ECCouncil 312-50v13 Certified Ethical Hacker Exam (CEHv13) Exam Practice Test

Total 797 questions

Certified Ethical Hacker Exam (CEHv13) Questions and Answers

Question 1

An organization authorizes a wireless penetration test to evaluate the resilience of its WPA2-protected network. The assigned ethical hacker prepares the wireless adapter for packet capture and begins monitoring traffic from a nearby access point.

To accelerate the assessment, the tester transmits crafted 802.11 frames that momentarily interrupt active client connections. Shortly afterward, new authentication exchanges are observed in the capture logs, providing the necessary material for subsequent analysis.

The activity described corresponds to which component of the Aircrack-ng suite?

Options:

A. airodump-ng
B. airmon-ng
C. aircrack-ng
D. aireplay-ng

Question 2

During a penetration test, an analyst repeatedly initiates TCP connections to a target host and records the sequence numbers returned in the SYN/ACK responses. By examining predictable or incremental patterns in these values, the analyst attempts to infer characteristics of the underlying operating system.

What OS fingerprinting attribute is being analyzed in this scenario?

Options:

A. TCP Timestamp Analysis
B. TCP Window Size
C. Initial Sequence Number (ISN)
D. Time to Live (TTL)

Question 3

A national e-commerce retailer experiences a sustained distributed attack that saturates its edge connectivity with high-volume traffic originating from thousands of globally dispersed hosts. Internal mitigation attempts such as ACL tuning and rate limiting fail to restore service stability.

After escalating the issue, the organization coordinates with its upstream connectivity provider, which begins rerouting inbound traffic through a large-scale filtering infrastructure capable of absorbing and scrubbing malicious traffic before forwarding legitimate requests back to the retailer’s network.

What defensive approach is being applied in this scenario?

Options:

A. Implementing RFC 3704 Filtering at the Network Edge
B. Enabling Cisco IPS Source IP Reputation Filtering
C. Leveraging DDoS Prevention Offerings from an ISP or DDoS Mitigation Service
D. Deploying Black Hole Filtering at the Routing Layer

Question 4

A Nessus scan reports a CVSS 9.0 SSH vulnerability allowing remote code execution. What should be immediately prioritized?

Options:

A. Apply the vendor patch and reboot during maintenance
B. Dismiss it as a false positive if unverified
C. Reroute SSH traffic to another server
D. Isolate the server, audit it, and apply patches

Question 5

A Linux server has world-writable cron directories. What can attackers achieve?

Options:

A. DoS
B. SQLi
C. XSS
D. Persistence

Question 6

By using a smart card and a PIN, you are using two-factor authentication that satisfies

Options:

A. Something you know and something you are
B. Something you have and something you know
C. Something you have and something you are
D. Something you are and something you remember

Question 7

A financial institution in San Francisco suffers a breach where attackers install malware that captures customer account credentials. The stolen data is then sold on underground forums for profit. No political or social statements are made, and the attackers remain anonymous while continuing to target similar organizations for financial gain. Based on this activity, what category of hacker is most likely responsible?

Options:

A. Black Hat hackers
B. Hacktivists
C. Script Kiddies
D. White Hat hackers

Question 8

You are Riley, an incident responder at NovaEx Crypto in San Antonio, Texas, tasked with investigating a recent double-spend reported by a retail merchant that accepts the exchange’s token. Your telemetry shows that a reseller node used by the merchant received blocks only from a small, fixed set of peers for several hours and accepted a conflicting history that later allowed the attacker to reverse a confirmed payment. The attacker appears to have controlled which peers that node communicated with and supplied it a private chain until they were ready to reveal it. Which blockchain attack does this behavior most closely describe?

Options:

A. Finney Attack
B. DeFi Sandwich Attack
C. 51% Attack
D. Eclipse Attack

Question 9

At a New York-based e-commerce company preparing for Black Friday sales, analyst Sarah evaluates cloud billing practices. She notices that the provider tracks compute hours, storage usage, and bandwidth consumption in detail, enabling the company to pay only for what is consumed while also supporting audits. Which cloud computing characteristic best explains this feature?

Options:

A. Measured service
B. Broad network access
C. On-demand self-service
D. Resource pooling

Question 10

A university’s online registration system is disrupted by a combined DNS reflection and HTTP Slowloris DDoS attack. Standard firewalls cannot mitigate the attack without blocking legitimate users. What is the best mitigation strategy?

Options:

A. Increase server bandwidth and implement basic rate limiting
B. Deploy an Intrusion Prevention System (IPS) with deep packet inspection
C. Configure the firewall to block all incoming DNS and HTTP requests
D. Utilize a hybrid DDoS mitigation service that offers both on-premises and cloud-based protection

Question 11

A company’s online service is under a multi-vector DoS attack using SYN floods and HTTP GET floods. Firewalls and IDS cannot stop the outage. What advanced defense should the company implement?

Options:

A. Configure the firewall to block all incoming SYN packets from external IPs
B. Use DDoS mitigation services that offer multi-layer protection
C. Deploy a Web Application Firewall (WAF) with anomaly detection
D. Increase server bandwidth and apply basic rate limiting

Question 12

A digital publishing firm in Charlotte, North Carolina, noticed suspicious probing activity against its public website. To proactively assess exposure, the security team initiated a focused scan of the company’s HTTP servers. The chosen tool examined server headers, identified installed web server software through file signatures and favicon analysis, checked for outdated components, and searched for potentially dangerous files and misconfigurations. The scan also supported SSL connections and generated exportable reports in multiple formats for documentation. Which vulnerability assessment tool most closely aligns with the capabilities described?

Options:

A. OpenVAS
B. Nessus
C. Qualys VM
D. Nikto

Question 13

Attackers persisted by modifying legitimate system utilities and services. What key step helps prevent similar threats?

Options:

A. Weekly off-site backups
B. Monitor file hashes of sensitive executables
C. Update antivirus and firewalls
D. Disable unused ports

Question 14

An IDS generates alerts during normal user activity. What is the most likely cause?

Options:

A. Firewall failure
B. IDS outdated
C. Excessive IDS sensitivity causing false positives
D. Users triggering protocols

Question 15

A penetration tester completes a vulnerability scan showing multiple low-risk findings and one high-risk vulnerability tied to outdated server software. What should the tester prioritize as the next step?

Options:

A. Perform a brute-force attack on the server to gain access
B. Ignore the high-risk vulnerability and proceed with testing other systems
C. Focus on exploiting the low-risk vulnerabilities first
D. Verify if the high-risk vulnerability is exploitable by checking for known exploits

Question 16

During a red team operation for XYZ Financial Services, security analyst Lily Jensen is assigned to scan a critical subnet that is protected by an IDS. Her initial scan attempt is immediately flagged and blocked. To evade detection while continuing reconnaissance, she adjusts the scanning configuration to include multiple spoofed IP addresses alongside her own. This makes it difficult for network defenses to isolate her real scanning activity, while still allowing her to receive accurate results.

Which scanning technique is Lily using?

Options:

A. SYN FIN Scanning
B. Source Routing
C. IP Spoofing
D. Decoy Scanning

Question 17

During a penetration test at Cascade Financial in Seattle, ethical hacker Elena Vasquez probes the input handling of the company’s web server. She discovers that a single crafted request is processed as two separate ones, allowing her to inject malicious data into the server’s communication. This type of attack falls into the same category of input validation flaws as cross-site scripting (XSS), cross-site request forgery (CSRF), and SQL injection. Which type of web server attack is Elena most likely demonstrating?

Options:

A. Password Cracking Attack
B. HTTP Response Splitting Attack
C. Directory Traversal Attack
D. Web Cache Poisoning Attack

Question 18

An employee finds a USB drive labeled “Employee Salary Info 2024” and plugs it into a company computer, causing erratic behavior. What type of social engineering attack is this?

Options:

A. Tempting the victim to engage with a malicious device using curiosity.
B. Impersonating a senior staff member to extract login credentials.
C. Using a discarded document to retrieve sensitive information.
D. Bypassing physical security by following an authorized employee.

Question 19

The establishment of a TCP connection involves a negotiation called the three-way handshake. What type of message does the client send to the server in order to begin this negotiation?

Options:

A. RST
B. ACK
C. SYN-ACK
D. SYN

Question 20

A penetration tester is assessing a web application that does not properly sanitize user input in the search field. The tester suspects the application is vulnerable to a SQL injection attack. Which approach should the tester take to confirm the vulnerability?

Options:

A. Use directory traversal in the search field to access sensitive files on the server
B. Input a SQL query such as `1 OR 1=1 --` into the search field to check for SQL injection
C. Perform a brute-force attack on the login page to identify weak passwords
D. Inject JavaScript into the search field to perform a Cross-Site Scripting (XSS) attack

Question 21

During a security assessment at Apex Technologies in Austin, Texas, the cybersecurity team identifies a high risk of social engineering attacks, including phishing, vishing, and baiting, targeting employees across departments. To strengthen defenses, the team plans to implement a countermeasure to reduce the likelihood of employees disclosing sensitive information. Which of the following countermeasures should Apex Technologies prioritize to mitigate the risk of social engineering attacks?

Options:

A. Conduct security awareness and training programs
B. Employees must verify the identity of individuals requesting information
C. Use two-factor authentication
D. Establish policies and procedures for handling sensitive information

Question 22

A corporation uses both hardware-based and cloud-based solutions to distribute incoming traffic and absorb DDoS attacks, ensuring legitimate requests remain unaffected. Which DDoS mitigation strategy is being utilized?

Options:

A. Black Hole Routing
B. Load Balancing
C. Sinkholing
D. Rate Limiting

Question 23

A major financial institution is experiencing persistent DoS attacks against online banking, disrupting transactions. Which sophisticated DoS technique poses the greatest challenge to detect and mitigate effectively, potentially jeopardizing service availability?

Options:

A. A synchronized Layer 3 Smurf attack flooding routers with ICMP echo requests
B. A distributed SQL injection attack against online banking database servers causing resource exhaustion
C. A zero-day buffer overflow exploit against the web server causing service unavailability via RCE
D. A coordinated UDP flood targeting authoritative DNS servers to disrupt domain resolution

Question 24

In the bustling financial hub of Charlotte, North Carolina, ethical hacker Raj Patel is contracted by TrustBank, a regional US bank, to evaluate their online loan application portal. On April 22, 2025, Raj tests a feature allowing customers to upload structured financial documents for loan processing. By submitting a specially crafted document, he triggers a response that exposes internal server file paths and sensitive configuration data, including database connection strings. The issue arises from the portal’s handling of external references in document parsing, not from response manipulation, authentication weaknesses, or undetected attack attempts. Raj compiles a detailed report to assist TrustBank’s security team in mitigating the vulnerability.

Which type of vulnerability is Raj most likely exploiting in TrustBank’s online loan application portal?

Options:

A. Identification and Authentication Failures
B. HTTP Response Splitting
C. XML External Entity (XXE) Injection
D. Security Logging and Monitoring Failures

Question 25

In Raleigh, North Carolina, ethical hacker Ethan Brooks is conducting a penetration test for Triangle FinTech, a rising financial startup. During his assessment, Ethan aims to bypass the company’s network security to access a restricted internal server. He crafts network packets to disguise his traffic as legitimate, forcing some TCP header information into subsequent packets to evade the firewall’s checks. His aim is to demonstrate how an attacker could slip past the security perimeter undetected, alerting the IT team to potential weaknesses.

Which technique is Ethan employing to bypass Triangle FinTech’s firewall during his penetration test?

Options:

A. Source Routing
B. Tiny Fragments
C. HTTP Tunneling
D. IP Address Spoofing

Question 26

While conducting a covert penetration test on a UNIX-based infrastructure, the tester decides to bypass intrusion detection systems by sending specially crafted TCP packets with an unusual set of flags enabled. These packets do not initiate or complete any TCP handshake. During the scan, the tester notices that when certain ports are probed, there is no response from the target, but for others, a TCP RST (reset) packet is received. The tester notes that this behavior consistently aligns with open and closed ports. Based on these observations, which scanning technique is most likely being used?

Options:

A. ACK flag scan to evaluate firewall behavior
B. TCP Connect scan to complete the three-way handshake
C. Xmas scan leveraging RFC 793 quirks
D. FIN scan using stealthy flag combinations

Question 27

What does DEP block?

Options:

A. Encryption
B. Logging
C. Execution in data memory
D. Scanning

Question 28

A regional healthcare provider in Portland, Oregon, recently migrated its patient scheduling portal to a new cloud platform. Within days, multiple patients reported that when searching online for the clinic’s appointment system, they were directed to a website that looked identical to the official portal. The fraudulent page appeared prominently in search engine results and prompted users to log in using their patient credentials. The URL closely resembled the legitimate domain name, and no internal DNS servers had been altered within the organization’s infrastructure. Security analysts later determined that the attacker had created a convincing replica of the portal and manipulated search visibility so that unsuspecting users would voluntarily navigate to the malicious site. Which type of social engineering technique best explains this attack?

Options:

A. Whaling
B. Pharming
C. Spear Phishing
D. Search Engine Phishing

Question 29

Customer data in a cloud environment was exposed due to an unknown vulnerability. What is the most likely cause?

Options:

A. Misconfigured security groups
B. Brute force attack
C. DoS attack
D. Side-channel attack

Question 30

At a private aerospace research facility in Mesa, Arizona, an executive raises concerns after sensitive discussion points from speakerphone meetings begin surfacing externally. The device shows no indicators of active audio recording, and application permission history does not reflect recent camera or microphone authorization changes. A forensic mobile analysis identifies that an installed application has been continuously reading motion sensor output while the phone’s loudspeaker is active. The collected sensor data was later transmitted to a remote server, where acoustic characteristics were reconstructed from the recorded measurements. Identify the attack technique responsible for this compromise.

Options:

A. Spearphone Attack
B. Storm Breaker Abuse
C. Android Camera Hijack Attack
D. Camfecting

Question 31

Noah, a security analyst at a Seattle-based healthcare provider, is responding to a real-time data breach where attackers accessed patient records stored on a compromised server. During incident response, he must quickly secure sensitive files located on the system’s primary storage to prevent further exfiltration. The data resides in a mounted partition that needs full-volume encryption, but standard file encryption isn’t sufficient. Noah selects a solution that supports encrypted containers, strong key lengths like 256-bit AES, and can conceal secure volumes within standard ones to reduce detection. His goal is to ensure confidentiality while forensic operations continue without disrupting system functionality.

