- An ethical hacker is documenting the standard sequence of an attack so a defending team can map detection controls to each stage. Which model describes the progressive stages an adversary moves through, beginning with reconnaissance and ending with actions on the objective?
- The cyber kill chain
- The CIA triad
- The defense-in-depth model
- The vulnerability assessment lifecycle
Correct answer: The cyber kill chain
The cyber kill chain is correct because it is the adversary-lifecycle framework that breaks an intrusion into ordered stages such as reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. The CIA triad describes security goals, defense-in-depth describes layered controls, and the vulnerability assessment lifecycle describes finding and remediating weaknesses rather than mapping an adversary's progression.
- During an authorized engagement, a tester first gathers publicly available information about the target before doing anything else. Which phase of the ethical hacking methodology is the tester performing?
- Maintaining access
- Gaining access
- Covering tracks
- Reconnaissance
Correct answer: Reconnaissance
Reconnaissance is correct because it is the first of the five phases of ethical hacking and involves collecting information about the target before any intrusion. Gaining access is the exploitation phase that comes later, maintaining access keeps a foothold after compromise, and covering tracks is the final phase focused on hiding evidence of the activity.
- A security analyst lists the standard ethical hacking phases in order. After scanning, which phase comes next in the five-phase methodology?
- Reconnaissance
- Covering tracks
- Gaining access
- Maintaining access
Correct answer: Gaining access
Gaining access is correct because the ethical hacking phases proceed as reconnaissance, scanning, gaining access, maintaining access, and covering tracks; gaining access immediately follows scanning. Reconnaissance precedes scanning, while maintaining access and covering tracks both occur after access has already been obtained.
- An organization wants a repeatable process that identifies, quantifies, and prioritizes weaknesses in its systems without actually exploiting them. Which activity best matches this goal?
- A penetration test
- A vulnerability assessment
- A red team operation
- A social engineering campaign
Correct answer: A vulnerability assessment
A vulnerability assessment is correct because it systematically discovers, classifies, and ranks weaknesses to inform remediation, but it stops short of exploiting them. A penetration test and a red team operation actively exploit findings to demonstrate impact, and a social engineering campaign targets people rather than producing a prioritized inventory of technical weaknesses.
- A consultant explains that a complete vulnerability assessment is cyclical rather than a one-time scan. Which sequence best represents the vulnerability assessment lifecycle?
- Identify assets, scan and assess, prioritize and report, remediate, then verify
- Deliver, exploit, install, command and control, then act on objectives
- Reconnaissance, scanning, gaining access, maintaining access, then covering tracks
- Authentication, authorization, accounting, auditing, then archiving
Correct answer: Identify assets, scan and assess, prioritize and report, remediate, then verify
Identifying assets, scanning and assessing, prioritizing and reporting, remediating, and verifying is correct because the vulnerability assessment lifecycle is a repeating loop that ends by confirming fixes and feeding back into the next cycle. The delivery-through-objectives sequence describes the cyber kill chain, the reconnaissance-through-covering-tracks sequence describes the hacking phases, and the authentication-through-archiving list describes access-control functions, not vulnerability management.
- An attacker installs a backdoor and a rootkit after compromising a server so they can return later without re-exploiting it. Which phase of the ethical hacking methodology does this represent?
- Scanning
- Reconnaissance
- Maintaining access
- Gaining access
Correct answer: Maintaining access
Maintaining access is correct because installing backdoors or rootkits to preserve a persistent foothold for future use defines this phase. Scanning and reconnaissance both occur before any compromise, and gaining access is the initial exploitation step rather than the effort to keep that access over time.
- A policy states that information must not be altered by unauthorized parties and must remain accurate and complete from creation to deletion. Which element of the CIA triad does this policy primarily protect?
- Availability
- Confidentiality
- Integrity
- Non-repudiation
Correct answer: Integrity
Integrity is correct because it ensures data is not modified by unauthorized parties and remains accurate and trustworthy throughout its lifecycle. Confidentiality concerns preventing unauthorized disclosure, availability ensures authorized users can reach resources when needed, and non-repudiation prevents denial of an action and is not one of the three CIA triad elements.
- A tester operating strictly within a signed scope and rules-of-engagement document, with the owner's written permission, is best classified as which type of hacker?
- A black hat hacker
- A gray hat hacker
- A suicide hacker
- A white hat hacker
Correct answer: A white hat hacker
A white hat hacker is correct because this category describes professionals who test systems legally with explicit authorization and defined scope. A black hat hacker acts maliciously without permission, a gray hat hacker may probe systems without authorization but without malicious intent, and a suicide hacker pursues objectives without concern for being caught or punished.
- Before any testing begins, an ethical hacker insists on a signed authorization defining systems, timing, and permitted techniques. Why is obtaining this written scope and authorization essential to keeping the engagement ethical and lawful?
- It guarantees that no vulnerabilities will be found during the test
- It distinguishes authorized testing from illegal unauthorized access and limits liability
- It replaces the need for any reconnaissance or scanning phases
- It automatically encrypts all data the tester collects
Correct answer: It distinguishes authorized testing from illegal unauthorized access and limits liability
Distinguishing authorized testing from illegal access and limiting liability is correct because written authorization and a defined scope are what legally separate ethical hacking from criminal intrusion and protect both parties. The authorization does not guarantee findings, does not replace methodology phases, and does not perform any encryption of collected data.
- A defender deliberately layers a firewall, network segmentation, host hardening, and user training so that a single failure does not lead to full compromise. Which information security principle is being applied?
- Least privilege
- Defense in depth
- Separation of duties
- Security through obscurity
Correct answer: Defense in depth
Defense in depth is correct because it layers multiple independent controls so that the failure of one does not expose the entire system. Least privilege limits access rights to the minimum required, separation of duties divides critical tasks among people to prevent abuse, and security through obscurity relies on hiding implementation details rather than on layered safeguards.
- An attacker pretends to be a help-desk technician and persuades an employee to reveal a password. Within the information security threat landscape, this is an example of which broad attack category?
- An operating system attack
- An application-level attack
- A human-based or social engineering attack
- A misconfiguration attack
Correct answer: A human-based or social engineering attack
A human-based or social engineering attack is correct because it exploits human trust and behavior rather than a technical flaw. An operating system attack targets unpatched or default OS components, an application-level attack abuses flaws in software code, and a misconfiguration attack exploits improperly configured systems rather than manipulating a person.
- Security training defines a vulnerability, a threat, and a risk as distinct concepts. Which statement correctly describes a vulnerability?
- It is any potential danger or agent that could exploit a weakness
- It is a weakness or flaw in a system that could be exploited
- It is the likelihood and impact of a threat acting on a weakness
- It is the financial value assigned to a protected asset
Correct answer: It is a weakness or flaw in a system that could be exploited
Describing a vulnerability as a weakness or flaw that could be exploited is correct because that is the standard definition used in information security. A potential danger or agent describes a threat, the combination of likelihood and impact describes risk, and the financial value of an asset is asset valuation rather than a vulnerability.
- An organization adopts a framework that catalogs adversary tactics and techniques across the attack lifecycle so blue and red teams can speak a common language. Which framework is being described?
- ISO 9001
- The CIA triad
- The waterfall model
- MITRE ATT&CK
Correct answer: MITRE ATT&CK
MITRE ATT&CK is correct because it is a knowledge base that organizes real-world adversary tactics and techniques across the attack lifecycle, supporting both offensive and defensive teams. ISO 9001 is a quality management standard, the CIA triad describes security goals, and the waterfall model is a software development methodology unrelated to adversary behavior.
- Comparing engagement styles, how does a penetration test most clearly differ from a pure vulnerability assessment?
- A penetration test actively exploits findings to demonstrate real-world impact
- A penetration test only lists weaknesses without confirming they are exploitable
- A penetration test never requires authorization from the system owner
- A penetration test is performed exclusively by automated scanners
Correct answer: A penetration test actively exploits findings to demonstrate real-world impact
Actively exploiting findings to demonstrate real-world impact is correct because a penetration test goes beyond identifying weaknesses to prove they can be leveraged, whereas a vulnerability assessment stops at discovery and prioritization. The remaining choices invert that distinction, wrongly remove the authorization requirement, or reduce a penetration test to automated scanning only.
- In the cyber kill chain, an adversary couples an exploit with a malicious payload to create a deliverable artifact such as a weaponized document, before sending it to the victim. Which stage of the kill chain is this?
- Weaponization
- Delivery
- Installation
- Command and control
Correct answer: Weaponization
Weaponization is correct because it is the stage where an exploit is paired with a payload to build a deliverable malicious artifact, occurring after reconnaissance but before delivery. Delivery transmits that artifact to the target, installation establishes malware on the host, and command and control opens a channel for remote operation, all of which happen after weaponization.
- A company enforces a rule that every user account is granted only the minimum permissions required to perform its job, and nothing more. Which security principle does this enforce?
- Defense in depth
- Non-repudiation
- Availability
- Least privilege
Correct answer: Least privilege
Least privilege is correct because granting only the minimum access necessary for a role directly defines this principle and limits the damage from a compromised account. Defense in depth layers multiple controls, non-repudiation prevents denial of an action, and availability ensures resources are accessible to authorized users when needed.
- A CISO must decide where to invest limited security budget. The team estimates how likely each threat is to exploit a known weakness and how severe the resulting business impact would be. This combined estimate of likelihood and impact is best described as which concept?
- An exploit
- A countermeasure
- Risk
- An attack surface
Correct answer: Risk
Risk is correct because it is defined as the combination of the likelihood that a threat exploits a vulnerability and the impact if it does, which is exactly what guides prioritized investment. An exploit is the actual code or method used against a weakness, a countermeasure is a control that reduces risk, and the attack surface is the sum of points where an attacker could attempt entry rather than a measure of likelihood and impact.
- A security consultant begins a sanctioned engagement and decides to start with reconnaissance. In the recognized ethical hacking workflow, what is the primary goal of this opening reconnaissance work?
- Permanently erase the target's event logs to stay hidden
- Install a backdoor that survives a reboot of the target
- Encrypt the target's databases to demonstrate ransomware impact
- Gather as much information as possible about the target to shape later phases
Correct answer: Gather as much information as possible about the target to shape later phases
Gathering as much information as possible about the target to shape later phases is correct because reconnaissance is the intelligence-collection stage that builds a picture of systems, people, and infrastructure before any active attack. Erasing logs is covering tracks, installing a backdoor is maintaining access, and encrypting databases is an impact action, so none describe the goal of reconnaissance.
- An analyst is asked to label the type of footprinting that collects details about an organization's people, such as employee names, job titles, and social media presence. Which footprinting category does this describe?
- DNS footprinting
- Wireless footprinting
- Social engineering footprinting through public personnel data
- Network footprinting
Correct answer: Social engineering footprinting through public personnel data
Social engineering footprinting through public personnel data is correct because gathering employee names, titles, and social profiles builds a human-focused intelligence picture that feeds later social-engineering attempts. DNS footprinting targets name records, network footprinting maps ranges and routes, and wireless footprinting profiles radio networks, so none of those cover personnel intelligence.
- A tester examines archived versions of a target's old web pages to recover staff directories and documents that were since removed from the live site. Which type of resource provides these historical snapshots for footprinting?
- A live exploit framework that injects payloads
- A password-cracking dictionary file
- A wireless packet injection driver
- An internet archive or web cache that stores past versions of pages
Correct answer: An internet archive or web cache that stores past versions of pages
An internet archive or web cache that stores past versions of pages is correct because historical archives retain content that has since been removed, letting a tester recover old directories and documents passively. An exploit framework, a password dictionary, and a packet-injection driver are attack or cracking tools, not sources of historical page snapshots.
- During an engagement a tester reviews job postings published by the target company. Beyond hiring intent, what reconnaissance value do detailed job listings most directly provide?
- The administrative password to the human resources portal
- A live feed of every employee's keystrokes
- Insight into the technologies and platforms the organization uses internally
- The encryption keys protecting the corporate VPN
Correct answer: Insight into the technologies and platforms the organization uses internally
Insight into the technologies and platforms the organization uses internally is correct because job listings often name specific operating systems, applications, and frameworks the company runs, revealing the target's tech stack. Job postings do not disclose portal passwords, keystrokes, or VPN keys, so the other options misstate what they leak.
- A tester compiles a footprinting report and wants to capture the single most useful end product of the reconnaissance effort. Which outcome best represents that value?
- A copy of the tester's licensing agreement with the client
- A randomized list of public companies in the same sector
- A backup of the tester's personal toolset
- A prioritized profile of the target's attack surface to guide later testing
Correct answer: A prioritized profile of the target's attack surface to guide later testing
A prioritized profile of the target's attack surface to guide later testing is correct because footprinting exists to consolidate intelligence and rank likely entry points so subsequent phases are focused. A licensing agreement, a random company list, and a toolset backup are not intelligence about the target, so they do not represent the value of footprinting.
- A reconnaissance analyst is asked to define passive reconnaissance precisely for an engagement plan. Which description fits passive reconnaissance?
- Sending crafted packets to the target to map open ports
- Logging into the target's portal with stolen credentials
- Flooding the target's server with traffic to test resilience
- Collecting information from public sources without directly interacting with the target's systems
Correct answer: Collecting information from public sources without directly interacting with the target's systems
Collecting information from public sources without directly interacting with the target's systems is correct because passive reconnaissance relies on registries, search engines, and social media so the target sees no direct probing. Sending crafted packets, logging in with credentials, and flooding a server all touch the target directly, which makes them active rather than passive.
- A tester must choose between active and passive reconnaissance for a stealth-critical engagement against a heavily monitored target. Which choice and reasoning is most sound?
- Active reconnaissance, because it never generates any detectable traffic
- Passive reconnaissance, because it avoids touching the target and lowers detection risk
- Active reconnaissance, because public records contain no useful data
- Passive reconnaissance, because it guarantees full administrative access
Correct answer: Passive reconnaissance, because it avoids touching the target and lowers detection risk
Choosing passive reconnaissance because it avoids touching the target and lowers detection risk is correct because gathering only public data leaves no trace on the monitored systems. Active reconnaissance does generate traffic, public records are often useful, and passive methods do not grant administrative access, so the other options are inaccurate.
- A tester uses a search-engine-style service that continuously scans the internet and indexes exposed devices, banners, and open ports, then queries it for the target's internet-facing systems. Why is querying such a pre-built index considered passive reconnaissance?
- The tester probes the target directly but spoofs the source address
- The query physically disables the target's firewall
- The third-party service already collected the data, so the tester never touches the target
- The service decrypts the target's TLS traffic for the tester
Correct answer: The third-party service already collected the data, so the tester never touches the target
Saying the third-party service already collected the data so the tester never touches the target is correct because the scanning was done by the service, and querying its index sends no traffic to the target. The tester is not probing the target, the query cannot disable a firewall, and the service does not decrypt TLS, so the other options misdescribe the technique.
- An analyst mines a target executive's public social media for travel plans, coworkers, and interests to prepare a future pretext. Which combination correctly classifies this activity?
- Active reconnaissance and exploitation
- Passive reconnaissance and OSINT gathering
- Privilege escalation and persistence
- Scanning and enumeration
Correct answer: Passive reconnaissance and OSINT gathering
Passive reconnaissance and OSINT gathering is correct because harvesting publicly posted personal details is open-source intelligence collected without contacting the target's systems. Exploitation, privilege escalation, persistence, scanning, and enumeration all involve interacting with or attacking systems, so the other combinations do not fit social-media OSINT.
- A tester wants to find documents the target accidentally exposed by searching for a specific file extension on the organization's domain. Which Google dorking operator narrows results to a particular document type?
- The intitle: operator
- The cache: operator
- The filetype: operator
- The related: operator
Correct answer: The filetype: operator
The filetype: operator is correct because it restricts search results to a chosen file extension, such as PDF or XLSX, surfacing exposed documents. The intitle: operator matches page titles, cache: shows a stored copy, and related: finds similar sites, so none of those filter by document type.
- A tester wants search results limited to pages whose title contains a chosen word, such as an index or login keyword. Which Google dorking operator matches text in the page title?
- The inurl: operator
- The link: operator
- The intitle: operator
- The site: operator
Correct answer: The intitle: operator
The intitle: operator is correct because it returns pages whose HTML title contains the specified term, useful for finding directory listings or login pages. The inurl: operator searches the URL, link: finds pages that link to a target, and site: limits results to a domain, so none of those match the page title.
- A tester combines two dork operators to find login pages indexed only under the target's domain. Which combined query expresses that intent correctly?
- Site:target.com inurl:login
- Related:target.com define:login
- Cache:target.com filetype:login
- Link:target.com intext:public
Correct answer: Site:target.com inurl:login
The query site:target.com inurl:login is correct because site: confines results to the target domain while inurl:login surfaces pages with login in the URL, precisely the intent. Combining related: with define:, cache: with filetype:, or link: with intext: does not constrain results to the domain while finding login URLs, so the other queries miss the goal.
- After a dorking review surfaces an indexed internal directory listing, a tester recommends a fix. Which control most directly prevents search engines from indexing and exposing such content?
- Enforcing access controls and noindex/robots directives on sensitive paths
- Increasing the office network bandwidth
- Changing the company's logo on the homepage
- Rotating employee parking assignments
Correct answer: Enforcing access controls and noindex/robots directives on sensitive paths
Enforcing access controls and noindex/robots directives on sensitive paths is correct because dorking can only reveal content that is publicly reachable and crawlable, so restricting access and blocking indexing removes the exposure. Adjusting bandwidth, changing a logo, or reassigning parking has no effect on what search engines index, so the other options are irrelevant.
- A tester runs a WHOIS query against a target domain during footprinting. Which set of details does a WHOIS record typically return?
- The live CPU and memory usage of the web server
- The plaintext passwords of every domain administrator
- The full source code of the hosted web application
- The registrar, registration and expiration dates, and authoritative name servers
Correct answer: The registrar, registration and expiration dates, and authoritative name servers
Returning the registrar, registration and expiration dates, and authoritative name servers is correct because WHOIS exposes domain registration metadata useful for profiling a target. WHOIS does not report server resource usage, administrator passwords, or application source code, so the other options describe information it does not contain.
- A tester wants to discover which mail servers handle email for a target domain during DNS footprinting. Which DNS record type identifies a domain's mail servers?
- The A record
- The CNAME record
- The MX record
- The PTR record
Correct answer: The MX record
The MX record is correct because mail exchange records list the mail servers responsible for receiving email for a domain, exactly what the tester needs. An A record maps a name to an IPv4 address, a CNAME creates an alias, and a PTR supports reverse lookups, so none of those identify mail servers.
- A tester attempts a DNS zone transfer against a misconfigured name server and succeeds. What does a successful zone transfer give the tester?
- Remote shell access to the DNS server
- The wireless passphrase for the corporate network
- The ability to decrypt all HTTPS traffic to the domain
- A complete copy of the domain's DNS records, including many internal hostnames
Correct answer: A complete copy of the domain's DNS records, including many internal hostnames
A complete copy of the domain's DNS records, including many internal hostnames, is correct because an unrestricted zone transfer hands over the entire zone file, exposing the target's naming and infrastructure. A zone transfer does not grant shell access, reveal a Wi-Fi passphrase, or decrypt HTTPS, so the other options overstate its effect.
- A tester notices that a target uses a WHOIS privacy or domain-protection service, masking the registrant contact fields. How does this most directly affect the tester's footprinting?
- It encrypts all DNS queries to the domain
- It hides the registrant's name, email, and address, reducing personal intelligence available
- It blocks the tester from resolving the domain at all
- It reveals the internal Active Directory structure instead
Correct answer: It hides the registrant's name, email, and address, reducing personal intelligence available
Saying it hides the registrant's name, email, and address, reducing personal intelligence available, is correct because privacy services replace public contact details with proxy information, limiting what WHOIS leaks. The service does not encrypt DNS queries, prevent name resolution, or expose Active Directory, so the other options misrepresent its effect.
- A tester wants Nmap to perform a default stealthy port scan that does not complete the TCP connection. Which Nmap scan type sends a SYN and tears the connection down before the handshake finishes?
- SYN (half-open) scan
- TCP connect scan
- UDP scan
- ARP scan
Correct answer: SYN (half-open) scan
The SYN (half-open) scan is correct because it sends a SYN, reads the reply, then sends an RST without completing the handshake, making it the default stealthy TCP scan. A TCP connect scan finishes the full handshake, a UDP scan probes connectionless ports, and an ARP scan resolves link-layer addresses, so none match the half-open behavior.
- A tester runs an Nmap XMAS scan, which sets the FIN, PSH, and URG flags together. What is the intended purpose of lighting up these specific flags?
- To complete a normal three-way handshake quickly
- To force the target to reboot
- To probe port state stealthily by eliciting RSTs only from closed ports on compliant stacks
- To establish an encrypted tunnel to the target
Correct answer: To probe port state stealthily by eliciting RSTs only from closed ports on compliant stacks
Probing port state stealthily by eliciting RSTs only from closed ports on compliant stacks is correct because an XMAS scan relies on RFC behavior where open ports stay silent and closed ports reply with RST. The flag combination does not complete a handshake, reboot the host, or build an encrypted tunnel, so the other options misstate its purpose.
- A tester needs to know not just whether ports are open but which software and version each one runs. Which Nmap capability provides that service and version detail?
- A simple ICMP ping sweep with no port probing
- A traceroute that lists intermediate routers
- A reverse DNS lookup of the host's IP
- Service and version detection that interrogates open ports for application information
Correct answer: Service and version detection that interrogates open ports for application information
Service and version detection that interrogates open ports for application information is correct because it sends probes and matches responses to determine the running software and version on each open port. A ping sweep only finds live hosts, a traceroute maps the path, and a reverse DNS lookup returns a hostname, so none reveal service versions.
- A tester needs to identify live hosts and services on connectionless protocols like SNMP and DNS. Why is scanning these UDP services typically slower and less reliable than scanning TCP?
- UDP encrypts every packet, so replies must be decrypted first
- UDP has no handshake, so the scanner often infers state from missing replies or ICMP unreachable messages
- UDP ports can never be open, so scans always time out
- UDP requires valid credentials before any probe is accepted
Correct answer: UDP has no handshake, so the scanner often infers state from missing replies or ICMP unreachable messages
Saying UDP has no handshake, so the scanner often infers state from missing replies or ICMP unreachable messages, is correct because the lack of acknowledgments and rate-limited ICMP make UDP results ambiguous and slow. UDP is not encrypted by default, UDP ports can be open, and scanning needs no credentials, so the other options are incorrect.
- A tester reviews how TCP establishes a reliable session before data flows. Which sequence of segments correctly describes the TCP three-way handshake?
- SYN, then SYN-ACK, then ACK
- ACK, then SYN, then FIN
- RST, then SYN, then ACK
- FIN, then FIN-ACK, then RST
Correct answer: SYN, then SYN-ACK, then ACK
SYN, then SYN-ACK, then ACK is correct because the initiator sends SYN, the responder replies SYN-ACK, and the initiator confirms with ACK to open a connection. The other sequences misorder the flags or substitute RST and FIN, which belong to resets and teardown rather than connection setup, so they do not describe the handshake.
- A tester captures a packet during a scan and sees only the RST flag set in a response. What does an RST most commonly signal at the TCP layer?
- A request to gracefully begin closing a session over four steps
- A successful completion of the three-way handshake
- An abrupt reset that refuses or aborts the connection
- An acknowledgment that data was received in order
Correct answer: An abrupt reset that refuses or aborts the connection
An abrupt reset that refuses or aborts the connection is correct because the RST flag tears a connection down immediately, which is why closed ports answer scans with RST. RST is not the graceful FIN-based teardown, not handshake completion, and not an ordinary data acknowledgment, so the other options describe different flags.
- A tester crafts a FIN scan to evade simple filters that only watch for SYN packets. On an RFC-compliant stack, how does a closed port respond to an unsolicited FIN packet?
- It replies with a SYN-ACK
- It responds with an RST
- It stays silent and sends nothing
- It echoes the FIN back unchanged
Correct answer: It responds with an RST
Responding with an RST is correct because on a compliant stack a closed port answers an unsolicited FIN with a reset, while an open port stays silent, which is how a FIN scan infers state. A closed port does not send a SYN-ACK, stay silent, or echo the packet, so the other options describe behaviors that do not apply.
- A tester wants to understand why a half-open SYN scan stops after receiving the server's reply rather than sending the final ACK. After the target answers a SYN with SYN-ACK, what has the scanner determined, and why does it not finish?
- The port is open, and it sends an RST to avoid a logged full connection
- The port is closed, so it must complete the handshake to confirm
- The data was decrypted, so no further packets are needed
- The credentials were valid, so the session is already authenticated
Correct answer: The port is open, and it sends an RST to avoid a logged full connection
Saying the port is open and it sends an RST to avoid a logged full connection is correct because the SYN-ACK already proves the service is listening, and aborting with RST keeps the connection half-open and quieter. A SYN-ACK does not mean closed, the scan involves no decryption, and no credentials are exchanged, so the other options misread the exchange.
- A tester compares a SYN scan with a full TCP connect scan and must justify choosing the SYN scan for a large internet-facing range. Which justification is strongest?
