ECCouncil 312-50v13 Certified Ethical Hacker Exam (CEHv13) Exam Practice Test
Certified Ethical Hacker Exam (CEHv13) Questions and Answers
An organization authorizes a wireless penetration test to evaluate the resilience of its WPA2-protected network. The assigned ethical hacker prepares the wireless adapter for packet capture and begins monitoring traffic from a nearby access point.
To accelerate the assessment, the tester transmits crafted 802.11 frames that momentarily interrupt active client connections. Shortly afterward, new authentication exchanges are observed in the capture logs, providing the necessary material for subsequent analysis.
The activity described corresponds to which component of the Aircrack-ng suite?
During a penetration test, an analyst repeatedly initiates TCP connections to a target host and records the sequence numbers returned in the SYN/ACK responses. By examining predictable or incremental patterns in these values, the analyst attempts to infer characteristics of the underlying operating system.
What OS fingerprinting attribute is being analyzed in this scenario?
A national e-commerce retailer experiences a sustained distributed attack that saturates its edge connectivity with high-volume traffic originating from thousands of globally dispersed hosts. Internal mitigation attempts such as ACL tuning and rate limiting fail to restore service stability.
After escalating the issue, the organization coordinates with its upstream connectivity provider, which begins rerouting inbound traffic through a large-scale filtering infrastructure capable of absorbing and scrubbing malicious traffic before forwarding legitimate requests back to the retailer’s network.
What defensive approach is being applied in this scenario?
A Nessus scan reports a CVSS 9.0 SSH vulnerability allowing remote code execution. What should be immediately prioritized?
A Linux server has world-writable cron directories. What can attackers achieve?
By using a smart card and pin, you are using a two-factor authentication that satisfies
A financial institution in San Francisco suffers a breach where attackers install malware that captures customer account credentials. The stolen data is then sold on underground forums for profit. No political or social statements are made, and the attackers remain anonymous while continuing to target similar organizations for financial gain. Based on this activity, what category of hacker is most likely responsible?
You are Riley, an incident responder at NovaEx Crypto in San Antonio, Texas, tasked with investigating a recent double-spend reported by a retail merchant that accepts the exchange ' s token. Your telemetry shows that a reseller node used by the merchant received blocks only from a small, fixed set of peers for several hours and accepted a conflicting history that later allowed the attacker to reverse a confirmed payment. The attacker appears to have controlled which peers that node communicated with and supplied it a private chain until they were ready to reveal it. Which blockchain attack does this behavior most closely describe?
At a New York-based e-commerce company preparing for Black Friday sales, analyst Sarah evaluates cloud billing practices. She notices that the provider tracks compute hours, storage usage, and bandwidth consumption in detail, enabling the company to pay only for what is consumed while also supporting audits. Which cloud computing characteristic best explains this feature?
A university ' s online registration system is disrupted by a combined DNS reflection and HTTP Slowloris DDoS attack. Standard firewalls cannot mitigate the attack without blocking legitimate users. What is the best mitigation strategy?
A company’s online service is under a multi-vector DoS attack using SYN floods and HTTP GET floods. Firewalls and IDS cannot stop the outage. What advanced defense should the company implement?
A digital publishing firm in Charlotte, North Carolina, noticed suspicious probing activity against its public website. To proactively assess exposure, the security team initiated a focused scan of the company ' s HTTP servers. The chosen tool examined server headers, identified installed web server software through file signatures and favicon analysis, checked for outdated components, and searched for potentially dangerous files and misconfigurations. The scan also supported SSL connections and generated exportable reports in multiple formats for documentation. Which vulnerability assessment tool most closely aligns with the capabilities described?
Attackers persisted by modifying legitimate system utilities and services. What key step helps prevent similar threats?
An IDS generates alerts during normal user activity. What is the most likely cause?
A penetration tester completes a vulnerability scan showing multiple low-risk findings and one high-risk vulnerability tied to outdated server software. What should the tester prioritize as the next step?
During a red team operation for XYZ Financial Services, security analyst Lily Jensen is assigned to scan a critical subnet that is protected by an IDS. Her initial scan attempt is immediately flagged and blocked. To evade detection while continuing reconnaissance, she adjusts the scanning configuration to include multiple spoofed IP addresses alongside her own. This makes it difficult for network defenses to isolate her real scanning activity, while still allowing her to receive accurate results.
Which scanning technique is Lily using?
During a penetration test at Cascade Financial in Seattle, ethical hacker Elena Vasquez probes the input handling of the company ' s web server. She discovers that a single crafted request is processed as two separate ones, allowing her to inject malicious data into the server ' s communication. This type of attack falls into the same category of input validation flaws as cross-site scripting (XSS), cross-site request forgery (CSRF), and SQL injection. Which type of web server attack is Elena most likely demonstrating?
An employee finds a USB drive labeled “Employee Salary Info 2024” and plugs it into a company computer, causing erratic behavior. What type of social engineering attack is this?
The establishment of a TCP connection involves a negotiation called three-way handshake. What type of message does the client send to the server in order to begin this negotiation?
A penetration tester is assessing a web application that does not properly sanitize user input in the search field. The tester suspects the application is vulnerable to a SQL injection attack. Which approach should the tester take to confirm the vulnerability?
During a security assessment at Apex Technologies in Austin, Texas, the cybersecurity team identifies a high risk of social engineering attacks, including phishing, vishing, and baiting, targeting employees across departments. To strengthen defenses, the team plans to implement a countermeasure to reduce the likelihood of employees disclosing sensitive information. Which of the following countermeasures should Apex Technologies prioritize to mitigate the risk of social engineering attacks?
A corporation uses both hardware-based and cloud-based solutions to distribute incoming traffic and absorb DDoS attacks, ensuring legitimate requests remain unaffected. Which DDoS mitigation strategy is being utilized?
A major financial institution is experiencing persistent DoS attacks against online banking, disrupting transactions. Which sophisticated DoS technique poses the greatest challenge to detect and mitigate effectively, potentially jeopardizing service availability?
In the bustling financial hub of Charlotte, North Carolina, ethical hacker Raj Patel is contracted by TrustBank, a regional US bank, to evaluate their online loan application portal. On April 22, 2025, Raj tests a feature allowing customers to upload structured financial documents for loan processing. By submitting a specially crafted document, he triggers a response that exposes internal server file paths and sensitive configuration data, including database connection strings. The issue arises from the portal ' s handling of external references in document parsing, not from response manipulation, authentication weaknesses, or undetected attack attempts. Raj compiles a detailed report to assist TrustBank ' s security team in mitigating the vulnerability.
Which type of vulnerability is Raj most likely exploiting in TrustBank ' s online loan application portal?
In Raleigh, North Carolina, ethical hacker Ethan Brooks is conducting a penetration test for Triangle FinTech, a rising financial startup. During his assessment, Ethan aims to bypass the company’s network security to access a restricted internal server. He crafts network packets to disguise his traffic as legitimate, forcing some TCP header information into subsequent packets to evade the firewall’s checks. His aim is to demonstrate how an attacker could slip past the security perimeter undetected, alerting the IT team to potential weaknesses.
Which technique is Ethan employing to bypass Triangle FinTech’s firewall during his penetration test?
While conducting a covert penetration test on a UNIX-based infrastructure, the tester decides to bypass intrusion detection systems by sending specially crafted TCP packets with an unusual set of flags enabled. These packets do not initiate or complete any TCP handshake. During the scan, the tester notices that when certain ports are probed, there is no response from the target, but for others, a TCP RST (reset) packet is received. The tester notes that this behavior consistently aligns with open and closed ports. Based on these observations, which scanning technique is most likely being used?
What does DEP block?
A regional healthcare provider in Portland, Oregon, recently migrated its patient scheduling portal to a new cloud platform. Within days, multiple patients reported that when searching online for the clinic ' s appointment system, they were directed to a website that looked identical to the official portal. The fraudulent page appeared prominently in search engine results and prompted users to log in using their patient credentials. The URL closely resembled the legitimate domain name, and no internal DNS servers had been altered within the organization ' s infrastructure. Security analysts later determined that the attacker had created a convincing replica of the portal and manipulated search visibility so that unsuspecting users would voluntarily navigate to the malicious site. Which type of social engineering technique best explains this attack?
Customer data in a cloud environment was exposed due to an unknown vulnerability. What is the most likely cause?
At a private aerospace research facility in Mesa, Arizona, an executive raises concerns after sensitive discussion points from speakerphone meetings begin surfacing externally. The device shows no indicators of active audio recording, and application permission history does not reflect recent camera or microphone authorization changes. A forensic mobile analysis identifies that an installed application has been continuously reading motion sensor output while the phone ' s loudspeaker is active. The collected sensor data was later transmitted to a remote server, where acoustic characteristics were reconstructed from the recorded measurements. Identify the attack technique responsible for this compromise.
