Pre-Summer Sale Special - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: mxmas70

Home > ECCouncil > CEH v13 > 312-50v13

312-50v13 Certified Ethical Hacker Exam (CEHv13) Question and Answers

Question # 4

As part of a penetration test for a financial firm’s smart headquarters in Denver, Colorado, ethical hacker Jordan Lee begins evaluating the IoT infrastructure responsible for lighting, HVAC, and badge-controlled access. Jordan documents details such as device models, manufacturer names, firmware versions, and supported protocols like Zigbee and BLE. This information is used to understand the device ecosystem. Which step of the IoT hacking methodology is being carried out in this phase?

A.

Information gathering

B.

Launch attacks

C.

Vulnerability scanning

D.

Gain remote access

Full Access
Question # 5

You perform a SYN (half-open) scan and receive a SYN/ACK packet in response. How should this result be interpreted?

A.

The target IP is not reachable

B.

The scanned port is open

C.

The scanned port is filtered

D.

The scanned port is closed

Full Access
Question # 6

A Java app allows file download via user-controlled path. What attack is possible?

A.

SQLi

B.

Path traversal

C.

XSS

D.

CSRF

Full Access
Question # 7

During a penetration testing engagement at First Union Bank in Chicago, ethical hacker Rachel Morgan is assigned to assess the internal network for potential sniffing activity that could compromise sensitive customer data. While inspecting traffic in the loan processing department, Rachel observes that a workstation is receiving packets not addressed to it, raising suspicion of a sniffing tool operating in promiscuous mode. To validate her hypothesis, she prepares to conduct an active verification using a classic detection approach.

Which detection technique should Rachel use to confirm the presence of a sniffer in this case?

A.

Sniffer detection using an NSE script to check for promiscuous mode

B.

DNS method by monitoring reverse DNS lookup traffic

C.

ARP method by sending non-broadcast ARP requests

D.

Ping method by sending packets with an incorrect MAC address

Full Access
Question # 8

A penetration tester is conducting a security assessment for a client and needs to capture sensitive information transmitted across multiple VLANs without being detected by the organization ' s security monitoring systems. The network employs strict VLAN segmentation and port security measures. Which advanced sniffing technique should the tester use to discreetly intercept and analyze traffic across all VLANs?

A.

Deploy a rogue DHCP server to redirect network traffic

B.

Exploit a VLAN hopping vulnerability to access multiple VLANs

C.

Implement switch port mirroring on all VLANs

D.

Use ARP poisoning to perform a man-in-the-middle attack

Full Access
Question # 9

Ethical hacker Ryan Brooks, a skilled penetration tester from Austin, Texas, was hired by Skyline Aeronautics, a leading aerospace firm in Denver, to conduct a security assessment. One stormy morning, Ryan noticed an unexpected lag in the routine system update process while running his tests, sparking his curiosity. During a late-night session, he observed a junior analyst, Chris Miller, cautiously modifying a legacy server’s configuration, including a scheduled task set to a specific date. The lead developer, Jessica Hayes, casually mentioned receiving an odd email from an unfamiliar source, which she ignored as clutter. As Ryan probed deeper, he detected a faint increase in network activity only after the scheduled date passed, and a systems admin, Mark Thompson, quickly pointed out some unusual code traces on a dormant workstation.

Which type of threat best characterizes this attack?

A.

Logic Bomb

B.

Fileless Malware

C.

Advanced Persistent Threat APT

D.

Ransomware

Full Access
Question # 10

A national e-commerce retailer experiences a sustained distributed attack that saturates its edge connectivity with high-volume traffic originating from thousands of globally dispersed hosts. Internal mitigation attempts such as ACL tuning and rate limiting fail to restore service stability.

After escalating the issue, the organization coordinates with its upstream connectivity provider, which begins rerouting inbound traffic through a large-scale filtering infrastructure capable of absorbing and scrubbing malicious traffic before forwarding legitimate requests back to the retailer’s network.

What defensive approach is being applied in this scenario?

A.

Implementing RFC 3704 Filtering at the Network Edge

B.

Enabling Cisco IPS Source IP Reputation Filtering

C.

Leveraging DDoS Prevention Offerings from an ISP or DDoS Mitigation Service

D.

Deploying Black Hole Filtering at the Routing Layer

Full Access
Question # 11

A multinational manufacturing company in San Jose, California has deployed a perimeter firewall to protect its internal production networks. During a red team exercise, testers observe that the device monitors active TCP communications and allows traffic to continue only when packets correspond to recognized, previously established connections.

The firewall evaluates multiple header attributes across ongoing communications while operating inline at the network boundary.

From a firewall architecture perspective, what type of firewall is most likely in use at this perimeter?

A.

Stateful Multilayer Inspection Firewall

B.

Circuit-Level Gateway Firewall

C.

Application-Level Firewall

D.

Packet Filtering Firewall

Full Access
Question # 12

A penetration tester suspects that the web application ' s " Order History " page is vulnerable to SQL injection because it displays user orders based on an unprotected user ID parameter in the URL. What is the most appropriate approach to test this?

A.

Inject JavaScript into the URL parameter to test for Cross-Site Scripting (XSS)

B.

Modify the URL parameter to userID=1 OR 1=1 and observe if all orders are displayed

C.

Perform a directory traversal attack to access sensitive system files

D.

Use a brute-force attack on the login form to identify valid user credentials

Full Access
Question # 13

Which of the following addresses the secrecy and privacy of information?

A.

Availability

B.

Integrity

C.

Confidentiality

D.

Authentication

Full Access
Question # 14

During a penetration test at a telecom provider in Denver, Colorado, Maria, a senior ethical hacker, notices that her scans are immediately flagged by intrusion detection systems. She modifies her technique, and as a result, the IDS devices are unable to reassemble the packets correctly, allowing her probes to slip through without detection. Which scanning evasion technique is Maria applying in this case?

A.

Packet Fragmentation

B.

Source Routing

C.

Decoy Scanning

D.

IP Spoofing

Full Access
Question # 15

An attacker exploits medical imaging protocols to intercept patient data. Which sniffing technique is most challenging?

A.

MRI firmware interception

B.

Ultrasound malware

C.

Covert channel within administrative messages

D.

Embedding data inside CT scan images

Full Access
Question # 16

An attacker exploits legacy protocols to perform advanced sniffing. Which technique is the most difficult to detect and neutralize?

A.

HTTP header overflow extraction

B.

SMTP steganographic payloads

C.

Covert channel via Modbus protocol manipulation

D.

X.25 packet fragmentation

Full Access
Question # 17

You discover a Web API integrated with webhooks and an existing administrative web shell. Your objective is to compromise the system while leaving minimal traces. Which technique is most effective?

A.

SSRF to perform unauthorized API calls

B.

IDOR exploitation

C.

Upload malicious scripts via the web shell

D.

Manipulate the webhook for unintended data transfer

Full Access
Question # 18

Which sophisticated DoS technique is hardest to detect and mitigate?

A.

Distributed SQL injection DoS

B.

Coordinated UDP flood on DNS servers

C.

Zero-day exploit causing service crash

D.

Smurf attack using ICMP floods

Full Access
Question # 19

A cyber adversary wants to enumerate firewall rules while minimizing noise and mimicking normal traffic behavior. Which reconnaissance technique enables mapping of firewall filtering behavior using TTL-manipulated packets?

A.

Sending ICMP Echo requests to the network ' s broadcast address

B.

Passive DNS monitoring to observe domain-to-IP relationships

C.

Conducting full SYN scans on all ports for each discovered IP

D.

Firewalking with manipulated TTL values to analyze ACL responses

Full Access
Question # 20

During a quarterly security audit at a multinational logistics firm, network security manager Priya initiates a scheduled vulnerability assessment across the organization’s hybrid infrastructure. Her team begins by identifying all active IT assets and assigning them risk scores based on business criticality. The following week, they deploy scanning tools to detect security weaknesses, validate the findings manually, and classify vulnerabilities based on severity and exploitability. After coordinating with the IT operations team, they develop a structured timeline to address the confirmed vulnerabilities, giving priority to high-risk findings affecting mission-critical systems. Finally, after the vulnerabilities are addressed, Priya ensures the affected systems are rescanned to confirm resolution and generates a compliance report for executive review.

Based on this workflow, which phase of the Vulnerability-Management Life Cycle is Priya executing?

A.

Remediation

B.

Vulnerability Analysis

C.

Verification

D.

Risk Assessment

Full Access
Question # 21

In ethical hacking, what is black box testing?

A.

Testing using only publicly available information

B.

Testing without any prior knowledge of the system

C.

Testing with full system knowledge

D.

Testing knowing only inputs and outputs

Full Access
Question # 22

During a physical penetration test at Sterling Electronics in Cleveland, ethical hacker Priya waits near the employee entrance during a shift change. When a group of staff enters the building using their access cards, Priya closely follows behind without swiping her own badge. None of the employees confront her, assuming she belongs there. Once inside, Priya proceeds to the break area where she documents the success of the exercise.

Which social engineering technique is Priya demonstrating?

A.

Shoulder Surfing

B.

Dumpster Diving

C.

Tailgating

D.

Piggybacking

Full Access
Question # 23

During a security assessment at Apex Technologies in Austin, Texas, the cybersecurity team identifies a high risk of social engineering attacks, including phishing, vishing, and baiting, targeting employees across departments. To strengthen defenses, the team plans to implement a countermeasure to reduce the likelihood of employees disclosing sensitive information. Which of the following countermeasures should Apex Technologies prioritize to mitigate the risk of social engineering attacks?

A.

Conduct security awareness and training programs

B.

Employees must verify the identity of individuals requesting information

C.

Use two-factor authentication

D.

Establish policies and procedures for handling sensitive information

Full Access
Question # 24

A company’s customer data in a cloud environment has been exposed due to an unknown vulnerability. Which type of issue most likely led to the incident?

A.

Side-channel attack on the hypervisor

B.

Denial-of-Service (DoS) attack on cloud servers

C.

Brute-force attack on user passwords

D.

Exploitation of misconfigured security groups

Full Access
Question # 25

A regional law firm authorizes a wireless resilience evaluation after employees report intermittent connectivity disruptions in conference rooms. An ethical hacker assigned to the assessment analyses client behaviour while transmitting carefully crafted 802.11 management frames toward the organization ' s primary access point. Each transmission immediately causes several connected laptops to lose association with the network, requiring users to reconnect manually. Connectivity interruptions occur only when the crafted frames are sent. Identify the wireless attack illustrated by this activity.

A.

Eavesdropping Attack

B.

Jamming Attack

C.

Evil Twin Attack

D.

Deauthentication Attack

Full Access
Question # 26

A senior executive receives a personalized email titled “Annual Performance Review 2024.” The email includes a malicious PDF that installs a backdoor when opened. The message appears to originate from the CEO and uses official company branding. Which phishing technique does this scenario best illustrate?

A.

Email clone attack with altered attachments

B.

Broad phishing sent to all employees

C.

Pharming using DNS poisoning

D.

Whaling attack targeting high-ranking personnel

Full Access
Question # 27

A publicly traded blockchain startup conducts a forensic review after irregular transaction reversals are detected on its distributed ledger platform. Network telemetry indicates that a single coordinated entity controlled a dominant share of the computational power participating in block validation during the affected time window.

As a result, certain confirmed transactions were replaced with alternate versions, enabling double-spending before the broader network regained balance. No individual node isolation or transaction front-running behavior is observed; rather, the anomaly stems from disproportionate influence over block creation.

Identify the blockchain attack most consistent with this incident.

A.

Eclipse Attack

B.

Finney Attack

C.

51% Attack

D.

DeFi Sandwich Attack

Full Access
Question # 28

During a reconnaissance engagement at a law firm in Houston, Texas, you are tasked with analyzing the physical movement of employees through their publicly shared media. By examining geotagged images and mapping them to specific locations, you aim to evaluate whether staff are unintentionally disclosing sensitive information about office routines. Which tool from the reconnaissance toolkit would best support this task?

A.

Creepy

B.

Social Searcher

C.

Sherlock

D.

Maltego

Full Access
Question # 29

In Seattle, Washington, ethical hacker Mia Chen is tasked with testing the network defenses of Pacific Shipping Co., a major logistics firm. During her penetration test, Mia targets the company ' s external-facing web server, which handles customer tracking requests. She observes that the security system filtering traffic to this server analyzes incoming SSH and DNS requests to block unauthorized access attempts. Mia plans to craft specific payloads to bypass this system to expose vulnerabilities to the IT department.

Which security system is Mia attempting to bypass during her penetration test of Pacific Shipping Co. ' s web server?

A.

Stateful Multilayer Inspection Firewall

B.

Application-Level Firewall

C.

Packet Filtering Firewall

D.

Circuit-Level Gateway Firewall

Full Access
Question # 30

A serverless application was compromised through an insecure third-party API used by a function. What is the most effective countermeasure?

A.

Deploy a cloud-native security platform

B.

Enforce function-level least privilege permissions

C.

Use a CASB for third-party services

D.

Regularly update serverless functions

Full Access
Question # 31

A multinational payment processor conducts a long-term risk assessment to evaluate the durability of its encrypted archives against future computational advances. Internal analysts warn that if large-scale quantum computers become operational, currently deployed public-key schemes protecting stored customer data may become vulnerable to rapid key recovery.

To maintain long-term confidentiality of archived financial records, the security architecture team must implement a defensive strategy that directly addresses cryptographic resilience rather than relying solely on network segmentation or development policy controls.

Determine the most appropriate mitigation to protect stored data against quantum-enabled decryption capabilities.

A.

Use quantum-specific firewalls to protect quantum communication channels

B.

Break data into fragments and distribute it across multiple locations

C.

Encrypt stored data with quantum-resistant algorithms

D.

Include quantum-resistance checks in SDLC and code review processes

Full Access
Question # 32

During a security review, you have discovered that there are no documented security policies for the area you are assessing. Which of the following would be the most appropriate course of action?

A.

Create policies while testing

B.

Stop the audit

C.

Identify and evaluate current practices

D.

