EC-Council CEH Exam Questions
Page 3 of 65
41.
In which scenario is a race condition most likely to be exploited for privilege escalation?
- When an application writes data to a file without proper locking mechanisms
- When encrypted data is transmitted over a network
- When a user inputs a large amount of data into a form
- When an application filters out malicious input
Correct answer: When an application writes data to a file without proper locking mechanisms
Race conditions can be exploited for privilege escalation when there's a small window of opportunity between when a system checks a condition (like a permission check) and when it takes action based on that condition. If an application writes to a file without proper locking, an attacker might exploit this window to manipulate the file or its permissions.
The other options don't describe typical scenarios where race conditions lead to privilege escalation.
42.
When a SYN scan is performed, what type of message does nmap receive when a port is closed?
- RST
- URG
- FIN
- PSH
Correct answer: RST
During a SYN scan, nmap sends a SYN message to the target. If the port is open, the host replies with a SYN/ACK message. If the port is closed, the host replies with an RST message.
URG, FIN, and PSH are the flags that are set during an Xmas scan.
43.
Which type of malware can potentially spread to other systems by copying itself to removable drives?
- Worm
- Trojan
- Spyware
- Rootkit
Correct answer: Worm
Worms can self-replicate and have the ability to spread to other systems, including through methods like copying themselves to removable drives.
Trojans disguise themselves as legitimate software but have malicious intent. Spyware's primary function is to gather user data covertly. Rootkits aim to gain elevated access to a computer while remaining hidden.
44.
Which stage of the Mandiant Attack Lifecycle concerns the attacker's efforts to maintain their position within a compromised network over a prolonged period?
- Maintain Presence
- Deliver Malware
- Internal Reconnaissance
- Complete Mission
Correct answer: Maintain Presence
In the Maintain Presence phase, the attacker makes efforts to ensure their continued access to the target environment. There are numerous techniques to establish persistence, such as using the Windows registry or scheduled tasks to keep malware running.
The Deliver Malware stage is for introducing malicious software to the target. Internal Reconnaissance is when the attacker scouts within the network for more information. Complete Mission denotes the stage where the attacker accomplishes their primary objective.
45.
Which advanced search operator for search engines allows an ethical hacker to search for specific file types related to a target domain?
- filetype:
- inurl:
- site:
- cache:
Correct answer: filetype:
Valuable information about a target can be gathered by performing Google Hacking, a term used to describe the use of advanced search operators to extract sensitive information. The advanced search operator filetype: lets users search for specific file extensions related to the domain.
The inurl: operator searches for specific text within URLs. The site: operator restricts the search to a specific domain or website. The cache: operator displays what a page looked like the last time Google visited it.
46.
Which tool can perform a dictionary attack against web server passwords and also supports plugins for extended functionality?
- John the Ripper
- Netstat
- Nslookup
- Route
Correct answer: John the Ripper
John the Ripper is capable of performing dictionary attacks against various password hashes and supports plugins for extended functionality, making it adaptable to many types of password cracking requirements.
Netstat displays network connections, Nslookup queries DNS to obtain domain name or IP address mapping, and Route is used to view or modify the IP routing table.
47.
What is the goal of an HTTP response splitting attack?
- To create two separate HTTP responses from a single HTTP request
- To double the server's response time
- To increase the size of HTTP headers
- To remove cookies from HTTP responses
Correct answer: To create two separate HTTP responses from a single HTTP request
The goal of an HTTP response splitting attack is to create two separate HTTP responses from a single HTTP request. By carefully crafting input that includes header fields and CRLF characters, an attacker can trick the server into sending an additional response, leading to various attacks such as cache poisoning or cross-site scripting.
Doubling response time, increasing header size, or removing cookies are not the objectives of this attack.
48.
What is a common characteristic of fileless malware attacks initiated via web browsers?
- Exploiting browser extensions
- Sending spam emails
- Encrypting user files
- Modifying the user's homepage
Correct answer: Exploiting browser extensions
Exploiting browser extensions is a common initiation vector for fileless malware attacks, as malicious extensions can execute scripts directly within the browser environment, often with elevated privileges.
Sending spam emails, encrypting user files, and modifying a user's homepage are tactics seen in various types of malware, but they aren't features of fileless malware attacks initiated via browsers.
49.
Which iOS feature, if disabled, can increase the risk of unauthorized access to the device's data?
- Touch ID/Face ID
- Siri
- Control Center
- Notification Center
Correct answer: Touch ID/Face ID
Disabling Touch ID/Face ID, which are biometric authentication features, can increase the risk of unauthorized access because the device would then rely solely on passcodes, which can be more easily bypassed or guessed.
Siri, Control Center, and Notification Center provide convenience and functionality but do not secure the device against unauthorized physical access.
50.
What is a passive technique used by attackers to monitor and capture data packets over a wireless network?
- Wireless sniffing
- MAC flooding
- IP spoofing
- Port scanning
Correct answer: Wireless sniffing
Wireless sniffing is a technique used to monitor and capture data packets traveling over a wireless network without altering the traffic. This is a useful passive technique to gather information.
MAC flooding is an attack that overwhelms the switch's MAC table. Port scanning is used to find open ports. IP spoofing involves creating IP packets with a forged source IP address.
51.
What is one way to quickly determine that systems on a target network are alive?
