اضغط هنا للانضمام الى قروب فوجي للإختبارات على تيليقرام

أرشيف أسئلة الاختبار

اختبار شهادة الهكر الأخلاقي Certified Ethical Hacker (CEH) V13

هذه الصفحة مخصصة للأرشفة وتعرض جميع أسئلة الاختبار وروابط كل سؤال مع الخيارات والنقاشات.

الأسئلة

448 سؤال
  1. Under what conditions does a secondary name server request a zone transfer from a primary name server?
  2. An Intrusion Detection System (IDS) has alerted the network administrator to a possibly malicious sequence of packets sent to a web server in the external DMZ. ...
  3. The collection of potentially actionable, overt, and publicly available information is known as:
  4. Which of the following is a component of a risk assessment?
  5. Peter is surfing the internet looking for information about DX Company. Which hacking process is Peter doing?
  6. An attacker, using a rogue wireless AP, performed a MITM attack and injected HTML code to embed a malicious applet in all HTTP connections. When users accessed ...
  7. Eric used Dsniff tools to intercept communications between two entities, establishing credentials with both sides and relaying all traffic. Neither endpoint not ...
  8. While using your bank’s online services you see this URL: "http://www.MyPersonalBank.com/account?id=368940911028389&Damount=10980&Camount=21" You notice that if ...
  9. Which of the following algorithms can be used to guarantee the integrity of messages being sent, in transit, or stored?
  10. What tool can crack Windows SMB passwords simply by listening to network traffic?
  11. Bob decides a DMZ is not needed if the firewall is configured to only allow access to specific Internet-facing servers/ports and block access to workstations. H ...
  12. Based on the following extract from the log of a compromised machine (showing access to "har.txt" in the repair context), what is the hacker really trying to st ...
  13. User A is sending a sensitive email to user B and chooses to use PKI to secure the message so only B can read it. At what OSI layer does the encryption and decr ...
  14. Bob is performing a password assessment and suspects weak passwords are common. He knows about password weaknesses and keyloggers. Which option best represents ...
  15. An incident investigator receives logs from firewalls, proxy servers, and IDS sensors after a possible breach. When correlating events, the sequences in differe ...
  16. The Heartbleed bug (CVE-2014-0160) affects OpenSSL’s implementation of TLS. What type of key does this bug potentially expose to the Internet, making exploitati ...
  17. What two conditions must a digital signature meet?
  18. What is NOT a PCI compliance recommendation?
  19. You have physical access to a Windows 2008 R2 server with an accessible disk drive but cannot guess the admin password. You boot an Ubuntu LiveCD. Which Linux-b ...
  20. Which of the following is a command-line packet analyzer similar to GUI-based Wireshark?
  21. Scenario: An attacker creates an attractive web page and overlays an invisible iframe on top of a button. The victim thinks they click the visible offer, but ac ...
  22. In the Mason Insurance scenario, internal users see the normal website while Internet users see a defaced website at www.masonins.com. Tripwire shows no changes ...
  23. A hacker studies a target company’s public information, email style, leadership names, and branding to craft realistic phishing emails. The time spent gathering ...
  24. DHCP snooping is enabled to prevent rogue DHCP servers. Which security feature on switches leverages the DHCP snooping database to help prevent man-in-the-middl ...
  25. Which type of physical security feature stops vehicles from crashing through the doors of a building?
  26. A user on your Windows 2000 network has discovered that he can use L0phtcrack to sniff the SMB exchanges which carry user logons. The user is plugged into a hub ...
  27. The establishment of a TCP connection involves a negotiation called the three-way handshake. What type of message does the client send to the server in order to ...
  28. “........ is an attack type for a rogue Wi-Fi access point that appears to be a legitimate one offered on the premises, but actually has been set up to eavesdro ...
  29. A company’s security policy states that all web browsers must automatically delete their HTTP browser cookies upon terminating. What sort of security breach is ...
  30. MX record priority increases as the number increases. (True/False.)
  31. A zone file consists of which of the following Resource Records (RRs)?
  32. Which of the following incident handling process phases is responsible for defining rules, coordinating people, creating a backup plan, and testing the plans fo ...
  33. The command `env x='(){ :;};echo exploit' bash -c 'cat /etc/passwd'` is used in the Shellshock bash vulnerability. What is it attempting to do on a vulnerable L ...
  34. You are tasked to perform a penetration test. During information gathering, you find an employee list and the receptionist’s email. You send her an email spoofe ...
  35. During a black-box penetration test, you attempt to pass IRC traffic over TCP port 80 from a compromised web-enabled host. The traffic is blocked, but normal ou ...
  36. Which of the following statements about a DNS zone transfer is correct? (Choose three.)
  37. Null sessions are unauthenticated connections (no username or password) to an NT or 2000 system. Which TCP ports must you filter to block/null-check these sessi ...
  38. An attacker has installed a RAT on a host and wants to ensure that when a user visits "www.MyPersonalBank.com" they are silently redirected to a phishing site. ...
  39. In Nmap, what does the `-oX` flag do during a scan?
  40. Bob, a network administrator at a university, discovered that some students are plugging their laptops into unused wired Ethernet ports to get Internet access. ...
  41. Which UDP port does Network Time Protocol (NTP) primarily use for communication?
  42. You have just deployed a security system in your network. In which type of system would you most likely find a rule such as: alert tcp any any -> 192.168.100.0/ ...
  43. Which of the following is considered a low-tech method of gaining unauthorized access to systems?
  44. Shellshock allowed unauthorized users to gain access to many Internet-facing services that used the Bash shell. Which operating system was NOT directly affected ...
  45. You have the following SOA record in your DNS zone: collegae.edu. SOA, college.edu ipad.college.edu. (200302028 3600 3600 604800 3600). Secondary DNS servers ha ...
  46. Which method of password cracking typically requires the most time and effort when other conditions are equal?
  47. Bob receives this SMS: "Hello, this is Scott Smelby from the Yahoo Bank. Kindly contact me for a vital transaction on: scottsmelby@yahoo.com". Which statement i ...
  48. Which statement best describes the behavior of a classic boot sector virus?
  49. Which type of virus attempts to hide from antivirus programs by actively altering or intercepting system service calls while they are being executed?
  50. During a security assessment, you find that the organization has one DNS server in the DMZ and another DNS server on the internal network. What is this DNS desi ...
  51. Which type of malware is most commonly targeted at Microsoft Office products such as Word or Excel?
  52. What does a traditional network firewall primarily inspect to block certain ports and applications from entering an organization?
  53. A systems administrator needs to migrate email services to the cloud model that requires the least amount of administrative effort. Which of the following shoul ...
  54. While investigating network traffic, a cloud administrator discovers the monthly billing has increased substantially. Upon further review, it appears the server ...
  55. A cloud administrator is monitoring a database system and notices an unusual increase in the read operations, which is causing a heavy load in the system. The s ...
