Weekend Certification Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: best70

312-50v13 Certified Ethical Hacker Exam (CEHv13) Questions and Answers

Questions 4

In the neon-lit sprawl of Las Vegas, Nevada, a luxury hotel’s smart room control system suffered a breach, allowing an intruder to manipulate guest room settings. The incident investigation revealed that the IoT devices lacked any mechanism to verify the integrity or authenticity of software prior to execution, allowing tampered instructions to run unchecked. As Emna Ruza, a cybersecurity consultant brought in to assess the breach, you recommend a solution that ensures only authorized, validated code is executed on the devices.

Which secure development practice are you advising the hotel to implement?

Options:

A.

Allow code signing

B.

Ensure secure boot

C.

Secure firmware or software updates

D.

Utilize secure communication protocols

Buy Now
Questions 5

An attacker uses many plaintext–ciphertext pairs and applies statistical analysis to XOR combinations of specific bits. Which technique is being used?

Options:

A.

Brute-force attack

B.

Differential cryptanalysis

C.

Linear cryptanalysis

D.

Side-channel attack

Buy Now
Questions 6

A cloud service provider in Singapore is refining its defensive monitoring strategy to identify large-scale denial-of-service attempts against hosted applications. The security engineering team wants a detection mechanism that continuously evaluates incoming traffic streams and statistically determines the exact moment when normal behavior shifts into anomalous activity.

Rather than relying solely on static baselines or historical comparisons, the team prefers an approach that detects abrupt deviations in real time by identifying structural breaks in traffic metrics as they occur.

Which DDoS detection technique best fits this requirement?

Options:

A.

Sequential Change-Point Detection

B.

Wavelet-Based Signal Analysis

C.

Traffic Pattern Analysis

D.

Activity Profiling

Buy Now
Questions 7

A cybersecurity team at a regional healthcare provider is conducting an internal red team exercise to assess their exposure to service enumeration attacks. Amanda, a senior penetration tester, is assigned to probe the internal network for services that may reveal usernames, group information, or system details without requiring prior authentication. She decides to target common services running on specific ports that are often misconfigured or loosely monitored. During her reconnaissance, Amanda identifies several open ports across various hosts and must now prioritize which ones to probe first for maximum information gain related to enumeration. Which of the following services should Amanda target as a priority to enumerate usernames and group information without authentication?

Options:

A.

TCP 139 and UDP 137, 138

B.

TCP 21 and UDP 137, 138

C.

TCP 23 and UDP 137, 138

D.

TCP 25 and UDP 133

Buy Now
Questions 8

Packet fragmentation is used as an evasion technique. Which IDS configuration best counters this?

Options:

A.

Recognizing regular fragmented packet intervals

B.

Anomaly-based IDS detecting irregular traffic patterns

C.

Rejecting all fragmented packets

D.

Signature-based IDS detecting fragmented packet signatures

Buy Now
Questions 9

Maya Patel from SecureHorizon Consulting is called to investigate a security breach at Dallas General Hospital in Dallas, Texas, where a lost employee smartphone was used to access sensitive patient records. During her analysis, Maya finds that the hospital ' s mobile security policy failed to include a contingency to remotely secure compromised devices, allowing continued access to confidential data even after the device was lost. Based on this gap, which mobile security guideline should Maya recommend preventing similar incidents?

Options:

A.

Utilize a secure VPN connection while accessing public Wi-Fi networks

B.

Install device tracking software that allows the device to be located remotely

C.

Register devices with a remote locate and wipe facility

D.

Use anti-virus and data loss prevention DLP solutions

Buy Now
Questions 10

In the sunlit tech oasis of Phoenix, Arizona, ethical hacker Nadia Patel explores the security posture of LearnSphere, a U.S.-based e-learning platform serving thousands of students. During her testing, Nadia intentionally submits invalid inputs to the platform ' s content delivery system. Instead of returning a generic failure notice, the application responds with detailed system information, including database query strings and directory paths. Such responses provide attackers with valuable insights into the application ' s internal workings, which could be used to craft more precise and damaging attacks.

Which issue is being demonstrated?

Options:

A.

Improper Error Handling

B.

Directory Traversal

C.

Verbose Error Messages

D.

CORS Misconfiguration

Buy Now
Questions 11

During a penetration test, you perform extensive DNS interrogation to gather intelligence about a target organization. Considering the inherent limitations of DNS-based reconnaissance, which of the following pieces of information cannot be directly obtained through DNS interrogation?

Options:

A.

The specific usernames and passwords used by the organization’s employees.

B.

The estimated geographical location of the organization’s servers derived from IP addresses.

C.

The subdomains associated with the organization’s primary internet domain.

D.

The IP addresses associated with the organization’s mail servers.

Buy Now
Questions 12

During a red team simulation at a bank in Chicago, Illinois, the SOC team suspects that some of the incoming traffic may be spoofed. To verify this, an analyst begins monitoring the sequence values assigned to packets, looking for irregularities that indicate they were not generated by the legitimate source. Which spoofing detection technique is the analyst using?

Options:

Buy Now
Questions 13

A regional hospital network is conducting incident containment after discovering that an internal file server was accessed by unauthorized actors. While forensic analysis is ongoing, a security engineer must immediately protect sensitive medical records stored on a mounted partition without shutting down the system.

The solution must support strong encryption, including 256-bit AES, allow creation of encrypted containers within existing storage volumes, and provide the capability to conceal protected data inside standard-looking volumes to reduce visibility during continued investigation.

Select the disk encryption tool that best satisfies these operational and security requirements.

Options:

A.

FileVault

B.

Rohos Disk Encryption

C.

VeraCrypt

D.

BitLocker Drive Encryption

Buy Now
Questions 14

Which of the following tools performs comprehensive tests against web servers, including dangerous files and CGIs?

Options:

A.

John the Ripper

B.

Dsniff

C.

Snort

D.

Nikto

Buy Now
Questions 15

A penetration tester is hired by a company to assess its vulnerability to social engineering attacks targeting its IT department. The tester decides to use a sophisticated pretext involving technical jargon and insider information to deceive employees into revealing their network credentials. What is the most effective social engineering technique the tester should employ to maximize the chances of obtaining valid credentials without raising suspicion?

Options:

A.

Conduct a phone call posing as a high-level executive requesting urgent password resets

B.

Send a generic phishing email with a malicious attachment to multiple employees

C.

Create a convincing fake IT support portal that mimics the company ' s internal systems

D.

Visit the office in person as a maintenance worker to gain physical access to terminals

Buy Now
Questions 16

Which tool is best for sniffing plaintext HTTP traffic?

Options:

A.

Nessus

B.

Nmap

C.

Netcat

D.

Wireshark

Buy Now
Questions 17

A Windows endpoint generates alerts for credential dumping tools. What asset is targeted?

Options:

A.

Network

B.

Logs

C.

Availability

D.

Credentials

Buy Now
Questions 18

Joe, a cybersecurity analyst at XYZ-FinTech, has been assigned to perform a quarterly vulnerability assessment across the organization ' s Windows-based servers and employee workstations. His objective is to detect issues such as software configuration errors, incorrect registry or file permissions, native configuration table problems, and other system-level misconfigurations. He is instructed to log into each system using valid credentials to ensure comprehensive data collection. Based on this assignment, which type of vulnerability scanning should Joe perform?

Options:

A.

Application Scanning

B.

Host-based Scanning

C.

Network-based Scanning

D.

External Scanning

Buy Now
Questions 19

Systems are communicating with unknown external entities, raising concerns about exfiltration or malware. Which strategy most directly identifies and mitigates the risk?

Options:

A.

Aggressive zero-trust shutdown

B.

Deep forensic analysis

C.

Behavioral analytics profiling normal interactions

D.

Employee awareness training

Buy Now
Questions 20

A financial technology firm in Atlanta, Georgia launches an internal investigation after multiple employees report that a popular messaging application on their Android devices has begun displaying excessive advertisements and behaving unpredictably.

Security analysts discover that users had installed a utility application from a third-party marketplace weeks earlier. Further examination shows that this application silently replaced certain legitimate apps already present on the device. The compromised applications were then used to generate large volumes of advertisements and collect user data for external transmission.

Based on the observed behavior, what malware is most consistent with this incident?

Options:

A.

GoldPickaxe

B.

Agent Smith

C.

Pegasus

D.

Mamont

Buy Now
Questions 21

During a red team assessment of a multinational financial firm, you are tasked with identifying key personnel across various departments and correlating their digital footprints to evaluate exposure risk. Your objective includes mapping user aliases across platforms, identifying geotagged media, and pinpointing potential insider threats based on social posting behavior.

The team has shortlisted multiple tools for the task. Considering the technical capabilities and limitations described in the approved reconnaissance toolkit, which tool provides cross-platform username correlation by scanning hundreds of social networking sites, but does not natively support geolocation tracking or visualizing identity relationships?

Options:

A.

Maltego

B.

Creepy

C.

Sherlock

D.

Social Searcher

Buy Now
Questions 22

A web app deserializes untrusted data leading to RCE. What flaw exists?

Options:

A.

SSTI

B.

Insecure deserialization

C.

SQLi

D.

XSS

Buy Now
Questions 23

During an internal red team simulation at a global insurance provider, Joe, a senior SOC analyst, is assigned to verify a surge in anomalous SYN packets targeting the perimeter firewall. The result of spoofed traffic. The organization has ruled out DNS poisoning and malformed header issues. Joe must now analyze packet behavior in real-time to determine authenticity without relying on host-level authentication. To identify spoofed traffic using techniques aligned with best practices taught in the organization, which approach should Joe take?

Options:

Buy Now
Questions 24

A CEH has mirrored a website, identified session hijacking risk, and wants to minimize detection. What is the most appropriate next step?

Options:

A.

Attempt SQL Injection

B.

Hijack a session and modify server configuration

C.

Launch brute-force attacks

D.

Perform automated vulnerability scanning

Buy Now
Questions 25

At Liberty Mutual ' s cybersecurity operations center in Boston, network engineer Marcus is troubleshooting a critical issue during peak transaction hours. Multiple VLANs are experiencing intermittent access delays, and several endpoints including those on isolated VLANs are receiving network traffic not intended for them, raising concerns about data exposure. Marcus notices that the issue began after a newly imaged workstation used by an intern named Lisa was connected to a trunk port in the server room. Switch logs indicate abnormal traffic patterns overwhelming the network.

Which sniffing technique is Lisa ' s workstation most likely using to cause this behavior?

Options:

A.

DNS Cache Poisoning

B.

ARP Poisoning

C.

MAC Flooding

D.

Switch Port Stealing

Buy Now
Questions 26

Scenario:

    Victim opens the attacker ' s website.

    Attacker sets up a website containing interesting and attractive content such as “Do you want to make $1000 in a day?”.

    Victim clicks the attractive content URL.

    The attacker creates a transparent iframe in front of the URL that the victim attempts to click. The victim believes he/she is clicking the “Do you want to make $1000 in a day?” link, but is actually clicking content or a URL hidden inside the transparent iframe controlled by the attacker.

What is the name of the attack mentioned in the scenario?

Options:

A.

HTTP Parameter Pollution

B.

Clickjacking Attack

C.

HTML Injection

D.

Session Fixation

Buy Now
Questions 27

Multiple internal workstations and IoT devices are compromised and transmitting large volumes of traffic to numerous external targets under botnet control. Which type of denial-of-service attack best describes this situation?

Options:

A.

An attack where compromised internal devices participate in a botnet and flood external targets

B.

An attack relying on spoofed IP addresses to trick external servers

C.

A direct botnet flood without spoofing intermediary services

D.

An internal amplification attack using spoofed DNS responses

Buy Now
Questions 28

A red team operator wants to obtain credentials from a Windows machine without touching LSASS memory due to security controls and Credential Guard. They use SSPI to generate NetNTLM responses in the logged-in user context and collect those responses for offline cracking. Which attack technique is being used?

Options:

A.

Internal Monologue attack technique executed through OS authentication protocol manipulations

B.

Replay attack attempt by reusing captured authentication traffic sequences

C.

Hash injection approach using credential hashes for authentication purposes

D.

Pass-the-ticket attack method involving forged tickets for network access

Buy Now
Questions 29

During a red team engagement at a manufacturing company in Dallas, penetration tester Tyler gains access to a Windows workstation. Later in the exercise, he reviews his exfiltrated logs and finds detailed records of employee logins, email drafts, and sensitive data entered into desktop applications. The collection occurred without requiring browser injection or physical device access, and no kernel drivers were installed.

Which type of keylogger did Tyler most likely deploy?

Options:

A.

JavaScript Keylogger

B.

Hardware Keylogger

C.

Kernel Keylogger

D.

Application Keylogger

Buy Now
Questions 30

During an internal security assessment of a medium-sized enterprise network, a security analyst notices an unusual spike in ARP traffic. Closer inspection reveals that one particular MAC address is associated with multiple IP addresses across different subnets. The ARP packets were unsolicited replies rather than requests, and several employees from different departments have reported intermittent connection drops, failed logins, and broken intranet sessions. The analyst suspects an intentional interference on the local network segment. What is the most likely cause of this abnormal behavior?

Options:

A.

ARP poisoning causing routing inconsistencies

B.

DHCP snooping improperly configured

C.

Legitimate ARP table refresh on all clients

D.

Port security restricting all outbound MAC responses

Buy Now
Questions 31

Arjun Mehta, a red team specialist at Sentinel Dynamics, is conducting a controlled reconnaissance assessment against the company’s perimeter network. During testing, the security operations team observes that the firewall logs display several different originating systems associated with the same scanning activity. Arjun’s objective is to ensure that his actual testing machine cannot be easily distinguished from other recorded entries.

What technique is Arjun using in this scenario?

Options:

A.

Source Routing

B.

IP Address Decoy

C.

Source Port Manipulation

D.

IP Address Spoofing

Buy Now
Questions 32

A multinational corporation deploys a major internal tool built on a PowerShell-based automation framework. Shortly after a scheduled rollout, the IT team notices intermittent system slowdowns and unexplained bandwidth spikes. Despite running updated endpoint protection and restrictive firewall rules, traditional scanning tools report no malicious files on disk. However, internal telemetry flags a trusted process repeatedly executing obfuscated PowerShell commands in memory. The anomalous activity vanishes upon reboot and appears to leave no footprint behind on the system.

Which type of malware is most likely responsible for this behavior?

Options:

A.

Worm

B.

Trojan

C.

Rootkit

D.

Fileless Malware

Buy Now
Questions 33

A financial clearinghouse in Newark, New Jersey, initiated a structured vulnerability review across its enterprise servers. The scanning platform was configured to collect detailed information about installed updates, local security configurations, and system policy settings on each target machine. The resulting report contained granular host-level findings, including configuration inconsistencies and patch gaps that required direct system-level inspection to obtain. Based on the activity described, what type of vulnerability scanning is being performed?