Noah, a security analyst at a Seattle-based healthcare provider, is responding to a real-time data breach where attackers accessed patient records stored on a compromised server. During incident response, he must quickly secure sensitive files located on the system’s primary storage to prevent further exfiltration. The data resides in a mounted partition that needs full-volume encryption, but standard file encryption isn’t sufficient. Noah selects a solution that supports encrypted containers, strong key lengths like 256-bit AES, and can conceal secure volumes within standard ones to reduce detection. His goal is to ensure confidentiality while forensic operations continue without disrupting system functionality.
Which disk encryption tool should Noah deploy to meet these objectives?
A large media-streaming company receives complaints that its web application is timing out or failing to load. Security analysts observe the web server is overwhelmed with a large number of open HTTP connections, transmitting data extremely slowly. These connections remain open indefinitely, exhausting server resources without consuming excessive bandwidth. The team suspects an application-layer DoS attack. Which attack is most likely responsible?
During a stealth penetration test at a defense research facility, ethical hacker Daniel installs a payload that survives even after multiple operating system reinstalls. The implant resides deep inside the system hardware and executes before the OS is loaded, ensuring that forensic scans and antivirus tools at the OS level cannot detect or remove it. Administrators notice unusual activity on network cards and storage devices, but repeated scans show no malware traces within the file system.
Which type of rootkit most likely enabled this level of persistence?
What does a NULL scan send?
A regional healthcare provider in Portland, Oregon, recently migrated its patient scheduling portal to a new cloud platform. Within days, multiple patients reported that when searching online for the clinic’s appointment system, they were directed to a website that looked identical to the official portal.
The fraudulent page appeared prominently in search engine results and prompted users to log in using their patient credentials. The URL closely resembled the legitimate domain name, and no internal DNS servers had been altered within the organization’s infrastructure.
Security analysts later determined that the attacker had created a convincing replica of the portal and manipulated search visibility so that unsuspecting users would voluntarily navigate to the malicious site.
Which type of social engineering technique best explains this attack?
A multinational corporation recently survived a severe Distributed Denial-of-Service (DDoS) attack and has implemented enhanced security measures. During an audit, you discover that the organization uses both hardware- and cloud-based solutions to distribute incoming traffic in order to absorb and mitigate DDoS attacks while ensuring legitimate traffic remains available. What type of DDoS mitigation strategy is the company utilizing?
You are Liam Chen, an ethical hacker at CyberGuard Analytics, hired to test the social engineering defenses of Coastal Trends, a retail chain in Los Angeles, California. During a covert assessment, you craft a deceptive message sent to the employees’ company phones, claiming a critical account update is needed and directing them to a link that installs monitoring software. Several employees interact with the link, exposing a vulnerability to a specific mobile attack vector. Based on this approach, which mobile attack type are you simulating?
A penetration tester is assessing a mobile application and discovers that the app is vulnerable to improper session management. The session tokens are not invalidated upon logout, allowing the tokens to be reused. What is the most effective way to exploit this vulnerability?
A penetration tester is assessing a web application that employs secure, HTTP-only cookies, regenerates session IDs upon login, and uses strict session timeout policies. To hijack a user ' s session without triggering the application ' s security defenses, which advanced technique should the tester utilize?
As a Certified Ethical Hacker, you are assessing a corporation’s serverless cloud architecture. The organization experienced an attack where a user manipulated a function-as-a-service (FaaS) component to execute malicious commands. The root cause was traced to an insecure third-party API used within a serverless function. What is the most effective countermeasure to strengthen the security posture?
A penetration tester identifies malware that monitors the activities of a user and secretly collects personal information, such as login credentials and browsing habits. What type of malware is this?
In Dallas, Texas, ethical hacker Ethan Brooks is hired by Lone Star Credit Union to assess the security of their online banking portal, which processes customer transactions. During his penetration test, Ethan probes the web server hosting the portal, experimenting with crafted URL requests. He notices that by altering the URL parameters in a specific way, the server returns data from areas of the system that should be restricted, revealing configuration files not intended for public access. Suspecting this behavior indicates a vulnerability, Ethan documents the issue to help the security team strengthen their defenses against potential unauthorized access.
Which technique is Ethan most likely using to uncover the vulnerability in Lone Star Credit Union’s web server?
A competing technology firm begins releasing products that closely mirror the design, pricing strategy, and feature roadmap of ApexDynamics Inc. An internal review reveals that detailed information about ApexDynamics’ upcoming initiatives had been gradually collected through publicly available sources and external disclosures before product launch.
Which footprinting-related threat does this scenario best represent?
An energy infrastructure company in Tulsa, Oklahoma initiated a controlled phishing simulation targeting multiple operational departments.
The test email claimed to originate from the corporate compliance office and instructed employees to “complete a mandatory regulatory update within the next 30 minutes to avoid account suspension.” The message used a broad salutation instead of employee names and lacked the standard corporate signature footer normally appended to official communications.
Additionally, security analysts observed that the embedded hyperlink displayed the organization’s domain in the message body; however, when examined more closely, the actual destination resolved to a shortened external URL redirecting to an unrelated host.
From a defensive analysis standpoint, which indicator provides the strongest technical validation that the message is malicious?
A penetration tester detects malware on a system that secretly records all keystrokes entered by the user. What type of malware is this?
You detect the presence of a kernel-level rootkit embedded deeply within an operating system. Given the critical nature of the infection, which remediation strategy should be followed to effectively remove the rootkit while minimizing long-term risk?
During a penetration test at a manufacturing company in Detroit, Amanda, a senior security consultant, scans several legacy Linux servers. On one host, she discovers an open port used for file transfer that allows anonymous login. Once connected, she is able to view the directory structure and check available files, which helps her identify potential sensitive information exposure. She also notices background traffic on a UDP service related to NetBIOS name lookups, but she continues probing the file transfer service to confirm user access weaknesses.
Which ports and services should Amanda prioritize for this enumeration activity?
At a federal research agency, cybersecurity officer Nikhil is drafting a vulnerability assessment report. In this section, he documents the scanning methodology used, the information about the targets, the type and scope of scans performed, and the tools involved. He does not yet include specific vulnerabilities or affected assets, as this portion of the report is meant to provide context for how the assessment was conducted.
Which section of the vulnerability assessment report is Nikhil working on?
Which attack targets WPA WPS PIN?
A known vulnerability exists on a production server, but patching is delayed due to operational constraints. What immediate action can reduce risk without disrupting operations?
The tools which receive event logs from servers, network equipment, and applications, and perform analysis and correlation on those logs, and can generate alarms for security relevant issues, are known as what?
On July 9, 2025, during a security penetration test at MedSecure Health in Phoenix, Arizona, the ethical hacking team evaluates the resilience of the company ' s patient portal system. Ethical hacker Aisha Khan initiates a controlled test that generates sustained traffic pressure against the web application servers. As system responsiveness declines, the IT operations team reallocates backend resources, suspending lower-priority modules such as system alerts and notification services, allowing high-priority functions like prescription refills and patient check-ins to remain accessible. Aisha’s controlled simulation is designed to assess the IT team’s ability to maintain critical functionality under partial resource exhaustion.
What DoS DDoS countermeasure strategies is Aisha’s exercise primarily simulating?
You are Michael, an ethical hacker at a New York–based e-commerce company performing a security review of their payment-signing service. While observing the signing process (without access to private keys), you note the service generates a fresh random value for each signature operation, the signature algorithm uses modular arithmetic in a subgroup defined by public domain parameters, and signatures are verified with a public verification key rather than by decrypting the message. Which asymmetric algorithm best matches the signing mechanism you observed?
You perform a SYN (half-open) scan and receive a SYN/ACK packet in response. How should this result be interpreted?
During a red team exercise at Horizon Financial Services in Chicago, ethical hacker Clara crafts an email designed to trick the company’s CEO. The message, disguised as an urgent memo from the legal department, warns of a pending lawsuit and includes a link to a fake internal portal requesting the executive’s credentials. Unlike generic phishing, this attack is tailored specifically toward a high-ranking individual with decision-making authority.
A malware analyst is tasked with evaluating a suspicious PDF file suspected of launching attacks through embedded JavaScript. Initial scans using pdfid show the presence of /JavaScript and /OpenAction keywords. What should the analyst do next to understand the potential impact?
In the crisp mountain air of Denver, Colorado, ethical hacker Lila Chen investigates the security framework of MediVault, a U.S.-based healthcare platform used by regional clinics to manage patient data. During her review, Lila discovers that sensitive records are weakly protected, allowing attackers to intercept and manipulate the information in transit. She warns that such weaknesses could be exploited to commit credit-card fraud, identity theft, or similar crimes. Further analysis reveals that MediVault is vulnerable to well-documented flaws such as cookie snooping and downgrade attacks.
Which issue is MOST clearly indicated?
