You are an ethical hacker at Nexus Cybersecurity, contracted to perform a penetration test for BlueRidge Retail, a US-based e-commerce company in Atlanta, Georgia. While testing their online store’s product search page, you attempt to inject a malicious query into the URL to extract customer data. The application is protected by a web application firewall WAF that blocks standard SQL injection attempts. To bypass this, you modify your input to split the query into multiple parts, ensuring the malicious instructions are not detected as a single signature. For example, you craft the URL as products.php?id=1+UNION+SE+LECT+1,2, which successfully retrieves unauthorized data. Based on the observed behavior, which SQL injection evasion technique are you employing?
Targeted, logic-based credential guessing using prior intel best describes which technique?
You have been asked to perform a penetration test for a local company. You have had several meetings with the client and are now almost ready to begin the assessment. Which of the following is the document that would contain verbiage which describes what type of testing is allowed and when you will perform testing and limits your liabilities as a penetration tester?
During a forensic log review at a satellite communications provider in Denver, Colorado, cybersecurity analyst Kevin Morales identified subtle timestamp irregularities in archived telemetry records. Although the discrepancies were minor, regulatory reporting standards required confirmation that the system clock was synchronizing correctly with its configured time sources.
Kevin needed to interact directly with the host’s running time service to review its current associations and operational state. He was not attempting to reset the clock or trace the hierarchy of upstream time authorities, but rather to query the active service for detailed status information from the target machine.
Identify the command Kevin should execute to obtain this information.
During a recent security assessment, you discover the organization has one Domain Name Server (DNS) in a Demilitarized Zone (DMZ) and a second DNS server on the internal network. What is this type of DNS configuration commonly called?
You are an ethical hacker at Sentinel Cyberworks, engaged to assess the wireless defenses of HarborTrust Bank in Portland, Oregon. During your assessment, the security team shows you a production system that continuously places selected APs into a passive scan mode, aggregates alarms from multiple wireless controllers into a central engine for forensic storage, and can automatically apply countermeasures (for example, time-sliced channel scanning and remote configuration changes) across the campus when it classifies a nearby device as malicious. Based on the described capabilities, which Wi-Fi security solution is this most consistent with?
As part of an insider threat simulation at a multinational insurance firm, lead red teamer John is asked to assess whether internal directory services are exposing sensitive user data. Gaining limited VPN access, he begins probing port 389 on a staging environment connected to the main domain infrastructure. After discovering that anonymous binds are accepted by the directory service, John launches a utility from his Kali machine that allows command-line interaction with directory entries. He structures his query to search for user objects with associated organizational units. Moments later, John reviews the output which includes usernames, group memberships, and departmental hierarchies all retrieved without authentication.
Which tool is John MOST likely using to perform this enumeration?
During a red team operation for XYZ Financial Services, security analyst Lily Jensen is assigned to scan a critical subnet that is protected by an IDS. Her initial scan attempt is immediately flagged and blocked. To evade detection while continuing reconnaissance, she adjusts the scanning configuration to include multiple spoofed IP addresses alongside her own. This makes it difficult for network defenses to isolate her real scanning activity, while still allowing her to receive accurate results.
Which scanning technique is Lily using?
An e-commerce platform hosted on a public cloud infrastructure begins to experience significant latency and timeouts. Logs show thousands of HTTP connections sending headers extremely slowly and never completing the full request. What DoS technique is most likely responsible?
A penetration tester is tasked with assessing the security of a smart home IoT device that communicates with a mobile app over an unencrypted connection. The tester wants to intercept the communication and extract sensitive information. What is the most effective approach to exploit this vulnerability?
A malware analyst is tasked with evaluating a suspicious PDF file suspected of launching attacks through embedded JavaScript. Initial scans using pdfid show the presence of /JavaScript and /OpenAction keywords. What should the analyst do next to understand the potential impact?
During a security assessment of a fintech startup in San Francisco, ethical hacker Michael analyzes the company ' s cloud platform. He observes that the system automates deployment, scaling, service discovery, and workload management across multiple nodes, ensuring smooth operation of critical services without requiring manual coordination. Which Kubernetes capability is primarily responsible for these functions?
A city utility billing portal in Raleigh, North Carolina includes a search field used to retrieve customer records. During an authorized penetration test, an assessor submits repeated instances of a character commonly interpreted within SQL statements as part of the input value.
The application does not display detailed error messages, yet certain submissions result in irregular response behavior and partial rendering of results. The tester suspects the input may be affecting how the SQL command is internally constructed.
Which black-box testing technique is being applied?
A financial institution in Chicago deploys an internal HTTPS-based customer portal that uses response compression to optimize bandwidth. During an authorized security assessment, a tester gains a vantage point along the communication path between internal clients and the gateway device.
By repeatedly initiating controlled requests and analyzing subtle differences in encrypted response sizes, the tester correlates variations in compressed output with specific input patterns. Over time, this analysis enables extraction of portions of a protected authentication value transmitted within the secure channel.
Which session hijacking technique best describes this activity?
A web server is overwhelmed by many slow, incomplete HTTP connections. What attack is occurring?
During an internal red team engagement at Orion Tech Labs, a leading software firm in Austin, Texas, ethical hacker Emily Carter was tasked with evaluating the resilience of the organization ' s software deployment processes. Knowing that the finance team frequently downloaded utility tools for generating PDFs, she repackaged a trusted PDF converter installer with a secondary payload. When an employee executed the installer, the converter installed and functioned normally, but in the background, a hidden executable silently initiated outbound network communication. The user remained unaware of any suspicious activity.
Which technique did Emily most likely use to ensure the malware executed alongside the legitimate application?
You are an ethical hacker at Titan Cyber Defense, hired by BrightWave Publishing in New York City to assess the security of their content management system (CMS). While testing the article search function, you input malformed strings such as multiple single quotes. The application responds with system feedback that unexpectedly reveals the database type and internal query structure, including table and column information. You use these disclosures to better understand how the backend query is built.
Which of the following methods to detect SQL injection are you employing?
During a targeted phishing campaign, a malicious HTML attachment reconstructs malware locally using obfuscated JavaScript without making external network calls, bypassing firewalls and IDS inspection. Which evasion technique is being employed?
As a cybersecurity professional at XYZ Corporation, you are tasked with investigating anomalies in system logs that suggest potential unauthorized activity. System administrators have detected repeated failed login attempts on a critical server, followed by a sudden surge in outbound data traffic. These indicators suggest a possible compromise. Given the sensitive nature of the system and the sophistication of the threat, what should be your initial course of action?
Bob received this text message on his mobile phone: “Hello, this is Scott Smelby from the Yahoo Bank. Kindly contact me for a vital transaction on: scottsmelby@yahoo.com”. Which statement below is true?
During an external security review of a manufacturing firm in Detroit, Michigan, you ' re asked to prioritize patch baselines for internet-facing servers without logging in or establishing full sessions. To achieve this, you analyze network-level responses and capture application output in order to determine the underlying system and its software release. Which technique best fits this objective?
During a strategic security briefing at Meridian Global Analytics in Washington, D.C., executives review a series of coordinated activities targeting national infrastructure. These activities include manipulating digital media to influence public perception, disrupting communication networks, and degrading critical systems to weaken institutional stability without direct conventional military engagement. What form of conflict best describes this type of coordinated activity?
A regional healthcare provider in Portland, Oregon, recently migrated its patient scheduling portal to a new cloud platform. Within days, multiple patients reported that when searching online for the clinic ' s appointment system, they were directed to a website that looked identical to the official portal. The fraudulent page appeared prominently in search engine results and prompted users to log in using their patient credentials. The URL closely resembled the legitimate domain name, and no internal DNS servers had been altered within the organization ' s infrastructure. Security analysts later determined that the attacker had created a convincing replica of the portal and manipulated search visibility so that unsuspecting users would voluntarily navigate to the malicious site. Which type of social engineering technique best explains this attack?
Maria is conducting passive reconnaissance on a competitor without interacting with their systems. Which method would be least appropriate and potentially risky?
A financial services firm is experiencing a sophisticated DoS attack on their DNS servers using DNS amplification and on their web servers using HTTP floods. Traditional firewall rules and IDS are failing to mitigate the attack effectively. To protect their infrastructure without impacting legitimate users, which advanced mitigation strategy should the firm implement?
A city’s power management system relies on SCADA infrastructure. Recent anomalies include inconsistent sensor readings and intermittent outages. Security analysts suspect a side-channel attack designed to extract sensitive information covertly from SCADA devices. Which investigative technique would best confirm this type of attack?