Increase the level of testing

Full Access
Question # 33

You are an ethical hacker at RedOak Cyber Solutions, contracted to perform a penetration test for MetroHealth Hospital in Cleveland, Ohio. While assessing the hospital ' s appointment booking portal, you craft and submit multiple malicious inputs into the patient search field. One of your payloads successfully manipulates the backend query, returning additional appointment data that was not intended to be displayed.

Based on the observed behavior, which step of the SQL injection methodology are you performing?

A.

Identifying Data Entry Paths

B.

Launching SQL Injection Attacks

C.

Database Enumeration

D.

Information Gathering and Vulnerability Detection

Full Access
Question # 34

Olivia works as a senior red team specialist at SecureMatrix Labs in Portland, Oregon. During a controlled adversarial simulation, she deployed a stealth persistence mechanism on a test workstation to evaluate advanced defensive detection capabilities.

After rebooting the system, the operating system continued to function normally, but subsequent investigation revealed that the OS was executing within an underlying control layer established before full system initialization. This layer intercepted low-level CPU instructions and mediated direct hardware interactions prior to their delivery to the operating system.

Which type of rootkit best describes the mechanism deployed in this scenario?

Full Access
Question # 35

A penetration tester is running a vulnerability scan on a company’s network. The scan identifies an open port with a high-severity vulnerability linked to outdated software. What is the most appropriate next step for the tester?

A.

Execute a denial-of-service (DoS) attack on the open port

B.

Perform a brute-force attack on the service running on the open port

C.

Research the vulnerability and determine if it has a publicly available exploit

D.

Ignore the vulnerability and focus on finding more vulnerabilities

Full Access
Question # 36

Which of the following is the primary objective of a rootkit?

A.

It provides an undocumented opening in a program

B.

It replaces legitimate programs

C.

It creates a buffer overflow

D.

It opens a port to provide an unauthorized service

Full Access
Question # 37

A global fintech company receives extortion emails threatening a severe DDoS attack unless ransom is paid. The attacker briefly launches an HTTP flood to demonstrate capability. The attack uses incomplete POST requests that overload application-layer resources, causing performance degradation. The attacker reinforces their demand with a second threat email. What type of DDoS attack is being carried out?

A.

RDDoS attack combining threat and extortion

B.

DRDoS attack using intermediaries

C.

Recursive GET flood disguised as crawling

D.

Pulse wave attack with burst patterns

Full Access
Question # 38

A financial services firm detects that outbound corporate emails containing sensitive underwriting data were intercepted while transmitted over unsecured channels. To immediately restore confidentiality and ensure authenticity of executive communications, the security operations team deploys a standardized email encryption framework compatible with the organization’s Microsoft Outlook environment.

The selected solution must support digital signatures for sender authentication, rely on a public-key infrastructure for secure key exchange, and enable recipients to validate signed messages using certificates issued by trusted authorities.

Identify the email encryption standard that best fulfills these requirements.

A.

FlowCrypt

B.

RMail

C.

S/MIME

D.

OpenPGP

Full Access
Question # 39

While reviewing exposed infrastructure for a logistics company in Denver, Joe, a security analyst, identifies that one host is synchronizing time using UDP port 123. Probing further, he issues queries to extract details about peers, offsets, and delays. This allows him to gather internal hostnames and client IP addresses connected to the time server. Such information leakage could provide insight into the company ' s internal network structure.

Which technique was most likely used to obtain this information?

A.

DNS Zone Transfer Enumeration

B.

NTP Enumeration

C.

VoIP Enumeration

D.

NetBIOS Enumeration

Full Access
Question # 40

Michael, an ethical hacker at a New York-based e-commerce company, is evaluating the security of their online payment system after a recent incident where fraudulent transactions went undetected. His investigation reveals that the system uses an asymmetric encryption algorithm to ensure the authenticity of payment confirmations. He finds that the algorithm employs a public-key cryptosystem, where the sender signs the transaction with a private key, and the recipient verifies it using a corresponding public key located in a directory. During his test, Michael intercepts a signed message and notices that the algorithm supports modular exponentiation for generating digital signatures, a process critical for verifying the identity of the signatory. He aims to assess if the algorithm’s configuration could be vulnerable to a man-in-the-middle attack due to its key structure.

Which asymmetric encryption algorithm should Michael identify as the one used by the payment system?

A.

Diffie-Hellman

B.

RSA

C.

ElGamal

D.

DSA

Full Access
Question # 41

As part of a cybersecurity assessment for a healthcare provider in Denver, Colorado, you are asked to recommend a framework that addresses how organizations should identify, assess, and treat information security risks as part of their ISMS. Which international standard best meets this requirement?

A.

ISO/IEC 27701:2019

B.

ISO/IEC 27002:2022

C.

ISO/IEC 27005:2022

D.

ISO/IEC 27001:2022

Full Access
Question # 42

Which payload is most effective for testing time-based blind SQL injection?

A.

AND 1=0 UNION ALL SELECT ' admin ' , ' admin

B.

UNION SELECT NULL, NULL, NULL --

C.

OR ' 1 ' = ' 1 ' ;

D.

AND BENCHMARK(5000000,ENCODE( ' test ' , ' test ' ))

Full Access
Question # 43

An attacker examines differences in ciphertext outputs resulting from small changes in the input to deduce key patterns in a symmetric algorithm. What method is being employed?

A.

Differential cryptanalysis on input-output differences

B.

Timing attack to infer key bits based on processing time

C.

Brute-force attack to try every possible key

D.

Chosen-ciphertext attack to decrypt arbitrary ciphertexts

Full Access
Question # 44

During a penetration test at Pacific Trust Bank in Seattle, ethical hacker Mia Chen suspects that a server hosting customer transaction data may be a honeypot. To investigate, she repeatedly sends crafted queries and observes how quickly the system responds. She notices that responses are consistently faster and more uniform than those of other production servers, raising her suspicion that the environment is designed to lure attackers.

Which technique is Mia most likely using to determine if the server is a honeypot?

A.

Analyzing MAC Address

B.

Analyzing Response Time

C.

Fingerprinting the Running Service

D.

Analyzing System Configuration and Metadata

Full Access
Question # 45

During a penetration test at Greenview Credit Union in Chicago, Illinois, ethical hacker Rebecca Hayes simulates an attacker who contacts employees using a voice channel. The number displayed on their devices appears identical to the institution’s official line, convincing staff that the request is legitimate. Rebecca then asks for account credentials under the pretense of a mandatory security check. Which mobile attack vector is she demonstrating?

A.

Call Spoofing

B.

OTP Hijacking

C.

Bluebugging

D.

SMiShing

Full Access
Question # 46

You are Ava Mitchell, an ethical hacker at Sentinel Cyberworks, hired to test the wireless defenses of Horizon Financial, a bank in Boston, Massachusetts. During a covert night-time assessment, your objective is to simulate an attacker attempting to breach the bank ' s WPA-protected Wi-Fi network. You deploy a tool that allows you to capture wireless packets, send de-authentication packets to force client reconnections, and attempt to recover the encryption key, all within a single graphical interface. Based on the described functionality, which Wi-Fi security auditing tool are you using?

A.

Fern WiFi Cracker

B.

RFProtect

C.

Cisco Adaptive Wireless IPS

D.

WatchGuard Wi-Fi Cloud WIPS

Full Access
Question # 47

During testing against a network protected by a signature-based IDS, the tester notices that standard scans are blocked. To evade detection, the tester sends TCP headers split into multiple small IP fragments so the IDS cannot reassemble or interpret them, but the destination host can. What technique is being used?

A.

IP decoying with randomized address positions

B.

SYN scan with spoofed MAC address

C.

Packet crafting with randomized window size

D.

Packet fragmentation to bypass filtering logic

Full Access
Question # 48

You are Riley, an incident responder at NovaEx Crypto in San Antonio, Texas, tasked with investigating a recent double-spend reported by a retail merchant that accepts the exchange ' s token. Your telemetry shows that a reseller node used by the merchant received blocks only from a small, fixed set of peers for several hours and accepted a conflicting history that later allowed the attacker to reverse a confirmed payment. The attacker appears to have controlled which peers that node communicated with and supplied it a private chain until they were ready to reveal it. Which blockchain attack does this behavior most closely describe?

A.

Finney Attack

B.

DeFi Sandwich Attack

C.

51% Attack

D.

Eclipse Attack

Full Access
Question # 49

You are a cybersecurity consultant at FortiSec, advising DesertTech Innovations in Phoenix, Arizona. The company wants to modernize its Wi-Fi so that even if an attacker obtains a captured handshake or a weak passphrase, they cannot perform offline dictionary attacks or recover session keys; management also wants stronger, per-session encryption and protection for IoT devices without relying on a single shared password.

Which wireless security measure should DesertTech implement to meet these goals?

A.

MAC Address Filtering

B.

Use 802.1X Authentication

C.

Upgrade to WPA3

D.

Disable TKIP

Full Access
Question # 50

During an external security review of a manufacturing firm in Detroit, Michigan, you ' re asked to prioritize patch baselines for internet-facing servers without logging in or establishing full sessions. To achieve this, you analyze network-level responses and capture application output in order to determine the underlying system and its software release. Which technique best fits this objective?

A.

Service Version Discovery

B.

Port Scanning

C.

OS Discovery

D.

Vulnerability Scanning

Full Access
Question # 51

During a red team test, a web application dynamically builds SQL queries using a numeric URL parameter. The tester sends the following request:

http://vulnerableapp.local/view.php?id=1; DROP TABLE users;

The application throws errors and the users table is deleted. Which SQL injection technique was used?

A.

UNION-based SQL injection

B.

Stacked (Piggybacked) queries

C.

Boolean-based SQL injection

D.

Error-based SQL injection

Full Access
Question # 52

A CEH has mirrored a website, identified session hijacking risk, and wants to minimize detection. What is the most appropriate next step?

A.

Attempt SQL Injection

B.

Hijack a session and modify server configuration

C.

Launch brute-force attacks

D.

Perform automated vulnerability scanning

Full Access
Question # 53

In Austin, Texas, ethical hacker Michael Reyes is conducting a red team exercise for Horizon Tech, a software development firm. During his assessment, Michael crafts a malicious link that appears to lead to the company ' s internal project management portal. When an unsuspecting employee clicks the link, it redirects them to a login session that Michael has already initialized with the server. After the employee logs in, Michael uses that session to access the portal in a controlled test, demonstrating a vulnerability to the IT team.

Which session hijacking technique is Michael using in this red team exercise?

A.

Session donation attack

B.

Session replay attack

C.

Session sniffing

D.

Session fixation attack

Full Access
Question # 54

During a recent security assessment, you discover the organization has one Domain Name Server (DNS) in a Demilitarized Zone (DMZ) and a second DNS server on the internal network. What is this type of DNS configuration commonly called?

A.

DNS Scheme

B.

DNSSEC

C.

DynDNS

D.

Split DNS

Full Access
Question # 55

During a penetration test at a healthcare provider in Phoenix, ethical hacker Sofia crafts a stream of IP packets with manipulated offset fields and overlapping payload offsets so that the records server ' s protocol stack repeatedly attempts to reconstruct the original datagrams. The repeated reconstruction attempts consume CPU and memory, causing the system to crash intermittently and disrupt patient portal access, even though overall bandwidth remains normal. Packet analysis shows deliberately malformed offsets that trigger processing errors rather than a simple flood of traffic.

Which type of attack is Sofia most likely simulating?

A.

Fragmentation Attack

B.

ICMP Flood

C.

Teardrop Attack

D.

Ping of Death

Full Access
Question # 56

While auditing legacy network devices at a public hospital in Miami, Jason, a penetration tester, needs to verify what SNMP traffic is leaking across the internal segment. Instead of running structured queries, he decides to capture live network traffic and manually review the protocol fields. This method allows him to see SNMP requests and responses in transit but requires manual parsing of OIDs, community strings, and variable bindings.

Which method should Jason use in this situation?

A.

Nmap

B.

Wireshark

C.

SnmpWalk

D.

SoftPerfect Network Scanner

Full Access
Question # 57

You detect the presence of a kernel-level rootkit embedded deeply within an operating system. Given the critical nature of the infection, which remediation strategy should be followed to effectively remove the rootkit while minimizing long-term risk?

A.

Use specialized rootkit detection tools followed by tailored removal procedures

B.

Deploy high-interaction honeypots to observe attacker behavior

C.

Perform a complete system format and reinstall the operating system from a trusted source

D.

Immediately power down the system and disconnect it from the network

Full Access
Question # 58

As part of a passive reconnaissance engagement for a university research network, you are tasked with mapping potential administrative exposure points across .edu domains. Your objective is to identify web pages that might allow privileged backend access, such as misconfigured administrative interfaces, using only publicly indexed information. To ensure efficiency and compliance, you decide to use advanced Google search operators to refine your search results. Your goal is to locate URLs across educational domains that may contain restricted backend functionality.

Which of the following search strings would most effectively support this goal?

A.

site:.edu filetype:pdf intitle: " admin "

B.

intitle: " admin login " site:.edu

C.

site:.edu inurl:admin

D.

inanchor: " backend access " site:.edu

Full Access
Question # 59

During an IDS audit, you notice numerous alerts triggered by legitimate user activity. What is the most likely cause?

A.

Regular users are unintentionally triggering security protocols

B.

The firewall is failing to block malicious traffic

C.

The IDS is outdated and unpatched

D.

The IDS is configured with overly sensitive thresholds

Full Access
Question # 60

A payload causes a significant delay in response without visible output when testing an Oracle-backed application. What SQL injection technique is being used?

A.

Time-based SQL injection using WAITFOR DELAY

B.

Heavy query-based SQL injection

C.

Union-based SQL injection

D.

Out-of-band SQL injection

Full Access
Question # 61

After installing a backdoor on a web server, what action best ensures it remains undetected?

A.

Embed it in a frequently updated web file

B.

Increase the backdoor code size

C.

Install it on a non-web file referenced in a URL

D.

Place it in a file type excluded from resource maps

Full Access
Question # 62

An attacker has partial root access to a mobile application. What control best prevents further exploitation?

A.

Secure coding and automated reviews

B.

Certificate pinning

C.

Regular penetration testing

D.

Mobile Application Management (MAM)

Full Access
Question # 63

A penetration tester suspects that a web application ' s user profile page is vulnerable to SQL injection, as it uses the userID parameter in SQL queries without proper sanitization. Which technique should the tester use to confirm the vulnerability?