- The SYN scan completes the handshake on every port for accuracy
- The SYN scan is stealthier and faster because it never finishes the connection per port
- The SYN scan works without any IP routing to the target
- The SYN scan automatically patches the discovered services
Correct answer: The SYN scan is stealthier and faster because it never finishes the connection per port
Saying the SYN scan is stealthier and faster because it never finishes the connection per port is correct because skipping the final ACK avoids fully logged sessions and reduces overhead across many ports. A SYN scan does not complete the handshake, still needs routing to the target, and never patches services, so the other justifications are wrong.
- A tester connects to an FTP service on port 21 and the server immediately returns a line reading '220 ProFTPD 1.3.5 Server ready'. Identifying the software and version from this returned line is an example of which technique?
- DNS poisoning
- Privilege escalation
- Session hijacking
- Banner grabbing
Correct answer: Banner grabbing
Banner grabbing is correct because reading a service's self-disclosed welcome line, such as an FTP 220 banner naming ProFTPD and its version, identifies the software, which is the essence of banner grabbing. DNS poisoning corrupts name resolution, privilege escalation raises access, and session hijacking steals a session, none of which involve reading a service banner.
- A tester uses a basic network utility to open a raw TCP connection to a service and manually type a request, then reads the textual reply to fingerprint the service. Which tool is classically used for this manual banner grabbing?
- John the Ripper
- Netcat
- Aircrack-ng
- Hydra
Correct answer: Netcat
Netcat is correct because it can open a raw TCP connection to a port so a tester can send input and read the service's banner directly, a classic manual banner-grabbing method. John the Ripper cracks passwords, Aircrack-ng attacks wireless encryption, and Hydra performs online password guessing, so none are used to read service banners this way.
- A tester wants to fingerprint a remote operating system by sending crafted probes and analyzing how the host's TCP/IP stack replies. What underlying property makes this active OS fingerprinting possible?
- All operating systems respond identically to every probe
- Each operating system broadcasts its name in cleartext at boot
- Operating systems differ in how their TCP/IP stacks handle unusual or edge-case packets
- Probes must be encrypted with the target's private key first
Correct answer: Operating systems differ in how their TCP/IP stacks handle unusual or edge-case packets
Saying operating systems differ in how their TCP/IP stacks handle unusual or edge-case packets is correct because those subtle response differences form signatures the tool matches to guess the OS. Stacks do not respond identically, operating systems do not broadcast their name at boot, and probes are not encrypted with the target's key, so the other options are incorrect.
- A tester inspects passively captured packets and uses the observed default Time-To-Live and TCP window size to guess the sender's operating system. Why are these passive indicators preferred against a tightly monitored target?
- They produce no probe traffic, so they are unlikely to trigger detection
- They guarantee the exact build and patch level of the OS
- They require domain administrator rights to read
- They actively reset the target's connections to force a reply
Correct answer: They produce no probe traffic, so they are unlikely to trigger detection
Saying they produce no probe traffic, so they are unlikely to trigger detection, is correct because passive fingerprinting only reads existing packets and never sends anything to the target. These indicators do not guarantee the exact patch level, do not need admin rights, and do not reset connections, so the other options overstate the technique.
- A tester running OS detection sees results pointing to two different operating systems with similar confidence and a note that a firewall may be altering responses. What is the most reasonable interpretation?
- The host is definitely running both operating systems at once
- Intervening filtering can distort stack responses, lowering fingerprint confidence
- OS detection always returns a single perfectly accurate result
- The ambiguity proves the host has no operating system
Correct answer: Intervening filtering can distort stack responses, lowering fingerprint confidence
Saying intervening filtering can distort stack responses, lowering fingerprint confidence, is correct because firewalls and proxies can normalize or drop packets, blurring the signatures OS detection relies on. A host does not run two operating systems simultaneously this way, OS detection is probabilistic rather than always exact, and ambiguity does not mean the host lacks an OS, so the other options are wrong.
- A tester writes the methodology section of a report and must explain how enumeration differs from the scanning that precedes it. Which statement is accurate?
- Scanning extracts user account names while enumeration only counts hosts
- Scanning finds live hosts and open ports, while enumeration actively connects to services to extract named resources like users and shares
- Enumeration is purely passive and never connects to a service
- Scanning and enumeration are identical and interchangeable terms
Correct answer: Scanning finds live hosts and open ports, while enumeration actively connects to services to extract named resources like users and shares
Saying scanning finds live hosts and open ports while enumeration actively connects to services to extract named resources like users and shares is correct because scanning maps the surface and enumeration drills in for specific accounts, shares, and details. The other choices reverse the roles, wrongly call enumeration passive, or equate the two steps, so they are inaccurate.
- A tester enumerates a Windows file-sharing service over SMB. Which kind of resource is enumeration of this service most likely to reveal?
- The GPS coordinates of the data center
- The model number of the server's power supply
- The wireless channel used by nearby access points
- Available network shares and the users who can access them
Correct answer: Available network shares and the users who can access them
Available network shares and the users who can access them is correct because SMB enumeration lists shared folders, sessions, and accounts on a Windows host. SMB enumeration does not reveal data-center coordinates, power-supply models, or wireless channels, so the other options describe unrelated information.
- A tester enumerating a mail server connects to the SMTP service and uses commands that ask the server to confirm whether specific mailboxes exist. Which goal does this SMTP enumeration most directly serve?
- Validating which email addresses or usernames are valid on the server
- Cracking the encryption on the server's stored mail
- Rooting the underlying operating system
- Capturing a wireless handshake from the mail server
Correct answer: Validating which email addresses or usernames are valid on the server
Validating which email addresses or usernames are valid on the server is correct because SMTP verification commands let a tester confirm valid recipients, building a username list. SMTP enumeration does not crack stored mail encryption, root the OS, or capture a wireless handshake, so the other options misstate its purpose.
- A tester performs SNMP enumeration and recovers the device's default read community string. What does possessing a valid read community string allow the tester to do?
- Physically power the device off and on
- Decrypt the device's TLS certificates
- Reflash the device firmware remotely without any other access
- Read management data such as interfaces, routes, and system details from the device
Correct answer: Read management data such as interfaces, routes, and system details from the device
Reading management data such as interfaces, routes, and system details from the device is correct because a valid read community string authorizes SNMP read access to the device's MIB. A read community string does not power-cycle hardware, decrypt TLS certificates, or by itself reflash firmware, so the other options overstate what it grants.
- A tester wants to understand why SNMPv1 and SNMPv2c are risky to leave exposed during reconnaissance. What weakness do these earlier SNMP versions share?
- They require certificates that are easy to forge
- They encrypt traffic so strongly that no device can read it
- They transmit community strings in cleartext, exposing them to sniffing
- They can only run over wireless links
Correct answer: They transmit community strings in cleartext, exposing them to sniffing
Saying they transmit community strings in cleartext, exposing them to sniffing, is correct because SNMPv1 and SNMPv2c send the community string unencrypted, so a sniffer can capture it. They do not rely on forgeable certificates, do not strongly encrypt traffic, and are not limited to wireless, so the other options are incorrect.
- A tester enumerates a Windows host using NetBIOS and pulls a name table whose entries each carry a hexadecimal suffix code. What does reading these NetBIOS suffix codes tell the tester?
- Which services and roles the host is running, such as a file server or domain master
- The host's full disk-encryption recovery key
- The list of websites the host has visited recently
- The radio frequency of the nearest wireless router
Correct answer: Which services and roles the host is running, such as a file server or domain master
Saying the suffix codes tell which services and roles the host is running, such as a file server or domain master, is correct because each NetBIOS name suffix maps to a particular service or role. The codes do not reveal an encryption recovery key, browsing history, or wireless frequency, so the other options misrepresent the data.
- A tester wants to query a directory service to map out users, groups, and organizational units. Which protocol is the standard target for enumerating directory services like Active Directory?
Correct answer: LDAP
LDAP is correct because the Lightweight Directory Access Protocol is the standard interface for querying directory services, making it the focus of directory enumeration. SMTP handles email transport, SNMP manages network devices, and NTP synchronizes time, so none of those are used to enumerate directory objects.
- A tester finds a directory server that permits an anonymous LDAP bind. Why is this misconfiguration valuable during reconnaissance?
- It lets the tester query directory entries like users and groups without supplying credentials
- It instantly elevates the tester to domain administrator
- It encrypts the tester's queries automatically
- It physically secures the server rack
Correct answer: It lets the tester query directory entries like users and groups without supplying credentials
Saying it lets the tester query directory entries like users and groups without supplying credentials is correct because an anonymous bind can expose directory contents that should require authentication. An anonymous bind does not elevate privileges, encrypt queries, or affect physical security, so the other options describe outcomes it does not produce.
- A tester building a footprinting plan must confirm the order of the early ethical hacking phases. Which phase comes immediately before gaining access in the standard methodology?
- Reconnaissance
- Covering tracks
- Scanning
- Maintaining access
Correct answer: Scanning
Scanning is correct because the methodology orders the phases as reconnaissance, scanning, gaining access, maintaining access, and covering tracks, so scanning directly precedes gaining access. Reconnaissance comes before scanning, while maintaining access and covering tracks come after gaining access, so the other options are out of order.
- A tester must quickly discover which IP addresses are alive on a directly connected /24 LAN segment where ICMP echo is blocked. Which discovery method is most reliable on that local segment?
- A WHOIS lookup of each address
- An ARP scan that resolves MAC addresses for each IP on the segment
- A Google dork for each address
- A WPA handshake capture for each address
Correct answer: An ARP scan that resolves MAC addresses for each IP on the segment
An ARP scan that resolves MAC addresses for each IP on the segment is correct because ARP operates at layer 2 on the local LAN and reliably finds live hosts even when ICMP is filtered. A WHOIS lookup returns registration data, a Google dork searches indexed content, and a WPA handshake capture is a wireless attack, so none perform local host discovery.
- A tester needs to time scans to avoid tripping rate-based alerts on a monitored target. Which scanning adjustment most directly reduces the chance of triggering such detection?
- Sending probes more slowly and spreading them over time
- Completing a full TCP connection to every single port
- Scanning every port simultaneously as fast as possible
- Encrypting each probe with the target's public key
Correct answer: Sending probes more slowly and spreading them over time
Sending probes more slowly and spreading them over time is correct because slowing the scan keeps traffic below the thresholds that trigger rate-based alerts. Completing full connections is noisier, scanning everything as fast as possible increases detection risk, and encrypting probes with a public key does not hide scan timing, so the other options are wrong.
- A tester wants to enumerate the actual hostnames behind a target's IP range by querying reverse DNS. Which record type returns the hostname associated with a given IP address?
- The TXT record
- The PTR record
- The SOA record
- The NS record
Correct answer: The PTR record
The PTR record is correct because pointer records support reverse DNS by mapping an IP address back to its hostname, helping a tester label discovered hosts. A TXT record holds arbitrary text, an SOA record defines zone authority parameters, and an NS record lists name servers, so none provide reverse name resolution.
- A tester uses an OSINT framework that takes a single domain and automatically pivots across public sources to discover subdomains, related hosts, and email addresses, displaying the relationships graphically. What is the chief reconnaissance benefit of this automated correlation?
- It rapidly maps the target's external footprint and relationships from public data in one place
- It guarantees remote code execution on each discovered host
- It decrypts the target's email contents
- It disables the target's intrusion detection system
Correct answer: It rapidly maps the target's external footprint and relationships from public data in one place
Saying it rapidly maps the target's external footprint and relationships from public data in one place is correct because such frameworks aggregate and correlate OSINT to reveal the target's attack surface efficiently. They do not guarantee code execution, decrypt email, or disable an IDS, so the other options describe capabilities these passive tools lack.
- A tester wants to discover additional hostnames under a target domain, such as vpn, mail, and dev subdomains, without performing a zone transfer. Which approach best supports this subdomain discovery during footprinting?
- Brute forcing or querying public sources for subdomains and resolving each name
- Cracking the target's WPA2 passphrase
- Performing ARP poisoning on the local LAN
- Injecting SQL into the login form
Correct answer: Brute forcing or querying public sources for subdomains and resolving each name
Brute forcing or querying public sources for subdomains and resolving each name is correct because guessing common names and mining certificate transparency or DNS data uncovers subdomains without a zone transfer. WPA2 cracking, ARP poisoning, and SQL injection are attacks against other layers, not DNS subdomain discovery, so the other options are off target.
- A tester pulls a target's published SPF and DMARC records from DNS during footprinting. Beyond email security posture, what reconnaissance value can these TXT-based records provide?
- They can reveal third-party mail providers and sending hosts the organization authorizes
- They expose the domain administrator's login password
- They contain the full customer database
- They grant the tester control of the mail server
Correct answer: They can reveal third-party mail providers and sending hosts the organization authorizes
Saying they can reveal third-party mail providers and sending hosts the organization authorizes is correct because SPF and DMARC records list domains and IPs permitted to send mail, exposing service relationships. These records do not contain admin passwords or customer databases, and reading them does not grant control of the mail server, so the other options are incorrect.
- A tester reviews an Nmap result showing a port labeled open|filtered after a UDP scan. What does this combined state most accurately indicate?
- The port definitely completed a TCP handshake
- Nmap could not distinguish open from filtered because no response was received
- The port is confirmed closed and unreachable
- The host has been fully compromised
Correct answer: Nmap could not distinguish open from filtered because no response was received
Saying Nmap could not distinguish open from filtered because no response was received is correct because silence on a UDP probe could mean the port is open or that a filter dropped the packet, so Nmap reports both. The state does not confirm a completed handshake, a closed port, or a compromise, so the other options misread it.
- A tester enumerating an Active Directory environment over LDAP retrieves the organizational units, group memberships, and privileged group rosters. Why is this directory map valuable before the gaining-access phase?
- It encrypts the tester's traffic to avoid detection
- It immediately grants the tester domain administrator rights
- It physically relocates the domain controller
- It reveals the organization's structure and high-value accounts to prioritize later targeting
Correct answer: It reveals the organization's structure and high-value accounts to prioritize later targeting
Saying it reveals the organization's structure and high-value accounts to prioritize later targeting is correct because enumerating organizational units and privileged groups shows which accounts hold the most access, focusing later attacks. The map does not encrypt traffic, grant admin rights, or move hardware, so the other options overstate what enumeration provides.
- A tester wants to confirm the boundary between reconnaissance and scanning so the report uses the terms correctly. Which activity belongs to reconnaissance rather than to scanning?
- Sending SYN packets to map which ports are open
- Running an ARP sweep to find live hosts on a subnet
- Reviewing the target's public WHOIS and DNS records
- Performing service-version detection against open ports
Correct answer: Reviewing the target's public WHOIS and DNS records
Reviewing the target's public WHOIS and DNS records is correct because consulting public registration and name data is information gathering that defines reconnaissance, not the active probing of scanning. Sending SYN packets, running an ARP sweep, and detecting service versions all directly probe systems, which places them in the scanning phase rather than reconnaissance.
- A penetration tester outlines the recognized order of the system-hacking methodology to a client. Which sequence correctly lists the major goals an attacker pursues once a target system has been identified?
- Gaining access, escalating privileges, executing applications, hiding files, and covering tracks
- Footprinting, WHOIS lookup, DNS transfer, and banner grabbing
- Wireless deauthentication, evil twin, WEP cracking, and rogue AP setup
- Encrypting data, generating a key pair, signing, and verifying a certificate
Correct answer: Gaining access, escalating privileges, executing applications, hiding files, and covering tracks
Gaining access, escalating privileges, executing applications, hiding files, and covering tracks is correct because that is the recognized goal sequence of the system-hacking phase once a target is selected. The footprinting and WHOIS list describes reconnaissance, the deauthentication list describes wireless attacks, and the encryption list describes cryptography, none of which is the system-hacking methodology.
- An attacker has finished cracking a low-level account's password and now wants to run their own tools and a backdoor service on the compromised host. In the system-hacking methodology, the step of running attacker code on the target after access is obtained is referred to as what?
- Banner grabbing
- Executing applications
- Passive reconnaissance
- DNS footprinting
Correct answer: Executing applications
Executing applications is correct because running attacker-supplied programs such as keyloggers, backdoors, or spyware on a compromised host is the named system-hacking step that follows gaining and escalating access. Banner grabbing, passive reconnaissance, and DNS footprinting are all pre-attack information-gathering activities and do not involve running code on an already-compromised target.
- A tester captured a set of password hashes and configures a tool to try every possible combination of characters up to a set length until each hash is matched. Because it exhausts the entire keyspace rather than relying on a wordlist, which password-cracking method is this?
- A pass-the-hash attack
- A rainbow table lookup
- A brute-force attack
- A salting operation
Correct answer: A brute-force attack
A brute-force attack is correct because systematically trying every possible character combination across the keyspace defines brute forcing, distinct from using a finite wordlist. A pass-the-hash attack reuses a hash without cracking it, a rainbow table lookup matches against precomputed values, and salting is a defensive hardening technique, so none describe exhaustively testing all combinations.
- An attacker first tries a wordlist, and for any password not found, the tool then appends numbers and symbols and changes letter cases on those same words before resorting to full brute force. This blended method that mutates dictionary words is best described as which password-cracking technique?
- A purely passive sniffing attack
- A zone transfer
- A MAC flooding attack
- A hybrid attack
Correct answer: A hybrid attack
A hybrid attack is correct because it combines a dictionary base with rule-based mutations such as appended digits, symbols, and case changes, bridging dictionary and brute-force approaches. Passive sniffing only captures traffic, a zone transfer pulls DNS records, and MAC flooding overwhelms a switch, so none describe mutating wordlist entries to crack passwords.
- A defender wants to slow down offline cracking of stolen hashes. Beyond adding a unique salt, which additional measure most directly increases the time an attacker needs per guess?
- Using a deliberately slow, computationally expensive key-derivation function with many iterations
- Storing the passwords in plain text for faster lookups
- Shortening the maximum allowed password length
- Reusing one shared salt for all accounts
Correct answer: Using a deliberately slow, computationally expensive key-derivation function with many iterations
Using a deliberately slow, computationally expensive key-derivation function is correct because iterated work-factor algorithms make each guess costly, dramatically slowing offline cracking. Storing plaintext eliminates protection, shortening length weakens passwords, and a single shared salt reintroduces precomputation across accounts, so the other options make cracking easier rather than harder.
- After harvesting a Kerberos ticket-granting ticket from a compromised domain, an attacker reuses that ticket to authenticate to network services without ever knowing the account password. This Kerberos-based credential reuse is most closely analogous to which Windows credential attack?
- ARP poisoning, the switching counterpart of phishing
- Pass-the-ticket, the Kerberos counterpart of pass-the-hash
- A SYN flood, the TCP counterpart of brute force
- A zone transfer, the DNS counterpart of enumeration
Correct answer: Pass-the-ticket, the Kerberos counterpart of pass-the-hash
Pass-the-ticket is correct because reusing a stolen Kerberos ticket to authenticate without the password is the Kerberos analog of pass-the-hash, which replays an NTLM hash. ARP poisoning, a SYN flood, and a zone transfer are network and DNS techniques unrelated to reusing Kerberos credentials, so the other pairings are incorrect.
- An analyst explains why pass-the-hash is feasible against NTLM but a properly enforced challenge-response design with strong protocol controls aims to limit it. What is the core characteristic of the targeted authentication that pass-the-hash abuses?
- The plaintext password is transmitted in clear text on every login
- The hash is mathematically reversible into the password by any client
- The stored or cached hash is itself accepted as the authentication credential, so it need not be cracked
- The server discards the hash and requires biometric input instead
Correct answer: The stored or cached hash is itself accepted as the authentication credential, so it need not be cracked
Saying the stored or cached hash is itself accepted as the credential is correct because NTLM validates the hash rather than the typed password, letting an attacker replay a captured hash. The password is not sent in clear text, the hash is not reversible by clients, and biometric input is not part of the mechanism, so the other options misstate why pass-the-hash works.
- A blue-teamer is asked why rainbow tables can crack many unsalted hashes far faster than brute forcing each one live. What design tradeoff makes rainbow tables fast?
- They require no storage and compute every hash from scratch during the attack
- They reverse the hash function mathematically without any precomputation
- They depend on the target server revealing the plaintext on request
- They trade large amounts of precomputed storage for greatly reduced cracking time at attack time
Correct answer: They trade large amounts of precomputed storage for greatly reduced cracking time at attack time
Saying they trade precomputed storage for reduced cracking time is correct because rainbow tables embody a time-memory tradeoff, doing the heavy hashing once and storing chains for fast lookup later. They do require substantial storage, they do not mathematically reverse the hash, and they do not rely on the server disclosing plaintext, so the other options are wrong.
- An exam item asks which single defensive measure most effectively neutralizes the advantage of a precomputed rainbow table against a password database. Which is it?
- Adding a unique random salt to each password before hashing
- Lengthening the session timeout on the login page
- Switching the web server to a different TCP port
- Disabling ICMP echo replies on the host
Correct answer: Adding a unique random salt to each password before hashing
Adding a unique random salt is correct because a per-password salt forces any precomputed table to be useless, since the same password hashes differently for each user. Changing session timeouts, server ports, or ICMP behavior affect networking or sessions and do nothing to defeat precomputed hash lookups, so the other options miss the point.
- An attacker on a Linux host finds a program owned by root that has its set-user-ID bit enabled and contains a flaw. By exploiting that program, the attacker's code runs with root privileges. This is an example of which system-hacking objective?
- Passive footprinting via WHOIS
- Vertical privilege escalation via a SUID binary
- Covering tracks via timestomping
- Reconnaissance via banner grabbing
Correct answer: Vertical privilege escalation via a SUID binary
Vertical privilege escalation via a SUID binary is correct because abusing a flawed root-owned set-user-ID program to execute code as root raises the attacker from a lower to a higher privilege level. WHOIS footprinting and banner grabbing are reconnaissance, and timestomping is a covering-tracks action, none of which describe elevating rights through a SUID flaw.
- A Windows attacker places a malicious library in a directory that an application searches before the legitimate library location, so the application loads the attacker's code with its own privileges. Which privilege-escalation technique is this?
- DNS cache poisoning
- Cross-site scripting
- DLL hijacking (search-order abuse)
- Wireless deauthentication
Correct answer: DLL hijacking (search-order abuse)
DLL hijacking through search-order abuse is correct because planting a malicious library where an application loads it first causes the program to run attacker code with its privileges, a classic local escalation. DNS cache poisoning is a network attack, cross-site scripting targets web pages, and deauthentication is a wireless attack, so none describe abusing a library search order to escalate.
- An incident report notes that an attacker captured the user's plaintext password using software that records typed input, but the workstation's antivirus never flagged a file on disk because the tool ran entirely in memory. The credential-stealing program that records typed input is which kind of tool?
- A vulnerability scanner
- A certificate authority
- A load balancer
- A keylogger
Correct answer: A keylogger
A keylogger is correct because a tool that records the keys a user types to capture credentials is by definition a keylogger, regardless of whether it runs from disk or memory. A vulnerability scanner finds weaknesses, a certificate authority issues certificates, and a load balancer distributes traffic, none of which record keystrokes.
- A privacy investigator finds an application that silently captures screenshots, logs visited websites, and reports a user's activity to a remote party without consent, but it does not log keystrokes or encrypt files. Which malware category best fits this surveillance behavior?
- Spyware
- Ransomware
- A worm
- A logic bomb
Correct answer: Spyware
Spyware is correct because covertly monitoring activity such as screenshots and browsing and reporting it to a third party without consent is the defining behavior of spyware. Ransomware encrypts and extorts, a worm self-replicates across networks, and a logic bomb triggers on a condition, none of which center on stealthy surveillance and reporting.
- A user-mode rootkit and a kernel-mode rootkit both aim to hide an attacker's presence, but they operate at different levels. Where does a user-mode rootkit primarily achieve its concealment?
- By replacing the CPU microcode at the hardware level
- By intercepting and altering calls within user-space applications and APIs without modifying the kernel
- By operating exclusively inside the network switch firmware
- By rewriting the DNS records of the domain controller
Correct answer: By intercepting and altering calls within user-space applications and APIs without modifying the kernel
Saying it intercepts and alters user-space application and API calls without modifying the kernel is correct because a user-mode rootkit hooks at the application layer rather than ring 0. It does not rewrite CPU microcode, live in switch firmware, or alter DNS records, so the other options describe unrelated mechanisms outside a user-mode rootkit's scope.
- After detecting a deeply embedded kernel-mode rootkit, an incident responder concludes that cleaning individual files is not trustworthy. What is the generally recommended remediation for a confirmed kernel-mode rootkit infection?
- Simply deleting the most recently modified file
- Renaming the administrator account
- Wiping the system and reinstalling the operating system from known-good media
- Increasing the screen resolution to expose hidden windows
Correct answer: Wiping the system and reinstalling the operating system from known-good media
Wiping the system and reinstalling from known-good media is correct because a kernel-mode rootkit can subvert the running OS so thoroughly that a full rebuild is the only reliable way to ensure removal. Deleting one file, renaming an account, or changing resolution cannot guarantee a stealthy kernel rootkit is gone, so the other options are inadequate.
