Summer Certification Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: cramtick70

312-50v13 Certified Ethical Hacker Exam (CEHv13) Questions and Answers

Questions 4

An attacker abuses PowerShell heavily. Which log helps most?

Options:

A.

DNS logs

B.

Firewall logs

C.

Syslog

D.

PowerShell script block logs

Buy Now
Questions 5

You are an ethical hacker at Nexus Cybersecurity, contracted to perform a penetration test for BlueRidge Retail, a US-based e-commerce company in Atlanta, Georgia. While testing their online store’s product search page, you attempt to inject a malicious query into the URL to extract customer data. The application is protected by a web application firewall WAF that blocks standard SQL injection attempts. To bypass this, you modify your input to split the query into multiple parts, ensuring the malicious instructions are not detected as a single signature. For example, you craft the URL as products.php?id=1+UNION+SE+LECT+1,2, which successfully retrieves unauthorized data. Based on the observed behavior, which SQL injection evasion technique are you employing?

Options:

A.

Hex Encoding

B.

String Concatenation

C.

In-line Comment

D.

Null Byte

Buy Now
Questions 6

Targeted, logic-based credential guessing using prior intel best describes which technique?

Options:

A.

Strategic pattern-based input using known logic

B.

Exhaustive brute-force testing

C.

Shoulder surfing

D.

Rule-less hybrid attack

Buy Now
Questions 7

You have been asked to perform a penetration test for a local company. You have had several meetings with the client and are now almost ready to begin the assessment. Which of the following is the document that would contain verbiage which describes what type of testing is allowed and when you will perform testing and limits your liabilities as a penetration tester?

Options:

A.

Project scope

B.

Nondisclosure agreement

C.

Service-level agreement

D.

Rules of engagement

Buy Now
Questions 8

During a forensic log review at a satellite communications provider in Denver, Colorado, cybersecurity analyst Kevin Morales identified subtle timestamp irregularities in archived telemetry records. Although the discrepancies were minor, regulatory reporting standards required confirmation that the system clock was synchronizing correctly with its configured time sources.

Kevin needed to interact directly with the host’s running time service to review its current associations and operational state. He was not attempting to reset the clock or trace the hierarchy of upstream time authorities, but rather to query the active service for detailed status information from the target machine.

Identify the command Kevin should execute to obtain this information.

Options:

A.

ntptrace [-n] [-m maxhosts] [servername/IP address]

B.

ntpq [-inp] [-c command] [host] [...]

C.

ntpdc [-ilnps] [-c command] [host] [...]

D.

ntpq -p [host]

Buy Now
Questions 9

During a recent security assessment, you discover the organization has one Domain Name Server (DNS) in a Demilitarized Zone (DMZ) and a second DNS server on the internal network. What is this type of DNS configuration commonly called?

Options:

A.

DNS Scheme

B.

DNSSEC

C.

DynDNS

D.

Split DNS

Buy Now
Questions 10

You are an ethical hacker at Sentinel Cyberworks, engaged to assess the wireless defenses of HarborTrust Bank in Portland, Oregon. During your assessment, the security team shows you a production system that continuously places selected APs into a passive scan mode, aggregates alarms from multiple wireless controllers into a central engine for forensic storage, and can automatically apply countermeasures (for example, time-sliced channel scanning and remote configuration changes) across the campus when it classifies a nearby device as malicious. Based on the described capabilities, which Wi-Fi security solution is this most consistent with?

Options:

A.

WatchGuard Wi-Fi Cloud WIPS

B.

RFProtect

C.

Fern WiFi Cracker

D.

Cisco Adaptive Wireless IPS

Buy Now
Questions 11

As part of an insider threat simulation at a multinational insurance firm, lead red teamer John is asked to assess whether internal directory services are exposing sensitive user data. Gaining limited VPN access, he begins probing port 389 on a staging environment connected to the main domain infrastructure. After discovering that anonymous binds are accepted by the directory service, John launches a utility from his Kali machine that allows command-line interaction with directory entries. He structures his query to search for user objects with associated organizational units. Moments later, John reviews the output which includes usernames, group memberships, and departmental hierarchies all retrieved without authentication.

Which tool is John MOST likely using to perform this enumeration?

Options:

Buy Now
Questions 12

During a red team operation for XYZ Financial Services, security analyst Lily Jensen is assigned to scan a critical subnet that is protected by an IDS. Her initial scan attempt is immediately flagged and blocked. To evade detection while continuing reconnaissance, she adjusts the scanning configuration to include multiple spoofed IP addresses alongside her own. This makes it difficult for network defenses to isolate her real scanning activity, while still allowing her to receive accurate results.

Which scanning technique is Lily using?

Options:

A.

SYN FIN Scanning

B.

Source Routing

C.

IP Spoofing

D.

Decoy Scanning

Buy Now
Questions 13

An e-commerce platform hosted on a public cloud infrastructure begins to experience significant latency and timeouts. Logs show thousands of HTTP connections sending headers extremely slowly and never completing the full request. What DoS technique is most likely responsible?

Options:

A.

Slowloris holding web server connections

B.

Fragmentation flood attack

C.

UDP application-layer flooding

D.

SYN flood with spoofed source IPs

Buy Now
Questions 14

A penetration tester is tasked with assessing the security of a smart home IoT device that communicates with a mobile app over an unencrypted connection. The tester wants to intercept the communication and extract sensitive information. What is the most effective approach to exploit this vulnerability?

Options:

A.

Perform a brute-force attack on the device ' s Wi-Fi credentials

B.

Use a man-in-the-middle (MitM) attack to intercept and analyze the unencrypted traffic

C.

Execute a SQL injection attack on the IoT device’s cloud management portal

D.

Use a dictionary attack to guess the admin login credentials of the device

Buy Now
Questions 15

Which vulnerability exploits memory corruption?

Options:

A.

XSS

B.

Buffer overflow

C.

CSRF

D.

SQLi

Buy Now
Questions 16

A malware analyst is tasked with evaluating a suspicious PDF file suspected of launching attacks through embedded JavaScript. Initial scans using pdfid show the presence of /JavaScript and /OpenAction keywords. What should the analyst do next to understand the potential impact?

Options:

A.

Upload the file to VirusTotal and rely on engine consensus

B.

Disassemble the PDF using PE Explorer

C.

Extract and analyze stream objects using PDFStreamDumper

D.

Compute file hashes using HashMyFiles for signature matching

Buy Now
Questions 17

During a security assessment of a fintech startup in San Francisco, ethical hacker Michael analyzes the company ' s cloud platform. He observes that the system automates deployment, scaling, service discovery, and workload management across multiple nodes, ensuring smooth operation of critical services without requiring manual coordination. Which Kubernetes capability is primarily responsible for these functions?

Options:

A.

Kube-controller-manager

B.

Self-healing

C.

Container orchestration

D.

Container vulnerabilities

Buy Now
Questions 18

A city utility billing portal in Raleigh, North Carolina includes a search field used to retrieve customer records. During an authorized penetration test, an assessor submits repeated instances of a character commonly interpreted within SQL statements as part of the input value.

The application does not display detailed error messages, yet certain submissions result in irregular response behavior and partial rendering of results. The tester suspects the input may be affecting how the SQL command is internally constructed.

Which black-box testing technique is being applied?

Options:

A.

Sending special characters to detect SQL modification behavior

B.

Sending arbitrary data to detect truncation issues

C.

Using right square bracket characters to detect identifier handling issues

D.

Sending isolated quotation characters to detect unsanitized input

Buy Now
Questions 19

A financial institution in Chicago deploys an internal HTTPS-based customer portal that uses response compression to optimize bandwidth. During an authorized security assessment, a tester gains a vantage point along the communication path between internal clients and the gateway device.

By repeatedly initiating controlled requests and analyzing subtle differences in encrypted response sizes, the tester correlates variations in compressed output with specific input patterns. Over time, this analysis enables extraction of portions of a protected authentication value transmitted within the secure channel.

Which session hijacking technique best describes this activity?

Options:

A.

Forbidden Attack

B.

CRIME Attack

C.

Man-in-the-Browser (MITB) Attack

D.

Man-in-the-Middle (MITM) Attack

Buy Now
Questions 20

A web server is overwhelmed by many slow, incomplete HTTP connections. What attack is occurring?

Options:

A.

Slowloris attack

B.

ICMP flood

C.

UDP flood

D.

Fragmentation attack

Buy Now
Questions 21

During an internal red team engagement at Orion Tech Labs, a leading software firm in Austin, Texas, ethical hacker Emily Carter was tasked with evaluating the resilience of the organization ' s software deployment processes. Knowing that the finance team frequently downloaded utility tools for generating PDFs, she repackaged a trusted PDF converter installer with a secondary payload. When an employee executed the installer, the converter installed and functioned normally, but in the background, a hidden executable silently initiated outbound network communication. The user remained unaware of any suspicious activity.

Which technique did Emily most likely use to ensure the malware executed alongside the legitimate application?

Options:

A.

Downloader

B.

Packer

C.

Dropper

D.

Wrapper

Buy Now
Questions 22

You are an ethical hacker at Titan Cyber Defense, hired by BrightWave Publishing in New York City to assess the security of their content management system (CMS). While testing the article search function, you input malformed strings such as multiple single quotes. The application responds with system feedback that unexpectedly reveals the database type and internal query structure, including table and column information. You use these disclosures to better understand how the backend query is built.

Which of the following methods to detect SQL injection are you employing?

Options:

A.

Function Testing

B.

Testing String

C.

Dynamic Testing

D.

Fuzz Testing

Buy Now
Questions 23

During a targeted phishing campaign, a malicious HTML attachment reconstructs malware locally using obfuscated JavaScript without making external network calls, bypassing firewalls and IDS inspection. Which evasion technique is being employed?

Options:

A.

HTML smuggling

B.

Port forwarding

C.

Cross-site scripting

D.

HTTP header spoofing

Buy Now
Questions 24

As a cybersecurity professional at XYZ Corporation, you are tasked with investigating anomalies in system logs that suggest potential unauthorized activity. System administrators have detected repeated failed login attempts on a critical server, followed by a sudden surge in outbound data traffic. These indicators suggest a possible compromise. Given the sensitive nature of the system and the sophistication of the threat, what should be your initial course of action?

Options:

A.

Conduct real-time monitoring of the server, analyze logs for abnormal patterns, and identify the nature of the activity to formulate immediate countermeasures.

B.

Conduct a comprehensive audit of all outbound traffic and analyze destination IP addresses to map the attacker’s network.

C.

Immediately reset all server credentials and instruct all users to change their passwords.

D.

Immediately disconnect the affected server from the network to prevent further data exfiltration.

Buy Now
Questions 25

Bob received this text message on his mobile phone: “Hello, this is Scott Smelby from the Yahoo Bank. Kindly contact me for a vital transaction on: scottsmelby@yahoo.com”. Which statement below is true?

Options:

A.

This is a scam because Bob does not know Scott.

B.

This is probably a legitimate message as it comes from a respectable organization.

C.

Bob should write to scottsmelby@yahoo.com to verify the identity of Scott.

D.

This is a scam as everybody can get a @yahoo address, not the Yahoo customer service employees.

Buy Now
Questions 26

During an external security review of a manufacturing firm in Detroit, Michigan, you ' re asked to prioritize patch baselines for internet-facing servers without logging in or establishing full sessions. To achieve this, you analyze network-level responses and capture application output in order to determine the underlying system and its software release. Which technique best fits this objective?

Options:

A.

Service Version Discovery

B.

Port Scanning

C.

OS Discovery

D.

Vulnerability Scanning

Buy Now
Questions 27

During a strategic security briefing at Meridian Global Analytics in Washington, D.C., executives review a series of coordinated activities targeting national infrastructure. These activities include manipulating digital media to influence public perception, disrupting communication networks, and degrading critical systems to weaken institutional stability without direct conventional military engagement. What form of conflict best describes this type of coordinated activity?

Options:

A.

Cyberterrorism

B.

Hacktivism

C.

Cyber espionage

D.

Information warfare

Buy Now
Questions 28

A regional healthcare provider in Portland, Oregon, recently migrated its patient scheduling portal to a new cloud platform. Within days, multiple patients reported that when searching online for the clinic ' s appointment system, they were directed to a website that looked identical to the official portal. The fraudulent page appeared prominently in search engine results and prompted users to log in using their patient credentials. The URL closely resembled the legitimate domain name, and no internal DNS servers had been altered within the organization ' s infrastructure. Security analysts later determined that the attacker had created a convincing replica of the portal and manipulated search visibility so that unsuspecting users would voluntarily navigate to the malicious site. Which type of social engineering technique best explains this attack?

Options:

A.

Whaling

B.

Pharming

C.

Spear Phishing

D.

Search Engine Phishing

Buy Now
Questions 29

Maria is conducting passive reconnaissance on a competitor without interacting with their systems. Which method would be least appropriate and potentially risky?

Options:

A.

Using the Wayback Machine

B.

Running an intensive port scan on public IPs

C.

Reviewing forums and social media

D.

Examining patent databases and public records

Buy Now
Questions 30

Why is using Google Hacking justified during passive footprinting?

Options:

A.

Identifying weaknesses in website source code

B.

Locating phishing sites mimicking the organization

C.

Mapping internal network structures

D.

Discovering hidden organizational data indexed by search engines

Buy Now
Questions 31

A financial services firm is experiencing a sophisticated DoS attack on their DNS servers using DNS amplification and on their web servers using HTTP floods. Traditional firewall rules and IDS are failing to mitigate the attack effectively. To protect their infrastructure without impacting legitimate users, which advanced mitigation strategy should the firm implement?

Options:

A.

Increase server capacity and implement simple rate limiting

B.

Block all incoming traffic from suspicious IP ranges using access control lists

C.

Deploy a Web Application Firewall (WAF) to filter HTTP traffic

D.

Utilize a cloud-based DDoS protection service with traffic scrubbing capabilities

Buy Now
Questions 32

A city’s power management system relies on SCADA infrastructure. Recent anomalies include inconsistent sensor readings and intermittent outages. Security analysts suspect a side-channel attack designed to extract sensitive information covertly from SCADA devices. Which investigative technique would best confirm this type of attack?

