Summer Sale Discount Flat 70% Offer - Ends in 0d 00h 00m 00s - Coupon code: 70diswrap

ECCouncil 312-50v13 Dumps

Page: 1 / 80
Total 797 questions

Certified Ethical Hacker Exam (CEHv13) Questions and Answers

Question 1

Which advanced session-hijacking technique is hardest to detect and mitigate?

Options:

A.

Covert XSS attack

B.

Man-in-the-Browser (MitB) attack

C.

Passive sniffing on Wi-Fi

D.

Session fixation

Question 2

A CEH has mirrored a website, identified session hijacking risk, and wants to minimize detection. What is the most appropriate next step?

Options:

A.

Attempt SQL Injection

B.

Hijack a session and modify server configuration

C.

Launch brute-force attacks

D.

Perform automated vulnerability scanning

Question 3

A large chemical plant uses operational technology (OT) networks to control its industrial processes. Recently, abnormal behavior is observed from PLCs, suggesting a stealthy compromise via malicious firmware. Which action should the team take FIRST to verify and neutralize the issue?

Options:

A.

Immediately isolate suspicious devices

B.

Perform detailed inspections of device software for unauthorized modifications

C.

Implement enhanced IDS rules

D.

Restrict remote administrative access

Question 4

A sophisticated injection attack bypassed validation using obfuscation. What is the best future defense?

Options:

A.

Continuous code review and penetration testing

B.

Deploy WAF with evasion detection

C.

SIEM monitoring

D.

Enforce 2FA

Question 5

A regional healthcare provider in Portland, Oregon, recently migrated its patient scheduling portal to a new cloud platform. Within days, multiple patients reported that when searching online for the clinic ' s appointment system, they were directed to a website that looked identical to the official portal. The fraudulent page appeared prominently in search engine results and prompted users to log in using their patient credentials. The URL closely resembled the legitimate domain name, and no internal DNS servers had been altered within the organization ' s infrastructure. Security analysts later determined that the attacker had created a convincing replica of the portal and manipulated search visibility so that unsuspecting users would voluntarily navigate to the malicious site. Which type of social engineering technique best explains this attack?

Options:

A.

Whaling

B.

Pharming

C.

Spear Phishing

D.

Search Engine Phishing

Question 6

A penetration tester is attacking a wireless network running WPA3 encryption. Since WPA3 handshake protections prevent offline brute-force cracking, what is the most effective approach?

Options:

A.

Downgrade the connection to WPA2 and capture the handshake to crack the key

B.

Execute a dictionary attack on the WPA3 handshake using common passwords

C.

Perform a brute-force attack directly on the WPA3 handshake

D.

Perform a SQL injection attack on the router ' s login page

Question 7

You are a wireless auditor at SeaFront Labs in San Diego, California, engaged to review the radio-layer protections used by a biotech research facility. While capturing traffic in monitor mode, you observe frames that include a CCMP-like header and AES-based encryption, and you note the use of a four-way handshake with a packet number (PN) for replay protection — features that were introduced to replace older TKIP/RC4 approaches. Based on these observed characteristics, which wireless encryption protocol is the access point most likely using?

Options:

A.

WPA2

B.

WPA

C.

WPA3

D.

WEP

Question 8

An organization lacks centralized logs. Which attack phase is hardest to detect?

Options:

A.

Lateral movement

B.

Recon

C.

Delivery

D.

Initial access

Question 9

A competing technology firm begins releasing products that closely mirror the design, pricing strategy, and feature roadmap of ApexDynamics Inc. An internal review reveals that detailed information about ApexDynamics ' s upcoming initiatives had been gradually collected through publicly available sources and external disclosures before product launch. Which footprinting-related threat does this scenario best represent?

Options:

A.

Corporate Espionage

B.

Business Loss

C.

Information Leakage

D.

Social Engineering

Question 10

A web app deserializes untrusted data leading to RCE. What flaw exists?

Options:

A.

SSTI

B.

Insecure deserialization

C.

SQLi

D.

XSS

Question 11

Your company was hired by a small healthcare provider to perform a technical assessment on the network. What is the best approach for discovering vulnerabilities on a Windows-based computer?

Options:

A.

Check MITRE.org for the latest list of CVE findings

B.

Use a scan tool like Nessus

C.

Create a disk image of a clean Windows installation

D.

Use the built-in Windows Update tool

Question 12

During a red team exercise at Horizon Financial Services in Chicago, ethical hacker Clara crafts an email designed to trick the company’s CEO. The message, disguised as an urgent memo from the legal department, warns of a pending lawsuit and includes a link to a fake internal portal requesting the executive’s credentials. Unlike generic phishing, this attack is tailored specifically toward a high-ranking individual with decision-making authority.

Options:

A.

Whaling

B.

Spear Phishing

C.

Clone Phishing

D.

Consent Phishing

Question 13

In the bustling digital marketplace of Miami ' s tech corridor, ethical hacker Sofia Alvarez probes the virtual defenses of RetailRush, a US-based online retailer hosting thousands of daily transactions. Tasked with exposing weaknesses in the web server ' s URL processing, Sofia submits crafted requests to manipulate resource paths. Her tests uncover a severe flaw: the server grants access to restricted system files, exposing sensitive configuration data. Further scrutiny reveals the issue stems from the server ' s failure to validate input paths, not from header manipulation, cached content tampering, or credential compromise. Committed to hardening the platform, Sofia drafts a precise report to direct the security team toward immediate fixes.

Which web server attack type is Sofia most likely exploiting in RetailRush ' s web server?

Options:

A.

Directory Traversal Attack

B.

Web Cache Poisoning Attack

C.

HTTP Response Splitting Attack

D.

Password Cracking Attack

Question 14

During a penetration test at a technology startup in Austin, Texas, an ethical hacker is tasked with evaluating defenses against stealthy scanning techniques. She selects an approach that involves sending TCP packets with no flags, relying on the way target systems respond to infer whether ports are open or closed. This allows her to remain less visible to intrusion detection systems compared to a full handshake. Which scanning method is she using?

Options:

A.

TCP Connect Scan

B.

FIN Scan

C.

NULL Scan

D.

ACK Scan

Question 15

A financial services firm detects that outbound corporate emails containing sensitive underwriting data were intercepted while transmitted over unsecured channels. To immediately restore confidentiality and ensure authenticity of executive communications, the security operations team deploys a standardized email encryption framework compatible with the organization’s Microsoft Outlook environment.

The selected solution must support digital signatures for sender authentication, rely on a public-key infrastructure for secure key exchange, and enable recipients to validate signed messages using certificates issued by trusted authorities.

Identify the email encryption standard that best fulfills these requirements.

Options:

A.

FlowCrypt

B.

RMail

C.

S/MIME

D.

OpenPGP

Question 16

Following a suspected data breach at a pharmaceutical research lab in Cambridge, Massachusetts, forensic examiners identified several research documents that had been removed from normal directory listings on a compromised server.

When analysts examined the physical storage sectors previously associated with those files, they found that the sector contents no longer matched the historical allocation records, and no recognizable fragments of the original material could be reconstructed. The disk structure itself remained intact, and the storage medium showed no signs of hardware-level destruction.

Which anti-forensics technique best explains the attacker’s actions in this scenario?

Options:

A.

Data Hiding in File System Structures

B.

Data/File Deletion

C.

Overwriting Data/Metadata

D.

Artifact Wiping

Question 17

During a scheduled security review in a high-tech lab in Austin, Texas, penetration tester Lucas Bennett was assessing a state government’s new payroll system hosted in a private cloud. One humid afternoon, while fuzz testing the input validation logic of the TaxCalcEngine.dll module, he triggered a buffer overflow by submitting malformed taxpayer ID strings. The crash led to unintended disclosure of payroll data due to unchecked data boundaries. Lucas traced the issue to a coding oversight in a core processing module. Applying a structured analysis approach, which category best describes the vulnerability he discovered?

Options:

A.

Application Flaws

B.

Poor Patch Management

C.

Misconfigurations Weak Configurations

D.

Design Flaws

Question 18

A financial services firm is experiencing a sophisticated DoS attack on their DNS servers using DNS amplification and on their web servers using HTTP floods. Traditional firewall rules and IDS are failing to mitigate the attack effectively. To protect their infrastructure without impacting legitimate users, which advanced mitigation strategy should the firm implement?

Options:

A.

Increase server capacity and implement simple rate limiting

B.

Block all incoming traffic from suspicious IP ranges using access control lists

C.

Deploy a Web Application Firewall (WAF) to filter HTTP traffic

D.

Utilize a cloud-based DDoS protection service with traffic scrubbing capabilities

Question 19

What is lateral movement?

Options:

A.

Data exfiltration

B.

Pivoting

C.

Privilege escalation

D.

Network traversal

Question 20

After the completion of the pen test, you have provided the client with a list of controls to implement to reduce the identified risk. What term best describes the risk that remains after the controls have been implemented?

Options:

A.

Inherent risk

B.

Residual risk

C.

Gap analysis

D.

Total risk

Question 21

During a forensic log review at a satellite communications provider in Denver, Colorado, cybersecurity analyst Kevin Morales identified subtle timestamp irregularities in archived telemetry records. Although the discrepancies were minor, regulatory reporting standards required confirmation that the system clock was synchronizing correctly with its configured time sources.

Kevin needed to interact directly with the host’s running time service to review its current associations and operational state. He was not attempting to reset the clock or trace the hierarchy of upstream time authorities, but rather to query the active service for detailed status information from the target machine.

Identify the command Kevin should execute to obtain this information.

Options:

A.

ntptrace [-n] [-m maxhosts] [servername/IP address]

B.

ntpq [-inp] [-c command] [host] [...]

C.

ntpdc [-ilnps] [-c command] [host] [...]

D.

ntpq -p [host]

Question 22

During a quarterly vulnerability management review at RedCore Motors, Priya finalizes the deployment of Nessus Essentials across the company ' s IT infrastructure. The solution is selected for its ability to support diverse technologies including operating systems, databases, web servers, and virtual environments. While preparing a training session for junior analysts, Priya asks them to identify a capability that Nessus Essentials is specifically designed to provide as part of its scanning process.

Which capability is Nessus Essentials specifically designed to provide?

Options:

A.

Patch management for operating systems and third-party applications

B.

High-speed asset discovery

C.

Checks for outdated versions across a wide range of server and service technologies

D.

Agent-based detection

Question 23

Why explore the Deep Web during reconnaissance?

Options:

A.

Insider threats

B.

Physical attacker locations

C.

Learning hacking techniques

D.

Non-indexed company data exposure

Question 24

Who are “script kiddies” in the context of ethical hacking?

Options:

A.

Highly skilled hackers who write custom scripts

B.

Novices who use scripts developed by others

C.

Ethical hackers using scripts for penetration testing

D.

Hackers specializing in scripting languages

Question 25

Why is NTP responding with internal IP addresses and hostnames?

Options:

A.

TCP fallback abuse

B.

DNS poisoning

C.

Honeypot redirection

D.

Misconfigured NTP daemon allowing external queries

Question 26

During a penetration testing engagement at First Union Bank in Chicago, ethical hacker Rachel Morgan is assigned to assess the internal network for potential sniffing activity that could compromise sensitive customer data. While inspecting traffic in the loan processing department, Rachel observes that a workstation is receiving packets not addressed to it, raising suspicion of a sniffing tool operating in promiscuous mode. To validate her hypothesis, she prepares to conduct an active verification using a classic detection approach.

Which detection technique should Rachel use to confirm the presence of a sniffer in this case?

Options:

A.

Sniffer detection using an NSE script to check for promiscuous mode

B.

DNS method by monitoring reverse DNS lookup traffic

C.

ARP method by sending non-broadcast ARP requests

D.

Ping method by sending packets with an incorrect MAC address

Question 27

A U.S.-based online securities trading firm in New York is reviewing its transaction authentication process. The security team confirms that each transaction is processed by first generating a hash of the transaction data. The hash value is then signed using the sender ' s private key. During verification, the recipient uses the corresponding public key to validate the signature before approving the transaction. The system documentation specifies that the same algorithm supports encryption, digital signatures, and key exchange mechanisms within the organization ' s secure communications infrastructure. Which encryption algorithm is being used in this implementation?

Options:

A.

ElGamal

B.

Diffie-Hellman

C.

DSA

D.

RSA

Question 28

During a red team simul-ation, an attacker crafts packets with malformed checksums so the IDS accepts them but the target silently discards them. Which evasion technique is being employed?

Options:

A.

Insertion attack

B.

Polymorphic shellcode

C.

Session splicing

D.

Fragmentation attack

Question 29

You are part of the red team assigned to evaluate the physical and social vulnerabilities of a government contractor ' s office located in a metropolitan business hub. During your pretexting phase, you decide to simulate the role of a third-party IT technician. Upon arrival, the receptionist allows you entry without verifying credentials, assuming you ' re there for scheduled printer maintenance. While moving through the workspace, you casually observe open terminals, unattended printouts, and discarded sticky notes at workstations. You later report several user credentials and partial access details acquired during this visit.

Which social engineering technique does this scenario best illustrate?

Options:

A.

Shoulder Surfing

B.

Eavesdropping

C.

Impersonation

D.

Dumpster Diving

Question 30

A DevOps engineer at a Toronto-based SaaS provider deploys a multi-tenant application within a shared orchestration environment. During a security assessment, a penetration tester discovers that a compromised workload is able to access host-level system resources and interact with adjacent workloads beyond its intended isolation controls.

Further investigation reveals that the workload was launched with elevated privileges and insufficient runtime restrictions, allowing the attacker to cross the intended isolation boundary and gain unauthorized access to the underlying infrastructure.

Which cloud attack technique best describes this security weakness?

Options:

A.

Man-in-the-Cloud Attack

B.

Side-Channel Attack

C.

Container Escape

D.

Golden SAML Attack

Question 31

Maya Patel from SecureHorizon Consulting is called to investigate a security breach at Dallas General Hospital in Dallas, Texas, where a lost employee smartphone was used to access sensitive patient records. During her analysis, Maya finds that the hospital ' s mobile security policy failed to include a contingency to remotely secure compromised devices, allowing continued access to confidential data even after the device was lost. Based on this gap, which mobile security guideline should Maya recommend preventing similar incidents?

