IT Exam Questions and Solutions Library
Henry is a penetration tester who works for XYZ organization. While performing enumeration on a client organization, he queries the DNS server for a specific cached DNS record. Further, by using this cached record, he determines the sites recently visited by the organization's user. What is the enumeration technique used by Henry on the organization? A. DNS zone walking B. DNS cache snooping C. DNS cache poisoning D. DNSSEC zone walking  Suggested Answer: B Community Answer: B
Gregory, a professional penetration tester working at Sys Security Ltd., is tasked with performing a security test of web applications used in the company. For this purpose, Gregory uses a tool to test for any security loopholes by hijacking a session between a client and server. This tool has a feature of intercepting proxy that can be used to inspect and modify the traffic between the browser and target application. This tool can also perform customized attacks and can be used to test the randomness of session tokens. Which of the following tools is used by Gregory in the above scenario? A. Wireshark B. Nmap C. Burp Suite D. CxSAST  Suggested Answer: C Community Answer: C
Alex, a cloud security engineer working in Eyecloud Inc. is tasked with isolating applications from the underlying infrastructure and stimulating communication via well-defined channels. For this purpose, he used an open-source technology that helped him in developing, packaging, and running applications; further, the technology provides PaaS through OS-level virtualization, delivers containerized software packages, and promotes fast software delivery. What is the cloud technology employed by Alex in the above scenario? A. Virtual machine B. Docker C. Zero trust network D. Serverless computing  Suggested Answer: B Community Answer: B
John, a security analyst, is analyzing a server suspected of being compromised. The attacker has used a non admin account and has already gained a foothold on the system. John discovers that a new Dynamic Link Library is loaded in the application directory of the affected server. This DLL does not have a fully qualified path and seems to be malicious. What privilege escalation technique has the attacker likely used to compromise this server? A. DLL Hijacking B. Named Pipe Impersonation C. Spectre and Meltdown Vulnerabilities D. Exploiting Misconfigured Services  Suggested Answer: A Community Answer: A
Geena, a cloud architect, uses a master component in the Kubernetes cluster architecture that scans newly generated pods and allocates a node to them. This component can also assign nodes based on factors such as the overall resource requirement, data locality, software/hardware/policy restrictions, and internal workload interventions. Which of the following master components is explained in the above scenario? A. Kube-apiserver B. Etcd cluster C. Kube-controller-manager D. Kube-scheduler  Suggested Answer: D Community Answer: D
A security analyst uses Zenmap to perform an ICMP timestamp ping scan to acquire information related to the current time from the target host machine. Which of the following Zenmap options must the analyst use to perform the ICMP timestamp ping scan? A. -Pn B. -PU C. -PP D. -PY  Suggested Answer: C Community Answer: C
A group of hackers were roaming around a bank office building in a city, driving a luxury car. They were using hacking tools on their laptop with the intention to find a free-access wireless network. What is this hacking process known as? A. Wardriving B. Spectrum analysis C. Wireless sniffing D. GPS mapping  Suggested Answer: A Community Answer: A
A penetration tester is performing the footprinting process and is reviewing publicly available information about an organization by using the Google search engine. Which of the following advanced operators would allow the pen tester to restrict the search to the organization’s web domain? A. [allinurl:] B. [location:] C. [site:] D. [link:]  Suggested Answer: C Community Answer: C
According to the NIST cloud deployment reference architecture, which of the following provides connectivity and transport services to consumers? A. Cloud connector B. Cloud broker C. Cloud provider D. Cloud carrier  Suggested Answer: D Community Answer: D
A bank stores and processes sensitive privacy information related to home loans. However, auditing has never been enabled on the system. What is the first step that the bank should take before enabling the audit feature? A. Perform a vulnerability scan of the system. B. Determine the impact of enabling the audit feature. C. Perform a cost/benefit analysis of the audit feature. D. Allocate funds for staffing of audit log review.  Suggested Answer: B Community Answer: B
Bill has been hired as a penetration tester and cyber security auditor for a major credit card company. Which information security standard is most applicable to his role? A. FISMA B. Sarbanes-Oxley Act C. HITECH D. PCI-DSS  Suggested Answer: D Community Answer: D
Mirai malware targets IoT devices. After infiltration, it uses them to propagate and create botnets that are then used to launch which types of attack? A. MITM attack B. Password attack C. Birthday attack D. DDoS attack  Suggested Answer: D Community Answer: D
Jacob works as a system administrator in an organization. He wants to extract the source code of a mobile application and disassemble the application to analyze its design flaws. Using this technique, he wants to fix any bugs in the application, discover underlying vulnerabilities, and improve defense strategies against attacks. What is the technique used by Jacob in the above scenario to improve the security of the mobile application? A. Reverse engineering B. App sandboxing C. Jailbreaking D. Social engineering  Suggested Answer: A Community Answer: A
Tony wants to integrate a 128-bit symmetric block cipher with key sizes of 128, 192, or 256 bits into a software program, which involves 32 rounds of computational operations that include substitution and permutation operations on four 32-bit word blocks using 8-variable S-boxes with 4-bit entry and 4-bit exit. Which of the following algorithms includes all the above features and can be integrated by Tony into the software program? A. CAST-128 B. RC5 C. TEA D. Serpent  Suggested Answer: D Community Answer: D
To hide a file on a Linux system, you have to start the filename with a specific character. What is the character? A. Tilde (~) B. Underscore (_) C. Period (.) D. Exclamation mark (!)  Suggested Answer: C Community Answer: C
John, a professional hacker, targeted CyberSol Inc., an MNC. He decided to discover the IoT devices connected in the target network that are using default credentials and are vulnerable to various hijacking attacks. For this purpose, he used an automated tool to scan the target network for specific types of IoT devices and detect whether they are using the default, factory-set credentials. What is the tool employed by John in the above scenario? A. IoT Inspector B. AT&T IoT Platform C. IoTSeeker D. Azure IoT Central  Suggested Answer: C Community Answer: C
Clark, a professional hacker, attempted to perform a Btlejacking attack using an automated tool, Btlejack, and hardware tool, micro:bit. This attack allowed Clark to hijack, read, and export sensitive information shared between connected devices. To perform this attack, Clark executed various btlejack commands. Which of the following commands was used by Clark to hijack the connections? A. btlejack -f 0x9c68fd30 -t -m 0x1fffffffff B. btlejack -c any C. btlejack -d /dev/ttyACM0 -d /dev/ttyACM2 -s D. btlejack -f 0x129f3244 -j  Suggested Answer: A Community Answer: A
Jane is working as a security professional at CyberSol Inc. She was tasked with ensuring the authentication and integrity of messages being transmitted in the corporate network. To encrypt the messages, she implemented a security model in which every user in the network maintains a ring of public keys. In this model, a user needs to encrypt a message using the receiver’s public key, and only the receiver can decrypt the message using their private key. What is the security model implemented by Jane to secure corporate messages? A. Zero trust network B. Secure Socket Layer (SSL) C. Transport Layer Security (TLS) D. Web of trust (WOT)  Suggested Answer: D Community Answer: D
What is the following command used for? A. Retrieving SQL statements being executed on the database B. Creating backdoors using SQL injection C. Enumerating the databases in the DBMS for the URL D. Searching database statements at the IP address given  Suggested Answer: C Community Answer: C
Given below are different steps involved in the vulnerability-management life cycle. 1) Remediation 2) Identify assets and create a baseline 3) Verification 4) Monitor 5) Vulnerability scan 6) Risk assessment Identify the correct sequence of steps involved in vulnerability management. A. 2 → 5 → 6 → 1 → 3 → 4 B. 2 → 4 → 5 → 3 → 6 → 1 C. 2 → 1 → 5 → 6 → 4 → 3 D. 1 → 2 → 3 → 4 → 5 → 6  Suggested Answer: A Community Answer: A
Which type of attack attempts to overflow the content-addressable memory (CAM) table in an Ethernet switch? A. DDoS attack B. Evil twin attack C. DNS cache flooding D. MAC flooding  Suggested Answer: D Community Answer: D
An attacker decided to crack the passwords used by industrial control systems. In this process, he employed a loop strategy to recover these passwords. He used one character at a time to check whether the first character entered is correct; if so, he continued the loop for consecutive characters. If not, he terminated the loop. Furthermore, the attacker checked how much time the device took to finish one complete password authentication process, through which he deduced how many characters entered are correct. What is the attack technique employed by the attacker to crack the passwords of the industrial control systems? A. Buffer overflow attack B. Side-channel attack C. Denial-of-service attack D. HMI-based attack  Suggested Answer: B Community Answer: B
Which among the following is the best example of the third step (delivery) in the cyber kill chain? A. An intruder creates malware to be used as a malicious attachment to an email. B. An intruder's malware is triggered when a target opens a malicious email attachment. C. An intruder's malware is installed on a target's machine. D. An intruder sends a malicious attachment via email to a target.  Suggested Answer: D Community Answer: D
The security team of Debry Inc. decided to upgrade Wi-Fi security to thwart attacks such as dictionary attacks and key recovery attacks. For this purpose, the security team started implementing cutting-edge technology that uses a modern key establishment protocol called the simultaneous authentication of equals (SAE), also known as dragonfly key exchange, which replaces the PSK concept. What is the Wi-Fi encryption technology implemented by Debry Inc.? A. WPA B. WEP C. WPA3 D. WPA2  Suggested Answer: C Community Answer: C
James is working as an ethical hacker at Technix Solutions. The management ordered James to discover how vulnerable its network is towards footprinting attacks. James took the help of an open-source framework for performing automated reconnaissance activities. This framework helped James in gathering information using free tools and resources. What is the framework used by James to conduct footprinting and reconnaissance activities? A. OSINT framework B. WebSploit Framework C. Browser Exploitation Framework D. SpeedPhish Framework  Suggested Answer: A Community Answer: A
What would be the purpose of running "wget 192.168.0.15 -q -S" against a web server? A. Performing content enumeration on the web server to discover hidden folders B. Using wget to perform banner grabbing on the webserver C. Flooding the web server with requests to perform a DoS attack D. Downloading all the contents of the web page locally for further examination  Suggested Answer: B Community Answer: B
When considering how an attacker may exploit a web server, what is web server footprinting? A. When an attacker creates a complete profile of the site's external links and file structures B. When an attacker uses a brute-force attack to crack a web-server password C. When an attacker implements a vulnerability scanner to identify weaknesses D. When an attacker gathers system-level data, including account details and server names  Suggested Answer: D Community Answer: D
What useful information is gathered during a successful Simple Mail Transfer Protocol (SMTP) enumeration? A. A list of all mail proxy server addresses used by the targeted host. B. The internal command RCPT provides a list of ports open to message traffic. C. The two internal commands VRFY and EXPN provide a confirmation of valid users, email addresses, aliases, and mailing lists. D. Reveals the daily outgoing message limits before mailboxes are locked.  Suggested Answer: C Community Answer: C
Which of the following web vulnerabilities would an attacker be attempting to exploit if they delivered the following input? A. SQLi B. XXE C. XSS D. IDOR  Suggested Answer: B Community Answer: B
What information security law or standard aims at protecting stakeholders and the general public from accounting errors and fraudulent activities within organizations? A. FISMA B. PCI-DSS C. SOX D. ISO/IEC 27001:2013  Suggested Answer: C Community Answer: C
Which of the following types of SQL injection attacks extends the results returned by the original query, enabling attackers to run two or more statements if they have the same structure as the original one? A. Union SQL injection B. Error-based injection C. Blind SQL injection D. Boolean-based blind SQL injection  Suggested Answer: A Community Answer: A
Leverox Solutions hired Arnold, a security professional, for the threat intelligence process. Arnold collected information about specific threats against the organization. From this information, he retrieved contextual information about security events and incidents that helped him disclose potential risks and gain insight into attacker methodologies. He collected the information from sources such as humans, social media, and chat rooms as well as from events that resulted in cyberattacks. In this process, he also prepared a report that includes identified malicious activities, recommended courses of action, and warnings for emerging attacks. What is the type of threat intelligence collected by Arnold in the above scenario? A. Strategic threat intelligence B. Operational threat intelligence C. Technical threat intelligence D. Tactical threat intelligence  Suggested Answer: B Community Answer: B
An attacker can employ many methods to perform social engineering against unsuspecting employees, including scareware. What is the best example of a scareware attack? A. A pop-up appears to a user stating, "You have won a free cruise! Click here to claim your prize!" B. A banner appears to a user stating, "Your account has been locked. Click here to reset your password and unlock your account." C. A pop-up appears to a user stating, "Your computer may have been infected with spyware. Click here to install an anti-spyware tool to resolve this issue." D. A banner appears to a user stating, "Your Amazon order has been delayed. Click here to find out your new delivery date."  Suggested Answer: C Community Answer: C
This type of injection attack does not show any error message. It is difficult to exploit as it returns information when the application is given SQL payloads that elicit a true or false response from the server. By observing the response, an attacker can extract sensitive information. What type of attack is this? A. Union SQL injection B. Error-based SQL injection C. Time-based SQL injection D. Blind SQL injection  Suggested Answer: D Community Answer: D
Sam, a web developer, was instructed to incorporate a hybrid encryption software program into a web application to secure email messages. Sam used encryption software that is a free implementation of the OpenPGP standard and uses both symmetric-key cryptography and asymmetric-key cryptography for improved speed and secure key exchange. What is the encryption software employed by Sam for securing the email messages? A. PGP B. SMTP C. GPG D. S/MIME  Suggested Answer: C Community Answer: C
Stephen, an attacker, targeted the industrial control systems of an organization. He generated a fraudulent email with a malicious attachment and sent it to employees of the target organization. An employee who manages the sales software of the operational plant opened the fraudulent email and clicked on the malicious attachment. This resulted in the malicious attachment being downloaded and malware being injected into the sales software maintained in the victim's system. Further, the malware propagated itself to other networked systems, finally damaging the industrial automation components. What is the attack technique used by Stephen to damage the industrial systems? A. HMI-based attack B. SMishing attack C. Reconnaissance attack D. Spear-phishing attack  Suggested Answer: D Community Answer: D
Roma is a member of a security team. She was tasked with protecting the internal network of an organization from imminent threats. To accomplish this task, Roma fed threat intelligence into the security devices in a digital format to block and identify inbound and outbound malicious traffic entering the organization's network. Which type of threat intelligence is used by Roma to secure the internal network? A. Operational threat intelligence B. Strategic threat intelligence C. Tactical threat intelligence D. Technical threat intelligence  Suggested Answer: D Community Answer: D
Jack, a professional hacker, targets an organization and performs vulnerability scanning on the target web server to identify any possible weaknesses, vulnerabilities, and misconfigurations. In this process, Jack uses an automated tool that eases his work and performs vulnerability scanning to find hosts, services, and other vulnerabilities in the target server. Which of the following tools is used by Jack to perform vulnerability scanning? A. Infoga B. NCollector Studio C. Netsparker D. WebCopier Pro  Suggested Answer: C Community Answer: C
Which wireless security protocol replaces the personal pre-shared key (PSK) authentication with Simultaneous Authentication of Equals (SAE) and is therefore resistant to offline dictionary attacks? A. Bluetooth B. WPA2-Enterprise C. WPA3-Personal D. ZigBee  Suggested Answer: C Community Answer: C
Calvin, a software developer, uses a feature that helps him auto-generate the content of a web page without manual involvement and is integrated with SSI directives. This leads to a vulnerability in the developed web application as this feature accepts remote user inputs and uses them on the page. Hackers can exploit this feature and pass malicious SSI directives as input values to perform malicious activities such as modifying and erasing server files. What is the type of injection attack Calvin's web application is susceptible to? A. CRLF injection B. Server-side template injection C. Server-side JS injection D. Server-side includes injection  Suggested Answer: D Community Answer: D
Calvin, a grey-hat hacker, targets a web application that has design flaws in its authentication mechanism. He enumerates usernames from the login form of the web application, which requests users to feed data and specifies the incorrect field in case of invalid credentials. Later, Calvin uses this information to perform social engineering. Which of the following design flaws in the authentication mechanism is exploited by Calvin? A. User impersonation B. Insecure transmission of credentials C. Password reset mechanism D. Verbose failure messages  Suggested Answer: D Community Answer: D
Harris is attempting to identify the OS running on his target machine. He inspected the initial TTL in the IP header and the related TCP window size and obtained the following results: TTL: 64 - Window Size: 5840 - What is the OS running on the target machine? A. Windows OS B. Mac OS C. Linux OS D. Solaris OS  Suggested Answer: C Community Answer: C
Rebecca, a security professional, wants to authenticate employees who use web services for safe and secure communication. In this process, she employs a component of the Web Service Architecture, which is an extension of SOAP, and it can maintain the integrity and confidentiality of SOAP messages. Which of the following components of the Web Service Architecture is used by Rebecca for securing the communication? A. WS-Work Processes B. WS-Security C. WS-Policy D. WSDL  Suggested Answer: B Community Answer: B
An attacker identified that a user and an access point are both compatible with WPA2 and WPA3 encryption. The attacker installed a rogue access point with only WPA2 compatibility in the vicinity and forced the victim to go through the WPA2 four-way handshake to get connected. After the connection was established, the attacker used automated tools to crack WPA2-encrypted messages. What is the attack performed in the above scenario? A. Cache-based attack B. Timing-based attack C. Downgrade security attack D. Side-channel attack  Suggested Answer: C Community Answer: C
Thomas, a cloud security professional, is performing a security assessment on cloud services to identify any loopholes. He detects a vulnerability in a bare-metal cloud server that can enable hackers to implant malicious backdoors in its firmware. He also identified that an installed backdoor can persist even if the server is reallocated to new clients or businesses that use it as an IaaS. What is the type of cloud attack that can be performed by exploiting the vulnerability discussed in the above scenario? A. Cloudborne attack B. Man-in-the-cloud (MITC) attack C. Metadata spoofing attack D. Cloud cryptojacking  Suggested Answer: A Community Answer: A
BitLocker encryption has been implemented for all the Windows-based computers in an organization. You are concerned that someone might lose their cryptographic key. Therefore, a mechanism was implemented to recover the keys from Active Directory. What is this mechanism called in cryptography? A. Key archival B. Certificate rollover C. Key escrow D. Key renewal  Suggested Answer: C Community Answer: C
Morris, an attacker, wanted to check whether the target AP is in a locked state. He attempted using different utilities to identify WPS-enabled APs in the target wireless network. Ultimately, he succeeded with one special command-line utility. Which of the following command-line utilities allowed Morris to discover the WPS-enabled APs? A. wash B. net view C. macof D. ntptrace  Suggested Answer: A Community Answer: A
Dayn, an attacker, wanted to detect if any honeypots are installed in a target network. For this purpose, he used a time-based TCP fingerprinting method to validate the response to a normal computer and the response of a honeypot to a manual SYN request. Which of the following techniques is employed by Dayn to detect honeypots? A. Detecting honeypots running on VMware B. Detecting the presence of Snort_inline honeypots C. Detecting the presence of Honeyd honeypots D. Detecting the presence of Sebek-based honeypots  Suggested Answer: C Community Answer: C
Robert, a professional hacker, is attempting to execute a fault injection attack on a target IoT device. In this process, he injects faults into the power supply that can be used for remote execution, also causing the skipping of key instructions. He also injects faults into the clock network used for delivering a synchronized signal across the chip. Which of the following types of fault injection attack is performed by Robert in the above scenario? A. Frequency/voltage tampering B. Optical, electromagnetic fault injection (EMFI) C. Temperature attack D. Power/clock/reset glitching  Suggested Answer: D Community Answer: D
Kate dropped her phone and subsequently encountered an issue with the phone's internal speaker. Thus, she is using the phone's loudspeaker for phone calls and other activities. Bob, an attacker, takes advantage of this vulnerability and secretly exploits the hardware of Kate's phone so that he can monitor the loudspeaker's output from data sources such as voice assistants, multimedia messages, and audio files by using a malicious app to breach speech privacy. What is the type of attack Bob performed on Kate in the above scenario? A. SIM card attack B. aLTEr attack C. Spearphone attack D. Man-in-the-disk attack  Suggested Answer: C Community Answer: C
Jake, a professional hacker, installed spyware on a target iPhone to spy on the target user’s activities. He can take complete control of the target mobile device by jailbreaking the device remotely and record audio, capture screenshots, and monitor all phone calls and SMS messages. What is the type of spyware that Jake used to infect the target device? A. DroidSheep B. Androrat C. Trident D. Zscaler  Suggested Answer: C Community Answer: C
Which is the first step followed by Vulnerability Scanners for scanning a network? A. OS Detection B. Firewall detection C. TCP/UDP Port scanning D. Checking if the remote host is alive  Suggested Answer: D Community Answer: D
Miley, a professional hacker, decided to attack a target organization's network. To perform the attack, she used a tool to send fake ARP messages over the target network to link her MAC address with the target system's IP address. By performing this, Miley received messages directed to the victim's MAC address and further used the tool to intercept, steal, modify, and block sensitive communication to the target system. What is the tool employed by Miley to perform the above attack? A. Wireshark B. BetterCAP C. DerpNSpoof D. Gobbler  Suggested Answer: B Community Answer: B
Ron, a security professional, was pen testing web applications and SaaS platforms used by his company. While testing, he found a vulnerability that allows hackers to gain unauthorized access to API objects and perform actions such as view, update, and delete sensitive data of the company. What is the API vulnerability revealed in the above scenario? A. No ABAC validation B. Business logic flaws C. Improper use of CORS D. Code injections  Suggested Answer: A Community Answer: A
Kevin, an encryption specialist, implemented a technique that enhances the security of keys used for encryption and authentication. Using this technique, Kevin input an initial key to an algorithm that generated an enhanced key that is resistant to brute-force attacks. What is the technique employed by Kevin to improve the security of encryption keys? A. Key stretching B. Public key infrastructure C. Key derivation function D. Key reinstallation  Suggested Answer: A Community Answer: A
Which of the following tactics uses malicious code to redirect users’ web traffic? A. Spear-phishing B. Phishing C. Spimming D. Pharming  Suggested Answer: D Community Answer: D
George, an employee of an organization, is attempting to access restricted websites from an official computer. For this purpose, he used an anonymizer that masked his real IP address and ensured complete and continuous anonymity for all his online activities. Which of the following anonymizers helps George hide his activities? A. https://www.baidu.com B. https://www.guardster.com C. https://www.wolframalpha.com D. https://karmadecay.com  Suggested Answer: B Community Answer: B
A "Server-Side Includes" attack refers to the exploitation of a web application by injecting scripts in HTML pages or executing arbitrary code remotely. Which web-page file type, if it exists on the web server, is a strong indication that the server is vulnerable to this kind of attack? A. .stm B. .cms C. .rss D. .html  Suggested Answer: A Community Answer: A
In an attempt to damage the reputation of a competitor organization, Hailey, a professional hacker, gathers a list of employee and client email addresses and other related information by using various search engines, social networking sites, and web spidering tools. In this process, she also uses an automated tool to gather a list of words from the target website to further perform a brute-force attack on the previously gathered email addresses. What is the tool used by Hailey for gathering a list of words from the target website? A. CeWL B. Orbot C. Shadowsocks D. Psiphon  Suggested Answer: A Community Answer: A
A post-breach forensic investigation revealed that a known vulnerability in Apache Struts was to blame for the Equifax data breach that affected 143 million customers. A fix was available from the software vendor for several months prior to the intrusion. This is likely a failure in which of the following security processes? A. Secure development lifecycle B. Security awareness training C. Vendor risk management D. Patch management  Suggested Answer: D Community Answer: D
Louis, a professional hacker, had used specialized tools or search engines to encrypt all his browsing activity and navigate anonymously to obtain sensitive/hidden information about official government or federal databases. After gathering the information, he successfully performed an attack on the target government organization without being traced. Which of the following techniques is described in the above scenario? A. Website footprinting B. Dark web footprinting C. VPN footprinting D. VoIP footprinting  Suggested Answer: B Community Answer: B
Harper, a software engineer, is developing an email application. To ensure the confidentiality of email messages, Harper uses a symmetric-key block cipher having a classical 12- or 16-round Feistel network with a block size of 64 bits for encryption, which includes large 8 × 32-bit S-boxes (S1, S2, S3, S4) based on bent functions, modular addition and subtraction, key-dependent rotation, and XOR operations. This cipher also uses a masking key (Km1) and a rotation key (Kr1) for performing its functions. What is the algorithm employed by Harper to secure the email messages? A. CAST-128 B. AES C. GOST block cipher D. DES  Suggested Answer: A Community Answer: A
Which type of malware spreads from one system to another or from one network to another and causes similar types of damage as viruses do to the infected system? A. Worm B. Rootkit C. Adware D. Trojan  Suggested Answer: A Community Answer: A
Which Nmap switch helps evade IDS or firewalls? A. -D B. -n/-R C. -T D. -oN/-oX/-oG  Suggested Answer: C Community Answer: A
During a penetration test, an ethical hacker is exploring the security of a complex web application. The application heavily relies on JavaScript for client-side input sanitization, with an apparent assumption that this alone is adequate to prevent injection attacks. During the investigation, the ethical hacker also notices that the application utilizes cookies to manage user sessions but does not enable the HttpOnly flag. This lack of flag potentially exposes the cookies to client-side scripts. Given these identified vulnerabilities, what would be the most effective strategy for the ethical hacker to exploit this application? A. Instigate a Distributed Denial of Service (DDoS) attack to overload the server, capitalizing on potential weak server-side security. B. Implement an SQL Injection attack to take advantage of potential unvalidated input and gain unauthorized database access. C. Employ a brute-force attack to decipher user credentials, considering the lack of server-side validation. D. Launch a Cross-Site Scripting (XSS) attack, aiming to bypass the client-side sanitization and exploit the exposure of session cookies. Correct Answer: D
In the process of footprinting a target website, an ethical hacker utilized various tools to gather critical information. The hacker encountered a target site where standard web spiders were ineffective due to a specific file in its root directory. However, they managed to uncover all the files and web pages on the target site, monitoring the resulting incoming and outgoing traffic while browsing the website manually. What technique did the hacker likely employ to achieve this? A. Using the Netcraft tool to gather website information B. Examining HTML source code and cookies C. Using Photon to retrieve archived URLs of the target website from archive.org D. User-directed spidering with tools like Burp Suite and WebScarab Correct Answer: D
During a comprehensive security assessment, your cybersecurity team at XYZ Corp stumbles upon signs that point toward a possible Advanced Persistent Threat (APT) infiltration in the network infrastructure. These sophisticated threats often exhibit subtle indicators that distinguish them from other types of cyberattacks. To confirm your suspicion and adequately isolate the potential APT, which of the following actions should you prioritize? A. Investigate for anomalies in file movements or unauthorized data access attempts within your database system B. Scrutinize for repeat network login attempts from unrecognized geographical regions C. Vigilantly monitor for evidence of zero-day exploits that manage to evade your firewall or antivirus software D. Search for proof of a spear-phishing attempt, such as the presence of malicious emails or risky attachments C Correct Answer: A
As a budding cybersecurity enthusiast, you have set up a small lab at home to learn more about wireless network security. While experimenting with your home Wi-Fi network, you decide to use a well-known hacking tool to capture network traffic and attempt to crack the Wi-Fi password. However, despite many attempts, you have been unsuccessful. Your home Wi-Fi network uses WPA2 Personal with AES encryption. Why are you finding it difficult to crack the Wi-Fi password? A. Your hacking tool is outdated. B. The Wi-Fi password is too complex and long. C. The network is using an uncrackable encryption method. D. The network is using MAC address filtering. Correct Answer: B
An ethical hacker is testing a web application of a financial firm. During the test, a 'Contact Us' form's input field is found to lack proper user input validation, indicating a potential Cross-Site Scripting (XSS) vulnerability. However, the application has a stringent Content Security Policy (CSP) disallowing inline scripts and scripts from external domains but permitting scripts from its own domain. What would be the hacker's next step to confirm the XSS vulnerability? A. Utilize a script hosted on the application's domain to test the form B. Try to disable the CSP to bypass script restrictions C. Inject a benign script inline to the form to see if it executes D. Load a script from an external domain to test the vulnerability Correct Answer: A
An ethical hacker is preparing to scan a network to identify live systems. To increase the efficiency and accuracy of his scans, he is considering several different host discovery techniques. He expects several unused IP addresses at any given time, specifically within the private address range of the LAN, but he also anticipates the presence of restrictive firewalls that may conceal active devices. Which scanning method would be most effective in this situation? A. ICMP ECHO Ping Sweep B. ICMP Timestamp Ping C. TCP SYN Ping D. ARP Ping Scan Correct Answer: D
As an IT intern, you have been asked to help set up a secure Wi-Fi network for a local coffee shop. The owners want to provide free Wi-Fi to their customers, but they are concerned about potential security risks. They are looking for a simple yet effective solution that would not require a lot of technical knowledge to manage. Which of the following security measures would be the most suitable in this context? A. Disable the network's SSID broadcast B. Enable MAC address filtering C. Require customers to use VPN when connected to the Wi-Fi D. Implement WPA2 or WPA3 encryption Correct Answer: D
A penetration tester is tasked with gathering information about the subdomains of a target organization's website. The tester needs a versatile and efficient solution for the task. Which of the following options would be the most effective method to accomplish this goal? A. Analyzing LinkedIn profiles to find employees of the target company and their job titles B. Employing a tool like Sublist3r, which is designed to enumerate the subdomains of websites using OSINT C. Using a people search service, such as Spokeo or Intelius, to gather information about the employees of the target organization D. Utilizing the Harvester tool to extract email addresses related to the target domain using a search engine like Google or Bing B Correct Answer: B
Your network infrastructure is under a SYN flood attack. The attacker has crafted an automated botnet to simultaneously send 's' SYN packets per second to the server. You have put measures in place to manage 'f' SYN packets per second, and the system is designed to deal with this number without any performance issues. If 's' exceeds 'f', the network infrastructure begins to show signs of overload. The system's response time increases exponentially (2^k), where 'k' represents each additional SYN packet above the 'f' limit. Now, considering 's=500' and different 'f' values, in which scenario is the server most likely to experience overload and significantly increased response times? A. f=510: The server can handle 510 SYN packets per second, which is greater than what the attacker is sending. The system stays stable, and the response time remains unaffected. B. f=495: The server can handle 495 SYN packets per second. The response time drastically rises (2^5 = 32 times the normal), indicating a probable system overload. C. f=505: The server can handle 505 SYN packets per second. In this case, the response time increases but not as drastically (2^5 = 32 times the normal), and the system might still function, albeit slowly. D. f=490: The server can handle 490 SYN packets per second. With 's' exceeding 'f' by 10, the response time shoots up (2^10 = 1024 times the usual response time), indicating a system overload. Correct Answer: D
A penetration tester is conducting an assessment of a web application for a financial institution. The application uses form-based authentication and does not implement account lockout policies after multiple failed login attempts. Interestingly, the application displays detailed error messages that disclose whether the username or password entered is incorrect. The tester also notices that the application uses HTTP headers to prevent clickjacking attacks but does not implement Content Security Policy (CSP). With these observations, which of the following attack methods would likely be the most effective for the penetration tester to exploit these vulnerabilities and attempt unauthorized access? A. The tester could exploit a potential SQL Injection vulnerability to manipulate the application's database. B. The tester could execute a Brute Force attack, leveraging the lack of account lockout policy and the verbose error messages to guess the correct credentials. C. The tester could execute a Man-in-the-Middle (MitM) attack to intercept and modify the HTTP headers for a Clickjacking attack. D. The tester could launch a Cross-Site Scripting (XSS) attack to steal authenticated session cookies, potentially bypassing the clickjacking protection. Correct Answer: B
In a large organization, a network security analyst discovered a series of packet captures that seem unusual. The network operates on a switched Ethernet environment. The security team suspects that an attacker might be using a sniffer tool. Which technique could the attacker be using to successfully carry out this attack, considering the switched nature of the network? A. The attacker might be compromising physical security to plug into the network directly. B. The attacker might be implementing MAC flooding to overwhelm the switch's memory. C. The attacker is probably using a Trojan horse with in-built sniffing capability. D. The attacker might be using passive sniffing, as it provides significant stealth advantages. Correct Answer: C
You are a cybersecurity consultant for a smart city project. The project involves deploying a vast network of IoT devices for public utilities like traffic control, water supply, and power grid management. The city administration is concerned about the possibility of a Distributed Denial of Service (DDoS) attack crippling these critical services. They have asked you for advice on how to prevent such an attack. What would be your primary recommendation? A. Implement regular firmware updates for all IoT devices. B. Establish strong, unique passwords for each IoT device. C. Deploy network intrusion detection systems (IDS) across the IoT network. D. Implement IP address whitelisting for all IoT devices. Correct Answer: C
Consider a scenario where a Certified Ethical Hacker is attempting to infiltrate a company's network without being detected. The hacker intends to use a stealth scan on a BSD-derived TCP/IP stack, but he suspects that the network security devices may be able to detect SYN packets. Based on this information, which of the following methods should he use to bypass the detection mechanisms and why? A. Maimon Scan, because it is very similar to NULL, FIN, and Xmas scans, but the probe used here is FIN/ACK B. Xmas Scan, because it can pass through filters undetected, depending on the security mechanisms installed C. TCP Connect/Full-Open Scan, because it completes a three-way handshake with the target machine D. ACK Flag Probe Scan, because it exploits the vulnerabilities within the BSD-derived TCP/IP stack B Correct Answer: D
While performing a security audit of a web application, an ethical hacker discovers a potential vulnerability. The application responds to logically incorrect queries with detailed error messages that divulge the underlying database's structure. The ethical hacker decides to exploit this vulnerability further. Which type of SQL Injection attack is the ethical hacker likely to use? A. UNION SQL Injection B. Error-based SQL Injection C. In-band SQL Injection D. Blind/Inferential SQL Injection Correct Answer: B
You are a security analyst of a large IT company and are responsible for maintaining the organization's security posture. You are evaluating multiple vulnerability assessment tools for your network. Given that your network has a hybrid IT environment with on-premise and cloud assets, which tool would be most appropriate considering its comprehensive coverage and visibility, continuous scanning, and ability to monitor unexpected changes before they turn into breaches? A. GFI LanGuard B. Qualys Vulnerability Management C. OpenVAS D. Nessus Professional Correct Answer: B
Martin, a Certified Ethical Hacker (CEH), is conducting a penetration test on a large enterprise network. He suspects that sensitive information might be leaking out of the network. Martin decides to use network sniffing as part of his testing methodology. Which of the following sniffing techniques should Martin employ to get a comprehensive understanding of the data flowing across the network? A. Raw Sniffing B. MAC Flooding C. ARP Poisoning D. DNS Poisoning Correct Answer: A
As a cybersecurity consultant for SafePath Corp, you have been tasked with implementing a system for secure email communication. The key requirement is to ensure both confidentiality and non-repudiation. While considering various encryption methods, you are inclined towards using a combination of symmetric and asymmetric cryptography. However, you are unsure which cryptographic technique would best serve the purpose. Which of the following options would you choose to meet these requirements? A. Apply asymmetric encryption with RSA and use the private key for signing. B. Use the Diffie-Hellman protocol for key exchange and encryption. C. Apply asymmetric encryption with RSA and use the public key for encryption. D. Use symmetric encryption with the AES algorithm. Correct Answer: A
As a cybersecurity analyst for SecureNet, you are performing a security assessment of a new mobile payment application. One of your primary concerns is the secure storage of customer data on the device. The application stores sensitive information such as credit card details and personal identification numbers (PINs) on the device. Which of the following measures would best ensure the security of this data? A. Enable GPS tracking for all devices using the app. B. Regularly update the app to the latest version. C. Encrypt all sensitive data stored on the device. D. Implement biometric authentication for app access. Correct Answer: C
A large multinational corporation is in the process of evaluating its security infrastructure to identify potential vulnerabilities. After a comprehensive analysis, they found multiple areas of concern, including time of check/time of use (TOC/TOU) errors, improper input handling, and poor patch management. Which of the following approaches will best help the organization mitigate the vulnerability associated with TOC/TOU errors? A. Regular patching of servers, firmware, operating system, and applications B. Ensuring atomicity of operations between checking and using data resources C. Frequently updating firewall configurations to prevent intrusion attempts D. Implementing stronger encryption algorithms for all data transfers Correct Answer: B
An IT security team is conducting an internal review of security protocols in their organization to identify potential vulnerabilities. During their investigation, they encounter a suspicious program running on several computers. Further examination reveals that the program has been logging all user keystrokes. How can the security team confirm the type of program and what countermeasures should be taken to ensure the same attack does not occur in the future? A. The program is spyware; the team should use password managers and encrypt sensitive data. B. The program is a keylogger; the team should employ intrusion detection systems and regularly update the system software. C. The program is a keylogger; the team should educate employees about phishing attacks and maintain regular backups. D. The program is a Trojan; the team should regularly update antivirus software and install a reliable firewall. Correct Answer: B
A security analyst is preparing to analyze a potentially malicious program believed to have infiltrated an organization's network. To ensure the safety and integrity of the production environment, the analyst decided to use a sheep dip computer for the analysis. Before initiating the analysis, what key step should the analyst take? A. Install the potentially malicious program on the sheep dip computer. B. Store the potentially malicious program on an external medium, such as a CD-ROM. C. Run the potentially malicious program on the sheep dip computer to determine its behavior. D. Connect the sheep dip computer to the organization's internal network. Correct Answer: B
As a Certified Ethical Hacker (CEH), you have been brought on board by a company to evaluate the safety measures in place for their network system. The company uses a network time protocol server in the demilitarized zone. During your enumeration, you decide to run an ntptrace command. Given the syntax: ntptrace [-n] [-m maxhosts] [servername/IP_address], which command usage would best serve your objective to find where the NTP server obtains the time from and to trace the list of NTP servers connected to the network? A. ntptrace -n -m 5 192.168.1.1 B. ntptrace -m 5 192.168.1.1 C. ntptrace -n localhost D. ntptrace 192.168.1.1 Correct Answer: B
As an IT Security Analyst, you've been asked to review the security measures of an e-commerce website that relies on a SQL database for storing sensitive customer data. Recently, an anonymous tip has alerted you to a possible threat: a seasoned hacker who specializes in SQL Injection attacks may be targeting your system. The site already employs input validation measures to prevent basic injection attacks, and it blocks any user inputs containing suspicious patterns. However, this hacker is known to use advanced SQL Injection techniques. Given this situation, which of the following strategies would the hacker most likely adopt to bypass your security measures? A. The hacker might employ a 'blind' SQL Injection attack, taking advantage of the application's true or false responses to extract data bit by bit B. The hacker may resort to a DDoS attack instead, attempting to crash the server and thus render the e-commerce site unavailable C. The hacker may try to use SQL commands which are less known and less likely to be blocked by your system's security D. The hacker could deploy an 'out-of-band' SQL Injection attack, extracting data via a different communication channel, such as DNS or HTTP requests Correct Answer: A
A Certified Ethical Hacker is attempting to gather information about a target organization's network structure through network footprinting. During the operation, they encounter ICMP blocking by the target system's firewall. The hacker wants to ascertain the path that packets take to the host system from a source, using an alternative protocol. Which of the following actions should the hacker consider next? A. Use UDP Traceroute in the Linux operating system by executing the 'traceroute' command with the destination IP or domain name. B. Use the ICMP Traceroute on the Windows operating system as it is the default utility. C. Use the ARIN Whois database search tool to find the network range of the target network. D. Utilize the Path Analyzer Pro to trace the route from the source to the destination target systems. Correct Answer: A
Your company, SecureTech Inc., is planning to transmit some sensitive data over an unsecured communication channel. As a cyber security expert, you decide to use symmetric key encryption to protect the data. However, you must also ensure the secure exchange of the symmetric key. Which of the following protocols would you recommend to the team to achieve this? A. Switching all data transmission to the HTTPS protocol. B. Implementing SSL certificates on your company's web servers. C. Utilizing SSH for secure remote logins to the servers. D. Applying the Diffie-Hellman protocol to exchange the symmetric key. Correct Answer: D
As a certified ethical hacker, you are performing a system hacking process for a company that is suspicious about its security system. You found that the company's passwords are all known words, but not in the dictionary. You know that one employee always changes the password by just adding some numbers to the old password. Which attack is most likely to succeed in this scenario? A. Brute-Force Attack B. Password Spraying Attack C. Hybrid Attack D. Rule-based Attack Correct Answer: C
A security analyst is investigating a potential network-level session hijacking incident. During the investigation, the analyst finds that the attacker has been using a technique in which they injected an authentic-looking reset packet using a spoofed source IP address and a guessed acknowledgment number. As a result, the victim's connection was reset. Which of the following hijacking techniques has the attacker most likely used? A. Blind hijacking B. UDP hijacking C. RST hijacking D. TCP/IP hijacking Correct Answer: C
During a red team engagement, an ethical hacker is tasked with testing the security measures of an organization's wireless network. The hacker needs to select an appropriate tool to carry out a session hijacking attack. Which of the following tools should the hacker use to effectively perform session hijacking and subsequent security analysis, given that the target wireless network has the Wi-Fi Protected Access-pre-shared key (WPA-PSK) security protocol in place? A. Hetty B. bettercap C. DroidSheep D. FaceNiff Correct Answer: D
As a certified ethical hacker, you are tasked with gaining information about an enterprise's internal network. You are permitted to test the network's security using enumeration techniques. You successfully obtain a list of usernames using email IDs and execute a DNS Zone Transfer. Which enumeration technique would be most effective for your next move given that you have identified open TCP ports 25 (SMTP) and 139 (NetBIOS Session Service)? A. Perform a brute force attack on Microsoft Active Directory to extract valid usernames B. Exploit the NetBIOS Session Service on TCP port 139 to gain unauthorized access to the file system C. Use SNMP to extract usernames given the community strings D. Exploit the NFS protocol on TCP port 2049 to gain control over a remote system B Correct Answer: C
A large corporate network is being subjected to repeated sniffing attacks. To increase security, the company's IT department decides to implement a combination of several security measures. They permanently add the MAC address of the gateway to the ARP cache, switch to using IPv6 instead of IPv4, implement the use of encrypted sessions such as SSH instead of Telnet, and use Secure File Transfer Protocol instead of FTP. However, they are still faced with the threat of sniffing. Considering the countermeasures, what should be their next step to enhance network security? A. Use HTTP instead of HTTPS for protecting usernames and passwords B. Implement network scanning and monitoring tools C. Enable network identification broadcasts D. Retrieve MAC addresses from the OS Correct Answer: B
As the chief security officer at SecureMobile, you are overseeing the development of a mobile banking application. You are aware of the potential risks of man-in-the-middle (MitM) attacks where an attacker might intercept communication between the app and the bank's servers. Recently, you have learned about a technique used by attackers where they use rogue Wi-Fi hotspots to conduct MitM attacks. To prevent this type of attack, you plan to implement a security feature in the mobile app. What should this feature accomplish? A. It should require two-factor authentication for user logins. B. It should prevent the app from communicating over a network if it detects a rogue access point. C. It should prevent the app from connecting to any unencrypted Wi-Fi networks. D. It should require users to change their password every 30 days. Correct Answer: C
A cyber attacker has initiated a series of activities against a high-profile organization following the Cyber Kill Chain Methodology. The attacker is presently in the "Delivery" stage. As an Ethical Hacker, you are trying to anticipate the adversary's next move. What is the most probable subsequent action from the attacker based on the Cyber Kill Chain Methodology? A. The attacker will attempt to escalate privileges to gain complete control of the compromised system. B. The attacker will exploit the malicious payload delivered to the target organization and establish a foothold. C. The attacker will initiate an active connection to the target system to gather more data. D. The attacker will start reconnaissance to gather as much information as possible about the target. Correct Answer: B
You are a cloud security expert at CloudGuard Inc. working with a client who plans to transition their infrastructure to a public cloud. The client expresses concern about potential data breaches and wants to ensure that only authorized personnel can access certain sensitive resources. You propose implementing a Zero Trust security model. Which of the following best describes how the Zero Trust model would enhance the security of their cloud resources? A. It operates on the principle of least privilege, verifying each request as if it is from an untrusted source, regardless of its location. B. It encrypts all data stored in the cloud, ensuring only authorized users can decrypt it. C. It uses multi-factor authentication for all user accounts. D. It ensures secure data transmission by implementing SSL/TLS protocols. Correct Answer: A
Your company, Encryptor Corp, is developing a new application that will handle highly sensitive user information. As a cybersecurity specialist, you want to ensure this data is securely stored. The development team proposes a method where data is hashed and then encrypted before storage. However, you want an added layer of security to verify the integrity of the data upon retrieval. Which of the following cryptographic concepts should you propose to the team? A. Switch to elliptic curve cryptography. B. Implement a block cipher mode of operation. C. Apply a digital signature mechanism. D. Suggest using salt with hashing. Correct Answer: C
A large e-commerce organization is planning to implement a vulnerability assessment solution to enhance its security posture. They require a solution that imitates the outside view of attackers, performs well-organized inference-based testing, scans automatically against continuously updated databases, and supports multiple networks. Given these requirements, which type of vulnerability assessment solution would be most appropriate? A. Inference-based assessment solution B. Tree-based assessment approach C. Product-based solution installed on a private network D. Service-based solution offered by an auditing firm Correct Answer: D
As part of a penetration testing team, you've discovered a web application vulnerable to Cross-Site Scripting (XSS). The application sanitizes inputs against standard XSS payloads but fails to filter out HTML-encoded characters. On further analysis, you've noticed that the web application uses cookies to track session IDs. You decide to exploit the XSS vulnerability to steal users' session cookies. However, the application implements HTTPOnly cookies, complicating your original plan. Which of the following would be the most viable strategy for a successful attack? A. Build an XSS payload using HTML encoding and use it to exploit the server-side code, potentially disabling the HTTPOnly flag on cookies. B. Develop a browser exploit to bypass the HTTPOnly restriction, then use a HTML-encoded XSS payload to retrieve the cookies. C. Utilize an HTML-encoded XSS payload to trigger a buffer overflow attack, forcing the server to reveal the HTTPOnly cookies. D. Create a sophisticated XSS payload that leverages HTML encoding to bypass the input sanitization, and then use it to redirect users to a malicious site where their cookies can be captured. Correct Answer: C
During a penetration testing assignment, a Certified Ethical Hacker (CEH) used a set of scanning tools to create a profile of the target organization. The CEH wanted to scan for live hosts, open ports, and services on a target network. He used Nmap for network inventory and Hping3 for network security auditing. However, he wanted to spoof IP addresses for anonymity during probing. Which command should the CEH use to perform this task? A. Hping3 -1 10.0.0.25 -ICMP B. Hping3 -2 10.0.0.25 -p 80 C. Nmap -sS -Pn -n -vw --packet-trace -p- --script discovery -T4 D. Hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood Correct Answer: D
An ethical hacker is testing the security of a website's database system against SQL Injection attacks. They discover that the IDS has a strong signature detection mechanism to detect typical SQL injection patterns. Which evasion technique can be most effectively used to bypass the IDS signature detection while performing a SQL Injection attack? A. Employ IP fragmentation to obscure the attack payload B. Implement case variation by altering the case of SQL statements C. Leverage string concatenation to break identifiable keywords D. Use Hex encoding to represent the SQL query string Correct Answer: A
An ethical hacker is hired to conduct a comprehensive network scan of a large organization that strongly suspects potential intrusions into their internal systems. The hacker decides to employ a combination of scanning tools to obtain a detailed understanding of the network. Which sequence of actions would provide the most comprehensive information about the network's status? A. Use Hping3 for an ICMP ping scan on the entire subnet, then use Nmap for a SYN scan on identified active hosts, and finally use Metasploit to exploit identified vulnerabilities. B. Start with Hping3 for a UDP scan on random ports, then use Nmap for a version detection scan, and finally use Metasploit to exploit detected vulnerabilities. C. Begin with NetScanTools Pro for a general network scan, then use Nmap for OS detection and version detection, and finally perform SYN flooding with Hping3. D. Initiate with Nmap for a ping sweep, then use Metasploit to scan for open ports and services, and finally use Hping3 to perform remote OS fingerprinting. Correct Answer: D
You have been hired as an intern at a start-up company. Your first task is to help set up a basic web server for the company's new website. The team leader has asked you to make sure the server is secure from common threats. Based on your knowledge from studying for the CEH exam, which of the following actions should be your priority to secure the web server? A. Limiting the number of concurrent connections to the server B. Installing a web application firewall C. Regularly updating and patching the server software D. Encrypting the company's website with SSL/TLS Correct Answer: C
While working as an intern for a small business, you have been tasked with managing the company's web server. The server is being bombarded with requests, and the company's website is intermittently going offline. You suspect that this could be a Distributed Denial of Service (DDoS) attack. As an ethical hacker, which of the following steps would be your first course of action to mitigate the issue? A. Contact your Internet Service Provider (ISP) for assistance B. Install a newer version of the server software C. Implement IP address whitelisting D. Increase the server's bandwidth Correct Answer: A
A sophisticated attacker targets your web server with the intent to execute a Denial of Service (DoS) attack. His strategy involves a unique mixture of TCP SYN, UDP, and ICMP floods, using 'r' packets per second. Your server, reinforced with advanced security measures, can handle 'h' packets per second before it starts showing signs of strain. If 'r' surpasses 'h', it overwhelms the server, causing it to become unresponsive. In a peculiar pattern, the attacker selects 'r' as a composite number and 'h' as a prime number, making the attack detection more challenging. Considering 'r=2010' and different values for 'h', which of the following scenarios would potentially cause the server to falter? A. h=1987 (prime): The attacker's packet rate exceeds the server's capacity, causing potential unresponsiveness. B. h=1999 (prime): Despite the attacker's packet flood, the server can handle these requests, remaining responsive. C. h=1993 (prime): Despite being less than 'r', the server's prime number capacity keeps it barely operational, but the risk of falling is imminent. D. h=2003 (prime): The server can manage more packets than the attacker is sending, hence it stays operational. Correct Answer: A
As a cybersecurity consultant, you are working with a client who wants to migrate their data to a Software as a Service (SaaS) cloud environment. They are particularly concerned about maintaining the privacy of their sensitive data, even from the cloud service provider. Which of the following strategies would best ensure the privacy of their data in the SaaS environment? A. Implement a Virtual Private Network (VPN) for accessing the SaaS applications. B. Rely on the cloud service provider's built-in security features. C. Encrypt the data client-side before uploading to the SaaS environment and manage encryption keys independently. D. Use multi-factor authentication for all user accounts accessing the SaaS applications Correct Answer: C
An ethical hacker is performing a network scan to evaluate the security of a company's IT infrastructure. During the scan, he discovers an active host with multiple open ports running various services. The hacker uses TCP communication flags to establish a connection with the host and starts communicating with it. He sends a SYN packet to a port on the host and receives a SYN/ACK packet back. He then sends an ACK packet for the received SYN/ACK packet, which triggers an open connection. Which of the following actions should the ethical hacker perform next? A. Send a PSH packet to inform the receiving application about the buffered data. B. Conduct a vulnerability scan on the open port to identify any potential weaknesses. C. Scan another port on the same host using the SYN, ACK, and RST flags. D. Send a FIN or RST packet to close the connection. Correct Answer: D
A multinational corporation's computer system was infiltrated by an advanced persistent threat (APT). During forensic analysis, it was discovered that the malware was utilizing a blend of two highly sophisticated techniques to stay undetected and continue its operations. Firstly, the malware was embedding its harmful code into the actual binary or executable part of genuine system files rather than appending or prepending itself to the files. This made it exceptionally difficult to detect and eradicate, as doing so risked damaging the system files themselves. Secondly, the malware exhibited characteristics of a type of malware that changes its code as it propagates, making signature-based detection approaches nearly impossible. On top of these, the malware maintained a persistent presence by installing itself in the registry, making it able to survive system reboots. Given these distinctive characteristics, which two types of malware techniques does this malware most closely embody? A. Polymorphic and Metamorphic malware B. Polymorphic and Macro malware C. Macro and Rootkit malware D. Metamorphic and Rootkit malware Correct Answer: D
A multinational organization has recently faced a severe information security breach. Investigations reveal that the attacker had a high degree of understanding of the organization's internal processes and systems. This knowledge was utilized to bypass security controls and corrupt valuable resources. Considering this event, the security team is contemplating the type of attack that occurred and the steps they could have taken to prevent it. Choose the most plausible type of attack and a countermeasure that the organization could have employed: A. Insider attacks and the organization should have implemented robust access control and monitoring. B. Distribution attack and the organization could have ensured software and hardware integrity checks. C. Passive attack and the organization should have used encryption techniques. D. Active attack and the organization could have used network traffic analysis. Correct Answer: A
As a security analyst for SkySecure Inc., you are working with a client that uses a multi-cloud strategy, utilizing services from several cloud providers. The client wants to implement a system that will provide unified security management across all their cloud platforms. They need a solution that allows them to consistently enforce security policies, identify and respond to threats, and maintain visibility of all their cloud resources. Which of the following should you recommend as the best solution? A. Use a Cloud Access Security Broker (CASB). B. Use a hardware-based firewall to secure all cloud resources. C. Implement separate security management tools for each cloud platform. D. Rely on the built-in security features of each cloud platform. Correct Answer: A
As a security consultant, you are advising a startup that is developing an IoT device for home security. The device communicates with a mobile app, allowing homeowners to monitor their homes in real time. The CEO is concerned about potential Man-in-the-Middle (MitM) attacks that could allow an attacker to intercept and manipulate the device's communication. Which of the following solutions would best protect against such attacks? A. Use CAPTCHA on the mobile app's login screen. B. Implement SSL/TLS encryption for data transmission between the IoT device and the mobile app. C. Limit the range of the IoT device's wireless signals. D. Frequently change the IoT device's IP address. Correct Answer: B
A Certified Ethical Hacker (CEH) is analyzing a target network. To do this, he decides to utilize an IDLE/IPID header scan using Nmap. The network analysis reveals that the IPID number increases by 2 after following the steps of an IDLE scan. Based on this information, what can the CEH conclude about the target network? A. The ports on the target network are open B. The target network has no firewall present C. The ports on the target network are closed D. The target network has a stateful firewall present Correct Answer: A
You have been given the responsibility to ensure the security of your school's web server. As a step towards this, you plan to restrict unnecessary services running on the server. In the context of web server security, why is this step considered important? A. Unnecessary services eat up server memory; save memory resources. B. Unnecessary services could contain vulnerabilities; minimize the attack surface. C. Unnecessary services reveal server software; hide software details. D. Unnecessary services slow down the server; optimize server speed. Correct Answer: B
An organization has been experiencing intrusion attempts despite deploying an Intrusion Detection System (IDS) and Firewalls. As a Certified Ethical Hacker, you are asked to reinforce the intrusion detection process and recommend a better rule-based approach. The IDS uses Snort rules and the new recommended tool should be able to complement it. You suggest using YARA rules with an additional tool for rule generation. Which of the following tools would be the best choice for this purpose and why? A. yarGen - Because it generates YARA rules from strings identified in malware files while removing strings that also appear in goodware files B. Koodous - Because it combines social networking with antivirus signatures and YARA rules to detect malware C. YaraRET - Because it helps in reverse engineering Trojans to generate YARA rules D. AutoYara - Because it automates the generation of YARA rules from a set of malicious and benign files Correct Answer: A
An ethical hacker is hired to evaluate the defenses of an organization's database system which is known to employ a signature-based IDS. The hacker knows that some SQL Injection evasion techniques may allow him to bypass the system's signatures. During the operation, he successfully retrieved a list of usernames from the database without triggering an alarm by employing an advanced evasion technique. Which of the following could he have used? A. Utilizing the char encoding function to convert hexadecimal and decimal values into characters that pass-through SQL engine parsing B. Implementing sophisticated matches such as "OR john' = 'john'" in place of classical matches like "OR 1=1" C. Manipulating white spaces in SQL queries to bypass signature detection D. Using the URL encoding method to replace characters with their ASCII codes in hexadecimal form A Correct Answer: C
During an attempt to perform an SQL injection attack, a certified ethical hacker is focusing on the identification of database engine type by generating an ODBC error. The ethical hacker, after injecting various payloads, finds that the web application returns a standard, generic error message that does not reveal any detailed database information. Which of the following techniques would the hacker consider next to obtain useful information about the underlying database? A. Utilize a blind injection technique that uses time delays or error signatures to extract information B. Try to insert a string value where a number is expected in the input field C. Attempt to compromise the system through OS-level command shell execution D. Use the UNION operator to combine the result sets of two or more SELECT statements Correct Answer: A
As the Chief Information Security officer (CISO) at a large university, you are responsible for the security of a campus-wide Wi-Fi network that serves thousands of students, faculty, and staff. Recently, there has been a rise in reports of unauthorized network access, and you suspect that some users are sharing their login credentials. You are considering deploying an additional layer of security that could effectively mitigate this issue. What would be the most suitable measure to implement in this context? A. Implement network segmentation B. Deploy a VPN for the entire campus C. Enforce a policy of regularly changing Wi-Fi passwords D. Implement 802.1X authentication Correct Answer: D
During an ethical hacking engagement, you have been assigned to evaluate the security of a large organization's network. While examining the network traffic, you notice numerous incoming requests on various ports from different locations that show a pattern of an orchestrated attack. Based on your analysis, you deduce that the requests are likely to be automated scripts being run by unskilled hackers. What type of hacker classification does this scenario most likely represent? A. Script Kiddies trying to compromise the system using pre-made scripts. B. Gray Hats testing system vulnerabilities to help vendors improve security. C. White Hats conducting penetration testing to identify security weaknesses. D. Black Hats trying to exploit system vulnerabilities for malicious intent. Correct Answer: A
An ethical hacker is scanning a target network. They initiate a TCP connection by sending a SYN packet to a target machine and receiving a SYN/ACK packet in response. But instead of completing the three-way handshake with an ACK packet, they send an RST packet. What kind of scan is the ethical hacker likely performing and what is their goal? A. They are performing a SYN scan to stealthily identify open ports without fully establishing a connection. B. They are performing a network scan to identify live hosts and their IP addresses. C. They are performing a TCP connect scan to identify open ports on the target machine. D. They are performing a vulnerability scan to identify any weaknesses in the target system. Correct Answer: A
Your company suspects a potential security breach and has hired you as a Certified Ethical Hacker to investigate. You discover evidence of footprinting through search engines and advanced Google hacking techniques. The attacker utilized Google search operators to extract sensitive information. You further notice queries that indicate the use of the Google Hacking Database (GHDB) with an emphasis on VPN footprinting. Which of the following Google advanced search operators would be the LEAST useful in providing the attacker with sensitive VPN-related information? A. location: This operator finds information for a specific location B. inurl: This operator restricts the results to only the pages containing the specified word in the URL C. link: This operator searches websites or pages that contain links to the specified website or page D. intitle: This operator restricts results to only the pages containing the specified term in the title D Correct Answer: A
In the process of setting up a lab for malware analysis, a cybersecurity analyst is tasked to establish a secure environment using a sheep dip computer. The analyst must prepare the testbed while adhering to best practices. Which of the following steps should the analyst avoid when configuring the environment? A. Installing malware analysis tools on the guest OS B. Connecting the system to the production network during the malware analysis C. Simulating Internet services using tools such as INetSim D. Installing multiple guest operating systems on the virtual machine(s) Correct Answer: B
In a recent cyber-attack against a large corporation, an unknown adversary compromised the network and began escalating privileges and lateral movement. The security team identified that the adversary used a sophisticated set of techniques, specifically targeting zero-day vulnerabilities. As a Certified Ethical Hacker (CEH) hired to understand this attack and propose preventive measures, which of the following actions will be most crucial for your initial analysis? A. Identifying the specific tools used by the adversary for privilege escalation. B. Analyzing the initial exploitation methods the adversary used. C. Checking the persistence mechanisms used by the adversary in compromised systems. D. Investigating the data exfiltration methods used by the adversary. Correct Answer: B
Jason, a certified ethical hacker, is hired by a major e-commerce company to evaluate their network's security. As part of his reconnaissance, Jason is trying to gain as much information as possible about the company's public-facing servers without arousing suspicion. His goal is to find potential points of entry and map out the network infrastructure for further examination. Which technique should Jason employ to gather this information without alerting the company's intrusion detection systems (IDS)? A. Jason should directly connect to each server and attempt to exploit known vulnerabilities. B. Jason should use passive reconnaissance techniques such as WHOIS lookups, NS lookups, and web research. C. Jason should use a DNS zone transfer to gather information about the company's servers. D. Jason should perform a ping sweep to identify all the live hosts in the company's IP range. Correct Answer: B
As the lead security engineer for a retail corporation, you are assessing the security of the wireless networks in the company's stores. One of your main concerns is the potential for "Wardriving" attacks, where attackers drive around with a Wi-Fi-enabled device to discover vulnerable wireless networks. Given the nature of the retail stores, you need to ensure that any security measures you implement do not interfere with customer experience, such as their ability to access in-store Wi-Fi. Taking into consideration these factors, which of the following would be the most suitable measure to mitigate the risk of Wardriving attacks? A. Limit the range of the store's wireless signals B. Implement MAC address filtering C. Disable SSID broadcasting D. Implement WPA3 encryption for the store's Wi-Fi network Correct Answer: D
A penetration tester was assigned to scan a large network range to find live hosts. The network is known for using strict TCP filtering rules on its firewall, which may obstruct common host discovery techniques. The tester needs a method that can bypass these firewall restrictions and accurately identify live systems. What host discovery technique should the tester use? A. ICMP Timestamp Ping Scan B. ICMP ECHO Ping Scan C. TCP SYN Ping Scan D. UDP Ping Scan Correct Answer: D
As part of a college project, you have set up a web server for hosting your team's application. Given your interest in cybersecurity, you have taken the lead in securing the server. You are aware that hackers often attempt to exploit server misconfigurations. Which of the following actions would best protect your web server from potential misconfiguration-based attacks? A. Regularly backing up server data B. Enabling multi-factor authentication for users C. Implementing a firewall to filter traffic D. Performing regular server configuration audits Correct Answer: D
You are the chief cybersecurity officer at CloudSecure Inc., and your team is responsible for securing a cloud-based application that handles sensitive customer data. To ensure that the data is protected from breaches, you have decided to implement encryption for both data-at-rest and data-in-transit. The development team suggests using SSL/TLS for securing data in transit. However, you want to also implement a mechanism to detect if the data was tampered with during transmission. Which of the following should you propose? A. Implement IPsec in addition to SSL/TLS. B. Switch to using SSH for data transmission. C. Encrypt data using the AES algorithm before transmission. D. Use the cloud service provider's built-in encryption services. Correct Answer: A
Sarah, a system administrator, was alerted of potential malicious activity on the network of her company. She discovered a malicious program spread through the instant messenger application used by her team. The attacker had obtained access to one of her teammate's messenger accounts and started sending files across the contact list. Which best describes the attack scenario and what measure could have prevented it? A. Insecure Patch Management; updating application software regularly B. Instant Messenger Applications; verifying the sender's identity before opening any files C. Rogue/Decoy Applications; ensuring software is labeled as TRUSTED D. Portable Hardware Media/Removable Devices; disabling Autorun functionality Correct Answer: A
In an advanced digital security scenario, a multinational enterprise is being targeted with a complex series of assaults aimed to disrupt operations, manipulate data integrity, and cause serious financial damage. As the Lead Cybersecurity Analyst with CEH and CISSP certifications, your responsibility is to correctly identify the specific type of attack based on the following indicators: The attacks are exploiting a vulnerability in the target system's hardware, inducing misprediction of future instructions in a program's control flow. The attackers are strategically inducing the victim process to speculatively execute instruction sequences that would not have been executed in the absence of the misprediction, leading to subtle side effects. These side effects, which are observable from the shared state, are then utilized to infer the values of in-flight data. What type of attack best describes this scenario? A. Rowhammer Attack B. Watering Hole Attack C. Side-Channel Attack D. Privilege Escalation Attack Correct Answer: C
You are a security analyst for CloudSec, a company providing cloud security solutions. One of your clients, a financial institution, wants to shift its operations to a public cloud while maintaining a high level of security control. They want to ensure that they can monitor all their cloud resources continuously and receive real-time alerts about potential security threats. They also want to enforce their security policies consistently across all cloud workloads. Which of the following solutions would best meet these requirements? A. Implement a Virtual Private Network (VPN) for secure data transmission. B. Deploy a Cloud Access Security Broker (CASB). C. Use multi-factor authentication for all cloud user accounts. D. Use client-side encryption for all stored data. Correct Answer: B
In the process of implementing a network vulnerability assessment strategy for a tech company, the security analyst is confronted with the following scenarios: 1) A legacy application is discovered on the network, which no longer receives updates from the vendor. 2) Several systems in the network are found running outdated versions of web browsers prone to distributed attacks. 3) The network firewall has been configured using default settings and passwords. 4) Certain TCP/IP protocols used in the organization are inherently insecure. The security analyst decides to use vulnerability scanning software. Which of the following limitations of vulnerability assessment should the analyst be most cautious about in this context? A. Vulnerability scanning software cannot define the impact of an identified vulnerability on different business operations B. Vulnerability scanning software is not immune to software engineering flaws that might lead to serious vulnerabilities being missed C. Vulnerability scanning software is limited in its ability to detect vulnerabilities at a given point in time D. Vulnerability scanning software is limited in its ability to perform live tests on web applications to detect errors or unexpected behavior Correct Answer: A
Consider a hypothetical situation where an attacker, known for his proficiency in SQL Injection attacks, is targeting your web server. This adversary meticulously crafts 'q' malicious SQL queries, each inducing a delay of 'd' seconds in the server response. This delay in response is an indicator of a potential attack. If the total delay, represented by the product 'q*d', crosses a defined threshold 'T', an alert is activated in your security system. Furthermore, it is observed that the attacker prefers prime numbers for 'q', and 'd' follows a pattern in the Fibonacci sequence. Now, consider 'd=13' seconds (a Fibonacci number) and various values of 'q' (a prime number) and 'T'. Which among the following scenarios will most likely trigger an alert? A. q=17, T=220: Even though the attacker increases 'q', the total delay ('q*d' = 221 seconds) just surpasses the threshold, possibly activating an alert. B. q=13, T=180: In this case, the total delay caused by the attacker ('q*d' = 169 seconds) breaches the threshold, likely leading to the triggering of a security alert. C. q=11, T=150: Here, the total delay induced by the attacker ('q*d' = 143 seconds) does not surpass the threshold, so the security system remains dormant. D. q=19, T=260: Despite the attacker's increased effort, the total delay ('q*d' = 247 seconds) does not exceed the threshold, thus no alert is triggered. Correct Answer: A
In your cybersecurity class, you are learning about common security risks associated with web servers. One topic that comes up is the risk posed by using default server settings. Why is using default settings on a web server considered a security risk, and what would be the best initial step to mitigate this risk? A. Default settings allow unlimited login attempts; setup account lockout B. Default settings reveal server software type; change these settings C. Default settings cause server malfunctions; simplify the settings D. Default settings enable auto-updates; disable and manually patch Correct Answer: B
You are an ethical hacker contracted to conduct a security audit for a company. During the audit, you discover that the company's wireless network is using WEP encryption. You understand the vulnerabilities associated with WEP and plan to recommend a more secure encryption method. Which of the following would you recommend as a suitable replacement to enhance the security of the company's wireless network? A. Open System authentication B. WPA2-PSK with AES encryption C. SSID broadcast disabling D. MAC address filtering Correct Answer: B
As a junior security analyst for a small business, you are tasked with setting up the company's first wireless network. The company wants to ensure the network is secure from potential attacks. Given that the company's workforce is relatively small and the need for simplicity in managing network security, which of the following measures would you consider a priority to protect the network? A. Hide the network SSID B. Enable WPA2 or WPA3 encryption on the wireless router C. Implement a MAC address whitelist D. Establish a regular schedule for changing the network password Correct Answer: B
You are the lead cybersecurity analyst at a multinational corporation that uses a hybrid encryption system to secure inter-departmental communications. The system uses RSA encryption for key exchange and AES for data encryption, taking advantage of the strengths of both asymmetric and symmetric encryption. Each RSA key pair has a size of 'n' bits, with larger keys providing more security at the cost of slower performance. The time complexity of generating an RSA key pair is O(n^2), and AES encryption has a time complexity of O(n). An attacker has developed a quantum algorithm with time complexity O((log n)^2) to crack RSA encryption. Given 'n=4000' and variable 'AES key size', which scenario is likely to provide the best balance of security and performance? A. AES key size=128 bits: This configuration provides less security than option A, but RSA key generation and AES encryption will be faster. B. AES key size=256 bits: This configuration provides a high level of security, but RSA key generation may be slow. C. AES key size=192 bits: This configuration is a balance between options A and B, providing moderate security and performance. D. AES key size=512 bits: This configuration provides the highest level of security but at a significant performance cost due to the large AES key size. Correct Answer: C
During a reconnaissance mission, an ethical hacker uses Maltego, a popular footprinting tool, to collect information about a target organization. The information includes the target's Internet infrastructure details (domains, DNS names, Netblocks, IP address information). The hacker decides to use social engineering techniques to gain further information. Which of the following would be the least likely method of social engineering to yield beneficial information based on the data collected? A. Dumpster diving in the target company's trash bins for valuable printouts B. Impersonating an ISP technical support agent to trick the target into providing further network details C. Shoulder surfing to observe sensitive credentials input on the target's computers D. Eavesdropping on internal corporate conversations to understand key topics Correct Answer: B
An experienced cyber attacker has created a fake LinkedIn profile, successfully impersonating a high-ranking official from a well-established company, to execute a social engineering attack. The attacker then connected with other employees within the organization, receiving invitations to exclusive corporate events and gaining access to proprietary project details shared within the network. What advanced social engineering technique has the attacker primarily used to exploit the system and what is the most likely immediate threat to the organization? A. Whaling and Targeted Attacks B. Pretexting and Network Vulnerability C. Spear Phishing and Spam D. Baiting and Involuntary Data Leakage Correct Answer: B
As a cybersecurity analyst for a large corporation, you are auditing the company's mobile device management (MDM) policy. One of your areas of concern is data leakage from company-provided smartphones. You are worried about employees unintentionally installing malicious apps that could access sensitive corporate data on their devices. Which of the following would be an effective measure to prevent such data leakage? A. Require biometric authentication for unlocking devices. B. Regularly change Wi-Fi passwords used by the devices. C. Mandate the use of VPNs when accessing corporate data. D. Enforce a policy that only allows app installations from approved corporate app stores. Correct Answer: D
A certified ethical hacker is carrying out an email footprinting exercise on a targeted organization using eMailTrackerPro. They want to map out detailed information about the recipient's activities after receiving the email. Which among the following pieces of information would NOT be directly obtained from eMailTrackerPro during this exercise? A. Geolocation of the recipient B. Type of device used to open the email C. The email accounts related to the domain of the organization D. The time recipient spent reading the email Correct Answer: C
You are a cybersecurity trainee tasked with securing a small home network. The homeowner is concerned about potential "Wi-Fi eavesdropping," where unauthorized individuals could intercept the wireless communications. What would be the most effective first step to mitigate this risk, considering the simplicity and the residential nature of the network? A. Disable the network's SSID broadcast B. Enable encryption on the wireless network C. Enable MAC address filtering D. Reduce the signal strength of the wireless router Correct Answer: B
A well-resourced attacker intends to launch a highly disruptive DDoS attack against a major online retailer. The attacker aims to exhaust all the network resources while keeping their identity concealed. Their method should be resistant to simple defensive measures such as IP-based blocking. Based on these objectives, which of the following attack strategies would be most effective? A. The attacker should instigate a protocol-based SYN flood attack, consuming connection state tables on the retailer's servers B. The attacker should leverage a botnet to launch a Pulse Wave attack, sending high-volume traffic pulses at regular intervals C. The attacker should initiate a volumetric flood attack using a single compromised machine to overwhelm the retailer's network bandwidth D. The attacker should execute a simple ICMP flood attack from a single IP, exploiting the retailer's ICMP processing Correct Answer: B
A large organization is investigating a possible identity theft case where an attacker has created a new identity by combining multiple pieces of information from different victims to open a new bank account. The attacker also managed to receive government benefits using a fraudulent identity. Given the circumstances, which type of identity theft is the organization dealing with? A. Identity Cloning and Concealment B. Child Identity Theft C. Social Identity Theft D. Synthetic Identity Theft Correct Answer: D
A company recently experienced a debilitating social engineering attack that led to substantial identity theft. An inquiry found that the employee inadvertently provided critical information during an innocuous phone conversation. Considering the specific guidelines issued by the company to thwart social engineering attacks, which countermeasure would have been the most successful in averting the incident? A. Conduct comprehensive training sessions for employees on various social engineering methodologies and the risks associated with revealing confidential data. B. Implement a well-documented change management process for modifications related to hardware or software. C. Adopt a robust software policy that restricts the installation of unauthorized applications. D. Reinforce physical security measures to limit access to sensitive zones within the company premises, thereby warding off unauthorized intruders. Correct Answer: A
An IT company has just implemented new security controls to their network and system setup. As a Certified Ethical Hacker, your responsibility is to assess the possible vulnerabilities in the new setup. You are given the information that the network and system are adequately patched with the latest updates, and all employees have gone through recent cybersecurity awareness training. Considering the potential vulnerability sources, what is the best initial approach to vulnerability assessment? A. Conducting social engineering tests to check if employees can be tricked into revealing sensitive information B. Checking for hardware and software misconfigurations to identify any possible loopholes C. Evaluating the network for inherent technology weaknesses prone to specific types of attacks D. Investigating if any ex-employees still have access to the company's system and data Correct Answer: B
An ethical hacker has been tasked with assessing the security of a major corporation's network. She suspects the network uses default SNMP community strings. To exploit this, she plans to extract valuable network information using SNMP enumeration. Which tool could best help her to get the information without directly modifying any parameters within the SNMP agent's management information base (MIB)? A. SnmpWalk, with a command to change an OID to a different value B. snmp-check (snmp_enum Module) to gather a wide array of information about the target C. Nmap, with a script to retrieve all running SNMP processes and associated ports D. OpUtils, are mainly designed for device management and not SNMP enumeration Correct Answer: B
During a recent vulnerability assessment of a major corporation's IT systems, the security team identified several potential risks. They want to use a vulnerability scoring system to quantify and prioritize these vulnerabilities. They decide to use the Common Vulnerability Scoring System (CVSS). Given the characteristics of the identified vulnerabilities, which of the following statements is the most accurate regarding the metric types used by CVSS to measure these vulnerabilities? A. Temporal metric represents the inherent qualities of a vulnerability. B. Base metric represents the inherent qualities of a vulnerability. C. Temporal metric involves measuring vulnerabilities based on a specific environment or implementation. D. Environmental metric involves the features that change during the lifetime of the vulnerability. Correct Answer: B
You are a cybersecurity consultant at SecureIoT Inc. A manufacturing company has contracted you to strengthen the security of their Industrial IoT (IIoT) devices used in their operational technology (OT) environment. They are concerned about potential attacks that could disrupt their production lines and compromise safety. They have an advanced firewall system in place, but you know this alone is not enough. Which of the following measures should you suggest to provide comprehensive protection for their IIoT devices? A. Increase the frequency of changing passwords on all IIoT devices. B. Use the same encryption standards for IIoT devices as for IT devices. C. Rely on the existing firewall and install antivirus software on each IIoT device. D. Implement network segmentation to separate IIoT devices from the rest of the network. Correct Answer: D
You are a cybersecurity consultant for a major airport that offers free Wi-Fi to travelers. The management is concerned about the possibility of "Evil Twin" attacks, where a malicious actor sets up a rogue access point that mimics the legitimate one. They are looking for a solution that would not significantly impact the user experience or require travelers to install additional software. What is the most effective security measure you could recommend that fits these constraints, considering the airport's unique operational environment? A. Regularly change the SSID of the airport's Wi-Fi network B. Use MAC address filtering on the airport's Wi-Fi network C. Implement WPA3 encryption for the airport's Wi-Fi network D. Display a captive portal page that warns users about the possibility of Evil Twin attacks Correct Answer: D
You are a cybersecurity professional managing cryptographic systems for a global corporation. The company uses a mix of Elliptic Curve Cryptography (ECC) for key exchange and symmetric encryption algorithms for data encryption. The time complexity of ECC key pair generation is O(n^3), where 'n' is the size of the key. An advanced threat actor group has a quantum computer that can potentially break ECC with a time complexity of O((log n)^2). Given that the ECC key size is 'n=512' and varying symmetric encryption algorithms and key sizes, which scenario would provide the best balance of security and performance? A. Data encryption with AES-128: Provides moderate security and fast encryption, offering a balance between the two. B. Data encryption with AES-256: Provides high security with better performance than 3DES, but not as fast as other AES key sizes. C. Data encryption with 3DES using a 168-bit key: Offers high security but slower performance due to 3DES's inherent inefficiencies. D. Data encryption with Blowfish using a 448-bit key: Offers high security but potential compatibility issues due to Blowfish's less widespread use. Correct Answer: B
As a Certified Ethical Hacker, you are conducting a footprinting and reconnaissance operation against a target organization. You discover a range of IP addresses associated with the target using the SecurityTrails tool. Now, you need to perform a reverse DNS lookup on these IP addresses to find the associated domain names, as well as determine the nameservers and mail exchange (MX) records. Which of the following DNSRecon commands would be most effective for this purpose? A. dnsrecon -r 192.168.1.0/24 -n nsl.example.com -t axfr B. dnsrecon -r 10.0.0.0/24 -n nsl.example.com -t zonewalk C. dnsrecon -r 162.241.216.0/24 -n nsl.example.com -t std D. dnsrecon -r 162.241.216.0/24 -d example.com -t brt Correct Answer: C
You are an ethical hacker tasked with conducting an enumeration of a company's network. Given a Windows system with NetBIOS enabled, port 139 open, and file and printer sharing active, you are about to run some nbtstat commands to enumerate NetBIOS names. The company uses IPv6 for its network. Which of the following actions should you take next? A. Switch to an enumeration tool that supports IPv6 B. Use nbtstat -a followed by the IPv6 address of the target machine C. Use nbtstat -c to get the contents of the NetBIOS name cache D. Utilize Nmap Scripting Engine (NSE) for NetBIOS enumeration Correct Answer: D
During a red team assessment, a CEH is given a task to perform network scanning on the target network without revealing its IP address. They are also required to find an open port and the services available on the target machine. What scanning technique should they employ, and which command in Zenmap should they use? A. Use SCTP INIT Scan with the command "-sY" B. Use UDP Raw ICMP Port Unreachable Scanning with the command "-sU" C. Use the ACK flag probe scanning technique with the command "-sA" D. Use the IDLE/IPID header scan technique with the command "-sI" Correct Answer: D
A large corporation is planning to implement preventive measures to counter a broad range of social engineering techniques. The organization has implemented a signature-based intrusion detection system (IDS) to detect known attack payloads and network flow analysis to monitor data entering and leaving the network. The organization is deliberating on the next step. Considering the information provided about various social engineering techniques, what should be the organization's next course of action? A. Implement an endpoint detection and response solution to oversee endpoint activities B. Set up a honeypot to attract potential attackers into a controlled environment for analysis C. Deploy more security personnel to physically monitor key points of access D. Organize regular employee awareness training regarding social engineering techniques and preventive measures Correct Answer: D
An audacious attacker is targeting a web server you oversee. He intends to perform a Slow HTTP POST attack by manipulating 'a' HTTP connections. Each connection sends a byte of data every 'b' seconds, effectively holding up the connections for an extended period. Your server is designed to manage 'm' connections per second, but any connections exceeding this number tend to overwhelm the system. Given 'a=100' and variable 'm', along with the attacker's intention of maximizing the attack duration 'D=a*b', consider the following scenarios. Which is most likely to result in the longest duration of server unavailability? A. m=90, b=15: The server can manage 90 connections per second, but the attacker's 100 connections exceed this, and with each connection held up for 15 seconds, the attack duration could be significant. B. m=105, b=12: The server can manage 105 connections per second, more than the attacker's 100 connections, likely maintaining operation despite a moderate hold-up time. C. m=110, b=20: Despite the attacker sending 100 connections, the server can handle 110 connections per second, therefore likely staying operative, regardless of the hold-up time per connection. D. m=95, b=10: Here, the server can handle 95 connections per second, but it falls short against the attacker's 100 connections, albeit the hold-up time per connection is lower. Correct Answer: A
A large organization has recently performed a vulnerability assessment using Nessus Professional, and the security team is now preparing the final report. They have identified a high-risk vulnerability, named XYZ, which could potentially allow unauthorized access to the network. In preparing the report, which of the following elements would NOT be typically included in the detailed documentation for this specific vulnerability? A. Proof of concept (PoC) of the vulnerability, if possible, to demonstrate its potential impact on the system. B. The total number of high, medium, and low-risk vulnerabilities detected throughout the network. C. The list of all affected systems within the organization that are susceptible to the identified vulnerability. D. The CVE ID of the vulnerability and its mapping to the vulnerability's name, XYZ. Correct Answer: B
Recently, the employees of a company have been receiving emails that seem to be from their colleagues, but with suspicious attachments. When opened, these attachments appear to install malware on their systems. The IT department suspects that this is a targeted malware attack. Which of the following measures would be the most effective in preventing such attacks? A. Disabling Autorun functionality on all drives B. Avoiding the use of outdated web browsers and email software C. Regularly scan systems for any new files and examine them D. Applying the latest patches and updating software programs Correct Answer: D
A network security analyst, while conducting penetration testing, is aiming to identify a service account password using the Kerberos authentication protocol. They have a valid user authentication ticket (TGT) and decided to carry out a Kerberoasting attack. In the scenario described, which of the following steps should the analyst take next? A. Carry out a passive wire sniffing operation using Internet packet sniffers B. Perform a PRobability INfinite Chained Elements (PRINCE) attack C. Extract plaintext passwords, hashes, PIN codes, and Kerberos tickets using a tool like Mimikatz D. Request a service ticket for the service principal name of the target service account Correct Answer: D
As a cybersecurity analyst at IoT Defend, you are working with a large utility company that uses Industrial Control Systems (ICS) in its operational technology (OT) environment. The company has recently integrated IoT devices into this environment to enable remote monitoring and control. They want to ensure these devices do not become a weak link in their security posture. To identify potential vulnerabilities in the IoT devices, which of the following actions should you recommend as the first step? A. Use stronger encryption algorithms for data transmission between IoT devices. B. Implement network segmentation to isolate IoT devices from the rest of the network. C. Conduct a vulnerability assessment specifically for the IoT devices. D. Install the latest antivirus software on each IoT device. Correct Answer: C
A penetration tester is performing an enumeration on a client's network. The tester has acquired permission to perform enumeration activities. They have identified a remote inter-process communication (IPC) share and are trying to collect more information about it. The tester decides to use a common enumeration technique to collect the desired data. Which of the following techniques would be most appropriate for this scenario? A. Probe the IPC share by attempting to brute force admin credentials B. Brute force Active Directory C. Extract usernames using email IDs D. Conduct a DNS zone transfer Correct Answer: A
As a cybersecurity analyst at TechSafe Inc., you are working on a project to improve the security of a smart home system. This IoT-enabled system controls various aspects of the home, from heating and lighting to security cameras and door locks. Your client wants to ensure that even if one device is compromised, the rest of the system remains secure. Which of the following strategies would be most effective for this purpose? A. Recommend using a strong password for the smart home system's main control panel. B. Suggest implementing two-factor authentication for the smart home system's mobile app. C. Propose frequent system resets to clear any potential malware. D. Advise using a dedicated network for the smart home system, separate from the home's main Wi-Fi network. Correct Answer: D
During your summer internship at a tech company, you have been asked to review the security settings of their web server. While inspecting, you notice the server reveals detailed error messages to users, including database query errors and internal server errors. As a cybersecurity beginner, what is your understanding of this setting, and how would you advise the company? A. Retain the setting as it aids in troubleshooting user issues. B. Suppress detailed error messages, as they can expose sensitive information. C. Implement stronger encryption to secure the error messages. D. Increase the frequency of automated server backups. Correct Answer: B
An organization suspects a persistent threat from a cybercriminal. They hire an ethical hacker, John, to evaluate their system security. John identifies several vulnerabilities and advises the organization on preventive measures. However, the organization has limited resources and opts to fix only the most severe vulnerability. Subsequently, a data breach occurs exploiting a different vulnerability. Which of the following statements best describes this scenario? A. The organization is at fault because it did not fix all identified vulnerabilities. B. Both the organization and John share responsibility because they did not adequately manage the vulnerabilities. C. John is at fault because he did not emphasize the necessity of patching all vulnerabilities. D. The organization is not at fault because they used their resources as per their understanding. Correct Answer: B
You are the chief security officer at AlphaTech, a tech company that specializes in data storage solutions. Your company is developing a new cloud storage platform where users can store their personal files. To ensure data security, the development team is proposing to use symmetric encryption for data at rest. However, they are unsure of how to securely manage and distribute the symmetric keys to users. Which of the following strategies would you recommend to them? A. Use hash functions to distribute the keys. B. Use HTTPS protocol for secure key transfer. C. Use digital signatures to encrypt the symmetric keys. D. Implement the Diffie-Hellman protocol for secure key exchange. Correct Answer: D
An ethical hacker is attempting to crack NTLM hashed passwords from a Windows SAM file using a rainbow table attack. He has dumped the on-disk contents of the SAM file successfully and noticed that all LM hashes are blank. Given this scenario, which of the following would be the most likely reason for the blank LM hashes? A. The SAM file has been encrypted using the SYSKEY function. B. The passwords exceeded 14 characters in length and therefore, the LM hashes were set to a "dummy" value. C. The Windows system is Vista or a later version, where LM hashes are disabled by default. D. The Windows system is using the Kerberos authentication protocol as the default method. Correct Answer: C
You work as a cloud security specialist at SkyNet Solutions. One of your clients is a healthcare organization that plans to migrate its electronic health record (EHR) system to the cloud. This system contains highly sensitive personal and medical data. As part of your job, you need to ensure the security and privacy of this data while it is being transferred and stored in the cloud. You recommend that data should be encrypted during transit and at rest. However, you also need to ensure that even if a cloud service provider (CSP) has access to encrypted data, they should not be able to decrypt it. Which of the following would be the most suitable strategy to meet this requirement? A. Rely on network-level encryption protocols for data transfer. B. Use SSL/TLS for data transfer and allow the CSP to manage encryption keys. C. Utilize the CSP's built-in data encryption services. D. Use client-side encryption and manage encryption keys independently of the CSP. Correct Answer: D
A Certified Ethical Hacker (CEH) is given the task to perform an LDAP enumeration on a target system. The system is secured and accepts connections only on secure LDAP. The CEH uses Python for the enumeration process. After successfully installing LDAP and establishing a connection with the target, he attempts to fetch details like the domain name and naming context but is unable to receive the expected response. Considering the circumstances, which of the following is the most plausible reason for this situation? A. The system failed to establish a connection due to an incorrect port number. B. The enumeration process was blocked by the target system's intrusion detection system. C. The secure LDAP connection was not properly initialized due to a lack of 'use_ssl = True' in the server object creation. D. The Python version installed on the CEH's machine is incompatible with the ldap3 library. Correct Answer: C
A certified ethical hacker is conducting a Whois footprinting activity on a specific domain. The individual is leveraging various tools such as Batch IP Converter and Whois Analyzer Pro to retrieve vital details but is unable to gather complete Whois information from the registrar for a particular set of data. As the hacker, what might be the probable data model being utilized by the domain's registrar for storing and looking up Whois information? A. Thin Whois model working correctly B. Thin Whois model with a malfunctioning server C. Thick Whois model with a malfunctioning server D. Thick Whois model working correctly Correct Answer: A
As a part of an ethical hacking exercise, an attacker is probing a target network that is suspected to employ various honeypot systems for security. The attacker needs to detect and bypass these honeypots without alerting the target. The attacker decides to utilize a suite of techniques. Which of the following techniques would NOT assist in detecting a honeypot? A. Implementing a brute force attack to verify system vulnerability B. Probing system services and observing the three-way handshake C. Using honeypot detection tools like Send-Safe Honeypot Hunter D. Analyzing the MAC address to detect instances running on VMware Correct Answer: A
A skilled ethical hacker was assigned to perform a thorough OS discovery on a potential target. They decided to adopt an advanced fingerprinting technique and sent a TCP packet to an open TCP port with specific flags enabled. Upon receiving the reply, they noticed the flags were SYN and ECN-Echo. Which test did the ethical hacker conduct and why was this specific approach adopted? A. Test 3: The test was executed to observe the response of the target system when a packet with URG, PSH, SYN, and FIN flags was sent, thereby identifying the OS B. Test 2: This test was chosen because a TCP packet with no flags enabled is known as a NULL packet and this would allow the hacker to assess the OS of the target C. Test 1: The test was conducted because SYN and ECN-Echo flags enabled allow the hacker to probe the nature of the response and subsequently determine the OS fingerprint D. Test 6: The hacker selected this test because a TCP packet with the ACK flag enabled sent to a closed TCP port would yield more information about the OS Correct Answer: C
In an intricate web application architecture using an Oracle database, you, as a security analyst, have identified a potential SQL Injection attack surface. The database consists of 'x' tables, each with 'y' columns. Each table contains 'z' records. An attacker, well-versed in SQLi techniques, crafts 'u' SQL payloads, each attempting to extract maximum data from the database. The payloads include 'UNION SELECT' statements and 'DBMS_XSLPROCESSOR.READ2CLOB' to read sensitive files. The attacker aims to maximize the total data extracted 'E=xyz*u'. Assuming 'x=4', 'y=2', and varying 'z' and 'u', which situation is likely to result in the highest extracted data volume? A. z=600, u=2: The attacker devises 2 SQL payloads, each aimed at tables holding 600 records, affecting all columns across all tables. B. z=550, u=2: Here, the attacker formulates 2 SQL payloads and directs them towards tables containing 550 records, impacting all columns and tables. C. z=500, u=3: The attacker creates 3 SQL payloads and targets tables with 500 records each, exploiting all columns and tables. D. z=400, u=4: The attacker constructs 4 SQL payloads, each focusing on tables with 400 records, influencing all columns of all tables. Correct Answer: D
A large enterprise has been experiencing sporadic system crashes and instability, resulting in limited access to its web services. The security team suspects it could be a result of a Denial of Service (DoS) attack. A significant increase in traffic was noticed in the network logs, with patterns suggesting packet sizes exceeding the prescribed size limit. Which among the following DoS attack techniques best describes this scenario? A. Smurf attack B. UDP flood attack C. Pulse wave attack D. Ping of Death attack Correct Answer: D
Your company has been receiving regular alerts from its IDS about potential intrusions. On further investigation, you notice that these alerts have been false positives triggered by certain goodware files. In response, you are planning to enhance the IDS with YARA rules, reducing these false positives while improving the detection of real threats. Based on the scenario and the principles of YARA and IDS, which of the following strategies would best serve your purpose? A. Writing YARA rules specifically to identify the goodware files triggering false positives B. Implementing YARA rules that focus solely on known malware signatures C. Creating YARA rules to examine only the private database for intrusions D. Incorporating YARA rules to detect patterns in all files regardless of their nature Correct Answer: A
Jake, a network security specialist, is trying to prevent network-level session hijacking attacks in his company. While studying different types of such attacks, he learns about a technique where an attacker inserts their machine into the communication between a client and a server, making it seem like the packets are flowing through the original path. This technique is primarily used to reroute the packets. Which of the following types of network-level session hijacking attacks is Jake studying? A. TCP/IP Hijacking B. RST Hijacking C. UDP Hijacking D. Man-in-the-middle Attack Using Forged ICMP and ARP spoofing Correct Answer: D
Given the complexities of an organization's network infrastructure, a threat actor has exploited an unidentified vulnerability, leading to a major data breach. As a Certified Ethical Hacker (CEH), you are tasked with enhancing the organization's security stance. To ensure a comprehensive security defense, you recommend a certain security strategy. Which of the following best represents the strategy you would likely suggest and why? A. Develop an in-depth Risk Management process, involving identification, assessment, treatment, tracking, and review of risks to control the potential effects on the organization. B. Establish a Defense-in-Depth strategy, incorporating multiple layers of security measures to increase the complexity and decrease the likelihood of a successful attack. C. Implement an Information Assurance (IA) policy focusing on ensuring the integrity, availability, confidentiality, and authenticity of information systems. D. Adopt a Continual/Adaptive Security Strategy involving ongoing prediction, prevention, detection, and response actions to ensure comprehensive computer network defense. Correct Answer: D
As a cybersecurity professional, you are responsible for securing a high-traffic web application that uses MySQL as its backend database. Recently, there has been a surge of unauthorized login attempts, and you suspect that a seasoned black-hat hacker is behind them. This hacker has shown proficiency in SQL Injection and appears to be using the 'UNION' SQL keyword to trick the login process into returning additional data. However, your application's security measures include filtering special characters in user inputs, a method usually effective against such attacks. In this challenging environment, if the hacker still intends to exploit this SQL Injection vulnerability, which strategy is he most likely to employ? A. The hacker tries to manipulate the 'UNION' keyword in such a way that it triggers a database error, potentially revealing valuable information about the database's structure. B. The hacker switches tactics and resorts to a 'time-based blind' SQL Injection attack, which would force the application to delay its response, thereby revealing information based on the duration of the delay. C. The hacker attempts to bypass the special character filter by encoding his malicious input, which could potentially enable him to successfully inject damaging SQL queries. D. The hacker alters his approach and injects a 'DROP TABLE' statement, a move that could potentially lead to the loss of vital data stored in the application's database. Correct Answer: C
You're the security manager for a tech company that uses a database to store sensitive customer data. You have implemented countermeasures against SQL injection attacks. Recently, you noticed some suspicious activities and suspect an attacker is using SQL injection techniques. The attacker is believed to use different forms of payloads in his SQL queries. In the case of a successful SQL injection attack, which of the following payloads would have the most significant impact? A. UNION SELECT NULL, NULL, NULL -- : This payload manipulates the UNION SQL operator, enabling the attacker to retrieve data from different database tables B. ' OR username LIKE '%': This payload uses the LIKE operator to search for a specific pattern in a column C. ' OR '1'='1: This payload manipulates the WHERE clause of an SQL statement, allowing the attacker to view unauthorized data D. ' OR 'a'='a; DROP TABLE members; --: This payload combines the manipulation of the WHERE clause with a destructive action, causing data loss Correct Answer: D
During the enumeration phase, Lawrence performs banner grabbing to obtain information such as OS details and versions of services running. The service that he enumerated runs directly on TCP port 445. Which of the following services is enumerated by Lawrence in this scenario? A. Remote procedure call (RPC) B. Telnet C. Server Message Block (SMB) D. Network File System (NFS) Correct Answer: C
A malicious user has acquired a Ticket Granting Service ticket from the domain controller using a valid user's Ticket Granting Ticket in a Kerberoasting attack. He extracted the TGS tickets from memory for offline cracking. But the attacker was stopped before he could complete his attack. The system administrator needs to investigate and remediate the potential breach. What should be the immediate step the system administrator takes? A. Perform a system reboot to clear the memory B. Delete the compromised user's account C. Change the NTLM password hash used to encrypt the ST D. Invalidate the TGS the attacker acquired Correct Answer: D
Jane invites her friends Alice and John over for a LAN party. Alice and John access Jane's wireless network without a password. However, Jane has a long, complex password on her router. What attack has likely occurred? A. Wardriving B. Wireless sniffing C. Evil twin D. Piggybacking Correct Answer: C
You are a cybersecurity consultant for a healthcare organization that utilizes Internet of Medical Things (IoMT) devices, such as connected insulin pumps and heart rate monitors, to provide improved patient care. Recently, the organization has been targeted by ransomware attacks. While the IT infrastructure was unaffected due to robust security measures, they are worried that the IoMT devices could be potential entry points for future attacks. What would be your main recommendation to protect these devices from such threats? A. Disable all wireless connectivity on IoMT devices. B. Regularly change the IP addresses of all IoMT devices. C. Use network segmentation to isolate IoMT devices from the main network. D. Implement multi-factor authentication for all IoMT devices. Correct Answer: C
Which file is a rich target to discover the structure of a website during web-server footprinting? A. domain.txt B. Robots.txt C. Document root D. index.html Correct Answer: B
You are a cybersecurity consultant for a global organization. The organization has adopted a Bring Your Own Device (BYOD) policy, but they have recently experienced a phishing incident where an employee's device was compromised. In the investigation, you discovered that the phishing attack occurred through a third-party email app that the employee had installed. Given the need to balance security and user autonomy under the BYOD policy, how should the organization mitigate the risk of such incidents? Moreover, consider a measure that would prevent similar attacks without overly restricting the use of personal devices. A. Provide employees with corporate-owned devices for work-related tasks. B. Require all employee devices to use a company-provided VPN for internet access. C. Implement a mobile device management solution that restricts the installation of non-approved applications. D. Conduct regular cybersecurity awareness training, focusing on phishing attacks. Correct Answer: C
John, a professional hacker, decided to use DNS to perform data exfiltration on a target network. In this process, he embedded malicious data into the DNS protocol packets that even DNSSEC cannot detect. Using this technique, John successfully injected malware to bypass a firewall and maintained communication between the victim machine and the command-and-control (C&C) server. What is the technique employed by John to bypass the firewall? A. DNSSEC zone walking B. DNS cache snooping C. DNS enumeration D. DNS tunneling method Correct Answer: D
XYZ company recently discovered a potential vulnerability on their network, originating from misconfigurations. It was found that some of their host servers had enabled debugging functions and unknown users were granted administrative permissions. As a Certified Ethical Hacker, what would be the most potent risk associated with this misconfiguration? A. An attacker may be able to inject a malicious DLL into the current running process B. Weak encryption might be allowing man-in-the-middle attacks, leading to data tampering C. Unauthorized users may perform privilege escalation using unnecessarily created accounts D. An attacker may carry out a Denial-of-Service assault draining the resources of the server in the process Correct Answer: C
There have been concerns in your network that the wireless network component is not sufficiently secure. You perform a vulnerability scan of the wireless network and find that it is using an old encryption protocol that was designed to mimic wired encryption. What encryption protocol is being used? A. RADIUS B. WPA C. WEP D. WPA3 Correct Answer: C
You are a cybersecurity specialist at CloudTech Inc., a company providing cloud-based services. You are managing a project for a client who wants to migrate their sensitive data to a public cloud service. To comply with regulatory requirements, the client insists on maintaining full control over the encryption keys even when the data is at rest on the cloud. Which of the following practices should you implement to meet this requirement? A. Encrypt data client-side before uploading to the cloud and retain control of the encryption keys. B. Use the cloud service provider's encryption services but store keys on-premises. C. Rely on Secure Sockets Layer (SSL) encryption for data at rest. D. Use the cloud service provider's default encryption and key management services. Correct Answer: A
In an advanced persistent threat scenario, an adversary follows a detailed set of procedures in the cyber kill chain. During one such instance, the adversary has successfully gained access to a corporate network and now attempts to obfuscate malicious traffic within legitimate network traffic. Which of the following actions would most likely be part of the adversary's current procedures? A. Employing data staging techniques to collect and aggregate sensitive data. B. Initiating DNS tunneling to communicate with the command-and-control server. C. Establishing a command-and-control server to communicate with compromised systems. D. Conducting internal reconnaissance using PowerShell scripts. Correct Answer: B
An organization decided to harden its security against web-application and web-server attacks. John, a security personnel in the organization, employed a security scanner to automate web-application security testing and to guard the organization's web infrastructure against web-application threats. Using that tool, he also wants to detect XSS, directory traversal problems, fault injection, SQL injection, attempts to execute commands, and several other attacks. Which of the following security scanners will help John perform the above task? A. AlienVault® OSSIMTM B. Syhunt Hybrid C. Saleae Logic Analyzer D. Cisco ASA Correct Answer: B
Which of the following Metasploit post-exploitation modules can be used to escalate privileges on Windows systems? A. getsystem B. getuid C. keylogrecorder D. autoroute Correct Answer: A
Sam is a penetration tester hired by Inception Tech, a security organization. He was asked to perform port scanning on a target host in the network. While performing the given task, Sam sends FIN/ACK probes and determines that an RST packet is sent in response by the target host, indicating that the port is closed. What is the port scanning technique used by Sam to discover open ports? A. Xmas scan B. IDLE/IPID header scan C. TCP Maimon scan D. ACK flag probe scan Correct Answer: C
An organization has automated the operation of critical infrastructure from a remote location. For this purpose, all the industrial control systems are connected to the Internet. To empower the manufacturing process, ensure the reliability of industrial networks, and reduce downtime and service disruption, the organization decided to install an OT security tool that further protects against security incidents such as cyber espionage, zero-day attacks, and malware. Which of the following tools must the organization employ to protect its critical infrastructure? A. Robotium B. BalenaCloud C. Flowmon D. IntentFuzzer Correct Answer: C
Heather's company has decided to use a new customer relationship management tool. After performing the appropriate research, they decided to purchase a subscription to a cloud-hosted solution. The only administrative task that Heather will need to perform is the management of user accounts. The provider will take care of the hardware, operating system, and software administration including patching and monitoring. Which of the following is this type of solution? A. IaaS B. SaaS C. PaaS D. CaaS Correct Answer: B
Alice needs to send a confidential document to her coworker, Bryan. Their company has public key infrastructure set up. Therefore, Alice both encrypts the message and digitally signs it. Alice uses _______________ to encrypt the message, and Bryan uses _______________ to confirm the digital signature. A. Bryan's public key; Bryan's public key B. Alice's public key; Alice's public key C. Bryan's private key; Alice's public key D. Bryan's public key; Alice's public key Correct Answer: D
Juliet, a security researcher in an organization, was tasked with checking for the authenticity of images to be used in the organization's magazines. She used these images as a search query and tracked the original source and details of the images, which included photographs, profile pictures, and memes. Which of the following footprinting techniques did Rachel use to finish her task? A. Google advanced search B. Meta search engines C. Reverse image search D. Advanced image search Correct Answer: C
What is the file that determines the basic configuration (specifically activities, services, broadcast receivers, etc.) in an Android application? A. AndroidManifest.xml B. classes.dex C. APK.info D. resources.asrc Correct Answer: A
Mary, a penetration tester, has found password hashes in a client system she managed to breach. She needs to use these passwords to continue with the test, but she does not have time to find the passwords that correspond to these hashes. Which type of attack can she implement in order to continue? A. Pass the hash B. Internal monologue attack C. LLMNR/NBT-NS poisoning D. Pass the ticket Correct Answer: A
Mason, a professional hacker, targets an organization and spreads Emotet malware through malicious script. After infecting the victim's device, Mason further used Emotet to spread the infection across local networks and beyond to compromise as many machines as possible. In this process, he used a tool, which is a self-extracting RAR file, to retrieve information related to network resources such as writable share drives. What is the tool employed by Mason in the above scenario? A. NetPass.exe B. Outlook scraper C. WebBrowserPassView D. Credential enumerator Correct Answer: D
Morris, a professional hacker, performed a vulnerability scan on a target organization by sniffing the traffic on the network to identify the active systems, network services, applications, and vulnerabilities. He also obtained the list of the users who are currently accessing the network. What is the type of vulnerability assessment that Morris performed on the target organization? A. Credentialed assessment B. Internal assessment C. External assessment D. Passive assessment Correct Answer: D
Which of the following Bluetooth hacking techniques refers to the theft of information from a wireless device through Bluetooth? A. Bluesmacking B. Bluesnarfing C. Bluejacking D. Bluebugging Correct Answer: B
Which of the following protocols can be used to secure an LDAP service against anonymous queries? A. NTLM B. RADIUS C. WPA D. SSO Correct Answer: A
While browsing his Facebook feed, Matt sees a picture one of his friends posted with the caption, "Learn more about your friends!", as well as a number of personal questions. Matt is suspicious and texts his friend, who confirms that he did indeed post it. With assurance that the post is legitimate, Matt responds to the questions on the post. A few days later, Matt's bank account has been accessed, and the password has been changed. What most likely happened? A. Matt inadvertently provided the answers to his security questions when responding to the post. B. Matt inadvertently provided his password when responding to the post. C. Matt's computer was infected with a keylogger. D. Matt's bank-account login information was brute forced. Correct Answer: A
Attacker Simon targeted the communication network of an organization and disabled the security controls of NetNTLMv1 by modifying the values of LMCompatibilityLevel, NTLMMinClientSec, and RestrictSendingNTLMtraffic. He then extracted all the non-network logon tokens from all the active processes to masquerade as a legitimate user to launch further attacks. What is the type of attack performed by Simon? A. Combinator attack B. Dictionary attack C. Rainbow table attack D. Internal monologue attack Correct Answer: D
Steve, an attacker, created a fake profile on a social media website and sent a request to Stella. Stella was enthralled by Steve's profile picture and the description given for his profile, and she initiated a conversation with him soon after accepting the request. After a few days, Steve started asking about her company details and eventually gathered all the essential information regarding her company. What is the social engineering technique Steve employed in the above scenario? A. Baiting B. Piggybacking C. Diversion theft D. Honey trap Correct Answer: D
Hackers often raise the trust level of a phishing message by modeling the email to look similar to the internal email used by the target company. This includes using logos, formatting, and names of the target company. The phishing message will often use the name of the company CEO, President, or Managers. The time a hacker spends performing research to locate this information about a company is known as? A. Exploration B. Investigation C. Reconnaissance D. Enumeration Correct Answer: C
Attacker Lauren has gained the credentials of an organization's internal server system, and she was often logging in during irregular times to monitor the network activities. The organization was skeptical about the login times and appointed security professional Robert to determine the issue. Robert analyzed the compromised device to find incident details such as the type of attack, its severity, target, impact, method of propagation, and vulnerabilities exploited. What is the incident handling and response (IH and R) phase, in which Robert has determined these issues? A. Incident triage B. Preparation C. Incident recording and assignment D. Eradication Correct Answer: A
At what stage of the cyber kill chain theory model does data exfiltration occur? A. Weaponization B. Actions on objectives C. Command and control D. Installation Correct Answer: B
Johnson, an attacker, performed online research for the contact details of reputed cybersecurity firms. He found the contact number of sibertech.org and dialed the number, claiming himself to represent a technical support team from a vendor. He warned that a specific server is about to be compromised and requested sibertech.org to follow the provided instructions. Consequently, he prompted the victim to execute unusual commands and install malicious files, which were then used to collect and pass critical information to Johnson's machine. What is the social engineering technique Steve employed in the above scenario? A. Diversion theft B. Quid pro quo C. Elicitation D. Phishing Correct Answer: B
Ricardo has discovered the username for an application in his target's environment. As he has a limited amount of time, he decides to attempt to use a list of common passwords he found on the Internet. He compiles them into a list and then feeds that list as an argument into his password-cracking application. What type of attack is Ricardo performing? A. Brute force B. Known plaintext C. Dictionary D. Password spraying Correct Answer: C
You are a penetration tester tasked with testing the wireless network of your client Brakeme SA. You are attempting to break into the wireless network with the SSID "Brakeme-Internal." You realize that this network uses WPA3 encryption. Which of the following vulnerabilities is the most promising to exploit? A. Cross-site request forgery B. Dragonblood C. Key reinstallation attack D. AP misconfiguration Correct Answer: B
What would be the fastest way to perform content enumeration on a given web server by using the Gobuster tool? A. Performing content enumeration using the bruteforce mode and 10 threads B. Performing content enumeration using the bruteforce mode and random file extensions C. Skipping SSL certificate verification D. Performing content enumeration using a wordlist Correct Answer: D
What is the common name for a vulnerability disclosure program opened by companies in platforms such as HackerOne? A. White-hat hacking program B. Bug bounty program C. Ethical hacking program D. Vulnerability hunting program Correct Answer: B
When analyzing the IDS logs, the system administrator noticed an alert was logged when the external router was accessed from the administrator's Computer to update the router configuration. What type of an alert is this? A. False negative B. True negative C. True positive D. False positive Correct Answer: D
A DDoS attack is performed at layer 7 to take down web infrastructure. Partial HTTP requests are sent to the web infrastructure or applications. Upon receiving a partial request, the target server opens multiple connections and keeps waiting for the requests to complete. Which attack is being described here? A. Desynchronization B. Slowloris attack C. Session splicing D. Phlashing Correct Answer: B
Garry is a network administrator in an organization. He uses SNMP to manage networked devices from a remote location. To manage nodes in the network, he uses MIB, which contains formal descriptions of all network objects managed by SNMP. He accesses the contents of MIB by using a web browser either by entering the IP address and Lseries.mib or by entering the DNS library name and Lseries.mib. He is currently retrieving information from an MIB that contains object types for workstations and server services. Which of the following types of MIB is accessed by Garry in the above scenario? A. LNMIB2.MIB B. DHCP.MIB C. MIB_II.MIB D. WINS.MIB Correct Answer: A
Andrew is an Ethical Hacker who was assigned the task of discovering all the active devices hidden by a restrictive firewall in the IPv4 range in a given target network. Which of the following host discovery techniques must he use to perform the given task? A. UDP scan B. ARP ping scan C. ACK flag probe scan D. TCP Maimon scan Correct Answer: B
Emily, an extrovert obsessed with social media, posts a large amount of private information, photographs, and location tags of recently visited places. Realizing this, James, a professional hacker, targets Emily and her acquaintances, conducts a location search to detect their geolocation by using an automated tool, and gathers information to perform other sophisticated attacks. What is the tool employed by James in the above scenario? A. ophcrack B. VisualRoute C. Hootsuite D. HULK Correct Answer: C
Abel, a cloud architect, uses container technology to deploy applications/software including all its dependencies, such as libraries and configuration files, binaries, and other resources that run independently from other processes in the cloud environment. For the containerization of applications, he follows the five-tier container technology architecture. Currently, Abel is verifying and validating image contents, signing images, and sending them to the registries. Which of the following tiers of the container technology architecture is Abel currently working in? A. Tier-1: Developer machines B. Tier-2: Testing and accreditation systems C. Tier-3: Registries D. Tier-4: Orchestrators Correct Answer: B
Henry is a cyber security specialist hired by BlackEye Cyber Security Solutions. He was tasked with discovering the operating system (OS) of a host. He used the Unicornscan tool to discover the OS of the target system. As a result, he obtained a TTL value, which indicates that the target system is running a Windows OS. Identify the TTL value Henry obtained, which indicates that the target OS is Windows. A. 128 B. 255 C. 64 D. 138 Correct Answer: A
Daniel is a professional hacker who is attempting to perform an SQL injection attack on a target website, www.moviescope.com. During this process, he encountered an IDS that detects SQL injection attempts based on predefined signatures. To evade any comparison statement, he attempted placing characters such as "'or `1'=`1'" in any basic injection statement such as "or 1=1." Identify the evasion technique used by Daniel in the above scenario. A. Char encoding B. IP fragmentation C. Variation D. Null byte Correct Answer: C
SQL injection (SQLi) attacks attempt to inject SQL syntax into web requests, which may bypass authentication and allow attackers to access and/or modify data attached to a web application. Which of the following SQLi types leverages a database server's ability to make DNS requests to pass data to an attacker? A. In-band SQLi B. Union-based SQLi C. Out-of-band SQLi D. Time-based blind SQLi Correct Answer: C
Attacker Rony installed a rogue access point within an organization's perimeter and attempted to intrude into its internal network. Johnson, a security auditor, identified some unusual traffic in the internal network that is aimed at cracking the authentication mechanism. He immediately turned off the targeted network and tested for any weak and outdated security mechanisms that are open to attack. What is the type of vulnerability assessment performed by Johnson in the above scenario? A. Wireless network assessment B. Application assessment C. Host-based assessment D. Distributed assessment Correct Answer: A
In this attack, an adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying cryptographic handshake messages. When the victim reinstalls the key, associated parameters such as the incremental transmit packet number and receive packet number are reset to their initial values. What is this attack called? A. Evil twin B. Chop chop attack C. Wardriving D. KRACK Correct Answer: D
After an audit, the auditors inform you that there is a critical finding that you must tackle immediately. You read the audit report, and the problem is the service running on port 389. Which service is this and how can you tackle the problem? A. The service is NTP, and you have to change it from UDP to TCP in order to encrypt it. B. The service is LDAP, and you must change it to 636, which is LDAPS. C. The findings do not require immediate actions and are only suggestions. D. The service is SMTP, and you must change it to SMIME, which is an encrypted way to send emails. Correct Answer: B
Mike, a security engineer, was recently hired by BigFox Ltd. The company recently experienced disastrous DoS attacks. The management had instructed Mike to build defensive strategies for the company's IT infrastructure to thwart DoS/DDoS attacks. Mike deployed some countermeasures to handle jamming and scrambling attacks. What is the countermeasure Mike applied to defend against jamming and scrambling attacks? A. Allow the transmission of all types of addressed packets at the ISP level B. Disable TCP SYN cookie protection C. Allow the usage of functions such as gets and strcpy D. Implement cognitive radios in the physical layer Correct Answer: D
You are using a public Wi-Fi network inside a coffee shop. Before surfing the web, you use your VPN to prevent intruders from sniffing your traffic. If you did not have a VPN, how would you identify whether someone is performing an ARP spoofing attack on your laptop? A. You should check your ARP table and see if there is one IP address with two different MAC addresses. B. You should scan the network using Nmap to check the MAC addresses of all the hosts and look for duplicates. C. You should use netstat to check for any suspicious connections with another IP address within the LAN. D. You cannot identify such an attack and must use a VPN to protect your traffic. Correct Answer: A
Lewis, a professional hacker, targeted the IoT cameras and devices used by a target venture-capital firm. He used an information-gathering tool to collect information about the IoT devices connected to a network, open ports and services, and the attack surface area. Using this tool, he also generated statistical reports on broad usage patterns and trends. This tool helped Lewis continually monitor every reachable server and device on the Internet, further allowing him to exploit these devices in the network. Which of the following tools was employed by Lewis in the above scenario? A. NeuVector B. Lacework C. Censys D. Wapiti Correct Answer: C
Techno Security Inc. recently hired John as a penetration tester. He was tasked with identifying open ports in the target network and determining whether the ports are online and any firewall rule sets are encountered. John decided to perform a TCP SYN ping scan on the target network. Which of the following Nmap commands must John use to perform the TCP SYN ping scan? A. nmap -sn -PO target IP address B. nmap -sn -PS target IP address C. nmap -sn -PA target IP address D. nmap -sn -PP target IP address Correct Answer: B
Susan, a software developer, wants her web API to update other applications with the latest information. For this purpose, she uses a user-defined HTTP callback or push APIs that are raised based on trigger events; when invoked, this feature supplies data to other applications so that users can instantly receive real-time information. Which of the following techniques is employed by Susan? A. Web shells B. Webhooks C. REST API D. SOAP API Correct Answer: B
Eric, a cloud security engineer, implements a technique for securing the cloud resources used by his organization. This technique assumes by default that a user attempting to access the network is not an authentic entity and verifies every incoming connection before allowing access to the network. Using this technique, he also imposed conditions such that employees can access only the resources required for their role. What is the technique employed by Eric to secure cloud resources? A. Demilitarized zone B. Zero trust network C. Serverless computing D. Container technology Correct Answer: B
Which iOS jailbreaking technique patches the kernel during the device boot so that it becomes jailbroken after each successive reboot? A. Tethered jailbreaking B. Semi-untethered jailbreaking C. Semi-tethered jailbreaking D. Untethered jailbreaking Correct Answer: D
Stella, a professional hacker, performs an attack on web services by exploiting a vulnerability that provides additional routing information in the SOAP header to support asynchronous communication. This further allows the transmission of web-service requests and response messages using different TCP connections. Which of the following attack techniques is used by Stella to compromise the web services? A. Web services parsing attacks B. WS-Address spoofing C. SOAPAction spoofing D. XML injection Correct Answer: B
Attacker Steve targeted an organization's network with the aim of redirecting the company's web traffic to another malicious website. To achieve this goal, Steve performed DNS cache poisoning by exploiting the vulnerabilities in the DNS server software and modified the original IP address of the target website to that of a fake website. What is the technique employed by Steve to gather information for identity theft? A. Pharming B. Skimming C. Pretexting D. Wardriving Correct Answer: A
What is the port to block first in case you are suspicious that an IoT device has been compromised? A. 22 B. 48101 C. 80 D. 443 Correct Answer: B
Clark is a professional hacker. He created and configured multiple domains pointing to the same host to switch quickly between the domains and avoid detection. Identify the behavior of the adversary in the above scenario. A. Unspecified proxy activities B. Use of command-line interface C. Data staging D. Use of DNS tunneling Correct Answer: A
What firewall evasion scanning technique make use of a zombie system that has low network activity as well as its fragment identification numbers? A. Packet fragmentation scanning B. Spoof source address scanning C. Decoy scanning D. Idle scanning Correct Answer: D
By performing a penetration test, you gained access under a user account. During the test, you established a connection with your own machine via the SMB service and occasionally entered your login and password in plaintext. Which file do you have to clean to clear the password? A. .xsession-log B. .profile C. .bashrc D. .bash_history Correct Answer: D
Jack, a disgruntled ex-employee of Incalsol Ltd., decided to inject fileless malware into Incalsol's systems. To deliver the malware, he used the current employees' email IDs to send fraudulent emails embedded with malicious links that seem to be legitimate. When a victim employee clicks on the link, they are directed to a fraudulent website that automatically loads Flash and triggers the exploit. What is the technique used by Jack to launch the fileless malware on the target systems? A. In-memory exploits B. Legitimate applications C. Script-based injection D. Phishing Correct Answer: D
Wilson, a professional hacker, targets an organization for financial benefit and plans to compromise its systems by sending malicious emails. For this purpose, he uses a tool to track the emails of the target and extracts information such as sender identities, mail servers, sender IP addresses, and sender locations from different public sources. He also checks if an email address was leaked using the haveibeenpwned.com API. Which of the following tools is used by Wilson in the above scenario? A. Factiva B. ZoomInfo C. Netcraft D. Infoga Correct Answer: D
David is a security professional working in an organization, and he is implementing a vulnerability management program in the organization to evaluate and control the risks and vulnerabilities in its IT infrastructure. He is currently executing the process of applying fixes on vulnerable systems to reduce the impact and severity of vulnerabilities. Which phase of the vulnerability-management life cycle is David currently in? A. Remediation B. Verification C. Risk assessment D. Vulnerability scan Correct Answer: A
Alice, a professional hacker, targeted an organization's cloud services. She infiltrated the target's MSP provider by sending spear-phishing emails and distributed custom-made malware to compromise user accounts and gain remote access to the cloud service. Further, she accessed the target customer profiles with her MSP account, compressed the customer data, and stored them in the MSP. Then, she used this information to launch further attacks on the target organization. Which of the following cloud attacks did Alice perform in the above scenario? A. Cloud cryptojacking B. Man-in-the-cloud (MITC) attack C. Cloud hopper attack D. Cloudborne attack Correct Answer: C
Judy created a forum. One day, she discovers that a user is posting strange images without writing comments. She immediately calls a security expert, who discovers that the following code is hidden behind those images: What issue occurred for the users who clicked on the image? A. This PHP file silently executes the code and grabs the user's session cookie and session ID. B. The code redirects the user to another site. C. The code injects a new cookie to the browser. D. The code is a virus that is attempting to gather the user's username and password. Correct Answer: A
Richard, an attacker, aimed to hack IoT devices connected to a target network. In this process, Richard recorded the frequency required to share information between connected devices. After obtaining the frequency, he captured the original data when commands were initiated by the connected devices. Once the original data were collected, he used free tools such as URH to segregate the command sequence. Subsequently, he started injecting the segregated command sequence on the same frequency into the IoT network, which repeats the captured signals of the devices. What is the type of attack performed by Richard in the above scenario? A. Cryptanalysis attack B. Reconnaissance attack C. Side-channel attack D. Replay attack Correct Answer: D
Ethical hacker Jane Smith is attempting to perform an SQL injection attack. She wants to test the response time of a true or false response and wants to use a second command to determine whether the database will return true or false results for user IDs. Which two SQL injection types would give her the results she is looking for? A. Out of band and boolean-based B. Union-based and error-based C. Time-based and union-based D. Time-based and boolean-based Correct Answer: D
Which of the following allows attackers to draw a map or outline the target organization's network infrastructure to know about the actual environment that they are going to hack? A. Vulnerability analysis B. Malware analysis C. Scanning networks D. Enumeration Correct Answer: C
Jason, an attacker, targeted an organization to perform an attack on its Internet-facing web server with the intention of gaining access to backend servers, which are protected by a firewall. In this process, he used a URL https://xyz.com/feed.php?url=externalsite.com/feed/ to obtain a remote feed and altered the URL input to the local host to view all the local resources on the target server. What is the type of attack Jason performed in the above scenario? A. Web server misconfiguration B. Server-side request forgery (SSRF) attack C. Web cache poisoning attack D. Website defacement Correct Answer: B
Your company was hired by a small healthcare provider to perform a technical assessment on the network. What is the best approach for discovering vulnerabilities on a Windows-based computer? A. Use the built-in Windows Update tool B. Use a scan tool like Nessus C. Check MITRE.org for the latest list of CVE findings D. Create a disk image of a clean Windows installation Correct Answer: B
George is a security professional working for iTech Solutions. He was tasked with securely transferring sensitive data of the organization between industrial systems. In this process, he used a short-range communication protocol based on the IEEE 203.15.4 standard. This protocol is used in devices that transfer data infrequently at a low rate in a restricted area, within a range of 10-100 m. What is the short-range wireless communication technology George employed in the above scenario? A. LPWAN B. MQTT C. NB-IoT D. Zigbee Correct Answer: D
There are multiple cloud deployment options depending on how isolated a customer's resources are from those of other customers. Shared environments share the costs and allow each customer to enjoy lower operations expenses. One solution is for a customer to join with a group of users or organizations to share a cloud environment. What is this cloud deployment option called? A. Private B. Community C. Public D. Hybrid Correct Answer: B
Allen, a professional pen tester, was hired by XpertTech Solutions to perform an attack simulation on the organization's network resources. To perform the attack, he took advantage of the NetBIOS API and targeted the NetBIOS service. By enumerating NetBIOS, he found that port 139 was open and could see the resources that could be accessed or viewed on a remote system. He came across many NetBIOS codes during enumeration. Identify the NetBIOS code used for obtaining the messenger service running for the logged-in user? A. 00 B. 20 C. 03 D. 1B Correct Answer: C
Don, a student, came across a gaming app in a third-party app store and installed it. Subsequently, all the legitimate apps in his smartphone were replaced by deceptive applications that appeared legitimate. He also received many advertisements on his smartphone after installing the app. What is the attack performed on Don in the above scenario? A. SIM card attack B. Clickjacking C. SMS phishing attack D. Agent Smith attack Correct Answer: D
Samuel, a security administrator, is assessing the configuration of a web server. He noticed that the server permits SSLv2 connections, and the same private key certificate is used on a different server that allows SSLv2 connections. This vulnerability makes the web server vulnerable to attacks as the SSLv2 server can leak key information. Which of the following attacks can be performed by exploiting the above vulnerability? A. Padding oracle attack B. DROWN attack C. DUHK attack D. Side-channel attack Correct Answer: B
Clark, a professional hacker, was hired by an organization to gather sensitive information about its competitors surreptitiously. Clark gathers the server IP address of the target organization using Whois footprinting. Further, he entered the server IP address as an input to an online tool to retrieve information such as the network range of the target organization and to identify the network topology and operating system used in the network. What is the online tool employed by Clark in the above scenario? A. DuckDuckGo B. AOL C. ARIN D. Baidu Correct Answer: C
You are a penetration tester and are about to perform a scan on a specific server. The agreement that you signed with the client contains the following specific condition for the scan: "The attacker must scan every port on the server several times using a set of spoofed source IP addresses." Suppose that you are using Nmap to perform this scan. What flag will you use to satisfy this requirement? A. The -g flag B. The -A flag C. The -f flag D. The -D flag Correct Answer: D
Jude, a pen tester, examined a network from a hacker's perspective to identify exploits and vulnerabilities accessible to the outside world by using devices such as firewalls, routers, and servers. In this process, he also estimated the threat of network security attacks and determined the level of security of the corporate network. What is the type of vulnerability assessment that Jude performed on the organization? A. Application assessment B. External assessment C. Passive assessment D. Host-based assessment Correct Answer: B
Widespread fraud at Enron, WorldCom, and Tyco led to the creation of a law that was designed to improve the accuracy and accountability of corporate disclosures. It covers accounting firms and third parties that provide financial services to some organizations and came into effect in 2002. This law is known by what acronym? A. SOX B. FedRAMP C. HIPAA D. PCI DSS Correct Answer: A
Abel, a security professional, conducts penetration testing in his client organization to check for any security loopholes. He launched an attack on the DHCP servers by broadcasting forged DHCP requests and leased all the DHCP addresses available in the DHCP scope until the server could not issue any more IP addresses. This led to a DoS attack, and as a result, legitimate employees were unable to access the client's network. Which of the following attacks did Abel perform in the above scenario? A. Rogue DHCP server attack B. VLAN hopping C. STP attack D. DHCP starvation Correct Answer: D
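The mechanics behind DHCP starvation are simple: every DHCPDISCOVER carries a different forged client hardware address (and client identifier option), so the server hands out a lease for each one until the scope is empty. The Python below is an added example, not code from the page; it builds and parses minimal RFC 2131 DISCOVER messages offline, simulates a burst of them from forged MACs, and applies the per-port "too many distinct clients" check that DHCP snooping rate limiting or port security would enforce. Switch port names and the threshold are constructed.

```python
"""DHCPDISCOVER construction/parsing and a per-port starvation check (offline simulation)."""
import random
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_END = 53, 61, 255
DHCPDISCOVER = 1


def build_discover(mac: bytes, xid: int) -> bytes:
    """Minimal DHCPDISCOVER for a client with hardware address `mac` (6 bytes)."""
    # op=1 BOOTREQUEST, htype=1 Ethernet, hlen=6, hops=0, xid, secs=0, flags=broadcast,
    # ciaddr/yiaddr/siaddr/giaddr all zero -> 28 bytes
    fixed = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    chaddr = mac.ljust(16, b"\0")          # 16-byte hardware address field
    sname, boot_file = b"\0" * 64, b"\0" * 128
    options = (bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
               + bytes([OPT_CLIENT_ID, 7, 1]) + mac   # type 1 = Ethernet MAC
               + bytes([OPT_END]))
    return fixed + chaddr + sname + boot_file + MAGIC_COOKIE + options


def parse_dhcp(packet: bytes) -> dict:
    """Parse the fixed header and the TLV options that follow the magic cookie."""
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", packet[:12])
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == 0:                      # pad byte, no length
            i += 1
            continue
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "chaddr": packet[28:28 + hlen], "options": options}


def starvation_burst(count: int, seed: int = 1) -> list:
    """Simulate the attack: one DISCOVER per forged, locally administered MAC."""
    rng = random.Random(seed)
    return [build_discover(bytes([0x02]) + rng.randbytes(5), xid) for xid in range(count)]


def ports_exceeding(events: list, max_clients: int) -> dict:
    """events: (ingress_port, raw_packet). Count distinct DISCOVER MACs per port and
    return the ports above the limit, the logic behind DHCP snooping rate limiting."""
    seen = {}
    for port, pkt in events:
        msg = parse_dhcp(pkt)
        if msg["options"].get(OPT_MSG_TYPE) != bytes([DHCPDISCOVER]):
            continue
        seen.setdefault(port, set()).add(msg["chaddr"])
    return {p: len(macs) for p, macs in seen.items() if len(macs) > max_clients}


if __name__ == "__main__":
    # Constructed traffic: 50 forged clients on Gi0/7, one real client on Gi0/2.
    events = [("Gi0/7", p) for p in starvation_burst(50)]
    events.append(("Gi0/2", build_discover(b"\xaa\xbb\xcc\xdd\xee\x01", 99)))
    print(ports_exceeding(events, max_clients=5))
```

A real server also looks at option 61 when deciding whether two requests come from the same client, which is why the attack forges both chaddr and the client identifier; the detection side only needs to notice that one access port is suddenly sourcing dozens of hardware addresses.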
John wants to send Marie an email that includes sensitive information, and he does not trust the network that he is connected to. Marie gives him the idea of using PGP. What should John do to communicate correctly using this type of encryption? A. Use his own private key to encrypt the message. B. Use his own public key to encrypt the message. C. Use Marie's private key to encrypt the message. D. Use Marie's public key to encrypt the message. Correct Answer: D
This form of encryption algorithm is a symmetric key block cipher that is characterized by a 128-bit block size, and its key size can be up to 256 bits. Which among the following is this encryption algorithm? A. HMAC encryption algorithm B. Twofish encryption algorithm C. IDEA D. Blowfish encryption algorithm Correct Answer: B
In the Common Vulnerability Scoring System (CVSS) v3.1 severity ratings, what range does medium vulnerability fall in? A. 4.0-6.0 B. 3.9-6.9 C. 3.0-6.9 D. 4.0-6.9 Correct Answer: D
Jude, a pen tester working in Keiltech Ltd., performs sophisticated security testing on his company's network infrastructure to identify security loopholes. In this process, he started to circumvent the network protection tools and firewalls used in the company. He employed a technique that can create forged TCP sessions by carrying out multiple SYN, ACK, and RST or FIN packets. Further, this process allowed Jude to execute DDoS attacks that can exhaust the network resources. What is the attack technique used by Jude for finding loopholes in the above scenario? A. Spoofed session flood attack B. UDP flood attack C. Peer-to-peer attack D. Ping-of-death attack Correct Answer: A
Bill is a network administrator. He wants to eliminate unencrypted traffic inside his company's network. He decides to setup a SPAN port and capture all traffic to the datacenter. He immediately discovers unencrypted traffic in port UDP 161. What protocol is this port using and how can he secure that traffic? A. RPC and the best practice is to disable RPC completely. B. SNMP and he should change it to SNMP V3. C. SNMP and he should change it to SNMP V2, which is encrypted. D. It is not necessary to perform any actions, as SNMP is not carrying important information. Correct Answer: B
Jim, a professional hacker, targeted an organization that is operating critical industrial infrastructure. Jim used Nmap to scan open ports and running services on systems connected to the organization's OT network. He used an Nmap command to identify Ethernet/IP devices connected to the Internet and further gathered information such as the vendor name, product code and name, device name, and IP address. Which of the following Nmap commands helped Jim retrieve the required information? A. nmap -Pn -sT --scan-delay 1s --max-parallelism 1 -p <Port List> <Target IP> B. nmap -Pn -sU -p 44818 --script enip-info <Target IP> C. nmap -Pn -sT -p 46824 <Target IP> D. nmap -Pn -sT -p 102 --script s7-info <Target IP> Correct Answer: B
Consider the following Nmap output: What command-line parameter could you use to determine the type and version number of the web server? A. -sV B. -sS C. -Pn D. -V Correct Answer: A
While testing a web application in development, you notice that the web server does not properly ignore the "dot dot slash" (../) character string and instead returns the file listing of a folder higher up in the folder structure of the server. What kind of attack is possible in this scenario? A. Cross-site scripting B. SQL injection C. Denial of service D. Directory traversal Correct Answer: D
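The defect in this question is a server that joins client-supplied path segments onto its document root without checking where the result ends up. The Python below is an added example, not from the page: a naive resolver next to a hardened one that decodes (including double URL-encoding), normalises, and then refuses anything whose canonical form lies outside the root. The document root and request paths are constructed, and the logic is pure string handling so it runs without those files existing.

```python
"""Directory traversal: naive path join versus a document-root containment check."""
import os
from urllib.parse import unquote

WEB_ROOT = "/var/www/app/public"     # assumed document root (constructed)


def vulnerable_resolve(requested: str) -> str:
    """Naive handler: whatever the client sends is joined under the web root."""
    return os.path.normpath(os.path.join(WEB_ROOT, requested))


def canonical_path(requested: str) -> str:
    """Decode twice (catches %2e%2e%2f and %252e%252e%252f), drop leading slashes so
    an absolute path cannot replace the root, then normalise away ./ and ../ segments."""
    decoded = unquote(unquote(requested))
    if "\0" in decoded:
        raise PermissionError("null byte in requested path")
    return os.path.normpath(os.path.join(WEB_ROOT, decoded.lstrip("/\\")))


def is_inside_root(requested: str) -> bool:
    """True only if the canonical path is WEB_ROOT itself or a descendant of it."""
    try:
        candidate = canonical_path(requested)
    except PermissionError:
        return False
    return os.path.commonpath([WEB_ROOT, candidate]) == WEB_ROOT


def safe_resolve(requested: str) -> str:
    """Hardened handler: same join, but refuse anything that escapes the root."""
    if not is_inside_root(requested):
        raise PermissionError(f"path escapes document root: {requested!r}")
    return canonical_path(requested)


if __name__ == "__main__":
    # Constructed requests: one legitimate, the rest traversal variants.
    for req in ("css/site.css",
                "../../../../etc/passwd",
                "%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
                "%252e%252e%252f" * 4 + "etc/passwd",
                "static/../../secret.txt"):
        print(f"{req:45s} naive={vulnerable_resolve(req):35s} allowed={is_inside_root(req)}")
```

On a real filesystem, resolve with os.path.realpath before the containment check as well, so a symbolic link inside the root cannot point the canonical path outside it; that step is omitted here only so the example runs offline.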
Bob was recently hired by a medical company after it experienced a major cyber security breach. Many patients are complaining that their personal medical records are fully exposed on the Internet and someone can find them with a simple Google search. Bob's boss is very worried because of regulations that protect those data. Which of the following regulations is mostly violated? A. PCI DSS B. PII C. ISO 2002 D. HIPAA/PHI Correct Answer: D
Infecting a system with malware and using phishing to gain credentials to a system or web application are examples of which phase of the ethical hacking methodology? A. Scanning B. Gaining access C. Maintaining access D. Reconnaissance Correct Answer: B
Larry, a security professional in an organization, has noticed some abnormalities in the user accounts on a web server. To thwart evolving attacks, he decided to harden the security of the web server by adopting a few countermeasures to secure the accounts on the web server. Which of the following countermeasures must Larry implement to secure the user accounts on the web server? A. Retain all unused modules and application extensions. B. Limit the administrator or root-level access to the minimum number of users. C. Enable all non-interactive accounts that should exist but do not require interactive login. D. Enable unused default user accounts created during the installation of an OS. Correct Answer: B
Joel, a professional hacker, targeted a company and identified the types of websites frequently visited by its employees. Using this information, he searched for possible loopholes in these websites and injected a malicious script that can redirect users from the web page and download malware onto a victim's machine. Joel waits for the victim to access the infected web application so as to compromise the victim's machine. Which of the following techniques is used by Joel in the above scenario? A. Watering hole attack B. DNS rebinding attack C. MarioNet attack D. Clickjacking attack Correct Answer: A
Security administrator John Smith has noticed abnormal amounts of traffic coming from local computers at night. Upon reviewing, he finds that user data have been exfiltrated by an attacker. AV tools are unable to find any malicious software, and the IDS/IPS has not reported on any non-whitelisted programs. What type of malware did the attacker use to bypass the company's application whitelisting? A. File-less malware B. Zero-day malware C. Phishing malware D. Logic bomb malware Correct Answer: A
Dorian is sending a digitally signed email to Poly. With which key is Dorian signing this message and how is Poly validating it? A. Dorian is signing the message with his public key, and Poly will verify that the message came from Dorian by using Dorian's private key. B. Dorian is signing the message with Poly's private key, and Poly will verify that the message came from Dorian by using Dorian's public key. C. Dorian is signing the message with his private key, and Poly will verify that the message came from Dorian by using Dorian's public key. D. Dorian is signing the message with Poly's public key, and Poly will verify that the message came from Dorian by using Dorian's public key. Correct Answer: C
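Both this question and the PGP question above it come down to which key does what: confidentiality uses the recipient's public key (only the matching private key can undo it), and a signature uses the sender's private key (anyone with the sender's public key can check it). The Python below is an added example, not from the page or from any PGP implementation: textbook RSA with no padding, built from two small Mersenne primes so that it runs instantly, and therefore not usable as a real cipher. The key pairs and message are constructed; Marie and John double as Poly and Dorian.

```python
"""Textbook RSA to show which key encrypts, decrypts, signs and verifies (toy, no padding)."""
import hashlib
from math import gcd


def keygen(p: int, q: int, e: int = 65537) -> tuple:
    """Return ((n, e), (n, d)) for primes p and q. Toy sizes for illustration only."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), (n, pow(e, -1, phi))


def encrypt(pub: tuple, m: int) -> int:
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer below the modulus")
    return pow(m, e, n)


def decrypt(priv: tuple, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def sign(priv: tuple, message: bytes) -> int:
    """Sign the SHA-256 digest with the signer's private exponent."""
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big") % n, d, n)


def verify(pub: tuple, message: bytes, signature: int) -> bool:
    """Anyone holding the signer's public key can recompute and compare the digest."""
    n, e = pub
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(message).digest(), "big") % n


# Constructed key pairs. M61, M89, M107 are Mersenne primes; the moduli are ~150-200 bits,
# far too small for real use.
MARIE_PUB, MARIE_PRIV = keygen(2**61 - 1, 2**89 - 1)
JOHN_PUB, JOHN_PRIV = keygen(2**89 - 1, 2**107 - 1)
DORIAN_PUB, DORIAN_PRIV, POLY_PUB = JOHN_PUB, JOHN_PRIV, MARIE_PUB


def wrong_key_is_not_secret(priv: tuple, pub: tuple, m: int) -> int:
    """Option A of the PGP question: 'encrypting' with one's own private key is just a
    signature, so anyone with the public key recovers the plaintext."""
    return pow(pow(m, priv[1], priv[0]), pub[1], pub[0])


if __name__ == "__main__":
    m = int.from_bytes(b"wire 4,000 EUR", "big")           # constructed message
    c = encrypt(MARIE_PUB, m)                              # John uses Marie's PUBLIC key
    print("Marie recovers plaintext:", decrypt(MARIE_PRIV, c) == m)
    print("John's own key gives no secrecy:",
          wrong_key_is_not_secret(JOHN_PRIV, JOHN_PUB, m) == m)
    sig = sign(DORIAN_PRIV, b"Meet at 10")                 # Dorian signs with his PRIVATE key
    print("Poly verifies with Dorian's public key:", verify(DORIAN_PUB, b"Meet at 10", sig))
    print("Poly's own public key does not verify it:", verify(POLY_PUB, b"Meet at 10", sig))
```

Real OpenPGP wraps this in OAEP/PSS-style padding and normally encrypts the message with a fresh symmetric session key, encrypting only that key to the recipient's public key; the key roles the exam asks about are exactly the ones shown here.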
Scenario: Joe turns on his home computer to access personal online banking. When he enters the URL www.bank.com, the website is displayed, but it prompts him to re-enter his credentials as if he has never visited the site before. When he examines the website URL closer, he finds that the site is not secure and the web address appears different. What type of attack he is experiencing? A. DHCP spoofing B. DoS attack C. ARP cache poisoning D. DNS hijacking Correct Answer: D
Boney, a professional hacker, targets an organization for financial benefits. He performs an attack by sending his session ID using an MITM attack technique. Boney first obtains a valid session ID by logging into a service and later feeds the same session ID to the target employee. The session ID links the target employee to Boney's account page without disclosing any information to the victim. When the target employee clicks on the link, all the sensitive payment details entered in a form are linked to Boney's account. What is the attack performed by Boney in the above scenario? A. Forbidden attack B. CRIME attack C. Session donation attack D. Session fixation attack Correct Answer: C
Joe works as an IT administrator in an organization and has recently set up a cloud computing service for the organization. To implement this service, he reached out to a telecom company for providing Internet connectivity and transport services between the organization and the cloud service provider. In the NIST cloud deployment reference architecture, under which category does the telecom company fall in the above scenario? A. Cloud consumer B. Cloud broker C. Cloud auditor D. Cloud carrier Correct Answer: D
Kevin, a professional hacker, wants to penetrate CyberTech Inc's network. He employed a technique, using which he encoded packets with Unicode characters. The company's IDS cannot recognize the packets, but the target web server can decode them. What is the technique used by Kevin to evade the IDS system? A. Session splicing B. Urgency flag C. Obfuscating D. Desynchronization Correct Answer: C
Bobby, an attacker, targeted a user and decided to hijack and intercept all their wireless communications. He installed a fake communication tower between two authentic endpoints to mislead the victim. Bobby used this virtual tower to interrupt the data transmission between the user and real tower, attempting to hijack an active session. Upon receiving the user's request, Bobby manipulated the traffic with the virtual tower and redirected the victim to a malicious website. What is the attack performed by Bobby in the above scenario? A. aLTEr attack B. Jamming signal attack C. Wardriving D. KRACK attack Correct Answer: A
Suppose that you test an application for the SQL injection vulnerability. You know that the backend database is based on Microsoft SQL Server. In the login/password form, you enter the following credentials: Based on the above credentials, which of the following SQL commands are you expecting to be executed by the server, if there is indeed an SQL injection vulnerability? A. select * from Users where UserName = 'attack' ' or 1=1 -- and UserPassword = '123456' B. select * from Users where UserName = 'attack' or 1=1 -- and UserPassword = '123456' C. select * from Users where UserName = 'attack or 1=1 -- and UserPassword = '123456' D. select * from Users where UserName = 'attack' or 1=1 --' and UserPassword = '123456' Correct Answer: A
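The question is really asking you to build the SQL string the way a vulnerable login handler does, so the quickest way to answer this kind of question is to construct it. The Python below is an added example, not from the page; the credentials the question actually supplied are not reproduced on this page, so the injected username used here is constructed. SQLite stands in for SQL Server (both treat -- as a line comment), and the block also shows the two defences the allow-list validation question later on this page describes: bound parameters and an allow-list on the input itself.

```python
"""Login SQL built by concatenation versus bound parameters, plus allow-list validation."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample Users table; stands in for the question's SQL Server backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, UserPassword TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2"), ("admin", "N0tTh1s")])
    conn.commit()
    return conn


def build_query_vulnerable(username: str, password: str) -> str:
    """String concatenation: this is the text the server will hand to the database."""
    return (f"select * from Users where UserName = '{username}' "
            f"and UserPassword = '{password}'")


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    return conn.execute(build_query_vulnerable(username, password)).fetchall()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Bound parameters: the quote and the -- marker stay inside the value, never in the SQL."""
    return conn.execute(
        "select * from Users where UserName = ? and UserPassword = ?",
        (username, password)).fetchall()


# Allow-list: type (text), size (1-32) and character set approved in advance.
USERNAME_ALLOWED = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def username_is_allowed(username: str) -> bool:
    return USERNAME_ALLOWED.fullmatch(username) is not None


if __name__ == "__main__":
    conn = make_db()
    payload = "attack' or 1=1 --"            # constructed injection string
    print(build_query_vulnerable(payload, "123456"))
    print("rows via concatenation:", len(login_vulnerable(conn, payload, "123456")))
    print("rows via parameters:   ", len(login_parameterized(conn, payload, "123456")))
    print("passes allow-list:     ", username_is_allowed(payload))
```

With concatenation the WHERE clause becomes UserName = 'attack' or 1=1 and the rest of the line is commented out, so every row comes back and the application logs in as the first one; with bound parameters the same string simply fails to match any user.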
John, a professional hacker, targeted an organization that uses LDAP for accessing distributed directory services. He used an automated tool to anonymously query the LDAP service for sensitive information such as usernames, addresses, departmental details, and server names to launch further attacks on the target organization. What is the tool employed by John to gather information from the LDAP service? A. ike-scan B. Zabasearch C. JXplorer D. EarthExplorer Correct Answer: C
Which of the following commands checks for valid users on an SMTP server? A. RCPT B. CHK C. VRFY D. EXPN Correct Answer: C
Annie, a cloud security engineer, uses the Docker architecture to employ a client/server model in the application she is working on. She utilizes a component that can process API requests and handle various Docker objects, such as containers, volumes, images, and networks. What is the component of the Docker architecture used by Annie in the above scenario? A. Docker objects B. Docker daemon C. Docker client D. Docker registries Correct Answer: B
Bella, a security professional working at an IT firm, finds that a security breach has occurred while transferring important files. Sensitive data, employee usernames, and passwords are shared in plaintext, paving the way for hackers to perform successful session hijacking. To address this situation, Bella implemented a protocol that sends data using encryption and digital certificates. Which of the following protocols is used by Bella? A. FTPS B. FTP C. HTTPS D. IP Correct Answer: A
Bob, an attacker, has managed to access a target IoT device. He employed an online tool to gather information related to the model of the IoT device and the certifications granted to it. Which of the following tools did Bob employ to gather the above information? A. FCC ID search B. Google image search C. search.com D. EarthExplorer Correct Answer: A
What piece of hardware on a computer's motherboard generates encryption keys and only releases a part of the key so that decrypting a disk on a new piece of hardware is not possible? A. CPU B. UEFI C. GPU D. TPM Correct Answer: D
Gilbert, a web developer, uses a centralized web API to reduce complexity and increase the integrity of updating and changing data. For this purpose, he uses a web service that uses HTTP methods such as PUT, POST, GET, and DELETE and can improve the overall performance, visibility, scalability, reliability, and portability of an application. What is the type of web-service API mentioned in the above scenario? A. RESTful API B. JSON-RPC C. SOAP API D. REST API Correct Answer: A
To create a botnet, the attacker can use several techniques to scan vulnerable machines. The attacker first collects information about a large number of vulnerable machines to create a list. Subsequently, they infect the machines. The list is divided by assigning half of the list to the newly compromised machines. The scanning process runs simultaneously. This technique ensures the spreading and installation of malicious code in little time. Which technique is discussed here? A. Subnet scanning technique B. Permutation scanning technique C. Hit-list scanning technique. D. Topological scanning technique Correct Answer: C
Nicolas just found a vulnerability on a public-facing system that is considered a zero-day vulnerability. He sent an email to the owner of the public system describing the problem and how the owner can protect themselves from that vulnerability. He also sent an email to Microsoft informing them of the problem that their systems are exposed to. What type of hacker is Nicolas? A. Black hat B. White hat C. Gray hat D. Red hat Correct Answer: C
Sophia is a shopping enthusiast who spends significant time searching for trendy outfits online. Clark, an attacker, noticed her activities several times and sent a fake email containing a deceptive page link to her social media page displaying all-new and trendy outfits. In excitement, Sophia clicked on the malicious link and logged in to that page using her valid credentials. Which of the following tools is employed by Clark to create the spoofed email? A. Evilginx B. Slowloris C. PLCinject D. PyLoris Correct Answer: A
John, a disgruntled ex-employee of an organization, contacted a professional hacker to exploit the organization. In the attack process, the professional hacker installed a scanner on a machine belonging to one of the victims and scanned several machines on the same network to identify vulnerabilities to perform further exploitation. What is the type of vulnerability assessment tool employed by John in the above scenario? A. Agent-based scanner B. Network-based scanner C. Cluster scanner D. Proxy scanner Correct Answer: A
Becky has been hired by a client from Dubai to perform a penetration test against one of their remote offices. Working from her location in Columbus, Ohio, Becky runs her usual reconnaissance scans to obtain basic information about their network. When analyzing the results of her Whois search, Becky notices that the IP was allocated to a location in Le Havre, France. Which regional Internet registry should Becky go to for detailed information? A. ARIN B. LACNIC C. APNIC D. RIPE Correct Answer: D
In this form of encryption algorithm, every individual block contains 64-bit data, and three keys are used, where each key consists of 56 bits. Which is this encryption algorithm? A. IDEA B. Triple Data Encryption Standard C. AES D. MD5 encryption algorithm Correct Answer: B
Harry, a professional hacker, targets the IT infrastructure of an organization. After preparing for the attack, he attempts to enter the target network using techniques such as sending spear-phishing emails and exploiting vulnerabilities on publicly available servers. Using these techniques, he successfully deployed malware on the target system to establish an outbound connection. What is the APT lifecycle phase that Harry is currently executing? A. Initial intrusion B. Persistence C. Cleanup D. Preparation Correct Answer: A
John is investigating web-application firewall logs and observes that someone is attempting to inject the following: What type of attack is this? A. SQL injection B. Buffer overflow C. CSRF D. XSS Correct Answer: B
Robin, a professional hacker, targeted an organization's network to sniff all the traffic. During this process, Robin plugged in a rogue switch to an unused port in the LAN with a priority lower than any other switch in the network so that he could make it a root bridge that will later allow him to sniff all the traffic in the network. What is the attack performed by Robin in the above scenario? A. ARP spoofing attack B. STP attack C. DNS poisoning attack D. VLAN hopping attack Correct Answer: B
John, a professional hacker, performs a network attack on a renowned organization and gains unauthorized access to the target network. He remains in the network without being detected for a long time and obtains sensitive information without sabotaging the organization. Which of the following attack techniques is used by John? A. Insider threat B. Diversion theft C. Spear-phishing sites D. Advanced persistent threat Correct Answer: D
An attacker utilizes a Wi-Fi Pineapple to run an access point with a legitimate-looking SSID for a nearby business in order to capture the wireless password. What kind of attack is this? A. MAC spoofing attack B. War driving attack C. Phishing attack D. Evil-twin attack Correct Answer: D
You are attempting to run an Nmap port scan on a web server. Which of the following commands would result in a scan of common ports with the least amount of noise in order to evade IDS? A. nmap -A -Pn B. nmap -sP -p-65535 -T5 C. nmap -sT -O -T0 D. nmap -A --host-timeout 99 -T1 Correct Answer: C
CyberTech Inc. recently experienced SQL injection attacks on its official website. The company appointed Bob, a security professional, to build and incorporate defensive strategies against such attacks. Bob adopted a practice whereby only a list of entities such as the data type, range, size, and value, which have been approved for secured access, is accepted. What is the defensive technique employed by Bob in the above scenario? A. Whitelist validation B. Output encoding C. Blacklist validation D. Enforce least privileges Correct Answer: A
This wireless security protocol allows 192-bit minimum-strength security protocols and cryptographic tools to protect sensitive data, such as GCMP-256, HMAC-SHA384, and ECDSA using a 384-bit elliptic curve. Which is this wireless security protocol? A. WPA3-Personal B. WPA3-Enterprise C. WPA2-Enterprise D. WPA2-Personal Correct Answer: B
What are common files on a web server that can be misconfigured and provide useful information for a hacker such as verbose error messages? A. httpd.conf B. administration.config C. php.ini D. idq.dll Correct Answer: C
Gerard, a disgruntled ex-employee of Sunglass IT Solutions, targets this organization to perform sophisticated attacks and bring down its reputation in the market. To launch the attacks process, he performed DNS footprinting to gather information about DNS servers and to identify the hosts connected in the target network. He used an automated tool that can retrieve information about DNS zone data including DNS domain names, computer names, IP addresses, DNS records, and network Whois records. He further exploited this information to launch other sophisticated attacks. What is the tool employed by Gerard in the above scenario? A. Towelroot B. Knative C. zANTI D. Bluto Correct Answer: D
Tony is a penetration tester tasked with performing a penetration test. After gaining initial access to a target system, he finds a list of hashed passwords. Which of the following tools would not be useful for cracking the hashed passwords? A. Hashcat B. John the Ripper C. THC-Hydra D. netcat Correct Answer: D
Which of the following Google advanced search operators helps an attacker in gathering information about websites that are similar to a specified target URL? A. [inurl:] B. [info:] C. [site:] D. [related:] Correct Answer: D
You are a penetration tester working to test the user awareness of the employees of the client XYZ. You harvested two employees' emails from some public sources and are creating a client-side backdoor to send it to the employees via email. Which stage of the cyber kill chain are you at? A. Reconnaissance B. Weaponization C. Command and control D. Exploitation Correct Answer: B
While performing an Nmap scan against a host, Paola determines the existence of a firewall. In an attempt to determine whether the firewall is stateful or stateless, which of the following options would be best to use? A. -sA B. -sX C. -sT D. -sF Correct Answer: A
A newly joined employee, Janet, has been allocated an existing system used by a previous employee. Before issuing the system to Janet, it was assessed by Martin, the administrator. Martin found that there were possibilities of compromise through user directories, registries, and other system parameters. He also identified vulnerabilities such as native configuration tables, incorrect registry or file permissions, and software configuration errors. What is the type of vulnerability assessment performed by Martin? A. Database assessment B. Host-based assessment C. Credentialed assessment D. Distributed assessment Correct Answer: B
Jane, an ethical hacker, is testing a target organization's web server and website to identify security loopholes. In this process, she copied the entire website and its content on a local drive to view the complete profile of the site's directory structure, file structure, external links, images, web pages, and so on. This information helps Jane map the website's directories and gain valuable information. What is the attack technique employed by Jane in the above scenario? A. Session hijacking B. Website mirroring C. Website defacement D. Web cache poisoning Correct Answer: B
An organization is performing a vulnerability assessment for mitigating threats. James, a pen tester, scanned the organization by building an inventory of the protocols found on the organization's machines to detect which ports are attached to services such as an email server, a web server, or a database server. After identifying the services, he selected the vulnerabilities on each machine and started executing only the relevant tests. What is the type of vulnerability assessment solution that James employed in the above scenario? A. Service-based solutions B. Product-based solutions C. Tree-based assessment D. Inference-based assessment Correct Answer: D
Taylor, a security professional, uses a tool to monitor her company's website, analyze the website's traffic, and track the geographical location of the users visiting the company's website. Which of the following tools did Taylor employ in the above scenario? A. Webroot B. Web-Stat C. WebSite-Watcher D. WAFW00F Correct Answer: B