  56. What term is commonly used when referring to the type of testing in which large amounts of random, unexpected, or malformed input are sent to an application to ...
  57. SMTP can upgrade a plain-text connection between two mail servers so that email is encrypted in transit. Which SMTP command is used to initiate transmission of ...
  58. What is the technique called that sends crafted packets toward a protected host through a firewall to determine which ports are allowed through the firewall’s p ...
  59. A hacker is an intelligent individual with strong computer skills who may act offensively or defensively at different times. Which class of hacker refers to som ...
  60. When performing a TCP NULL scan, what is the typical response from a host if the scanned port is OPEN?
  61. A hard drive is expected to fail once every three years. A new drive costs $300. It takes 10 hours to reinstall the OS and software and 4 hours to restore the d ...
  62. When you are assessing a web server, you want to identify which HTTP methods (GET, POST, HEAD, PUT, DELETE, TRACE) are enabled, because PUT and DELETE can be da ...
  63. Which of the following tools can be used for passive OS fingerprinting based only on captured network traffic?
  64. Which known-plaintext attack against DES showed that encrypting plaintext with one DES key followed by a second DES key does not provide much more security than ...
  65. When performing a TCP NULL scan, what is the typical response from a host if the scanned port is CLOSED?
  66. A CFO approves the financial statements and then sends them to a new accountant. The CFO wants to ensure the document is not modified after approval. Which of t ...
  67. Which pair of commands does an IRC client typically send first to register itself on an IRC network?
  68. One of your team members asks you to analyze the following SOA record: Rutgers.edu. SOA NS1.Rutgers.edu ipad.college.edu. (200302028 3600 3600 604800 2400) What ...
  69. Which mode of IPsec should you use to assure security and confidentiality of data within the same LAN (host-to-host protection)?
  70. What is the primary purpose of a demilitarized zone (DMZ) on a network?
  71. Session splicing is an IDS evasion technique where an attacker sends malicious data in many small packets so signatures are harder to detect. Which tool is trad ...
  72. Which of the following is the BEST way to defend against network sniffing attacks?
  73. Which address translation scheme allows a single public IP address to always correspond to a single internal machine, enabling "server publishing" from the Inte ...
  74. Three companies (A, B, and C) compete globally. A and B are collaborating on a new product. Company B’s DNS server is vulnerable to spoofing, and attackers at C ...
  75. Which Intrusion Detection System is BEST suited for large environments where critical assets on the network need extra scrutiny and where it is ideal to observe ...
  76. Your company performs penetration tests for small and medium businesses. During an assessment, you discover clear evidence that your client is involved in human ...
  77. If a token and 4-digit PIN are used to access a system and the token verifies the PIN offline (no server-side rate limiting), which type of attack is most feasi ...
  78. Todd is asked to purchase a counter-based authentication system. Which of the following BEST describes this type of system?
  79. What is the following Windows command used for? net use \\target\ipc$ "" /u:""
  80. In cryptography, what is a "collision attack" on a hash function?
  81. During a penetration test you send an email to an address you know does NOT exist in the target company’s domain. Why might this be useful?
  82. A large mobile telephony and data network operator has a data center that houses network elements, which are essentially large Linux-based systems. The perimete ...
  83. Which of the following tools performs comprehensive tests against web servers, including checks for dangerous files and CGIs?
  84. An attacker with access to the inside network of a small company launches a successful STP (Spanning Tree Protocol) manipulation attack. What will the attacker ...
  85. What is the role of test automation in security testing?
  86. A company’s security risk assessment shows that the risk of a breach in its main application was initially 50%. After implementing controls, the risk is reduced ...
  87. A company’s security risk assessment shows that the risk of a breach in its main application was initially 50%. After implementing controls, the risk is reduced ...
  88. A network administrator discovers several unknown files in the root directory of a Linux FTP server: a tarball, two shell scripts, and a binary named "nc". Logs ...
  89. What two conditions must a digital signature meet?
  90. A bank stores and processes sensitive privacy information related to home loans. However, auditing has never been enabled on the system. What is the FIRST step ...
  91. What is a NULL scan?
  92. What is correct about digital signatures?
  93. The configuration allows a wired or wireless network interface controller to pass all traffic it receives to the CPU, rather than passing only the frames that t ...
  94. What term describes the amount of risk that remains after the vulnerabilities are classified and the countermeasures have been deployed?
  95. Tess King is using the nslookup command to craft queries to list all DNS information (such as Name Servers, host names, MX records, CNAME records, glue records, ...
  96. Which results will be returned with the following Google search query? site:target.com -site:Marketing.target.com accounting
  97. What ports should be blocked on the firewall to prevent NetBIOS traffic from coming through the firewall if the network is comprised of Windows NT, 2000, and XP ...
  98. You are the Network Admin, and you get a complaint that some websites are no longer accessible. You can ping the servers and access them by IP in a browser, but ...
  99. You need to deploy a new web-based software package for your organization. The package requires three separate servers and needs to be available on the Internet ...
  100. Peter, a Network Administrator, needs a tool to perform SNMP inquiries over the network. Which of these tools would do the SNMP enumeration he is looking for? ( ...
  101. Although FTP traffic is not encrypted by default, which layer 3 protocol would allow for end-to-end encryption of the connection?
  102. If a tester is attempting to ping a target that exists but receives no ICMP response or “destination unreachable”, ICMP may be disabled and the network may be u ...
  103. A large company intends to use BlackBerry for corporate mobile phones and a security analyst is assigned to evaluate the possible threats. The analyst will use ...
  104. A technician is resolving an issue where a computer is unable to connect to the Internet using a wireless access point. The computer can transfer files locally ...
  105. ________ is a set of extensions to DNS that provide origin authentication of DNS data to DNS clients (resolvers) to reduce the threat of DNS poisoning, spoofing ...
  106. CompanyXYZ has asked you to assess the security of their perimeter email gateway. You send a test email that appears to be from jim_miller@companyxyz.com to mic ...
  107. You have compromised a server with IP 10.10.0.5 and want to quickly enumerate all machines in the same /24 network using Nmap. Which is the BEST command to use?
  108. Which of the following Linux commands will resolve a domain name into an IP address?
  109. Why is a penetration test considered to be more thorough than a vulnerability scan?
  110. The “Gray-box testing” methodology enforces what kind of restriction?
  111. PGP, SSL, and IKE are all examples of which type of cryptography?
  112. You have snort installed on 192.168.0.99 and Kiwi Syslog on 192.168.0.150. You want Wireshark to show connections from the snort machine to the Kiwi Syslog mach ...
  113. Which regulation defines security and privacy controls for U.S. Federal information systems and organizations?
  114. Steve developed a system that identifies people based on walking patterns (gait) and then requires them to present an RFID badge. Both identifications are requi ...
  115. Which of the following is NOT a Bluetooth attack?
  116. What is one of the advantages of using both symmetric and asymmetric cryptography in SSL/TLS?
  117. Which system consists of a publicly available set of databases that contain domain name registration contact information?