Options:

A.

Utilize a secure VPN connection while accessing public Wi-Fi networks

B.

Install device tracking software that allows the device to be located remotely

C.

Register devices with a remote locate and wipe facility

D.

Use anti-virus and data loss prevention DLP solutions

Question 32

A penetration tester finds malware that spreads across a network without user interaction, replicating itself from one machine to another. What type of malware is this?

Options:

A.

Keylogger

B.

Ransomware

C.

Virus

D.

Worm

Question 33

You are part of the red team assigned to evaluate the physical and social vulnerabilities of a government contractor’s office located in a metropolitan business hub. During your pretexting phase, you decide to simulate the role of a third-party IT technician.

Upon arrival, the receptionist allows you entry without verification, assuming you are there for scheduled printer maintenance. While moving through the workspace, you casually observe open terminals, unattended printouts, and discarded sticky notes at workstations. You later report several user credentials and partial access details acquired during this visit.

Which social engineering technique does this scenario best illustrate?

Options:

A.

Shoulder Surfing

B.

Eavesdropping

C.

Impersonation

D.

Dumpster Diving

Question 34

During a security assessment of a metropolitan public transportation terminal, a penetration tester examines a network-connected IoT surveillance camera system used for 24/7 video monitoring. The camera uses outdated SSLv2 encryption to transmit video data. The tester intercepts and decrypts video streams due to the weak encryption and absence of authentication mechanisms. What IoT vulnerability is most likely being exploited in this scenario?

Options:

A.

Insecure data transfer and storage

B.

Jamming attack on RF communication

C.

Credential theft via web application

D.

Replay attack on wireless signals

Question 35

You are Emma Rodriguez, an ethical hacker at SecurePath Solutions, hired to test the mobile application security of Sterling & Associates, a law firm in New York City. During a covert assessment, your objective is to simulate an attacker attempting to exploit vulnerabilities in the firm’s client case management app. You discover that the app stores user credentials in plain text on the device, enabling you to extract sensitive client login information using a rooted device. Based on this finding, which OWASP Top 10 Mobile Risk are you identifying in the app?

Options:

A.

Insecure Communication

B.

Improper Credential Usage

C.

Inadequate Privacy Controls

D.

Insecure Data Storage

Question 36

During a penetration test at an e-commerce company in Boston, ethical hacker Sophia launches an HTTP flood against the checkout page of the site. The simulated traffic consists of repeated GET and POST requests designed to overload application-layer resources. In response, the IT team activates a security tool that inspects and filters malicious HTTP traffic while allowing legitimate customer requests to pass, ensuring service continuity during the exercise.

Which DoS/DDoS protection tool is most likely being used in this scenario?

Options:

A.

Load Balancer

B.

Web Application Firewall

C.

Intrusion Prevention System

D.

Firewall

Question 37

A cybersecurity consultant suspects attackers are attempting to evade an Intrusion Detection System (IDS). Which technique is most likely being used?

Options:

A.

Deploying self-replicating malware

B.

Fragmenting malicious packets into smaller segments

C.

Flooding the IDS with ICMP packets

D.

Sending phishing emails

Question 38

Scenario:

    Victim opens the attacker ' s website.

    Attacker sets up a website containing interesting and attractive content such as “Do you want to make $1000 in a day?”.

    Victim clicks the attractive content URL.

    The attacker creates a transparent iframe in front of the URL that the victim attempts to click. The victim believes he/she is clicking the “Do you want to make $1000 in a day?” link, but is actually clicking content or a URL hidden inside the transparent iframe controlled by the attacker.

What is the name of the attack mentioned in the scenario?

Options:

A.

HTTP Parameter Pollution

B.

Clickjacking Attack

C.

HTML Injection

D.

Session Fixation

Question 39

MidWest BioAnalytics, a pharmaceutical research firm in Columbus, Ohio, authorizes a controlled adversarial simulation to assess the resilience of its internal web-based inventory management platform. During the exercise, administrators observe that several active client connections briefly lose synchronization, and unexpected command patterns appear within system transaction logs.

The irregularities are subtle and become apparent only after reviewing stored network captures. Executive leadership requests a solution that can maintain ongoing visibility into network exchanges and highlight activity that diverges from typical communication behavior across the organization’s infrastructure.

Which approach best satisfies this requirement?

Options:

Question 40

A health-tech startup in Raleigh, North Carolina operates a Kubernetes cluster supporting patient-facing microservices. During an authorized security assessment, a certified ethical hacker reviews internal cluster activity records available to operations personnel.

While analyzing these records, the tester notices that authentication artifacts associated with service accounts are recorded within system-generated output. The tester determines that if an individual obtained access to these records, they could reuse the captured authentication material to interact with cluster resources under the same privileges.

Which Kubernetes vulnerability best corresponds to this condition?

Options:

A.

No Certificate Revocation

B.

Unauthenticated HTTPS Connections

C.

No Non-repudiation

D.

Exposed Bearer Tokens in Logs

Question 41

Fleet vehicles with smart locking systems were compromised after attackers captured unique signals from key fobs. What should the security team prioritize to confirm and prevent this attack?

Options:

A.

Secure firmware updates

B.

Increase physical surveillance

C.

Deploy anti-malware on smartphones

D.

Monitor wireless signals for jamming or interference

Question 42

A Linux system allows passwordless sudo for multiple commands. What security principle is violated?

Options:

A.

Zero trust

B.

Defense in depth

C.

CIA

D.

Least privilege

Question 43

During an external assessment of a regional retail company ' s digital infrastructure, security analyst Joe is assigned to map internal services without active intrusion. While testing the behavior of a publicly exposed resolution system, he discovers that a secondary system responds unusually to structured queries. When he issues a specific request format, the server replies with a full list of internal mappings, including subdomains, mail hosts, and system aliases without requiring credentials or triggering alerts.

Which technique was most likely used to obtain this information?

Options:

A.

LDAP Enumeration

B.

NTP Enumeration

C.

DNS Zone Transfer Enumeration

D.

NetBIOS Enumeration

Question 44

During a red team engagement at a manufacturing company in Dallas, penetration tester Tyler gains access to a Windows workstation. Later in the exercise, he reviews his exfiltrated logs and finds detailed records of employee logins, email drafts, and sensitive data entered into desktop applications. The collection occurred without requiring browser injection or physical device access, and no kernel drivers were installed.

Which type of keylogger did Tyler most likely deploy?

Options:

A.

JavaScript Keylogger

B.

Hardware Keylogger

C.

Kernel Keylogger

D.

Application Keylogger

Question 45

A digital publishing firm in Charlotte, North Carolina, noticed suspicious probing activity against its public website. To proactively assess exposure, the security team initiated a focused scan of the company ' s HTTP servers. The chosen tool examined server headers, identified installed web server software through file signatures and favicon analysis, checked for outdated components, and searched for potentially dangerous files and misconfigurations. The scan also supported SSL connections and generated exportable reports in multiple formats for documentation. Which vulnerability assessment tool most closely aligns with the capabilities described?

Options:

A.

OpenVAS

B.

Nessus

C.

Qualys VM

D.

Nikto

Question 46

In the sunlit tech oasis of Phoenix, Arizona, ethical hacker Nadia Patel explores the security posture of LearnSphere, a U.S.-based e-learning platform serving thousands of students. During her testing, Nadia intentionally submits invalid inputs to the platform ' s content delivery system. Instead of returning a generic failure notice, the application responds with detailed system information, including database query strings and directory paths. Such responses provide attackers with valuable insights into the application ' s internal workings, which could be used to craft more precise and damaging attacks.

Which issue is being demonstrated?

Options:

A.

Improper Error Handling

B.

Directory Traversal

C.

Verbose Error Messages

D.

CORS Misconfiguration

Question 47

What is a “Collision attack” in cryptography?

Options:

A.

Collision attacks try to find two inputs producing the same hash

B.

Collision attacks try to get the public key

C.

Collision attacks try to break the hash into three parts to get the plaintext value

D.

Collision attacks try to break the hash into two parts, with the same bytes in each part to get the private key

Question 48

Olivia, a cybersecurity architect at a Boston-based fintech company, is tasked with upgrading the organization ' s cryptographic infrastructure in preparation for future quantum computing threats. A recent internal audit flagged that sensitive customer data stored in the company ' s cloud environment could be vulnerable if quantum decryption methods become practically viable. To strengthen their post-quantum defense, Olivia must recommend a proactive cryptographic control that ensures long-term confidentiality of stored data, even against advanced quantum attackers.

Which cryptographic defense should Olivia prioritize to mitigate the risk of future quantum-based decryption?

Options:

A.

Break data into fragments and distribute it across multiple locations

B.

Encrypt stored data with quantum-resistant algorithms

C.

Use quantum-specific firewalls to protect quantum communication channels

D.

Include quantum-resistance checks in SDLC and code review processes

Question 49

During a red team exercise for a global insurance provider in Chicago, ethical hacker Maria tests the effectiveness of the company ' s endpoint defenses. She launches an attack by injecting malicious PowerShell commands into a trusted process without dropping any executables to disk. The code executes entirely in memory, generating abnormal spikes in resource usage. After a reboot, Maria notes that the system returns to normal and traditional antivirus logs show no evidence of infection.

Which type of malware technique did Maria most likely use in this test?

Options:

A.

Rootkit

B.

Trojan

C.

Fileless Malware

D.

Ransomware

Question 50

As part of a penetration test for a financial firm’s smart headquarters in Denver, Colorado, ethical hacker Jordan Lee begins evaluating the IoT infrastructure responsible for lighting, HVAC, and badge-controlled access. Jordan documents details such as device models, manufacturer names, firmware versions, and supported protocols like Zigbee and BLE. This information is used to understand the device ecosystem. Which step of the IoT hacking methodology is being carried out in this phase?

Options:

A.

Information gathering

B.

Launch attacks

C.

Vulnerability scanning

D.

Gain remote access

Question 51

A defense contractor in Arlington, Virginia, initiated an internal awareness exercise to test employee susceptibility to human-based manipulation. During the assessment, an individual posing as an external recruitment consultant began casually engaging several engineers at a nearby industry networking event. Over multiple conversations, the individual gradually steered discussions toward current research initiatives, development timelines, and internal project code names. No direct requests for credentials or system access were made. Instead, the information was obtained incrementally through carefully crafted questions embedded within informal dialogue. Which social engineering technique is most accurately demonstrated in this scenario?

Options:

A.

Quid Pro Quo

B.

Baiting

C.

Elicitation

D.

Honey Trap

Question 52

You are an ethical hacker at HarborLine Assessments, engaged to audit the Wi-Fi at Portside Freight in Tacoma, Washington. During an overnight reconnaissance, you enable your wireless interface’s monitor mode and run a command that silently records beacon frames, probe responses, and authentication frames from nearby APs and clients into a capture file for later offline analysis—you do not transmit any frames from your laptop. Based on the described activity, which Wi-Fi security auditing tool are you most likely using?

Options:

A.

Aireplay-ng

B.

Aircrack-ng

C.

Airbase-ng

D.

Airodump-ng

Question 53

A city’s power management system relies on SCADA infrastructure. Recent anomalies include inconsistent sensor readings and intermittent outages. Security analysts suspect a side-channel attack designed to extract sensitive information covertly from SCADA devices. Which investigative technique would best confirm this type of attack?

Options:

A.

Measuring unusual physical or electrical fluctuations during device operation at the hardware level.

B.

Identifying weak cryptographic configurations in device communications.

C.

Assessing SCADA user interfaces for unauthorized access or misuse.

Question 54

A cybersecurity team at a cloud infrastructure provider in San Jose, California, initiated a structured vulnerability evaluation across its production environment. The scanning process began by identifying communication protocols active on each host. Once the protocols were cataloged, the platform analyzed which services were associated with those ports and dynamically selected only the vulnerability tests relevant to those detected services. The scanning logic adjusted automatically based on discoveries made during execution. Which vulnerability assessment approach is illustrated in this scenario?

Options:

A.

Inference-Based Assessment

B.

Service-Based Solutions

C.

Product-Based Solutions

D.

Tree-Based Assessment

Question 55

A municipal services portal in Lexington, Kentucky includes a search parameter that retrieves citizen service requests. During an authorized security review, an analyst alters the parameter value by introducing single quotation marks, logical expressions such as AND 1=1, and variations like AND 1=2, observing how the application responds to each modification.

By comparing differences in the application’s output and behavior after each structured input change, the analyst evaluates whether the parameter affects the underlying query processing.

Which SQL injection detection method is being applied?

Options:

A.

Static Testing

B.

Dynamic Testing

C.

Function Testing

D.

Fuzz Testing

Question 56

During an internal red team engagement, an operator discovers that TCP port 389 is open on a target system identified as a domain controller. To assess the extent of LDAP exposure, the operator runs the command ldapsearch -h < Target IP > -x -s base namingcontexts and receives a response revealing the base distinguished name (DN): DC=internal,DC=corp. This naming context indicates the root of the LDAP directory structure. With this discovery, the operator plans the next step to continue LDAP enumeration and expand visibility into users and objects in the domain. What is the most logical next action?

Options:

A.

Launch a brute-force attack against user passwords via SMB

B.

Conduct an ARP scan on the local subnet

C.

Attempt an RDP login to the domain controller

D.

Use the base DN in a filter to enumerate directory objects

Question 57

During a network security audit at Jefferson National Bank in Richmond, Virginia, ethical hacker Thomas Reed is tasked with identifying vulnerabilities in employee login processes on VLAN 20, which connects client services workstations to the customer account database server. He sets up a Wireshark instance on a monitoring workstation configured in mirror mode behind a managed switch to capture traffic. His goal is to detect unencrypted authentication credentials transmitted over HTTP during login sessions. Which Wireshark feature should Thomas use to isolate and analyze these credentials in real time, and how does it assist him?

Options:

A.

Use the " Filtering by IP Address " to set a filter for HTTP traffic before capturing

B.