- A SOC analyst describes malware that operates without writing an executable to disk, instead running its payload directly in memory and abusing legitimate built-in tools such as the scripting host and management framework. What is this category of malware called?
- A boot-sector virus
- A hardware keylogger
- A rainbow table
- Fileless malware
Correct answer: Fileless malware
Fileless malware is correct because it avoids dropping an executable on disk and instead executes in memory while abusing trusted system utilities, making signature-based detection harder. A boot-sector virus writes to the disk boot record, a hardware keylogger is a physical device, and a rainbow table is a cracking aid, none of which match memory-resident, disk-avoiding malware.
- An organization is targeted by a well-resourced adversary that quietly maintains access for many months, moves carefully to avoid detection, and pursues specific high-value data over time. This type of stealthy, persistent, goal-driven threat actor is best described by which term?
- An advanced persistent threat (APT)
- A script kiddie
- A honeypot
- A vulnerability scanner
Correct answer: An advanced persistent threat (APT)
An advanced persistent threat is correct because a sophisticated, well-resourced actor that maintains long-term covert access and pursues specific objectives defines an APT. A script kiddie uses others' tools opportunistically, a honeypot is a defensive decoy, and a vulnerability scanner is a tool, none of which describe a stealthy, persistent, targeted adversary.
- A defender notes that fileless malware that abuses legitimate administrative tools is hard to catch with traditional file-scanning antivirus. Which detection approach is best suited to identifying such living-off-the-land activity?
- Comparing file extensions against an allowlist of known names
- Behavioral monitoring of process activity, command lines, and memory rather than scanning files on disk
- Counting the number of files in each user's home folder
- Measuring the temperature of the CPU during logins
Correct answer: Behavioral monitoring of process activity, command lines, and memory rather than scanning files on disk
Behavioral monitoring of process activity, command lines, and memory is correct because fileless malware leaves little on disk, so watching how trusted tools are actually being used is what reveals the abuse. Checking file extensions, counting files, or measuring CPU temperature do not capture in-memory abuse of legitimate utilities, so the other options fail against fileless threats.
- An attacker conceals a secret message inside the least significant bits of an image's pixel values so the picture looks unchanged to a viewer. Which property of the human visual system makes this least-significant-bit technique effective?
- Human eyes can perceive every individual bit of color data precisely
- Editing the lowest bits doubles the file size and is obvious
- Small changes to the lowest-order color bits produce visual differences too subtle for a person to notice
- Pixels store no color information that could be altered
Correct answer: Small changes to the lowest-order color bits produce visual differences too subtle for a person to notice
Saying small changes to the lowest-order color bits are too subtle to notice is correct because altering least-significant bits shifts each pixel's color imperceptibly, allowing hidden data without visible distortion. Humans cannot perceive every bit precisely, LSB edits do not double the file size, and pixels clearly store color data, so the other options are false.
- A forensic team suspects covert data is hidden in audio files leaving the company. Which of the following is a legitimate steganographic carrier they should examine, beyond images?
- Only printed paper documents, which cannot hold digital payloads
- The room's physical lighting, which stores no data
- The mouse cursor speed setting, which carries no payload
- Audio, video, and document files that can embed hidden data within their structure
Correct answer: Audio, video, and document files that can embed hidden data within their structure
Audio, video, and document files are correct because steganography can embed hidden data in many digital carriers beyond images, including sound, video, and documents. Physical lighting and cursor speed are not data carriers, and the claim that only printed paper applies is wrong because steganography is fundamentally about digital host files, so the other options are incorrect.
- A virus that changes its own code with each infection, rewriting its instructions while preserving functionality so signature scanners struggle to match it, is best described by which term?
- A metamorphic virus
- A logic bomb
- A honeypot
- A digital signature
Correct answer: A metamorphic virus
A metamorphic virus is correct because it rewrites its own code on each propagation while keeping its behavior, defeating static signatures. A logic bomb triggers on a condition, a honeypot is a defensive decoy, and a digital signature verifies authenticity, none of which describe self-rewriting malware.
- A malware sample encrypts its body with a different key each time it spreads, leaving only a small decryption routine in the clear. Because the visible portion stays mostly constant while the payload appears different, which evasion-focused malware category is this?
- A boot-sector wiper
- A polymorphic virus
- A rainbow table
- A rogue access point
Correct answer: A polymorphic virus
A polymorphic virus is correct because it encrypts its payload with varying keys so each copy looks different while retaining the same underlying code, evading signature detection. A boot-sector wiper destroys boot records, a rainbow table is a cracking aid, and a rogue access point is a wireless threat, none of which describe key-varying self-encryption.
- A defender contrasts a worm with a virus to a new analyst. Which statement most accurately captures the key difference in how they spread?
- A worm requires a host file, while a virus spreads with no host and no user action
- Both require the user to manually copy files for any spread to occur
- A worm self-propagates across networks on its own, while a virus needs a host file and typically user action to spread
- Neither can spread across a network under any circumstances
Correct answer: A worm self-propagates across networks on its own, while a virus needs a host file and typically user action to spread
Saying a worm self-propagates while a virus needs a host file and user action is correct because autonomous network spread defines a worm, whereas a virus attaches to files and usually depends on execution. The reversed claim is wrong, not all spread requires manual copying, and worms clearly spread across networks, so the other options are incorrect.
- An exam question asks which malware type relies on social deception to be installed and, unlike a virus or worm, does not replicate itself at all. Which is it?
- A polymorphic virus
- A network worm
- A boot-sector virus
- A Trojan horse
Correct answer: A Trojan horse
A Trojan horse is correct because it depends on tricking a user into running a disguised program and, by definition, does not self-replicate, unlike viruses and worms. A polymorphic virus and a boot-sector virus both replicate by infecting files, and a network worm self-propagates, so the other options all involve replication.
- A ransomware variant does not encrypt files at all but instead threatens to publish stolen sensitive data unless the victim pays. This pressure tactic, often combined with traditional encryption, is commonly called what?
- Double extortion, adding data-leak threats to ransom demands
- A SYN flood, exhausting connection tables
- A zone transfer, copying DNS records
- ARP poisoning, redirecting LAN traffic
Correct answer: Double extortion, adding data-leak threats to ransom demands
Double extortion is correct because modern ransomware operators steal data and threaten to leak it in addition to or instead of encrypting, pressuring victims to pay even if they have backups. A SYN flood, a zone transfer, and ARP poisoning are unrelated network and DNS techniques and do not describe data-leak extortion, so the other options are wrong.
- A consultant lists controls that reduce the impact of a ransomware outbreak. Which combination most directly limits how far ransomware can spread and ensures recovery?
- Disabling all backups to save disk space
- Network segmentation plus tested offline backups and least-privilege access
- Granting every user local administrator rights for convenience
- Turning off endpoint protection during business hours
Correct answer: Network segmentation plus tested offline backups and least-privilege access
Network segmentation plus tested offline backups and least privilege is correct because segmentation contains lateral spread, offline backups enable recovery, and least privilege limits what the malware can reach. Disabling backups, granting universal admin rights, and turning off endpoint protection all increase ransomware impact, so the other options worsen risk.
- An attacker who already controls a Windows host wants their malware to relaunch automatically at the next user logon. Adding an entry under the registry's autostart Run key is an example of which system-hacking goal?
- Footprinting through WHOIS
- Scanning through a ping sweep
- Maintaining access through a persistence mechanism
- Reconnaissance through Google dorking
Correct answer: Maintaining access through a persistence mechanism
Maintaining access through a persistence mechanism is correct because configuring an autostart registry Run key so malware relaunches at logon is a classic way to keep a foothold across sessions. WHOIS footprinting, ping-sweep scanning, and Google dorking are all pre-compromise reconnaissance activities and do not keep malware resident on a compromised host.
- During covering tracks on a Linux host, an attacker disables shell history logging and overwrites entries in the authentication log. Which defensive control most directly preserves evidence against such tampering?
- Storing all logs only on the same host in a world-writable file
- Letting each local user freely edit the system logs
- Disabling logging entirely to save space
- Forwarding logs in real time to a separate, write-once remote logging server
Correct answer: Forwarding logs in real time to a separate, write-once remote logging server
Forwarding logs to a separate write-once remote server is correct because once records leave the compromised host to protected storage, an attacker clearing local logs cannot erase the copies. Keeping logs only locally in a world-writable file, letting users edit logs, or disabling logging all make tampering easy, so the other options undermine evidence preservation.
- An attacker deletes specific malicious entries from a Windows event log rather than wiping the entire log, hoping the smaller change draws less attention. Both this selective editing and full log clearing serve which overarching system-hacking aim?
- Covering tracks to hide evidence of the intrusion
- Enumeration of network shares
- Active scanning of open ports
- Footprinting the organization's email addresses
Correct answer: Covering tracks to hide evidence of the intrusion
Covering tracks to hide evidence is correct because both selectively editing and fully clearing logs aim to remove or obscure traces of malicious activity, the purpose of the final system-hacking phase. Enumeration, active scanning, and footprinting all occur before compromise and are about gathering information, not concealing post-attack evidence.
- A penetration tester wants persistent administrative reach across an entire Active Directory domain and forges a Kerberos ticket-granting ticket using the domain's KRBTGT account hash, letting them impersonate any user. This powerful persistence technique is known as what?
- A SYN scan
- A golden ticket attack
- A DHCP starvation attack
- A banner-grabbing attack
Correct answer: A golden ticket attack
A golden ticket attack is correct because forging Kerberos ticket-granting tickets with the KRBTGT key allows an attacker to impersonate any account and persist across the domain. A SYN scan probes ports, DHCP starvation exhausts address leases, and banner grabbing reads service strings, none of which forge domain-wide Kerberos tickets.
- An attacker measures how a Windows login responds and finds that simple, common passwords are tried first in their cracking job because attackers know users reuse predictable choices. Which factor most increases an account's resistance to such password attacks?
- Choosing a single dictionary word for easy recall
- Reusing the same short password across all systems
- Greater password length and complexity, increasing the keyspace an attacker must search
- Writing the password on a sticky note at the desk
Correct answer: Greater password length and complexity, increasing the keyspace an attacker must search
Greater password length and complexity is correct because expanding the keyspace makes brute-force and hybrid attacks exponentially slower and dictionary hits less likely. A single dictionary word, a reused short password, and a written-down password all make cracking or theft easier, so the other options reduce rather than improve resistance.
- A user-installed program shows constant pop-up advertisements and redirects searches to revenue-generating pages but does not steal credentials or encrypt files. Which malware category best describes this nuisance software?
- Ransomware
- A rootkit
- A worm
- Adware
Correct answer: Adware
Adware is correct because software whose primary behavior is forcing advertisements and ad-driven redirects, without encrypting files or hiding at the kernel, is adware. Ransomware encrypts and extorts, a rootkit conceals itself to maintain access, and a worm self-replicates, none of which are defined by displaying advertisements.
- An attacker bundles a backdoor with a pirated copy of legitimate productivity software so victims install both at once. The malicious bundling that ships hidden code alongside a wanted program most closely defines which malware delivery method?
- A wrapper or binder packaging a Trojan with a legitimate file
- A passive ARP cache read
- A DNS zone transfer download
- An ICMP echo request sweep
Correct answer: A wrapper or binder packaging a Trojan with a legitimate file
A wrapper or binder packaging a Trojan with a legitimate file is correct because such tools combine malicious code with a desirable program so the victim installs both, a standard Trojan delivery method. A passive ARP read, a DNS zone transfer, and an ICMP sweep are reconnaissance or network actions and do not bundle malware with legitimate files.
- A steganalyst compares a suspect image against a known clean original of the same picture and finds statistical differences in the bit patterns. This method of detecting hidden data by comparing against a reference is best described as which steganalysis approach?
- A SYN-flood denial of service against the file server
- A known-cover (comparison) attack against the stego file
- A WHOIS enumeration of the file's author
- A MAC-flooding attack on the storage switch
Correct answer: A known-cover (comparison) attack against the stego file
A known-cover comparison attack is correct because comparing a suspect stego file against a clean original to spot statistical differences is a recognized steganalysis method. A SYN flood and MAC flooding are denial-of-service attacks, and WHOIS enumeration is reconnaissance, none of which detect hidden data by comparing carriers.
- A compromised host quietly joins thousands of others under a single attacker's command-and-control infrastructure, awaiting orders to send spam or launch attacks. The entire network of such remotely controlled infected machines is called what?
- A honeynet
- A subnet mask
- A botnet
- A certificate chain
Correct answer: A botnet
A botnet is correct because a collection of compromised, remotely controlled hosts directed from command-and-control infrastructure is by definition a botnet. A honeynet is a network of defensive decoys, a subnet mask defines network boundaries, and a certificate chain links trust in PKI, none of which describe a network of infected, attacker-controlled machines.
- An attacker installs malware that infects the master boot record so its code executes before the operating system loads, making it run very early and resist normal cleanup. Which malware classification fits code that infects the boot process?
- A rainbow table
- A rogue access point
- A digital certificate
- A boot-sector (bootkit) infection
Correct answer: A boot-sector (bootkit) infection
A boot-sector or bootkit infection is correct because malware that infects the master boot record runs before the operating system loads, gaining early control and persistence. A rainbow table is a cracking aid, a rogue access point is a wireless threat, and a digital certificate binds identity to a key, none of which describe boot-process infection.
- An attacker who already has SYSTEM access dumps the local Security Account Manager database to obtain the stored Windows password hashes for offline cracking. Accessing the SAM to harvest hashes is part of which system-hacking activity?
- Gaining credentials for cracking and lateral reuse during system hacking
- Passive footprinting of the organization
- Wireless deauthentication of clients
- Web application SQL injection
Correct answer: Gaining credentials for cracking and lateral reuse during system hacking
Gaining credentials for cracking and lateral reuse is correct because dumping the SAM to obtain stored hashes supplies material for offline cracking and credential-reuse attacks within system hacking. Passive footprinting precedes any compromise, wireless deauthentication is a Wi-Fi attack, and SQL injection targets web databases, none of which describe harvesting local Windows hashes.
- An attacker tries the same small list of very common passwords against many different user accounts, deliberately keeping attempts per account low to avoid lockouts. This account-takeover technique is best described as what?
- A rainbow table generation
- Password spraying
- A man-in-the-middle attack
- A directory traversal
Correct answer: Password spraying
Password spraying is correct because trying a few common passwords across many accounts, while limiting attempts per account to evade lockout, defines spraying. Rainbow table generation precomputes hashes, a man-in-the-middle attack intercepts traffic, and directory traversal targets file paths in web apps, none of which describe low-and-slow guessing across many accounts.
- An analyst explains why fileless malware that abuses the system's built-in scripting and management frameworks is often described as living off the land. What advantage does this approach give the attacker?
- It guarantees the malware is written to disk for easier persistence
- It requires the attacker to bring large custom binaries onto the host
- It uses trusted, signed system tools already present, reducing the footprint and evading signature-based detection
- It automatically alerts the system administrator to its presence
Correct answer: It uses trusted, signed system tools already present, reducing the footprint and evading signature-based detection
Saying it uses trusted, signed system tools to reduce footprint and evade signatures is correct because living-off-the-land abuse of legitimate utilities leaves little for file scanners to catch. It does not require writing to disk, does not depend on bringing large custom binaries, and certainly does not alert administrators, so the other options contradict the technique's stealth purpose.
- A penetration tester escalates privileges by exploiting a scheduled task that runs as SYSTEM but points to a script the tester can modify. Editing that script to insert attacker commands so they run with SYSTEM rights is an example of which technique?
- Passive OS fingerprinting
- DNS spoofing
- WHOIS footprinting
- Privilege escalation by abusing a writable high-privilege scheduled task
Correct answer: Privilege escalation by abusing a writable high-privilege scheduled task
Privilege escalation by abusing a writable high-privilege scheduled task is correct because modifying a script a SYSTEM-level task executes causes attacker commands to run with elevated rights. Passive OS fingerprinting and WHOIS footprinting are reconnaissance, and DNS spoofing is a network attack, none of which describe elevating rights through a writable scheduled task.
- An attacker captures a user's authentication response on the network and replays it later to impersonate that user without ever knowing the password. To best defend against such credential replay during authentication, which control is most appropriate?
- Using nonces or timestamps so each authentication exchange cannot be reused
- Allowing the same response to authenticate indefinitely for convenience
- Sending the password in clear text to speed logins
- Disabling account lockout thresholds entirely
Correct answer: Using nonces or timestamps so each authentication exchange cannot be reused
Using nonces or timestamps is correct because making each authentication exchange unique and time-bound prevents a captured response from being replayed later. Allowing indefinite reuse enables replay, sending passwords in clear text exposes credentials, and disabling lockouts aids guessing, so the other options weaken rather than prevent replay attacks.
- A forensic analyst discovers that an attacker hid a malicious payload by appending it after the legitimate end-of-file marker in an image, so viewers see a normal picture while the extra bytes ride along undetected. This concealment of data within a carrier file is an instance of which system-hacking technique?
- Symmetric key generation
- Steganography to hide the existence of the payload
- TCP three-way handshake completion
- ICMP ping sweeping
Correct answer: Steganography to hide the existence of the payload
Steganography to hide the existence of the payload is correct because embedding hidden bytes within a carrier file so the picture appears normal conceals that any secret data is present, the defining goal of steganography. Symmetric key generation, completing a TCP handshake, and ICMP ping sweeping are unrelated cryptographic and network actions and do not hide data inside a file.
- An attacker hides a malicious script inside an NTFS alternate data stream attached to an ordinary file and then uses fileless execution to run it from memory. What makes this combination especially effective at evading basic file inspection?
- The technique writes a large, obvious executable to the desktop
- The script can only run after rebooting into safe mode
- The hidden stream does not appear in a normal directory listing and the in-memory execution leaves little for disk-based scanners to find
- The stream automatically emails an alert to the administrator
Correct answer: The hidden stream does not appear in a normal directory listing and the in-memory execution leaves little for disk-based scanners to find
Saying the hidden stream is invisible in normal listings and in-memory execution leaves little for disk scanners is correct because alternate data streams conceal content while fileless execution avoids dropping detectable files. The technique does not write an obvious executable, does not require safe mode, and does not alert administrators, so the other options contradict its stealth purpose.
- A defender deploys application allowlisting so that only approved, signed executables can run on endpoints. Within the system-hacking methodology, which attacker goal does this control most directly hinder?
- Performing WHOIS lookups during footprinting
- Capturing a wireless handshake for offline cracking
- Enumerating DNS records via a zone transfer
- Executing attacker-supplied applications such as backdoors and tools on the compromised host
Correct answer: Executing attacker-supplied applications such as backdoors and tools on the compromised host
Executing attacker-supplied applications is correct because allowlisting blocks unapproved binaries, directly frustrating the system-hacking step where attackers run their own tools and backdoors. WHOIS footprinting, wireless handshake capture, and DNS zone transfers occur outside the host's application-execution control, so allowlisting does not primarily target those activities.
- A penetration tester needs a packet-capture utility that can operate from a command line on a Linux host with no graphical interface to record traffic into a file for later review. Which tool is best suited to capturing packets directly from the terminal?
- Tcpdump
- Hydra
- John the Ripper
- Nikto
Correct answer: Tcpdump
tcpdump is correct because it is a command-line packet capture and analysis utility that records traffic from an interface into a file without needing a graphical interface. Hydra performs online password guessing, John the Ripper cracks password hashes offline, and Nikto scans web servers for vulnerabilities, none of which capture raw packets from the command line.
- An attacker wants to capture only the traffic of a single host on a busy segment to reduce the volume of data they must analyze. Applying a rule at capture time that records solely packets to and from that host's address is best described as what?
- Performing privilege escalation
- Setting a capture filter
- Conducting a DNS zone transfer
- Issuing a banner-grab request
Correct answer: Setting a capture filter
Setting a capture filter is correct because a capture filter restricts what a sniffer records at the moment of capture, such as limiting it to one host's address, reducing the data collected. Privilege escalation raises account rights, a DNS zone transfer pulls DNS records, and a banner grab reads a service's identification string, none of which limit which packets a sniffer records.
- A network team replaces the legacy HTTP login on an internal application with HTTPS specifically to defeat sniffing. Which protection does encrypting the session in transit provide against a sniffer that has already gained a position on the path?
- It prevents the sniffer's network card from entering promiscuous mode
- It empties the switch's CAM table on each request
- It prevents the sniffer from reading the captured payload contents
- It removes the source IP address from each packet
Correct answer: It prevents the sniffer from reading the captured payload contents
Saying it prevents the sniffer from reading the captured payload contents is correct because encrypting the session means the captured bytes are ciphertext that the sniffer cannot interpret, even though it can still see the packets. Encryption does not stop a card from entering promiscuous mode, does not affect the CAM table, and does not strip the source IP, so the other options misstate what encryption accomplishes.
- An ethical hacker explains that sniffing yields the most useful results on which type of traffic, all else being equal?
- Traffic protected by mutually authenticated TLS
- Traffic inside an established VPN tunnel
- Traffic encrypted with a per-session ephemeral key
- Traffic carried by cleartext protocols that send data without encryption
Correct answer: Traffic carried by cleartext protocols that send data without encryption
Saying traffic carried by cleartext protocols is correct because unencrypted protocols expose their contents directly to a sniffer, making them the most rewarding to capture. Mutually authenticated TLS, VPN-tunneled traffic, and traffic with ephemeral per-session keys are all encrypted, so a sniffer sees only ciphertext rather than readable contents.
- An attacker on a LAN wants to use ARP poisoning but first must learn the IP and MAC of both the victim and the gateway. Which preliminary step provides this Layer 2 information needed to craft the forged ARP replies?
- Scanning the local subnet to discover live hosts and their MAC addresses
- Cracking the gateway's administrative password
- Performing a WHOIS lookup on the company domain
- Encrypting the attacker's own disk
Correct answer: Scanning the local subnet to discover live hosts and their MAC addresses
Scanning the local subnet to discover live hosts and their MAC addresses is correct because the attacker must know the IP-to-MAC mappings of the victim and gateway before sending forged ARP replies that bind those IPs to the attacker's MAC. Cracking the gateway password, performing a WHOIS lookup, and encrypting the attacker's disk do not provide the Layer 2 addressing needed to launch ARP poisoning.
- A defender observes that after enabling a particular Layer 2 feature, forged ARP replies arriving on access ports are dropped because they fail validation against records built from address assignments. Which combination of switch features produces this protection?
- Spanning Tree Protocol feeding the routing table
- DHCP snooping feeding a binding table that Dynamic ARP Inspection validates against
- Jumbo frames feeding the CAM table
- Port mirroring feeding the DNS resolver cache
Correct answer: DHCP snooping feeding a binding table that Dynamic ARP Inspection validates against
Saying DHCP snooping feeding a binding table that Dynamic ARP Inspection validates against is correct because DHCP snooping records legitimate IP-to-MAC assignments and Dynamic ARP Inspection uses that table to drop ARP replies that do not match. Spanning Tree Protocol prevents loops, jumbo frames change payload size, and port mirroring copies traffic, none of which build or validate the ARP binding table.
- An attacker analyzing whether ARP poisoning is feasible against a target notes that the victim and attacker must share a key precondition. Which condition is required for ARP poisoning to work?
- The attacker must hold a valid TLS certificate for the gateway
- The victim must be running a web server
- The attacker and victim must be on the same Layer 2 broadcast domain
- The attacker must control the victim's DNS registrar
Correct answer: The attacker and victim must be on the same Layer 2 broadcast domain
Saying the attacker and victim must be on the same Layer 2 broadcast domain is correct because ARP is a local-link protocol, so an attacker can only poison caches of hosts that share the same broadcast domain. Holding a TLS certificate, running a web server, or controlling a DNS registrar are unrelated to whether ARP replies can reach and update the victim's cache.
- A switch port has port security configured with violation mode set to shut down the port if more than the allowed number of MAC addresses appear. When an attacker launches MAC flooding against that port, what is the expected outcome?
- The switch fails open and floods all ports
- The switch encrypts all subsequent frames
- The CAM table is shared with the DNS resolver
- The port is disabled when the MAC limit is exceeded, stopping the flood at that port
Correct answer: The port is disabled when the MAC limit is exceeded, stopping the flood at that port
Saying the port is disabled when the MAC limit is exceeded is correct because port security in shutdown violation mode disables the offending port once too many MAC addresses appear, halting the flood there rather than letting the CAM table overflow. With port security active the switch does not fail open, does not encrypt frames, and does not merge the CAM table with a DNS resolver, so the other options are incorrect.
- An ethical hacker contrasts MAC flooding with a normal switch's design intent. What is the legitimate function of the CAM table that MAC flooding subverts?
- It maps learned MAC addresses to switch ports so frames are forwarded only to the correct port
- It stores DNS records for the local domain
- It holds the firewall's stateful connection entries
- It caches recently visited web pages for clients
Correct answer: It maps learned MAC addresses to switch ports so frames are forwarded only to the correct port
Saying it maps learned MAC addresses to switch ports is correct because the CAM table's legitimate purpose is to record which port leads to each MAC so the switch forwards unicast frames only out the right port, which MAC flooding subverts by overflowing it. The CAM table does not store DNS records, firewall connection state, or cached web pages, so the other options misidentify its function.