  118. One of your team members has asked you to analyze the following SOA record. What is the version (serial number)? Rutgers.edu. SOA NS1.Rutgers.edu ipad.college.e ...
  119. Susan has synchronized her boss’s session with a file server, intercepts his traffic, modifies it, and then forwards it to the server so it appears to come from ...
  120. Bob is a well-known underground hacker who shares advanced hacking knowledge that can be used for both offense and defense. What is the MOST effective method to ...
  121. As a security consultant, which of the following would you recommend to a company to help ensure DNS security? (Choose FOUR.)
  122. Which of the following tools are commonly used for Windows SID enumeration? (Choose THREE.)
  123. Which of the following tools are commonly used for Windows SID enumeration? (Choose THREE.)
  124. What is the minimum number of network connections (interfaces) in a multihomed firewall?
  125. Which detection technique is used by modern antivirus solutions that collect data from many protected endpoints and analyze it centrally in the provider’s envir ...
  126. Which is the FIRST step that vulnerability scanners typically perform when scanning a network?
  127. Which of the following security properties is primarily assured by the use of a cryptographic hash function?
  128. Which type of malware infects both the system boot sector and executable files at the same time?
  129. A company policy requires employees to use encrypted protocols for file transfers. You suspect some still use unencrypted FTP. With Wireshark capturing laptop t ...
  130. Why should the security analyst disable/remove unnecessary ISAPI filters?
  131. Which DNS resource record can indicate how long any 'DNS poisoning' could last?
  132. Which of the following tools is used to analyze the files produced by several packet-capture programs such as tcpdump, WinDump, Wireshark, and EtherPeek?
  133. In the field of cryptanalysis, what is meant by a 'rubber-hose' attack?
  134. Your company was hired by a small healthcare provider to perform a technical assessment on the network. What is the BEST approach for discovering vulnerabilitie ...
  135. When analyzing the IDS logs, an alert is logged when the external router is accessed legitimately by the administrator from their workstation to update the conf ...
  136. Which definition best describes a covert channel?
  137. By using a smart card and PIN, you are using a two-factor authentication that satisfies which combination?
  138. A new wireless client uses the same hardware and software as other clients and can see the 802.11 network but cannot connect. A packet sniffer shows the WAP is ...
  139. Widespread fraud at Enron, WorldCom, and Tyco led to a law designed to improve accuracy and accountability of corporate financial disclosures. It took effect in ...
  140. Jane, an ethical hacker, copied an entire website and its content locally to analyze directory structure, files, links, and images for information about the tar ...
  141. What is the FIRST port you should consider blocking if you suspect an IoT device on your network has been compromised?
  142. While scanning with Nmap, Patin finds a host with an incremental IP ID sequence and then runs: nmap -Pn -p- -si kiosk.adobe.com www.riaa.com (where kiosk.adobe. ...
  143. How is the public key distributed in an orderly, controlled fashion so that users can be sure of the sender’s identity?
  144. At what stage of the cyber kill chain model does data exfiltration typically occur?
  145. Clark, a professional hacker, created and configured multiple domains pointing to the same host so he can switch quickly between domains and avoid detection. Wh ...
  146. Jim, a professional hacker, targeted an OT network and used Nmap to identify Ethernet/IP devices and retrieve information such as vendor name, product code, and ...
  147. Windows LAN Manager (LM) hashes are known to be weak. Which of the following are known weaknesses of LM? (Choose three.)
  148. What is the algorithm used by LM for the Windows 2000 SAM?
  149. Within the context of computer security, which of the following statements describes Social Engineering best?
  150. What is the correct way of using MSFvenom to generate a reverse TCP Meterpreter shell for Windows?
  151. The tools which receive event logs from servers, network equipment, and applications, perform analysis and correlation on those logs, and can generate alarms fo ...
  152. Robin plugged in a rogue switch to an unused LAN port and set its priority lower than any other switch so it would become the root bridge and allow him to sniff ...
  153. Emily overshares private information and locations on social media. James, a professional hacker, uses an automated tool to perform location searches and gather ...
  154. Which of the following protocols can be used to secure an LDAP service against anonymous queries?
  155. Every company needs a formal written document that explains what employees may and may not do with company systems, and what consequences apply. Employees must ...
  156. What kind of detection technique is used in antivirus software that identifies malware by collecting data from multiple protected systems and analyzing it in th ...
  157. John hired a professional hacker. The attacker installed a scanner on a victim’s machine and then used it to scan other machines on the same network to identify ...
  158. A security administrator notices abnormal outbound traffic at night and confirms that data is being exfiltrated. AV and IDS/IPS do not see any non-whitelisted b ...
  159. ________ is a tool that can hide processes from the process list, can hide files, registry entries, and intercept keystrokes.
  160. Which of the following commands checks for valid users on an SMTP server?
  161. Daniel is performing an SQL injection attack and uses characters like "' or '1'='1" to alter basic injection statements such as "or 1=1" in order to evade IDS s ...
  162. This kind of password cracking method uses word lists in combination with numbers and special characters:
  163. What piece of hardware on a computer's motherboard generates encryption keys and only releases a part of the key so that decrypting a disk on new hardware is no ...
  164. You are attempting to crack LM hashes from a Windows 2000 SAM file using an LM brute force tool. Which encryption algorithm are you actually attacking?
  165. A penetration tester is configuring Wireshark on Windows. Which driver and library are required so that the NIC can operate in promiscuous mode?
  166. What is the common name for a vulnerability disclosure program that companies open on platforms such as HackerOne?
  167. You are analysing traffic on the network with Wireshark. You want to routinely run a cron job which will run the capture against a specific set of IPs (192.168. ...
  168. Yancey, a long-time network security administrator, finds out he will be laid off and plants logic bombs, viruses, Trojans, and backdoors across the network, no ...
  169. To invisibly maintain access to a machine, an attacker uses a toolkit that sits undetected in the core components of the operating system. What type of rootkit ...
  170. Susan, a software developer, wants her web API to update other applications with the latest information in real time whenever specific events occur. She uses us ...
  171. This TCP flag instructs the sending system to transmit all buffered data immediately.
  172. What type of analysis is being performed when an attacker (or tester) has partial knowledge of the inner workings of an application?
  173. How does a denial-of-service (DoS) attack work?
  174. Johnson, an attacker, called a cybersecurity firm pretending to be vendor technical support, warned of an imminent compromise, and convinced the victim to run u ...
  175. Joe, an IT administrator, set up a cloud computing service for his organization and contracted a telecom company to provide Internet connectivity and transport ...
  176. The network team has procedures that require manager approval before creating new firewall rules. You notice a recently added rule with no recorded approval. Wh ...
  177. While reviewing audit logs, you see that users are able to telnet to the SMTP server on port 25. You see no evidence of attacks, but you are worried about impac ...
