Visit here for our full ECCouncil 312-50v13 exam dumps and practice test questions.
Q181
An ethical hacker discovers that a web application includes external JavaScript libraries from third-party CDNs without integrity checks. Which attack could exploit this?
A) SQL injection
B) Supply chain attack
C) Buffer overflow
D) ARP poisoning
Answer: B
Explanation:
A supply chain attack could exploit web applications that include external JavaScript libraries from third-party CDNs without integrity checks. Supply chain attacks compromise software distribution channels, third-party components, or dependencies to inject malicious code that affects downstream users. When applications load JavaScript from external CDNs without verifying file integrity, attackers who compromise the CDN, perform DNS hijacking, or execute man-in-the-middle attacks can substitute malicious scripts. These compromised scripts execute with full application privileges in users’ browsers, enabling credential theft, session hijacking, data exfiltration, cryptojacking, or malicious redirects. The vulnerability exists because applications blindly trust external resources without verification. Subresource Integrity (SRI) defends against this by allowing developers to specify cryptographic hashes of expected file contents in script tags. Browsers verify downloaded files match specified hashes before execution, preventing tampered content from running. Organizations should implement SRI for all external resources, use trusted CDNs with strong security, consider hosting critical libraries locally, implement Content Security Policy, monitor for unexpected script changes, and maintain software bill of materials tracking dependencies. Recent high-profile supply chain attacks demonstrated significant impact when trusted libraries were compromised. SQL injection is incorrect because it exploits database query construction vulnerabilities in application code, not third-party library integrity issues. Buffer overflow is incorrect because it corrupts memory through excessive input in compiled applications, unrelated to JavaScript library verification. ARP poisoning is incorrect because it manipulates network address resolution at layer 2, not exploiting missing integrity checks on external scripts.
Q182
Which technique involves an attacker registering domains similar to legitimate ones to capture mistyped URLs?
A) Phishing
B) Typosquatting
C) Session hijacking
D) SQL injection
Answer: B
Explanation:
Typosquatting is the technique where attackers register domains similar to legitimate ones to capture mistyped URLs. Typosquatting, also called URL hijacking, exploits common typing errors users make when entering website addresses. Attackers register domain variations including common misspellings, alternative top-level domains, character substitutions, missing characters, additional characters, and homograph attacks using similar-looking characters from different alphabets. For example, legitimate domain “example.com” might have typosquatting variants like “exampel.com,” “exampl.com,” “example.net,” or using Cyrillic characters that appear identical. When users accidentally visit typosquatting domains, attackers can display phishing pages harvesting credentials, serve malware, display advertisements generating revenue, redirect to competitor sites, or damage brand reputation through inappropriate content. Organizations protect against typosquatting by registering common variations of their domains, monitoring for similar domain registrations, implementing trademark protection, using HTTPS to prevent malicious lookalikes from obtaining legitimate certificates, educating users about verifying URLs, reporting malicious domains for takedown, and deploying brand monitoring services. Users should carefully verify URLs before entering sensitive information and use bookmarks for important sites rather than typing addresses. Phishing is incorrect because while related, it involves sending fraudulent communications to trick recipients, not specifically registering similar domains though phishing may use typosquatting domains. Session hijacking is incorrect because it steals authentication tokens to impersonate users, unrelated to domain registration. SQL injection is incorrect because it exploits database vulnerabilities, not domain name similarity.
Q183
An attacker uses automated tools to systematically try username and password combinations obtained from data breaches against multiple services. What is this attack called?