Options:

A.

Measuring unusual physical or electrical fluctuations during device operation at the hardware level.

B.

Identifying weak cryptographic configurations in device communications.

C.

Assessing SCADA user interfaces for unauthorized access or misuse.

Buy Now
Questions 33

During a penetration test at a technology startup in Austin, Texas, an ethical hacker is tasked with evaluating defenses against stealthy scanning techniques. She selects an approach that involves sending TCP packets with no flags, relying on the way target systems respond to infer whether ports are open or closed. This allows her to remain less visible to intrusion detection systems compared to a full handshake. Which scanning method is she using?

Options:

A.

TCP Connect Scan

B.

FIN Scan

C.

NULL Scan

D.

ACK Scan

Buy Now
Questions 34

A cloud storage provider discovers that an unauthorized party obtained a complete backup of encrypted database files containing archived client communications. The attacker did not compromise the encryption keys, nor is there evidence that any original plaintext records were exposed.

A forensic cryptography specialist reviewing the breach considers the possibility that the adversary is attempting to analyze the encrypted data in isolation, searching for statistical irregularities or structural repetition within the encrypted output to infer meaningful information.

To properly assess the organization’s exposure, the specialist must determine which cryptanalytic approach best matches an attack conducted using only the intercepted encrypted data.

Options:

A.

Chosen-Ciphertext Attack

B.

Known-Plaintext Attack

C.

Chosen-Plaintext Attack

D.

Ciphertext-Only Attack

Buy Now
Questions 35

A technology consulting firm in Portland, Oregon began experiencing repeated topology recalculations across its switching infrastructure. Shortly after a newly connected device came online in a conference room, spanning-tree convergence events were triggered across multiple distribution switches. Engineers determined that the access-layer interface connected to that device was influencing path-selection decisions, introducing a more favorable bridge priority value into the environment and affecting the established hierarchy. To preserve the intended switching structure and prevent unauthorized devices from altering root selection decisions, which control should be employed?

Options:

A.

Configuring Loop Guard on non-designated ports

B.

Activating UDLD (Unidirectional Link Detection) on uplinks

C.

Applying Root Guard on designated interfaces

D.

Enabling BPDU Guard on edge ports

Buy Now
Questions 36

A Nessus scan reports a CVSS 9.0 SSH vulnerability allowing remote code execution. What should be immediately prioritized?

Options:

A.

Apply the vendor patch and reboot during maintenance

B.

Dismiss it as a false positive if unverified

C.

Reroute SSH traffic to another server

D.

Isolate the server, audit it, and apply patches

Buy Now
Questions 37

Your company performs PCI-DSS audits and penetration testing for third-party clients. During an approved pen test you have discovered a folder on an employee ' s computer that appears to have hundreds of credit card numbers and other forms of personally identifiable information (PII). Which of the following is the best course of action?

Options:

A.

Make a copy of the data and store it on your local machine.

B.

Stop the pen test immediately and contact management.

C.

Continue the pen test and include this information in your report.

D.

Contact the employee and ask why they have the data.

Buy Now
Questions 38

During a covert assessment at a logistics company in Dallas, penetration tester Emily delivers a disguised attachment to test employee awareness. When a staff member opens the file, normal content appears, but behind the scenes the attacker quietly gains full access to the workstation. Over the following week, Emily monitors emails, keystrokes, and local files without alerting the user, confirming long-term stealthy control of the machine.

Which type of malware is most likely responsible for this activity?

Options:

A.

Remote Access Trojan (RAT)

B.

Botnet

C.

Adware

D.

Spyware

Buy Now
Questions 39

In an enterprise environment, the network security team detects unusual behavior suggesting advanced sniffing techniques exploiting legacy protocols to intercept sensitive communications. Which of the following sniffing-related techniques presents the greatest challenge to detect and neutralize, potentially compromising confidential enterprise data?

Options:

A.

Steganographic payload embedding within SMTP email headers

B.

Encrypted data extraction via HTTP header field overflows

C.

Covert data interception via X2S packet fragmentation

D.

Covert channel establishment through Modbus protocol manipulation

Buy Now
Questions 40

An attacker uses many plaintext–ciphertext pairs and applies statistical analysis to XOR combinations of specific bits. Which technique is being used?

Options:

A.

Brute-force attack

B.

Differential cryptanalysis

C.

Linear cryptanalysis

D.

Side-channel attack

Buy Now
Questions 41

At a private aerospace research facility in Mesa, Arizona, an executive raises concerns after sensitive discussion points from speakerphone meetings begin surfacing externally. The device shows no indicators of active audio recording, and application permission history does not reflect recent camera or microphone authorization changes.

A forensic mobile analysis identifies that an installed application has been continuously reading motion sensor output while the phone’s loudspeaker is active. The collected sensor data was later transmitted to a remote server, where acoustic characteristics were reconstructed from the recorded measurements.

Identify the attack technique responsible for this compromise.

Options:

A.

Camfecting

B.

StormBreaker Abuse

C.

Android Camera Hijack Attack

D.

Spearphone Attack

Buy Now
Questions 42

During a penetration test at IntelliCore Systems in Raleigh, North Carolina, ethical hacker Javier directs a wave of repetitive web requests against the company ' s portal that overloads backend scripts which process search queries and form submissions. As a result, legitimate customers experience long delays and occasional timeouts while attempting to log in or complete transactions.

Which DoS/DDoS technique is Javier most likely demonstrating?

Options:

A.

Slowloris

B.

UDP Flood

C.

Peer-to-Peer Attack

D.

HTTP GET/POST Attack

Buy Now
Questions 43

A Linux system allows passwordless sudo for multiple commands. What security principle is violated?

Options:

A.

Zero trust

B.

Defense in depth

C.

CIA

D.

Least privilege

Buy Now
Questions 44

A penetration tester evaluates a company ' s secure web application, which uses HTTPS, secure cookie flags, and strict session management to prevent session hijacking. To bypass these protections and hijack a legitimate user ' s session without detection, which advanced technique should the tester employ?

Options:

A.

Utilize a session fixation attack by forcing a known session ID during login

B.

Perform a Cross-Site Scripting (XSS) attack to steal the session token

C.

Exploit a timing side-channel vulnerability to predict session tokens

D.

Implement a Man-in-the-Middle (MitM) attack by compromising a trusted certificate authority

Buy Now
Questions 45

Steve, an attacker, created a fake profile on a social media website and sent a request to Stella. Stella was enthralled by Steve ' s profile picture and the description given for his profile, and she initiated a conversation with him soon after accepting the request. After a few days, Steve started asking about her company details and eventually gathered all the essential information regarding her company. What is the social engineering technique Steve employed in the above scenario?

Options:

A.

Honey trap

B.

Diversion theft

C.

Piggybacking

D.

Baiting

Buy Now
Questions 46

At Pinnacle Financial Services in Chicago, Illinois, ethical hacker Sarah Thompson is conducting a penetration test to evaluate the security of the company ' s online banking portal. During her assessment, Sarah positions herself on the internal network and uses a sniffer to capture traffic between a user’s browser and the banking server. She quietly collects session data, including user IDs and authentication tokens, without interfering with the ongoing communication. Later, she plans to use this information to impersonate a legitimate user in a controlled test environment to demonstrate potential risk to the bank’s IT team.

What type of session hijacking is Sarah performing during this phase of her penetration test?

Options:

A.

Session Fixation Attack

B.

Active Session Hijacking

C.

Man-in-the-browser Attack

D.

Passive Session Hijacking

Buy Now
Questions 47

An attacker has partial root access to a mobile application. What control best prevents further exploitation?

Options:

A.

Secure coding and automated reviews

B.

Certificate pinning

C.

Regular penetration testing

D.

Mobile Application Management (MAM)

Buy Now
Questions 48

Which payload is most effective for testing time-based blind SQL injection?

Options:

A.

AND 1=0 UNION ALL SELECT ' admin ' , ' admin

B.

UNION SELECT NULL, NULL, NULL --

C.

OR ' 1 ' = ' 1 ' ;

D.

AND BENCHMARK(5000000,ENCODE( ' test ' , ' test ' ))

Buy Now
Questions 49

A penetration tester is assessing a mobile application and discovers that the app is vulnerable to improper session management. The session tokens are not invalidated upon logout, allowing the tokens to be reused. What is the most effective way to exploit this vulnerability?

Options:

A.

Perform a replay attack by using the same session token after the user logs out

B.

Use a Cross-Site Request Forgery (CSRF) attack to steal the session tokens

C.

Use a brute-force attack to guess valid session tokens

D.

Execute a SQL injection attack to retrieve session tokens from the database

Buy Now
Questions 50

A fintech startup in Austin, Texas deploys several virtual machines within a public cloud environment. During an authorized cloud security assessment, a tester uploads a small script to one of the instances through a web application vulnerability. After executing the script locally on the instance, the tester retrieves temporary access credentials associated with the instance ' s assigned role. These credentials are then used to enumerate storage resources and access additional cloud services within the same account. Which cloud attack technique best corresponds to this activity?

Options:

A.

Cloud Snooper Attack

B.

Wrapping Attack

C.

IMDS Attack

D.

CP DoS Attack

Buy Now
Questions 51

You are Riley, an incident responder at NovaEx Crypto in San Antonio, Texas, tasked with investigating a recent double-spend reported by a retail merchant that accepts the exchange ' s token. Your telemetry shows that a reseller node used by the merchant received blocks only from a small, fixed set of peers for several hours and accepted a conflicting history that later allowed the attacker to reverse a confirmed payment. The attacker appears to have controlled which peers that node communicated with and supplied it a private chain until they were ready to reveal it. Which blockchain attack does this behavior most closely describe?

Options:

A.

Finney Attack

B.

DeFi Sandwich Attack

C.

51% Attack

D.

Eclipse Attack

Buy Now
Questions 52

A penetration tester is evaluating a secure web application that uses HTTPS, secure cookie flags, and regenerates session IDs only during specific user actions. To hijack a legitimate user ' s session without triggering security alerts, which advanced session hijacking technique should the tester employ?

Options:

A.

Perform a man-in-the-middle attack by exploiting certificate vulnerabilities

B.

Use a session fixation attack by setting a known session ID before the user logs in

C.

Conduct a session token prediction attack by analyzing session ID patterns

D.

Implement a Cross-Site Scripting (XSS) attack to steal session tokens

Buy Now
Questions 53

You are part of the red team assigned to evaluate the physical and social vulnerabilities of a government contractor’s office located in a metropolitan business hub. During your pretexting phase, you decide to simulate the role of a third-party IT technician.

Upon arrival, the receptionist allows you entry without verification, assuming you are there for scheduled printer maintenance. While moving through the workspace, you casually observe open terminals, unattended printouts, and discarded sticky notes at workstations. You later report several user credentials and partial access details acquired during this visit.

Which social engineering technique does this scenario best illustrate?

Options:

A.

Shoulder Surfing

B.

Eavesdropping

C.

Impersonation

D.

Dumpster Diving

Buy Now
Questions 54

During an authorized cloud security assessment for an e-commerce company based in Seattle, Washington, a certified ethical hacker gains temporary programmatic access to the organization’s cloud account. The tester focuses on identifying permission boundaries by querying the account to determine which identity entities are associated with attached policies and what level of access those identities possess across cloud resources. The objective is to understand privilege relationships before attempting any further controlled actions.

Which cloud reconnaissance activity best aligns with this effort?

Options:

A.

Enumerating IAM Roles

B.

Enumerating S3 Buckets

C.

Enumerating EC2 Instances

D.

Enumerating Serverless Resources

Buy Now
Questions 55

During a penetration test at Triangle FinTech in Raleigh, North Carolina, ethical hacker Ethan attempts to bypass the company ' s perimeter firewall. Instead of sending obvious malicious payloads, he encapsulates his traffic inside standard web requests on port 80, blending in with normal browsing activity. This method allows his packets to slip past perimeter defenses that are not performing deep application inspection.

Which firewall evasion technique is Ethan most likely using?

Options:

A.

HTTP Tunneling

B.

Source Routing

C.

Tiny Fragments

D.

DNS Tunneling

Buy Now
Questions 56

Which action would most effectively increase the security of a virtual-hosted web server?

Options:

A.

Implement LAMP architecture

B.

Change IP addresses regularly

C.

Regularly update and patch server software

D.

Move document root to another disk

Buy Now
Questions 57

During a penetration test at Cascade Biotech in Portland, Oregon, ethical hacker Olivia Harper installs a monitoring agent on a single test workstation inside the research subnet. The system records local events such as file access, configuration changes, and unauthorized process execution. Olivia explains to the security team that attackers often attempt to disable or evade this type of monitoring to avoid being detected at the host level.

Which security system is Olivia most likely demonstrating?

Options:

A.

Network-Based Firewall

B.

Host-Based Firewall

C.

Network-Based Intrusion Detection System

D.

Host-Based Intrusion Detection System

Buy Now
Questions 58

You are an ethical hacker at CyberShield Analytics, hired by Coastal Education Services, a tutoring platform in Miami, Florida, to test the security of their student portal. While probing the portal ' s course enrollment page, you input a crafted value into the course ID field, appending a condition that checks if the first character of the database name is a specific value. The application does not display error messages or additional data, but the page takes significantly longer to load when the condition evaluates to true, indicating a deliberate delay.

Based on the observed behavior, which SQL injection technique are you employing?

Options:

A.

Boolean exploitation

B.

Time-based blind SQL injection

C.

UNION SQL injection

D.

Error-based SQL injection

Buy Now
Questions 59

In downtown Chicago, Illinois, security analyst Mia Torres investigates a breach at Windy City Enterprises, a logistics firm running an Apache HTTP Server. The attacker exploited a known vulnerability in an outdated version, gaining unauthorized access to customer shipment data. Mia ' s analysis reveals the server lacked recent security updates, leaving it susceptible to remote code execution. Determined to prevent future incidents, Mia recommends a strategy to the IT team to address this exposure. Which approach should Mia recommend to secure Windy City Enterprises ' Apache HTTP Server against such vulnerabilities?

Options:

A.

Conduct an extensive risk assessment to determine which segments of the network are most vulnerable or at high risk that need to be patched first

B.