As a cybersecurity professional at XYZ Corporation, you are tasked with investigating anomalies in system logs that suggest potential unauthorized activity. System administrators have detected repeated failed login attempts on a critical server, followed by a sudden surge in outbound data traffic. These indicators suggest a possible compromise. Given the sensitive nature of the system and the sophistication of the threat, what should be your initial course of action?
As an Ethical Hacker, you have been asked to test an application’s vulnerability to SQL injection. During testing, you discover an entry field that appears susceptible. However, the backend database is unknown, and regular SQL injection techniques have failed to produce useful information. Which advanced SQL injection technique should you apply next?
Which of the following protocols is used when an attacker attempts to launch a man-in-the-middle attack by manipulating sequence and acknowledgment numbers?
A financial services firm detects that outbound corporate emails containing sensitive underwriting data were intercepted while transmitted over unsecured channels. To immediately restore confidentiality and ensure authenticity of executive communications, the security operations team deploys a standardized email encryption framework compatible with the organization’s Microsoft Outlook environment.
The selected solution must support digital signatures for sender authentication, rely on a public-key infrastructure for secure key exchange, and enable recipients to validate signed messages using certificates issued by trusted authorities.
Identify the email encryption standard that best fulfills these requirements.
A global media streaming platform experiences traffic surges every 10 minutes, with spikes over 300 Gbps followed by quiet intervals. Which DDoS attack explains this behavior?
During a security assessment for an e-commerce company in Boston, Massachusetts, your team conducts a reconnaissance phase to identify potential entry points into the organization ' s communication infrastructure. You focus on gathering details about the systems responsible for handling incoming email traffic, avoiding active network probing, and relying on passive DNS data collection. Given this objective, which DNS record type should you query to extract information about the target’s mail server configuration?
During a red team engagement, an ethical hacker discovers that a thermostat accepts older firmware versions without verifying their authenticity. By loading a deprecated version containing known vulnerabilities, the tester gains unauthorized access to the broader network. Which IoT security issue is most accurately demonstrated in this scenario?
During a security assessment of a metropolitan public transportation terminal, a penetration tester examines a network-connected IoT surveillance camera system used for 24/7 video monitoring. The camera uses outdated SSLv2 encryption to transmit video data. The tester intercepts and decrypts video streams due to the weak encryption and absence of authentication mechanisms. What IoT vulnerability is most likely being exploited in this scenario?
A security analyst investigates unusual east-west traffic on a corporate network. A rogue device has been physically inserted between a workstation and the switch, enabling unauthorized access while inheriting the workstation’s authenticated network state. Which evasion technique is being used?
An attacker exploits a misconfigured S3 bucket containing application backups with database credentials. What cloud security failure category does this fall under?
A Linux system allows passwordless sudo for multiple commands. What security principle is violated?
A system’s audit logs are not centralized. Which attack phase is hardest to detect?
A red team operator wants to obtain credentials from a Windows machine without touching LSASS memory due to security controls and Credential Guard. They use SSPI to generate NetNTLM responses in the logged-in user context and collect those responses for offline cracking. Which attack technique is being used?
Targeted, logic-based credential guessing using prior intel best describes which technique?
You discover multiple NetBIOS responses during an nbtscan, but only one host returns a < 1B > entry. What does this indicate?
A national retail chain headquartered in Minneapolis, Minnesota operates a customer rewards portal supported by front-end delivery layers designed to improve performance during peak shopping periods. During an authorized security assessment, a tester submits a specially crafted request containing unusual header combinations and a modified query parameter while accessing a promotional page.
Shortly afterward, other legitimate users requesting the same promotional page through standard browsers begin receiving altered content that differs from what the application normally generates. When the tester accesses the underlying origin system directly, the response reflects the expected legitimate version. After some time and additional routine traffic, the unexpected content is no longer served.
Identify the attack technique that best explains this observed behavior.
Which advanced evasion technique poses the greatest challenge to detect and mitigate?
What does TTL manipulation help evade?
A zero-day vulnerability is actively exploited in a critical web server, but no vendor patch is available. What should be the FIRST step to manage this risk?
In Portland, Oregon, ethical hacker Olivia Harper is hired by Cascade Biotech to test the security of their research network. During her penetration test, she simulates an attack by sending malicious packets to a server hosting sensitive genetic data. To evade detection, she needs to understand the monitoring system deployed near the network’s perimeter firewall, which analyzes incoming and outgoing traffic for suspicious patterns across the entire subnet. Olivia’s goal is to bypass this system to highlight vulnerabilities for the security team.
Which security system is Olivia attempting to bypass during her penetration test of Cascade Biotech’s network?
During a red team assessment of a mid-sized insurance provider in Denver, Colorado, testers established persistent access on an internal developer workstation after exploiting a misconfigured automation service. To sustain command-and-control without triggering perimeter defenses, they configured a low-bandwidth outbound channel designed to blend into infrastructure traffic that is routinely permitted through egress controls.
Security operations later identified periodic outbound communication from the compromised host to a single unfamiliar external endpoint not associated with approved vendors or user activity. The traffic was distributed over time rather than bursty. Although the exchanges resembled legitimate service requests, packet inspection revealed irregular payload sizing and structured encoding patterns inconsistent with typical client behavior across the environment.
What covert communication technique was most likely used to sustain the red team’s access?
During an internal security assessment of a medium-sized enterprise network, a security analyst notices an unusual spike in ARP traffic. Closer inspection reveals that one particular MAC address is associated with multiple IP addresses across different subnets. The ARP packets were unsolicited replies rather than requests, and several employees from different departments have reported intermittent connection drops, failed logins, and broken intranet sessions. The analyst suspects an intentional interference on the local network segment. What is the most likely cause of this abnormal behavior?
Which best describes the role of a penetration tester?
A Java app uses Random() for session tokens. What is the risk?
You have been asked to perform a penetration test for a local company. You have had several meetings with the client and are now almost ready to begin the assessment. Which of the following is the document that would contain verbiage which describes what type of testing is allowed and when you will perform testing and limits your liabilities as a penetration tester?
At a fast-growing startup in Austin, Texas, an ethical hacker is asked to simulate how attackers might gather information to gain initial access. During the assessment, she poses as a recruiter on a professional networking site and convinces several employees to share details about the company’s internal software and VPN setup. Which type of threat best represents this adversary’s method of information gathering?
Which scenario best describes a slow, stealthy scanning technique?
During a red team simulation at a bank in Chicago, Illinois, the SOC team suspects that some of the incoming traffic may be spoofed. To verify this, an analyst begins monitoring the sequence values assigned to packets, looking for irregularities that indicate they were not generated by the legitimate source. Which spoofing detection technique is the analyst using?
A large mobile telephony and data network operator has a data center that houses network elements. These are essentially large computers running on Linux. The perimeter of the data center is secured with firewalls and IPS systems. What is the best security policy concerning this setup?
A penetration tester is assessing a web application that uses dynamic SQL queries for searching users in the database. The tester suspects the search input field is vulnerable to SQL injection. What is the best approach to confirm this vulnerability?
In a security assessment conducted in New York, Sarah, an ethical hacker, is evaluating a corporate network to enhance its protection against potential threats. She aims to gather essential data about available access points to guide her analysis. Which scanning technique should Sarah apply to meet this objective while adhering to the organization ' s ethical guidelines?
During a penetration test at a financial services company in Denver, ethical hacker Jason demonstrates how employees could be tricked by a rogue DHCP server. To help the client prevent such attacks in the future, Jason shows the administrators how to configure their Cisco switches to reject DHCP responses from untrusted ports. He explains that this global setting must be activated before more granular controls can be applied.
Which switch command should Jason recommend to implement this defense?
Which of the following is the primary objective of a rootkit?
Which of the following best describes the role of a penetration tester?
A regional investment firm in Denver, Colorado, recently migrated to a fully switched Ethernet infrastructure. During an authorized security evaluation, a consultant connected a test device to an access-layer switch and initiated a scripted network interaction.
Within minutes, administrators observed irregular switching behavior. Frames that were normally delivered directly between specific workstations began appearing across multiple switch ports. Users reported brief connectivity instability, but no configuration changes were made to the switch. After the activity subsided, forwarding operations gradually stabilized.
Based on the observed behavior, which sniffing technique was most likely performed?
In a tense red team exercise at a mid-sized university in Austin, Texas, an ethical hacker named Jake targeted a legacy Linux server in the engineering department. Late one afternoon, he discovered TCP port 2049 was open during his first sweep, suggesting hidden file-sharing capabilities. Intrigued, Jake used a standard utility to request a list of remote file systems shared across the network, aiming to map accessible resources. Meanwhile, he idly checked for Telnet access and probed a time-sync service out of routine, but both proved fruitless on this host.
Which enumeration method is actively demonstrated in this scenario?
A penetration tester is testing a web application ' s product search feature, which takes user input and queries the database. The tester suspects inadequate input sanitization. What is the best approach to confirm the presence of SQL injection?