During a penetration test at a technology startup in Austin, Texas, an ethical hacker is tasked with evaluating defenses against stealthy scanning techniques. She selects an approach that involves sending TCP packets with no flags, relying on the way target systems respond to infer whether ports are open or closed. This allows her to remain less visible to intrusion detection systems compared to a full handshake. Which scanning method is she using?
A cloud storage provider discovers that an unauthorized party obtained a complete backup of encrypted database files containing archived client communications. The attacker did not compromise the encryption keys, nor is there evidence that any original plaintext records were exposed.
A forensic cryptography specialist reviewing the breach considers the possibility that the adversary is attempting to analyze the encrypted data in isolation, searching for statistical irregularities or structural repetition within the encrypted output to infer meaningful information.
To properly assess the organization’s exposure, the specialist must determine which cryptanalytic approach best matches an attack conducted using only the intercepted encrypted data.
A technology consulting firm in Portland, Oregon began experiencing repeated topology recalculations across its switching infrastructure. Shortly after a newly connected device came online in a conference room, spanning-tree convergence events were triggered across multiple distribution switches. Engineers determined that the access-layer interface connected to that device was influencing path-selection decisions, introducing a more favorable bridge priority value into the environment and affecting the established hierarchy. To preserve the intended switching structure and prevent unauthorized devices from altering root selection decisions, which control should be employed?
A Nessus scan reports a CVSS 9.0 SSH vulnerability allowing remote code execution. What should be immediately prioritized?
Your company performs PCI-DSS audits and penetration testing for third-party clients. During an approved pen test you have discovered a folder on an employee ' s computer that appears to have hundreds of credit card numbers and other forms of personally identifiable information (PII). Which of the following is the best course of action?
During a covert assessment at a logistics company in Dallas, penetration tester Emily delivers a disguised attachment to test employee awareness. When a staff member opens the file, normal content appears, but behind the scenes the attacker quietly gains full access to the workstation. Over the following week, Emily monitors emails, keystrokes, and local files without alerting the user, confirming long-term stealthy control of the machine.
Which type of malware is most likely responsible for this activity?
In an enterprise environment, the network security team detects unusual behavior suggesting advanced sniffing techniques exploiting legacy protocols to intercept sensitive communications. Which of the following sniffing-related techniques presents the greatest challenge to detect and neutralize, potentially compromising confidential enterprise data?
An attacker uses many plaintext–ciphertext pairs and applies statistical analysis to XOR combinations of specific bits. Which technique is being used?
At a private aerospace research facility in Mesa, Arizona, an executive raises concerns after sensitive discussion points from speakerphone meetings begin surfacing externally. The device shows no indicators of active audio recording, and application permission history does not reflect recent camera or microphone authorization changes.
A forensic mobile analysis identifies that an installed application has been continuously reading motion sensor output while the phone’s loudspeaker is active. The collected sensor data was later transmitted to a remote server, where acoustic characteristics were reconstructed from the recorded measurements.
Identify the attack technique responsible for this compromise.
During a penetration test at IntelliCore Systems in Raleigh, North Carolina, ethical hacker Javier directs a wave of repetitive web requests against the company ' s portal that overloads backend scripts which process search queries and form submissions. As a result, legitimate customers experience long delays and occasional timeouts while attempting to log in or complete transactions.
Which DoS/DDoS technique is Javier most likely demonstrating?
A Linux system allows passwordless sudo for multiple commands. What security principle is violated?
A penetration tester evaluates a company ' s secure web application, which uses HTTPS, secure cookie flags, and strict session management to prevent session hijacking. To bypass these protections and hijack a legitimate user ' s session without detection, which advanced technique should the tester employ?
Steve, an attacker, created a fake profile on a social media website and sent a request to Stella. Stella was enthralled by Steve ' s profile picture and the description given for his profile, and she initiated a conversation with him soon after accepting the request. After a few days, Steve started asking about her company details and eventually gathered all the essential information regarding her company. What is the social engineering technique Steve employed in the above scenario?
At Pinnacle Financial Services in Chicago, Illinois, ethical hacker Sarah Thompson is conducting a penetration test to evaluate the security of the company ' s online banking portal. During her assessment, Sarah positions herself on the internal network and uses a sniffer to capture traffic between a user’s browser and the banking server. She quietly collects session data, including user IDs and authentication tokens, without interfering with the ongoing communication. Later, she plans to use this information to impersonate a legitimate user in a controlled test environment to demonstrate potential risk to the bank’s IT team.
What type of session hijacking is Sarah performing during this phase of her penetration test?
An attacker has partial root access to a mobile application. What control best prevents further exploitation?
A penetration tester is assessing a mobile application and discovers that the app is vulnerable to improper session management. The session tokens are not invalidated upon logout, allowing the tokens to be reused. What is the most effective way to exploit this vulnerability?
A fintech startup in Austin, Texas deploys several virtual machines within a public cloud environment. During an authorized cloud security assessment, a tester uploads a small script to one of the instances through a web application vulnerability. After executing the script locally on the instance, the tester retrieves temporary access credentials associated with the instance ' s assigned role. These credentials are then used to enumerate storage resources and access additional cloud services within the same account. Which cloud attack technique best corresponds to this activity?
You are Riley, an incident responder at NovaEx Crypto in San Antonio, Texas, tasked with investigating a recent double-spend reported by a retail merchant that accepts the exchange ' s token. Your telemetry shows that a reseller node used by the merchant received blocks only from a small, fixed set of peers for several hours and accepted a conflicting history that later allowed the attacker to reverse a confirmed payment. The attacker appears to have controlled which peers that node communicated with and supplied it a private chain until they were ready to reveal it. Which blockchain attack does this behavior most closely describe?
A penetration tester is evaluating a secure web application that uses HTTPS, secure cookie flags, and regenerates session IDs only during specific user actions. To hijack a legitimate user ' s session without triggering security alerts, which advanced session hijacking technique should the tester employ?
You are part of the red team assigned to evaluate the physical and social vulnerabilities of a government contractor’s office located in a metropolitan business hub. During your pretexting phase, you decide to simulate the role of a third-party IT technician.
Upon arrival, the receptionist allows you entry without verification, assuming you are there for scheduled printer maintenance. While moving through the workspace, you casually observe open terminals, unattended printouts, and discarded sticky notes at workstations. You later report several user credentials and partial access details acquired during this visit.
Which social engineering technique does this scenario best illustrate?
During an authorized cloud security assessment for an e-commerce company based in Seattle, Washington, a certified ethical hacker gains temporary programmatic access to the organization’s cloud account. The tester focuses on identifying permission boundaries by querying the account to determine which identity entities are associated with attached policies and what level of access those identities possess across cloud resources. The objective is to understand privilege relationships before attempting any further controlled actions.
Which cloud reconnaissance activity best aligns with this effort?
During a penetration test at Triangle FinTech in Raleigh, North Carolina, ethical hacker Ethan attempts to bypass the company ' s perimeter firewall. Instead of sending obvious malicious payloads, he encapsulates his traffic inside standard web requests on port 80, blending in with normal browsing activity. This method allows his packets to slip past perimeter defenses that are not performing deep application inspection.
Which firewall evasion technique is Ethan most likely using?
Which action would most effectively increase the security of a virtual-hosted web server?
During a penetration test at Cascade Biotech in Portland, Oregon, ethical hacker Olivia Harper installs a monitoring agent on a single test workstation inside the research subnet. The system records local events such as file access, configuration changes, and unauthorized process execution. Olivia explains to the security team that attackers often attempt to disable or evade this type of monitoring to avoid being detected at the host level.
Which security system is Olivia most likely demonstrating?
You are an ethical hacker at CyberShield Analytics, hired by Coastal Education Services, a tutoring platform in Miami, Florida, to test the security of their student portal. While probing the portal ' s course enrollment page, you input a crafted value into the course ID field, appending a condition that checks if the first character of the database name is a specific value. The application does not display error messages or additional data, but the page takes significantly longer to load when the condition evaluates to true, indicating a deliberate delay.
Based on the observed behavior, which SQL injection technique are you employing?
In downtown Chicago, Illinois, security analyst Mia Torres investigates a breach at Windy City Enterprises, a logistics firm running an Apache HTTP Server. The attacker exploited a known vulnerability in an outdated version, gaining unauthorized access to customer shipment data. Mia ' s analysis reveals the server lacked recent security updates, leaving it susceptible to remote code execution. Determined to prevent future incidents, Mia recommends a strategy to the IT team to address this exposure. Which approach should Mia recommend to secure Windy City Enterprises ' Apache HTTP Server against such vulnerabilities?