Use a dedicated machine as a web server

C.

Block all unnecessary ports, ICMP traffic, and unnecessary protocols such as NetBIOS and SMB

D.

Eliminate unnecessary files within the jar files

Buy Now
Questions 60

A web app does not limit API request rate in code. What attack is enabled?

Options:

A.

XSS

B.

Data scraping

C.

SQLi

D.

CSRF

Buy Now
Questions 61

While assessing a web server, a tester sends malformed HTTP requests and compares responses to identify the server type and version. What technique is being employed?

Options:

A.

Fingerprinting server identity using banner-grabbing techniques

B.

Sending phishing emails to extract web server login credentials

C.

Conducting session fixation using malformed cookie headers

D.

Injecting scripts into headers for persistent XSS attacks

Buy Now
Questions 62

During a cloud security assessment, you discover a former employee still has access to critical cloud resources months after leaving. Which practice would most effectively prevent this?

Options:

A.

Real-time traffic analysis

B.

Regular penetration testing

C.

Enforcing timely user de-provisioning

D.

Multi-cloud deployment

Buy Now
Questions 63

A national logistics company in Atlanta, Georgia maintains a segmented research VLAN inside its primary data center to study emerging supply-chain targeting tactics. The environment includes enterprise-grade server platforms hosting web applications, database services populated with curated operational data, and identity services configured to resemble production access structures.

During a red team engagement, external adversaries who gained initial access were observed interacting with systems inside this VLAN for several days. They escalated privileges, accessed structured data repositories, moved between internal hosts, and attempted to reach additional internal segments. All activity occurred within the controlled environment and was instrumented to capture attacker techniques in depth.

Which honeypot deployment model most accurately describes this research environment?

Options:

A.

Low-Interaction Honeypot

B.

High-Interaction Honeypot

C.

Pure Honeypot

D.

Medium-Interaction Honeypot

Buy Now
Questions 64

A penetration tester is attempting to gain access to a wireless network that is secured with WPA2 encryption. The tester successfully captures the WPA2 handshake but now needs to crack the pre-shared key. What is the most effective method to proceed?

Options:

A.

Perform a brute-force attack using common passwords against the captured handshake

B.

Use a dictionary attack against the captured WPA2 handshake to crack the key

C.

Execute a SQL injection attack on the router ' s login page

D.

Conduct a de-authentication attack to disconnect all clients from the network

Buy Now
Questions 65

A digital publishing firm in Charlotte, North Carolina, noticed suspicious probing activity against its public website. To proactively assess exposure, the security team initiated a focused scan of the company ' s HTTP servers. The chosen tool examined server headers, identified installed web server software through file signatures and favicon analysis, checked for outdated components, and searched for potentially dangerous files and misconfigurations. The scan also supported SSL connections and generated exportable reports in multiple formats for documentation. Which vulnerability assessment tool most closely aligns with the capabilities described?

Options:

A.

OpenVAS

B.

Nessus

C.

Qualys VM

D.

Nikto

Buy Now
Questions 66

A financial startup in Chicago hires an ethical hacker to evaluate its exposure on hidden networks. The client is particularly concerned that confidential administrative documents might be circulating on .onion sites. To remain passive, the hacker relies on advanced search filters to look for files with headers suggesting management-related content. Which of the following queries would best meet this objective?

Options:

A.

filetype:docx " credentials "

B.

filetype:pdf intitle: " secure login " site:onion

C.

filetype:pdf intitle: " admin access " site:onion

D.

filetype:docx intitle: " user accounts " site:onion

Buy Now
Questions 67

A fintech startup in Austin, Texas deploys several virtual machines within a public cloud environment. During an authorized cloud security assessment, a tester uploads a small script to one of the instances through a web application vulnerability.

After executing the script locally on the instance, the tester retrieves temporary access credentials associated with the instance’s assigned role. These credentials are then used to enumerate storage resources and access additional cloud services within the same account.

Which cloud attack technique best corresponds to this activity?

Options:

A.

IMDS Attack

B.

CPDoS Attack

C.

Cloud Snooper Attack

D.

Wrapping Attack

Buy Now
Questions 68

Which technique is commonly used by attackers to evade firewall detection?

Options:

A.

Spoofing source IP addresses to appear trusted

B.

Using open-source operating systems

C.

Using encrypted communication channels

D.

Social engineering employees

Buy Now
Questions 69

Which defense MOST disrupts ransomware spread?

Options:

A.

Backup

B.

IDS

C.

Network segmentation

D.

AV

Buy Now
Questions 70

Why explore the Deep Web during reconnaissance?

Options:

A.

Insider threats

B.

Physical attacker locations

C.

Learning hacking techniques

D.

Non-indexed company data exposure

Buy Now
Questions 71

An attacker performs DNS cache snooping using dig +norecurse. The DNS server returns NOERROR but no answer. What does this indicate?

Options:

A.

The domain has expired

B.

The record was cached and returned

C.

The DNS server failed

D.

No recent client from that network accessed the domain

Buy Now
Questions 72

During a security assessment in San Francisco, an ethical hacker is tasked with evaluating a network ' s resilience against stealthy reconnaissance attempts. The hacker needs to employ a scanning technique that leverages TCP flags to evade detection by intrusion detection systems, relying on the target ' s response behavior to infer port states without completing a full connection. Which approach best aligns with this strategy, ensuring minimal visibility during the assessment?

Options:

A.

TCP Connect Scan

B.

Network Scanning

C.

FIN Scan

D.

NULL Scan

Buy Now
Questions 73

A threat intelligence review at a manufacturing firm in Pittsburgh, Pennsylvania, revealed repeated external queries targeting the organization’s public name servers. Although no intrusion occurred, analysts observed that the queries appeared designed to systematically map internal naming conventions and infrastructure patterns.

The security team determined that the issue was not excessive traffic volume but rather the exposure of internal namespace details through responses handled by the same server used for both internal and external resolution. To reduce the risk of disclosing sensitive structural information to outside systems, the team redesigned their DNS deployment.

Which countermeasure best addresses the risk described in this scenario?

Options:

A.

Randomizing DNS Source Ports and Query Identifiers

B.

Implementing a Split DNS Architecture

C.

Implementing Rate Limiting on DNS Servers

D.

Enabling DNS Logging and Anomaly Detection

Buy Now
Questions 74

A future-focused security audit discusses risks where attackers collect encrypted data now, anticipating that they can decrypt it later with quantum computers. What is this threat known as?

Options:

A.

Saving data today for future quantum decryption

B.

Replaying intercepted quantum messages

C.

Breaking RSA using quantum algorithms

D.

Flipping qubit values to corrupt the output

Buy Now
Questions 75

A corporation migrates to a public cloud service, and the security team identifies a critical vulnerability in the cloud provider’s API. What is the most likely threat arising from this flaw?

Options:

A.

Distributed Denial-of-Service (DDoS) attacks on cloud servers

B.

Unauthorized access to cloud resources

C.

Physical security compromise of data centers

D.

Compromise of encrypted data at rest

Buy Now
Questions 76

A Java app uses outdated libraries with known CVEs. What risk does this create?

Options:

A.

CSRF

B.

DoS

C.

Supply chain risk

D.

XSS

Buy Now
Questions 77

Scenario:

    Victim opens the attacker ' s website.

    Attacker sets up a website containing interesting and attractive content such as “Do you want to make $1000 in a day?”.

    Victim clicks the attractive content URL.

    The attacker creates a transparent iframe in front of the URL that the victim attempts to click. The victim believes he/she is clicking the “Do you want to make $1000 in a day?” link, but is actually clicking content or a URL hidden inside the transparent iframe controlled by the attacker.

What is the name of the attack mentioned in the scenario?

Options:

A.

HTTP Parameter Pollution

B.

Clickjacking Attack

C.

HTML Injection

D.

Session Fixation

Buy Now
Questions 78

During an internal red team engagement at a financial services firm, an ethical hacker named Anika tests persistence mechanisms after successfully gaining access to a junior employee’s workstation. As part of her assessment, she deploys a lightweight binary into a low-visibility system folder. To maintain long-term access, she configures it to launch automatically on every system reboot without requiring user interaction.

Which of the following techniques has most likely been used to ensure the persistence of the attacker’s payload?

Options:

A.

Installing a keylogger

B.

Creating scheduled tasks

C.

Modifying file attributes

D.

Injecting into the startup folder

Buy Now
Questions 79

A cybersecurity team at a cloud infrastructure provider in San Jose, California, initiated a structured vulnerability evaluation across its production environment. The scanning process began by identifying communication protocols active on each host. Once the protocols were cataloged, the platform analyzed which services were associated with those ports and dynamically selected only the vulnerability tests relevant to those detected services. The scanning logic adjusted automatically based on discoveries made during execution. Which vulnerability assessment approach is illustrated in this scenario?

Options:

A.

Inference-Based Assessment

B.

Service-Based Solutions

C.

Product-Based Solutions

D.

Tree-Based Assessment

Buy Now
Questions 80

During a red team assessment, an ethical hacker must map a large multinational enterprise’s external attack surface. Due to strict rules of engagement, no active scans may be used. The goal is to identify publicly visible subdomains to uncover forgotten or misconfigured services. Which method should the ethical hacker use to passively enumerate the organization’s subdomains?

Options:

A.

Leverage tools like Netcraft or DNSdumpster to gather subdomain information

B.

Attempt to guess admin credentials and access the company’s DNS portal

C.

Conduct a brute-force DNS subdomain enumeration

D.

Request internal DNS records using spoofed credentials

Buy Now
Questions 81

A penetration tester is evaluating the security of a mobile application and discovers that it lacks proper input validation. The tester suspects that the application is vulnerable to a malicious code injection attack. What is the most effective way to confirm and exploit this vulnerability?

Options:

A.

Perform a brute-force attack on the application ' s login page to guess weak credentials

B.

Inject a malicious JavaScript code into the input fields and observe the application ' s behavior

C.

Use directory traversal to access sensitive files stored in the application ' s internal storage

D.

Execute a dictionary attack on the mobile app ' s encryption algorithm

Buy Now
Questions 82

A digital publishing firm in Charlotte, North Carolina, noticed suspicious probing activity against its public website. To proactively assess exposure, the security team initiated a focused scan of the company’s HTTP servers.

The chosen tool examined server headers, identified installed web server software through file signatures and favicon analysis, checked for outdated components, and searched for potentially dangerous files and misconfigurations. The scan also supported SSL connections and generated exportable reports in multiple formats for documentation.

Which vulnerability assessment tool most closely aligns with the capabilities described?

Options:

A.

Nessus

B.

OpenVAS

C.

Qualys VM

D.

Nikto

Buy Now
Questions 83

In Miami, Florida, a luxury resort deploys smart climate control units in guest rooms. During a red team engagement, ethical hacker Sophia Bennett discovers that once a compromised device is restarted, it continues running altered instructions without any integrity check before the operating system loads. This allows tampered firmware to run as if it were legitimate. Which secure development practice would most directly prevent this weakness?

Options:

A.

Allow code signing

B.

Secure firmware or software updates

C.

Utilize secure communication protocols

D.

Ensure secure boot

Buy Now
Questions 84

A penetration tester discovers that a web application uses unsanitized user input to dynamically generate file paths. The tester identifies that the application is vulnerable to Remote File Inclusion (RFI). Which action should the tester take to exploit this vulnerability?

Options:

A.

Inject a SQL query into the input field to perform SQL injection

B.

Use directory traversal to access sensitive system files on the server

C.

Provide a URL pointing to a remote malicious script to include it in the web application

D.

Upload a malicious shell to the server and execute commands remotely

Buy Now
Questions 85

What does ATT & CK tactic “Persistence” mean?

Options:

A.

Initial exploit

B.

Data theft

C.

Cleanup

D.

Long-term access

Buy Now
Questions 86

During a quarterly security audit at a multinational logistics firm, network security manager Priya initiates a scheduled vulnerability assessment across the organization’s hybrid infrastructure. Her team begins by identifying all active IT assets and assigning them risk scores based on business criticality. The following week, they deploy scanning tools to detect security weaknesses, validate the findings manually, and classify vulnerabilities based on severity and exploitability. After coordinating with the IT operations team, they develop a structured timeline to address the confirmed vulnerabilities, giving priority to high-risk findings affecting mission-critical systems. Finally, after the vulnerabilities are addressed, Priya ensures the affected systems are rescanned to confirm resolution and generates a compliance report for executive review.

Based on this workflow, which phase of the Vulnerability-Management Life Cycle is Priya executing?

Options:

A.

Remediation

B.

Vulnerability Analysis

C.

Verification

D.

Risk Assessment

Buy Now
Questions 87

During LDAP-based enumeration, you observe that some critical information cannot be retrieved. What is the most likely reason?

Options:

A.

LDAP directory data is protected by Access Control Lists (ACLs)

B.

LDAP is running on a non-standard port

C.

Hosts are in a different subnet

D.

Network congestion is causing dropped requests

Buy Now
Questions 88

Michael, an ethical hacker at a San Francisco-based fintech startup, is conducting a security assessment of the company ' s cloud-based payment processing platform, which uses Kubernetes, an open-source system for automating the deployment, scaling, and management of containerized applications. During his review, Michael identified a feature that automatically replaces and reschedules containers from failed nodes to ensure high availability of services a critical requirement for uninterrupted payment operations. Based on his study of cloud container technology principles, which Kubernetes feature should Michael highlight as responsible for this capability?

Options:

A.

Container vulnerabilities

B.

Kube-controller-manager

C.

Container orchestration

D.

Self-healing

Buy Now
Questions 89

An organization is performing a vulnerability assessment for mitigating threats. James, a pen tester, scanned the organization by building an inventory of the protocols found on the organization ' s machines to detect which ports are attached to services such as an email server, a web server or a database server. After identifying the services, he selected the vulnerabilities on each machine and started executing only the relevant tests. What is the type of vulnerability assessment solution that James employed in the above scenario?

Options:

A.

Tree-based assessment

B.

Inference-based assessment

C.

Product-based solutions

D.

Service-based solutions

Buy Now
Questions 90

A zero-day vulnerability is actively exploited in a critical web server, but no vendor patch is available. What should be the FIRST step to manage this risk?