- During a MAC flooding attempt, a tester notes the switch they are testing has hardware-based CAM tables large enough that filling them is impractical. As an analysis, what does this tell the tester about MAC flooding's reliability across environments?
- MAC flooding always succeeds regardless of the switch model
- MAC flooding success depends on the switch's table capacity and hardening, so it is not universally effective
- MAC flooding works only over encrypted links
- MAC flooding requires the attacker to know the gateway password
Correct answer: MAC flooding success depends on the switch's table capacity and hardening, so it is not universally effective
Saying MAC flooding success depends on the switch's table capacity and hardening is correct because larger tables and protections like port security can make filling the CAM table impractical, so the attack is not universally reliable. MAC flooding does not always succeed, does not require encrypted links, and does not depend on a gateway password, so the other options overstate or misdescribe its reliability.
- An attacker poisons the cache of a victim's local DNS resolver so a banking hostname maps to a malicious IP. To make the spoofed page convincing, what does the attacker still need to provide on their malicious server?
- A valid copy of the bank's private signing key
- Administrative access to the victim's switch
- A counterfeit copy of the legitimate site to harvest credentials
- Ownership of the bank's domain registration
Correct answer: A counterfeit copy of the legitimate site to harvest credentials
Saying a counterfeit copy of the legitimate site is correct because redirecting the name only sends the victim to the attacker's server, which must host a convincing clone to actually capture credentials. The attacker does not obtain the bank's private signing key, does not need switch administrative access, and does not own the bank's registration to run this DNS spoofing scheme, so the other options are incorrect.
- An organization deploys encrypted DNS, sending resolver queries over TLS so they cannot be read or altered on the path. How does encrypting DNS queries in transit help against on-path DNS spoofing?
- It eliminates the need for the resolver to cache answers
- It guarantees the destination web server is not malicious
- It removes the transaction ID from each query
- It prevents an on-path attacker from reading or tampering with the query and response between client and resolver
Correct answer: It prevents an on-path attacker from reading or tampering with the query and response between client and resolver
Saying it prevents an on-path attacker from reading or tampering with the query and response is correct because encrypting DNS in transit protects the channel between the client and resolver, blocking injection or alteration by someone on the path. Encrypted DNS does not stop caching, cannot certify that a destination server is benign, and does not remove the transaction ID, so the other options misstate the protection.
- A SOC analyst reviewing DNS logs sees that a single client suddenly received an authoritative-looking answer for a popular domain that resolves to an unfamiliar foreign IP, while all other clients still resolve it correctly. Which attack does this pattern most strongly suggest?
- A targeted DNS spoofing of that one client's resolution
- A MAC flooding attack on the core switch
- A privilege escalation on the DNS server
- A directory traversal on a web server
Correct answer: A targeted DNS spoofing of that one client's resolution
Saying a targeted DNS spoofing of that one client's resolution is correct because a single client getting a forged answer while others resolve correctly indicates the attacker injected a spoofed response aimed at that client rather than poisoning a shared cache. MAC flooding, privilege escalation, and directory traversal do not produce a single-client name-resolution anomaly, so the other options do not fit the pattern.
- An attacker establishes a man-in-the-middle position and wants to determine whether the application traffic they are relaying can be read. They observe that the relayed connection uses certificate pinning on the client. What does certificate pinning do to the attacker's ability to intercept the content?
- It encrypts the attacker's local disk automatically
- It causes the client to reject the attacker's substitute certificate, preventing transparent interception
- It forces the switch into fail-open mode
- It exposes the server's private key to the attacker
Correct answer: It causes the client to reject the attacker's substitute certificate, preventing transparent interception
Saying it causes the client to reject the attacker's substitute certificate is correct because certificate pinning makes the client accept only a specific expected certificate or key, so a man-in-the-middle presenting a different one is refused. Pinning does not encrypt the attacker's disk, does not affect switch behavior, and does not reveal the server's private key, so the other options are incorrect.
- A tester explains that a man-in-the-middle attack can be active or passive. Which scenario describes a passive man-in-the-middle attack?
- The attacker rewrites a wire-transfer account number in transit
- The attacker injects malicious commands into the stream
- The attacker relays traffic between the parties and only reads it without modifying anything
- The attacker terminates the connection and impersonates the server fully
Correct answer: The attacker relays traffic between the parties and only reads it without modifying anything
Saying the attacker relays traffic and only reads it without modifying anything is correct because a passive man-in-the-middle eavesdrops on the relayed communication without altering it. Rewriting a transfer account number, injecting commands, and impersonating the server fully all involve active manipulation, so those options describe active rather than passive interception.
- An attacker on an IPv6-enabled LAN with no rogue-router protections sends crafted router advertisement messages claiming to be the default router, causing hosts to route traffic through the attacker. This IPv6 analog of gateway impersonation that yields a man-in-the-middle position is best described as what?
- A directory traversal attack
- A rainbow table attack
- A banner-grabbing attack
- A rogue router advertisement attack
Correct answer: A rogue router advertisement attack
Saying a rogue router advertisement attack is correct because forging IPv6 router advertisements lets the attacker pose as the default router so hosts send traffic through them, establishing a man-in-the-middle position much like ARP poisoning does on IPv4. Directory traversal abuses web paths, a rainbow table attack reverses hashes, and banner grabbing reads service strings, none of which describe spoofing IPv6 router advertisements.
- A penetration tester profiling a target's staff for a social engineering campaign first gathers public information from corporate sites, social media, and job postings. As an analysis, why is this information-gathering phase critical to the social engineering attack's success?
- It supplies the personal and organizational details needed to craft believable, targeted pretexts
- It cracks the employees' password hashes directly
- It floods the company's switch CAM table
- It encrypts the company's internal database
Correct answer: It supplies the personal and organizational details needed to craft believable, targeted pretexts
Saying it supplies the personal and organizational details needed to craft believable pretexts is correct because researched facts let the attacker reference real names, roles, and projects, making manipulation far more convincing. Gathering public information does not crack password hashes, flood a switch, or encrypt a database, so the other options describe unrelated technical outcomes.
- An attacker times their social engineering call to coincide with a major system outage, knowing employees are stressed and eager to restore service. Which principle of influence does exploiting the chaos of a crisis primarily rely on?
- The TCP three-way handshake
- Urgency and heightened pressure that reduce careful verification
- The switch CAM aging timer
- DNSSEC record signing
Correct answer: Urgency and heightened pressure that reduce careful verification
Saying urgency and heightened pressure is correct because social engineers exploit time pressure and stress to push targets into acting before they verify, and a crisis amplifies that effect. The TCP handshake, the CAM aging timer, and DNSSEC signing are technical mechanisms unrelated to manipulating a person's sense of urgency, so the other options are incorrect.
- An organization implements a callback verification policy requiring staff to hang up and dial a known internal number before acting on any phone request for sensitive access. Which class of social engineering attack does this policy most directly counter?
- ARP poisoning on the switch
- SQL injection on the web server
- Voice-based pretext calls that impersonate trusted insiders
- Rainbow table cracking of hashes
Correct answer: Voice-based pretext calls that impersonate trusted insiders
Saying voice-based pretext calls that impersonate trusted insiders is correct because verifying via a known callback number defeats attackers who phone in pretending to be IT or executives, since the real party is reached independently. ARP poisoning, SQL injection, and rainbow table cracking are technical attacks unaffected by a phone callback policy, so the other options are not what it counters.
- A defender wants to measure how susceptible employees are to deceptive email before a real attacker tests them. Which controlled exercise directly assesses this human-layer risk?
- A port scan of the perimeter firewall
- A WHOIS lookup of the company domain
- A CAM table capacity test on the switch
- A simulated phishing campaign that tracks who clicks and reports
Correct answer: A simulated phishing campaign that tracks who clicks and reports
Saying a simulated phishing campaign that tracks who clicks and reports is correct because sending benign test lures and measuring responses directly gauges employee susceptibility to deceptive email. A port scan, a WHOIS lookup, and a CAM table capacity test assess technical assets rather than human judgment, so the other options do not measure the social engineering risk.
- An attacker registers a domain that closely resembles a target company's domain, differing by one transposed letter, and uses it to send convincing fraudulent emails. This use of a look-alike domain to bolster a phishing attack is best described as what?
- Typosquatting to support the phishing campaign
- MAC flooding the company switch
- Performing a SYN flood
- Running a rainbow table attack
Correct answer: Typosquatting to support the phishing campaign
Saying typosquatting to support the phishing campaign is correct because registering a deceptively similar domain makes fraudulent emails appear to come from the real company, increasing the phishing attack's credibility. MAC flooding, a SYN flood, and a rainbow table attack are unrelated Layer 2, denial-of-service, and hash-cracking techniques, so the other options do not describe using a look-alike domain.
- An employee receives an email that passes basic inspection but the displayed sender name does not match the actual underlying email address revealed on closer examination. Which phishing red flag has the employee identified?
- An overflowing CAM table on the switch
- A spoofed display name masking a different real sender address
- A poisoned ARP cache entry
- A failed DNSSEC signature
Correct answer: A spoofed display name masking a different real sender address
Saying a spoofed display name masking a different real sender address is correct because attackers commonly set a trustworthy display name while the underlying address differs, a classic phishing indicator. An overflowing CAM table, a poisoned ARP cache, and a failed DNSSEC signature are network-layer conditions unrelated to inspecting an email's sender, so the other options do not describe this red flag.
- A security team configures email gateways to rewrite links in inbound messages so clicks are first routed through an inspection service that checks the destination at click time. Which phishing threat does this time-of-click link analysis most directly address?
- A SYN flood against the mail server
- An ARP poisoning attack on the LAN
- Links that point to benign pages when scanned but are switched to malicious destinations later
- A MAC flood on the access switch
Correct answer: Links that point to benign pages when scanned but are switched to malicious destinations later
Saying links that point to benign pages when scanned but are switched later is correct because time-of-click inspection re-checks the destination when the user clicks, catching attackers who delay weaponizing a URL to evade initial scanning. A SYN flood, ARP poisoning, and MAC flooding are network attacks unrelated to inspecting email links, so the other options do not describe what this control addresses.
- An attacker compiles a list of leaked credentials and sends targeted emails referencing a real password the victim once used to make the threat appear credible and pressure payment. This blend of phishing with leaked data to coerce a victim is best described as what?
- A directory traversal attack
- A Smurf amplification attack
- A VLAN hopping attack
- A sextortion-style phishing scam leveraging breached credentials
Correct answer: A sextortion-style phishing scam leveraging breached credentials
Saying a sextortion-style phishing scam leveraging breached credentials is correct because including a genuine leaked password in a coercive email is a recognized phishing tactic that exploits the victim's fear to extract payment. Directory traversal, a Smurf attack, and VLAN hopping are technical web, amplification, and Layer 2 attacks unrelated to credential-backed extortion email, so the other options are incorrect.
- An attacker sends a single crafted ICMP echo request larger than the maximum allowed IP packet size, causing older vulnerable systems to crash when reassembling it. This classic denial-of-service technique is known as what?
- A ping of death
- A WHOIS query
- A rainbow table attack
- A banner grab
Correct answer: A ping of death
A ping of death is correct because it sends an oversized or malformed ICMP packet that exceeds the maximum IP size, crashing vulnerable systems during reassembly, a denial-of-service technique. A WHOIS query gathers registration data, a rainbow table attack reverses hashes, and a banner grab reads service strings, none of which involve an oversized ping crashing a host.
- An attacker sends a stream of fragmented packets with overlapping and improperly set fragment offsets to a target whose stack mishandles reassembly, causing it to hang. Which denial-of-service technique abuses fragmentation reassembly in this way?
- A WHOIS enumeration
- A teardrop attack
- A directory traversal
- A session fixation
Correct answer: A teardrop attack
A teardrop attack is correct because it sends overlapping, malformed IP fragments that a vulnerable reassembly routine cannot handle, causing the target to crash or hang, a denial-of-service technique. WHOIS enumeration gathers registration data, directory traversal abuses web paths, and session fixation forces a known session ID, none of which exploit fragment reassembly to deny service.
- A blue team must decide which metric most directly signals a successful denial-of-service attack in progress. Which observation most directly indicates the attack is achieving its goal?
- The number of valid TLS certificates increases
- DNS records gain new DNSSEC signatures
- Legitimate users are unable to reach the service due to exhausted resources or saturated bandwidth
- The switch reduces its number of broadcast domains
Correct answer: Legitimate users are unable to reach the service due to exhausted resources or saturated bandwidth
Saying legitimate users are unable to reach the service is correct because a denial-of-service attack is defined by its impact on availability, so loss of access from exhausted resources or saturated links is the direct signal of success. More TLS certificates, new DNSSEC signatures, and fewer broadcast domains are unrelated to whether a service is being denied, so the other options do not indicate the attack's effect.
- An attacker repeatedly opens TCP connections to a server but advertises a tiny receive window and trickles data extremely slowly, holding connections open to exhaust the server's connection pool. Which low-bandwidth denial-of-service approach does this describe?
- A rainbow table attack
- A WHOIS enumeration
- A static ARP configuration
- A slow-rate connection-exhaustion attack
Correct answer: A slow-rate connection-exhaustion attack
Saying a slow-rate connection-exhaustion attack is correct because trickling data and advertising a tiny window holds connections open to drain the server's pool with little bandwidth, denying service. A rainbow table attack reverses hashes, WHOIS enumeration gathers registration data, and a static ARP entry is a defense, none of which describe holding connections open to exhaust a server.
- A threat report describes how a botnet operator maintains control by directing infected machines to periodically generate algorithmically derived domain names to find the current command server, frustrating takedown. This resilience technique is known as what?
- A domain generation algorithm
- A spanning-tree root election
- A DHCP lease renewal
- A jumbo-frame negotiation
Correct answer: A domain generation algorithm
A domain generation algorithm is correct because bots use it to compute many candidate command-and-control domain names over time, making it hard for defenders to block or seize the rendezvous point. A spanning-tree root election, a DHCP lease renewal, and jumbo-frame negotiation are normal network operations unrelated to a botnet's command resilience, so the other options are incorrect.
- Analysts distinguish a volumetric DDoS attack from a protocol or state-exhaustion DDoS attack. Which description best characterizes a volumetric attack?
- It exhausts a firewall's connection-state table with crafted packets
- It saturates the target's bandwidth with sheer traffic volume
- It abuses application logic to consume CPU per request
- It poisons the target's ARP cache
Correct answer: It saturates the target's bandwidth with sheer traffic volume
Saying it saturates the target's bandwidth with sheer traffic volume is correct because volumetric attacks aim to consume all available network capacity. Exhausting a firewall's state table describes a protocol or state-exhaustion attack, consuming CPU per request describes an application-layer attack, and poisoning an ARP cache is a Layer 2 interception technique, so the other options describe different attack classes.
- A defender wants a clear, measurable property to evaluate how dangerous a particular reflection vector is for amplification DDoS. Which quantity best expresses this danger?
- The number of broadcast domains on the LAN
- The DHCP lease duration in hours
- The amplification factor, or ratio of response size to request size
- The CAM table size of the access switch
Correct answer: The amplification factor, or ratio of response size to request size
Saying the amplification factor is correct because the ratio of response size to spoofed request size measures how much a reflector multiplies the attacker's traffic toward the victim, expressing the vector's danger. The number of broadcast domains, DHCP lease duration, and CAM table size are unrelated network parameters that do not quantify amplification potential, so the other options are incorrect.
- A defender deploys ingress filtering at the network edge to drop outbound packets whose source addresses do not belong to the internal network. How does this practice reduce the effectiveness of reflection-and-amplification DDoS attacks across the internet?
- It encrypts all outbound DNS queries
- It increases the CAM table capacity of internal switches
- It forces all internal hosts onto a single VLAN
- It prevents spoofed-source packets from leaving the network, undercutting the source spoofing these attacks rely on
Correct answer: It prevents spoofed-source packets from leaving the network, undercutting the source spoofing these attacks rely on
Saying it prevents spoofed-source packets from leaving the network is correct because reflection-and-amplification attacks depend on forging the victim's source address, and source-address filtering at the edge blocks packets that do not match the internal range. Such filtering does not encrypt DNS, change CAM capacity, or consolidate VLANs, so the other options misstate its effect.
- An attacker captures and reuses a victim's session token after the victim has authenticated. As an analysis, why can session hijacking grant access even when the application enforces a strong password policy?
- The hijacker rides the already-authenticated session and never needs to defeat the password at all
- Strong passwords cause session tokens to be transmitted in cleartext
- A strong password policy disables the use of session tokens
- Session tokens contain the plaintext password by design
Correct answer: The hijacker rides the already-authenticated session and never needs to defeat the password at all
Saying the hijacker rides the already-authenticated session is correct because a stolen valid session token represents a completed authentication, so password strength is irrelevant once the token is in the attacker's hands. Strong passwords do not force tokens into cleartext, do not disable tokens, and tokens do not embed the plaintext password, so the other options are incorrect.
- A web application sets its session cookie with the SameSite attribute restricting it from being sent on cross-site requests. Which related attack does the SameSite cookie attribute most directly help mitigate at the network and request level?
- MAC flooding on the access switch
- Cross-site request forgery that relies on the browser auto-sending the session cookie
- A SYN flood against the server
- ARP poisoning on the LAN
Correct answer: Cross-site request forgery that relies on the browser auto-sending the session cookie
Saying cross-site request forgery that relies on the browser auto-sending the session cookie is correct because SameSite restricts cookies on cross-site requests, undercutting attacks that abuse the browser automatically attaching the session cookie. MAC flooding, a SYN flood, and ARP poisoning are network-layer attacks unaffected by a cookie attribute, so the other options are incorrect.
- A penetration tester explains that predictable, sequential session identifiers are dangerous. Why does issuing session tokens that are long and generated with a cryptographically strong random source defend against hijacking?
- It encrypts the switch's CAM table
- It prevents the browser from storing any cookies
- It makes guessing or brute-forcing a valid active token computationally infeasible
- It shortens the TCP three-way handshake
Correct answer: It makes guessing or brute-forcing a valid active token computationally infeasible
Saying it makes guessing or brute-forcing a valid token infeasible is correct because long, cryptographically random identifiers leave attackers no predictable pattern to exploit and far too large a space to guess. Such tokens do not encrypt a CAM table, do not stop cookie storage, and do not change the TCP handshake, so the other options misstate the defense.
- An attacker who has sniffed an unencrypted web session wants to take over the victim's account without triggering a fresh login. Binding sessions to the client's source IP would frustrate this. Why does tying a session to its originating IP raise the bar for a hijacker on a different network?
- It encrypts the token with the client's password
- It floods the switch to fail open
- It forces the resolver to randomize its transaction ID
- Reusing the token from a different source address fails the server's binding check
Correct answer: Reusing the token from a different source address fails the server's binding check
Saying reusing the token from a different source address fails the binding check is correct because binding a session to its originating IP means a stolen token presented from another address is rejected, raising the bar for a remote hijacker. IP binding does not encrypt the token with a password, does not flood a switch, and does not control DNS transaction IDs, so the other options are incorrect.
- A security architect describes a sensor placed inline at the perimeter that not only detects but also drops packets matching malicious signatures before they reach internal hosts. Which device is this?
- An intrusion prevention system
- A passive network tap
- A forward proxy
- A DHCP relay agent
Correct answer: An intrusion prevention system
An intrusion prevention system is correct because it sits inline and can actively block or drop traffic matching malicious patterns, going beyond mere detection. A passive network tap only copies traffic, a forward proxy relays outbound requests, and a DHCP relay agent forwards address requests, none of which inline-block malicious packets at the perimeter.
- An attacker pads a malicious request with large amounts of benign filler so that the meaningful attack pattern is separated across the stream, hoping a sensor that inspects only a limited window misses the signature. Which IDS evasion concept does this exploit?
- The switch's CAM table aging timer
- The sensor's limited inspection depth or buffer for pattern matching
- The DHCP server's lease pool size
- The DNS resolver's cache TTL
Correct answer: The sensor's limited inspection depth or buffer for pattern matching
Saying the sensor's limited inspection depth or buffer is correct because spreading the attack pattern beyond the bytes a sensor examines can cause it to miss the signature, a recognized evasion approach. The CAM aging timer, DHCP lease pool, and DNS cache TTL are unrelated network parameters that do not govern how an IDS matches signatures, so the other options are incorrect.
- A SOC team tuning an IDS wants to reduce the volume of alerts triggered by harmless activity that resembles attacks. Which IDS metric are they trying to lower without raising the danger of missed attacks?
- The DHCP lease duration
- The CAM table capacity
- The false positive rate
- The amplification factor
Correct answer: The false positive rate
Saying the false positive rate is correct because false positives are alerts on benign traffic, and reducing them eases analyst load, though it must be done carefully to avoid increasing missed real attacks. DHCP lease duration, CAM table capacity, and amplification factor are unrelated parameters that do not describe nuisance alerts on benign traffic, so the other options are incorrect.
- An ethical hacker explains that signature-based detection has a fundamental blind spot. Which limitation is inherent to purely signature-based intrusion detection?
- It can never produce a false positive
- It works only on encrypted traffic
- It blocks all traffic by default
- It cannot detect novel attacks for which no signature yet exists
Correct answer: It cannot detect novel attacks for which no signature yet exists
Saying it cannot detect novel attacks for which no signature exists is correct because signature matching relies on known patterns, so a brand-new attack with no signature slips through, which is its inherent blind spot. Signature-based detection can produce false positives, does not work only on encrypted traffic, and does not block all traffic by default, so the other options are incorrect.
- A network team aggregates logs and alerts from IDS sensors, firewalls, and hosts into a central platform that correlates events to surface real incidents. Which type of system performs this correlation and centralized analysis?
- A security information and event management system
- A spanning-tree root bridge
- A DHCP relay agent
- A reverse proxy cache
Correct answer: A security information and event management system
A security information and event management system is correct because it collects and correlates logs and alerts from many sources to detect incidents that individual sensors might miss in isolation. A spanning-tree root bridge anchors a loop-free topology, a DHCP relay forwards address requests, and a reverse proxy cache fronts servers, none of which correlate security events centrally.
- An ethical hacker probing a perimeter wants to learn the order in which a firewall's rules are evaluated, since most firewalls process rules top to bottom and stop at the first match. As an analysis, why does understanding this evaluation order help craft evasive traffic?
- Rule order encrypts the firewall's traffic automatically
- An overly broad early permit rule may match and allow traffic the administrator intended a later rule to deny
- Rule order determines the switch's CAM table size
- Rule order sets the DNS cache TTL
Correct answer: An overly broad early permit rule may match and allow traffic the administrator intended a later rule to deny
Saying an overly broad early permit rule may match and allow unintended traffic is correct because firewalls stop at the first matching rule, so a permissive early rule can let through traffic a more specific later deny rule was meant to block. Rule order does not encrypt traffic, set CAM table size, or control DNS cache TTL, so the other options are incorrect.
- A penetration tester sends scan packets with a source port set to a commonly trusted port such as the DNS port, hoping a misconfigured firewall permits them based on that source port. Which firewall weakness does this source-port manipulation exploit?
- The switch's promiscuous mode setting
- The DHCP server's lease timer
- Rules that allow traffic based on a trusted source port without validating the connection
- The IDS signature database version
Correct answer: Rules that allow traffic based on a trusted source port without validating the connection
Saying rules that allow traffic based on a trusted source port is correct because some misconfigured firewalls permit packets that appear to come from a trusted source port, which a tester can forge to slip probes through. The switch's promiscuous mode, the DHCP lease timer, and the IDS signature version are unrelated to a firewall trusting a source port, so the other options are incorrect.
- An organization deploys a next-generation firewall that identifies applications by inspecting traffic content rather than relying solely on port numbers. How does this application-aware inspection counter a common evasion tactic?
- It encrypts the attacker's payload automatically
- It increases the switch's CAM table size
- It shortens the TCP three-way handshake
- It can recognize disallowed applications tunneled over allowed ports like 80 or 443
Correct answer: It can recognize disallowed applications tunneled over allowed ports like 80 or 443
Saying it can recognize disallowed applications tunneled over allowed ports is correct because identifying the actual application by content defeats attackers who hide forbidden traffic inside permitted ports such as web ports. Application-aware inspection does not encrypt the attacker's payload, change CAM table size, or alter the TCP handshake, so the other options misstate its capability.
- A tester observes that a perimeter firewall rejects probes to one closed port with an explicit reset but silently drops probes to another, giving no response. As an analysis, what does this difference let the tester infer about the firewall's handling of those ports?
- The reset indicates a closed-but-reachable port while the silent drop indicates a filtered port behind the firewall
- Both responses prove the ports are open
- The silent drop proves the switch has failed open
- The reset proves the DNS cache is poisoned
Correct answer: The reset indicates a closed-but-reachable port while the silent drop indicates a filtered port behind the firewall
Saying the reset indicates a closed-but-reachable port while the silent drop indicates a filtered port is correct because an explicit reset shows the probe reached a host that refused it, whereas no response signals the firewall is silently filtering. Neither response proves the ports are open, indicates a switch failing open, or shows a poisoned DNS cache, so the other options misread the behavior.
