CCNA Vuln Analysis Hacking Questions

19 questions · Vuln Analysis Hacking topic · All types, answers revealed

1
MCQ · hard

Refer to the exhibit. An attacker wants to exploit a known vulnerability. Which service is most likely vulnerable to CVE-2019-0215?

A.OpenSSH 7.2p2
B.Linux kernel
C.Squid http proxy 3.5.12
D.Apache httpd 2.4.18
Answer: D

CVE-2019-0215 is an Apache httpd (mod_ssl) vulnerability, so Apache httpd is the service it targets.

Why this answer

CVE-2019-0215 is a bug in Apache HTTP Server's mod_ssl that let a client bypass per-location client-certificate access controls when TLSv1.3 was in use. Of the four exhibited services, only Apache httpd is affected by it. One caveat a practitioner should check before reporting: the affected releases are 2.4.37 and 2.4.38, and the exhibited 2.4.18 predates them, so a scanner that flags this CVE on 2.4.18 from the banner alone is a false positive. The question asks which service the CVE belongs to, not whether the exhibited build is exploitable.

2
MCQ · hard

Refer to the exhibit. An analyst runs netstat on a Windows server and observes multiple established connections to port 3389 from internal IPs. Which attack is most likely occurring?

A.SMB relay attack
B.DDoS attack
C.RDP brute-force attack
D.Man-in-the-middle attack
Answer: C

Multiple established connections to RDP port 3389 from different internal hosts are the pattern that brute-force and password-spraying tools leave behind.

Why this answer

Many RDP sessions from different internal IPs at once, on a server that would normally see a handful of administrative logons, points to a brute-force or password-spraying attack against RDP, possibly launched from hosts that have already been compromised. One caveat a responder should keep in mind: netstat's ESTABLISHED state only shows that the TCP handshake completed, not that a logon succeeded. Confirm by correlating with Security log events 4625 (failed logon) and 4624 with logon type 10 (successful RDP logon) from the same source addresses.
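Added example (Python, not from the original page): a small parser for Windows netstat -an output that counts ESTABLISHED sessions to TCP/3389 per remote host and flags the pattern described above. The netstat lines, the addresses and the threshold of three distinct sources are constructed assumptions.

```python
"""Count ESTABLISHED RDP (TCP/3389) sessions per remote host in `netstat -an` output.

Added example, not from the original page. The netstat text below is constructed
for illustration; the IP addresses and the 3-source threshold are assumptions.
"""
import re
from collections import Counter

# Constructed sample of Windows `netstat -an` output (not real capture data).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.0.5.20:3389         10.0.5.101:51322       ESTABLISHED
  TCP    10.0.5.20:3389         10.0.5.102:49810       ESTABLISHED
  TCP    10.0.5.20:3389         10.0.5.103:50011       ESTABLISHED
  TCP    10.0.5.20:3389         10.0.5.103:50014       ESTABLISHED
  TCP    10.0.5.20:3389         10.0.5.101:51340       TIME_WAIT
  TCP    10.0.5.20:445          10.0.5.50:50020        ESTABLISHED
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
"""

# One netstat row: proto, local addr:port, foreign addr:port, state.
_ROW = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<faddr>\S+):(?P<fport>\d+)\s+(?P<state>\S+)"
)


def established_by_source(netstat_text: str, local_port: int = 3389) -> Counter:
    """Return {remote_ip: number of ESTABLISHED TCP sessions} to local_port."""
    hits: Counter = Counter()
    for line in netstat_text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        if int(m["lport"]) == local_port and m["state"] == "ESTABLISHED":
            hits[m["faddr"]] += 1
    return hits


def assess_rdp(netstat_text: str, distinct_threshold: int = 3) -> dict:
    """Flag when at least `distinct_threshold` distinct hosts hold RDP sessions.

    A TCP ESTABLISHED state only proves the handshake completed; whether each
    session authenticated must come from Security log events 4624 (logon
    type 10) and 4625, so the verdict is 'suspicious', not 'compromised'.
    """
    by_src = established_by_source(netstat_text)
    return {
        "sources": dict(by_src),
        "distinct_sources": len(by_src),
        "suspicious": len(by_src) >= distinct_threshold,
    }


if __name__ == "__main__":
    print(assess_rdp(SAMPLE_NETSTAT))
```

Feed it the output of netstat -an captured from the server. As the docstring notes, treat the verdict as a lead to confirm against Security log events 4624/4625, since netstat cannot distinguish a successful logon from a failed one.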

3
MCQ · medium

Based on the exhibit, which service should be targeted first to gain initial access with the highest chance of success?

A.HTTP (80) - exploit Apache vulnerability
B.SSH (22) - brute force user credentials
C.Proxy (8080) - exploit Squid vulnerability
D.MySQL (3306) - exploit CVE-2016-6662
Answer: D

The option names a specific, publicly exploited CVE rather than a generic attack class, which is why the exam treats it as the highest-probability vector.

Why this answer

MySQL (3306) is the intended target because option D is the only one tied to a concrete, named vulnerability. CVE-2016-6662 lets an attacker who can write a my.cnf file that mysqld_safe reads (for example with the FILE privilege, or through an SQL injection that reaches SELECT ... INTO OUTFILE/DUMPFILE) inject a malloc_lib directive pointing at an attacker-supplied shared library; when the service is restarted, mysqld_safe loads that library as root. Two caveats a practitioner should keep in mind: the bug requires an authenticated MySQL session or an injection point, not merely an open port, and the payload fires only when mysqld_safe restarts. The exam's framing is that a known CVE with a public exploit beats guessing at Apache, Squid or SSH credentials.

Exam trap

EC-Council often tests the misconception that HTTP or SSH are always the easiest initial footholds; here the MySQL CVE-2016-6662 exploit is a documented vector that needs no brute-forcing or version guessing, which the exam treats as the most reliable choice for initial access.

How to eliminate wrong answers

Option A is wrong because "exploit an Apache vulnerability" names no CVE; without a known unpatched flaw in the exhibited version it is a guess. Option B is wrong because brute-forcing SSH credentials is noisy, slow and often blocked by rate limiting or fail2ban, so it is unreliable unless weak credentials are already known. Option C is wrong because Squid exploits are uncommon and mostly target misconfigurations such as an open proxy rather than giving a shell.

4
MCQ · medium

Refer to the exhibit. A penetration tester runs hashcat to crack NTLM hashes. Which hash mode (-m) would be correct for NTLM?

A.1100
B.1000
C.3000
D.5500
Answer: B

Mode 1000 is NTLM.

Why this answer

hashcat mode 1000 is NTLM (unsalted MD4 over the UTF-16LE password). The exhibit shows -m 1000, which is correct. The distractors are neighbouring Windows modes: 1100 is Domain Cached Credentials (MS Cache), 3000 is LM, and 5500 is NetNTLMv1, a captured challenge-response, all of which expect a different input format and would reject a SAM-style NTLM hash.

5
Multi-Select · hard

Which TWO of the following are valid techniques for password cracking?

Select 2 answers
A.Brute-force attack
B.Phishing
C.Man-in-the-middle attack
D.Rainbow table attack
E.Keylogging
Answers: A, D

Brute force tries candidate passwords until one matches; rainbow tables precompute hash chains so a lookup replaces the computation.

Why this answer

A brute-force attack systematically tries every combination of characters until the hash matches. It is computationally expensive but will eventually succeed given enough time, which is why it is the baseline method in password auditing. A rainbow table attack trades that time for storage: hash chains are precomputed once and reused to reverse unsalted hashes such as LM or NTLM. Note that rainbow tables are defeated by a per-user salt, which is why modern crypt schemes include one.

Exam trap

The trap here is that candidates often confuse credential theft methods (phishing, keylogging, MITM), which capture the plaintext or the session, with password cracking techniques, which derive the plaintext from a hash.

6
MCQ · medium

An ethical hacker is assessing a Linux web server running Apache. The server is suspected to have a remote file inclusion (RFI) vulnerability. Which testing approach is most appropriate to confirm the vulnerability without causing damage?

A.Craft a request with a local file inclusion parameter pointing to /etc/passwd
B.Use SQLMap to test for SQL injection
C.Scan the server with Nikto to detect known RFI signatures
D.Attempt to include a remote URL containing a web shell
Answer: A

Reading a local file through the include parameter confirms the inclusion flaw without writing anything to the server.

Why this answer

Option A is correct because it proves the server passes user-supplied input to its include logic, and it does so by reading a world-readable system file rather than by writing or executing anything. Two precision points a tester should keep in mind when writing the report: returning /etc/passwd demonstrates local file inclusion (LFI); remote file inclusion additionally requires that the runtime resolves URLs in include paths (on PHP, allow_url_include=On, which is off by default). If RFI specifically must be shown, point the parameter at a tester-controlled host serving a harmless text file, not a web shell.

Exam trap

The trap here is that candidates may confuse RFI with LFI or assume that including a web shell is an acceptable proof, but the CEH exam emphasizes non-destructive testing and ethical boundaries, making the local file inclusion test the correct first step.

How to eliminate wrong answers

Option B is wrong because SQLMap tests for SQL injection, not file inclusion; it would not confirm an RFI vulnerability and can modify database state. Option C is wrong because Nikto is a signature scanner: it can flag likely RFI parameters but produces false positives and misses custom vectors, so it is a lead, not a confirmation. Option D is wrong because including a remote web shell actively exploits the flaw and plants attacker code on the server, which violates the non-destructive testing principle regardless of the authorization in place.

7
Matching · medium

Match each type of attack to its description.


Concepts and their matches

Phishing: social engineering via deceptive emails

Man-in-the-middle attack: intercepting communication between two parties

SQL injection: inserting malicious SQL queries into input fields

Denial of service (DoS): overwhelming a system to make it unavailable

ARP spoofing (ARP poisoning): associating the attacker's MAC with the victim's IP

Why these pairings

These pairings are covered in the CEH domains on system hacking and network attacks; each description is the textbook definition of the attack it is matched to.

8
MCQ · hard

Refer to the exhibit. A security analyst checks for missing patches. Which vulnerability is this system likely exposed to?

A.EternalBlue (MS17-010)
B.BlueKeep (CVE-2019-0708)
C.ZeroLogon (CVE-2020-1472)
D.PrintNightmare (CVE-2021-34527)
Answer: D

PrintNightmare was disclosed after the latest exhibited patch date, so none of the installed updates can cover it.

Why this answer

The system is Windows 10 build 19041 (version 2004) with patches up to 9/17/2020. EternalBlue (MS17-010) was fixed in March 2017, long before build 19041 shipped, so it is not exposed. BlueKeep (CVE-2019-0708) affects Windows 7, Server 2008 and 2008 R2 and older releases, not Windows 10. ZeroLogon (CVE-2020-1472) is a Netlogon flaw exploited against domain controllers, so a Windows 10 workstation is not the vulnerable target in any case; the exhibit shows KB4577586 from 9/8/2020, which the question treats as including the August 2020 fix. PrintNightmare (CVE-2021-34527) was disclosed in 2021, after every patch date shown, so the system is unpatched for it.

9
MCQ · medium

Refer to the exhibit. A security auditor reviews the password hashes. Which user has the weakest password hash?

A.admin
B.root
C.user
D.All are equally strong
Answer: C

'user' is hashed with MD5-crypt ($1$), the weakest of the schemes shown.

Why this answer

The prefix of a crypt(3) hash identifies the algorithm: $1$ is MD5-crypt, $5$ is SHA-256-crypt, $6$ is SHA-512-crypt and $y$ is yescrypt. MD5-crypt runs a fast hash for a fixed 1000 iterations, so it cracks far faster than SHA-512-crypt's default 5000 rounds of a slower function. The 'user' entry carries $1$, while admin and root use $6$, so 'user' has the weakest hash. Note that the auditor is comparing hash algorithms, not password quality; a long random password under $1$ can still outlast a weak one under $6$.
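Added example (Python, not from the original page) that automates the check in this question: it parses shadow-format lines, identifies the crypt scheme from the prefix and ranks accounts weakest first, skipping locked accounts. The shadow lines are constructed with placeholder digests, and the relative ordering of schemes is this example's assumption.

```python
"""Rank /etc/shadow entries by the strength of their hash algorithm.

Added example, not from the original page. The shadow lines are constructed
(the digests are placeholders, not real crypt output) and the ordering of
algorithms is an assumption of this example.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample; digests are dummy strings of roughly the right shape.
SAMPLE_SHADOW = """\
root:$6$Qx9zLm2r$4yHk...placeholder...:19500:0:99999:7:::
admin:$6$rT5uVw8p$9bNq...placeholder...:19500:0:99999:7:::
user:$1$ab12cd34$Kz3...placeholder...:19500:0:99999:7:::
svc:!:19500:0:99999:7:::
daemon:*:19500:0:99999:7:::
"""

# Prefix -> (name, rank); higher rank is stronger. The ordering is this
# example's assumption, based on work factor, not a published standard.
_SCHEMES: Dict[str, Tuple[str, int]] = {
    "$1$": ("md5crypt", 1),
    "$5$": ("sha256crypt", 2),
    "$6$": ("sha512crypt", 3),
    "$2a$": ("bcrypt", 4),
    "$2b$": ("bcrypt", 4),
    "$2y$": ("bcrypt", 4),
    "$y$": ("yescrypt", 5),
}


def classify(hash_field: str) -> Optional[Tuple[str, int]]:
    """Return (scheme, rank) for a shadow hash, or None if the account cannot be cracked."""
    if hash_field in ("", "*", "!!") or hash_field.startswith("!"):
        return None                                   # locked or passwordless account
    for prefix, scheme in _SCHEMES.items():
        if hash_field.startswith(prefix):
            return scheme
    if "$" not in hash_field and len(hash_field) == 13:
        return ("descrypt", 0)                       # legacy DES crypt, 8-char limit
    return ("unknown", 0)


def rank_accounts(shadow_text: str) -> List[Tuple[str, str, int]]:
    """Parse shadow lines; return (user, scheme, rank) for crackable accounts, weakest first."""
    rows: List[Tuple[str, str, int]] = []
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, hash_field = line.split(":", 2)[:2]
        info = classify(hash_field)
        if info is not None:
            rows.append((user, info[0], info[1]))
    return sorted(rows, key=lambda r: r[2])          # stable: ties keep file order


def weakest_user(shadow_text: str) -> Optional[str]:
    """Name of the account whose hash scheme is weakest, or None if nothing is crackable."""
    ranked = rank_accounts(shadow_text)
    return ranked[0][0] if ranked else None


if __name__ == "__main__":
    for row in rank_accounts(SAMPLE_SHADOW):
        print(row)
```

Run it against a copy of /etc/shadow taken during the audit; the output order is the order in which an attacker with the file would start cracking.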

10
Multi-Select · easy

Which TWO vulnerabilities are associated with buffer overflow attacks?

Select 2 answers
A.Arbitrary code execution
B.Stack smashing
C.Authentication bypass via SQL injection
D.Cross-site scripting (XSS)
E.Race condition
Answers: A, B

Successful buffer overflow attacks often lead to arbitrary code execution.

Why this answer

Buffer overflow attacks occur when a program writes more data to a buffer than it can hold, overwriting adjacent memory. This can corrupt the stack and allow an attacker to inject and execute arbitrary code (option A) by overwriting the return address or function pointers. Stack smashing (option B) is a specific technique that deliberately corrupts the call stack to hijack control flow, often as part of a buffer overflow exploit.

Exam trap

The trap here is that candidates often confuse buffer overflow with other injection or concurrency flaws, but the CEH exam specifically pairs arbitrary code execution and stack smashing as the two direct consequences of a buffer overflow.

11
MCQ · hard

A penetration tester is analyzing a Windows 10 system and runs the following command to dump password hashes from the SAM database. The output shows hashes for local users but some are missing. Which step is most likely missing?

A.Run the tool as Administrator
B.Use reg.exe save to export SAM hive
C.Create a Volume Shadow Copy to access SAM file
D.Enable SeDebugPrivilege for the current process
Answer: C

A Volume Shadow Copy gives a point-in-time snapshot of the SAM file that is not held open by the running system.

Why this answer

On a running Windows system the registry hive files under %SystemRoot%\System32\config, including SAM, are opened exclusively by the kernel, so a plain file copy fails even for an administrator. Creating a Volume Shadow Copy (for example with wmic shadowcopy call create or the Win32_ShadowCopy WMI class; vssadmin create shadow is only available on server editions) and copying SAM out of the snapshot sidesteps that lock. Two practitioner notes: the SYSTEM hive must be copied from the same snapshot, because the boot key inside it is needed to decrypt the SAM hashes; and all of this still requires an administrative session, since creating shadow copies is a privileged operation.

Exam trap

The trap here is that candidates assume Administrator privileges alone are sufficient to copy the SAM file, overlooking the exclusive lock on the live hive; the exam's expected bypass is VSS.

How to eliminate wrong answers

Option A is wrong because running the tool as Administrator is necessary but not sufficient on its own; the live SAM file remains locked. Option B is the closest distractor: reg.exe save HKLM\SAM does work for an administrator (the Registry API reads the loaded hive rather than the file, and administrators already hold the SeBackupPrivilege it needs), and it is a common alternative in practice, but the exam treats VSS as the answer because it yields the raw file without going through the registry. Option D is wrong because SeDebugPrivilege grants access to other processes' memory (the route used for LSASS dumping), not to a locked file on disk.

12
MCQ · easy

A security analyst runs a vulnerability scan and finds that a server is vulnerable to CVE-2021-44228 (Log4j). Which of the following is the best immediate remediation step?

A.Update Log4j to version 2.17.1 or later
B.Remove the JndiLookup class from the Log4j jar
C.Disable JDBC appender in Log4j configuration
D.Block outbound traffic from the server to the internet
Answer: A

Patching removes the vulnerable code instead of working around it.

Why this answer

Option A is correct because CVE-2021-44228 (Log4Shell) is a remote code execution vulnerability in Apache Log4j 2 versions 2.0-beta9 through 2.14.1, triggered when attacker-controlled text such as ${jndi:ldap://...} reaches a log message and the JNDI lookup fetches and loads a remote class. Upgrading is the vendor-recommended fix, and 2.17.1 is the version that also closes the follow-on issues: 2.15.0 fixed 44228, 2.16.0 fixed CVE-2021-45046, 2.17.0 fixed CVE-2021-45105, and 2.17.1 fixed CVE-2021-44832 in the JDBC appender. Later 2.x releases are equally acceptable, which is why the option says "or later". After patching, verify every copy of the library, since shaded and vendored log4j-core jars inside application archives are easy to miss.

Exam trap

The trap here is that candidates often choose Option B (removing JndiLookup) because it was widely publicized as a quick fix, but the CEH exam expects you to know that a version update is the complete and recommended remediation; the class removal is a stopgap that has to be repeated for every jar and every redeploy.

How to eliminate wrong answers

Option B is wrong because deleting JndiLookup.class from log4j-core is a temporary mitigation: it must be applied to every copy of the jar, is undone by the next deployment, and covers only the JNDI lookup path, not the later CVEs fixed in 2.17.x. Option C is wrong because the JDBC appender is the subject of CVE-2021-44832, a separate and lower-severity issue; disabling it does nothing for the JNDI lookup that CVE-2021-44228 exploits. Option D is wrong because blocking outbound traffic is a containment measure: it can stop the LDAP or RMI callback that fetches the payload class, but it leaves the vulnerable code in place, can be bypassed by internal or DNS-based channels, and is not a remediation.

13
MCQ · hard

Based on the Nmap scan output, which service is most likely vulnerable to remote code execution?

A.MAC Address 00:1A:2B:3C:4D:5E
B.Apache httpd 2.4.18
C.OpenSSH 7.2p2
D.Apache Tomcat 8.5.5
Answer: D

Tomcat 8.5.5 is within the range affected by Ghostcat (CVE-2020-1938), which reaches the AJP connector and can lead to RCE.

Why this answer

Apache Tomcat 8.5.x before 8.5.51 (along with 7.0.x before 7.0.100, 9.0.x before 9.0.31 and all of 6.x) is vulnerable to Ghostcat (CVE-2020-1938). The AJP connector, enabled by default on port 8009 in those builds, trusts request attributes sent by the client, which lets an unauthenticated attacker read any file under the web application root (WEB-INF/web.xml, source, configuration) and, when the application also allows uploading a file into that root, have the server process it as a JSP, giving remote code execution. The caveat a tester should note in the report: Ghostcat on its own is a file read; RCE needs that upload path, and port 8009 must actually be reachable, which the Nmap output should show. It is still the most likely RCE candidate among the listed services.

Exam trap

EC-Council often tests the misconception that a common service like Apache httpd or OpenSSH is the most vulnerable, but the trap here is that the AJP connector on Tomcat (port 8009) is frequently overlooked, yet it is the path to Ghostcat.

How to eliminate wrong answers

Option A is wrong because a MAC address is a hardware identifier for the network interface, not a service, and cannot be vulnerable to remote code execution. Option B is wrong because Apache httpd 2.4.18, while it has known vulnerabilities, has no unauthenticated remote code execution flaw in its core that is exploitable from the version banner; its known issues are denial of service and information disclosure. Option C is wrong because OpenSSH 7.2p2's known weakness, CVE-2016-6210, is a timing-based username enumeration, not remote code execution.

14
MCQ · medium

An ethical hacker is testing a web application that uses cookies for session management. The tester notices that the session cookie does not have the HttpOnly or Secure flags set. Which attack is most likely to succeed due to this misconfiguration?

A.SQL injection
B.Cross-site request forgery (CSRF)
C.Session hijacking via cross-site scripting (XSS)
D.Clickjacking
Answer: C

Without HttpOnly, script running in the page can read the session cookie; without Secure, it also travels over plain HTTP.

Why this answer

Option C is correct because the absence of the HttpOnly flag allows JavaScript to read the session cookie through document.cookie, so any cross-site scripting flaw in the application becomes a session-hijacking vector: the injected script sends the cookie value to the attacker, who replays it. The missing Secure flag adds a second path: the browser will send the cookie on any http:// request to the site, exposing it to an on-path observer. Neither flag prevents XSS itself; they limit what XSS can do with the session.

Exam trap

The trap here is that candidates often confuse CSRF with session hijacking, but CSRF does not require reading the cookie (the browser attaches it automatically), whereas XSS-based session hijacking steals the cookie value itself. HttpOnly therefore mitigates cookie theft, not CSRF.

How to eliminate wrong answers

Option A is wrong because SQL injection exploits how the application builds database queries and has nothing to do with cookie attributes. Option B is wrong because CSRF abuses the browser's automatic inclusion of cookies in cross-site requests; missing HttpOnly or Secure flags do not enable it (the SameSite attribute is what addresses CSRF at the cookie level). Option D is wrong because clickjacking tricks the user into clicking a framed page and never reads the cookie; it is mitigated by frame-ancestors or X-Frame-Options, not by cookie flags.
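Added example (Python, not from the original page) that audits a Set-Cookie header for the flags discussed here and reports which are missing, extending the check to SameSite and the __Host- prefix, which the question does not mention. The header values and the cookie name are constructed.

```python
"""Audit Set-Cookie headers for the attributes that limit session-cookie theft.

Added example, not from the original page. The header values are constructed;
the cookie name and the set of required attributes are assumptions.
"""
from typing import Dict, List

# Constructed responses: the first is the misconfiguration from the question,
# the second is the hardened form.
WEAK_HEADER = "sessionid=2f8c1a0e; Path=/"
HARDENED_HEADER = "__Host-sessionid=2f8c1a0e; Path=/; Secure; HttpOnly; SameSite=Lax"


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split a Set-Cookie value into {attribute_lower: value}; flag attributes map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {"__name__": name.strip(), "__value__": value.strip()}
    for part in parts[1:]:
        if not part:
            continue
        k, _, v = part.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return attrs


def missing_flags(header: str) -> List[str]:
    """Return the protections absent from a session cookie.

    HttpOnly keeps document.cookie from returning the value, Secure keeps it
    off plaintext HTTP, SameSite limits cross-site sending, and the __Host-
    prefix binds it to the origin (it requires Secure, Path=/ and no Domain).
    """
    attrs = parse_set_cookie(header)
    missing: List[str] = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if "secure" not in attrs:
        missing.append("Secure")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        missing.append("SameSite=Lax|Strict")
    if not attrs["__name__"].startswith("__Host-"):
        missing.append("__Host- prefix")
    return missing


if __name__ == "__main__":
    print("weak    :", missing_flags(WEAK_HEADER))
    print("hardened:", missing_flags(HARDENED_HEADER))
```

During a test, run it over every Set-Cookie header in the login response; a session cookie that reports HttpOnly as missing is the one an XSS payload can exfiltrate.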

15
Drag & Drop · medium

Drag and drop the steps to configure a firewall rule in iptables to block incoming SSH traffic into the correct order.

Why this order

Check the existing rules first so you know where the new rule will sit in the INPUT chain and whether an earlier ACCEPT would shadow it; add the DROP rule for TCP destination port 22; list the chain again to verify the rule is present in the right position; save the ruleset so it survives a reboot (iptables rules live only in kernel memory until persisted); then test from another host. Do the work from a console session or an out-of-band channel rather than over SSH, because the rule will cut your own session as soon as it takes effect.

16
MCQ · easy

A penetration tester discovers that a target Windows system has port 445 open and responds to SMB requests. Which tool should the tester use to enumerate users, shares, and OS information from this system?

A.Nikto
B.Hydra
C.Nmap
D.enum4linux
Answer: D

enum4linux extracts SMB information such as users, shares and OS details.

Why this answer

enum4linux is a tool specifically designed to enumerate information from Windows and Samba systems via SMB. It leverages the SMB protocol to extract users, shares, OS details, and other system information from a target with port 445 open, making it the correct choice for this scenario.

Exam trap

The trap here is that candidates may choose Nmap because it is a versatile tool that can perform SMB enumeration with scripts, but the CEH exam expects the specialized tool (enum4linux) for this specific task, as Nmap is primarily a port scanner and not the dedicated enumeration tool.

How to eliminate wrong answers

Option A is wrong because Nikto is a web server scanner that tests for vulnerabilities in HTTP/HTTPS services, not for SMB enumeration. Option B is wrong because Hydra is a password brute-forcing tool used for online attacks against various services, not for passive enumeration of users, shares, or OS information. Option C is wrong because while Nmap can detect open ports and perform basic SMB enumeration via scripts (e.g., smb-enum-shares), it is not the dedicated tool for comprehensive SMB enumeration; enum4linux is purpose-built for this task.

17
Multi-Select · medium

Which THREE of the following are common indicators of a buffer overflow vulnerability?

Select 3 answers
A.Unexpected program crashes or segmentation faults
B.Access violation errors when writing to memory
C.Use of return-oriented programming (ROP)
D.High CPU usage
E.Overwritten adjacent memory regions
Answers: A, B, E

Crashes, access violations and corrupted neighbouring data are all symptoms of writes past the end of a buffer.

Why this answer

A is correct because a buffer overflow often causes unexpected program crashes or segmentation faults: once the write runs past the buffer it corrupts the stack or heap, and the first use of a clobbered pointer or return address produces an invalid memory access that the operating system terminates (SIGSEGV on Linux). B is the same symptom as Windows reports it, an access violation (0xC0000005) when the corrupted value is used as an address. E is the indicator seen in a debugger or crash dump: variables, stack canaries or heap metadata adjacent to the buffer hold data that was clearly written by the overflowing copy, such as runs of the input pattern.

Exam trap

The trap here is that candidates confuse exploitation techniques (like ROP) with vulnerability indicators, but ROP is a post-exploitation method, not a sign that a buffer overflow exists.

18
MCQ · hard

During a penetration test, a tester gains access to a Linux system and needs to escalate privileges. The tester finds that the user has sudo privileges to run /usr/bin/less as root without a password. Which technique should the tester use to escalate privileges?

A.Exploit a kernel vulnerability using a local exploit
B.Run /usr/bin/less with sudo, then type !/bin/bash to spawn a root shell
C.Use the find command with -exec to execute a shell
D.Check for world-writable scripts in cron jobs
Answer: B

less can run shell commands from its interface with the ! key, and under sudo those commands run as root.

Why this answer

Option B is correct because less, like most pagers, can execute shell commands from within its interface. When the user may run /usr/bin/less as root without a password, running sudo /usr/bin/less on any readable file and then typing !/bin/bash (or !sh) at the prompt spawns a shell with root privileges. The same class of escape exists in more, vim, man and other tools that call out to a shell, which is why sudoers rules granting root access to such binaries are a privilege escalation finding in their own right; GTFOBins catalogues them.

Exam trap

The trap here is that candidates may overlook the command execution capability of less and instead focus on kernel exploits or cron jobs, missing the direct and simplest path to root via the sudo misconfiguration.

How to eliminate wrong answers

Option A is wrong because exploiting a kernel vulnerability is unnecessary when a simpler, authorized sudo misconfiguration exists; this option distracts from the direct privilege escalation path. Option C is wrong because the find command with -exec is a technique for executing commands on files, but it does not inherently provide privilege escalation unless combined with a setuid binary or specific permissions, and the user does not have sudo rights to find. Option D is wrong because checking for world-writable scripts in cron jobs is a valid enumeration step but is not the immediate technique to exploit the given sudo privilege; it is a slower, indirect method that may not yield root access.

19
MCQ · medium

You are a penetration tester hired by a medium-sized financial company. The company has a network consisting of 50 Windows workstations (Windows 10 Pro) and 5 Windows Server 2019 servers (domain controller, file server, web server, database server, and mail server). The network is segmented into three VLANs: User VLAN (192.168.1.0/24), Server VLAN (192.168.2.0/24), and DMZ (192.168.3.0/24). The web server is in the DMZ and hosts a public-facing e-commerce application built on ASP.NET with a SQL Server backend. The database server is in the Server VLAN and is not directly accessible from the internet.

You are given a standard user account on a workstation in the User VLAN. After initial reconnaissance, you discover that the web server is running an outdated version of IIS (7.5) and is vulnerable to a known privilege escalation vulnerability (CVE-2020-0613) that allows local privilege escalation if an attacker has already gained initial access. You also find that the web application has a SQL injection vulnerability in the login page. You successfully exploit the SQL injection to extract the password hash of the web application's service account, which is 'web_svc'. You crack the hash offline and obtain the plaintext password. The 'web_svc' account has local administrative privileges on the web server.

Using these credentials, you authenticate to the web server via RDP. From there, you want to pivot to the database server to extract credit card information stored in the database. The database server only allows connections from the web server on port 1433 (SQL Server). Using the 'web_svc' account, you are able to connect to the database server using SQL Server Management Studio. However, you find that the 'web_svc' account has only 'public' and 'guest' database roles, which do not allow reading any sensitive tables. You need to escalate privileges on the database server. What is the most effective next step?

A.Use the web_svc account to create a new SQL Server login with sysadmin privileges via the SQL Server Management Studio
B.Exploit the privilege escalation vulnerability on the web server to gain SYSTEM access, then dump the SQL Server service account credentials (e.g., from the SQL Server error logs or registry) and use them to log into the database server with sysadmin privileges
C.Perform a brute-force attack against the 'sa' account on the database server using a wordlist
D.Try to use the web_svc account to directly query the credit card table using a SQL injection payload on the web application
Answer: B

This leverages the local escalation to obtain higher database privileges.

Why this answer

Option B is correct because the web_svc account lacks sufficient database privileges, but by exploiting the privilege escalation vulnerability (CVE-2020-0613) on the web server to gain SYSTEM access, you can extract the SQL Server service account credentials (e.g., from SQL Server error logs or registry). The SQL Server service account typically runs with sysadmin privileges, allowing you to connect to the database server with full administrative rights and access the credit card data.

Exam trap

The trap here is that candidates assume the web_svc account's local admin rights on the web server translate to database privileges, but SQL Server role-based access control is separate, so they must escalate locally first to capture the higher-privileged service account credentials.

How to eliminate wrong answers

Option A is wrong because the web_svc account has only the 'public' and 'guest' database roles, which do not grant permission to create logins or assign the sysadmin role; SQL Server enforces role-based access control, and that operation requires ALTER ANY LOGIN or sysadmin rights. Option C is wrong because brute-forcing the 'sa' account is noisy, slow and likely to trigger lockout policies or intrusion detection, and a more reliable escalation path is already available. Option D is wrong because a SQL injection executes with the privileges of the web application's own database connection, which is the same web_svc account with the same limited roles; the injection changes where the query is typed, not what it is allowed to read, so the sensitive tables remain inaccessible.