Options:

A.

Automated Scanning

B.

Non-Credentialed Scanning

C.

Application Scanning

D.

Credentialed Scanning

Buy Now
Questions 34

A penetration tester evaluates a company ' s secure web application, which uses HTTPS, secure cookie flags, and strict session management to prevent session hijacking. To bypass these protections and hijack a legitimate user ' s session without detection, which advanced technique should the tester employ?

Options:

A.

Utilize a session fixation attack by forcing a known session ID during login

B.

Perform a Cross-Site Scripting (XSS) attack to steal the session token

C.

Exploit a timing side-channel vulnerability to predict session tokens

D.

Implement a Man-in-the-Middle (MitM) attack by compromising a trusted certificate authority

Buy Now
Questions 35

During an internal penetration test within a large corporate environment, the red team gains access to an unrestricted network port in a public-facing meeting room. The tester deploys an automated tool that sends thousands of DHCPDISCOVER requests using randomized spoofed MAC addresses. The DHCP server’s lease pool becomes fully depleted, preventing legitimate users from obtaining IP addresses. What type of attack did the penetration tester perform?

Options:

A.

DHCP starvation

B.

Rogue DHCP relay injection

C.

DNS cache poisoning

D.

ARP spoofing

Buy Now
Questions 36

A new wireless client is configured to join a 802.11 network. This client uses the same hardware and software as many of the other clients on the network. The client can see the network, but cannot connect. A wireless packet sniffer shows that the Wireless Access Point (WAP) is not responding to the association requests being sent by the wireless client. What is a possible source of this problem?

Options:

A.

The WAP does not recognize the client ' s MAC address

B.

The client cannot see the SSID of the wireless network

C.

The wireless client is not configured to use DHCP

D.

Client is configured for the wrong channel

Buy Now
Questions 37

A penetration tester is running a vulnerability scan on a company’s network. The scan identifies an open port with a high-severity vulnerability linked to outdated software. What is the most appropriate next step for the tester?

Options:

A.

Execute a denial-of-service (DoS) attack on the open port

B.

Perform a brute-force attack on the service running on the open port

C.

Research the vulnerability and determine if it has a publicly available exploit

D.

Ignore the vulnerability and focus on finding more vulnerabilities

Buy Now
Questions 38

As part of a controlled red-team engagement, an ethical hacker evaluates the resilience of a corporate campus against radio-frequency disruption. The tester activates a portable multi-antenna signal suppression device from a nearby building.

The interference affects wireless communication across several departments within an estimated coverage radius of approximately 120 meters. The disruption persists for slightly over an hour before the device requires recharge. Analysis confirms that multiple frequency bands, including Wi-Fi and cellular standards, were simultaneously impacted.

Based on the operational characteristics observed, identify the jamming device most consistent with this activity.

Options:

A.

PCB-1016 Jammer

B.

CPB-2612H-5G Jammer

C.

CPB-2920 Jammer

D.

PCB-4510 Jammer

Buy Now
Questions 39

A penetration tester discovers that a web application uses unsanitized user input to dynamically generate file paths. The tester identifies that the application is vulnerable to Remote File Inclusion (RFI). Which action should the tester take to exploit this vulnerability?

Options:

A.

Inject a SQL query into the input field to perform SQL injection

B.

Use directory traversal to access sensitive system files on the server

C.

Provide a URL pointing to a remote malicious script to include it in the web application

D.

Upload a malicious shell to the server and execute commands remotely

Buy Now
Questions 40

You are a security analyst conducting a footprinting exercise for a new client to gather information without direct interaction. After using search engines and public databases, you consider using Google Hacking (Google Dorking) techniques to uncover further vulnerabilities. Which option best justifies this decision?

Options:

A.

Google Hacking can help locate phishing websites that mimic the client’s website.

B.

Google Hacking can help discover hidden organizational data from the Deep Web.

C.

Google Hacking can help identify weaknesses in the client’s website code.

D.

Google Hacking can assist in mapping the client’s internal network structure.

Buy Now
Questions 41

During a recent security assessment, you discover the organization has one Domain Name Server (DNS) in a Demilitarized Zone (DMZ) and a second DNS server on the internal network. What is this type of DNS configuration commonly called?

Options:

A.

DNS Scheme

B.

DNSSEC

C.

DynDNS

D.

Split DNS

Buy Now
Questions 42

During a forensic investigation of an attack on a media company in New York, analysts discovered that a non-privileged process loaded a malicious library instead of the intended library because the attacker placed the rogue file in a directory Windows searched before the legitimate location. When the trusted application started, the attacker’s code executed with the application’s privileges. No registry changes or kernel exploits were involved. Which technique most likely enabled the privilege escalation?

Options:

A.

Privilege Escalation by Exploiting Vulnerabilities

B.

Privilege Escalation Using DLL Hijacking

C.

Access Token Manipulation

D.

Privilege Escalation by Bypassing User Account Control

Buy Now
Questions 43

During a penetration test, an analyst repeatedly initiates TCP connections to a target host and records the sequence numbers returned in the SYN/ACK responses. By examining predictable or incremental patterns in these values, the analyst attempts to infer characteristics of the underlying operating system.

What OS fingerprinting attribute is being analyzed in this scenario?

Options:

A.

TCP Timestamp Analysis

B.

TCP Window Size

C.

Initial Sequence Number (ISN)

D.

Time to Live (TTL)

Buy Now
Questions 44

A security analyst is tasked with gathering detailed information about an organization ' s network infrastructure without making any direct contact that could be logged or trigger alarms. Which method should the analyst use to obtain this information covertly?

Options:

A.

Examine leaked documents or data dumps related to the organization

B.

Use network mapping tools to scan the organization ' s IP range

C.

Initiate social engineering attacks to elicit information from employees

D.

Perform a DNS brute-force attack to discover subdomains

Buy Now
Questions 45

At a federal research agency, cybersecurity officer Nikhil is drafting a vulnerability assessment report. In this section, he documents the scanning methodology used, the information about the targets, the type and scope of scans performed, and the tools involved. He does not yet include specific vulnerabilities or affected assets, as this portion of the report is meant to provide context for how the assessment was conducted.

Which section of the vulnerability assessment report is Nikhil working on?

Options:

A.

Supporting Information

B.

Risk Assessment

C.

Assessment Overview

D.

Findings

Buy Now
Questions 46

Steve, an attacker, created a fake profile on a social media website and sent a request to Stella. Stella was enthralled by Steve ' s profile picture and the description given for his profile, and she initiated a conversation with him soon after accepting the request. After a few days, Steve started asking about her company details and eventually gathered all the essential information regarding her company. What is the social engineering technique Steve employed in the above scenario?

Options:

A.

Honey trap

B.

Diversion theft

C.

Piggybacking

D.

Baiting

Buy Now
Questions 47

During a physical penetration test at Sterling Electronics in Cleveland, ethical hacker Priya waits near the employee entrance during a shift change. When a group of staff enters the building using their access cards, Priya closely follows behind without swiping her own badge. None of the employees confront her, assuming she belongs there. Once inside, Priya proceeds to the break area where she documents the success of the exercise.

Which social engineering technique is Priya demonstrating?

Options:

A.

Shoulder Surfing

B.

Dumpster Diving

C.

Tailgating

D.

Piggybacking

Buy Now
Questions 48

As part of an annual security awareness program at BrightPath Consulting in Denver, Colorado, the cybersecurity team conducts an ethical hacking experiment to test employee vigilance against physical social engineering threats. During a simulated attack, ethical hacker Liam Carter strategically places a USB drive labeled “Confidential 2025 Budget Plans” in the company’s parking lot, designed to look like it was accidentally dropped. The USB is programmed to install a harmless tracking script when plugged into a workstation, alerting the security team. Sarah, a project coordinator, finds the USB and considers plugging it into her office laptop to identify its owner.

What social engineering technique is being tested in this experiment?

Options:

A.

Phishing

B.

Hoax

C.

Pretexting

D.

Baiting

Buy Now
Questions 49

During a stealth penetration test at a defense research facility, ethical hacker Daniel installs a payload that survives even after multiple operating system reinstalls. The implant resides deep inside the system hardware and executes before the OS is loaded, ensuring that forensic scans and antivirus tools at the OS level cannot detect or remove it. Administrators notice unusual activity on network cards and storage devices, but repeated scans show no malware traces within the file system.

Which type of rootkit most likely enabled this level of persistence?

Options:

A.

Boot-Loader-Level Rootkit

B.

Hypervisor-Level Rootkit

C.

Kernel-Level Rootkit

D.

Hardware/Firmware Rootkit

Buy Now
Questions 50

A penetration tester completes a vulnerability scan showing multiple low-risk findings and one high-risk vulnerability tied to outdated server software. What should the tester prioritize as the next step?

Options:

A.

Perform a brute-force attack on the server to gain access

B.

Ignore the high-risk vulnerability and proceed with testing other systems

C.

Focus on exploiting the low-risk vulnerabilities first

D.

Verify if the high-risk vulnerability is exploitable by checking for known exploits

Buy Now
Questions 51

A Java app allows file download via user-controlled path. What attack is possible?

Options:

A.

SQLi

B.

Path traversal

C.

XSS

D.

CSRF

Buy Now
Questions 52

During an external security review of a manufacturing firm in Detroit, Michigan, you ' re asked to prioritize patch baselines for internet-facing servers without logging in or establishing full sessions. To achieve this, you analyze network-level responses and capture application output in order to determine the underlying system and its software release. Which technique best fits this objective?

Options:

A.

Service Version Discovery

B.

Port Scanning

C.

OS Discovery

D.

Vulnerability Scanning

Buy Now
Questions 53

As part of a quarterly security review at EvoTrans Logistics, a global freight optimization firm, you have been brought in as a senior cybersecurity analyst to audit perimeter firewall configurations across cloud-hosted application clusters. During your investigation, you notice that TCP port 1433 is open on a virtual machine tagged as svc-node-east-14, which was provisioned by a now-defunct third-party vendor. The node is not referenced in any current infrastructure diagrams, yet live traffic logs suggest it is still handling requests during peak hours. No documentation exists regarding its service role, but you are tasked with flagging misconfigurations that may violate policy or expose critical services unnecessarily. Based on your understanding of standard port assignments, you must determine what service this port likely represents and whether its exposure warrants escalation.

Which of the following services is most likely running on this port and requires immediate review?

Options:

A.

sqlsrv

B.

SqlNet

C.

ms-sql-s

D.

ms-sql-m

Buy Now
Questions 54

At a financial headquarters in Denver, Colorado, ethical hacker Jordan Lee moves beyond cataloging IoT devices and begins testing them for weaknesses. He runs specialized tools against smart lighting and HVAC systems to check for outdated firmware, default passwords, and open service ports. Which step of the IoT hacking methodology is Jordan carrying out?

Options:

A.

Vulnerability scanning

B.

Gain remote access

C.

Information gathering

D.

Launch attacks

Buy Now
Questions 55

What is MAC spoofing used for?

Options:

A.

Encryption

B.

IDS

C.

Bypass filters

D.

Logging

Buy Now
Questions 56

During a security compliance audit at Nexus Tech Solutions in Boston, Massachusetts, the ethical hacking team launches a controlled social engineering exercise to assess help desk vulnerabilities. Ethical hacker Rachel Kim calls the company ' s help desk, posing as a stressed employee named Laura Bennett from the marketing department. Rachel claims her laptop is running slowly and offers to share her login credentials if the help desk can provide a quick fix to meet a tight project deadline. The call is designed to test whether help desk staff follow proper verification protocols or fall for the offer of credentials in exchange for assistance.

What social engineering technique is Rachel employing in this exercise?

Options:

A.

Shoulder Surfing

B.

Vishing

C.

Impersonation

D.

Quid Pro Quo

Buy Now
Questions 57

After the completion of the pen test, you have provided the client with a list of controls to implement to reduce the identified risk. What term best describes the risk that remains after the controls have been implemented?

Options:

A.

Inherent risk

B.

Residual risk

C.

Gap analysis

D.

Total risk

Buy Now
Questions 58

You are investigating unauthorized access to a web application using token-based authentication. Tokens expire after 30 minutes. Server logs show multiple failed login attempts using expired tokens within a short window, followed by successful access with a valid token. What is the most likely attack scenario?

Options:

A.

The attacker captured a valid token before expiration and reused it

B.

The attacker brute-forced the token generation algorithm

C.

The attacker exploited a race condition allowing expired tokens to be validated

D.

The attacker performed a token replay attack that confused the server

Buy Now
Questions 59

During an internal investigation at a healthcare billing firm in Denver, Colorado, the security team analyzes suspicious activity involving a senior accountant’s corporate smartphone. The user reports that the device behaved normally and that no links were clicked or applications installed during the timeframe in question.

Telecom monitoring reveals that the device received several binary-formatted SMS messages shortly before the incident. These messages were not visible in the messaging application. Within minutes of receiving them, the phone began transmitting cellular location identifiers and device-related data to an unfamiliar external system. The transmissions occurred automatically and did not require any user interaction.

Which mobile attack technique most accurately explains this behavior?

Options:

A.

Call Spoofing

B.

OTP Hijacking

C.

SMiShing

D.

SIMjacker

Buy Now
Questions 60

A cyber adversary wants to enumerate firewall rules while minimizing noise and mimicking normal traffic behavior. Which reconnaissance technique enables mapping of firewall filtering behavior using TTL-manipulated packets?

Options:

A.

Sending ICMP Echo requests to the network ' s broadcast address

B.

Passive DNS monitoring to observe domain-to-IP relationships

C.

Conducting full SYN scans on all ports for each discovered IP

D.

Firewalking with manipulated TTL values to analyze ACL responses

Buy Now
Questions 61

Why is using Google Hacking justified during passive footprinting?

Options:

A.

Identifying weaknesses in website source code

B.

Locating phishing sites mimicking the organization

C.

Mapping internal network structures

D.

Discovering hidden organizational data indexed by search engines

Buy Now
Questions 62

A biotech research firm in Boston, Massachusetts, migrates its laboratory management platform to the cloud. The vendor provides an environment where developers can deploy and test custom applications without managing the underlying servers, operating systems, or storage. The firm controls the application logic but not the runtime infrastructure.

Which cloud service model is the company using?

Options:

A.

Infrastructure as a Service (IaaS)

B.

Platform as a Service (PaaS)

C.

Software as a Service (SaaS)

D.

Anything as a Service (XaaS)

Buy Now
Questions 63

A municipal data center in Phoenix, Arizona, deploys a network intrusion detection system to monitor traffic entering its public records portal. During a scheduled red team exercise, authorized testers successfully exploit a vulnerable web service and gain restricted administrative access.