Use the " Monitoring the Specific Ports " to generate a traffic summary and identify HTTP packets

C.

Use the " Follow TCP Stream " to reconstruct and read HTTP session data

D.

Use the " Display Filtering by Protocol " to isolate HTTP traffic and view packet details

Question 58

A penetration tester is evaluating the security of a mobile application and discovers that it lacks proper input validation. The tester suspects that the application is vulnerable to a malicious code injection attack. What is the most effective way to confirm and exploit this vulnerability?

Options:

A.

Perform a brute-force attack on the application ' s login page to guess weak credentials

B.

Inject a malicious JavaScript code into the input fields and observe the application ' s behavior

C.

Use directory traversal to access sensitive files stored in the application ' s internal storage

D.

Execute a dictionary attack on the mobile app ' s encryption algorithm

Question 59

You are a security analyst at Sentinel IT Services, monitoring the web application of GreenValley Credit Union in Portland, Oregon. During a log analysis, you identify an SQL injection attempt on the customer login portal, where the attacker inputs a malicious string to manipulate the query logic. The application mitigates this by replacing special characters with their escaped equivalents to prevent query manipulation before the query is executed, ensuring the SQL statement remains unchanged. Based on the observed defense mechanism, which SQL injection countermeasure is the application employing?

Options:

A.

Perform user input validation

B.

Encoding the single quote

C.

Restrict database access

D.

Use parameterized queries or prepared statements

Question 60

A penetration tester evaluates the security of an iOS mobile application that handles sensitive user information. The tester discovers that the application is vulnerable to insecure data transmission. What is the most effective method to exploit this vulnerability?

Options:

A.

Execute a SQL injection attack to retrieve data from the backend server

B.

Perform a man-in-the-middle attack to intercept unencrypted data transmitted over the network

C.

Conduct a brute-force attack on the app’s authentication system

D.

Use a Cross-Site Request Forgery (CSRF) attack to steal user session tokens

Question 61

During a penetration test at Greenview Credit Union in Chicago, Illinois, ethical hacker Rebecca Hayes simulates an attacker who contacts employees using a voice channel. The number displayed on their devices appears identical to the institution’s official line, convincing staff that the request is legitimate. Rebecca then asks for account credentials under the pretense of a mandatory security check. Which mobile attack vector is she demonstrating?

Options:

A.

Call Spoofing

B.

OTP Hijacking

C.

Bluebugging

D.

SMiShing

Question 62

A penetration tester is conducting a security assessment for a client and needs to capture sensitive information transmitted across multiple VLANs without being detected by the organization ' s security monitoring systems. The network employs strict VLAN segmentation and port security measures. Which advanced sniffing technique should the tester use to discreetly intercept and analyze traffic across all VLANs?

Options:

A.

Deploy a rogue DHCP server to redirect network traffic

B.

Exploit a VLAN hopping vulnerability to access multiple VLANs

C.

Implement switch port mirroring on all VLANs

D.

Use ARP poisoning to perform a man-in-the-middle attack

Question 63

A fintech startup in Austin, Texas deploys several virtual machines within a public cloud environment. During an authorized cloud security assessment, a tester uploads a small script to one of the instances through a web application vulnerability. After executing the script locally on the instance, the tester retrieves temporary access credentials associated with the instance ' s assigned role. These credentials are then used to enumerate storage resources and access additional cloud services within the same account. Which cloud attack technique best corresponds to this activity?

Options:

A.

Cloud Snooper Attack

B.

Wrapping Attack

C.

IMDS Attack

D.

CP DoS Attack

Question 64

Systems are communicating with unknown external entities, raising concerns about exfiltration or malware. Which strategy most directly identifies and mitigates the risk?

Options:

A.

Aggressive zero-trust shutdown

B.

Deep forensic analysis

C.

Behavioral analytics profiling normal interactions

D.

Employee awareness training

Question 65

What does DEP block?

Options:

A.

Encryption

B.

Logging

C.

Execution in data memory

D.

Scanning

Question 66

At Bayview University in San Francisco, California, ethical hacker Sofia Patel is evaluating security controls on Android 11 tablets used by staff. To simulate an attack, she installs KingoRoot.apk directly on one of the devices. The application leverages system vulnerabilities to elevate privileges without requiring a computer connection. Based on the module, which feature of this rooting approach makes the attack effective?

Options:

A.

It uses a tethered jailbreak to restart the device with patched kernel functions

B.

It is an APK that can run directly on the device without a PC

C.

It relies on weak SSL validation to bypass application controls

D.

It exploits Bluetooth pairing flaws to gain device-level privileges

Question 67

Noah, a security analyst at a Seattle-based healthcare provider, is responding to a real-time data breach where attackers accessed patient records stored on a compromised server. During incident response, he must quickly secure sensitive files located on the system’s primary storage to prevent further exfiltration. The data resides in a mounted partition that needs full-volume encryption, but standard file encryption isn’t sufficient. Noah selects a solution that supports encrypted containers, strong key lengths like 256-bit AES, and can conceal secure volumes within standard ones to reduce detection. His goal is to ensure confidentiality while forensic operations continue without disrupting system functionality.

Which disk encryption tool should Noah deploy to meet these objectives?

Options:

A.

BitLocker Drive Encryption

B.

FileVault

C.

Rohos Disk Encryption

D.

VeraCrypt

Question 68

Which method of password cracking takes the most time and effort?

Options:

A.

Dictionary attack

B.

Rainbow tables

C.

Shoulder surfing

D.

Brute force

Question 69

Which sophisticated DoS technique is hardest to detect and mitigate?

Options:

A.

Distributed SQL injection DoS

B.

Coordinated UDP flood on DNS servers

C.

Zero-day exploit causing service crash

D.

Smurf attack using ICMP floods

Question 70

Prior to a federal audit, a cybersecurity consulting firm conducted an exposure review for a software company in Salt Lake City, Utah. The engagement focused on evaluating infrastructure reachable through the organization’s publicly registered domain records. The consultants identified open service ports on several servers, examined their patch levels for outdated components, and reviewed available DNS zone information to understand how systems were presented to remote systems. Based on the activities described, what type of vulnerability scanning is being performed?

Options:

A.

Internal Scanning

B.

External Scanning

C.

Manual Scanning

D.

Network-based Scanning

Question 71

During an authorized penetration test of an organization ' s Operational Technology (OT) environment, the tester has already identified exposed industrial assets and now begins actively probing controllers, services, and interfaces to identify exploitable weaknesses. No exploitation attempts or persistence mechanisms have been performed yet.

According to the OT hacking methodology, which phase is currently being carried out?

Options:

A.

Gain Remote Access

B.

Information Gathering

C.

Launch Attacks

D.

Vulnerability Scanning

Question 72

As a cybersecurity professional at XYZ Corporation, you are tasked with investigating anomalies in system logs that suggest potential unauthorized activity. System administrators have detected repeated failed login attempts on a critical server, followed by a sudden surge in outbound data traffic. These indicators suggest a possible compromise. Given the sensitive nature of the system and the sophistication of the threat, what should be your initial course of action?

Options:

A.

Conduct real-time monitoring of the server, analyze logs for abnormal patterns, and identify the nature of the activity to formulate immediate countermeasures.

B.

Conduct a comprehensive audit of all outbound traffic and analyze destination IP addresses to map the attacker’s network.

C.

Immediately reset all server credentials and instruct all users to change their passwords.

D.

Immediately disconnect the affected server from the network to prevent further data exfiltration.

Question 73

A logistics technology provider in Kansas City, Missouri conducts an internal review after an ethical hacker demonstrates several recurring input-handling weaknesses across different customer-facing web applications. The findings show that validation logic varies between modules, with many controls implemented inconsistently across components developed by separate teams.

Although immediate patches are applied to address the identified flaws, similar issues have surfaced in previous platform iterations despite corrective updates. Leadership determines that isolated fixes are insufficient and initiates an effort to standardize how security requirements are defined and incorporated across future development initiatives.

Based on the web application attack countermeasures, which category best aligns with this remediation approach?

Options:

A.

Insecure Design

B.

Broken Access Control

C.

Security Misconfiguration

D.

Cryptographic Failures / Sensitive Data Exposure

Question 74

A Linux server has world-writable cron directories. What can attackers achieve?

Options:

A.

DoS

B.

SQLi

C.

XSS

D.

Persistence

Question 75

An organization uses SHA-256 for data integrity checks but still experiences unauthorized data modification. Which cryptographic tool can help resolve this issue?

Options:

A.

Asymmetric encryption

B.

SSL/TLS certificates

C.

Symmetric encryption

D.

Digital signatures

Question 76

A penetration tester targets a WPA2-PSK wireless network. The tester captures the handshake and wants to speed up cracking the pre-shared key. Which approach is most effective?

Options:

A.

Conduct a Cross-Site Scripting (XSS) attack on the router ' s login page

B.

Use a brute-force attack to crack the pre-shared key manually

C.

Use a dictionary attack with a large wordlist to crack the WPA2 key

D.

Perform a SQL injection attack to bypass the WPA2 authentication

Question 77

A penetration tester is assessing a company ' s HR department for vulnerability to social engineering attacks using knowledge of recruitment and onboarding processes. What is the most effective technique to obtain network access credentials without raising suspicion?

Options:

A.

Develop a fake social media profile to connect with HR employees and request sensitive information

B.

Create a convincing fake onboarding portal that mimics the company’s internal systems

C.

Send a generic phishing email with a link to a fake HR policy document

D.

Conduct a phone call posing as a new employee to request password resets

Question 78

Why would you consider sending an email to an address that you know does not exist within the company you are performing a Penetration Test for?

Options:

A.

To illicit a response back that will reveal information about email servers and how they treat undeliverable mail

B.

To create needless SPAM

C.

To determine who is the holder of the root account

D.

To test for virus protection

E.

To perform a DoS

Question 79

An e-commerce platform hosted on a public cloud infrastructure begins to experience significant latency and timeouts. Logs show thousands of HTTP connections sending headers extremely slowly and never completing the full request. What DoS technique is most likely responsible?

Options:

A.

Slowloris holding web server connections

B.

Fragmentation flood attack

C.

UDP application-layer flooding

D.

SYN flood with spoofed source IPs

Question 80

Noah Kim, an ethical hacker at Quantum Cyber Solutions in Austin, Texas, is assessing iPhones used for proprietary development. On one device, he demonstrates a technique that allows it to boot normally without a computer, but the elevated access is temporarily lost after restart until the user launches a special on-device app to reapply the modifications. Which jailbreaking method is this?

Options:

A.

Tethered Jailbreaking

B.

Untethered Jailbreaking

C.

Semi-untethered Jailbreaking

D.

Semi-tethered Jailbreaking

Question 81

As a Certified Ethical Hacker assessing session management vulnerabilities in a secure web application using MFA, encrypted cookies, and a WAF, which technique would most effectively exploit a session management weakness while bypassing these defenses?

Options:

A.

Utilizing Session Fixation to force a victim to use a known session ID

B.

Executing a Cross-Site Request Forgery (CSRF) attack

C.

Exploiting insecure deserialization vulnerabilities for code execution

D.

Conducting Session Sidejacking using captured session tokens

Question 82

Which attack best demonstrates covert eavesdropping via smartphone sensors?

Options:

A.

Malicious APK exploitation

B.

Man-in-the-Disk attack

C.

Spearphone attack

D.

Tap ‘n Ghost attack

Question 83

Working as an Information Security Analyst, you are creating training material on session hijacking. Which scenario best describes a side jacking attack?

Options:

A.

An attacker uses social engineering to trick an employee into revealing their password.

B.

An attacker intercepts network traffic, captures unencrypted session cookies, and uses these to impersonate the user.

C.

An attacker exploits a firewall vulnerability to gain access to internal systems.

D.

An attacker convinces an employee to visit a malicious site that injects a script into their browser.

Question 84

During a black-box penetration test, an attacker runs the following command:

nmap -p25 --script smtp-enum-users --script-args EXPN,RCPT < target IP >

The script successfully returns multiple valid usernames. Which server misconfiguration is being exploited?

Options:

A.

The SMTP server allows authentication without credentials

B.

The SMTP server has disabled STARTTLS, allowing plaintext enumeration

C.

SMTP user verification commands are exposed without restrictions

D.

DNS MX records point to an internal mail relay

Question 85

During a black-box security assessment of a large enterprise network, the penetration tester scans the internal environment and identifies that TCP port 389 is open on a domain controller. Upon further investigation, the tester runs the ldapsearch utility without providing any authentication credentials and successfully retrieves a list of usernames, email addresses, and departmental affiliations from the LDAP directory. The tester notes that this sensitive information was disclosed without triggering any access control mechanisms or requiring login credentials. Based on this behavior, what type of LDAP access mechanism is most likely being exploited?

Options:

A.

LDAP over SSL (LDAPS)

B.

Authenticated LDAP with Kerberos

C.

Anonymous LDAP binding

D.

LDAP via RADIUS relay

Question 86

Several months prior to a confirmed compromise, security telemetry at a semiconductor manufacturer in Phoenix, Arizona showed systematic intelligence gathering focused on executive leadership, research engineers, and publicly exposed infrastructure.

Subsequent investigation determined that the adversary had assembled customized exploit frameworks, tested malware variants against commercial defensive products in isolated environments, and mapped externally accessible services associated with the organization.

These activities were part of a coordinated strategy developed well before any credential abuse or lateral movement was observed.

Determine the APT lifecycle stage represented by these actions.

Options:

A.

Persistence

B.

Expansion

C.

Preparation

D.

Initial Intrusion

Question 87

During a penetration test at Cascade Biotech in Portland, Oregon, ethical hacker Olivia Harper installs a monitoring agent on a single test workstation inside the research subnet. The system records local events such as file access, configuration changes, and unauthorized process execution. Olivia explains to the security team that attackers often attempt to disable or evade this type of monitoring to avoid being detected at the host level.

Which security system is Olivia most likely demonstrating?

Options:

A.

Network-Based Firewall

B.

Host-Based Firewall

C.

Network-Based Intrusion Detection System

D.