- A penetration tester needs to determine the actual hop where filtering occurs along a path to a target behind a firewall. Which technique, by incrementing TTL values and observing where responses stop, helps map the path and locate the filtering device?
- A rainbow table lookup
- A traceroute-style TTL-incrementing probe
- A WPA2 handshake capture
- A directory traversal request
Correct answer: A traceroute-style TTL-incrementing probe
A traceroute-style TTL-incrementing probe is correct because progressively increasing the TTL reveals each hop and shows where responses cease, helping locate the filtering device along the path. A rainbow table lookup reverses hashes, a WPA2 handshake capture is wireless, and a directory traversal request abuses web paths, none of which map the network path to find a filtering point.
- A research team configures a honeypot that fully emulates a vulnerable industrial control system to attract and study attackers targeting operational technology. As an analysis, what is the principal intelligence value of running such a specialized decoy?
- It automatically patches the organization's real control systems
- It increases the plant's network bandwidth
- It reveals the tools, tactics, and intent of adversaries interested in that specific environment
- It encrypts the attacker's command channel
Correct answer: It reveals the tools, tactics, and intent of adversaries interested in that specific environment
Saying it reveals the tools, tactics, and intent of adversaries is correct because a realistic decoy draws targeted attackers and records how they operate, yielding intelligence specific to that environment. The decoy does not patch real systems, add bandwidth, or encrypt attacker channels, so the other options misstate its purpose.
- A defender weighs the risk of a high-interaction honeypot. Which downside is the primary concern that must be managed when deploying one?
- It can never collect any attacker data
- It automatically blocks all production traffic
- It permanently encrypts the organization's backups
- If not carefully contained, an attacker could use the fully functional decoy as a pivot to reach real systems
Correct answer: If not carefully contained, an attacker could use the fully functional decoy as a pivot to reach real systems
Saying an attacker could use the decoy as a pivot to real systems is correct because a high-interaction honeypot is a real, fully functional system, so without strict containment it could be turned against the production network. A high-interaction honeypot does collect rich data, does not block production traffic, and does not encrypt backups, so the other options are incorrect.
- An attacker inspects a suspected decoy and finds it advertises a well-known commercial honeypot's default service fingerprint and process names. As an analysis, which detection approach is the attacker using to identify the honeypot?
- Fingerprinting known honeypot software artifacts and signatures
- Cracking the honeypot's WPA2 key
- Performing a DNS zone transfer against the honeypot
- Flooding the honeypot's CAM table
Correct answer: Fingerprinting known honeypot software artifacts and signatures
Saying fingerprinting known honeypot software artifacts and signatures is correct because attackers identify decoys by recognizing telltale default fingerprints, process names, or banners left by common honeypot software. Cracking a WPA2 key, performing a zone transfer, and flooding a CAM table are unrelated wireless, DNS, and Layer 2 actions, so the other options do not describe honeypot fingerprinting.
- A defender plants a decoy administrator account in the directory that no real person uses, configured to alert the security team the instant anyone attempts to authenticate with it. This account is an example of which detection construct?
- A spanning-tree root bridge
- A honeytoken decoy account
- A forward proxy server
- A DHCP relay agent
Correct answer: A honeytoken decoy account
A honeytoken decoy account is correct because a fake account that no legitimate user touches generates a high-confidence alert on any authentication attempt, serving as a tripwire for intruders. A spanning-tree root bridge, a forward proxy, and a DHCP relay are normal network components, not decoy lures designed to detect attackers, so the other options are incorrect.
- An attacker on a LAN runs a tool that pretends to be the DHCP server and responds to client discovery messages faster than the legitimate server. To win the race reliably, what does the rogue DHCP attack depend on?
- Cracking the client's password hash offline
- Holding a valid TLS certificate for the gateway
- Answering the client's request before the legitimate DHCP server's offer arrives
- Owning the company's DNS registrar
Correct answer: Answering the client's request before the legitimate DHCP server's offer arrives
Saying answering before the legitimate server's offer arrives is correct because clients typically accept the first DHCP offer they receive, so the rogue server must respond faster to push its malicious configuration. Cracking a hash, holding a TLS certificate, and owning a DNS registrar are unrelated to winning the DHCP race, so the other options do not describe what the attack depends on.
- An attacker depletes a DHCP server's address pool with spoofed requests and then sets up a rogue DHCP server, but legitimate clients with current leases keep working until renewal. As an analysis, why does the impact of DHCP starvation often appear gradually rather than instantly?
- The switch must reboot before any client loses connectivity
- DNSSEC signatures must expire first
- The CAM table must overflow before leases are affected
- Existing clients keep their valid leases until those leases expire and need renewal
Correct answer: Existing clients keep their valid leases until those leases expire and need renewal
Saying existing clients keep their valid leases until expiry is correct because starvation prevents new or renewing clients from getting addresses, while those with active leases remain connected until renewal, so the effect spreads gradually. The impact does not require a switch reboot, DNSSEC expiry, or a CAM overflow, so the other options misstate the timing.
- A network engineer wants to limit DHCP starvation by restricting how quickly DHCP requests can arrive on an access port and capping requests per second. Which switch feature enforces this rate cap on DHCP traffic per port?
- DHCP snooping rate limiting on untrusted ports
- Spanning Tree Protocol root guard
- Jumbo-frame negotiation
- Promiscuous mode on the uplink
Correct answer: DHCP snooping rate limiting on untrusted ports
Saying DHCP snooping rate limiting on untrusted ports is correct because rate limiting the number of DHCP messages allowed per second on untrusted access ports throttles the flood that starvation relies on. Spanning Tree root guard prevents rogue root bridges, jumbo-frame negotiation changes payload size, and promiscuous mode aids sniffing, none of which cap DHCP request rates per port.
- An attacker sniffing a switched LAN finds that, despite ARP poisoning, they capture little because most internal traffic is between two hosts that are not the gateway. To intercept that specific host-to-host traffic, what must the attacker do?
- Crack the gateway's administrative password
- Poison the ARP caches of both communicating hosts so each maps the other's IP to the attacker's MAC
- Perform a WHOIS lookup on the internal subnet
- Increase the switch's CAM table size
Correct answer: Poison the ARP caches of both communicating hosts so each maps the other's IP to the attacker's MAC
Saying poison the ARP caches of both communicating hosts is correct because intercepting host-to-host traffic requires each host to send to the attacker's MAC for the other's IP, routing their direct conversation through the attacker. Cracking the gateway password, performing a WHOIS lookup, and increasing CAM size do not position the attacker between two specific internal hosts, so the other options are incorrect.
- A defender argues that even a perfect ARP poisoning attack yields limited payoff if a particular control is in place network-wide. Which control most reduces the value an attacker gains from successful ARP poisoning?
- Increasing the DHCP lease time
- Enabling jumbo frames
- Strong end-to-end encryption of application traffic so intercepted data is unreadable
- Reducing the number of broadcast domains
Correct answer: Strong end-to-end encryption of application traffic so intercepted data is unreadable
Saying strong end-to-end encryption is correct because even if ARP poisoning routes traffic through the attacker, encrypted payloads remain unreadable, sharply reducing the attack's value. Longer DHCP leases, jumbo frames, and fewer broadcast domains do not protect the confidentiality of intercepted traffic, so the other options do not reduce the attacker's payoff.
- An attacker captures a four-way exchange of an unencrypted protocol's authentication and later resends the captured packets verbatim to authenticate without knowing the secret. Which network attack does this resending of captured traffic represent?
- A directory traversal attack
- A MAC flooding attack
- A Smurf attack
- A replay attack
Correct answer: A replay attack
A replay attack is correct because capturing valid traffic and resending it later to gain access defines a replay, succeeding when exchanges are reusable. Directory traversal abuses web paths, MAC flooding overwhelms a switch, and a Smurf attack is broadcast ICMP amplification, none of which describe resending captured authentication traffic.
- A coffee-shop attacker broadcasts a network name identical to nearby trusted networks so that devices set to auto-connect join the attacker's access point believing it is a known network. This rogue access point that mimics a trusted network's name to lure clients is best described as what?
- An evil twin access point
- A spanning-tree root bridge
- A DHCP relay agent
- A forward proxy
Correct answer: An evil twin access point
An evil twin access point is correct because it broadcasts a network name matching a trusted one so devices connect to the attacker, placing them in position to intercept traffic. A spanning-tree root bridge anchors a loop-free topology, a DHCP relay forwards address requests, and a forward proxy relays outbound traffic, none of which describe a look-alike rogue access point used to capture client traffic.
- An attacker who has established a man-in-the-middle position wants to capture credentials a victim submits to a site that normally redirects from HTTP to HTTPS. Beyond simply relaying, what active step lets the attacker keep the victim on unencrypted HTTP while still reaching the real HTTPS server?
- Cracking the server's RSA key by brute force in real time
- Stripping the upgrade-to-HTTPS redirect so the victim's browser stays on plaintext HTTP
- Flooding the switch's CAM table
- Performing a DNS zone transfer
Correct answer: Stripping the upgrade-to-HTTPS redirect so the victim's browser stays on plaintext HTTP
Saying stripping the upgrade-to-HTTPS redirect is correct because preventing the browser from upgrading keeps the victim on plaintext HTTP while the attacker maintains HTTPS to the server, exposing submitted credentials. Brute-forcing the RSA key in real time is infeasible, flooding the CAM table is unrelated, and a zone transfer pulls DNS records, so the other options do not describe this downgrade step.
- A defender wants browsers to refuse any plaintext connection to the site even on a user's very first visit, closing the gap that a downgrade attacker exploits before a strict-transport policy is cached. Which mechanism allows a site to be hardcoded into browsers as HTTPS-only ahead of time?
- Increasing the DHCP lease duration
- Enabling promiscuous mode on the server
- Submitting the domain to the browser HSTS preload list
- Expanding the switch's CAM table
Correct answer: Submitting the domain to the browser HSTS preload list
Saying submitting the domain to the browser HSTS preload list is correct because preloading hardcodes the site as HTTPS-only into browsers, so even a first visit cannot be downgraded to plaintext. Longer DHCP leases, promiscuous mode, and a bigger CAM table do not enforce HTTPS-only behavior in browsers, so the other options are incorrect.
- An attacker repeatedly sends spoofed Spanning Tree Protocol messages claiming superior priority so that a switch elects the attacker's device as the root bridge, allowing the attacker to see and influence traffic flows. This Layer 2 attack against the switching topology is best described as what?
- A directory traversal attack
- A rainbow table attack
- A banner-grabbing attack
- A spanning-tree (STP) manipulation attack
Correct answer: A spanning-tree (STP) manipulation attack
Saying a spanning-tree manipulation attack is correct because forging superior bridge messages to become the root bridge lets the attacker alter traffic paths and position to intercept frames, a recognized Layer 2 network attack. Directory traversal abuses web paths, a rainbow table attack reverses hashes, and banner grabbing reads service strings, none of which manipulate the switching topology.
- A network engineer enables a feature that prevents an access port from ever becoming the spanning-tree root by blocking superior bridge messages received on that port. Which protection most directly defeats spanning-tree root takeover from an access port?
- Root guard on access ports
- Jumbo-frame negotiation
- Promiscuous mode
- DNSSEC validation
Correct answer: Root guard on access ports
Saying root guard on access ports is correct because it blocks superior spanning-tree messages on those ports, preventing an attacker's device from being elected root bridge. Jumbo-frame negotiation changes payload size, promiscuous mode aids sniffing, and DNSSEC validation protects DNS, none of which prevent a rogue device from claiming the spanning-tree root role.
- An attacker uses a tool that intentionally sends bogus router solicitation and advertisement traffic to overwhelm an IPv6 segment's hosts and disrupt their addressing. As an analysis, this denial-of-service against the local segment is best categorized under which broad attack goal?
- Stealing the administrator's password hash
- Disrupting availability of the local network through protocol abuse
- Encrypting the hosts' files for ransom
- Exfiltrating data through a covert DNS tunnel
Correct answer: Disrupting availability of the local network through protocol abuse
Saying disrupting availability of the local network through protocol abuse is correct because flooding the segment with bogus IPv6 control traffic degrades hosts' ability to address and communicate, a denial-of-service goal. The attack does not steal a password hash, encrypt files for ransom, or exfiltrate via DNS tunneling, so the other options describe unrelated objectives.
- A blue team wants to distinguish a legitimate traffic surge from a DDoS attack on their web service. Which characteristic most strongly points to a malicious distributed flood rather than an organic spike?
- A gradual increase in traffic during a planned marketing launch
- A rise in valid logins from known customers
- A sudden surge of requests from a vast number of unrelated source addresses with abnormal patterns
- An increase in cache hits for popular pages
Correct answer: A sudden surge of requests from a vast number of unrelated source addresses with abnormal patterns
Saying a sudden surge from a vast number of unrelated sources with abnormal patterns is correct because distributed floods come from many disparate, often spoofed or botnet hosts exhibiting unnatural request behavior. A planned marketing surge, more valid customer logins, and increased cache hits reflect organic legitimate growth, so the other options do not indicate a malicious DDoS.
- A defender configures connection rate limiting and SYN-flood thresholds on the perimeter firewall. As an analysis, which attack category are these threshold-based controls primarily intended to blunt?
- Steganographic data hiding in images
- Offline rainbow table cracking
- Directory traversal on a web server
- Flooding and connection-exhaustion denial-of-service attempts
Correct answer: Flooding and connection-exhaustion denial-of-service attempts
Saying flooding and connection-exhaustion denial-of-service attempts is correct because rate limiting and SYN-flood thresholds cap excessive connection attempts to blunt floods that exhaust resources. Steganography hides data in files, rainbow table cracking is offline hash reversal, and directory traversal abuses web paths, none of which are addressed by connection-rate thresholds, so the other options are incorrect.
- An attacker captures a victim's session cookie by sniffing an unencrypted wireless network, then immediately uses it before the victim logs out. As an analysis, which single defensive change would most directly have prevented the capture itself on that network?
- Serving the application exclusively over encrypted HTTPS so the cookie is never sent in cleartext
- Renaming the application's database tables
- Increasing the wireless channel width
- Disabling server-side logging
Correct answer: Serving the application exclusively over encrypted HTTPS so the cookie is never sent in cleartext
Saying serving the application exclusively over HTTPS is correct because encrypting all traffic ensures the session cookie is never transmitted in cleartext, preventing a sniffer from capturing it in the first place. Renaming database tables, widening the wireless channel, and disabling logging do nothing to keep the cookie off the wire in plaintext, so the other options do not stop the capture.
- An ethical hacker explains that a network-based IDS struggles increasingly as a network adopts pervasive encryption. As an analysis, which mitigation lets defenders regain inspection visibility for an inline sensor without abandoning encryption end-user-to-edge?
- Enabling promiscuous mode on every client
- Decrypting traffic at a controlled inspection point before re-encrypting it onward
- Increasing the DHCP lease duration
- Expanding the switch's CAM table
Correct answer: Decrypting traffic at a controlled inspection point before re-encrypting it onward
Saying decrypting traffic at a controlled inspection point before re-encrypting it onward is correct because terminating and inspecting traffic at a managed proxy or decryption appliance restores visibility for the sensor while preserving encryption beyond that point. Promiscuous mode on clients, longer DHCP leases, and a bigger CAM table do not give an IDS the ability to inspect encrypted payloads, so the other options are incorrect.
- An attacker on a LAN sends crafted DHCP discover messages with many distinct spoofed hardware addresses purely to exhaust the address pool, with no intent to host a rogue server. As an analysis, what is the immediate effect on legitimate clients attempting to join the network?
- New clients receive an encrypted IP automatically
- New clients are forced onto a separate VLAN
- New clients are denied an IP address because the pool is depleted
- New clients gain administrative rights on the switch
Correct answer: New clients are denied an IP address because the pool is depleted
Saying new clients are denied an IP address because the pool is depleted is correct because exhausting the DHCP address pool leaves no leases available, so legitimate clients cannot obtain an address. Starvation does not hand out encrypted IPs, move clients to another VLAN, or grant switch administrative rights, so the other options misstate the effect.
- A penetration tester wants to fragment scan packets so that no single fragment contains a complete, recognizable probe, aiming to slip past a simple packet filter that inspects individual packets. As an analysis, why can fragmentation sometimes evade a stateless filtering device?
- The filter automatically encrypts each fragment
- Fragmentation increases the switch's CAM table capacity
- Fragmentation forces the resolver to randomize its transaction ID
- The filter may pass individual fragments because no single fragment matches a blocking rule, while the host reassembles the full probe
Correct answer: The filter may pass individual fragments because no single fragment matches a blocking rule, while the host reassembles the full probe
Saying the filter may pass individual fragments while the host reassembles the full probe is correct because a stateless device judging each fragment in isolation may not recognize the threat that only appears once the target reassembles them. Fragmentation does not encrypt fragments, change CAM capacity, or affect DNS transaction IDs, so the other options are incorrect.
- A defender reviews captures and notices an internal host making frequent, regularly timed DNS queries for unusually long, random-looking subdomain labels under a single external domain. As an analysis, which malicious activity does this pattern most strongly suggest?
- DNS tunneling used as a covert channel to evade the perimeter firewall
- A legitimate software update download
- Normal recursive resolution of popular websites
- An increase in cache hits for static content
Correct answer: DNS tunneling used as a covert channel to evade the perimeter firewall
Saying DNS tunneling used as a covert channel is correct because encoding data into long, random subdomain labels sent at regular intervals is a hallmark of smuggling traffic through allowed DNS to bypass the firewall. A legitimate update, normal website resolution, and increased cache hits do not produce streams of long random subdomain queries, so the other options do not fit the pattern.
- A web application passes user-supplied input directly into a backend database query without sanitization, allowing an attacker to alter the structure of the query by submitting characters like a single quote. Which web application attack does this describe?
- ARP poisoning
- SQL injection
- Banner grabbing
- MAC flooding
Correct answer: SQL injection
SQL injection is correct because it occurs when untrusted input is concatenated into a database query, letting an attacker change the query's logic by injecting characters such as quotes or SQL keywords. ARP poisoning manipulates Layer 2 address mappings, banner grabbing reads service identification strings, and MAC flooding exhausts a switch's CAM table, none of which involve tampering with a database query through application input.
- An attacker injects a malicious script into a comment field of a forum, and the script later runs in the browsers of other users who view that comment because the application stores and redisplays the input. Which specific variant of cross-site scripting is this?
- DOM-based XSS
- Reflected XSS
- Stored XSS
- Self XSS
Correct answer: Stored XSS
Stored XSS is correct because the malicious script is persistently saved on the server, in this case in the forum's stored comment, and is served back to every user who views the affected page. Reflected XSS bounces the payload back immediately from a single request, DOM-based XSS executes entirely client-side without the payload reaching the server, and self XSS requires tricking a user into pasting code into their own console, none of which match a payload saved and redisplayed to many visitors.
- A user who is already authenticated to their bank clicks a malicious link that silently submits a funds-transfer request to the bank using the user's existing session, with no script execution required. Which web application attack is being exploited?
- SQL injection
- Directory traversal
- Clickjacking
- Cross-site request forgery
Correct answer: Cross-site request forgery
Cross-site request forgery is correct because it tricks a victim's browser into sending an unwanted authenticated request to a site where the victim is already logged in, abusing the automatically attached session cookie. SQL injection targets the database through input, directory traversal abuses file paths to reach unauthorized files, and clickjacking overlays hidden UI elements, none of which describe forcing the victim's authenticated browser to submit a forged state-changing request.
- A penetration tester references a widely used awareness document that lists the most critical web application security risks, such as broken access control and injection, to structure a web app assessment. Which framework is the tester using?
- MITRE ATT&CK
- OWASP Top 10
- NIST 800-53
- PCI DSS
Correct answer: OWASP Top 10
OWASP Top 10 is correct because it is the standard awareness list of the most critical web application security risks, including injection and broken access control, and is commonly used to scope web app testing. MITRE ATT&CK catalogs adversary tactics and techniques broadly, NIST 800-53 is a security and privacy controls catalog, and PCI DSS governs payment card data, none of which is the canonical web application risk top-ten list.
- A web application builds a file path from user input, and an attacker supplies a value containing repeated ../ sequences to read /etc/passwd outside the intended web directory. Which attack does this represent?
- Session fixation
- Cross-site scripting
- Directory traversal
- DNS spoofing
Correct answer: Directory traversal
Directory traversal is correct because it abuses unsanitized path input, using sequences like ../ to escape the intended directory and access files such as /etc/passwd elsewhere on the server. Cross-site scripting injects browser-executed scripts, session fixation forces a known session ID on a victim, and DNS spoofing falsifies name resolution, none of which involve walking the file system through manipulated path input.
- An attacker probes a login form by entering ' OR '1'='1 as the username and observes that they are logged in without valid credentials. What does this successful result most directly demonstrate?
- The application uses strong parameterized queries
- The application is vulnerable to SQL injection authentication bypass
- The web server is misconfigured for directory listing
- The session cookie lacks the HttpOnly flag
Correct answer: The application is vulnerable to SQL injection authentication bypass
SQL injection authentication bypass is correct because the payload ' OR '1'='1 makes the WHERE clause always evaluate true, returning a row and authenticating the attacker without valid credentials, which only succeeds when input is not safely parameterized. Strong parameterized queries would have neutralized the payload, directory listing concerns server file exposure, and a missing HttpOnly flag relates to cookie theft via script, none of which explain logging in through a tautology in the query.
- A developer wants to eliminate SQL injection in a data-access layer. Which countermeasure most directly prevents user input from altering the structure of a SQL query?
- Enabling HTTPS for all traffic
- Increasing the database connection pool size
- Using parameterized queries with bound variables
- Hashing all stored passwords with bcrypt
Correct answer: Using parameterized queries with bound variables
Parameterized queries with bound variables are correct because they separate the query's code from the data, so user input is treated strictly as a value and can never change the query's structure. Enabling HTTPS protects data in transit, increasing the connection pool affects performance, and hashing passwords protects stored credentials, none of which stops injected input from altering query logic.
- During a web app test, an attacker submits a script through a vulnerable parameter that reads document.cookie and sends it to an attacker-controlled server. What is the primary goal of this cross-site scripting payload?
- To overflow a memory buffer on the server
- To poison the ARP cache of the gateway
- To brute-force the victim's password
- To steal the victim's session cookie
Correct answer: To steal the victim's session cookie
Stealing the victim's session cookie is correct because the script reads document.cookie and exfiltrates it to an attacker server, enabling session hijacking of the victim's authenticated session. Overflowing a memory buffer is a binary exploitation technique, poisoning the ARP cache is a Layer 2 network attack, and brute-forcing a password guesses credentials, none of which describe a browser-side script harvesting and sending the cookie.
- A security team adds the HttpOnly attribute to all session cookies in a web application. Which web application threat does this control most directly mitigate?
- SQL injection of the login query
- Cross-site scripting reading the cookie via JavaScript
- Directory traversal to configuration files
- Brute-force attacks against the password field
Correct answer: Cross-site scripting reading the cookie via JavaScript
Cross-site scripting reading the cookie via JavaScript is correct because the HttpOnly attribute prevents client-side scripts from accessing the cookie through document.cookie, blocking the cookie theft that XSS payloads typically attempt. SQL injection is mitigated by parameterized queries, directory traversal is mitigated by path validation, and brute-force is mitigated by lockouts or rate limiting, none of which are addressed by marking a cookie HttpOnly.
- An ethical hacker tests a search box by submitting a unique string with HTML tags and immediately sees that string rendered as active markup in the response page for that same request only. Which type of cross-site scripting is most likely present?
- Stored XSS
- Blind SQL injection
- Reflected XSS
- CSRF
Correct answer: Reflected XSS
Reflected XSS is correct because the injected input is echoed back and executed within the immediate response to that single request without being persistently stored. Stored XSS would persist the payload server-side and serve it to other users later, blind SQL injection targets a database with no visible output, and CSRF forces authenticated requests rather than reflecting script, none of which match input executing only in the response to the same request.
- A tester submits a SQL injection payload but the application returns identical responses whether the injected condition is true or false, except that a true condition causes a measurable delay because the payload calls a sleep function. Which SQL injection technique is being used?
- Union-based SQL injection
- Error-based SQL injection
- Time-based blind SQL injection
- Second-order SQL injection
Correct answer: Time-based blind SQL injection
Time-based blind SQL injection is correct because when the application gives no visible data or error differences, the attacker infers true or false conditions by triggering a deliberate database delay and measuring the response time. Union-based injection appends a UNION SELECT to return data directly, error-based injection extracts data through database error messages, and second-order injection executes a stored payload later, none of which rely on measuring response delays to infer results.
- A web application reflects an attacker-controlled value into a page, but the malicious script never reaches the server because it is processed entirely by client-side JavaScript that writes the value into the page via innerHTML. Which class of cross-site scripting is this?
- DOM-based XSS
- Stored XSS
- Reflected XSS
- Server-side template injection
Correct answer: DOM-based XSS
DOM-based XSS is correct because the vulnerability and execution occur entirely within the browser's Document Object Model when client-side script writes untrusted data into the page, with the payload never being sent to or processed by the server. Stored and reflected XSS both involve the server handling the payload, and server-side template injection executes within a server template engine, none of which describe a purely client-side DOM sink causing execution.