  178. John is an incident handler who often forgets steps and procedures during stressful incidents and his responses are below company standards. Which action should ...
  179. Attacker Lauren gained credentials to an internal server and logged in at irregular times. Analyst Robert examined the compromised device to determine details s ...
  180. Henry used an OS fingerprinting tool and obtained a TTL value that indicated the target host is running Windows. Which TTL value did he see?
  181. In a risk assessment methodology, which step refers to vulnerability identification according to the exam’s mapping?
  182. Log monitoring tools report suspicious logins on a Linux server during non-business hours. On investigation, the administrator finds the system time is off by m ...
  183. Bella finds that sensitive files, usernames, and passwords were transferred in plaintext, leading to a successful session hijacking. She then implements a proto ...
  184. An LDAP directory can store information similarly to a SQL database. LDAP uses a _____ structure instead of SQL’s _____ structure, which makes representing many ...
  185. Garry is a network administrator using SNMP and MIBs to manage networked devices. He is currently retrieving information from an MIB that contains object types ...
  186. Ethical hacker Jane Smith wants to perform an SQL injection attack that lets her test response time for true/false conditions and also determine whether the dat ...
  187. Which of the following is the primary objective of a rootkit?
  188. Which Bluetooth hacking technique refers specifically to the theft of information from a wireless device over Bluetooth?
  189. Harry, a professional hacker, sends spear-phishing emails and exploits public servers to deploy malware and establish an outbound connection from a victim syste ...
  190. Which utility will show, in real time, which TCP/UDP ports are listening or in another state on a Windows system, with a constantly updating GUI view?
  191. Which of the following are well-known password-cracking programs? (Choose two.)
  192. While browsing Facebook, Matt answers a friend’s post containing a series of personal questions. A few days later, his bank account password has been changed an ...
  193. E-mail scams and mail fraud are regulated by which of the following statutes according to the exam key?
  194. Tremp is planning to deploy an IDS in a small company. He needs near real-time detection, verification of attack success or failure, monitoring of system activi ...
  195. What is the minimum number of network connections (interfaces) in a multihomed firewall?
  196. Bobby installs a fake communication tower between a victim and the real cellular tower, intercepting LTE traffic and redirecting the user to a malicious website ...
  197. John targets an organization that uses LDAP and runs an automated tool to anonymously query the LDAP service for usernames, email addresses, department details, ...
  198. Which of the following LM hashes represent a password of fewer than 8 characters? (Choose two.)
  199. Nedved, an IT Security Manager at a bank, finds a suspicious outbound connection from the email server to an unknown IP address and suspects a breach. What is t ...
  200. OpenSSL on Linux includes a command-line tool for testing TLS connections. What is the tool and the correct syntax to connect to a web server over HTTPS?
  201. During an Xmas scan, which response from a target indicates that a port is closed?
  202. You have brute-forced the SNMP community string of a Cisco router, but an access list on the gateway prevents you from connecting directly. You still want to re ...
  203. Andrew, an ethical hacker, must discover all active devices on an IPv4 target network where a restrictive firewall hides hosts from traditional IP ping scans. W ...
  204. In an Android application, which file defines the basic configuration such as activities, services, broadcast receivers, and required permissions?
  205. Which of the following DoS tools is used to attack target web applications by starving available sessions on the web server by sending never-ending HTTP POSTs w ...
  206. This encryption algorithm is a block cipher with a 128-bit block size and supports key sizes up to 256 bits. Which algorithm is described?
  207. You are asked to configure a DHCP server to lease the last 100 usable IP addresses in the subnet 10.1.4.0/23. Which of the following IP addresses could be lease ...
  208. You work as a Sales Manager in a company with strict egress monitoring. You want to steal the Sales.xls database and exfiltrate it to your home PC without raisi ...
  209. During a web application test, you run Nmap with the -sV option and see: "80/tcp open http-proxy Apache Server 7.1.6". Which information-gathering technique doe ...
  210. Ralph poses as a legitimate customer support executive and arranges a ‘technician visit’ to Jane’s company. Once inside, he scans terminals for passwords and se ...
  211. Morris performs a vulnerability assessment by sniffing network traffic to identify active systems, services, applications, and vulnerabilities, and to see which ...
  212. Taylor, a security professional, wants to monitor her company’s website traffic and track the geographical location of visitors. Which tool matches this use cas ...
  213. In the Common Vulnerability Scoring System (CVSS) v3.1 severity ratings, what range does a medium vulnerability fall in?
  214. You are trying to break into a highly secured top-secret banking mainframe where conventional technical hacking is ineffective. According to the exam scenario, ...
  215. Under the PCI DSS objective "Implement strong access control measures", which requirement fits best?
  216. Sam performs CVSS v3.0 scoring and obtains a base score of 4.0 for a vulnerability. What is the CVSS severity level of this vulnerability?
  217. An attacker sends a victim an email with a link that looks authentic but actually redirects to a malicious site used to steal the victim’s data. What type of at ...
  218. An organization performs a vulnerability assessment. James first builds an inventory of protocols and services on each machine, then selects only the relevant v ...
  219. In the field of cryptanalysis, what is meant by a "rubber-hose" attack?
  220. Bob is performing an active session hijack against a Telnet session. He has identified an active session and analyzed the target system’s sequence behavior. Acc ...
  221. When discussing passwords, what is considered a brute-force attack?
  222. A password attack combines dictionary words with variations generated by brute-force (such as adding numbers and symbols). What is this type of attack called?
  223. How can you determine from an LM hash whether the original password is less than 8 characters long?
  224. In the context of cryptographic hashes, what is the main security service they are intended to provide?
  225. During an internal penetration test, you gain shell access to a Windows host. You want to attempt a DNS zone transfer for the internal domain abccorp.local from ...
  226. During web-server footprinting, which file on a site is a particularly rich target for discovering the structure of a website and potentially restricted paths?
  227. Which firewall-evasion scanning technique uses a ‘zombie’ host with low network activity and predictable IP ID values to stealthily probe a target?
  228. Nathan uses the tool Macof to flood the ARP cache of several switches on a network. If the ARP cache flooding attack succeeds, what is the most likely result?
  229. Samuel finds that a web server permits SSLv2 connections and shares the same certificate/private key with another server that also allows SSLv2. This configurat ...
  230. Despite strong technical controls such as firewalls, IDS/IPS, and anti-malware, Peter Smith argues that there is still a “weakest link” in the security chain th ...
  231. Jane invites her friends Alice and John over for a LAN party. Alice and John access Jane's wireless network without a password, even though Jane has a long, com ...
  232. What do Trinoo, TFN2k, WinTrinoo, T-Sight, and Stacheldraht all have in common?
  233. During the enumeration phase, Lawrence performs banner grabbing to obtain information such as OS details and service versions. The service he probes is listenin ...
  234. You are testing a web application for SQL injection. You know the backend is Microsoft SQL Server. In the login form you submit the following: Username: attack' ...