Host-Based Intrusion Detection System

Question 88

In a high-stakes cybersecurity exercise in Boston, Emily, an ethical hacker, is tasked with tracing a mock phishing email sent to a healthcare provider’s staff. Using the email header, she identifies a series of IP addresses and server details, including multiple timestamps and server names. Her objective is to pinpoint the exact moment the email was processed by the sender’s system.

As part of her reconnaissance, what specific detail from the email header should Emily examine to determine this information?

Options:

A.

Sender’s mail server

B.

Date and time of message sent

C.

Authentication system used by sender’s mail server

D.

Date and time received by the originator’s email servers

Question 89

On a busy Monday morning at Horizon Financial Services in Chicago, accounts assistant Clara Nguyen receives an email that appears to come from the company ' s IT department. The email, addressed specifically to Clara and mentioning her role in the accounts team, warns of a critical system vulnerability requiring immediate action. It includes a link to a login page resembling the company ' s internal portal, urging her to update her credentials to prevent account suspension. The email ' s sender address looks legitimate, but Clara notices a slight misspelling in the domain name.

What social engineering technique is being attempted against Clara?

Options:

A.

Spear Phishing

B.

Impersonation

C.

Quid Pro Quo

D.

Vishing

Question 90

You are an ethical hacker at SilverRock Security, engaged by BayState Credit Union in Boston, Massachusetts, to evaluate their online loan application portal. While testing the customer dashboard, you inject crafted input into a numeric parameter. Instead of returning only the expected loan details, the response also displays sensitive employee information from another table, merged into the same page results. This behavior indicates that the attacker’s input successfully combined multiple datasets into a single output.

Based on the observed behavior, which type of SQL injection attack are you exploiting?

Options:

A.

Error-Based SQL Injection

B.

Blind SQL Injection

C.

Second-Order SQL Injection

D.

UNION SQL Injection

Question 91

A penetration tester suspects that a web application ' s user profile page is vulnerable to SQL injection, as it uses the userID parameter in SQL queries without proper sanitization. Which technique should the tester use to confirm the vulnerability?

Options:

A.

Use the userID parameter to perform a brute-force attack on the admin login page

B.

Modify the userID parameter in the URL to ' OR ' 1 ' = ' 1 and check if it returns multiple profiles

C.

Inject HTML code into the userID parameter to test for Cross-Site Scripting (XSS)

D.

Attempt a directory traversal attack using the userID parameter

Question 92

What is the purpose of banner grabbing?

Options:

A.

Sniffing

B.

Cracking

C.

Identification

D.

Exploitation

Question 93

During routine network monitoring, the blue team notices several LLMNR and NBT-NS broadcasts originating from a workstation attempting to resolve an internal hostname. They also observe suspicious responses coming from a non-corporate IP address that claims to be the requested host. Upon further inspection, the security team suspects that an attacker is impersonating network resources to capture authentication attempts. What type of password-cracking setup is likely being staged?

Options:

A.

Decrypt login tokens from wireless networks

B.

Use CPU resources to guess passphrases quickly

C.

Exploit name resolution to capture password hashes

D.

Match captured credentials with rainbow tables

Question 94

In an enterprise environment, the network security team detects unusual behavior suggesting advanced sniffing techniques exploiting legacy protocols to intercept sensitive communications. Which of the following sniffing-related techniques presents the greatest challenge to detect and neutralize, potentially compromising confidential enterprise data?

Options:

A.

Steganographic payload embedding within SMTP email headers

B.

Encrypted data extraction via HTTP header field overflows

C.

Covert data interception via X2S packet fragmentation

D.

Covert channel establishment through Modbus protocol manipulation

Question 95

A penetration tester evaluates a company ' s secure web application, which uses HTTPS, secure cookie flags, and strict session management to prevent session hijacking. To bypass these protections and hijack a legitimate user ' s session without detection, which advanced technique should the tester employ?

Options:

A.

Utilize a session fixation attack by forcing a known session ID during login

B.

Perform a Cross-Site Scripting (XSS) attack to steal the session token

C.

Exploit a timing side-channel vulnerability to predict session tokens

D.

Implement a Man-in-the-Middle (MitM) attack by compromising a trusted certificate authority

Question 96

During a routine software update at Horizon Solutions, a mid-sized IT firm in Raleigh, North Carolina, an employee downloads a file utility from a popular third-party site to streamline document processing. During the installation, the user is prompted to install an optional “productivity toolbar” and a “system optimization tool,” which are bundled with vague descriptions. Shortly after, the employee notices intermittent pop-up ads, an altered browser homepage, and sluggish PC performance, though network logs also show occasional unexplained data transfers during off-hours. A security scan flags the additional programs as potentially harmful, but a deeper analysis reveals no immediate file encryption or self-replicating code.

What type of threat are these unwanted programs most likely classified as?

Options:

A.

Potentially Unwanted Applications (PUAs)

B.

Worms

C.

Botnet agents

D.

Logic bombs

Question 97

An ethical hacker needs to gather sensitive information about a company ' s internal network without engaging directly with the organization ' s systems to avoid detection. Which method should be employed to obtain this information discreetly?

Options:

A.

Analyze the organization ' s job postings for technical details

B.

Exploit a public vulnerability in the company ' s web server

C.

Perform a WHOIS lookup on the company ' s domain registrar

D.

Use port scanning tools to probe the company ' s firewall

Question 98

Repeated failed login attempts are followed by a sudden surge in outbound data traffic from a critical server. What should be your initial course of action?

Options:

A.

Audit all outbound traffic and analyze destination IPs

B.

Immediately disconnect the server from the network

C.

Perform real-time monitoring and log analysis to understand the activity

D.

Change server credentials and force password resets

Question 99

During an internal penetration test within a large corporate environment, the red team gains access to an unrestricted network port in a public-facing meeting room. The tester deploys an automated tool that sends thousands of DHCPDISCOVER requests using randomized spoofed MAC addresses. The DHCP server’s lease pool becomes fully depleted, preventing legitimate users from obtaining IP addresses. What type of attack did the penetration tester perform?

Options:

A.

DHCP starvation

B.

Rogue DHCP relay injection

C.

DNS cache poisoning

D.

ARP spoofing

Question 100

In Denver, Colorado, ethical hacker Sophia Nguyen is hired by Rocky Mountain Insurance to assess the effectiveness of their network security controls. During her penetration test, she attempts to evade the company ' s firewall by fragmenting malicious packets to avoid detection. The IT team, aware of such techniques, has implemented a security measure to analyze packet contents beyond standard headers. Sophia ' s efforts are thwarted as the system identifies and blocks her fragmented packets.

Which security measure is the IT team most likely using to counter Sophia ' s firewall evasion attempt?

Options:

A.

Deep Packet Inspection

B.

Anomaly-Based Detection

C.

Signature-Based Detection

D.

Stateful Packet Inspection

Question 101

After a breach, investigators discover attackers used modified legitimate system utilities and a Windows service to persist undetected and harvest credentials. What key step would best protect against similar future attacks?

Options:

A.

Disable unused ports and restrict outbound firewall traffic

B.

Perform weekly backups and store them off-site

C.

Ensure antivirus and firewall software are up to date

D.

Monitor file hashes of critical executables for unauthorized changes

Question 102

A cybersecurity team at a regional healthcare provider is conducting an internal red team exercise to assess their exposure to service enumeration attacks. Amanda, a senior penetration tester, is assigned to probe the internal network for services that may reveal usernames, group information, or system details without requiring prior authentication. She decides to target common services running on specific ports that are often misconfigured or loosely monitored. During her reconnaissance, Amanda identifies several open ports across various hosts and must now prioritize which ones to probe first for maximum information gain related to enumeration. Which of the following services should Amanda target as a priority to enumerate usernames and group information without authentication?

Options:

A.

TCP 139 and UDP 137, 138

B.

TCP 21 and UDP 137, 138

C.

TCP 23 and UDP 137, 138

D.

TCP 25 and UDP 133

Question 103

Which technique is least useful during passive reconnaissance?

Options:

A.

WHOIS lookup

B.

Search engines

C.

Social media monitoring

D.

Nmap scanning

Question 104

Amid the vibrant buzz of Miami’s digital scene, ethical hacker Sofia Alvarez embarks on a mission to fortify the web server of Sunshine Media’s streaming platform. Diving into her security assessment, Sofia sends a meticulously crafted GET / HTTP/1.0 request to the server, scrutinizing its response. The server obligingly returns headers exposing its software version and operating system, a revelation that could empower malicious actors to tailor their attacks. Committed to bolstering the platform’s defenses, Sofia documents her findings to urge the security team to address this exposure.

What approach is Sofia using to expose the vulnerability in Sunshine Media’s web server?

Options:

A.

Information Gathering from Robots.txt File

B.

Vulnerability Scanning

C.

Directory Brute Forcing

D.

Web Server Footprinting Banner Grabbing

Question 105

In downtown Chicago, Illinois, security analyst Mia Torres investigates a breach at Windy City Enterprises, a logistics firm running an Apache HTTP Server. The attacker exploited a known vulnerability in an outdated version, gaining unauthorized access to customer shipment data. Mia ' s analysis reveals the server lacked recent security updates, leaving it susceptible to remote code execution. Determined to prevent future incidents, Mia recommends a strategy to the IT team to address this exposure. Which approach should Mia recommend to secure Windy City Enterprises ' Apache HTTP Server against such vulnerabilities?

Options:

A.

Conduct an extensive risk assessment to determine which segments of the network are most vulnerable or at high risk that need to be patched first

B.

Use a dedicated machine as a web server

C.

Block all unnecessary ports, ICMP traffic, and unnecessary protocols such as NetBIOS and SMB

D.

Eliminate unnecessary files within the jar files

Question 106

During an ethical hacking exercise, a security analyst is testing a web application that manages confidential information and suspects it may be vulnerable to SQL injection. Which payload would most likely reveal whether the application is vulnerable to time-based blind SQL injection?

Options:

A.

UNION SELECT NULL, NULL, NULL--

B.

' OR ' 1 ' = ' 1 ' --

C.

' OR IF(1=1,SLEEP(5),0)--

D.

AND UNION ALL SELECT ' admin ' , ' admin ' --

Question 107

You suspect a Man-in-the-Middle (MitM) attack inside the network. Which network activity would help confirm this?

Options:

A.

Sudden increase in traffic

B.

Multiple login attempts from one IP

C.

IP addresses resolving to multiple MAC addresses

D.

Abnormal DNS request volumes

Question 108

An attacker gained escalated privileges on a critical server. What should be done FIRST to contain the threat with minimal disruption?

Options:

A.

Engage a forensic team immediately

B.

Power down the server and isolate it

C.

Monitor, analyze, and then isolate the server

D.

Conduct a vulnerability scan on all servers

Question 109

A web server experienced a DDoS attack that specifically targeted the application layer. Which type of DDoS attack was most likely used?

Options:

A.

HTTP flood attack

B.

ICMP flood attack

C.

UDP flood attack

D.

SYN flood attack

Question 110

During a red team engagement, an ethical hacker discovers that a thermostat accepts older firmware versions without verifying their authenticity. By loading a deprecated version containing known vulnerabilities, the tester gains unauthorized access to the broader network. Which IoT security issue is most accurately demonstrated in this scenario?

Options:

A.

Lack of secure update mechanisms

B.

Denial-of-service through physical tampering

C.

Insecure network service exposure

D.

Use of insecure third-party components

Question 111

During a red team assessment, an ethical hacker must map a large multinational enterprise’s external attack surface. Due to strict rules of engagement, no active scans may be used. The goal is to identify publicly visible subdomains to uncover forgotten or misconfigured services. Which method should the ethical hacker use to passively enumerate the organization’s subdomains?

Options:

A.

Leverage tools like Netcraft or DNSdumpster to gather subdomain information

B.

Attempt to guess admin credentials and access the company’s DNS portal

C.

Conduct a brute-force DNS subdomain enumeration

D.

Request internal DNS records using spoofed credentials

Question 112

Natalie Brooks is leading an authorized red team exercise for Sentinel Networks in Seattle. While briefing her team on different attacker profiles, she describes an individual who is new to cybersecurity, actively learning techniques through online communities, and experimenting with basic tools on low-risk targets to build practical skills without causing significant damage.

Which hacker class best matches this profile?

Options:

A.

Blue Hat Hacker

B.

Green Hat Hacker

C.

Gray Hat Hacker

D.

Red Hat Hacker

Question 113

A penetration tester observes that traceroutes to various internal devices always show 10.10.10.1 as the second-to-last hop, regardless of the destination subnet. What does this pattern most likely indicate?

Options:

A.

DNS poisoning at the local resolver used by the compromised host

B.

Loopback misconfiguration at the destination endpoints

C.

A core router facilitating communication across multiple internal subnets

D.

Presence of a transparent proxy device acting as a forwarder

Question 114

During a penetration test at Sunshine Media ' s streaming platform in Miami, ethical hacker Sofia Alvarez examines whether the company ' s web server exposes sensitive resources through poor configuration. She finds that a crawler directive at the server ' s root allows unintended indexing of restricted areas. This oversight reveals internal paths that may expose hidden links, confidential files, or other sensitive information.

Which technique is Sofia most likely using in this assessment?

Options:

A.

Vulnerability Scanning

B.

Information Gathering from robots.txt File

C.

Web Server Footprinting/Banner Grabbing

D.

Directory Brute Forcing

Question 115

Abnormal DNS resolution behavior is detected on an internal network. Users are redirected to altered login pages. DNS replies come from an unauthorized internal IP and are faster than legitimate responses. ARP spoofing alerts are also detected. What sniffing-based attack is most likely occurring?

Options:

A.

Internet DNS spoofing

B.

Intranet DNS poisoning via local spoofed responses

C.

Proxy-based DNS redirection

D.

Upstream DNS cache poisoning

Question 116

A penetration tester performs a vulnerability scan on a company’s web server and identifies several medium-risk vulnerabilities related to misconfigured settings. What should the tester do to verify the vulnerabilities?

Options:

A.

Use publicly available tools to exploit the vulnerabilities and confirm their impact

B.