A.

Use the userID parameter to perform a brute-force attack on the admin login page

B.

Modify the userID parameter in the URL to ' OR ' 1 ' = ' 1 and check if it returns multiple profiles

C.

Inject HTML code into the userID parameter to test for Cross-Site Scripting (XSS)

D.

Attempt a directory traversal attack using the userID parameter

Full Access
Question # 64

This type of security test might seek to target the CEO ' s laptop or the organization ' s backup tapes to extract critical information, usernames, and passwords.

A.

Stolen equipment

B.

Insider attack

C.

Physical entry

D.

Outsider attack

Full Access
Question # 65

A compromised admin account is used to disable logging services. What is the attacker attempting?

A.

Anti-forensics

B.

Exfiltration

C.

Recon

D.

Privilege escalation

Full Access
Question # 66

You are an ethical hacker at SilverRock Security, engaged by BayState Credit Union in Boston, Massachusetts, to evaluate their online loan application portal. While testing the customer dashboard, you inject crafted input into a numeric parameter. Instead of returning only the expected loan details, the response also displays sensitive employee information from another table, merged into the same page results. This behavior indicates that the attacker’s input successfully combined multiple datasets into a single output.

Based on the observed behavior, which type of SQL injection attack are you exploiting?

A.

Error-Based SQL Injection

B.

Blind SQL Injection

C.

Second-Order SQL Injection

D.

UNION SQL Injection

Full Access
Question # 67

Prior to a federal audit, a cybersecurity consulting firm conducted an exposure review for a software company in Salt Lake City, Utah. The engagement focused on evaluating infrastructure reachable through the organization’s publicly registered domain records. The consultants identified open service ports on several servers, examined their patch levels for outdated components, and reviewed available DNS zone information to understand how systems were presented to remote systems. Based on the activities described, what type of vulnerability scanning is being performed?

A.

Internal Scanning

B.

External Scanning

C.

Manual Scanning

D.

Network-based Scanning

Full Access
Question # 68

A digital media company in Seattle, Washington deploys an Nginx-based infrastructure to support its internal analytics dashboard and content publishing portal. During an authorized red team engagement, a tester evaluates the web-based administrative interface used to upload configuration bundles and manage application components. While analyzing a file-upload feature, the tester observes that certain user-supplied parameters submitted with uploaded content are incorporated into backend processing routines with limited validation. By adjusting specific values in the request, he alters how the server-side component interprets those inputs. Subsequent log analysis shows that the modified input affected system-level operations executed under the web service context, despite no direct shell access being obtained. Which Nginx-related vulnerability best describes the weakness identified in this scenario?

A.

Improper certificate validation

B.

NULL pointer dereference in HTTP/3

C.

OS command injection in nginxWebUI

D.

Server-side request forgery (SSRF) vulnerability

Full Access
Question # 69

During a forensic log review at a satellite communications provider in Denver, Colorado, cybersecurity analyst Kevin Morales identified subtle timestamp irregularities in archived telemetry records. Although the discrepancies were minor, regulatory reporting standards required confirmation that the system clock was synchronizing correctly with its configured time sources.

Kevin needed to interact directly with the host’s running time service to review its current associations and operational state. He was not attempting to reset the clock or trace the hierarchy of upstream time authorities, but rather to query the active service for detailed status information from the target machine.

Identify the command Kevin should execute to obtain this information.

A.

ntptrace [-n] [-m maxhosts] [servername/IP address]

B.

ntpq [-inp] [-c command] [host] [...]

C.

ntpdc [-ilnps] [-c command] [host] [...]

D.

ntpq -p [host]

Full Access
Question # 70

As an IT security analyst, you perform network scanning using ICMP Echo Requests. During the scan, several IP addresses do not return Echo Replies, yet other network services remain operational. How should this situation be interpreted?

A.

The non-responsive IP addresses indicate severe network congestion.

B.

A firewall or security control is likely blocking ICMP Echo Requests.

C.

The lack of Echo Replies indicates an active security breach.

D.

The IP addresses are unused and available for reassignment.

Full Access
Question # 71

A municipal data center in Phoenix, Arizona, deploys a network intrusion detection system to monitor traffic entering its public records portal. During a scheduled red team exercise, authorized testers successfully exploit a vulnerable web service and gain restricted administrative access.

Post-exercise review reveals that the IDS generated a high-severity alert precisely at the time the exploit traffic reached the server. Log correlation confirms that the alert corresponded directly to the malicious activity performed during the test window.

How should this IDS outcome be classified?

A.

False Negative

B.

True Positive

C.

False Positive

D.

True Negative

Full Access
Question # 72

You are a security analyst at Sentinel Cyber Group, monitoring the web portal of Aspen Valley Bank in Salt Lake City, Utah. During log review, you notice repeated attempts by attackers to inject malicious strings into the login fields. However, despite these attempts, the application executes queries safely without altering their logic, since user inputs are kept separate from the SQL statements and bound as fixed values before execution.

Based on the observed defense mechanism, which SQL injection countermeasure is the application employing?

A.

Perform user input validation

B.

Restrict database access

C.

Encoding the single quote

D.

Use parameterized queries or prepared statements

Full Access
Question # 73

A manufacturing company in Columbus, Ohio, reported a surge in internal support tickets after employees received an alarming email appearing to originate from an independent cybersecurity researcher.

The message claimed that a newly discovered malware strain was actively targeting corporate email systems and stated that several Fortune 500 organizations had already been compromised. It encouraged recipients to immediately circulate the message within their departments “to minimize exposure,” warning that failure to act quickly could result in data loss.

The email did not request credentials, payment, or direct downloads. However, it relied heavily on dramatic language and cited unverifiable statistics to increase urgency and credibility.

From a social engineering classification standpoint, how should this technique be categorized?

A.

Scareware Designed to Trick Users into Installing Rogue Software

B.

Spam Email Used for Mass Unsolicited Distribution

C.

Chain Letters that Incentivize Forwarding Messages

D.

Hoax Letters that Spread False Security Warnings

Full Access
Question # 74

A defense contractor in Arlington, Virginia, initiated an internal awareness exercise to test employee susceptibility to human-based manipulation. During the assessment, an individual posing as an external recruitment consultant began casually engaging several engineers at a nearby industry networking event. Over multiple conversations, the individual gradually steered discussions toward current research initiatives, development timelines, and internal project code names. No direct requests for credentials or system access were made. Instead, the information was obtained incrementally through carefully crafted questions embedded within informal dialogue. Which social engineering technique is most accurately demonstrated in this scenario?

A.

Quid Pro Quo

B.

Baiting

C.

Elicitation

D.

Honey Trap

Full Access
Question # 75

Arjun Mehta, a red team specialist at Sentinel Dynamics, is conducting a controlled reconnaissance assessment against the company’s perimeter network. During testing, the security operations team observes that the firewall logs display several different originating systems associated with the same scanning activity. Arjun’s objective is to ensure that his actual testing machine cannot be easily distinguished from other recorded entries.

What technique is Arjun using in this scenario?

A.

Source Routing

B.

IP Address Decoy

C.

Source Port Manipulation

D.

IP Address Spoofing

Full Access
Question # 76

A financial institution ' s online banking platform is experiencing intermittent downtime caused by a sophisticated DDoS attack that combines SYN floods and HTTP GET floods from a distributed botnet. Standard firewalls and load balancers cannot mitigate the attack without affecting legitimate users. To protect their infrastructure and maintain service availability, which advanced mitigation strategy should the institution implement?

A.

Configure firewalls to block all incoming SYN and HTTP requests from external IPs

B.

Increase server bandwidth and apply basic rate limiting on incoming traffic

C.

Deploy an Intrusion Prevention System (IPS) with deep packet inspection capabilities

D.

Utilize a cloud-based DDoS protection service that offers multi-layer traffic scrubbing and auto-scaling

Full Access
Question # 77

A penetration tester is testing a web application ' s product search feature, which takes user input and queries the database. The tester suspects inadequate input sanitization. What is the best approach to confirm the presence of SQL injection?

A.

Inject a script to test for Cross-Site Scripting (XSS)

B.

Input DROP TABLE products; -- to see if the table is deleted

C.

Enter 1 ' OR ' 1 ' = ' 1 to check if all products are returned

D.

Use directory traversal syntax to access restricted files on the server

Full Access
Question # 78

You are an ethical hacker at Nexus Cybersecurity, contracted to perform a penetration test for BlueRidge Retail, a US-based e-commerce company in Atlanta, Georgia. While testing their online store’s product search page, you attempt to inject a malicious query into the URL to extract customer data. The application is protected by a web application firewall WAF that blocks standard SQL injection attempts. To bypass this, you modify your input to split the query into multiple parts, ensuring the malicious instructions are not detected as a single signature. For example, you craft the URL as products.php?id=1+UNION+SE+LECT+1,2, which successfully retrieves unauthorized data. Based on the observed behavior, which SQL injection evasion technique are you employing?

A.

Hex Encoding

B.

String Concatenation

C.

In-line Comment

D.

Null Byte

Full Access
Question # 79

A multinational company plans to deploy an IoT-based environmental control system across global manufacturing units. The security team must identify the most likely attack vector an Advanced Persistent Threat (APT) group would use to compromise the system. What is the most plausible method?

A.

Launching a DDoS attack to overload IoT devices

B.

Compromising the system using stolen user credentials

C.

Exploiting zero-day vulnerabilities in IoT device firmware

D.

Performing an encryption-based Man-in-the-Middle attack

Full Access
Question # 80

During a black-box internal penetration test, a security analyst identifies an SNMPv2-enabled Linux server using the default community string “public.” The analyst wants to enumerate running processes. Which Nmap command retrieves this information?

A.

nmap -sU -p 161 --script snmp-sysdescr

B.

nmap -sU -p 161 --script snmp-win32-services

C.

nmap -sU -p 161 --script snmp-processes

D.

nmap -sU -p 161 --script snmp-interfaces

Full Access
Question # 81

You are part of the red team assigned to evaluate the physical and social vulnerabilities of a government contractor ' s office located in a metropolitan business hub. During your pretexting phase, you decide to simulate the role of a third-party IT technician. Upon arrival, the receptionist allows you entry without verifying credentials, assuming you ' re there for scheduled printer maintenance. While moving through the workspace, you casually observe open terminals, unattended printouts, and discarded sticky notes at workstations. You later report several user credentials and partial access details acquired during this visit.

Which social engineering technique does this scenario best illustrate?

A.

Shoulder Surfing

B.

Eavesdropping

C.

Impersonation

D.

Dumpster Diving

Full Access
Question # 82

An ethical hacker needs to enumerate user accounts and shared resources within a company ' s internal network without raising any security alerts. The network consists of Windows servers running default configurations. Which method should the hacker use to gather this information covertly?

A.

Deploy a packet sniffer to capture and analyze network traffic

B.

Perform a DNS zone transfer to obtain internal domain details

C.

Exploit null sessions to connect anonymously to the IPC$ share

D.

Utilize SNMP queries to extract user information from network devices

Full Access
Question # 83

A WPA2-PSK wireless network is tested. Which method would allow identification of a key vulnerability?

A.

De-authentication attack to capture the four-way handshake

B.

MITM to steal the PSK directly

C.

Jamming to force PSK disclosure

D.

Rogue AP revealing PSK

Full Access
Question # 84

During a code review at a defense technology contractor in Virginia, penetration tester Lucas identifies that a newly deployed payroll application encrypts sensitive employee data using a weak custom algorithm. In addition, its session validation logic allows certain requests to bypass access controls altogether. These oversights are traced back to flawed system logic and poor encryption design decisions made during the development phase.

Which vulnerability category BEST describes the issue Lucas discovered?

A.

Design Flaws

B.

Application Flaws

C.

Misconfigurations/Weak Configurations

D.

Poor Patch Management

Full Access
Question # 85

A zero-day vulnerability is actively exploited in a critical web server, but no vendor patch is available. What should be the FIRST step to manage this risk?

A.

Shut down the server

B.

Apply a virtual patch using a WAF

C.

Perform regular backups and prepare IR plans

D.

Monitor for suspicious activity

Full Access
Question # 86

Which protocol is insecure by default?

A.

HTTPS

B.

SFTP

C.

SSH

D.

Telnet

Full Access
Question # 87

A tester evaluates a login form that builds SQL queries using unsanitized input. By submitting a single quote ( ' ), the tester bypasses authentication and logs in. What type of SQL injection occurred?

A.

UNION-based SQL injection

B.

Error-based SQL injection

C.

Time-based blind SQL injection

D.

Tautology-based SQL injection

Full Access
Question # 88

During an internal penetration test within a large corporate environment, the red team gains access to an unrestricted network port in a public-facing meeting room. The tester deploys an automated tool that sends thousands of DHCPDISCOVER requests using randomized spoofed MAC addresses. The DHCP server’s lease pool becomes fully depleted, preventing legitimate users from obtaining IP addresses. What type of attack did the penetration tester perform?

A.

DHCP starvation

B.

Rogue DHCP relay injection

C.

DNS cache poisoning

D.

ARP spoofing

Full Access
Question # 89

You are Michael, an ethical hacker at a New York–based e-commerce company performing a security review of their payment-signing service. While observing the signing process (without access to private keys), you note the service generates a fresh random value for each signature operation, the signature algorithm uses modular arithmetic in a subgroup defined by public domain parameters, and signatures are verified with a public verification key rather than by decrypting the message. Which asymmetric algorithm best matches the signing mechanism you observed?

A.

DSA

B.

RSA

C.

Diffie-Hellman

D.

ElGamal

Full Access
Question # 90

You are leading an internal red team assessment for a multinational bank with a highly complex and distributed IT infrastructure. Your team is required to simulate attacks across cloud services, servers, and remote endpoints. Due to the sheer scale of the environment, you deploy an AI-based platform that automatically scans the entire network, flags anomalies based on prior breach data, and adjusts its threat detection models as new attack behaviors are encountered.

What key benefit of AI-driven ethical hacking is most critical to your success in this scenario?

A.

Predictive analysis

B.

Simulation and testing

C.

Scalability

D.