  235. Attacker Steve compromises a DNS server and poisons its cache so that the IP address for a legitimate company website is replaced with the address of a fake sit ...
  236. What port number is used by the LDAP protocol by default?
  237. On a web server, which configuration file is commonly misconfigured and can expose useful information (such as verbose error messages) to attackers?
  238. You retrieved password hashes from a Windows 2000 domain. Strong password policy requires at least 8 characters and 3 of 4 character classes. Given typical user ...
  239. Why are containers often considered less secure than full virtual machines?
  240. Nicolas discovers a zero-day vulnerability on a public-facing system. He emails the system owner with details and mitigation steps, and also notifies Microsoft ...
  241. In the exam’s terminology, which type of virus can change its own code and then cipher itself multiple times as it replicates?
  242. Alice compromises a managed service provider (MSP) by spear-phishing and custom malware, then uses the MSP’s access to pivot into customers’ cloud environments ...
  243. In the context of Windows authentication, what does GINA stand for?
  244. Robin is performing DNS tunneling using the NSTX tool to bypass firewalls and exfiltrate data. On which port should NSTX typically run to blend with normal DNS ...
  245. John wants to send Marie a confidential email using PGP over an untrusted network. Which key should he use to encrypt the message so that only Marie can read it ...
  246. In Windows security terminology, what is a "null" user?
  247. Gerard performs DNS footprinting to retrieve DNS zone data (domain names, hostnames, IPs, DNS and network WHOIS records) and then uses this information for furt ...
  248. David is implementing a vulnerability management program. He is currently applying fixes and patches on vulnerable systems to reduce the impact and severity of ...
  249. "Password cracking programs reverse the hashing process to recover passwords." Is this statement true or false?
  250. When preparing for a formal security assessment, what should a security analyst do to detect inconsistencies in the secure assets database and verify that syste ...
  251. Bob emails you an offer about a client deal, which you accept. Two days later he denies ever sending that email. Which security property do you rely on to prove ...
  252. After a breach, many patients discover their personal medical records exposed on the Internet and indexable via simple Google searches. Which regulation has mos ...
  253. Which of the following statements is FALSE with respect to Intrusion Detection Systems (IDS)?
  254. Techno Security Inc. hires John to identify open ports and detect if firewall rule sets are encountered. He decides to perform a TCP SYN ping scan with Nmap. Wh ...
  255. Challenge/response authentication is primarily designed to prevent which type of attack?
  256. You need a tool that can provide network intrusion detection and prevention, act as a network sniffer, and record network activity. Which tool best fits these r ...
  257. Which type of SQL injection leverages the database server's ability to make DNS or HTTP requests in order to pass data to an attacker?
  258. Wilson wants to launch a phishing campaign and first gathers intelligence about target email addresses, sender identities, mail servers, and checks if emails we ...
  259. You have logged into a Linux system and want to cover your tracks. Many login attempts are logged under /var/log. Which of the following files does NOT belong t ...
  260. Jason abuses a web feature that fetches remote feeds via a URL parameter (e.g., feed.php?url=externalsite.com/feed/). He changes the URL input to localhost to m ...
  261. Which information security control sets up an attractive but isolated environment to lure attackers away from critical systems while collecting intelligence abo ...
  262. In an Android application, which file defines the basic configuration such as activities, services, broadcast receivers, and required permissions?
  263. Harry, a professional hacker, sends spear-phishing emails and exploits public servers to deploy malware and establish an outbound connection from a victim syste ...
  264. Which utility will show, in real time, which TCP/UDP ports are listening or in another state on a Windows system, with a constantly updating GUI view?
  265. During an Xmas scan, which response from a target indicates that a port is closed?
  266. Sam performs CVSS v3.0 scoring and obtains a base score of 4.0 for a vulnerability. What is the CVSS severity level of this vulnerability?
  267. In the Common Vulnerability Scoring System (CVSS) v3.1 severity ratings, what range does a medium vulnerability fall in?
  268. Samuel finds that a web server permits SSLv2 connections and shares the same certificate/private key with another server that also allows SSLv2. This configurat ...
  269. A password attack combines dictionary words with variations generated by brute-force (such as adding numbers and symbols). What is this type of attack called?
  270. What is the minimum number of network connections (interfaces) in a multihomed firewall?
  271. Elliot exploits a web app using SQL as a back-end and has found it vulnerable to SQL injection. He introduces conditional timing delays into injected queries to ...
  272. Fred, a network administrator, wants to trick an internal switch from an external IP into thinking it already has an established session with his machine. What ...
  273. Steve creates a fake profile on social media with an attractive picture and backstory. After Stella accepts his request, he builds trust and slowly extracts sen ...
  274. Joe turns on his home computer to access online banking. He types www.bank.com, but the site appears different, not secure (no HTTPS), and acts as if he is a ne ...
  275. A rootkit has been discovered on a critical server. What is the BEST alternative to fully recover the system and ensure it is clean?
  276. In DNS, what is the primary purpose of an AAAA record?
  277. Consider the Snort rule: alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";). What does this rule mean?
  278. A customer wants to share a cloud environment with a specific group of organizations that have similar requirements, so they can share cost while keeping some i ...
  279. A vulnerability scan of your wireless network shows it is using an old encryption protocol that was originally designed to provide "wired-equivalent" protection ...
  280. Ethical hacker Jane Doe is cracking the password of the head of IT using a rainbow table. She notices that when a password is entered, extra characters are adde ...
  281. Infecting a system with malware and using phishing to gain credentials to a system or web application are examples of which phase of the ethical hacking methodo ...
  282. These hackers have limited or no formal training and only know how to use basic tools and prefabricated scripts, often without fully understanding how they work ...
  283. Gilbert, a web developer, uses a centralized web API that relies on HTTP methods such as PUT, POST, GET, and DELETE to improve performance, visibility, scalabil ...
  284. On a Windows system, which command-line tool can be used to display the current TCP/IP connections?
  285. An attacker installs a rogue access point within an organization’s perimeter to break into the internal network. The auditor detects unusual wireless traffic, d ...
  286. Matthew has a Meterpreter session on a Windows kiosk. His current SID is S-1-5-21-1223352397-1872883824-861252104-501. What must he do before having full admini ...
  287. You are a penetration tester evaluating user awareness. After harvesting employees’ emails, you are building a client-side backdoor payload that you will send t ...
  288. To make a wireless network harder to discover and only accessible to users who already know about it, an administrator wants to hide it from normal Wi-Fi scans. ...
  289. A friend executed a file received from a coworker. It appeared to do nothing, and he now suspects a Trojan may be installed. Which test would best help determin ...
  290. OpenSSL on Linux includes a command-line tool for testing TLS connections. What is the tool and the correct syntax to connect to a web server over HTTPS?
  291. Vlady works in a fishing company where employees share passwords, write them on sticky notes, leave computers unlocked, and forget to log out. He wants them to ...