While assessing a web server, a tester sends malformed HTTP requests and compares responses to identify the server type and version. What technique is being employed?
During a cloud security assessment, you discover a former employee still has access to critical cloud resources months after leaving. Which practice would most effectively prevent this?
A national logistics company in Atlanta, Georgia maintains a segmented research VLAN inside its primary data center to study emerging supply-chain targeting tactics. The environment includes enterprise-grade server platforms hosting web applications, database services populated with curated operational data, and identity services configured to resemble production access structures.
During a red team engagement, external adversaries who gained initial access were observed interacting with systems inside this VLAN for several days. They escalated privileges, accessed structured data repositories, moved between internal hosts, and attempted to reach additional internal segments. All activity occurred within the controlled environment and was instrumented to capture attacker techniques in depth.
Which honeypot deployment model most accurately describes this research environment?
A penetration tester is attempting to gain access to a wireless network that is secured with WPA2 encryption. The tester successfully captures the WPA2 handshake but now needs to crack the pre-shared key. What is the most effective method to proceed?
A digital publishing firm in Charlotte, North Carolina, noticed suspicious probing activity against its public website. To proactively assess exposure, the security team initiated a focused scan of the company ' s HTTP servers. The chosen tool examined server headers, identified installed web server software through file signatures and favicon analysis, checked for outdated components, and searched for potentially dangerous files and misconfigurations. The scan also supported SSL connections and generated exportable reports in multiple formats for documentation. Which vulnerability assessment tool most closely aligns with the capabilities described?
A financial startup in Chicago hires an ethical hacker to evaluate its exposure on hidden networks. The client is particularly concerned that confidential administrative documents might be circulating on .onion sites. To remain passive, the hacker relies on advanced search filters to look for files with headers suggesting management-related content. Which of the following queries would best meet this objective?
A fintech startup in Austin, Texas deploys several virtual machines within a public cloud environment. During an authorized cloud security assessment, a tester uploads a small script to one of the instances through a web application vulnerability.
After executing the script locally on the instance, the tester retrieves temporary access credentials associated with the instance’s assigned role. These credentials are then used to enumerate storage resources and access additional cloud services within the same account.
Which cloud attack technique best corresponds to this activity?
An attacker performs DNS cache snooping using dig +norecurse. The DNS server returns NOERROR but no answer. What does this indicate?
During a security assessment in San Francisco, an ethical hacker is tasked with evaluating a network ' s resilience against stealthy reconnaissance attempts. The hacker needs to employ a scanning technique that leverages TCP flags to evade detection by intrusion detection systems, relying on the target ' s response behavior to infer port states without completing a full connection. Which approach best aligns with this strategy, ensuring minimal visibility during the assessment?
A threat intelligence review at a manufacturing firm in Pittsburgh, Pennsylvania, revealed repeated external queries targeting the organization’s public name servers. Although no intrusion occurred, analysts observed that the queries appeared designed to systematically map internal naming conventions and infrastructure patterns.
The security team determined that the issue was not excessive traffic volume but rather the exposure of internal namespace details through responses handled by the same server used for both internal and external resolution. To reduce the risk of disclosing sensitive structural information to outside systems, the team redesigned their DNS deployment.
Which countermeasure best addresses the risk described in this scenario?
A future-focused security audit discusses risks where attackers collect encrypted data now, anticipating that they can decrypt it later with quantum computers. What is this threat known as?
A corporation migrates to a public cloud service, and the security team identifies a critical vulnerability in the cloud provider’s API. What is the most likely threat arising from this flaw?
A Java app uses outdated libraries with known CVEs. What risk does this create?
Scenario:
Victim opens the attacker ' s website.
Attacker sets up a website containing interesting and attractive content such as “Do you want to make $1000 in a day?”.
Victim clicks the attractive content URL.
The attacker creates a transparent iframe in front of the URL that the victim attempts to click. The victim believes he/she is clicking the “Do you want to make $1000 in a day?” link, but is actually clicking content or a URL hidden inside the transparent iframe controlled by the attacker.
What is the name of the attack mentioned in the scenario?
During an internal red team engagement at a financial services firm, an ethical hacker named Anika tests persistence mechanisms after successfully gaining access to a junior employee’s workstation. As part of her assessment, she deploys a lightweight binary into a low-visibility system folder. To maintain long-term access, she configures it to launch automatically on every system reboot without requiring user interaction.
Which of the following techniques has most likely been used to ensure the persistence of the attacker’s payload?
A cybersecurity team at a cloud infrastructure provider in San Jose, California, initiated a structured vulnerability evaluation across its production environment. The scanning process began by identifying communication protocols active on each host. Once the protocols were cataloged, the platform analyzed which services were associated with those ports and dynamically selected only the vulnerability tests relevant to those detected services. The scanning logic adjusted automatically based on discoveries made during execution. Which vulnerability assessment approach is illustrated in this scenario?
During a red team assessment, an ethical hacker must map a large multinational enterprise’s external attack surface. Due to strict rules of engagement, no active scans may be used. The goal is to identify publicly visible subdomains to uncover forgotten or misconfigured services. Which method should the ethical hacker use to passively enumerate the organization’s subdomains?
A penetration tester is evaluating the security of a mobile application and discovers that it lacks proper input validation. The tester suspects that the application is vulnerable to a malicious code injection attack. What is the most effective way to confirm and exploit this vulnerability?
A digital publishing firm in Charlotte, North Carolina, noticed suspicious probing activity against its public website. To proactively assess exposure, the security team initiated a focused scan of the company’s HTTP servers.
The chosen tool examined server headers, identified installed web server software through file signatures and favicon analysis, checked for outdated components, and searched for potentially dangerous files and misconfigurations. The scan also supported SSL connections and generated exportable reports in multiple formats for documentation.
Which vulnerability assessment tool most closely aligns with the capabilities described?
In Miami, Florida, a luxury resort deploys smart climate control units in guest rooms. During a red team engagement, ethical hacker Sophia Bennett discovers that once a compromised device is restarted, it continues running altered instructions without any integrity check before the operating system loads. This allows tampered firmware to run as if it were legitimate. Which secure development practice would most directly prevent this weakness?
A penetration tester discovers that a web application uses unsanitized user input to dynamically generate file paths. The tester identifies that the application is vulnerable to Remote File Inclusion (RFI). Which action should the tester take to exploit this vulnerability?
During a quarterly security audit at a multinational logistics firm, network security manager Priya initiates a scheduled vulnerability assessment across the organization’s hybrid infrastructure. Her team begins by identifying all active IT assets and assigning them risk scores based on business criticality. The following week, they deploy scanning tools to detect security weaknesses, validate the findings manually, and classify vulnerabilities based on severity and exploitability. After coordinating with the IT operations team, they develop a structured timeline to address the confirmed vulnerabilities, giving priority to high-risk findings affecting mission-critical systems. Finally, after the vulnerabilities are addressed, Priya ensures the affected systems are rescanned to confirm resolution and generates a compliance report for executive review.
Based on this workflow, which phase of the Vulnerability-Management Life Cycle is Priya executing?
During LDAP-based enumeration, you observe that some critical information cannot be retrieved. What is the most likely reason?
Michael, an ethical hacker at a San Francisco-based fintech startup, is conducting a security assessment of the company ' s cloud-based payment processing platform, which uses Kubernetes, an open-source system for automating the deployment, scaling, and management of containerized applications. During his review, Michael identified a feature that automatically replaces and reschedules containers from failed nodes to ensure high availability of services a critical requirement for uninterrupted payment operations. Based on his study of cloud container technology principles, which Kubernetes feature should Michael highlight as responsible for this capability?
An organization is performing a vulnerability assessment for mitigating threats. James, a pen tester, scanned the organization by building an inventory of the protocols found on the organization ' s machines to detect which ports are attached to services such as an email server, a web server or a database server. After identifying the services, he selected the vulnerabilities on each machine and started executing only the relevant tests. What is the type of vulnerability assessment solution that James employed in the above scenario?
A zero-day vulnerability is actively exploited in a critical web server, but no vendor patch is available. What should be the FIRST step to manage this risk?
A red team operator wants to obtain credentials from a Windows machine without touching LSASS memory due to security controls and Credential Guard. They use SSPI to generate NetNTLM responses in the logged-in user context and collect those responses for offline cracking. Which attack technique is being used?