Post-exercise review reveals that the IDS generated a high-severity alert precisely at the time the exploit traffic reached the server. Log correlation confirms that the alert corresponded directly to the malicious activity performed during the test window.

How should this IDS outcome be classified?

Options:

A.

False Negative

B.

True Positive

C.

False Positive

D.

True Negative

Buy Now
Questions 64

In sunny San Diego, California, security consultant Maya Ortiz is engaged by PacificGrid, a regional utilities provider, to analyze suspicious access patterns on their employee portal. While reviewing authentication logs, Maya notices many accounts each receive only a few login attempts before the attacker moves on to other targets; the attempts reuse a very small set of likely credentials across a large number of accounts and are spread out over several days and IP ranges to avoid triggering automated lockouts. Several low-privilege accounts were successfully accessed before the pattern was detected. Maya prepares a forensic timeline to help PacificGrid contain the incident.

Which attack technique is being used?

Options:

A.

Session Hijacking

B.

Password Spraying

C.

Cross-Site Request Forgery (CSRF)

D.

Brute Force Attack

Buy Now
Questions 65

A penetration tester discovers that a system is infected with malware that encrypts all files and demands payment for decryption. What type of malware is this?

Options:

A.

Worm

B.

Spyware

C.

Keylogger

D.

Ransomware

Buy Now
Questions 66

In Austin, Texas, ethical hacker Michael Reyes is conducting a red team exercise for Horizon Tech, a software development firm. During his assessment, Michael crafts a malicious link that appears to lead to the company ' s internal project management portal. When an unsuspecting employee clicks the link, it redirects them to a login session that Michael has already initialized with the server. After the employee logs in, Michael uses that session to access the portal in a controlled test, demonstrating a vulnerability to the IT team.

Which session hijacking technique is Michael using in this red team exercise?

Options:

A.

Session donation attack

B.

Session replay attack

C.

Session sniffing

D.

Session fixation attack

Buy Now
Questions 67

You are Evelyn, an ethical hacker at LoneStar Health in Austin, Texas, engaged to investigate a recent compromise of archived patient records. During the investigation you recover a large set of encrypted records from a compromised backup and, separately, obtain several original template records (standard headers and form fields) that correspond to some entries in the encrypted set. You plan to use these paired examples (the original templates and their encrypted counterparts) to attempt to recover keys or deduce other plaintext values. Which cryptanalytic approach is most appropriate for this situation?

Options:

A.

Chosen-ciphertext attack

B.

Known-plaintext attack

C.

Chosen-plaintext attack

D.

Ciphertext-only attack

Buy Now
Questions 68

A penetration tester is assessing a company ' s HR department for vulnerability to social engineering attacks using knowledge of recruitment and onboarding processes. What is the most effective technique to obtain network access credentials without raising suspicion?

Options:

A.

Develop a fake social media profile to connect with HR employees and request sensitive information

B.

Create a convincing fake onboarding portal that mimics the company’s internal systems

C.

Send a generic phishing email with a link to a fake HR policy document

D.

Conduct a phone call posing as a new employee to request password resets

Buy Now
Questions 69

A competing technology firm begins releasing products that closely mirror the design, pricing strategy, and feature roadmap of ApexDynamics Inc. An internal review reveals that detailed information about ApexDynamics’ upcoming initiatives had been gradually collected through publicly available sources and external disclosures before product launch.

Which footprinting-related threat does this scenario best represent?

Options:

A.

Social Engineering

B.

Information Leakage

C.

Business Loss

D.

Corporate Espionage

Buy Now
Questions 70

During a red team engagement at a biotechnology firm in San Diego, California, the security team observed that a compromised internal workstation was generating an unusually high number of outbound name resolution requests to external servers.

Upon deeper inspection, analysts discovered that the query strings contained encoded data segments rather than typical lookup patterns. Further analysis revealed that these outbound requests were being used to transfer sensitive information to an attacker-controlled system outside the corporate network.

Which technique was most likely used to covertly transfer the data in this scenario?

Options:

A.

TCP Parameter Manipulation

B.

Reverse ICMP Tunnel

C.

DNS Tunneling

D.

Reverse HTTP Shell

Buy Now
Questions 71

As part of a cybersecurity assessment for a healthcare provider in Denver, Colorado, you are asked to recommend a framework that addresses how organizations should identify, assess, and treat information security risks as part of their ISMS. Which international standard best meets this requirement?

Options:

A.

ISO/IEC 27701:2019

B.

ISO/IEC 27002:2022

C.

ISO/IEC 27005:2022

D.

ISO/IEC 27001:2022

Buy Now
Questions 72

A penetration tester is conducting a security assessment for a client and needs to capture sensitive information transmitted across multiple VLANs without being detected by the organization ' s security monitoring systems. The network employs strict VLAN segmentation and port security measures. Which advanced sniffing technique should the tester use to discreetly intercept and analyze traffic across all VLANs?

Options:

A.

Deploy a rogue DHCP server to redirect network traffic

B.

Exploit a VLAN hopping vulnerability to access multiple VLANs

C.

Implement switch port mirroring on all VLANs

D.

Use ARP poisoning to perform a man-in-the-middle attack

Buy Now
Questions 73

A Certified Ethical Hacker (CEH) is auditing a company’s web server that employs virtual hosting. The server hosts multiple domains and uses a web proxy to maintain anonymity and prevent IP blocking. The CEH discovers that the server’s document directory (containing critical HTML files) is named “certrcx” and stored in /admin/web. The server root (containing configuration, error, executable, and log files) is also identified. The CEH also notes that the server uses a virtual document tree for additional storage. Which action would most likely increase the security of the web server?

Options:

A.

Moving the document root directory to a different disk

B.

Regularly updating and patching the server software

C.

Changing the server’s IP address regularly

D.

Implementing an open-source web server architecture such as LAMP

Buy Now
Questions 74

You are Riley, an incident responder at NovaEx Crypto in San Antonio, Texas, tasked with investigating a recent double-spend reported by a retail merchant that accepts the exchange ' s token. Your telemetry shows that a reseller node used by the merchant received blocks only from a small, fixed set of peers for several hours and accepted a conflicting history that later allowed the attacker to reverse a confirmed payment. The attacker appears to have controlled which peers that node communicated with and supplied it a private chain until they were ready to reveal it. Which blockchain attack does this behavior most closely describe?

Options:

A.

Finney Attack

B.

DeFi Sandwich Attack

C.

51% Attack

D.

Eclipse Attack

Buy Now
Questions 75

A REST API uses user-provided object IDs without authorization checks. What flaw is this?

Options:

A.

Mass assignment

B.

XSS

C.

SQLi

D.

BOLA

Buy Now
Questions 76

A regional law firm authorizes a wireless resilience evaluation after employees report intermittent connectivity disruptions in conference rooms. An ethical hacker assigned to the assessment analyzes client behavior while transmitting carefully crafted 802.11 management frames toward the organization’s primary access point.

Each transmission immediately causes several connected laptops to lose association with the network, requiring users to reconnect manually. Connectivity interruptions occur only when the crafted frames are sent.

Identify the wireless attack illustrated by this activity.

Options:

A.

Eavesdropping Attack

B.

Jamming Attack

C.

Deauthentication Attack

D.

Evil Twin Attack

Buy Now
Questions 77

A system administrator observes that several machines in the network are repeatedly sending out traffic to unknown IP addresses. Upon inspection, these machines were part of a coordinated spam campaign. What is the most probable cause?

Options:

A.

Keyloggers were harvesting user credentials

B.

Devices were enslaved into a botnet network

C.

Browsers were redirected to adware-injected sites

D.

Worms exploited zero-day vulnerabilities

Buy Now
Questions 78

As a cybersecurity professional at XYZ Corporation, you are tasked with investigating anomalies in system logs that suggest potential unauthorized activity. System administrators have detected repeated failed login attempts on a critical server, followed by a sudden surge in outbound data traffic. These indicators suggest a possible compromise. Given the sensitive nature of the system and the sophistication of the threat, what should be your initial course of action?

Options:

A.

Conduct real-time monitoring of the server, analyze logs for abnormal patterns, and identify the nature of the activity to formulate immediate countermeasures.

B.

Conduct a comprehensive audit of all outbound traffic and analyze destination IP addresses to map the attacker’s network.

C.

Immediately reset all server credentials and instruct all users to change their passwords.

D.

Immediately disconnect the affected server from the network to prevent further data exfiltration.

Buy Now
Questions 79

During a security assessment of a fintech startup in San Francisco, ethical hacker Michael analyzes the company ' s cloud platform. He observes that the system automates deployment, scaling, service discovery, and workload management across multiple nodes, ensuring smooth operation of critical services without requiring manual coordination. Which Kubernetes capability is primarily responsible for these functions?

Options:

A.

Kube-controller-manager

B.

Self-healing

C.

Container orchestration

D.

Container vulnerabilities

Buy Now
Questions 80

A serverless application was compromised through an insecure third-party API used by a function. What is the most effective countermeasure?

Options:

A.

Deploy a cloud-native security platform

B.

Enforce function-level least privilege permissions

C.

Use a CASB for third-party services

D.

Regularly update serverless functions

Buy Now
Questions 81

During a red team assessment at a banking client in Chicago, ethical hacker David gains access to the internal LAN. He sets up a test machine and injects crafted messages into the network. Soon, all traffic between a finance workstation and the authentication server is silently routed through his system without changing switch configurations. He observes usernames and passwords passing through his interface, even though no proxy or VPN is in use.

Which sniffing technique did David most likely use?

Options:

A.

Switch Port Stealing

B.

ARP Spoofing

C.

STP Attack

D.

IRDP Spoofing

Buy Now
Questions 82

A multinational company plans to deploy an IoT-based environmental control system across global manufacturing units. The security team must identify the most likely attack vector an Advanced Persistent Threat (APT) group would use to compromise the system. What is the most plausible method?

Options:

A.

Launching a DDoS attack to overload IoT devices

B.

Compromising the system using stolen user credentials

C.

Exploiting zero-day vulnerabilities in IoT device firmware

D.

Performing an encryption-based Man-in-the-Middle attack

Buy Now
Questions 83

At a biomedical analytics firm in Raleigh, North Carolina, security consultant Marcus Ellison was reviewing exposed services on a legacy Linux host located in a screened subnet. While mapping available services, he observed that the machine was responding to time synchronization queries from multiple internal systems.

Curious whether the service might reveal additional intelligence, Marcus issued targeted queries against the time service and received responses that exposed internal client addresses and system identifiers interacting with it. The information provided unexpected visibility into internal network structure without requiring authentication.

From the available options, what enumeration technique is illustrated in this scenario?

Options:

A.

NFS Enumeration

B.

NetBIOS Enumeration

C.

SNMP Enumeration

D.

NTP Enumeration

Buy Now
Questions 84

A penetration tester finds that a web application does not properly validate user input and is vulnerable to reflected Cross-Site Scripting (XSS). What is the most appropriate approach to exploit this vulnerability?

Options:

A.

Perform a brute-force attack on the user login form to steal credentials

B.

Embed a malicious script in a URL and trick a user into clicking the link

C.

Inject a SQL query into the search form to attempt SQL injection

D.

Use directory traversal to access sensitive files on the server

Buy Now
Questions 85

During a red team engagement at a healthcare organization in Chicago, ethical hacker Devon intercepts Kerberos authentication material from a compromised workstation. Instead of cracking the data, he reuses the stolen tickets to authenticate directly to other systems within the domain. This allows him to access shared resources and servers without needing the users ' plaintext credentials. No NTLM hashes or broadcast poisoning were involved.

Which attack technique did Devon most likely perform?

Options:

A.

LLMNR/NBT-NS Poisoning

B.

Pass-the-Ticket Attack

C.

Kerberoasting

D.

Pass-the-Hash

Buy Now
Questions 86

As part of a red team campaign against a pharmaceutical company in Boston, ethical hacker Alex begins with a successful spear-phishing attack that delivers an initial payload to a manager ' s laptop. After gaining access, Alex pivots to harvesting cached credentials and using them to move laterally across the internal network. Soon, routers, printers, and several file servers are compromised, expanding the red team ' s control beyond the original host. At this point, Alex has not yet targeted sensitive research data, but the team has built a broader foothold within the environment.

Which phase of the Advanced Persistent Threat (APT) lifecycle is Alex simulating?

Options:

A.

Initial Intrusion

B.

Persistence

C.

Search & Exfiltration

D.

Expansion

Buy Now
Questions 87

What is CVSS used for?

Options:

A.

Auditing

B.

Encryption

C.

Severity scoring

D.

Exploitation

Buy Now
Questions 88

As a security analyst, you are testing a company’s network for potential vulnerabilities. You suspect an attacker may be using MAC flooding to compromise network switches and sniff traffic. Which of the following indicators would most likely confirm your suspicion?

Options:

A.

An increased number of ARP requests in network traffic.

B.

Multiple MAC addresses assigned to a single IP address.

C.

Multiple IP addresses assigned to a single MAC address.

D.

Numerous MAC addresses associated with a single switch port.

Buy Now
Questions 89

During a red team exercise, a Certified Ethical Hacker (CEH) is attempting to exploit a potential vulnerability in a target organization’s web server. The CEH has completed the information gathering and footprinting phases and has mirrored the website for offline analysis. It has also been discovered that the server is vulnerable to session hijacking. Which of the following steps is most likely to be part of a successful attack methodology while minimizing the possibility of detection?

Options:

A.

Hijack an active session and immediately modify server configuration files.

B.

Attempt SQL injection to extract sensitive database information.

C.

Perform vulnerability scanning using automated tools to identify additional weaknesses.

D.

Launch a direct brute-force attack to crack the server’s administrative password.

Buy Now
Questions 90

A penetration tester performs a vulnerability scan on a company ' s network and identifies a critical vulnerability related to an outdated version of a database server. What should the tester prioritize as the next step?

Options:

A.

Attempt to exploit the vulnerability using publicly available tools or exploits

B.

Conduct a brute-force attack on the database login page

C.

Ignore the vulnerability and move on to testing other systems

D.

Perform a denial-of-service (DoS) attack on the database server

Buy Now
Questions 91

A publicly traded blockchain startup conducts a forensic review after irregular transaction reversals are detected on its distributed ledger platform. Network telemetry indicates that a single coordinated entity controlled a dominant share of the computational power participating in block validation during the affected time window.

As a result, certain confirmed transactions were replaced with alternate versions, enabling double-spending before the broader network regained balance. No individual node isolation or transaction front-running behavior is observed; rather, the anomaly stems from disproportionate influence over block creation.

Identify the blockchain attack most consistent with this incident.

Options:

A.

Eclipse Attack

B.

Finney Attack

C.

51% Attack

D.

