Certified Ethical Hacker v12 Topic 3
Question #: 158
Topic #: 1
You work as a cloud security specialist at SkyNet Solutions. One of your clients is a healthcare organization that plans to migrate its electronic health record (EHR) system to the cloud. This system contains highly sensitive personal and medical data. As part of your job, you need to ensure the security and privacy of this data while it is being transferred and stored in the cloud. You recommend that data should be encrypted during transit and at rest. However, you also need to ensure that even if a cloud service provider(CSP) has access to encrypted data, they should not be able to decrypt it. Which of the following would be the most suitable strategy to meet this requirement?
A. Rely on network-level encryption protocols for data transfer.
B. Use SSL/TLS for data transfer and allow the CSP to manage encryption keys.
C. Utilize the CSP’s built-in data encryption services.
D. Use client-side encryption and manage encryption keys independently of the CSP.
Selected Answer: D
Question #: 157
Topic #: 1
You are the chief security officer at AlphaTech, a tech company that specializes in data storage solutions. Your company is developing a new cloud storage platform where users can store their personal files. To ensure data security, the development team is proposing to use symmetric encryption for data at rest. However, they are unsure of how to securely manage and distribute the symmetric keys to users. Which of the following strategies would you recommend to them?
A. Use hash functions to distribute the keys.
B. Use HTTPS protocol for secure key transfer.
C. Use digital signatures to encrypt the symmetric keys.
D. Implement the Diffie-Hellman protocol for secure key exchange.
Selected Answer: D
Question #: 156
Topic #: 1
During your summer internship at a tech company, you have been asked to review the security settings of their web server. While inspecting, you notice the server reveals detailed error messages to users, including database query errors and internal server errors. As a cybersecurity beginner, what is your understanding of this setting, and how would you advise the company?
A. Retain the setting as it aids in troubleshooting user issues.
B. Suppress detailed error messages, as they can expose sensitive information.
C. Implement stronger encryption to secure the error messages.
D. Increase the frequency of automated server backups.
Selected Answer: B
Question #: 154
Topic #: 1
A penetration tester is performing an enumeration on a client’s network. The tester has acquired permission to perform enumeration activities. They have identified a remote inter-process communication (IPC) share and are trying to collect more information about it. The tester decides to use a common enumeration technique to collect the desired data. Which of the following techniques would be most appropriate for this scenario?
A. Probe the IPC share by attempting to brute force admin credentials
B. Brute force Active Directory
C. Extract usernames using email IDs
D. Conduct a DNS zone transfer
Selected Answer: A
Question #: 153
Topic #: 1
As a cybersecurity analyst at IoT Defend, you are working with a large utility company that uses Industrial Control Systems (ICS) in its operational technology (OT) environment. The company has recently integrated IoT devices into this environment to enable remote monitoring and control. They want to ensure these devices do not become a weak link in their security posture. To identify potential vulnerabilities in the IoT devices, which of the following actions should you recommend as the first step?
A. Use stronger encryption algorithms for data transmission between IoT devices.
B. Implement network segmentation to isolate IoT devices from the rest of the network.
C. Conduct a vulnerability assessment specifically for the IoT devices.
D. Install the latest antivirus software on each IoT device.
Selected Answer: C
Question #: 152
Topic #: 1
A network security analyst, while conducting penetration testing, is aiming to identify a service account password using the Kerberos authentication protocol. They have a valid user authentication ticket (TGT) and decided to carry out a Kerberoasting attack. In the scenario described, which of the following steps should the analyst take next?
A. Carry out a passive wire sniffing operation using Internet packet sniffers
B. Perform a PRobability INfinite Chained Elements (PRINCE) attack
C. Extract plaintext passwords, hashes, PIN codes, and Kerberos tickets using a tool like Mimikatz
D. Request a service ticket for the service principal name of the target service account
Selected Answer: D
Question #: 173
Topic #: 1
An ethical hacker has been tasked with assessing the security of a major corporation’s network. She suspects the network uses default SNMP community strings. To exploit this, she plans to extract valuable network information using SNMP enumeration. Which tool could best help her to get the information without directly modifying any parameters within the SNMP agent’s management information base (MIB)?
A. SnmpWalk, with a command to change an OID to a different value
B. snmp-check (snmp_enum Module) to gather a wide array of information about the target
C. Nmap, with a script to retrieve all running SNMP processes and associated ports
D. OpUtils, which is mainly designed for device management and not SNMP enumeration
Selected Answer: B
Question #: 169
Topic #: 1
A well-resourced attacker intends to launch a highly disruptive DDoS attack against a major online retailer. The attacker aims to exhaust all the network resources while keeping their identity concealed. Their method should be resistant to simple defensive measures such as IP-based blocking. Based on these objectives, which of the following attack strategies would be most effective?
A. The attacker should instigate a protocol-based SYN flood attack, consuming connection state tables on the retailer’s servers
B. The attacker should leverage a botnet to launch a Pulse Wave attack, sending high-volume traffic pulses at regular intervals
C. The attacker should initiate a volumetric flood attack using a single compromised machine to overwhelm the retailer’s network bandwidth
D. The attacker should execute a simple ICMP flood attack from a single IP, exploiting the retailer’s ICMP processing
Selected Answer: B
Question #: 164
Topic #: 1
You are the lead cybersecurity analyst at a multinational corporation that uses a hybrid encryption system to secure inter-departmental communications. The system uses RSA encryption for key exchange and AES for data encryption, taking advantage of the strengths of both asymmetric and symmetric encryption. Each RSA key pair has a size of ‘n’ bits, with larger keys providing more security at the cost of slower performance. The time complexity of generating an RSA key pair is O(n^2), and AES encryption has a time complexity of O(n). An attacker has developed a quantum algorithm with time complexity O((log n)^2) to crack RSA encryption. Given ‘n=4000’ and variable ‘AES key size’, which scenario is likely to provide the best balance of security and performance?
A. AES key size=128 bits: This configuration provides less security than option A, but RSA key generation and AES encryption will be faster.
B. AES key size=256 bits: This configuration provides a high level of security, but RSA key generation may be slow.
C. AES key size=192 bits: This configuration is a balance between options A and B, providing moderate security and performance.
D. AES key size=512 bits: This configuration provides the highest level of security but at a significant performance cost due to the large AES key size.
Selected Answer: C
Question #: 149
Topic #: 1
An audacious attacker is targeting a web server you oversee. He intends to perform a Slow HTTP POST attack by manipulating ‘a’ HTTP connections. Each connection sends a byte of data every ‘b’ seconds, effectively holding up the connections for an extended period. Your server is designed to manage ‘m’ connections per second, but any connections exceeding this number tend to overwhelm the system. Given ‘a=100’ and variable ‘m’, along with the attacker’s intention of maximizing the attack duration ‘D=a*b’, consider the following scenarios. Which is most likely to result in the longest duration of server unavailability?
A. m=90, b=15: The server can manage 90 connections per second, but the attacker’s 100 connections exceed this, and with each connection held up for 15 seconds, the attack duration could be significant.
B. m=105, b=12: The server can manage 105 connections per second, more than the attacker’s 100 connections, likely maintaining operation despite a moderate hold-up time.
C. m=110, b=20: Despite the attacker sending 100 connections, the server can handle 110 connections per second, therefore likely staying operative, regardless of the hold-up time per connection.
D. m=95, b=10: Here, the server can handle 95 connections per second, but it falls short against the attacker’s 100 connections, albeit the hold-up time per connection is lower.
Selected Answer: A
Question #: 75
Topic #: 1
Alice, a professional hacker, targeted an organization’s cloud services. She infiltrated the target’s MSP provider by sending spear-phishing emails and distributed custom-made malware to compromise user accounts and gain remote access to the cloud service. Further, she accessed the target customer profiles with her MSP account, compressed the customer data, and stored them in the MSP. Then, she used this information to launch further attacks on the target organization.
Which of the following cloud attacks did Alice perform in the above scenario?
A. Cloud cryptojacking
B. Man-in-the-cloud (MITC) attack
C. Cloud hopper attack
D. Cloudborne attack
Selected Answer: C
Question #: 292
Topic #: 1
George, an employee of an organization, is attempting to access restricted websites from an official computer. For this purpose, he used an anonymizer that masked his real IP address and ensured complete and continuous anonymity for all his online activities.
Which of the following anonymizers helps George hide his activities?
A. https://www.baidu.com
B. https://www.guardster.com
C. https://www.wolframalpha.com
D. https://karmadecay.com
Selected Answer: B
Question #: 132
Topic #: 1
Your company has been receiving regular alerts from its IDS about potential intrusions. On further investigation, you notice that these alerts have been false positives triggered by certain goodware files. In response, you are planning to enhance the IDS with YARA rules, reducing these false positives while improving the detection of real threats. Based on the scenario and the principles of YARA and IDS, which of the following strategies would best serve your purpose?
A. Writing YARA rules specifically to identify the goodware files triggering false positives
B. Implementing YARA rules that focus solely on known malware signatures
C. Creating YARA rules to examine only the private database for intrusions
D. Incorporating YARA rules to detect patterns in all files regardless of their nature
Selected Answer: A
Question #: 229
Topic #: 1
You are a cybersecurity consultant for a smart city project. The project involves deploying a vast network of IoT devices for public utilities like traffic control, water supply, and power grid management. The city administration is concerned about the possibility of a Distributed Denial of Service (DDoS) attack crippling these critical services. They have asked you for advice on how to prevent such an attack. What would be your primary recommendation?
A. Implement regular firmware updates for all IoT devices.
B. Establish strong, unique passwords for each IoT device.
C. Deploy network intrusion detection systems (IDS) across the IoT network.
D. Implement IP address whitelisting for all IoT devices.
Selected Answer: D
Question #: 217
Topic #: 1
As part of a penetration testing team, you’ve discovered a web application vulnerable to Cross-Site Scripting (XSS). The application sanitizes inputs against standard XSS payloads but fails to filter out HTML-encoded characters. On further analysis, you’ve noticed that the web application uses cookies to track session IDs. You decide to exploit the XSS vulnerability to steal users’ session cookies. However, the application implements HTTPOnly cookies, complicating your original plan. Which of the following would be the most viable strategy for a successful attack?
A. Build an XSS payload using HTML encoding and use it to exploit the server-side code, potentially disabling the HTTPOnly flag on cookies.
B. Develop a browser exploit to bypass the HTTPOnly restriction, then use a HTML-encoded XSS payload to retrieve the cookies.
C. Utilize an HTML-encoded XSS payload to trigger a buffer overflow attack, forcing the server to reveal the HTTPOnly cookies.
D. Create a sophisticated XSS payload that leverages HTML encoding to bypass the input sanitization, and then use it to redirect users to a malicious site where their cookies can be captured.
Selected Answer: D
Question #: 206
Topic #: 1
An ethical hacker is performing a network scan to evaluate the security of a company’s IT infrastructure. During the scan, he discovers an active host with multiple open ports running various services. The hacker uses TCP communication flags to establish a connection with the host and starts communicating with it. He sends a SYN packet to a port on the host and receives a SYN/ACK packet back. He then sends an ACK packet for the received SYN/ACK packet, which triggers an open connection. Which of the following actions should the ethical hacker perform next?
A. Send a PSH packet to inform the receiving application about the buffered data.
B. Conduct a vulnerability scan on the open port to identify any potential weaknesses.
C. Scan another port on the same host using the SYN, ACK, and RST flags.
D. Send a FIN or RST packet to close the connection.
Selected Answer: B
Question #: 188
Topic #: 1
A penetration tester was assigned to scan a large network range to find live hosts. The network is known for using strict TCP filtering rules on its firewall, which may obstruct common host discovery techniques. The tester needs a method that can bypass these firewall restrictions and accurately identify live systems. What host discovery technique should the tester use?
A. ICMP Timestamp Ping Scan
B. ICMP ECHO Ping Scan
C. TCP SYN Ping Scan
D. UDP Ping Scan
Selected Answer: D
Question #: 187
Topic #: 1
As the lead security engineer for a retail corporation, you are assessing the security of the wireless networks in the company’s stores. One of your main concerns is the potential for “Wardriving” attacks, where attackers drive around with a Wi-Fi-enabled device to discover vulnerable wireless networks. Given the nature of the retail stores, you need to ensure that any security measures you implement do not interfere with customer experience, such as their ability to access in-store Wi-Fi. Taking into consideration these factors, which of the following would be the most suitable measure to mitigate the risk of Wardriving attacks?
A. Limit the range of the store’s wireless signals
B. Implement MAC address filtering
C. Disable SSID broadcasting
D. Implement WPA3 encryption for the store’s Wi-Fi network
Selected Answer: D
Question #: 148
Topic #: 1
A large corporation is planning to implement preventive measures to counter a broad range of social engineering techniques. The organization has implemented a signature-based intrusion detection system (IDS) to detect known attack payloads, and network flow analysis to monitor data entering and leaving the network. The organization is deliberating on the next step. Considering the information provided about various social engineering techniques, what should be the organization’s next course of action?
A. Implement endpoint detection and response solution to oversee endpoint activities
B. Set up a honeypot to attract potential attackers into a controlled environment for analysis
C. Deploy more security personnel to physically monitor key points of access
D. Organize regular employee awareness training regarding social engineering techniques and preventive measures
Selected Answer: D
Question #: 143
Topic #: 1
A Certified Ethical Hacker (CEH) is given the task to perform an LDAP enumeration on a target system. The system is secured and accepts connections only on secure LDAP. The CEH uses Python for the enumeration process. After successfully installing LDAP and establishing a connection with the target, he attempts to fetch details like the domain name and naming context but is unable to receive the expected response. Considering the circumstances, which of the following is the most plausible reason for this situation?
A. The system failed to establish a connection due to an incorrect port number.
B. The enumeration process was blocked by the target system’s intrusion detection system.
C. The secure LDAP connection was not properly initialized due to a lack of ‘use_ssl = True’ in the server object creation.
D. The Python version installed on the CEH’s machine is incompatible with the ldap3 library.
Selected Answer: C
Question #: 145
Topic #: 1
As a Certified Ethical Hacker, you are conducting a footprinting and reconnaissance operation against a target organization. You discover a range of IP addresses associated with the target using the SecurityTrails tool. Now, you need to perform a reverse DNS lookup on these IP addresses to find the associated domain names, as well as determine the nameservers and mail exchange (MX) records. Which of the following DNSRecon commands would be most effective for this purpose?
A. dnsrecon -r 192.168.1.0/24 -n nsl.example.com -t axfr
B. dnsrecon -r 10.0.0.0/24 -n nsl.example.com -t zonewalk
C. dnsrecon -r 162.241.216.0/24 -n nsl.example.com -t std
D. dnsrecon -r 162.241.216.0/24 -d example.com -t brt
Selected Answer: C
Question #: 134
Topic #: 1
Given the complexities of an organization’s network infrastructure, a threat actor has exploited an unidentified vulnerability, leading to a major data breach. As a Certified Ethical Hacker (CEH), you are tasked with enhancing the organization’s security stance. To ensure a comprehensive security defense, you recommend a certain security strategy. Which of the following best represents the strategy you would likely suggest and why?
A. Develop an in-depth Risk Management process, involving identification, assessment, treatment, tracking, and review of risks to control the potential effects on the organization.
B. Establish a Defense-in-Depth strategy, incorporating multiple layers of security measures to increase the complexity and decrease the likelihood of a successful attack.
C. Implement an Information Assurance (IA) policy focusing on ensuring the integrity, availability, confidentiality, and authenticity of information systems.
D. Adopt a Continual/Adaptive Security Strategy involving ongoing prediction, prevention, detection, and response actions to ensure comprehensive computer network defense.
Selected Answer: D
Question #: 170
Topic #: 1
A large organization is investigating a possible identity theft case where an attacker has created a new identity by combining multiple pieces of information from different victims to open a new bank account. The attacker also managed to receive government benefits using a fraudulent identity. Given the circumstances, which type of identity theft is the organization dealing with?
A. Identity Cloning and Concealment
B. Child Identity Theft
C. Social Identity Theft
D. Synthetic Identity Theft
Selected Answer: D
Question #: 225
Topic #: 1
A penetration tester is tasked with gathering information about the subdomains of a target organization’s website. The tester needs a versatile and efficient solution for the task. Which of the following options would be the most effective method to accomplish this goal?
A. Analyzing LinkedIn profiles to find employees of the target company and their job titles
B. Employing a tool like Sublist3r, which is designed to enumerate the subdomains of websites using OSINT
C. Using a people search service, such as Spokeo or Intelius, to gather information about the employees of the target organization
D. Utilizing the Harvester tool to extract email addresses related to the target domain using a search engine like Google or Bing
Selected Answer: B
Question #: 53
Topic #: 1
You are a penetration tester and are about to perform a scan on a specific server. The agreement that you signed with the client contains the following specific condition for the scan: “The attacker must scan every port on the server several times using a set of spoofed source IP addresses.” Suppose that you are using Nmap to perform this scan.
What flag will you use to satisfy this requirement?
A. The -g flag
B. The -A flag
C. The -f flag
D. The -D flag
Selected Answer: D
Question #: 11
Topic #: 1
While performing an Nmap scan against a host, Paola determines the existence of a firewall.
In an attempt to determine whether the firewall is stateful or stateless, which of the following options would be best to use?
A. -sA
B. -sX
C. -sT
D. -sF
Selected Answer: A
Question #: 226
Topic #: 1
Your network infrastructure is under a SYN flood attack. The attacker has crafted an automated botnet to simultaneously send ‘s’ SYN packets per second to the server. You have put measures in place to manage ‘f’ SYN packets per second, and the system is designed to deal with this number without any performance issues. If ‘s’ exceeds ‘f’, the network infrastructure begins to show signs of overload. The system’s response time increases exponentially (2^k), where ‘k’ represents each additional SYN packet above the ‘f’ limit. Now, considering ‘s=500’ and different ‘f’ values, in which scenario is the server most likely to experience overload and significantly increased response times?
A. f=510: The server can handle 510 SYN packets per second, which is greater than what the attacker is sending. The system stays stable, and the response time remains unaffected.
B. f=495: The server can handle 495 SYN packets per second. The response time drastically rises (2^5 = 32 times the normal), indicating a probable system overload.
C. f=505: The server can handle 505 SYN packets per second. In this case, the response time increases but not as drastically (2^5 = 32 times the normal), and the system might still function, albeit slowly.
D. f=490: The server can handle 490 SYN packets per second. With ‘s’ exceeding ‘f’ by 10, the response time shoots up (2^10 = 1024 times the usual response time), indicating a system overload.
Selected Answer: D
Question #: 163
Topic #: 1
You are an ethical hacker contracted to conduct a security audit for a company. During the audit, you discover that the company’s wireless network is using WEP encryption. You understand the vulnerabilities associated with WEP and plan to recommend a more secure encryption method. Which of the following would you recommend as a suitable replacement to enhance the security of the company’s wireless network?
A. Open System authentication
B. WPA2-PSK with AES encryption
C. SSID broadcast disabling
D. MAC address filtering
Selected Answer: B
Question #: 306
Topic #: 1
Ron, a security professional, was pen testing web applications and SaaS platforms used by his company. While testing, he found a vulnerability that allows hackers to gain unauthorized access to API objects and perform actions such as view, update, and delete sensitive data of the company.
What is the API vulnerability revealed in the above scenario?
A. No ABAC validation
B. Business logic flaws
C. Improper use of CORS
D. Code injections
Selected Answer: A
Question #: 3
Topic #: 1
John, a professional hacker, performs a network attack on a renowned organization and gains unauthorized access to the target network. He remains in the network without being detected for a long time and obtains sensitive information without sabotaging the organization.
Which of the following attack techniques is used by John?
A. Insider threat
B. Diversion theft
C. Spear-phishing sites
D. Advanced persistent threat
Selected Answer: D
Question #: 2
Topic #: 1
John is investigating web-application firewall logs and observes that someone is attempting to inject the following:
What type of attack is this?
A. SQL injection
B. Buffer overflow
C. CSRF
D. XSS
Selected Answer: B
Question #: 243
Topic #: 1
During a comprehensive security assessment, your cybersecurity team at XYZ Corp stumbles upon signs that point toward a possible Advanced Persistent Threat (APT) infiltration in the network infrastructure. These sophisticated threats often exhibit subtle indicators that distinguish them from other types of cyberattacks. To confirm your suspicion and adequately isolate the potential APT, which of the following actions should you prioritize?
A. Investigate for anomalies in file movements or unauthorized data access attempts within your database system
B. Scrutinize for repeat network login attempts from unrecognized geographical regions
C. Vigilantly monitor for evidence of zero-day exploits that manage to evade your firewall or antivirus software
D. Search for proof of a spear-phishing attempt, such as the presence of malicious emails or risky attachments
Selected Answer: A
Question #: 203
Topic #: 1
An ethical hacker is hired to conduct a comprehensive network scan of a large organization that strongly suspects potential intrusions into their internal systems. The hacker decides to employ a combination of scanning tools to obtain a detailed understanding of the network. Which sequence of actions would provide the most comprehensive information about the network’s status?
A. Use Hping3 for an ICMP ping scan on the entire subnet, then use Nmap for a SYN scan on identified active hosts, and finally use Metasploit to exploit identified vulnerabilities.
B. Start with Hping3 for a UDP scan on random ports, then use Nmap for a version detection scan, and finally use Metasploit to exploit detected vulnerabilities.
C. Begin with NetScanTools Pro for a general network scan, then use Nmap for OS detection and version detection, and finally perform SYN flooding with Hping3.
D. Initiate with Nmap for a ping sweep, then use Metasploit to scan for open ports and services, and finally use Hping3 to perform remote OS fingerprinting.
Selected Answer: D
Question #: 202
Topic #: 1
During a penetration testing assignment, a Certified Ethical Hacker (CEH) used a set of scanning tools to create a profile of the target organization. The CEH wanted to scan for live hosts, open ports, and services on a target network. He used Nmap for network inventory and Hping3 for network security auditing. However, he wanted to spoof IP addresses for anonymity during probing. Which command should the CEH use to perform this task?
A. Hping3 -1 10.0.0.25 -ICMP
B. Hping3 -2 10.0.0.25-p 80
C. Nmap -sS -Pn -n -vv --packet-trace -p- --script discovery -T4
D. Hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood
Selected Answer: D
Question #: 212
Topic #: 1
A large corporate network is being subjected to repeated sniffing attacks. To increase security, the company’s IT department decides to implement a combination of several security measures. They permanently add the MAC address of the gateway to the ARP cache, switch to using IPv6 instead of IPv4, implement the use of encrypted sessions such as SSH instead of Telnet, and use Secure File Transfer Protocol instead of FTP. However, they are still faced with the threat of sniffing. Considering the countermeasures, what should be their next step to enhance network security?
A. Use HTTP instead of HTTPS for protecting usernames and passwords
B. Implement network scanning and monitoring tools
C. Enable network identification broadcasts
D. Retrieve MAC addresses from the OS
Selected Answer: B
Question #: 135
Topic #: 1
As a cybersecurity professional, you are responsible for securing a high-traffic web application that uses MySQL as its backend database. Recently, there has been a surge of unauthorized login attempts, and you suspect that a seasoned black-hat hacker is behind them. This hacker has shown proficiency in SQL Injection and appears to be using the ‘UNION’ SQL keyword to trick the login process into returning additional data. However, your application’s security measures include filtering special characters in user inputs, a method usually effective against such attacks. In this challenging environment, if the hacker still intends to exploit this SQL Injection vulnerability, which strategy is he most likely to employ?
A. The hacker tries to manipulate the ‘UNION’ keyword in such a way that it triggers a database error, potentially revealing valuable information about the database’s structure.
B. The hacker switches tactics and resorts to a ‘time-based blind’ SQL Injection attack, which would force the application to delay its response, thereby revealing information based on the duration of the delay.
C. The hacker attempts to bypass the special character filter by encoding his malicious input, which could potentially enable him to successfully inject damaging SQL queries.
D. The hacker alters his approach and injects a ‘DROP TABLE’ statement, a move that could potentially lead to the loss of vital data stored in the application’s database.
Selected Answer: C
Question #: 126
Topic #: 1
You are a cybersecurity specialist at CloudTech Inc., a company providing cloud-based services. You are managing a project for a client who wants to migrate their sensitive data to a public cloud service. To comply with regulatory requirements, the client insists on maintaining full control over the encryption keys even when the data is at rest on the cloud. Which of the following practices should you implement to meet this requirement?
A. Encrypt data client-side before uploading to the cloud and retain control of the encryption keys.
B. Use the cloud service provider’s encryption services but store keys on-premises.
C. Rely on Secure Sockets Layer (SSL) encryption for data at rest.
D. Use the cloud service provider’s default encryption and key management services.
Selected Answer: A
Question #: 125
Topic #: 1
There have been concerns in your network that the wireless network component is not sufficiently secure. You perform a vulnerability scan of the wireless network and find that it is using an old encryption protocol that was designed to mimic wired encryption.
What encryption protocol is being used?
A. RADIUS
B. WPA
C. WEP
D. WPA3
Selected Answer: C
Question #: 119
Topic #: 1
Morris, a professional hacker, performed a vulnerability scan on a target organization by sniffing the traffic on the network to identify the active systems, network services, applications, and vulnerabilities. He also obtained the list of the users who are currently accessing the network.
What is the type of vulnerability assessment that Morris performed on the target organization?
A. Credentialed assessment
B. Internal assessment
C. External assessment
D. Passive assessment
Selected Answer: D
Question #: 110
Topic #: 1
At what stage of the cyber kill chain theory model does data exfiltration occur?
A. Weaponization
B. Actions on objectives
C. Command and control
D. Installation
Selected Answer: B
Question #: 309
Topic #: 1
Which of the following tactics uses malicious code to redirect users’ web traffic?
A. Spear-phishing
B. Phishing
C. Spimming
D. Pharming
Selected Answer: D
Question #: 254
Topic #: 1
An attacker decided to crack the passwords used by industrial control systems. In this process, he employed a loop strategy to recover these passwords. He used one character at a time to check whether the first character entered is correct; if so, he continued the loop for consecutive characters. If not, he terminated the loop. Furthermore, the attacker checked how much time the device took to finish one complete password authentication process, through which he deduced how many characters entered are correct.
What is the attack technique employed by the attacker to crack the passwords of the industrial control systems?
A. Buffer overflow attack
B. Side-channel attack
C. Denial-of-service attack
D. HMI-based attack
Selected Answer: B
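The scenario above is a timing side channel on an early-exit string compare. The Python below is an added example, not part of the exam material or any vendor's code: it models a device whose authentication time grows with the length of the correctly guessed prefix, recovers the password one position at a time with exactly the loop the question describes, and shows the constant-time comparison that closes the leak. The secret, the character set and the comparison-count oracle are constructed assumptions.

```python
"""Character-by-character timing side channel against an early-exit password
compare, and the constant-time fix. Added example: SECRET and CHARSET are
constructed placeholders, not values from any real ICS device."""
import hmac

SECRET = "Plc#2024"   # constructed demo secret (hypothetical)
CHARSET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789#!@"


def vulnerable_check(guess: str, secret: str = SECRET) -> tuple:
    """Leaky compare: gives up at the first wrong character.
    Returns (accepted, number_of_character_comparisons). On a real device the
    second value is what the attacker infers from the authentication time."""
    if len(guess) != len(secret):
        return False, 0                  # wrong length: fastest possible path
    comparisons = 0
    for g, s in zip(guess, secret):
        comparisons += 1
        if g != s:
            return False, comparisons    # early exit leaks the length of the matching prefix
    return True, comparisons


def constant_time_check(guess: str, secret: str = SECRET) -> bool:
    """Fix: comparison time no longer depends on where the first mismatch is."""
    return hmac.compare_digest(guess.encode(), secret.encode())


def recover_length(oracle, max_len: int = 64) -> int:
    """The length check itself leaks: the first length for which any character
    comparison runs at all is the real one."""
    for n in range(1, max_len + 1):
        if oracle("a" * n)[1] > 0:
            return n
    raise ValueError("secret longer than max_len")


def recover_secret(oracle, charset: str = CHARSET) -> str:
    """The loop strategy from the scenario: fix one position at a time, keeping
    the candidate that makes the device do the most work before rejecting."""
    n = recover_length(oracle)
    known = ""
    for pos in range(n):
        best_char, best_cost = None, -1
        for c in charset:
            accepted, cost = oracle(known + c + "a" * (n - pos - 1))
            if accepted:                 # final position: the success path gives it away
                return known + c
            if cost > best_cost:
                best_char, best_cost = c, cost
        known += best_char
    return known
```

Against a real device the comparison count is replaced by repeated wall-clock measurements with the median taken per candidate; the attack loop is the same. With hmac.compare_digest every guess of the right length costs the same, so the loop has nothing to rank; the remaining length leak is normally removed by comparing fixed-length hashes of the password rather than the raw string.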
Question #: 279
Topic #: 1
What information security law or standard aims at protecting stakeholders and the general public from accounting errors and fraudulent activities within organizations?
A. FISMA
B. PCI-DSS
C. SOX
D. ISO/IEC 27001:2013
Selected Answer: C
Question #: 246
Topic #: 1
John, a security analyst, is analyzing a server suspected of being compromised. The attacker has used a non-admin account and has already gained a foothold on the system. John discovers that a new Dynamic Link Library is loaded in the application directory of the affected server. This DLL does not have a fully qualified path and seems to be malicious. What privilege escalation technique has the attacker likely used to compromise this server?
A. DLL Hijacking
B. Named Pipe Impersonation
C. Spectre and Meltdown Vulnerabilities
D. Exploiting Misconfigured Services
Selected Answer: A
Question #: 305
Topic #: 1
Harper, a software engineer, is developing an email application. To ensure the confidentiality of email messages, Harper uses a symmetric-key block cipher having a classical 12- or 16-round Feistel network with a block size of 64 bits for encryption, which includes large 8 × 32-bit S-boxes (S1, S2, S3, S4) based on bent functions, modular addition and subtraction, key-dependent rotation, and XOR operations. This cipher also uses a masking key (Km1) and a rotation key (Kr1) for performing its functions.
What is the algorithm employed by Harper to secure the email messages?
A. CAST-128
B. AES
C. GOST block cipher
D. DES
Selected Answer: A
Question #: 205
Topic #: 1
As a cybersecurity consultant, you are working with a client who wants to migrate their data to a Software as a Service (SaaS) cloud environment. They are particularly concerned about maintaining the privacy of their sensitive data, even from the cloud service provider. Which of the following strategies would best ensure the privacy of their data in the SaaS environment?
A. Implement a Virtual Private Network (VPN) for accessing the SaaS applications.
B. Rely on the cloud service provider’s built-in security features.
C. Encrypt the data client-side before uploading to the SaaS environment and manage encryption keys independently.
D. Use multi-factor authentication for all user accounts accessing the SaaS applications
Selected Answer: C
Question #: 130
Topic #: 1
In an intricate web application architecture using an Oracle database, you, as a security analyst, have identified a potential SQL Injection attack surface. The database consists of ‘x’ tables, each with ‘y’ columns. Each table contains ‘z’ records. An attacker, well-versed in SQLi techniques, crafts ‘u’ SQL payloads, each attempting to extract maximum data from the database. The payloads include ‘UNION SELECT’ statements and ‘DBMS_XSLPROCESSOR.READ2CLOB’ to read sensitive files. The attacker aims to maximize the total data extracted ‘E=xyz*u’. Assuming ‘x=4’, ‘y=2’, and varying ‘z’ and ‘u’, which situation is likely to result in the highest extracted data volume?
A. z=600, u=2: The attacker devises 2 SQL payloads, each aimed at tables holding 600 records, affecting all columns across all tables.
B. z=550, u=2: Here, the attacker formulates 2 SQL payloads and directs them towards tables containing 550 records, impacting all columns and tables.
C. z=500, u=3: The attacker creates 3 SQL payloads and targets tables with 500 records each, exploiting all columns and tables.
D. z=400, u=4: The attacker constructs 4 SQL payloads, each focusing on tables with 400 records, influencing all columns of all tables.
Selected Answer: D
Question #: 95
Topic #: 1
Techno Security Inc. recently hired John as a penetration tester. He was tasked with identifying open ports in the target network and determining whether the ports are online and any firewall rule sets are encountered.
John decided to perform a TCP SYN ping scan on the target network.
Which of the following Nmap commands must John use to perform the TCP SYN ping scan?
A. nmap -sn -PO < target IP address >
B. nmap -sn -PS < target IP address >
C. nmap -sn -PA < target IP address >
D. nmap -sn -PP < target IP address >
Selected Answer: B
Question #: 253
Topic #: 1
A security analyst uses Zenmap to perform an ICMP timestamp ping scan to acquire information related to the current time from the target host machine.
Which of the following Zenmap options must the analyst use to perform the ICMP timestamp ping scan?
A. -Pn
B. -PU
C. -PP
D. -PY
Selected Answer: C
Question #: 308
Topic #: 1
Thomas, a cloud security professional, is performing a security assessment on cloud services to identify any loopholes. He detects a vulnerability in a bare-metal cloud server that can enable hackers to implant malicious backdoors in its firmware. He also identified that an installed backdoor can persist even if the server is reallocated to new clients or businesses that use it as IaaS.
What is the type of cloud attack that can be performed by exploiting the vulnerability discussed in the above scenario?
A. Cloudborne attack
B. Man-in-the-cloud (MITC) attack
C. Metadata spoofing attack
D. Cloud cryptojacking
Selected Answer: A
Question #: 304
Topic #: 1
A “Server-Side Includes” attack refers to the exploitation of a web application by injecting scripts in HTML pages or executing arbitrary code remotely.
Which web-page file type, if it exists on the web server, is a strong indication that the server is vulnerable to this kind of attack?
A. .stm
B. .cms
C. .rss
D. .html
Selected Answer: A
Question #: 302
Topic #: 1
Which is the first step followed by Vulnerability Scanners for scanning a network?
A. OS Detection
B. Firewall detection
C. TCP/UDP Port scanning
D. Checking if the remote host is alive
Selected Answer: D
Question #: 301
Topic #: 1
Which type of malware spreads from one system to another or from one network to another and causes similar types of damage as viruses do to the infected system?
A. Worm
B. Rootkit
C. Adware
D. Trojan
Selected Answer: A
Question #: 300
Topic #: 1
A post-breach forensic investigation revealed that a known vulnerability in Apache Struts was to blame for the Equifax data breach that affected 143 million customers. A fix was available from the software vendor for several months prior to the intrusion. This is likely a failure in which of the following security processes?
A. Secure development lifecycle
B. Security awareness training
C. Vendor risk management
D. Patch management
Selected Answer: D
Question #: 299
Topic #: 1
BitLocker encryption has been implemented for all the Windows-based computers in an organization. You are concerned that someone might lose their cryptographic key. Therefore, a mechanism was implemented to recover the keys from Active Directory.
What is this mechanism called in cryptography?
A. Key archival
B. Certificate rollover
C. Key escrow
D. Key renewal
Selected Answer: C
Question #: 291
Topic #: 1
Miley, a professional hacker, decided to attack a target organization’s network. To perform the attack, she used a tool to send fake ARP messages over the target network to link her MAC address with the target system’s IP address. By doing this, Miley received messages directed to the victim’s MAC address and further used the tool to intercept, steal, modify, and block sensitive communication to the target system.
What is the tool employed by Miley to perform the above attack?
A. Wireshark
B. BetterCAP
C. DerpNSpoof
D. Gobbler
Selected Answer: B
Question #: 281
Topic #: 1
What useful information is gathered during a successful Simple Mail Transfer Protocol (SMTP) enumeration?
A. A list of all mail proxy server addresses used by the targeted host.
B. The internal command RCPT provides a list of ports open to message traffic.
C. The two internal commands VRFY and EXPN provide a confirmation of valid users, email addresses, aliases, and mailing lists.
D. Reveals the daily outgoing message limits before mailboxes are locked.
Selected Answer: C
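VRFY and EXPN are ordinary SMTP verbs, so the enumeration is just a scripted conversation. The Python below is an added example, not EC-Council's or any tool's code: it drives a constructed in-memory stand-in for the mail server in which 250 confirms a user or expands a list, 550 rejects, and 252 or 502 is the answer of a server that has the verbs disabled, which the client treats as a signal to stop guessing. The host name, user names and list names are made up.

```python
"""SMTP user enumeration via VRFY/EXPN against a constructed fake server.
Added example: the mailbox directory, host name and user names are invented."""
import re

RESP_RE = re.compile(r"^(\d{3})([ -])(.*)$")   # code, continuation marker, text


class FakeSmtpServer:
    """Stands in for a socket to a real MTA; replies in the usual reply-code style."""

    def __init__(self, users, lists, vrfy_enabled=True):
        self.users, self.lists, self.vrfy_enabled = users, lists, vrfy_enabled
        self.outbox = ["220 mail.example.test ESMTP ready"]

    def sendline(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            self.outbox.append("250 mail.example.test")
        elif verb == "VRFY":
            if not self.vrfy_enabled:
                self.outbox.append("252 2.5.2 Cannot VRFY user, but will accept message")
            elif arg in self.users:
                self.outbox.append(f"250 2.1.5 {self.users[arg]} <{arg}@example.test>")
            else:
                self.outbox.append("550 5.1.1 User unknown")
        elif verb == "EXPN":
            members = self.lists.get(arg)
            if not members:
                self.outbox.append("550 5.1.1 List unknown")
            else:                       # multi-line reply: 250- continuations, 250 last
                for m in members[:-1]:
                    self.outbox.append(f"250-<{m}@example.test>")
                self.outbox.append(f"250 <{members[-1]}@example.test>")
        elif verb == "QUIT":
            self.outbox.append("221 Bye")
        else:
            self.outbox.append("502 5.5.2 Command not implemented")

    def readline(self):
        return self.outbox.pop(0)


def read_reply(srv):
    """Collect one (possibly multi-line) reply; return (code, [text lines])."""
    lines = []
    while True:
        code, sep, text = RESP_RE.match(srv.readline()).groups()
        lines.append(text)
        if sep == " ":                  # a space after the code ends the reply
            return int(code), lines


def enumerate_users(srv, candidates, lists=()):
    """Return which candidate names the server confirms, rejects, or refuses to discuss."""
    read_reply(srv)                     # banner
    srv.sendline("HELO probe.test")
    read_reply(srv)
    result = {"valid": [], "invalid": [], "vrfy_disabled": False, "lists": {}}
    for name in candidates:
        srv.sendline(f"VRFY {name}")
        code, _ = read_reply(srv)
        if code == 250:
            result["valid"].append(name)
        elif code in (252, 502):        # server will not confirm anything: stop guessing
            result["vrfy_disabled"] = True
            break
        else:
            result["invalid"].append(name)
    for lst in lists:
        srv.sendline(f"EXPN {lst}")
        code, text = read_reply(srv)
        if code == 250:
            result["lists"][lst] = [re.search(r"<([^>]+)>", t).group(1) for t in text]
    srv.sendline("QUIT")
    read_reply(srv)
    return result
```

On a live target the same enumerate_users function would be handed a thin socket wrapper exposing sendline and readline; the reply parser already copes with the 250- continuation lines EXPN produces. The defence is what the 252/502 branch models: Postfix's disable_vrfy_command = yes and Sendmail's novrfy/noexpn privacy options leave the client with no 250-versus-550 split to learn from.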
Question #: 276
Topic #: 1
An attacker can employ many methods to perform social engineering against unsuspecting employees, including scareware.
What is the best example of a scareware attack?
A. A pop-up appears to a user stating, “You have won a free cruise! Click here to claim your prize!”
B. A banner appears to a user stating, “Your account has been locked. Click here to reset your password and unlock your account.”
C. A pop-up appears to a user stating, “Your computer may have been infected with spyware. Click here to install an anti-spyware tool to resolve this issue.”
D. A banner appears to a user stating, “Your Amazon order has been delayed. Click here to find out your new delivery date.”
Selected Answer: C
Question #: 262
Topic #: 1
Tony wants to integrate a 128-bit symmetric block cipher with key sizes of 128, 192, or 256 bits into a software program, which involves 32 rounds of computational operations that include substitution and permutation operations on four 32-bit word blocks using 8-variable S-boxes with 4-bit entry and 4-bit exit.
Which of the following algorithms includes all the above features and can be integrated by Tony into the software program?
A. CAST-128
B. RC5
C. TEA
D. Serpent
Selected Answer: D
Question #: 209
Topic #: 1
A security analyst is investigating a potential network-level session hijacking incident. During the investigation, the analyst finds that the attacker has been using a technique in which they injected an authentic-looking reset packet using a spoofed source IP address and a guessed acknowledgment number. As a result, the victim’s connection was reset. Which of the following hijacking techniques has the attacker most likely used?
A. Blind hijacking
B. UDP hijacking
C. RST hijacking
D. TCP/IP hijacking
Selected Answer: C
Question #: 4
Topic #: 1
You are attempting to run an Nmap port scan on a web server. Which of the following commands would result in a scan of common ports with the least amount of noise in order to evade IDS?
A. nmap -A -Pn
B. nmap -sP -p-65535 -T5
C. nmap -sT -O -T0
D. nmap -A --host-timeout 99 -T1
Selected Answer: C
Question #: 5
Topic #: 1
This wireless security protocol allows 192-bit minimum-strength security protocols and cryptographic tools to protect sensitive data, such as GCMP-256, HMAC-SHA384, and ECDSA using a 384-bit elliptic curve.
Which is this wireless security protocol?
A. WPA3-Personal
B. WPA3-Enterprise
C. WPA2-Enterprise
D. WPA2-Personal
Selected Answer: B
Question #: 142
Topic #: 1
An ethical hacker is attempting to crack NTLM hashed passwords from a Windows SAM file using a rainbow table attack. He has dumped the on-disk contents of the SAM file successfully and noticed that all LM hashes are blank. Given this scenario, which of the following would be the most likely reason for the blank LM hashes?
A. The SAM file has been encrypted using the SYSKEY function.
B. The passwords exceeded 14 characters in length and therefore, the LM hashes were set to a “dummy” value.
C. The Windows system is Vista or a later version, where LM hashes are disabled by default.
D. The Windows system is using the Kerberos authentication protocol as the default method.
Selected Answer: C
Question #: 6
Topic #: 1
What are common files on a web server that can be misconfigured and provide useful information for a hacker such as verbose error messages?
A. httpd.conf
B. administration.config
C. php.ini
D. idq.dll
Selected Answer: C
Question #: 128
Topic #: 1
As a part of an ethical hacking exercise, an attacker is probing a target network that is suspected to employ various honeypot systems for security. The attacker needs to detect and bypass these honeypots without alerting the target. The attacker decides to utilize a suite of techniques. Which of the following techniques would NOT assist in detecting a honeypot?
A. Implementing a brute force attack to verify system vulnerability
B. Probing system services and observing the three-way handshake
C. Using honeypot detection tools like Send-Safe Honeypot Hunter
D. Analyzing the MAC address to detect instances running on VMware
Selected Answer: A
Question #: 189
Topic #: 1
As part of a college project, you have set up a web server for hosting your team’s application. Given your interest in cybersecurity, you have taken the lead in securing the server. You are aware that hackers often attempt to exploit server misconfigurations. Which of the following actions would best protect your web server from potential misconfiguration-based attacks?
A. Regularly backing up server data
B. Enabling multi-factor authentication for users
C. Implementing a firewall to filter traffic
D. Performing regular server configuration audits
Selected Answer: D
Question #: 185
Topic #: 1
In a recent cyber-attack against a large corporation, an unknown adversary compromised the network and began escalating privileges and moving laterally. The security team identified that the adversary used a sophisticated set of techniques, specifically targeting zero-day vulnerabilities. As a Certified Ethical Hacker (CEH) hired to understand this attack and propose preventive measures, which of the following actions will be most crucial for your initial analysis?
A. Identifying the specific tools used by the adversary for privilege escalation.
B. Analyzing the initial exploitation methods the adversary used.
C. Checking the persistence mechanisms used by the adversary in compromised systems.
D. Investigating the data exfiltration methods used by the adversary.
Selected Answer: B
Question #: 89
Topic #: 1
Attacker Rony installed a rogue access point within an organization’s perimeter and attempted to intrude into its internal network. Johnson, a security auditor, identified some unusual traffic in the internal network that is aimed at cracking the authentication mechanism. He immediately turned off the targeted network and tested for any weak and outdated security mechanisms that are open to attack.
What is the type of vulnerability assessment performed by Johnson in the above scenario?
A. Wireless network assessment
B. Application assessment
C. Host-based assessment
D. Distributed assessment
Selected Answer: A
Question #: 41
Topic #: 1
John wants to send Marie an email that includes sensitive information, and he does not trust the network that he is connected to. Marie gives him the idea of using PGP. What should John do to communicate correctly using this type of encryption?
A. Use his own private key to encrypt the message.
B. Use his own public key to encrypt the message.
C. Use Marie’s private key to encrypt the message.
D. Use Marie’s public key to encrypt the message.
Selected Answer: D
Question #: 22
Topic #: 1
Bobby, an attacker, targeted a user and decided to hijack and intercept all their wireless communications. He installed a fake communication tower between two authentic endpoints to mislead the victim. Bobby used this virtual tower to interrupt the data transmission between the user and the real tower, attempting to hijack an active session. Upon receiving the user’s request, Bobby manipulated the traffic with the virtual tower and redirected the victim to a malicious website.
What is the attack performed by Bobby in the above scenario?
A. aLTEr attack
B. Jamming signal attack
C. Wardriving
D. KRACK attack
Selected Answer: A
Question #: 68
Topic #: 1
What is the port to block first in case you are suspicious that an IoT device has been compromised?
A. 22
B. 48101
C. 80
D. 443
Selected Answer: B
Question #: 235
Topic #: 1
As a cybersecurity analyst for SecureNet, you are performing a security assessment of a new mobile payment application. One of your primary concerns is the secure storage of customer data on the device. The application stores sensitive information such as credit card details and personal identification numbers (PINs) on the device. Which of the following measures would best ensure the security of this data?
A. Enable GPS tracking for all devices using the app.
B. Regularly update the app to the latest version.
C. Encrypt all sensitive data stored on the device.
D. Implement biometric authentication for app access.
Selected Answer: C
Question #: 221
Topic #: 1
An IT security team is conducting an internal review of security protocols in their organization to identify potential vulnerabilities. During their investigation, they encounter a suspicious program running on several computers. Further examination reveals that the program has been logging all user keystrokes. How can the security team confirm the type of program and what countermeasures should be taken to ensure the same attack does not occur in the future?
A. The program is spyware; the team should use password managers and encrypt sensitive data.
B. The program is a keylogger; the team should employ intrusion detection systems and regularly update the system software.
C. The program is a keylogger; the team should educate employees about phishing attacks and maintain regular backups.
D. The program is a Trojan; the team should regularly update antivirus software and install a reliable firewall.
Selected Answer: B
Question #: 216
Topic #: 1
Your company, Encryptor Corp, is developing a new application that will handle highly sensitive user information. As a cybersecurity specialist, you want to ensure this data is securely stored. The development team proposes a method where data is hashed and then encrypted before storage. However, you want an added layer of security to verify the integrity of the data upon retrieval. Which of the following cryptographic concepts should you propose to the team?
A. Switch to elliptic curve cryptography.
B. Implement a block cipher mode of operation.
C. Apply a digital signature mechanism.
D. Suggest using salt with hashing.
Selected Answer: C
Question #: 199
Topic #: 1
An ethical hacker is scanning a target network. They initiate a TCP connection by sending a SYN packet to a target machine and receive a SYN/ACK packet in response. But instead of completing the three-way handshake with an ACK packet, they send an RST packet. What kind of scan is the ethical hacker likely performing and what is their goal?
A. They are performing an SYN scan to stealthily identify open ports without fully establishing a connection.
B. They are performing a network scan to identify live hosts and their IP addresses.
C. They are performing a TCP connect scan to identify open ports on the target machine.
D. They are performing a vulnerability scan to identify any weaknesses in the target system.
Selected Answer: A
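Both the RST hijacking of Question 209 and the half-open scan of Question 199 come down to which TCP flags and sequence numbers a receiver will act on. The Python below is an added example, not page or tool code: it builds and checksums TCP segments with struct, walks the SYN, SYN/ACK, RST exchange of a SYN scan, and implements the receiver rule that decides whether a forged RST lands. Addresses, ports and initial sequence numbers are constructed. Note that what a receiver validates on a RST is the segment's sequence number, so the number the attacker in the scenario has to guess is the one the victim expects next.

```python
"""Minimal TCP segment builder/parser plus the receiver rule (RFC 793 versus
RFC 5961) that decides whether a spoofed RST with a guessed sequence number
lands. Added example; addresses, ports and sequence numbers are constructed."""
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    ip = lambda s: bytes(int(o) for o in s.split("."))
    return struct.pack("!4s4sBBH", ip(src_ip), ip(dst_ip), 0, 6, tcp_len)


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, window=65535, payload=b""):
    """Return a 20-byte TCP header (no options) + payload with a valid checksum."""
    def hdr(csum):
        return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, csum, 0)
    csum = checksum(_pseudo_header(src_ip, dst_ip, 20 + len(payload)) + hdr(0) + payload)
    return hdr(csum) + payload


def parse_tcp(segment: bytes) -> dict:
    sport, dport, seq, ack, _off, flags, window, csum, _urg = struct.unpack("!HHIIBBHHH", segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": window, "csum": csum}


def tcp_checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver-side validation: pseudo-header + segment must checksum to zero."""
    return checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def rst_outcome(rcv_nxt: int, rcv_wnd: int, rst_seq: int, strict: bool = True) -> str:
    """What the receiver does with an incoming RST carrying sequence number rst_seq.
    RFC 793 (strict=False): any RST inside the receive window tears the connection down.
    RFC 5961 (strict=True, modern stacks): only SEQ == RCV.NXT resets; an in-window
    miss gets a challenge ACK; anything outside the window is dropped."""
    in_window = (rst_seq - rcv_nxt) % (1 << 32) < rcv_wnd
    if not in_window:
        return "dropped"
    if strict and rst_seq != rcv_nxt:
        return "challenge-ack"
    return "reset"


def half_open_scan(scanner_ip, target_ip, sport, dport, isn_scanner, isn_target):
    """SYN scan exchange: SYN, SYN/ACK, then RST instead of the handshake's final ACK.
    Returns the flag byte of each segment in order."""
    syn = build_tcp(scanner_ip, target_ip, sport, dport, isn_scanner, 0, SYN)
    synack = build_tcp(target_ip, scanner_ip, dport, sport, isn_target, isn_scanner + 1, SYN | ACK)
    rst = build_tcp(scanner_ip, target_ip, sport, dport, isn_scanner + 1, 0, RST)
    return [parse_tcp(s)["flags"] for s in (syn, synack, rst)]
```

rst_outcome(strict=False) is the original RFC 793 behaviour, where any in-window RST kills the connection and a window-sized guess is enough; strict=True is the RFC 5961 rule current Linux and Windows stacks apply, where only an exact match on the expected sequence number resets and an in-window miss earns a challenge ACK. For the analyst that means a blind reset against a patched host needs the exact number, and a run of challenge ACKs in a capture is itself evidence of the attempt.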
Question #: 186
Topic #: 1
Jason, a certified ethical hacker, is hired by a major e-commerce company to evaluate their network’s security. As part of his reconnaissance, Jason is trying to gain as much information as possible about the company’s public-facing servers without arousing suspicion. His goal is to find potential points of entry and map out the network infrastructure for further examination. Which technique should Jason employ to gather this information without alerting the company’s intrusion detection systems (IDS)?
A. Jason should directly connect to each server and attempt to exploit known vulnerabilities.
B. Jason should use passive reconnaissance techniques such as WHOIS lookups, NS lookups, and web research.
C. Jason should use a DNS zone transfer to gather information about the company’s servers.
D. Jason should perform a ping sweep to identify all the live hosts in the company’s IP range.
Selected Answer: B
Question #: 155
Topic #: 1
As a cybersecurity analyst at TechSafe Inc., you are working on a project to improve the security of a smart home system. This IoT-enabled system controls various aspects of the home, from heating and lighting to security cameras and door locks. Your client wants to ensure that even if one device is compromised, the rest of the system remains secure. Which of the following strategies would be most effective for this purpose?
A. Recommend using a strong password for the smart home system’s main control panel.
B. Suggest implementing two-factor authentication for the smart home system’s mobile app.
C. Propose frequent system resets to clear any potential malware.
D. Advise using a dedicated network for the smart home system, separate from the home’s main Wi-Fi network.
Selected Answer: D
Question #: 171
Topic #: 1
A company recently experienced a debilitating social engineering attack that led to substantial identity theft. An inquiry found that the employee inadvertently provided critical information during an innocuous phone conversation. Considering the specific guidelines issued by the company to thwart social engineering attacks, which countermeasure would have been the most successful in averting the incident?
A. Conduct comprehensive training sessions for employees on various social engineering methodologies and the risks associated with revealing confidential data.
B. Implement a well-documented change management process for modifications related to hardware or software.
C. Adopt a robust software policy that restricts the installation of unauthorized applications.
D. Reinforce physical security measures to limit access to sensitive zones within the company premises, thereby warding off unauthorized intruders.
Selected Answer: A
Question #: 162
Topic #: 1
Consider a hypothetical situation where an attacker, known for his proficiency in SQL Injection attacks, is targeting your web server. This adversary meticulously crafts ‘q’ malicious SQL queries, each inducing a delay of ‘d’ seconds in the server response. This delay in response is an indicator of a potential attack. If the total delay, represented by the product ‘q*d’, crosses a defined threshold ‘T’, an alert is activated in your security system. Furthermore, it is observed that the attacker prefers prime numbers for ‘q’, and ‘d’ follows a pattern in the Fibonacci sequence. Now, consider ‘d=13’ seconds (a Fibonacci number) and various values of ‘q’ (a prime number) and ‘T’. Which among the following scenarios will most likely trigger an alert?
A. q=17, T=220: Even though the attacker increases ‘q’, the total delay (‘q*d’ = 221 seconds) just surpasses the threshold, possibly activating an alert.
B. q=13, T=180: In this case, the total delay caused by the attacker (‘q*d’ = 169 seconds) breaches the threshold, likely leading to the triggering of a security alert.
C. q=11, T=150: Here, the total delay induced by the attacker (‘q*d’ = 143 seconds) does not surpass the threshold, so the security system remains dormant.
D. q=19, T=260: Despite the attacker’s increased effort, the total delay (‘q*d’ = 247 seconds) does not exceed the threshold, thus no alert is triggered.
Selected Answer: A
Question #: 138
Topic #: 1
You are a cybersecurity consultant for a healthcare organization that utilizes Internet of Medical Things (IoMT) devices, such as connected insulin pumps and heart rate monitors, to provide improved patient care. Recently, the organization has been targeted by ransomware attacks. While the IT infrastructure was unaffected due to robust security measures, they are worried that the IoMT devices could be potential entry points for future attacks. What would be your main recommendation to protect these devices from such threats?
A. Disable all wireless connectivity on IoMT devices.
B. Regularly change the IP addresses of all IoMT devices.
C. Use network segmentation to isolate IoMT devices from the main network.
D. Implement multi-factor authentication for all IoMT devices.
Selected Answer: C
Question #: 131
Topic #: 1
A large enterprise has been experiencing sporadic system crashes and instability, resulting in limited access to its web services. The security team suspects it could be a result of a Denial of Service (DoS) attack. A significant increase in traffic was noticed in the network logs, with patterns suggesting packet sizes exceeding the prescribed size limit. Which among the following DoS attack techniques best describes this scenario?
A. Smurf attack
B. UDP flood attack
C. Pulse wave attack
D. Ping of Death attack
Selected Answer: D
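The symptom in the scenario, packets larger than the protocol allows, is the Ping of Death: fragments whose offsets and lengths reassemble to more than the 65,535-byte IPv4 maximum. The Python below is an added example, not part of the exam material: it fragments a datagram the way a sending stack would, applies the per-fragment arrival bound a patched receiver uses, and scores whole fragment sets from a capture. Identification values and sizes are constructed.

```python
"""Ping of Death check: IPv4 fragments that reassemble beyond the 65,535-byte
maximum. Added example; identification values and sizes are constructed."""
from collections import defaultdict
from dataclasses import dataclass

IPV4_MAX_TOTAL = 65535       # limit of the 16-bit Total Length field
IP_HEADER_LEN = 20           # header without options


@dataclass(frozen=True)
class Fragment:
    ident: int      # IP Identification, shared by all fragments of one datagram
    offset: int     # Fragment Offset field, in 8-byte units
    length: int     # payload bytes carried by this fragment
    more: bool      # MF flag


def fragment_payload(ident, payload_len, mtu=1500):
    """Split a datagram payload into fragments the way a sending stack does.
    An oversized ping is nothing more than this with a payload that is too big."""
    chunk = (mtu - IP_HEADER_LEN) // 8 * 8     # all but the last fragment are multiples of 8
    frags, pos = [], 0
    while pos < payload_len:
        length = min(chunk, payload_len - pos)
        frags.append(Fragment(ident, pos // 8, length, pos + length < payload_len))
        pos += length
    return frags


def fragment_fits(frag):
    """Arrival-time bound a patched receiver applies before buffering a fragment:
    header plus the end of this fragment must stay within the 16-bit total length."""
    return IP_HEADER_LEN + frag.offset * 8 + frag.length <= IPV4_MAX_TOTAL


def reassembled_total(frags):
    """Total datagram length the fragments would reassemble to."""
    return IP_HEADER_LEN + max(f.offset * 8 + f.length for f in frags)


def find_oversized(frags):
    """Group captured fragments by Identification and report datagrams that overflow."""
    groups = defaultdict(list)
    for f in frags:
        groups[f.ident].append(f)
    return {ident: reassembled_total(g) for ident, g in groups.items()
            if reassembled_total(g) > IPV4_MAX_TOTAL}
```

A 65,515-byte payload is the largest legal one (20 + 65,515 = 65,535); three bytes more already fails the per-fragment bound on the last fragment, which is why a fixed stack never has to allocate the overflowing buffer. In a real capture the grouping key should include source, destination and protocol alongside the Identification field, since unrelated datagrams can reuse the same 16-bit value.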
Question #: 133
Topic #: 1
Jake, a network security specialist, is trying to prevent network-level session hijacking attacks in his company. While studying different types of such attacks, he learns about a technique where an attacker inserts their machine into the communication between a client and a server, making it seem like the packets are flowing through the original path. This technique is primarily used to reroute the packets. Which of the following types of network-level session hijacking attacks is Jake studying?
A. TCP/IP Hijacking
B. RST Hijacking
C. UDP Hijacking
D. Man-in-the-middle Attack Using Forged ICMP and ARP Spoofing
Selected Answer: D
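Questions 291 and 133 both describe ARP-spoofed man-in-the-middle positioning: the attacker answers ARP for addresses that are not theirs until the victim's and the gateway's caches both point at the attacker's MAC. The Python below is an added example, not BetterCAP's or any other tool's code, showing the three signals a passive sensor on the segment can use to spot it; the capture and the MAC/IP values are constructed.

```python
"""ARP cache poisoning detection over a capture of ARP packets. Added example:
the capture below is constructed and the MAC/IP values are placeholders."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Arp:
    ts: float
    op: int            # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def detect_arp_spoofing(packets, trusted=None):
    """Walk the packets in time order and return (ts, rule, subject, detail) alerts.
    binding-change           an IP seen earlier with one MAC is now claimed by another
    mac-claims-multiple-ips  one MAC answers for two or more IPs (attacker posing as
                             both victim and gateway)
    unsolicited-reply        a reply for which no request was outstanding
    trusted: optional static {ip: mac} bindings (e.g. the gateway) that are never overwritten."""
    trusted = dict(trusted or {})
    table = dict(trusted)
    pending = set()                        # IPs with an outstanding request
    ips_by_mac = defaultdict(set)
    alerts = []
    for p in sorted(packets, key=lambda x: x.ts):
        if p.op == 1:
            pending.add(p.target_ip)
        elif p.op == 2:
            if p.sender_ip in pending:
                pending.discard(p.sender_ip)
            else:
                alerts.append((p.ts, "unsolicited-reply", p.sender_ip, p.sender_mac))
        else:
            continue
        known = table.get(p.sender_ip)     # sender fields carry a binding in both opcodes
        if known is not None and known != p.sender_mac:
            alerts.append((p.ts, "binding-change", p.sender_ip, f"{known} -> {p.sender_mac}"))
        if p.sender_ip not in trusted:
            table[p.sender_ip] = p.sender_mac
        ips_by_mac[p.sender_mac].add(p.sender_ip)
        if len(ips_by_mac[p.sender_mac]) > 1:
            alerts.append((p.ts, "mac-claims-multiple-ips", p.sender_mac,
                           ", ".join(sorted(ips_by_mac[p.sender_mac]))))
    return alerts


# Constructed capture: a normal lookup, then the attacker poisoning both sides.
VICTIM, GATEWAY, ATTACKER = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "de:ad:be:ef:00:01"
SAMPLE_CAPTURE = [
    Arp(0.00, 1, VICTIM, "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"),  # who has .1?
    Arp(0.01, 2, GATEWAY, "192.168.1.1", VICTIM, "192.168.1.10"),               # real gateway answers
    Arp(5.00, 2, ATTACKER, "192.168.1.1", VICTIM, "192.168.1.10"),              # poison the victim
    Arp(5.01, 2, ATTACKER, "192.168.1.10", GATEWAY, "192.168.1.1"),             # poison the gateway
]


def run_sample(trusted=None):
    return detect_arp_spoofing(SAMPLE_CAPTURE, trusted)
```

binding-change is the dependable rule; mac-claims-multiple-ips also fires on legitimate hosts with IP aliases or bridged virtual machines, so weigh it together with the other two. Passing trusted={"192.168.1.1": "aa:bb:cc:dd:ee:01"} pins the gateway the way a static ARP entry, or DHCP snooping with Dynamic ARP Inspection on the switch, does in production.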
Question #: 127
Topic #: 1
In an advanced persistent threat scenario, an adversary follows a detailed set of procedures in the cyber kill chain. During one such instance, the adversary has successfully gained access to a corporate network and now attempts to obfuscate malicious traffic within legitimate network traffic. Which of the following actions would most likely be part of the adversary’s current procedures?
A. Employing data staging techniques to collect and aggregate sensitive data.
B. Initiating DNS tunneling to communicate with the command-and-control server.
C. Establishing a command-and-control server to communicate with compromised systems.
D. Conducting internal reconnaissance using PowerShell scripts.
Selected Answer: B
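Tunnelling command-and-control traffic through DNS hides it inside a protocol almost every network must let out. The Python below is an added example, not any product's detection logic: it scores each query on subdomain length, label entropy, label count and record type, then aggregates per client and registered domain so that a burst of encoded names to one domain stands out. The log lines, domain names and thresholds are constructed starting points rather than tuned values.

```python
"""DNS tunnelling indicators over a query log. Added example; the log lines and
domains are constructed and the thresholds are starting points, not tuned values."""
import math
from collections import defaultdict

# Constructed log: "timestamp client qtype qname"
LOG = """\
2024-05-01T10:00:01 10.1.1.20 A www.example.com
2024-05-01T10:00:02 10.1.1.20 A cdn.example.com
2024-05-01T10:00:03 10.1.1.31 TXT 0a3f9c1e7b2d4e6f8a9b0c1d2e3f4a5b.6c7d8e9fa0b1c2d3e4f5a6b7.t.tunnel.example.net
2024-05-01T10:00:03 10.1.1.31 TXT 1b4e8d2f9c3a5e7f0b1c2d3e4f5a6b7c.8d9e0fa1b2c3d4e5f6a7b8c9.t.tunnel.example.net
2024-05-01T10:00:04 10.1.1.31 TXT 2c5f9e3a0d4b6f8e1c2d3e4f5a6b7c8d.9e0fa1b2c3d4e5f6a7b8c9d0.t.tunnel.example.net
2024-05-01T10:00:05 10.1.1.20 AAAA mail.example.com
2024-05-01T10:00:06 10.1.1.31 TXT 3d6a0f4b1e5c7a9f2d3e4f5a6b7c8d9e.0fa1b2c3d4e5f6a7b8c9d0e1.t.tunnel.example.net
"""


def shannon_entropy(s):
    """Bits per character: up to 4 for hex, 5 for base32; short English labels sit far lower."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, client, qtype, qname = line.split()
        rows.append({"ts": ts, "client": client, "qtype": qtype.upper(),
                     "qname": qname.rstrip(".").lower()})
    return rows


def registered_domain(qname):
    """Naive last-two-labels split; production code uses the Public Suffix List."""
    return ".".join(qname.split(".")[-2:])


def score_query(row):
    """Per-query score and the reasons behind it."""
    labels = row["qname"].split(".")
    sub = ".".join(labels[:-2])            # everything left of the registered domain
    score, reasons = 0, []
    if len(sub) > 50:                      # encoded payload needs room
        score += 2
        reasons.append("long-subdomain")
    if shannon_entropy(sub.replace(".", "")) > 3.0:
        score += 2
        reasons.append("high-entropy")
    if len(labels) > 4:                    # chunked data spread over several labels
        score += 1
        reasons.append("many-labels")
    if row["qtype"] in ("TXT", "NULL"):    # large answers for the downstream channel
        score += 1
        reasons.append("bulk-rrtype")
    return score, reasons


def find_tunnels(rows, min_score=4, min_queries=3, min_ratio=0.8):
    """Aggregate per (client, registered domain); flag pairs where most queries look encoded."""
    agg = defaultdict(lambda: {"n": 0, "suspicious": 0, "reasons": set()})
    for r in rows:
        key = (r["client"], registered_domain(r["qname"]))
        s, reasons = score_query(r)
        agg[key]["n"] += 1
        if s >= min_score:
            agg[key]["suspicious"] += 1
            agg[key]["reasons"].update(reasons)
    return {k: v for k, v in agg.items()
            if v["n"] >= min_queries and v["suspicious"] / v["n"] >= min_ratio}
```

The per-query score alone is noisy (CDNs and anti-spam services also emit long, hash-like labels), which is why the aggregation step keys on client and registered domain and requires a sustained ratio; add query volume per minute and unique-subdomain counts for the same key to tighten it further.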
Question #: 59
Topic #: 1
Jim, a professional hacker, targeted an organization that is operating critical industrial infrastructure. Jim used Nmap to scan open ports and running services on systems connected to the organization’s OT network. He used an Nmap command to identify Ethernet/IP devices connected to the Internet and further gathered information such as the vendor name, product code and name, device name, and IP address.
Which of the following Nmap commands helped Jim retrieve the required information?
A. nmap -Pn -sT --scan-delay 1s --max-parallelism 1 -p < Port List > < Target IP >
B. nmap -Pn -sU -p 44818 --script enip-info < Target IP >
C. nmap -Pn -sT -p 46824 < Target IP >
D. nmap -Pn -sT -p 102 --script s7-info < Target IP >
Selected Answer: B
Question #: 49
Topic #: 1
Allen, a professional pen tester, was hired by XpertTech Solutions to perform an attack simulation on the organization’s network resources. To perform the attack, he took advantage of the NetBIOS API and targeted the NetBIOS service. By enumerating NetBIOS, he found that port 139 was open and could see the resources that could be accessed or viewed on a remote system. He came across many NetBIOS codes during enumeration.
Which NetBIOS code identifies the messenger service running for the logged-in user?
A. <00>
B. <20>
C. <03>
D. <1B>
Selected Answer: C
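The NetBIOS suffix codes in the question are the 16th byte of a name, and they travel on the wire in the first-level encoding from RFC 1001/1002: each of the 16 bytes becomes two letters in the range A-P. The Python below is an added example, not part of the exam material, that encodes and decodes names with a given suffix and builds the node-status query nbtstat -A sends to UDP port 137 to pull a remote name table (the session service the question mentions is on TCP 139). The host name and transaction id are constructed.

```python
"""NetBIOS name first-level encoding (RFC 1001/1002) and a node-status query.
Added example; the host name and transaction id are constructed."""
import struct

SUFFIXES = {                 # 16th byte of the name, as shown by nbtstat
    0x00: "workstation service",
    0x03: "messenger service",
    0x20: "file server service",
    0x1B: "domain master browser",
}


def encode_netbios_name(name, suffix, pad=b" "):
    """Pad to 15 bytes, append the suffix byte, then map each nibble to 'A' + nibble."""
    raw = name.upper().encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    return "".join(chr(ord("A") + (b >> 4)) + chr(ord("A") + (b & 0x0F)) for b in raw)


def decode_netbios_name(encoded):
    """Reverse the encoding; returns (name, suffix)."""
    if len(encoded) != 32 or any(not "A" <= c <= "P" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - 65) << 4) | (ord(encoded[i + 1]) - 65)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def describe_suffix(suffix):
    return SUFFIXES.get(suffix, f"unknown <{suffix:02X}>")


def build_node_status_query(txid=0x1337):
    """NBSTAT query for '*': asks a host on UDP/137 for its whole name table.
    Header: id, flags 0, 1 question, 0 answer/authority/additional records."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = encode_netbios_name("*", 0x00, pad=b"\x00").encode("ascii")
    question = bytes([32]) + qname + b"\x00" + struct.pack("!HH", 0x0021, 0x0001)
    return header + question
```

The '*' name pads with NUL bytes rather than spaces, which is why every node-status probe on the wire carries the recognisable CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA label; that string is a cheap IDS signature for NetBIOS enumeration.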
Question #: 46
Topic #: 1
Infecting a system with malware and using phishing to gain credentials to a system or web application are examples of which phase of the ethical hacking methodology?
A. Scanning
B. Gaining access
C. Maintaining access
D. Reconnaissance
Selected Answer: B