A Nessus scan reveals a critical SSH vulnerability (CVSS 9.0) allowing potential remote code execution on a Linux server. What action should be immediately prioritized?
Attackers exfiltrate data using steganography embedded in images. What is the best countermeasure?
During a penetration test at an e-commerce company in Boston, ethical hacker Sophia launches an HTTP flood against the checkout page of the site. The simulated traffic consists of repeated GET and POST requests designed to overload application-layer resources. In response, the IT team activates a security tool that inspects and filters malicious HTTP traffic while allowing legitimate customer requests to pass, ensuring service continuity during the exercise.
Which DoS/DDoS protection tool is most likely being used in this scenario?
MidWest BioAnalytics, a pharmaceutical research firm in Columbus, Ohio, authorizes a controlled adversarial simulation to assess the resilience of its internal web-based inventory management platform. During the exercise, administrators observe that several active client connections briefly lose synchronization, and unexpected command patterns appear within system transaction logs.
The irregularities are subtle and become apparent only after reviewing stored network captures. Executive leadership requests a solution that can maintain ongoing visibility into network exchanges and highlight activity that diverges from typical communication behavior across the organization’s infrastructure.
Which approach best satisfies this requirement?
An attacker examines differences in ciphertext outputs resulting from small changes in the input to deduce key patterns in a symmetric algorithm. What method is being employed?
You are an ethical hacker at Apex Cyber Defense contracted to audit Coastal Healthcare ' s wireless estate in Miami, Florida. During a network sweep, your logs show a previously unknown access point physically connected to the hospital ' s internal switch and issuing IP addresses to devices on the corporate VLAN - it was neither provisioned by IT nor listed in the asset inventory. The device is relaying internal traffic and providing remote connectivity back to an external host. Based on the observed behavior, which wireless threat has the attacker most likely introduced?
A health-tech startup in Raleigh, North Carolina operates a Kubernetes cluster supporting patient-facing microservices. During an authorized security assessment, a certified ethical hacker reviews internal cluster activity records available to operations personnel.
While analyzing these records, the tester notices that authentication artifacts associated with service accounts are recorded within system-generated output. The tester determines that if an individual obtained access to these records, they could reuse the captured authentication material to interact with cluster resources under the same privileges.
Which Kubernetes vulnerability best corresponds to this condition?
During a cybersecurity awareness drill at Quantum Analytics in San Francisco, California, the ethical hacking team tests the company’s defenses against social media-based threats. Nadia creates a fake LinkedIn profile posing as a senior HR manager from Quantum Analytics, using a stolen company logo and publicly available employee details. Nadia sends connection requests to several employees, including data analyst Priya Sharma, inviting them to join a private group called Quantum Analytics Innovation Hub. The group’s page prompts members to share their work email and department role for exclusive project updates.
What social engineering threat to corporate networks is Nadia’s exercise primarily simulating?
During a penetration test for a U.S.-based retail company, John gains access to a secondary server that responds unusually to structured queries. By sending a specially crafted request, he receives a full list of subdomains, MX records, and aliases belonging to the target organization. The response exposes sensitive internal mappings that could be leveraged for further attacks.
Which tool was MOST likely used to perform this enumeration?
The company ABC recently contracts a new accountant. The accountant will be working with the financial statements. Those financial statements need to be approved by the CFO and then they will be sent to the accountant but the CFO is worried because he wants to be sure that the information sent to the accountant was not modified once he approved it. Which of the following options can be useful to ensure the integrity of the data?
A large-scale inventory management platform implements a pattern-based inspection layer to prevent malicious database interactions. During authorized testing, repeated payloads containing recognizable structural sequences are denied before reaching the application logic. While analyzing the inspection behavior, the tester observes that blocked requests share a consistent textual arrangement of components. The tester then alters how those components are presented within the payload while preserving the intended database operation. After this adjustment, the request bypasses the inspection layer and executes successfully, producing results consistent with earlier attempts. Determine the evasion method that best accounts for this behavior.
A system’s audit logs are not centralized. Which attack phase is hardest to detect?
A penetration tester detects malware on a system that secretly records all keystrokes entered by the user. What type of malware is this?
Null sessions are un-authenticated connections (not using a username or password.) to an NT or 2000 system. Which TCP and UDP ports must you filter to check null sessions on your network?
During an internal red team simulation at a global insurance provider, Joe, a senior SOC analyst, is assigned to verify a surge in anomalous SYN packets targeting the perimeter firewall. The result of spoofed traffic. The organization has ruled out DNS poisoning and malformed header issues. Joe must now analyze packet behavior in real-time to determine authenticity without relying on host-level authentication. To identify spoofed traffic using techniques aligned with best practices taught in the organization, which approach should Joe take?
Bob, a seasoned security analyst at XYZ Aerospace, was investigating a series of misaligned transaction timestamps coming from one of the data archival systems. Suspecting that the server might be syncing with an unstable time source, Bob decided to extract a detailed list of all peer servers associated with the target machine, including metrics such as delay, offset, and jitter, to determine whether the issue stemmed from time synchronization drift.
Which of the following commands should Bob use to retrieve this information?
During an internal security review at a transportation authority in Columbus, Ohio, a red team analyst positioned himself on the same local network segment as several domain-joined administrative workstations. Over several hours, he recorded authentication exchanges as legitimate users performed their routine logon activities across the network.
He later analyzed the captured traffic to recover valid credentials associated with privileged accounts. Based on the attacker’s actions, how should this password attack be classified?
Malware remains dormant until triggered and changes its code with each infection. What malware type is responsible, and how should it be mitigated?
You discover an unpatched Android permission-handling vulnerability on a device with fully updated antivirus software. What is the most effective exploitation approach that avoids antivirus detection?
Justin Fletcher is conducting an authorized assessment for EverSafe Technologies in Las Vegas. During the active reconnaissance phase, he interacts directly with the organization ' s infrastructure to retrieve structural details about how its public-facing systems are logically organized. His activity generates entries within the target environment ' s monitoring systems. Which type of active footprinting technique is Justin performing?
During a code review at a defense technology contractor in Virginia, penetration tester Lucas identifies that a newly deployed payroll application encrypts sensitive employee data using a weak custom algorithm. In addition, its session validation logic allows certain requests to bypass access controls altogether. These oversights are traced back to flawed system logic and poor encryption design decisions made during the development phase.
Which vulnerability category BEST describes the issue Lucas discovered?
A company’s customer data in a cloud environment has been exposed due to an unknown vulnerability. Which type of issue most likely led to the incident?
A regional healthcare provider in Minneapolis, Minnesota began experiencing intermittent connectivity issues across a newly activated access-layer network segment. Shortly after a contractor connected a diagnostic device to an unused switch port, multiple employee workstations failed to receive valid network configurations. System logs showed repeated address negotiation attempts from affected hosts, while monitoring tools recorded a rapid sequence of configuration requests originating from a single switch interface. Within minutes, additional clients on the segment encountered similar assignment failures. From a sniffing standpoint, which technique most accurately explains this behavior?
During a red team assessment of a multinational financial firm, you are tasked with identifying key personnel across various departments and correlating their digital footprints to evaluate exposure risk. Your objective includes mapping user aliases across platforms, identifying geotagged media, and pinpointing potential insider threats based on social posting behavior.
The team has shortlisted multiple tools for the task. Considering the technical capabilities and limitations described in the approved reconnaissance toolkit, which tool provides cross-platform username correlation by scanning hundreds of social networking sites, but does not natively support geolocation tracking or visualizing identity relationships?
A multinational payment processor conducts a long-term risk assessment to evaluate the durability of its encrypted archives against future computational advances. Internal analysts warn that if large-scale quantum computers become operational, currently deployed public-key schemes protecting stored customer data may become vulnerable to rapid key recovery.
To maintain long-term confidentiality of archived financial records, the security architecture team must implement a defensive strategy that directly addresses cryptographic resilience rather than relying solely on network segmentation or development policy controls.
Determine the most appropriate mitigation to protect stored data against quantum-enabled decryption capabilities.
During a security assessment for an e-commerce company in Boston, Massachusetts, your team conducts a reconnaissance phase to identify potential entry points into the organization ' s communication infrastructure. You focus on gathering details about the systems responsible for handling incoming email traffic, avoiding active network probing, and relying on passive DNS data collection. Given this objective, which DNS record type should you query to extract information about the target’s mail server configuration?