A) Brute force attack
B) Credential stuffing
C) Password spraying
D) Dictionary attack
Answer: B
Explanation:
Credential stuffing is the attack where attackers use automated tools to systematically try username and password combinations obtained from data breaches against multiple services. Credential stuffing exploits the common practice of password reuse across multiple accounts. When attackers obtain credential databases from breached services, they attempt using those same credentials on other platforms assuming users reuse passwords. Attackers use botnets and automation tools to test millions of credentials rapidly against target services, rotating IP addresses to avoid detection and rate limiting. Success rates vary but even small percentages translate to significant compromises given large credential databases. Successful attacks result in account takeovers, unauthorized access to sensitive data, financial fraud, and further credential harvesting. Organizations defend against credential stuffing by implementing multi-factor authentication making stolen passwords insufficient, using CAPTCHA to block automated login attempts, monitoring for unusual login patterns indicating automated attacks, implementing account lockouts after multiple failures, requiring password resets for accounts matching breached credential databases, using threat intelligence feeds identifying compromised credentials, and educating users about password reuse dangers. Users should use unique passwords for each service, employ password managers, and enable multi-factor authentication. Brute force attack is incorrect because it systematically tries all possible password combinations rather than using credential lists from breaches. Password spraying is incorrect because it tries common passwords against many accounts to avoid lockouts, not using breach data. Dictionary attack is incorrect because it tests passwords from wordlists, not specifically credential pairs from breaches.
Q184
During a penetration test, you discover that a mobile application stores sensitive data in plain text within device storage. What vulnerability does this represent?
A) Insecure data storage
B) SQL injection
C) Cross-site scripting
D) Buffer overflow
Answer: A
Explanation:
Insecure data storage is the vulnerability when mobile applications store sensitive data in plain text within device storage. Mobile devices face unique security challenges including potential physical theft or loss, multiple applications sharing device storage, backup systems potentially exposing data, and varied security capabilities across platforms. When applications store sensitive information like passwords, authentication tokens, personal data, financial information, or encryption keys in unencrypted form on device storage, it becomes vulnerable if devices are compromised, stolen, or accessed by malicious apps. Common insecure storage locations include shared preferences without encryption, internal storage files, external SD card storage, log files, temporary caches, and clipboard data. Attackers with physical device access, malware on devices, or cloud backup access can retrieve unencrypted sensitive data. Mobile applications should encrypt sensitive data using platform-provided secure storage mechanisms like Android Keystore or iOS Keychain, avoid storing sensitive data unnecessarily, implement proper key management, use secure containers, clear sensitive data from memory after use, and implement certificate pinning. Ethical hackers test mobile applications by examining device file systems, analyzing application data directories, reviewing shared preferences, checking SQLite databases, and using tools like Frida or objection for runtime analysis. Organizations should conduct mobile security assessments following standards like OWASP Mobile Security Testing Guide. SQL injection is incorrect because it exploits database queries in web or server applications, not mobile data storage security. Cross-site scripting is incorrect because it injects malicious scripts into web applications, unrelated to mobile storage. Buffer overflow is incorrect because it corrupts memory in compiled applications, not about data storage encryption.
Q185
Which Windows utility displays active network connections, listening ports, and protocol statistics useful during penetration tests?
A) ipconfig
B) netstat
C) ping
D) tracert
Answer: B
Explanation:
Netstat is the Windows utility that displays active network connections, listening ports, and protocol statistics useful during penetration tests. Netstat provides valuable information about network activity on compromised systems including established connections revealing communication with other systems, listening ports indicating running services, foreign addresses showing external systems being contacted, process IDs associating network activity with applications, and protocol statistics. Ethical hackers use netstat during post-exploitation to identify network services, discover internal network communications, detect security tools, find persistence mechanisms, identify lateral movement targets, and understand network architecture. Common useful options include netstat -ano showing all connections with process IDs, netstat -r displaying routing tables, and netstat -s providing protocol statistics. During incident response, netstat helps identify suspicious connections, unauthorized services, and malware communications. Security professionals should regularly monitor netstat output for unexpected connections or listening ports indicating compromise. However, sophisticated malware may hide from netstat through rootkit techniques or by hooking network APIs. Organizations should complement netstat monitoring with network-based detection, endpoint security solutions, and comprehensive logging. Ipconfig is incorrect because it displays IP configuration information like IP addresses, subnet masks, and default gateways, not active connections or listening ports. Ping is incorrect because it tests network connectivity by sending ICMP echo requests, not displaying connection information. Tracert is incorrect because it traces network packet routes showing hops between source and destination, not listing active connections.
Q186
An attacker exploits a vulnerability in a web application’s XML parser to access internal files or perform denial of service. What is this attack called?