  292. Richard targets IoT devices on a network. He records the radio frequency used between devices, captures the original command data, then later replays the same c ...
  293. Bob gains access to an IoT device and wants to learn about its model and regulatory certifications. He uses an online lookup service that can return details abo ...
  294. During normal TCP operation, a server maintains a finite queue of half-open connections while waiting for the final ACK in the three-way handshake. An attacker ...
  295. During the process of encryption and decryption in a public-key (asymmetric) cryptosystem, which keys are shared openly between communicating parties?
  296. A new employee, Janet, receives a workstation that previously belonged to someone else. Before reissuing it, Martin, the administrator, reviews system configura ...
  297. George needs a short-range wireless technology for industrial systems that is based on the IEEE 802.15.4 standard. It should support low-rate, infrequent data t ...
  298. Sam, a professional hacker, targets an organization’s AWS environment. He makes fake phone calls while posing as an internal employee and sends phishing emails ...
  299. You are a penetration tester assessing the wireless network "Brakeme-Internal" and discover that it uses WPA3 encryption. Which known vulnerability family again ...
  300. Boney, a professional hacker, logs into an online service and obtains a valid session ID. He then sends that same session ID to a target employee via an MITM-ba ...
  301. A victim receives an email that appears to be from PayPal, claiming their account is disabled and must be confirmed. The attackers then trick the victim into en ...
  302. You are using Gobuster to enumerate content on a web server and want the fastest practical way to discover existing files and directories. Which approach is bes ...
  303. Bill, a network administrator, configures a SPAN port to capture all traffic going to his data center. He finds cleartext traffic on UDP port 161 and wants to s ...
  304. Abel uses container technology in a five-tier architecture. He is currently verifying and validating image contents, signing the images, and then sending them t ...
  305. Clark gathers the public IP address of a target organization’s server using WHOIS-style footprinting. He then inputs that IP into an online service to obtain th ...
  306. While testing a web application, you notice that the server does not properly ignore "dot dot slash" (../) sequences and returns directory listings or file cont ...
  307. Steven connects his iPhone to a public computer that has been infected by an attacker named Clark. Steven enables iTunes Wi-Fi sync so the iPhone can continue c ...
  308. Allen, a professional penetration tester, is enumerating NetBIOS on a remote Windows system. Port 139 is open and he can see various NetBIOS resource codes. Whi ...
  309. Jack, a disgruntled ex-employee, wants to deliver fileless malware into his former company’s systems. He uses current employees’ email addresses to send fraudul ...
  310. Sam, a penetration tester, sends FIN/ACK probes to a target host as part of port scanning. When a port is closed, the target responds with an RST packet. Which ...
  311. During a wireless security audit, you discover that the company’s WLAN still uses WEP as its encryption method. To significantly enhance the security of the wir ...
  312. SecureTech Inc. wants to use symmetric encryption to protect sensitive data sent over an insecure channel, but they still need a secure way to exchange the symm ...
  313. James, an ethical hacker at Technix Solutions, is ordered to see how vulnerable the network is to footprinting. He uses an open-source framework that automates ...
  314. A penetration tester is assessing a financial web application that uses form-based authentication but has no account lockout after repeated failures. The app al ...
  315. Which of the following activities gives a security professional the most direct information about a system’s security posture (open services and exposure)?
  316. You send a TCP ACK segment to a known closed port on a host behind a firewall, but you do not receive an RST in response. What does this most likely tell you ab ...
  317. Sophia receives a fake email with a link to a page full of trendy outfits. She clicks the link and logs in with her real social media credentials. The attacker ...
  318. In the cyber kill chain, which of the following is the best example of the third step, Delivery?
  319. Tony, a penetration tester, gains access to a system and finds a list of hashed passwords. Which of the following tools would NOT be useful for cracking these h ...
  320. An ISP needs an AAA solution to authenticate users connecting via modems, DSL, wireless data, and VPN over Frame Relay. Which AAA protocol is most suitable?
  321. Consider the following command: sqlmap.py -u "http://10.10.1.20/?p=1&forumaction=search" -dbs What is this command used for?
  322. Richard gathers domain information such as the target domain name, owner contact details, expiry date, and creation date, then uses this to map the organization ...
  323. During reconnaissance, an ethical hacker uses Maltego to gather Internet infrastructure details (domains, DNS names, netblocks, IP information). They then plan ...
  324. During a penetration test, a CEH wants to spoof source IPs while probing a target using hping3. Which of the following commands achieves this by sending SYN pac ...
  325. An unauthorized person slips in through the employee entrance right after lunch by following an employee through the door. What type of physical security breach ...
  326. When sniffing a network passively, which of the following actions CANNOT be performed?
  327. Harper designs an email application and chooses a symmetric block cipher with a 64-bit block size and a 12- or 16-round Feistel network. It uses large 8×32-bit ...
  328. An ethical hacker is testing a database protected by a signature-based IDS. He manages to retrieve usernames via SQL injection without triggering an alert by su ...
  329. Review the following Python script used against a service on TCP port 9999. It builds payloads of increasing lengths of “A” and sends each as an argument to mul ...
  330. Kevin wants to evade a company’s IDS while attacking a web app. He encodes HTTP request data with Unicode characters so that the IDS fails to recognize the payl ...
  331. A security engineer connects to TCP port 80 using netcat and sees an HTTP 200 OK response that includes headers revealing the web server software (for example, ...
  332. A user and an access point both support WPA2 and WPA3. An attacker sets up a rogue AP that only supports WPA2, forces the victim to connect using WPA2, then cap ...
  333. Jude, a penetration tester, evaluates an organization’s network from the outside, using Internet-facing devices such as firewalls, routers, and servers to ident ...
  334. Mary has obtained password hashes on a compromised system but does not have time to crack them into plaintext. She still wants to authenticate to other systems ...
  335. BigFox Ltd has suffered radio jamming and scrambling attacks against its wireless communications. Mike, the security engineer, deploys a countermeasure at the p ...
  336. A CEH is trying SQL injection and originally attempts to trigger detailed ODBC error messages to identify the database engine, but the application returns only ...
  337. Heather’s company adopts a cloud-hosted CRM where the provider manages hardware, OS, patches, and application, and Heather only manages user accounts. What type ...
  338. In an N-tier application architecture, which tier is primarily responsible for moving and processing data between the other tiers?
  339. After an audit, you are told there is a critical finding related to a service running on port 389. Which service is this, and what should you do to secure it?
  340. An attacker creates a fake LinkedIn profile impersonating a high-ranking executive, connects with employees, and gains access to exclusive internal information. ...
  341. A rogue access point is discovered inside an organization’s perimeter, and the auditor analyzes weak or outdated wireless security and authentication mechanisms ...
  342. Conceptually, what is a key advantage of an anomaly-based IDS compared to a signature-based IDS?
  343. Which protocol is commonly used to establish secure channels between two devices, typically in VPN implementations?
  344. An organization connects industrial control systems to the Internet and wants continuous monitoring and anomaly detection to protect against cyber-espionage, ze ...