You are part of a red team hired to assess the cybersecurity posture of a large retail chain headquartered in New York. The client wants to know whether their defenses can anticipate future attack patterns before they occur. To meet this objective, your team deploys an AI-enabled platform that analyzes previous breaches and anomaly data to forecast potential attack vectors. Which benefit of AI-driven ethical hacking is most critical in this case?
During a black-box security assessment of a large enterprise network, the penetration tester scans the internal environment and identifies that TCP port 389 is open on a domain controller. Upon further investigation, the tester runs the ldapsearch utility without providing any authentication credentials and successfully retrieves a list of usernames, email addresses, and departmental affiliations from the LDAP directory. The tester notes that this sensitive information was disclosed without triggering any access control mechanisms or requiring login credentials. Based on this behavior, what type of LDAP access mechanism is most likely being exploited?
Attackers compromise a legitimate email account and send convincing internal messages requesting urgent actions. What attack is this?
A security analyst is investigating a network compromise where malware communicates externally using common protocols such as HTTP and DNS. The malware operates stealthily, modifies system components, and avoids writing payloads to disk. What is the most effective action to detect and disrupt this type of malware communication?
During a security audit, a penetration tester observes abnormal redirection of all traffic for a financial institution’s primary domain. Users are being redirected to a phishing clone of the website. Investigation shows the authoritative DNS server was compromised and its zone records modified to point to the attacker’s server. This demonstrates total manipulation of domain-level resolution, not cache poisoning or client-side attacks. Which technique is being used in this scenario?
A financial technology firm in Atlanta, Georgia launches an internal investigation after multiple employees report that a popular messaging application on their Android devices has begun displaying excessive advertisements and behaving unpredictably. Security analysts discover that users had installed a utility application from a third-party marketplace weeks earlier. Further examination shows that this application silently replaced certain legitimate apps already present on the device. The compromised applications were then used to generate large volumes of advertisements and collect user data for external transmission. Based on the observed behavior, what malware is most consistent with this incident?
A defense contractor in Arlington, Virginia, initiated an internal awareness exercise to test employee susceptibility to human-based manipulation. During the assessment, an individual posing as an external recruitment consultant began casually engaging several engineers at a nearby industry networking event. Over multiple conversations, the individual gradually steered discussions toward current research initiatives, development timelines, and internal project code names. No direct requests for credentials or system access were made. Instead, the information was obtained incrementally through carefully crafted questions embedded within informal dialogue. Which social engineering technique is most accurately demonstrated in this scenario?
An ethical hacker needs to enumerate user accounts and shared resources within a company ' s internal network without raising any security alerts. The network consists of Windows servers running default configurations. Which method should the hacker use to gather this information covertly?
A penetration tester is tasked with mapping an organization ' s network while avoiding detection by sophisticated intrusion detection systems (IDS). The organization employs advanced IDS capable of recognizing common scanning patterns. Which scanning technique should the tester use to effectively discover live hosts and open ports without triggering the IDS?
During a red team assessment at a banking client in Chicago, ethical hacker David gains access to the internal LAN. He sets up a test machine and injects crafted messages into the network. Soon, all traffic between a finance workstation and the authentication server is silently routed through his system without changing switch configurations. He observes usernames and passwords passing through his interface, even though no proxy or VPN is in use.
Which sniffing technique did David most likely use?
This type of security test might seek to target the CEO ' s laptop or the organization ' s backup tapes to extract critical information, usernames, and passwords.
Customer data in a cloud environment was exposed due to an unknown vulnerability. What is the most likely cause?
A serverless application was compromised through an insecure third-party API used by a function. What is the most effective countermeasure?
You are instructed to perform a TCP NULL scan. In the context of TCP NULL scanning, which response indicates that a port on the target system is closed?
In Raleigh, North Carolina, ethical hacker Ethan Brooks is conducting a penetration test for Triangle FinTech, a rising financial startup. During his assessment, Ethan aims to bypass the company’s network security to access a restricted internal server. He crafts network packets to disguise his traffic as legitimate, forcing some TCP header information into subsequent packets to evade the firewall’s checks. His aim is to demonstrate how an attacker could slip past the security perimeter undetected, alerting the IT team to potential weaknesses.
Which technique is Ethan employing to bypass Triangle FinTech’s firewall during his penetration test?
Which advanced mobile hacking technique is the hardest to detect and mitigate in a healthcare environment?
During a quarterly vulnerability management cycle at a multinational logistics firm, Priya ' s team has already applied patches and fixes to address confirmed vulnerabilities. Now, she directs the analysts to run follow-up scans and review the attack surface to confirm that the applied remedies have effectively eliminated the risks. Only after this step will she prepare a compliance report for the executive board.
Which phase of the Vulnerability-Management Life Cycle is Priya executing?
A penetration tester intercepts HTTP requests between a user and a vulnerable web server. The tester observes that the session ID is embedded in the URL, and the web application does not regenerate the session upon login. Which session hijacking technique is most likely to succeed in this scenario?
Ethan works as a penetration tester at CyberGuard Solutions, a cybersecurity consulting firm in Raleigh, North Carolina. During an authorized security assessment of a regional insurance company, Ethan was provided with a set of password hashes to evaluate the strength of employee-generated credentials.
To test resistance against word-based password creation patterns, Ethan supplied a single custom wordlist containing common organizational terms and department names into his cracking tool. The tool automatically generated password candidates by linking multiple entries from that same list in varying combinations before attempting to match them against the hashes.
This approach proved highly effective against passwords formed by concatenating familiar words.
Which of the following password-cracking techniques is Ethan using?
During a red team exercise at a financial institution in New York, penetration tester Bob investigates irregularities in time synchronization across critical servers. While probing one server, he decides to use a diagnostic command that allows him to directly interact with the NTP daemon and query its internal state. This command enables him to perform monitoring and retrieve statistics, but it is primarily focused on controlling and checking the operation of the NTP service rather than listing peers with delay, offset, and jitter values.
Which command should Bob use to accomplish this?
As an Ethical Hacker, you have been asked to test an application’s vulnerability to SQL injection. During testing, you discover an entry field that appears susceptible. However, the backend database is unknown, and regular SQL injection techniques have failed to produce useful information. Which advanced SQL injection technique should you apply next?
Emily, a security engineer at a Chicago-based healthcare provider, is auditing the organization ' s new cloud environment after a breach where sensitive patient records were exposed. Her investigation reveals that the root cause was the lack of encryption during data transmission between end-user devices and cloud storage. To mitigate this issue and align with HIPAA compliance requirements, Emily must prioritize addressing the correct cloud computing security risk.
Which cloud computing threat should Emily address to mitigate the risk of sensitive data being exposed during transmission?
During a social engineering simulation at BrightPath Consulting in Denver, ethical hacker Liam emails employees a message that appears to come from the company’s security team. The email urgently warns that “all systems will shut down within 24 hours” unless staff download a patch from a provided link. The message is deliberately false and contains no actual malware, but it causes confusion and prompts several employees to call IT for clarification.
Which social engineering technique is Liam demonstrating?
As part of an internal security assessment at First Union Bank in Chicago, Rachel Morgan is evaluating whether unauthorized packet capture tools are operating within the loan processing segment of the network. During traffic observation, she notices behavior suggesting that a particular host may be processing frames beyond its intended destination scope.
To verify whether the network interface is accepting traffic not explicitly addressed to it, Rachel decides to transmit specially crafted packets designed to provoke an abnormal response from a system operating in promiscuous mode.
Which detection technique should Rachel use to confirm the presence of a sniffer?
During a red team exercise at Horizon Financial Services in Chicago, ethical hacker Clara crafts an email designed to trick the company’s CEO. The message, disguised as an urgent memo from the legal department, warns of a pending lawsuit and includes a link to a fake internal portal requesting the executive’s credentials. Unlike generic phishing, this attack is tailored specifically toward a high-ranking individual with decision-making authority.
An Android device has an unpatched permission-handling flaw and updated antivirus. What is the most effective undetected exploitation approach?
As a Certified Ethical Hacker, you are assessing a corporation’s serverless cloud architecture. The organization experienced an attack where a user manipulated a function-as-a-service (FaaS) component to execute malicious commands. The root cause was traced to an insecure third-party API used within a serverless function. What is the most effective countermeasure to strengthen the security posture?
A university ' s online registration system is disrupted by a combined DNS reflection and HTTP Slowloris DDoS attack. Standard firewalls cannot mitigate the attack without blocking legitimate users. What is the best mitigation strategy?