A security consultant is conducting an authorized assessment for a healthcare billing provider in Phoenix, Arizona. While monitoring internal traffic, he observes an authenticated employee interacting with a sensitive web-based management portal over TCP.
During the session, the consultant carefully crafts and injects packets into the ongoing communication stream. Shortly afterward, the legitimate user experiences irregular responses from the application, and the server begins processing commands originating from the consultant’s injected traffic as though they were part of the established session.
The technique does not involve credential guessing or forcing the user to reauthenticate. Instead, it targets the communication channel already in progress.
From a network-level perspective, what type of session hijacking technique is being demonstrated?
During an external assessment of a regional retail company ' s digital infrastructure, security analyst Joe is assigned to map internal services without active intrusion. While testing the behavior of a publicly exposed resolution system, he discovers that a secondary system responds unusually to structured queries. When he issues a specific request format, the server replies with a full list of internal mappings, including subdomains, mail hosts, and system aliases without requiring credentials or triggering alerts.
Which technique was most likely used to obtain this information?
During a red team engagement for a client in the financial sector, ethical hacker Tyler Brooks conducts a phishing campaign using a crafted internal web page disguised as a company VPN login. After several users enter their credentials, Tyler confirms that the payload successfully recorded input without triggering antivirus or requiring local installation privileges. The captured keystrokes came exclusively from a web-based form embedded in the fake login page.
Based on the technique used, which type of keylogger did Tyler most likely deploy?
You perform a network scan using ICMP Echo Requests and observe that certain IP addresses do not return Echo Replies, while other network services remain functional. How should this situation be interpreted?
A company hires a hacker to test its network security by simulating real-world attacks. The hacker has permission and operates within legal boundaries. What is this type of hacker called?
A penetration tester suspects that the web application ' s " Order History " page is vulnerable to SQL injection because it displays user orders based on an unprotected user ID parameter in the URL. What is the most appropriate approach to test this?
During a red team engagement at a technology startup in Austin, ethical hacker Priya simulates an internal attacker by connecting a laptop to the corporate LAN. Within minutes, nearby workstations begin receiving incorrect network settings such as altered gateways and DNS servers. Employees trying to access the intranet are redirected to fake login portals hosted on Priya’s machine. Security tools record temporary IP conflicts, but no alerts are triggered against the altered traffic paths.
Which attack technique did Priya most likely use?
Which indicator most strongly confirms a MAC flooding attack?
During an investigation, an ethical hacker discovers that a web application’s API has been compromised, leading to unauthorized access and data manipulation. The attacker is using webhooks and a webshell. To prevent further exploitation, which of the following actions should be taken?
A security analyst is investigating a network compromise where malware communicates externally using common protocols such as HTTP and DNS. The malware operates stealthily, modifies system components, and avoids writing payloads to disk. What is the most effective action to detect and disrupt this type of malware communication?
During a security assessment, a consultant investigates how the application handles requests from authenticated users. They discover that once a user logs in, the application does not verify the origin of subsequent requests. To exploit this, the consultant creates a web page containing a malicious form that submits a funds transfer request to the application. A logged-in user, believing the page is part of a promotional campaign, fills out the form and submits it. The application processes the request successfully without any reauthentication or user confirmation, completing the transaction under the victim’s session. Which session hijacking technique is being used in this scenario?
The company ABC recently contracts a new accountant. The accountant will be working with the financial statements. Those financial statements need to be approved by the CFO and then they will be sent to the accountant but the CFO is worried because he wants to be sure that the information sent to the accountant was not modified once he approved it. Which of the following options can be useful to ensure the integrity of the data?
A penetration tester is investigating a web server that allows unrestricted file uploads without validating file types. Which technique should be used to exploit this vulnerability and potentially gain control of the server?
A multinational manufacturing company in San Jose, California has deployed a perimeter firewall to protect its internal production networks. During a red team exercise, testers observe that the device monitors active TCP communications and allows traffic to continue only when packets correspond to recognized, previously established connections.
The firewall evaluates multiple header attributes across ongoing communications while operating inline at the network boundary.
From a firewall architecture perspective, what type of firewall is most likely in use at this perimeter?
A penetration tester identifies that a web application ' s login form is not using secure password hashing mechanisms, allowing attackers to steal passwords if the database is compromised. What is the best approach to exploit this vulnerability?
You are an ethical hacker at CyberShield Analytics, hired by Coastal Education Services, a tutoring platform in Miami, Florida, to test the security of their student portal. While probing the portal ' s course enrollment page, you input a crafted value into the course ID field, appending a condition that checks if the first character of the database name is a specific value. The application does not display error messages or additional data, but the page takes significantly longer to load when the condition evaluates to true, indicating a deliberate delay.
Based on the observed behavior, which SQL injection technique are you employing?
In the neon-lit sprawl of Las Vegas, Nevada, a luxury hotel’s smart room control system suffered a breach, allowing an intruder to manipulate guest room settings. The incident investigation revealed that the IoT devices lacked any mechanism to verify the integrity or authenticity of software prior to execution, allowing tampered instructions to run unchecked. As Emna Ruza, a cybersecurity consultant brought in to assess the breach, you recommend a solution that ensures only authorized, validated code is executed on the devices.
Which secure development practice are you advising the hotel to implement?
During a penetration test at Windy City Enterprises in Chicago, ethical hacker Mia Torres targets the company ' s public-facing site. By exploiting an unpatched vulnerability in the web server, she manages to alter visible content on the homepage, replacing it with unauthorized messages. Mia explains to the IT team that this kind of attack can damage the company ' s reputation and erode customer trust, even if sensitive data is not directly stolen.
Which type of web server attack is Mia most likely demonstrating?
A telecommunications provider in Toronto operates a monitoring platform that analyzes inbound traffic streams during suspected denial-of-service conditions. The system converts traffic measurements into signal components and evaluates their energy across multiple frequency ranges to distinguish abnormal traffic bursts from background network noise.
Rather than focusing on traffic baselines or identifying the exact statistical breakpoint where behavior changes, the platform identifies anomalies by decomposing traffic signals into spectral components for analysis.
Which DDoS detection technique is being used in this scenario?
A financial technology firm in Atlanta, Georgia launches an internal investigation after multiple employees report that a popular messaging application on their Android devices has begun displaying excessive advertisements and behaving unpredictably. Security analysts discover that users had installed a utility application from a third-party marketplace weeks earlier. Further examination shows that this application silently replaced certain legitimate apps already present on the device. The compromised applications were then used to generate large volumes of advertisements and collect user data for external transmission. Based on the observed behavior, what malware is most consistent with this incident?
During a security assessment in San Francisco, an ethical hacker is tasked with evaluating a network ' s resilience against stealthy reconnaissance attempts. The hacker needs to employ a scanning technique that leverages TCP flags to evade detection by intrusion detection systems, relying on the target ' s response behavior to infer port states without completing a full connection. Which approach best aligns with this strategy, ensuring minimal visibility during the assessment?
You are Ethan Brooks, an ethical hacker at Vanguard Security Solutions, hired to perform a wireless penetration test for Pacific Logistics, a shipping company in Seattle, Washington. Your task is to identify all Wi-Fi networks in range without alerting the network administrators. Using a laptop with a Wi-Fi card, you monitor radio channels to detect access points and their BSSIDs without sending any probe requests or injecting data packets.
Based on the described method, which Wi-Fi discovery technique are you employing?
During a high-stakes engagement, a penetration tester abuses MS-EFSRPC to force a domain controller to authenticate to an attacker-controlled server. The tester captures the NTLM hash and relays it to AD CS to obtain a certificate granting domain admin privileges. Which network-level hijacking technique is illustrated?
During a penetration test at Pacific Trust Bank in Seattle, ethical hacker Mia Chen suspects that a server hosting customer transaction data may be a honeypot. To investigate, she repeatedly sends crafted queries and observes how quickly the system responds. She notices that responses are consistently faster and more uniform than those of other production servers, raising her suspicion that the environment is designed to lure attackers.
Which technique is Mia most likely using to determine if the server is a honeypot?
At Bayview University in San Francisco, California, ethical hacker Sofia Patel is evaluating security controls on Android 11 tablets used by staff. To simulate an attack, she installs KingoRoot.apk directly on one of the devices. The application leverages system vulnerabilities to elevate privileges without requiring a computer connection. Based on the module, which feature of this rooting approach makes the attack effective?
Which of the following program infects the system boot sector and the executable files at the same time?
Malware uses Background Intelligent Transfer Service (BITS) to evade detection. Why is BITS attractive to attackers?
During a red team test, a web application dynamically builds SQL queries using a numeric URL parameter. The tester sends the following request:
http://vulnerableapp.local/view.php?id=1; DROP TABLE users;
The application throws errors and the users table is deleted. Which SQL injection technique was used?
