EC-Council Certified Ethical Hacker (CEH v13) (312-50v13)

Sarah, a system administrator, was alerted of potential malicious activity on the network of her company. She discovered a malicious program spread through the instant messenger application used by her team. The attacker had obtained access to one of her teammate's messenger accounts and started sending files across the contact list. Which best describes the attack scenario and what measure could have prevented it?

An ethical hacker needs to enumerate user accounts and shared resources within a company's internal network without raising any security alerts. The network consists of Windows servers running default configurations. Which method should the hacker use to gather this information covertly?

penetration tester suspects that a web application’s user profiplaege is vulnteo SrQL ainjebctilon,e as it

uses the useriD parameter in SQL queries without proper sanitization. Which technique should the tester use to confirm the vulnerability?

A multinational corporation's computer system was infiltrated by an advanced persistent threat (APT). During forensic analysis, it was discovered that the malware was utilizing a blend of two highly sophisticated techniques to stay undetected and continue its operations.

Firstly, the malware was embedding its harmful code into the actual binary or executable part of genuine system files rather than appending or prepending itself to the files. This made it exceptionally difficult to detect and eradicate, as doing so risked damaging the system files themselves.

Secondly, the malware exhibited characteristics of a type of malware that changes its code as it propagates, making signature-based detection approaches nearly impossible.

On top of these, the malware maintained a persistent presence by installing itself in the registry, making it able to survive system reboots.

Given these distinctive characteristics, which two types of malware techniques does this malware most closely embody?

A penetration tester is evaluating the security of a mobile application and discovers that it lacks proper input validation. The tester suspects that the application is vulnerable to a malicious code injection attack. What is the most effective way to confirm and exploit this vulnerability?

During an internal penetration test, a security analyst assesses a web application that interfaces with a

backend Oracle database. Initial atternpts using standard SQL injection payloads such as ‘ OR '1'="1 and UNION SELECT return no useful output and do not affect application behavior. Suspecting input sanitization and error suppression, the analyst crafts a new payload:

1AND 1< (SELECT COUNT(*) FROM all_users A, all_users B, all_users

Recently, the employees of a company have been receiving emails that seem to be from their colleagues, but with suspicious attachments. When opened, these attachments appear to install malware on their systems. The IT department suspects that this is a targeted malware attack. Which of the following measures would be the most effective in preventing such attacks?

During a security evaluation of a smart agriculture setup, an analyst investigates a cloud-managed irrigation controller. The device is found to transmit operational commands and receive firmware updates over unencrypted HTTP. Additionally, it lacks mechanisms to verify the integrity or authenticity of those updates. This vulnerability could allow an adversary to intercept communications or inject malicious firmware, leading to unauthorized control over the device's behavior or denial of essential functionality. Which IoT threat category does this situation best illustrate?

As a cybersecurity consultant, you have been hired by a multinational corporation to identify potential

security risks in their network. During the enumeration phase, you utilize LDAP to gather information about the network infrastructure. However, you observe that some critical information isn't retrievable. What could be the primary reason for this?

Which among the following is the best example of the third step (delivery) in the cyber kill chain?

A penetration tester is evaluating a secure web application that uses HTTPS, secure cookie flags, and regenerates session IDs only during specific user actions. To hijack a legitimate user's session without triggering security alerts, which advanced session hijacking technique should the tester employ?

During a routine security audit, administrators found that cloud storage backups were illegally accessed and modified. What countermeasure would most directly mitigate such incidents in the future?

A security analyst is preparing to analyze a potentially malicious program believed to have infiltrated an organization's network. To ensure the safety and integrity of the production environment, the analyst decided to use a sheep dip computer for the analysis. Before initiating the analysis, what key step should the analyst take?

A penetration tester suspects that the web application's "Order History" page is vulnerable to SQL Injection because it displays user orders based on an unprotected user ID parameter in the URL. What is the most appropriate approach to test this?

As a security expert for a prominent tech company, you've noticed an increasing number of attacks on your

web services. You've concluded that the best course of action is to enhance your patch management strategies. Considering the information presented, which of the following strategies would be most effective in ensuring the secure and efficient management of patches and hotfixes?

Martin, a Certified Ethical Hacker (CEH), is conducting a penetration test on a large enterprise network. He suspects that sensitive information might be leaking out of the network. Martin decides to use network sniffing as part of his testing methodology. Which of the following sniffing techniques should Martin employ to get a comprehensive understanding of the data flowing across the network?