During a quarterly vulnerability management review at RedCore Motors, Priya finalizes the deployment of Nessus Essentials across the company ' s IT infrastructure. The solution is selected for its ability to support diverse technologies including operating systems, databases, web servers, and virtual environments. While preparing a training session for junior analysts, Priya asks them to identify a capability that Nessus Essentials is specifically designed to provide as part of its scanning process.
Systems are communicating with unknown external entities, raising concerns about exfiltration or malware. Which strategy most directly identifies and mitigates the risk?
In your role as a cybersecurity analyst at a large e-commerce company, you have been tasked with reinforcing the firm’s defenses against potential Denial-of-Service (DoS) attacks. During a recent review, you noticed several IP addresses generating excessive traffic, causing an unusually high server load. Inspection of packets revealed that the TCP three-way handshake was never completed, leaving multiple connections in a SYN_RECEIVED state. The intent appears to be saturating server resources without completing connections. Which type of DoS attack is most likely being executed?
A penetration tester performs a vulnerability scan on a company ' s network and identifies a critical vulnerability related to an outdated version of a database server. What should the tester prioritize as the next step?
A technology consulting firm in Denver, Colorado, recently experienced a wave of suspicious account compromise incidents. Several employees reported receiving an email that appeared identical to a legitimate cloud storage notification they had received earlier that week. The message reused the original branding, formatting, sender display name, and subject line. However, it informed recipients that the previously shared document had been “updated due to synchronization errors” and instructed them to reauthenticate using the embedded link. The link directed users to a convincing replica of the organization’s authentication portal. Investigation revealed that the attacker had reused content from a genuine prior communication and modified only the embedded hyperlink. Which type of social engineering attack does this scenario most accurately represent?
A penetration tester is tasked with assessing the security of an Android mobile application that stores sensitive user data. The tester finds that the application does not use proper encryption to secure data at rest. What is the most effective way to exploit this vulnerability?
During a security review, you have discovered that there are no documented security policies for the area you are assessing. Which of the following would be the most appropriate course of action?
A payroll management portal used by a manufacturing firm in Toledo, Ohio allows administrators to configure customizable notification templates that are later incorporated into automated reporting functions. During an authorized assessment, an ethical hacker submits specially structured input into a template field while creating a test notification.
The application accepts and stores the value without any noticeable disruption to the interface. Days later, when a scheduled reporting task executes, the resulting dataset includes records beyond the expected scope defined by the report criteria.
Further review reveals that the reporting engine dynamically constructs database queries using previously stored template values during execution.
Determine the SQL injection variant illustrated in this scenario.
An organization authorizes a wireless penetration test to evaluate the resilience of its WPA2-protected network. The assigned ethical hacker prepares the wireless adapter for packet capture and begins monitoring traffic from a nearby access point.
To accelerate the assessment, the tester transmits crafted 802.11 frames that momentarily interrupt active client connections. Shortly afterward, new authentication exchanges are observed in the capture logs, providing the necessary material for subsequent analysis.
The activity described corresponds to which component of the Aircrack-ng suite?
In the bustling tech hub of Silicon Valley, cybersecurity investigator Elena Martinez found herself deep into a late-night investigation at Horizon Tech Solutions on July 7, 2025. The company had reported sporadic network disruptions affecting their research team ' s access to critical project files. Elena, working under the cover of a maintenance window from midnight to 3 AM PDT, began monitoring the internal network, focusing on a subnet reserved for the R & D department. She noticed a pattern of failed connection attempts logged just before each disruption, with multiple hosts reporting temporary IP address conflicts. Suspecting foul play, Elena deployed a discreet test to simulate an internal threat scenario. Shortly afterward, several workstations began showing unfamiliar gateway settings and redirected users to misleading login portals during routine access attempts. Despite these anomalies, no security alerts were triggered.
What type of attack technique did Elena most likely simulate?
During a penetration test at TechTrend Innovations in California, ethical hacker Jake Henderson reviews the company ' s web server exposure to network-based threats. He finds that the server is running with multiple open services and protocols that are not required for its operation, such as NetBIOS and SMB. Jake explains to the IT team that attackers could exploit these unnecessary services to gain unauthorized access to the server.
Which hardening measure should the IT team implement to mitigate this risk?
A financial institution in San Francisco suffers a breach where attackers install malware that captures customer account credentials. The stolen data is then sold on underground forums for profit. No political or social statements are made, and the attackers remain anonymous while continuing to target similar organizations for financial gain. Based on this activity, what category of hacker is most likely responsible?
During a penetration test at Cascade Financial in Raleigh, ethical hacker Ethan Brooks evaluates the security of the company ' s authentication system. He observes that the application accepts a high volume of repeated credential submissions without introducing any additional challenge, allowing automated scripts to cycle rapidly through large password lists. Ethan advises the IT team to deploy a control that forces interaction steps designed to disrupt automation.
Which countermeasure should the IT team adopt in this scenario?
An attacker extracts the initial bytes from an encrypted file container and uses a tool to iterate through numeric combinations. What type of cryptanalytic technique is being utilized?
A multinational company plans to deploy an IoT-based environmental control system across global manufacturing units. The security team must identify the most likely attack vector an Advanced Persistent Threat (APT) group would use to compromise the system. What is the most plausible method?
A Windows system shows LSASS memory access by unknown processes. What attack is likely?
On a busy Monday morning at Horizon Financial Services in Chicago, accounts assistant Clara Nguyen receives an email that appears to come from the company ' s IT department. The email, addressed specifically to Clara and mentioning her role in the accounts team, warns of a critical system vulnerability requiring immediate action. It includes a link to a login page resembling the company ' s internal portal, urging her to update her credentials to prevent account suspension. The email ' s sender address looks legitimate, but Clara notices a slight misspelling in the domain name.
What social engineering technique is being attempted against Clara?
You are a wireless auditor at SeaFront Labs in San Diego, California, engaged to review the radio-layer protections used by a biotech research facility. While capturing traffic in monitor mode, you observe frames that include a CCMP-like header and AES-based encryption, and you note the use of a four-way handshake with a packet number (PN) for replay protection — features that were introduced to replace older TKIP/RC4 approaches. Based on these observed characteristics, which wireless encryption protocol is the access point most likely using?
A cybersecurity company wants to prevent attackers from gaining information about its encrypted traffic patterns. Which of the following cryptographic algorithms should they utilize?
At a cybersecurity consultancy firm in Boston, senior analyst Amanda Liu is called in to assess a malware outbreak affecting a regional healthcare provider. Despite using updated antivirus tools, the security team notices inconsistent detection across infected endpoints. Amanda discovers that while the malicious behavior is consistent, system file tampering and suspicious outbound traffic, each malware sample has a slightly different code structure and fails traditional hash-based comparison. Static analysis reveals that the underlying logic remains unchanged, but the code patterns vary unpredictably across infections. What type of virus is most likely responsible for this behavior?
Which method best bypasses client-side controls without triggering server-side alarms?
In Austin, Texas, ethical hacker Liam Carter is hired by Lone Star Healthcare to probe the defenses of their patient data network. During his penetration test, Liam aims to bypass the hospital’s firewall protecting a medical records server. To do so, he uses a tool to craft custom network packets, carefully designing their headers to slip past the firewall’s filtering rules. His goal is to demonstrate how an attacker could infiltrate the system, exposing vulnerabilities for the security team to address.
Which tool is Liam using to bypass Lone Star Healthcare’s firewall during his penetration test?
Joe, a cybersecurity analyst at XYZ-FinTech, has been assigned to perform a quarterly vulnerability assessment across the organization ' s Windows-based servers and employee workstations. His objective is to detect issues such as software configuration errors, incorrect registry or file permissions, native configuration table problems, and other system-level misconfigurations. He is instructed to log into each system using valid credentials to ensure comprehensive data collection. Based on this assignment, which type of vulnerability scanning should Joe perform?
Prior to a federal audit, a cybersecurity consulting firm conducted an exposure review for a software company in Salt Lake City, Utah. The engagement focused on evaluating infrastructure reachable through the organization’s publicly registered domain records. The consultants identified open service ports on several servers, examined their patch levels for outdated components, and reviewed available DNS zone information to understand how systems were presented to remote systems. Based on the activities described, what type of vulnerability scanning is being performed?
Which advanced evasion technique poses the greatest challenge to detect and mitigate?
An attacker, using a rogue wireless AP, performed an MITM attack and injected an HTML code to embed a malicious applet in all HTTP connections. When users accessed any page, the applet ran and exploited many machines. Which one of the following tools the hacker probably used to inject HTML code?