A financial technology firm in Atlanta, Georgia launches an internal investigation after multiple employees report that a popular messaging application on their Android devices has begun displaying excessive advertisements and behaving unpredictably.
Security analysts discover that users had installed a utility application from a third-party marketplace weeks earlier. Further examination shows that this application silently replaced certain legitimate apps already present on the device. The compromised applications were then used to generate large volumes of advertisements and collect user data for external transmission.
Based on the observed behavior, what malware is most consistent with this incident?
A digital publishing firm in Charlotte, North Carolina, noticed suspicious probing activity against its public website. To proactively assess exposure, the security team initiated a focused scan of the company’s HTTP servers.
The chosen tool examined server headers, identified installed web server software through file signatures and favicon analysis, checked for outdated components, and searched for potentially dangerous files and misconfigurations. The scan also supported SSL connections and generated exportable reports in multiple formats for documentation.
Which vulnerability assessment tool most closely aligns with the capabilities described?
During a black-box security assessment of a large enterprise network, the penetration tester scans the internal environment and identifies that TCP port 389 is open on a domain controller. Upon further investigation, the tester runs the ldapsearch utility without providing any authentication credentials and successfully retrieves a list of usernames, email addresses, and departmental affiliations from the LDAP directory. The tester notes that this sensitive information was disclosed without triggering any access control mechanisms or requiring login credentials. Based on this behavior, what type of LDAP access mechanism is most likely being exploited?
During a red team exercise at Apex Logistics in Denver, ethical hacker Rachel launches controlled packet injection attacks to simulate session hijacking attempts. The client ' s IT team wants a way to automatically detect such abnormal behaviors across the network in real time, instead of relying on manual analysis. They decide to deploy a monitoring system capable of flagging suspicious session activity based on predefined rules and traffic signatures.
Which detection method best fits the IT team ' s requirement?
A penetration tester discovers that a web application is using outdated SSL/TLS protocols (TLS 1.0) to secure communication. What is the most effective way to exploit this vulnerability?
An organization uses SHA-256 for data integrity verification but still experiences unauthorized data modification. Which cryptographic tool would best resolve this issue?
Attackers exploit SMBv1 to spread malware across hosts. What attack behavior is this?
After installing a backdoor on a web server, what action best ensures it remains undetected?
A Java app uses outdated libraries with known CVEs. What risk does this create?
A cybersecurity team at a regional healthcare provider is conducting an internal red team exercise to assess their exposure to service enumeration attacks. Amanda, a senior penetration tester, is assigned to probe the internal network for services that may reveal usernames, group information, or system details without requiring prior authentication. She decides to target common services running on specific ports that are often misconfigured or loosely monitored. During her reconnaissance, Amanda identifies several open ports across various hosts and must now prioritize which ones to probe first for maximum information gain related to enumeration. Which of the following services should Amanda target as a priority to enumerate usernames and group information without authentication?
After a breach, investigators discover attackers used modified legitimate system utilities and a Windows service to persist undetected and harvest credentials. What key step would best protect against similar future attacks?
A penetration tester is tasked with identifying vulnerabilities on a web server running outdated software. The server hosts several web applications and is protected by a basic firewall. Which technique should the tester use to exploit potential server vulnerabilities?
During a covert red team engagement, a penetration tester is tasked with identifying live hosts in a target organization’s internal subnet (10.0.0.0/24) without triggering intrusion detection systems (IDS). To remain undetected, the tester opts to use the command nmap -sn -PE 10.0.0.0/24, which results in several " Host is up " responses, even though the organization’s IDS is tuned to detect high-volume scans. After the engagement, the client reviews the logs and is surprised that the scan was not flagged. What allowed the scan to complete without triggering alerts?
A penetration tester finds that a web application does not properly validate user input and is vulnerable to reflected Cross-Site Scripting (XSS). What is the most appropriate approach to exploit this vulnerability?
A penetration tester is conducting an external assessment of a corporate web server. They start by accessing https://www.targetcorp.com/robots.txt and observe multiple Disallow entries that reference directories such as /admin-panel/, /backup/, and /confidentialdocs/. When the tester directly visits these paths via a browser, they find that access is not restricted by authentication and gain access to sensitive files, including server configuration and unprotected credentials. Which stage of the web server attack methodology is demonstrated in this scenario?
In Miami, Florida, a luxury resort deploys smart climate control units in guest rooms. During a red team engagement, ethical hacker Sophia Bennett discovers that once a compromised device is restarted, it continues running altered instructions without any integrity check before the operating system loads. This allows tampered firmware to run as if it were legitimate. Which secure development practice would most directly prevent this weakness?
During an external assessment of a healthcare insurance company in Houston, a penetration tester identifies a service running on TCP port 389. When queried, the service accepts anonymous binds and reveals directory data. By structuring his search filter, the tester is able to obtain usernames, departmental details, and organizational units. This information could potentially be used for targeted password attacks or privilege escalation.
Which classification best describes this enumeration activity?
Granite Ridge Technologies in New Jersey is preparing to formalize its information security governance model. Executive leadership requires adoption of an internationally recognized framework that ensures confidentiality, integrity, and availability of information while enabling the organization to systematically identify, assess, and manage information security risks. The framework must also support compliance with regulatory and contractual obligations and demonstrate commitment to stakeholders.
Which standard best fulfills these requirements?
As a cybersecurity analyst conducting passive reconnaissance, you aim to gather information without interacting directly with the target system. Which technique is least likely to assist in this process?
On 10th of July this year, during a security penetration test at IntelliCore Systems in Raleigh, North Carolina, the ethical hacking team evaluates the stability of the company’s file-sharing server. Sofia crafts and transmits a sequence of oversized, malformed packets designed to test how the server handles unexpected input. Shortly after, the system begins crashing intermittently due to processing failures triggered by these anomalous network requests. The security team onsite is tasked with identifying the root cause behind the packet-induced instability and attributing it to a known DoS tactic.
Which of the following best explains the technique Sofia used to trigger the server crashes?
During testing against a network protected by a signature-based IDS, the tester notices that standard scans are blocked. To evade detection, the tester sends TCP headers split into multiple small IP fragments so the IDS cannot reassemble or interpret them, but the destination host can. What technique is being used?
During a simulated attack against a university ' s IT network in California, ethical hacker Sophia deploys custom malicious code onto one lab workstation. Without requiring further user interaction, she observes the malware automatically copying itself into shared folders and spreading through weak admin credentials. Within a short time, dozens of computers across multiple departments are infected with the same payload, even though only one machine was initially targeted.
Which type of malware is Sophia most likely demonstrating?
During a physical penetration test at Sterling Electronics in Cleveland, ethical hacker Priya waits near the employee entrance during a shift change. When a group of staff enters the building using their access cards, Priya closely follows behind without swiping her own badge. None of the employees confront her, assuming she belongs there. Once inside, Priya proceeds to the break area where she documents the success of the exercise.
Which social engineering technique is Priya demonstrating?
An AWS security operations team receives an alert regarding abnormal outbound traffic from an EC2 instance. The instance begins transmitting encrypted data packets to an external domain that resolves to a Dropbox account not associated with the organization. Further analysis reveals that a malicious executable silently modified the Dropbox sync configuration to use the attacker ' s access token, allowing automatic synchronization of internal files to the attacker’s cloud storage. What type of attack has likely occurred?
Your company performs PCI-DSS audits and penetration testing for third-party clients. During an approved pen test you have discovered a folder on an employee ' s computer that appears to have hundreds of credit card numbers and other forms of personally identifiable information (PII). Which of the following is the best course of action?
Which technique best exploits session management despite MFA, encrypted cookies, and WAFs?
A biotech research firm in Boston, Massachusetts, migrates its laboratory management platform to the cloud. The vendor provides an environment where developers can deploy and test custom applications without managing the underlying servers, operating systems, or storage. The firm controls the application logic but not the runtime infrastructure.
Which cloud service model is the company using?
Bob received this text message on his mobile phone: “Hello, this is Scott Smelby from the Yahoo Bank. Kindly contact me for a vital transaction on: scottsmelby@yahoo.com”. Which statement below is true?
Multiple internal workstations and IoT devices are compromised and transmitting large volumes of traffic to numerous external targets under botnet control. Which type of denial-of-service attack best describes this situation?
A mid-sized insurance provider in Hartford, Connecticut authorizes a controlled red team engagement to evaluate its public-facing customer portal. Before progressing to active exploitation, the assessment team concentrates on understanding how the site is organized and how its content is interconnected.
Using automated tooling, they systematically retrieve publicly accessible pages along with associated resources such as scripts, media files, and referenced directories. The collected material allows the team to analyze navigation paths, hidden references, and structural relationships without repeatedly interacting with the live production system.
This preparatory effort is intended to build a detailed structural understanding of the application before later testing phases begin.
Within the web server attack methodology, which stage is most accurately demonstrated in this scenario?