- An attacker places a transparent iframe of a banking transfer page over a deceptive game and tricks users into clicking buttons that actually perform actions on the hidden bank page. Which web application attack is this, and which header best defends against it?
- Clickjacking, defended by X-Frame-Options or frame-ancestors
- SQL injection, defended by input length limits
- Cross-site scripting, defended by output encoding
- Directory traversal, defended by chroot jails
Correct answer: Clickjacking, defended by X-Frame-Options or frame-ancestors
Clickjacking defended by X-Frame-Options or frame-ancestors is correct because the attack overlays a hidden framed page to hijack clicks, and framing controls like the X-Frame-Options header or the Content-Security-Policy frame-ancestors directive prevent the page from being embedded in a malicious frame. SQL injection involves database input, XSS involves script execution, and directory traversal involves file paths, and none of their listed defenses address being loaded inside a hostile iframe.
- A web application accepts a parameter that is used to fetch a remote URL on the server side, and an attacker manipulates it to make the server request an internal metadata endpoint at 169.254.169.254. Which web application vulnerability is being exploited?
- Cross-site request forgery
- Cross-site scripting
- Server-side request forgery
- SQL injection
Correct answer: Server-side request forgery
Server-side request forgery is correct because the attacker abuses a server-side URL-fetching feature to make the server itself issue requests to internal resources such as cloud metadata endpoints. Cross-site request forgery abuses the victim's browser rather than the server, cross-site scripting executes scripts in a victim's browser, and SQL injection targets a database query, none of which describe coercing the server to make attacker-chosen requests.
- An attacker wants to defeat a CSRF protection that relies on an unpredictable token embedded in each form. Which condition would most undermine the effectiveness of an anti-CSRF token?
- The token is unique per session and validated on every state-changing request
- The token value is readable by an attacker through an XSS flaw on the same site
- The token is rotated after each successful submission
- The token is delivered only in the page body and never in the URL
Correct answer: The token value is readable by an attacker through an XSS flaw on the same site
The token being readable by an attacker through an XSS flaw is correct because if cross-site scripting on the same origin can read the anti-CSRF token, the attacker can include the valid token in forged requests and bypass the protection entirely. A token that is per-session and validated, rotated after submission, or kept out of the URL all strengthen CSRF defenses rather than undermine them, so those conditions would not defeat the token.
- A penetration tester finds that a web server reveals its full directory contents when no index file is present, exposing backup files and scripts to anyone browsing a folder. Which web server security weakness does this represent?
- Cross-site scripting
- Directory listing (directory browsing) enabled
- SQL injection
- Session fixation
Correct answer: Directory listing (directory browsing) enabled
Directory listing enabled is correct because when directory browsing is turned on and no default document exists, the web server displays the contents of the folder, exposing files such as backups and scripts that should not be publicly enumerable. Cross-site scripting involves browser script execution, SQL injection targets the database, and session fixation forces a session ID on a victim, none of which describe a server exposing a folder's file listing.
- While assessing a web application, a tester maps its structure, identifies entry points, and analyzes how the server handles parameters before launching attacks. Which phase of the web application hacking methodology does this describe?
- Covering tracks by clearing logs
- Cracking the WPA2 handshake
- Escalating privileges on the domain controller
- Footprinting the web infrastructure and analyzing the application
Correct answer: Footprinting the web infrastructure and analyzing the application
Footprinting the web infrastructure and analyzing the application is correct because the early stage of web application hacking focuses on discovering the application's structure, entry points, and parameter handling to inform later attacks. Clearing logs is a post-exploitation covering-tracks activity, cracking a WPA2 handshake is a wireless attack, and escalating privileges on a domain controller is a system or network hacking step, none of which describe mapping and analyzing a web application.
- A developer mitigates stored cross-site scripting in a comment system. Which technique most directly prevents the stored input from executing as script when displayed?
- Encrypting the database at rest
- Output encoding the data in the appropriate HTML context
- Adding a CAPTCHA to the login page
- Disabling TRACE on the web server
Correct answer: Output encoding the data in the appropriate HTML context
Output encoding the data in the appropriate HTML context is correct because converting characters such as angle brackets into their HTML entities ensures stored input is rendered as inert text rather than executed as markup or script. Encrypting the database protects data at rest, a login CAPTCHA deters automated logins, and disabling TRACE mitigates cross-site tracing, none of which stop stored content from running as script in the browser.
- An attacker submits a payload that appends UNION SELECT username, password FROM users to a vulnerable query and sees the credentials appear in the application's normal output. Which SQL injection technique is being demonstrated?
- Boolean-based blind injection
- Out-of-band injection
- Union-based injection
- Time-based blind injection
Correct answer: Union-based injection
Union-based injection is correct because it uses the SQL UNION operator to append the results of an attacker-controlled SELECT to the legitimate query, causing the extracted data to appear directly in the application's visible output. Boolean-based and time-based blind injection infer data indirectly when no output is returned, and out-of-band injection exfiltrates through a separate channel such as DNS, none of which return the data inline via a UNION.
- A bank's web app is found to perform a sensitive money transfer through a simple GET request with predictable parameters and no anti-CSRF token. Which single control would most effectively close this CSRF exposure?
- Requiring an unpredictable per-request anti-CSRF token validated server-side
- Forcing all users to use a longer password
- Encoding all output to prevent script execution
- Restricting file path input to prevent traversal
Correct answer: Requiring an unpredictable per-request anti-CSRF token validated server-side
Requiring an unpredictable per-request anti-CSRF token validated server-side is correct because it ensures a forged cross-site request cannot include the secret token, so the server rejects state-changing requests that the victim's browser did not legitimately originate. Longer passwords address credential strength, output encoding addresses XSS, and path input restriction addresses directory traversal, none of which prevent a forged authenticated request from being accepted.
- An attacker exploits a file upload feature on a web application by uploading a .php file disguised with a double extension, then browses to it to execute server-side code. Which web application weakness made this possible?
- Missing HttpOnly flag on the session cookie
- Unrestricted file upload allowing executable content
- Weak TLS cipher suite negotiation
- ARP cache poisoning on the LAN
Correct answer: Unrestricted file upload allowing executable content
Unrestricted file upload allowing executable content is correct because failing to validate file type, content, and storage location lets an attacker upload server-executable code such as a PHP web shell and then run it by requesting the file. A missing HttpOnly flag relates to cookie theft, weak TLS ciphers concern transport encryption, and ARP cache poisoning is a Layer 2 network attack, none of which explain executing uploaded code on the server.
- A tester reviews a URL like https://shop.example/account?id=1003 and changes the value to 1004, gaining access to another customer's account details with no additional check. Which web application vulnerability does this illustrate?
- Reflected cross-site scripting
- SQL injection via the id parameter
- Insecure direct object reference (broken access control)
- Server-side request forgery
Correct answer: Insecure direct object reference (broken access control)
Insecure direct object reference is correct because the application exposes an internal object identifier and fails to enforce authorization, letting an attacker access another user's data simply by changing the reference value. Reflected XSS requires script execution in the response, SQL injection requires altering a database query, and server-side request forgery coerces the server to make requests, none of which describe accessing another record purely by incrementing an exposed ID without an access check.
- An ethical hacker wants to enumerate hidden directories and files on a target web server, such as /admin or /backup, that are not linked anywhere on the site. Which technique is most appropriate?
- ARP poisoning
- Forced browsing (directory and file brute-forcing)
- WEP cracking
- SNMP community string guessing
Correct answer: Forced browsing (directory and file brute-forcing)
Forced browsing is correct because it brute-forces likely directory and file names against the web server to discover unlinked resources such as admin panels or backups. ARP poisoning is a Layer 2 sniffing attack, WEP cracking targets wireless encryption, and SNMP community string guessing enumerates network devices, none of which discover hidden paths on a web server.
- A web application stores user-supplied data and only later, when that data is processed by a different routine, does an injected SQL payload execute against the database. Which SQL injection variant is this?
- Error-based injection
- Union-based injection
- Time-based blind injection
- Second-order (stored) SQL injection
Correct answer: Second-order (stored) SQL injection
Second-order SQL injection is correct because the malicious input is first stored safely and only triggers the injection later when a separate part of the application uses that stored data in a query without re-sanitizing it. Error-based, union-based, and time-based injection all execute at the moment of the initial request rather than being stored and detonating in a later operation, so none describe this delayed, stored behavior.
- A web server is found running with verbose error pages that disclose stack traces, software versions, and internal file paths to anyone who triggers an error. From an attacker's perspective, what is the primary value of this misconfiguration?
- It encrypts traffic so it cannot be intercepted
- It prevents session hijacking by rotating tokens
- It provides reconnaissance information that aids further targeted attacks
- It blocks SQL injection by hiding query syntax
Correct answer: It provides reconnaissance information that aids further targeted attacks
Providing reconnaissance information that aids further targeted attacks is correct because detailed error output reveals technology versions, internal paths, and code behavior that an attacker can use to tailor exploits. Verbose errors do not encrypt traffic, do not rotate session tokens, and certainly do not block SQL injection; if anything they leak the query details that make injection easier, so none of the other options describe their effect.
- A penetration tester is selecting a tool to intercept, inspect, and modify HTTP requests between the browser and a web application during a web app assessment. Which tool is purpose-built for this?
- Burp Suite (intercepting proxy)
- Aircrack-ng
- John the Ripper
- Nmap
Correct answer: Burp Suite (intercepting proxy)
Burp Suite is correct because it functions as an intercepting web proxy that lets a tester capture, inspect, and modify HTTP and HTTPS requests and responses while testing a web application. Aircrack-ng cracks wireless keys, John the Ripper cracks password hashes offline, and Nmap maps networks and ports, none of which are designed to proxy and manipulate web application traffic.
- A web application includes user input inside a server-side template, and an attacker submits {{7*7}} and sees 49 returned in the page. Which vulnerability has the attacker just confirmed?
- Reflected cross-site scripting
- Directory traversal
- Server-side template injection
- Open redirect
Correct answer: Server-side template injection
Server-side template injection is correct because the template engine evaluating {{7*7}} into 49 proves attacker input is being processed as template code on the server, which can escalate to remote code execution. Reflected XSS would execute script in the browser rather than evaluate math server-side, directory traversal manipulates file paths, and an open redirect sends users to arbitrary URLs, none of which would cause the server to compute and return 49 from injected template syntax.
- An attacker abuses a web app feature that takes a url parameter and redirects the user, crafting a link that appears to point to the trusted site but forwards victims to a phishing page. Which web application flaw is being exploited?
- SQL injection
- Cross-site request forgery
- Buffer overflow
- Unvalidated redirects and forwards (open redirect)
Correct answer: Unvalidated redirects and forwards (open redirect)
Unvalidated redirects and forwards is correct because the application redirects to a user-controlled destination without validating it, letting an attacker leverage the trusted domain to send victims to a malicious site. SQL injection targets a database query, cross-site request forgery forces authenticated actions, and a buffer overflow corrupts memory, none of which describe abusing a redirect parameter to forward users to an attacker-chosen URL.
- During web app testing, a tester finds the application uses the same session identifier before and after login and that the ID can be set via a URL parameter. An attacker who fixes a victim's session ID then waits for them to authenticate. Which attack is this?
- Session fixation
- SQL injection
- MAC flooding
- DNS poisoning
Correct answer: Session fixation
Session fixation is correct because the attacker forces a known session identifier onto the victim before authentication, and because the application does not regenerate the ID at login, the attacker can reuse that fixed ID to hijack the now-authenticated session. SQL injection targets a database, MAC flooding attacks a switch, and DNS poisoning falsifies name resolution, none of which involve pre-setting and reusing a victim's web session ID.
- A web application firewall is deployed to inspect HTTP requests and block patterns associated with injection and scripting attacks. At which layer of the OSI model does a WAF primarily operate?
- Data link layer (Layer 2)
- Network layer (Layer 3)
- Application layer (Layer 7)
- Physical layer (Layer 1)
Correct answer: Application layer (Layer 7)
Application layer (Layer 7) is correct because a web application firewall inspects and filters HTTP and HTTPS traffic by understanding application-layer content such as parameters and payloads to detect web attacks. The data link, network, and physical layers handle MAC addressing, IP routing, and raw transmission respectively, none of which is where a WAF examines web request content.
- An attacker bypasses a basic web application firewall that blocks the keyword UNION by submitting UNiOn and inserting inline comments between keywords. Which WAF-evasion concept does this demonstrate?
- ARP cache poisoning
- Obfuscation through case variation and comment insertion
- TCP SYN flooding
- DNS zone transfer
Correct answer: Obfuscation through case variation and comment insertion
Obfuscation through case variation and comment insertion is correct because mixed-case keywords and inline comments can defeat signature-based filters that match only exact strings while the database still interprets the payload normally. ARP cache poisoning, TCP SYN flooding, and DNS zone transfer are network-layer techniques unrelated to disguising a web injection payload to slip past a WAF signature.
- A web application returns generic error messages on injection attempts but its behavior changes subtly based on injected true or false conditions, letting an attacker extract data one bit at a time by observing different responses. Which SQL injection technique is this?
- Boolean-based blind SQL injection
- Union-based SQL injection
- Error-based SQL injection
- Out-of-band SQL injection
Correct answer: Boolean-based blind SQL injection
Boolean-based blind SQL injection is correct because when no data or detailed errors are returned, the attacker injects conditions that change the application's response between two states and infers data bit by bit from those differences. Union-based injection returns data inline, error-based injection relies on visible error text, and out-of-band injection uses an external channel, none of which describe inferring data from true-versus-false response differences.
- An ethical hacker wants to automate the detection and exploitation of SQL injection flaws across many parameters of a web application. Which tool is specifically designed for this purpose?
- Wireshark
- Hydra
- Sqlmap
- Nikto
Correct answer: Sqlmap
sqlmap is correct because it is the dedicated open-source tool that automates the detection and exploitation of SQL injection vulnerabilities, including data extraction and database fingerprinting. Wireshark is a packet analyzer, Hydra is an online password brute-forcer, and Nikto is a web server vulnerability scanner, none of which is purpose-built to automate SQL injection exploitation.
- A web application includes a parameter that is inserted unencoded into a JavaScript event handler attribute in the response, so a tester must craft a payload that breaks out of the attribute context to execute script. What does the need to break out of a specific context most clearly indicate about defending against XSS?
- Output encoding must be context-aware (HTML, attribute, JavaScript, URL)
- A single global input filter is always sufficient
- Only stored data needs encoding, not reflected data
- Encoding is unnecessary if HTTPS is enabled
Correct answer: Output encoding must be context-aware (HTML, attribute, JavaScript, URL)
Context-aware output encoding is correct because injected data can land in HTML body, attribute, JavaScript, or URL contexts, each requiring its own encoding rules, so defenses must match the output context to be effective. A single global filter misses context-specific escapes, both stored and reflected data require encoding, and HTTPS only protects data in transit rather than preventing script execution, so none of the other options correctly address context-specific XSS defense.
- A penetration tester scans a web server and finds it is running an outdated version of the HTTP server software with several known, published vulnerabilities. Which web server hacking step does identifying the exact software and version support?
- Clearing the web server access logs
- Web server footprinting to match the version against known exploits
- Performing a deauthentication attack
- Encrypting the server's stored data
Correct answer: Web server footprinting to match the version against known exploits
Web server footprinting to match the version against known exploits is correct because identifying the precise server software and version lets the attacker look up published vulnerabilities and select a matching exploit. Clearing access logs is a covering-tracks step, a deauthentication attack is wireless, and encrypting stored data is a defensive measure, none of which describe fingerprinting the web server to find applicable exploits.
- A web developer implements a Content Security Policy that restricts scripts to those served from the same origin and disallows inline script. Which web application attack class is this policy primarily intended to reduce?
- SQL injection
- Directory traversal
- Cross-site scripting
- Brute-force login attacks
Correct answer: Cross-site scripting
Cross-site scripting is correct because a Content Security Policy that whitelists script sources and blocks inline script makes it much harder for injected scripts to execute, directly reducing XSS impact. SQL injection is addressed by parameterized queries, directory traversal by path validation, and brute-force attacks by lockouts and rate limiting, none of which a script-source CSP is designed to control.
- A login form is vulnerable to SQL injection, and an attacker terminates the original query and comments out the rest by submitting admin'-- as the username. What is the purpose of the -- sequence in this payload?
- It encrypts the injected portion of the query
- It comments out the remainder of the original SQL statement
- It escapes the input so it is treated as plain text
- It opens a reverse shell to the attacker
Correct answer: It comments out the remainder of the original SQL statement
Commenting out the remainder of the original SQL statement is correct because the SQL comment marker -- causes the database to ignore everything after the injected portion, such as a password check, allowing the attacker to log in as admin. The sequence does not encrypt the query, it does not safely escape input, and it does not by itself open a shell, so none of the other options describe what the comment marker does.
- A web application is found to deserialize attacker-controlled data without validation, and a tester crafts a serialized object that triggers code execution when the server reconstructs it. Which web application vulnerability is this?
- Cross-site scripting
- Open redirect
- Insecure deserialization
- Session fixation
Correct answer: Insecure deserialization
Insecure deserialization is correct because the server reconstructs untrusted serialized data without validation, allowing a crafted object to alter application logic or execute code during deserialization. Cross-site scripting executes in the browser, an open redirect forwards users to arbitrary URLs, and session fixation reuses a forced session ID, none of which involve abusing the object reconstruction process on the server.
- A tester observes that an application's anti-CSRF defense relies on checking that the Referer header matches the site's domain. Why is this approach considered weaker than a synchronizer token?
- The Referer header can be absent or stripped, leading to bypass or broken functionality
- The Referer header is encrypted and cannot be read by the server
- The Referer header changes the database query structure
- The Referer header automatically enables HttpOnly cookies
Correct answer: The Referer header can be absent or stripped, leading to bypass or broken functionality
The Referer header being absent or stripped is correct because privacy settings, proxies, and certain navigations remove the header, so the application must either fail open and allow the request or break legitimate traffic, making Referer checking unreliable compared with a secret synchronizer token. The Referer header is not encrypted from the server, does not alter query structure, and has nothing to do with enabling HttpOnly cookies, so none of the other options explain its weakness.
- An attacker exploits a directory traversal flaw to read a web application's configuration file containing database credentials. After confirming the read, what is the most logical next escalation an ethical hacker would document?
- Use the recovered database credentials to access the database directly
- Launch a wireless deauthentication attack against the server
- Perform ARP poisoning to capture the credentials again
- Crack the WPA2 handshake to reach the database
Correct answer: Use the recovered database credentials to access the database directly
Using the recovered database credentials to access the database directly is correct because once traversal exposes valid credentials, the natural escalation within web application hacking is to leverage those credentials to reach the backing data store. A wireless deauthentication attack and WPA2 cracking are wireless techniques, and ARP poisoning is a network sniffing attack, none of which logically follow from already possessing plaintext credentials read from a config file.
- A web application reflects user input into an HTML page and a tester confirms reflected XSS, but a same-site colleague argues it is low risk because it is not stored. From an attacker's standpoint, how is reflected XSS typically weaponized despite not being persistent?
- By waiting for any visitor to load the page and run the stored script
- By poisoning the server's ARP cache to redirect traffic
- By brute-forcing the application's admin password
- By delivering a crafted malicious link to a victim who then triggers the payload
Correct answer: By delivering a crafted malicious link to a victim who then triggers the payload
Delivering a crafted malicious link to a victim is correct because reflected XSS executes when a targeted user follows an attacker-supplied URL containing the payload, so it is weaponized through phishing-style link delivery rather than persistence. Waiting for any visitor describes stored XSS, ARP cache poisoning is a network attack, and brute-forcing the admin password is a credential attack, none of which is how reflected XSS is delivered.
- A web application serves documents through a filename parameter, and a developer must stop directory traversal while still allowing legitimate file downloads. Which approach most effectively prevents traversal while preserving functionality?
- Trusting the client to send only valid filenames
- Logging every download request for later review
- Lengthening the session timeout for download pages
- Canonicalizing the path and validating it against an allowlist within the intended directory
Correct answer: Canonicalizing the path and validating it against an allowlist within the intended directory
Canonicalizing the path and validating it against an allowlist within the intended directory is correct because resolving the final path and confirming it stays inside the approved folder defeats ../ sequences and encoded variants while still serving permitted files. Trusting the client provides no protection, logging requests only records abuse after the fact, and lengthening the session timeout is unrelated to file path security, so none of those options prevent traversal.
- A tester reviewing why WEP allows attackers to forge and modify encrypted frames without knowing the key learns that WEP protects frame integrity with a linear CRC-32 checksum called the Integrity Check Value. Why does this design choice let an attacker tamper with WEP frames undetected?
- Because CRC-32 is a linear, unkeyed checksum, so an attacker can flip ciphertext bits and predictably adjust the ICV so the altered frame still validates
- Because the ICV is encrypted with a separate RSA key the attacker can factor
- Because the ICV is transmitted in a beacon frame the access point signs
- Because CRC-32 requires the access point to share its private key with every client
Correct answer: Because CRC-32 is a linear, unkeyed checksum, so an attacker can flip ciphertext bits and predictably adjust the ICV so the altered frame still validates
A linear unkeyed CRC-32 allowing predictable bit-flipping is correct because WEP's Integrity Check Value is a non-cryptographic checksum with no secret key, so an attacker can flip bits in the ciphertext and compute the corresponding ICV change, producing a modified frame the receiver still accepts as valid. The ICV is not protected by an RSA key, is not carried in a signed beacon, and WEP uses a symmetric RC4 key rather than a shared private key, so the other options misstate the integrity flaw.
- An access point advertises WPA2 with the AES-CCMP cipher, while an older one offers WPA with TKIP. A tester needs to explain to the client which cipher provides genuinely modern confidentiality and integrity. Which statement is accurate?
- AES-CCMP provides authenticated encryption based on the AES block cipher, whereas TKIP is a transitional wrapper around the legacy RC4 stream cipher
- TKIP uses the AES block cipher while CCMP uses RC4, making TKIP stronger
- Both TKIP and CCMP rely on WEP's 24-bit initialization vector with no improvement
- CCMP transmits the passphrase in each frame while TKIP does not
Correct answer: AES-CCMP provides authenticated encryption based on the AES block cipher, whereas TKIP is a transitional wrapper around the legacy RC4 stream cipher
AES-CCMP being AES-based authenticated encryption while TKIP wraps RC4 is correct because CCMP uses the AES block cipher in counter mode with CBC-MAC to deliver both confidentiality and integrity, while TKIP was a stopgap that layered fixes onto the old RC4 stream cipher and is now deprecated. Option B reverses the cipher assignments, claiming TKIP uses AES while CCMP uses RC4, which is wrong. Neither modern cipher reuses WEP's 24-bit IV unchanged, and no WPA2 cipher transmits the passphrase per frame, so the other options are wrong.
- After capturing a WPA2 handshake, a tester explains that the pairwise transient key the client and access point derive is computed from several inputs run through a pseudorandom function. Besides the pairwise master key, which combination of inputs feeds that PTK derivation?
- The SSID and the channel number only
- The DHCP lease time and the router's serial number
- The client nonce, the access point nonce, and both device MAC addresses
- The RADIUS shared secret and the beacon interval
Correct answer: The client nonce, the access point nonce, and both device MAC addresses
Combining both nonces and both MAC addresses is correct because WPA2 derives the pairwise transient key by feeding the pairwise master key together with the client and access point nonces and the two station MAC addresses into a pseudorandom function, which is exactly why capturing the handshake exposes those public inputs for offline guessing. The channel number, DHCP lease, router serial, RADIUS secret, and beacon interval are not inputs to the PTK derivation, so the other options are incorrect.
- A penetration tester needs to test a captured WPA2 handshake against a precomputed pairwise-master-key table that was already generated for the target SSID. Which tool is designed to run a captured handshake against such a precomputed table for fast verification?
- Nikto
- TheHarvester
- Responder
- Cowpatty
Correct answer: Cowpatty
cowpatty is correct because it can perform a WPA2-PSK dictionary attack and, when paired with a genpmk-built precomputed table for the target SSID, test a captured handshake against those prehashed pairwise master keys very quickly. Nikto scans web servers, theHarvester gathers OSINT such as emails and subdomains, and Responder poisons LLMNR and NBT-NS on a LAN, so none of those test a WPA2 handshake against a precomputed PMK table.
- A tester explains that capturing a WPA2 four-way handshake reveals only public values, yet an offline crack can still confirm a guessed passphrase. What lets the attacker verify whether a candidate passphrase is correct without ever seeing the key transmitted?
- The handshake includes a copy of the passphrase encrypted with the candidate key
- The attacker derives a candidate key from the guess and checks whether it reproduces the captured Message Integrity Code on a handshake frame
- The access point replies with a success or failure message visible in the capture
- The handshake contains the SHA-256 hash of the plaintext passphrase to compare against
Correct answer: The attacker derives a candidate key from the guess and checks whether it reproduces the captured Message Integrity Code on a handshake frame
Reproducing the captured Message Integrity Code is correct because the attacker turns each guessed passphrase into a candidate pairwise key, uses it to recompute the MIC over a captured EAPOL frame, and a match means the guess is the real passphrase, all done offline. The passphrase is never encrypted into the handshake, the AP does not leave a usable success or failure marker for offline guessing, and no plaintext-passphrase hash is sent, so the other options are wrong.