Enhanced reporting

Full Access
Question # 91

During a red team assessment at Apex Technologies in Austin, ethical hacker Ryan tests whether employees can be tricked into disclosing sensitive data over the phone. He poses as a vendor requesting payment details and reaches out to several staff members. To evaluate defenses, the security team emphasizes that beyond general training, there is a practical step employees must apply in every interaction to avoid being deceived by such calls.

Which countermeasure should Apex Technologies prioritize to directly prevent this type of social engineering attempt?

A.

Conduct security awareness programs

B.

Employees must verify the identity of individuals requesting information

C.

Establish policies and procedures

D.

Use two-factor authentication

Full Access
Question # 92

MidWest BioAnalytics, a pharmaceutical research firm in Columbus, Ohio, authorizes a controlled adversarial simulation to assess the resilience of its internal web-based inventory management platform. During the exercise, administrators observe that several active client connections briefly lose synchronization, and unexpected command patterns appear within system transaction logs.

The irregularities are subtle and become apparent only after reviewing stored network captures. Executive leadership requests a solution that can maintain ongoing visibility into network exchanges and highlight activity that diverges from typical communication behavior across the organization’s infrastructure.

Which approach best satisfies this requirement?

Full Access
Question # 93

In a recent cybersecurity incident, Google’s response team in the United States investigated a severe attack that briefly disrupted services and customer-facing platforms for approximately 2–3 minutes. Server logs recorded a sudden surge in traffic, peaking at 398 million requests per second, which caused active connections to drop unexpectedly. The attack was traced to numerous compromised devices, likely orchestrated through malicious tools promoted on social media. Based on this information, what type of attack was most likely executed against Google’s infrastructure?

A.

SYN Flood Attack

B.

TCP SACK Panic Attack

C.

RST Attack

D.

HTTP GET POST Attack

Full Access
Question # 94

During an internal red team engagement at Orion Tech Labs, a leading software firm in Austin, Texas, ethical hacker Emily Carter was tasked with evaluating the resilience of the organization ' s software deployment processes. Knowing that the finance team frequently downloaded utility tools for generating PDFs, she repackaged a trusted PDF converter installer with a secondary payload. When an employee executed the installer, the converter installed and functioned normally, but in the background, a hidden executable silently initiated outbound network communication. The user remained unaware of any suspicious activity.

Which technique did Emily most likely use to ensure the malware executed alongside the legitimate application?

A.

Downloader

B.

Packer

C.

Dropper

D.

Wrapper

Full Access
Question # 95

During an internal red team simulation at a global insurance provider, Joe, a senior SOC analyst, is assigned to verify a surge in anomalous SYN packets targeting the perimeter firewall. The result of spoofed traffic. The organization has ruled out DNS poisoning and malformed header issues. Joe must now analyze packet behavior in real-time to determine authenticity without relying on host-level authentication. To identify spoofed traffic using techniques aligned with best practices taught in the organization, which approach should Joe take?

Full Access
Question # 96

This type of security test usually takes on an adversarial role and looks to see what an outsider can access and control.

A.

Penetration test

B.

Policy assessment

C.

High-level evaluation

D.

Network evaluation

Full Access
Question # 97

An employee finds a USB drive labeled “Employee Salary Info 2024” and plugs it into a company computer, causing erratic behavior. What type of social engineering attack is this?

A.

Tempting the victim to engage with a malicious device using curiosity.

B.

Impersonating a senior staff member to extract login credentials.

C.

Using a discarded document to retrieve sensitive information.

D.

Bypassing physical security by following an authorized employee.

Full Access
Question # 98

During an authorized security assessment of a smart thermostat manufacturer in Denver, Colorado, a certified ethical hacker receives a firmware image extracted from a production device for further evaluation.

The tester begins by examining the binary file to determine its format and architecture. Basic inspection commands are executed against the image to review embedded human-readable content and observe low-level binary structure before proceeding with deeper analysis.

Within the firmware analysis workflow, which stage is the tester performing?

A.

Extract the Filesystem

B.

Obtain Firmware

C.

Analyze Firmware

D.

Emulate Firmware

Full Access
Question # 99

In downtown Chicago, Illinois, security analyst Mia Torres investigates a breach at Windy City Enterprises, a logistics firm running an Apache HTTP Server. The attacker exploited a known vulnerability in an outdated version, gaining unauthorized access to customer shipment data. Mia ' s analysis reveals the server lacked recent security updates, leaving it susceptible to remote code execution. Determined to prevent future incidents, Mia recommends a strategy to the IT team to address this exposure. Which approach should Mia recommend to secure Windy City Enterprises ' Apache HTTP Server against such vulnerabilities?

A.

Conduct an extensive risk assessment to determine which segments of the network are most vulnerable or at high risk that need to be patched first

B.

Use a dedicated machine as a web server

C.

Block all unnecessary ports, ICMP traffic, and unnecessary protocols such as NetBIOS and SMB

D.

Eliminate unnecessary files within the jar files

Full Access
Question # 100

A BLE attack captured LL_ENC_REQ and LL_ENC_RSP packets but not the LTK. What is the next step?

A.

Decrypt pcap using -o option

B.

Attack cannot continue without LTK

C.

Use hcitool inq

D.

Use Btlejacking

Full Access
Question # 101

You are an ethical hacker at HorizonSec Consulting, hired by Liberty Insurance in Philadelphia, Pennsylvania, to test the resilience of their online claim submission portal. During testing, you modify the claim ID parameter in the URL with conditions such as AND and AND 1=2. When the first condition is used, the portal displays claim details as normal; when the second condition is used, the page displays no results. You repeat this process to determine how the application responds to true and false conditions without error messages or delays.

Based on the observed behavior, which SQL injection technique are you employing?

A.

UNION SQL Injection

B.

Error-based SQL Injection

C.

Time-based Blind SQL Injection

D.

Boolean Exploitation

Full Access
Question # 102

After a breach, investigators discover attackers used modified legitimate system utilities and a Windows service to persist undetected and harvest credentials. What key step would best protect against similar future attacks?

A.

Disable unused ports and restrict outbound firewall traffic

B.

Perform weekly backups and store them off-site

C.

Ensure antivirus and firewall software are up to date

D.

Monitor file hashes of critical executables for unauthorized changes

Full Access
Question # 103

In the sunlit tech oasis of Phoenix, Arizona, ethical hacker Nadia Patel explores the security posture of LearnSphere, a U.S.-based e-learning platform serving thousands of students. During her testing, Nadia intentionally submits invalid inputs to the platform ' s content delivery system. Instead of returning a generic failure notice, the application responds with detailed system information, including database query strings and directory paths. Such responses provide attackers with valuable insights into the application ' s internal workings, which could be used to craft more precise and damaging attacks.

Which issue is being demonstrated?

A.

Improper Error Handling

B.

Directory Traversal

C.

Verbose Error Messages

D.

CORS Misconfiguration

Full Access
Question # 104

An attacker extracts the initial bytes from an encrypted file container and uses a tool to iterate through numeric combinations. What type of cryptanalytic technique is being utilized?

A.

Seek identical digests across hash outputs

B.

Test every possible password through automation

C.

Force encryption key through quantum solving

D.

Analyze output length to spot anomalies

Full Access
Question # 105

Sarah, a cybersecurity analyst at a US-based e-commerce company in New York, is tasked with evaluating the company ' s transition to a cloud-based infrastructure to support its growing online platform. The company aims to optimize resource allocation to handle fluctuating customer demand during peak shopping seasons, such as Black Friday. Sarah must recommend a key characteristic of cloud computing that ensures resources are efficiently shared across multiple users while maintaining scalability.

Which cloud computing characteristic should Sarah recommend ensuring efficient resource sharing and scalability for the e-commerce platform?

A.

Measured service

B.

Broad network access

C.

Resource pooling

D.

On-demand self-service

Full Access
Question # 106

Multiple failed login attempts using expired tokens are followed by successful access with a valid token. What is the most likely attack scenario?

A.

Capturing a valid token before expiry

B.

Token replay attack using expired tokens

C.

Brute-forcing token generation

D.

Exploiting a race condition in token validation

Full Access
Question # 107

At a power distribution facility in Phoenix, Arizona, ethical hacker Sameer Das is performing an OT security assessment. He demonstrates that a programmable controller accepts modifications delivered over the network without checking the origin or cryptographic validity of the package. By uploading altered instructions, he changes how the controller processes commands during operations. Which IoT/OT threat best represents this technique?

A.

Firmware update attack

B.

Forged malicious device

C.

Remote access using backdoor

D.

Exploit kits

Full Access
Question # 108

You are Maya, a security engineer at HarborPoint Cloud Services in Chicago, Illinois, performing a post-incident hardening review after an internal audit flagged multiple services that rely on legacy public-key algorithms. The engineering team must prioritize actions company-wide to reduce long-term risk from future quantum-capable adversaries while development continues on a large refactor of several services. Which proactive control should Maya recommend as the highest-priority change to embed into the organization ' s development lifecycle to improve future resistance to quantum-based attacks?

A.

Include quantum-resistance checks in SDLC and code review processes

B.

Encrypt stored data with quantum-resistant algorithms

C.

Use quantum-specific firewalls to protect quantum communication channels

D.

Break data into fragments and distribute it across multiple locations

Full Access
Question # 109

In an ethical hacking methodology and framework, which of the following step is known for “active and passive information gathering”?

A.

Obfuscation

B.

Exploitation

C.

Reconnaissance

D.

Denial of service

Full Access
Question # 110

An ethical hacker is conducting a penetration test on a company’s network with full knowledge and permission from the organization. What is this type of hacking called?

A.

Blue Hat Hacking

B.

Grey Hat Hacking

C.

Black Hat Hacking

D.

White Hat Hacking

Full Access
Question # 111

You are Alex, a forensic responder at HarborHealth in Seattle, Washington. During a live incident response you must secure an enterprise Windows server ' s system partition and attached data volumes without rebooting user machines or disrupting domain authentication. The IT team prefers a solution that integrates with Windows platform features (including hardware-backed startup protection and centralized key escrow via Active Directory/management policies) and provides transparent full-disk protection for the OS volume. Which disk-encryption solution should you deploy?

A.

FileVault

B.

BitLocker Drive Encryption

C.

VeraCrypt

D.

Rohos Disk Encryption

Full Access
Question # 112

Dr. Evelyn Reed, a cybersecurity expert, was called in to investigate a series of unusual activities at " Global Innovations Inc. " The first red flag was a surge in spear-phishing emails targeting senior management, disguised as urgent internal memos. Soon after, the company ' s web server showed unexpected outbound traffic to unfamiliar IP addresses. A network audit revealed that multiple underutilized printers and routers had unauthorized firmware installed. Further review uncovered inconsistencies in file access logs linked to the R & D department, including unusually large data transfers occurring during non-business hours. Dr. Reed also noted the attackers appeared to have intimate knowledge of the organization ' s internal data structure.

Which phase of the Advanced Persistent Threat (APT) lifecycle is Global Innovations Inc. most likely experiencing, given the combination of these incidents?

A.

Initial Intrusion

B.

Expansion

C.

Search and Exfiltration

D.

Persistence

Full Access
Question # 113

In the neon-lit sprawl of Las Vegas, Nevada, a luxury hotel’s smart room control system suffered a breach, allowing an intruder to manipulate guest room settings. The incident investigation revealed that the IoT devices lacked any mechanism to verify the integrity or authenticity of software prior to execution, allowing tampered instructions to run unchecked. As Emna Ruza, a cybersecurity consultant brought in to assess the breach, you recommend a solution that ensures only authorized, validated code is executed on the devices.

Which secure development practice are you advising the hotel to implement?

A.

Allow code signing

B.

Ensure secure boot

C.

Secure firmware or software updates

D.

Utilize secure communication protocols

Full Access
Question # 114

Which tool dumps Windows hashes?

A.

Mimikatz

B.

John

C.

Hydra

D.

Aircrack-ng

Full Access
Question # 115

You have successfully compromised a server having an IP address of 10.10.0.5. You would like to enumerate all machines in the same network quickly. What is the best Nmap command you will use?

A.

nmap -T4 -q 10.10.0.0/24

B.

nmap -T4 -O 10.10.0.0/24

C.

nmap -T4 -r 10.10.1.0/24

D.

nmap -T4 -F 10.10.0.0/24

Full Access
Question # 116

During a red team engagement at a manufacturing company in Dallas, penetration tester Tyler gains access to a Windows workstation. Later in the exercise, he reviews his exfiltrated logs and finds detailed records of employee logins, email drafts, and sensitive data entered into desktop applications. The collection occurred without requiring browser injection or physical device access, and no kernel drivers were installed.

Which type of keylogger did Tyler most likely deploy?

A.

JavaScript Keylogger

B.

Hardware Keylogger

C.

Kernel Keylogger

D.

Application Keylogger

Full Access
Question # 117

Michael, an ethical hacker at a San Francisco-based fintech startup, is conducting a security assessment of the company ' s cloud-based payment processing platform, which uses Kubernetes, an open-source system for automating the deployment, scaling, and management of containerized applications. During his review, Michael identified a feature that automatically replaces and reschedules containers from failed nodes to ensure high availability of services a critical requirement for uninterrupted payment operations. Based on his study of cloud container technology principles, which Kubernetes feature should Michael highlight as responsible for this capability?

A.

Container vulnerabilities

B.

Kube-controller-manager

C.

Container orchestration

D.

Self-healing

Full Access
Question # 118

An Android device has an unpatched permission-handling flaw and updated antivirus. What is the most effective undetected exploitation approach?

A.

SMS phishing

B.

Rootkit installation

C.

Custom exploit with obfuscation

D.

Metasploit payload

Full Access
Question # 119

As part of an insider threat simulation at a multinational insurance firm, lead red teamer John is asked to assess whether internal directory services are exposing sensitive user data. Gaining limited VPN access, he begins probing port 389 on a staging environment connected to the main domain infrastructure. After discovering that anonymous binds are accepted by the directory service, John launches a utility from his Kali machine that allows command-line interaction with directory entries. He structures his query to search for user objects with associated organizational units. Moments later, John reviews the output which includes usernames, group memberships, and departmental hierarchies all retrieved without authentication.

Which tool is John MOST likely using to perform this enumeration?