An attacker places a malicious VM on the same physical server as a target VM in a multi-tenant cloud environment. The attacker then extracts cryptographic keys using CPU timing analysis. What type of attack was conducted?

Emily, a security engineer at a Chicago-based healthcare provider, is auditing the organization's new cloud environment after a breach where sensitive patient records were exposed. Her investigation reveals that the root cause was the lack of encryption during data transmission between end-user devices and cloud storage. To mitigate this issue and align with HIPAA compliance requirements, Emily must prioritize addressing the correct cloud computing security risk

Which cloud computing threat should Emily address to mitigate the risk of sen tive data being exposed during transmission?

You are a security analyst of a large IT company and are responsible for maintaining the organization’s security posture. You are evaluating multiple vulnerability assessment tools for your network. Given that your network has a hybrid IT environment with on-premise and cloud assets, which tool would be most appropriate considering its comprehensive coverage and visibility, continuous scanning, and ability to monitor unexpected changes before they turn into breaches?

A penetration tester is conducting a security assessment for a client and needs to capture sensitive information transmitted across multiple VLANs without being detected by the organization's security monitoring systems. The network employs strict VLAN segmentation and port security measures to restrict unauthorized access. Which advanced sniffing technique should the tester use to discreetly intercept and analyze traffic across all VLANs?

On July 2S, 2025, during a penetration test at Horizon Financial Services in Chicago, Illinois, cybersecurity specialist Laura Bennett is analyzing an attack simulation targeting the company's online banking portal. The system logs reveal a coordinated barrage of traffic from multiple compromised systems. orchestrated through a central command-and-control server. flooding the portal and rendering it unavailable to legitimate users. The attack leverages a network of infected devices, likely recruited via malicious links on social media.

What is the structure or concept most likely used to launch this coordinated attack?

Morris, an attacker, wanted to check whether the target AP is in a locked state. He attempted using different utilities to identify WPS-enabled APs in the target wireless network. Ultimately, he succeeded with one special command-line utility.

Which of the following command-line utilities allowed Morris to discover the WPS-enabled APs?

During a black-box internal penetration test, a security analyst is tasked with identifying potentially exploitable services running on an SNMP-enabled Linux server. The target organization uses SNMPv2, and the default community string "public" has not been changed. The analyst confirms that UDP port 161 is open and accessible. To gather service-related intelligence for privilege escalation or lateral movement, the analyst decides to enumerate all running processes on the host. Which Nmap command would most effectively retrieve the required information?

You've recently Joined an international software firm as part of the cybersecurity governance team. While

preparing for an internal compliance review, your supervisor asks you to identify the ISO/IEC standard that

serves as a comprehensive framework for managing an organization's information security. You examine

several standards. including those focusing on risk management. cybersecurity. and control implementation. However, you need to select the one that defines the overarching structure for managing information security programs across the organization.

Which of the following standards should you choose?

Robert, a professional hacker, is attempting to execute a fault injection attack on a target IoT device. In this process, he injects faults into the power supply that can be used for remote execution, also causing the skipping of key instructions. He also injects faults into the clock network used for delivering a synchronized signal across the chip.

Which of the following types of fault injection attack is performed by Robert in the above scenario?

During an internal red team engagement, an operator discovers that TCP port 389 is open on a target system identified as a domain controller. To assess the extent of LDAP exposure, the operator runs the command lapser -h <Target IP> -x -s base naming Contexts and receives a response revealing the base distinguished name (DN): DC=internal DC=corp. This naming context indicates the root of the LDAP directory structure used by the organization's Active Directory. With this discovery, the operator plans the next step to continue LDAP enumeration and expand visibility into users and objects in the domain. What is the most logical next action?

Emma, an ethical hacker at a Chicago-based healthcare provider, is performing a penetration test on the

organization's patient record system following a recent data breach. During her investigation. she discovers

that attackers gained access to a large volume of encrypted patient records but had no knowledge of the

original data or encryption keys. Emma observes that the system uses a block cipher and suspects the

attackers may have applied a cryptanalytic method that examines encrypted outputs in bulk to detect

structural or statistical patterns in the encrypted data.

Which cryptanalysis technique should Emma investigate to assess the system's vuln ility in this scenario?