Which disk encryption tool should Noah deploy to meet these objectives?

Options:

A. BitLocker Drive Encryption
B. FileVault
C. Rohos Disk Encryption
D. VeraCrypt

Question 32

A large media-streaming company receives complaints that its web application is timing out or failing to load. Security analysts observe the web server is overwhelmed with a large number of open HTTP connections, transmitting data extremely slowly. These connections remain open indefinitely, exhausting server resources without consuming excessive bandwidth. The team suspects an application-layer DoS attack. Which attack is most likely responsible?

Options:

A. A UDP flooding attack targeting random ports.
B. An ICMP Echo Request flooding attack.
C. A Slowloris attack that keeps numerous HTTP connections open to exhaust server resources.
D. A fragmented packet attack with overlapping offset values.

Question 33

During a stealth penetration test at a defense research facility, ethical hacker Daniel installs a payload that survives even after multiple operating system reinstalls. The implant resides deep inside the system hardware and executes before the OS is loaded, ensuring that forensic scans and antivirus tools at the OS level cannot detect or remove it. Administrators notice unusual activity on network cards and storage devices, but repeated scans show no malware traces within the file system.

Which type of rootkit most likely enabled this level of persistence?

Options:

A. Boot-Loader-Level Rootkit
B. Hypervisor-Level Rootkit
C. Kernel-Level Rootkit
D. Hardware/Firmware Rootkit

Question 34

What does a NULL scan send?

Options:

A. No flags set
B. SYN packet
C. ACK packet
D. RST packet

Question 35

A regional healthcare provider in Portland, Oregon, recently migrated its patient scheduling portal to a new cloud platform. Within days, multiple patients reported that when searching online for the clinic’s appointment system, they were directed to a website that looked identical to the official portal.

The fraudulent page appeared prominently in search engine results and prompted users to log in using their patient credentials. The URL closely resembled the legitimate domain name, and no internal DNS servers had been altered within the organization’s infrastructure.

Security analysts later determined that the attacker had created a convincing replica of the portal and manipulated search visibility so that unsuspecting users would voluntarily navigate to the malicious site.

Which type of social engineering technique best explains this attack?

Options:

A. Whaling
B. Pharming
C. Spear Phishing
D. Spimming

Question 36

A multinational corporation recently survived a severe Distributed Denial-of-Service (DDoS) attack and has implemented enhanced security measures. During an audit, you discover that the organization uses both hardware- and cloud-based solutions to distribute incoming traffic in order to absorb and mitigate DDoS attacks while ensuring legitimate traffic remains available. What type of DDoS mitigation strategy is the company utilizing?

Options:

A. Black Hole Routing
B. Load Balancing
C. Rate Limiting
D. Sinkholing

Question 37

You are Liam Chen, an ethical hacker at CyberGuard Analytics, hired to test the social engineering defenses of Coastal Trends, a retail chain in Los Angeles, California. During a covert assessment, you craft a deceptive message sent to the employees’ company phones, claiming a critical account update is needed and directing them to a link that installs monitoring software. Several employees interact with the link, exposing a vulnerability to a specific mobile attack vector. Based on this approach, which mobile attack type are you simulating?

Options:

A. Bluebugging
B. SMS Phishing
C. Call Spoofing
D. OTP Hijacking

Question 38

A penetration tester is assessing a mobile application and discovers that the app is vulnerable to improper session management. The session tokens are not invalidated upon logout, allowing the tokens to be reused. What is the most effective way to exploit this vulnerability?

Options:

A. Perform a replay attack by using the same session token after the user logs out
B. Use a Cross-Site Request Forgery (CSRF) attack to steal the session tokens
C. Use a brute-force attack to guess valid session tokens
D. Execute a SQL injection attack to retrieve session tokens from the database

Question 39

A penetration tester is assessing a web application that employs secure, HTTP-only cookies, regenerates session IDs upon login, and uses strict session timeout policies. To hijack a user’s session without triggering the application’s security defenses, which advanced technique should the tester utilize?

Options:

A. Perform a session token prediction by analyzing session ID entropy and patterns
B. Conduct a network-level man-in-the-middle attack to intercept and reuse session tokens
C. Execute a Cross-Site Request Forgery (CSRF) attack to manipulate session states
D. Implement a session fixation strategy by pre-setting a session ID before user authentication

Question 40

As a Certified Ethical Hacker, you are assessing a corporation’s serverless cloud architecture. The organization experienced an attack where a user manipulated a function-as-a-service (FaaS) component to execute malicious commands. The root cause was traced to an insecure third-party API used within a serverless function. What is the most effective countermeasure to strengthen the security posture?

Options:

A. Regularly updating serverless functions to reduce vulnerabilities.
B. Using a Cloud Access Security Broker (CASB) to enforce third-party policies.
C. Deploying a Cloud-Native Security Platform (CNSP) for full cloud protection.
D. Implementing function-level permissions and enforcing the principle of least privilege.

Question 41

A penetration tester identifies malware that monitors the activities of a user and secretly collects personal information, such as login credentials and browsing habits. What type of malware is this?

Options:

A. Worm
B. Rootkit
C. Spyware
D. Ransomware

Question 42

In Dallas, Texas, ethical hacker Ethan Brooks is hired by Lone Star Credit Union to assess the security of their online banking portal, which processes customer transactions. During his penetration test, Ethan probes the web server hosting the portal, experimenting with crafted URL requests. He notices that by altering the URL parameters in a specific way, the server returns data from areas of the system that should be restricted, revealing configuration files not intended for public access. Suspecting this behavior indicates a vulnerability, Ethan documents the issue to help the security team strengthen their defenses against potential unauthorized access.

Which technique is Ethan most likely using to uncover the vulnerability in Lone Star Credit Union’s web server?

Options:

A. Password Cracking
B. Web Cache Poisoning
C. HTTP Response Splitting
D. Directory Traversal

Question 43

A competing technology firm begins releasing products that closely mirror the design, pricing strategy, and feature roadmap of ApexDynamics Inc. An internal review reveals that detailed information about ApexDynamics’ upcoming initiatives had been gradually collected through publicly available sources and external disclosures before product launch.

Which footprinting-related threat does this scenario best represent?

Options:

A. Social Engineering
B. Information Leakage
C. Business Loss
D. Corporate Espionage

Question 44

An energy infrastructure company in Tulsa, Oklahoma, initiated a controlled phishing simulation targeting multiple operational departments.

The test email claimed to originate from the corporate compliance office and instructed employees to “complete a mandatory regulatory update within the next 30 minutes to avoid account suspension.” The message used a broad salutation instead of employee names and lacked the standard corporate signature footer normally appended to official communications.

Additionally, security analysts observed that the embedded hyperlink displayed the organization’s domain in the message body; however, when examined more closely, the actual destination resolved to a shortened external URL redirecting to an unrelated host.

From a defensive analysis standpoint, which indicator provides the strongest technical validation that the message is malicious?

Options:

Question 45

A penetration tester detects malware on a system that secretly records all keystrokes entered by the user. What type of malware is this?

Options:

A. Rootkit
B. Ransomware
C. Keylogger
D. Worm

Question 46

You detect the presence of a kernel-level rootkit embedded deeply within an operating system. Given the critical nature of the infection, which remediation strategy should be followed to effectively remove the rootkit while minimizing long-term risk?

Options:

A. Use specialized rootkit detection tools followed by tailored removal procedures
B. Deploy high-interaction honeypots to observe attacker behavior
C. Perform a complete system format and reinstall the operating system from a trusted source
D. Immediately power down the system and disconnect it from the network

Question 47

During a penetration test at a manufacturing company in Detroit, Amanda, a senior security consultant, scans several legacy Linux servers. On one host, she discovers an open port used for file transfer that allows anonymous login. Once connected, she is able to view the directory structure and check available files, which helps her identify potential sensitive information exposure. She also notices background traffic on a UDP service related to NetBIOS name lookups, but she continues probing the file transfer service to confirm user access weaknesses.

Which ports and services should Amanda prioritize for this enumeration activity?

Options:

A. TCP 23 and UDP 137, 138
B. TCP 21 and UDP 137
C. TCP 25 and UDP 138
D. TCP 139 and UDP 137, 138

Question 48

At a federal research agency, cybersecurity officer Nikhil is drafting a vulnerability assessment report. In this section, he documents the scanning methodology used, the information about the targets, the type and scope of scans performed, and the tools involved. He does not yet include specific vulnerabilities or affected assets, as this portion of the report is meant to provide context for how the assessment was conducted.

Which section of the vulnerability assessment report is Nikhil working on?

Options:

A. Supporting Information
B. Risk Assessment
C. Assessment Overview
D. Findings

Question 49

Which tool targets the WPA WPS PIN?

Options:

A. Wireshark
B. Reaver
C. Aircrack
D. Kismet

Question 50

A known vulnerability exists on a production server, but patching is delayed due to operational constraints. What immediate action can reduce risk without disrupting operations?

Options:

A. Conduct a full penetration test
B. Shut down the server
C. Monitor traffic continuously
D. Implement Virtual Patching

Question 51

Tools that receive event logs from servers, network equipment, and applications, perform analysis and correlation on those logs, and can generate alarms for security-relevant issues are known as what?

Options:

A. Intrusion Prevention Server
B. Security Incident and Event Monitoring
C. Network Sniffer
D. Vulnerability Scanner

Question 52

On July 9, 2025, during a security penetration test at MedSecure Health in Phoenix, Arizona, the ethical hacking team evaluates the resilience of the company’s patient portal system. Ethical hacker Aisha Khan initiates a controlled test that generates sustained traffic pressure against the web application servers. As system responsiveness declines, the IT operations team reallocates backend resources, suspending lower-priority modules such as system alerts and notification services, allowing high-priority functions like prescription refills and patient check-ins to remain accessible. Aisha’s controlled simulation is designed to assess the IT team’s ability to maintain critical functionality under partial resource exhaustion.

Which DoS/DDoS countermeasure strategy is Aisha’s exercise primarily simulating?

Options:

Question 53

You are Michael, an ethical hacker at a New York–based e-commerce company performing a security review of their payment-signing service. While observing the signing process (without access to private keys), you note the service generates a fresh random value for each signature operation, the signature algorithm uses modular arithmetic in a subgroup defined by public domain parameters, and signatures are verified with a public verification key rather than by decrypting the message. Which asymmetric algorithm best matches the signing mechanism you observed?

Options:

A. DSA
B. RSA
C. Diffie-Hellman
D. ElGamal

Question 54

You perform a SYN (half-open) scan and receive a SYN/ACK packet in response. How should this result be interpreted?

Options:

A. The target IP is not reachable
B. The scanned port is open
C. The scanned port is filtered
D. The scanned port is closed

Question 55

During a red team exercise at Horizon Financial Services in Chicago, ethical hacker Clara crafts an email designed to trick the company’s CEO. The message, disguised as an urgent memo from the legal department, warns of a pending lawsuit and includes a link to a fake internal portal requesting the executive’s credentials. Unlike generic phishing, this attack is tailored specifically toward a high-ranking individual with decision-making authority.

Options:

A. Whaling
B. Spear Phishing
C. Clone Phishing
D. Consent Phishing

Question 56

A malware analyst is tasked with evaluating a suspicious PDF file suspected of launching attacks through embedded JavaScript. Initial scans using pdfid show the presence of /JavaScript and /OpenAction keywords. What should the analyst do next to understand the potential impact?

Options:

A. Upload the file to VirusTotal and rely on engine consensus
B. Disassemble the PDF using PE Explorer
C. Extract and analyze stream objects using PDFStreamDumper
D. Compute file hashes using HashMyFiles for signature matching

Question 57

In the crisp mountain air of Denver, Colorado, ethical hacker Lila Chen investigates the security framework of MediVault, a U.S.-based healthcare platform used by regional clinics to manage patient data. During her review, Lila discovers that sensitive records are weakly protected, allowing attackers to intercept and manipulate the information in transit. She warns that such weaknesses could be exploited to commit credit-card fraud, identity theft, or similar crimes. Further analysis reveals that MediVault is vulnerable to well-documented flaws such as cookie snooping and downgrade attacks.

Which issue is MOST clearly indicated?

Options:

A.

Broken Access Control

B.

Cryptographic Failures

C.

Security Misconfiguration

D.

Identification and Authentication Failures

Question 58

As a cybersecurity professional at XYZ Corporation, you are tasked with investigating anomalies in system logs that suggest potential unauthorized activity. System administrators have detected repeated failed login attempts on a critical server, followed by a sudden surge in outbound data traffic. These indicators suggest a possible compromise. Given the sensitive nature of the system and the sophistication of the threat, what should be your initial course of action?

Options:

A.

Conduct real-time monitoring of the server, analyze logs for abnormal patterns, and identify the nature of the activity to formulate immediate countermeasures.

B.

Conduct a comprehensive audit of all outbound traffic and analyze destination IP addresses to map the attacker’s network.

C.

Immediately reset all server credentials and instruct all users to change their passwords.

D.

Immediately disconnect the affected server from the network to prevent further data exfiltration.

Question 59

As an Ethical Hacker, you have been asked to test an application’s vulnerability to SQL injection. During testing, you discover an entry field that appears susceptible. However, the backend database is unknown, and regular SQL injection techniques have failed to produce useful information. Which advanced SQL injection technique should you apply next?

Options:

A.

Content-Based Blind SQL Injection

B.

Time-Based Blind SQL Injection

C.

Union-Based SQL Injection

D.

Error-Based SQL Injection

Question 60

Which of the following protocols is used when an attacker attempts to launch a man-in-the-middle attack by manipulating sequence and acknowledgment numbers?

Options:

A.

ICMP

B.

TCP

C.

UDP

D.

IP

Question 61

A financial services firm detects that outbound corporate emails containing sensitive underwriting data were intercepted while transmitted over unsecured channels. To immediately restore confidentiality and ensure authenticity of executive communications, the security operations team deploys a standardized email encryption framework compatible with the organization’s Microsoft Outlook environment.

The selected solution must support digital signatures for sender authentication, rely on a public-key infrastructure for secure key exchange, and enable recipients to validate signed messages using certificates issued by trusted authorities.

