsearch
B.nmap
C.enum4linux
D.snmpwalk
Answer: C

enum4linux is a Perl script that wraps SMB enumeration tools.

Why this answer

enum4linux is specifically designed to enumerate SMB shares and other information from Windows and Samba systems. It drives the SMB/CIFS and MS-RPC protocols through the Samba tools smbclient, rpcclient, net and nmblookup to extract share listings, user lists, password policy and OS details, making it the correct choice for SMB enumeration.

Exam trap

The trap here is that candidates may choose nmap because it can scan for SMB services, but the question asks for a tool specifically designed for enumerating SMB shares, not just detecting the service.

How to eliminate wrong answers

Option A is wrong because ldapsearch is a tool for querying LDAP directories, not for enumerating SMB shares. Option B is wrong because while nmap can scan for open SMB ports (e.g., 139, 445) and run some SMB scripts, it is a general-purpose port scanner, not a tool specifically designed for SMB share enumeration. Option D is wrong because snmpwalk is used to retrieve SNMP MIB data from network devices, not for SMB share enumeration.

158
MCQ, easy

A security analyst runs 'nbtstat -A 192.168.1.10' and receives a table showing the machine name and a list of names registered. Which service is being enumerated?
A.SNMP
B.LDAP
C.SMTP
D.NetBIOS
Answer: D

nbtstat is specifically for NetBIOS enumeration.

Why this answer

The 'nbtstat -A' command performs a NetBIOS name table lookup against a remote IP address using the NetBIOS over TCP/IP (NBT) protocol. It queries the target's NetBIOS name service (UDP port 137) and returns the registered names, including the machine name, workgroup/domain, and logged-in users. This directly enumerates the NetBIOS service, making D the correct answer.

Exam trap

The trap here is that candidates confuse the nbtstat command with other enumeration tools, mistakenly thinking it queries SNMP or LDAP because those services also reveal system information, but nbtstat is exclusively a NetBIOS enumeration command.

How to eliminate wrong answers

Option A is wrong because SNMP (Simple Network Management Protocol) uses UDP ports 161/162 and is enumerated with tools like snmpwalk or snmp-check, not the nbtstat command. Option B is wrong because LDAP (Lightweight Directory Access Protocol) operates on TCP port 389 and is enumerated via ldapsearch or similar directory queries, not through NetBIOS name resolution. Option C is wrong because SMTP (Simple Mail Transfer Protocol) runs on TCP port 25 and is enumerated with commands like VRFY or EXPN, or tools like smtp-user-enum, not via nbtstat.

159
MCQ, medium

In the context of system hacking methodology (CHPSET), which phase involves hiding malicious files from the operating system and security tools using techniques such as NTFS alternate data streams (ADS) or steganography?

A.Privilege escalation
B.Erasing tracks
C.Hiding files
D.Cracking passwords
Answer: C

Correct phase for hiding files.

Why this answer

CHPSET: Cracking, Hiding, Privilege escalation, Executing, Spying, Erasing tracks. Hiding files involves techniques like ADS or steganography to conceal malicious files.

160
MCQ, medium

A penetration tester gains access to a Linux server and attempts to escalate privileges. They run `sudo -l` and see that the user can run `/usr/bin/vim` as root without a password. Which privilege escalation technique should the tester use?

A.Perform token impersonation using SeImpersonatePrivilege
B.Use vim's shell escape via `:!bash` to get a root shell
C.Exploit a kernel vulnerability (CVE-2023-xxxx)
D.Abuse the SUID bit on vim
Answer: B

Vim can spawn a shell that runs with root privileges if launched via sudo.

Why this answer

If a user has sudo rights to run vim as root, they can escape to a shell by typing `:!bash` within vim, gaining a root shell. This is a known sudo privilege escalation vector.

161
MCQ, hard

During a penetration test, the tester runs `enum4linux -U 192.168.1.20` and obtains a list of usernames. What service is being enumerated, and what is the primary risk associated with this information disclosure?

A.NFS; it can lead to unauthorized file access
B.SNMP; it can reveal community strings
C.SMB; it can facilitate password spraying or brute‑force attacks
D.LDAP; it can expose directory structure
Answer: C

Why this answer

enum4linux enumerates SMB (Server Message Block) services on Windows and Samba hosts; `-U` retrieves the user list through RPC calls over SMB, often via a null session. A list of valid usernames lets an attacker run password spraying or brute-force attacks against SMB, and the account lockout policy (which enum4linux can also fetch with `-P`) decides how aggressively they can do so.

162
MCQ, easy

A security analyst wants to enumerate NetBIOS names on a Windows network. Which built-in Windows command-line tool should they use?

A.nslookup
B.netstat
C.nbtstat
D.net view
Answer: C

nbtstat is the correct command for NetBIOS name resolution and enumeration.

Why this answer

The nbtstat command is the correct built-in Windows tool for enumerating NetBIOS names because it directly queries and displays NetBIOS over TCP/IP (NetBT) statistics, name tables, and caches. NetBIOS name enumeration relies on the NBT protocol (RFC 1001/1002), and nbtstat -a or -A retrieves the remote machine's NetBIOS name table, which includes service types like file sharing, messaging, and workstation services.

Exam trap

The trap here is that candidates confuse 'net view' (which shows network shares) with NetBIOS name enumeration, but nbtstat is the specific tool for querying the NetBIOS name table and cache directly.

How to eliminate wrong answers

Option A (nslookup) is wrong because it is used for DNS queries (A, AAAA, MX, etc.) and has no capability to enumerate NetBIOS names, which live in a different service (NetBIOS name service on UDP 137, datagram service on UDP 138, session service on TCP 139). Option B (netstat) is wrong because it displays active TCP/UDP connections, listening ports, and routing tables, but it does not query or resolve NetBIOS names or name tables. Option D (net view) is wrong because while it lists shared resources on a network, it relies on the Server Message Block (SMB) protocol and does not directly enumerate the raw NetBIOS name table or cache; it is a higher-level command that uses NetBIOS indirectly but is not the tool for name enumeration.

163
MCQ, easy

A security analyst wants to enumerate all users from an SMTP server. Which of the following SMTP commands can be used for user enumeration?

A.DATA
B.MAIL FROM
C.HELO
D.VRFY
Answer: D

VRFY checks if a mailbox exists, allowing enumeration.

Why this answer

Option D is correct. The SMTP VRFY command asks the server to confirm that a mailbox exists, enabling user enumeration when the server has not disabled it.

164
MCQ, medium

An attacker uses a tool that sends crafted RCPT TO commands to an SMTP server to verify email addresses. Which SMTP enumeration technique is being used?

A.AUTH
B.RCPT TO
C.EXPN
D.VRFY
Answer: B

Correct. RCPT TO can be used for email address enumeration based on server responses.

Why this answer

The RCPT TO command is used in SMTP to specify the recipient of an email. By sending crafted RCPT TO commands to an SMTP server, an attacker can observe the server's response (e.g., '250 OK' for valid addresses vs. '550 No such user' for invalid ones) to enumerate valid email addresses. This technique directly exploits the SMTP protocol's recipient verification behavior.

Exam trap

The trap here is that candidates often confuse RCPT TO with VRFY, assuming VRFY is the primary enumeration command, but in practice, VRFY is frequently disabled, making RCPT TO the more reliable and commonly tested technique in CEH scenarios.

How to eliminate wrong answers

Option A is wrong because AUTH is an SMTP command used for authentication, not for verifying email addresses; it does not reveal whether a recipient exists. Option C is wrong because EXPN is used to expand mailing lists or aliases, returning all members of a list, not to verify individual email addresses. Option D is wrong because VRFY is used to verify if a user exists on the server, but it is often disabled or restricted for security reasons, whereas RCPT TO is more commonly available and effective for enumeration.

165
Multi-Select, easy

Which TWO tools can be used to enumerate SMB shares and users on a Windows target? (Choose two.)

Select 2 answers
A.smbclient
B.enum4linux
C.nslookup
D.snmpwalk
E.ldapsearch
Answers: A, B

smbclient -L lists available shares.

Why this answer

smbclient is a command-line SMB/CIFS client. `smbclient -L //target -N` lists the shares a null session can see, and `-U user%pass` supplies credentials for an authenticated listing or for connecting to a share; user enumeration itself is done over the IPC$ share with RPC calls (what rpcclient's `enumdomusers` does and what enum4linux automates). smbclient and enum4linux are therefore the two tools here that talk SMB directly.

Exam trap

The trap here is that candidates may confuse LDAP-based enumeration (ldapsearch) with SMB-based enumeration, or assume SNMP tools like snmpwalk can enumerate SMB shares, when in fact only tools that directly communicate over SMB/RPC (like smbclient and enum4linux) are appropriate for this task.

166
MCQ, hard

An attacker uses SMTP commands to verify the existence of email accounts on a mail server. Which sequence of SMTP commands is used for this purpose?

A.EHLO, AUTH, STARTTLS
B.HELO, MAIL FROM, RCPT TO, DATA
C.NOOP, QUIT, RSET
D.VRFY, EXPN, RCPT TO
Answer: D

VRFY and EXPN enumerate users and aliases; RCPT TO can also be used to verify recipients.

Why this answer

Option D is correct because the VRFY command asks the mail server to verify whether a given email address exists, EXPN expands a mailing list to reveal individual addresses, and RCPT TO (used in the SMTP transaction) can also be used to check address validity by observing the server's response. Together, these commands allow an attacker to enumerate valid email accounts on the server.

Exam trap

The trap here is that candidates often confuse the standard SMTP mail-sending sequence (HELO, MAIL FROM, RCPT TO, DATA) with the enumeration-specific commands, forgetting that VRFY and EXPN are explicitly designed for address verification.

How to eliminate wrong answers

Option A is wrong because EHLO, AUTH, and STARTTLS are used for SMTP session initiation, authentication, and encryption negotiation, not for verifying email account existence. Option B is wrong because HELO, MAIL FROM, RCPT TO, and DATA are the standard sequence for sending an email message; RCPT TO can be abused for enumeration on its own, but that sequence is the delivery flow, not the set of enumeration commands. Option C is wrong because NOOP is a no-operation command, QUIT ends the session, and RSET resets the session; none of these commands verify email account existence.
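The VRFY, EXPN and RCPT TO techniques from questions 163, 164 and 166, worked as a script. This is an added example, not code from the question bank: the fake MTA, its mailbox list and every host name are constructed so it runs offline, and it answers the way a typical hardened server does (VRFY and EXPN refused, RCPT TO still leaking 250 versus 550). The canary check is the caveat a practitioner needs: a catch-all server answers 250 to every recipient and makes the whole result set meaningless.

```python
"""SMTP account enumeration with VRFY, EXPN and RCPT TO (added example)."""
import re
import socket

# Constructed fake MTA: two mailboxes, VRFY/EXPN disabled (252/502) the way
# most hardened servers answer, but RCPT TO still leaks 250 vs 550.
VALID_USERS = {"alice", "sqlsvc"}


class FakeSmtp:
    def __init__(self):
        self.transcript = []  # (command, reply) pairs

    def send(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            reply = "250 mail.corp.example"
        elif verb == "VRFY":
            reply = "252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery"
        elif verb == "EXPN":
            reply = "502 5.5.1 EXPN not implemented"
        elif verb == "MAIL":
            reply = "250 2.1.0 Ok"
        elif verb == "RCPT":
            m = re.search(r"<([^@>]+)@", arg)
            user = m.group(1).lower() if m else ""
            reply = ("250 2.1.5 Ok" if user in VALID_USERS
                     else "550 5.1.1 <%s>: Recipient address rejected" % user)
        elif verb in ("RSET", "NOOP"):
            reply = "250 2.0.0 Ok"
        elif verb == "QUIT":
            reply = "221 2.0.0 Bye"
        else:
            reply = "500 5.5.1 Error: command not recognized"
        self.transcript.append((line, reply))
        return reply


def code(reply):
    """Numeric reply code; every line of a multi-line reply carries it."""
    return int(reply[:3])


def classify(reply_code):
    if reply_code in (250, 251):
        return "valid"
    if reply_code in (550, 551, 553):
        return "invalid"
    return "unknown"  # 252/500/502: command refused, nothing learned


def enumerate_users(send, candidates, domain, canary="zzz-no-such-user-8f3a"):
    """Return (method, status, {user: valid|invalid|unknown}).

    VRFY is tried first; if the server refuses it, fall back to RCPT TO inside
    a MAIL FROM transaction. The canary (a constructed name that should not
    exist) detects catch-all servers that accept every recipient.
    """
    send("EHLO probe.example")
    method = "VRFY"
    if classify(code(send("VRFY " + canary))) == "unknown":
        method = "RCPT TO"
        send("MAIL FROM:<probe@probe.example>")

    def ask(user):
        if method == "VRFY":
            return classify(code(send("VRFY " + user)))
        return classify(code(send("RCPT TO:<%s@%s>" % (user, domain))))

    if ask(canary) == "valid":
        send("QUIT")
        return method, "catch-all", {}
    results = {user: ask(user) for user in candidates}
    send("QUIT")
    return method, "ok", results


def socket_sender(host, port=25, timeout=5.0):
    """Real transport for a lab target: returns send(cmd) -> reply text."""
    sock = socket.create_connection((host, port), timeout=timeout)
    stream = sock.makefile("rb")

    def read_reply():
        lines = []
        while True:
            line = stream.readline().decode("utf-8", "replace").rstrip("\r\n")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":  # "250-" continues, "250 " ends
                return "\n".join(lines)

    read_reply()  # consume the banner

    def send(cmd):
        sock.sendall((cmd + "\r\n").encode())
        return read_reply()

    return send


if __name__ == "__main__":
    fake = FakeSmtp()
    print(enumerate_users(fake.send, ["alice", "bob", "sqlsvc"], "corp.example"))
```

Against a real target replace `fake.send` with `socket_sender("10.0.0.5")`; some MTAs cap recipients per transaction, so issue RSET and a fresh MAIL FROM every few dozen RCPT TO probes.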

167
Multi-Select, hard

Which THREE of the following are valid techniques for covering tracks after compromising a system? (Select 3 correct answers)

Select 3 answers
A.Clearing event logs using wevtutil
B.Exploiting SUID binaries to gain root
C.Installing a rootkit to hide malicious processes
D.Using timestomp to modify file timestamps
E.Disabling Windows Defender via Group Policy
Answers: A, C, D

Clearing logs removes evidence of activity.

Why this answer

A is correct because wevtutil is a Windows command-line utility used to manage event logs. After compromising a system, an attacker can use 'wevtutil cl' followed by a log name (e.g., 'wevtutil cl System') to clear specific event logs, thereby erasing evidence of their activities. This is a direct and common technique for covering tracks by removing forensic artifacts.

Exam trap

EC-Council often tests the distinction between privilege escalation (gaining higher access) and covering tracks (hiding evidence), causing candidates to mistakenly select SUID exploitation as a track-covering technique.

168
Multi-Select, easy

Which TWO of the following are enumeration techniques?

Select 2 answers
A.Buffer overflow
B.Cross-site scripting
C.LDAP enumeration
D.SQL injection
E.SMTP enumeration
Answers: C, E

LDAP enumeration queries directory services for information.

Why this answer

Options C and E are correct. LDAP enumeration and SMTP enumeration are both enumeration techniques used to gather information about users, systems, or services; buffer overflow, cross-site scripting and SQL injection are exploitation techniques.

169
MCQ, easy

Which of the following is the correct order of phases in the system hacking methodology known as CHPSET?

A.Spying, Erasing, Cracking, Hiding, Privilege escalation, Executing
B.Privilege escalation, Cracking, Hiding, Executing, Spying, Erasing
C.Executing, Cracking, Spying, Hiding, Privilege escalation, Erasing
D.Cracking, Hiding, Privilege escalation, Executing, Spying, Erasing
Answer: D

CHPSET order: Cracking, Hiding, Privilege escalation, Executing, Spying, Erasing.

Why this answer

The CHPSET methodology in system hacking stands for Cracking, Hiding, Privilege escalation, Executing, Spying, Erasing. Option D correctly lists these phases in order: Cracking (password cracking), Hiding (hiding files from the OS and security tools), Privilege escalation (gaining higher access), Executing (running malicious code), Spying (keyloggers and other monitoring), and Erasing (removing evidence, i.e. covering tracks). This is the sequence used throughout this question set; note that Hiding is about concealing files, while evidence removal is the separate final Erasing step.

Exam trap

The trap here is that candidates often swap Hiding and Privilege escalation, or equate Hiding with covering tracks. In CHPSET as tested, Hiding files is the second step, immediately after Cracking, and evidence removal is the separate final phase, Erasing tracks.

How to eliminate wrong answers

Option A is wrong because it starts with Spying and Erasing, which are the last two phases, and misplaces Cracking after Erasing; the correct order begins with Cracking. Option B is wrong because it opens with Privilege escalation and pushes Hiding after Cracking and Privilege escalation; Cracking comes first and Hiding files second. Option C is wrong because it starts with Executing and places Spying before Hiding and Privilege escalation; credentials must be cracked before anything is executed, and Spying follows Executing.

170
MCQ, medium

After compromising a system, an attacker wants to erase their tracks. They clear the Windows Event Logs using `wevtutil cl` commands. However, the logs are forwarded to a remote SIEM. Which covering tracks technique would be MOST effective to avoid detection?

A.Modify specific event log entries to remove evidence of their actions
B.Disable Windows Event Log service (EventLog)
C.Use a rootkit to hide files and processes
D.Encrypt the log files
Answer: A

Selective modification can remove incriminating entries while keeping normal logging, reducing suspicion.

Why this answer

If logs are forwarded to a remote SIEM, clearing the local logs does not remove the copies already forwarded, and the clearing itself generates Security event ID 1102 (and System event ID 104), which is forwarded too and is a high-confidence alert. Among the options, selectively modifying or deleting only the incriminating entries, rather than bulk clearing, is the one most likely to avoid that alert. Disabling the EventLog service, installing a rootkit, or encrypting the log files leaves the forwarded evidence untouched and in some cases creates new indicators of its own.
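The defender's side of questions 154, 167 and 170: a detector run over forwarded Windows event records that flags the log-clearing event IDs, the restart of the EventRecordID counter that follows a clear, a stopped logging service, and gaps in coverage. This is an added example, not code from the question bank. The records are constructed to mimic the fields a SIEM receives through Windows Event Forwarding; the event IDs themselves are the documented ones (1102 Security audit log cleared, 104 log file cleared, 1100 event logging service shut down).

```python
"""Detect cleared Windows event logs and coverage gaps (added example)."""
from datetime import datetime, timedelta

CLEAR_EVENTS = {("Security", 1102): "audit log cleared",
                ("System", 104): "log file cleared"}
SERVICE_SHUTDOWN = 1100

# Constructed sample: svc_backup logs on, the logging service stops for a
# while, then the Security and System logs are cleared and the record
# counters restart from 1.
SAMPLE_EVENTS = [
    {"log": "Security", "record_id": 50011, "event_id": 4624, "time": "2024-03-01T01:58:00", "user": "svc_backup"},
    {"log": "Security", "record_id": 50012, "event_id": 4672, "time": "2024-03-01T01:58:01", "user": "svc_backup"},
    {"log": "Security", "record_id": 50013, "event_id": 1100, "time": "2024-03-01T02:03:10", "user": "SYSTEM"},
    {"log": "Security", "record_id": 1, "event_id": 1102, "time": "2024-03-01T03:41:00", "user": "svc_backup"},
    {"log": "Security", "record_id": 2, "event_id": 4624, "time": "2024-03-01T03:41:05", "user": "svc_backup"},
    {"log": "System", "record_id": 1, "event_id": 104, "time": "2024-03-01T03:41:02", "user": "svc_backup"},
]


def analyze(events, max_gap=timedelta(minutes=30)):
    """Return a list of findings, one dict per suspicious condition."""
    findings = []
    by_log = {}
    for e in events:
        by_log.setdefault(e["log"], []).append(e)
    for log, evs in by_log.items():
        evs = sorted(evs, key=lambda e: datetime.fromisoformat(e["time"]))
        prev = None
        for e in evs:
            t = datetime.fromisoformat(e["time"])
            detail = CLEAR_EVENTS.get((log, e["event_id"]))
            if detail:
                # The clear is self-incriminating: the first record of the
                # fresh log names the account that issued it.
                findings.append({"kind": "log_cleared", "log": log, "time": e["time"],
                                 "user": e["user"], "detail": detail})
            if e["event_id"] == SERVICE_SHUTDOWN:
                findings.append({"kind": "service_shutdown", "log": log, "time": e["time"]})
            if prev is not None:
                if e["record_id"] < prev["record_id"]:
                    # EventRecordID only increases unless the log was cleared.
                    findings.append({"kind": "record_reset", "log": log, "time": e["time"],
                                     "from_record": prev["record_id"], "to_record": e["record_id"]})
                gap = t - datetime.fromisoformat(prev["time"])
                if gap > max_gap:
                    findings.append({"kind": "coverage_gap", "log": log, "from": prev["time"],
                                     "to": e["time"], "minutes": int(gap.total_seconds() // 60)})
            prev = e
    return findings


def summarize(findings):
    """Sorted set of finding kinds, handy for alert routing."""
    return sorted({f["kind"] for f in findings})


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Run it on the SIEM copy, not on the host: once the local log has been cleared the only reliable evidence is what was forwarded before, plus the 1102/104 record the clearing wrote. The 30-minute gap threshold is a constructed value; tune it to the host's normal event rate.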

171
Multi-Select, hard

Which THREE of the following are methods for covering tracks after compromising a system? (Select 3)

Select 3 answers
A.Installing a rootkit to hide files and processes
B.Escalating privileges to SYSTEM
C.Disabling antivirus software
D.Using steganography to hide stolen data in images
E.Clearing event logs
Answers: A, D, E

Rootkits help hide evidence.

Why this answer

Covering tracks includes log manipulation (clearing or modifying logs), using rootkits to hide processes/files, and steganography to hide malicious data. Disabling antivirus is more of an evasion technique during the attack, not specifically covering tracks. Privilege escalation is a different phase.

172
Multi-Select, easy

A penetration tester successfully gains access to a Linux server as a low-privilege user. The goal is to escalate to root. Which THREE methods could the tester use to achieve privilege escalation?

Select 3 answers
A.Enumerate SUID binaries with 'find / -perm -4000'
B.Exploit a vulnerable SUID binary to spawn a root shell
C.Use 'sudo -l' to list allowed commands and exploit misconfigurations
D.Check /etc/shadow for weak password hashes
E.Run a local kernel exploit that matches the kernel version
Answers: B, C, E

If a SUID binary has a vulnerability, it can be used to execute commands as root.

Why this answer

Options B, C, and E are correct. Exploiting a vulnerable SUID binary, abusing a sudo misconfiguration found with `sudo -l`, and running a local kernel exploit that matches the kernel version are the escalation methods. Option A is enumeration: it finds candidates but does not by itself escalate. Option D does not work from a low-privilege account, because /etc/shadow is readable only by root.
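The enumeration-then-escalation flow from questions 160 and 172, as an added example (not code from the question bank): a scanner equivalent to `find / -perm -4000 -o -perm -2000` and a parser for `sudo -l` output, both ranking hits against a small list of binaries with well-known shell escapes such as vim's `:!bash` and `find -exec`. SHELL_ESCAPES is a constructed subset of the kind of list GTFOBins maintains, SAMPLE_SUDO_L is constructed output, and demo_suid_scan() builds a throw-away directory so the scan runs without root.

```python
"""Linux privilege-escalation triage: SUID/SGID scan and sudo -l parsing (added example)."""
import os
import re
import stat
import tempfile

# Constructed subset of binaries that give a shell or arbitrary file access
# when run as root; extend from a maintained list on a real engagement.
SHELL_ESCAPES = {"bash", "sh", "dash", "vim", "vi", "nano", "less", "more",
                 "find", "awk", "env", "python3", "perl", "tar", "nmap"}

# Constructed `sudo -l` output for a low-privilege user.
SAMPLE_SUDO_L = """\
Matching Defaults entries for dev on web01:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/bin:/bin

User dev may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/systemctl restart nginx
    (www-data) NOPASSWD: ALL
"""

SUDO_RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")


def parse_sudo_l(text):
    """One dict per '(runas) [TAGS:] command' rule, flagging exploitable ones."""
    rules = []
    for line in text.splitlines():
        m = SUDO_RULE.match(line)
        if not m:
            continue
        cmd = m.group("cmd")
        binary = os.path.basename(cmd.split()[0])
        rules.append({
            "runas": m.group("runas").strip(),
            "nopasswd": "NOPASSWD" in m.group("tags"),
            "cmd": cmd,
            # ALL means any command; a known shell-escape binary is as good as ALL.
            "exploitable": cmd == "ALL" or binary in SHELL_ESCAPES,
        })
    return rules


def find_suid(root):
    """Regular files under root carrying the setuid or setgid bit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished, keep going like find 2>/dev/null
            if not stat.S_ISREG(st.st_mode):
                continue
            bits = st.st_mode & (stat.S_ISUID | stat.S_ISGID)
            if bits:
                hits.append({"path": path, "name": name,
                             "setuid": bool(bits & stat.S_ISUID),
                             "setgid": bool(bits & stat.S_ISGID),
                             "owner_uid": st.st_uid,
                             "exploitable": name in SHELL_ESCAPES})
    return sorted(hits, key=lambda h: h["path"])


def demo_suid_scan():
    """Constructed tree: a setuid copy named 'find' (shell via -exec), a setgid
    'helper', and a plain file; returns the scan result."""
    root = tempfile.mkdtemp(prefix="suidscan-")
    bindir = os.path.join(root, "usr", "local", "bin")
    os.makedirs(bindir)
    for name, mode in (("find", 0o4755), ("helper", 0o2755), ("notes.txt", 0o644)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return find_suid(root)


if __name__ == "__main__":
    for rule in parse_sudo_l(SAMPLE_SUDO_L):
        print(rule)
    for hit in demo_suid_scan():
        print(hit)
```

On a real host call `find_suid("/")` and feed it the real `sudo -l` text; anything flagged exploitable with `nopasswd` true is the `sudo vim` then `:!bash` case from question 160.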

173
MCQ, easy

A security analyst runs the command `nbtstat -A 192.168.1.105` on a Windows machine. What information is the analyst most likely trying to gather?

A.The NetBIOS name table and MAC address of the remote host
B.The LDAP directory structure of the domain
C.The SNMP community strings of the target
D.The SMB shares available on the remote host
Answer: A

nbtstat -A shows NetBIOS names, type, and MAC address for the given IP.

Why this answer

The `nbtstat -A` command performs a NetBIOS name table lookup against the specified IP address using the NetBIOS over TCP/IP (NBT) protocol. It returns the remote host's NetBIOS name table, which includes registered names and services, along with the MAC address of the network adapter. This is a standard enumeration technique to identify the hostname, logged-in user, and other NetBIOS-related information.

Exam trap

The trap here is that candidates confuse `nbtstat -A` with `net view` or `nbtstat -a`, mistakenly thinking it lists SMB shares or uses a hostname instead of an IP address, when in fact `-A` specifically targets a remote IP and returns the NetBIOS name table and MAC.

How to eliminate wrong answers

Option B is wrong because directory structure is queried with LDAP tools such as `ldapsearch` (a DNS SRV lookup with `nslookup` only locates LDAP servers, it does not read the directory), not with `nbtstat`. Option C is wrong because SNMP community strings are obtained via SNMP enumeration tools like `snmpwalk` or `snmpenum`, not through NetBIOS commands. Option D is wrong because SMB shares are enumerated using commands like `net view` or tools like `smbclient`, while `nbtstat` only reveals NetBIOS names and MAC addresses, not share listings.

174
Multi-Select, hard

Which TWO of the following are examples of hybrid password attacks? (Select 2 correct answers)

Select 2 answers
A.Using a wordlist to try every possible password in the list
B.Using a dictionary file and appending random numbers to each word
C.Using a set of rules with Hashcat to modify dictionary words (e.g., leet speak substitutions)
D.Generating all possible character combinations up to a certain length
E.Cracking passwords using precomputed rainbow tables
Answers: B, C

This combines dictionary with brute force (numbers) – a hybrid.

Why this answer

Option B is correct because a hybrid password attack combines a dictionary or wordlist with additional modifications, such as appending random numbers to each word. This approach leverages common password patterns where users often add digits to a base word to meet complexity requirements, making it more effective than a simple dictionary attack.

Exam trap

EC-Council often tests the distinction between hybrid attacks and other attack types, and the trap here is that candidates may confuse a dictionary attack (Option A) with a hybrid attack, or mistake brute-force (Option D) or rainbow tables (Option E) as hybrid methods, when in fact hybrid attacks specifically combine a dictionary with rule-based modifications or appendages.
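The three attack classes contrasted in this question, worked in code as an added example (not from the question bank). The target is a constructed SHA-256 of a chosen password standing in for a recovered hash, and the four-word wordlist is constructed too; with a real NTLM or sha512crypt hash only `hash_candidate()` would change. The point it makes: the plain dictionary misses 'Summer2024!', the hybrid generator (case and leet rules plus appended digits and symbols) finds it after a few hundred thousand guesses, and exhaustive brute force over printable ASCII at that length is not a realistic option.

```python
"""Dictionary vs hybrid vs brute-force candidate generation (added example)."""
import hashlib
import itertools

TARGET = hashlib.sha256(b"Summer2024!").hexdigest()      # constructed target hash
WORDLIST = ["password", "summer", "welcome", "sqlsvc"]  # constructed mini wordlist
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def hash_candidate(pw):
    """Swap this for the real hash routine (NTLM, sha512crypt, ...)."""
    return hashlib.sha256(pw.encode()).hexdigest()


def dictionary_attack(words):
    """Plain dictionary attack: each word exactly as listed."""
    for w in words:
        yield w


def hybrid_attack(words, max_digits=4, symbols=("", "!", "@", "#", "$")):
    """Hybrid attack: dictionary words mangled by rules (case, leet) and
    extended with brute-forced digit/symbol suffixes, the 'Summer2024!' shape."""
    for w in words:
        cased = [w.lower(), w.capitalize(), w.upper()]
        variants = cased + [c.translate(LEET) for c in cased]
        for base in variants:
            for sym in symbols:
                yield base + sym
            for n in range(1, max_digits + 1):
                for digits in itertools.product("0123456789", repeat=n):
                    for sym in symbols:
                        yield base + "".join(digits) + sym


def brute_force(charset, max_len):
    """Exhaustive search: every string over charset up to max_len."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            yield "".join(combo)


def keyspace_size(charset_len, length):
    """Number of candidates brute force must cover up to the given length."""
    return sum(charset_len ** n for n in range(1, length + 1))


def crack(target, candidates, limit=2_000_000):
    """Return (password or None, number of candidates tried)."""
    tried = 0
    for pw in candidates:
        tried += 1
        if hash_candidate(pw) == target:
            return pw, tried
        if tried >= limit:
            break
    return None, tried


if __name__ == "__main__":
    print("dictionary:", crack(TARGET, dictionary_attack(WORDLIST)))
    print("hybrid:    ", crack(TARGET, hybrid_attack(WORDLIST)))
    print("brute keyspace for 11 printable chars:", keyspace_size(95, 11))
```

Hashcat's `-a 6` (wordlist + mask) and `-r` rule files, and John's `--rules`, are the production versions of `hybrid_attack()`; the order of the suffix loops here decides how early a given pattern is reached, which is exactly what rule ordering tunes in those tools.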

175
MCQ, easy

Which SNMP community string is typically used for read-only access by default on many devices?
A.snmp
B.private
C.admin
D.public
Answer: D

'public' is the default read-only community string.

Why this answer

The de facto default read-only community string for SNMPv1 and SNMPv2c is 'public'. The community string acts as a password that lets an SNMP manager query the device's MIB objects for monitoring without making configuration changes. RFC 1157 defines the community mechanism itself; 'public' (read-only) and 'private' (read-write) are the vendor defaults most networking equipment has shipped with, which is why enumeration tools try them first.

Exam trap

The trap here is that candidates often confuse 'public' with 'private', mistakenly thinking 'private' is the read-only string, when in fact 'private' is the default read-write community string.

How to eliminate wrong answers

Option A is wrong because 'snmp' is not a standard default community string; it is occasionally used as a custom string but never as a default. Option B is wrong because 'private' is the default read-write community string, granting write access to modify device configurations, not read-only. Option C is wrong because 'admin' is a common administrative username, not an SNMP community string; SNMP community strings are separate from device login credentials.

176
MCQ, hard

After gaining initial access to a Linux server, a penetration tester wants to maintain persistence by creating a backdoor. The tester decides to replace a common system binary with a trojanized version. Which of the following techniques is MOST likely to evade detection by file integrity monitoring (FIM) systems?

A.Replace the binary with a modified version that has the same file size and timestamp
B.Place the backdoor in a directory that is excluded from FIM monitoring
C.Use steganography to hide the backdoor inside an image file
D.Use a kernel-level rootkit that intercepts read operations to present the original binary's content
Answer: D

A rootkit can hook system calls to return the original file content when FIM reads it, while the modified binary runs.

Why this answer

Rootkits at the kernel level can intercept system calls and hide file changes from FIM. DKOM rootkits modify kernel objects to hide processes and files, making detection difficult.

177
MCQ, medium

A security analyst runs the command: nbtstat -A 192.168.1.10. The output shows the table of names for the remote machine. Which of the following is the MOST likely purpose of this command?

A.To perform a DNS zone transfer
B.To enumerate SNMP community strings on the remote host
C.To enumerate NetBIOS names and services on the remote host
D.To enumerate SMB shares on the remote host
Answer: C

nbtstat -A queries the NetBIOS name table of a remote machine.

Why this answer

nbtstat -A (capital A takes an IP address; lowercase -a takes a NetBIOS name) sends a NBSTAT node status query to UDP port 137 and prints the remote name table: the computer name (unique <00> and <20> entries), its workgroup or domain (group <00> entry), browser and domain-controller roles (<1B>, <1C>, <1D>, <1E>), and, on older Windows versions where the Messenger service registered it, the logged-on user as a <03> entry.
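What `nbtstat -A` puts on the wire and how the table it prints is encoded, covering questions 158, 162, 173 and 177. This is an added example, not code from the question bank: it builds the 50-byte wildcard node status request (RFC 1002 first-level name encoding, record type NBSTAT 0x21), parses the response into the name/suffix/flags entries plus the adapter MAC, and reduces that to the fields an analyst reads off the nbtstat output. The sample response, the host WEB01, the domain CORP and the user JSMITH are constructed; `query_host()` is the real UDP transport for a lab target.

```python
"""NetBIOS node status (NBSTAT) query and response parsing (added example)."""
import socket
import struct

NBSTAT_TYPE, CLASS_IN = 0x0021, 0x0001
SUFFIX = {0x00: "workstation / workgroup", 0x03: "messenger (user or host)",
          0x1B: "domain master browser", 0x1C: "domain controllers",
          0x1D: "master browser", 0x1E: "browser elections", 0x20: "file server"}


def encode_name(name, suffix, pad=b" "):
    """First-level encoding: 16 bytes (15 name + suffix), each nibble + 'A'."""
    raw = name.upper().encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    return b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw)


def build_node_status_query(txid):
    """The 50-byte wildcard ('*', NUL padded) NBSTAT request nbtstat -A sends."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = b"\x20" + encode_name("*", 0x00, pad=b"\x00") + b"\x00"
    return header + question + struct.pack(">HH", NBSTAT_TYPE, CLASS_IN)


def build_node_status_response(txid, entries, mac):
    """Constructed response for offline use; entries = [(name, suffix, is_group)]."""
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)   # response, authoritative
    rr_name = b"\x20" + encode_name("*", 0x00, pad=b"\x00") + b"\x00"
    names = b"".join(
        name.encode("ascii").ljust(15, b" ") + bytes([suffix])
        + struct.pack(">H", (0x8000 if group else 0) | 0x0400)   # G bit | ACT bit
        for name, suffix, group in entries)
    stats = mac + bytes(40)                                      # 46-byte statistics block
    rdata = bytes([len(entries)]) + names + stats
    return header + rr_name + struct.pack(">HHIH", NBSTAT_TYPE, CLASS_IN, 0, len(rdata)) + rdata


def parse_node_status_response(data):
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if not flags & 0x8000 or ancount != 1:
        raise ValueError("not a node status response")
    off = 12
    off += 1 + data[off] + 1                                     # length, encoded name, terminator
    rtype, _cls, _ttl, _rdlen = struct.unpack(">HHIH", data[off:off + 10])
    off += 10
    if rtype != NBSTAT_TYPE:
        raise ValueError("unexpected RR type 0x%04x" % rtype)
    count = data[off]
    off += 1
    entries = []
    for _ in range(count):                                       # 18 bytes per name entry
        raw = data[off:off + 18]
        off += 18
        name = raw[:15].rstrip(b" \x00").decode("ascii", "replace")
        suffix, nflags = raw[15], struct.unpack(">H", raw[16:18])[0]
        entries.append({"name": name, "suffix": suffix, "group": bool(nflags & 0x8000),
                        "role": SUFFIX.get(suffix, "other")})
    mac = ":".join("%02x" % b for b in data[off:off + 6])       # statistics start with the MAC
    return {"txid": txid, "entries": entries, "mac": mac}


def summarize(parsed):
    """The fields an analyst reads off the nbtstat table."""
    ents = parsed["entries"]
    host = next((e["name"] for e in ents if e["suffix"] == 0x00 and not e["group"]), None)
    domain = next((e["name"] for e in ents if e["suffix"] == 0x00 and e["group"]), None)
    users = [e["name"] for e in ents if e["suffix"] == 0x03 and not e["group"] and e["name"] != host]
    roles = sorted({e["role"] for e in ents if e["suffix"] not in (0x00, 0x03)})
    return {"host": host, "domain": domain, "users": users, "roles": roles, "mac": parsed["mac"]}


def query_host(ip, timeout=2.0):
    """Real transport: send the query to UDP/137 and summarize the answer."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_node_status_query(0x1234), (ip, 137))
    data, _ = sock.recvfrom(1024)
    return summarize(parse_node_status_response(data))


# Constructed sample: file server WEB01 in domain CORP with JSMITH's messenger name.
SAMPLE_ENTRIES = [("WEB01", 0x00, False), ("WEB01", 0x20, False), ("CORP", 0x00, True),
                  ("JSMITH", 0x03, False), ("WEB01", 0x03, False)]
SAMPLE_MAC = bytes.fromhex("000c29abcdef")

if __name__ == "__main__":
    print(summarize(parse_node_status_response(
        build_node_status_response(0x1234, SAMPLE_ENTRIES, SAMPLE_MAC))))
```

The parser trusts the count byte, so on a real target bound it by the received length before looping; the header check on the response bit and answer count is the minimum sanity filter for an unauthenticated UDP service.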

178
MCQ, medium

A security analyst reviews the following command output from a Linux system: `uid=0(root) gid=0(root) groups=0(root)`. The analyst suspects a privilege escalation attack. Which of the following techniques could have been used to achieve root access from a standard user account?

A.Token impersonation
B.Pass-the-hash attack
C.LLMNR/NBT-NS poisoning
D.SUID/GUID abuse
Answer: D

Exploiting a SUID binary can elevate privileges to root.

Why this answer

The command output shows the current user has UID 0, which is the root user. On Linux, the SUID (Set User ID) and SGID (Set Group ID) bits (the option mislabels SGID as 'GUID') make an executable run with the permissions of its owner or group (e.g., root). A standard user can abuse a misconfigured SUID binary, such as a custom helper binary or a stock utility like `find` or `vim` that should never carry the bit, to execute commands with root privileges. Note that the kernel ignores SUID on interpreted scripts, so the target has to be a compiled binary.

This is a classic Linux privilege escalation technique directly tied to the UID/GID output shown.

Exam trap

The trap here is that candidates confuse Windows-specific attacks (token impersonation, pass-the-hash, LLMNR poisoning) with Linux privilege escalation, failing to recognize that the `uid=0` output is a direct indicator of root access achieved via SUID/GUID abuse.

How to eliminate wrong answers

Option A is wrong because token impersonation is a Windows-specific attack that involves duplicating access tokens (e.g., via SeImpersonatePrivilege) and does not apply to Linux systems. Option B is wrong because pass-the-hash is a Windows network authentication attack that reuses NTLM hashes to authenticate without knowing the plaintext password; it is not relevant to Linux local privilege escalation. Option C is wrong because LLMNR/NBT-NS poisoning is a Windows network protocol attack used to intercept authentication requests on a local network, not a technique to escalate privileges on a local Linux system.

179
MCQ, easy

Which of the following is a primary purpose of the enumeration phase in a penetration test?

A.To gather in-depth information about the target system and its resources
B.To exploit identified vulnerabilities and gain access
C.To perform a vulnerability scan on the target network
D.To delete logs and cover tracks after a successful compromise
AnswerA

Enumeration focuses on extracting information like usernames, shares, services, and other details that can be used for exploitation.

Why this answer

Enumeration is the process of extracting detailed information about a target, such as user accounts, network shares, and services, which is used to identify potential attack vectors.

180
MCQ · medium

A penetration tester is performing SNMP enumeration against a network device and wants to retrieve the entire Management Information Base (MIB) tree. Which command should they use?

A.snmpwalk -v 2c -c public 192.168.1.1 .1
B.snmpset -v 2c -c private 192.168.1.1 1.3.6.1.2.1.1.0 s 'test'
C.snmpbulkwalk -v 2c -c public 192.168.1.1 .1
D.snmpget -v 2c -c public 192.168.1.1 1.3.6.1.2.1.1
AnswerA

snmpwalk with .1 as the starting OID will walk the entire MIB tree, retrieving all values.

Why this answer

Option A is correct because `snmpwalk` is specifically designed to retrieve a subtree of MIB objects by performing a series of GETNEXT requests starting from a given OID. Using `.1` as the root OID (which corresponds to the entire ISO tree) with the SNMPv2c community string 'public' will enumerate all accessible OIDs in the MIB tree, effectively dumping the entire Management Information Base.

Exam trap

The trap here is that candidates often confuse `snmpbulkwalk` as the correct answer because it is faster for large MIBs, but the CEH exam expects `snmpwalk` as the standard enumeration tool, and `snmpbulkwalk` may not be supported by all SNMP agents.

How to eliminate wrong answers

Option B is wrong because `snmpset` is used to modify SNMP objects, not to retrieve them; it requires write access (community 'private') and would fail to enumerate the MIB tree. Option C is wrong because `snmpbulkwalk` is optimized for bulk retrieval but is not the standard command for a full MIB tree walk; it uses GETBULK requests which may be blocked or behave differently on some devices, and the question asks for the command to use, not the most efficient one. Option D is wrong because `snmpget` retrieves only a single OID value (1.3.6.1.2.1.1) and does not walk the tree; it would return only the system description or a single scalar object, not the entire MIB.

181
MCQ · medium

During a security assessment, an analyst runs 'enum4linux -a 10.0.0.5' and obtains a list of users, shares, and OS information. What protocol is enum4linux primarily using to gather this information?

A.NetBIOS
B.SNMP
C.LDAP
D.SMB/CIFS
AnswerD

enum4linux leverages the SMB/CIFS protocol to query Windows shares, users, and OS details.

Why this answer

enum4linux is a wrapper around tools from the Samba suite, primarily using the SMB/CIFS protocol to query Windows systems for information such as user lists, shares, and OS details. It leverages SMB's remote IPC mechanisms (e.g., via \pipe\lsarpc or \pipe\samr) to enumerate these data points, making D the correct answer.

Exam trap

The trap here is that candidates confuse the underlying protocol (SMB/CIFS) with the transport or name-resolution layer (NetBIOS), leading them to select Option A because enum4linux historically used NetBIOS name lookups, but the core enumeration protocol is SMB/CIFS.

How to eliminate wrong answers

Option A is wrong because NetBIOS is a session-layer protocol used for name resolution and service discovery, but enum4linux relies on SMB/CIFS over TCP/445 (or NetBIOS over TCP/139) to perform its enumeration; the tool itself is not primarily a NetBIOS scanner. Option B is wrong because SNMP (Simple Network Management Protocol) uses UDP ports 161/162 and is designed for managing network devices, not for enumerating Windows user accounts or shares via SMB. Option C is wrong because LDAP (Lightweight Directory Access Protocol) operates on TCP/389 and is used for querying directory services like Active Directory, but enum4linux does not use LDAP by default; it uses SMB RPC calls to extract information.

182
MCQ · medium

During a penetration test, an analyst runs the command 'snmpwalk -v2c -c public 192.168.1.10' and receives a large amount of output. Which protocol and community string are being used?

A.SNMPv1 with community string public
B.SNMPv1 with community string private
C.SNMPv2c with community string public
D.SNMPv3 with user public
AnswerC

The flags -v2c and -c public correctly identify SNMP version 2c and community string public.

Why this answer

The command 'snmpwalk -v2c -c public 192.168.1.10' explicitly specifies SNMP version 2c with the '-v2c' flag and the community string 'public' with the '-c' flag. SNMPv2c is the most common version for read-only queries, and 'public' is the default read-only community string. The large output indicates successful enumeration of the MIB tree, confirming the community string is correct.

Exam trap

The trap here is that candidates often confuse the '-v2c' flag with SNMPv1 or assume 'public' is always read-only, but the question tests the direct mapping of command-line arguments to protocol version and community string.

How to eliminate wrong answers

Option A is wrong because the command uses '-v2c', not '-v1', so SNMPv1 is not being used. Option B is wrong because it incorrectly specifies SNMPv1 and the community string 'private', which is typically used for read-write access, not the 'public' string shown in the command. Option D is wrong because SNMPv3 does not use community strings; it uses usernames and authentication/encryption parameters, and the command does not include any SNMPv3-specific flags like '-u' or '-l'.

183
Multi-Select · medium

Which TWO of the following tools are capable of cracking password hashes offline? (Select 2)

Select 2 answers
A.Hashcat
B.Hydra
C.John the Ripper
D.Nmap
E.Wireshark
AnswersA, C

Hashcat is a powerful offline password cracker supporting GPU acceleration.

Why this answer

John the Ripper and Hashcat are both offline password crackers. Hydra is for online attacks. Wireshark is a packet analyzer. Nmap is a network scanner.

184
MCQ · easy

Which of the following tools is specifically used to enumerate SMB shares and retrieve file listings from Windows systems?

A.ldapsearch
B.snmpwalk
C.smbclient
D.nmap
AnswerC

smbclient -L lists shares and can connect to them to browse files.

Why this answer

smbclient is a tool from the Samba suite specifically designed to interact with SMB/CIFS shares. It allows an attacker to enumerate available shares on a Windows target and retrieve file listings by connecting to the SMB service (port 445 or 139) using commands like 'smbclient -L //target' or by mounting a share and listing its contents.

Exam trap

The trap here is that candidates often confuse nmap's ability to detect SMB services with the actual enumeration of shares and file listings, but nmap requires specific NSE scripts and does not provide the direct interactive file listing capability that smbclient offers.

How to eliminate wrong answers

Option A is wrong because ldapsearch is a tool for querying LDAP directory services (port 389/636), not for enumerating SMB shares or retrieving file listings from Windows systems. Option B is wrong because snmpwalk is used to retrieve SNMP MIB data (port 161/162) from network devices, not to interact with SMB shares. Option D is wrong because nmap is a port scanner and network mapper that can detect open SMB ports but cannot natively enumerate SMB shares or retrieve file listings without additional scripts (e.g., smb-enum-shares), and even then it is not the dedicated tool for direct file listing.

185
MCQ · easy

Which password cracking method uses a precomputed table of hash chains to reverse password hashes quickly?

A.Hybrid attack
B.Rainbow table attack
C.Dictionary attack
D.Brute-force attack
AnswerB

Rainbow tables are precomputed.

Why this answer

Rainbow tables are precomputed tables of hash chains that allow fast lookup to reverse a hash into a plaintext password.

186
MCQ · medium

Which phase of the system hacking methodology (CHPSET) involves hiding files from the operating system using techniques such as rootkits or steganography?

A.Cracking passwords
B.Erasing tracks
C.Executing applications
D.Hiding files
AnswerD

Hiding files involves concealing malicious files.

Why this answer

The 'Hiding files' phase of the CHPSET (Cracking passwords, Hacking, Privilege escalation, Spying, Erasing tracks, Executing applications, Hiding files) methodology involves concealing malicious files from the operating system and security tools. Techniques such as rootkits (which hook system calls like NtQueryDirectoryFile to hide files from directory listings) and steganography (embedding data within innocent files like images or audio) are used to avoid detection. This phase directly follows 'Executing applications' and ensures the attacker's payload remains persistent and covert.

Exam trap

The trap here is that candidates confuse 'Erasing tracks' (clearing logs) with 'Hiding files' (concealing the files themselves), but the CEH CHPSET model separates these as distinct phases—'Hiding files' specifically refers to techniques like rootkits and steganography that hide the file from the OS, not just removing evidence of its execution.

How to eliminate wrong answers

Option A is wrong because 'Cracking passwords' is the initial phase of CHPSET, focused on gaining access through password attacks (e.g., brute force, rainbow tables), not hiding files. Option B is wrong because 'Erasing tracks' involves clearing logs (e.g., clearing Event Logs or using tools like `wevtutil`) to cover the attacker's footprint, not hiding files from the OS. Option C is wrong because 'Executing applications' refers to running the malicious payload (e.g., backdoor or keylogger) after privilege escalation, not the act of concealing files.

187
MCQ · easy

Which tool is specifically designed to crack Windows LM and NTLM hashes using precomputed tables?

A.Ophcrack
B.John the Ripper
C.Cain & Abel
D.Hashcat
AnswerA

Ophcrack specializes in cracking Windows hashes using rainbow tables.

Why this answer

Ophcrack is a free password cracker that uses rainbow tables to crack Windows hashes.

188
MCQ · medium

A penetration tester wants to enumerate users and groups from a Windows domain controller via LDAP without logging in. Which of the following tools is MOST appropriate for anonymous LDAP enumeration?

A.smbclient
B.ldapsearch
C.snmpwalk
D.enum4linux
AnswerB

ldapsearch can perform anonymous or authenticated LDAP queries to enumerate directory objects.

Why this answer

LDAP enumeration can be performed anonymously if the server allows. Tools like `ldapsearch` or `adfind` can query LDAP. Among the options, `ldapsearch` is the standard tool.

189
Multi-Select · easy

Which TWO of the following are common methods used to hide files on a compromised system? (Select two.)

Select 2 answers
A.Rootkits
B.Token impersonation
C.NTFS Alternate Data Streams
D.Log manipulation
E.Steganography
AnswersC, E

Why this answer

NTFS Alternate Data Streams (ADS) can hide data within files, and steganography embeds data inside other files (e.g., images). Rootkits hide processes and files, not just files. Token impersonation is privilege escalation.

Log manipulation covers tracks but does not hide files.