DeFi Sandwich Attack

Buy Now
Questions 92

In the heart of Silicon Valley, California, network administrator Jake Henderson oversees the web infrastructure for TechTrend Innovations, a startup specializing in cloud solutions. During a routine architecture review, Jake evaluates the setup of their web server, which handles high-traffic API requests. He notes that the server’s primary module processes incoming requests and works with additional modules to manage encryption, URL rewriting, and authentication. Curious about the server’s design, Jake consults the documentation to ensure optimal performance and security.

Which web server component is Jake analyzing as part of TechTrend Innovations’ architecture?

Options:

A.

Virtual Document Tree

B.

Application Server

C.

Document Root

D.

HTTP Server Core

Buy Now
Questions 93

Attackers exfiltrate data using steganography embedded in images. What is the best countermeasure?

Options:

A.

Block all outbound traffic

B.

Deploy IPS

C.

Monitor outbound traffic for anomalies

D.

Use steganalysis tools

Buy Now
Questions 94

A multinational healthcare provider headquartered in Boston, Massachusetts relies on federated authentication to allow employees to access multiple cloud-hosted applications using a single sign-on portal. During an authorized red team engagement, a security consultant gains access to the organization’s identity infrastructure and extracts signing material used in trust relationships between the internal identity provider and external cloud services.

Using this material, the consultant generates authentication responses that grant administrative-level access to several cloud applications without interacting with user credentials or triggering multifactor authentication challenges. The access appears legitimate within the cloud service logs.

Which cloud attack technique best aligns with this behavior?

Options:

A.

Golden SAML Attack

B.

Living off the Cloud (LotC) Attack

C.

Cloud Hopper Attack

D.

Man-in-the-Cloud (MITC) Attack

Buy Now
Questions 95

In the financial hub of Charlotte, North Carolina, ethical hacker Raj Patel is contracted by TrustBank, a regional U.S. bank, to evaluate their online loan application portal. During testing, Raj submits crafted input into the portal ' s form fields and notices that the server ' s HTTP responses are unexpectedly altered. His payloads cause additional headers to appear and even inject unintended content into the output, creating opportunities for attackers to manipulate web page behavior and deliver malicious data to users.

Which type of vulnerability is Raj most likely exploiting in TrustBank ' s online loan application portal?

Options:

A.

HTTP Response Splitting

B.

XML Poisoning

C.

XML External Entity (XXE) Injection

D.

Server-Side Request Forgery (SSRF)

Buy Now
Questions 96

A security analyst is investigating a network compromise where malware communicates externally using common protocols such as HTTP and DNS. The malware operates stealthily, modifies system components, and avoids writing payloads to disk. What is the most effective action to detect and disrupt this type of malware communication?

Options:

A.

Blocking commonly known malware ports such as 6667 and 12345.

B.

Relying solely on frequent antivirus signature updates.

C.

Using behavioral analytics to monitor abnormal outbound traffic and application behavior.

D.

Blocking all unencrypted HTTP traffic at the proxy level.

Buy Now
Questions 97

During a penetration test at a financial services firm in Boston, ethical hacker Daniel simulates a DDoS against the customer portal. To handle the surge, the IT team sets a rule that caps the number of requests a single user can make per second; aggressive connections are delayed or dropped while most legitimate customers continue to use the service.

Which countermeasure strategy is the IT team primarily using?

Options:

A.

Rate Limiting

B.

Shutting Down Services

C.

Absorb the Attack

D.

Degrading Services

Buy Now
Questions 98

Your company was hired by a small healthcare provider to perform a technical assessment on the network. What is the best approach for discovering vulnerabilities on a Windows-based computer?

Options:

A.

Check MITRE.org for the latest list of CVE findings

B.

Use a scan tool like Nessus

C.

Create a disk image of a clean Windows installation

D.

Use the built-in Windows Update tool

Buy Now
Questions 99

At a government research lab, cybersecurity officer Nikhil is compiling a vulnerability assessment report after scanning the internal subnet. As part of his documentation, he lists the IP addresses of all scanned hosts and specifies which machines are affected. He includes tables categorizing discovered vulnerabilities by type such as outdated software, default credentials, and open ports.

Which section of the vulnerability assessment report is Nikhil working on?

Options:

A.

Findings

B.

Risk Assessment

C.

Supporting Information

D.

Assessment Overview

Buy Now
Questions 100

MidWest BioAnalytics, a pharmaceutical research firm in Columbus, Ohio, authorizes a controlled adversarial simulation to assess the resilience of its internal web-based inventory management platform. During the exercise, administrators observe that several active client connections briefly lose synchronization, and unexpected command patterns appear within system transaction logs.

The irregularities are subtle and become apparent only after reviewing stored network captures. Executive leadership requests a solution that can maintain ongoing visibility into network exchanges and highlight activity that diverges from typical communication behavior across the organization’s infrastructure.

Which approach best satisfies this requirement?

Options:

Buy Now
Questions 101

You discover a Web API integrated with webhooks and an existing administrative web shell. Your objective is to compromise the system while leaving minimal traces. Which technique is most effective?

Options:

A.

SSRF to perform unauthorized API calls

B.

IDOR exploitation

C.

Upload malicious scripts via the web shell

D.

Manipulate the webhook for unintended data transfer

Buy Now
Questions 102

Which WPA vulnerability allowed packet injection and decryption attacks?

Options:

A.

Lack of AES encryption

B.

Predictable GTK

C.

Weak Initialization Vectors (IVs)

D.

Weak passwords

Buy Now
Questions 103

A penetration tester is investigating a web server that allows unrestricted file uploads without validating file types. Which technique should be used to exploit this vulnerability and potentially gain control of the server?

Options:

A.

Perform a SQL injection attack to extract sensitive database information

B.

Upload a shell script disguised as an image file to execute commands on the server

C.

Conduct a brute-force attack on the server ' s FTP service to gain access

D.

Use a Cross-Site Scripting (XSS) attack to steal user session cookies

Buy Now
Questions 104

A financial institution in Chicago deploys an internal HTTPS-based customer portal that uses response compression to optimize bandwidth. During an authorized security assessment, a tester gains a vantage point along the communication path between internal clients and the gateway device.

By repeatedly initiating controlled requests and analyzing subtle differences in encrypted response sizes, the tester correlates variations in compressed output with specific input patterns. Over time, this analysis enables extraction of portions of a protected authentication value transmitted within the secure channel.

Which session hijacking technique best describes this activity?

Options:

A.

Forbidden Attack

B.

CRIME Attack

C.

Man-in-the-Browser (MITB) Attack

D.

Man-in-the-Middle (MITM) Attack

Buy Now
Questions 105

Attackers persisted by modifying legitimate system utilities and services. What key step helps prevent similar threats?

Options:

A.

Weekly off-site backups

B.

Monitor file hashes of sensitive executables

C.

Update antivirus and firewalls

D.

Disable unused ports

Buy Now
Questions 106

During a security penetration test at Sterling Manufacturing in Cleveland, Ohio, the ethical hacking team evaluates the company ' s physical security controls. On a chilly evening in July 2025, ethical hacker Priya Desai, posing as a facilities contractor, accesses the company ' s loading dock area after regular business hours. Behind the employee entrance, she comes across an unsecured maintenance container with discarded packaging, shipping labels, and shredded office material. Among the clutter, Priya retrieves a crumpled document listing temporary access codes for the employee break room, along with a partially shredded memo referencing an upcoming audit. The exercise tests whether sensitive information discarded improperly can be exploited. The next day, Priya uses the recovered access codes to enter the break room undetected during a shift change, logging her entry on a controlled test system to simulate a breach.

What social engineering technique is Priya ' s exercise primarily simulating?

Options:

A.

Tailgating

B.

Eavesdropping

C.

Dumpster Diving

D.

Shoulder Surfing

Buy Now
Questions 107

You are part of a red team hired to assess the cybersecurity posture of a large retail chain headquartered in New York. The client wants to know whether their defenses can anticipate future attack patterns before they occur. To meet this objective, your team deploys an AI-enabled platform that analyzes previous breaches and anomaly data to forecast potential attack vectors. Which benefit of AI-driven ethical hacking is most critical in this case?

Options:

A.

Scalability

B.

Predictive analysis

C.

Enhanced reporting

D.

Simulation and testing

Buy Now
Questions 108

Which of the following best describes the role of a penetration tester?

Options:

A.

A security professional hired to identify and exploit vulnerabilities with permission

B.

A developer who writes malicious code for cyberattacks

C.

A hacker who gains unauthorized access to systems for malicious purposes

D.

A hacker who spreads malware to compromise systems

Buy Now
Questions 109

A retail brand based in San Diego, California, authorized a controlled mobile security exercise to evaluate risks associated with third-party application distribution channels. Testers acquired a version of the company ' s customer rewards application from an unofficial marketplace frequently used by overseas customers. The application ' s visual layout and functionality were indistinguishable from the officially released version available in mainstream app stores. Behavioral monitoring conducted in a sandbox environment revealed that, in addition to its normal operations, the application initiated outbound connections unrelated to its documented features. A binary comparison against the vendor-supplied build confirmed structural differences between the two versions. What mobile-based social engineering technique does this scenario most accurately represent?

Options:

A.

Repackaging Legitimate Apps after modifying their internal structure

B.

Publishing Malicious Apps designed to mimic trusted brands

C.

Conducting SMiShing campaigns through fraudulent text messages

D.

Deploying Fake Security Applications disguised as protection tools

Buy Now
Questions 110

Which payload is most effective for testing time-based blind SQL injection?

Options:

A.

AND 1=0 UNION ALL SELECT ' admin ' , ' admin

B.

UNION SELECT NULL, NULL, NULL --

C.

OR ' 1 ' = ' 1 ' ;

D.

AND BENCHMARK(5000000,ENCODE( ' test ' , ' test ' ))

Buy Now
Questions 111

During a covert red team engagement, a penetration tester is tasked with identifying live hosts in a target organization’s internal subnet (10.0.0.0/24) without triggering intrusion detection systems (IDS). To remain undetected, the tester opts to use the command nmap -sn -PE 10.0.0.0/24, which results in several " Host is up " responses, even though the organization’s IDS is tuned to detect high-volume scans. After the engagement, the client reviews the logs and is surprised that the scan was not flagged. What allowed the scan to complete without triggering alerts?

Options:

A.

It used TCP ACK packets that were allowed through.

B.

It used UDP packets that bypassed ICMP inspection.

C.

It scanned only the ports open in the firewall whitelist.

D.

It performed an ICMP Echo ping sweep without port probing.

Buy Now
Questions 112

In Seattle, Washington, ethical hacker Mia Chen is tasked with testing the network defenses of Pacific Shipping Co., a major logistics firm. During her penetration test, Mia targets the company ' s external-facing web server, which handles customer tracking requests. She observes that the security system filtering traffic to this server analyzes incoming SSH and DNS requests to block unauthorized access attempts. Mia plans to craft specific payloads to bypass this system to expose vulnerabilities to the IT department.

Which security system is Mia attempting to bypass during her penetration test of Pacific Shipping Co. ' s web server?

Options:

A.

Stateful Multilayer Inspection Firewall

B.

Application-Level Firewall

C.

Packet Filtering Firewall

D.

Circuit-Level Gateway Firewall

Buy Now
Questions 113

You are a wireless auditor at SeaFront Labs in San Diego, California, engaged to review the radio-layer protections used by a biotech research facility. While capturing traffic in monitor mode, you observe frames that include a CCMP-like header and AES-based encryption, and you note the use of a four-way handshake with a packet number (PN) for replay protection — features that were introduced to replace older TKIP/RC4 approaches. Based on these observed characteristics, which wireless encryption protocol is the access point most likely using?

Options:

A.

WPA2

B.

WPA

C.

WPA3

D.

WEP

Buy Now
Questions 114

Attackers abused Android Debug Bridge (ADB) to issue unauthorized commands. What is the strongest countermeasure?

Options:

A.

Enforce VPN usage

B.

Adopt biometric authentication

C.

Disable ADB except in strictly controlled environments

D.

Frequently update MDM systems

Buy Now
Questions 115

A senior executive receives a personalized email with the subject line “Annual Performance Review 2024.” The email contains a downloadable PDF that installs a backdoor when opened. The email appears to come from the CEO and includes company branding. Which phishing method does this best illustrate?

Options:

A.

Broad phishing sent to all employees

B.

Pharming using DNS poisoning

C.

Whaling attack aimed at high-ranking personnel

D.

Email clone attack with altered attachments

Buy Now
Questions 116

Massive outbound HTTPS traffic hides inside normal web traffic. Likely objective?

Options:

A.

DoS

B.

Data exfiltration

C.

Scanning

D.

Recon

Buy Now
Questions 117

An energy infrastructure company in Tulsa, Oklahoma initiated a controlled phishing simulation targeting multiple operational departments. The test email claimed to originate from the corporate compliance office and instructed employees to “complete a mandatory regulatory update within the next 30 minutes to avoid account suspension.” The message used a broad salutation instead of employee names and lacked the standard corporate signature footer normally appended to official communications. Additionally, security analysts observed that the embedded hyperlink displayed the organization ' s domain in the message body; however, when examined more closely, the actual destination resolved to a shortened external URL redirecting to an unrelated host. From a defensive analysis standpoint, which indicator provides the strongest technical validation that the message is malicious?

Options:

Buy Now
Questions 118

You’ve recently joined an international software firm as part of the cybersecurity governance team. While preparing for an internal compliance review, your supervisor asks you to identify the ISO/IEC standard that serves as a comprehensive framework for managing an organization ' s information security. You examine several standards, including those focusing on risk management, cybersecurity, and control implementation. However, you need to select the one that defines the overarching structure for managing information security programs across the organization.

Which of the following standards should you choose?

Options:

A.

ISO/IEC 27002:2022

B.

ISO/IEC 27005:2022

C.

ISO/IEC 27001:2022

D.

ISO/IEC 27701:2019

Buy Now
Questions 119

A financial institution in San Francisco suffers a breach where attackers install malware that captures customer account credentials. The stolen data is then sold on underground forums for profit. No political or social statements are made, and the attackers remain anonymous while continuing to target similar organizations for financial gain. Based on this activity, what category of hacker is most likely responsible?

Options:

A.

Black Hat hackers

B.

Hacktivists

C.

Script Kiddies

D.

White Hat hackers

Buy Now
Questions 120

During an internal red team engagement at a software company in Boston, ethical hacker Meera gains access to a developer ' s workstation. To ensure long-term persistence, she plants a lightweight binary in a hidden directory and configures it to automatically launch every time the system is restarted. Days later, even after the host was rebooted during patching, the binary executed again without requiring user interaction, giving Meera continued access.

Which technique most likely enabled this persistence?

Options:

A.

Scheduled Tasks

B.