Kevin, an encryption specialist, implemented a technique that enhances the security of keys used for encryption and authentication. Using this technique, Kevin input an initial key to an algorithm that generated an enhanced key that is resistant to brute-force attacks.

What is the technique employed by Kevin to improve the security of encryption keys?

A penetration tester is tasked with compromising a company's wireless network, which uses WPA2-PSK encryption. The tester wants to capture the WPA2 handshake and crack the pre-shared key. What is the most appropriate approach to achieve this?

While conducting a security review for a public healthcare data center, Jason, a senior penetration tester, is asked to gather system descriptions, contact details, and interface metrics from a set of legacy network

devices running SNMPv2. These devices respond on UDP port 161 and use default community strings. Jason must retrieve this structured SNMP data in a format that can be fed into a reporting script without requiring GUI based tools or raw packet captures.

Which of the following methods should Jason use?

In an attempt to damage the reputation of a competitor organization, Hailey, a professional hacker, gathers a list of employee and client email addresses and other related information by using various search engines, social networking sites, and web spidering tools. In this process, she also uses an automated tool to gather a list of words from the target website to further perform a brute-force attack on the previously gathered email addresses.

What is the tool used by Hailey for gathering a list of words from the target website?

A penetration tester runs a vulnerability scan and identifies an outdated version of a web application running on the company's server. The scan flags this as a medium-risk vulnerability. What is the best next step for the tester?

During a security penetration test at ABC Financial Services in Miami, Florida, on July 9, 2025, ethical hacker Javier Morales targets the company's online banking portal to assess its resilience. Over several hours. The portal's web server begins to fatter, with legitimate users reporting inability to log in or complete transactions.

The IT team notices the server is struggling to accept new connections, as its maximum connection limit is

nearly reached. despite no significant spike in overall network traffic. Javier's controlled test, run from a secure system, logs interactions to simulate a real attack, aiming to evaluate the IT team's a

to identify the threat.

What DoS/DDoS attack technique is Javier's exercise primarily simulating?

Calvin, a software developer, uses a feature that helps him auto-generate the content of a web page without manual involvement and is integrated with SSI directives. This leads to a vulnerability in the developed web application as this feature accepts remote user inputs and uses them on the page. Hackers can exploit this feature and pass malicious SSI directives as input values to perform malicious activities such as modifying and erasing server files.

What is the type of injection attack Calvin's web application is susceptible to?

A penetration tester targets a company's executive assistants by referencing upcoming board meetings in an email requesting access to confidential agendas. What is the most effective social engineering technique to obtain the necessary credentials without raising suspicion?

During a security assessment in San Francisco, an ethical hacker is tasked with evaluating a network's

resilience against stealthy reconnaissance attempts. The hacker needs to employ a scanning technique that leverages TCP nags to evade detection by intrusion detection systems. relying on the targetts response

behavior to infer port states without completing a full connection. Which approach best aligns with this

strategy. ensuring minimal visibility during the assessment?

Harris is attempting to identify the OS running on his target machine. He inspected the initial TTL in the IP header and the related TCP window size and obtained the following results:

TTL: 64 -

Window Size: 5840 -

What the OS running on the target machine?

During an internal assessment, a penetration tester gains access to a hash dump containing NTLM password hashes from a compromised Windows system. To crack the passwords efficiently, the tester uses a high-performance GPU setup with the hash cat tool, configuring it to attempt millions of password combinations per second using a known hash algorithm. This setup drastically reduces the time required for password recovery compared to CPU-based cracking methods. Which technique is being optimized in this scenario?

In the heart of Silicon Valley, ethical hacker Sophia Nguyen is hired by InnoVate Solutions, a San Francisco- based startup, to secure their cloud-based task management platform. On March IS, 2025, Sophia begins testing a feature that allows users to upload custom workflow templates to streamline project assignments. By carefully crafting a template file, she manipulates the platform's data processing, triggering unexpected behavior that grants her administrative access to restricted project dashboards. The issue arises from the platform's handling of user-supplied data during object reconstruction, not from dat

se queries, client-side code execution, or session manipulation. Sophia documents her findings to help Innovate's developers strengthen their application.

Which web application vulnerability is Sophia most likely exploiting in Innovate Solutions' task management

platform?

What would be the purpose of running "wget 192.168.0.15 -q -S" against a web server?

A penetration tester finds malware that spreads across a network without user interaction, replicating itself from one machine to another. What type of malware is this?