During a red team engagement at Apex Biotech in Dallas, ethical hacker Rachel calls the company ' s HR desk pretending to be Mark Stevens, a senior finance manager. She pressures the HR staffer by citing his “upcoming presentation for the CFO” and insists he urgently needs a copy of the updated employee benefits spreadsheet. The staffer feels compelled to help due to Rachel’s convincing manner and authoritative tone.
Which social engineering technique is Rachel demonstrating in this exercise?
A penetration tester gains access to a target system through a vulnerability in a third-party software application. What is the most effective next step to take to gain full control over the system?
During a security compliance audit at Nexus Tech Solutions in Boston, Massachusetts, the ethical hacking team launches a controlled social engineering exercise to assess help desk vulnerabilities. Ethical hacker Rachel Kim calls the company ' s help desk, posing as a stressed employee named Laura Bennett from the marketing department. Rachel claims her laptop is running slowly and offers to share her login credentials if the help desk can provide a quick fix to meet a tight project deadline. The call is designed to test whether help desk staff follow proper verification protocols or fall for the offer of credentials in exchange for assistance.
What social engineering technique is Rachel employing in this exercise?
A regional insurance claims platform in Sacramento, California is protected by a web application firewall that evaluates inbound requests for suspicious query structures. During an authorized assessment, a tester observes that conventional injection attempts are consistently rejected.
The tester then adjusts the format and composition of the request while preserving its intended database behavior. After this modification, the request passes through the filtering mechanism and is processed by the backend system without disruption.
Which firewall evasion technique is being demonstrated?
During a security penetration test at Sterling Manufacturing in Cleveland, Ohio, the ethical hacking team evaluates the company ' s physical security controls. On a chilly evening in July 2025, ethical hacker Priya Desai, posing as a facilities contractor, accesses the company ' s loading dock area after regular business hours. Behind the employee entrance, she comes across an unsecured maintenance container with discarded packaging, shipping labels, and shredded office material. Among the clutter, Priya retrieves a crumpled document listing temporary access codes for the employee break room, along with a partially shredded memo referencing an upcoming audit. The exercise tests whether sensitive information discarded improperly can be exploited. The next day, Priya uses the recovered access codes to enter the break room undetected during a shift change, logging her entry on a controlled test system to simulate a breach.
What social engineering technique is Priya ' s exercise primarily simulating?
You have successfully compromised a server having an IP address of 10.10.0.5. You would like to enumerate all machines in the same network quickly. What is the best Nmap command you will use?
You are a penetration tester hired to evaluate the security posture of a regional manufacturing company’s network devices. During your assessment, you discover that one of the core routers allows external administrative access without requiring a password. Additionally, the router communicates with other devices using a protocol that does not provide encryption or validation. Based solely on these observations, which of the following network device vulnerabilities is most clearly present?
A penetration tester identifies that a web application ' s login form is not using secure password hashing mechanisms, allowing attackers to steal passwords if the database is compromised. What is the best approach to exploit this vulnerability?
Following reports of inconsistent IP-to-MAC mappings on an internal access switch at a manufacturing company in Detroit, Michigan, the network security team enabled additional validation controls.
Soon afterward, the switch began automatically discarding certain ARP replies that did not match previously recorded IP address assignments. Log entries indicated that packets were being denied due to validation failures tied to existing address-to-port mappings learned earlier from legitimate host configuration traffic.
Which switch-level security feature is most likely responsible for enforcing this ARP validation behavior?
Sarah, an ethical hacker at a San Francisco-based financial firm, is testing the security of their customer database after a recent data exposure incident. Her analysis reveals that the sensitive client information is safeguarded using a symmetric encryption algorithm. She observes that the algorithm processes data in 64-bit blocks and supports a variable key size from 32 to 448 bits. During her penetration test, Sarah intercepts a ciphertext transmission and notes that the encryption was developed as a replacement for DES, an older algorithm. She aims to determine if the algorithm’s flexible key size could be susceptible to brute-force attacks. The algorithm is also noted for its use in secure storage, a critical application for the firm’s data protection.
Which symmetric encryption algorithm should Sarah identify as the one used by the firm?
A penetration tester performs a vulnerability scan on a company’s web server and identifies several medium-risk vulnerabilities related to misconfigured settings. What should the tester do to verify the vulnerabilities?
Cyber experts conducting covert missions exclusively for national interests are best classified as:
One customer’s malicious activity impacts other tenants. Which control would best prevent this?
Ethical hacker Ryan Brooks, a skilled penetration tester from Austin, Texas, was hired by Skyline Aeronautics, a leading aerospace firm in Denver, to conduct a security assessment. One stormy morning, Ryan noticed an unexpected lag in the routine system update process while running his tests, sparking his curiosity. During a late-night session, he observed a junior analyst, Chris Miller, cautiously modifying a legacy server’s configuration, including a scheduled task set to a specific date. The lead developer, Jessica Hayes, casually mentioned receiving an odd email from an unfamiliar source, which she ignored as clutter. As Ryan probed deeper, he detected a faint increase in network activity only after the scheduled date passed, and a systems admin, Mark Thompson, quickly pointed out some unusual code traces on a dormant workstation.
Which type of threat best characterizes this attack?
During an authorized security assessment of a smart thermostat manufacturer in Denver, Colorado, a certified ethical hacker receives a firmware image extracted from a production device for further evaluation.
The tester begins by examining the binary file to determine its format and architecture. Basic inspection commands are executed against the image to review embedded human-readable content and observe low-level binary structure before proceeding with deeper analysis.
Within the firmware analysis workflow, which stage is the tester performing?
Which of the following is the most important step for the ethical hacker to perform during the pre-assessment?
During a red team test, a web application dynamically builds SQL queries using a numeric URL parameter. The tester sends the following request:
http://vulnerableapp.local/view.php?id=1; DROP TABLE users;
The application throws errors and the users table is deleted. Which SQL injection technique was used?
A technology consulting firm in Portland, Oregon began experiencing repeated topology recalculations across its switching infrastructure. Shortly after a newly connected device came online in a conference room, spanning-tree convergence events were triggered across multiple distribution switches.
Engineers determined that the access-layer interface connected to that device was influencing path-selection decisions, introducing a more favorable bridge priority value into the environment and affecting the established hierarchy.
To preserve the intended switching structure and prevent unauthorized devices from altering root selection decisions, which control should be employed?
You are an ethical hacker at ShieldPoint Security, hired by Pinecrest Travel Agency in Orlando, Florida, to perform a penetration test on their flight booking portal. During testing, you notice that normal SQL injection attempts are blocked by a security filter. To bypass it, you adjust your input so that key SQL keywords are broken apart with unexpected symbols, allowing the database to interpret them correctly while evading the filter. This manipulation allows you to retrieve hidden booking records despite the filter ' s restrictions. Based on the observed behavior, which SQL injection evasion technique are you employing?
You are a cybersecurity consultant at FortiSec, advising DesertTech Innovations in Phoenix, Arizona. The company wants to modernize its Wi-Fi so that even if an attacker obtains a captured handshake or a weak passphrase, they cannot perform offline dictionary attacks or recover session keys; management also wants stronger, per-session encryption and protection for IoT devices without relying on a single shared password.
Which wireless security measure should DesertTech implement to meet these goals?
A cybersecurity consultant suspects attackers are attempting to evade an Intrusion Detection System (IDS). Which technique is most likely being used?
During an assessment for a tech company in Seattle, Washington, an ethical hacker seeks to uncover details about the organization’s domain ownership to identify potential points of contact. She uses an online service to retrieve publicly available records without direct interaction with the target. Which method is she most likely employing to achieve this?
You are Maya, a security engineer at HarborPoint Cloud Services in Chicago, Illinois, performing a post-incident hardening review after an internal audit flagged multiple services that rely on legacy public-key algorithms. The engineering team must prioritize actions company-wide to reduce long-term risk from future quantum-capable adversaries while development continues on a large refactor of several services. Which proactive control should Maya recommend as the highest-priority change to embed into the organization ' s development lifecycle to improve future resistance to quantum-based attacks?
During a red team engagement at a retail company in Atlanta, ethical hacker James crafts a session with the company ' s shopping portal and deliberately shares that session ID with an unsuspecting employee by embedding it in a link. When the employee clicks and logs in, their activity is bound to the attacker ' s pre-assigned session. Later, James retrieves the employee ' s input from that same session to demonstrate the flaw to management.
Which session hijacking technique is James most likely using?