Identify the email encryption standard that best fulfills these requirements.

Options:

A.

FlowCrypt

B.

RMail

C.

S/MIME

D.

OpenPGP

Question 62

A global media streaming platform experiences traffic surges every 10 minutes, with spikes over 300 Gbps followed by quiet intervals. Which DDoS attack explains this behavior?

Options:

A.

UDP flood sustained attack

B.

Recursive HTTP GET flood

C.

Permanent DoS (PDoS)

D.

Pulse Wave attack

Question 63

During a security assessment for an e-commerce company in Boston, Massachusetts, your team conducts a reconnaissance phase to identify potential entry points into the organization's communication infrastructure. You focus on gathering details about the systems responsible for handling incoming email traffic, avoiding active network probing, and relying on passive DNS data collection. Given this objective, which DNS record type should you query to extract information about the target's mail server configuration?

Options:

A.

SOA

B.

TXT

C.

NS

D.

MX

Question 64

During a red team engagement, an ethical hacker discovers that a thermostat accepts older firmware versions without verifying their authenticity. By loading a deprecated version containing known vulnerabilities, the tester gains unauthorized access to the broader network. Which IoT security issue is most accurately demonstrated in this scenario?

Options:

A.

Lack of secure update mechanisms

B.

Denial-of-service through physical tampering

C.

Insecure network service exposure

D.

Use of insecure third-party components

Question 65

During a security assessment of a metropolitan public transportation terminal, a penetration tester examines a network-connected IoT surveillance camera system used for 24/7 video monitoring. The camera uses outdated SSLv2 encryption to transmit video data. The tester intercepts and decrypts video streams due to the weak encryption and absence of authentication mechanisms. What IoT vulnerability is most likely being exploited in this scenario?

Options:

A.

Insecure data transfer and storage

B.

Jamming attack on RF communication

C.

Credential theft via web application

D.

Replay attack on wireless signals

Question 66

A security analyst investigates unusual east-west traffic on a corporate network. A rogue device has been physically inserted between a workstation and the switch, enabling unauthorized access while inheriting the workstation’s authenticated network state. Which evasion technique is being used?

Options:

A.

Exploiting a wireless rogue access point to tunnel through the firewall

B.

NAC bypass using a pre-authenticated device for network bridging

C.

Spoofing ARP responses from a dynamic IP allocation pool

D.

VLAN double tagging to shift between network segments

Question 67

An attacker exploits a misconfigured S3 bucket containing application backups with database credentials. What cloud security failure category does this fall under?

Options:

A.

Misconfiguration

B.

Insider threat

C.

Zero-day vulnerability

D.

Malware infection

Question 68

A Linux system allows passwordless sudo for multiple commands. What security principle is violated?

Options:

A.

Zero trust

B.

Defense in depth

C.

CIA

D.

Least privilege

Question 69

A system’s audit logs are not centralized. Which attack phase is hardest to detect?

Options:

A.

Initial access

B.

Lateral movement

C.

Delivery

D.

Recon

Question 70

A red team operator wants to obtain credentials from a Windows machine without touching LSASS memory due to security controls and Credential Guard. They use SSPI to generate NetNTLM responses in the logged-in user context and collect those responses for offline cracking. Which attack technique is being used?

Options:

A.

Internal Monologue attack technique executed through OS authentication protocol manipulations

B.

Replay attack attempt by reusing captured authentication traffic sequences

C.

Hash injection approach using credential hashes for authentication purposes

D.

Pass-the-ticket attack method involving forged tickets for network access

Question 71

Targeted, logic-based credential guessing using prior intel best describes which technique?

Options:

A.

Strategic pattern-based input using known logic

B.

Exhaustive brute-force testing

C.

Shoulder surfing

D.

Rule-less hybrid attack

Question 72

You discover multiple NetBIOS responses during an nbtscan, but only one host returns a <1B> entry. What does this indicate?

Options:

A.

It is the local system

B.

It is a rogue DHCP server

C.

It is the domain master browser / Primary Domain Controller (PDC)

D.

NetBIOS over TCP/IP is disabled

Question 73

A national retail chain headquartered in Minneapolis, Minnesota operates a customer rewards portal supported by front-end delivery layers designed to improve performance during peak shopping periods. During an authorized security assessment, a tester submits a specially crafted request containing unusual header combinations and a modified query parameter while accessing a promotional page.

Shortly afterward, other legitimate users requesting the same promotional page through standard browsers begin receiving altered content that differs from what the application normally generates. When the tester accesses the underlying origin system directly, the response reflects the expected legitimate version. After some time and additional routine traffic, the unexpected content is no longer served.

Identify the attack technique that best explains this observed behavior.

Options:

A.

DNS Server Hijacking

B.

DNS Rebinding Attack

C.

Web Cache Poisoning Attack

D.

SQL Injection Vulnerability

Question 74

Which advanced evasion technique poses the greatest challenge to detect and mitigate?

Options:

A.

Covert channel communication using IP header fields

B.

Honeypot spoofing

C.

Polymorphic malware

D.

Packet fragmentation evasion

Question 75

What does TTL manipulation help evade?

Options:

A.

Encryption

B.

Firewall

C.

IDS

D.

Router

Question 76

A zero-day vulnerability is actively exploited in a critical web server, but no vendor patch is available. What should be the FIRST step to manage this risk?

Options:

A.

Shut down the server

B.

Apply a virtual patch using a WAF

C.

Perform regular backups and prepare IR plans

D.

Monitor for suspicious activity

Question 77

In Portland, Oregon, ethical hacker Olivia Harper is hired by Cascade Biotech to test the security of their research network. During her penetration test, she simulates an attack by sending malicious packets to a server hosting sensitive genetic data. To evade detection, she needs to understand the monitoring system deployed near the network’s perimeter firewall, which analyzes incoming and outgoing traffic for suspicious patterns across the entire subnet. Olivia’s goal is to bypass this system to highlight vulnerabilities for the security team.

Which security system is Olivia attempting to bypass during her penetration test of Cascade Biotech’s network?

Options:

A.

Network-Based Intrusion Detection System

B.

Host-Based Firewalls

C.

Network-Based Firewalls

D.

Host-Based Intrusion Detection System

Question 78

During a red team assessment of a mid-sized insurance provider in Denver, Colorado, testers established persistent access on an internal developer workstation after exploiting a misconfigured automation service. To sustain command-and-control without triggering perimeter defenses, they configured a low-bandwidth outbound channel designed to blend into infrastructure traffic that is routinely permitted through egress controls.

Security operations later identified periodic outbound communication from the compromised host to a single unfamiliar external endpoint not associated with approved vendors or user activity. The traffic was distributed over time rather than bursty. Although the exchanges resembled legitimate service requests, packet inspection revealed irregular payload sizing and structured encoding patterns inconsistent with typical client behavior across the environment.

What covert communication technique was most likely used to sustain the red team’s access?

Options:

A.

ICMP Tunneling

B.

TCP Sequence Tunneling

C.

HTTP/S Tunneling

D.

DNS Tunneling

Question 79

During an internal security assessment of a medium-sized enterprise network, a security analyst notices an unusual spike in ARP traffic. Closer inspection reveals that one particular MAC address is associated with multiple IP addresses across different subnets. The ARP packets were unsolicited replies rather than requests, and several employees from different departments have reported intermittent connection drops, failed logins, and broken intranet sessions. The analyst suspects an intentional interference on the local network segment. What is the most likely cause of this abnormal behavior?

Options:

A.

ARP poisoning causing routing inconsistencies

B.

DHCP snooping improperly configured

C.

Legitimate ARP table refresh on all clients

D.

Port security restricting all outbound MAC responses

Question 80

Which best describes the role of a penetration tester?

Options:

A.

Unauthorized malicious hacker

B.

Malware distributor

C.

Authorized security professional who exploits vulnerabilities

D.

Malicious code developer

Question 81

A Java app uses Random() for session tokens. What is the risk?

Options:

A.

Session fixation

B.

XSS

C.

Predictable tokens

D.

CSRF

Question 82

You have been asked to perform a penetration test for a local company. You have had several meetings with the client and are now almost ready to begin the assessment. Which of the following is the document that would contain verbiage which describes what type of testing is allowed and when you will perform testing and limits your liabilities as a penetration tester?

Options:

A.

Project scope

B.

Nondisclosure agreement

C.

Service-level agreement

D.

Rules of engagement

Question 83

At a fast-growing startup in Austin, Texas, an ethical hacker is asked to simulate how attackers might gather information to gain initial access. During the assessment, she poses as a recruiter on a professional networking site and convinces several employees to share details about the company’s internal software and VPN setup. Which type of threat best represents this adversary’s method of information gathering?

Options:

A.

System and Network Attacks

B.

Social Engineering

C.

Information Leakage

D.

Corporate Espionage

Question 84

Which scenario best describes a slow, stealthy scanning technique?

Options:

A.

FIN scanning

B.

TCP connect scanning

C.

Xmas scanning

D.

Zombie-based idle scanning

Question 85

During a red team simulation at a bank in Chicago, Illinois, the SOC team suspects that some of the incoming traffic may be spoofed. To verify this, an analyst begins monitoring the sequence values assigned to packets, looking for irregularities that indicate they were not generated by the legitimate source. Which spoofing detection technique is the analyst using?

Options:

Question 86

A large mobile telephony and data network operator has a data center that houses network elements. These are essentially large computers running on Linux. The perimeter of the data center is secured with firewalls and IPS systems. What is the best security policy concerning this setup?

Options:

A.

There is no need for specific security measures on the network elements as long as firewalls and IPS systems exist.

B.

The operator knows that attacks and downtime are inevitable and should have a backup site.

C.

Network elements must be hardened with user IDs and strong passwords. Regular security tests and audits should be performed.

D.

As long as the physical access to the network elements is restricted, there is no need for additional measures.

Question 87

A penetration tester is assessing a web application that uses dynamic SQL queries for searching users in the database. The tester suspects the search input field is vulnerable to SQL injection. What is the best approach to confirm this vulnerability?

Options:

A.

Input DROP TABLE users; -- into the search field to test if the database query can be altered

B.

Inject JavaScript into the search field to test for Cross-Site Scripting (XSS)

C.

Use a directory traversal attack to access server configuration files

D.

Perform a brute-force attack on the user login page to guess weak passwords

Question 88

In a security assessment conducted in New York, Sarah, an ethical hacker, is evaluating a corporate network to enhance its protection against potential threats. She aims to gather essential data about available access points to guide her analysis. Which scanning technique should Sarah apply to meet this objective while adhering to the organization's ethical guidelines?

Options:

A.

Vulnerability Scanning

B.

Port Scanning

C.

Topology Mapping

D.

Network Scanning

Question 89

During a penetration test at a financial services company in Denver, ethical hacker Jason demonstrates how employees could be tricked by a rogue DHCP server. To help the client prevent such attacks in the future, Jason shows the administrators how to configure their Cisco switches to reject DHCP responses from untrusted ports. He explains that this global setting must be activated before more granular controls can be applied.

Which switch command should Jason recommend to implement this defense?

Options:

A.

Switch(config)# ip dhcp snooping

B.

Switch(config)# ip arp inspection vlan 10

C.

Switch(config)# ip dhcp snooping vlan 10

D.

Switch(config-if)# ip dhcp snooping trust

Question 90

Which of the following is the primary objective of a rootkit?

Options:

A.

It provides an undocumented opening in a program

B.

It replaces legitimate programs

C.

It creates a buffer overflow

D.

It opens a port to provide an unauthorized service

Question 91

Which of the following best describes the role of a penetration tester?

Options:

A.

A security professional hired to identify and exploit vulnerabilities with permission

B.

A developer who writes malicious code for cyberattacks

C.

A hacker who gains unauthorized access to systems for malicious purposes

D.

A hacker who spreads malware to compromise systems

Question 92

A regional investment firm in Denver, Colorado, recently migrated to a fully switched Ethernet infrastructure. During an authorized security evaluation, a consultant connected a test device to an access-layer switch and initiated a scripted network interaction.

Within minutes, administrators observed irregular switching behavior. Frames that were normally delivered directly between specific workstations began appearing across multiple switch ports. Users reported brief connectivity instability, but no configuration changes were made to the switch. After the activity subsided, forwarding operations gradually stabilized.

Based on the observed behavior, which sniffing technique was most likely performed?

Options:

A.

Switch Port Stealing

B.

ARP Poisoning

C.

MAC Flooding

D.

DNS Poisoning

Question 93

In a tense red team exercise at a mid-sized university in Austin, Texas, an ethical hacker named Jake targeted a legacy Linux server in the engineering department. Late one afternoon, he discovered TCP port 2049 was open during his first sweep, suggesting hidden file-sharing capabilities. Intrigued, Jake used a standard utility to request a list of remote file systems shared across the network, aiming to map accessible resources. Meanwhile, he idly checked for Telnet access and probed a time-sync service out of routine, but both proved fruitless on this host.

Which enumeration method is actively demonstrated in this scenario?

Options:

A.

NFS Enumeration

B.

SNMP Enumeration

C.

NetBIOS Enumeration

D.

NTP Enumeration

Question 94

A penetration tester is testing a web application's product search feature, which takes user input and queries the database. The tester suspects inadequate input sanitization. What is the best approach to confirm the presence of SQL injection?

Options:

A.

Inject a script to test for Cross-Site Scripting (XSS)

B.

Input DROP TABLE products; -- to see if the table is deleted

C.

Enter 1' OR '1'='1 to check if all products are returned

D.

Use directory traversal syntax to access restricted files on the server

Question 95

A security consultant is conducting an authorized assessment for a healthcare billing provider in Phoenix, Arizona. While monitoring internal traffic, he observes an authenticated employee interacting with a sensitive web-based management portal over TCP.

During the session, the consultant carefully crafts and injects packets into the ongoing communication stream. Shortly afterward, the legitimate user experiences irregular responses from the application, and the server begins processing commands originating from the consultant’s injected traffic as though they were part of the established session.

The technique does not involve credential guessing or forcing the user to reauthenticate. Instead, it targets the communication channel already in progress.

From a network-level perspective, what type of session hijacking technique is being demonstrated?

Options:

A.

UDP Hijacking

B.

RST Hijacking

C.

Blind Hijacking

D.