In a high-stakes cybersecurity exercise in Boston, Emily, an ethical hacker, is tasked with tracing a mock

phishing email sent to a healthcare provider's staff. using the email header. she identifies a series of IP

addresses and server details, including multiple timestamps and server names. Her objective is to pinpoint the exact moment the email was processed by the sender's system. As part of her reconnaissance. what specific detail from the email header should Emily examine to determine this information?

James is working as an ethical hacker at Technix Solutions. The management ordered James to discover how vulnerable its network is towards footprinting attacks. James took the help of an open-source framework for performing automated reconnaissance activities. This framework helped James in gathering information using free tools and resources.

What is the framework used by James to conduct footprinting and reconnaissance activities?

system within a corporate network protected by advanced firewalls, IDS, and email security gateways. To maintain persistence and evade content inspection, the attacker crafts a malicious HTML email attachment containing obfuscated JavaScript code. When the user opens the attachment in a browser, a hidden JavaScript blob dynamically reconstructs a malware payload and triggers an automatic file download on the client side. No external connections are initiated during this process, making it difficult for network security tools to detect or block the attack. Which evasion technique is being employed to bypass the firewall and IDS protections?

In the heart of Silicon Valley, California, network administrator Jake Henderson oversees the web

infrastructure for Tech Trend innovations, a startup specializing in cloud solutions. During a routine architecture review. Jake evaluates the setup of their web server. which handles high-traffic API requests. He notes that the server's primary module processes incoming requests and works with additional modules to manage encryption, URL rewriting, and authentication. Curious about the server's design. Jake consults the documentation to ensure optimal performance and security.

Which web server component is Jake analyzing as part of Tech Trend Innovations' architecture?

An attacker identified that a user and an access point are both compatible with WPA2 and WPA3 encryption. The attacker installed a rogue access point with only WPA2 compatibility in the vicinity and forced the victim to go through the WPA2 four-way handshake to get connected. After the connection was established, the attacker used automated tools to crack WPA2-encrypted messages.

What is the attack performed in the above scenario?

A penetration tester suspects that a web application's user profile page is vulnerable to SQL Injection, as it uses the userID parameter in SQL queries without proper sanitization. Which technique should the tester use to confirm the vulnerability?

During a post-exploitation phase in a network compromise simulation, ethical hacker Devon Hughes gains a Meterpreter session on a managers Windows 10 workstation. To maintain stealth, he avoids actions that generate obvious signs of tampering such as privilege escalation or file system changes. Instead. he wants to monitor the user's live activity over time without their knowledge. focusing specifically on input patterns and active sessions.

Which Meterpreter command should he use to achieve this objective with minimal v

When considering how an attacker may exploit a web server, what is web server footprinting?

A penetration tester is running a vulnerability scan on a company's network. The scan identifies an open port with a high-severity vulnerability linked to outdated software. What is the most appropriate next step for the tester?

You are Ava Mitchell, an ethical hacker at Sentinel Cyberwars, hired to test the wireless defenses of

Horizon Financial. a bank in Boston, Massachusetts. During a covert nighttime assessment, your objective is to simulate an attacker attempting to breach the bank's WPA-protected Wi-Fi network. You deploy a tool that allows you to capture wireless packets, send de-authentication packets to force client reconnections. And attempt to recover the encryption key, all within a single graphical interface. Based on the described

functionality, which Wi-Fi security auditing tool are you using?

Which of the following types of SQL injection attacks extends the results returned by the original query, enabling attackers to run two or more statements if they have the same structure as the original one?

A penetration tester discovers that a web application uses unsensitized user input to dynamically generate file paths. The tester identifies that the application is vulnerable to Remote File Inclusion (RFI). Which action should the tester take to exploit this vulnerability?

A penetration tester is assessing a company's HR department for vulnerability to social engineering attacks using knowledge of recruitment and onboarding processes. What is the most effective technique to obtain network access credentials without raising suspicion?

Leverox Solutions hired Arnold, a security professional, for the threat intelligence process. Arnold collected information about specific threats against the organization. From this information, he retrieved contextual information about security events and incidents that helped him disclose potential risks and gain insight into attacker methodologies. He collected the information from sources such as humans, social media, and chat rooms as well as from events that resulted in cyberattacks. In this process, he also prepared a report that includes identified malicious activities, recommended courses of action, and warnings for emerging attacks.