A) SQL injection
B) XXE (XML External Entity) injection
C) Cross-site scripting
D) Command injection
Answer: B
Explanation:
XXE (XML External Entity) injection is the attack that exploits vulnerabilities in web application XML parsers to access internal files or perform denial of service. XXE attacks occur when applications parse XML input from untrusted sources and XML parsers are configured to process external entity references. Attackers craft malicious XML documents containing external entity declarations that reference local files, internal network resources, or URLs. When vulnerable parsers process these documents, they resolve external entities, potentially reading local files and returning contents in error messages or responses, accessing internal network resources exploiting the application’s position within trusted networks, causing denial of service through billion laughs attacks that exponentially expand entities consuming resources, or performing server-side request forgery. Common targets include configuration files, application code, system files like /etc/passwd, and internal API endpoints. XXE is particularly dangerous because applications often process XML from various sources including SOAP requests, RSS feeds, document uploads, and API communications. Modern applications using JSON have reduced XML usage, but legacy systems remain vulnerable. Organizations prevent XXE by disabling external entity processing in XML parsers, using less complex data formats like JSON when possible, validating and sanitizing XML input, implementing input whitelisting, using updated XML processors with secure defaults, and conducting security testing of XML processing functionality. SQL injection is incorrect because it exploits database queries, not XML parsers. Cross-site scripting is incorrect because it injects malicious scripts into web pages, not XML processing. Command injection is incorrect because it executes operating system commands, not exploiting XML entity processing.
Q187
Which social engineering technique involves leaving malware-infected USB drives in public places hoping victims will plug them in?
A) Phishing
B) Baiting
C) Pretexting
D) Tailgating
Answer: B
Explanation:
Baiting is the social engineering technique that involves leaving malware-infected USB drives in public places hoping victims will plug them in. Baiting exploits human curiosity and desire for free items by offering something enticing that delivers malicious payloads. Attackers strategically place infected USB drives in parking lots, reception areas, elevators, or other locations where target organization employees might find them, often labeling drives with intriguing names like “Confidential,” “Salaries,” or “Executive Bonus List” to increase likelihood of use. When victims insert drives into their computers, malware automatically executes through autorun features or user curiosity about contents, compromising systems. Baiting extends beyond USB drives to include infected optical media, devices left for “charging,” or malicious files on peer-to-peer networks promising desirable content. The technique is effective because it combines physical and digital attack vectors and exploits trust and curiosity. Organizations defend against baiting through security awareness training educating about USB drive risks, disabling autorun features that automatically execute code from removable media, implementing endpoint protection detecting malicious code, establishing policies prohibiting personal removable media, using USB port controls restricting unauthorized devices, and conducting simulated baiting exercises to test effectiveness. Users should never insert unknown USB drives into corporate or personal systems. Phishing is incorrect because it sends fraudulent electronic communications, not leaving physical infected devices. Pretexting is incorrect because it creates fabricated scenarios to manipulate victims into divulging information, not offering physical bait. Tailgating is incorrect because it involves following authorized persons through secure entry points, not leaving malicious devices.
Q188
An ethical hacker needs to test for SQL injection in a login form. Which payload tests for time-based blind SQL injection?
A) ‘ OR ‘1’=’1
B) ‘ AND SLEEP(5)–
C) <script>alert(‘XSS’)</script>
D) ../../../../etc/passwd
Answer: B
Explanation:
The payload ‘ AND SLEEP(5)– tests for time-based blind SQL injection vulnerabilities. Time-based blind SQL injection exploits situations where applications are vulnerable to SQL injection but do not return database errors or data in responses, making traditional injection techniques ineffective. Attackers use database-specific time delay functions to infer information based on response times. When the SLEEP(5) function executes successfully in MySQL databases, the application delays response by 5 seconds, confirming vulnerability without visible output. By crafting conditional queries with time delays, attackers extract data bit by bit through binary search techniques asking true/false questions. For example, testing if first character of admin password is ‘a’ with a query causing 5-second delay if true and immediate response if false. Different databases use different delay functions: SLEEP() for MySQL, WAITFOR DELAY for SQL Server, and pg_sleep() for PostgreSQL. Time-based blind SQL injection is slower than other techniques but works when error messages are suppressed and data is not reflected in responses. Organizations defend against all SQL injection types through parameterized queries, stored procedures with type checking, input validation, least privilege database accounts, and web application firewalls. ‘ OR ‘1’=’1 is incorrect because it tests for basic authentication bypass and visible SQL injection where results appear in responses, not time-based blind injection. <script>alert(‘XSS’)</script> is incorrect because it is an XSS payload testing for script injection, not SQL injection. ../../../../etc/passwd is incorrect because it is a directory traversal payload testing file access vulnerabilities, not SQL injection.