TCP/IP Hijacking

Question 96

During an external assessment of a regional retail company's digital infrastructure, security analyst Joe is assigned to map internal services without active intrusion. While testing the behavior of a publicly exposed resolution system, he discovers that a secondary system responds unusually to structured queries. When he issues a specific request format, the server replies with a full list of internal mappings, including subdomains, mail hosts, and system aliases, without requiring credentials or triggering alerts.

Which technique was most likely used to obtain this information?

Options:

A.

LDAP Enumeration

B.

NTP Enumeration

C.

DNS Zone Transfer Enumeration

D.

NetBIOS Enumeration

Question 97

During a red team engagement for a client in the financial sector, ethical hacker Tyler Brooks conducts a phishing campaign using a crafted internal web page disguised as a company VPN login. After several users enter their credentials, Tyler confirms that the payload successfully recorded input without triggering antivirus or requiring local installation privileges. The captured keystrokes came exclusively from a web-based form embedded in the fake login page.

Based on the technique used, which type of keylogger did Tyler most likely deploy?

Options:

A.

Keylogger Keyboard

B.

Hypervisor-based Keylogger

C.

Application Keylogger

D.

JavaScript-based Keylogger

Question 98

You perform a network scan using ICMP Echo Requests and observe that certain IP addresses do not return Echo Replies, while other network services remain functional. How should this situation be interpreted?

Options:

A.

The scanned IPs are unused and available for expansion

B.

The lack of replies indicates a major breach

C.

A firewall or security control is blocking ICMP Echo Requests

D.

The non-responsive IPs indicate severe congestion

Question 99

A company hires a hacker to test its network security by simulating real-world attacks. The hacker has permission and operates within legal boundaries. What is this type of hacker called?

Options:

A.

Script Kiddie

B.

Black Hat Hacker

C.

Grey Hat Hacker

D.

White Hat Hacker

Question 100

A penetration tester suspects that the web application's "Order History" page is vulnerable to SQL injection because it displays user orders based on an unprotected user ID parameter in the URL. What is the most appropriate approach to test this?

Options:

A.

Inject JavaScript into the URL parameter to test for Cross-Site Scripting (XSS)

B.

Modify the URL parameter to userID=1 OR 1=1 and observe if all orders are displayed

C.

Perform a directory traversal attack to access sensitive system files

D.

Use a brute-force attack on the login form to identify valid user credentials

Question 101

During a red team engagement at a technology startup in Austin, ethical hacker Priya simulates an internal attacker by connecting a laptop to the corporate LAN. Within minutes, nearby workstations begin receiving incorrect network settings such as altered gateways and DNS servers. Employees trying to access the intranet are redirected to fake login portals hosted on Priya’s machine. Security tools record temporary IP conflicts, but no alerts are triggered against the altered traffic paths.

Which attack technique did Priya most likely use?

Options:

A.

DHCP Starvation Attack

B.

DNS Cache Poisoning

C.

Rogue DHCP Server Attack

D.

Packet Sniffing

Question 102

Which indicator most strongly confirms a MAC flooding attack?

Options:

A.

Multiple IPs to one MAC

B.

Multiple MACs to one IP

C.

Numerous MAC addresses on a single switch port

D.

Increased ARP requests

Question 103

During an investigation, an ethical hacker discovers that a web application’s API has been compromised, leading to unauthorized access and data manipulation. The attacker is using webhooks and a webshell. To prevent further exploitation, which of the following actions should be taken?

Options:

A.

Implement a Web Application Firewall (WAF) with rules to block webshell traffic and increase the logging verbosity of webhooks.

B.

Perform regular code reviews for the webhooks and modify the API to block connections from unknown IP addresses.

C.

Harden the web server security, add multi-factor authentication for API users, and restrict the execution of scripts server-side.

D.

Implement input validation on all API endpoints, review webhook payloads, and schedule regular scanning for webshells.

Question 104

A security analyst is investigating a network compromise where malware communicates externally using common protocols such as HTTP and DNS. The malware operates stealthily, modifies system components, and avoids writing payloads to disk. What is the most effective action to detect and disrupt this type of malware communication?

Options:

A.

Blocking commonly known malware ports such as 6667 and 12345.

B.

Relying solely on frequent antivirus signature updates.

C.

Using behavioral analytics to monitor abnormal outbound traffic and application behavior.

D.

Blocking all unencrypted HTTP traffic at the proxy level.

Question 105

During a security assessment, a consultant investigates how the application handles requests from authenticated users. They discover that once a user logs in, the application does not verify the origin of subsequent requests. To exploit this, the consultant creates a web page containing a malicious form that submits a funds transfer request to the application. A logged-in user, believing the page is part of a promotional campaign, fills out the form and submits it. The application processes the request successfully without any reauthentication or user confirmation, completing the transaction under the victim’s session. Which session hijacking technique is being used in this scenario?

Options:

A.

Hijacking a user session using a session fixation attack

B.

Hijacking a user session using a session replay attack

C.

Hijacking a user session using a cross-site request forgery attack

D.

Hijacking a user session using a cross-site script attack

Question 106

The company ABC recently contracted a new accountant. The accountant will be working with the financial statements. Those financial statements need to be approved by the CFO and then sent to the accountant, but the CFO is worried because he wants to be sure that the information sent to the accountant was not modified after he approved it. Which of the following options can be useful to ensure the integrity of the data?

Options:

A.

The document can be sent to the accountant using an exclusive USB for that document

B.

The CFO can use an excel file with a password

C.

The financial statements can be sent twice, one by email and the other delivered on USB, and the accountant can compare both to be sure it is the same document

D.

The CFO can use a hash algorithm on the document once he has approved the financial statements

Question 107

A penetration tester is investigating a web server that allows unrestricted file uploads without validating file types. Which technique should be used to exploit this vulnerability and potentially gain control of the server?

Options:

A.

Perform a SQL injection attack to extract sensitive database information

B.

Upload a shell script disguised as an image file to execute commands on the server

C.

Conduct a brute-force attack on the server's FTP service to gain access

D.

Use a Cross-Site Scripting (XSS) attack to steal user session cookies

Question 108

A multinational manufacturing company in San Jose, California has deployed a perimeter firewall to protect its internal production networks. During a red team exercise, testers observe that the device monitors active TCP communications and allows traffic to continue only when packets correspond to recognized, previously established connections.

The firewall evaluates multiple header attributes across ongoing communications while operating inline at the network boundary.

From a firewall architecture perspective, what type of firewall is most likely in use at this perimeter?

Options:

A.

Stateful Multilayer Inspection Firewall

B.

Circuit-Level Gateway Firewall

C.

Application-Level Firewall

D.

Packet Filtering Firewall

Question 109

A penetration tester identifies that a web application's login form is not using secure password hashing mechanisms, allowing attackers to steal passwords if the database is compromised. What is the best approach to exploit this vulnerability?

Options:

A.

Perform a dictionary attack using a list of commonly used passwords against the stolen hash values

B.

Input a SQL query to check for SQL injection vulnerabilities in the login form

C.

Conduct a brute-force attack on the login form to guess weak passwords

D.

Capture the login request using a proxy tool and attempt to decrypt the passwords

Question 110

You are an ethical hacker at CyberShield Analytics, hired by Coastal Education Services, a tutoring platform in Miami, Florida, to test the security of their student portal. While probing the portal's course enrollment page, you input a crafted value into the course ID field, appending a condition that checks if the first character of the database name is a specific value. The application does not display error messages or additional data, but the page takes significantly longer to load when the condition evaluates to true, indicating a deliberate delay.

Based on the observed behavior, which SQL injection technique are you employing?

Options:

A.

Boolean exploitation

B.

Time-based blind SQL injection

C.

UNION SQL injection

D.

Error-based SQL injection

Question 111

In the neon-lit sprawl of Las Vegas, Nevada, a luxury hotel’s smart room control system suffered a breach, allowing an intruder to manipulate guest room settings. The incident investigation revealed that the IoT devices lacked any mechanism to verify the integrity or authenticity of software prior to execution, allowing tampered instructions to run unchecked. As Emna Ruza, a cybersecurity consultant brought in to assess the breach, you recommend a solution that ensures only authorized, validated code is executed on the devices.

Which secure development practice are you advising the hotel to implement?

Options:

A.

Allow code signing

B.

Ensure secure boot

C.

Secure firmware or software updates

D.

Utilize secure communication protocols

Question 112

During a penetration test at Windy City Enterprises in Chicago, ethical hacker Mia Torres targets the company's public-facing site. By exploiting an unpatched vulnerability in the web server, she manages to alter visible content on the homepage, replacing it with unauthorized messages. Mia explains to the IT team that this kind of attack can damage the company's reputation and erode customer trust, even if sensitive data is not directly stolen.

Which type of web server attack is Mia most likely demonstrating?

Options:

A.

DNS Hijacking

B.

Frontjacking

C.

File Upload Exploits

D.

Website Defacement

Question 113

A telecommunications provider in Toronto operates a monitoring platform that analyzes inbound traffic streams during suspected denial-of-service conditions. The system converts traffic measurements into signal components and evaluates their energy across multiple frequency ranges to distinguish abnormal traffic bursts from background network noise.

Rather than focusing on traffic baselines or identifying the exact statistical breakpoint where behavior changes, the platform identifies anomalies by decomposing traffic signals into spectral components for analysis.

Which DDoS detection technique is being used in this scenario?

Options:

A.

Traffic Pattern Analysis

B.

Sequential Change-Point Detection

C.

Activity Profiling

D.

Wavelet-Based Signal Analysis

Question 114

A financial technology firm in Atlanta, Georgia launches an internal investigation after multiple employees report that a popular messaging application on their Android devices has begun displaying excessive advertisements and behaving unpredictably. Security analysts discover that users had installed a utility application from a third-party marketplace weeks earlier. Further examination shows that this application silently replaced certain legitimate apps already present on the device. The compromised applications were then used to generate large volumes of advertisements and collect user data for external transmission. Based on the observed behavior, what malware is most consistent with this incident?

Options:

A.

Mamont

B.

Pegasus

C.

Agent Smith

D.

GoldPickaxe

Question 115

During a security assessment in San Francisco, an ethical hacker is tasked with evaluating a network's resilience against stealthy reconnaissance attempts. The hacker needs to employ a scanning technique that leverages TCP flags to evade detection by intrusion detection systems, relying on the target's response behavior to infer port states without completing a full connection. Which approach best aligns with this strategy, ensuring minimal visibility during the assessment?

Options:

A.

TCP Connect Scan

B.

Network Scanning

C.

FIN Scan

D.

NULL Scan

Question 116

You are Ethan Brooks, an ethical hacker at Vanguard Security Solutions, hired to perform a wireless penetration test for Pacific Logistics, a shipping company in Seattle, Washington. Your task is to identify all Wi-Fi networks in range without alerting the network administrators. Using a laptop with a Wi-Fi card, you monitor radio channels to detect access points and their BSSIDs without sending any probe requests or injecting data packets.

Based on the described method, which Wi-Fi discovery technique are you employing?

Options:

A.

Network Discovery Software

B.

Passive Footprinting

C.

Wash Command

D.

Active Footprinting

Question 117

During a high-stakes engagement, a penetration tester abuses MS-EFSRPC to force a domain controller to authenticate to an attacker-controlled server. The tester captures the NTLM hash and relays it to AD CS to obtain a certificate granting domain admin privileges. Which network-level hijacking technique is illustrated?

Options:

A.

Hijacking sessions using a PetitPotam relay attack

B.

Exploiting vulnerabilities in TLS compression via a CRIME attack

C.

Stealing session tokens using browser-based exploits

D.

Employing a session donation method to transfer tokens

Question 118

During a penetration test at Pacific Trust Bank in Seattle, ethical hacker Mia Chen suspects that a server hosting customer transaction data may be a honeypot. To investigate, she repeatedly sends crafted queries and observes how quickly the system responds. She notices that responses are consistently faster and more uniform than those of other production servers, raising her suspicion that the environment is designed to lure attackers.

Which technique is Mia most likely using to determine if the server is a honeypot?

Options:

A.

Analyzing MAC Address

B.

Analyzing Response Time

C.

Fingerprinting the Running Service

D.

Analyzing System Configuration and Metadata

Question 119

At Bayview University in San Francisco, California, ethical hacker Sofia Patel is evaluating security controls on Android 11 tablets used by staff. To simulate an attack, she installs KingoRoot.apk directly on one of the devices. The application leverages system vulnerabilities to elevate privileges without requiring a computer connection. Based on the module, which feature of this rooting approach makes the attack effective?

Options:

A.

It uses a tethered jailbreak to restart the device with patched kernel functions

B.

It is an APK that can run directly on the device without a PC

C.

It relies on weak SSL validation to bypass application controls

D.

It exploits Bluetooth pairing flaws to gain device-level privileges

Question 120

Which of the following programs infects the system boot sector and the executable files at the same time?

Options:

A.

Stealth virus

B.

Polymorphic virus

C.

Macro virus

D.

Multipartite Virus

Question 121

Malware uses Background Intelligent Transfer Service (BITS) to evade detection. Why is BITS attractive to attackers?

Options:

A.

It uses IP fragmentation

B.

It encrypts DNS packets

C.

It looks like normal Windows Update traffic

D.

It works only through HTTP tunneling

Question 122

During a red team test, a web application dynamically builds SQL queries using a numeric URL parameter. The tester sends the following request:

http://vulnerableapp.local/view.php?id=1; DROP TABLE users;

The application throws errors and the users table is deleted. Which SQL injection technique was used?

Options:

A.

UNION-based SQL injection

B.

Stacked (Piggybacked) queries

C.

Boolean-based SQL injection

D.

Error-based SQL injection

Question 123

A financial technology firm in Atlanta, Georgia launches an internal investigation after multiple employees report that a popular messaging application on their Android devices has begun displaying excessive advertisements and behaving unpredictably.

Security analysts discover that users had installed a utility application from a third-party marketplace weeks earlier. Further examination shows that this application silently replaced certain legitimate apps already present on the device. The compromised applications were then used to generate large volumes of advertisements and collect user data for external transmission.

Based on the observed behavior, what malware is most consistent with this incident?

Options:

A.

GoldPickaxe

B.

Agent Smith

C.

Pegasus

D.