What is the type of threat intelligence collected by Arnold in the above scenario?

A penetration tester is testing a web application's product search feature, which takes user input and queries the database. The tester suspects the input is not properly sanitized. What is the best approach to confirm the presence of SQL injection?

A penetration tester is assessing an loT thermostat used in a smart home system. The device communicates with a cloud server for updates and commands. The tester discovers that communication between the device and the cloud server is not encrypted. What is the most effective way to exploit this vulnerability?

This type of injection attack does not show any error message. It is difficult to exploit as it returns information when the application is given SQL payloads that elicit a true or false response from the server. By observing the response, an attacker can extract sensitive information.

What type of attack is this?

An attacker extracts the initial bytes from an encrypted file container and uses a tool to iterate through numeric combinations. What type of cryptanalytic technique is being utilized?

A penetration tester discovers that a web application uses unsanitized user input to dynamically generate file paths. The tester identifies that the application is vulnerable to Remote File Inclusion (RFI). Which action should the tester take to exploit this vulnerability?

Roma is a member of a security team. She was tasked with protecting the internal network of an organization from imminent threats. To accomplish this task, Roma fed threat intelligence into the security devices in a digital format to block and identify inbound and outbound malicious traffic entering the organization's network.

Which type of threat intelligence is used by Roma to secure the internal network?

A security researcher is analyzing a target organization's publicly accessible cloud infrastructure. While reviewing the website's HTML source code, the researcher discovers direct references to files hosted on Amazon S3. What is the most effective way to identify additional publicly accessible bucket URLs used by the target?

During a targeted phishing campaign, an attacker gains access to a trusted internal system within a corporate network protected by advanced firewalls, IDS, and email security gateways. To maintain persistence and evade content inspection, the attacker crafts a malicious HTML email attachment containing obfuscated JavaScript code. When the user opens the attachment in a browser, a hidden JavaScript blob dynamically reconstructs a malware payload and triggers an automatic file download on the client side. No external connections are initiated during this process, making it difficult for network security tools to detect or block the attack. Which evasion technique is being employed to bypass the firewall and IDS protections?

Sam, a web developer, was instructed to incorporate a hybrid encryption software program into a web application to secure email messages. Sam used an encryption software, which is a free implementation of the OpenPGP standard that uses both symmetric-key cryptography and asymmetric-key cryptography for improved speed and secure key exchange.

What is the encryption software employed by Sam for securing the email messages?

A security analyst investigates unusual east-west traffic on a corporate network. A previously MAC address is found actively communicating from a port connected to a trusted desktop. On closer inspection, a small computing device (Raspberry Pi) was physically inserted between the switch and the legitimate machine. This setup allows the rogue device to piggyback onto the network using the identity and privileges of the authenticated workstation without triggering any authentication processes or alarms. Which evasion technique is being used to blend unauthorized traffic with legitimate access?

During a red team engagement simulating a targeted attack on a smart office environment, an ethical hacker identifies a thermostat used for regulating temperature across multiple floors. While analyzing its firmware management process, the tester discovers that the device accepts older versions without verifying their integrity or authenticity. The attacker successfully loads a previously deprecated firmware that contains known vulnerabilities and gains unauthorized access to the broader network by exploiting reintroduced flaws. No mechanisms are in place to prevent version rollback or verify firmware trustworthiness. Which loT security issue is most accurately demonstrated in this scenario?

Which wireless security protocol replaces the personal pre-shared key (PSK) authentication with Simultaneous Authentication of Equals (SAE) and is therefore resistant to offline dictionary attacks?

A university's online registration system is experiencing disruptions due to a DDoS attack that combines DNS reflection and HTTP slow Loris techniques. Standard firewalls and load balancers are unable to mitigate the attack without impacting legitimate users. To ensure uninterrupted registration services, which advanced mitigation strategy should the university implement?

An ethical hacker needs to gather detailed information about a company's internal network without initiating any direct interaction that could be logged or raise suspicion. Which approach should be used to obtain this information covertly?

Rebecca, a security professional, wants to authenticate employees who use web services for safe and secure communication. In this process, she employs a component of the Web Service Architecture, which is an extension of SOAP, and it can maintain the integrity and confidentiality of SOAP messages.

Which of the following components of the Web Service Architecture is used by Rebecca for securing the communication?