Options:

A.

Shut down the server

B.

Apply a virtual patch using a WAF

C.

Perform regular backups and prepare IR plans

D.

Monitor for suspicious activity

Buy Now
Questions 91

A red team operator wants to obtain credentials from a Windows machine without touching LSASS memory due to security controls and Credential Guard. They use SSPI to generate NetNTLM responses in the logged-in user context and collect those responses for offline cracking. Which attack technique is being used?

Options:

A.

Internal Monologue attack technique executed through OS authentication protocol manipulations

B.

Replay attack attempt by reusing captured authentication traffic sequences

C.

Hash injection approach using credential hashes for authentication purposes

D.

Pass-the-ticket attack method involving forged tickets for network access

Buy Now
Questions 92

A Nessus scan reveals a critical SSH vulnerability (CVSS 9.0) allowing potential remote code execution on a Linux server. What action should be immediately prioritized?

Options:

A.

Redirect SSH traffic to another server

B.

Treat the finding as a possible false positive

C.

Immediately apply vendor patches and reboot during scheduled downtime

D.

Temporarily isolate the affected server, conduct a forensic audit, and then patch

Buy Now
Questions 93

What is RID cycling?

Options:

A.

SQLi

B.

DoS

C.

DNS attack

D.

SMB enumeration

Buy Now
Questions 94

Attackers exfiltrate data using steganography embedded in images. What is the best countermeasure?

Options:

A.

Block all outbound traffic

B.

Deploy IPS

C.

Monitor outbound traffic for anomalies

D.

Use steganalysis tools

Buy Now
Questions 95

During a penetration test at an e-commerce company in Boston, ethical hacker Sophia launches an HTTP flood against the checkout page of the site. The simulated traffic consists of repeated GET and POST requests designed to overload application-layer resources. In response, the IT team activates a security tool that inspects and filters malicious HTTP traffic while allowing legitimate customer requests to pass, ensuring service continuity during the exercise.

Which DoS/DDoS protection tool is most likely being used in this scenario?

Options:

A.

Load Balancer

B.

Web Application Firewall

C.

Intrusion Prevention System

D.

Firewall

Buy Now
Questions 96

MidWest BioAnalytics, a pharmaceutical research firm in Columbus, Ohio, authorizes a controlled adversarial simulation to assess the resilience of its internal web-based inventory management platform. During the exercise, administrators observe that several active client connections briefly lose synchronization, and unexpected command patterns appear within system transaction logs.

The irregularities are subtle and become apparent only after reviewing stored network captures. Executive leadership requests a solution that can maintain ongoing visibility into network exchanges and highlight activity that diverges from typical communication behavior across the organization’s infrastructure.

Which approach best satisfies this requirement?

Options:

Buy Now
Questions 97

An attacker examines differences in ciphertext outputs resulting from small changes in the input to deduce key patterns in a symmetric algorithm. What method is being employed?

Options:

A.

Differential cryptanalysis on input-output differences

B.

Timing attack to infer key bits based on processing time

C.

Brute-force attack to try every possible key

D.

Chosen-ciphertext attack to decrypt arbitrary ciphertexts

Buy Now
Questions 98

You are an ethical hacker at Apex Cyber Defense contracted to audit Coastal Healthcare ' s wireless estate in Miami, Florida. During a network sweep, your logs show a previously unknown access point physically connected to the hospital ' s internal switch and issuing IP addresses to devices on the corporate VLAN - it was neither provisioned by IT nor listed in the asset inventory. The device is relaying internal traffic and providing remote connectivity back to an external host. Based on the observed behavior, which wireless threat has the attacker most likely introduced?

Options:

A.

Misconfigured AP

B.

Rogue AP

C.

Honeypot AP

D.

Evil Twin AP

Buy Now
Questions 99

Which tool dumps Windows hashes?

Options:

A.

Mimikatz

B.

John

C.

Hydra

D.

Aircrack-ng

Buy Now
Questions 100

A health-tech startup in Raleigh, North Carolina operates a Kubernetes cluster supporting patient-facing microservices. During an authorized security assessment, a certified ethical hacker reviews internal cluster activity records available to operations personnel.

While analyzing these records, the tester notices that authentication artifacts associated with service accounts are recorded within system-generated output. The tester determines that if an individual obtained access to these records, they could reuse the captured authentication material to interact with cluster resources under the same privileges.

Which Kubernetes vulnerability best corresponds to this condition?

Options:

A.

No Certificate Revocation

B.

Unauthenticated HTTPS Connections

C.

No Non-repudiation

D.

Exposed Bearer Tokens in Logs

Buy Now
Questions 101

During a cybersecurity awareness drill at Quantum Analytics in San Francisco, California, the ethical hacking team tests the company’s defenses against social media-based threats. Nadia creates a fake LinkedIn profile posing as a senior HR manager from Quantum Analytics, using a stolen company logo and publicly available employee details. Nadia sends connection requests to several employees, including data analyst Priya Sharma, inviting them to join a private group called Quantum Analytics Innovation Hub. The group’s page prompts members to share their work email and department role for exclusive project updates.

What social engineering threat to corporate networks is Nadia’s exercise primarily simulating?

Options:

A.

Loss of Productivity

B.

Involuntary Data Leakage

C.

Spam and Phishing

D.

Network Vulnerability Exploitation

Buy Now
Questions 102

During a penetration test for a U.S.-based retail company, John gains access to a secondary server that responds unusually to structured queries. By sending a specially crafted request, he receives a full list of subdomains, MX records, and aliases belonging to the target organization. The response exposes sensitive internal mappings that could be leveraged for further attacks.

Which tool was MOST likely used to perform this enumeration?

Options:

A.

smtp-user-enum.pl -u user -t host

B.

ldapsearch -h -x

C.

nbtstat -A

D.

dig @server axfr

Buy Now
Questions 103

The company ABC recently contracts a new accountant. The accountant will be working with the financial statements. Those financial statements need to be approved by the CFO and then they will be sent to the accountant but the CFO is worried because he wants to be sure that the information sent to the accountant was not modified once he approved it. Which of the following options can be useful to ensure the integrity of the data?

Options:

A.

The document can be sent to the accountant using an exclusive USB for that document

B.

The CFO can use an excel file with a password

C.

The financial statements can be sent twice, one by email and the other delivered in USB and the accountant can compare both to be sure is the same document

D.

The CFO can use a hash algorithm in the document once he approved the financial statements

Buy Now
Questions 104

A large-scale inventory management platform implements a pattern-based inspection layer to prevent malicious database interactions. During authorized testing, repeated payloads containing recognizable structural sequences are denied before reaching the application logic. While analyzing the inspection behavior, the tester observes that blocked requests share a consistent textual arrangement of components. The tester then alters how those components are presented within the payload while preserving the intended database operation. After this adjustment, the request bypasses the inspection layer and executes successfully, producing results consistent with earlier attempts. Determine the evasion method that best accounts for this behavior.

Options:

A.

Transforming literal parameters using alternate character encoding schemes

B.

Introducing inline comment delimiters to fragment instruction sequences

C.

Modifying spacing and delimiter placement to disrupt detection patterns

D.

Constructing the payload dynamically through segmented string operations

Buy Now
Questions 105

A system’s audit logs are not centralized. Which attack phase is hardest to detect?

Options:

A.

Initial access

B.

Lateral movement

C.

Delivery

D.

Recon

Buy Now
Questions 106

A penetration tester detects malware on a system that secretly records all keystrokes entered by the user. What type of malware is this?

Options:

A.

Rootkit

B.

Ransomware

C.

Keylogger

D.

Worm

Buy Now
Questions 107

Null sessions are un-authenticated connections (not using a username or password.) to an NT or 2000 system. Which TCP and UDP ports must you filter to check null sessions on your network?

Options:

A.

139 and 443

B.

137 and 139

C.

137 and 443

D.

139 and 445

Buy Now
Questions 108

During an internal red team simulation at a global insurance provider, Joe, a senior SOC analyst, is assigned to verify a surge in anomalous SYN packets targeting the perimeter firewall. The result of spoofed traffic. The organization has ruled out DNS poisoning and malformed header issues. Joe must now analyze packet behavior in real-time to determine authenticity without relying on host-level authentication. To identify spoofed traffic using techniques aligned with best practices taught in the organization, which approach should Joe take?

Options:

Buy Now
Questions 109

Bob, a seasoned security analyst at XYZ Aerospace, was investigating a series of misaligned transaction timestamps coming from one of the data archival systems. Suspecting that the server might be syncing with an unstable time source, Bob decided to extract a detailed list of all peer servers associated with the target machine, including metrics such as delay, offset, and jitter, to determine whether the issue stemmed from time synchronization drift.

Which of the following commands should Bob use to retrieve this information?

Options:

A.

ntptrace [-n] [-m maxhosts] [servername/IP_address]

B.

ntpq -p [host]

C.

ntpdc [-n] [-s] [-c command] [host] [...]

D.

ntpq [-n] [-l] [-c command] [host] [...]

Buy Now
Questions 110

During an internal security review at a transportation authority in Columbus, Ohio, a red team analyst positioned himself on the same local network segment as several domain-joined administrative workstations. Over several hours, he recorded authentication exchanges as legitimate users performed their routine logon activities across the network.

He later analyzed the captured traffic to recover valid credentials associated with privileged accounts. Based on the attacker’s actions, how should this password attack be classified?

Options:

A.

Passive Online Attack

B.

Non-Electronic Attack

C.

Active Online Attack

D.

Offline Attack

Buy Now
Questions 111

Malware remains dormant until triggered and changes its code with each infection. What malware type is responsible, and how should it be mitigated?

Options:

A.

Adware

B.

Polymorphic malware

C.

Worm

D.

Rootkit

Buy Now
Questions 112

Which patch management strategy is most effective?

Options:

A.

External-only patches

B.

Automated patch management with monitoring

C.

Manual patching on live servers

D.

Applying all patches regardless of source

Buy Now
Questions 113

Which algorithm best protects encrypted traffic patterns?

Options:

A.

PSA

B.

AES

C.

DES

D.

HMAC

Buy Now
Questions 114

You discover an unpatched Android permission-handling vulnerability on a device with fully updated antivirus software. What is the most effective exploitation approach that avoids antivirus detection?

Options:

A.

Develop a custom exploit using obfuscation techniques

B.

Use Metasploit to deploy a known payload

C.

Install a rootkit to manipulate the device

D.

Use SMS phishing to trick the user

Buy Now
Questions 115

Justin Fletcher is conducting an authorized assessment for EverSafe Technologies in Las Vegas. During the active reconnaissance phase, he interacts directly with the organization ' s infrastructure to retrieve structural details about how its public-facing systems are logically organized. His activity generates entries within the target environment ' s monitoring systems. Which type of active footprinting technique is Justin performing?

Options:

A.

Network/port scanning

B.

DNS interrogation

C.

Social engineering

D.

User and service enumeration

Buy Now
Questions 116

During a code review at a defense technology contractor in Virginia, penetration tester Lucas identifies that a newly deployed payroll application encrypts sensitive employee data using a weak custom algorithm. In addition, its session validation logic allows certain requests to bypass access controls altogether. These oversights are traced back to flawed system logic and poor encryption design decisions made during the development phase.

Which vulnerability category BEST describes the issue Lucas discovered?

Options:

A.

Design Flaws

B.

Application Flaws

C.

Misconfigurations/Weak Configurations

D.

Poor Patch Management

Buy Now
Questions 117

A company’s customer data in a cloud environment has been exposed due to an unknown vulnerability. Which type of issue most likely led to the incident?

Options:

A.

Side-channel attack on the hypervisor

B.

Denial-of-Service (DoS) attack on cloud servers

C.

Brute-force attack on user passwords

D.

Exploitation of misconfigured security groups

Buy Now
Questions 118

A regional healthcare provider in Minneapolis, Minnesota began experiencing intermittent connectivity issues across a newly activated access-layer network segment. Shortly after a contractor connected a diagnostic device to an unused switch port, multiple employee workstations failed to receive valid network configurations. System logs showed repeated address negotiation attempts from affected hosts, while monitoring tools recorded a rapid sequence of configuration requests originating from a single switch interface. Within minutes, additional clients on the segment encountered similar assignment failures. From a sniffing standpoint, which technique most accurately explains this behavior?

Options:

A.

IRDP Spoofing

B.

DHCP Starvation

C.

Rogue DHCP Server

D.

MAC Spoofing

Buy Now
Questions 119

During a red team assessment of a multinational financial firm, you are tasked with identifying key personnel across various departments and correlating their digital footprints to evaluate exposure risk. Your objective includes mapping user aliases across platforms, identifying geotagged media, and pinpointing potential insider threats based on social posting behavior.

The team has shortlisted multiple tools for the task. Considering the technical capabilities and limitations described in the approved reconnaissance toolkit, which tool provides cross-platform username correlation by scanning hundreds of social networking sites, but does not natively support geolocation tracking or visualizing identity relationships?

Options:

A.

Maltego

B.

Creepy

C.

Sherlock

D.

Social Searcher

Buy Now
Questions 120

A multinational payment processor conducts a long-term risk assessment to evaluate the durability of its encrypted archives against future computational advances. Internal analysts warn that if large-scale quantum computers become operational, currently deployed public-key schemes protecting stored customer data may become vulnerable to rapid key recovery.

To maintain long-term confidentiality of archived financial records, the security architecture team must implement a defensive strategy that directly addresses cryptographic resilience rather than relying solely on network segmentation or development policy controls.

Determine the most appropriate mitigation to protect stored data against quantum-enabled decryption capabilities.

Options:

A.

Use quantum-specific firewalls to protect quantum communication channels

B.

Break data into fragments and distribute it across multiple locations

C.

Encrypt stored data with quantum-resistant algorithms

D.

Include quantum-resistance checks in SDLC and code review processes

Buy Now
Questions 121

During a security assessment for an e-commerce company in Boston, Massachusetts, your team conducts a reconnaissance phase to identify potential entry points into the organization ' s communication infrastructure. You focus on gathering details about the systems responsible for handling incoming email traffic, avoiding active network probing, and relying on passive DNS data collection. Given this objective, which DNS record type should you query to extract information about the target’s mail server configuration?