- A tester compares two disruptive wireless techniques: one forges 802.11 deauthentication management frames spoofing the access point, and the other blasts raw radio energy across the channel. What is the key distinction between a deauthentication attack and an RF jamming attack?
- Deauthentication forges protocol-level management frames to evict clients, while RF jamming overwhelms the channel with raw radio noise regardless of protocol
- Both attacks require the attacker to first crack the WPA2 passphrase
- Deauthentication operates at the radio layer while jamming operates at the application layer
- RF jamming only affects WEP networks while deauthentication only affects WPA3 networks
Correct answer: Deauthentication forges protocol-level management frames to evict clients, while RF jamming overwhelms the channel with raw radio noise regardless of protocol
Deauth forging management frames versus jamming flooding raw noise is correct because a deauthentication attack abuses the 802.11 management-frame protocol to tell clients to disconnect, whereas RF jamming simply saturates the frequency with interference that blocks any communication regardless of encryption or protocol. Neither requires cracking the passphrase, deauthentication is a protocol-layer attack rather than radio-layer, and both techniques can affect networks regardless of WEP or WPA3, so the other options are incorrect.
- A tester wants to differentiate a legitimate access point from an evil twin that is broadcasting an identical SSID. Beyond the matching network name, which observable characteristic most reliably reveals that two access points sharing one SSID are physically different radios?
- They will always advertise different SSIDs once a client connects
- Their BSSID (the access point MAC address) will differ between the genuine AP and the impostor
- The evil twin cannot transmit beacon frames at all
- The legitimate access point stops responding to probe requests when an impostor appears
Correct answer: Their BSSID (the access point MAC address) will differ between the genuine AP and the impostor
Differing BSSIDs is correct because while an evil twin can copy the human-readable SSID, each radio still has its own BSSID, the access point's MAC address advertised in beacons, so a defender or tool comparing BSSIDs (and signal characteristics) can spot that two distinct radios share one network name. The impostor does not later change its SSID, an evil twin must transmit beacons to attract clients, and the legitimate AP does not stop answering probes because an impostor exists, so the other options are wrong.
- A tester explains that a deauthentication attack and a disassociation attack both abuse 802.11 management frames to disconnect clients, but they correspond to different states. What does sending a disassociation frame specifically tell the client to do?
- To leave the associated state with the access point while potentially remaining authenticated, breaking the active connection
- To completely restart its wireless adapter hardware
- To upgrade its encryption from WPA2 to WPA3 immediately
- To broadcast its saved passphrase to nearby radios
Correct answer: To leave the associated state with the access point while potentially remaining authenticated, breaking the active connection
Leaving the associated state is correct because in 802.11 a station first authenticates and then associates, and a forged disassociation frame terminates the association so the client loses its working connection, similar in effect to deauthentication but targeting the association stage. A disassociation frame does not restart adapter hardware, does not trigger a WPA3 upgrade, and never causes the client to broadcast its passphrase, so the other options are incorrect.
- A red teamer needs a high-gain directional antenna instead of the laptop's built-in omnidirectional antenna to attack a target access point from across a large parking lot. Why does the directional antenna improve the wireless attack at long range?
- It decrypts WPA2 frames automatically as it receives them
- It focuses transmit and receive energy in one direction, increasing effective range and signal strength toward the distant target
- It changes the attacker's MAC address to bypass filtering
- It forces the target access point to lower its own encryption
Correct answer: It focuses transmit and receive energy in one direction, increasing effective range and signal strength toward the distant target
Focusing energy in one direction is correct because a high-gain directional antenna concentrates the radio pattern toward the target, boosting effective range and the received and transmitted signal strength so the attacker can capture frames and inject at distances an omnidirectional antenna could not reach. The antenna does not decrypt frames, does not alter the MAC address, and cannot force the access point to weaken its encryption, so the other options are wrong.
- A tester wants to capture a WPA2 handshake but the target network has only a single client that rarely reconnects on its own. Which action most directly increases the chance of observing a four-way handshake during the limited engagement window?
- Performing a WHOIS lookup on the access point's IP address
- Sending a spoofed deauthentication frame to the connected client so it reauthenticates and emits a fresh handshake
- Running an SNMP walk against the wireless gateway
- Launching a SQL injection against the router's web interface
Correct answer: Sending a spoofed deauthentication frame to the connected client so it reauthenticates and emits a fresh handshake
Sending a spoofed deauthentication frame is correct because forcing the lone client off the network makes it reconnect, producing the four-way handshake the attacker needs to capture for an offline crack rather than waiting passively for a rare natural reconnection. A WHOIS lookup, an SNMP walk, and a SQL injection target internet registration data, device enumeration, and web databases respectively, none of which trigger an 802.11 reassociation, so the other options are incorrect.
- A tester is investigating WPA3-Personal's resistance to offline cracking and explains how the SAE handshake converts a password into a starting point on an elliptic curve before the key exchange. What is this password-to-curve-point conversion step commonly called?
- The four-way EAPOL exchange
- The WPS registrar negotiation
- The RC4 keystream initialization
- The hunting-and-pecking (hash-to-element) password-element derivation
Correct answer: The hunting-and-pecking (hash-to-element) password-element derivation
The hunting-and-pecking password-element derivation is correct because WPA3's SAE converts the shared password into a cryptographic password element on the elliptic curve through a hash-to-element process historically called hunting and pecking, and timing leaks in early implementations of this step were a focus of the Dragonblood research. The four-way EAPOL exchange and RC4 keystream initialization belong to WPA2 and WEP, and the WPS registrar negotiation is the setup protocol, so none describe SAE's password-element step.
- A tester needs to confirm a wireless adapter is suitable for an Aircrack-ng engagement before arriving on site. Which adapter capability is the essential prerequisite for both capturing handshakes and injecting deauthentication frames?
- A built-in cellular modem for out-of-band control
- Hardware AES acceleration for faster cracking
- Support for monitor mode and packet injection in the chipset and driver
- A gigabit Ethernet port for wired fallback
Correct answer: Support for monitor mode and packet injection in the chipset and driver
Monitor mode and packet injection support is correct because capturing all 802.11 frames requires the adapter to enter monitor mode, and sending forged deauthentication or fake-authentication frames requires the chipset and driver to support raw packet injection, so both must be present for a full Aircrack-ng workflow. A cellular modem, AES acceleration, and a gigabit Ethernet port do not enable 802.11 frame capture or injection, so the other options are incorrect.
- A tester scanning an enterprise environment finds an access point broadcasting the company SSID with open authentication and no encryption, sitting alongside the real WPA2-Enterprise network. Treating it as a likely threat, why is an unauthorized open access point bridged to the internal LAN especially dangerous?
- It automatically upgrades all nearby clients to WPA3
- It provides an unauthenticated, unencrypted wireless entry point into the trusted network, bypassing the perimeter and exposing internal traffic
- It can only be reached by devices that already know the WPA2 passphrase
- It encrypts internal traffic more strongly than the legitimate network
Correct answer: It provides an unauthenticated, unencrypted wireless entry point into the trusted network, bypassing the perimeter and exposing internal traffic
Providing an unauthenticated open entry point into the trusted network is correct because a rogue open access point bridged to the internal LAN lets anyone in range join without credentials and reach internal resources, bypassing the firewall and the controls protecting the sanctioned WPA2-Enterprise network. It does not upgrade clients to WPA3, an open network requires no passphrase to join, and it weakens rather than strengthens security, so the other options are wrong.
- A tester attacking a WEP network with very little traffic uses a technique that recovers a larger block of keystream by exploiting predictable headers and the way WEP allows a frame to be split into smaller pieces, each reusing the same keystream. Which classic WEP attack does this describe?
- A pass-the-hash attack
- A Slowloris attack
- A DNS amplification attack
- The fragmentation attack against WEP
Correct answer: The fragmentation attack against WEP
The fragmentation attack against WEP is correct because it leverages known plaintext from predictable 802.11 headers and WEP's support for fragmenting a frame into pieces that share keystream, letting the attacker build up a large amount of usable keystream from minimal captured traffic to forge packets and accelerate key recovery. A pass-the-hash attack reuses credential hashes, Slowloris exhausts web-server connections, and DNS amplification is a denial-of-service technique, none of which recover WEP keystream through fragmentation.
- A penetration tester is profiling the entry points an attacker could use to compromise a smartphone. Which of the following is the broadest and most commonly exploited mobile attack surface that lets a malicious app reach the user without the device being physically handled?
- Physically desoldering the flash memory chip to read it offline
- Replacing the device's display assembly with a tampered panel
- Downloading and installing a trojanized application from an app store or third-party source
- Swapping the rear camera module for one containing a microphone
Correct answer: Downloading and installing a trojanized application from an app store or third-party source
Installing a trojanized application is correct because malicious or repackaged apps are the dominant remote mobile attack vector, reaching the victim without physical access and running inside the user's device. Desoldering flash, swapping the display, and replacing the camera all require hands-on hardware tampering, which is far narrower and not the broad app-based surface the question describes.
- An attacker takes a legitimate Android banking app, decompiles it, inserts a malicious payload that captures login credentials, then redistributes the modified version on a third-party store. What is this mobile attack technique called?
- Coil writing
- Beacon flooding
- Zone walking
- App repackaging
Correct answer: App repackaging
App repackaging is correct because the attacker decompiles a legitimate app, injects malicious code, and republishes the tampered version to trick users into installing it, a core Android attack vector. Coil writing is a Modbus OT action, beacon flooding is a wireless attack, and zone walking targets DNS records, none of which describe modifying and redistributing a mobile app.
- A security reviewer finds that an Android app writes the user's session token in cleartext to a world-readable file in external storage. Which OWASP Mobile Top 10 category does this finding map to most directly?
- Insecure data storage
- Use of strong TLS pinning
- Excessive battery optimization
- Cellular handover latency
Correct answer: Insecure data storage
Insecure data storage is correct because storing a sensitive session token in cleartext where other apps or users can read it is the classic example of this OWASP Mobile risk category. TLS pinning is a protective control rather than a weakness, and battery optimization and cellular handover latency are operational concerns, not security categories, so they do not match the finding.
- During an iOS app assessment, a tester wants to read class names and method calls from the app at runtime and hook functions to bypass a jailbreak-detection check. Which type of tool is best suited to this dynamic instrumentation task?
- A WHOIS lookup service
- A switch CAM table flooder
- A dynamic instrumentation framework such as a runtime hooking toolkit
- A DHCP starvation script
Correct answer: A dynamic instrumentation framework such as a runtime hooking toolkit
A dynamic instrumentation framework is correct because it lets the tester hook and modify a running app's functions, inspect method calls, and bypass checks like jailbreak detection during a live iOS assessment. A WHOIS lookup gathers domain data, a CAM table flooder attacks switches, and a DHCP starvation script exhausts address pools, none of which instrument a running mobile app.
- A device-management policy blocks rooted and jailbroken phones from accessing corporate email. From the defender's perspective, why is detecting a rooted or jailbroken state important before granting access?
- Rooting and jailbreaking improve the device's encryption and should be rewarded with access
- Rooted devices automatically join the carrier's premium support tier
- Jailbroken devices can no longer run any third-party software at all
- A rooted or jailbroken device has had its sandbox and integrity protections removed, so corporate data on it can be more easily accessed or exfiltrated
Correct answer: A rooted or jailbroken device has had its sandbox and integrity protections removed, so corporate data on it can be more easily accessed or exfiltrated
Removing sandbox and integrity protections is correct because rooting or jailbreaking strips the isolation and code-signing controls that normally protect data, so malware or other apps can reach corporate information, justifying the access block. The other options are false: these processes weaken rather than improve security, do not grant carrier support, and do not prevent running third-party software.
- An attacker positions a malicious Wi-Fi access point that mobile devices automatically connect to, then captures and manipulates the apps' traffic. To defend against credential theft when an app's API calls are intercepted this way, which app-side control is most effective?
- Increasing the app's icon resolution
- Certificate (SSL/TLS) pinning so the app rejects any certificate other than the expected one
- Disabling the device vibration motor
- Lowering the screen brightness while on Wi-Fi
Correct answer: Certificate (SSL/TLS) pinning so the app rejects any certificate other than the expected one
Certificate pinning is correct because pinning forces the app to trust only its expected certificate or public key, so an interception proxy presenting a different certificate is rejected, defeating the man-in-the-middle. Icon resolution, the vibration motor, and screen brightness have no bearing on whether intercepted TLS traffic can be decrypted, so they are incorrect.
- A CEH candidate must classify a strategy where an organization lets employees use their personally owned phones for work, raising the risk of mixing untrusted apps with corporate data. Which mobile deployment model is being described?
- SCADA supervisory control
- PKI cross-certification
- Modbus master/slave polling
- BYOD (Bring Your Own Device)
Correct answer: BYOD (Bring Your Own Device)
BYOD is correct because it is the model in which employees use their personal devices for work, blending unmanaged personal apps with corporate data and expanding the mobile attack surface. SCADA supervisory control and Modbus polling are OT concepts and PKI cross-certification is a cryptographic trust mechanism, so none describe a personal-device work policy.
- A mobile malware sample displays a full-screen overlay that imitates a legitimate banking login prompt whenever the real banking app is launched, capturing whatever the user types. What is this Android attack technique commonly called?
- A SYN-flood attack
- An overlay (tapjacking-style) attack
- A rainbow-table attack
- A DNS amplification attack
Correct answer: An overlay (tapjacking-style) attack
An overlay attack is correct because the malware draws a fake interface on top of a legitimate app to capture credentials or hijack taps, a well-known Android technique. A SYN flood and DNS amplification are network denial-of-service attacks, and a rainbow table is a password-cracking method, none of which describe drawing a deceptive screen overlay on a phone.
- While testing an IoT product, an analyst maps how data flows from the physical sensor up to the user's phone app. Which ordering correctly reflects the typical layers of an IoT communication architecture?
- Application layer, then sensing/edge devices, with no network in between
- Cloud first, then the user app, and finally the sensors are added at the end
- Edge/sensing devices, then network/transport, then cloud/data processing, then the application layer presented to the user
- User app, then PLC ladder logic, then a certificate authority
Correct answer: Edge/sensing devices, then network/transport, then cloud/data processing, then the application layer presented to the user
Edge devices, then network, then cloud, then application is correct because IoT data originates at sensing devices, traverses a network/transport layer, is processed in the cloud or backend, and is finally surfaced to the user through an application layer. The other sequences omit the network, invert the data origin, or insert unrelated OT and PKI components, so they misrepresent the IoT layered model.
- An attacker captures the unencrypted RF signal a wireless key fob sends to an IoT garage door opener, stores it, and later replays the identical signal to open the door. Which IoT attack does this describe?
- An SQL union injection
- A cross-site scripting attack
- A Diffie-Hellman downgrade
- A replay attack
Correct answer: A replay attack
A replay attack is correct because the attacker records a valid transmission and resends it later to trigger the same action, a common weakness in IoT devices that lack rolling codes or freshness checks. SQL union injection and cross-site scripting are web-application attacks and a Diffie-Hellman downgrade is a key-exchange attack, none of which describe capturing and resending an IoT control signal.
- A red team is enumerating short-range protocols on a smart-building deployment. Which set of communication technologies is most characteristic of low-power IoT devices that a tester would need to assess?
- Only fiber-optic SONET links
- Zigbee, Z-Wave, BLE (Bluetooth Low Energy), and LoRaWAN
- Only legacy dial-up modems
- Exclusively SCSI storage cabling
Correct answer: Zigbee, Z-Wave, BLE (Bluetooth Low Energy), and LoRaWAN
Zigbee, Z-Wave, BLE, and LoRaWAN is correct because these are the prevalent low-power wireless protocols used by IoT devices, and each is a distinct radio surface a tester must enumerate and assess. SONET fiber, dial-up modems, and SCSI cabling are not IoT short-range radio technologies, so they do not represent the IoT communication stack.
- An IoT smart camera sends telemetry to its backend over plain HTTP and accepts firmware updates that are not cryptographically signed. Which single weakness most directly allows an attacker to push malicious firmware to the device?
- The use of a colorful LED status indicator
- The presence of a physical power button
- The lack of secure (signed and verified) firmware update validation
- The device supporting more than one language in its menus
Correct answer: The lack of secure (signed and verified) firmware update validation
Lack of signed, verified firmware updates is correct because without signature verification the device will accept and run attacker-supplied firmware, enabling full compromise, an OWASP IoT Top 10 weakness. The LED indicator, power button, and multi-language menus are benign device features that do not affect whether malicious firmware can be installed, so they are incorrect.
- An analyst is selecting a methodology to structure an IoT penetration test. Which phased approach best matches the recognized IoT hacking methodology taught in CEH?
- Immediately wiping the device firmware before any reconnaissance
- Encrypting the cloud backend so the device cannot phone home
- Disabling the corporate VPN to reduce noise
- Information gathering, vulnerability scanning, exploitation/launching attacks, gaining access, and maintaining access on the IoT ecosystem
Correct answer: Information gathering, vulnerability scanning, exploitation/launching attacks, gaining access, and maintaining access on the IoT ecosystem
Information gathering, scanning, exploitation, gaining access, and maintaining access is correct because the IoT hacking methodology mirrors the general phased model applied across the device, communication, cloud, and app components. Wiping firmware first, encrypting the backend, and disabling the VPN are not reconnaissance-led testing steps, so they do not describe the IoT methodology.
- An OT engineer must explain why the security priority ordering in an industrial control environment differs from a typical IT network. Which prioritization correctly reflects most OT environments?
- Confidentiality first, then integrity, then availability, exactly as in IT
- Availability and safety first, then integrity, with confidentiality typically last
- Only confidentiality matters because OT data is highly sensitive
- Only billing accuracy matters in OT environments
Correct answer: Availability and safety first, then integrity, with confidentiality typically last
Availability and safety first, then integrity, with confidentiality last is correct because OT systems control physical processes where keeping equipment running safely outranks secrecy, inverting the usual IT confidentiality-first emphasis. The IT-style ordering, a confidentiality-only view, and a billing-only view all misstate the safety-and-uptime priorities that define OT security.
- Within an industrial control system, a component continuously gathers data from multiple remote PLCs and RTUs and presents plant-wide status to operators on a central console. Which ICS element provides this supervisory data acquisition and operator-facing role?
- A web application firewall
- A DNS resolver
- A SCADA system
- A mobile MDM server
Correct answer: A SCADA system
A SCADA system is correct because supervisory control and data acquisition platforms collect data from distributed field controllers like PLCs and RTUs and present plant-wide status to operators for monitoring and control. A web application firewall protects web apps, a DNS resolver maps names, and an MDM server manages mobile devices, none of which perform ICS supervisory data acquisition.
- An OT field device converts analog and digital signals from remote sensors into data transmitted back to a control center, often over telemetry links in geographically dispersed utilities. Which device is being described?
- A certificate authority
- A load balancer
- A remote terminal unit (RTU)
- A honeypot sensor
Correct answer: A remote terminal unit (RTU)
A remote terminal unit is correct because RTUs interface with remote sensors and actuators, digitize signals, and relay telemetry back to a control center, making them central to distributed SCADA deployments like utilities. A certificate authority issues certificates, a load balancer distributes traffic, and a honeypot is a decoy, none of which perform remote field telemetry conversion.
- A tester examines a substation that uses a protocol designed for electric utility automation and SCADA telemetry over serial and IP, distinct from Modbus. Which industrial protocol is most likely in use?
- HTTP/2
- SMTP
- DNP3 (Distributed Network Protocol)
- POP3
Correct answer: DNP3 (Distributed Network Protocol)
DNP3 is correct because it is an industrial protocol widely deployed in electric and water utility SCADA systems for telemetry between master stations and outstations, distinct from Modbus. HTTP/2 serves web traffic, while SMTP and POP3 handle email, so none of those are utility-automation OT protocols a substation would rely on.
- An attacker on a plant network sends a Modbus request using function code 6 to alter a single value a PLC uses as a setpoint. Which Modbus operation is the attacker performing?
- Writing a single holding register
- Negotiating a TLS session ticket
- Performing a DNS zone transfer
- Issuing an HTTP GET request
Correct answer: Writing a single holding register
Writing a single holding register is correct because Modbus function code 6 writes one holding register, which commonly stores a numeric setpoint, so the attacker can alter process parameters on the PLC. Negotiating a TLS ticket, performing a DNS zone transfer, and issuing an HTTP GET are unrelated IT operations that Modbus function code 6 does not perform, so they are incorrect.
- An ICS security architect wants to limit the blast radius of a compromise by separating the corporate network from the control network with an intermediary buffer zone that brokers all cross-boundary traffic. Which control is being implemented?
- An industrial DMZ (demilitarized zone) between IT and OT
- A rainbow table for the historian
- A jailbreak of the operator workstation
- An evil twin access point in the control room
Correct answer: An industrial DMZ (demilitarized zone) between IT and OT
An industrial DMZ is correct because placing a buffer zone that brokers and inspects all traffic between the IT and OT networks is the standard ICS segmentation control that limits how far an IT compromise can spread. A rainbow table cracks hashes, a jailbreak weakens a mobile device, and an evil twin is a wireless attack, so none of those provide IT/OT boundary segmentation.
- A SCADA attacker who can reach an unauthenticated DNP3 outstation issues a control command that trips a circuit breaker, causing a physical outage. Which property of legacy ICS protocols most directly enabled this?
- The protocol enforces mutual certificate authentication on every message
- The protocol encrypts all payloads with AES-GCM by default
- The protocol lacks authentication, so commands are accepted without verifying the sender's identity
- The protocol requires a hardware security module to send any command
Correct answer: The protocol lacks authentication, so commands are accepted without verifying the sender's identity
Lacking authentication is correct because legacy ICS protocols like DNP3 and Modbus historically transmit control commands without verifying who sent them, so any reachable attacker can issue a breaker-tripping command. The options describing mutual certificates, default AES-GCM encryption, and mandatory hardware security modules describe protections these legacy protocols do not natively have, so they are wrong.
- A mobile forensics question asks which feature of modern smartphones an attacker abuses by tricking the operating system into granting a malicious app excessive runtime permissions such as microphone, contacts, and location. What is the underlying issue being exploited?
- A Modbus coil overflow
- A WEP IV collision
- An OT historian misconfiguration
- Over-permissioned apps abusing the mobile permission model
Correct answer: Over-permissioned apps abusing the mobile permission model
Over-permissioned apps abusing the permission model is correct because mobile platforms gate sensitive resources behind permissions, and malware that obtains broad permissions can access the microphone, contacts, and location to spy on the user. A Modbus coil overflow and OT historian misconfiguration are industrial issues and a WEP IV collision is a wireless flaw, none of which involve mobile app permissions.
- An IoT botnet operator wants to maximize the number of devices conscripted with minimal effort. Beyond default credentials, which additional common IoT exposure is most often scanned for and exploited at scale to recruit devices?
- Devices that have disabled all remote management
- Devices exposing administrative services like Telnet or web interfaces directly to the internet
- Devices that require physical button presses for every action
- Devices stored in a locked, air-gapped cabinet
Correct answer: Devices exposing administrative services like Telnet or web interfaces directly to the internet
Exposing Telnet or web admin services to the internet is correct because internet-reachable management interfaces, often combined with weak credentials, let botnet scanners log in and infect devices at massive scale. Disabling remote management, requiring physical presses, and air-gapping all reduce exposure rather than enable mass recruitment, so they are incorrect.
- A CEH candidate must identify the assessment activity in which a tester intercepts and analyzes the BLE advertising and GATT traffic between a fitness tracker and its companion phone app to find unauthenticated characteristics. What is this activity best categorized as?
- Bluetooth Low Energy traffic sniffing and analysis of an IoT device
- A SQL blind-injection campaign
- A Modbus master poll of holding registers
- An iOS App Store review submission
Correct answer: Bluetooth Low Energy traffic sniffing and analysis of an IoT device
BLE traffic sniffing and analysis is correct because capturing the advertising and GATT exchanges between a BLE IoT device and its app reveals unauthenticated characteristics an attacker could read or write, a standard IoT wireless assessment. SQL injection targets databases, a Modbus poll is an OT action, and an App Store submission is a publishing step, none of which describe analyzing BLE IoT traffic.
- An organization discovers that an internet-exposed HMI for a water treatment plant allows operators to log in with the vendor's default password. Why does CEH treat exposed HMIs with default credentials as among the most severe OT findings?
- Because it slows down the plant's email delivery
- Because it forces the plant to adopt IPv6 addressing
- Because anyone reaching the HMI can directly view and manipulate the physical process controls, risking safety and outages
- Because it improves the plant's confidentiality posture
Correct answer: Because anyone reaching the HMI can directly view and manipulate the physical process controls, risking safety and outages
Allowing direct view and manipulation of physical controls is correct because an internet-exposed HMI with default credentials gives an attacker operator-level control over the physical process, creating safety and availability consequences that define OT risk severity. Email speed, IPv6 adoption, and an improved confidentiality posture are irrelevant or false, so they do not explain the severity.
