EC-Council CEH Exam Questions

Page 9 of 65

161.

Which type of DDoS attack exploits the three-way handshake of TCP connections?

  • SYN flood

  • ICMP flood

  • HTTP flood

  • ARP poisoning

Correct answer: SYN flood

A SYN flood attack exploits the TCP three-way handshake by initiating connections rapidly and then abandoning them. 

ICMP flood attacks involve sending an overwhelming amount of ping requests, HTTP flood attacks target web servers with HTTP requests, and ARP poisoning misleads network devices via incorrect ARP data.

162.

Which evasion technique involves an attacker sending data in tiny amounts at irregular intervals to avoid detection?

  • Session splicing

  • TTL evasion

  • Fragmentation attack

  • Encryption

Correct answer: Session splicing

Session splicing is a technique where an attacker sends data in very small fragments at irregular intervals to evade IDS detection. 

TTL evasion manipulates packet Time-To-Live values, fragmentation splits malicious payloads into smaller packets, and encryption hides payload contents.

163.

Which scoring system provides a standardized method to rate vulnerabilities?

  • CVSS

  • DNSSEC

  • WAF

  • HIDS

Correct answer: CVSS

The Common Vulnerability Scoring System (CVSS) provides a standardized method to rate vulnerabilities based on their severity. 

DNSSEC is used for DNS security. WAF stands for Web Application Firewall. HIDS is an acronym for Host-based Intrusion Detection Systems. 

164.

Which section of a vulnerability assessment report typically provides a detailed analysis of each identified vulnerability?

  • Findings and Analysis

  • Executive Summary

  • Recommendations

  • Assessment Scope

Correct answer: Findings and Analysis

The Findings and Analysis section of a vulnerability assessment report dives deep into each identified vulnerability, providing details such as its impact, risk rating, and evidence. 

The Executive Summary provides a high-level overview for leadership, the Recommendations section offers guidance on mitigation, and the Assessment Scope states the boundaries of the assessment.

165.

Why would an attacker be interested in executing a DHCP Starvation attack followed by a rogue DHCP server setup?

  • To serve malicious IP configurations to victims

  • To encrypt the DHCP traffic

  • To detect unauthorized devices on the network

  • To enhance the network's security

Correct answer: To serve malicious IP configurations to victims

By first launching a DHCP Starvation attack, the attacker can exhaust the available IP addresses from the legitimate DHCP server. After this, setting up a rogue DHCP server allows the attacker to provide malicious IP configurations (like DNS settings) to victim devices, potentially redirecting them to malicious sites or intercepting their traffic. 

This isn't done to encrypt DHCP traffic, detect unauthorized devices, or enhance network security.

166.

You have been tasked with performing a SYN scan on a client's 192.168.1.0/24 subnet. Which command could you run to perform this task?

  • nmap -sS 192.168.1.0/24

  • nmap -sS 192.168.1.1

  • nmap -sT 192.168.1.0/24

  • nmap -sT 192.168.1.1

Correct answer: nmap -sS 192.168.1.0/24 

To run a SYN scan (sometimes known as a half-open scan), you will use the -sS parameter in your nmap scan. In nmap, you can specify a single IP address, a range, or a CIDR network block as shown in the example. 

The command nmap -sS 192.168.1.1 will perform a SYN scan but only against the single target IP address of 192.168.1.1 instead of the network block of 192.168.1.0/24. The -sT parameter in an nmap command will perform a full connect scan instead of a SYN scan. 

167.

How many devices were thought to be compromised as part of Mirai botnet?

  • Over 100,000

  • About 50,000

  • Less than 10,000

  • One million

Correct answer: Over 100,000

The Mirai botnet infected small, special-purpose devices running on an embedded implementation of Linux. The number of devices thought to have been infected by the Mirai botnet is over 100,000. 

It's easy to underestimate the number of systems that are compromised each year. Since 2005, there has not been a year without at least 10 million data records being compromised.

168.

Which feature does AndroRAT not inherently provide?

  • Encrypting device data 

  • Capturing screenshots

  • Retrieving contact lists

  • Recording videos

Correct answer: Encrypting device data 

Encrypting data is related to security tools that aim to protect information, not tools designed for remote administration or monitoring.

AndroRAT does not inherently provide encryption services for device data. Its main features include retrieving contact lists, capturing screenshots, and recording videos as part of its surveillance capabilities. 

169.

How do IoT devices typically connect to the internet?

  • Through various communication protocols such as Wi-Fi, Bluetooth, Zigbee, or cellular networks

  • Exclusively through Ethernet cables

  • By using only near-field communication (NFC)

  • IoT devices do not connect to the internet; they operate independently

Correct answer: Through various communication protocols such as Wi-Fi, Bluetooth, Zigbee, or cellular networks

IoT devices require connectivity to communicate with the internet and other devices, which is achieved through various wireless protocols including Wi-Fi, Bluetooth, Zigbee, and cellular networks, depending on the device's specific needs and capabilities. 

The other options are incorrect because they either limit the connection method (Ethernet cables or NFC, neither of which is the sole method of connection) or inaccurately state that IoT devices do not connect to the internet.

170.

What kind of information can you gather from DNS enumeration?

  • IP addresses and domain names

  • Usernames and passwords

  • Physical locations of devices

  • Operating system versions

Correct answer: IP addresses and domain names

DNS enumeration yields IP addresses and domain names. DNS is enumerated over port 53 (TCP and UDP).

Usernames and passwords, physical locations of devices, and operating system versions are not typically information that would be gathered through DNS enumeration.

171.

Which technique helps attackers gather information to make their impersonation on social media more believable?