Ignore the vulnerabilities since they are medium-risk

C.

Perform a brute-force attack on the web server ' s login page

D.

Conduct a denial-of-service (DoS) attack to test the server ' s resilience

Question 117

As an Ethical Hacker, you have been asked to test an application’s vulnerability to SQL injection. During testing, you discover an entry field that appears susceptible. However, the backend database is unknown, and regular SQL injection techniques have failed to produce useful information. Which advanced SQL injection technique should you apply next?

Options:

A.

Content-Based Blind SQL Injection

B.

Time-Based Blind SQL Injection

C.

Union-Based SQL Injection

D.

Error-Based SQL Injection

Question 118

Which attack manipulates hidden fields?

Options:

A.

SQLi

B.

XSS

C.

Parameter tampering

D.

CSRF

Question 119

Which of the following is the primary objective of a rootkit?

Options:

A.

It provides an undocumented opening in a program

B.

It replaces legitimate programs

C.

It creates a buffer overflow

D.

It opens a port to provide an unauthorized service

Question 120

You are an ethical hacker at Apex Cyber Defense contracted to audit Coastal Healthcare ' s wireless estate in Miami, Florida. During a network sweep, your logs show a previously unknown access point physically connected to the hospital ' s internal switch and issuing IP addresses to devices on the corporate VLAN - it was neither provisioned by IT nor listed in the asset inventory. The device is relaying internal traffic and providing remote connectivity back to an external host. Based on the observed behavior, which wireless threat has the attacker most likely introduced?

Options:

A.

Misconfigured AP

B.

Rogue AP

C.

Honeypot AP

D.

Evil Twin AP

Question 121

In an ethical hacking methodology and framework, which of the following step is known for “active and passive information gathering”?

Options:

A.

Obfuscation

B.

Exploitation

C.

Reconnaissance

D.

Denial of service

Question 122

A fintech startup in Austin, Texas deploys several virtual machines within a public cloud environment. During an authorized cloud security assessment, a tester uploads a small script to one of the instances through a web application vulnerability.

After executing the script locally on the instance, the tester retrieves temporary access credentials associated with the instance’s assigned role. These credentials are then used to enumerate storage resources and access additional cloud services within the same account.

Which cloud attack technique best corresponds to this activity?

Options:

A.

IMDS Attack

B.

CPDoS Attack

C.

Cloud Snooper Attack

D.

Wrapping Attack

Question 123

A government agency trains a group of cybersecurity experts to carry out covert cyber missions against foreign threats and gather intelligence without being detected. These experts work exclusively for national interests. What classification best describes them?

Options:

A.

Organized hackers

B.

State-sponsored hackers

C.

Hacktivists

D.

Gray hat hackers

Question 124

As part of a red team campaign against a pharmaceutical company in Boston, ethical hacker Alex begins with a successful spear-phishing attack that delivers an initial payload to a manager ' s laptop. After gaining access, Alex pivots to harvesting cached credentials and using them to move laterally across the internal network. Soon, routers, printers, and several file servers are compromised, expanding the red team ' s control beyond the original host. At this point, Alex has not yet targeted sensitive research data, but the team has built a broader foothold within the environment.

Which phase of the Advanced Persistent Threat (APT) lifecycle is Alex simulating?

Options:

A.

Initial Intrusion

B.

Persistence

C.

Search & Exfiltration

D.

Expansion

Question 125

During a high-stakes engagement, a penetration tester abuses MS-EFSRPC to force a domain controller to authenticate to an attacker-controlled server. The tester captures the NTLM hash and relays it to AD CS to obtain a certificate granting domain admin privileges. Which network-level hijacking technique is illustrated?

Options:

A.

Hijacking sessions using a PetitPotam relay attack

B.

Exploiting vulnerabilities in TLS compression via a CRIME attack

C.

Stealing session tokens using browser-based exploits

D.

Employing a session donation method to transfer tokens

Question 126

During a compliance review at a law firm in Chicago, an ethical hacker tests the firm’s secure email gateway. She observes that sensitive legal documents are being transmitted in clear text over the Internet, allowing anyone intercepting the traffic to read the contents. The firm is concerned about unauthorized individuals being able to view these communications. Which principle of information security is being violated?

Options:

A.

Confidentiality

B.

Integrity

C.

Non-Repudiation

D.

Availability

Question 127

Which type of security feature stops vehicles from crashing through the doors of a building?

Options:

A.

Receptionist

B.

Mantrap

C.

Bollards

D.

Turnstile

Question 128

An attacker performs DNS cache snooping using dig +norecurse. The DNS server returns NOERROR but no answer. What does this indicate?

Options:

A.

The domain has expired

B.

The record was cached and returned

C.

The DNS server failed

D.

No recent client from that network accessed the domain

Question 129

An ethical hacker conducting an authorized assessment of a multinational advisory firm begins collecting intelligence exclusively from publicly accessible online platforms where employees share professional background details and engage in industry-related discussions.

By correlating individual role descriptions, publicly endorsed technical competencies, collaborative conversations referencing internal initiatives, and recurring terminology used to describe projects and departments, the tester develops a structured view of reporting relationships, identifies commonly deployed technologies, and infers internal naming conventions.

From a reconnaissance methodology perspective, which technique is being applied?

Options:

A.

Footprinting through Social Networking Sites

B.

Footprinting through Internet Research Services

C.

Footprinting through Social Engineering

D.

Footprinting through Search Engines

Question 130

An attacker abuses weak password reuse across services using leaked credentials. What attack is this?

Options:

A.

Replay

B.

Credential stuffing

C.

Brute force

D.

Dictionary attack

Question 131

You are working as a threat intelligence analyst for a fintech startup that recently discovered a spike in credential stuffing attempts against its admin panel. The security team believes this may be due to leaked internal files circulating on underground forums. You are tasked with investigating potential exposure on the dark web without directly interacting with any service or forum. You decide to use advanced search filters to identify documents hosted on hidden services that may contain sensitive access details. The team suspects these documents might include account-related keywords in their titles.

Which of the following search queries would best support this investigation?

Options:

A.

filetype:pdf intitle: " admin access " site:onion

B.

filetype:docx intitle: " login credentials "

C.

filetype:pdf intitle: " secure login " site:onion

D.

filetype:docx intitle: " user accounts " site:onion

Question 132

You have been asked to perform a penetration test for a local company. You have had several meetings with the client and are now almost ready to begin the assessment. Which of the following is the document that would contain verbiage which describes what type of testing is allowed and when you will perform testing and limits your liabilities as a penetration tester?

Options:

A.

Project scope

B.

Nondisclosure agreement

C.

Service-level agreement

D.

Rules of engagement

Question 133

During a security assessment of an internal network, a penetration tester discovers that UDP port 123 is open, indicating that the NTP service is active. The tester wants to enumerate NTP peers, check synchronization status, offset, and stratum levels. Which command should the tester use?

Options:

A.

ntpdc

B.

ntpq

C.

ntptrace

D.

ntpdate

Question 134

Which of the following is the primary goal of ethical hacking?

Options:

A.

To disrupt services by launching denial-of-service attacks

B.

To identify and fix security vulnerabilities in a system

C.

To steal sensitive information from a company ' s network

D.

To spread malware to compromise multiple systems

Question 135

A penetration tester is hired to legally assess the security of a company ' s network by identifying vulnerabilities and attempting to exploit them. What type of hacker is this?

Options:

A.

Black Hat

B.

Grey Hat

C.

Script Kiddie

D.

White Hat

Question 136

You are an ethical hacker at ShieldPoint Security, hired by Pinecrest Travel Agency in Orlando, Florida, to perform a penetration test on their flight booking portal. During testing, you notice that normal SQL injection attempts are blocked by a security filter. To bypass it, you adjust your input so that key SQL keywords are broken apart with unexpected symbols, allowing the database to interpret them correctly while evading the filter. This manipulation allows you to retrieve hidden booking records despite the filter ' s restrictions. Based on the observed behavior, which SQL injection evasion technique are you employing?

Options:

A.

String Concatenation

B.

Hex Encoding

C.

In-line Comment

D.

Null Byte

Question 137

During a compliance audit at a logistics company in Columbus, Ohio, the mobile security team discovers that several field-issued Android devices are responding to remote commands from an unknown external system. The affected devices are not connected via USB, and no enterprise mobility policies were recently modified.

Network monitoring reveals that the devices have remote debugging enabled and are accepting connections over the wireless network on a specific high-numbered port commonly associated with remote device communication. Investigators determine that the external system was able to capture screenshots, list installed applications, forward ports, and install additional packages without requiring physical access to the devices.

Which attack technique most accurately explains this compromise?

Options:

A.

Device Administration API Abuse

B.

FRP Bypass

C.

Android Rooting

D.

ADB Exploitation via TCP 5555

Question 138

A fintech startup in Austin, Texas authorizes a controlled red team engagement to evaluate the resilience of its web-based loan management platform. At the outset of the engagement, the assessment team concentrates on developing a structural understanding of the application.

They examine publicly exposed endpoints, observe server responses under different navigation paths, identify accessible directories, and document the relationships between client-side scripts, form parameters, and backend behaviors. Error handling patterns and response variations are cataloged to understand how user interactions are processed across various components of the platform.

The collected information is used to guide strategic planning for subsequent phases of the engagement.

Within the web application hacking methodology, which phase is most accurately demonstrated in this scenario?

Options:

A.

Maintaining Access

B.

Scanning

C.

Gaining Access

D.

Reconnaissance

Question 139

A penetration tester discovers that a web application is vulnerable to Local File Inclusion (LFI) due to improper input validation in a URL parameter. Which approach should the tester take to exploit this vulnerability?

Options:

A.

Conduct a brute-force attack on the admin login page to gain access

B.

Inject SQL commands into the URL parameter to test for database vulnerabilities

C.

Perform a Cross-Site Scripting (XSS) attack by injecting malicious scripts into the URL

D.

Use directory traversal to access sensitive files on the server, such as /etc/passwd

Question 140

While reviewing exposed infrastructure for a logistics company in Denver, Joe, a security analyst, identifies that one host is synchronizing time using UDP port 123. Probing further, he issues queries to extract details about peers, offsets, and delays. This allows him to gather internal hostnames and client IP addresses connected to the time server. Such information leakage could provide insight into the company ' s internal network structure.

Which technique was most likely used to obtain this information?

Options:

A.

DNS Zone Transfer Enumeration

B.

NTP Enumeration

C.

VoIP Enumeration

D.

NetBIOS Enumeration

Question 141

Which information CANNOT be directly obtained from DNS interrogation?

Options:

A.

Usernames and passwords

B.

Server geolocation (via IPs)

C.

Subdomains of the organization

D.

IP addresses of mail servers

Question 142

An ethical hacker audits a hospital’s wireless network secured with WPA using TKIP and successfully performs packet injection and decryption attacks. Which WPA vulnerability most likely enabled this?

Options:

A.

Use of weak Initialization Vectors (IVs)

B.

Dependence on weak passwords

C.

Lack of AES-based encryption

D.

Predictable Group Temporal Key (GTK)

Question 143

A regional hospital network is conducting incident containment after discovering that an internal file server was accessed by unauthorized actors. While forensic analysis is ongoing, a security engineer must immediately protect sensitive medical records stored on a mounted partition without shutting down the system.

The solution must support strong encryption, including 256-bit AES, allow creation of encrypted containers within existing storage volumes, and provide the capability to conceal protected data inside standard-looking volumes to reduce visibility during continued investigation.

Select the disk encryption tool that best satisfies these operational and security requirements.

Options:

A.

FileVault

B.

Rohos Disk Encryption

C.

VeraCrypt

D.

BitLocker Drive Encryption

Question 144

A tester evaluates a login form that constructs SQL queries using unsanitized user input. By submitting 1 OR ' T ' = ' T ' ; --, the tester gains unauthorized access to the application. What type of SQL injection has occurred?

Options:

A.

Tautology-based SQL injection

B.

Error-based SQL injection

C.

Union-based SQL injection

D.

Time-based blind SQL injection

Question 145

You are an ethical hacker at Apex Security Consulting, hired by Riverfront Media, a digital marketing firm in Boston, Massachusetts, to assess the security of their customer relationship management CRM web application. While evaluating the application’s search feature, you input a long string of single quote characters into the search bar. The application responds with an error message suggesting that it cannot handle the length or structure of the input in the current SQL context. Based on the observed behavior, which SQL injection vulnerability detection technique are you employing?

Options:

A.

Detecting SQL Modification

B.

Fuzz Testing

C.

Function Testing

D.

Error Message Analysis

Question 146

You are conducting a security audit at a government agency. During your walkthrough, you observe a temporary contractor sitting in the staff lounge using their smartphone to discretely record employees as they enter passwords into their systems. Upon further investigation, you find discarded documents in a nearby trash bin containing sensitive project information. What type of attack is most likely being performed?

Options:

A.

Cisco-in attack

B.

Insider attack

C.

Distribution attack

D.

Passive attack

Question 147

During a security assessment of a cloud-hosted application using SOAP-based web services, a red team operator intercepts a valid SOAP request, duplicates the signed message body, inserts it into the same envelope, and forwards it. Due to improper validation, the server accepts the duplicated body and executes unauthorized code. What type of attack does this represent?

Options:

A.

Cloud snooper attack

B.

Cryptanalysis attack

C.

Wrapping attack

D.

IMDS abuse

Question 148

Which indicator most strongly confirms a MAC flooding attack?

Options:

A.

Multiple IPs to one MAC

B.

Multiple MACs to one IP

C.

Numerous MAC addresses on a single switch port

D.

Increased ARP requests

Question 149

During a routine security audit, administrators discover that cloud storage backups were illegally accessed and modified. Which countermeasure would most directly mitigate such incidents in the future?

Options:

A.

Implementing resource auto-scaling

B.

Regularly conducting SQL injection testing

C.

Deploying biometric entry systems

D.