Creating a new service

C.

Startup Folder

D.

Registry run keys

Buy Now
Questions 121

By using a smart card and pin, you are using a two-factor authentication that satisfies

Options:

A.

Something you know and something you are

B.

Something you have and something you know

C.

Something you have and something you are

D.

Something you are and something you remember

Buy Now
Questions 122

In Raleigh, North Carolina, ethical hacker Ethan Brooks is conducting a penetration test for Triangle FinTech, a rising financial startup. During his assessment, Ethan aims to bypass the company’s network security to access a restricted internal server. He crafts network packets to disguise his traffic as legitimate, forcing some TCP header information into subsequent packets to evade the firewall’s checks. His aim is to demonstrate how an attacker could slip past the security perimeter undetected, alerting the IT team to potential weaknesses.

Which technique is Ethan employing to bypass Triangle FinTech’s firewall during his penetration test?

Options:

A.

Source Routing

B.

Tiny Fragments

C.

HTTP Tunneling

D.

IP Address Spoofing

Buy Now
Questions 123

An attacker plans to compromise IoT devices to pivot into OT systems. What should be the immediate action?

Options:

A.

Perform penetration testing

B.

Secure IoT–OT communications with encryption and authentication

C.

Deploy ML-based threat prediction

D.

Deploy an IPS

Buy Now
Questions 124

A large online retail platform in Seattle, Washington, maintains continuous telemetry of inbound network flows to detect abnormal surges that may indicate a distributed denial-of-service condition.

During a recent monitoring exercise, the security engineering team implemented a statistical mechanism that continuously evaluates streaming traffic metrics and mathematically determines the exact point at which normal behavior shifts into an anomalous state. Rather than comparing traffic against static baselines or clustering historical profiles, the system dynamically identifies the precise moment when distribution characteristics deviate beyond an established threshold.

This approach is designed to flag sudden structural changes in traffic behavior in near real time, even if the overall traffic volume appears similar to prior peaks.

Which detection technique is being applied in this scenario?

Options:

A.

Wavelet-Based Signal Analysis

B.

Traffic Pattern Analysis

C.

Activity Profiling

D.

Sequential Change-Point Detection

Buy Now
Questions 125

A corporation migrates to a public cloud service, and the security team identifies a critical vulnerability in the cloud provider’s API. What is the most likely threat arising from this flaw?

Options:

A.

Distributed Denial-of-Service (DDoS) attacks on cloud servers

B.

Unauthorized access to cloud resources

C.

Physical security compromise of data centers

D.

Compromise of encrypted data at rest

Buy Now
Questions 126

A cybersecurity research team identifies suspicious behavior on a user’s Android device. Upon investigation, they discover that a seemingly harmless app, downloaded from a third-party app store, has silently overwritten several legitimate applications such as WhatsApp and SHAREit. These fake replicas maintain the original icon and user interface but serve intrusive advertisements and covertly harvest credentials and personal data in the background. The attackers achieved this by embedding malicious code in utility apps like video editors and photo filters, which users were tricked into installing. The replacement occurred without user consent, and the malicious code communicates with a command-and-control (C & C) server to execute further instructions. What type of attack is being carried out in this scenario?

Options:

A.

Simjacker attack

B.

Man-in-the-Disk attack

C.

Agent Smith attack

D.

Camfecting attack

Buy Now
Questions 127

Which patch management strategy is most effective?

Options:

A.

External-only patches

B.

Automated patch management with monitoring

C.

Manual patching on live servers

D.

Applying all patches regardless of source

Buy Now
Questions 128

A tester evaluates a login form that constructs SQL queries using unsanitized user input. By submitting ' C ' ll-T; —, the tester gains unauthorized access to the application. What type of SQL injection has occurred?

Options:

A.

Tautology-based SQL injection

B.

Error-based SQL injection

C.

Union-based SQL injection

D.

Time-based blind SQL injection

Buy Now
Questions 129

Javier Ruiz from CyberFortress Solutions is tasked with auditing the mobile security practices of Apex Financial Services, a financial firm in Houston, Texas. During a covert penetration test, Javier targets employees ' personal smartphones used to access corporate financial systems. He exploits a vulnerability by installing a malicious app that bypasses access controls, granting him unauthorized entry to sensitive financial data because the devices lack a specific security measure to restrict app access. Based on this vulnerability, which BYOD security guideline is most likely missing in Apex Financial Services ' policy?

Options:

A.

Review permissions requested by apps before installing them

B.

Set passwords for apps to restrict others from accessing them

C.

Enforce automatic device locking or implement biometric authentication

D.

Use encryption mechanisms to store data

Buy Now
Questions 130

A municipal services portal in Lexington, Kentucky includes a search parameter that retrieves citizen service requests. During an authorized security review, an analyst alters the parameter value by introducing single quotation marks, logical expressions such as AND 1=1, and variations like AND 1=2, observing how the application responds to each modification.

By comparing differences in the application’s output and behavior after each structured input change, the analyst evaluates whether the parameter affects the underlying query processing.

Which SQL injection detection method is being applied?

Options:

A.

Static Testing

B.

Dynamic Testing

C.

Function Testing

D.

Fuzz Testing

Buy Now
Questions 131

A defense contractor in Arlington, Virginia, initiated an internal awareness exercise to test employee susceptibility to human-based manipulation. During the assessment, an individual posing as an external recruitment consultant began casually engaging several engineers at a nearby industry networking event. Over multiple conversations, the individual gradually steered discussions toward current research initiatives, development timelines, and internal project code names. No direct requests for credentials or system access were made. Instead, the information was obtained incrementally through carefully crafted questions embedded within informal dialogue. Which social engineering technique is most accurately demonstrated in this scenario?

Options:

A.

Quid Pro Quo

B.

Baiting

C.

Elicitation

D.

Honey Trap

Buy Now
Questions 132

A regional investment firm in Denver, Colorado, recently migrated to a fully switched Ethernet infrastructure. During an authorized security evaluation, a consultant connected a test device to an access-layer switch and initiated a scripted network interaction.

Within minutes, administrators observed irregular switching behavior. Frames that were normally delivered directly between specific workstations began appearing across multiple switch ports. Users reported brief connectivity instability, but no configuration changes were made to the switch. After the activity subsided, forwarding operations gradually stabilized.

Based on the observed behavior, which sniffing technique was most likely performed?

Options:

A.

Switch Port Stealing

B.

ARP Poisoning

C.

MAC Flooding

D.

DNS Poisoning

Buy Now
Questions 133

During a red team engagement at a healthcare provider in Miami, ethical hacker Rachel suspects that a compromised workstation is running a sniffer in promiscuous mode. To confirm her suspicion, she sends specially crafted ICMP packets with a mismatched MAC address but a correct IP destination. Minutes later, the suspected machine responds to the probe even though ordinary systems would ignore it.

Which detection technique is Rachel most likely using to validate the presence of a sniffer?

Options:

A.

Ping Method

B.

ARP Method

C.

DNS Method

D.

Nmap sniffer-detect (NSE)

Buy Now
Questions 134

A technology consulting firm in Denver, Colorado, recently experienced a wave of suspicious account compromise incidents. Several employees reported receiving an email that appeared identical to a legitimate cloud storage notification they had received earlier that week. The message reused the original branding, formatting, sender display name, and subject line. However, it informed recipients that the previously shared document had been “updated due to synchronization errors” and instructed them to reauthenticate using the embedded link. The link directed users to a convincing replica of the organization’s authentication portal. Investigation revealed that the attacker had reused content from a genuine prior communication and modified only the embedded hyperlink. Which type of social engineering attack does this scenario most accurately represent?

Options:

A.

Clone Phishing

B.

Consent Phishing

C.

Search Engine Phishing

D.

Tabnabbing

Buy Now
Questions 135

A red team member uses an access token obtained from an Azure function to authenticate with Azure PowerShell and retrieve storage account keys. What kind of abuse does this scenario demonstrate?

Options:

A.

Gathering NSG rule information

B.

Exploiting managed identities for unauthorized access

C.

Lateral movement via Stormspotter

D.

Enumeration of user groups with AzureGraph

Buy Now
Questions 136

Sarah, a cybersecurity analyst at a US-based e-commerce company in New York, is tasked with evaluating the company ' s transition to a cloud-based infrastructure to support its growing online platform. The company aims to optimize resource allocation to handle fluctuating customer demand during peak shopping seasons, such as Black Friday. Sarah must recommend a key characteristic of cloud computing that ensures resources are efficiently shared across multiple users while maintaining scalability.

Which cloud computing characteristic should Sarah recommend ensuring efficient resource sharing and scalability for the e-commerce platform?

Options:

A.

Measured service

B.

Broad network access

C.

Resource pooling

D.

On-demand self-service

Buy Now
Questions 137

A penetration tester gains access to a target system through a vulnerability in a third-party software application. What is the most effective next step to take to gain full control over the system?

Options:

A.

Conduct a denial-of-service (DoS) attack to disrupt the system’s services

B.

Execute a Cross-Site Request Forgery (CSRF) attack to steal session data

C.

Perform a brute-force attack on the system ' s root password

D.

Use a privilege escalation exploit to gain administrative privileges on the system

Buy Now
Questions 138

In the crisp mountain air of Denver, Colorado, ethical hacker Lila Chen investigates the security framework of MediVault, a U.S.-based healthcare platform used by regional clinics to manage patient data. During her review, Lila discovers that sensitive records are weakly protected, allowing attackers to intercept and manipulate the information in transit. She warns that such weaknesses could be exploited to commit credit-card fraud, identity theft, or similar crimes. Further analysis reveals that MediVault is vulnerable to well-documented flaws such as cookie snooping and downgrade attacks.

Which issue is MOST clearly indicated?

Options:

A.

Broken Access Control

B.

Cryptographic Failures

C.

Security Misconfiguration

D.

Identification and Authentication Failures

Buy Now
Questions 139

A malware analyst is tasked with evaluating a suspicious PDF file suspected of launching attacks through embedded JavaScript. Initial scans using pdfid show the presence of /JavaScript and /OpenAction keywords. What should the analyst do next to understand the potential impact?

Options:

A.

Upload the file to VirusTotal and rely on engine consensus

B.

Disassemble the PDF using PE Explorer

C.

Extract and analyze stream objects using PDFStreamDumper

D.

Compute file hashes using HashMyFiles for signature matching

Buy Now
Questions 140

Which individuals believe that hacking and defacing websites can promote social change?

Options:

A.

Gray hat hackers

B.

Hacktivists

C.

Ethical hackers

D.

Black hat hackers

Buy Now
Questions 141

A penetration tester evaluates a secure web application using HTTPS, secure cookies, and multi-factor authentication. To hijack a legitimate user’s session without triggering alerts, which technique should be used?

Options:

A.

Exploit a browser zero-day vulnerability to inject malicious scripts

B.

Implement a man-in-the-middle attack by compromising a trusted network device

C.

Perform a Cross-Site Request Forgery (CSRF) attack to manipulate session tokens

D.

Utilize a session token replay attack by capturing encrypted tokens

Buy Now
Questions 142

A penetration tester observes that traceroutes to various internal devices always show 10.10.10.1 as the second-to-last hop, regardless of the destination subnet. What does this pattern most likely indicate?

Options:

A.

DNS poisoning at the local resolver used by the compromised host

B.

Loopback misconfiguration at the destination endpoints

C.

A core router facilitating communication across multiple internal subnets

D.

Presence of a transparent proxy device acting as a forwarder

Buy Now
Questions 143

Which algorithm best protects encrypted traffic patterns?

Options:

A.

PSA

B.

AES

C.

DES

D.

HMAC

Buy Now
Questions 144

On July 25, 2025, during a penetration test at Horizon Financial Services in Chicago, Illinois, cybersecurity specialist Laura Bennett is analyzing an attack simulation targeting the company ' s online banking portal. The system logs reveal a coordinated barrage of traffic from multiple compromised systems, orchestrated through a central command-and-control server, flooding the portal and rendering it unavailable to legitimate users. The attack leverages a network of infected devices, likely recruited via malicious links on social media.

What is the structure or concept most likely used to launch this coordinated attack?

Options:

Buy Now
Questions 145

Scenario: Joe turns on his home computer to access personal online banking. When he enters the URL www.bank.com, the website is displayed, but it prompts him to re-enter his credentials as if he has never visited the site before. When he examines the website URL closer, he finds that the site is not secure and the web address appears different. What type of attack is he experiencing?

Options:

A.

DNS hijacking

B.

ARP cache poisoning

C.

DHCP spoofing

D.

DoS attack

Buy Now
Questions 146

On July 9, 2025, during a security penetration test at MedSecure Health in Phoenix, Arizona, the ethical hacking team evaluates the resilience of the company ' s patient portal system. Ethical hacker Aisha Khan initiates a controlled test that generates sustained traffic pressure against the web application servers. As system responsiveness declines, the IT operations team reallocates backend resources, suspending lower-priority modules such as system alerts and notification services, allowing high-priority functions like prescription refills and patient check-ins to remain accessible. Aisha’s controlled simulation is designed to assess the IT team’s ability to maintain critical functionality under partial resource exhaustion.

What DoS DDoS countermeasure strategies is Aisha’s exercise primarily simulating?

Options:

Buy Now
Questions 147

A multinational healthcare provider headquartered in Boston, Massachusetts relies on federated authentication to allow employees to access multiple cloud-hosted applications using a single sign-on portal. During an authorized red team engagement, a security consultant gains access to the organization ' s identity infrastructure and extracts signing material used in trust relationships between the internal identity provider and external cloud services. Using this material, the consultant generates authentication responses that grant administrative-level access to several cloud applications without interacting with user credentials or triggering multifactor authentication challenges. The access appears legitimate within the cloud service logs. Which cloud attack technique best aligns with this behavior?

Options:

A.

Golden SAML Attack

B.

Man-in-the-Cloud (MITC) Attack

C.

Cloud Hopper Attack

D.

Living off the Cloud (LotC) Attack

Buy Now
Questions 148

Ethan works as a penetration tester at CyberGuard Solutions, a cybersecurity consulting firm in Raleigh, North Carolina. During an authorized security assessment of a regional insurance company, Ethan was provided with a set of password hashes to evaluate the strength of employee-generated credentials.

To test resistance against word-based password creation patterns, Ethan supplied a single custom wordlist containing common organizational terms and department names into his cracking tool. The tool automatically generated password candidates by linking multiple entries from that same list in varying combinations before attempting to match them against the hashes.

This approach proved highly effective against passwords formed by concatenating familiar words.

Which of the following password-cracking techniques is Ethan using?

Options:

A.

PRINCE Attack

B.

Combinator Attack

C.

Markov-Chain Attack

D.