Full Access
Question # 120

During a red team simulation at a bank in Chicago, Illinois, the SOC team suspects that some of the incoming traffic may be spoofed. To verify this, an analyst begins monitoring the sequence values assigned to packets, looking for irregularities that indicate they were not generated by the legitimate source. Which spoofing detection technique is the analyst using?

Full Access
Question # 121

A penetration tester is hired by a company to assess its vulnerability to social engineering attacks targeting its IT department. The tester decides to use a sophisticated pretext involving technical jargon and insider information to deceive employees into revealing their network credentials. What is the most effective social engineering technique the tester should employ to maximize the chances of obtaining valid credentials without raising suspicion?

A.

Conduct a phone call posing as a high-level executive requesting urgent password resets

B.

Send a generic phishing email with a malicious attachment to multiple employees

C.

Create a convincing fake IT support portal that mimics the company ' s internal systems

D.

Visit the office in person as a maintenance worker to gain physical access to terminals

Full Access
Question # 122

What is GINA?

A.

GUI Installed Network Application CLASS

B.

Gateway Interface Network Application

C.

Graphical Identification and Authentication DLL

D.

Global Internet National Authority (G-USA)

Full Access
Question # 123

During a black-box security assessment of a large enterprise network, the penetration tester scans the internal environment and identifies that TCP port 389 is open on a domain controller. Upon further investigation, the tester runs the ldapsearch utility without providing any authentication credentials and successfully retrieves a list of usernames, email addresses, and departmental affiliations from the LDAP directory. The tester notes that this sensitive information was disclosed without triggering any access control mechanisms or requiring login credentials. Based on this behavior, what type of LDAP access mechanism is most likely being exploited?

A.

LDAP over SSL (LDAPS)

B.

Authenticated LDAP with Kerberos

C.

Anonymous LDAP binding

D.

LDAP via RADIUS relay

Full Access
Question # 124

During a large-scale network assessment of a telecom provider in Dallas, Texas, a cybersecurity consultant uses Recon-ng and Nmap to enumerate legacy and infrastructure-level services across multiple nodes. The tools uncover open Telnet ports, FTP directories with anonymous login enabled, active TFTP services, and exposed SMB shares. The consultant also detects a service that responds to VRFY, EXPN, and RCPT commands, allowing the enumeration of user identities and delivery addresses due to weak input validation. IPv6 tunneling protocols are also detected. Concerned about information leakage, the consultant flags these services for immediate remediation.

Which classification best describes this set of enumeration activities?

A.

LDAP Enumeration

B.

VoIP Enumeration

C.

SMTP Enumeration

D.

DNS Enumeration

Full Access
Question # 125

Under the neon glow of Seattle ' s skyline, ethical hacker Elena Vasquez slips into her role as a cybersecurity consultant for Cascade Financial ' s online banking platform. Tasked with probing the web server ' s defenses, Elena simulates a series of rapid login attempts to the admin portal. She notes that the system allows unlimited tries without locking the account, exposing a gap that could invite relentless password-guessing attacks. Determined to safeguard the bank ' s assets, Elena drafts a recommendation to fortify the server ' s authentication process against such threats.

What countermeasure should Elena recommend to strengthen Cascade Financial ' s web server against the vulnerability identified?

A.

Implement 2FA or MFA

B.

Force users to periodically change passwords

C.

Use CAPTCHA challenges on login and registration pages

D.

Use strong, one-way hashing algorithms such as bcrypt, scrypt, or Argon2

Full Access
Question # 126

You are Noah Kim, an ethical hacker at Quantum Cyber Solutions, hired to test the mobile device security of TechTrend Innovations, a tech firm in Austin, Texas. During a covert assessment, your objective is to simulate an attacker attempting to gain privileged access to an iPhone 12 running iOS 14.5 used for proprietary app development. You apply a jailbreaking technique that allows the device to fully restart without requiring a computer, maintaining a patched kernel and enabling access to sensitive app data in the file system. Based on this method, which iOS jailbreaking technique are you using?

A.

Semi-tethered jailbreaking

B.

Untethered jailbreaking

C.

Semi-untethered jailbreaking

D.

Tethered jailbreaking

Full Access
Question # 127

A biotech research firm in Boston, Massachusetts, migrates its laboratory management platform to the cloud. The vendor provides an environment where developers can deploy and test custom applications without managing the underlying servers, operating systems, or storage. The firm controls the application logic but not the runtime infrastructure.

Which cloud service model is the company using?

A.

Infrastructure as a Service (IaaS)

B.

Platform as a Service (PaaS)

C.

Software as a Service (SaaS)

D.

Anything as a Service (XaaS)

Full Access
Question # 128

Which technique is least useful during passive reconnaissance?

A.

WHOIS lookup

B.

Search engines

C.

Social media monitoring

D.

Nmap scanning

Full Access
Question # 129

Kevin and his friends are going through a local IT firm ' s garbage. Which of the following best describes this activity?

A.

Intelligence gathering

B.

Reconnaissance

C.

Dumpster diving

D.

Social engineering

Full Access
Question # 130

Attackers abused Android Debug Bridge (ADB) to issue unauthorized commands. What is the strongest countermeasure?

A.

Enforce VPN usage

B.

Adopt biometric authentication

C.

Disable ADB except in strictly controlled environments

D.

Frequently update MDM systems

Full Access
Question # 131

Which of the following is the most important step for the ethical hacker to perform during the pre-assessment?

A.

Hack the web server.

B.

Gather information about the target.

C.

Obtain verbal permission to hack.

D.

Obtain written permission to hack.

Full Access
Question # 132

During a security penetration test at Sterling Manufacturing in Cleveland, Ohio, the ethical hacking team evaluates the company ' s physical security controls. On a chilly evening in July 2025, ethical hacker Priya Desai, posing as a facilities contractor, accesses the company ' s loading dock area after regular business hours. Behind the employee entrance, she comes across an unsecured maintenance container with discarded packaging, shipping labels, and shredded office material. Among the clutter, Priya retrieves a crumpled document listing temporary access codes for the employee break room, along with a partially shredded memo referencing an upcoming audit. The exercise tests whether sensitive information discarded improperly can be exploited. The next day, Priya uses the recovered access codes to enter the break room undetected during a shift change, logging her entry on a controlled test system to simulate a breach.

What social engineering technique is Priya ' s exercise primarily simulating?

A.

Tailgating

B.

Eavesdropping

C.

Dumpster Diving

D.

Shoulder Surfing

Full Access
Question # 133

An ethical hacker conducting an authorized assessment of a multinational advisory firm begins collecting intelligence exclusively from publicly accessible online platforms where employees share professional background details and engage in industry-related discussions.

By correlating individual role descriptions, publicly endorsed technical competencies, collaborative conversations referencing internal initiatives, and recurring terminology used to describe projects and departments, the tester develops a structured view of reporting relationships, identifies commonly deployed technologies, and infers internal naming conventions.

From a reconnaissance methodology perspective, which technique is being applied?

A.

Footprinting through Social Networking Sites

B.

Footprinting through Internet Research Services

C.

Footprinting through Social Engineering

D.

Footprinting through Search Engines

Full Access
Question # 134

An attacker plans to compromise IoT devices to pivot into OT systems. What should be the immediate action?

A.

Perform penetration testing

B.

Secure IoT–OT communications with encryption and authentication

C.

Deploy ML-based threat prediction

D.

Deploy an IPS

Full Access
Question # 135

During network analysis, clients are receiving incorrect gateway and DNS settings due to a rogue DHCP server. What security feature should the administrator enable to prevent this in the future?

A.

DHCP snooping on trusted interfaces

B.

ARP inspection across VLANs

C.

Port security on all trunk ports

D.

Static DHCP reservations for clients

Full Access
Question # 136

A Windows machine shows disabled Windows Defender without admin approval. What phase is this?

A.

Delivery

B.

Persistence

C.

Recon

D.

Defense evasion

Full Access
Question # 137

During a penetration test at a technology startup in Austin, Texas, an ethical hacker is tasked with evaluating defenses against stealthy scanning techniques. She selects an approach that involves sending TCP packets with no flags, relying on the way target systems respond to infer whether ports are open or closed. This allows her to remain less visible to intrusion detection systems compared to a full handshake. Which scanning method is she using?

A.

TCP Connect Scan

B.

FIN Scan

C.

NULL Scan

D.

ACK Scan

Full Access
Question # 138

An attacker accesses a server using reused NTLM hashes without cracking passwords. What attack is this?

A.

Brute force

B.

Replay

C.

Kerberoasting

D.

Pass-the-hash

Full Access
Question # 139

During a quarterly security audit at a financial services company in Charlotte, North Carolina, you are tasked with reviewing exposed services on legacy servers inherited from a third-party vendor. While scanning, you discover that TCP port 1434 is open on a database node that is not listed in the company ' s active inventory. The IT team has no records explaining why this service is running, and you are asked to determine whether the exposure of this port could indicate an unnecessary database-related risk. Based on standardized port assignments, which service is most likely running on this port and requires further review?

A.

ms-sql-m

B.

sqlsrv

C.

sql*net

D.

ms-sql-s

Full Access
Question # 140

You are an ethical hacker at ShieldPoint Security, hired by Pinecrest Travel Agency in Orlando, Florida, to perform a penetration test on their flight booking portal. During testing, you notice that normal SQL injection attempts are blocked by a security filter. To bypass it, you adjust your input so that key SQL keywords are broken apart with unexpected symbols, allowing the database to interpret them correctly while evading the filter. This manipulation allows you to retrieve hidden booking records despite the filter ' s restrictions. Based on the observed behavior, which SQL injection evasion technique are you employing?

A.

String Concatenation

B.

Hex Encoding

C.

In-line Comment

D.

Null Byte

Full Access
Question # 141

Which of the following program infects the system boot sector and the executable files at the same time?

A.

Stealth virus

B.

Polymorphic virus

C.

Macro virus

D.

Multipartite Virus

Full Access
Question # 142

You are Evelyn, an ethical hacker at LoneStar Health in Austin, Texas, engaged to investigate a recent compromise of archived patient records. During the investigation you recover a large set of encrypted records from a compromised backup and, separately, obtain several original template records (standard headers and form fields) that correspond to some entries in the encrypted set. You plan to use these paired examples (the original templates and their encrypted counterparts) to attempt to recover keys or deduce other plaintext values. Which cryptanalytic approach is most appropriate for this situation?

A.

Chosen-ciphertext attack

B.

Known-plaintext attack

C.

Chosen-plaintext attack

D.

Ciphertext-only attack

Full Access
Question # 143

A penetration tester targets a WPA2-PSK wireless network. The tester captures the handshake and wants to speed up cracking the pre-shared key. Which approach is most effective?

A.

Conduct a Cross-Site Scripting (XSS) attack on the router ' s login page

B.

Use a brute-force attack to crack the pre-shared key manually

C.

Use a dictionary attack with a large wordlist to crack the WPA2 key

D.

Perform a SQL injection attack to bypass the WPA2 authentication

Full Access
Question # 144

At Apex Financial Services in Houston, Texas, ethical hacker Javier Ruiz evaluates mobile security practices under the company ' s BYOD policy. He demonstrates that employees often install applications that request access to contact lists, cameras, and messaging services, even though these functions are unrelated to the apps ' intended purpose. This behavior allows a malicious program to harvest sensitive corporate information.

Which security guideline would most directly prevent this issue?

A.

Use encryption mechanisms to store data

B.

Enforce automatic device locking or implement biometric authentication

C.

Review permissions requested by apps before installing them

D.

Set passwords for apps to restrict others from accessing them

Full Access
Question # 145

A cybersecurity team at a regional healthcare provider is conducting an internal red team exercise to assess their exposure to service enumeration attacks. Amanda, a senior penetration tester, is assigned to probe the internal network for services that may reveal usernames, group information, or system details without requiring prior authentication. She decides to target common services running on specific ports that are often misconfigured or loosely monitored. During her reconnaissance, Amanda identifies several open ports across various hosts and must now prioritize which ones to probe first for maximum information gain related to enumeration. Which of the following services should Amanda target as a priority to enumerate usernames and group information without authentication?

A.

TCP 139 and UDP 137, 138

B.

TCP 21 and UDP 137, 138

C.

TCP 23 and UDP 137, 138

D.

TCP 25 and UDP 133

Full Access
Question # 146

You perform a FIN scan and observe that many ports do not respond to FIN packets. How should these results be interpreted?

A.

Conclude the ports are closed

B.

Escalate as an active breach

C.

Attribute it to network congestion

D.

Suspect firewall filtering and investigate further

Full Access
Question # 147

At Redwood Financial Group in Boston, Massachusetts, the security leadership team is formalizing a continual security strategy composed of four coordinated activities. During implementation planning, one team is assigned responsibility for reviewing operational data across the enterprise environment to recognize irregular patterns that may indicate malicious activity.

Within this model, which activity is responsible for this responsibility?

A.

Predict

B.

Protect

C.

Respond

D.

Detect

Full Access
Question # 148

During an internal audit at a financial services firm in Mumbai, ethical hacker Meera was tasked with assessing lateral movement risks within the Windows-based domain environment. While monitoring internal network traffic, she noticed a strange broadcast from a workstation trying to resolve a non-existent host. Suspecting protocol-level weakness, she responded swiftly using a pre-configured system. A few minutes later, she captured NTLMv2 hashes from several authenticated sessions across multiple departments. Later, her team successfully cracked one of the hashes offline and used the credentials to gain access to a sensitive internal reporting server. Which type of attack did Meera most likely execute?

A.

Internal Monologue Attack

B.

LLMNR/NBT-NS Poisoning

C.

Kerberoasting

D.

Pass-the-Ticket Attack

Full Access
Question # 149

As part of a red team campaign against a pharmaceutical company in Boston, ethical hacker Alex begins with a successful spear-phishing attack that delivers an initial payload to a manager ' s laptop. After gaining access, Alex pivots to harvesting cached credentials and using them to move laterally across the internal network. Soon, routers, printers, and several file servers are compromised, expanding the red team ' s control beyond the original host. At this point, Alex has not yet targeted sensitive research data, but the team has built a broader foothold within the environment.