Options:

A.

SOA

B.

TXT

C.

NS

D.

MX

Buy Now
Questions 122

Which wireless attack captures handshake?

Options:

A.

Deauth

B.

Jamming

C.

Spoofing

D.

Replay

Buy Now
Questions 123

You are part of a red team hired to assess the cybersecurity posture of a large retail chain headquartered in New York. The client wants to know whether their defenses can anticipate future attack patterns before they occur. To meet this objective, your team deploys an AI-enabled platform that analyzes previous breaches and anomaly data to forecast potential attack vectors. Which benefit of AI-driven ethical hacking is most critical in this case?

Options:

A.

Scalability

B.

Predictive analysis

C.

Enhanced reporting

D.

Simulation and testing

Buy Now
Questions 124

During a black-box security assessment of a large enterprise network, the penetration tester scans the internal environment and identifies that TCP port 389 is open on a domain controller. Upon further investigation, the tester runs the ldapsearch utility without providing any authentication credentials and successfully retrieves a list of usernames, email addresses, and departmental affiliations from the LDAP directory. The tester notes that this sensitive information was disclosed without triggering any access control mechanisms or requiring login credentials. Based on this behavior, what type of LDAP access mechanism is most likely being exploited?

Options:

A.

LDAP over SSL (LDAPS)

B.

Authenticated LDAP with Kerberos

C.

Anonymous LDAP binding

D.

LDAP via RADIUS relay

Buy Now
Questions 125

Attackers compromise a legitimate email account and send convincing internal messages requesting urgent actions. What attack is this?

Options:

A.

Spoofing

B.

Phishing

C.

Spear phishing

D.

Business Email Compromise

Buy Now
Questions 126

A security analyst is investigating a network compromise where malware communicates externally using common protocols such as HTTP and DNS. The malware operates stealthily, modifies system components, and avoids writing payloads to disk. What is the most effective action to detect and disrupt this type of malware communication?

Options:

A.

Blocking commonly known malware ports such as 6667 and 12345.

B.

Relying solely on frequent antivirus signature updates.

C.

Using behavioral analytics to monitor abnormal outbound traffic and application behavior.

D.

Blocking all unencrypted HTTP traffic at the proxy level.

Buy Now
Questions 127

During a security audit, a penetration tester observes abnormal redirection of all traffic for a financial institution’s primary domain. Users are being redirected to a phishing clone of the website. Investigation shows the authoritative DNS server was compromised and its zone records modified to point to the attacker’s server. This demonstrates total manipulation of domain-level resolution, not cache poisoning or client-side attacks. Which technique is being used in this scenario?

Options:

A.

Establish covert communication using DNS tunneling over standard DNS queries

B.

Perform DNS rebinding to manipulate browser-origin interactions

C.

Carry out DNS server hijacking by tampering with the legitimate name-resolution infrastructure

D.

Initiate a DNS amplification attack using recursive servers

Buy Now
Questions 128

A financial technology firm in Atlanta, Georgia launches an internal investigation after multiple employees report that a popular messaging application on their Android devices has begun displaying excessive advertisements and behaving unpredictably. Security analysts discover that users had installed a utility application from a third-party marketplace weeks earlier. Further examination shows that this application silently replaced certain legitimate apps already present on the device. The compromised applications were then used to generate large volumes of advertisements and collect user data for external transmission. Based on the observed behavior, what malware is most consistent with this incident?

Options:

A.

Mamo

B.

Pegasus

C.

Agent Smith

D.

GoldPickaxe

Buy Now
Questions 129

A defense contractor in Arlington, Virginia, initiated an internal awareness exercise to test employee susceptibility to human-based manipulation. During the assessment, an individual posing as an external recruitment consultant began casually engaging several engineers at a nearby industry networking event. Over multiple conversations, the individual gradually steered discussions toward current research initiatives, development timelines, and internal project code names. No direct requests for credentials or system access were made. Instead, the information was obtained incrementally through carefully crafted questions embedded within informal dialogue. Which social engineering technique is most accurately demonstrated in this scenario?

Options:

A.

Quid Pro Quo

B.

Baiting

C.

Elicitation

D.

Honey Trap

Buy Now
Questions 130

A vulnerability has a score of 9.8. What does this rating help explain?

Options:

A.

It quantifies impact and exploitability to prioritize remediation

B.

It measures authentication errors

C.

It generates exploit payloads

D.

It classifies attacks qualitatively

Buy Now
Questions 131

An ethical hacker needs to enumerate user accounts and shared resources within a company ' s internal network without raising any security alerts. The network consists of Windows servers running default configurations. Which method should the hacker use to gather this information covertly?

Options:

A.

Deploy a packet sniffer to capture and analyze network traffic

B.

Perform a DNS zone transfer to obtain internal domain details

C.

Exploit null sessions to connect anonymously to the IPC$ share

D.

Utilize SNMP queries to extract user information from network devices

Buy Now
Questions 132

A penetration tester is tasked with mapping an organization ' s network while avoiding detection by sophisticated intrusion detection systems (IDS). The organization employs advanced IDS capable of recognizing common scanning patterns. Which scanning technique should the tester use to effectively discover live hosts and open ports without triggering the IDS?

Options:

A.

Execute a FIN scan by sending TCP packets with the FIN flag set

B.

Use an Idle scan leveraging a third-party zombie host

C.

Conduct a TCP Connect scan using randomized port sequences

D.

Perform an ICMP Echo scan to ping all network devices

Buy Now
Questions 133

During a red team assessment at a banking client in Chicago, ethical hacker David gains access to the internal LAN. He sets up a test machine and injects crafted messages into the network. Soon, all traffic between a finance workstation and the authentication server is silently routed through his system without changing switch configurations. He observes usernames and passwords passing through his interface, even though no proxy or VPN is in use.

Which sniffing technique did David most likely use?

Options:

A.

Switch Port Stealing

B.

ARP Spoofing

C.

STP Attack

D.

IRDP Spoofing

Buy Now
Questions 134

This type of security test might seek to target the CEO ' s laptop or the organization ' s backup tapes to extract critical information, usernames, and passwords.

Options:

A.

Stolen equipment

B.

Insider attack

C.

Physical entry

D.

Outsider attack

Buy Now
Questions 135

Customer data in a cloud environment was exposed due to an unknown vulnerability. What is the most likely cause?

Options:

A.

Misconfigured security groups

B.

Brute force attack

C.

DoS attack

D.

Side-channel attack

Buy Now
Questions 136

A serverless application was compromised through an insecure third-party API used by a function. What is the most effective countermeasure?

Options:

A.

Deploy a cloud-native security platform

B.

Enforce function-level least privilege permissions

C.

Use a CASB for third-party services

D.

Regularly update serverless functions

Buy Now
Questions 137

You are instructed to perform a TCP NULL scan. In the context of TCP NULL scanning, which response indicates that a port on the target system is closed?

Options:

A.

ICMP error message

B.

TCP SYN/ACK packet

C.

No response

D.

TCP RST packet

Buy Now
Questions 138

In Raleigh, North Carolina, ethical hacker Ethan Brooks is conducting a penetration test for Triangle FinTech, a rising financial startup. During his assessment, Ethan aims to bypass the company’s network security to access a restricted internal server. He crafts network packets to disguise his traffic as legitimate, forcing some TCP header information into subsequent packets to evade the firewall’s checks. His aim is to demonstrate how an attacker could slip past the security perimeter undetected, alerting the IT team to potential weaknesses.

Which technique is Ethan employing to bypass Triangle FinTech’s firewall during his penetration test?

Options:

A.

Source Routing

B.

Tiny Fragments

C.

HTTP Tunneling

D.

IP Address Spoofing

Buy Now
Questions 139

Which advanced mobile hacking technique is the hardest to detect and mitigate in a healthcare environment?

Options:

A.

Zero-day mobile exploits

B.

App spoofing

C.

Bluejacking

D.

Side-channel attacks

Buy Now
Questions 140

During a quarterly vulnerability management cycle at a multinational logistics firm, Priya ' s team has already applied patches and fixes to address confirmed vulnerabilities. Now, she directs the analysts to run follow-up scans and review the attack surface to confirm that the applied remedies have effectively eliminated the risks. Only after this step will she prepare a compliance report for the executive board.

Which phase of the Vulnerability-Management Life Cycle is Priya executing?

Options:

A.

Monitoring

B.

Verification

C.

Risk Assessment

D.

Remediation

Buy Now
Questions 141

A penetration tester intercepts HTTP requests between a user and a vulnerable web server. The tester observes that the session ID is embedded in the URL, and the web application does not regenerate the session upon login. Which session hijacking technique is most likely to succeed in this scenario?

Options:

A.

Injecting JavaScript to steal session cookies via cross-site scripting

B.

DNS cache poisoning to redirect users to fake sites

C.

Session fixation by pre-setting the token in a URL

D.

Cross-site request forgery exploiting user trust in websites

Buy Now
Questions 142

Ethan works as a penetration tester at CyberGuard Solutions, a cybersecurity consulting firm in Raleigh, North Carolina. During an authorized security assessment of a regional insurance company, Ethan was provided with a set of password hashes to evaluate the strength of employee-generated credentials.

To test resistance against word-based password creation patterns, Ethan supplied a single custom wordlist containing common organizational terms and department names into his cracking tool. The tool automatically generated password candidates by linking multiple entries from that same list in varying combinations before attempting to match them against the hashes.

This approach proved highly effective against passwords formed by concatenating familiar words.

Which of the following password-cracking techniques is Ethan using?

Options:

A.

PRINCE Attack

B.

Combinator Attack

C.

Markov-Chain Attack

D.

Fingerprint Attack

Buy Now
Questions 143

During a red team exercise at a financial institution in New York, penetration tester Bob investigates irregularities in time synchronization across critical servers. While probing one server, he decides to use a diagnostic command that allows him to directly interact with the NTP daemon and query its internal state. This command enables him to perform monitoring and retrieve statistics, but it is primarily focused on controlling and checking the operation of the NTP service rather than listing peers with delay, offset, and jitter values.

Which command should Bob use to accomplish this?

Options:

A.

ntpq -p [host]

B.

ntptrace [-m maxhosts] [servername/IP_address]

C.

ntpdc [-ilnps] [-c command] [host]

D.

ntpq [-inp] [-c command] [host]...

Buy Now
Questions 144

As an Ethical Hacker, you have been asked to test an application’s vulnerability to SQL injection. During testing, you discover an entry field that appears susceptible. However, the backend database is unknown, and regular SQL injection techniques have failed to produce useful information. Which advanced SQL injection technique should you apply next?

Options:

A.

Content-Based Blind SQL Injection

B.

Time-Based Blind SQL Injection

C.

Union-Based SQL Injection

D.

Error-Based SQL Injection

Buy Now
Questions 145

Emily, a security engineer at a Chicago-based healthcare provider, is auditing the organization ' s new cloud environment after a breach where sensitive patient records were exposed. Her investigation reveals that the root cause was the lack of encryption during data transmission between end-user devices and cloud storage. To mitigate this issue and align with HIPAA compliance requirements, Emily must prioritize addressing the correct cloud computing security risk.

Which cloud computing threat should Emily address to mitigate the risk of sensitive data being exposed during transmission?

Options:

A.

Multi-Tenancy and Physical Security

B.

Incidence Analysis and Forensic Support

C.

Service and Data Integration

D.

Infrastructure Security

Buy Now
Questions 146

During a social engineering simulation at BrightPath Consulting in Denver, ethical hacker Liam emails employees a message that appears to come from the company’s security team. The email urgently warns that “all systems will shut down within 24 hours” unless staff download a patch from a provided link. The message is deliberately false and contains no actual malware, but it causes confusion and prompts several employees to call IT for clarification.

Which social engineering technique is Liam demonstrating?

Options:

Buy Now
Questions 147

As part of an internal security assessment at First Union Bank in Chicago, Rachel Morgan is evaluating whether unauthorized packet capture tools are operating within the loan processing segment of the network. During traffic observation, she notices behavior suggesting that a particular host may be processing frames beyond its intended destination scope.

To verify whether the network interface is accepting traffic not explicitly addressed to it, Rachel decides to transmit specially crafted packets designed to provoke an abnormal response from a system operating in promiscuous mode.

Which detection technique should Rachel use to confirm the presence of a sniffer?

Options:

A.

DNS method by monitoring reverse DNS lookup traffic

B.

Sniffer detection using an NSE script to check for promiscuous mode

C.

Ping method by sending packets with an incorrect MAC address

D.

ARP method by sending non-broadcast ARP requests

Buy Now
Questions 148

During a red team exercise at Horizon Financial Services in Chicago, ethical hacker Clara crafts an email designed to trick the company’s CEO. The message, disguised as an urgent memo from the legal department, warns of a pending lawsuit and includes a link to a fake internal portal requesting the executive’s credentials. Unlike generic phishing, this attack is tailored specifically toward a high-ranking individual with decision-making authority.

Options:

A.

Whaling

B.

Spear Phishing

C.

Clone Phishing

D.

Consent Phishing

Buy Now
Questions 149

An Android device has an unpatched permission-handling flaw and updated antivirus. What is the most effective undetected exploitation approach?

Options:

A.

SMS phishing

B.

Rootkit installation

C.

Custom exploit with obfuscation

D.

Metasploit payload

Buy Now
Questions 150

As a Certified Ethical Hacker, you are assessing a corporation’s serverless cloud architecture. The organization experienced an attack where a user manipulated a function-as-a-service (FaaS) component to execute malicious commands. The root cause was traced to an insecure third-party API used within a serverless function. What is the most effective countermeasure to strengthen the security posture?

Options:

A.

Regularly updating serverless functions to reduce vulnerabilities.

B.

Using a Cloud Access Security Broker (CASB) to enforce third-party policies.

C.

Deploying a Cloud-Native Security Platform (CNSP) for full cloud protection.

D.

Implementing function-level permissions and enforcing the principle of least privilege.

Buy Now
Questions 151

A university ' s online registration system is disrupted by a combined DNS reflection and HTTP Slowloris DDoS attack. Standard firewalls cannot mitigate the attack without blocking legitimate users. What is the best mitigation strategy?

Options:

A.