Adopting the 3-2-1 backup model

Question 150

Sarah, an ethical hacker at a San Francisco-based financial firm, is testing the security of their customer database after a recent data exposure incident. Her analysis reveals that the sensitive client information is safeguarded using a symmetric encryption algorithm. She observes that the algorithm processes data in 64-bit blocks and supports a variable key size from 32 to 448 bits. During her penetration test, Sarah intercepts a ciphertext transmission and notes that the encryption was developed as a replacement for DES, an older algorithm. She aims to determine if the algorithm’s flexible key size could be susceptible to brute-force attacks. The algorithm is also noted for its use in secure storage, a critical application for the firm’s data protection.

Which symmetric encryption algorithm should Sarah identify as the one used by the firm?

Options:

A.

RC4

B.

Twofish

C.

AES

D.

Blowfish

Question 151

As a Certified Ethical Hacker, you are assessing a corporation’s serverless cloud architecture. The organization experienced an attack where a user manipulated a function-as-a-service (FaaS) component to execute malicious commands. The root cause was traced to an insecure third-party API used within a serverless function. What is the most effective countermeasure to strengthen the security posture?

Options:

A.

Regularly updating serverless functions to reduce vulnerabilities.

B.

Using a Cloud Access Security Broker (CASB) to enforce third-party policies.

C.

Deploying a Cloud-Native Security Platform (CNSP) for full cloud protection.

D.

Implementing function-level permissions and enforcing the principle of least privilege.

Question 152

Emma, an ethical hacker at a Chicago-based healthcare provider, is performing a penetration test on the organization ' s patient record system following a recent data breach. During her investigation, she discovers that attackers gained access to a large volume of encrypted patient records but had no knowledge of the original data or encryption keys. Emma observes that the system uses a block cipher and suspects the attackers may have applied a cryptanalytic method that examines encrypted outputs in bulk to detect structural or statistical patterns in the encrypted data.

Which cryptanalysis technique should Emma investigate to assess the system ' s vulnerability in this scenario?

Options:

A.

Chosen-plaintext attack

B.

Known-plaintext attack

C.

Chosen-ciphertext attack

D.

Ciphertext-only attack

Question 153

On July 9, 2025, during a security penetration test at MedSecure Health in Phoenix, Arizona, the ethical hacking team evaluates the resilience of the company ' s patient portal system. Ethical hacker Aisha Khan initiates a controlled test that generates sustained traffic pressure against the web application servers. As system responsiveness declines, the IT operations team reallocates backend resources, suspending lower-priority modules such as system alerts and notification services, allowing high-priority functions like prescription refills and patient check-ins to remain accessible. Aisha’s controlled simulation is designed to assess the IT team’s ability to maintain critical functionality under partial resource exhaustion.

What DoS DDoS countermeasure strategies is Aisha’s exercise primarily simulating?

Options:

Question 154

A cybersecurity analyst monitors competitors’ web content for changes indicating strategic shifts. Which missing component is most crucial for effective passive surveillance?

Options:

A.

Participating in competitors’ blogs and forums

B.

Setting up Google Alerts for competitor names and keywords

C.

Using a VPN to hide the analyst’s IP address

D.

Hiring a third party to hack competitor databases

Question 155

An energy infrastructure company in Tulsa, Oklahoma initiated a controlled phishing simulation targeting multiple operational departments.

The test email claimed to originate from the corporate compliance office and instructed employees to “complete a mandatory regulatory update within the next 30 minutes to avoid account suspension.” The message used a broad salutation instead of employee names and lacked the standard corporate signature footer normally appended to official communications.

Additionally, security analysts observed that the embedded hyperlink displayed the organization’s domain in the message body; however, when examined more closely, the actual destination resolved to a shortened external URL redirecting to an unrelated host.

From a defensive analysis standpoint, which indicator provides the strongest technical validation that the message is malicious?

Options:

Question 156

At HarborGrid Utilities in Oregon, a security assessment team is reviewing how the organization’s network monitoring platform evaluates inbound traffic targeting its SCADA management interface. During testing, the red team introduces carefully crafted packets that adhere to known protocol standards but contain payload sequences previously identified in documented exploit repositories.

The monitoring system immediately flags the activity because it matches patterns stored in its internal threat database. However, when the team slightly modifies the exploit sequence while preserving its overall malicious intent, the alerts are no longer triggered.

Based on this behavior, which intrusion detection method is most likely deployed in this environment?

Options:

A.

Protocol Anomaly Detection

B.

Anomaly Detection

C.

Stateful Protocol Analysis

D.

Signature Recognition

Question 157

A system’s audit logs are not centralized. Which attack phase is hardest to detect?

Options:

A.

Initial access

B.

Lateral movement

C.

Delivery

D.

Recon

Question 158

A penetration tester is attempting to gain access to a wireless network that is secured with WPA2 encryption. The tester successfully captures the WPA2 handshake but now needs to crack the pre-shared key. What is the most effective method to proceed?

Options:

A.

Perform a brute-force attack using common passwords against the captured handshake

B.

Use a dictionary attack against the captured WPA2 handshake to crack the key

C.

Execute a SQL injection attack on the router ' s login page

D.

Conduct a de-authentication attack to disconnect all clients from the network

Question 159

Lily, a network security analyst at a regional healthcare provider, is preparing defenses ahead of a scheduled external vulnerability assessment. During internal simulation drills, she observes that scanners are successfully identifying open ports and service banners across critical systems. Tasked with reducing exposure to such reconnaissance efforts, Lily is instructed to apply measures that specifically hinder port scanning activity without disrupting legitimate traffic.

Which of the following actions should Lily implement?

Options:

Question 160

In the rainy streets of Portland, Oregon, ethical hacker Ethan Brooks delves into the security layers of ShopSwift, a US-based e-commerce platform reeling from a recent data breach. Tasked with uncovering the method behind unauthorized account takeovers, Ethan examines login patterns across the platform ' s user base. His investigation reveals a surge of automated login activity across multiple accounts, with a suspiciously high success rate. Determined to trace the root cause, Ethan compiles a detailed log to assist ShopSwift ' s security team in restoring trust.

Which attack method is Ethan most likely uncovering in ShopSwift’s authentication system?

Options:

A.

Password Spraying

B.

Brute Force Attack

C.

Credential Stuffing

D.

Phishing Attacks

Question 161

A company hires a hacker to test its network security by simulating real-world attacks. The hacker has permission and operates within legal boundaries. What is this type of hacker called?

Options:

A.

Script Kiddie

B.

Black Hat Hacker

C.

Grey Hat Hacker

D.

White Hat Hacker

Question 162

A financial technology firm in Atlanta, Georgia launches an internal investigation after multiple employees report that a popular messaging application on their Android devices has begun displaying excessive advertisements and behaving unpredictably. Security analysts discover that users had installed a utility application from a third-party marketplace weeks earlier. Further examination shows that this application silently replaced certain legitimate apps already present on the device. The compromised applications were then used to generate large volumes of advertisements and collect user data for external transmission. Based on the observed behavior, what malware is most consistent with this incident?

Options:

A.

Mamo

B.

Pegasus

C.

Agent Smith

D.

GoldPickaxe

Question 163

The tools which receive event logs from servers, network equipment, and applications, and perform analysis and correlation on those logs, and can generate alarms for security relevant issues, are known as what?

Options:

A.

Intrusion Prevention Server

B.

Security Incident and Event Monitoring

C.

Network Sniffer

D.

Vulnerability Scanner

Question 164

In downtown Chicago, Illinois, security analyst Mia Torres investigates a breach at Windy City Enterprises, a logistics firm running an Apache HTTP Server. The attacker exploited a known vulnerability in an outdated version, gaining unauthorized access to customer shipment data. Mia’s analysis reveals the server lacked recent security updates, leaving it susceptible to remote code execution. Determined to prevent future incidents, Mia recommends a strategy to the IT team to address this exposure.

Which approach should Mia recommend to secure Windy City Enterprises ' Apache HTTP Server against such vulnerabilities?

Options:

A.

Eliminate unnecessary files within the jar files

B.

Block all unnecessary ports, ICMP traffic, and unnecessary protocols such as NetBIOS and SMB

C.

Use a dedicated machine as a web server

D.

Conduct an extensive risk assessment to determine which segments of the network are most vulnerable or at high risk that need to be patched first

Question 165

A financial clearinghouse in Newark, New Jersey, initiated a structured vulnerability review across its enterprise servers. The scanning platform was configured to collect detailed information about installed updates, local security configurations, and system policy settings on each target machine. The resulting report contained granular host-level findings, including configuration inconsistencies and patch gaps that required direct system-level inspection to obtain. Based on the activity described, what type of vulnerability scanning is being performed?

Options:

A.

Automated Scanning

B.

Non-Credentialed Scanning

C.

Application Scanning

D.

Credentialed Scanning

Question 166

You are instructed to perform a TCP NULL scan. In the context of TCP NULL scanning, which response indicates that a port on the target system is closed?

Options:

A.

ICMP error message

B.

TCP SYN/ACK packet

C.

No response

D.

TCP RST packet

Question 167

You are Noah Kim, an ethical hacker at Quantum Cyber Solutions, hired to test the mobile device security of TechTrend Innovations, a tech firm in Austin, Texas. During a covert assessment, your objective is to simulate an attacker attempting to gain privileged access to an iPhone 12 running iOS 14.5 used for proprietary app development. You apply a jailbreaking technique that allows the device to fully restart without requiring a computer, maintaining a patched kernel and enabling access to sensitive app data in the file system. Based on this method, which iOS jailbreaking technique are you using?

Options:

A.

Semi-tethered jailbreaking

B.

Untethered jailbreaking

C.

Semi-untethered jailbreaking

D.

Tethered jailbreaking

Question 168

During a red team assessment at a university in Chicago, Jake, a penetration tester, scans a group of older Windows workstations in the administration department. On several hosts, he notices traffic on UDP ports 137 and 138 as well as an open TCP port 139. Curious, he uses a utility to query the name table and session services. Within moments, he collects information including machine names, logged-in usernames, and available shared folders without authentication.

Which enumeration method is being demonstrated in this scenario?

Options:

A.

NFS Enumeration

B.

NetBIOS Enumeration

C.

SMB Enumeration

D.

SNMP Enumeration

Question 169

Which vulnerability exploits memory corruption?

Options:

A.

XSS

B.

Buffer overflow

C.

CSRF

D.

SQLi

Question 170

A penetration tester is evaluating a secure web application that uses HTTPS, secure cookie flags, and regenerates session IDs only during specific user actions. To hijack a legitimate user ' s session without triggering security alerts, which advanced session hijacking technique should the tester employ?

Options:

A.

Perform a man-in-the-middle attack by exploiting certificate vulnerabilities

B.

Use a session fixation attack by setting a known session ID before the user logs in

C.

Conduct a session token prediction attack by analyzing session ID patterns

D.

Implement a Cross-Site Scripting (XSS) attack to steal session tokens

Question 171

In a highly secure online banking environment, customers report unauthorized access to their accounts despite robust authentication controls. Investigation reveals attackers are using advanced session hijacking techniques to perform fraudulent transactions. Which advanced session-hijacking attack, resembling a scenario-based attack, presents the greatest challenge to detect and mitigate?

Options:

A.

Covert Cross-Site Scripting (XSS) attack injecting malicious scripts into banking pages

B.

Man-in-the-Browser (MitB) attack using malicious browser extensions to intercept sessions

C.

Session fixation attack manipulating HTTP session identifiers

D.

Passive sniffing attack capturing encrypted session tokens over unsecured Wi-Fi

Question 172

During a penetration test at a shipping company in Miami, ethical hacker Daniel delivers a disguised email attachment containing a hidden payload. Once executed by employees, the compromised workstations begin to silently communicate with a remote server under Daniel’s control. Over the following week, he confirms that multiple infected endpoints can receive synchronized commands and perform background tasks simultaneously, including sending bursts of outbound traffic on demand.

Which type of malicious component is Daniel most likely simulating in this assessment?

Options:

A.

Spyware

B.

Botnet Agents

C.

Scareware

D.

Potentially Unwanted Applications (PUAs)

Question 173

A penetration tester is tasked with assessing the security of an Android mobile application that stores sensitive user data. The tester finds that the application does not use proper encryption to secure data at rest. What is the most effective way to exploit this vulnerability?

Options:

A.

Access the local storage to retrieve sensitive data directly from the device

B.

Use SQL injection to retrieve sensitive data from the backend server

C.

Execute a Cross-Site Scripting (XSS) attack to steal session cookies

D.

Perform a brute-force attack on the application ' s login credentials

Question 174

You are Riley, an incident responder at NovaEx Crypto in San Antonio, Texas, tasked with investigating a recent double-spend reported by a retail merchant that accepts the exchange ' s token. Your telemetry shows that a reseller node used by the merchant received blocks only from a small, fixed set of peers for several hours and accepted a conflicting history that later allowed the attacker to reverse a confirmed payment. The attacker appears to have controlled which peers that node communicated with and supplied it a private chain until they were ready to reveal it. Which blockchain attack does this behavior most closely describe?

Options:

A.

Finney Attack

B.

DeFi Sandwich Attack

C.

51% Attack

D.

Eclipse Attack

Question 175

During a physical penetration test simulating a social engineering attack, a threat actor walks into the lobby of a target organization dressed as a field technician from a known external vendor. Carrying a fake ID badge and referencing a known company name, the attacker confidently claims they’ve been dispatched to perform a routine server room upgrade. Using internal-sounding terminology and referencing real employee names gathered via OSINT, the individual conveys urgency. The receptionist, recognizing the vendor name and the convincing language, allows access without verifying the credentials.

Options:

A.

Perceived authority and reliance on third-party familiarity

B.

Leaked credentials on public networks and forums

C.

Trust in physical security logs used by security teams

D.

Misconfigured network segmentation allowing unauthorized access

Question 176

During an internal audit at a financial services firm in Mumbai, ethical hacker Meera was tasked with assessing lateral movement risks within the Windows-based domain environment. While monitoring internal network traffic, she noticed a strange broadcast from a workstation trying to resolve a non-existent host. Suspecting protocol-level weakness, she responded swiftly using a pre-configured system. A few minutes later, she captured NTLMv2 hashes from several authenticated sessions across multiple departments. Later, her team successfully cracked one of the hashes offline and used the credentials to gain access to a sensitive internal reporting server. Which type of attack did Meera most likely execute?