Which phase of the Advanced Persistent Threat (APT) lifecycle is Alex simulating?

A.

Initial Intrusion

B.

Persistence

C.

Search & Exfiltration

D.

Expansion

Full Access
Question # 150

A penetration tester is tasked with uncovering historical content from a company’s website, including previously exposed login portals or sensitive internal pages. Direct interaction with the live site is prohibited due to strict monitoring policies. To stay undetected, the tester decides to explore previously indexed snapshots of the organization’s web content saved by external sources. Which approach would most effectively support this passive information-gathering objective?

A.

Search with intext: " login " site:target.com to retrieve login data

B.

Use the link: operator to find backlinks to login portals

C.

Apply the cache: operator to view Google ' s stored versions of target pages

D.

Use the intitle:login operator to list current login pages

Full Access
Question # 151

During a network security audit at Jefferson National Bank in Richmond, Virginia, ethical hacker Thomas Reed is tasked with identifying vulnerabilities in employee login processes on VLAN 20, which connects client services workstations to the customer account database server. He sets up a Wireshark instance on a monitoring workstation configured in mirror mode behind a managed switch to capture traffic. His goal is to detect unencrypted authentication credentials transmitted over HTTP during login sessions. Which Wireshark feature should Thomas use to isolate and analyze these credentials in real time, and how does it assist him?

A.

Use the " Filtering by IP Address " to set a filter for HTTP traffic before capturing

B.

Use the " Monitoring the Specific Ports " to generate a traffic summary and identify HTTP packets

C.

Use the " Follow TCP Stream " to reconstruct and read HTTP session data

D.

Use the " Display Filtering by Protocol " to isolate HTTP traffic and view packet details

Full Access
Question # 152

An ethical hacker needs to gather sensitive information about a company ' s internal network without engaging directly with the organization ' s systems to avoid detection. Which method should be employed to obtain this information discreetly?

A.

Analyze the organization ' s job postings for technical details

B.

Exploit a public vulnerability in the company ' s web server

C.

Perform a WHOIS lookup on the company ' s domain registrar

D.

Use port scanning tools to probe the company ' s firewall

Full Access
Question # 153

A regional healthcare provider in Minneapolis, Minnesota began experiencing intermittent connectivity issues across a newly activated access-layer network segment. Shortly after a contractor connected a diagnostic device to an unused switch port, multiple employee workstations failed to receive valid network configurations. System logs showed repeated address negotiation attempts from affected hosts, while monitoring tools recorded a rapid sequence of configuration requests originating from a single switch interface. Within minutes, additional clients on the segment encountered similar assignment failures. From a sniffing standpoint, which technique most accurately explains this behavior?

A.

IRDP Spoofing

B.

DHCP Starvation

C.

Rogue DHCP Server

D.

MAC Spoofing

Full Access
Question # 154

Which of the following is the primary goal of ethical hacking?

A.

To disrupt services by launching denial-of-service attacks

B.

To identify and fix security vulnerabilities in a system

C.

To steal sensitive information from a company ' s network

D.

To spread malware to compromise multiple systems

Full Access
Question # 155

In the crisp mountain air of Denver, Colorado, ethical hacker Lila Chen investigates the security framework of MedVault, a US-based healthcare platform used by regional clinics to manage patient data. During her assessment, Lila manipulates session parameters while navigating the patient portal’s dashboard. Her tests reveal a critical flaw: the system allows users to access sensitive medical records not associated with their own account, enabling unauthorized changes to private health data. Upon deeper inspection, Lila determines that the issue stems from the application allowing users to perform actions beyond their assigned roles rather than failures in encryption, unsafe object handling, or server configuration.

Which OWASP Top 10 2021 vulnerability is Lila most likely exploiting in MedVault’s web application?

A.

Security Misconfiguration

B.

Insecure Deserialization

C.

Cryptographic Failures

D.

Broken Access Control

Full Access
Question # 156

A penetration tester is assessing a web application that does not properly sanitize user input in the search field. The tester suspects the application is vulnerable to a SQL injection attack. Which approach should the tester take to confirm the vulnerability?

A.

Use directory traversal in the search field to access sensitive files on the server

B.

Input a SQL query such as 1 OR 1=1 — into the search field to check for SQL injection

C.

Perform a brute-force attack on the login page to identify weak passwords

D.

Inject JavaScript into the search field to perform a Cross-Site Scripting (XSS) attack

Full Access
Question # 157

A healthcare analytics firm in Denver, Colorado hosts several internal applications on an IIS web server. During an authorized security assessment, a tester evaluates a lesser-used endpoint designed for administrative operations. By sending crafted HTTP requests directly to this endpoint, the tester is able to invoke server-side management functions without interacting with the standard login workflow presented by the primary user interface.

Further review indicates that certain restricted operations can be executed when accessed through alternate request paths, suggesting inconsistent enforcement of access controls within the application.

Which IIS vulnerability is most accurately demonstrated in this scenario?

A.

File and Directory Permissions Vulnerability

B.

CRLF Cross-Site Scripting Vulnerability

C.

Trust Boundary Violation Vulnerability

D.

Authentication Bypass Vulnerability

Full Access
Question # 158

A sophisticated injection attack bypassed validation using obfuscation. What is the best future defense?

A.

Continuous code review and penetration testing

B.

Deploy WAF with evasion detection

C.

SIEM monitoring

D.

Enforce 2FA

Full Access
Question # 159

At Bayview University in San Francisco, California, ethical hacker Sofia Patel is evaluating security controls on Android 11 tablets used by staff. To simulate an attack, she installs KingoRoot.apk directly on one of the devices. The application leverages system vulnerabilities to elevate privileges without requiring a computer connection. Based on the module, which feature of this rooting approach makes the attack effective?

A.

It uses a tethered jailbreak to restart the device with patched kernel functions

B.

It is an APK that can run directly on the device without a PC

C.

It relies on weak SSL validation to bypass application controls

D.

It exploits Bluetooth pairing flaws to gain device-level privileges

Full Access
Question # 160

During a security assessment of a metropolitan public transportation terminal, a penetration tester examines a network-connected IoT surveillance camera system used for 24/7 video monitoring. The camera uses outdated SSLv2 encryption to transmit video data. The tester intercepts and decrypts video streams due to the weak encryption and absence of authentication mechanisms. What IoT vulnerability is most likely being exploited in this scenario?

A.

Insecure data transfer and storage

B.

Jamming attack on RF communication

C.

Credential theft via web application

D.

Replay attack on wireless signals

Full Access
Question # 161

During a targeted intrusion against a cloud infrastructure company in Salt Lake City, Utah, an attacker distributes a modified installation package of a legitimate network diagnostic utility widely used by employees. Before distributing the package, the attacker binds a malicious remote-access payload with the original executable so that both components are installed together.

When users launch the diagnostic tool, it performs its normal troubleshooting functions, while the hidden payload simultaneously executes in the background and establishes communication with a remote command server.

From a malware deployment perspective, what technique best describes this approach?

A.

Wrapper

B.

Downloader

C.

Packer

D.

Dropper

Full Access
Question # 162

While conducting a compliance-driven security assessment at a public healthcare data center in Maryland, Jason, a senior penetration tester, was asked to reconcile outdated asset documentation for several legacy network appliances still active within the environment. Internal records lacked accurate device identifiers, administrative contact entries, and interface-level statistics needed for regulatory reporting.

Preliminary testing revealed that the devices were still exposing management information through long-standing read-only credentials configured years earlier. Rather than logging into each device manually or passively observing traffic, Jason decided to use a command-line approach that would systematically traverse the exposed management object tree of each system and redirect the complete output into a file for automated processing.

Determine which tool aligns with this requirement.

A.

SoftPerfect Network Scanner

B.

Wireshark

C.

Nmap

D.

SnmpWalk

Full Access
Question # 163

Which advanced mobile hacking technique is the hardest to detect and mitigate in a healthcare environment?

A.

Zero-day mobile exploits

B.

App spoofing

C.

Bluejacking

D.

Side-channel attacks

Full Access
Question # 164

In a bustling tech firm in Seattle, Michael, an ethical hacker, is conducting a security assessment to identify potential risks. During his evaluation, he notices that sensitive employee details and system configurations have been exposed through public forums, likely due to careless online behavior. His manager suspects this could lead to unauthorized access or data theft. As part of his testing, what type of threat should Michael focus on to simulate the adversary ' s method of gathering this exposed information?

A.

Corporate Espionage

B.

Social Engineering

C.

System and Network Attacks

D.

Information Leakage

Full Access
Question # 165

Emma, an ethical hacker at a Chicago-based healthcare provider, is performing a penetration test on the organization ' s patient record system following a recent data breach. During her investigation, she discovers that attackers gained access to a large volume of encrypted patient records but had no knowledge of the original data or encryption keys. Emma observes that the system uses a block cipher and suspects the attackers may have applied a cryptanalytic method that examines encrypted outputs in bulk to detect structural or statistical patterns in the encrypted data.

Which cryptanalysis technique should Emma investigate to assess the system ' s vulnerability in this scenario?

A.

Chosen-plaintext attack

B.

Known-plaintext attack

C.

Chosen-ciphertext attack

D.

Ciphertext-only attack

Full Access
Question # 166

A penetration tester is attempting to gain access to a wireless network that is secured with WPA2 encryption. The tester successfully captures the WPA2 handshake but now needs to crack the pre-shared key. What is the most effective method to proceed?

A.

Perform a brute-force attack using common passwords against the captured handshake

B.

Use a dictionary attack against the captured WPA2 handshake to crack the key

C.

Execute a SQL injection attack on the router ' s login page

D.

Conduct a de-authentication attack to disconnect all clients from the network

Full Access
Question # 167

A penetration tester is tasked with compromising a company’s wireless network, which uses WPA2-PSK encryption. The tester wants to capture the WPA2 handshake and crack the pre-shared key. What is the most appropriate approach to achieve this?

A.

Execute a Cross-Site Scripting (XSS) attack on the router ' s admin panel

B.

Use a de-authentication attack to force a client to reconnect, capturing the WPA2 handshake

C.

Perform a brute-force attack directly on the WPA2 encryption

D.

Conduct a Man-in-the-Middle attack by spoofing the router ' s MAC address

Full Access
Question # 168

At HarborGrid Utilities in Oregon, a security assessment team is reviewing how the organization’s network monitoring platform evaluates inbound traffic targeting its SCADA management interface. During testing, the red team introduces carefully crafted packets that adhere to known protocol standards but contain payload sequences previously identified in documented exploit repositories.

The monitoring system immediately flags the activity because it matches patterns stored in its internal threat database. However, when the team slightly modifies the exploit sequence while preserving its overall malicious intent, the alerts are no longer triggered.

Based on this behavior, which intrusion detection method is most likely deployed in this environment?

A.

Protocol Anomaly Detection

B.

Anomaly Detection

C.

Stateful Protocol Analysis

D.

Signature Recognition

Full Access
Question # 169

In Denver, Colorado, ethical hacker Rachel Nguyen is conducting a network security assessment for Apex Logistics, a transportation firm with a complex internal network. During her test, Rachel observes a client-server communication and injects specially crafted packets into the exchange, disrupting the client’s session. As a result, the server continues interacting with Rachel’s system while the legitimate client’s connection becomes unresponsive. She uses this setup in a controlled environment to demonstrate vulnerabilities to the company’s IT team.

What network-level session hijacking technique is Rachel employing in this assessment?

A.

Blind hijacking

B.

UDP hijacking

C.

RST hijacking

D.

TCP/IP hijacking

Full Access
Question # 170

A vulnerability has a score of 9.8. What does this rating help explain?

A.

It quantifies impact and exploitability to prioritize remediation

B.

It measures authentication errors

C.

It generates exploit payloads

D.

It classifies attacks qualitatively

Full Access
Question # 171

You are performing a security audit for a regional hospital in Dallas, Texas. While monitoring the network, you discover that an unknown actor has been silently capturing clear-text credentials and analyzing unencrypted traffic flowing across the internal Wi-Fi network. No modifications have been made to the data, and the attack remained undetected until your assessment. Based on this activity, what type of attack is most likely being conducted?

A.

Passive attack

B.

Distribution attack

C.

Close-in attack

D.

Insider attack

Full Access
Question # 172

At a Chicago-based healthcare provider, security engineer Emily reviews the migration of critical applications to a cloud service. During her evaluation, she notes that administrators can provision new servers, increase storage, and expand compute power instantly through a web dashboard without any manual involvement from the cloud provider. Which NIST-defined characteristic of cloud computing best explains this capability?

A.

On-demand self-service

B.

Measured service

C.

Resource pooling

D.

Broad network access

Full Access
Question # 173

A U.S.-based online securities trading firm in New York is reviewing its transaction authentication process. The security team confirms that each transaction is processed by first generating a hash of the transaction data. The hash value is then signed using the sender ' s private key. During verification, the recipient uses the corresponding public key to validate the signature before approving the transaction. The system documentation specifies that the same algorithm supports encryption, digital signatures, and key exchange mechanisms within the organization ' s secure communications infrastructure. Which encryption algorithm is being used in this implementation?

A.

ElGamal

B.

Diffie-Hellman

C.

DSA

D.

RSA

Full Access
Question # 174

A penetration tester finds malware that spreads across a network without user interaction, replicating itself from one machine to another. What type of malware is this?

A.

Keylogger

B.

Ransomware

C.

Virus

D.

Worm

Full Access
Question # 175

During an external assessment of a regional retail company ' s digital infrastructure, security analyst Joe is assigned to map internal services without active intrusion. While testing the behavior of a publicly exposed resolution system, he discovers that a secondary system responds unusually to structured queries. When he issues a specific request format, the server replies with a full list of internal mappings, including subdomains, mail hosts, and system aliases without requiring credentials or triggering alerts.

Which technique was most likely used to obtain this information?

A.

LDAP Enumeration

B.

NTP Enumeration

C.

DNS Zone Transfer Enumeration

D.

NetBIOS Enumeration

Full Access
Question # 176

An ethical hacker audits a hospital’s wireless network secured with WPA using TKIP and successfully performs packet injection and decryption attacks. Which WPA vulnerability most likely enabled this?

A.

Use of weak Initialization Vectors (IVs)

B.