Mamont

Question 124

A digital publishing firm in Charlotte, North Carolina, noticed suspicious probing activity against its public website. To proactively assess exposure, the security team initiated a focused scan of the company’s HTTP servers.

The chosen tool examined server headers, identified installed web server software through file signatures and favicon analysis, checked for outdated components, and searched for potentially dangerous files and misconfigurations. The scan also supported SSL connections and generated exportable reports in multiple formats for documentation.

Which vulnerability assessment tool most closely aligns with the capabilities described?

Options:

A.

Nessus

B.

OpenVAS

C.

Qualys VM

D.

Nikto

Question 125

During a black-box security assessment of a large enterprise network, the penetration tester scans the internal environment and identifies that TCP port 389 is open on a domain controller. Upon further investigation, the tester runs the ldapsearch utility without providing any authentication credentials and successfully retrieves a list of usernames, email addresses, and departmental affiliations from the LDAP directory. The tester notes that this sensitive information was disclosed without triggering any access control mechanisms or requiring login credentials. Based on this behavior, what type of LDAP access mechanism is most likely being exploited?

Options:

A.

LDAP over SSL (LDAPS)

B.

Authenticated LDAP with Kerberos

C.

Anonymous LDAP binding

D.

LDAP via RADIUS relay

Question 126

During a red team exercise at Apex Logistics in Denver, ethical hacker Rachel launches controlled packet injection attacks to simulate session hijacking attempts. The client's IT team wants a way to automatically detect such abnormal behaviors across the network in real time, instead of relying on manual analysis. They decide to deploy a monitoring system capable of flagging suspicious session activity based on predefined rules and traffic signatures.

Which detection method best fits the IT team's requirement?

Options:

A.

Check for predictable session tokens

B.

Perform manual packet analysis using sniffing tools

C.

Monitor for ACK storms

D.

Use an Intrusion Detection System (IDS)

Question 127

A penetration tester discovers that a web application is using outdated SSL/TLS protocols (TLS 1.0) to secure communication. What is the most effective way to exploit this vulnerability?

Options:

A.

Conduct a Cross-Site Scripting (XSS) attack on the application

B.

Use a man-in-the-middle (MitM) attack to intercept and decrypt traffic

C.

Perform a brute-force attack on the SSL/TLS handshake

D.

Execute a SQL injection attack on the application's backend

Question 128

An organization uses SHA-256 for data integrity verification but still experiences unauthorized data modification. Which cryptographic tool would best resolve this issue?

Options:

A.

Asymmetric encryption

B.

Symmetric encryption

C.

SSL/TLS certificates

D.

Digital signatures

Question 129

Attackers exploit SMBv1 to spread malware across hosts. What attack behavior is this?

Options:

A.

Worm-like propagation

B.

Phishing

C.

Credential stuffing

D.

DoS

Question 130

After installing a backdoor on a web server, what action best ensures it remains undetected?

Options:

A.

Embed it in a frequently updated web file

B.

Increase the backdoor code size

C.

Install it on a non-web file referenced in a URL

D.

Place it in a file type excluded from resource maps

Question 131

A Java app uses outdated libraries with known CVEs. What risk does this create?

Options:

A.

CSRF

B.

DoS

C.

Supply chain risk

D.

XSS

Question 132

A cybersecurity team at a regional healthcare provider is conducting an internal red team exercise to assess their exposure to service enumeration attacks. Amanda, a senior penetration tester, is assigned to probe the internal network for services that may reveal usernames, group information, or system details without requiring prior authentication. She decides to target common services running on specific ports that are often misconfigured or loosely monitored. During her reconnaissance, Amanda identifies several open ports across various hosts and must now prioritize which ones to probe first for maximum information gain related to enumeration. Which of the following services should Amanda target as a priority to enumerate usernames and group information without authentication?

Options:

A.

TCP 139 and UDP 137, 138

B.

TCP 21 and UDP 137, 138

C.

TCP 23 and UDP 137, 138

D.

TCP 25 and UDP 133

Question 133

After a breach, investigators discover attackers used modified legitimate system utilities and a Windows service to persist undetected and harvest credentials. What key step would best protect against similar future attacks?

Options:

A.

Disable unused ports and restrict outbound firewall traffic

B.

Perform weekly backups and store them off-site

C.

Ensure antivirus and firewall software are up to date

D.

Monitor file hashes of critical executables for unauthorized changes

Question 134

A penetration tester is tasked with identifying vulnerabilities on a web server running outdated software. The server hosts several web applications and is protected by a basic firewall. Which technique should the tester use to exploit potential server vulnerabilities?

Options:

A.

Conduct a SQL injection attack on the web application's login form

B.

Perform a brute-force login attack on the admin panel

C.

Execute a buffer overflow attack targeting the web server software

D.

Use directory traversal to access sensitive configuration files

Question 135

During a covert red team engagement, a penetration tester is tasked with identifying live hosts in a target organization’s internal subnet (10.0.0.0/24) without triggering intrusion detection systems (IDS). To remain undetected, the tester opts to use the command nmap -sn -PE 10.0.0.0/24, which results in several "Host is up" responses, even though the organization’s IDS is tuned to detect high-volume scans. After the engagement, the client reviews the logs and is surprised that the scan was not flagged. What allowed the scan to complete without triggering alerts?

Options:

A.

It used TCP ACK packets that were allowed through.

B.

It used UDP packets that bypassed ICMP inspection.

C.

It scanned only the ports open in the firewall whitelist.

D.

It performed an ICMP Echo ping sweep without port probing.

Question 136

A penetration tester finds that a web application does not properly validate user input and is vulnerable to reflected Cross-Site Scripting (XSS). What is the most appropriate approach to exploit this vulnerability?

Options:

A.

Perform a brute-force attack on the user login form to steal credentials

B.

Embed a malicious script in a URL and trick a user into clicking the link

C.

Inject a SQL query into the search form to attempt SQL injection

D.

Use directory traversal to access sensitive files on the server

Question 137

A penetration tester is conducting an external assessment of a corporate web server. They start by accessing https://www.targetcorp.com/robots.txt and observe multiple Disallow entries that reference directories such as /admin-panel/, /backup/, and /confidentialdocs/. When the tester directly visits these paths via a browser, they find that access is not restricted by authentication and gain access to sensitive files, including server configuration and unprotected credentials. Which stage of the web server attack methodology is demonstrated in this scenario?

Options:

A.

Injecting malicious SQL queries to access sensitive database records

B.

Performing a cross-site request forgery (CSRF) attack to manipulate user actions

C.

Gathering information through exposed indexing instructions

D.

Leveraging the directory traversal flaw to access critical server files

Question 138

In Miami, Florida, a luxury resort deploys smart climate control units in guest rooms. During a red team engagement, ethical hacker Sophia Bennett discovers that once a compromised device is restarted, it continues running altered instructions without any integrity check before the operating system loads. This allows tampered firmware to run as if it were legitimate. Which secure development practice would most directly prevent this weakness?

Options:

A.

Allow code signing

B.

Secure firmware or software updates

C.

Utilize secure communication protocols

D.

Ensure secure boot

Question 139

During an external assessment of a healthcare insurance company in Houston, a penetration tester identifies a service running on TCP port 389. When queried, the service accepts anonymous binds and reveals directory data. By structuring his search filter, the tester is able to obtain usernames, departmental details, and organizational units. This information could potentially be used for targeted password attacks or privilege escalation.

Which classification best describes this enumeration activity?

Options:

A.

SMTP Enumeration

B.

DNS Enumeration

C.

LDAP Enumeration

D.

NTP Enumeration

Question 140

Granite Ridge Technologies in New Jersey is preparing to formalize its information security governance model. Executive leadership requires adoption of an internationally recognized framework that ensures confidentiality, integrity, and availability of information while enabling the organization to systematically identify, assess, and manage information security risks. The framework must also support compliance with regulatory and contractual obligations and demonstrate commitment to stakeholders.

Which standard best fulfills these requirements?

Options:

A.

ISO/IEC 27001:2022

B.

ISO/IEC 27005:2022

C.

ISO/IEC 27701:2019

D.

ISO/IEC 27002:2022

Question 141

As a cybersecurity analyst conducting passive reconnaissance, you aim to gather information without interacting directly with the target system. Which technique is least likely to assist in this process?

Options:

A.

Using a tool like Nmap to scan the organization’s public IP range

B.

Inspecting the WHOIS database for domain registration details

C.

Using search engines and public data sources

D.

Monitoring publicly available social media and professional profiles

Question 142

On the 10th of July this year, during a security penetration test at IntelliCore Systems in Raleigh, North Carolina, the ethical hacking team evaluates the stability of the company’s file-sharing server. Sofia crafts and transmits a sequence of oversized, malformed packets designed to test how the server handles unexpected input. Shortly after, the system begins crashing intermittently due to processing failures triggered by these anomalous network requests. The security team onsite is tasked with identifying the root cause behind the packet-induced instability and attributing it to a known DoS tactic.

Which of the following best explains the technique Sofia used to trigger the server crashes?

Options:

A.

ICMP Flood Attack

B.

Ping of Death (PoD)

C.

Smurf Attack

D.

ACK Flood Attack

Question 143

During testing against a network protected by a signature-based IDS, the tester notices that standard scans are blocked. To evade detection, the tester sends TCP headers split into multiple small IP fragments so the IDS cannot reassemble or interpret them, but the destination host can. What technique is being used?

Options:

A.

IP decoying with randomized address positions

B.

SYN scan with spoofed MAC address

C.

Packet crafting with randomized window size

D.

Packet fragmentation to bypass filtering logic

Question 144

During a simulated attack against a university ' s IT network in California, ethical hacker Sophia deploys custom malicious code onto one lab workstation. Without requiring further user interaction, she observes the malware automatically copying itself into shared folders and spreading through weak admin credentials. Within a short time, dozens of computers across multiple departments are infected with the same payload, even though only one machine was initially targeted.

Which type of malware is Sophia most likely demonstrating?

Options:

A.

Logic Bomb

B.

Worm

C.

Backdoor

D.

Fileless Malware

Question 145

During a physical penetration test at Sterling Electronics in Cleveland, ethical hacker Priya waits near the employee entrance during a shift change. When a group of staff enters the building using their access cards, Priya closely follows behind without swiping her own badge. None of the employees confront her, assuming she belongs there. Once inside, Priya proceeds to the break area where she documents the success of the exercise.

Which social engineering technique is Priya demonstrating?

Options:

A.

Shoulder Surfing

B.

Dumpster Diving

C.

Tailgating

D.

Piggybacking

Question 146

An AWS security operations team receives an alert regarding abnormal outbound traffic from an EC2 instance. The instance begins transmitting encrypted data packets to an external domain that resolves to a Dropbox account not associated with the organization. Further analysis reveals that a malicious executable silently modified the Dropbox sync configuration to use the attacker's access token, allowing automatic synchronization of internal files to the attacker’s cloud storage. What type of attack has likely occurred?

Options:

A.

Cloud Snooper attack leveraging port masquerading

B.

Man-in-the-Cloud (MITC) attack

C.

Side-channel attack exploiting CPU cache

D.

Cryptojacking using Coin Hive scripts

Question 147

Your company performs PCI-DSS audits and penetration testing for third-party clients. During an approved pen test you have discovered a folder on an employee's computer that appears to have hundreds of credit card numbers and other forms of personally identifiable information (PII). Which of the following is the best course of action?

Options:

A.

Make a copy of the data and store it on your local machine.

B.

Stop the pen test immediately and contact management.

C.

Continue the pen test and include this information in your report.

D.

Contact the employee and ask why they have the data.

Question 148

Which technique best exploits session management despite MFA, encrypted cookies, and WAFs?

Options:

A.

CSRF

B.

Side jacking

C.

Session fixation

D.

Insecure deserialization

Question 149

A biotech research firm in Boston, Massachusetts, migrates its laboratory management platform to the cloud. The vendor provides an environment where developers can deploy and test custom applications without managing the underlying servers, operating systems, or storage. The firm controls the application logic but not the runtime infrastructure.

Which cloud service model is the company using?

Options:

A.

Infrastructure as a Service (IaaS)

B.

Platform as a Service (PaaS)

C.

Software as a Service (SaaS)

D.

Anything as a Service (XaaS)

Question 150

Bob received this text message on his mobile phone: “Hello, this is Scott Smelby from the Yahoo Bank. Kindly contact me for a vital transaction on: scottsmelby@yahoo.com”. Which statement below is true?

Options:

A.

This is a scam because Bob does not know Scott.

B.

This is probably a legitimate message as it comes from a respectable organization.

C.

Bob should write to scottsmelby@yahoo.com to verify the identity of Scott.

D.

This is a scam as everybody can get a @yahoo address, not the Yahoo customer service employees.

Question 151

Multiple internal workstations and IoT devices are compromised and transmitting large volumes of traffic to numerous external targets under botnet control. Which type of denial-of-service attack best describes this situation?

Options:

A.

An attack where compromised internal devices participate in a botnet and flood external targets

B.

An attack relying on spoofed IP addresses to trick external servers

C.

A direct botnet flood without spoofing intermediary services

D.

An internal amplification attack using spoofed DNS responses

Question 152

A mid-sized insurance provider in Hartford, Connecticut authorizes a controlled red team engagement to evaluate its public-facing customer portal. Before progressing to active exploitation, the assessment team concentrates on understanding how the site is organized and how its content is interconnected.

Using automated tooling, they systematically retrieve publicly accessible pages along with associated resources such as scripts, media files, and referenced directories. The collected material allows the team to analyze navigation paths, hidden references, and structural relationships without repeatedly interacting with the live production system.

This preparatory effort is intended to build a detailed structural understanding of the application before later testing phases begin.

Within the web server attack methodology, which stage is most accurately demonstrated in this scenario?

Options:

A.

Website Mirroring

B.

Information Gathering

C.

Web Server Footprinting

D.

Vulnerability Scanning

Question 153

A penetration tester evaluates a company's secure web application, which uses HTTPS, secure cookie flags, and strict session management to prevent session hijacking. To bypass these protections and hijack a legitimate user's session without detection, which advanced technique should the tester employ?

Options:

A.

Utilize a session fixation attack by forcing a known session ID during login

B.

Perform a Cross-Site Scripting (XSS) attack to steal the session token

C.