  345. A large enterprise suffers crashes and instability while logs show abnormally large packets that exceed normal size limits, suggesting malformed oversized traff ...
  346. Which information security law or standard is specifically aimed at protecting investors and the public from accounting errors and fraudulent financial reportin ...
  347. A web app returns detailed database error messages whenever the tester sends logically incorrect queries, exposing table and column information. Which SQL injec ...
  348. Ron discovers that an internal API lets attackers access and perform actions on sensitive objects (view, update, delete) because the API does not properly enfor ...
  349. Don installs a game from a third-party app store; afterward, legitimate apps on his phone are silently replaced by deceptive look-alike apps and he starts seein ...
  350. A company uses RSA for key exchange (n = 4000-bit keys) and AES for data encryption in a hybrid scheme. Considering security and performance, which data-encrypt ...
  351. During a risk assessment, you need to determine the potential impact if critical business processes are interrupted. Which process is used to identify and prior ...
  352. When analyzing a public IP address in a security alert, which of the following is generally the least important piece of information?
  353. You are starting a web application penetration test and want to grab all links from the main page of https://site.com using Linux command-line tools. Which pipe ...
  354. A security analyst discovers a critical LAN vulnerability that exposes financial and personal information of employees. He quietly reviews this data for two day ...
  355. During an internal test, a penetration tester finds an IPC$ share on a Windows host and wants to enumerate it further. Which technique is most appropriate in th ...
  356. Which of the following is the most effective way to defeat rainbow table attacks against stored passwords?
  357. A table lists approximate wireless ranges as follows: 802.11a 150–150 ft, 802.11b 150–150 ft, 802.11g 150–150 ft, and 802.16 (WiMAX) 30 miles. Which entry is in ...
  358. A hacker uses specialized tools and search engines to encrypt and anonymize all browsing, then navigates hidden services to collect sensitive data from governme ...
  359. Which activity allows attackers to build a map or outline of a target organization’s network infrastructure so they understand the environment they are about to ...
  360. A cloud security engineer wants to isolate applications from the underlying OS and run them as containerized packages using open-source technology that supports ...
  361. As part of a security assessment, you want to trace where an NTP server (192.168.1.1) gets its time from and see the chain of upstream NTP servers. Using `ntptr ...
  362. A large e-commerce organization wants a vulnerability assessment solution that imitates the outside view of attackers, performs well-organized inference-based t ...
  363. Which type of rootkit works by adding code and/or replacing parts of the operating system kernel to hide a backdoor on a system?
  364. A large corporate network is suffering repeated sniffing attacks. They have pinned the gateway MAC in ARP cache, moved to IPv6, enforced SSH instead of Telnet, ...
  365. John, a professional hacker, exfiltrates data by embedding it into DNS packets so that even DNSSEC cannot detect the abuse. He uses this channel to bypass the f ...
  366. While testing a financial web app, an ethical hacker finds an XSS risk in a 'Contact Us' form. The site’s CSP blocks inline and external-domain scripts but allo ...
  367. An ethical hacker suspects that default SNMP community strings are in use and wants to enumerate devices without changing any values in the SNMP agent’s MIB. Wh ...
  368. In a Kerberoasting scenario, an attacker has already requested TGS tickets for a service and exported them for offline cracking but was stopped mid-attack. What ...
  369. In a Kubernetes cluster, which master component is responsible for watching newly created Pods and assigning them to appropriate nodes based on resources, polic ...
  370. You are the chief security officer at AlphaTech. The team wants to use symmetric encryption for data at rest in a new cloud storage platform but is unsure how t ...
  371. Harris is identifying the OS of a target by inspecting the initial TTL and TCP window size. He observes: TTL = 64 and Window Size = 5840. Which OS is the target ...
  372. A penetration tester must gather information about subdomains of a target organization’s website. Which method is most effective for this goal?
  373. An ethical hacker performs advanced OS fingerprinting by sending a TCP packet with SYN and ECN-Echo flags set to an open TCP port and observes a SYN + ECN-Echo ...
  374. In a newly hardened environment with fully patched systems and recent security awareness training, what is the best initial focus for a vulnerability assessment ...
  375. Stephen targets an organization’s industrial control systems by sending a crafted email with a malicious attachment to a specific employee managing plant sales ...
  376. In this block cipher, each block is 64 bits and three keys are used, each effectively 56 bits. Which encryption algorithm is this?
  377. You must configure a DHCP server to lease the last 100 usable IP addresses in subnet 10.1.4.0/23. Which of the following could be leased under this configuratio ...
  378. Eric, a cloud security engineer, deploys an architecture that assumes no user or device is trusted by default and verifies every connection, granting only the m ...
  379. A security team adopts CVSS to score newly discovered vulnerabilities in their environment. Which statement correctly describes a CVSS metric type?
  380. What type of vulnerability/attack occurs when a malicious site causes a victim’s browser to send an unintended but authenticated request to a trusted server?
  381. John, a professional hacker, gains unauthorized access to a renowned organization’s network and stays there for a long time without being detected, quietly stea ...
  382. Josh has finished scanning a network and identified vulnerable services. He creates a malicious file disguised as a financial spreadsheet and drafts a spoofed e ...
  383. Morris wants to check whether target access points have WPS enabled and whether any are in a locked state. He tests several tools and succeeds with a special co ...
  384. Javik configures his home router by disabling SSID broadcast, leaving authentication open, and setting the SSID to a 32-character random string. What is the mos ...
  385. Sarah, a system administrator, finds that malware is spreading through the instant messenger application used by her team. The attacker took over one user’s IM ...
  386. Stella exploits a web-service vulnerability that uses extra routing information in the SOAP header (WS-Addressing) to support asynchronous communication, allowi ...
  387. Which antenna type is commonly used for communications in the 10 MHz up to VHF and UHF bands?
  388. Sam, a web developer, integrates a hybrid encryption solution to secure email messages. He chooses a free implementation of the OpenPGP standard that uses both ...
  389. Thomas, a cloud security professional, discovers that a bare-metal cloud server has a firmware-level vulnerability that lets attackers implant persistent backdo ...
  390. A CEH is performing LDAP enumeration against a system that only accepts secure LDAP (LDAPS). Using Python and the ldap3 library, they connect but cannot retriev ...
  391. Which tactic uses malicious code or DNS manipulation to silently redirect a user’s web traffic to a fraudulent destination?
  392. In this Wi-Fi attack, an adversary tricks a victim into reinstalling an already-in-use key by replaying parts of the cryptographic handshake. When the key is re ...
  393. An attacker uses social engineering in the form of scareware. Which is the best example of a scareware attack?
  394. Mirai malware targets IoT devices and, once they are infected, uses them to form botnets. These botnets are primarily used to launch which type of attack?