Options:

A.

Internal Monologue Attack

B.

LLMNR/NBT-NS Poisoning

C.

Kerberoasting

D.

Pass-the-Ticket Attack

Question 177

In a bustling tech firm in Seattle, Michael, an ethical hacker, is conducting a security assessment to identify potential risks. During his evaluation, he notices that sensitive employee details and system configurations have been exposed through public forums, likely due to careless online behavior. His manager suspects this could lead to unauthorized access or data theft. As part of his testing, what type of threat should Michael focus on to simulate the adversary ' s method of gathering this exposed information?

Options:

A.

Corporate Espionage

B.

Social Engineering

C.

System and Network Attacks

D.

Information Leakage

Question 178

During an investigation, an ethical hacker discovers that a web application’s API has been compromised, leading to unauthorized access and data manipulation. The attacker is using webhooks and a webshell. To prevent further exploitation, which of the following actions should be taken?

Options:

A.

Implement a Web Application Firewall (WAF) with rules to block webshell traffic and increase the logging verbosity of webhooks.

B.

Perform regular code reviews for the webhooks and modify the API to block connections from unknown IP addresses.

C.

Harden the web server security, add multi-factor authentication for API users, and restrict the execution of scripts server-side.

D.

Implement input validation on all API endpoints, review webhook payloads, and schedule regular scanning for webshells.

Question 179

During a recent security assessment, you discover the organization has one Domain Name Server (DNS) in a Demilitarized Zone (DMZ) and a second DNS server on the internal network. What is this type of DNS configuration commonly called?

Options:

A.

DNS Scheme

B.

DNSSEC

C.

DynDNS

D.

Split DNS

Question 180

A DNS server responds with different IP addresses rapidly for the same domain, pointing to constantly changing hosts. What technique is being used?

Options:

A.

DNS tunneling

B.

DNS poisoning

C.

Fast flux

D.

Zone transfer

Question 181

Which address translation scheme would allow a single public IP address to always correspond to a single machine on an internal network, allowing " server publishing " ?

Options:

A.

Static Network Address Translation

B.

Overloading Port Address Translation

C.

Address Translation

D.

Dynamic Network

E.

Dynamic Port Address Translation

Question 182

Encrypted session tokens vary in length, indicating inconsistent encryption strength. What is the best mitigation?

Options:

A.

Rotate keys frequently

B.

Enforce MFA for privileged users

C.

Implement uniform encryption strength

D.

Centralized logging

Question 183

Which of the following best describes an attack that altered the contents of two critical files?

Options:

A.

Availability

B.

Authentication

C.

Confidentially

D.

Integrity

Question 184

A penetration tester is tasked with mapping an organization ' s network while avoiding detection by sophisticated intrusion detection systems (IDS). The organization employs advanced IDS capable of recognizing common scanning patterns. Which scanning technique should the tester use to effectively discover live hosts and open ports without triggering the IDS?

Options:

A.

Execute a FIN scan by sending TCP packets with the FIN flag set

B.

Use an Idle scan leveraging a third-party zombie host

C.

Conduct a TCP Connect scan using randomized port sequences

D.

Perform an ICMP Echo scan to ping all network devices

Question 185

The configuration allows a wired or wireless network interface controller to pass all traffic it receives to the Central Processing Unit (CPU), rather than passing only the frames that the controller is intended to receive. Which of the following is being described?

Options:

A.

Promiscuous mode

B.

Port forwarding

C.

WEM

D.

Multi-cast mode

Question 186

An attacker performs DNS cache snooping using the dig command with the +norecurse flag against a known DNS server. The server returns NOERROR but provides no answer to the query. What does this most likely suggest?

Options:

A.

The record was found in the DNS cache and successfully returned.

B.

The DNS server failed to resolve the request.

C.

No client from the DNS server’s network has recently accessed the queried domain.

D.

The queried domain has expired and no longer exists.

Question 187

A Java app uses outdated libraries with known CVEs. What risk does this create?

Options:

A.

CSRF

B.

DoS

C.

Supply chain risk

D.

XSS

Question 188

Which WPA vulnerability allowed packet injection and decryption attacks?

Options:

A.

Lack of AES encryption

B.

Predictable GTK

C.

Weak Initialization Vectors (IVs)

D.

Weak passwords

Question 189

During a social engineering simulation at BrightPath Consulting in Denver, ethical hacker Liam emails employees a message that appears to come from the company’s security team. The email urgently warns that “all systems will shut down within 24 hours” unless staff download a patch from a provided link. The message is deliberately false and contains no actual malware, but it causes confusion and prompts several employees to call IT for clarification.

Which social engineering technique is Liam demonstrating?

Options:

Question 190

During a penetration test for a global e-commerce platform in Dallas, ethical hacker Maria simulates a large-scale DoS campaign. Instead of sending attack traffic directly, she forges requests to multiple open services across the internet. These services unknowingly reply to the victim system, multiplying the amount of traffic hitting the target. Within minutes, the victim ' s server is overwhelmed by a flood of responses, even though Maria ' s own machine generated only a small amount of traffic.

Which attack technique is Maria most likely demonstrating?

Options:

A.

Smurf Attack

B.

Distributed Reflection Denial-of-Service (DRDoS)

C.

Botnet

D.

NTP Amplification Attack

Question 191

Ethical hacker Ryan Brooks, a skilled penetration tester from Austin, Texas, was hired by Skyline Aeronautics, a leading aerospace firm in Denver, to conduct a security assessment. One stormy morning, Ryan noticed an unexpected lag in the routine system update process while running his tests, sparking his curiosity. During a late-night session, he observed a junior analyst, Chris Miller, cautiously modifying a legacy server’s configuration, including a scheduled task set to a specific date. The lead developer, Jessica Hayes, casually mentioned receiving an odd email from an unfamiliar source, which she ignored as clutter. As Ryan probed deeper, he detected a faint increase in network activity only after the scheduled date passed, and a systems admin, Mark Thompson, quickly pointed out some unusual code traces on a dormant workstation.

Which type of threat best characterizes this attack?

Options:

A.

Logic Bomb

B.

Fileless Malware

C.

Advanced Persistent Threat APT

D.

Ransomware

Question 192

A penetration tester discovers that a web application is using outdated SSL/TLS protocols (TLS 1.0) to secure communication. What is the most effective way to exploit this vulnerability?

Options:

A.

Conduct a Cross-Site Scripting (XSS) attack on the application

B.

Use a man-in-the-middle (MitM) attack to intercept and decrypt traffic

C.

Perform a brute-force attack on the SSL/TLS handshake

D.

Execute a SQL injection attack on the application ' s backend

Question 193

During enumeration, a tool sends requests to UDP port 161 and retrieves a large list of installed software due to a publicly known community string. What enabled this technique to work so effectively?

Options:

A.

Unencrypted FTP services storing software data

B.

The SNMP agent allowed anonymous bulk data queries due to default settings

C.

Remote access to encrypted Windows registry keys

D.

SNMP trap messages logged in plain text

Question 194

A technology consulting firm in Portland, Oregon began experiencing repeated topology recalculations across its switching infrastructure. Shortly after a newly connected device came online in a conference room, spanning-tree convergence events were triggered across multiple distribution switches. Engineers determined that the access-layer interface connected to that device was influencing path-selection decisions, introducing a more favorable bridge priority value into the environment and affecting the established hierarchy. To preserve the intended switching structure and prevent unauthorized devices from altering root selection decisions, which control should be employed?

Options:

A.

Configuring Loop Guard on non-designated ports

B.

Activating UDLD (Unidirectional Link Detection) on uplinks

C.

Applying Root Guard on designated interfaces

D.

Enabling BPDU Guard on edge ports

Question 195

A web application returns generic error messages. The analyst submits AND 1=1 and AND 1=2 and observes different responses. What type of injection is being tested?

Options:

A.

UNION-based SQL injection

B.

Error-based SQL injection

C.

Boolean-based blind SQL injection

D.

Time-based blind SQL injection

Question 196

A private equity firm in Minneapolis, Minnesota allows employees to access internal reporting tools from their personally owned smartphones under its BYOD program. During a routine security assessment, a consultant observes that when an employee leaves their unlocked phone unattended, a colleague can immediately open the firm’s financial application and review client investment records without any additional verification step inside the application.

The operating system itself requires a passcode to unlock the device, but once unlocked, corporate applications open directly to sensitive dashboards.

Identify the BYOD security guideline that would directly mitigate this exposure.

Options:

A.

Use Encryption Mechanism to Store Data

B.

Set a Strong Passcode on the Device and Change It Relatively Often

C.

Maintain a Clear Separation between Business and Personal Data

D.

Set Passwords for Apps to Restrict Others from Accessing Them

Question 197

You discover multiple NetBIOS responses during an nbtscan, but only one host returns a < 1B > entry. What does this indicate?

Options:

A.

It is the local system

B.

It is a rogue DHCP server

C.

It is the domain master browser / Primary Domain Controller (PDC)

D.

NetBIOS over TCP/IP is disabled

Question 198

A penetration tester is investigating a web server that allows unrestricted file uploads without validating file types. Which technique should be used to exploit this vulnerability and potentially gain control of the server?

Options:

A.

Perform a SQL injection attack to extract sensitive database information

B.

Upload a shell script disguised as an image file to execute commands on the server

C.

Conduct a brute-force attack on the server ' s FTP service to gain access

D.

Use a Cross-Site Scripting (XSS) attack to steal user session cookies

Question 199

Bob is doing a password assessment for one of his clients. Bob suspects that security policies are not in place. He also suspects that weak passwords are probably the norm throughout the company he is evaluating. Bob is familiar with password weaknesses and key loggers. Which of the following options best represents the means that Bob can adopt to retrieve passwords from his clients hosts and servers?

Options:

A.

Software only, they are the most effective.

B.

Hardware and Software Keyloggers.

C.

Passwords are always best obtained using Hardware key loggers.

D.

Hardware, Software, and Sniffing.

Question 200

During a security review, you have discovered that there are no documented security policies for the area you are assessing. Which of the following would be the most appropriate course of action?

Options:

A.

Create policies while testing

B.

Stop the audit

C.

Identify and evaluate current practices

D.

Increase the level of testing

Question 201

Under the neon glow of Seattle ' s skyline, ethical hacker Elena Vasquez slips into her role as a cybersecurity consultant for Cascade Financial ' s online banking platform. Tasked with probing the web server ' s defenses, Elena simulates a series of rapid login attempts to the admin portal. She notes that the system allows unlimited tries without locking the account, exposing a gap that could invite relentless password-guessing attacks. Determined to safeguard the bank ' s assets, Elena drafts a recommendation to fortify the server ' s authentication process against such threats.

What countermeasure should Elena recommend to strengthen Cascade Financial ' s web server against the vulnerability identified?

Options:

A.

Implement 2FA or MFA

B.

Force users to periodically change passwords

C.

Use CAPTCHA challenges on login and registration pages

D.

Use strong, one-way hashing algorithms such as bcrypt, scrypt, or Argon2

Question 202

You are an ethical hacker at CyberShield Analytics, hired by Coastal Education Services, a tutoring platform in Miami, Florida, to test the security of their student portal. While probing the portal ' s course enrollment page, you input a crafted value into the course ID field, appending a condition that checks if the first character of the database name is a specific value. The application does not display error messages or additional data, but the page takes significantly longer to load when the condition evaluates to true, indicating a deliberate delay.

Based on the observed behavior, which SQL injection technique are you employing?

Options:

A.

Boolean exploitation

B.

Time-based blind SQL injection

C.

UNION SQL injection

D.

Error-based SQL injection

Question 203

During a red team exercise at a technology consulting firm in San Francisco, analyst Evelyn deploys a malicious payload disguised within a software update installer. When the target runs the installer, the main application functions normally, but behind the scenes, additional malware components are silently placed on the system without the user ' s knowledge. These hidden components later activate to establish remote access for the red team.

Which technique was most likely used to deliver the hidden malware?

Options:

A.

Downloader

B.

Wrapper

C.

Injector

D.

Dropper

Question 204

On 10th of July this year, during a security penetration test at IntelliCore Systems in Raleigh, North Carolina, the ethical hacking team evaluates the stability of the company’s file-sharing server. Sofia crafts and transmits a sequence of oversized, malformed packets designed to test how the server handles unexpected input. Shortly after, the system begins crashing intermittently due to processing failures triggered by these anomalous network requests. The security team onsite is tasked with identifying the root cause behind the packet-induced instability and attributing it to a known DoS tactic.

Which of the following best explains the technique Sofia used to trigger the server crashes?

Options:

A.

ICMP Flood Attack

B.

Ping of Death PoD

C.

Smurf Attack

D.

ACK Flood Attack

Question 205

During an internal assessment, a penetration tester gains access to a hash dump containing NTLM password hashes from a compromised Windows system. To crack the passwords efficiently, the tester uses a high-performance CPU setup with Hashcat, attempting millions of password combinations per second. Which technique is being optimized in this scenario?

Options:

A.

Spoof NetBIOS to impersonate a file server

B.

Leverage hardware acceleration for cracking speed

C.

Dump SAM contents for offline password retrieval

D.

Exploit dictionary rules with appended symbols

Question 206

A state benefits processing platform in Sacramento, California, implemented a multi-step identity verification process before granting access to sensitive citizen records. During a controlled assessment, security analyst Daniel Kim observed that by altering specific request parameters within the transaction sequence, it was possible to bypass an intermediate verification stage and retrieve restricted account data.

Further analysis revealed that the authentication workflow advanced through sequential client-driven interactions, but the server did not enforce strict validation of completion for each required stage before granting access.

Based on the scenario, which vulnerability classification best describes the issue identified?

Options:

A.

Poor Patch Management

B.

Design Flaws

C.

Application Flaws

D.

Misconfigurations / Weak Configurations

Question 207

A penetration tester suspects that the web application ' s " Order History " page is vulnerable to SQL injection because it displays user orders based on an unprotected user ID parameter in the URL. What is the most appropriate approach to test this?