Increase server bandwidth and implement basic rate limiting

B.

Deploy an Intrusion Prevention System (IPS) with deep packet inspection

C.

Configure the firewall to block all incoming DNS and HTTP requests

D.

Utilize a hybrid DDoS mitigation service that offers both on-premises and cloud-based protection

Buy Now
Questions 152

During a quarterly vulnerability management review at RedCore Motors, Priya finalizes the deployment of Nessus Essentials across the company ' s IT infrastructure. The solution is selected for its ability to support diverse technologies including operating systems, databases, web servers, and virtual environments. While preparing a training session for junior analysts, Priya asks them to identify a capability that Nessus Essentials is specifically designed to provide as part of its scanning process.

Options:

A.

Patch management for operating systems and third-party applications

B.

Checks for outdated versions of over 1,250 servers

C.

Agent-based detection

D.

High-speed asset discovery

Buy Now
Questions 153

Systems are communicating with unknown external entities, raising concerns about exfiltration or malware. Which strategy most directly identifies and mitigates the risk?

Options:

A.

Aggressive zero-trust shutdown

B.

Deep forensic analysis

C.

Behavioral analytics profiling normal interactions

D.

Employee awareness training

Buy Now
Questions 154

In your role as a cybersecurity analyst at a large e-commerce company, you have been tasked with reinforcing the firm’s defenses against potential Denial-of-Service (DoS) attacks. During a recent review, you noticed several IP addresses generating excessive traffic, causing an unusually high server load. Inspection of packets revealed that the TCP three-way handshake was never completed, leaving multiple connections in a SYN_RECEIVED state. The intent appears to be saturating server resources without completing connections. Which type of DoS attack is most likely being executed?

Options:

A.

SYN Flood

B.

Smurf Attack

C.

Ping of Death

D.

UDP Flood

Buy Now
Questions 155

A penetration tester performs a vulnerability scan on a company ' s network and identifies a critical vulnerability related to an outdated version of a database server. What should the tester prioritize as the next step?

Options:

A.

Attempt to exploit the vulnerability using publicly available tools or exploits

B.

Conduct a brute-force attack on the database login page

C.

Ignore the vulnerability and move on to testing other systems

D.

Perform a denial-of-service (DoS) attack on the database server

Buy Now
Questions 156

A technology consulting firm in Denver, Colorado, recently experienced a wave of suspicious account compromise incidents. Several employees reported receiving an email that appeared identical to a legitimate cloud storage notification they had received earlier that week. The message reused the original branding, formatting, sender display name, and subject line. However, it informed recipients that the previously shared document had been “updated due to synchronization errors” and instructed them to reauthenticate using the embedded link. The link directed users to a convincing replica of the organization’s authentication portal. Investigation revealed that the attacker had reused content from a genuine prior communication and modified only the embedded hyperlink. Which type of social engineering attack does this scenario most accurately represent?

Options:

A.

Clone Phishing

B.

Consent Phishing

C.

Search Engine Phishing

D.

Tabnabbing

Buy Now
Questions 157

A penetration tester is tasked with assessing the security of an Android mobile application that stores sensitive user data. The tester finds that the application does not use proper encryption to secure data at rest. What is the most effective way to exploit this vulnerability?

Options:

A.

Access the local storage to retrieve sensitive data directly from the device

B.

Use SQL injection to retrieve sensitive data from the backend server

C.

Execute a Cross-Site Scripting (XSS) attack to steal session cookies

D.

Perform a brute-force attack on the application ' s login credentials

Buy Now
Questions 158

During a security review, you have discovered that there are no documented security policies for the area you are assessing. Which of the following would be the most appropriate course of action?

Options:

A.

Create policies while testing

B.

Stop the audit

C.

Identify and evaluate current practices

D.

Increase the level of testing

Buy Now
Questions 159

A payroll management portal used by a manufacturing firm in Toledo, Ohio allows administrators to configure customizable notification templates that are later incorporated into automated reporting functions. During an authorized assessment, an ethical hacker submits specially structured input into a template field while creating a test notification.

The application accepts and stores the value without any noticeable disruption to the interface. Days later, when a scheduled reporting task executes, the resulting dataset includes records beyond the expected scope defined by the report criteria.

Further review reveals that the reporting engine dynamically constructs database queries using previously stored template values during execution.

Determine the SQL injection variant illustrated in this scenario.

Options:

A.

Stored Procedure Injection

B.

Second-Order SQL Injection

C.

Error-Based SQL Injection

D.

Piggybacked Query Injection

Buy Now
Questions 160

Which of the following is the primary objective of a rootkit?

Options:

A.

It provides an undocumented opening in a program

B.

It replaces legitimate programs

C.

It creates a buffer overflow

D.

It opens a port to provide an unauthorized service

Buy Now
Questions 161

An organization authorizes a wireless penetration test to evaluate the resilience of its WPA2-protected network. The assigned ethical hacker prepares the wireless adapter for packet capture and begins monitoring traffic from a nearby access point.

To accelerate the assessment, the tester transmits crafted 802.11 frames that momentarily interrupt active client connections. Shortly afterward, new authentication exchanges are observed in the capture logs, providing the necessary material for subsequent analysis.

The activity described corresponds to which component of the Aircrack-ng suite?

Options:

A.

airodump-ng

B.

airmon-ng

C.

aircrack-ng

D.

aireplay-ng

Buy Now
Questions 162

In the bustling tech hub of Silicon Valley, cybersecurity investigator Elena Martinez found herself deep into a late-night investigation at Horizon Tech Solutions on July 7, 2025. The company had reported sporadic network disruptions affecting their research team ' s access to critical project files. Elena, working under the cover of a maintenance window from midnight to 3 AM PDT, began monitoring the internal network, focusing on a subnet reserved for the R & D department. She noticed a pattern of failed connection attempts logged just before each disruption, with multiple hosts reporting temporary IP address conflicts. Suspecting foul play, Elena deployed a discreet test to simulate an internal threat scenario. Shortly afterward, several workstations began showing unfamiliar gateway settings and redirected users to misleading login portals during routine access attempts. Despite these anomalies, no security alerts were triggered.

What type of attack technique did Elena most likely simulate?

Options:

A.

DHCP Starvation Attack

B.

Packet Sniffing

C.

MAC Flooding

D.

Rogue DHCP Server Attack

Buy Now
Questions 163

During a penetration test at TechTrend Innovations in California, ethical hacker Jake Henderson reviews the company ' s web server exposure to network-based threats. He finds that the server is running with multiple open services and protocols that are not required for its operation, such as NetBIOS and SMB. Jake explains to the IT team that attackers could exploit these unnecessary services to gain unauthorized access to the server.

Which hardening measure should the IT team implement to mitigate this risk?

Options:

A.

Use a dedicated machine as a web server

B.

Conduct risk assessment for patching

C.

Eliminate unnecessary files

D.

Block all unnecessary ports, ICMP traffic, and protocols

Buy Now
Questions 164

A financial institution in San Francisco suffers a breach where attackers install malware that captures customer account credentials. The stolen data is then sold on underground forums for profit. No political or social statements are made, and the attackers remain anonymous while continuing to target similar organizations for financial gain. Based on this activity, what category of hacker is most likely responsible?

Options:

A.

Black Hat hackers

B.

Hacktivists

C.

Script Kiddies

D.

White Hat hackers

Buy Now
Questions 165

During a penetration test at Cascade Financial in Raleigh, ethical hacker Ethan Brooks evaluates the security of the company ' s authentication system. He observes that the application accepts a high volume of repeated credential submissions without introducing any additional challenge, allowing automated scripts to cycle rapidly through large password lists. Ethan advises the IT team to deploy a control that forces interaction steps designed to disrupt automation.

Which countermeasure should the IT team adopt in this scenario?

Options:

A.

Use strong hashing algorithms

B.

Implement 2FA/MFA

C.

Use CAPTCHA challenges on login and registration pages

D.

Force periodic password changes

Buy Now
Questions 166

An attacker extracts the initial bytes from an encrypted file container and uses a tool to iterate through numeric combinations. What type of cryptanalytic technique is being utilized?

Options:

A.

Seek identical digests across hash outputs

B.

Test every possible password through automation

C.

Force encryption key through quantum solving

D.

Analyze output length to spot anomalies

Buy Now
Questions 167

A multinational company plans to deploy an IoT-based environmental control system across global manufacturing units. The security team must identify the most likely attack vector an Advanced Persistent Threat (APT) group would use to compromise the system. What is the most plausible method?

Options:

A.

Launching a DDoS attack to overload IoT devices

B.

Compromising the system using stolen user credentials

C.

Exploiting zero-day vulnerabilities in IoT device firmware

D.

Performing an encryption-based Man-in-the-Middle attack

Buy Now
Questions 168

A Windows system shows LSASS memory access by unknown processes. What attack is likely?

Options:

A.

SQLi

B.

XSS

C.

Credential dumping

D.

DoS

Buy Now
Questions 169

On a busy Monday morning at Horizon Financial Services in Chicago, accounts assistant Clara Nguyen receives an email that appears to come from the company ' s IT department. The email, addressed specifically to Clara and mentioning her role in the accounts team, warns of a critical system vulnerability requiring immediate action. It includes a link to a login page resembling the company ' s internal portal, urging her to update her credentials to prevent account suspension. The email ' s sender address looks legitimate, but Clara notices a slight misspelling in the domain name.

What social engineering technique is being attempted against Clara?

Options:

A.

Spear Phishing

B.

Impersonation

C.

Quid Pro Quo

D.

Vishing

Buy Now
Questions 170

You are a wireless auditor at SeaFront Labs in San Diego, California, engaged to review the radio-layer protections used by a biotech research facility. While capturing traffic in monitor mode, you observe frames that include a CCMP-like header and AES-based encryption, and you note the use of a four-way handshake with a packet number (PN) for replay protection — features that were introduced to replace older TKIP/RC4 approaches. Based on these observed characteristics, which wireless encryption protocol is the access point most likely using?

Options:

A.

WPA2

B.

WPA

C.

WPA3

D.

WEP

Buy Now
Questions 171

A cybersecurity company wants to prevent attackers from gaining information about its encrypted traffic patterns. Which of the following cryptographic algorithms should they utilize?

Options:

A.

HMAC

B.

RSA

C.

DES

D.

AES

Buy Now
Questions 172

At a cybersecurity consultancy firm in Boston, senior analyst Amanda Liu is called in to assess a malware outbreak affecting a regional healthcare provider. Despite using updated antivirus tools, the security team notices inconsistent detection across infected endpoints. Amanda discovers that while the malicious behavior is consistent, system file tampering and suspicious outbound traffic, each malware sample has a slightly different code structure and fails traditional hash-based comparison. Static analysis reveals that the underlying logic remains unchanged, but the code patterns vary unpredictably across infections. What type of virus is most likely responsible for this behavior?

Options:

A.

Cavity virus

B.

Macro virus

C.

Polymorphic virus

D.

Stealth virus

Buy Now
Questions 173

What does an ACK scan mainly identify?

Options:

A.

Services

B.

Firewall rules

C.

Closed ports

D.

Open ports

Buy Now
Questions 174

Which method best bypasses client-side controls without triggering server-side alarms?

Options:

A.

Disable JavaScript in the browser

B.

Intercept and modify requests using a proxy tool

C.

Inject malicious JavaScript into the login form

D.

Reverse-engineer the encryption algorithm

Buy Now
Questions 175

In Austin, Texas, ethical hacker Liam Carter is hired by Lone Star Healthcare to probe the defenses of their patient data network. During his penetration test, Liam aims to bypass the hospital’s firewall protecting a medical records server. To do so, he uses a tool to craft custom network packets, carefully designing their headers to slip past the firewall’s filtering rules. His goal is to demonstrate how an attacker could infiltrate the system, exposing vulnerabilities for the security team to address.

Which tool is Liam using to bypass Lone Star Healthcare’s firewall during his penetration test?

Options:

A.

Metasploit

B.

Colasoft Packet Builder

C.

Nmap

D.

Traffic IQ Professional

Buy Now
Questions 176

Which protocol is insecure by default?

Options:

A.

HTTPS

B.

SFTP

C.

SSH

D.

Telnet

Buy Now
Questions 177

Joe, a cybersecurity analyst at XYZ-FinTech, has been assigned to perform a quarterly vulnerability assessment across the organization ' s Windows-based servers and employee workstations. His objective is to detect issues such as software configuration errors, incorrect registry or file permissions, native configuration table problems, and other system-level misconfigurations. He is instructed to log into each system using valid credentials to ensure comprehensive data collection. Based on this assignment, which type of vulnerability scanning should Joe perform?

Options:

A.

Application Scanning

B.

Host-based Scanning

C.

Network-based Scanning

D.

External Scanning

Buy Now
Questions 178

Prior to a federal audit, a cybersecurity consulting firm conducted an exposure review for a software company in Salt Lake City, Utah. The engagement focused on evaluating infrastructure reachable through the organization’s publicly registered domain records. The consultants identified open service ports on several servers, examined their patch levels for outdated components, and reviewed available DNS zone information to understand how systems were presented to remote systems. Based on the activities described, what type of vulnerability scanning is being performed?

Options:

A.

Internal Scanning

B.

External Scanning

C.

Manual Scanning

D.

Network-based Scanning

Buy Now
Questions 179

Which advanced evasion technique poses the greatest challenge to detect and mitigate?

Options:

A.

Covert channel communication using IP header fields

B.

Honeypot spoofing

C.

Polymorphic malware

D.

Packet fragmentation evasion

Buy Now
Questions 180

An attacker, using a rogue wireless AP, performed an MITM attack and injected an HTML code to embed a malicious applet in all HTTP connections. When users accessed any page, the applet ran and exploited many machines. Which one of the following tools the hacker probably used to inject HTML code?

Options:

A.

Wireshark

B.

Aircrack-ng

C.

Ettercap

D.

Tcpdump

Buy Now
Questions 181

During a red team engagement at Apex Biotech in Dallas, ethical hacker Rachel calls the company ' s HR desk pretending to be Mark Stevens, a senior finance manager. She pressures the HR staffer by citing his “upcoming presentation for the CFO” and insists he urgently needs a copy of the updated employee benefits spreadsheet. The staffer feels compelled to help due to Rachel’s convincing manner and authoritative tone.