Fingerprint Attack

Buy Now
Questions 149

During a security evaluation of a smart agriculture setup, an analyst investigates a cloud-managed irrigation controller. The device is found to transmit operational commands and receive firmware updates over unencrypted HTTP. Additionally, it lacks mechanisms to verify the integrity or authenticity of those updates. This vulnerability could allow an adversary to intercept communications or inject malicious firmware, leading to unauthorized control over the device ' s behavior or denial of essential functionality. Which IoT threat category does this situation best illustrate?

Options:

A.

Insecure default settings

B.

Insecure ecosystem interfaces

C.

Insufficient privacy protection

D.

Insecure network services

Buy Now
Questions 150

A digital publishing firm in Charlotte, North Carolina, noticed suspicious probing activity against its public website. To proactively assess exposure, the security team initiated a focused scan of the company ' s HTTP servers. The chosen tool examined server headers, identified installed web server software through file signatures and favicon analysis, checked for outdated components, and searched for potentially dangerous files and misconfigurations. The scan also supported SSL connections and generated exportable reports in multiple formats for documentation. Which vulnerability assessment tool most closely aligns with the capabilities described?

Options:

A.

OpenVAS

B.

Nessus

C.

Qualys VM

D.

Nikto

Buy Now
Questions 151

An attacker abuses PowerShell heavily. Which log helps most?

Options:

A.

DNS logs

B.

Firewall logs

C.

Syslog

D.

PowerShell script block logs

Buy Now
Questions 152

A penetration tester needs to identify open ports and services on a target network without triggering the organization ' s intrusion detection systems, which are configured to detect high-volume traffic and common scanning techniques. To achieve stealth, the tester decides to use a method that spreads out the scan over an extended period. Which scanning technique should the tester employ to minimize the risk of detection?

Options:

A.

Use a stealth scan by adjusting the scan timing options to be slow and random

B.

Perform a TCP SYN scan using a fast scan rate

C.

Execute a UDP scan targeting all ports simultaneously

D.

Conduct a TCP Xmas scan sending packets with all flags set

Buy Now
Questions 153

During a red team exercise at Horizon Financial Services in Chicago, ethical hacker Clara crafts an email designed to trick the company’s CEO. The message, disguised as an urgent memo from the legal department, warns of a pending lawsuit and includes a link to a fake internal portal requesting the executive’s credentials. Unlike generic phishing, this attack is tailored specifically toward a high-ranking individual with decision-making authority.

Options:

A.

Whaling

B.

Spear Phishing

C.

Clone Phishing

D.

Consent Phishing

Buy Now
Questions 154

A financial institution ' s online banking platform is experiencing intermittent downtime caused by a sophisticated DDoS attack that combines SYN floods and HTTP GET floods from a distributed botnet. Standard firewalls and load balancers cannot mitigate the attack without affecting legitimate users. To protect their infrastructure and maintain service availability, which advanced mitigation strategy should the institution implement?

Options:

A.

Configure firewalls to block all incoming SYN and HTTP requests from external IPs

B.

Increase server bandwidth and apply basic rate limiting on incoming traffic

C.

Deploy an Intrusion Prevention System (IPS) with deep packet inspection capabilities

D.

Utilize a cloud-based DDoS protection service that offers multi-layer traffic scrubbing and auto-scaling

Buy Now
Questions 155

A penetration tester is evaluating a web application that does not properly validate the authenticity of HTTP requests. The tester suspects the application is vulnerable to Cross-Site Request Forgery (CSRF). Which approach should the tester use to exploit this vulnerability?

Options:

A.

Execute a directory traversal attack to access restricted server files

B.

Create a malicious website that sends a crafted request on behalf of the user when visited

C.

Perform a brute-force attack on the application’s login page to guess weak credentials

D.

Inject a SQL query into the input fields to perform SQL injection

Buy Now
Questions 156

A critical flaw exists in a cloud provider’s API. What is the most likely threat?

Options:

A.

Physical security breaches

B.

Unauthorized access to cloud resources

C.

DDoS attacks

D.

Compromise of encrypted data at rest

Buy Now
Questions 157

Which scenario best describes a slow, stealthy scanning technique?

Options:

A.

FIN scanning

B.

TCP connect scanning

C.

Xmas scanning

D.

Zombie-based idle scanning

Buy Now
Questions 158

Olivia, a cybersecurity architect at a Boston-based fintech company, is tasked with upgrading the organization ' s cryptographic infrastructure in preparation for future quantum computing threats. A recent internal audit flagged that sensitive customer data stored in the company ' s cloud environment could be vulnerable if quantum decryption methods become practically viable. To strengthen their post-quantum defense, Olivia must recommend a proactive cryptographic control that ensures long-term confidentiality of stored data, even against advanced quantum attackers.

Which cryptographic defense should Olivia prioritize to mitigate the risk of future quantum-based decryption?

Options:

A.

Break data into fragments and distribute it across multiple locations

B.

Encrypt stored data with quantum-resistant algorithms

C.

Use quantum-specific firewalls to protect quantum communication channels

D.

Include quantum-resistance checks in SDLC and code review processes

Buy Now
Questions 159

At a smart retail outlet in San Diego, California, ethical hacker Sophia Bennett assesses IoT-based inventory sensors that synchronize with a cloud dashboard. She discovers that sensitive business records are sent across the network without encryption and are also stored in a retrievable format on the provider ' s cloud platform.

Which IoT attack surface area is most directly demonstrated in this finding?

Options:

A.

Insecure ecosystem interfaces

B.

Insecure data transfer and storage

C.

Insecure network services

D.

Insecure default settings

Buy Now
Questions 160

At RedCore Motors, the IT security lead, Priya, is tasked with selecting a vulnerability management solution for their expanding hybrid infrastructure. During the evaluation, she prioritizes tools that support agent-based detection across endpoints, offer constant monitoring and alerting capabilities, and provide comprehensive visibility into both on-premises and cloud-based systems. After thorough testing, she selects a platform that promises to scan for vulnerabilities everywhere accurately and efficiently, aligning with her organization’s need for centralized visibility and real-time risk assessment.

Which vulnerability assessment tool did Priya MOST LIKELY select?

Options:

A.

Nessus

B.

Nikto

C.

Qualys VM

D.

OpenVAS

Buy Now
Questions 161

A cybersecurity consultant suspects attackers are attempting to evade an Intrusion Detection System (IDS). Which technique is most likely being used?

Options:

A.

Deploying self-replicating malware

B.

Fragmenting malicious packets into smaller segments

C.

Flooding the IDS with ICMP packets

D.

Sending phishing emails

Buy Now
Questions 162

A global media streaming platform experiences traffic surges every 10 minutes, with spikes over 300 Gbps followed by quiet intervals. Which DDoS attack explains this behavior?

Options:

A.

UDP flood sustained attack

B.

Recursive HTTP GET flood

C.

Permanent DoS (PDoS)

D.

Pulse Wave attack

Buy Now
Questions 163

While conducting a covert penetration test on a UNIX-based infrastructure, the tester decides to bypass intrusion detection systems by sending specially crafted TCP packets with an unusual set of flags enabled. These packets do not initiate or complete any TCP handshake. During the scan, the tester notices that when certain ports are probed, there is no response from the target, but for others, a TCP RST (reset) packet is received. The tester notes that this behavior consistently aligns with open and closed ports. Based on these observations, which scanning technique is most likely being used?

Options:

A.

ACK flag scan to evaluate firewall behavior

B.

TCP Connect scan to complete the three-way handshake

C.

Xmas scan leveraging RFC 793 quirks

D.

FIN scan using stealthy flag combinations

Buy Now
Questions 164

In Portland, Oregon, ethical hacker Olivia Harper is hired by Cascade Biotech to test the security of their research network. During her penetration test, she simulates an attack by sending malicious packets to a server hosting sensitive genetic data. To evade detection, she needs to understand the monitoring system deployed near the network’s perimeter firewall, which analyzes incoming and outgoing traffic for suspicious patterns across the entire subnet. Olivia’s goal is to bypass this system to highlight vulnerabilities for the security team.

Which security system is Olivia attempting to bypass during her penetration test of Cascade Biotech’s network?

Options:

A.

Network-Based Intrusion Detection System

B.

Host-Based Firewalls

C.

Network-Based Firewalls

D.

Host-Based Intrusion Detection System

Buy Now
Questions 165

After responding to an alert involving unauthorized access to payroll data, forensic analyst Jason Miller traces the breach to a Windows workstation previously used by a temporary staff member in Chicago. While analyzing the event timeline, Jason identifies a non-elevated process that launched a signed Microsoft binary — one of several auto-elevate executables such as fodhelper.exe, eventvwr.exe, or sdclt.exe — which resulted in execution of unauthorized code without prompting the user. Registry analysis reveals manipulation of shell-related keys under the current user hive, redirecting the trusted binary to invoke a malicious payload.

Which technique most likely enabled the privilege escalation?

Options:

A.

Kernel Exploitation

B.

Scheduled Task

C.

UAC Bypass

D.

DLL Hijacking

Buy Now
Questions 166

Who are “script kiddies” in the context of ethical hacking?

Options:

A.

Highly skilled hackers who write custom scripts

B.

Novices who use scripts developed by others

C.

Ethical hackers using scripts for penetration testing

D.

Hackers specializing in scripting languages

Buy Now
Questions 167

A digital publishing firm in Charlotte, North Carolina, noticed suspicious probing activity against its public website. To proactively assess exposure, the security team initiated a focused scan of the company’s HTTP servers.

The chosen tool examined server headers, identified installed web server software through file signatures and favicon analysis, checked for outdated components, and searched for potentially dangerous files and misconfigurations. The scan also supported SSL connections and generated exportable reports in multiple formats for documentation.

Which vulnerability assessment tool most closely aligns with the capabilities described?

Options:

A.

Nessus

B.

OpenVAS

C.

Qualys VM

D.

Nikto

Buy Now
Questions 168

During a penetration testing engagement at First Union Bank in Chicago, ethical hacker Rachel Morgan is assigned to assess the internal network for potential sniffing activity that could compromise sensitive customer data. While inspecting traffic in the loan processing department, Rachel observes that a workstation is receiving packets not addressed to it, raising suspicion of a sniffing tool operating in promiscuous mode. To validate her hypothesis, she prepares to conduct an active verification using a classic detection approach.

Which detection technique should Rachel use to confirm the presence of a sniffer in this case?

Options:

A.

Sniffer detection using an NSE script to check for promiscuous mode

B.

DNS method by monitoring reverse DNS lookup traffic

C.

ARP method by sending non-broadcast ARP requests

D.

Ping method by sending packets with an incorrect MAC address

Buy Now
Questions 169

At TechTrend Innovations in Silicon Valley, network administrator Jake Henderson reviews the configuration of their web infrastructure. While inspecting the web server setup, he identifies the directory that stores the publicly accessible website content such as HTML files, images, and client-side scripts. Jake highlights this area as a frequent target for attackers, since improper permissions could expose sensitive files to unauthorized users.

Which web server component is Jake analyzing in this scenario?

Options:

A.

Application Server

B.

Document Root

C.

HTTP Server (Core)

D.

Virtual Document Tree

Buy Now
Questions 170

During a red team operation for XYZ Financial Services, security analyst Lily Jensen is assigned to scan a critical subnet that is protected by an IDS. Her initial scan attempt is immediately flagged and blocked. To evade detection while continuing reconnaissance, she adjusts the scanning configuration to include multiple spoofed IP addresses alongside her own. This makes it difficult for network defenses to isolate her real scanning activity, while still allowing her to receive accurate results.

Which scanning technique is Lily using?

Options:

A.

SYN FIN Scanning

B.

Source Routing

C.

IP Spoofing

D.

Decoy Scanning

Buy Now
Questions 171

Which advanced session-hijacking technique is hardest to detect and mitigate?

Options:

A.

Covert XSS attack

B.

Man-in-the-Browser (MitB) attack

C.

Passive sniffing on Wi-Fi

D.

Session fixation

Buy Now
Questions 172

Amid the vibrant buzz of Miami’s digital scene, ethical hacker Sofia Alvarez embarks on a mission to fortify the web server of Sunshine Media’s streaming platform. Diving into her security assessment, Sofia sends a meticulously crafted GET / HTTP/1.0 request to the server, scrutinizing its response. The server obligingly returns headers exposing its software version and operating system, a revelation that could empower malicious actors to tailor their attacks. Committed to bolstering the platform’s defenses, Sofia documents her findings to urge the security team to address this exposure.

What approach is Sofia using to expose the vulnerability in Sunshine Media’s web server?

Options:

A.

Information Gathering from Robots.txt File

B.

Vulnerability Scanning

C.

Directory Brute Forcing

D.

Web Server Footprinting Banner Grabbing

Buy Now
Questions 173

On 10th of July this year, during a security penetration test at IntelliCore Systems in Raleigh, North Carolina, the ethical hacking team evaluates the stability of the company’s file-sharing server. Sofia crafts and transmits a sequence of oversized, malformed packets designed to test how the server handles unexpected input. Shortly after, the system begins crashing intermittently due to processing failures triggered by these anomalous network requests. The security team onsite is tasked with identifying the root cause behind the packet-induced instability and attributing it to a known DoS tactic.

Which of the following best explains the technique Sofia used to trigger the server crashes?

Options:

A.

ICMP Flood Attack

B.

Ping of Death PoD

C.

Smurf Attack

D.

ACK Flood Attack

Buy Now
Questions 174

A city’s power management system relies on SCADA infrastructure. Recent anomalies include inconsistent sensor readings and intermittent outages. Security analysts suspect a side-channel attack designed to extract sensitive information covertly from SCADA devices. Which investigative technique would best confirm this type of attack?

Options:

A.

Measuring unusual physical or electrical fluctuations during device operation at the hardware level.

B.

Identifying weak cryptographic configurations in device communications.

C.

Assessing SCADA user interfaces for unauthorized access or misuse.

Buy Now
Questions 175

Which attack targets WPA WPS PIN?

Options:

A.

Wireshark

B.

Reaver

C.

Aircrack

D.

Kismet

Buy Now
Questions 176

Which advanced mobile hacking technique is the hardest to detect and mitigate in a healthcare environment?

Options:

A.

Zero-day mobile exploits

B.

App spoofing

C.

Bluejacking

D.

Side-channel attacks

Buy Now
Questions 177

During a quarterly security audit at a multinational logistics firm, network security manager Priya initiates a scheduled vulnerability assessment across the organization’s hybrid infrastructure. Her team begins by identifying all active IT assets and assigning them risk scores based on business criticality. The following week, they deploy scanning tools to detect security weaknesses, validate the findings manually, and classify vulnerabilities based on severity and exploitability. After coordinating with the IT operations team, they develop a structured timeline to address the confirmed vulnerabilities, giving priority to high-risk findings affecting mission-critical systems. Finally, after the vulnerabilities are addressed, Priya ensures the affected systems are rescanned to confirm resolution and generates a compliance report for executive review.