- Perform a ping sweep
- Perform a vulnerability scan
- Utilizing a packet crafting program
- Fragmenting packets before sending them
Correct answer: Perform a ping sweep
Performing a ping sweep is one way to quickly determine which systems are alive on a target network. A ping sweep is when you send ping messages to every system on the network. Tools such as fping and MegaPing can be used to perform ping sweeps.
Many vulnerability scanners can tell you whether a system is alive as well, but they will not be as quick as running a ping sweep. A packet crafting tool, such as hping, can be used to craft packets in a specific way that may be used to evade firewalls or other detection methods. Fragmenting packets will not assist in quickly determining which systems are alive.
52.
What purpose could ARIN serve during the reconnaissance phase?
- To determine the range of IP addresses associated with a target network
- To perform a Denial of Service (DoS) attack on a target network
- To infiltrate a target network and gain control over its systems
- To modify the configuration of a target network's firewall
Correct answer: To determine the range of IP addresses associated with a target network
The American Registry for Internet Names (ARIN) is the Regional Internet Registry (RIR) for the United States, Canada, Antarctica, and parts of the Caribbean. During footprinting and reconnaissance, ARIN can be queried to determine the range of IP addresses associated with a target network.
ARIN cannot be used for performing DoS attacks, infiltrating networks, or modifying firewall configurations.
53.
Which tool is used for cracking encrypted passwords and gaining access to user accounts?
- John the Ripper
- OpenSSH
- KeePass
- TrueCrypt
Correct answer: John the Ripper
John the Ripper is widely used for password cracking by trying various password combinations against the hashes of encrypted passwords until a match is found, which is its primary use.
OpenSSH is a suite of secure networking utilities based on the Secure Shell (SSH) protocol, not a password cracker. KeePass is a free, open-source password manager, which helps you manage your passwords securely, not crack them. TrueCrypt was used for disk encryption, not password cracking.
54.
Which protocol is primarily used for collecting user information from Windows systems?
- NetBIOS
- DHCP
- FTP
- SNMP
Correct answer: NetBIOS
NetBIOS is used to enable communication between Windows systems and therefore can be exploited to gather user information. One tool that can be used for this purpose is NetBIOS Enumerator.
DHCP assigns IP addresses in a network, FTP is for file transfer, and SNMP is for managing network devices.
55.
Which vulnerability could an attacker exploit to perform horizontal privilege escalation in a multi-user web application?
- Broken access control
- Broken authentication
- Session management weakness
- Insufficient cryptography
Correct answer: Broken access control
Broken access control vulnerabilities can be exploited by attackers to perform horizontal privilege escalation, allowing them to access other users' data or functionalities at the same privilege level.
Broken authentication deals with flaws in the login process, such as weak password policies. Session management weaknesses may lead to session hijacking. Insufficient cryptography usually pertains to data protection, not authorization schemes.
56.
When executing a web server attack, what is the purpose of using a payload?
- To deliver code or commands that will be executed on the target server
- To increase the bandwidth of the attacker's network
- To provide a backup of the server's data
- To document the steps of the attack for reporting purposes
Correct answer: To deliver code or commands that will be executed on the target server
In the context of a web server attack, the purpose of using a payload is to deliver code or commands that will be executed on the target server, resulting in the attacker gaining control or extracting data.
Increasing bandwidth, backing up data, or documenting attack steps are not related to the use of a payload in an attack.
57.
Which tool is commonly used for forensic analysis of iOS devices?
- iExplorer
- Xcode
- Cycript
- iTunes
Correct answer: iExplorer
iExplorer is a tool that can be used for the forensic analysis of iOS devices, as it allows access to the file system and can extract data.
Xcode is an Integrated Development Environment (IDE) for macOS, not primarily for forensic analysis. Cycript is a tool used for exploring and modifying running iOS applications, and iTunes is a media player and mobile device management application; neither of which is designed for forensic analysis.
58.
You want to perform a search for a specific username to see if it is being used on any social media sites. Which tool would best achieve this?
- Sherlock
- CrossLinked
- HTTrack
- Rubeus
Correct answer: Sherlock
Sherlock is a tool that is installed by default on ParrotOS. When you provide a list of usernames to Sherlock, the tool will go out and search for those usernames across hundreds of social networks.
CrossLinked is a LinkedIn enumeration tool that can provide a list of employees who work for an organization. HTTrack is a tool for mirroring websites. Rubeus is a tool mainly used to perform Kerberoasting attacks.
59.
What is the first stage of the cyber kill chain?
- Reconnaissance
- Weaponization
- Delivery
- Installation
Correct answer: Reconnaissance
The cyber kill chain is a commonly used framework in the information security space to outline the structure of an attack. Reconnaissance is the first stage in the cyber kill chain.
Weaponization, delivery, and installation all occur after the reconnaissance stage. The correct order of the cyber kill chain is reconnaissance, weaponization, delivery, exploitation, installation, command & control, and actions on objective.
60.
Which encryption standard was introduced with WPA2 to provide a stronger security framework?
- AES
- TKIP
- LEAP
- WEP
Correct answer: AES
Advanced Encryption Standard (AES), a symmetric-key encryption standard, was introduced with WPA2 as a mandatory encryption standard to enhance security.
AES replaced Temporal Key Integrity Protocol (TKIP), which was used in the original WPA standard, due to its vulnerabilities. Wired Equivalent Privacy (WEP) is an outdated and insecure encryption standard that was common before WPA. Lightweight Extensible Authentication Protocol (LEAP) is an authentication protocol, not an encryption standard.