  395. During an investigation of a suspected session hijacking, a security analyst finds that the attacker sent a forged reset packet with a spoofed source IP and gue ...
  396. Which of the following is the best example of the hacking concept known as "clearing tracks"?
  397. A forensic review of a major breach like Equifax finds that attackers exploited a known Apache Struts vulnerability for which a vendor patch had been available ...
  398. You are a cybersecurity consultant for a healthcare organization that uses Internet of Medical Things (IoMT) devices like connected insulin pumps and heart rate ...
  399. Jake installs spyware on a target iPhone, remotely jailbreaks it, and gains full control: recording audio, capturing screenshots, and monitoring calls and SMS. ...
  400. A CEH is doing Whois footprinting on a domain using tools like Batch IP Converter and Whois Analyzer Pro. They cannot get complete Whois details from the regist ...
  401. On a Linux system, which leading character in a filename will hide the file from normal directory listings (e.g., `ls`)?
  402. Cross-site request forgery (CSRF) involves which of the following?
  403. In a large switched Ethernet network, an attacker is suspected of using a sniffer despite the presence of switches. Which technique would most likely enable sni ...
  404. You manage a student web server for a college project and want to protect it specifically from misconfiguration-based attacks. Which action best addresses this ...
  405. Peter, a system administrator, works remotely and worries about session hijacking over the public internet. He implements a technique that creates an encrypted ...
  406. Hailey harvests employee and client email addresses for a competitor, then uses an automated tool to spider the target website and build a custom wordlist for b ...
  407. An attacker following the Cyber Kill Chain is currently at the “Delivery” stage. According to the model, what is the most likely next action?
  408. Which of the following systems is specifically designed to search for and locate rogue wireless access points?
  409. Given the log entry: `Mar 1, 2016, 7:33:28 AM 10.240.250.23 - 54373 10.249.253.15 - 22 tcp_ip` Which statement is true?
  410. Jake studies a network-level session hijacking technique where the attacker forges ICMP redirects and ARP replies to insert their machine between a client and s ...
  411. What is the most common way to exploit the “Bash Bug” or Shellshock vulnerability?
  412. A client uses multiple cloud providers and wants unified policy enforcement, threat detection, and visibility across all of them. Which solution best fits this ...
  413. A global organization with a BYOD policy suffered a phishing incident via a third-party email app on an employee’s personal device. They want to reduce such ris ...
  414. Dayn wants to detect honeypots in a target network using a time-based TCP fingerprinting method, comparing responses from a normal machine vs a honeypot to a cr ...
  415. You have a shell on a compromised Linux server and run `nmap -T4 -O 10.10.0.0/24` for OS fingerprinting, but Nmap exits with a message that TCP/IP fingerprintin ...
  416. An ethical hacker is testing a database behind an IDS that uses strong signatures for common SQL injection patterns. Which evasion technique best bypasses signa ...
  417. Samuel monitors an established TCP session between Bob and a host, predicts Bob’s Initial Sequence Number (ISN), and then sends spoofed packets with Bob’s IP ad ...
  418. Websites and web portals that provide web services commonly use the Simple Object Access Protocol (SOAP). Which of the following is an incorrect definition or c ...
  419. Which type of SQL injection extends the results returned by the original query, enabling attackers to run another SELECT that has the same structure as the orig ...
  420. An internal security review finds a suspicious program on multiple PCs that records all user keystrokes. What type of malware is this, and what countermeasures ...
  421. A penetration tester must discover live hosts on a large network where strict TCP filtering on firewalls interferes with common host discovery techniques. Which ...
  422. A hacker targets your SQL-backed e-commerce system using several payload styles. In a successful SQL injection, which of the following payloads would have the m ...
  423. Tony wants to integrate a 128-bit symmetric block cipher that supports 128, 192, and 256-bit keys and uses 32 rounds of substitution–permutation operations on f ...
  424. During Google-based footprinting, which advanced operator restricts results to pages hosted under a specific organization’s domain?
  425. Your e-commerce site filters obvious SQL injection patterns at the application layer. A skilled attacker wants to bypass this and exfiltrate data via another ch ...
  426. Which access control mechanism allows users to authenticate once to a central authentication server and then access multiple systems without re-entering credent ...
  427. In a Meterpreter session on a compromised Windows host, which Metasploit post-exploitation command is commonly used to try to elevate privileges to SYSTEM?
  428. A web-application firewall log shows an attempted injection of: `char buff[10]; buff[10] = 'a';` What type of attack does this code fragment indicate?
  429. A web development team decides to change requirements so that users are no longer allowed to submit HTML tags in any input fields, to mitigate a specific vulner ...
  430. BitLocker is deployed on all Windows systems, and recovery keys are stored in Active Directory so they can be retrieved if lost. In cryptographic terms, what is ...
  431. Which tool is known for silently copying files from USB devices as soon as they are plugged into a system?
  432. Your team uses SSL/TLS to protect data in transit for a cloud-based app. You also want explicit protection and detection of tampering at the network layer durin ...
  433. While running Nmap against a host, Paola detects a firewall and wants to determine whether it is stateful or stateless and which ports are filtered. Which scan ...
  434. In a smart city project with thousands of IoT devices controlling critical utilities, the city fears a DDoS attack that could cripple services. What should be y ...
  435. Which Nmap switch is specifically used to help evade IDS or firewalls by sending decoy packets?
  436. Which Google advanced search operator helps an attacker gather information about websites that are similar to a specified target URL?
  437. During web footprinting, standard spiders cannot crawl a target site because of restrictions in the root directory (e.g., robots.txt). The tester instead browse ...
  438. This type of SQL injection does not display error messages and instead relies on sending payloads that cause the application to respond differently to true vs. ...
  439. After a breach through an unknown vulnerability, you want a comprehensive, ongoing security approach that involves predicting, preventing, detecting, and respon ...
  440. Robert attacks an IoT device by injecting faults into the power supply and clock network, causing skipped instructions and enabling remote code execution. Which ...
  441. Clark performs a BLE hijacking attack using Btlejack and micro:bit. Which command is used to hijack an active BLE connection?
  442. Which type of virus is specifically designed to hide its presence and is therefore most likely to remain undetected by antivirus software?
  443. When considering how an attacker may exploit a web server, what does the term “web server footprinting” best describe?
  444. Your app hashes then encrypts sensitive data before storage. You also want a cryptographic mechanism to verify that the data has not been altered when retrieved ...
  445. If executives are held liable in court for failing to properly protect organizational assets and information systems, which type of law typically applies?
  446. IDS alerts show that an internal PC connected to a newly blacklisted C2 IP on the Internet. To roughly assess severity and details of the communication, which l ...
  447. A security analyst uses Zenmap/Nmap to perform an ICMP timestamp ping scan to get time-related info from a host. Which option performs an ICMP timestamp ping?
  448. Which Nmap timing option would you use if you are not concerned about stealth and want to perform the fastest, most aggressive scan?