  • OSINT

  • Cryptography

  • Network sniffing

  • Data encryption

Correct answer: OSINT

OSINT, or Open Source Intelligence, involves gathering information from publicly available sources. Attackers can use OSINT to collect details about their targets, making their impersonation attempts more credible and convincing on social media.

Cryptography is used for securing information, network sniffing captures data packets on a network, and data encryption converts data into a code to prevent unauthorized access. 

172.

Which of the following can be a potential sign of a Trojan infection?

  • Unexpected system behavior or crashes

  • Quick replication across all network devices

  • Automatic software updates

  • Improved system performance

Correct answer: Unexpected system behavior or crashes

Unexpected system behavior, slowdowns, or crashes can be indicative of a Trojan infection as the malicious code may interfere with regular operations. 

Quick replication across network devices is characteristic of worms. Automatic software updates, while potentially suspicious in certain contexts, aren't specific indicators of Trojans. Improved system performance is unlikely to result from malware.

173.

In which type of application vulnerability can an attacker manipulate variables to gain unauthorized access to resources?

  • IDOR

  • Verbose error messages

  • Weak encryption algorithms

  • Third-party integrations

Correct answer: IDOR

Insecure Direct Object References (IDOR) occur when an attacker can directly access references to objects, such as files, database keys, or internal data without proper authorization. This can lead to unauthorized data exposure or modification. 

Verbose error messages provide too much information to the user. Weak encryption algorithms pose risks related to data encryption, not object references. Third-party integrations can introduce vulnerabilities but not specifically direct object reference issues.

174.

What type of attack exploits vulnerabilities in web applications to divert users from a trusted to an untrusted site, potentially leading to further exploitation?

  • Redirection attack

  • Frame injection

  • HTTP header injection

  • ActiveX control attacks

Correct answer: Redirection attack

Redirection attacks exploit vulnerabilities in web applications to redirect users from a trusted site to an untrusted one, often as a precursor to phishing or malware delivery. 

Frame injection attacks inject a malicious frame or iframe into a web page. HTTP header injection involves adding or modifying HTTP headers. ActiveX control attacks exploit vulnerabilities in ActiveX components.

175.

What potential risk do geotagged photos on social media platforms pose?

  • They can reveal the physical locations of individuals or assets

  • They decrease the image's resolution

  • They allow direct access to the user's device

  • They tag the individual's IP address

Correct answer: They can reveal the physical locations of individuals or assets

Geotagged photos contain metadata about where the photo was taken, which can inadvertently reveal sensitive location information. 

Geotagging does not present the risk of decreasing the image's resolution, allowing direct access to the user's device, or tagging the individual's IP address. 

176.

Which tool is primarily used for the purpose of bluesnarfing, allowing attackers to copy data from a victim's Bluetooth-enabled device?

  • BlueSnarf++

  • BlueScanner

  • BluejackXX

  • Bluebugger

Correct answer: BlueSnarf++

BlueSnarf++ is a tool specifically designed for carrying out Bluesnarfing attacks. It exploits vulnerabilities in Bluetooth-enabled devices to access and copy data without authorization. 

BlueScanner is used for detecting Bluetooth-enabled devices. BluejackXX is for Bluejacking attacks. Bluebugger is used for exploiting Bluetooth device vulnerabilities, typically in Bluebugging attacks.

177.

Which feature of Malwarebytes aims to block malicious websites?

  • Web Protection

  • Scan Scheduler

  • Password Vault

  • Encryption Tuner

Correct answer: Web Protection

Malwarebytes' Web Protection feature is designed to block connections to known malicious websites, adding an extra layer of security while browsing the web. 

The Scan Scheduler feature automates malware scans, but it doesn't deal with website blocking. Malwarebytes does not have features called Password Vault or Encryption Tuner. 

178.

What characterizes a Trojan in the realm of cybersecurity?

  • A malicious program disguised as legitimate software

  • A program that replicates itself to infect multiple systems

  • Software that encrypts user data for a ransom

  • A script that logs keyboard inputs

Correct answer: A malicious program disguised as legitimate software

A Trojan is a type of malware that masquerades as legitimate software but performs malicious actions once executed. 

Worms, not Trojans, have the capability to replicate and spread across systems without user intervention. Ransomware is a distinct type of malware that encrypts user data and demands payment for decryption. While some Trojans might have keylogging functionalities, not all of them log keyboard inputs.

179.

You are doing reconnaissance on a target company for a red team engagement using OSINT techniques. You'd like to look up public filings associated with the target company, such as their annual and quarterly reports, which show details about the company's finances. Where could you look to find this information?

  • EDGAR

  • Domain registrars

  • Whois

  • LinkedIn

Correct answer: EDGAR

The Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system is a Securities and Exchange Commission (SEC) database that stores public information about public companies. Using this system, you can look up public filings such as an annual report in Form 10-K or quarterly reports in Form 10-Q. 

Domain registrars also have public information about companies and can be used in OSINT, but they don't provide the same type of information (e.g., annual and quarterly reports) as EDGAR. Whois is an internet record listing that identifies who owns a domain and how to contact the domain owner if you need to. LinkedIn is a social networking site primarily used by professionals. LinkedIn is great for OSINT but would not be useful in this particular scenario. 

180.

A social engineering attack that was once very common was the Nigerian Prince scam. What is another name for this scam?

  • 419

  • 412

  • 619

  • 612

Correct answer: 419

A social engineering attack that was once very popular was the Nigerian Prince scam, also known as the 419 scam. 419 refers to a section of the Nigerian criminal code. The scam requests the victim send an advance fee to a Nigerian Prince in exchange for future riches. 

412, 619, and 612 are numbers that are not related to any specific scam.