Q189
Which type of attack involves intercepting communication between a user and a legitimate website by positioning between them?
A) Phishing
B) Man-in-the-browser attack
C) Man-in-the-middle attack
D) Cross-site scripting
Answer: C
Explanation:
A man-in-the-middle attack involves intercepting communication between users and legitimate websites by positioning between them. MITM attacks position adversaries in the communication path between two parties, allowing interception, monitoring, and modification of data in transit without either party’s knowledge. Attackers achieve MITM positioning through various techniques including ARP poisoning on local networks associating attacker MAC addresses with gateway IPs, DNS spoofing providing false DNS responses, rogue wireless access points impersonating legitimate networks, compromised routers redirecting traffic, SSL stripping downgrading HTTPS to HTTP, and BGP hijacking at internet routing level. Once positioned, attackers can eavesdrop on communications capturing sensitive data, modify messages altering transaction details or injecting malicious content, impersonate either party manipulating both sides, steal credentials from login attempts, and perform session hijacking. MITM attacks are particularly dangerous because victims typically remain unaware of interception. Defenses include using strong encryption with HTTPS and certificate validation, implementing certificate pinning in applications, using VPNs for sensitive communications, verifying security indicators before entering credentials, implementing HSTS forcing HTTPS connections, deploying mutual TLS authentication, and monitoring for ARP spoofing or DNS manipulation. Phishing is incorrect because it sends deceptive communications to trick victims, not intercepting live communications between parties. Man-in-the-browser attack is incorrect because malware specifically compromises browsers on user systems, not positioning between parties. Cross-site scripting is incorrect because it injects malicious scripts into web applications, not intercepting communications.
Q190
An ethical hacker discovers that a wireless network uses WPS with PIN authentication. Which attack is most effective against this configuration?
A) Deauthentication attack
B) WPS PIN brute force attack
C) Evil twin attack
D) Packet sniffing
Answer: B
Explanation:
WPS PIN brute force attack is most effective against wireless networks using WPS with PIN authentication. Wi-Fi Protected Setup was designed to simplify wireless network configuration by allowing devices to connect using 8-digit PINs instead of complex passwords. However, critical cryptographic flaws make WPS PIN authentication extremely vulnerable. The 8-digit PIN is actually validated in two parts, with the last digit being a checksum, reducing effective entropy to only 7 digits. Additionally, protocol design allows attackers to determine if the first 4 digits are correct before testing the last 3 digits. This reduces possible PIN combinations from 100,000,000 to approximately 11,000 attempts, achievable in hours. Tools like Reaver automate WPS PIN attacks, systematically testing all possible PINs until successful authentication occurs, then revealing the actual WPA/WPA2 password. Once compromised, attackers have complete network access. Some routers implement lockouts after failed attempts, but many allow attacks to continue. WPS vulnerabilities are severe enough that security professionals universally recommend disabling WPS entirely. Organizations should disable WPS on all wireless access points, use strong WPA2 or WPA3 encryption with complex passwords, implement wireless intrusion detection, regularly audit wireless security configurations, and educate users about secure wireless practices. Deauthentication attack is incorrect because it forces clients to disconnect but doesn’t directly compromise WPS, though it may be used in conjunction with other attacks. Evil twin attack is incorrect because it creates rogue access points impersonating legitimate networks, not exploiting WPS vulnerabilities. Packet sniffing is incorrect because it captures wireless traffic but doesn’t exploit WPS PIN weakness.
Q191
Which technique involves modifying the MAC address of a network interface to impersonate another device?