A penetration tester identifies that a web application's login form is not using secure password hashing mechanisms, allowing attackers to steal passwords if the database is compromised. What is the best approach to exploit this vulnerability?

A penetration tester is tasked with uncovering historical content from a company's website, including previously exposed login portals or sensitive internal pages. Direct interaction with the live site is prohibited due to strict monitoring policies. To stay undetected, the tester decides to explore previously indexed snapshots of the organization's web content saved by external sources. Which approach would most effectively support this passive information-gathering objective?

Calvin, a grey-hat hacker, targets a web application that has design flaws in its authentication mechanism. He enumerates usernames from the login form of the web application, which requests users to feed data and specifies the incorrect field in case of invalid credentials. Later, Calvin uses this information to perform social engineering. Which of the following design flaws in the authentication mechanism is exploited by Calvin?

During a high-stakes engagement on a secure corporate network, a penetration tester discovers an opportunity to attack the domain controller. By abusing an API call from Microsoft's Encrypting File System Remote Protocol (MS-EFSRPC), the tester forces the domain controller to initiate NTLM authentication to a server controlled by the tester. The tester then captures the resulting NTLM hash and relays it to the Active Directory Certificate Services (AD CS), ultimately obtaining a certificate that confers administrative privileges over the network. This sophisticated method allows the tester to compromise the network without requiring direct access to the domain controller. Which network-level hijacking technique is illustrated in this scenario?

During a comprehensive security audit of a financial institution's online infrastructure, a penetration tester observes abnormal traffic redirection patterns affecting the institution's primary domain. Customers who attempt to access the legitimate website are seamlessly redirected to a visually identical phishing page, hosted on a suspicious IP address. After tracing the DNS resolution path, the tester discovers that the authoritative DNS server has been compromised, and its records have been altered to point to the attacker's server. The redirection affects all DNS queries for the domain, indicating unauthorized control over name resolution infrastructure, rather than local cache poisoning or client-side manipulation. The tester confirms that this redirection was achieved by tampering with the DNS zone records themselves. Which technique is being used in this scenario?

A group of hackers were roaming around a bank office building in a city, driving a luxury car. They were using hacking tools on their laptop with the intention to find a free-access wireless network.

What is this hacking process known as?

During a physical penetration test simulating a social engineering attack, a threat actor walks into the lobby of a target organization dressed as a field technician from a known external vendor. Carrying a fake ID badge and referencing a known company name, the attacker confidently claims they've been dispatched to perform a routine server room upgrade. Using internal-sounding terminology and referencing real employee names gathered via OSINT, the individual conveys urgency. The receptionist, recognizing the vendor name and the convincing language, allows access without verifying the credentials.

A company's online service is under a multi-vector DoS attack using both SYN floods and HTTP GET floods from a botnet. Standard firewalls and IDS are unable to prevent the outages. To mitigate the attack without disrupting legitimate traffic, which advanced defense should the company implement?

Geena, a cloud architect, uses a master component in the Kubernetes cluster architecture that scans newly generated pods and allocates a node to them. This component can also assign nodes based on factors such as the overall resource requirement, data locality, software/hardware/policy restrictions, and internal workload interventions.

Which of the following master components is explained in the above scenario?

While conducting a covert penetration test on a UNIX-based infrastructure, the tester decides to bypass Intrusion detection systems by sending specially crafted TCP packets with an unusual set of flags enabled. These packets do not initiate or complete any TCP handshake. During the scan, the tester notices that when certain ports are probed, there is no response from the target, but for others, a TCP RST (reset) packet is received. The tester notes that this behavior consistently aligns with open and closed ports, respectively, without triggering detection systems configured to monitor connection-based scans. Based on these observations, which scanning technique is most likely being used?

A cyber adversary is performing external reconnaissance on a large enterprise network with multiple perimeter defenses in place, including packet-filtering firewalls and intrusion detection systems (IDS). The goal is to enumerate the firewall’s rule set to identify which TCP and UDP ports are permitted for inbound traffic to internal systems. To minimize noise and avoid immediate detection, the attacker wants to use a method that mimics normal traffic flows while providing insight into how the firewall handles packets based on port and protocol combinations. Which reconnaissance technique should the attacker choose to effectively map the firewall's filtering behavior without raising alerts?

Bill has been hired as a penetration tester and cyber security auditor for a major credit card company.