A penetration tester evaluates a company ' s secure web application, which uses HTTPS, secure cookie flags, and strict session management to prevent session hijacking. To bypass these protections and hijack a legitimate user ' s session without detection, which advanced technique should the tester employ?
An attacker exploits medical imaging protocols to intercept patient data. Which sniffing technique is most challenging?
A cybersecurity analyst monitors competitors’ web content for changes indicating strategic shifts. Which missing component is most crucial for effective passive surveillance?
A network administrator reviews logs and observes that an attacker sends packets requesting the target system’s internal clock value. The response includes timing information that can be used to calculate round-trip delay and analyze host characteristics.
What host discovery technique is being used in this scenario?
In Denver, Colorado, ethical hacker Sophia Nguyen is hired by Rocky Mountain Insurance to assess the effectiveness of their network security controls. During her penetration test, she attempts to evade the company ' s firewall by fragmenting malicious packets to avoid detection. The IT team, aware of such techniques, has implemented a security measure to analyze packet contents beyond standard headers. Sophia ' s efforts are thwarted as the system identifies and blocks her fragmented packets.
Which security measure is the IT team most likely using to counter Sophia ' s firewall evasion attempt?
During a forensic investigation of an attack on a media company in New York, analysts discovered that a non-privileged process loaded a malicious library instead of the intended library because the attacker placed the rogue file in a directory Windows searched before the legitimate location. When the trusted application started, the attacker’s code executed with the application’s privileges. No registry changes or kernel exploits were involved. Which technique most likely enabled the privilege escalation?
A vulnerability has a score of 9.8. What does this rating help explain?
During a cybersecurity awareness drill at Quantum Analytics in San Francisco, California, the ethical hacking team tests the company’s defenses against social media-based threats. Nadia creates a fake LinkedIn profile posing as a senior HR manager from Quantum Analytics, using a stolen company logo and publicly available employee details. Nadia sends connection requests to several employees, including data analyst Priya Sharma, inviting them to join a private group called Quantum Analytics Innovation Hub. The group’s page prompts members to share their work email and department role for exclusive project updates.
What social engineering threat to corporate networks is Nadia’s exercise primarily simulating?
During a red team engagement against a multinational financial services organization, an ethical hacker conducts network reconnaissance against externally accessible systems. Instead of sending scan traffic directly from the originating assessment machine, the tester routes all reconnaissance packets through an intermediary external system before they reach the target network.
When the organization’s security team reviews monitoring data, the activity appears to originate from infrastructure unrelated to the tester’s actual geographic or organizational location.
From a reconnaissance methodology perspective, what is the primary objective of using this intermediary system?
A Linux system allows SSH login using deprecated ciphers. What risk exists?
During a scheduled security review in a high-tech lab in Austin, Texas, penetration tester Lucas Bennett was assessing a state government’s new payroll system hosted in a private cloud. One humid afternoon, while fuzz testing the input validation logic of the TaxCalcEngine.dll module, he triggered a buffer overflow by submitting malformed taxpayer ID strings. The crash led to unintended disclosure of payroll data due to unchecked data boundaries. Lucas traced the issue to a coding oversight in a core processing module. Applying a structured analysis approach, which category best describes the vulnerability he discovered?
During a targeted intrusion against a cloud infrastructure company in Salt Lake City, Utah, an attacker distributes a modified installation package of a legitimate network diagnostic utility widely used by employees. Before distributing the package, the attacker binds a malicious remote-access payload with the original executable so that both components are installed together.
When users launch the diagnostic tool, it performs its normal troubleshooting functions, while the hidden payload simultaneously executes in the background and establishes communication with a remote command server.
From a malware deployment perspective, what technique best describes this approach?
A regional law firm authorizes a wireless resilience evaluation after employees report intermittent connectivity disruptions in conference rooms. An ethical hacker assigned to the assessment analyses client behaviour while transmitting carefully crafted 802.11 management frames toward the organization ' s primary access point. Each transmission immediately causes several connected laptops to lose association with the network, requiring users to reconnect manually. Connectivity interruptions occur only when the crafted frames are sent. Identify the wireless attack illustrated by this activity.
A multinational healthcare provider headquartered in Boston, Massachusetts relies on federated authentication to allow employees to access multiple cloud-hosted applications using a single sign-on portal. During an authorized red team engagement, a security consultant gains access to the organization ' s identity infrastructure and extracts signing material used in trust relationships between the internal identity provider and external cloud services. Using this material, the consultant generates authentication responses that grant administrative-level access to several cloud applications without interacting with user credentials or triggering multifactor authentication challenges. The access appears legitimate within the cloud service logs. Which cloud attack technique best aligns with this behavior?
A penetration tester is tasked with uncovering historical content from a company’s website, including previously exposed login portals or sensitive internal pages. Direct interaction with the live site is prohibited due to strict monitoring policies. To stay undetected, the tester decides to explore previously indexed snapshots of the organization’s web content saved by external sources. Which approach would most effectively support this passive information-gathering objective?
Which attack best demonstrates covert eavesdropping via smartphone sensors?
A U.S.-based online securities trading firm in New York is reviewing its transaction authentication process. The security team confirms that each transaction is processed by first generating a hash of the transaction data. The hash value is then signed using the sender ' s private key. During verification, the recipient uses the corresponding public key to validate the signature before approving the transaction. The system documentation specifies that the same algorithm supports encryption, digital signatures, and key exchange mechanisms within the organization ' s secure communications infrastructure. Which encryption algorithm is being used in this implementation?
A cybersecurity consultant suspects attackers are attempting to evade an Intrusion Detection System (IDS). Which technique is most likely being used?
During a compliance review at a law firm in Chicago, an ethical hacker tests the firm’s secure email gateway. She observes that sensitive legal documents are being transmitted in clear text over the Internet, allowing anyone intercepting the traffic to read the contents. The firm is concerned about unauthorized individuals being able to view these communications. Which principle of information security is being violated?
An attacker performs DNS cache snooping using the dig command with the +norecurse flag against a known DNS server. The server returns NOERROR but provides no answer to the query. What does this most likely suggest?
A Certified Ethical Hacker (CEH) is auditing a company’s web server that employs virtual hosting. The server hosts multiple domains and uses a web proxy to maintain anonymity and prevent IP blocking. The CEH discovers that the server’s document directory (containing critical HTML files) is named “certrcx” and stored in /admin/web. The server root (containing configuration, error, executable, and log files) is also identified. The CEH also notes that the server uses a virtual document tree for additional storage. Which action would most likely increase the security of the web server?
As the cybersecurity lead for an international news agency, you are alerted by your threat intelligence team that confidential communications between journalists and whistleblowers have been posted to an online activist forum. Further forensic analysis reveals that no financial transactions were tampered with and no ransomware was deployed. However, the agency’s internal systems were accessed and selectively leaked emails were published alongside a manifesto accusing the organization of biased reporting. The attackers also posted on social media claiming responsibility and justifying their actions as a fight against misinformation.
Based on this behavior, what category of hacker are you most likely dealing with?
Which of the following is a common framework applied by business management and other personnel to identify potential events that may affect the enterprise, manage the associated risks and opportunities, and provide reasonable assurance that objectives will be achieved?
Your company was hired by a small healthcare provider to perform a technical assessment on the network. What is the best approach for discovering vulnerabilities on a Windows-based computer?
A cybersecurity team identifies suspicious outbound network traffic. Investigation reveals malware utilizing the Background Intelligent Transfer Service (BITS) to evade firewall detection. Why would attackers use this service to conceal malicious activities?
In Austin, Texas, ethical hacker Liam Carter is hired by Lone Star Healthcare to probe the defenses of their patient data network. During his penetration test, Liam aims to bypass the hospital’s firewall protecting a medical records server. To do so, he uses a tool to craft custom network packets, carefully designing their headers to slip past the firewall’s filtering rules. His goal is to demonstrate how an attacker could infiltrate the system, exposing vulnerabilities for the security team to address.
Which tool is Liam using to bypass Lone Star Healthcare’s firewall during his penetration test?
An attacker gained escalated privileges on a critical server. What should be done FIRST to contain the threat with minimal disruption?
A municipal services portal in Lexington, Kentucky includes a search parameter that retrieves citizen service requests. During an authorized security review, an analyst alters the parameter value by introducing single quotation marks, logical expressions such as AND 1=1, and variations like AND 1=2, observing how the application responds to each modification.
By comparing differences in the application’s output and behavior after each structured input change, the analyst evaluates whether the parameter affects the underlying query processing.
Which SQL injection detection method is being applied?
During an internal red team engagement at a financial services firm, an ethical hacker named Anika tests persistence mechanisms after successfully gaining access to a junior employee’s workstation. As part of her assessment, she deploys a lightweight binary into a low-visibility system folder. To maintain long-term access, she configures it to launch automatically on every system reboot without requiring user interaction.
Which of the following techniques has most likely been used to ensure the persistence of the attacker’s payload?