Based on this workflow, which phase of the Vulnerability-Management Life Cycle is Priya executing?

Options:

A.

Remediation

B.

Vulnerability Analysis

C.

Verification

D.

Risk Assessment

Buy Now
Questions 178

A digital media company in Seattle, Washington deploys an Nginx-based infrastructure to support its internal analytics dashboard and content publishing portal. During an authorized red team engagement, a tester evaluates the web-based administrative interface used to upload configuration bundles and manage application components.

While analyzing a file-upload feature, the tester observes that certain user-supplied parameters submitted with uploaded content are incorporated into backend processing routines with limited validation. By adjusting specific values in the request, he alters how the server-side component interprets those inputs.

Subsequent log analysis shows that the modified input affected system-level operations executed under the web service context, despite no direct shell access being obtained.

Which Nginx-related vulnerability best describes the weakness identified in this scenario?

Options:

A.

NULL Pointer Dereference in HTTP/3

B.

Improper Certificate Validation

C.

Server-Side Request Forgery (SSRF) Vulnerability

D.

OS Command Injection in nginxWebUI

Buy Now
Questions 179

As the cybersecurity lead for an international news agency, you are alerted by your threat intelligence team that confidential communications between journalists and whistleblowers have been posted to an online activist forum. Further forensic analysis reveals that no financial transactions were tampered with and no ransomware was deployed. However, the agency’s internal systems were accessed and selectively leaked emails were published alongside a manifesto accusing the organization of biased reporting. The attackers also posted on social media claiming responsibility and justifying their actions as a fight against misinformation.

Based on this behavior, what category of hacker are you most likely dealing with?

Options:

A.

Script Kiddies

B.

Hacktivists

C.

Black Hat hackers

D.

White Hat hackers

Buy Now
Questions 180

An organization authorizes a wireless penetration test to evaluate the resilience of its WPA2-protected network. The assigned ethical hacker prepares the wireless adapter for packet capture and begins monitoring traffic from a nearby access point.

To accelerate the assessment, the tester transmits crafted 802.11 frames that momentarily interrupt active client connections. Shortly afterward, new authentication exchanges are observed in the capture logs, providing the necessary material for subsequent analysis.

The activity described corresponds to which component of the Aircrack-ng suite?

Options:

A.

airodump-ng

B.

airmon-ng

C.

aircrack-ng

D.

aireplay-ng

Buy Now
Questions 181

A penetration tester is assessing a company ' s executive team for vulnerability to sophisticated social engineering attacks by impersonating a trusted vendor and leveraging internal communications. What is the most effective social engineering technique to obtain sensitive executive credentials without being detected?

Options:

A.

Develop a fake social media profile to connect with executives and request private information

B.

Conduct a phone call posing as the CEO to request immediate password changes

C.

Create a targeted spear-phishing email that references recent internal projects and requests credential verification

D.

Send a mass phishing email with a malicious link disguised as a company-wide update

Buy Now
Questions 182

Upon completing a vulnerability evaluation for a financial services firm in Cincinnati, Ohio, the security team finalized its formal report for executive review. One portion of the document grouped identified weaknesses into severity tiers and highlighted systems with elevated exposure levels across the environment. This part of the report emphasized the relative impact and prioritization of identified weaknesses across affected assets. Which component of the vulnerability assessment report is represented in this scenario?

Options:

A.

Recommendations

B.

Risk Assessment

C.

Assessment Overview

D.

Findings

Buy Now
Questions 183

An attacker exploits legacy protocols to perform advanced sniffing. Which technique is the most difficult to detect and neutralize?

Options:

A.

HTTP header overflow extraction

B.

SMTP steganographic payloads

C.

Covert channel via Modbus protocol manipulation

D.

X.25 packet fragmentation

Buy Now
Questions 184

Which method best bypasses client-side controls without triggering server-side alarms?

Options:

A.

Disable JavaScript in the browser

B.

Intercept and modify requests using a proxy tool

C.

Inject malicious JavaScript into the login form

D.

Reverse-engineer the encryption algorithm

Buy Now
Questions 185

A private equity firm in Minneapolis, Minnesota allows employees to access internal reporting tools from their personally owned smartphones under its BYOD program. During a routine security assessment, a consultant observes that when an employee leaves their unlocked phone unattended, a colleague can immediately open the firm’s financial application and review client investment records without any additional verification step inside the application.

The operating system itself requires a passcode to unlock the device, but once unlocked, corporate applications open directly to sensitive dashboards.

Identify the BYOD security guideline that would directly mitigate this exposure.

Options:

A.

Use Encryption Mechanism to Store Data

B.

Set a Strong Passcode on the Device and Change It Relatively Often

C.

Maintain a Clear Separation between Business and Personal Data

D.

Set Passwords for Apps to Restrict Others from Accessing Them

Buy Now
Questions 186

A Nessus scan reports a CVSS 9.0 SSH vulnerability allowing remote code execution. What should be immediately prioritized?

Options:

A.

Apply the vendor patch and reboot during maintenance

B.

Dismiss it as a false positive if unverified

C.

Reroute SSH traffic to another server

D.

Isolate the server, audit it, and apply patches

Buy Now
Questions 187

A DevOps engineer at a Toronto-based SaaS provider deploys a multi-tenant application within a shared orchestration environment. During a security assessment, a penetration tester discovers that a compromised workload is able to access host-level system resources and interact with adjacent workloads beyond its intended isolation controls.

Further investigation reveals that the workload was launched with elevated privileges and insufficient runtime restrictions, allowing the attacker to cross the intended isolation boundary and gain unauthorized access to the underlying infrastructure.

Which cloud attack technique best describes this security weakness?

Options:

A.

Man-in-the-Cloud Attack

B.

Side-Channel Attack

C.

Container Escape

D.

Golden SAML Attack

Buy Now
Questions 188

A subscription-based analytics platform in Portland, Oregon provides enterprise clients with API access to project dashboards. Each dashboard is associated with a unique identifier included in client-side API requests when retrieving project data.

While evaluating access controls, a security analyst signs in using a standard user account and captures a legitimate API request used to retrieve a specific project dashboard. By altering only the identifier value within the request and replaying it through the same authenticated session, the analyst receives data belonging to a different client organization.

The session remains valid, and no elevated privileges are granted. The behavior indicates that access validation does not adequately verify whether the requesting user is authorized to access the referenced resource.

Identify the OWASP API security risk illustrated in this scenario.

Options:

A.

Broken Object Level Authorization (BOLA)

B.

Broken Object Property Level Authorization

C.

Broken Function Level Authorization

D.

Broken Authentication

Buy Now
Questions 189

Which attack manipulates hidden fields?

Options:

A.

SQLi

B.

XSS

C.

Parameter tampering

D.

CSRF

Buy Now
Questions 190

A penetration tester evaluates a company ' s susceptibility to advanced social engineering attacks targeting its executive team. Using detailed knowledge of recent financial audits and ongoing projects, the tester crafts a highly credible pretext to deceive executives into revealing their network credentials. What is the most effective social engineering technique the tester should employ to obtain the necessary credentials without raising suspicion?

Options:

A.

Send a mass phishing email with a link to a fake financial report

B.

Create a convincing fake email from the CFO asking for immediate credential verification

C.

Conduct a phone call posing as an external auditor requesting access to financial systems

D.

Develop a spear-phishing email that references specific financial audit details and requests login confirmation

Buy Now
Questions 191

In a bustling tech firm in Seattle, Michael, an ethical hacker, is conducting a security assessment to identify potential risks. During his evaluation, he notices that sensitive employee details and system configurations have been exposed through public forums, likely due to careless online behavior. His manager suspects this could lead to unauthorized access or data theft. As part of his testing, what type of threat should Michael focus on to simulate the adversary ' s method of gathering this exposed information?

Options:

A.

Corporate Espionage

B.

Social Engineering

C.

System and Network Attacks

D.

Information Leakage

Buy Now
Questions 192

Noah Kim, an ethical hacker at Quantum Cyber Solutions in Austin, Texas, is assessing iPhones used for proprietary development. On one device, he demonstrates a technique that allows it to boot normally without a computer, but the elevated access is temporarily lost after restart until the user launches a special on-device app to reapply the modifications. Which jailbreaking method is this?

Options:

A.

Tethered Jailbreaking

B.

Untethered Jailbreaking

C.

Semi-untethered Jailbreaking

D.

Semi-tethered Jailbreaking

Buy Now
Questions 193

_____ is a set of extensions to DNS that provide the origin authentication of DNS data to DNS clients (resolvers) so as to reduce the threat of DNS poisoning, spoofing, and similar types of attacks.

Options:

A.

Resource transfer

B.

Resource records

C.

DNSSEC

D.

Zone transfer

Buy Now
Questions 194

A Java app uses outdated libraries with known CVEs. What risk does this create?

Options:

A.

CSRF

B.

DoS

C.

Supply chain risk

D.

XSS

Buy Now
Questions 195

A Python API allows unlimited file upload size. What attack is possible?

Options:

A.

DoS

B.

XSS

C.

SQLi

D.

CSRF

Buy Now
Questions 196

What does AXFR allow?

Options:

A.

Zone transfer

B.

Encryption

C.

DNS tunneling

D.

Resolution

Buy Now
Questions 197

A cybersecurity analyst wants to monitor competitors’ web content updates. What key element is missing from the plan?

Options:

A.

Hacking competitor databases

B.

Google Alerts for content monitoring

C.

Engaging in blog discussions

D.

Using a VPN

Buy Now
Questions 198

A penetration tester is assessing a mobile application and discovers that the app is vulnerable to improper session management. The session tokens are not invalidated upon logout, allowing the tokens to be reused. What is the most effective way to exploit this vulnerability?

Options:

A.

Perform a replay attack by using the same session token after the user logs out

B.

Use a Cross-Site Request Forgery (CSRF) attack to steal the session tokens

C.

Use a brute-force attack to guess valid session tokens

D.

Execute a SQL injection attack to retrieve session tokens from the database

Buy Now
Questions 199

Which advanced evasion technique poses the greatest challenge to detect and mitigate?

Options:

A.

Covert channel communication using IP header fields

B.

Honeypot spoofing

C.

Polymorphic malware

D.

Packet fragmentation evasion

Buy Now
Questions 200

During a targeted intrusion against a cloud infrastructure company in Salt Lake City, Utah, an attacker distributes a modified installation package of a legitimate network diagnostic utility widely used by employees. Before distributing the package, the attacker binds a malicious remote-access payload with the original executable so that both components are installed together.

When users launch the diagnostic tool, it performs its normal troubleshooting functions, while the hidden payload simultaneously executes in the background and establishes communication with a remote command server.

From a malware deployment perspective, what technique best describes this approach?

Options:

A.

Wrapper

B.

Downloader

C.

Packer

D.

Dropper

Buy Now
Questions 201

A digital forensics consultant in Portland, Oregon examines an iPhone seized as part of a corporate data leakage investigation. The device contains third-party extensions and system modifications not typically permitted by the operating system vendor.

The owner explains that whenever the device is powered off and restarted, it boots normally and remains fully functional for everyday tasks such as calls and messaging. However, the custom extensions and system-level tweaks do not function until a specific jailbreak application installed on the device is manually executed. No external computer is required during this reactivation process.

Determine the type of jailbreaking technique implemented on this device.

Options:

A.

Untethered Jailbreaking

B.

Tethered Jailbreaking

C.

Semi-Tethered Jailbreaking

D.

Semi-Untethered Jailbreaking

Buy Now
Questions 202

While evaluating a smart card implementation, a security analyst observes that an attacker is measuring fluctuations in power consumption and timing variations during encryption operations on the chip. The attacker uses this information to infer secret keys used within the device. What type of exploitation is being carried out?

Options:

A.

Disrupt control flow to modify instructions

B.

Observe hardware signals to deduce secrets

C.

Crack hashes using statistical collisions

D.

Force session resets through input flooding

Buy Now
Questions 203

“ShadowFlee” is fileless malware using PowerShell and legitimate tools. Which strategy offers the most focused countermeasure?

Options:

A.

Restrict and monitor script and system tool execution

B.

Isolate systems and inspect traffic

C.

Schedule frequent reboots

D.

Clean temporary folders

Buy Now
Questions 204

A web application allows users to upload files and later include them in pages dynamically. Attackers exploit this to execute code. Which vulnerability exists?

Options:

A.

LFI

B.

RFI

C.

CSRF

D.

XSS

Buy Now
Questions 205

At a New York-based e-commerce company preparing for Black Friday sales, analyst Sarah evaluates cloud billing practices. She notices that the provider tracks compute hours, storage usage, and bandwidth consumption in detail, enabling the company to pay only for what is consumed while also supporting audits. Which cloud computing characteristic best explains this feature?

Options:

A.

Measured service

B.

Broad network access

C.

On-demand self-service

D.

Resource pooling

Buy Now
Questions 206

What does DEP block?

Options:

A.

Encryption

B.

Logging

C.

Execution in data memory

D.

Scanning

Buy Now
Questions 207

A large mobile telephony and data network operator has a data center that houses network elements. These are essentially large computers running on Linux. The perimeter of the data center is secured with firewalls and IPS systems. What is the best security policy concerning this setup?

Options:

A.

There is no need for specific security measures on the network elements as long as firewalls and IPS systems exist.

B.

The operator knows that attacks and down time are inevitable and should have a backup site.

C.

Network elements must be hardened with user ids and strong passwords. Regular security tests and audits should be performed.

D.

As long as the physical access to the network elements is restricted, there is no need for additional measures.

Buy Now
Questions 208

During a cloud security assessment, it was discovered that a former employee still had access to critical resources months after leaving the organization. Which practice would have most effectively prevented this issue?

Options:

A.

Using multi-cloud deployment models

B.

Implementing real-time traffic analysis

C.

Conducting regular penetration tests

D.

Enforcing timely user de-provisioning

Buy Now
Questions 209

You’ve just performed a port scan against an internal device during a routine pen test. Nmap returned the following response: Starting NMAP 7.30 at 2021-10-10 11:06 NMAP scan report for 192.168.123.100 Host is up (1.00s latency). Not shown: 993 closed ports PORT STATE SERVICE 80/tcp open http 161/tcp open snmp 515/tcp open lpd MAC Address: 00:1B:A9:01:3a:21 Based on this scan result, which of the following is most likely correct?

Options:

A.

The host is a printer.

B.

The host is most likely a Windows computer.

C.

The host is a Cisco router.

D.

The host is most likely a Linux computer.

Buy Now
Questions 210

A government agency trains a group of cybersecurity experts to carry out covert cyber missions against foreign threats and gather intelligence without being detected. These experts work exclusively for national interests. What classification best describes them?