Which social engineering technique is Rachel demonstrating in this exercise?

Options:

A.

Quid Pro Quo

B.

Impersonation

C.

Vishing

D.

Reverse Social Engineering

Buy Now
Questions 182

A penetration tester gains access to a target system through a vulnerability in a third-party software application. What is the most effective next step to take to gain full control over the system?

Options:

A.

Conduct a denial-of-service (DoS) attack to disrupt the system’s services

B.

Execute a Cross-Site Request Forgery (CSRF) attack to steal session data

C.

Perform a brute-force attack on the system ' s root password

D.

Use a privilege escalation exploit to gain administrative privileges on the system

Buy Now
Questions 183

During a security compliance audit at Nexus Tech Solutions in Boston, Massachusetts, the ethical hacking team launches a controlled social engineering exercise to assess help desk vulnerabilities. Ethical hacker Rachel Kim calls the company ' s help desk, posing as a stressed employee named Laura Bennett from the marketing department. Rachel claims her laptop is running slowly and offers to share her login credentials if the help desk can provide a quick fix to meet a tight project deadline. The call is designed to test whether help desk staff follow proper verification protocols or fall for the offer of credentials in exchange for assistance.

What social engineering technique is Rachel employing in this exercise?

Options:

A.

Shoulder Surfing

B.

Vishing

C.

Impersonation

D.

Quid Pro Quo

Buy Now
Questions 184

A regional insurance claims platform in Sacramento, California is protected by a web application firewall that evaluates inbound requests for suspicious query structures. During an authorized assessment, a tester observes that conventional injection attempts are consistently rejected.

The tester then adjusts the format and composition of the request while preserving its intended database behavior. After this modification, the request passes through the filtering mechanism and is processed by the backend system without disruption.

Which firewall evasion technique is being demonstrated?

Options:

A.

Splitting Payload Components Using HTTP Parameter Fragmentation (HPF)

B.

Transforming Query Structure to Evade Pattern-Based Inspection

C.

Combining Multiple Evasion Methods through an Integration Approach

D.

Using HTTP Parameter Pollution (HPP) to Override Query Parameters

Buy Now
Questions 185

During a security penetration test at Sterling Manufacturing in Cleveland, Ohio, the ethical hacking team evaluates the company ' s physical security controls. On a chilly evening in July 2025, ethical hacker Priya Desai, posing as a facilities contractor, accesses the company ' s loading dock area after regular business hours. Behind the employee entrance, she comes across an unsecured maintenance container with discarded packaging, shipping labels, and shredded office material. Among the clutter, Priya retrieves a crumpled document listing temporary access codes for the employee break room, along with a partially shredded memo referencing an upcoming audit. The exercise tests whether sensitive information discarded improperly can be exploited. The next day, Priya uses the recovered access codes to enter the break room undetected during a shift change, logging her entry on a controlled test system to simulate a breach.

What social engineering technique is Priya ' s exercise primarily simulating?

Options:

A.

Tailgating

B.

Eavesdropping

C.

Dumpster Diving

D.

Shoulder Surfing

Buy Now
Questions 186

You have successfully compromised a server having an IP address of 10.10.0.5. You would like to enumerate all machines in the same network quickly. What is the best Nmap command you will use?

Options:

A.

nmap -T4 -q 10.10.0.0/24

B.

nmap -T4 -O 10.10.0.0/24

C.

nmap -T4 -r 10.10.1.0/24

D.

nmap -T4 -F 10.10.0.0/24

Buy Now
Questions 187

You are a penetration tester hired to evaluate the security posture of a regional manufacturing company’s network devices. During your assessment, you discover that one of the core routers allows external administrative access without requiring a password. Additionally, the router communicates with other devices using a protocol that does not provide encryption or validation. Based solely on these observations, which of the following network device vulnerabilities is most clearly present?

Options:

A.

Firewall vulnerabilities

B.

Insecure routing protocols

C.

Lack of password protection

D.

Lack of authentication

Buy Now
Questions 188

A penetration tester identifies that a web application ' s login form is not using secure password hashing mechanisms, allowing attackers to steal passwords if the database is compromised. What is the best approach to exploit this vulnerability?

Options:

A.

Perform a dictionary attack using a list of commonly used passwords against the stolen hash values

B.

Input a SQL query to check for SQL injection vulnerabilities in the login form

C.

Conduct a brute-force attack on the login form to guess weak passwords

D.

Capture the login request using a proxy tool and attempt to decrypt the passwords

Buy Now
Questions 189

Following reports of inconsistent IP-to-MAC mappings on an internal access switch at a manufacturing company in Detroit, Michigan, the network security team enabled additional validation controls.

Soon afterward, the switch began automatically discarding certain ARP replies that did not match previously recorded IP address assignments. Log entries indicated that packets were being denied due to validation failures tied to existing address-to-port mappings learned earlier from legitimate host configuration traffic.

Which switch-level security feature is most likely responsible for enforcing this ARP validation behavior?

Options:

A.

Activating Dynamic ARP Inspection to validate ARP packets

B.

Displaying the DHCP Snooping binding table for verification

C.

Enabling DHCP Snooping to track address assignments

D.

Configuring BPDU Guard to protect spanning-tree topology

Buy Now
Questions 190

Sarah, an ethical hacker at a San Francisco-based financial firm, is testing the security of their customer database after a recent data exposure incident. Her analysis reveals that the sensitive client information is safeguarded using a symmetric encryption algorithm. She observes that the algorithm processes data in 64-bit blocks and supports a variable key size from 32 to 448 bits. During her penetration test, Sarah intercepts a ciphertext transmission and notes that the encryption was developed as a replacement for DES, an older algorithm. She aims to determine if the algorithm’s flexible key size could be susceptible to brute-force attacks. The algorithm is also noted for its use in secure storage, a critical application for the firm’s data protection.

Which symmetric encryption algorithm should Sarah identify as the one used by the firm?

Options:

A.

RC4

B.

Twofish

C.

AES

D.

Blowfish

Buy Now
Questions 191

A penetration tester performs a vulnerability scan on a company’s web server and identifies several medium-risk vulnerabilities related to misconfigured settings. What should the tester do to verify the vulnerabilities?

Options:

A.

Use publicly available tools to exploit the vulnerabilities and confirm their impact

B.

Ignore the vulnerabilities since they are medium-risk

C.

Perform a brute-force attack on the web server ' s login page

D.

Conduct a denial-of-service (DoS) attack to test the server ' s resilience

Buy Now
Questions 192

Cyber experts conducting covert missions exclusively for national interests are best classified as:

Options:

A.

State-sponsored hackers

B.

Organized hackers

C.

Gray hat hackers

D.

Hacktivists

Buy Now
Questions 193

One customer’s malicious activity impacts other tenants. Which control would best prevent this?

Options:

A.

Strong encryption

B.

Secure log management

C.

Multi-tenant isolation

D.

Strong authentication

Buy Now
Questions 194

Ethical hacker Ryan Brooks, a skilled penetration tester from Austin, Texas, was hired by Skyline Aeronautics, a leading aerospace firm in Denver, to conduct a security assessment. One stormy morning, Ryan noticed an unexpected lag in the routine system update process while running his tests, sparking his curiosity. During a late-night session, he observed a junior analyst, Chris Miller, cautiously modifying a legacy server’s configuration, including a scheduled task set to a specific date. The lead developer, Jessica Hayes, casually mentioned receiving an odd email from an unfamiliar source, which she ignored as clutter. As Ryan probed deeper, he detected a faint increase in network activity only after the scheduled date passed, and a systems admin, Mark Thompson, quickly pointed out some unusual code traces on a dormant workstation.

Which type of threat best characterizes this attack?

Options:

A.

Logic Bomb

B.

Fileless Malware

C.

Advanced Persistent Threat APT

D.

Ransomware

Buy Now
Questions 195

During an authorized security assessment of a smart thermostat manufacturer in Denver, Colorado, a certified ethical hacker receives a firmware image extracted from a production device for further evaluation.

The tester begins by examining the binary file to determine its format and architecture. Basic inspection commands are executed against the image to review embedded human-readable content and observe low-level binary structure before proceeding with deeper analysis.

Within the firmware analysis workflow, which stage is the tester performing?

Options:

A.

Extract the Filesystem

B.

Obtain Firmware

C.

Analyze Firmware

D.

Emulate Firmware

Buy Now
Questions 196

Which of the following is the most important step for the ethical hacker to perform during the pre-assessment?

Options:

A.

Hack the web server.

B.

Gather information about the target.

C.

Obtain verbal permission to hack.

D.

Obtain written permission to hack.

Buy Now
Questions 197

During a red team test, a web application dynamically builds SQL queries using a numeric URL parameter. The tester sends the following request:

http://vulnerableapp.local/view.php?id=1; DROP TABLE users;

The application throws errors and the users table is deleted. Which SQL injection technique was used?

Options:

A.

UNION-based SQL injection

B.

Stacked (Piggybacked) queries

C.

Boolean-based SQL injection

D.

Error-based SQL injection

Buy Now
Questions 198

A technology consulting firm in Portland, Oregon began experiencing repeated topology recalculations across its switching infrastructure. Shortly after a newly connected device came online in a conference room, spanning-tree convergence events were triggered across multiple distribution switches.

Engineers determined that the access-layer interface connected to that device was influencing path-selection decisions, introducing a more favorable bridge priority value into the environment and affecting the established hierarchy.

To preserve the intended switching structure and prevent unauthorized devices from altering root selection decisions, which control should be employed?

Options:

A.

Configuring Loop Guard on non-designated ports

B.

Enabling BPDU Guard on edge ports

C.

Applying Root Guard on designated interfaces

D.

Activating UDLD on uplinks

Buy Now
Questions 199

You are an ethical hacker at ShieldPoint Security, hired by Pinecrest Travel Agency in Orlando, Florida, to perform a penetration test on their flight booking portal. During testing, you notice that normal SQL injection attempts are blocked by a security filter. To bypass it, you adjust your input so that key SQL keywords are broken apart with unexpected symbols, allowing the database to interpret them correctly while evading the filter. This manipulation allows you to retrieve hidden booking records despite the filter ' s restrictions. Based on the observed behavior, which SQL injection evasion technique are you employing?

Options:

A.

String Concatenation

B.

Hex Encoding

C.

In-line Comment

D.

Null Byte

Buy Now
Questions 200

You are a cybersecurity consultant at FortiSec, advising DesertTech Innovations in Phoenix, Arizona. The company wants to modernize its Wi-Fi so that even if an attacker obtains a captured handshake or a weak passphrase, they cannot perform offline dictionary attacks or recover session keys; management also wants stronger, per-session encryption and protection for IoT devices without relying on a single shared password.

Which wireless security measure should DesertTech implement to meet these goals?

Options:

A.

MAC Address Filtering

B.

Use 802.1X Authentication

C.

Upgrade to WPA3

D.

Disable TKIP

Buy Now
Questions 201

A Java app uses Random() for session tokens. What is the risk?

Options:

A.

Session fixation

B.

XSS

C.

Predictable tokens

D.

CSRF

Buy Now
Questions 202

A cybersecurity consultant suspects attackers are attempting to evade an Intrusion Detection System (IDS). Which technique is most likely being used?

Options:

A.

Deploying self-replicating malware

B.

Fragmenting malicious packets into smaller segments

C.

Flooding the IDS with ICMP packets

D.

Sending phishing emails

Buy Now
Questions 203

During an assessment for a tech company in Seattle, Washington, an ethical hacker seeks to uncover details about the organization’s domain ownership to identify potential points of contact. She uses an online service to retrieve publicly available records without direct interaction with the target. Which method is she most likely employing to achieve this?

Options:

A.

Email footprinting

B.

Network footprinting

C.

Whois lookup

D.

DNS interrogation

Buy Now
Questions 204

You are Maya, a security engineer at HarborPoint Cloud Services in Chicago, Illinois, performing a post-incident hardening review after an internal audit flagged multiple services that rely on legacy public-key algorithms. The engineering team must prioritize actions company-wide to reduce long-term risk from future quantum-capable adversaries while development continues on a large refactor of several services. Which proactive control should Maya recommend as the highest-priority change to embed into the organization ' s development lifecycle to improve future resistance to quantum-based attacks?

Options:

A.

Include quantum-resistance checks in SDLC and code review processes

B.

Encrypt stored data with quantum-resistant algorithms

C.

Use quantum-specific firewalls to protect quantum communication channels

D.

Break data into fragments and distribute it across multiple locations

Buy Now
Questions 205

During a red team engagement at a retail company in Atlanta, ethical hacker James crafts a session with the company ' s shopping portal and deliberately shares that session ID with an unsuspecting employee by embedding it in a link. When the employee clicks and logs in, their activity is bound to the attacker ' s pre-assigned session. Later, James retrieves the employee ' s input from that same session to demonstrate the flaw to management.

Which session hijacking technique is James most likely using?

Options:

A.

Session Donation Attack

B.

Session Replay Attack

C.

Session Prediction

D.

Session Fixation Attack

Buy Now
Questions 206

After installing a backdoor on a web server, what action best ensures it remains undetected?

Options:

A.

Embed it in a frequently updated web file

B.

Increase the backdoor code size

C.

Install it on a non-web file referenced in a URL

D.

Place it in a file type excluded from resource maps

Buy Now
Questions 207

A logistics technology provider in Kansas City, Missouri conducts an internal review after an ethical hacker demonstrates several recurring input-handling weaknesses across different customer-facing web applications. The findings show that validation logic varies between modules, with many controls implemented inconsistently across components developed by separate teams.

Although immediate patches are applied to address the identified flaws, similar issues have surfaced in previous platform iterations despite corrective updates. Leadership determines that isolated fixes are insufficient and initiates an effort to standardize how security requirements are defined and incorporated across future development initiatives.

Based on the web application attack countermeasures, which category best aligns with this remediation approach?

Options:

A.

Insecure Design

B.

Broken Access Control

C.

Security Misconfiguration

D.

Cryptographic Failures / Sensitive Data Exposure

Buy Now
Questions 208

What is the proper response for a NULL scan if the port is closed?