You are Ava Mitchell, an ethical hacker at Sentinel Cyberworks, hired to test the wireless defenses of Horizon Financial, a bank in Boston, Massachusetts. During a covert night-time assessment, your objective is to simulate an attacker attempting to breach the bank ' s WPA-protected Wi-Fi network. You deploy a tool that allows you to capture wireless packets, send de-authentication packets to force client reconnections, and attempt to recover the encryption key, all within a single graphical interface. Based on the described functionality, which Wi-Fi security auditing tool are you using?
An attacker examines differences in ciphertext outputs resulting from small changes in the input to deduce key patterns in a symmetric algorithm. What method is being employed?
During a red team assessment of an enterprise LAN environment, the tester discovers an access switch that connects multiple internal workstations. The switch has no port security measures in place. To silently intercept communication between different hosts without deploying ARP poisoning or modifying the routing table, the tester launches a MAC flooding attack using the macof utility from the dsniff suite. This command sends thousands of Ethernet frames per minute, each with random, spoofed source MAC addresses. Soon after the flooding begins, the tester puts their network interface into promiscuous mode and starts capturing packets. They observe unicast traffic between internal machines appearing in their packet sniffer—traffic that should have been isolated. What internal switch behavior is responsible for this sudden exposure of isolated traffic?
During a penetration test at Pinnacle Bank in Chicago, ethical hacker Sarah injects crafted TCP packets into an active communication between a customer ' s browser and the online banking server. The victim ' s connection becomes unstable, allowing Sarah ' s system to maintain communication with the server in place of the legitimate client. She later demonstrates to the IT team how attackers could forcibly take control of live sessions through this approach.
Which type of session hijacking is Sarah performing in this scenario?
A web server experienced a DDoS attack that specifically targeted the application layer. Which type of DDoS attack was most likely used?
A malware analyst finds JavaScript and /OpenAction keywords in a suspicious PDF using pdfid. What should be the next step to assess the potential impact?
While analyzing suspicious network activity, you observe a slow, stealthy scanning technique that is difficult to trace back to the attacker. Which scenario best describes the scanning technique being used?
A mid-sized manufacturing firm in Des Moines, Iowa reported that several employee workstations were periodically communicating with an unfamiliar external server over an IRC channel. The affected systems showed no visible interface for remote control, yet investigators confirmed that the machines were receiving instructions and executing distributed traffic bursts at scheduled intervals.
Further review revealed that the initial infection occurred after employees opened a phishing email attachment. Once executed, the infected systems silently connected outward and began awaiting commands from a centralized remote controller.
Determine the Trojan classification that best matches this behavior.
During a penetration testing engagement at First Union Bank in Chicago, ethical hacker Rachel Morgan is assigned to assess the internal network for potential sniffing activity that could compromise sensitive customer data. While inspecting traffic in the loan processing department, Rachel observes that a workstation is receiving packets not addressed to it, raising suspicion of a sniffing tool operating in promiscuous mode. To validate her hypothesis, she prepares to conduct an active verification using a classic detection approach.
Which detection technique should Rachel use to confirm the presence of a sniffer in this case?
A web app fails to restrict API request frequency. What risk exists?
A private equity firm in Minneapolis, Minnesota allows employees to access internal reporting tools from their personally owned smartphones under its BYOD program. During a routine security assessment, a consultant observes that when an employee leaves their unlocked phone unattended, a colleague can immediately open the firm’s financial application and review client investment records without any additional verification step inside the application.
The operating system itself requires a passcode to unlock the device, but once unlocked, corporate applications open directly to sensitive dashboards.
Identify the BYOD security guideline that would directly mitigate this exposure.
A penetration tester evaluates an industrial control system (ICS) that manages critical infrastructure. The tester discovers that the system uses weak default passwords for remote access. What is the most effective method to exploit this vulnerability?
While performing a SYN (half-open) scan using Nmap, you send a SYN packet to a target IP address and receive a SYN/ACK response. How should this result be interpreted?
During enumeration, a tool sends requests to UDP port 161 and retrieves a large list of installed software due to a publicly known community string. What enabled this technique to work so effectively?
A multinational company plans to deploy an IoT-based environmental control system across global manufacturing units. The security team must identify the most likely attack vector an Advanced Persistent Threat (APT) group would use to compromise the system. What is the most plausible method?
During a penetration test at Sunshine Media ' s streaming platform in Miami, ethical hacker Sofia Alvarez examines whether the company ' s web server exposes sensitive resources through poor configuration. She finds that a crawler directive at the server ' s root allows unintended indexing of restricted areas. This oversight reveals internal paths that may expose hidden links, confidential files, or other sensitive information.
Which technique is Sofia most likely using in this assessment?
A cybersecurity company wants to prevent attackers from gaining information about its encrypted traffic patterns. Which of the following cryptographic algorithms should they utilize?
During a routine security audit, administrators found that cloud storage backups were illegally accessed and modified. What countermeasure would most directly mitigate such incidents in the future?
What is the purpose of banner grabbing?
A municipal data center in Phoenix, Arizona, deploys a network intrusion detection system to monitor traffic entering its public records portal. During a scheduled red team exercise, authorized testers successfully exploit a vulnerable web service and gain restricted administrative access.
Post-exercise review reveals that the IDS generated a high-severity alert precisely at the time the exploit traffic reached the server. Log correlation confirms that the alert corresponded directly to the malicious activity performed during the test window.
How should this IDS outcome be classified?
A university authorizes a wireless protocol resilience assessment on its WPA2-secured network. An ethical hacker positions a testing device within range of an access point and observes the key negotiation exchange between the client and the access point.
By selectively retransmitting a previously captured handshake message at a precise moment in the exchange, the tester causes the client device to reinstall an already negotiated encryption key. Subsequent traffic patterns reveal that certain protections expected from unique session parameters are no longer consistently enforced.
What kind of wireless attack technique is being illustrated in this scenario?
Michael, an ethical hacker at a New York-based e-commerce company, is evaluating the security of their online payment system after a recent incident where fraudulent transactions went undetected. His investigation reveals that the system uses an asymmetric encryption algorithm to ensure the authenticity of payment confirmations. He finds that the algorithm employs a public-key cryptosystem, where the sender signs the transaction with a private key, and the recipient verifies it using a corresponding public key located in a directory. During his test, Michael intercepts a signed message and notices that the algorithm supports modular exponentiation for generating digital signatures, a process critical for verifying the identity of the signatory. He aims to assess if the algorithm’s configuration could be vulnerable to a man-in-the-middle attack due to its key structure.
Which asymmetric encryption algorithm should Michael identify as the one used by the payment system?
A penetration tester evaluates a secure web application using HTTPS, secure cookies, and multi-factor authentication. To hijack a legitimate user’s session without triggering alerts, which technique should be used?
A penetration tester needs to map open ports on a target network without triggering the organization’s intrusion detection systems (IDS), which are configured to detect standard scanning patterns and abnormal traffic volumes. To achieve this, the tester decides to use a method that leverages a third-party host to obscure the origin of the scan. Which scanning technique should be employed to accomplish this stealthily?
What is CVSS used for?
An ethical hacker needs to gather detailed information about a company ' s internal network without initiating any direct interaction that could be logged or raise suspicion. Which approach should be used to obtain this information covertly?
A Windows system shows LSASS memory access by unknown processes. What attack is likely?
During a penetration test at a healthcare facility in Baltimore, Maryland, an ethical hacker demonstrates how attackers are mapping active hosts and open ports using ICMP-based techniques. To reduce the organization’s exposure, the security team decides to implement a countermeasure that specifically disrupts ICMP discovery traffic by preventing error messages from being returned. Which action should they take?
In Miami, Florida, cybersecurity analyst Laura Bennett is responding to a series of unauthorized access attempts targeting Sunshine Credit Union’s online banking platform. She observes unusual network activity that suggests attackers may be intercepting session IDs transmitted over unsecured connections to hijack active user sessions. To prevent further compromise, Laura works with the network team to apply a control that secures session-related communications throughout the entire portal, ensuring sensitive tokens are no longer exposed to interception during user interactions.
What countermeasure should Laura implement to prevent session hijacking in this scenario?
Which scenario best describes a tailgating attack?
During a red team engagement at a biotechnology firm in San Diego, California, the security team observed that a compromised internal workstation was generating an unusually high number of outbound name resolution requests to external servers.
Upon deeper inspection, analysts discovered that the query strings contained encoded data segments rather than typical lookup patterns. Further analysis revealed that these outbound requests were being used to transfer sensitive information to an attacker-controlled system outside the corporate network.
Which technique was most likely used to covertly transfer the data in this scenario?
A penetration tester suspects that a web application ' s login form is vulnerable to SQL injection due to improper sanitization of user input. What is the most appropriate approach to test for SQL injection in the login form?
