Q61
An ethical hacker is performing a penetration test and needs to identify the operating system of target hosts without sending packets directly to them. Which technique should be used?
A) Active OS fingerprinting with Nmap
B) Passive OS fingerprinting by analyzing traffic
C) Banner grabbing
D) Port scanning
Answer: B
Explanation:
This question addresses stealthy reconnaissance techniques that minimize detection during penetration testing. Understanding the difference between active and passive fingerprinting is essential for ethical hackers who need to gather intelligence while avoiding security alerts. Passive OS fingerprinting by analyzing traffic is the technique that identifies operating systems without sending packets directly to targets. Passive fingerprinting works by capturing and analyzing existing network traffic generated by target systems, examining subtle characteristics in packet structures and protocol implementations that reveal operating system identities. Different operating systems implement TCP/IP stacks with unique characteristics including varying initial TTL values, different TCP window sizes, specific TCP options ordering, unique responses to certain protocol conditions, and distinctive packet fragmentation behaviors. Tools like p0f specialize in passive OS fingerprinting by analyzing captured packets and comparing observed characteristics against fingerprint databases. This technique is completely passive because it only observes traffic without generating any packets that might trigger intrusion detection systems or appear in target logs. Passive fingerprinting is ideal for reconnaissance against heavily monitored networks or when stealth is paramount. However, it requires that targets generate network traffic during the observation period and may take longer than active methods. Ethical hackers use passive fingerprinting during initial reconnaissance to map network assets while maintaining operational security. Active OS fingerprinting with Nmap is incorrect because it sends specially crafted packets directly to targets and analyzes responses, making it detectable by security monitoring systems. Banner grabbing is incorrect because it involves connecting to services and retrieving version banners, which constitutes active interaction with targets. 
Port scanning is incorrect because it actively probes target ports to identify open services, generating traffic that can be detected and logged.
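The passive matching the explanation describes can be illustrated with a small p0f-style classifier. The following is an added example written for this page, not code from p0f or from the exam material: it only classifies attributes of SYN packets a sensor has already captured and never transmits anything. The signature table, the sample observations and the address values are constructed for illustration; the real p0f database is far larger and more precise.

```python
# Added example (not from the original page): a p0f-style passive classifier.
# It never transmits; it only classifies attributes of SYN packets that a
# sensor has already captured. The signature table is constructed and
# simplified for illustration, not p0f's real fingerprint database.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class SynObservation:
    src: str                   # source address seen by the sensor
    ttl: int                   # IP TTL as observed (already decremented per hop)
    window: int                # TCP window size advertised in the SYN
    options: Tuple[str, ...]   # TCP option kinds in the order they appeared
    df: bool                   # IP "don't fragment" flag set


# Constructed signatures: (initial TTL, window, option order, DF flag, label)
SIGNATURES = [
    (64,  64240, ("mss", "sackOK", "ts", "nop", "wscale"), True, "Linux-like"),
    (128, 64240, ("mss", "nop", "wscale", "nop", "nop", "sackOK"), True, "Windows-like"),
    (64,  65535, ("mss", "nop", "wscale", "nop", "nop", "ts", "sackOK", "eol"), True, "BSD/macOS-like"),
]

COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def guess_initial_ttl(observed_ttl: int) -> int:
    """Each router hop decrements TTL, so the sender's initial value is the
    smallest common default that is >= the observed TTL."""
    for candidate in COMMON_INITIAL_TTLS:
        if observed_ttl <= candidate:
            return candidate
    return 255


def fingerprint(obs: SynObservation) -> Optional[dict]:
    """Return {'os': label, 'hops': n} for a matching signature, else None."""
    initial = guess_initial_ttl(obs.ttl)
    for sig_ttl, sig_win, sig_opts, sig_df, label in SIGNATURES:
        if (initial, obs.window, obs.options, obs.df) == (sig_ttl, sig_win, sig_opts, sig_df):
            return {"os": label, "hops": initial - obs.ttl}
    return None


# Constructed sample of SYNs "seen" by a sensor; no packets were sent to these hosts
SAMPLE_SYNS = [
    SynObservation("10.0.1.5", 58, 64240, ("mss", "sackOK", "ts", "nop", "wscale"), True),
    SynObservation("10.0.1.9", 122, 64240, ("mss", "nop", "wscale", "nop", "nop", "sackOK"), True),
    SynObservation("10.0.1.20", 250, 8760, ("mss",), False),   # nothing in the toy table
]


def classify_all(observations=SAMPLE_SYNS) -> dict:
    """Classify every observation; unknown stacks map to None."""
    return {o.src: fingerprint(o) for o in observations}


if __name__ == "__main__":
    for src, result in classify_all().items():
        print(src, result or "unknown")
```

The hop estimate falls out of the TTL guess for free, which is why passive tools can also sketch network distance without probing. A real deployment would be fed from a capture interface rather than the constructed list, and the match would tolerate window-scaling and MSS variation instead of requiring exact equality.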
Q62
During a web application test, you discover that the application stores sensitive data in cookies without encryption. Which vulnerability does this represent?
A) Insecure cryptographic storage
B) SQL injection
C) Cross-site scripting
D) Directory traversal
Answer: A
Explanation:
This question focuses on data protection vulnerabilities in web applications, specifically how applications handle sensitive information. Proper cryptographic implementation is critical for protecting confidential data from unauthorized access. Insecure cryptographic storage is the vulnerability represented when applications store sensitive data in cookies without encryption. This weakness occurs when applications fail to properly protect sensitive information at rest, including data stored in databases, files, cookies, session storage, or other persistence mechanisms. Storing unencrypted sensitive data in cookies is particularly dangerous because cookies are transmitted with every HTTP request, stored on client systems where they may be accessible to other applications or malware, and can be intercepted if communications are not encrypted. Sensitive data that should never be stored unencrypted in cookies includes passwords, credit card numbers, social security numbers, authentication tokens, personal identification information, and other confidential data. Even with HTTPS encryption protecting transmission, cookies stored on client systems remain vulnerable if not encrypted. Proper security requires encrypting sensitive data before storage using strong encryption algorithms, implementing secure key management, using HTTPOnly and Secure flags on cookies, and preferably avoiding storing sensitive data client-side altogether. Ethical hackers test for insecure cryptographic storage by examining cookie contents, analyzing how applications handle sensitive data, reviewing source code when available, and attempting to access stored data. Organizations should implement data classification policies that define what information requires encryption and enforce cryptographic controls throughout application architectures. SQL injection is incorrect because it involves exploiting database query construction vulnerabilities, not improper data storage encryption. 
Cross-site scripting is incorrect because it involves injecting malicious scripts into web pages, not storing unencrypted sensitive data. Directory traversal is incorrect because it involves manipulating file paths to access unauthorized files, unrelated to cryptographic storage issues.
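The cookie inspection the explanation describes, together with the corrected pattern, as an added Python example that is not part of the original question bank. The sensitive-key list, the sample `Cookie` header and the profile values are constructed for illustration; the check decodes URL and base64 encodings because a base64 JSON blob is the usual way sensitive data ends up in a cookie "without encryption".

```python
# Added example (not from the original page). Tester-side check for sensitive
# data stored in clear (or merely encoded) in cookies, plus the corrected
# pattern: an opaque random session id with the data kept server-side.
import base64
import binascii
import json
import secrets
from urllib.parse import unquote

# Constructed list of field names that must never appear in clear in a cookie
SENSITIVE_KEYS = {"password", "passwd", "pwd", "ssn", "card", "cardnumber", "cvv", "email", "dob"}


def decode_cookie_value(value: str) -> str:
    """Best-effort decode: URL-decode, then base64 if the result parses as such."""
    text = unquote(value)
    try:
        return base64.b64decode(text, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return text


def find_plaintext_sensitive_fields(cookie_header: str) -> dict:
    """Return {cookie_name: [sensitive keys]} for cookies whose decoded value is
    readable structured data (JSON or key=value pairs) carrying sensitive fields."""
    findings = {}
    for part in cookie_header.split(";"):
        name, sep, raw = part.strip().partition("=")
        if not sep:
            continue
        decoded = decode_cookie_value(raw)
        try:
            obj = json.loads(decoded)
        except ValueError:
            obj = None
        if isinstance(obj, dict):
            hits = [k for k in obj if k.lower() in SENSITIVE_KEYS]
        else:
            # also catch flat "key=value&key=value" encodings
            hits = [kv.split("=", 1)[0] for kv in decoded.split("&")
                    if "=" in kv and kv.split("=", 1)[0].lower() in SENSITIVE_KEYS]
        if hits:
            findings[name] = hits
    return findings


# Constructed example of the weak pattern: a base64 "user" cookie holding a JSON profile
WEAK_PROFILE = json.dumps({"email": "a.user@example.com", "password": "hunter2", "theme": "dark"})
SAMPLE_COOKIE_HEADER = "theme=dark; user=" + base64.b64encode(WEAK_PROFILE.encode()).decode()


def issue_opaque_session(server_store: dict, profile: dict) -> str:
    """Corrected pattern: keep the profile server-side and send only a random,
    unguessable id with the Secure, HttpOnly and SameSite attributes set."""
    session_id = secrets.token_urlsafe(32)
    server_store[session_id] = profile
    return f"session={session_id}; Secure; HttpOnly; SameSite=Strict; Path=/"


if __name__ == "__main__":
    print(find_plaintext_sensitive_fields(SAMPLE_COOKIE_HEADER))
    print(issue_opaque_session({}, {"email": "a.user@example.com"}))
```

Base64 is an encoding, not encryption, which is exactly why the check decodes before looking for sensitive keys. The opaque-id pattern removes the storage problem rather than encrypting around it, which is the "preferably avoid storing sensitive data client-side" recommendation from the explanation.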
Q63
An attacker wants to capture the initial authentication handshake to crack a WPA2 wireless network password offline. Which attack technique should be used?
A) Evil twin attack
B) Deauthentication attack followed by handshake capture
C) MAC address spoofing
D) Wardriving
Answer: B
Explanation:
This question addresses wireless network security testing, specifically attacks against WPA2 encrypted networks. Understanding wireless attack methodologies helps security professionals assess wireless infrastructure security and implement appropriate protections. A deauthentication attack followed by handshake capture is the technique used to obtain WPA2 authentication handshakes for offline password cracking. WPA2 uses a four-way handshake process when clients connect to access points, exchanging encrypted authentication information that includes password-derived keys. To crack WPA2 passwords, attackers need to capture this complete four-way handshake. The process involves using tools like Aircrack-ng to monitor the target wireless network, sending deauthentication frames to connected clients forcing them to disconnect, waiting for legitimate clients to reconnect which triggers a new four-way handshake, capturing the handshake packets, and then performing offline dictionary or brute force attacks against the captured handshake to recover the password. This technique is effective because the handshake contains enough information to verify password guesses without further network access. Once the handshake is captured, attackers can conduct unlimited password cracking attempts offline without generating additional suspicious network activity. Defenses include using long complex passwords that resist dictionary attacks, implementing WPA3 which provides better protection against offline attacks, monitoring for deauthentication attacks, and using wireless intrusion detection systems. Ethical hackers use this technique during authorized wireless security assessments to demonstrate password strength vulnerabilities. Evil twin attack is incorrect because it involves creating a rogue access point that impersonates legitimate networks to capture credentials, not capturing WPA2 handshakes for offline cracking. 
MAC address spoofing is incorrect because it involves changing device MAC addresses to bypass MAC filtering, not capturing authentication handshakes. Wardriving is incorrect because it involves driving around to discover and map wireless networks, not specifically capturing handshakes for password cracking.
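The explanation lists "monitoring for deauthentication attacks" as a defence. The following is an added example, not part of the original material, of what that monitor looks like: a sliding-window counter over management frames that a wireless IDS sensor has captured. The frame records, BSSID values and thresholds are constructed; the subtype numbers (12 for Deauthentication, 10 for Disassociation, 8 for Beacon) are the standard 802.11 management subtypes.

```python
# Added example (not from the original page): detecting a deauthentication
# burst from captured 802.11 management frames. Detection only; nothing is sent.
from collections import defaultdict, deque

MGMT = 0        # 802.11 frame type 0 = management
DEAUTH = 12     # management subtype 12 = Deauthentication
DISASSOC = 10   # management subtype 10 = Disassociation
BEACON = 8      # management subtype 8 = Beacon (ordinary traffic, ignored)

LEGIT_AP = "aa:bb:cc:dd:ee:01"   # constructed BSSIDs
OTHER_AP = "aa:bb:cc:dd:ee:02"

# Constructed frame records: (timestamp_ms, frame_type, subtype, bssid, dst)
SAMPLE_FRAMES = (
    # a burst of 25 deauths in half a second against clients of LEGIT_AP
    [(i * 20, MGMT, DEAUTH, LEGIT_AP, "ff:ff:ff:ff:ff:ff") for i in range(25)]
    # a few beacons that must be ignored
    + [(t, MGMT, BEACON, LEGIT_AP, "ff:ff:ff:ff:ff:ff") for t in (0, 100, 200, 300)]
    # two isolated deauth/disassoc frames from another AP over 40 s: normal, not a flood
    + [(5_000, MGMT, DEAUTH, OTHER_AP, "11:22:33:44:55:66"),
       (45_000, MGMT, DISASSOC, OTHER_AP, "11:22:33:44:55:67")]
)


def detect_deauth_bursts(frames, window_ms=1000, threshold=10):
    """Raise one alert per BSSID the first time more than `threshold`
    deauth/disassoc frames attributed to it fall inside a sliding window."""
    recent = defaultdict(deque)   # bssid -> timestamps of recent deauth frames
    flagged = set()
    alerts = []
    for ts, ftype, subtype, bssid, _dst in sorted(frames):
        if ftype != MGMT or subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[bssid]
        q.append(ts)
        while q and ts - q[0] > window_ms:   # drop frames older than the window
            q.popleft()
        if len(q) > threshold and bssid not in flagged:
            flagged.add(bssid)
            alerts.append({"bssid": bssid, "count": len(q), "at_ms": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_deauth_bursts(SAMPLE_FRAMES):
        print("deauth burst:", alert)
```

The threshold is deliberately well above normal roaming behaviour, so the two isolated frames from the second access point never trigger. With 802.11w (Protected Management Frames) enabled, which the explanation's WPA3 recommendation brings with it, spoofed deauthentication frames are rejected by clients in the first place.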
Q64
Which of the following describes a vulnerability in which an application does not properly restrict access to resources based on user permissions?
A) Broken authentication
B) Broken access control
C) Security misconfiguration
D) Insufficient logging
Answer: B
Explanation:
This question tests understanding of application security vulnerabilities, specifically authorization failures that allow users to access resources beyond their intended permissions. Access control is fundamental to application security and failures can lead to serious data breaches. Broken access control describes vulnerabilities where applications fail to properly restrict access to resources based on user permissions. Access control determines what authenticated users are allowed to do and which resources they can access. Broken access control occurs when applications do not adequately enforce authorization checks, allowing users to access functionality or data they should not have permission to view or modify. Common broken access control vulnerabilities include insecure direct object references where applications expose internal identifiers that can be manipulated to access other users’ resources, missing function-level access control where administrative functions are accessible to regular users, and privilege escalation where users can modify their roles or permissions. Examples include changing a URL parameter to view another user’s account information, accessing administrative pages by guessing URLs, modifying API requests to access unauthorized data, or manipulating user IDs in requests. Ethical hackers test for broken access control by attempting to access resources belonging to other users, testing whether lower-privileged accounts can access administrative functions, and verifying that authorization checks are enforced server-side. Proper access control requires implementing least privilege principles, enforcing authorization checks on every request server-side, using indirect object references, denying access by default, and thoroughly testing authorization logic. Broken authentication is incorrect because it relates to vulnerabilities in authentication mechanisms that verify user identity rather than authorization that controls resource access. 
Security misconfiguration is incorrect because it involves improper security settings, default configurations, or missing security controls rather than specifically inadequate access control. Insufficient logging is incorrect because it relates to inadequate security monitoring and audit trails rather than authorization failures.
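An insecure direct object reference next to its server-side ownership check, as an added Python example that is not part of the original question bank. The users, roles and invoice records are constructed, and the third function is the kind of check a tester runs to show which records each account can actually read.

```python
# Added example (not from the original page): IDOR as the vulnerable handler,
# the hardened handler with a server-side ownership check, and a tester's probe.

# Constructed users and records
USERS = {
    "alice": {"id": 1, "role": "user"},
    "bob":   {"id": 2, "role": "user"},
    "carol": {"id": 3, "role": "admin"},
}
INVOICES = {
    101: {"owner_id": 1, "total": 42.00},
    102: {"owner_id": 2, "total": 17.50},
    103: {"owner_id": 2, "total": 99.00},
}


class Forbidden(Exception):
    """Raised when the caller is not authorised for the resource."""


def get_invoice_vulnerable(session_user: str, invoice_id: int) -> dict:
    """Broken access control: the only check is that a session exists.
    The client-supplied id is trusted, so any user can read any invoice."""
    if session_user not in USERS:
        raise Forbidden("not logged in")
    return INVOICES[invoice_id]


def get_invoice_secure(session_user: str, invoice_id: int) -> dict:
    """Ownership enforced server-side on every request; deny by default, and
    return the same error for 'missing' and 'not yours' to avoid enumeration."""
    user = USERS.get(session_user)
    if user is None:
        raise Forbidden("not logged in")
    invoice = INVOICES.get(invoice_id)
    if invoice is None or (invoice["owner_id"] != user["id"] and user["role"] != "admin"):
        raise Forbidden("no such invoice")
    return invoice


def accessible_invoices(handler, session_user: str) -> list:
    """Tester's check: which invoice ids can this account actually read?"""
    readable = []
    for invoice_id in sorted(INVOICES):
        try:
            handler(session_user, invoice_id)
            readable.append(invoice_id)
        except (Forbidden, KeyError):
            pass
    return readable


if __name__ == "__main__":
    for name in USERS:
        print(name, "vulnerable:", accessible_invoices(get_invoice_vulnerable, name),
              "secure:", accessible_invoices(get_invoice_secure, name))
```

The secure handler also illustrates the "deny by default" point: an unknown invoice id and another user's invoice produce the identical `Forbidden`, so a client cannot use the difference to discover which ids exist.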
Q65
An ethical hacker discovers that a target organization’s employees frequently post about work activities on social media. Which type of attack could exploit this information?
A) Buffer overflow
B) Social engineering
C) SQL injection
D) DDoS attack
Answer: B
Explanation:
This question addresses how publicly available information can be leveraged for security attacks. Social media has created new attack vectors where personal information sharing enables sophisticated targeting of individuals and organizations. Social engineering is the type of attack that exploits information employees post on social media about work activities. Social engineering manipulates human psychology and trust to trick people into divulging confidential information, granting unauthorized access, or performing actions that compromise security. Information from social media provides attackers with valuable intelligence for crafting convincing social engineering attacks. Employees who post about projects they are working on, technologies they use, colleagues they interact with, travel schedules, organizational structures, or personal interests provide attackers with context for creating highly targeted and believable pretexts. For example, attackers might use knowledge of current projects to impersonate vendors or partners, reference specific colleagues to build credibility, exploit travel schedules to impersonate absent employees, or use personal interests to establish rapport. This reconnaissance through social media is called social media profiling or OSINT gathering. Ethical hackers analyze social media during reconnaissance phases to understand organizational culture, identify potential phishing targets, craft convincing social engineering scenarios, and demonstrate to organizations how much information employees inadvertently disclose. Organizations should implement social media policies that educate employees about information sharing risks, establish guidelines for appropriate work-related posting, and conduct security awareness training that includes social engineering recognition. Buffer overflow is incorrect because it is a technical memory corruption vulnerability in software, not related to exploiting publicly shared information. 
SQL injection is incorrect because it exploits database query construction vulnerabilities, not information gathered from social media. DDoS attack is incorrect because it overwhelms systems with traffic to cause service disruption, not leveraging social media intelligence.
Q66
Which cryptographic attack involves pre-computing hash values for common passwords and storing them in a database for rapid password cracking?
A) Brute force attack
B) Dictionary attack
C) Rainbow table attack
D) Birthday attack
Answer: C
Explanation:
This question tests understanding of password cracking techniques and cryptographic attacks. Different attack methods offer varying trade-offs between computational requirements, storage needs, and cracking speed. Rainbow table attack involves pre-computing hash values for passwords and storing them in databases for rapid cracking. Rainbow tables are pre-calculated lookup tables that contain hash values for large numbers of possible passwords, typically organized using reduction functions that compress storage requirements while maintaining effectiveness. When attackers obtain password hashes, they can quickly search rainbow tables to find matching hash values and retrieve the corresponding plaintext passwords without performing time-consuming hashing calculations during the attack. Rainbow tables represent a time-memory trade-off where significant computational effort is invested upfront to create the tables, but actual password cracking becomes very fast. Rainbow tables are particularly effective against unsalted password hashes because the same password always produces the same hash value. The primary defense against rainbow table attacks is salting, where random data is added to each password before hashing, making pre-computed tables impractical since each password with a unique salt produces a different hash. Rainbow tables can be extremely large, sometimes hundreds of gigabytes, containing billions of pre-computed hashes. Ethical hackers use rainbow tables when testing password security to demonstrate the importance of proper password storage mechanisms. Organizations should implement salted hashing algorithms like bcrypt, scrypt, or Argon2 that include built-in salts and are computationally expensive, making both rainbow tables and brute force attacks impractical. Brute force attack is incorrect because it systematically tries all possible password combinations without pre-computed values, making it slower but working against salted hashes. 
Dictionary attack is incorrect because it tests passwords from wordlists during the attack without pre-computation. Birthday attack is incorrect because it exploits mathematical properties of hash functions to find collisions, not for password cracking.
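The reduction-function structure and the time-memory trade-off are easier to see on a toy instance. The following is an added example written for this page, not a real cracking tool: it builds a rainbow table over a constructed space of 4-digit PINs (so the whole thing runs in well under a second), recovers an unsalted hash from it, and then shows that a per-user salt with a slow KDF (PBKDF2 here, standing in for the bcrypt/scrypt/Argon2 the explanation recommends) leaves the table useless. Chain length, chain count and the salt value are constructed parameters.

```python
# Added example (not from the original page): a toy rainbow table with real
# chain/reduction structure, beside the salted slow-hash defence.
import hashlib
import secrets

# Constructed toy parameters: 4-digit PINs so the table builds instantly.
SPACE = 10_000
CHAIN_LEN = 20
NUM_CHAINS = 1_000


def H(password: str) -> bytes:
    """Unsalted fast hash, the case rainbow tables target."""
    return hashlib.sha256(password.encode()).digest()


def reduce_(digest: bytes, position: int) -> str:
    """Reduction function: map a hash back into the password space. Mixing in
    the chain position keeps different columns from merging on collisions."""
    return f"{(int.from_bytes(digest[:8], 'big') + position) % SPACE:04d}"


def build_table(num_chains=NUM_CHAINS, chain_len=CHAIN_LEN) -> dict:
    """Store only endpoint -> start points; intermediate hashes are recomputed
    on demand. This is the time-memory trade-off the explanation describes."""
    table = {}
    for i in range(num_chains):
        start = f"{i:04d}"
        p = start
        for pos in range(chain_len):
            p = reduce_(H(p), pos)
        table.setdefault(p, []).append(start)
    return table


def lookup(table: dict, target: bytes, chain_len=CHAIN_LEN):
    """Recover the password whose unsalted hash is `target`, if a chain covers it."""
    for j in range(chain_len - 1, -1, -1):
        # hypothesis: target is the hash at column j; walk from there to the endpoint
        p = reduce_(target, j)
        for pos in range(j + 1, chain_len):
            p = reduce_(H(p), pos)
        for start in table.get(p, []):
            q = start                       # rebuild the chain and confirm the hit
            for pos in range(chain_len):
                if H(q) == target:
                    return q
                q = reduce_(H(q), pos)
    return None


TABLE = build_table()


def crack_unsalted(pin: str):
    """What a leaked unsalted hash gives up against the precomputed table."""
    return lookup(TABLE, H(pin))


def table_helps_against_salted(pin: str) -> bool:
    """Even a naive salted fast hash is not in the table: no chain ever hashed it."""
    salt = "9f3a"   # constructed salt value
    return lookup(TABLE, H(salt + pin)) is not None


# Defence: a random per-user salt plus a deliberately slow KDF.
def store_salted(pin: str, iterations=100_000) -> tuple:
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)


def verify_salted(pin: str, salt: bytes, stored: bytes, iterations=100_000) -> bool:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations) == stored


if __name__ == "__main__":
    print("endpoints stored:", len(TABLE), "for", NUM_CHAINS * CHAIN_LEN, "hashed columns")
    print("unsalted 0042 ->", crack_unsalted("0042"))
    print("salted 0042 in table?", table_helps_against_salted("0042"))
```

Note the storage ratio: about a thousand endpoints stand in for twenty thousand hashed passwords, at the cost of rehashing partial chains at lookup time. A salt of even a few random bytes multiplies the space the attacker would have to precompute by the number of possible salts, and the slow KDF makes each guess expensive on top of that.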
Q67
During a penetration test, you identify that a web application accepts file uploads without proper validation. Which attack should you attempt?
A) File upload vulnerability exploitation
B) DNS spoofing
C) ARP poisoning
D) Session fixation
Answer: A
Explanation:
This question addresses web application vulnerabilities related to file handling, which can lead to severe compromises including remote code execution. Proper file upload validation is critical for application security. File upload vulnerability exploitation should be attempted when applications accept file uploads without proper validation. File upload vulnerabilities occur when applications allow users to upload files without adequately verifying file types, contents, sizes, or names, potentially allowing attackers to upload malicious files that compromise the application or underlying server. Common exploitation techniques include uploading web shells that provide remote command execution capabilities, uploading malicious executable files, using double extensions to bypass filters, manipulating content-type headers, uploading files that exploit server-side processing vulnerabilities, uploading oversized files to cause denial of service, and placing files in directories where they will be executed. For example, uploading a PHP web shell to a web-accessible directory allows attackers to execute arbitrary commands on the server. Attackers may bypass inadequate validation by changing file extensions, using alternate file types that still execute maliciously, embedding malicious code in metadata, or exploiting path traversal to place files in sensitive locations. Ethical hackers test file upload functionality by attempting to upload various file types, testing validation mechanisms, analyzing how uploaded files are stored and processed, and attempting to execute uploaded malicious files. Proper defenses include validating file types based on content rather than extensions, restricting allowed file types to only those necessary, storing uploaded files outside web-accessible directories, using random filenames, implementing size limits, scanning uploads with antivirus, and processing uploads in sandboxed environments. 
DNS spoofing is incorrect because it manipulates DNS responses to redirect traffic, unrelated to file upload vulnerabilities. ARP poisoning is incorrect because it redirects network traffic at layer 2, not related to exploiting file uploads. Session fixation is incorrect because it forces known session identifiers onto users, not related to file upload vulnerabilities.
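The defences listed in the explanation (content-based type checks, an allow-list of extensions, random filenames, storage outside the web root, a size limit) fit in one validator. This is an added Python example, not code from the original page; the allow-list, the size limit and the sample payloads are constructed. It is written from the defender's side: the tester's `rejects()` helper only reports whether a given upload gets through.

```python
# Added example (not from the original page): upload validation that checks the
# content, not just the name, and stores the file under a random name.
import os
import secrets
import tempfile
from pathlib import Path

# Constructed allow-list: extension -> leading bytes the content must carry
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024   # constructed limit


class UploadRejected(ValueError):
    pass


def validate_upload(filename: str, content: bytes) -> str:
    """Return the normalised extension if the upload passes every check."""
    if len(content) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")
    base = os.path.basename(filename.replace("\\", "/"))   # drop any path components
    _name, dot, ext = base.rpartition(".")
    ext = ext.lower()
    if not dot or ext not in ALLOWED_TYPES:                 # "shell.php" and "noext" fail here
        raise UploadRejected(f"extension {ext!r} not permitted")
    if not content.startswith(ALLOWED_TYPES[ext]):          # "shell.php.png" with PHP inside fails here
        raise UploadRejected("content does not match declared type")
    return ext


def store_upload(filename: str, content: bytes, storage_dir) -> Path:
    """Validate, then store under a random name in a directory that is not web-served."""
    ext = validate_upload(filename, content)
    dest = Path(storage_dir) / f"{secrets.token_hex(16)}.{ext}"
    with open(dest, "xb") as fh:     # 'x' mode refuses to overwrite an existing file
        fh.write(content)
    return dest


def rejects(filename: str, content: bytes) -> bool:
    """Tester's helper: True if the validator refuses this upload."""
    try:
        validate_upload(filename, content)
    except UploadRejected:
        return True
    return False


PNG_SAMPLE = ALLOWED_TYPES["png"] + b"\x00" * 32        # constructed minimal PNG-like payload
PHP_SAMPLE = b"<?php echo 'not an image'; ?>"            # constructed, harmless script text


def demo_store() -> Path:
    """Store the sample image in a temporary directory and return its path."""
    return store_upload("../../var/www/photo.png", PNG_SAMPLE, tempfile.mkdtemp())


if __name__ == "__main__":
    print("photo.png accepted as:", validate_upload("photo.png", PNG_SAMPLE))
    print("shell.php.png rejected:", rejects("shell.php.png", PHP_SAMPLE))
    print("stored at:", demo_store())
```

Magic-byte checks alone do not stop a polyglot file that starts with a valid image header and carries script text later; the random name, the fixed allow-listed extension and the non-web-served directory are what prevent such a file from ever being executed, and a real deployment would re-encode images and sandbox any further processing as the explanation suggests.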
Q68
An attacker sends specially crafted packets with the SYN flag set but never completes the TCP three-way handshake. What type of attack is this?
A) SYN flood attack
B) Smurf attack
C) Ping of death
D) Teardrop attack
Answer: A
Explanation:
This question tests understanding of denial of service attacks that exploit networking protocols. Understanding TCP vulnerabilities helps security professionals implement appropriate protections and detect malicious activity. A SYN flood attack occurs when attackers send packets with the SYN flag set but never complete the TCP three-way handshake. In normal TCP connections, clients send SYN packets to initiate connections, servers respond with SYN-ACK packets, and clients complete the handshake by sending ACK packets. During SYN flood attacks, attackers send massive numbers of SYN packets, often with spoofed source IP addresses, but never send the final ACK to complete connections. This causes servers to maintain half-open connections in their connection tables, consuming memory and connection slots. When connection tables fill with these half-open connections, servers cannot accept new legitimate connections, resulting in denial of service. SYN floods are effective because they exploit fundamental TCP protocol behavior and can be launched with relatively little bandwidth by attackers while consuming significant server resources. Defenses include SYN cookies that allow servers to avoid maintaining state for initial connection attempts, reducing timeout values for half-open connections, increasing connection table sizes, implementing rate limiting, using firewalls to filter suspicious traffic, and deploying load balancers that can absorb attack traffic. Ethical hackers may conduct controlled SYN flood tests to assess defensive capabilities and verify that protective mechanisms function properly. Smurf attack is incorrect because it amplifies ICMP traffic by sending ping requests to broadcast addresses with spoofed source IPs, causing many responses to overwhelm victims. Ping of death is incorrect because it sends malformed or oversized ping packets that crash vulnerable systems. 
Teardrop attack is incorrect because it sends fragmented packets with overlapping offsets that cause systems to crash when attempting reassembly.
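The half-open-connection symptom the explanation describes is also the detection signal. The following is an added example (not from the original page) of a summariser run over constructed packet records: for each destination socket it counts SYNs that were answered by an ACK on the same four-tuple against those still pending, and raises an alert when the pending count and ratio both exceed constructed thresholds. The addresses are from the RFC 5737 documentation ranges.

```python
# Added example (not from the original page): SYN-flood indication from the
# ratio of half-open to completed handshakes per destination socket.
from collections import defaultdict

SERVER = "203.0.113.10"   # constructed target address


def _legit_clients():
    """Five real clients: each SYN is followed by the client's ACK."""
    pkts = []
    for i in range(5):
        src, sport = f"198.51.100.{i + 1}", 40000 + i
        pkts.append((src, sport, SERVER, 80, "S"))
        pkts.append((src, sport, SERVER, 80, "A"))
    return pkts


def _spoofed_syns(n=200):
    """n SYNs from n distinct (spoofed) sources, none ever followed by an ACK."""
    return [(f"192.0.2.{i % 254 + 1}", 1024 + i, SERVER, 80, "S") for i in range(n)]


# Constructed packet records: (src, sport, dst, dport, flags)
SAMPLE_PACKETS = _legit_clients() + _spoofed_syns()


def summarize_half_open(packets) -> dict:
    """Per destination socket: handshakes completed by an ACK on the same
    4-tuple versus SYNs still half-open at the end of the capture."""
    pending = set()
    completed = defaultdict(int)
    for src, sport, dst, dport, flags in packets:
        key = (src, sport, dst, dport)
        if flags == "S":
            pending.add(key)
        elif "A" in flags and key in pending:
            pending.discard(key)
            completed[(dst, dport)] += 1
    summary = defaultdict(lambda: {"half_open": 0, "completed": 0})
    for (_src, _sport, dst, dport) in pending:
        summary[(dst, dport)]["half_open"] += 1
    for target, n in completed.items():
        summary[target]["completed"] = n
    return {f"{dst}:{dport}": counts for (dst, dport), counts in summary.items()}


def syn_flood_alerts(packets, min_half_open=100, min_ratio=0.9) -> list:
    """Alert on sockets with many half-open connections that dominate the total."""
    alerts = []
    for target, c in summarize_half_open(packets).items():
        total = c["half_open"] + c["completed"]
        if c["half_open"] >= min_half_open and c["half_open"] / total >= min_ratio:
            alerts.append(target)
    return alerts


if __name__ == "__main__":
    print(summarize_half_open(SAMPLE_PACKETS))
    print("alerts:", syn_flood_alerts(SAMPLE_PACKETS))
```

Counting per destination rather than per source matters because the spoofed sources are all different; a per-source threshold would see two hundred sources with one SYN each and stay silent. In production this would run over a time window with the server's own SYN-ACK retransmissions and SYN-cookie statistics as corroborating signals.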
Q69
Which technique involves analyzing electromagnetic emissions from electronic devices to extract sensitive information?
A) TEMPEST attack
B) Acoustic cryptanalysis
C) Cold boot attack
D) Evil maid attack
Answer: A
Explanation:
This question addresses side-channel attacks that extract information through unintended emissions rather than direct system access. Understanding these sophisticated attack vectors helps organizations implement comprehensive security measures. TEMPEST attack involves analyzing electromagnetic emissions from electronic devices to extract sensitive information. TEMPEST, originally a codename for a US government program, refers to techniques for intercepting and analyzing compromising emanations from electronic equipment. All electronic devices generate electromagnetic radiation during operation, and these emissions can contain information about data being processed. Using specialized receiving equipment and analysis techniques, attackers positioned near target devices can capture electromagnetic emissions and reconstruct displayed information, typed keystrokes, processed data, or cryptographic keys. For example, emissions from computer monitors can be captured and used to reconstruct displayed images from significant distances, keyboard emanations can reveal typed passwords, and electromagnetic radiation from CPUs can leak cryptographic key information during encryption operations. TEMPEST attacks require sophisticated equipment, technical expertise, and physical proximity to targets, making them primarily concerns for high-security environments protecting classified information. Defenses include electromagnetic shielding of sensitive equipment, using TEMPEST-approved hardware with reduced emissions, implementing secure facilities with emission controls, maintaining security zones around sensitive areas, and using noise generators that mask legitimate emissions. Organizations handling extremely sensitive information may implement comprehensive TEMPEST protections. Acoustic cryptanalysis is incorrect because it analyzes sounds produced by electronic devices or mechanical systems rather than electromagnetic emissions. 
Cold boot attack is incorrect because it involves recovering data from computer memory after power loss by exploiting memory remanence. Evil maid attack is incorrect because it involves physical access to unattended systems to install malicious hardware or software.
Q70
An ethical hacker needs to test whether a web application properly validates SSL/TLS certificates. Which tool would be MOST appropriate?
A) Burp Suite
B) John the Ripper
C) Aircrack-ng
D) Metasploit
Answer: A
Explanation:
This question focuses on web application security testing tools, specifically those designed for intercepting and analyzing HTTPS traffic. Understanding proper tool selection is essential for efficient and effective security testing. Burp Suite is the most appropriate tool for testing SSL/TLS certificate validation in web applications. Burp Suite is a comprehensive web application security testing platform that includes an intercepting proxy allowing security testers to capture, inspect, and modify HTTP and HTTPS traffic between browsers and web applications. To test certificate validation, Burp Suite acts as a proxy with its own SSL certificate that intercepts HTTPS connections. If web applications or mobile apps properly validate certificates, they should reject Burp’s certificate and refuse connections. However, many applications improperly implement certificate validation, accepting invalid certificates and allowing interception. This vulnerability enables man-in-the-middle attacks where attackers can intercept supposedly secure communications. Burp Suite includes features for SSL certificate testing, identifying certificate validation weaknesses, testing for certificate pinning bypasses, and analyzing SSL/TLS configuration issues. The tool also provides extensive capabilities for testing other web application vulnerabilities including injection flaws, authentication weaknesses, and session management issues. Ethical hackers use Burp Suite extensively during web and mobile application penetration tests. Proper certificate validation requires applications to verify certificate chains, check certificate revocation status, validate hostnames, and reject self-signed or invalid certificates. John the Ripper is incorrect because it is a password cracking tool, not a web application security testing platform. Aircrack-ng is incorrect because it is a wireless network security testing suite, not designed for web application or SSL/TLS testing. 
Metasploit is incorrect because while it is a powerful exploitation framework, it is not specifically designed for testing SSL/TLS certificate validation in web applications.
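What "improperly implement certificate validation" looks like in code, beside the corrected configuration, as an added Python example that is not from the original page. The weak context is the setting that lets an intercepting proxy's certificate be accepted; the audit function is the kind of static check a reviewer applies before pointing Burp at the client at all. Only the standard `ssl` module is used; no network connection is made.

```python
# Added example (not from the original page): the TLS client configuration
# that accepts any certificate, the hardened one, and a reviewer's audit.
import ssl


def insecure_context() -> ssl.SSLContext:
    """Disables both checks; any certificate, including a proxy's, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Chain verification against the system trust store, hostname check, TLS 1.2+."""
    ctx = ssl.create_default_context()    # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the list of validation weaknesses present in a client context."""
    issues = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        issues.append("verify_mode is not CERT_REQUIRED")
    if not ctx.check_hostname:
        issues.append("check_hostname disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        issues.append("allows TLS below 1.2")
    return issues


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_context()))
    print("hardened:", audit_context(hardened_context()))
```

With the hardened context, a handshake against a proxy presenting a certificate that does not chain to a trusted CA or does not match the requested hostname raises `ssl.SSLCertVerificationError`, which is the "reject Burp's certificate" outcome the explanation expects from a correctly implemented client.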
Q71
During a penetration test, you discover that a web application reflects user input in error messages without encoding. Which vulnerability should you report?
A) Reflected cross-site scripting (XSS)
B) Stored XSS
C) SQL injection
D) CSRF
Answer: A
Explanation:
This question addresses web application vulnerabilities, specifically the different types of cross-site scripting that result from improper input handling. Understanding XSS variants helps security professionals properly classify and remediate vulnerabilities. Reflected cross-site scripting should be reported when applications reflect user input in responses without proper encoding. Reflected XSS, also called non-persistent XSS, occurs when malicious scripts are immediately reflected back to users in web responses without being stored in the application. This typically happens when applications include user-supplied data from requests in error messages, search results, or other dynamic content without proper HTML encoding or validation. Attackers exploit reflected XSS by crafting malicious URLs or forms containing JavaScript payloads that victims are tricked into submitting, often through phishing emails or malicious websites. When victims click these crafted links, their browsers execute the injected scripts with the vulnerable application’s security context, potentially allowing session theft, credential capture, page defacement, or malicious actions performed as the victim. Error messages are common locations for reflected XSS because developers often display user input to help users understand problems without realizing this creates vulnerability. For example, an error message stating “Invalid username: [user input]” reflects input that could contain malicious scripts. Ethical hackers test for reflected XSS by injecting various payloads into input fields and URL parameters, observing whether scripts execute in responses. Defenses include output encoding based on context, implementing content security policies, using security libraries, and validating input. Stored XSS is incorrect because it involves malicious scripts permanently stored in databases and executed whenever accessed, rather than immediately reflected. 
SQL injection is incorrect because it exploits database query construction, not script injection in responses. CSRF is incorrect because it tricks authenticated users into submitting unauthorized requests, not injecting scripts.
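The "Invalid username: [user input]" error message from the explanation, rendered both ways, as an added Python example that is not part of the original material. The probe strings are constructed and inert; the check at the end is what a tester looks for (the raw probe surviving verbatim in the response), and the attribute-context function shows why the encoding has to match the place the value lands.

```python
# Added example (not from the original page): reflected input in an error
# message, unencoded versus context-encoded, with a tester's reflection check.
import html


def error_page_vulnerable(username: str) -> str:
    """Reflects the raw parameter into the HTML body: reflected XSS."""
    return f"<p>Invalid username: {username}</p>"


def error_page_safe(username: str) -> str:
    """Same message, with the value HTML-encoded for the element-body context."""
    return f"<p>Invalid username: {html.escape(username, quote=True)}</p>"


def prefill_form_safe(username: str) -> str:
    """Attribute context: quote=True also encodes the quote characters that
    would otherwise let input break out of the value="..." attribute."""
    return f'<input name="username" value="{html.escape(username, quote=True)}">'


# Constructed, inert probe strings of the kind a tester submits
PROBE = "<script>alert(1)</script>"
ATTR_PROBE = '" onfocus="alert(1)" autofocus="'

# Constructed response header that limits the damage if an encoding gap is missed
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
}


def reflects_unencoded(render, probe: str) -> bool:
    """Tester's check: does the raw probe survive verbatim in the response?"""
    return probe in render(probe)


if __name__ == "__main__":
    print("vulnerable:", error_page_vulnerable(PROBE))
    print("safe:      ", error_page_safe(PROBE))
    print("attribute: ", prefill_form_safe(ATTR_PROBE))
```

The safe page still shows the user exactly what they typed, so the usability reason developers reflect input is preserved; only the interpretation as markup is removed. Encoding is per context: the body encoding here is not sufficient inside a `<script>` block or a URL, which is why the explanation says "output encoding based on context".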
Q72
An attacker gains access to a network and installs software that allows remote access while hiding its presence from administrators. What type of malware is this?
A) Virus
B) Worm
C) Backdoor
D) Adware
Answer: C
Explanation:
This question tests understanding of malware classifications based on functionality and purpose. Different malware types serve specific purposes for attackers and require different detection and removal approaches. A backdoor is malware that provides remote access to systems while hiding its presence from administrators. Backdoors are designed to establish persistent unauthorized access channels that bypass normal authentication mechanisms, allowing attackers to remotely control compromised systems whenever desired. Backdoors may be installed after initial compromise to maintain access even if the original vulnerability is patched or credentials are changed. Common backdoor capabilities include remote command execution, file transfer, screen capture, keylogging, network pivoting, and system manipulation. Sophisticated backdoors implement stealth techniques to avoid detection including rootkit functionality that hides processes and files, encryption of network communications to avoid detection, using legitimate protocols that blend with normal traffic, and implementing dormancy periods to reduce suspicious activity. Backdoors may be standalone malware or components of larger malware suites. Common backdoor examples include remote access trojans (RATs), web shells on compromised servers, and covert channels through network protocols. Detection requires comprehensive monitoring, file integrity checking, network traffic analysis, and behavioral analysis that identifies anomalous activities. Removal can be challenging as advanced backdoors may reinstall themselves or have multiple components. Organizations defend against backdoors through endpoint protection, network monitoring, regular security audits, and incident response capabilities. Virus is incorrect because viruses are self-replicating malware that attach to legitimate files and spread when infected files are shared, rather than specifically providing remote access. 
Worm is incorrect because worms are self-propagating malware that spread across networks automatically, rather than primarily providing remote access. Adware is incorrect because it displays unwanted advertisements, not providing hidden remote access capabilities.
Q73
Which of the following best describes a security control that detects and prevents malicious traffic based on known attack signatures?
A) Firewall
B) Intrusion Detection System (IDS)
C) Intrusion Prevention System (IPS)
D) Proxy server
Answer: C
Explanation:
This question addresses network security controls, specifically the differences between detection and prevention systems. Understanding security architecture components helps organizations implement layered defense strategies. An Intrusion Prevention System is a security control that detects and prevents malicious traffic based on known attack signatures. IPS devices sit inline on network paths, actively monitoring traffic flows and taking action to block detected threats in real-time. IPS systems use multiple detection techniques including signature-based detection that compares traffic against databases of known attack patterns, anomaly-based detection that identifies deviations from normal behavior baselines, protocol analysis that detects protocol violations, and heuristic analysis that identifies suspicious patterns. When IPS detects malicious traffic, it can automatically block connections, drop malicious packets, reset connections, modify traffic to remove malicious content, or generate alerts for security teams. IPS provides active protection compared to passive IDS systems that only alert. However, inline deployment means IPS must process traffic efficiently to avoid impacting network performance, and false positives can block legitimate traffic causing business disruption. Organizations tune IPS systems by adjusting signatures, setting appropriate thresholds, implementing exception rules for legitimate traffic, and balancing security with operational requirements. Modern IPS solutions often include additional capabilities like application awareness, SSL inspection, and integration with threat intelligence feeds. Ethical hackers may test IPS effectiveness by attempting various attacks to verify detection and prevention capabilities. Firewall is incorrect because while firewalls block traffic based on rules, they primarily focus on network and port-level filtering rather than deep packet inspection for attack signatures. 
IDS is incorrect because it detects and alerts on malicious activity but does not actively prevent or block threats. Proxy server is incorrect because it intermediates connections and may provide some security, but is not specifically designed for signature-based attack prevention.
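To make the inline detect-and-act loop described above concrete, here is an added Python sketch of an IPS decision engine (example code, not from the exam material or any vendor product). It runs the three detection techniques the explanation lists, signature matching, protocol analysis and a threshold-based anomaly check, over a constructed packet stream, and returns the action an inline device would take: allow, alert, or drop. The signature database, the port-sweep threshold and the sample traffic are all assumptions made for the example.

```python
"""Added example: an inline IPS decision engine over constructed packets."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds since capture start
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed signature database: (name, byte pattern matched case-insensitively, action).
SIGNATURES = [
    ("sqli-tautology", b"' or 1=1", "drop"),
    ("path-traversal", b"../../", "drop"),
]

# Protocol analysis: a request to port 80 must begin with an HTTP method token.
HTTP_RE = re.compile(rb"^(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) ")


class InlineIPS:
    def __init__(self, port_threshold=5, window=10.0):
        self.port_threshold = port_threshold   # assumed tuning value
        self.window = window                   # seconds of history per source
        self.seen = defaultdict(list)          # src -> [(ts, dport), ...]
        self.blocked = set()                   # sources already cut off

    def inspect(self, pkt):
        """Return (action, reason) for one packet, in the order an inline box would decide."""
        # 1. A source that was already blocked is dropped without further work.
        if pkt.src in self.blocked:
            return ("drop", "blocked-source")
        # 2. Signature-based detection against the known-attack database.
        low = pkt.payload.lower()
        for name, pattern, action in SIGNATURES:
            if pattern in low:
                return (action, name)
        # 3. Protocol analysis: non-HTTP bytes on the HTTP port are a violation.
        if pkt.dport == 80 and pkt.payload and not HTTP_RE.match(pkt.payload):
            return ("alert", "http-protocol-violation")
        # 4. Anomaly detection: one source touching many distinct ports in a short
        #    window deviates from the baseline, so the source is blocked from now on.
        hist = self.seen[pkt.src]
        hist.append((pkt.ts, pkt.dport))
        self.seen[pkt.src] = hist = [(t, p) for t, p in hist if pkt.ts - t <= self.window]
        if len({p for _, p in hist}) > self.port_threshold:
            self.blocked.add(pkt.src)
            return ("drop", "port-sweep-threshold")
        return ("allow", "")


# Constructed sample traffic (addresses and payloads are made up for the example).
SAMPLE_TRAFFIC = [
    Packet(0.0, "10.0.0.5", "10.0.1.10", 80, b"GET /index.html HTTP/1.1\r\nHost: app\r\n\r\n"),
    Packet(0.5, "10.0.0.5", "10.0.1.10", 80, b"GET /login?user=admin' OR 1=1-- HTTP/1.1\r\n"),
    Packet(1.0, "10.0.0.9", "10.0.1.10", 80, b"\x16\x03\x01\x00\xa5\x01\x00\x00"),
    *(Packet(2.0 + i * 0.1, "10.0.0.7", "10.0.1.10", p, b"")
      for i, p in enumerate([21, 22, 23, 25, 53, 110, 143])),
    Packet(3.0, "10.0.0.7", "10.0.1.10", 80, b"GET / HTTP/1.1\r\n"),
]


def run_ips(packets):
    """Feed packets through a fresh engine and return the per-packet decisions."""
    ips = InlineIPS()
    return [ips.inspect(p) for p in packets]


if __name__ == "__main__":
    for pkt, (action, reason) in zip(SAMPLE_TRAFFIC, run_ips(SAMPLE_TRAFFIC)):
        print(f"{pkt.src:>10} -> :{pkt.dport:<4} {action:<5} {reason}")
```

The ordering matters in practice: the cheap blocked-source check comes first so a noisy source cannot drive expensive inspection, and the anomaly threshold is what makes the engine stateful, which is also where false positives creep in if the threshold is tuned too low for a legitimately chatty host.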
Q74
An ethical hacker discovers that a target system has port 3389 open. Which service is likely running on this port?
A) SSH
B) Remote Desktop Protocol (RDP)
C) FTP
D) Telnet
Answer: B
Explanation:
This question tests knowledge of common network ports and associated services, which is fundamental for network reconnaissance and security testing. Understanding port assignments helps ethical hackers identify services and potential attack vectors. Remote Desktop Protocol is the service likely running on port 3389. RDP is Microsoft’s proprietary protocol for providing graphical remote desktop connections to Windows systems, allowing users to control remote computers as if physically present. Port 3389 is the default TCP port for RDP services. During penetration tests, discovering open RDP ports indicates remote administration capabilities that may be targeted for attacks. Common RDP attack vectors include brute force attacks against credentials, exploiting known RDP vulnerabilities, session hijacking, man-in-the-middle attacks on unencrypted connections, and exploiting weak encryption configurations. Historical RDP vulnerabilities like BlueKeep have enabled remote code execution without authentication, making exposed RDP services significant security concerns. Ethical hackers test RDP security by attempting authentication attacks, checking for vulnerable versions, testing encryption strength, and verifying network-level authentication requirements. Organizations should protect RDP by restricting access through firewalls, implementing network-level authentication, enforcing strong passwords, enabling account lockout policies, using VPNs for remote access, disabling RDP when unnecessary, implementing multi-factor authentication, and monitoring for suspicious login attempts. Discovery of open RDP on public-facing systems often represents critical findings requiring immediate remediation. SSH is incorrect because it typically runs on port 22, providing encrypted remote command-line access primarily to Unix and Linux systems. FTP is incorrect because it typically runs on ports 20 and 21, providing file transfer capabilities. 
Telnet is incorrect because it typically runs on port 23, providing unencrypted remote command-line access.
Q75
Which social engineering technique involves searching through trash to find sensitive information?
A) Phishing
B) Dumpster diving
C) Tailgating
D) Shoulder surfing
Answer: B
Explanation:
This question addresses physical security threats and social engineering techniques that exploit improper information disposal. Understanding diverse attack vectors helps organizations implement comprehensive security programs. Dumpster diving is the social engineering technique that involves searching through trash to find sensitive information. Organizations and individuals often dispose of documents containing confidential information without proper destruction, making dumpsters and trash bins valuable intelligence sources for attackers. Dumpster diving can reveal printed documents with passwords, financial information, employee lists, network diagrams, business plans, internal communications, discarded storage media, and other sensitive materials. Attackers may legally search through trash placed in public areas, though trespassing on private property to access dumpsters may be illegal depending on jurisdiction. Information gathered through dumpster diving provides valuable intelligence for subsequent attacks including detailed knowledge for social engineering, credentials for unauthorized access, organizational insights for targeted attacks, and confidential business information. During security assessments, ethical hackers may conduct authorized dumpster diving exercises to demonstrate information security weaknesses and educate organizations about proper disposal practices. Defenses include implementing secure document destruction policies requiring shredding or burning of sensitive documents, using cross-cut shredders rather than strip-cut, destroying electronic media properly before disposal, training employees on information disposal procedures, securing trash areas with locks and surveillance, and conducting periodic audits of disposal practices. Organizations handling highly sensitive information should use certified document destruction services. 
Phishing is incorrect because it involves sending fraudulent electronic communications to trick recipients, not searching physical trash. Tailgating is incorrect because it involves following authorized persons through secure entry points without proper authentication. Shoulder surfing is incorrect because it involves observing people entering sensitive information by looking over their shoulders.
Q76
An attacker modifies the packet header to make malicious traffic appear as if it originates from a trusted source. What technique is being used?
A) Packet sniffing
B) IP spoofing
C) Session hijacking
D) Port scanning
Answer: B
Explanation:
This question addresses network attack techniques that manipulate packet headers to deceive security controls and targets. Understanding header manipulation helps security professionals implement appropriate detection and prevention mechanisms. IP spoofing is the technique where attackers modify packet headers to make traffic appear to originate from trusted sources. IP spoofing involves changing the source IP address field in packet headers to impersonate other systems. Attackers use IP spoofing for various purposes including bypassing firewall rules that trust specific IP addresses, hiding attack origins to avoid attribution, amplifying DDoS attacks by spoofing victim addresses in requests sent to reflectors, evading detection systems, and exploiting trust relationships between systems. In amplification attacks, attackers send requests with spoofed source addresses matching victims, causing responses to overwhelm targets. IP spoofing is also used in blind attacks where attackers send malicious packets without receiving responses. While IP spoofing allows sending packets with false source addresses, receiving responses is challenging because replies go to spoofed addresses rather than attackers. This limits some attack types but is still effective for DDoS, certain exploitation techniques, and attacks against trust-based authentication. Defenses include implementing ingress and egress filtering that blocks packets with impossible or inappropriate source addresses, using authentication mechanisms that don’t rely solely on IP addresses, implementing network access controls, deploying anti-spoofing measures on network devices, and monitoring for anomalous traffic patterns. Organizations should filter outbound traffic to prevent systems from being used in spoofing attacks. Packet sniffing is incorrect because it involves capturing and analyzing network traffic, not modifying packet headers. 
Session hijacking is incorrect because it involves taking over authenticated sessions, typically through different techniques than simple IP spoofing. Port scanning is incorrect because it identifies open ports through probe packets, not spoofing source addresses.
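The ingress and egress filtering named as the primary defense above can be shown in a few lines. The following Python is an added example, not part of the exam material, of a border filter that drops inbound packets claiming an internal or bogon source (ingress) and drops outbound packets whose source is not one of the site's own prefixes (egress), so a compromised internal host cannot be used to spoof a victim's address toward reflectors. The site prefix, the bogon list and the sample packets are assumptions for the example.

```python
"""Added example: anti-spoofing ingress/egress filter over constructed packets."""
import ipaddress
from dataclasses import dataclass

# Assumed site prefix: the only source addresses that may legitimately leave the site.
INTERNAL_PREFIXES = [ipaddress.ip_network("192.168.10.0/24")]

# Address ranges that should never arrive from the Internet as a source (subset, for the example).
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "wan" (from Internet) or "lan" (from inside)
    src: str
    dst: str


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def filter_packet(pkt):
    """Return (verdict, reason) for one packet seen at the site border."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "wan":
        # Ingress: nothing arriving from outside may carry one of our own addresses
        # (a classic spoof against IP-based trust) or an unroutable bogon source.
        if _in_any(src, INTERNAL_PREFIXES):
            return ("drop", "ingress-spoofed-internal-source")
        if _in_any(src, BOGONS):
            return ("drop", "ingress-bogon-source")
        return ("accept", "")
    if pkt.iface == "lan":
        # Egress: only our prefixes may leave, so an internal host cannot forge a
        # victim's address in requests sent to amplifiers.
        if not _in_any(src, INTERNAL_PREFIXES):
            return ("drop", "egress-source-not-ours")
        return ("accept", "")
    return ("drop", "unknown-interface")


# Constructed sample packets (documentation addresses, no real hosts).
SAMPLE_PACKETS = [
    Packet("wan", "203.0.113.7", "192.168.10.20"),     # ordinary inbound traffic
    Packet("wan", "192.168.10.55", "192.168.10.20"),   # outsider claiming to be internal
    Packet("wan", "10.1.2.3", "192.168.10.20"),        # bogon source from outside
    Packet("lan", "192.168.10.20", "198.51.100.9"),    # ordinary outbound traffic
    Packet("lan", "198.51.100.77", "203.0.113.53"),    # internal host forging a victim's source
]


def filter_all(packets):
    return [filter_packet(p) for p in packets]


if __name__ == "__main__":
    for pkt, (verdict, reason) in zip(SAMPLE_PACKETS, filter_all(SAMPLE_PACKETS)):
        print(f"{pkt.iface} {pkt.src:>15} -> {pkt.dst:<15} {verdict} {reason}")
```

Note the check order on the WAN side: the internal-prefix test runs before the broader bogon test so the log reason names the more specific problem, since 192.168.10.0/24 also falls inside the 192.168.0.0/16 bogon entry.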
Q77
During a penetration test, you need to exploit a buffer overflow vulnerability. Which technique involves inserting a series of NOP instructions before the shellcode?
A) Heap spraying
B) NOP sled
C) Return-to-libc
D) Format string attack
Answer: B
Explanation:
This question tests understanding of exploit development techniques, specifically methods for improving reliability of buffer overflow exploits. Understanding exploitation mechanics helps security professionals better defend against these attacks. NOP sled is the technique that involves inserting a series of NOP (no operation) instructions before shellcode in buffer overflow exploits. Buffer overflow exploits work by overwriting return addresses or function pointers to redirect program execution to attacker-controlled shellcode. However, determining the exact memory address where shellcode begins can be challenging due to address space variations, different system configurations, and memory layout unpredictability. NOP sleds solve this problem by creating a large landing zone of NOP instructions that do nothing except advance to the next instruction. Attackers place NOP sleds before their shellcode, then point the overwritten return address anywhere within the NOP sled region. When execution reaches any NOP instruction in the sled, the processor slides through all NOPs until reaching the actual shellcode, hence the name NOP sled or NOP slide. This dramatically increases exploit reliability by allowing imprecise targeting while still achieving code execution. On x86 architectures, the NOP instruction is 0x90, so attackers fill buffer space with long sequences of 0x90 bytes. Modern defenses against buffer overflows include address space layout randomization that randomizes memory locations making exploits harder, data execution prevention that marks memory regions non-executable, stack canaries that detect buffer overwrites, and safe programming practices. Heap spraying is incorrect because it fills memory with multiple copies of shellcode to increase exploitation probability, used primarily against heap-based vulnerabilities. 
Return-to-libc is incorrect because it bypasses non-executable stack protection by chaining existing library functions rather than executing injected shellcode. Format string attack is incorrect because it exploits format string vulnerabilities in printf-like functions, not buffer overflows.
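Because a sled is a long run of an identical byte, it is also one of the oldest network IDS signatures. The following Python is an added example, not from the exam material or any IDS product, of that detection: it finds the longest run of the 0x90 byte in an input buffer and flags the buffer when the run exceeds a threshold. The threshold and the sample buffers are assumptions; the threshold exists because short 0x90 runs occur in legitimate binary data, so a single byte match would be far too noisy.

```python
"""Added example: detecting a NOP sled as a long run of one byte in captured data."""


def longest_nop_run(data: bytes, nop: int = 0x90):
    """Return (offset, length) of the longest run of `nop` in data.

    Returns (None, 0) when the byte never occurs. A single linear pass keeps
    this cheap enough to run inline on every payload.
    """
    best_off, best_len = None, 0
    cur_off, cur_len = None, 0
    for i, b in enumerate(data):
        if b == nop:
            if cur_len == 0:
                cur_off = i          # a new run starts here
            cur_len += 1
            if cur_len > best_len:
                best_off, best_len = cur_off, cur_len
        else:
            cur_len = 0              # run broken by a different byte
    return best_off, best_len


def has_nop_sled(data: bytes, min_run: int = 32) -> bool:
    """Flag data whose longest 0x90 run reaches the assumed alert threshold."""
    return longest_nop_run(data)[1] >= min_run


# Constructed sample buffers (no real exploit content, just byte patterns).
SLED_SAMPLE = b"A" * 16 + b"\x90" * 64 + b"XYZ" + b"\x90" * 4   # long run after 16 bytes of filler
BENIGN_SAMPLE = b"\x90" * 10 + b"B" + b"\x90" * 3               # short runs, as seen in normal binaries
EMPTY_SAMPLE = b""


if __name__ == "__main__":
    for name, buf in (("sled", SLED_SAMPLE), ("benign", BENIGN_SAMPLE), ("empty", EMPTY_SAMPLE)):
        print(name, longest_nop_run(buf), has_nop_sled(buf))
```

Reporting the offset as well as the length lets an analyst jump straight to the suspicious region when the alert fires, and the empty-input case returns cleanly rather than raising.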
Q78
An ethical hacker is performing a black box test against a web application. Which phase involves identifying entry points and understanding application functionality?

A) Reconnaissance
B) Scanning
C) Mapping the application
D) Exploitation
Answer: C
Explanation:
This question addresses web application penetration testing methodology, specifically the systematic approach to understanding application architecture before testing. Proper methodology ensures comprehensive assessment coverage. Mapping the application involves identifying entry points and understanding application functionality during web application penetration testing. Application mapping is a critical phase where testers systematically explore all accessible functionality, identify input vectors, understand application flow, discover hidden content, analyze client-side code, and document the attack surface. This phase includes walking through all application features as normal users, spidering or crawling the application to discover all accessible pages, analyzing HTML source code for comments and hidden fields, reviewing JavaScript for client-side logic and AJAX endpoints, examining cookies and session management, identifying all forms and input fields, discovering file upload functionality, testing different user roles if multiple levels exist, and creating a comprehensive map of application structure. Thorough application mapping ensures testers understand how the application works before attempting exploits, helps identify all potential attack vectors, reveals forgotten functionality or debug features, and prevents missing vulnerabilities due to incomplete coverage. Tools like Burp Suite’s spider and content discovery features assist with automated mapping, but manual exploration remains essential for understanding complex applications. Unlike reconnaissance which gathers general information about targets, mapping specifically focuses on understanding the application’s architecture, functionality, and attack surface. Reconnaissance is incorrect because it refers to broader information gathering about targets before detailed testing, not specifically understanding application functionality. 
Scanning is incorrect because it typically refers to automated vulnerability identification rather than manual exploration and understanding of application structure. Exploitation is incorrect because it occurs after mapping is complete and involves actually attacking identified vulnerabilities rather than understanding how the application works.
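The mapping activities listed above (crawling links, recording forms and their input fields, reading HTML comments, and pulling AJAX endpoints out of client-side JavaScript) can be turned into a small attack-surface inventory. The Python below is an added example of such a mapper, not the exam material's code nor Burp Suite's; it crawls a constructed in-memory mini-site standing in for an authorized target, follows only same-origin links, and returns the surface map as a dictionary. The site contents, the base URL and the `fetch(...)` regex used to spot API endpoints are assumptions for the example.

```python
"""Added example: building an application map from a constructed mini-site."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed in-scope application: path -> body (HTML or JavaScript).
SITE = {
    "/": '<html><!-- TODO: remove /debug before launch --><a href="/login">Login</a>'
         '<a href="/about.html">About</a><script src="/static/app.js"></script></html>',
    "/login": '<form action="/auth" method="post"><input name="user">'
              '<input name="pass" type="password">'
              '<input type="hidden" name="next" value="/"></form>',
    "/about.html": '<a href="/">Home</a><a href="https://example.org/external">Ext</a>',
    "/static/app.js": "fetch('/api/v1/profile').then(r => r.json());",
}
BASE = "https://app.example.test"   # assumed origin of the target

# Assumed pattern for AJAX endpoints referenced from client-side code.
API_RE = re.compile(r"""fetch\(\s*['"]([^'"]+)['"]""")


class MapParser(HTMLParser):
    """Collect links, script sources, comments and forms (with input vectors)."""

    def __init__(self):
        super().__init__()
        self.links, self.scripts, self.comments, self.forms = [], [], [], []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": a.get("method", "get").lower(), "inputs": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            # Every named input, hidden ones included, is an entry point worth testing.
            self._form["inputs"].append((a.get("name"), a.get("type", "text")))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

    def handle_comment(self, data):
        self.comments.append(data.strip())


def map_application(site, base):
    """Breadth-first same-origin crawl; returns the discovered attack surface."""
    origin = urlparse(base).netloc
    queue, seen = ["/"], set()
    surface = {"pages": [], "forms": [], "comments": [], "endpoints": set(), "external": set()}
    while queue:
        path = queue.pop(0)
        if path in seen or path not in site:
            continue
        seen.add(path)
        surface["pages"].append(path)
        body = site[path]
        if path.endswith(".js"):
            # Client-side code: harvest endpoints instead of parsing as HTML.
            surface["endpoints"].update(API_RE.findall(body))
            continue
        parser = MapParser()
        parser.feed(body)
        surface["comments"].extend(parser.comments)
        for form in parser.forms:
            action = urlparse(urljoin(base + path, form["action"])).path
            surface["forms"].append({**form, "action": action})
        for ref in parser.links + parser.scripts:
            target = urlparse(urljoin(base + path, ref))
            if target.netloc == origin:
                queue.append(target.path)      # stay in scope
            else:
                surface["external"].add(ref)   # record, never follow
    surface["endpoints"] = sorted(surface["endpoints"])
    surface["external"] = sorted(surface["external"])
    return surface


if __name__ == "__main__":
    import json
    print(json.dumps(map_application(SITE, BASE), indent=2))
```

Two things the map surfaces that a quick click-through would miss: the `/debug` path mentioned only in an HTML comment (recorded rather than followed, so the tester decides whether it is in scope), and the hidden `next` field on the login form, which is an input vector even though no user ever types into it.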
Q79
An attacker intercepts communication between two parties and alters the messages before forwarding them. What type of attack is this?
A) Replay attack
B) Man-in-the-middle attack
C) Denial of service attack
D) Brute force attack
Answer: B
Explanation:
This question tests understanding of network attacks that compromise communication integrity and confidentiality. Recognizing different attack patterns helps security professionals implement appropriate cryptographic and network protections. A man-in-the-middle attack occurs when attackers intercept communication between two parties and alter messages before forwarding them. MITM attacks position adversaries between communicating parties, allowing them to eavesdrop on communications, modify data in transit, inject malicious content, impersonate either party, and potentially compromise entire communication sessions. The key characteristic distinguishing MITM from passive interception is the active manipulation of communications. Attackers may alter transaction amounts in financial communications, modify software updates to inject malware, change email contents, redirect users to malicious websites, or steal credentials by presenting fake login pages. MITM attacks can occur at various network layers through techniques including ARP poisoning on local networks, DNS spoofing to redirect domain lookups, rogue wireless access points, compromised routers, SSL stripping that downgrades encrypted connections, and BGP hijacking for internet-scale attacks. Success requires attackers to position themselves in the communication path and often depends on lack of proper encryption or certificate validation. Defenses include using strong encryption with mutual authentication, implementing certificate pinning in applications, deploying HTTPS with proper certificate validation, using VPNs for sensitive communications, monitoring for ARP spoofing and other MITM indicators, and implementing DNSSEC. Organizations should educate users to verify security indicators before entering sensitive information. A replay attack is incorrect because it involves capturing and retransmitting valid data to gain unauthorized access, but does not involve altering messages during active sessions. 
Denial of service attack is incorrect because it aims to make services unavailable rather than intercepting and modifying communications. Brute force attack is incorrect because it systematically tries different values to guess credentials or keys, not intercepting communications.
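The distinction the explanation draws, between an attacker who alters messages in transit and one who merely replays them, maps onto two separate receiver-side checks: an integrity tag over each message and a monotonic sequence number. The Python below is an added example, not from the exam material, of both checks using a pre-shared HMAC key; it shows a genuine message accepted, the same message with an altered field rejected as an integrity failure, and an unmodified copy resent later rejected as a replay. The shared key, the message format and the sample transfer are assumptions for the example (real protocols such as TLS do this with negotiated keys and AEAD ciphers rather than a static HMAC key).

```python
"""Added example: detecting in-transit modification and replay with HMAC + sequence numbers."""
import copy
import hashlib
import hmac
import json


def canonical(frame: dict) -> bytes:
    """Deterministic encoding so sender and receiver MAC exactly the same bytes."""
    return json.dumps(frame, sort_keys=True, separators=(",", ":")).encode()


class Sender:
    def __init__(self, key: bytes):
        self.key, self.seq = key, 0

    def send(self, body: dict) -> dict:
        self.seq += 1                       # fresh sequence number per message
        frame = {"seq": self.seq, "body": body}
        tag = hmac.new(self.key, canonical(frame), hashlib.sha256).hexdigest()
        return {"frame": frame, "tag": tag}


class Receiver:
    def __init__(self, key: bytes):
        self.key, self.last_seq = key, 0

    def receive(self, msg: dict):
        # 1. Integrity: any change to seq or body by a party without the key breaks the tag.
        expected = hmac.new(self.key, canonical(msg["frame"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return ("reject", "integrity-failure")
        # 2. Freshness: a tag-valid message with an old sequence number is a replay.
        if msg["frame"]["seq"] <= self.last_seq:
            return ("reject", "replay")
        self.last_seq = msg["frame"]["seq"]
        return ("accept", msg["frame"]["body"])


def demo():
    """Run the four scenarios and return the receiver's verdicts in order."""
    key = b"constructed-shared-key-for-the-example"   # assumed pre-shared secret
    alice, bob = Sender(key), Receiver(key)
    results = []

    m1 = alice.send({"transfer": 100, "to": "acct-42"})
    results.append(bob.receive(m1))                    # genuine: accept

    tampered = copy.deepcopy(m1)                       # an intermediary edits the payee
    tampered["frame"]["body"]["to"] = "acct-99"
    results.append(bob.receive(tampered))              # tag no longer matches: reject

    results.append(bob.receive(m1))                    # exact copy resent: replay

    m2 = alice.send({"transfer": 5, "to": "acct-42"})
    results.append(bob.receive(m2))                    # next genuine message: accept
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The order of the two checks is deliberate: the tag is verified with a constant-time comparison before the sequence number is even read, so an unauthenticated party cannot probe the receiver's state by sending forged frames with guessed numbers.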
Q80
Which vulnerability assessment tool is specifically designed for scanning web applications and identifying issues like SQL injection and XSS?
A) Nessus
B) OpenVAS
C) Nikto
D) Wireshark
Answer: C
Explanation:
This question addresses security tools and their specific purposes, helping security professionals select appropriate tools for different assessment types. Understanding tool capabilities ensures efficient and effective security testing. Nikto is specifically designed for scanning web applications and identifying vulnerabilities including SQL injection, XSS, and other web-specific issues. Nikto is an open-source web server scanner that performs comprehensive tests against web servers to identify potential vulnerabilities, misconfigurations, dangerous files, outdated software versions, and security issues. The tool checks for over 6700 potentially dangerous files and programs, tests for outdated versions of over 1250 servers, examines server configuration issues, identifies default files and programs, tests for specific version-related problems, and can scan through proxies. Nikto sends numerous requests to target web servers examining responses for known vulnerability indicators, dangerous configurations, information disclosure, and common security weaknesses. The scanner identifies issues like directory indexing, unprotected administrative interfaces, backup files, default installations, insecure HTTP methods, missing security headers, and known vulnerable scripts. While Nikto is valuable for initial web application reconnaissance and vulnerability identification, it generates significant logs on target servers and is not stealthy. Ethical hackers use Nikto during authorized web application assessments to quickly identify common vulnerabilities and misconfigurations. Results should be verified manually as false positives can occur. Organizations use Nikto during security audits to identify web server hardening needs. Nessus is incorrect because while it is an excellent vulnerability scanner, it is designed for comprehensive network and system vulnerability assessment across various technologies rather than specifically focusing on web applications. 
OpenVAS is incorrect because it is a general-purpose vulnerability scanner similar to Nessus, covering network infrastructure and systems broadly rather than specializing in web application scanning. Wireshark is incorrect because it is a network protocol analyzer for capturing and examining traffic, not a vulnerability scanner for identifying web application security issues.
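Several of the checks attributed to Nikto above (missing security headers, server version disclosure, directory indexing, insecure HTTP methods) are simple to express as a hardening audit over a server's response. The Python below is an added example of such an audit, not Nikto's code nor the exam material's; it parses two constructed raw HTTP responses, one from a weakly configured server and one from a hardened one, and returns the list of findings. The required-header list, the version regex and both responses are assumptions for the example.

```python
"""Added example: auditing an HTTP response for common web server hardening gaps."""
import re

# Assumed minimum set of response headers a hardened server should send.
REQUIRED_HEADERS = {
    "strict-transport-security": "missing Strict-Transport-Security",
    "content-security-policy": "missing Content-Security-Policy",
    "x-content-type-options": "missing X-Content-Type-Options: nosniff",
    "x-frame-options": "missing X-Frame-Options",
}

# A product/version token such as "Apache/2.4.29" in the Server header.
VERSION_RE = re.compile(r"/\d+(\.\d+)+")


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, lowercase header dict, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")


def audit(raw: bytes):
    """Return a sorted list of hardening findings for one response."""
    status, headers, body = parse_response(raw)
    findings = [msg for h, msg in REQUIRED_HEADERS.items() if h not in headers]
    server = headers.get("server", "")
    if VERSION_RE.search(server):
        findings.append(f"server version disclosed: {server}")
    if "index of /" in body.lower():
        findings.append("directory indexing enabled")
    allowed = [m.strip().lower() for m in headers.get("allow", "").split(",")]
    if "trace" in allowed:
        findings.append("TRACE method allowed")
    return sorted(findings)


# Constructed responses; neither comes from a real server.
WEAK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.29 (Ubuntu)\r\n"
    b"Allow: GET, POST, TRACE\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><title>Index of /backup</title><a href='db.sql.bak'>db.sql.bak</a></html>"
)

HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"Content-Security-Policy: default-src 'self'\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>ok</body></html>"
)


if __name__ == "__main__":
    for name, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, audit(raw) or "no findings")
```

As the explanation says of Nikto itself, results like these are indicators to confirm by hand: a Content-Security-Policy can be present yet so permissive it protects nothing, and a header check alone cannot tell the difference.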