Dependence on weak passwords

C.

Lack of AES-based encryption

D.

Predictable Group Temporal Key (GTK)

Full Access
Question # 177

What is the main difference between ethical hacking and malicious hacking?

A.

Ethical hacking is illegal, while malicious hacking is legal

B.

Ethical hackers use different tools than malicious hackers

C.

Ethical hacking is performed with permission, while malicious hacking is unauthorized

D.

Ethical hackers always work alone, while malicious hackers work in teams

Full Access
Question # 178

During a red team simul-ation, an attacker crafts packets with malformed checksums so the IDS accepts them but the target silently discards them. Which evasion technique is being employed?

A.

Insertion attack

B.

Polymorphic shellcode

C.

Session splicing

D.

Fragmentation attack

Full Access
Question # 179

During a penetration test at Cascade Financial in Seattle, ethical hacker Elena Vasquez probes the input handling of the company ' s web server. She discovers that a single crafted request is processed as two separate ones, allowing her to inject malicious data into the server ' s communication. This type of attack falls into the same category of input validation flaws as cross-site scripting (XSS), cross-site request forgery (CSRF), and SQL injection. Which type of web server attack is Elena most likely demonstrating?

A.

Password Cracking Attack

B.

HTTP Response Splitting Attack

C.

Directory Traversal Attack

D.

Web Cache Poisoning Attack

Full Access
Question # 180

What is the minimum number of network connections in a multihomed firewall?

A.

5

B.

2

C.

3

D.

4

Full Access
Question # 181

A penetration tester intercepts HTTP requests between a user and a vulnerable web server. The tester observes that the session ID is embedded in the URL, and the web application does not regenerate the session upon login. Which session hijacking technique is most likely to succeed in this scenario?

A.

Injecting JavaScript to steal session cookies via cross-site scripting

B.

DNS cache poisoning to redirect users to fake sites

C.

Session fixation by pre-setting the token in a URL

D.

Cross-site request forgery exploiting user trust in websites

Full Access
Question # 182

A security analyst is tasked with gathering detailed information about an organization ' s network infrastructure without making any direct contact that could be logged or trigger alarms. Which method should the analyst use to obtain this information covertly?

A.

Examine leaked documents or data dumps related to the organization

B.

Use network mapping tools to scan the organization ' s IP range

C.

Initiate social engineering attacks to elicit information from employees

D.

Perform a DNS brute-force attack to discover subdomains

Full Access
Question # 183

On 10th of July this year, during a security penetration test at IntelliCore Systems in Raleigh, North Carolina, the ethical hacking team evaluates the stability of the company’s file-sharing server. Sofia crafts and transmits a sequence of oversized, malformed packets designed to test how the server handles unexpected input. Shortly after, the system begins crashing intermittently due to processing failures triggered by these anomalous network requests. The security team onsite is tasked with identifying the root cause behind the packet-induced instability and attributing it to a known DoS tactic.

Which of the following best explains the technique Sofia used to trigger the server crashes?

A.

ICMP Flood Attack

B.

Ping of Death PoD

C.

Smurf Attack

D.

ACK Flood Attack

Full Access
Question # 184

A major financial institution is experiencing persistent DoS attacks against online banking, disrupting transactions. Which sophisticated DoS technique poses the greatest challenge to detect and mitigate effectively, potentially jeopardizing service availability?

A.

A synchronized Layer 3 Smurf attack flooding routers with ICMP echo requests

B.

A distributed SQL injection attack against online banking database servers causing resource exhaustion

C.

A zero-day buffer overflow exploit against the web server causing service unavailability via RCE

D.

A coordinated UDP flood targeting authoritative DNS servers to disrupt domain resolution

Full Access
Question # 185

During a penetration test at a shipping company in Miami, ethical hacker Daniel delivers a disguised email attachment containing a hidden payload. Once executed by employees, the compromised workstations begin to silently communicate with a remote server under Daniel’s control. Over the following week, he confirms that multiple infected endpoints can receive synchronized commands and perform background tasks simultaneously, including sending bursts of outbound traffic on demand.

Which type of malicious component is Daniel most likely simulating in this assessment?

A.

Spyware

B.

Botnet Agents

C.

Scareware

D.

Potentially Unwanted Applications (PUAs)

Full Access
Question # 186

Null sessions are un-authenticated connections (not using a username or password.) to an NT or 2000 system. Which TCP and UDP ports must you filter to check null sessions on your network?

A.

139 and 443

B.

137 and 139

C.

137 and 443

D.

139 and 445

Full Access
Question # 187

A penetration tester must enumerate user accounts and network resources in a highly secured Windows environment where SMB null sessions are blocked. Which technique should be used to gather this information discreetly?

A.

Utilize NetBIOS over TCP/IP to list shared resources anonymously

B.

Exploit a misconfigured LDAP service to perform anonymous searches

C.

Leverage Active Directory Web Services for unauthorized queries

D.

Conduct a zone transfer by querying the organization’s DNS servers

Full Access
Question # 188

What does AXFR allow?

A.

Zone transfer

B.

Encryption

C.

DNS tunneling

D.

Resolution

Full Access
Question # 189

A penetration tester is tasked with assessing the security of a smart home IoT device that communicates with a mobile app over an unencrypted connection. The tester wants to intercept the communication and extract sensitive information. What is the most effective approach to exploit this vulnerability?

A.

Perform a brute-force attack on the device ' s Wi-Fi credentials

B.

Use a man-in-the-middle (MitM) attack to intercept and analyze the unencrypted traffic

C.

Execute a SQL injection attack on the IoT device’s cloud management portal

D.

Use a dictionary attack to guess the admin login credentials of the device

Full Access
Question # 190

During a compliance audit at a logistics company in Columbus, Ohio, the mobile security team discovers that several field-issued Android devices are responding to remote commands from an unknown external system. The affected devices are not connected via USB, and no enterprise mobility policies were recently modified.

Network monitoring reveals that the devices have remote debugging enabled and are accepting connections over the wireless network on a specific high-numbered port commonly associated with remote device communication. Investigators determine that the external system was able to capture screenshots, list installed applications, forward ports, and install additional packages without requiring physical access to the devices.

Which attack technique most accurately explains this compromise?

A.

Device Administration API Abuse

B.

FRP Bypass

C.

Android Rooting

D.

ADB Exploitation via TCP 5555

Full Access
Question # 191

Fleet vehicles with smart locking systems were compromised after attackers captured unique signals from key fobs. What should the security team prioritize to confirm and prevent this attack?

A.

Secure firmware updates

B.

Increase physical surveillance

C.

Deploy anti-malware on smartphones

D.

Monitor wireless signals for jamming or interference

Full Access
Question # 192

You must map open ports and services while remaining stealthy and avoiding IDS detection. Which scanning technique is best?

A.

FIN Scan

B.

TCP Connect Scan

C.

ACK Scan

D.

Stealth Scan (SYN Scan)

Full Access
Question # 193

Malware uses Background Intelligent Transfer Service (BITS) to evade detection. Why is BITS attractive to attackers?

A.

It uses IP fragmentation

B.

It encrypts DNS packets

C.

It looks like normal Windows Update traffic

D.

It works only through HTTP tunneling

Full Access
Question # 194

Which individuals believe that hacking and defacing websites can promote social change?

A.

Gray hat hackers

B.

Hacktivists

C.

Ethical hackers

D.

Black hat hackers

Full Access
Question # 195

Peter extracts the SIDs list from Windows 2000 Server machine using the hacking tool “SIDExtractor”. Here is the output of the SIDs: From the above list identify the user account with System Administrator privileges.

A.

Chang

B.

Micah

C.

Sheela

D.

Rebecca

E.

Somia

F.

John

G.

Shawn

Full Access
Question # 196

Maria is conducting passive reconnaissance on a competitor without interacting with their systems. Which method would be least appropriate and potentially risky?

A.

Using the Wayback Machine

B.

Running an intensive port scan on public IPs

C.

Reviewing forums and social media

D.

Examining patent databases and public records

Full Access
Question # 197

You are Ethan Brooks, an ethical hacker at Vanguard Security Solutions, hired to perform a wireless penetration test for Pacific Logistics, a shipping company in Seattle, Washington. Your task is to identify all Wi-Fi networks in range without alerting the network administrators. Using a laptop with a Wi-Fi card, you monitor radio channels to detect access points and their BSSIDs without sending any probe requests or injecting data packets.

Based on the described method, which Wi-Fi discovery technique are you employing?

A.

Network Discovery Software

B.

Passive Footprinting

C.

Wash Command

D.

Active Footprinting

Full Access
Question # 198

A penetration tester runs a vulnerability scan and identifies an outdated version of a web application running on the company’s server. The scan flags this as a medium-risk vulnerability. What is the best next step for the tester?

A.

Ignore the vulnerability since it is only flagged as medium-risk

B.

Brute-force the admin login page to gain unauthorized access

C.

Perform a denial-of-service (DoS) attack to crash the web application

D.

Research the vulnerability to check for any available patches or known exploits

Full Access
Question # 199

During an authorized wireless security assessment, an ethical hacker captures traffic between client devices and a corporate access point to evaluate the strength of the implemented encryption mechanism. Packet analysis reveals that before protected data exchange begins, the client and access point complete a structured four-message key negotiation process. Subsequent traffic is encrypted using an AES-based counter mode protocol that integrates message authentication for integrity protection. Based on these observations, identify the wireless encryption standard deployed on the network.

A.

WEP

B.

WPA

C.

WPA2

D.

WPA3

Full Access
Question # 200

During enumeration, a tool sends requests to UDP port 161 and retrieves a large list of installed software due to a publicly known community string. What enabled this technique to work so effectively?

A.

Unencrypted FTP services storing software data

B.

The SNMP agent allowed anonymous bulk data queries due to default settings

C.

Remote access to encrypted Windows registry keys

D.

SNMP trap messages logged in plain text

Full Access
Question # 201

You are Emma Rodriguez, an ethical hacker at SecurePath Solutions, hired to test the mobile application security of Sterling & Associates, a law firm in New York City. During a covert assessment, your objective is to simulate an attacker attempting to exploit vulnerabilities in the firm’s client case management app. You discover that the app stores user credentials in plain text on the device, enabling you to extract sensitive client login information using a rooted device. Based on this finding, which OWASP Top 10 Mobile Risk are you identifying in the app?

A.

Insecure Communication

B.

Improper Credential Usage

C.

Inadequate Privacy Controls

D.

Insecure Data Storage

Full Access
Question # 202

A tester evaluates a login form that constructs SQL queries using unsanitized user input. By submitting 1 OR ' T ' = ' T ' ; --, the tester gains unauthorized access to the application. What type of SQL injection has occurred?

A.

Tautology-based SQL injection

B.

Error-based SQL injection

C.

Union-based SQL injection

D.

Time-based blind SQL injection

Full Access
Question # 203

In the bustling tech hub of Boston, Massachusetts, ethical hacker Zara Nguyen dives into the digital fortifications of CloudCrafter, a US-based platform hosting web applications for small businesses. Tasked with probing the application’s input processing, Zara submits specially crafted inputs to a server administration panel. Her tests uncover a severe vulnerability: the system performs unintended operations at the system level, enabling access to restricted server resources. Further scrutiny reveals the flaw lies in the application’s failure to sanitize user input passed to system-level execution, not in altering directory service queries, injecting newline characters, or targeting cloud-specific environments. Dedicated to strengthening the platform, Zara drafts a precise report to guide CloudCrafter’s security team toward urgent fixes.

Which injection attack type is Zara most likely exploiting in CloudCrafter’s web application?

A.

Shell Injection

B.

CRLF Injection

C.

LDAP Injection

D.

Command Injection

Full Access
Question # 204

While analyzing logs, you observe a large number of TCP SYN packets sent to various ports with no corresponding ACKs. What scanning technique was likely used?

A.

SYN scan (half-open scanning)

B.

XMAS scan

C.

SYN/ACK scan

D.

TCP Connect scan

Full Access
Question # 205

You are an ethical hacker at Apex Security Consulting, hired by Riverfront Media, a digital marketing firm in Boston, Massachusetts, to assess the security of their customer relationship management CRM web application. While evaluating the application’s search feature, you input a long string of single quote characters into the search bar. The application responds with an error message suggesting that it cannot handle the length or structure of the input in the current SQL context. Based on the observed behavior, which SQL injection vulnerability detection technique are you employing?

A.

Detecting SQL Modification

B.

Fuzz Testing

C.

Function Testing

D.

Error Message Analysis

Full Access
Question # 206

A penetration tester evaluates the security of an iOS mobile application that handles sensitive user information. The tester discovers that the application is vulnerable to insecure data transmission. What is the most effective method to exploit this vulnerability?

A.

Execute a SQL injection attack to retrieve data from the backend server

B.

Perform a man-in-the-middle attack to intercept unencrypted data transmitted over the network

C.

Conduct a brute-force attack on the app’s authentication system

D.

Use a Cross-Site Request Forgery (CSRF) attack to steal user session tokens

Full Access
Question # 207

A future-focused security audit discusses risks where attackers collect encrypted data today, anticipating they will be able to decrypt it later using quantum computers. What is this threat commonly known as?

A.

Saving data today for future quantum decryption

B.

Breaking RSA using quantum algorithms

C.

Flipping qubit values to corrupt output

D.

Replaying intercepted quantum messages

Full Access
Question # 208

Who are “script kiddies” in the context of ethical hacking?

A.

Highly skilled hackers who write custom scripts

B.

Novices who use scripts developed by others

C.

Ethical hackers using scripts for penetration testing

D.

Hackers specializing in scripting languages

Full Access
Question # 209

Working as an Information Security Analyst, you are creating training material on session hijacking. Which scenario best describes a side jacking attack?

A.

An attacker uses social engineering to trick an employee into revealing their password.

B.

An attacker intercepts network traffic, captures unencrypted session cookies, and uses these to impersonate the user.

C.

An attacker exploits a firewall vulnerability to gain access to internal systems.

D.

An attacker convinces an employee to visit a malicious site that injects a script into their browser.