Exploit a timing side-channel vulnerability to predict session tokens

D.

Implement a Man-in-the-Middle (MitM) attack by compromising a trusted certificate authority

Question 154

An attacker exploits medical imaging protocols to intercept patient data. Which sniffing technique is most challenging?

Options:

A.

MRI firmware interception

B.

Ultrasound malware

C.

Covert channel within administrative messages

D.

Embedding data inside CT scan images

Question 155

A cybersecurity analyst monitors competitors’ web content for changes indicating strategic shifts. Which missing component is most crucial for effective passive surveillance?

Options:

A.

Participating in competitors’ blogs and forums

B.

Setting up Google Alerts for competitor names and keywords

C.

Using a VPN to hide the analyst’s IP address

D.

Hiring a third party to hack competitor databases

Question 156

A network administrator reviews logs and observes that an attacker sends packets requesting the target system’s internal clock value. The response includes timing information that can be used to calculate round-trip delay and analyze host characteristics.

What host discovery technique is being used in this scenario?

Options:

A.

UDP Ping Scan

B.

ICMP Echo Ping Sweep

C.

IP Protocol Scan

D.

ICMP Timestamp Ping Scan

Question 157

In Denver, Colorado, ethical hacker Sophia Nguyen is hired by Rocky Mountain Insurance to assess the effectiveness of their network security controls. During her penetration test, she attempts to evade the company's firewall by fragmenting malicious packets to avoid detection. The IT team, aware of such techniques, has implemented a security measure to analyze packet contents beyond standard headers. Sophia's efforts are thwarted as the system identifies and blocks her fragmented packets.

Which security measure is the IT team most likely using to counter Sophia's firewall evasion attempt?

Options:

A.

Deep Packet Inspection

B.

Anomaly-Based Detection

C.

Signature-Based Detection

D.

Stateful Packet Inspection

Question 158

During a forensic investigation of an attack on a media company in New York, analysts discovered that a non-privileged process loaded a malicious library instead of the intended library because the attacker placed the rogue file in a directory Windows searched before the legitimate location. When the trusted application started, the attacker’s code executed with the application’s privileges. No registry changes or kernel exploits were involved. Which technique most likely enabled the privilege escalation?

Options:

A.

Privilege Escalation by Exploiting Vulnerabilities

B.

Privilege Escalation Using DLL Hijacking

C.

Access Token Manipulation

D.

Privilege Escalation by Bypassing User Account Control

Question 159

A vulnerability has a score of 9.8. What does this rating help explain?

Options:

A.

It quantifies impact and exploitability to prioritize remediation

B.

It measures authentication errors

C.

It generates exploit payloads

D.

It classifies attacks qualitatively

Question 160

During a cybersecurity awareness drill at Quantum Analytics in San Francisco, California, the ethical hacking team tests the company’s defenses against social media-based threats. Nadia creates a fake LinkedIn profile posing as a senior HR manager from Quantum Analytics, using a stolen company logo and publicly available employee details. Nadia sends connection requests to several employees, including data analyst Priya Sharma, inviting them to join a private group called Quantum Analytics Innovation Hub. The group’s page prompts members to share their work email and department role for exclusive project updates.

What social engineering threat to corporate networks is Nadia’s exercise primarily simulating?

Options:

A.

Loss of Productivity

B.

Involuntary Data Leakage

C.

Spam and Phishing

D.

Network Vulnerability Exploitation

Question 161

During a red team engagement against a multinational financial services organization, an ethical hacker conducts network reconnaissance against externally accessible systems. Instead of sending scan traffic directly from the originating assessment machine, the tester routes all reconnaissance packets through an intermediary external system before they reach the target network.

When the organization’s security team reviews monitoring data, the activity appears to originate from infrastructure unrelated to the tester’s actual geographic or organizational location.

From a reconnaissance methodology perspective, what is the primary objective of using this intermediary system?

Options:

A.

To Establish Persistent Access within the Target Network

B.

To Bypass Authentication Controls Protecting Internal Applications

C.

To Conceal the Origin of Reconnaissance Activity and Reduce Attribution Risk

D.

To Spoof Packet Source Addresses at the IP Layer

Question 162

A Linux system allows SSH login using deprecated ciphers. What risk exists?

Options:

A.

DoS

B.

XSS

C.

Downgrade attacks

D.

SQLi

Question 163

During a scheduled security review in a high-tech lab in Austin, Texas, penetration tester Lucas Bennett was assessing a state government’s new payroll system hosted in a private cloud. One humid afternoon, while fuzz testing the input validation logic of the TaxCalcEngine.dll module, he triggered a buffer overflow by submitting malformed taxpayer ID strings. The crash led to unintended disclosure of payroll data due to unchecked data boundaries. Lucas traced the issue to a coding oversight in a core processing module. Applying a structured analysis approach, which category best describes the vulnerability he discovered?

Options:

A.

Application Flaws

B.

Poor Patch Management

C.

Misconfigurations/Weak Configurations

D.

Design Flaws

Question 164

During a targeted intrusion against a cloud infrastructure company in Salt Lake City, Utah, an attacker distributes a modified installation package of a legitimate network diagnostic utility widely used by employees. Before distributing the package, the attacker binds a malicious remote-access payload with the original executable so that both components are installed together.

When users launch the diagnostic tool, it performs its normal troubleshooting functions, while the hidden payload simultaneously executes in the background and establishes communication with a remote command server.

From a malware deployment perspective, what technique best describes this approach?

Options:

A.

Wrapper

B.

Downloader

C.

Packer

D.

Dropper

Question 165

A regional law firm authorizes a wireless resilience evaluation after employees report intermittent connectivity disruptions in conference rooms. An ethical hacker assigned to the assessment analyses client behaviour while transmitting carefully crafted 802.11 management frames toward the organization's primary access point. Each transmission immediately causes several connected laptops to lose association with the network, requiring users to reconnect manually. Connectivity interruptions occur only when the crafted frames are sent. Identify the wireless attack illustrated by this activity.

Options:

A.

Eavesdropping Attack

B.

Jamming Attack

C.

Evil Twin Attack

D.

Deauthentication Attack

Question 166

A multinational healthcare provider headquartered in Boston, Massachusetts relies on federated authentication to allow employees to access multiple cloud-hosted applications using a single sign-on portal. During an authorized red team engagement, a security consultant gains access to the organization's identity infrastructure and extracts signing material used in trust relationships between the internal identity provider and external cloud services. Using this material, the consultant generates authentication responses that grant administrative-level access to several cloud applications without interacting with user credentials or triggering multifactor authentication challenges. The access appears legitimate within the cloud service logs. Which cloud attack technique best aligns with this behavior?

Options:

A.

Golden SAML Attack

B.

Man-in-the-Cloud (MITC) Attack

C.

Cloud Hopper Attack

D.

Living off the Cloud (LotC) Attack

Question 167

A penetration tester is tasked with uncovering historical content from a company’s website, including previously exposed login portals or sensitive internal pages. Direct interaction with the live site is prohibited due to strict monitoring policies. To stay undetected, the tester decides to explore previously indexed snapshots of the organization’s web content saved by external sources. Which approach would most effectively support this passive information-gathering objective?

Options:

A.

Search with intext:"login" site:target.com to retrieve login data

B.

Use the link: operator to find backlinks to login portals

C.

Apply the cache: operator to view Google's stored versions of target pages

D.

Use the intitle:login operator to list current login pages

Question 168

Which attack best demonstrates covert eavesdropping via smartphone sensors?

Options:

A.

Malicious APK exploitation

B.

Man-in-the-Disk attack

C.

Spearphone attack

D.

Tap ‘n Ghost attack

Question 169

A U.S.-based online securities trading firm in New York is reviewing its transaction authentication process. The security team confirms that each transaction is processed by first generating a hash of the transaction data. The hash value is then signed using the sender's private key. During verification, the recipient uses the corresponding public key to validate the signature before approving the transaction. The system documentation specifies that the same algorithm supports encryption, digital signatures, and key exchange mechanisms within the organization's secure communications infrastructure. Which encryption algorithm is being used in this implementation?

Options:

A.

ElGamal

B.

Diffie-Hellman

C.

DSA

D.

RSA

Question 170

A cybersecurity consultant suspects attackers are attempting to evade an Intrusion Detection System (IDS). Which technique is most likely being used?

Options:

A.

Deploying self-replicating malware

B.

Fragmenting malicious packets into smaller segments

C.

Flooding the IDS with ICMP packets

D.

Sending phishing emails

Question 171

During a compliance review at a law firm in Chicago, an ethical hacker tests the firm’s secure email gateway. She observes that sensitive legal documents are being transmitted in clear text over the Internet, allowing anyone intercepting the traffic to read the contents. The firm is concerned about unauthorized individuals being able to view these communications. Which principle of information security is being violated?

Options:

A.

Confidentiality

B.

Integrity

C.

Non-Repudiation

D.

Availability

Question 172

An attacker performs DNS cache snooping using the dig command with the +norecurse flag against a known DNS server. The server returns NOERROR but provides no answer to the query. What does this most likely suggest?

Options:

A.

The record was found in the DNS cache and successfully returned.

B.

The DNS server failed to resolve the request.

C.

No client from the DNS server’s network has recently accessed the queried domain.

D.

The queried domain has expired and no longer exists.

Question 173

A Certified Ethical Hacker (CEH) is auditing a company’s web server that employs virtual hosting. The server hosts multiple domains and uses a web proxy to maintain anonymity and prevent IP blocking. The CEH discovers that the server’s document directory (containing critical HTML files) is named “certrcx” and stored in /admin/web. The server root (containing configuration, error, executable, and log files) is also identified. The CEH also notes that the server uses a virtual document tree for additional storage. Which action would most likely increase the security of the web server?

Options:

A.

Moving the document root directory to a different disk

B.

Regularly updating and patching the server software

C.

Changing the server’s IP address regularly

D.

Implementing an open-source web server architecture such as LAMP

Question 174

As the cybersecurity lead for an international news agency, you are alerted by your threat intelligence team that confidential communications between journalists and whistleblowers have been posted to an online activist forum. Further forensic analysis reveals that no financial transactions were tampered with and no ransomware was deployed. However, the agency’s internal systems were accessed and selectively leaked emails were published alongside a manifesto accusing the organization of biased reporting. The attackers also posted on social media claiming responsibility and justifying their actions as a fight against misinformation.

Based on this behavior, what category of hacker are you most likely dealing with?

Options:

A.

Script Kiddies

B.

Hacktivists

C.

Black Hat hackers

D.

White Hat hackers

Question 175

Which of the following is a common framework applied by business management and other personnel to identify potential events that may affect the enterprise, manage the associated risks and opportunities, and provide reasonable assurance that objectives will be achieved?

Options:

A.

Risk management framework

B.

Qualitative risk assessment

C.

PCI-DSS

D.

NIST SP 800-37

Question 176

Your company was hired by a small healthcare provider to perform a technical assessment on the network. What is the best approach for discovering vulnerabilities on a Windows-based computer?

Options:

A.

Check MITRE.org for the latest list of CVE findings

B.

Use a scan tool like Nessus

C.

Create a disk image of a clean Windows installation

D.

Use the built-in Windows Update tool

Question 177

A cybersecurity team identifies suspicious outbound network traffic. Investigation reveals malware utilizing the Background Intelligent Transfer Service (BITS) to evade firewall detection. Why would attackers use this service to conceal malicious activities?

Options:

A.

Because BITS packets appear identical to normal Windows Update traffic.

B.

Because BITS operates exclusively through HTTP tunneling.

C.

Because BITS utilizes IP fragmentation to evade intrusion detection systems.

D.

Because BITS traffic uses encrypted DNS packets.

Question 178

In Austin, Texas, ethical hacker Liam Carter is hired by Lone Star Healthcare to probe the defenses of their patient data network. During his penetration test, Liam aims to bypass the hospital’s firewall protecting a medical records server. To do so, he uses a tool to craft custom network packets, carefully designing their headers to slip past the firewall’s filtering rules. His goal is to demonstrate how an attacker could infiltrate the system, exposing vulnerabilities for the security team to address.

Which tool is Liam using to bypass Lone Star Healthcare’s firewall during his penetration test?

Options:

A.

Metasploit

B.

Colasoft Packet Builder

C.

Nmap

D.

Traffic IQ Professional

Question 179

An attacker gained escalated privileges on a critical server. What should be done FIRST to contain the threat with minimal disruption?

Options:

A.

Engage a forensic team immediately

B.

Power down the server and isolate it

C.

Monitor, analyze, and then isolate the server

D.

Conduct a vulnerability scan on all servers

Question 180

A municipal services portal in Lexington, Kentucky includes a search parameter that retrieves citizen service requests. During an authorized security review, an analyst alters the parameter value by introducing single quotation marks, logical expressions such as AND 1=1, and variations like AND 1=2, observing how the application responds to each modification.

By comparing differences in the application’s output and behavior after each structured input change, the analyst evaluates whether the parameter affects the underlying query processing.

Which SQL injection detection method is being applied?

Options:

A.

Static Testing

B.

Dynamic Testing

C.

Function Testing

D.

Fuzz Testing

Question 181

During an internal red team engagement at a financial services firm, an ethical hacker named Anika tests persistence mechanisms after successfully gaining access to a junior employee’s workstation. As part of her assessment, she deploys a lightweight binary into a low-visibility system folder. To maintain long-term access, she configures it to launch automatically on every system reboot without requiring user interaction.

Which of the following techniques has most likely been used to ensure the persistence of the attacker’s payload?

Options:

A.

Installing a keylogger

B.

Creating scheduled tasks

C.

Modifying file attributes

D.

Injecting into the startup folder

Question 182

You are Ava Mitchell, an ethical hacker at Sentinel Cyberworks, hired to test the wireless defenses of Horizon Financial, a bank in Boston, Massachusetts. During a covert night-time assessment, your objective is to simulate an attacker attempting to breach the bank's WPA-protected Wi-Fi network. You deploy a tool that allows you to capture wireless packets, send de-authentication packets to force client reconnections, and attempt to recover the encryption key, all within a single graphical interface. Based on the described functionality, which Wi-Fi security auditing tool are you using?

Options:

A.

Fern WiFi Cracker

B.

RFProtect

C.

Cisco Adaptive Wireless IPS

D.