A) IP spoofing
B) MAC address spoofing
C) DNS spoofing
D) ARP poisoning
Answer: B
Explanation:
MAC address spoofing is the technique that involves modifying the MAC address of a network interface to impersonate another device. Media Access Control addresses are hardware identifiers assigned to network interfaces, theoretically unique to each device. MAC spoofing changes the MAC address reported by network interfaces to different values, allowing devices to impersonate others. Attackers use MAC spoofing for various purposes including bypassing MAC address filtering used for wireless or wired network access control, impersonating authorized devices to gain network access, evading detection by changing identifiable characteristics, hiding identity during attacks, or accessing services tied to specific MAC addresses. Most operating systems allow MAC address modification through software commands or network configuration tools. While MAC filtering is sometimes implemented as security control, it provides weak protection because addresses are easily observed on networks and spoofed. Organizations should not rely on MAC filtering as primary security mechanism but instead implement stronger authentication like 802.1X with certificates, use encryption, implement network access control with multiple factors, monitor for MAC address conflicts indicating spoofing, deploy intrusion detection systems, and combine MAC awareness with other security layers. Effective security requires defense-in-depth rather than single layer controls. IP spoofing is incorrect because it modifies source IP addresses in packet headers, not MAC addresses at layer 2. DNS spoofing is incorrect because it provides false DNS responses, not changing MAC addresses. ARP poisoning is incorrect because it sends false ARP messages associating IP addresses with attacker MAC addresses but is a different technique than directly spoofing MAC addresses.
Q192
An attacker uses a botnet to send massive amounts of traffic to overwhelm a target’s infrastructure. What type of attack is this?
A) Phishing
B) Distributed Denial of Service (DDoS)
C) SQL injection
D) Man-in-the-middle
Answer: B
Explanation:
Distributed Denial of Service is the attack where botnets send massive traffic to overwhelm target infrastructure. DDoS attacks use multiple compromised systems called botnets to flood targets with traffic, requests, or connections, exhausting resources and making services unavailable to legitimate users. The distributed nature using thousands or millions of attacking systems makes DDoS particularly difficult to defend against because blocking individual sources is ineffective and distinguishing attack traffic from legitimate traffic is challenging. DDoS attacks include volumetric attacks consuming bandwidth with massive data volumes, protocol attacks exhausting server resources or network equipment capacity through protocol exploitation, and application layer attacks targeting specific application functions with seemingly legitimate requests. Common DDoS techniques include UDP floods, SYN floods, HTTP floods, DNS amplification, and NTP amplification. Motivations include extortion demanding ransom payments, hacktivism making political statements, competitive sabotage, distraction from other attacks, or simple disruption. Organizations defend through multiple strategies including over-provisioning bandwidth and infrastructure to absorb attacks, implementing rate limiting and traffic filtering, using DDoS mitigation services that filter traffic before reaching infrastructure, deploying firewalls and intrusion prevention systems, implementing geographic blocking for attacks from specific regions, and maintaining incident response plans. Cloud-based DDoS protection services provide significant mitigation capabilities. Phishing is incorrect because it sends deceptive messages to trick recipients, not overwhelming infrastructure. SQL injection is incorrect because it exploits database vulnerabilities, not availability attacks. Man-in-the-middle is incorrect because it intercepts communications, not overwhelming targets.
Q193
During a penetration test, you need to escalate privileges on a Linux system. Which file should you examine for misconfigured sudo permissions?
A) /etc/passwd
B) /etc/shadow
C) /etc/sudoers
D) /etc/hosts
Answer: C
Explanation:
The /etc/sudoers file should be examined for misconfigured sudo permissions during privilege escalation attempts. The sudoers file controls which users can execute commands with elevated privileges using sudo, specifying what commands each user or group can run as other users including root. Misconfigurations in sudoers provide privilege escalation opportunities when regular users are granted excessive permissions. Common dangerous configurations include allowing users to run all commands as root, permitting execution of powerful utilities without restrictions like vi, nano, or find that allow shell escapes, allowing users to run scripts they can modify, or permitting commands that can be exploited for privilege escalation. During post-exploitation enumeration, ethical hackers run “sudo -l” to list allowed sudo commands for current users, then search for exploitable entries. Tools like GTFOBins document how various Unix binaries can be exploited for privilege escalation when sudo permissions exist. Organizations prevent sudo-based privilege escalation by following least privilege principles granting only necessary permissions, regularly auditing sudoers configuration, avoiding wildcards or overly permissive rules, requiring passwords for sudo commands, implementing logging of sudo usage, and educating administrators about secure sudo configuration. The /etc/passwd file is incorrect because while it contains user account information, it doesn’t control sudo permissions, though it may reveal valid usernames for other attacks. The /etc/shadow file is incorrect because it stores password hashes requiring root access to read, not sudo configuration. The /etc/hosts file is incorrect because it maps hostnames to IP addresses for name resolution, unrelated to sudo permissions.