Options:

A.

Inject JavaScript into the URL parameter to test for Cross-Site Scripting (XSS)

B.

Modify the URL parameter to userID=1 OR 1=1 and observe if all orders are displayed

C.

Perform a directory traversal attack to access sensitive system files

D.

Use a brute-force attack on the login form to identify valid user credentials

Question 208

“ShadowFlee” is fileless malware using PowerShell and legitimate tools. Which strategy offers the most focused countermeasure?

Options:

A.

Restrict and monitor script and system tool execution

B.

Isolate systems and inspect traffic

C.

Schedule frequent reboots

D.

Clean temporary folders

Question 209

You are a security analyst at Sentinel Cyber Group, monitoring the web portal of Aspen Valley Bank in Salt Lake City, Utah. During log review, you notice repeated attempts by attackers to inject malicious strings into the login fields. However, despite these attempts, the application executes queries safely without altering their logic, since user inputs are kept separate from the SQL statements and bound as fixed values before execution.

Based on the observed defense mechanism, which SQL injection countermeasure is the application employing?

Options:

A.

Perform user input validation

B.

Restrict database access

C.

Encoding the single quote

D.

Use parameterized queries or prepared statements

Question 210

Bluetooth devices are suspected of being targeted by a Bluesnarfing attack. What is the most effective countermeasure?

Options:

A.

Disable discoverable mode

B.

Update firmware regularly

C.

Increase Bluetooth PIN complexity

D.

Encrypt Bluetooth traffic

Question 211

During a penetration test at IntelliCore Systems in Raleigh, North Carolina, ethical hacker Javier directs a wave of repetitive web requests against the company ' s portal that overloads backend scripts which process search queries and form submissions. As a result, legitimate customers experience long delays and occasional timeouts while attempting to log in or complete transactions.

Which DoS/DDoS technique is Javier most likely demonstrating?

Options:

A.

Slowloris

B.

UDP Flood

C.

Peer-to-Peer Attack

D.

HTTP GET/POST Attack

Question 212

During a late-night shift at IronWave Logistics in Seattle, cybersecurity analyst Marcus Chen notices a pattern of high-port outbound traffic from over a dozen internal machines to a previously unseen external IP. Each system had recently received a disguised shipping report, which, when opened, initiated a process that spread autonomously to other workstations using shared folders and stolen credentials. Upon investigation, Marcus discovers that the machines now contain hidden executables that silently accept remote instructions and occasionally trigger coordinated background tasks. The compromised endpoints are behaving like zombies, and malware analysts confirm that the payload used worm-like propagation to deliver a backdoor component across the network.

Which is the most likely objective behind this attack?

Options:

A.

To exfiltrate sensitive information and tracking data

B.

To execute a ransomware payload and encrypt all data

C.

To establish a botnet for remote command and control

D.

To deploy a Remote Access Trojan (RAT) for stealthy surveillance

Question 213

During a red team exercise, a Certified Ethical Hacker (CEH) is attempting to exploit a potential vulnerability in a target organization’s web server. The CEH has completed the information gathering and footprinting phases and has mirrored the website for offline analysis. It has also been discovered that the server is vulnerable to session hijacking. Which of the following steps is most likely to be part of a successful attack methodology while minimizing the possibility of detection?

Options:

A.

Hijack an active session and immediately modify server configuration files.

B.

Attempt SQL injection to extract sensitive database information.

C.

Perform vulnerability scanning using automated tools to identify additional weaknesses.

D.

Launch a direct brute-force attack to crack the server’s administrative password.

Question 214

At a Chicago-based healthcare provider, security engineer Emily reviews the migration of critical applications to a cloud service. During her evaluation, she notes that administrators can provision new servers, increase storage, and expand compute power instantly through a web dashboard without any manual involvement from the cloud provider. Which NIST-defined characteristic of cloud computing best explains this capability?

Options:

A.

On-demand self-service

B.

Measured service

C.

Resource pooling

D.

Broad network access

Question 215

Cyber experts conducting covert missions exclusively for national interests are best classified as:

Options:

A.

State-sponsored hackers

B.

Organized hackers

C.

Gray hat hackers

D.

Hacktivists

Question 216

During a red team assessment of a multinational financial firm, you are tasked with identifying key personnel across various departments and correlating their digital footprints to evaluate exposure risk. Your objective includes mapping user aliases across platforms, identifying geotagged media, and pinpointing potential insider threats based on social posting behavior.

The team has shortlisted multiple tools for the task. Considering the technical capabilities and limitations described in the approved reconnaissance toolkit, which tool provides cross-platform username correlation by scanning hundreds of social networking sites, but does not natively support geolocation tracking or visualizing identity relationships?

Options:

A.

Maltego

B.

Creepy

C.

Sherlock

D.

Social Searcher

Question 217

During an internal red team simulation at a global insurance provider, Joe, a senior SOC analyst, is assigned to verify a surge in anomalous SYN packets targeting the perimeter firewall. The result of spoofed traffic. The organization has ruled out DNS poisoning and malformed header issues. Joe must now analyze packet behavior in real-time to determine authenticity without relying on host-level authentication. To identify spoofed traffic using techniques aligned with best practices taught in the organization, which approach should Joe take?

Options:

Question 218

During a penetration test at Rocky Mountain Insurance in Denver, ethical hacker Sophia Nguyen attempts to evade detection by fragmenting malicious traffic into smaller packets. The IT security team counters her strategy with a system that monitors traffic for deviations from established baselines, flagging behavior that does not match normal network activity. This allows them to stop Sophia’s evasion attempts in real time.

Which detection technique is the IT team most likely using in this case?

Options:

A.

Deep Packet Inspection

B.

Stateful Packet Inspection

C.

Signature-Based Detection

D.

Anomaly-Based Detection

Question 219

Which advanced mobile attack is hardest to detect and mitigate?

Options:

A.

Mobile MitM

B.

Jailbreaking/Rooting

C.

Mobile Remote Access Trojan (RAT)

D.

Clickjacking

Question 220

A penetration tester is testing a web application ' s product search feature, which takes user input and queries the database. The tester suspects inadequate input sanitization. What is the best approach to confirm the presence of SQL injection?

Options:

A.

Inject a script to test for Cross-Site Scripting (XSS)

B.

Input DROP TABLE products; -- to see if the table is deleted

C.

Enter 1 ' OR ' 1 ' = ' 1 to check if all products are returned

D.

Use directory traversal syntax to access restricted files on the server

Question 221

While simulating a reconnaissance phase against a cloud-hosted retail application, your team attempts to gather DNS records to map the infrastructure. You avoid brute-forcing subdomains and instead aim to collect specific details such as the domain’s mail server, authoritative name servers, and potential administrative information such as serial number and refresh interval.

Given these goals, which DNS record type should you query to extract both administrative and technical metadata about the target zone?

Options:

A.

TXT

B.

MX

C.

NS

D.

SOA

Question 222

You have gone to an organization’s website to gather information, such as employee names, email addresses, and phone numbers. Which step of the hacker’s methodology does this correspond to?

Options:

A.

Fingerprinting

B.

Reconnaissance

C.

Scanning and enumeration

D.

Gaining access

Question 223

During an authorized engagement at IronClad Financial Services in Charlotte, the red team successfully exploits a weakness and obtains administrative access to a critical server. After achieving this objective, the team installs a backdoor mechanism to ensure continued access even if the original vulnerability is remediated. The team documents this activity as part of demonstrating long-term adversary behavior within the approved scope.

Within the CEH ethical hacking framework, which phase does this activity represent?

Options:

A.

Reconnaissance

B.

Vulnerability Scanning

C.

Maintaining Access

D.

Clearing Tracks

Question 224

A critical flaw exists in a cloud provider’s API. What is the most likely threat?

Options:

A.

Physical security breaches

B.

Unauthorized access to cloud resources

C.

DDoS attacks

D.

Compromise of encrypted data at rest

Question 225

In Portland, Oregon, ethical hacker Olivia Harper is hired by Cascade Biotech to test the security of their research network. During her penetration test, she simulates an attack by sending malicious packets to a server hosting sensitive genetic data. To evade detection, she needs to understand the monitoring system deployed near the network’s perimeter firewall, which analyzes incoming and outgoing traffic for suspicious patterns across the entire subnet. Olivia’s goal is to bypass this system to highlight vulnerabilities for the security team.

Which security system is Olivia attempting to bypass during her penetration test of Cascade Biotech’s network?

Options:

A.

Network-Based Intrusion Detection System

B.

Host-Based Firewalls

C.

Network-Based Firewalls

D.

Host-Based Intrusion Detection System

Question 226

While simulating a reconnaissance phase against a cloud-hosted retail application, your team attempts to gather DNS records to map the infrastructure. You avoid brute-forcing subdomains and instead aim to collect specific details such as the domain’s mail server, authoritative name servers, and potential administrative information like serial number and refresh interval.

Given these goals, which DNS record type should you query to extract both administrative and technical metadata about the target zone?

Options:

A.

MX

B.

SOA

C.

TXT

D.

NS

Question 227

Malware infecting multiple systems remains dormant until triggered and changes its code or encryption with each infection to evade detection. Which malware type best fits this description, and what is the most effective mitigation?

Options:

A.

Rootkit – use anti-rootkit tools and patch systems

B.

Adware – deploy anti-adware tools and train users

C.

Worm – isolate infected systems and scan the network

D.

Polymorphic malware – use behavior-based detection and ensure systems are patched

Question 228

During an internal security assessment of a medium-sized enterprise network, a security analyst notices an unusual spike in ARP traffic. Closer inspection reveals that one particular MAC address is associated with multiple IP addresses across different subnets. The ARP packets were unsolicited replies rather than requests, and several employees from different departments have reported intermittent connection drops, failed logins, and broken intranet sessions. The analyst suspects an intentional interference on the local network segment. What is the most likely cause of this abnormal behavior?

Options:

A.

ARP poisoning causing routing inconsistencies

B.

DHCP snooping improperly configured

C.

Legitimate ARP table refresh on all clients

D.

Port security restricting all outbound MAC responses

Question 229

Attackers abused Android Debug Bridge (ADB) to issue unauthorized commands. What is the strongest countermeasure?

Options:

A.

Enforce VPN usage

B.

Adopt biometric authentication

C.

Disable ADB except in strictly controlled environments

D.

Frequently update MDM systems

Question 230

Clark is a talented coder and as such has found a vulnerability in a well-known application. Unconcerned about the ethics of the situation, he has developed an exploit that can leverage this unknown vulnerability. Based on this information, which of the following is most correct?

Options:

A.

Clark has violated U.S. Code Section 1027.

B.

Clark has developed a zero-day.

C.

Clark is a suicide hacker.

D.

Clark is a white hat hacker.

Question 231

The establishment of a TCP connection involves a negotiation called three-way handshake. What type of message does the client send to the server in order to begin this negotiation?

Options:

A.

RST

B.

ACK

C.

SYN-ACK

D.

SYN

Question 232

You are Alex, a forensic responder at HarborHealth in Seattle, Washington. During a live incident response you must secure an enterprise Windows server ' s system partition and attached data volumes without rebooting user machines or disrupting domain authentication. The IT team prefers a solution that integrates with Windows platform features (including hardware-backed startup protection and centralized key escrow via Active Directory/management policies) and provides transparent full-disk protection for the OS volume. Which disk-encryption solution should you deploy?

Options:

A.

FileVault

B.

BitLocker Drive Encryption

C.

VeraCrypt

D.

Rohos Disk Encryption

Question 233

Olivia works as a senior red team specialist at SecureMatrix Labs in Portland, Oregon. During a controlled adversarial simulation, she deployed a stealth persistence mechanism on a test workstation to evaluate advanced defensive detection capabilities.

After rebooting the system, the operating system continued to function normally, but subsequent investigation revealed that the OS was executing within an underlying control layer established before full system initialization. This layer intercepted low-level CPU instructions and mediated direct hardware interactions prior to their delivery to the operating system.

Which type of rootkit best describes the mechanism deployed in this scenario?

Options:

Question 234

A compromised endpoint communicates with C2 using DNS queries. What system-level indicator exists?

Options:

A.

DNS anomalies

B.

Memory leaks

C.

CPU spikes

D.

Disk usage

Question 235

At Norwest Freight Services, a rotating audit team is asked to evaluate host exposure across multiple departments following a suspected misconfiguration incident. Simon, a junior analyst working from a trusted subnet, initiates a network-wide scan using the default configuration profile of his assessment tool. The tool completes quickly but returns only partial insights such as open service ports and version banners while deeper registry settings, user policies, and missing patches remain unreported. Midway through the report review, Simon notices that system login prompts were never triggered during scanning, and no credential failures were logged in the SIEM.

Which type of vulnerability scan BEST explains the behavior observed in Simon’s assessment?

Options:

A.

Unauthenticated Scanning

B.

Authenticated Scanning

C.

Internal Scan

D.

Credentialed Scanning

Question 236

An attacker extracts the initial bytes from an encrypted file container and uses a tool to iterate through numeric combinations. What type of cryptanalytic technique is being utilized?

Options:

A.

Seek identical digests across hash outputs

B.

Test every possible password through automation

C.

Force encryption key through quantum solving

D.

Analyze output length to spot anomalies

Question 237

A new wireless client is configured to join a 802.11 network. This client uses the same hardware and software as many of the other clients on the network. The client can see the network, but cannot connect. A wireless packet sniffer shows that the Wireless Access Point (WAP) is not responding to the association requests being sent by the wireless client. What is a possible source of this problem?

Options:

A.

The WAP does not recognize the client ' s MAC address

B.

The client cannot see the SSID of the wireless network

C.

The wireless client is not configured to use DHCP

D.

Client is configured for the wrong channel

Question 238

A zero-day vulnerability is actively exploited in a critical web server, but no vendor patch is available. What should be the FIRST step to manage this risk?

Options:

A.

Shut down the server

B.

Apply a virtual patch using a WAF

C.

Perform regular backups and prepare IR plans

D.

Monitor for suspicious activity

Page: 1 / 80
Total 797 questions