Options:

A.

Organized hackers

B.

State-sponsored hackers

C.

Hacktivists

D.

Gray hat hackers

Buy Now
Questions 211

While conducting a red team exercise at a corporate office in San Diego, California, you observe employees working in an open-plan area. By discreetly watching their screens and hand movements as they log into internal systems, you are able to capture several usernames and partial passwords without touching any devices or interacting with the staff. Which social engineering technique does this scenario best illustrate?

Options:

A.

Shoulder Surfing

B.

Dumpster Diving

C.

Impersonation

D.

Tailgating

Buy Now
Questions 212

What does ATT & CK tactic “Persistence” mean?

Options:

A.

Initial exploit

B.

Data theft

C.

Cleanup

D.

Long-term access

Buy Now
Questions 213

A large media-streaming company receives complaints that its web application is timing out or failing to load. Security analysts observe the web server is overwhelmed with a large number of open HTTP connections, transmitting data extremely slowly. These connections remain open indefinitely, exhausting server resources without consuming excessive bandwidth. The team suspects an application-layer DoS attack. Which attack is most likely responsible?

Options:

A.

A UDP flooding attack targeting random ports.

B.

An ICMP Echo Request flooding attack.

C.

A Slowloris attack that keeps numerous HTTP connections open to exhaust server resources.

D.

A fragmented packet attack with overlapping offset values.

Buy Now
Questions 214

You are a security analyst at Sentinel Cyber Group, monitoring the web portal of Aspen Valley Bank in Salt Lake City, Utah. During log review, you notice repeated attempts by attackers to inject malicious strings into the login fields. However, despite these attempts, the application executes queries safely without altering their logic, since user inputs are kept separate from the SQL statements and bound as fixed values before execution.

Based on the observed defense mechanism, which SQL injection countermeasure is the application employing?

Options:

A.

Perform user input validation

B.

Restrict database access

C.

Encoding the single quote

D.

Use parameterized queries or prepared statements

Buy Now
Questions 215

During an assessment for a tech company in Seattle, Washington, an ethical hacker seeks to uncover details about the organization’s domain ownership to identify potential points of contact. She uses an online service to retrieve publicly available records without direct interaction with the target. Which method is she most likely employing to achieve this?

Options:

A.

Email footprinting

B.

Network footprinting

C.

Whois lookup

D.

DNS interrogation

Buy Now
Questions 216

A penetration tester is tasked with identifying vulnerabilities on a web server running outdated software. The server hosts several web applications and is protected by a basic firewall. Which technique should the tester use to exploit potential server vulnerabilities?

Options:

A.

Conduct a SQL injection attack on the web application ' s login form

B.

Perform a brute-force login attack on the admin panel

C.

Execute a buffer overflow attack targeting the web server software

D.

Use directory traversal to access sensitive configuration files

Buy Now
Questions 217

You are an ethical hacker at HorizonSec Consulting, hired by Liberty Insurance in Philadelphia, Pennsylvania, to test the resilience of their online claim submission portal. During testing, you modify the claim ID parameter in the URL with conditions such as AND and AND 1=2. When the first condition is used, the portal displays claim details as normal; when the second condition is used, the page displays no results. You repeat this process to determine how the application responds to true and false conditions without error messages or delays.

Based on the observed behavior, which SQL injection technique are you employing?

Options:

A.

UNION SQL Injection

B.

Error-based SQL Injection

C.

Time-based Blind SQL Injection

D.

Boolean Exploitation

Buy Now
Questions 218

In Pittsburgh, Pennsylvania, a major steel manufacturer operates a production plant with numerous automated loops that regulate temperature, pressure, and conveyor speed. During an audit, ethical hacker Marcus Reed observes that these loops are coordinated by a centralized supervisory network that links multiple controllers across the facility. Based on this design, which OT system concept is being applied?

Options:

A.

Manual loop

B.

Distributed Control System (DCS)

C.

Open loop

D.

Closed loop

Buy Now
Questions 219

You are Liam Chen, an ethical hacker at CyberGuard Analytics, hired to test the social engineering defenses of Coastal Trends, a retail chain in Los Angeles, California. During a covert assessment, you craft a deceptive message sent to the employees’ company phones, claiming a critical account update is needed and directing them to a link that installs monitoring software. Several employees interact with the link, exposing a vulnerability to a specific mobile attack vector. Based on this approach, which mobile attack type are you simulating?

Options:

A.

Bluebugging

B.

SMS Phishing

C.

Call Spoofing

D.

OTP Hijacking

Buy Now
Questions 220

A state benefits processing platform in Sacramento, California, implemented a multi-step identity verification process before granting access to sensitive citizen records. During a controlled assessment, security analyst Daniel Kim observed that by altering specific request parameters within the transaction sequence, it was possible to bypass an intermediate verification stage and retrieve restricted account data.

Further analysis revealed that the authentication workflow advanced through sequential client-driven interactions, but the server did not enforce strict validation of completion for each required stage before granting access.

Based on the scenario, which vulnerability classification best describes the issue identified?

Options:

A.

Poor Patch Management

B.

Design Flaws

C.

Application Flaws

D.

Misconfigurations / Weak Configurations

Buy Now
Questions 221

An attacker, using a rogue wireless AP, performed an MITM attack and injected an HTML code to embed a malicious applet in all HTTP connections. When users accessed any page, the applet ran and exploited many machines. Which one of the following tools the hacker probably used to inject HTML code?

Options:

A.

Wireshark

B.

Aircrack-ng

C.

Ettercap

D.

Tcpdump

Buy Now
Questions 222

A logistics technology provider in Kansas City, Missouri conducts an internal review after an ethical hacker demonstrates several recurring input-handling weaknesses across different customer-facing web applications. The findings show that validation logic varies between modules, with many controls implemented inconsistently across components developed by separate teams.

Although immediate patches are applied to address the identified flaws, similar issues have surfaced in previous platform iterations despite corrective updates. Leadership determines that isolated fixes are insufficient and initiates an effort to standardize how security requirements are defined and incorporated across future development initiatives.

Based on the web application attack countermeasures, which category best aligns with this remediation approach?

Options:

A.

Insecure Design

B.

Broken Access Control

C.

Security Misconfiguration

D.

Cryptographic Failures / Sensitive Data Exposure

Buy Now
Questions 223

A penetration tester is assessing an IoT thermostat used in a smart home system. The device communicates with a cloud server for updates and commands. The tester discovers that communication between the device and the cloud server is not encrypted. What is the most effective way to exploit this vulnerability?

Options:

A.

Conduct a Cross-Site Scripting (XSS) attack on the thermostat’s web interface

B.

Perform a brute-force attack on the thermostat’s local admin login

C.

Execute a SQL injection attack on the cloud server ' s login page

D.

Use a man-in-the-middle (MitM) attack to intercept and manipulate unencrypted communication

Buy Now
Questions 224

In the bustling digital marketplace of Miami ' s tech corridor, ethical hacker Sofia Alvarez probes the virtual defenses of RetailRush, a US-based online retailer hosting thousands of daily transactions. Tasked with exposing weaknesses in the web server ' s URL processing, Sofia submits crafted requests to manipulate resource paths. Her tests uncover a severe flaw: the server grants access to restricted system files, exposing sensitive configuration data. Further scrutiny reveals the issue stems from the server ' s failure to validate input paths, not from header manipulation, cached content tampering, or credential compromise. Committed to hardening the platform, Sofia drafts a precise report to direct the security team toward immediate fixes.

Which web server attack type is Sofia most likely exploiting in RetailRush ' s web server?

Options:

A.

Directory Traversal Attack

B.

Web Cache Poisoning Attack

C.

HTTP Response Splitting Attack

D.

Password Cracking Attack

Buy Now
Questions 225

Which social engineering attack involves impersonating a co-worker or authority figure to extract confidential information?

Options:

A.

Phishing

B.

Pretexting

C.

Quid pro quo

D.

Baiting

Buy Now
Questions 226

During a red team operation on a segmented enterprise network, the testers discover that the organization’s perimeter devices deeply inspect only connection-initiation packets (such as TCP SYN and HTTP requests). Response packets and ACK packets within established sessions, however, are minimally inspected. The red team needs to covertly transmit payloads to an internal compromised host by blending into normal session traffic. Which approach should they take to bypass these defensive mechanisms?

Options:

A.

Port knocking

B.

SYN scanning

C.

ICMP flooding

D.

ACK tunneling

Buy Now
Questions 227

During a security review for a healthcare provider in Denver, Colorado, Ava examines the header of a suspicious message to map the sender ' s outbound email infrastructure. Her goal is to identify which specific system on the sender ' s side processed the message so the team can understand where the transmission originated within that environment. Which detail from the email header should she examine to determine this?

Options:

A.

Date and time of message sent

B.

Sender ' s mail server

C.

Sender ' s IP address

D.

Authentication system used by sender ' s mail server

Buy Now
Questions 228

Which WPA2 vulnerability allows packet interception and replay?

Options:

A.

Hole196 vulnerability

B.

KRACK vulnerability

C.

WPS PIN recovery

D.

Weak RNG

Buy Now
Questions 229

During a cybersecurity awareness drill at Quantum Analytics in San Francisco, California, the ethical hacking team tests the company’s defenses against social media-based threats. Nadia creates a fake LinkedIn profile posing as a senior HR manager from Quantum Analytics, using a stolen company logo and publicly available employee details. Nadia sends connection requests to several employees, including data analyst Priya Sharma, inviting them to join a private group called Quantum Analytics Innovation Hub. The group’s page prompts members to share their work email and department role for exclusive project updates.

What social engineering threat to corporate networks is Nadia’s exercise primarily simulating?

Options:

A.

Loss of Productivity

B.

Involuntary Data Leakage

C.

Spam and Phishing

D.

Network Vulnerability Exploitation

Buy Now
Questions 230

During testing against a network protected by a signature-based IDS, the tester notices that standard scans are blocked. To evade detection, the tester sends TCP headers split into multiple small IP fragments so the IDS cannot reassemble or interpret them, but the destination host can. What technique is being used?

Options:

A.

IP decoying with randomized address positions

B.

SYN scan with spoofed MAC address

C.

Packet crafting with randomized window size

D.

Packet fragmentation to bypass filtering logic

Buy Now
Questions 231

Which technique is commonly used by attackers to evade firewall detection?

Options:

A.

Spoofing source IP addresses to appear trusted

B.

Using open-source operating systems

C.

Using encrypted communication channels

D.

Social engineering employees

Buy Now
Questions 232

During an authorized engagement at IronClad Financial Services in Charlotte, the red team successfully exploits a weakness and obtains administrative access to a critical server. After achieving this objective, the team installs a backdoor mechanism to ensure continued access even if the original vulnerability is remediated. The team documents this activity as part of demonstrating long-term adversary behavior within the approved scope.

Within the CEH ethical hacking framework, which phase does this activity represent?

Options:

A.

Reconnaissance

B.

Vulnerability Scanning

C.

Maintaining Access

D.

Clearing Tracks

Buy Now
Questions 233

A penetration tester is assessing an organization ' s cloud infrastructure and discovers misconfigured IAM policies on storage buckets. The IAM settings grant read and write permissions to any authenticated user. What is the most effective way to exploit this misconfiguration?

Options:

A.

Use leaked API keys to access the cloud storage buckets and exfiltrate data

B.

Execute a SQL injection attack on the organization ' s website to retrieve sensitive information

C.

Create a personal cloud account to authenticate and access the misconfigured storage buckets

D.

Perform a Cross-Site Scripting (XSS) attack on the cloud management portal to gain access

Buy Now
Questions 234

A network administrator reviews logs and observes that an attacker sends packets requesting the target system’s internal clock value. The response includes timing information that can be used to calculate round-trip delay and analyze host characteristics.

What host discovery technique is being used in this scenario?

Options:

A.

UDP Ping Scan

B.

ICMP Echo Ping Sweep

C.

IP Protocol Scan

D.

ICMP Timestamp Ping Scan

Buy Now
Questions 235

Which of the following is a component of a risk assessment?

Options:

A.

Administrative safeguards

B.

Logical interface

C.

Physical security

D.

DMZ

Buy Now
Questions 236

The company ABC recently contracts a new accountant. The accountant will be working with the financial statements. Those financial statements need to be approved by the CFO and then they will be sent to the accountant but the CFO is worried because he wants to be sure that the information sent to the accountant was not modified once he approved it. Which of the following options can be useful to ensure the integrity of the data?

Options:

A.

The document can be sent to the accountant using an exclusive USB for that document

B.

The CFO can use an excel file with a password

C.

The financial statements can be sent twice, one by email and the other delivered in USB and the accountant can compare both to be sure is the same document

D.

The CFO can use a hash algorithm in the document once he approved the financial statements

Buy Now
Questions 237

During a penetration test at a financial services company in Denver, ethical hacker Jason demonstrates how employees could be tricked by a rogue DHCP server. To help the client prevent such attacks in the future, Jason shows the administrators how to configure their Cisco switches to reject DHCP responses from untrusted ports. He explains that this global setting must be activated before more granular controls can be applied.

Which switch command should Jason recommend to implement this defense?

Options:

A.

Switch(config)# ip dhcp snooping

B.

Switch(config)# ip arp inspection vlan 10

C.

Switch(config)# ip dhcp snooping vlan 10

D.

Switch(config-if)# ip dhcp snooping trust

Buy Now
Questions 238

During a penetration test at a manufacturing company in Detroit, Amanda, a senior security consultant, scans several legacy Linux servers. On one host, she discovers an open port used for file transfer that allows anonymous login. Once connected, she is able to view the directory structure and check available files, which helps her identify potential sensitive information exposure. She also notices background traffic on a UDP service related to NetBIOS name lookups, but she continues probing the file transfer service to confirm user access weaknesses.

Which ports and services should Amanda prioritize for this enumeration activity?

Options:

A.

TCP 23 and UDP 137, 138

B.

TCP 21 and UDP 137

C.

TCP 25 and UDP 138

D.

TCP 139 and UDP 137, 138

Buy Now
Questions 239

At a fast-growing startup in Austin, Texas, an ethical hacker is asked to simulate how attackers might gather information to gain initial access. During the assessment, she poses as a recruiter on a professional networking site and convinces several employees to share details about the company’s internal software and VPN setup. Which type of threat best represents this adversary’s method of information gathering?

Options:

A.

System and Network Attacks

B.

Social Engineering

C.

Information Leakage

D.

Corporate Espionage

Buy Now
Exam Code: 312-50v13
Exam Name: Certified Ethical Hacker Exam (CEHv13)
Last Update: Jul 19, 2026
Questions: 797

PDF + Testing Engine

$134.99

Testing Engine

$99.99

PDF (Q&A)

$84.99