Q194
Which attack involves manipulating victim’s browser to execute unauthorized actions on a trusted website where the victim is authenticated?
A) Cross-site scripting (XSS)
B) Cross-site request forgery (CSRF)
C) SQL injection
D) Buffer overflow
Answer: B
Explanation:
Cross-site request forgery is the attack that manipulates victims’ browsers to execute unauthorized actions on trusted websites where victims are authenticated. CSRF exploits the trust websites have in users’ browsers by tricking authenticated users into submitting unwanted requests. Attackers craft malicious requests embedded in emails, websites, or advertisements that when accessed by authenticated victims cause their browsers to send requests to target applications. Since browsers automatically include authentication cookies with requests to corresponding domains, target applications process requests as legitimate user actions. CSRF can perform state-changing operations including transferring funds, changing passwords, modifying account settings, making purchases, posting content, or any action the authenticated user is authorized to perform. For example, attackers might embed image tags with URLs that trigger money transfers or forms that auto-submit password changes. The attack succeeds because applications cannot distinguish legitimate user-initiated requests from forged ones based solely on authentication cookies. Organizations prevent CSRF through anti-CSRF tokens requiring each state-changing request to include unique unpredictable tokens that attackers cannot guess, implementing SameSite cookie attributes preventing browsers from sending cookies with cross-site requests, requiring re-authentication for sensitive actions, validating origin and referer headers, and using custom headers that cross-site requests cannot set. Cross-site scripting is incorrect because XSS injects malicious scripts into web pages that execute in victims’ browsers, while CSRF tricks browsers into sending unwanted requests to other sites. SQL injection is incorrect because it exploits database queries. Buffer overflow is incorrect because it corrupts memory in compiled applications.
Q195
An ethical hacker discovers that an API returns different error messages for valid versus invalid usernames during login. What information does this leak?
A) SQL injection vulnerability
B) User enumeration vulnerability
C) Cross-site scripting vulnerability
D) Buffer overflow vulnerability
Answer: B
Explanation:
This question addresses information disclosure vulnerabilities. Understanding user enumeration helps security professionals implement proper error handling to prevent intelligence gathering. User enumeration vulnerability exists when APIs return different error messages for valid versus invalid usernames during login attempts. User enumeration allows attackers to determine which usernames or email addresses have accounts in systems by analyzing response differences. When applications provide distinct error messages like “Invalid password” for existing accounts versus “User not found” for non-existent accounts, response timing differences, different HTTP status codes, or varying response formats, attackers can systematically test potential usernames to identify valid accounts. This information enables targeted attacks including password guessing against confirmed accounts, social engineering using knowledge of employees, credential stuffing with breach data for verified accounts, and account takeover attempts. User enumeration reduces attacker effort by confirming valid targets before attempting authentication. The vulnerability commonly exists in login forms, password reset functionality, registration processes, and APIs. Organizations prevent user enumeration by returning identical generic error messages for all authentication failures like “Invalid username or password” without specifying which is incorrect, ensuring consistent response times regardless of username validity, using CAPTCHA after multiple attempts, implementing rate limiting, requiring multi-factor authentication making enumeration less valuable, monitoring for enumeration attempts, and carefully reviewing all authentication-related responses. SQL injection vulnerability is incorrect because it exploits database queries, not different error messages revealing user existence. Cross-site scripting vulnerability is incorrect because it involves script injection, not information disclosure. Buffer overflow vulnerability is incorrect because it corrupts memory, unrelated to error message differences.
Q196
Which encryption algorithm is asymmetric and commonly used for secure key exchange?