- A tester compares how Android and iOS distribute applications to understand each platform's malware exposure. Which statement most accurately captures a key difference relevant to mobile attack risk?
- Both platforms forbid any installation outside their official store with no exceptions
- iOS allows unrestricted sideloading while Android blocks it entirely
- Neither platform reviews apps before publishing them
- Android more readily permits sideloading from third-party sources, widening malware exposure, while iOS restricts installs largely to its vetted App Store
Correct answer: Android more readily permits sideloading from third-party sources, widening malware exposure, while iOS restricts installs largely to its vetted App Store
Android more readily permitting sideloading while iOS restricts to its App Store is correct because Android's openness to third-party stores and sideloaded packages broadens its malware exposure compared with iOS's tighter distribution controls. The claims that both forbid all outside installs, that iOS allows unrestricted sideloading, or that neither reviews apps misstate how the platforms actually distribute software.
- An IoT vulnerability researcher notes that many low-cost devices reuse the same hardcoded cryptographic key or credential across every unit shipped. Why does this practice dramatically amplify the impact of a single compromise?
- Because each device generates a unique key at first boot, isolating compromises
- Because extracting the secret from one device lets the attacker compromise the entire fleet of identical devices
- Because hardcoded keys are rotated automatically every hour
- Because the key only protects the device's screen brightness
Correct answer: Because extracting the secret from one device lets the attacker compromise the entire fleet of identical devices
Extracting one secret to compromise the whole fleet is correct because a shared hardcoded key or credential means recovering it from a single inexpensive unit, often via firmware analysis, unlocks every identical device in the field. The other options falsely claim per-device key generation, automatic hourly rotation, or that the key only affects brightness, so they do not explain the amplified impact.
- An OT incident responder is asked to name the malware family that specifically targeted Siemens PLCs by manipulating their programmed logic to damage centrifuges while showing operators normal readings. Which threat is this, and what lesson does it teach about OT attacks?
- A standard email phishing kit with no physical effect
- Stuxnet, demonstrating that malware can cause real physical damage to industrial equipment by altering PLC logic
- A WPA3 handshake cracker limited to wireless networks
- A generic IT ransomware strain that only encrypts office documents
Correct answer: Stuxnet, demonstrating that malware can cause real physical damage to industrial equipment by altering PLC logic
Stuxnet is correct because it manipulated Siemens PLC logic to physically damage centrifuges while feeding operators falsified normal readings, proving cyberattacks can cause tangible physical harm to OT systems. An email phishing kit, a WPA3 cracker, and an office-document ransomware strain do not target PLC logic or cause physical industrial damage, so they do not fit the scenario.
- A tester needs to extract and examine the file system of an IoT router by retrieving its firmware image and unpacking embedded binaries to look for backdoor accounts. Which combination of weaknesses would make this firmware-extraction-to-compromise path easiest for the attacker?
- Strong secure-boot enforcement combined with encrypted, signed firmware images
- Per-device random credentials stored only in a hardware security module
- An exposed UART console plus unencrypted firmware containing hardcoded backdoor credentials
- Mandatory multi-factor authentication on the device's web panel
Correct answer: An exposed UART console plus unencrypted firmware containing hardcoded backdoor credentials
An exposed UART console plus unencrypted firmware with hardcoded backdoor credentials is correct because the open serial console gives low-level access while the unencrypted firmware lets the tester unpack the file system and recover embedded credentials, chaining directly to compromise. Secure boot with signed encrypted firmware, HSM-stored per-device credentials, and mandatory multi-factor authentication are protective controls that would block this path, so they are incorrect.
- A startup subscribes to a fully managed email and document suite where the provider operates the entire stack and the customer only configures user accounts and sharing settings. Which cloud service model does this describe?
- Bare-metal colocation hosting
- Infrastructure as a Service (IaaS)
- Platform as a Service (PaaS)
- Software as a Service (SaaS)
Correct answer: Software as a Service (SaaS)
This describes Software as a Service. In SaaS the provider manages the application, runtime, operating system, and infrastructure, while the customer only configures application-level settings such as users and sharing. Infrastructure as a Service gives the customer the operating system and up, Platform as a Service gives a managed runtime for custom code, and bare-metal colocation is not a managed cloud application model.
- A development team wants the cloud provider to manage the operating system, runtime, and middleware so the team only has to deploy and run their own application code without provisioning servers. Which cloud service model best fits this requirement?
- Infrastructure as a Service (IaaS)
- Software as a Service (SaaS)
- Platform as a Service (PaaS)
- Network as a Service (NaaS)
Correct answer: Platform as a Service (PaaS)
Platform as a Service best fits this requirement. PaaS provides a managed operating system, runtime, and middleware so developers can deploy application code without managing the underlying servers or patching the OS. Infrastructure as a Service would still leave the customer responsible for the operating system, Software as a Service delivers a finished application rather than a deployment platform, and Network as a Service only abstracts networking.
- During an engagement, an ethical hacker attempts to enumerate object-storage buckets belonging to a target organization by guessing predictable names derived from the company brand and appending common suffixes. What is the primary goal of this cloud reconnaissance technique?
- To crack the provider's hypervisor encryption keys
- To discover publicly accessible or misconfigured storage buckets that may leak data
- To deauthenticate users from the corporate wireless network
- To poison the ARP cache of the storage gateway
Correct answer: To discover publicly accessible or misconfigured storage buckets that may leak data
The primary goal is to discover publicly accessible or misconfigured storage buckets that may leak data. Because bucket names are often predictable and globally addressable, attackers brute-force or guess names to find buckets left open to public listing or reading. Cracking hypervisor keys, wireless deauthentication, and ARP poisoning are unrelated techniques that do not describe storage-bucket name enumeration.
- A cloud auditor finds that an object-storage bucket has its policy set so that the Principal is a wildcard and the action allows listing and reading objects with no condition restricting the source. What is the most accurate description of this finding?
- The bucket enforces least privilege correctly
- The bucket is encrypted end to end and inaccessible
- The bucket policy grants anonymous public access, exposing its contents to anyone
- The bucket can only be reached from inside the corporate VPN
Correct answer: The bucket policy grants anonymous public access, exposing its contents to anyone
The most accurate description is that the bucket policy grants anonymous public access, exposing its contents to anyone. A wildcard principal with read and list actions and no conditions means any unauthenticated user on the internet can enumerate and download objects. It is the opposite of least privilege, says nothing about encryption protecting access, and a wildcard principal does not restrict access to a corporate VPN.
- An organization wants to prevent accidental public exposure of any object-storage bucket across its entire cloud account, even if an individual developer later sets a permissive bucket policy. Which control most directly enforces this account-wide protection?
- An account-level public access block that overrides individual bucket settings
- Increasing the storage class to a colder tier
- Enabling versioning on each bucket
- Adding a content delivery network in front of the buckets
Correct answer: An account-level public access block that overrides individual bucket settings
An account-level public access block that overrides individual bucket settings most directly enforces this protection. Such a setting prevents buckets and objects from being made public regardless of more permissive policies set at the bucket level, providing a centralized guardrail. Changing storage class affects cost, versioning protects against deletion, and a content delivery network affects distribution, none of which blocks public access account-wide.
- A Kubernetes cluster stores database passwords and TLS keys that workloads need at runtime. A reviewer notes these values are kept in plain Base64 inside the cluster's default secret objects with no additional protection. Why is this still a meaningful container-security concern despite the secrets being separated from the pod spec?
- Base64 is a strong encryption algorithm, so there is no concern
- Base64 is only encoding, not encryption, so anyone with read access to secrets can trivially decode them
- Secrets cannot be read by any cluster user under any circumstances
- The secrets are automatically rotated every minute by default
Correct answer: Base64 is only encoding, not encryption, so anyone with read access to secrets can trivially decode them
The concern is real because Base64 is only encoding, not encryption, so anyone with read access to the secret objects can trivially decode the values. Without encryption at rest and tight access controls, a compromised account or over-permissioned service account can retrieve usable credentials. Base64 provides no confidentiality, secrets are not inaccessible to all users, and there is no default per-minute rotation.
- A penetration tester compromises a low-privilege pod and finds that its service account token is mounted into the container and that the associated role allows creating new pods. What is the most likely next step that makes this a serious container-orchestration risk?
- Using the token to launch a privileged pod that mounts the host filesystem and escalates to node access
- Cracking the WPA2 passphrase of the cluster
- Performing a DNS zone transfer against the registrar
- Sniffing cleartext FTP credentials on the LAN
Correct answer: Using the token to launch a privileged pod that mounts the host filesystem and escalates to node access
The most likely next step is using the token to launch a privileged pod that mounts the host filesystem and escalates to node access. An over-permissioned service account that can create pods lets an attacker schedule a malicious privileged workload, mount the host, and pivot to control the node and potentially the cluster. Wireless cracking, DNS zone transfers, and FTP sniffing are unrelated to abusing an in-cluster service account token.
- A security engineer wants to detect known vulnerable libraries and outdated packages inside container images before they are deployed to production. Which container-security practice most directly addresses this?
- Assigning each container a static MAC address
- Increasing the container's memory limit
- Disabling DNS resolution inside the container
- Scanning container images for known vulnerabilities during the build pipeline
Correct answer: Scanning container images for known vulnerabilities during the build pipeline
Scanning container images for known vulnerabilities during the build pipeline most directly addresses this. Image scanning inspects the layers and installed packages against vulnerability databases so that images containing known-flawed components are flagged or blocked before deployment. Assigning a MAC address, raising memory limits, and disabling DNS do nothing to identify vulnerable libraries inside an image.
- An attacker analyzing a serverless function notices that a downstream function is triggered automatically whenever a new file lands in a storage bucket, and that the attacker can write arbitrary files to that bucket. What serverless attack pattern does abusing this trigger represent?
- A wireless evil-twin attack
- Event injection that abuses an indirect, non-HTTP trigger to invoke the function with attacker-controlled data
- A rainbow-table password attack
- A TCP SYN scan of the function endpoint
Correct answer: Event injection that abuses an indirect, non-HTTP trigger to invoke the function with attacker-controlled data
This represents event injection that abuses an indirect, non-HTTP trigger to invoke the function with attacker-controlled data. Serverless functions react to many event sources, so an attacker who can drop a crafted object into a watched bucket effectively feeds malicious input to the triggered function without ever calling an HTTP endpoint. An evil-twin attack, a rainbow-table attack, and a SYN scan are unrelated to abusing storage-event triggers.
- A reviewer of a serverless application finds that one function reuses the same global database connection and writes temporary state to the function's local /tmp directory between invocations. Why is relying on this warm-execution-environment reuse a security and reliability concern?
- Functions never reuse execution environments, so the concern is impossible
- Reusing an environment permanently encrypts all data with the provider's key
- It forces the function onto dedicated hardware shared with no one
- Residual data left in a reused environment can leak between invocations and may persist sensitive information unexpectedly
Correct answer: Residual data left in a reused environment can leak between invocations and may persist sensitive information unexpectedly
The concern is that residual data left in a reused execution environment can leak between invocations and may persist sensitive information unexpectedly. Serverless platforms keep warm environments alive to reduce cold starts, so files in /tmp or in-memory state from one invocation can be exposed to a later one if not cleared. Environments are reused rather than never reused, reuse does not encrypt data, and it does not pin the function to isolated dedicated hardware.
- A serverless function calls a third-party library at runtime, and an attacker compromises that dependency upstream so it exfiltrates environment variables on import. Which serverless risk category does this exploited dependency represent?
- Insecure dependencies introducing a software supply-chain risk into the function
- A MAC flooding attack against the function's switch
- A WEP key-recovery attack
- A directory-traversal attack on a web server's document root
Correct answer: Insecure dependencies introducing a software supply-chain risk into the function
This represents insecure dependencies introducing a software supply-chain risk into the function. Serverless functions often bundle many third-party packages, and a malicious or compromised dependency runs with the function's permissions and can read its environment variables and secrets. MAC flooding and WEP recovery are network and wireless attacks, and directory traversal targets a web server's filesystem, none of which describes a poisoned function dependency.
- An ethical hacker explains to a client why placing many independent customers on the same shared cloud infrastructure introduces a distinct risk class compared to fully dedicated hardware. Which cloud characteristic is the source of that risk?
- Pay-as-you-go billing
- Broad network access from any device
- Multi-tenancy, where a flaw in the isolation between tenants can let one customer affect or reach another
- On-demand self-service provisioning
Correct answer: Multi-tenancy, where a flaw in the isolation between tenants can let one customer affect or reach another
The source of that risk is multi-tenancy, where a flaw in the isolation between tenants can let one customer affect or reach another. Because shared physical resources host multiple customers, weaknesses in the isolation layer such as side channels or escape flaws can cross tenant boundaries. Pay-as-you-go billing, broad network access, and on-demand self-service are cloud characteristics but they describe convenience and economics rather than the cross-tenant isolation risk.
- A cloud administrator discovers that a former contractor's long-lived access key is still active and was used from an unfamiliar location to enumerate resources. Which cloud-security weakness most directly enabled this unauthorized access?
- Weak identity and access management hygiene, specifically failure to rotate and revoke unused credentials
- An expired TLS certificate on the load balancer
- An overly aggressive auto-scaling policy
- A misconfigured time-zone setting on the logging service
Correct answer: Weak identity and access management hygiene, specifically failure to rotate and revoke unused credentials
The weakness is weak identity and access management hygiene, specifically the failure to rotate and revoke unused credentials. Long-lived static keys that are not deactivated when a person leaves become standing entry points an attacker can reuse from anywhere. An expired certificate, an aggressive scaling policy, and a logging time-zone setting are operational issues that would not grant an attacker authenticated access through a stale key.
- After stealing valid cloud API credentials, an attacker spins up large numbers of high-end compute instances across multiple regions to mine cryptocurrency, leaving the victim with an enormous bill. Which cloud-focused attack does this resource abuse represent?
- A WPA3 downgrade attack
- An XMAS scan of the billing portal
- Cloud cryptojacking, abusing the victim's compute resources for unauthorized mining
- A NetBIOS null-session enumeration
Correct answer: Cloud cryptojacking, abusing the victim's compute resources for unauthorized mining
This represents cloud cryptojacking, abusing the victim's compute resources for unauthorized mining. Attackers who obtain valid cloud credentials commonly launch many costly instances to mine cryptocurrency, which both racks up charges and consumes capacity until detected. A WPA3 downgrade is a wireless attack, an XMAS scan is a port-scanning technique, and NetBIOS null-session enumeration targets Windows hosts, none of which describes hijacking cloud compute for mining.
- A security engineer needs an encryption scheme in which the exact same secret key is used both to encrypt a file and to later decrypt it, and the key must be shared with anyone who needs access. Which category of cryptography does this describe?
- Symmetric-key encryption
- Asymmetric-key encryption
- A one-way hashing function
- A digital signature scheme
Correct answer: Symmetric-key encryption
Symmetric-key encryption is correct because it uses a single shared secret key for both encryption and decryption, which is exactly the property described. Asymmetric encryption is wrong because it uses a key pair where the encrypting and decrypting keys differ. A one-way hashing function does not decrypt at all, and a digital signature provides authenticity rather than confidential two-way encryption.
- An ethical hacker wants to send a confidential message to a recipient they have never exchanged a secret key with. The hacker encrypts the message so that only the recipient can read it. In a public-key system, which key should the sender use to encrypt the message?
- The sender's own private key
- The recipient's public key
- The recipient's private key
- A shared symmetric session key already known to both
Correct answer: The recipient's public key
Encrypting with the recipient's public key is correct because only the matching recipient's private key can decrypt the message, guaranteeing confidentiality to that single recipient. Using the sender's private key would let anyone with the corresponding public key decrypt it, defeating secrecy. The recipient's private key is secret and not available to the sender, and the scenario explicitly states no shared symmetric key exists yet.
- A CEH candidate is asked to identify the symmetric block cipher selected by NIST as the federal standard, which operates on 128-bit blocks and supports 128-, 192-, and 256-bit keys. Which algorithm is being described?
- RSA
- Diffie-Hellman
- AES (Advanced Encryption Standard)
- MD5
Correct answer: AES (Advanced Encryption Standard)
AES (Advanced Encryption Standard) is correct because it is the NIST-standardized symmetric block cipher that uses a 128-bit block size and 128-, 192-, or 256-bit keys. RSA and Diffie-Hellman are asymmetric algorithms, not symmetric block ciphers, and MD5 is a hashing algorithm that produces a digest rather than reversible ciphertext.
- An ethical hacker is documenting how the RSA algorithm derives its security. On what mathematical problem does the strength of RSA primarily rely?
- The difficulty of computing discrete logarithms in a finite field
- The difficulty of finding two inputs that produce the same hash output
- The difficulty of reversing an exclusive-OR operation
- The difficulty of factoring the product of two large prime numbers
Correct answer: The difficulty of factoring the product of two large prime numbers
RSA's security relies on the difficulty of factoring the product of two large prime numbers, since recovering the private key would require factoring the large modulus into its prime components. The discrete logarithm problem underpins Diffie-Hellman, not RSA. Finding hash collisions relates to hashing, and XOR reversal describes weak stream-cipher behavior, neither of which is the basis of RSA.
- While reviewing how passwords are stored, an analyst encounters MD5 being used to generate a fixed 128-bit digest of each value. What is the fundamental purpose of a hashing algorithm such as MD5?
- To produce a fixed-length, one-way digest from input data that cannot be feasibly reversed back to the original
- To encrypt data so it can later be decrypted with the same key
- To exchange a shared secret key over an insecure channel
- To bind a public key to an identity through a trusted certificate authority
Correct answer: To produce a fixed-length, one-way digest from input data that cannot be feasibly reversed back to the original
Producing a fixed-length, one-way digest that cannot feasibly be reversed is correct, because hashing algorithms like MD5 map arbitrary input to a fixed-size output and are designed to be irreversible. Reversible encryption with a key describes a cipher, not a hash. Exchanging a shared secret describes key exchange, and binding a public key to an identity describes PKI certificates, none of which are the purpose of a hash function.
- A penetration tester explains why MD5 and SHA-1 are no longer trusted for integrity verification. The tester demonstrates producing two different inputs that yield the identical digest. Why does this finding make the algorithm unsuitable for verifying integrity?
- It proves the algorithm can be decrypted back to plaintext, exposing the original data
- A collision means an attacker can substitute a malicious file whose hash matches a legitimate file, defeating integrity checks
- It means the digest length has become too short to store the original message
- It allows the attacker to recover the private key used to sign the hash
Correct answer: A collision means an attacker can substitute a malicious file whose hash matches a legitimate file, defeating integrity checks
A collision allowing a malicious file to share the legitimate file's hash is correct, because integrity verification assumes a unique digest per input; once two inputs collide, a swapped malicious file passes the hash check undetected. Hashes are not decrypted to plaintext, so reversibility is not the issue. Digest length does not store the message, and collisions do not reveal any signing private key.
- An organization wants a managed framework of certificate authorities, registration authorities, and digital certificates so that users can trust that a given public key genuinely belongs to a named entity. Which system provides this trust framework?
- A symmetric key distribution center using shared secrets
- A message authentication code keyed with a shared secret
- Public Key Infrastructure (PKI)
- A salted password hashing scheme
Correct answer: Public Key Infrastructure (PKI)
Public Key Infrastructure (PKI) is correct because it is the framework of certificate authorities, registration authorities, and digital certificates that binds public keys to verified identities so users can trust them. A symmetric key distribution center handles shared secret keys, not public-key trust. A message authentication code and salted password hashing address integrity and password storage, not certificate-based identity binding.
- A developer wants recipients to verify both that a software update truly came from the developer and that it was not altered in transit. The developer hashes the update and encrypts that hash with their own private key, attaching the result. What has the developer created?
- A symmetric session key
- A salted password digest
- A self-signed root certificate
- A digital signature
Correct answer: A digital signature
A digital signature is correct because hashing the data and encrypting that hash with the signer's private key produces a value any recipient can verify with the signer's public key, confirming both origin authenticity and integrity. A symmetric session key provides confidentiality, not authentication. A salted password digest is for stored credentials, and a self-signed certificate binds a key to an identity rather than signing this specific update.
- Two parties who have never met need to establish a shared secret key over a public, untrusted network without ever transmitting the secret itself. Which cryptographic algorithm is specifically designed to let them agree on a shared key in this way?
- Diffie-Hellman key exchange
- AES in CBC mode
- The SHA-256 hashing algorithm
- A one-time pad printed and mailed in advance
Correct answer: Diffie-Hellman key exchange
Diffie-Hellman key exchange is correct because it allows two parties to derive a shared secret over an insecure channel using public values and the discrete logarithm problem, without ever sending the secret itself. AES is a symmetric cipher that requires a key to already be shared. SHA-256 is a hash that creates no shared key, and a mailed one-time pad does not use the public channel described.
- An architect is designing TLS-style secure communication and notes that asymmetric encryption is computationally slow while symmetric encryption is fast but needs a securely shared key. Which hybrid approach best resolves this trade-off?
- Encrypt the entire data stream with the recipient's public key and never use symmetric encryption
- Use asymmetric encryption only to securely exchange a symmetric session key, then encrypt the bulk data with that fast symmetric key
- Hash all data with MD5 and transmit only the digests to avoid encryption overhead
- Share one static symmetric key in plaintext at the start of every session
Correct answer: Use asymmetric encryption only to securely exchange a symmetric session key, then encrypt the bulk data with that fast symmetric key
Using asymmetric encryption only to exchange a symmetric session key and then encrypting bulk data symmetrically is correct, because it combines the secure key-distribution strength of public-key cryptography with the speed of symmetric ciphers. Encrypting all data asymmetrically is impractically slow. Sending only MD5 digests provides no confidentiality, and sharing a symmetric key in plaintext exposes it to any eavesdropper.
- A recipient verifies a digital signature on a contract by decrypting the attached signature with the sender's public key and comparing the result to a freshly computed hash of the document, which matches. Beyond confirming integrity, what additional security property does a valid digital signature provide that a plain hash alone cannot?
- Confidentiality, because the document contents are now hidden from eavesdroppers
- Forward secrecy, because each session uses a unique ephemeral key
- Non-repudiation, because only the holder of the sender's private key could have produced the signature
- Availability, because the signed document cannot be deleted
Correct answer: Non-repudiation, because only the holder of the sender's private key could have produced the signature
Non-repudiation is correct because only the sender's private key could create a signature that verifies with their public key, so the sender cannot later deny having signed the document. A plain hash provides integrity but no proof of who produced it. Confidentiality is not provided since the document itself is not encrypted, and forward secrecy and availability are unrelated to what a signature establishes.
- A team is configuring AES to encrypt many independent disk blocks and is warned that one particular mode encrypts each block independently with the same key, so identical plaintext blocks yield identical ciphertext blocks and can reveal data patterns. Which AES mode of operation has this weakness?
- Cipher Block Chaining (CBC) mode
- Counter (CTR) mode
- Galois/Counter Mode (GCM)
- Electronic Codebook (ECB) mode
Correct answer: Electronic Codebook (ECB) mode
Electronic Codebook (ECB) mode is correct because it encrypts each block independently with the same key, causing identical plaintext blocks to produce identical ciphertext and leaking patterns in the data. CBC chains each block with the previous ciphertext to hide patterns, while CTR and GCM use a counter and nonce so identical plaintext blocks encrypt differently.
- A user's browser receives a website's digital certificate during a TLS handshake. To decide whether to trust the certificate, what does the browser primarily check about it within the PKI trust model?
- That the certificate was signed by a trusted certificate authority, is unexpired, and has not been revoked
- That the certificate's private key is included so the browser can decrypt traffic
- That the certificate's hash collides with a known-good reference value
- That the certificate uses a symmetric key shared with the certificate authority
Correct answer: That the certificate was signed by a trusted certificate authority, is unexpired, and has not been revoked
Verifying that the certificate was signed by a trusted certificate authority, is unexpired, and is not revoked is correct, because PKI trust depends on the chain of trust to a recognized CA plus validity and revocation status. A certificate never contains the private key, which stays secret with the server. Trust is not based on hash collisions, and certificates use asymmetric key pairs, not a symmetric key shared with the CA.
- An attacker positions themselves between two parties performing a classic, unauthenticated Diffie-Hellman key exchange and separately negotiates a shared key with each side. Why is unauthenticated Diffie-Hellman vulnerable to this man-in-the-middle interception?
- Because Diffie-Hellman transmits the final shared secret in plaintext across the channel
- Because the discrete logarithm problem can be solved instantly for any key size
- Because the exchanged public values are not authenticated, so neither party can confirm they are talking to the intended peer rather than the attacker
- Because Diffie-Hellman reuses the same static symmetric key for every session
Correct answer: Because the exchanged public values are not authenticated, so neither party can confirm they are talking to the intended peer rather than the attacker
The lack of authentication on the exchanged public values is correct, because without verifying each peer's identity, an attacker can substitute their own values and establish separate keys with each party, relaying and reading traffic. Diffie-Hellman never sends the shared secret in plaintext, and its security against passive attackers still rests on the discrete logarithm problem being hard. The vulnerability is missing authentication, not key reuse.