WatchGuard Wi-Fi Cloud WIPS

Question 183

An attacker examines differences in ciphertext outputs resulting from small changes in the input to deduce key patterns in a symmetric algorithm. What method is being employed?

Options:

A.

Differential cryptanalysis on input-output differences

B.

Timing attack to infer key bits based on processing time

C.

Brute-force attack to try every possible key

D.

Chosen-ciphertext attack to decrypt arbitrary ciphertexts

Question 184

During a red team assessment of an enterprise LAN environment, the tester discovers an access switch that connects multiple internal workstations. The switch has no port security measures in place. To silently intercept communication between different hosts without deploying ARP poisoning or modifying the routing table, the tester launches a MAC flooding attack using the macof utility from the dsniff suite. This command sends thousands of Ethernet frames per minute, each with random, spoofed source MAC addresses. Soon after the flooding begins, the tester puts their network interface into promiscuous mode and starts capturing packets. They observe unicast traffic between internal machines appearing in their packet sniffer—traffic that should have been isolated. What internal switch behavior is responsible for this sudden exposure of isolated traffic?

Options:

A.

The switch performed ARP spoofing to misroute packets.

B.

The switch entered hub-like behavior due to a full CAM table.

C.

The interface performed DHCP starvation to capture broadcasts.

D.

The switch disabled MAC filtering due to duplicate address conflicts.

Question 185

During a penetration test at Pinnacle Bank in Chicago, ethical hacker Sarah injects crafted TCP packets into an active communication between a customer's browser and the online banking server. The victim's connection becomes unstable, allowing Sarah's system to maintain communication with the server in place of the legitimate client. She later demonstrates to the IT team how attackers could forcibly take control of live sessions through this approach.

Which type of session hijacking is Sarah performing in this scenario?

Options:

A.

Passive Session Hijacking

B.

Blind Hijacking

C.

Man-in-the-Browser Attack

D.

Active Session Hijacking

Question 186

A web server experienced a DDoS attack that specifically targeted the application layer. Which type of DDoS attack was most likely used?

Options:

A.

HTTP flood attack

B.

ICMP flood attack

C.

UDP flood attack

D.

SYN flood attack

Question 187

A malware analyst finds JavaScript and /OpenAction keywords in a suspicious PDF using pdfid. What should be the next step to assess the potential impact?

Options:

A.

Upload the file to VirusTotal

B.

Extract and analyze stream objects using PDFStreamDumper

C.

Compute file hashes for signature matching

Question 188

While analyzing suspicious network activity, you observe a slow, stealthy scanning technique that is difficult to trace back to the attacker. Which scenario best describes the scanning technique being used?

Options:

A.

The attacker sends FIN packets to infer port states based on responses

B.

The attacker uses a “zombie” machine to perform scans, hiding their true identity

C.

The attacker performs full TCP connect scans on all ports

D.

The attacker sends packets with all TCP flags set

Question 189

A mid-sized manufacturing firm in Des Moines, Iowa reported that several employee workstations were periodically communicating with an unfamiliar external server over an IRC channel. The affected systems showed no visible interface for remote control, yet investigators confirmed that the machines were receiving instructions and executing distributed traffic bursts at scheduled intervals.

Further review revealed that the initial infection occurred after employees opened a phishing email attachment. Once executed, the infected systems silently connected outward and began awaiting commands from a centralized remote controller.

Determine the Trojan classification that best matches this behavior.

Options:

A.

E-banking Trojan

B.

Rootkit Trojan

C.

Botnet Trojan

D.

Backdoor Trojan

Question 190

During a penetration testing engagement at First Union Bank in Chicago, ethical hacker Rachel Morgan is assigned to assess the internal network for potential sniffing activity that could compromise sensitive customer data. While inspecting traffic in the loan processing department, Rachel observes that a workstation is receiving packets not addressed to it, raising suspicion of a sniffing tool operating in promiscuous mode. To validate her hypothesis, she prepares to conduct an active verification using a classic detection approach.

Which detection technique should Rachel use to confirm the presence of a sniffer in this case?

Options:

A.

Sniffer detection using an NSE script to check for promiscuous mode

B.

DNS method by monitoring reverse DNS lookup traffic

C.

ARP method by sending non-broadcast ARP requests

D.

Ping method by sending packets with an incorrect MAC address

Question 191

A web app fails to restrict API request frequency. What risk exists?

Options:

A.

Data scraping

B.

CSRF

C.

XSS

D.

SQLi

Question 192

A private equity firm in Minneapolis, Minnesota allows employees to access internal reporting tools from their personally owned smartphones under its BYOD program. During a routine security assessment, a consultant observes that when an employee leaves their unlocked phone unattended, a colleague can immediately open the firm’s financial application and review client investment records without any additional verification step inside the application.

The operating system itself requires a passcode to unlock the device, but once unlocked, corporate applications open directly to sensitive dashboards.

Identify the BYOD security guideline that would directly mitigate this exposure.

Options:

A.

Use Encryption Mechanism to Store Data

B.

Set a Strong Passcode on the Device and Change It Relatively Often

C.

Maintain a Clear Separation between Business and Personal Data

D.

Set Passwords for Apps to Restrict Others from Accessing Them

Question 193

A penetration tester evaluates an industrial control system (ICS) that manages critical infrastructure. The tester discovers that the system uses weak default passwords for remote access. What is the most effective method to exploit this vulnerability?

Options:

A.

Perform a brute-force attack to guess the system's default passwords

B.

Execute a Cross-Site Request Forgery (CSRF) attack to manipulate system settings

C.

Conduct a denial-of-service (DoS) attack to disrupt the system temporarily

D.

Use the default passwords to gain unauthorized access to the ICS and control system operations

Question 194

While performing a SYN (half-open) scan using Nmap, you send a SYN packet to a target IP address and receive a SYN/ACK response. How should this result be interpreted?

Options:

A.

The scanned port is open and ready to establish a connection

B.

The target IP is unreachable

C.

The port is filtered by a firewall

D.

The port is closed but acknowledged

Question 195

During enumeration, a tool sends requests to UDP port 161 and retrieves a large list of installed software due to a publicly known community string. What enabled this technique to work so effectively?

Options:

A.

Unencrypted FTP services storing software data

B.

The SNMP agent allowed anonymous bulk data queries due to default settings

C.

Remote access to encrypted Windows registry keys

D.

SNMP trap messages logged in plain text

Question 196

A multinational company plans to deploy an IoT-based environmental control system across global manufacturing units. The security team must identify the most likely attack vector an Advanced Persistent Threat (APT) group would use to compromise the system. What is the most plausible method?

Options:

A.

Launching a DDoS attack to overload IoT devices

B.

Compromising the system using stolen user credentials

C.

Exploiting zero-day vulnerabilities in IoT device firmware

D.

Performing an encryption-based Man-in-the-Middle attack

Question 197

During a penetration test at Sunshine Media's streaming platform in Miami, ethical hacker Sofia Alvarez examines whether the company's web server exposes sensitive resources through poor configuration. She finds that a crawler directive at the server's root allows unintended indexing of restricted areas. This oversight reveals internal paths that may expose hidden links, confidential files, or other sensitive information.

Which technique is Sofia most likely using in this assessment?

Options:

A.

Vulnerability Scanning

B.

Information Gathering from robots.txt File

C.

Web Server Footprinting/Banner Grabbing

D.

Directory Brute Forcing

Question 198

A cybersecurity company wants to prevent attackers from gaining information about its encrypted traffic patterns. Which of the following cryptographic algorithms should they utilize?

Options:

A.

HMAC

B.

RSA

C.

DES

D.

AES

Question 199

During a routine security audit, administrators found that cloud storage backups were illegally accessed and modified. What countermeasure would most directly mitigate such incidents in the future?

Options:

A.

Deploying biometric entry systems

B.

Implementing resource auto-scaling

C.

Regularly conducting SQL injection testing

D.

Adopting the 3-2-1 backup model

Question 200

What is the purpose of banner grabbing?

Options:

A.

Sniffing

B.

Cracking

C.

Identification

D.

Exploitation

Question 201

A municipal data center in Phoenix, Arizona, deploys a network intrusion detection system to monitor traffic entering its public records portal. During a scheduled red team exercise, authorized testers successfully exploit a vulnerable web service and gain restricted administrative access.

Post-exercise review reveals that the IDS generated a high-severity alert precisely at the time the exploit traffic reached the server. Log correlation confirms that the alert corresponded directly to the malicious activity performed during the test window.

How should this IDS outcome be classified?

Options:

A.

False Negative

B.

True Positive

C.

False Positive

D.

True Negative

Question 202

A university authorizes a wireless protocol resilience assessment on its WPA2-secured network. An ethical hacker positions a testing device within range of an access point and observes the key negotiation exchange between the client and the access point.

By selectively retransmitting a previously captured handshake message at a precise moment in the exchange, the tester causes the client device to reinstall an already negotiated encryption key. Subsequent traffic patterns reveal that certain protections expected from unique session parameters are no longer consistently enforced.

What kind of wireless attack technique is being illustrated in this scenario?

Options:

A.

Key Reinstallation Attack (KRACK)

B.

Replay Attack

C.

Man-in-the-Middle Attack

D.

WPA2 PSK Offline Cracking

Question 203

Michael, an ethical hacker at a New York-based e-commerce company, is evaluating the security of their online payment system after a recent incident where fraudulent transactions went undetected. His investigation reveals that the system uses an asymmetric encryption algorithm to ensure the authenticity of payment confirmations. He finds that the algorithm employs a public-key cryptosystem, where the sender signs the transaction with a private key, and the recipient verifies it using a corresponding public key located in a directory. During his test, Michael intercepts a signed message and notices that the algorithm supports modular exponentiation for generating digital signatures, a process critical for verifying the identity of the signatory. He aims to assess if the algorithm’s configuration could be vulnerable to a man-in-the-middle attack due to its key structure.

Which asymmetric encryption algorithm should Michael identify as the one used by the payment system?

Options:

A.

Diffie-Hellman

B.

RSA

C.

ElGamal

D.

DSA

Question 204

A penetration tester evaluates a secure web application using HTTPS, secure cookies, and multi-factor authentication. To hijack a legitimate user’s session without triggering alerts, which technique should be used?

Options:

A.

Exploit a browser zero-day vulnerability to inject malicious scripts

B.

Implement a man-in-the-middle attack by compromising a trusted network device

C.

Perform a Cross-Site Request Forgery (CSRF) attack to manipulate session tokens

D.

Utilize a session token replay attack by capturing encrypted tokens

Question 205

A penetration tester needs to map open ports on a target network without triggering the organization’s intrusion detection systems (IDS), which are configured to detect standard scanning patterns and abnormal traffic volumes. To achieve this, the tester decides to use a method that leverages a third-party host to obscure the origin of the scan. Which scanning technique should be employed to accomplish this stealthily?

Options:

A.

Conduct a TCP FIN scan with randomized port sequences

B.

Perform a TCP SYN scan using slow-timing options

C.

Execute a UDP scan with packet fragmentation

D.

Use an Idle scan by exploiting a "zombie" host

Question 206

What is CVSS used for?

Options:

A.

Auditing

B.

Encryption

C.

Severity scoring

D.

Exploitation

Question 207

An ethical hacker needs to gather detailed information about a company's internal network without initiating any direct interaction that could be logged or raise suspicion. Which approach should be used to obtain this information covertly?

Options:

A.

Analyze the company's SSL certificates for internal details

B.

Examine email headers from past communications with the company

C.

Inspect public WHOIS records for hidden network data

D.

Utilize network scanning tools to map the company's IP range

Question 208

A Windows system shows LSASS memory access by unknown processes. What attack is likely?

Options:

A.

SQLi

B.

XSS

C.

Credential dumping

D.

DoS

Question 209

During a penetration test at a healthcare facility in Baltimore, Maryland, an ethical hacker demonstrates how attackers are mapping active hosts and open ports using ICMP-based techniques. To reduce the organization’s exposure, the security team decides to implement a countermeasure that specifically disrupts ICMP discovery traffic by preventing error messages from being returned. Which action should they take?

Options:

A.

Use a custom rule set to lock down the network, block unwanted ports at the firewall, and filter specific ports

B.

Configure firewall and IDS rules to detect and block probes

C.

Block unwanted services running on the ports and update the service versions

D.

Block inbound ICMP message types and all outbound ICMP type 3 (Destination Unreachable) messages

Question 210

In Miami, Florida, cybersecurity analyst Laura Bennett is responding to a series of unauthorized access attempts targeting Sunshine Credit Union’s online banking platform. She observes unusual network activity that suggests attackers may be intercepting session IDs transmitted over unsecured connections to hijack active user sessions. To prevent further compromise, Laura works with the network team to apply a control that secures session-related communications throughout the entire portal, ensuring sensitive tokens are no longer exposed to interception during user interactions.

What countermeasure should Laura implement to prevent session hijacking in this scenario?

Options:

A.

Regenerate the session ID after a successful login

B.

Implement SSL to encrypt all information in transit via the network

C.

Use restrictive cache directives such as Cache-Control no-cache

D.

Do not create sessions for unauthenticated users

Question 211

Which scenario best describes a tailgating attack?

Options:

A.

Following an employee through a secured door

B.

Phishing email requesting credentials

C.

Phone-based impersonation

D.

Leaving a malicious USB device

Question 212

During a red team engagement at a biotechnology firm in San Diego, California, the security team observed that a compromised internal workstation was generating an unusually high number of outbound name resolution requests to external servers.

Upon deeper inspection, analysts discovered that the query strings contained encoded data segments rather than typical lookup patterns. Further analysis revealed that these outbound requests were being used to transfer sensitive information to an attacker-controlled system outside the corporate network.

Which technique was most likely used to covertly transfer the data in this scenario?

Options:

A.

TCP Parameter Manipulation

B.

Reverse ICMP Tunnel

C.

DNS Tunneling

D.

Reverse HTTP Shell

Question 213

A penetration tester suspects that a web application's login form is vulnerable to SQL injection due to improper sanitization of user input. What is the most appropriate approach to test for SQL injection in the login form?

Options:

A.

Inject JavaScript into the input fields to test for Cross-Site Scripting (XSS)

B.

Enter ' OR '1'='1 in the username and password fields to bypass authentication

C.