A) AES
B) DES
C) RSA
D) Blowfish
Answer: C
Explanation:
RSA is the asymmetric encryption algorithm commonly used for secure key exchange. Asymmetric cryptography, also called public key cryptography, uses mathematically related key pairs where public keys encrypt data that only corresponding private keys can decrypt, enabling secure communication without prior shared secrets. RSA (Rivest-Shamir-Adleman) is the most widely deployed asymmetric algorithm, used for encrypting small amounts of data, creating digital signatures for authentication and non-repudiation, and primarily for secure key exchange in hybrid cryptosystems. In practice, asymmetric encryption is computationally expensive, so systems typically use RSA to securely exchange symmetric keys, then use faster symmetric algorithms like AES for bulk data encryption. RSA security relies on the computational difficulty of factoring large prime numbers. Common key sizes include 2048 and 4096 bits, with larger keys providing stronger security but requiring more processing. RSA is used in SSL/TLS for secure web communications, PGP for email encryption, SSH for secure remote access, and digital certificates for authentication. Organizations should use RSA with appropriate key lengths, implement proper key management including secure generation and storage, rotate keys periodically, and transition to post-quantum cryptography when standards mature. AES is incorrect because it is a symmetric algorithm using the same key for encryption and decryption, not designed for key exchange. DES is incorrect because it is an outdated symmetric algorithm no longer considered secure. Blowfish is incorrect because it is also a symmetric encryption algorithm, not asymmetric.
Q197
An attacker modifies data in transit between two systems without authorization. Which security principle is violated?
A) Confidentiality
B) Integrity
C) Availability
D) Authentication
Answer: B
Explanation:
Integrity is the security principle violated when attackers modify data in transit between systems without authorization. Integrity ensures data remains accurate, consistent, and unmodified except by authorized parties through authorized processes. The integrity principle protects against unauthorized modification, deletion, or creation of data during storage or transmission. When attackers intercept communications and alter messages, transaction amounts, configuration data, or software updates, they violate data integrity. Integrity violations have serious consequences including financial fraud through modified transactions, system compromise through altered software updates, incorrect business decisions based on tampered data, and loss of trust in information systems. Organizations protect integrity through cryptographic mechanisms including digital signatures verifying data origin and detecting modifications, message authentication codes proving data hasn’t changed, hashing algorithms creating unique fingerprints for verification, and checksums detecting accidental or malicious alterations. Additional integrity controls include access controls preventing unauthorized modification, version control tracking changes, file integrity monitoring detecting unexpected alterations, and audit logging recording all data modifications. Confidentiality is incorrect because it protects information from unauthorized disclosure or access, not modification, ensuring data privacy but not accuracy. Availability is incorrect because it ensures systems and data remain accessible when needed, protecting against denial of service but not data tampering. Authentication is incorrect because it verifies identity of users or systems, proving you are who you claim to be, not protecting data from modification.
Q198
During a penetration test, you discover a web application vulnerable to clickjacking. Which HTTP header should be implemented to prevent this attack?
A) X-Frame-Options
B) X-XSS-Protection
C) Content-Type
D) X-Content-Type-Options
Answer: A
Explanation:
X-Frame-Options is the HTTP header that should be implemented to prevent clickjacking attacks. Clickjacking, also called UI redress attacks, tricks users into clicking elements on hidden pages while believing they’re interacting with visible legitimate content. Attackers embed target pages in invisible iframes overlaying malicious pages, positioning the iframe so unsuspecting users’ clicks trigger unintended actions on the hidden target application like transferring funds, changing settings, or granting permissions. The vulnerability exploits how browsers allow pages to be framed by other sites. X-Frame-Options header instructs browsers whether pages can be displayed in frames, preventing clickjacking by disallowing framing. The header supports three values: DENY preventing any framing, SAMEORIGIN allowing framing only by pages from the same origin, and ALLOW-FROM specifying permitted domains. Modern applications should set X-Frame-Options to DENY or SAMEORIGIN unless legitimate reasons require framing. The newer Content-Security-Policy header with frame-ancestors directive provides more flexible frame control. Organizations should implement frame busting defenses on sensitive pages, test applications for clickjacking vulnerabilities, educate users about verifying they’re interacting with intended interfaces, and use security headers as defense-in-depth layers. Clickjacking particularly threatens actions requiring single clicks without confirmation. X-XSS-Protection is incorrect because it enables browser XSS filters, not frame protection. Content-Type is incorrect because it specifies response content MIME type for proper rendering, not preventing clickjacking. X-Content-Type-Options is incorrect because it prevents MIME type sniffing, not frame-based attacks.