Which information security standard is most applicable to his role?

You're a security analyst conducting a foot printing exercise for a new client to uncover as much

information as possible without direct interaction. Your preliminary investigation using search engines and

public databases has provided a significant amount of data about the organization's online presence. You are now considering using Google Hacking techniques to find further vulnerabilities. Which of the following could best justify this decision?

A penetration tester is assessing the security of a corporate wireless network that uses WPA2-Enterprise encryption with RADIUS authentication. The tester wants to perform a man-in-the-middle attack by tricking wireless clients into connecting to a rogue access point. What is the most effective method to achieve this?

Mirai malware targets IoT devices.

After infiltration, it uses them to propagate and create botnets that are then used to launch which types of attack?

While performing a vulnerability assessment for XYZ Corporation, you discover that several key systems are regularly interacting with unidentified external entities. These interactions often involve data transfers, both incoming and outgoing. While some of these might be legitimate, the nature and volume of this unmonitored traffic raise concerns about potential data exfiltration or malware introduction. Given the ambiguous nature of these interactions and the high stakes involved, which strategy would most directly identify and mitigate the vulnerabilities associated with these unsanctioned exchanges?

During a red team exercise, a certified ethical hacker (CEH) is working on exploiting a potential vulnerability

in the target's web server. The CEH has completed the information gathering and footprinting stages and

mirrored the website for offline analysis. They have also discovered the server is prone to session hijacking.

Which next step is most likely to be part of a successful attack methodology, keeping in mind the requirement to minimize the possibility of detection?

Jacob works as a system administrator in an organization. He wants to extract the source code of a mobile application and disassemble the application to analyze its design flaws. Using this technique, he wants to fix any bugs in the application, discover underlying vulnerabilities, and improve defense strategies against attacks.

What is the technique used by Jacob in the above scenario to improve the security of the mobile application?

A senior executive receives a personalized email with a subject line that reads "Annual Performance Review 2024." The email contains a downloadable PDF that installs a backdoor when opened. The email appears to come from the CEO and includes company branding. Which phishing method does this best illustrate?

A cybersecurity team at a multinational company notices unusual network traffic on their Bluetooth devices. It is suspected to be a Bluesnarfing attack, aimed at accessing unauthorized information from Bluetooth-enabled devices.

Which of the following would be the most effective countermeasure to prevent further unauthorized access?

To hide the file on a Linux system, you have to start the filename with a specific character.

What is the character?

A company's customer data stored in a cloud environment has been exposed due to an vulnerability. Which of the following types of attacks most likely led to this incident?

An attacker performs DNS cache snooping using the dig command with the +norecurse flag against a

known DNS server. The server returns NOERROR but provides no answer to the query. What does this most likely suggest?

John, a professional hacker, targeted CyberSol Inc., an MNC. He decided to discover the IoT devices connected in the target network that are using default credentials and are vulnerable to various hijacking attacks. For this purpose, he used an automated tool to scan the target network for specific types of IoT devices and detect whether they are using the default, factory-set credentials.

What is the tool employed by John in the above scenario?

A multinational company is planning to integrate an IoT-based environmental control system for its manufacturing units worldwide. They engage a cybersecurity team to ensure that the new system remains secure from any potential threats. The cybersecurity team is tasked with identifying the most likely method an advanced persistent threat (APT) group might use to compromise the new IoT-based environmental control system. What is the most plausible attack vector?

A cybersecurity company wants to prevent attackers from gaining information about its encrypted traffic

patterns. Which of the following encryption algorithms should they utilize?

Jane is working as a security professional at CyberSol Inc. She was tasked with ensuring the authentication and integrity of messages being transmitted in the corporate network. To encrypt the messages, she implemented a security model in which every user in the network maintains a ring of public keys. In this model, a user needs to encrypt a message using the receiver’s public key, and only the receiver can decrypt the message using their private key.

What is the security model implemented by Jane to secure corporate messages?

After a recent breach, your team discovers that attackers used modified versions of legitimate system utilities and a Windows service to persist undetected for weeks, accessing internal credentials.

What key step can be taken to better protect against similar future threats?

During a penetration test on a legacy Windows network, you use the nbtstat -A <IP> command on a target

system and retrieve several NetBIOS names, including entries ending with <20> and <03>. However, attempts to list shared folders fail. Which of the following best explains this behavior?

What is the following command used for?