After installing a backdoor on a web server, what action best ensures it remains undetected?
A logistics technology provider in Kansas City, Missouri conducts an internal review after an ethical hacker demonstrates several recurring input-handling weaknesses across different customer-facing web applications. The findings show that validation logic varies between modules, with many controls implemented inconsistently across components developed by separate teams.
Although immediate patches are applied to address the identified flaws, similar issues have surfaced in previous platform iterations despite corrective updates. Leadership determines that isolated fixes are insufficient and initiates an effort to standardize how security requirements are defined and incorporated across future development initiatives.
Based on the web application attack countermeasures, which category best aligns with this remediation approach?
During a penetration test at a retail company in Seattle, Washington, an ethical hacker needs to disguise her scans so they appear to originate from a specific hardware vendor. The organization uses MAC-based logging, and by assigning a vendor-associated identifier, she can make her traffic blend in with legitimate devices on the network. Which Nmap command should she use to achieve this?
A university authorizes a wireless protocol resilience assessment on its WPA2-secured network. An ethical hacker positions a testing device within range of an access point and observes the key negotiation exchange between the client and the access point.
By selectively retransmitting a previously captured handshake message at a precise moment in the exchange, the tester causes the client device to reinstall an already negotiated encryption key. Subsequent traffic patterns reveal that certain protections expected from unique session parameters are no longer consistently enforced.
What kind of wireless attack technique is being illustrated in this scenario?
At a financial headquarters in Denver, Colorado, ethical hacker Jordan Lee moves beyond cataloging IoT devices and begins testing them for weaknesses. He runs specialized tools against smart lighting and HVAC systems to check for outdated firmware, default passwords, and open service ports. Which step of the IoT hacking methodology is Jordan carrying out?
An ethical hacker conducts testing with full knowledge and permission. What type of hacking is this?
A penetration tester is attacking a wireless network running WPA3 encryption. Since WPA3 handshake protections prevent offline brute-force cracking, what is the most effective approach?
Michael, an ethical hacker at a New York-based e-commerce company, is evaluating the security of their online payment system after a recent incident where fraudulent transactions went undetected. His investigation reveals that the system uses an asymmetric encryption algorithm to ensure the authenticity of payment confirmations. He finds that the algorithm employs a public-key cryptosystem, where the sender signs the transaction with a private key, and the recipient verifies it using a corresponding public key located in a directory. During his test, Michael intercepts a signed message and notices that the algorithm supports modular exponentiation for generating digital signatures, a process critical to verifying the identity of the signatory. He aims to assess if the algorithm ' s configuration could be vulnerable to a meet-in-the-middle attack due to its key structure. Which asymmetric encryption algorithm should Michael identify as the one used by the payment system?
During an internal audit at a financial services firm in Mumbai, ethical hacker Meera was tasked with assessing lateral movement risks within the Windows-based domain environment. While monitoring internal network traffic, she noticed a strange broadcast from a workstation trying to resolve a non-existent host. Suspecting protocol-level weakness, she responded swiftly using a pre-configured system. A few minutes later, she captured NTLMv2 hashes from several authenticated sessions across multiple departments. Later, her team successfully cracked one of the hashes offline and used the credentials to gain access to a sensitive internal reporting server. Which type of attack did Meera most likely execute?
During a red team engagement at a manufacturing company in Dallas, penetration tester Tyler gains access to a Windows workstation. Later in the exercise, he reviews his exfiltrated logs and finds detailed records of employee logins, email drafts, and sensitive data entered into desktop applications. The collection occurred without requiring browser injection or physical device access, and no kernel drivers were installed.
Which type of keylogger did Tyler most likely deploy?
During an internal assessment, a penetration tester gains access to a hash dump containing NTLM password hashes from a compromised Windows system. To crack the passwords efficiently, the tester uses a high-performance CPU setup with Hashcat, attempting millions of password combinations per second. Which technique is being optimized in this scenario?
During a penetration test at Cascade Financial in Seattle, ethical hacker Elena Vasquez probes the input handling of the company ' s web server. She discovers that a single crafted request is processed as two separate ones, allowing her to inject malicious data into the server ' s communication. This type of attack falls into the same category of input validation flaws as cross-site scripting (XSS), cross-site request forgery (CSRF), and SQL injection. Which type of web server attack is Elena most likely demonstrating?
You are an ethical hacker at HorizonSec Consulting, hired by Liberty Insurance in Philadelphia, Pennsylvania, to test the resilience of their online claim submission portal. During testing, you modify the claim ID parameter in the URL with conditions such as AND and AND 1=2. When the first condition is used, the portal displays claim details as normal; when the second condition is used, the page displays no results. You repeat this process to determine how the application responds to true and false conditions without error messages or delays.
Based on the observed behavior, which SQL injection technique are you employing?
A system administrator observes that several machines in the network are repeatedly sending out traffic to unknown IP addresses. Upon inspection, these machines were part of a coordinated spam campaign. What is the most probable cause?
A security researcher reviewing an organization ' s website source code finds references to Amazon S3 file locations. What is the most effective way to identify additional publicly accessible S3 bucket URLs used by the target?
In the rainy streets of Portland, Oregon, ethical hacker Ethan Brooks delves into the security layers of ShopSwift, a US-based e-commerce platform reeling from a recent data breach. Tasked with uncovering the method behind unauthorized account takeovers, Ethan examines login patterns across the platform ' s user base. His investigation reveals a surge of automated login activity across multiple accounts, with a suspiciously high success rate. Determined to trace the root cause, Ethan compiles a detailed log to assist ShopSwift ' s security team in restoring trust.
Which attack method is Ethan most likely uncovering in ShopSwift’s authentication system?
You are Sofia Patel, an ethical hacker at Nexus Security Labs, hired to test the mobile device security of Bayview University in San Francisco, California. During your assessment, you are given an Android 11-based Samsung Galaxy Tab S6 with USB debugging disabled and OEM unlock restrictions in place. To simulate an attacker attempting to gain privileged access, you install a mobile application that exploits a system vulnerability to gain root access directly on the device without requiring a PC. This allows you to bypass OS restrictions and retrieve sensitive research data. Based on this method, which Android rooting tool are you using?
At a Los Angeles-based online gaming company, penetration tester John investigates a recent cloud breach that caused downtime and delayed alerts. He finds that the root issue was management ' s lack of defined responsibilities for monitoring, auditing, and securing serverless services, which left critical functions unmanaged. Which cloud computing threat does this scenario best illustrate?
A penetration tester is assessing the security of a corporate wireless network that uses WPA2-Enterprise encryption with RADIUS authentication. The tester wants to perform a man-in-the-middle attack by tricking wireless clients into connecting to a rogue access point. What is the most effective method to achieve this?
During a security review for a healthcare provider in Denver, Colorado, Ava examines the header of a suspicious message to map the sender ' s outbound email infrastructure. Her goal is to identify which specific system on the sender ' s side processed the message so the team can understand where the transmission originated within that environment. Which detail from the email header should she examine to determine this?
A network administrator reviews logs and observes that an attacker sends packets requesting the target system’s internal clock value. The response includes timing information that can be used to calculate round-trip delay and analyze host characteristics.
What host discovery technique is being used in this scenario?
You are Emma Rodriguez, an ethical hacker at SecurePath Solutions, hired to test the mobile application security of Sterling & Associates, a law firm in New York City. During a covert assessment, your objective is to simulate an attacker attempting to exploit vulnerabilities in the firm’s client case management app. You discover that the app stores user credentials in plain text on the device, enabling you to extract sensitive client login information using a rooted device. Based on this finding, which OWASP Top 10 Mobile Risk are you identifying in the app?
Which advanced session hijacking technique is hardest to detect and mitigate in a remote-access environment?
Which of the following tools is used to analyze the files produced by several packet-capture programs such as tcpdump, WinDump, Wireshark, and EtherPeek?
“ShadowFlee” is fileless malware using PowerShell and legitimate tools. Which strategy offers the most focused countermeasure?
An ethical hacker is conducting a penetration test on a company’s network with full knowledge and permission from the organization. What is this type of hacking called?
During a post-exploitation phase on a compromised finance department workstation, ethical hacker Anika uses her Meterpreter session to extract sensitive credential data. After running a command, she receives a long list of alphanumeric strings representing LM and NTLM values. These outputs are later transferred to a cracking rig for offline password recovery, allowing the red team to simulate credential theft across multiple systems.
Which Meterpreter command most likely produced these results?
CEH v13 |