Full Access
Question # 210

Upon completing a vulnerability evaluation for a financial services firm in Cincinnati, Ohio, the security team finalized its formal report for executive review. One portion of the document grouped identified weaknesses into severity tiers and highlighted systems with elevated exposure levels across the environment. This part of the report emphasized the relative impact and prioritization of identified weaknesses across affected assets. Which component of the vulnerability assessment report is represented in this scenario?

A.

Recommendations

B.

Risk Assessment

C.

Assessment Overview

D.

Findings

Full Access
Question # 211

During a compliance review at a law firm in Chicago, an ethical hacker tests the firm’s secure email gateway. She observes that sensitive legal documents are being transmitted in clear text over the Internet, allowing anyone intercepting the traffic to read the contents. The firm is concerned about unauthorized individuals being able to view these communications. Which principle of information security is being violated?

A.

Confidentiality

B.

Integrity

C.

Non-Repudiation

D.

Availability

Full Access
Question # 212

During a scheduled security review in a high-tech lab in Austin, Texas, penetration tester Lucas Bennett was assessing a state government’s new payroll system hosted in a private cloud. One humid afternoon, while fuzz testing the input validation logic of the TaxCalcEngine.dll module, he triggered a buffer overflow by submitting malformed taxpayer ID strings. The crash led to unintended disclosure of payroll data due to unchecked data boundaries. Lucas traced the issue to a coding oversight in a core processing module. Applying a structured analysis approach, which category best describes the vulnerability he discovered?

A.

Application Flaws

B.

Poor Patch Management

C.

Misconfigurations Weak Configurations

D.

Design Flaws

Full Access
Question # 213

A national retail chain headquartered in Minneapolis, Minnesota operates a customer rewards portal supported by front-end delivery layers designed to improve performance during peak shopping periods. During an authorized security assessment, a tester submits a specially crafted request containing unusual header combinations and a modified query parameter while accessing a promotional page.

Shortly afterward, other legitimate users requesting the same promotional page through standard browsers begin receiving altered content that differs from what the application normally generates. When the tester accesses the underlying origin system directly, the response reflects the expected legitimate version. After some time and additional routine traffic, the unexpected content is no longer served.

Identify the attack technique that best explains this observed behavior.

A.

DNS Server Hijacking

B.

DNS Rebinding Attack

C.

Web Cache Poisoning Attack

D.

SQL Injection Vulnerability

Full Access
Question # 214

In the rainy streets of Portland, Oregon, ethical hacker Ethan Brooks delves into the security layers of ShopSwift, a US-based e-commerce platform reeling from a recent data breach. Tasked with uncovering the method behind unauthorized account takeovers, Ethan examines login patterns across the platform ' s user base. His investigation reveals a surge of automated login activity across multiple accounts, with a suspiciously high success rate. Determined to trace the root cause, Ethan compiles a detailed log to assist ShopSwift ' s security team in restoring trust.

Which attack method is Ethan most likely uncovering in ShopSwift’s authentication system?

A.

Password Spraying

B.

Brute Force Attack

C.

Credential Stuffing

D.

Phishing Attacks

Full Access
Question # 215

Which attack manipulates hidden fields?

A.

SQLi

B.

XSS

C.

Parameter tampering

D.

CSRF

Full Access
Question # 216

During an ethical hacking exercise, a security analyst is testing a web application that manages confidential information and suspects it may be vulnerable to SQL injection. Which payload would most likely reveal whether the application is vulnerable to time-based blind SQL injection?

A.

UNION SELECT NULL, NULL, NULL--

B.

' OR ' 1 ' = ' 1 ' --

C.

' OR IF(1=1,SLEEP(5),0)--

D.

AND UNION ALL SELECT ' admin ' , ' admin ' --

Full Access
Question # 217

Which scenario best describes a slow, stealthy scanning technique?

A.

FIN scanning

B.

TCP connect scanning

C.

Xmas scanning

D.

Zombie-based idle scanning

Full Access
Question # 218

Olivia, a cybersecurity architect at a Boston-based fintech company, is tasked with upgrading the organization ' s cryptographic infrastructure in preparation for future quantum computing threats. A recent internal audit flagged that sensitive customer data stored in the company ' s cloud environment could be vulnerable if quantum decryption methods become practically viable. To strengthen their post-quantum defense, Olivia must recommend a proactive cryptographic control that ensures long-term confidentiality of stored data, even against advanced quantum attackers.

Which cryptographic defense should Olivia prioritize to mitigate the risk of future quantum-based decryption?

A.

Break data into fragments and distribute it across multiple locations

B.

Encrypt stored data with quantum-resistant algorithms

C.

Use quantum-specific firewalls to protect quantum communication channels

D.

Include quantum-resistance checks in SDLC and code review processes

Full Access
Question # 219

Which social engineering attack involves impersonating a co-worker or authority figure to extract confidential information?

A.

Phishing

B.

Pretexting

C.

Quid pro quo

D.

Baiting

Full Access
Question # 220

Maya Patel from SecureHorizon Consulting is investigating a breach at Dallas General Hospital in Texas after a nurse misplaced a smartphone containing patient management software. Although the device remained active on the network, administrators had no way to identify its physical whereabouts, delaying incident response and allowing sensitive medical records to be exposed for hours. Which mobile security guideline would have most directly reduced the impact of this incident?

A.

Use anti-virus and data loss prevention (DLP) solutions

B.

Utilize a secure VPN connection while accessing public Wi-Fi networks

C.

Install device tracking software that allows the device to be located remotely

D.

Register devices with a remote locate and wipe facility

Full Access
Question # 221

As a newly appointed network security analyst, you are tasked with ensuring that the organization’s network can detect and prevent evasion techniques used by attackers. One commonly used evasion technique is packet fragmentation, which is designed to bypass intrusion detection systems (IDS). Which IDS configuration should be implemented to effectively counter this technique?

A.

Implementing an anomaly-based IDS that can detect irregular traffic patterns caused by packet fragmentation.

B.

Adjusting the IDS to recognize regular intervals at which fragmented packets are sent.

C.

Configuring the IDS to reject all fragmented packets to eliminate the risk.

D.

Employing a signature-based IDS that recognizes the specific signature of fragmented packets.

Full Access
Question # 222

A Nessus scan reveals a critical SSH vulnerability (CVSS 9.0) allowing potential remote code execution on a Linux server. What action should be immediately prioritized?

A.

Redirect SSH traffic to another server

B.

Treat the finding as a possible false positive

C.

Immediately apply vendor patches and reboot during scheduled downtime

D.

Temporarily isolate the affected server, conduct a forensic audit, and then patch

Full Access
Question # 223

A penetration tester discovers that a web application is vulnerable to Local File Inclusion (LFI) due to improper input validation in a URL parameter. Which approach should the tester take to exploit this vulnerability?

A.

Conduct a brute-force attack on the admin login page to gain access

B.

Inject SQL commands into the URL parameter to test for database vulnerabilities

C.

Perform a Cross-Site Scripting (XSS) attack by injecting malicious scripts into the URL

D.

Use directory traversal to access sensitive files on the server, such as /etc/passwd

Full Access
Question # 224

A penetration tester is attacking a wireless network running WPA3 encryption. Since WPA3 handshake protections prevent offline brute-force cracking, what is the most effective approach?

A.

Downgrade the connection to WPA2 and capture the handshake to crack the key

B.

Execute a dictionary attack on the WPA3 handshake using common passwords

C.

Perform a brute-force attack directly on the WPA3 handshake

D.

Perform a SQL injection attack on the router ' s login page

Full Access
Question # 225

Which technique is most likely used to evade detection by an Intrusion Detection System (IDS)?

A.

Fragmenting malicious packets into smaller segments

B.

Using self-replicating malware

C.

Sending phishing emails

D.

Flooding the IDS with ping requests

Full Access
Question # 226

As a Certified Ethical Hacker assessing session management vulnerabilities in a secure web application using MFA, encrypted cookies, and a WAF, which technique would most effectively exploit a session management weakness while bypassing these defenses?

A.

Utilizing Session Fixation to force a victim to use a known session ID

B.

Executing a Cross-Site Request Forgery (CSRF) attack

C.

Exploiting insecure deserialization vulnerabilities for code execution

D.

Conducting Session Sidejacking using captured session tokens

Full Access
Question # 227

In a security assessment conducted in New York, Sarah, an ethical hacker, is evaluating a corporate network to enhance its protection against potential threats. She aims to gather essential data about available access points to guide her analysis. Which scanning technique should Sarah apply to meet this objective while adhering to the organization ' s ethical guidelines?

A.

Vulnerability Scanning

B.

Port Scanning

C.

Topology Mapping

D.

Network Scanning

Full Access
Question # 228

During an authorized security assessment at a municipal power distribution facility in Omaha, Nebraska, a certified ethical hacker performs passive traffic analysis between the control center and several remote substations.

The tester observes structured request-response messages used to read coil status and write register values on industrial controllers. All communication occurs over TCP port 502, and the protocol does not provide built-in encryption or authentication.

Based on these characteristics, which OT communication protocol is operating within this environment?

A.

IEC 60870-5-104

B.

MODBUS

C.

DNP3

D.

OPC UA

Full Access
Question # 229

You are an ethical hacker at HarborLine Assessments, engaged to audit the Wi-Fi at Portside Freight in Tacoma, Washington. During an overnight reconnaissance, you enable your wireless interface’s monitor mode and run a command that silently records beacon frames, probe responses, and authentication frames from nearby APs and clients into a capture file for later offline analysis—you do not transmit any frames from your laptop. Based on the described activity, which Wi-Fi security auditing tool are you most likely using?

A.

Aireplay-ng

B.

Aircrack-ng

C.

Airbase-ng

D.

Airodump-ng

Full Access
Question # 230

Steve, an attacker, created a fake profile on a social media website and sent a request to Stella. Stella was enthralled by Steve ' s profile picture and the description given for his profile, and she initiated a conversation with him soon after accepting the request. After a few days, Steve started asking about her company details and eventually gathered all the essential information regarding her company. What is the social engineering technique Steve employed in the above scenario?

A.

Honey trap

B.

Diversion theft

C.

Piggybacking

D.

Baiting

Full Access
Question # 231

Which approach should an ethical hacker avoid to maintain passive reconnaissance?

A.

Direct interaction with the threat actor

B.

WHOIS and DNS lookups

C.

Anonymous browsing via Tor

D.

Using the Wayback Machine

Full Access
Question # 232

A penetration tester is assessing a company ' s executive team for vulnerability to sophisticated social engineering attacks by impersonating a trusted vendor and leveraging internal communications. What is the most effective social engineering technique to obtain sensitive executive credentials without being detected?

A.

Develop a fake social media profile to connect with executives and request private information

B.

Conduct a phone call posing as the CEO to request immediate password changes

C.

Create a targeted spear-phishing email that references recent internal projects and requests credential verification

D.

Send a mass phishing email with a malicious link disguised as a company-wide update

Full Access
Question # 233

You are working as a threat intelligence analyst for a fintech startup that recently discovered a spike in credential stuffing attempts against its admin panel. The security team believes this may be due to leaked internal files circulating on underground forums. You are tasked with investigating potential exposure on the dark web without directly interacting with any service or forum. You decide to use advanced search filters to identify documents hosted on hidden services that may contain sensitive access details. The team suspects these documents might include account-related keywords in their titles.

Which of the following search queries would best support this investigation?

A.

filetype:pdf intitle: " admin access " site:onion

B.

filetype:docx intitle: " login credentials "

C.

filetype:pdf intitle: " secure login " site:onion

D.

filetype:docx intitle: " user accounts " site:onion

Full Access
Question # 234

During an authorized security assessment of a smart home product manufacturer in San Jose, California, a certified ethical hacker evaluates the web-based management interface used to configure connected IoT cameras and lighting controllers.

The tester discovers that when an internal user visits a specially crafted external website, the browser automatically initiates requests to a locally hosted device management interface within the user’s private network.

Which attack technique best explains this behavior?

A.

Forged Malicious Device Attack

B.

SDR-Based Attack

C.

DNS Rebinding Attack

D.

Distributed Denial-of-Service (DDoS) Attack

Full Access
Question # 235

Which of the following is a common framework applied by business management and other personnel to identify potential events that may affect the enterprise, manage the associated risks and opportunities, and provide reasonable assurance that objectives will be achieved?

A.

Risk management framework

B.

Qualitative risk assessment

C.

PC-DSS

D.

NIST SP 800-37

Full Access
Question # 236

During a social engineering simulation at BrightPath Consulting in Denver, ethical hacker Liam emails employees a message that appears to come from the company’s security team. The email urgently warns that “all systems will shut down within 24 hours” unless staff download a patch from a provided link. The message is deliberately false and contains no actual malware, but it causes confusion and prompts several employees to call IT for clarification. Which social engineering technique is Liam demonstrating?

Full Access
Question # 237

During a strategic security briefing at Meridian Global Analytics in Washington, D.C., executives review a series of coordinated activities targeting national infrastructure. These activities include manipulating digital media to influence public perception, disrupting communication networks, and degrading critical systems to weaken institutional stability without direct conventional military engagement.

What form of conflict best describes this type of coordinated activity?

A.

Cyber Espionage

B.

Information Warfare

C.

Hacktivism

D.

Cyberterrorism

Full Access
Question # 238

A cybersecurity team at a cloud infrastructure provider in San Jose, California, initiated a structured vulnerability evaluation across its production environment. The scanning process began by identifying communication protocols active on each host. Once the protocols were cataloged, the platform analyzed which services were associated with those ports and dynamically selected only the vulnerability tests relevant to those detected services. The scanning logic adjusted automatically based on discoveries made during execution. Which vulnerability assessment approach is illustrated in this scenario?

A.

Inference-Based Assessment

B.

Service-Based Solutions

C.

Product-Based Solutions

D.

Tree-Based Assessment

Full Access
Question # 239

A penetration tester identifies that a web application ' s login form is not using secure password hashing mechanisms, allowing attackers to steal passwords if the database is compromised. What is the best approach to exploit this vulnerability?

A.

Perform a dictionary attack using a list of commonly used passwords against the stolen hash values

B.

Input a SQL query to check for SQL injection vulnerabilities in the login form

C.

Conduct a brute-force attack on the login form to guess weak passwords

D.

Capture the login request using a proxy tool and attempt to decrypt the passwords

Full Access