Options:

A.

No response

B.

FIN

C.

RST

D.

SYN

E.

ACK

F.

PSH

Buy Now
Questions 209

During a penetration test at a retail company in Seattle, Washington, an ethical hacker needs to disguise her scans so they appear to originate from a specific hardware vendor. The organization uses MAC-based logging, and by assigning a vendor-associated identifier, she can make her traffic blend in with legitimate devices on the network. Which Nmap command should she use to achieve this?

Options:

A.

nmap -sT -Pn --spoof-mac 00:11:22 10.10.1.11

B.

nmap -sT -Pn --spoof-mac Dell 10.10.1.11

C.

nmap -sT -Pn --spoof-mac 0 10.10.1.11

D.

nmap -sT -Pn --spoof-mac 00:01:02:25:56:AE 10.10.1.11

Buy Now
Questions 210

A university authorizes a wireless protocol resilience assessment on its WPA2-secured network. An ethical hacker positions a testing device within range of an access point and observes the key negotiation exchange between the client and the access point.

By selectively retransmitting a previously captured handshake message at a precise moment in the exchange, the tester causes the client device to reinstall an already negotiated encryption key. Subsequent traffic patterns reveal that certain protections expected from unique session parameters are no longer consistently enforced.

What kind of wireless attack technique is being illustrated in this scenario?

Options:

A.

Key Reinstallation Attack (KRACK)

B.

Replay Attack

C.

Man-in-the-Middle Attack

D.

WPA2 PSK Offline Cracking

Buy Now
Questions 211

What does DEP block?

Options:

A.

Encryption

B.

Logging

C.

Execution in data memory

D.

Scanning

Buy Now
Questions 212

What is SMB relay attack?

Options:

A.

DoS

B.

Spoofing

C.

MITM

D.

Replay

Buy Now
Questions 213

At a financial headquarters in Denver, Colorado, ethical hacker Jordan Lee moves beyond cataloging IoT devices and begins testing them for weaknesses. He runs specialized tools against smart lighting and HVAC systems to check for outdated firmware, default passwords, and open service ports. Which step of the IoT hacking methodology is Jordan carrying out?

Options:

A.

Vulnerability scanning

B.

Gain remote access

C.

Information gathering

D.

Launch attacks

Buy Now
Questions 214

An ethical hacker conducts testing with full knowledge and permission. What type of hacking is this?

Options:

A.

Blue Hat

B.

Grey Hat

C.

White Hat

D.

Black Hat

Buy Now
Questions 215

A penetration tester is attacking a wireless network running WPA3 encryption. Since WPA3 handshake protections prevent offline brute-force cracking, what is the most effective approach?

Options:

A.

Downgrade the connection to WPA2 and capture the handshake to crack the key

B.

Execute a dictionary attack on the WPA3 handshake using common passwords

C.

Perform a brute-force attack directly on the WPA3 handshake

D.

Perform a SQL injection attack on the router ' s login page

Buy Now
Questions 216

What does a NULL scan send?

Options:

A.

No flags set

B.

SYN packet

C.

ACK packet

D.

RST packet

Buy Now
Questions 217

Michael, an ethical hacker at a New York-based e-commerce company, is evaluating the security of their online payment system after a recent incident where fraudulent transactions went undetected. His investigation reveals that the system uses an asymmetric encryption algorithm to ensure the authenticity of payment confirmations. He finds that the algorithm employs a public-key cryptosystem, where the sender signs the transaction with a private key, and the recipient verifies it using a corresponding public key located in a directory. During his test, Michael intercepts a signed message and notices that the algorithm supports modular exponentiation for generating digital signatures, a process critical to verifying the identity of the signatory. He aims to assess if the algorithm ' s configuration could be vulnerable to a meet-in-the-middle attack due to its key structure. Which asymmetric encryption algorithm should Michael identify as the one used by the payment system?

Options:

A.

Diffie-Hellman

B.

DSA

C.

RSA

D.

ElGamal

Buy Now
Questions 218

Which of the following is a component of a risk assessment?

Options:

A.

Administrative safeguards

B.

Logical interface

C.

Physical security

D.

DMZ

Buy Now
Questions 219

During an internal audit at a financial services firm in Mumbai, ethical hacker Meera was tasked with assessing lateral movement risks within the Windows-based domain environment. While monitoring internal network traffic, she noticed a strange broadcast from a workstation trying to resolve a non-existent host. Suspecting protocol-level weakness, she responded swiftly using a pre-configured system. A few minutes later, she captured NTLMv2 hashes from several authenticated sessions across multiple departments. Later, her team successfully cracked one of the hashes offline and used the credentials to gain access to a sensitive internal reporting server. Which type of attack did Meera most likely execute?

Options:

A.

Internal Monologue Attack

B.

LLMNR/NBT-NS Poisoning

C.

Kerberoasting

D.

Pass-the-Ticket Attack

Buy Now
Questions 220

During a red team engagement at a manufacturing company in Dallas, penetration tester Tyler gains access to a Windows workstation. Later in the exercise, he reviews his exfiltrated logs and finds detailed records of employee logins, email drafts, and sensitive data entered into desktop applications. The collection occurred without requiring browser injection or physical device access, and no kernel drivers were installed.

Which type of keylogger did Tyler most likely deploy?

Options:

A.

JavaScript Keylogger

B.

Hardware Keylogger

C.

Kernel Keylogger

D.

Application Keylogger

Buy Now
Questions 221

During an internal assessment, a penetration tester gains access to a hash dump containing NTLM password hashes from a compromised Windows system. To crack the passwords efficiently, the tester uses a high-performance CPU setup with Hashcat, attempting millions of password combinations per second. Which technique is being optimized in this scenario?

Options:

A.

Spoof NetBIOS to impersonate a file server

B.

Leverage hardware acceleration for cracking speed

C.

Dump SAM contents for offline password retrieval

D.

Exploit dictionary rules with appended symbols

Buy Now
Questions 222

During a penetration test at Cascade Financial in Seattle, ethical hacker Elena Vasquez probes the input handling of the company ' s web server. She discovers that a single crafted request is processed as two separate ones, allowing her to inject malicious data into the server ' s communication. This type of attack falls into the same category of input validation flaws as cross-site scripting (XSS), cross-site request forgery (CSRF), and SQL injection. Which type of web server attack is Elena most likely demonstrating?

Options:

A.

Password Cracking Attack

B.

HTTP Response Splitting Attack

C.

Directory Traversal Attack

D.

Web Cache Poisoning Attack

Buy Now
Questions 223

You are an ethical hacker at HorizonSec Consulting, hired by Liberty Insurance in Philadelphia, Pennsylvania, to test the resilience of their online claim submission portal. During testing, you modify the claim ID parameter in the URL with conditions such as AND and AND 1=2. When the first condition is used, the portal displays claim details as normal; when the second condition is used, the page displays no results. You repeat this process to determine how the application responds to true and false conditions without error messages or delays.

Based on the observed behavior, which SQL injection technique are you employing?

Options:

A.

UNION SQL Injection

B.

Error-based SQL Injection

C.

Time-based Blind SQL Injection

D.

Boolean Exploitation

Buy Now
Questions 224

What indicates advanced persistent threat behavior?

Options:

A.

Long dwell time

B.

Malware spam

C.

One-time exploit

D.

Brute force

Buy Now
Questions 225

A system administrator observes that several machines in the network are repeatedly sending out traffic to unknown IP addresses. Upon inspection, these machines were part of a coordinated spam campaign. What is the most probable cause?

Options:

A.

Keyloggers were harvesting user credentials

B.

Devices were enslaved into a botnet network

C.

Browsers were redirected to adware-injected sites

D.

Worms exploited zero-day vulnerabilities

Buy Now
Questions 226

A security researcher reviewing an organization ' s website source code finds references to Amazon S3 file locations. What is the most effective way to identify additional publicly accessible S3 bucket URLs used by the target?

Options:

A.

Exploit XSS to force the page to reveal the S3 links

B.

Use Google advanced search operators to enumerate S3 bucket URLs

C.

Use SQL injection to extract internal file paths from the database

D.

Perform packet sniffing to intercept internal S3 bucket names

Buy Now
Questions 227

In the rainy streets of Portland, Oregon, ethical hacker Ethan Brooks delves into the security layers of ShopSwift, a US-based e-commerce platform reeling from a recent data breach. Tasked with uncovering the method behind unauthorized account takeovers, Ethan examines login patterns across the platform ' s user base. His investigation reveals a surge of automated login activity across multiple accounts, with a suspiciously high success rate. Determined to trace the root cause, Ethan compiles a detailed log to assist ShopSwift ' s security team in restoring trust.

Which attack method is Ethan most likely uncovering in ShopSwift’s authentication system?

Options:

A.

Password Spraying

B.

Brute Force Attack

C.

Credential Stuffing

D.

Phishing Attacks

Buy Now
Questions 228

You are Sofia Patel, an ethical hacker at Nexus Security Labs, hired to test the mobile device security of Bayview University in San Francisco, California. During your assessment, you are given an Android 11-based Samsung Galaxy Tab S6 with USB debugging disabled and OEM unlock restrictions in place. To simulate an attacker attempting to gain privileged access, you install a mobile application that exploits a system vulnerability to gain root access directly on the device without requiring a PC. This allows you to bypass OS restrictions and retrieve sensitive research data. Based on this method, which Android rooting tool are you using?

Options:

A.

Magisk Manager

B.

One Click Root

C.

KingoRoot

D.

RootMaster

Buy Now
Questions 229

At a Los Angeles-based online gaming company, penetration tester John investigates a recent cloud breach that caused downtime and delayed alerts. He finds that the root issue was management ' s lack of defined responsibilities for monitoring, auditing, and securing serverless services, which left critical functions unmanaged. Which cloud computing threat does this scenario best illustrate?

Options:

A.

Insufficient logging and monitoring

B.

Loss of governance

C.

Privilege escalation

D.

Side-channel attacks

Buy Now
Questions 230

A penetration tester is assessing the security of a corporate wireless network that uses WPA2-Enterprise encryption with RADIUS authentication. The tester wants to perform a man-in-the-middle attack by tricking wireless clients into connecting to a rogue access point. What is the most effective method to achieve this?

Options:

A.

Set up a fake access point with the same SSID and use a de-authentication attack

B.

Use a brute-force attack to crack the WPA2 encryption directly

C.

Perform a dictionary attack on the RADIUS server to retrieve credentials

D.

Execute a Cross-Site Scripting (XSS) attack on the wireless controller ' s login page

Buy Now
Questions 231

During a security review for a healthcare provider in Denver, Colorado, Ava examines the header of a suspicious message to map the sender ' s outbound email infrastructure. Her goal is to identify which specific system on the sender ' s side processed the message so the team can understand where the transmission originated within that environment. Which detail from the email header should she examine to determine this?

Options:

A.

Date and time of message sent

B.

Sender ' s mail server

C.

Sender ' s IP address

D.

Authentication system used by sender ' s mail server

Buy Now
Questions 232

Which tool is best for sniffing plaintext HTTP traffic?

Options:

A.

Nessus

B.

Nmap

C.

Netcat

D.

Wireshark

Buy Now
Questions 233

A network administrator reviews logs and observes that an attacker sends packets requesting the target system’s internal clock value. The response includes timing information that can be used to calculate round-trip delay and analyze host characteristics.

What host discovery technique is being used in this scenario?

Options:

A.

UDP Ping Scan

B.

ICMP Echo Ping Sweep

C.

IP Protocol Scan

D.

ICMP Timestamp Ping Scan

Buy Now
Questions 234

You are Emma Rodriguez, an ethical hacker at SecurePath Solutions, hired to test the mobile application security of Sterling & Associates, a law firm in New York City. During a covert assessment, your objective is to simulate an attacker attempting to exploit vulnerabilities in the firm’s client case management app. You discover that the app stores user credentials in plain text on the device, enabling you to extract sensitive client login information using a rooted device. Based on this finding, which OWASP Top 10 Mobile Risk are you identifying in the app?

Options:

A.

Insecure Communication

B.

Improper Credential Usage

C.

Inadequate Privacy Controls

D.

Insecure Data Storage

Buy Now
Questions 235

Which advanced session hijacking technique is hardest to detect and mitigate in a remote-access environment?

Options:

A.

Session sidejacking over public Wi-Fi

B.

ARP spoofing on local networks

C.

Brute-force session guessing

D.

Cookie poisoning

Buy Now
Questions 236

Which of the following tools is used to analyze the files produced by several packet-capture programs such as tcpdump, WinDump, Wireshark, and EtherPeek?

Options:

A.

OpenVAS

B.

Nessus

C.

tcptraceroute

D.

tcptrace

Buy Now
Questions 237

“ShadowFlee” is fileless malware using PowerShell and legitimate tools. Which strategy offers the most focused countermeasure?

Options:

A.

Restrict and monitor script and system tool execution

B.

Isolate systems and inspect traffic

C.

Schedule frequent reboots

D.

Clean temporary folders

Buy Now
Questions 238

An ethical hacker is conducting a penetration test on a company’s network with full knowledge and permission from the organization. What is this type of hacking called?

Options:

A.

Blue Hat Hacking

B.

Grey Hat Hacking

C.

Black Hat Hacking

D.

White Hat Hacking

Buy Now
Questions 239

During a post-exploitation phase on a compromised finance department workstation, ethical hacker Anika uses her Meterpreter session to extract sensitive credential data. After running a command, she receives a long list of alphanumeric strings representing LM and NTLM values. These outputs are later transferred to a cracking rig for offline password recovery, allowing the red team to simulate credential theft across multiple systems.

Which Meterpreter command most likely produced these results?

Options:

A.

keyscan_start

B.

hashdump

C.

getsystem

D.

screenshot

Buy Now
Exam Code: 312-50v13
Exam Name: Certified Ethical Hacker Exam (CEHv13)
Last Update: Jun 28, 2026
Questions: 584
312-50v13 pdf

312-50v13 PDF

$25.5  $84.99
312-50v13 Engine

312-50v13 Testing Engine

$30  $99.99
312-50v13 PDF + Engine

312-50v13 PDF + Testing Engine

$40.5  $134.99