Q199
Which attack involves an adversary observing electromagnetic radiation from electronic devices to gather sensitive information?
A) Acoustic cryptanalysis
B) TEMPEST attack
C) Cold boot attack
D) Rubber hose attack
Answer: B
Explanation:
TEMPEST attack involves observing electromagnetic radiation from electronic devices to gather sensitive information. TEMPEST originally referred to a US government program investigating compromising emanations from electronic equipment, now broadly describes techniques for intercepting electromagnetic radiation leaked by computers, monitors, cables, keyboards, and other devices during normal operation. All electronic equipment generates electromagnetic emissions containing information about data being processed. Using specialized receiving equipment, signal processing, and analysis techniques, sophisticated attackers positioned near targets can capture these emanations and reconstruct displayed information, typed keystrokes, processed data, or cryptographic operations. For example, electromagnetic emissions from monitors can be captured and used to reconstruct displayed images from significant distances, keyboard emanations reveal typed passwords, and CPU emissions during cryptographic operations can leak key material. TEMPEST attacks require expensive specialized equipment, technical expertise, and physical proximity, making them primarily concerns for high-security environments protecting classified or extremely sensitive information. Organizations defend through electromagnetic shielding of sensitive areas and equipment, using TEMPEST-certified hardware with reduced emissions, implementing secure facilities with emission controls, maintaining security perimeters preventing close approach, using Faraday cages for highly sensitive operations, deploying noise generators that mask legitimate emissions, and conducting emission testing. Most organizations face more immediate threats and TEMPEST protections are typically reserved for military, intelligence, and critical infrastructure. Acoustic cryptanalysis is incorrect because it analyzes sounds produced by devices during operation like hard drive noises or CPU sounds, not electromagnetic radiation. Cold boot attack is incorrect because it exploits memory remanence by quickly rebooting systems and dumping memory contents before data degrades, not intercepting electromagnetic emissions. Rubber hose attack is incorrect because it is a colloquial term for using physical coercion or threats to extract information like passwords, not technical signal interception.
Q200
An ethical hacker is performing reconnaissance and wants to identify all IP addresses assigned to a target organization. Which technique would be MOST effective?
A) Port scanning
B) Reverse DNS lookup and WHOIS queries
C) SQL injection
D) Session hijacking
Answer: B
Explanation:
Reverse DNS lookup and WHOIS queries are the most effective techniques for identifying all IP addresses assigned to target organizations. Reverse DNS lookups query DNS servers with IP addresses to retrieve associated hostnames and domain names, revealing which IP blocks belong to organizations. Starting with known organizational IP addresses, ethical hackers perform reverse lookups on surrounding address ranges to identify additional organizational assets. WHOIS queries provide registration information for IP address blocks, domain names, and autonomous system numbers, revealing registrant organizations, administrative contacts, allocated address ranges, and assignment dates. Regional Internet Registries like ARIN, RIPE, and APNIC maintain WHOIS databases with IP allocation records. Combining reverse DNS and WHOIS data maps organizational IP space comprehensively. Additional techniques include analyzing SSL certificates which often include multiple domain names in Subject Alternative Names fields, examining DNS records for IP addresses associated with organizational domains, searching Shodan or Censys databases indexing internet-connected devices, analyzing BGP routing tables showing announced IP prefixes, reviewing job postings mentioning specific technologies or network details, and searching Certificate Transparency logs revealing domains and potentially associated infrastructure. This reconnaissance remains passive and legal as it queries public databases without directly interacting with target systems. Organizations can limit information disclosure by using privacy protection services for domain registrations, minimizing public DNS information, and understanding what infrastructure information is publicly available. Port scanning is incorrect because it actively probes target systems to identify open ports and services, requiring known IP addresses rather than discovering them, and generates detectable traffic. SQL injection is incorrect because it exploits web application database vulnerabilities, not a reconnaissance technique for identifying IP addresses. Session hijacking is incorrect because it involves stealing authentication tokens to impersonate users, unrelated to discovering organizational IP allocations.