A penetration tester is assessing an IoT thermostat used in a smart home system. The device communicates with a cloud server for updates and commands. The tester discovers that communication between the device and the cloud server is not encrypted. What is the most effective way to exploit this vulnerability?
A cybersecurity team at a cloud infrastructure provider in San Jose, California, initiated a structured vulnerability evaluation across its production environment. The scanning process began by identifying communication protocols active on each host. Once the protocols were cataloged, the platform analyzed which services were associated with those ports and dynamically selected only the vulnerability tests relevant to those detected services. The scanning logic adjusted automatically based on discoveries made during execution. Which vulnerability assessment approach is illustrated in this scenario?
A penetration tester observes that traceroutes to various internal devices always show 10.10.10.1 as the second-to-last hop, regardless of the destination subnet. What does this pattern most likely indicate?
During a security evaluation of a smart agriculture setup, an analyst investigates a cloud-managed irrigation controller. The device is found to transmit operational commands and receive firmware updates over unencrypted HTTP. Additionally, it lacks mechanisms to verify the integrity or authenticity of those updates. This vulnerability could allow an adversary to intercept communications or inject malicious firmware, leading to unauthorized control over the device ' s behavior or denial of essential functionality. Which IoT threat category does this situation best illustrate?
As part of an authorized security assessment at a maritime logistics firm in Charleston, South Carolina, an ethical hacker evaluated the organization’s resilience to coordinated endpoint compromise.
Employees received a carefully crafted email attachment disguised as a routine operational update. After execution on several systems, monitoring tools later revealed that the infected machines periodically contacted an external host controlled by the tester.
Over time, the compromised systems began receiving commands from a centralized control server and simultaneously generated coordinated network traffic toward designated targets when instructed, without any direct user interaction.
From a malware classification standpoint, what component is being simulated in this scenario?
A regional e-commerce company in Dallas, Texas operates an Apache-based web server to manage product catalogs and promotional campaigns. During an authorized assessment, a security consultant analyzes how the platform processes a referral parameter embedded in product-sharing links. While reviewing responses through an intercepting proxy, he observes that values supplied in the referral parameter are incorporated into metadata returned to the browser. By introducing carefully crafted delimiter characters into the parameter, he notices that the structure of the server’s outbound response changes in an unexpected manner. Further testing shows that the manipulated input causes the server to generate multiple logically distinct response segments within what should have been a single transaction. When the crafted link is accessed through a standard browser, the client interprets the injected portion as a separate directive, resulting in redirection behavior influenced by the attacker-controlled input. Identify the web server attack technique being demonstrated in this scenario.
During an ethical hacking exercise, a security analyst is testing a web application that manages confidential information and suspects it may be vulnerable to SQL injection. Which payload would most likely reveal whether the application is vulnerable to time-based blind SQL injection?
A financial startup in Chicago hires an ethical hacker to evaluate its exposure on hidden networks. The client is particularly concerned that confidential administrative documents might be circulating on .onion sites. To remain passive, the hacker relies on advanced search filters to look for files with headers suggesting management-related content. Which of the following queries would best meet this objective?
A penetration tester extracts NTLM hashes but does not crack them, instead reuses them to authenticate. What attack is this?
A financial institution ' s online banking platform is experiencing intermittent downtime caused by a sophisticated DDoS attack that combines SYN floods and HTTP GET floods from a distributed botnet. Standard firewalls and load balancers cannot mitigate the attack without affecting legitimate users. To protect their infrastructure and maintain service availability, which advanced mitigation strategy should the institution implement?
During a red team assessment of a multinational financial firm, you ' re tasked with identifying key personnel across various departments and correlating their digital footprints to evaluate exposure risk. Your objective includes mapping user aliases across platforms, identifying geotagged media, and pinpointing potential insider threats based on social posting behavior. The team has shortlisted multiple tools for the task.
Considering the technical capabilities and limitations described in the approved reconnaissance toolkit, which tool provides cross-platform username correlation by scanning hundreds of social networking sites, but does not natively support geolocation tracking or visualizing identity relationships?
Attackers abused Android Debug Bridge (ADB) to issue unauthorized commands. What is the strongest countermeasure?
A regional insurance claims platform in Sacramento, California is protected by a web application firewall that evaluates inbound requests for suspicious query structures. During an authorized assessment, a tester observes that conventional injection attempts are consistently rejected.
The tester then adjusts the format and composition of the request while preserving its intended database behavior. After this modification, the request passes through the filtering mechanism and is processed by the backend system without disruption.
Which firewall evasion technique is being demonstrated?
During a black-box internal penetration test, a security analyst identifies an SNMPv2-enabled Linux server using the default community string “public.” The analyst wants to enumerate running processes. Which Nmap command retrieves this information?
During an internal audit at a financial services firm in Mumbai, ethical hacker Meera was tasked with assessing lateral movement risks within the Windows-based domain environment. While monitoring internal network traffic, she noticed a strange broadcast from a workstation trying to resolve a non-existent host. Suspecting protocol-level weakness, she responded swiftly using a pre-configured system. A few minutes later, she captured NTLMv2 hashes from several authenticated sessions across multiple departments. Later, her team successfully cracked one of the hashes offline and used the credentials to gain access to a sensitive internal reporting server. Which type of attack did Meera most likely execute?
At Liberty Mutual ' s cybersecurity operations center in Boston, network engineer Marcus is troubleshooting a critical issue during peak transaction hours. Multiple VLANs are experiencing intermittent access delays, and several endpoints including those on isolated VLANs are receiving network traffic not intended for them, raising concerns about data exposure. Marcus notices that the issue began after a newly imaged workstation used by an intern named Lisa was connected to a trunk port in the server room. Switch logs indicate abnormal traffic patterns overwhelming the network.
Which sniffing technique is Lisa ' s workstation most likely using to cause this behavior?
Infected systems receive external instructions over HTTP and DNS, with fileless payloads modifying system components. What is the most effective action to detect and disrupt this malware?
Scenario:
Victim opens the attacker ' s website.
Attacker sets up a website containing interesting and attractive content such as “Do you want to make $1000 in a day?”.
Victim clicks the attractive content URL.
The attacker creates a transparent iframe in front of the URL that the victim attempts to click. The victim believes he/she is clicking the “Do you want to make $1000 in a day?” link, but is actually clicking content or a URL hidden inside the transparent iframe controlled by the attacker.
What is the name of the attack mentioned in the scenario?
A penetration tester is attempting to gain access to a wireless network that is secured with WPA2 encryption. The tester successfully captures the WPA2 handshake but now needs to crack the pre-shared key. What is the most effective method to proceed?
A penetration tester is assessing the security of a corporate wireless network that uses WPA2-Enterprise encryption with RADIUS authentication. The tester wants to perform a man-in-the-middle attack by tricking wireless clients into connecting to a rogue access point. What is the most effective method to achieve this?
During a red team engagement at a healthcare organization in Chicago, ethical hacker Devon intercepts Kerberos authentication material from a compromised workstation. Instead of cracking the data, he reuses the stolen tickets to authenticate directly to other systems within the domain. This allows him to access shared resources and servers without needing the users ' plaintext credentials. No NTLM hashes or broadcast poisoning were involved.
Which attack technique did Devon most likely perform?
A compromised endpoint communicates with C2 using DNS queries. What system-level indicator exists?
A tester evaluates a login form that constructs SQL queries using unsanitized user input. By submitting ' C ' ll-T; —, the tester gains unauthorized access to the application. What type of SQL injection has occurred?
At RedCore Motors, the IT security lead, Priya, is tasked with selecting a vulnerability management solution for their expanding hybrid infrastructure. During the evaluation, she prioritizes tools that support agent-based detection across endpoints, offer constant monitoring and alerting capabilities, and provide comprehensive visibility into both on-premises and cloud-based systems. After thorough testing, she selects a platform that promises to scan for vulnerabilities everywhere accurately and efficiently, aligning with her organization’s need for centralized visibility and real-time risk assessment.
Which vulnerability assessment tool did Priya MOST LIKELY select?
During an authorized security assessment of a smart thermostat manufacturer in Denver, Colorado, a certified ethical hacker receives a firmware image extracted from a production device for further evaluation.
The tester begins by examining the binary file to determine its format and architecture. Basic inspection commands are executed against the image to review embedded human-readable content and observe low-level binary structure before proceeding with deeper analysis.
Within the firmware analysis workflow, which stage is the tester performing?
During a network security audit at Jefferson National Bank in Richmond, Virginia, ethical hacker Thomas Reed is tasked with identifying vulnerabilities in employee login processes on VLAN 20, which connects client services workstations to the customer account database server. He sets up a Wireshark instance on a monitoring workstation configured in mirror mode behind a managed switch to capture traffic. His goal is to detect unencrypted authentication credentials transmitted over HTTP during login sessions. Which Wireshark feature should Thomas use to isolate and analyze these credentials in real time, and how does it assist him?