Perform a directory traversal attack to access sensitive files

D.

Use a brute-force attack on the login page to guess valid credentials

Question 214

A penetration tester is assessing an IoT thermostat used in a smart home system. The device communicates with a cloud server for updates and commands. The tester discovers that communication between the device and the cloud server is not encrypted. What is the most effective way to exploit this vulnerability?

Options:

A.

Conduct a Cross-Site Scripting (XSS) attack on the thermostat’s web interface

B.

Perform a brute-force attack on the thermostat’s local admin login

C.

Execute a SQL injection attack on the cloud server's login page

D.

Use a man-in-the-middle (MitM) attack to intercept and manipulate unencrypted communication

Question 215

A cybersecurity team at a cloud infrastructure provider in San Jose, California, initiated a structured vulnerability evaluation across its production environment. The scanning process began by identifying communication protocols active on each host. Once the protocols were cataloged, the platform analyzed which services were associated with those ports and dynamically selected only the vulnerability tests relevant to those detected services. The scanning logic adjusted automatically based on discoveries made during execution. Which vulnerability assessment approach is illustrated in this scenario?

Options:

A.

Inference-Based Assessment

B.

Service-Based Solutions

C.

Product-Based Solutions

D.

Tree-Based Assessment

Question 216

A penetration tester observes that traceroutes to various internal devices always show 10.10.10.1 as the second-to-last hop, regardless of the destination subnet. What does this pattern most likely indicate?

Options:

A.

DNS poisoning at the local resolver used by the compromised host

B.

Loopback misconfiguration at the destination endpoints

C.

A core router facilitating communication across multiple internal subnets

D.

Presence of a transparent proxy device acting as a forwarder

Question 217

During a security evaluation of a smart agriculture setup, an analyst investigates a cloud-managed irrigation controller. The device is found to transmit operational commands and receive firmware updates over unencrypted HTTP. Additionally, it lacks mechanisms to verify the integrity or authenticity of those updates. This vulnerability could allow an adversary to intercept communications or inject malicious firmware, leading to unauthorized control over the device's behavior or denial of essential functionality. Which IoT threat category does this situation best illustrate?

Options:

A.

Insecure default settings

B.

Insecure ecosystem interfaces

C.

Insufficient privacy protection

D.

Insecure network services

Question 218

As part of an authorized security assessment at a maritime logistics firm in Charleston, South Carolina, an ethical hacker evaluated the organization’s resilience to coordinated endpoint compromise.

Employees received a carefully crafted email attachment disguised as a routine operational update. After execution on several systems, monitoring tools later revealed that the infected machines periodically contacted an external host controlled by the tester.

Over time, the compromised systems began receiving commands from a centralized control server and simultaneously generated coordinated network traffic toward designated targets when instructed, without any direct user interaction.

From a malware classification standpoint, what component is being simulated in this scenario?

Options:

A.

Spyware

B.

Scareware

C.

Potentially Unwanted Applications (PUAs)

D.

Botnet Agents

Question 219

A regional e-commerce company in Dallas, Texas operates an Apache-based web server to manage product catalogs and promotional campaigns. During an authorized assessment, a security consultant analyzes how the platform processes a referral parameter embedded in product-sharing links. While reviewing responses through an intercepting proxy, he observes that values supplied in the referral parameter are incorporated into metadata returned to the browser. By introducing carefully crafted delimiter characters into the parameter, he notices that the structure of the server’s outbound response changes in an unexpected manner. Further testing shows that the manipulated input causes the server to generate multiple logically distinct response segments within what should have been a single transaction. When the crafted link is accessed through a standard browser, the client interprets the injected portion as a separate directive, resulting in redirection behavior influenced by the attacker-controlled input. Identify the web server attack technique being demonstrated in this scenario.

Options:

A.

Web Cache Poisoning Attack

B.

Directory Traversal Attack

C.

HTTP Response-Splitting Attack

D.

Frontjacking Attack

Question 220

During an ethical hacking exercise, a security analyst is testing a web application that manages confidential information and suspects it may be vulnerable to SQL injection. Which payload would most likely reveal whether the application is vulnerable to time-based blind SQL injection?

Options:

A.

UNION SELECT NULL, NULL, NULL--

B.

' OR '1'='1' --

C.

' OR IF(1=1,SLEEP(5),0)--

D.

AND UNION ALL SELECT 'admin', 'admin' --

Question 221

A financial startup in Chicago hires an ethical hacker to evaluate its exposure on hidden networks. The client is particularly concerned that confidential administrative documents might be circulating on .onion sites. To remain passive, the hacker relies on advanced search filters to look for files with headers suggesting management-related content. Which of the following queries would best meet this objective?

Options:

A.

filetype:docx " credentials "

B.

filetype:pdf intitle: " secure login " site:onion

C.

filetype:pdf intitle: " admin access " site:onion

D.

filetype:docx intitle: " user accounts " site:onion

Question 222

A penetration tester extracts NTLM hashes and, instead of cracking them, reuses them directly to authenticate. What attack is this?

Options:

A.

Kerberoasting

B.

Pass-the-hash

C.

Brute force

D.

Replay attack

Question 223

A financial institution's online banking platform is experiencing intermittent downtime caused by a sophisticated DDoS attack that combines SYN floods and HTTP GET floods from a distributed botnet. Standard firewalls and load balancers cannot mitigate the attack without affecting legitimate users. To protect their infrastructure and maintain service availability, which advanced mitigation strategy should the institution implement?

Options:

A.

Configure firewalls to block all incoming SYN and HTTP requests from external IPs

B.

Increase server bandwidth and apply basic rate limiting on incoming traffic

C.

Deploy an Intrusion Prevention System (IPS) with deep packet inspection capabilities

D.

Utilize a cloud-based DDoS protection service that offers multi-layer traffic scrubbing and auto-scaling

Question 224

During a red team assessment of a multinational financial firm, you're tasked with identifying key personnel across various departments and correlating their digital footprints to evaluate exposure risk. Your objective includes mapping user aliases across platforms, identifying geotagged media, and pinpointing potential insider threats based on social posting behavior. The team has shortlisted multiple tools for the task.

Considering the technical capabilities and limitations described in the approved reconnaissance toolkit, which tool provides cross-platform username correlation by scanning hundreds of social networking sites, but does not natively support geolocation tracking or visualizing identity relationships?

Options:

A.

Creepy

B.

Social Searcher

C.

Maltego

D.

Sherlock

Question 225

Attackers abused Android Debug Bridge (ADB) to issue unauthorized commands. What is the strongest countermeasure?

Options:

A.

Enforce VPN usage

B.

Adopt biometric authentication

C.

Disable ADB except in strictly controlled environments

D.

Frequently update MDM systems

Question 226

A regional insurance claims platform in Sacramento, California is protected by a web application firewall that evaluates inbound requests for suspicious query structures. During an authorized assessment, a tester observes that conventional injection attempts are consistently rejected.

The tester then adjusts the format and composition of the request while preserving its intended database behavior. After this modification, the request passes through the filtering mechanism and is processed by the backend system without disruption.

Which firewall evasion technique is being demonstrated?

Options:

A.

Splitting Payload Components Using HTTP Parameter Fragmentation (HPF)

B.

Transforming Query Structure to Evade Pattern-Based Inspection

C.

Combining Multiple Evasion Methods through an Integration Approach

D.

Using HTTP Parameter Pollution (HPP) to Override Query Parameters

Question 227

During a black-box internal penetration test, a security analyst identifies an SNMPv2-enabled Linux server using the default community string “public.” The analyst wants to enumerate running processes. Which Nmap command retrieves this information?

Options:

A.

nmap -sU -p 161 --script snmp-sysdescr

B.

nmap -sU -p 161 --script snmp-win32-services

C.

nmap -sU -p 161 --script snmp-processes

D.

nmap -sU -p 161 --script snmp-interfaces

Question 228

During an internal audit at a financial services firm in Mumbai, ethical hacker Meera was tasked with assessing lateral movement risks within the Windows-based domain environment. While monitoring internal network traffic, she noticed a strange broadcast from a workstation trying to resolve a non-existent host. Suspecting protocol-level weakness, she responded swiftly using a pre-configured system. A few minutes later, she captured NTLMv2 hashes from several authenticated sessions across multiple departments. Later, her team successfully cracked one of the hashes offline and used the credentials to gain access to a sensitive internal reporting server. Which type of attack did Meera most likely execute?

Options:

A.

Internal Monologue Attack

B.

LLMNR/NBT-NS Poisoning

C.

Kerberoasting

D.

Pass-the-Ticket Attack

Question 229

At Liberty Mutual's cybersecurity operations center in Boston, network engineer Marcus is troubleshooting a critical issue during peak transaction hours. Multiple VLANs are experiencing intermittent access delays, and several endpoints, including those on isolated VLANs, are receiving network traffic not intended for them, raising concerns about data exposure. Marcus notices that the issue began after a newly imaged workstation used by an intern named Lisa was connected to a trunk port in the server room. Switch logs indicate abnormal traffic patterns overwhelming the network.

Which sniffing technique is Lisa's workstation most likely using to cause this behavior?

Options:

A.

DNS Cache Poisoning

B.

ARP Poisoning

C.

MAC Flooding

D.

Switch Port Stealing

Question 230

Infected systems receive external instructions over HTTP and DNS, with fileless payloads modifying system components. What is the most effective action to detect and disrupt this malware?

Options:

A.

Update antivirus signatures regularly

B.

Allow only encrypted traffic via proxies

C.

Block common malware ports

D.

Use behavioral analytics to monitor abnormal outbound behavior

Question 231

Scenario:

    Victim opens the attacker's website.

    Attacker sets up a website containing interesting and attractive content such as “Do you want to make $1000 in a day?”.

    Victim clicks the attractive content URL.

    The attacker creates a transparent iframe in front of the URL that the victim attempts to click. The victim believes he/she is clicking the “Do you want to make $1000 in a day?” link, but is actually clicking content or a URL hidden inside the transparent iframe controlled by the attacker.

What is the name of the attack mentioned in the scenario?

Options:

A.

HTTP Parameter Pollution

B.

Clickjacking Attack

C.

HTML Injection

D.

Session Fixation

Question 232

A penetration tester is attempting to gain access to a wireless network that is secured with WPA2 encryption. The tester successfully captures the WPA2 handshake but now needs to crack the pre-shared key. What is the most effective method to proceed?

Options:

A.

Perform a brute-force attack using common passwords against the captured handshake

B.

Use a dictionary attack against the captured WPA2 handshake to crack the key

C.

Execute a SQL injection attack on the router's login page

D.

Conduct a de-authentication attack to disconnect all clients from the network

Question 233

A penetration tester is assessing the security of a corporate wireless network that uses WPA2-Enterprise encryption with RADIUS authentication. The tester wants to perform a man-in-the-middle attack by tricking wireless clients into connecting to a rogue access point. What is the most effective method to achieve this?

Options:

A.

Set up a fake access point with the same SSID and use a de-authentication attack

B.

Use a brute-force attack to crack the WPA2 encryption directly

C.

Perform a dictionary attack on the RADIUS server to retrieve credentials

D.

Execute a Cross-Site Scripting (XSS) attack on the wireless controller's login page

Question 234

During a red team engagement at a healthcare organization in Chicago, ethical hacker Devon intercepts Kerberos authentication material from a compromised workstation. Instead of cracking the data, he reuses the stolen tickets to authenticate directly to other systems within the domain. This allows him to access shared resources and servers without needing the users' plaintext credentials. No NTLM hashes or broadcast poisoning were involved.

Which attack technique did Devon most likely perform?

Options:

A.

LLMNR/NBT-NS Poisoning

B.

Pass-the-Ticket Attack

C.

Kerberoasting

D.

Pass-the-Hash

Question 235

A compromised endpoint communicates with C2 using DNS queries. What system-level indicator exists?

Options:

A.

DNS anomalies

B.

Memory leaks

C.

CPU spikes

D.

Disk usage

Question 236

A tester evaluates a login form that constructs SQL queries using unsanitized user input. By submitting ' C ' ll-T; —, the tester gains unauthorized access to the application. What type of SQL injection has occurred?

Options:

A.

Tautology-based SQL injection

B.

Error-based SQL injection

C.

Union-based SQL injection

D.

Time-based blind SQL injection

Question 237

At RedCore Motors, the IT security lead, Priya, is tasked with selecting a vulnerability management solution for their expanding hybrid infrastructure. During the evaluation, she prioritizes tools that support agent-based detection across endpoints, offer constant monitoring and alerting capabilities, and provide comprehensive visibility into both on-premises and cloud-based systems. After thorough testing, she selects a platform that promises to scan for vulnerabilities everywhere accurately and efficiently, aligning with her organization’s need for centralized visibility and real-time risk assessment.

Which vulnerability assessment tool did Priya MOST LIKELY select?

Options:

A.

Nessus

B.

Nikto

C.

Qualys VM

D.

OpenVAS

Question 238

During an authorized security assessment of a smart thermostat manufacturer in Denver, Colorado, a certified ethical hacker receives a firmware image extracted from a production device for further evaluation.

The tester begins by examining the binary file to determine its format and architecture. Basic inspection commands are executed against the image to review embedded human-readable content and observe low-level binary structure before proceeding with deeper analysis.

Within the firmware analysis workflow, which stage is the tester performing?

Options:

A.

Extract the Filesystem

B.

Obtain Firmware

C.

Analyze Firmware

D.

Emulate Firmware

Question 239

During a network security audit at Jefferson National Bank in Richmond, Virginia, ethical hacker Thomas Reed is tasked with identifying vulnerabilities in employee login processes on VLAN 20, which connects client services workstations to the customer account database server. He sets up a Wireshark instance on a monitoring workstation configured in mirror mode behind a managed switch to capture traffic. His goal is to detect unencrypted authentication credentials transmitted over HTTP during login sessions. Which Wireshark feature should Thomas use to isolate and analyze these credentials in real time, and how does it assist him?

Options:

A.

Use the " Filtering by IP Address " to set a filter for HTTP traffic before capturing

B.

Use the " Monitoring the Specific Ports " to generate a traffic summary and identify HTTP packets

C.

Use the " Follow TCP Stream " to reconstruct and read HTTP session data

D.

Use the " Display Filtering by Protocol " to isolate HTTP traffic and view packet details
