ECCouncil 312-50v13 Certified Ethical Hacker v13 Exam Dumps and Practice Test Questions Set 6 Q 101-120


Q101 

An ethical hacker is conducting a penetration test and needs to bypass a web application firewall (WAF). Which technique involves encoding payloads to evade detection?

A) Obfuscation

B) Port scanning

C) Banner grabbing

D) DNS enumeration

Answer: A

Explanation:

This question addresses evasion techniques used to bypass security controls during penetration testing. Understanding WAF bypass methods helps both attackers and defenders improve their capabilities. Obfuscation is the correct technique that involves encoding or altering payloads to evade WAF detection while maintaining malicious functionality. Web application firewalls analyze HTTP requests for known attack patterns and malicious signatures. Attackers use obfuscation to transform payloads so they bypass WAF rules while still executing as intended. Common obfuscation techniques include character encoding using hex, unicode, or URL encoding, case variation in SQL keywords, adding comments within SQL queries, using alternative syntax, inserting whitespace or null bytes, concatenating strings, and exploiting parser inconsistencies between WAFs and applications. For example, SQL injection payloads can be obfuscated by replacing spaces with comments or using hex encoding for strings. XSS payloads can use HTML entity encoding or JavaScript obfuscation. Successful obfuscation requires understanding both WAF detection mechanisms and target application parsing behavior. Organizations should implement multiple security layers, regularly update WAF rules, and use positive security models. Port scanning is incorrect because it identifies open ports and services on target systems, not a technique for evading WAF detection or encoding malicious payloads. Banner grabbing is incorrect because it retrieves service version information from network services to identify potential vulnerabilities, unrelated to bypassing WAFs or payload encoding. DNS enumeration is incorrect because it gathers DNS information about target domains including subdomains and DNS records, which is a reconnaissance technique unrelated to bypassing web application firewalls.
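The normalisation point in the explanation above, shown as an added Python example that is not part of the exam material: one signature applied to the raw parameter misses URL-encoded, double-encoded and comment-padded variants, while the same signature applied after canonicalisation catches them. The rule, the sample inputs and the function names are constructed for illustration.

```python
import re
import urllib.parse

# One "negative security" WAF rule for a classic SQL injection fragment.
SQLI_RULE = re.compile(r"\bunion\s+select\b", re.IGNORECASE)


def naive_waf_blocks(raw_param: str) -> bool:
    """Signature check run on the raw parameter, before any decoding."""
    return SQLI_RULE.search(raw_param) is not None


def normalize(raw_param: str) -> str:
    """Canonicalise the value the way the backend parser will see it.

    Steps: bounded repeated URL decoding (defeats double encoding),
    replacement of inline SQL comments used as whitespace substitutes,
    whitespace collapsing and case folding.
    """
    value = raw_param
    for _ in range(3):  # bounded: three rounds cover double/triple encoding
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.DOTALL)  # /**/ -> space
    value = re.sub(r"\s+", " ", value)
    return value.lower()


def normalized_waf_blocks(raw_param: str) -> bool:
    """Same rule, applied after normalisation."""
    return SQLI_RULE.search(normalize(raw_param)) is not None


# Constructed sample inputs (not from the exam text): the plain payload and
# obfuscated variants using the encodings listed in the explanation.
SAMPLES = {
    "plain": "1 UNION SELECT 1,2",
    "url_encoded": "1%20union%20select%201,2",
    "double_encoded": "1%2520union%2520select%25201,2",
    "comment_ws": "1 UnIoN/**/SeLeCt/**/1,2",
}


def compare_rules() -> dict[str, tuple[bool, bool]]:
    """Return {sample_name: (naive_blocks, normalized_blocks)}."""
    return {
        name: (naive_waf_blocks(value), normalized_waf_blocks(value))
        for name, value in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (naive, normalized) in compare_rules().items():
        print(f"{name:15s} naive={naive!s:5s} normalized={normalized}")
```

Decoding must be bounded and must mirror what the application itself does; a WAF that decodes more or fewer times than the backend is exactly the parser inconsistency the explanation warns about.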

Q102 

During a wireless security assessment, you discover a network using WEP encryption. What is the PRIMARY weakness of WEP that makes it vulnerable to attacks?

A) Weak initialization vectors (IVs)

B) No encryption at all

C) Uses only MAC filtering

D) Requires physical access

Answer: A

Explanation:

This question tests understanding of wireless encryption protocols and their vulnerabilities. Knowledge of WEP weaknesses is essential for assessing wireless security and recommending appropriate protections. Weak initialization vectors are the primary weakness that makes WEP vulnerable to attacks. WEP uses the RC4 stream cipher with 24-bit initialization vectors combined with shared keys to encrypt wireless traffic. The critical vulnerability is that 24-bit IVs are too short, causing IV reuse after relatively few packets on busy networks. When IVs repeat with the same key, attackers can exploit keystream reuse to decrypt traffic and recover the WEP key. Additionally, WEP uses weak key scheduling and has predictable IV generation. Attacks like the FMS attack and PTW attack enable recovering WEP keys by capturing sufficient packets, often requiring only tens of thousands of frames which can be collected in minutes. Tools like Aircrack-ng automate WEP cracking, making compromise trivial. Attackers can inject packets to generate traffic and accelerate key recovery. Organizations must migrate to WPA2 or WPA3 which use strong encryption with proper key management. No encryption at all is incorrect because WEP does provide encryption, although it is cryptographically broken encryption that offers no meaningful security. Uses only MAC filtering is incorrect because MAC filtering is a separate access control mechanism independent of WEP encryption, not WEP’s primary cryptographic weakness. Requires physical access is incorrect because WEP attacks can be conducted remotely from anywhere within wireless range without requiring physical proximity to network equipment.

Q103 

An ethical hacker discovers that a web application includes dynamic content from user-controlled URLs without proper validation. Which vulnerability is this?

A) Server-side request forgery (SSRF)

B) Cross-site scripting (XSS)

C) SQL injection

D) Directory traversal

Answer: A

Explanation:

This question addresses web application vulnerabilities that allow attackers to abuse server-side functionality. Understanding SSRF helps security professionals identify and prevent attacks that leverage trusted server positions. Server-side request forgery is the vulnerability where applications include content from user-controlled URLs without proper validation. SSRF occurs when web applications accept user-supplied URLs and make requests to those URLs from the server side, allowing attackers to abuse the server’s trusted position to access internal resources, interact with backend systems, scan internal networks, or exploit services that trust requests from the application server. Common SSRF exploitation includes accessing internal services like metadata APIs in cloud environments, scanning internal network ports, reading local files, bypassing firewall restrictions, and attacking internal systems. For example, attackers might manipulate a profile image URL to point to internal metadata services and extract cloud credentials. SSRF is particularly dangerous in cloud environments. Defenses include validating URLs, implementing allowlists of permitted domains, blocking requests to internal IP ranges, and disabling unused URL schemes. Cross-site scripting is incorrect because XSS involves injecting malicious scripts into web pages that execute in victims’ browsers, not making server-side requests to user-controlled URLs. SQL injection is incorrect because it exploits database query construction vulnerabilities by injecting malicious SQL code, unrelated to server-side URL requests. Directory traversal is incorrect because it manipulates file paths to access unauthorized files on the server, not making HTTP requests to external or internal URLs.

Q104 

Which tool is commonly used to perform automated SQL injection attacks and database enumeration?

A) Metasploit

B) SQLmap

C) Nmap

D) Wireshark

Answer: B

Explanation:

This question tests knowledge of specialized security tools for specific attack types. Understanding tool capabilities helps ethical hackers select appropriate tools for different testing scenarios. SQLmap is the tool commonly used to perform automated SQL injection attacks and database enumeration. SQLmap is a powerful open-source penetration testing tool that automates detecting and exploiting SQL injection vulnerabilities in web applications. The tool supports numerous database systems including MySQL, PostgreSQL, Oracle, and Microsoft SQL Server. SQLmap can automatically detect SQL injection vulnerabilities by testing various injection techniques, determine database type and version, extract database contents including schema information, enumerate tables and columns, dump entire databases, execute arbitrary SQL commands, and sometimes execute operating system commands. The tool implements sophisticated techniques including boolean-based blind injection, time-based blind injection, error-based injection, and UNION query injection. SQLmap handles authentication, manages sessions, and can bypass WAFs through various evasion techniques. Ethical hackers use SQLmap during web application penetration tests to identify SQL injection vulnerabilities and demonstrate exploitation impact. Organizations defending against SQL injection should implement parameterized queries, input validation, and least privilege database accounts. Metasploit is incorrect because while it is an exploitation framework that includes some database exploitation modules, it is not specifically focused on automated SQL injection and database enumeration like SQLmap. Nmap is incorrect because it performs network scanning and service detection to identify open ports and running services, not SQL injection attacks. Wireshark is incorrect because it is a network protocol analyzer that captures and analyzes network traffic for troubleshooting and analysis, not an attack tool for SQL injection.

Q105 

An attacker creates a fake wireless access point with the same SSID as a legitimate network to intercept user traffic. What is this attack called?

A) Rogue access point

B) Evil twin attack

C) Deauthentication attack

D) WPS attack

Answer: B

Explanation:

This question addresses wireless network attacks that exploit user trust and lack of authentication verification. Understanding these attacks helps organizations implement wireless security best practices. An evil twin attack occurs when attackers create fake wireless access points with SSIDs matching legitimate networks to intercept user traffic. Evil twin attacks exploit the fact that wireless clients typically connect based solely on SSID matching without verifying access point authenticity. Attackers position rogue access points near target locations, configure them with identical SSIDs to legitimate networks, often use stronger signals to ensure clients connect to the malicious AP, and may employ deauthentication attacks to force client reconnection. When users connect to evil twin access points, attackers can intercept all network traffic, capture credentials, perform man-in-the-middle attacks, inject malicious content, and harvest sensitive information. These attacks are particularly effective in public locations like airports and coffee shops. Defenses include using VPNs that encrypt all traffic, verifying network security settings, implementing certificate pinning, educating users about wireless security risks, and deploying wireless intrusion detection systems. Rogue access point is incorrect because while related, it is a broader term for any unauthorized access point on a network, not specifically one deliberately impersonating legitimate networks with matching SSIDs. Deauthentication attack is incorrect because it forces clients to disconnect from access points by sending forged deauthentication frames but doesn’t involve creating fake networks. WPS attack is incorrect because it exploits Wi-Fi Protected Setup vulnerabilities through brute force PIN attacks to crack wireless passwords, not impersonating networks.

Q106 

During a penetration test, you gain access to a Windows domain controller. Which tool would be MOST effective for extracting password hashes from Active Directory?

A) John the Ripper

B) Mimikatz

C) Aircrack-ng

D) Nikto

Answer: B

Explanation:

This question tests knowledge of post-exploitation tools specific to Windows environments. Understanding credential extraction techniques helps security professionals protect against these attacks and respond effectively to compromises. Mimikatz is the most effective tool for extracting password hashes from Active Directory on compromised domain controllers. Mimikatz is a powerful post-exploitation tool designed to extract credentials from Windows systems, targeting authentication mechanisms and credential storage. The tool can extract plaintext passwords, hashes, PIN codes, and Kerberos tickets from memory, perform pass-the-hash attacks, generate Kerberos golden tickets for persistent domain access, and dump password hashes from Active Directory databases. When run on domain controllers with appropriate privileges, Mimikatz can access the NTDS.dit file containing all domain password hashes and extract credentials for all domain accounts. This provides complete domain compromise capabilities. Defenses include implementing Credential Guard, using the Protected Users security group, enabling LSA protection, restricting privileged account usage, implementing tiered administration models, and deploying endpoint detection solutions. Organizations must treat domain controller security as a critical priority. John the Ripper is incorrect because while it is an excellent password cracking tool that recovers passwords from hashes using dictionary and brute force attacks, it works on already-extracted password hashes rather than extracting credentials directly from live Windows systems or Active Directory. Aircrack-ng is incorrect because it is a wireless security testing suite used for monitoring, attacking, and cracking Wi-Fi networks, completely unrelated to Windows credential extraction. Nikto is incorrect because it is a web server vulnerability scanner that identifies web application security issues, misconfigurations, and outdated software, not a tool for extracting Windows credentials.

Q107 

Which type of attack involves manipulating input fields to include commands that are executed by the underlying operating system?

A) SQL injection

B) Command injection

C) Cross-site scripting

D) Buffer overflow

Answer: B

Explanation:

This question addresses injection vulnerabilities that allow attackers to execute arbitrary system commands. Understanding command injection helps security professionals identify and prevent these critical vulnerabilities. Command injection is the attack that involves manipulating input fields to include commands executed by the underlying operating system. Command injection vulnerabilities occur when applications pass user-supplied input to system shell commands without proper validation or sanitization. Attackers exploit these vulnerabilities by injecting shell metacharacters and commands into input fields that are processed by system calls. Common injection points include input fields processed by functions that execute system commands, file upload filenames, image processing parameters, and any user input incorporated into shell commands. Attackers use shell metacharacters like semicolons, pipes, ampersands, and backticks to chain commands or execute arbitrary code. For example, if an application executes a ping command with user-supplied IP addresses without validation, attackers might inject commands like “127.0.0.1; cat /etc/passwd” to execute additional commands. Successful command injection can result in complete system compromise, data theft, malware installation, and lateral movement through networks. Defenses include avoiding system calls when possible, using parameterized APIs instead of shell commands, implementing strict input validation with allowlists, applying least privilege principles, and using security libraries. SQL injection is incorrect because it targets database queries by injecting malicious SQL code, not operating system commands. Cross-site scripting is incorrect because it injects malicious scripts into web pages that execute in users’ browsers, not operating system commands. Buffer overflow is incorrect because it exploits memory corruption vulnerabilities in applications by overwriting memory buffers, not injecting OS commands.
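An added Python example, not part of the exam material, contrasting the vulnerable ping construction described above with a hardened version: the address is validated as a literal IP (an allowlist check) and passed as its own argv element with no shell involved. Function names and the sample input are constructed for illustration.

```python
import ipaddress
import re
import subprocess

# Characters that let a value escape into extra shell commands.
SHELL_METACHARS = re.compile(r"[;&|`$<>\n]")


def vulnerable_ping_command(host: str) -> str:
    """The flawed pattern: user input concatenated into a shell command string.

    Executed with subprocess.run(cmd, shell=True), a value such as
    "127.0.0.1; cat /etc/passwd" is interpreted as two commands.
    """
    return f"ping -c 1 {host}"


def looks_like_injection(host: str) -> bool:
    """Detection helper for logging or alerting: flags shell metacharacters."""
    return SHELL_METACHARS.search(host) is not None


def validate_ip(host: str) -> str:
    """Allowlist validation: only a literal IPv4/IPv6 address is accepted.

    ipaddress.ip_address raises ValueError on anything else, including
    hostnames, injected shell syntax and option-like values such as "-h".
    """
    return str(ipaddress.ip_address(host.strip()))


def safe_ping_argv(host: str) -> list[str]:
    """Hardened version: the validated value is a separate argv element.

    No shell parses the command line, so metacharacters carry no special
    meaning even if validation were weaker than it is here.
    """
    return ["ping", "-c", "1", validate_ip(host)]


def run_ping(host: str) -> int:
    """Execute the hardened command and return ping's exit status."""
    result = subprocess.run(
        safe_ping_argv(host), shell=False, capture_output=True, check=False
    )
    return result.returncode


if __name__ == "__main__":
    tainted = "127.0.0.1; cat /etc/passwd"  # constructed, the payload quoted above
    print("vulnerable string:", vulnerable_ping_command(tainted))
    print("flagged:", looks_like_injection(tainted))
    try:
        safe_ping_argv(tainted)
    except ValueError as exc:
        print("rejected:", exc)
    print("argv:", safe_ping_argv("127.0.0.1"))
```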

Q108 

An ethical hacker wants to identify all subdomains associated with a target domain. Which technique would be MOST effective?

A) Port scanning

B) DNS enumeration

C) SQL injection

D) Session hijacking

Answer: B

Explanation:

This question focuses on information gathering techniques for mapping organizational infrastructure. Understanding DNS enumeration helps penetration testers discover attack surface comprehensively. DNS enumeration is the most effective technique for identifying all subdomains associated with a target domain. DNS enumeration systematically queries DNS servers to collect information about domain names, subdomains, IP addresses, mail servers, name servers, and other DNS records. Common DNS enumeration techniques include zone transfers where testers attempt to retrieve complete DNS zone files from misconfigured name servers, brute force subdomain discovery using wordlists of common subdomain names, reverse DNS lookups identifying hostnames associated with IP ranges, and examining various DNS record types including A, MX, NS, TXT, and CNAME records. Tools like dnsrecon, dnsenum, fierce, and Sublist3r automate subdomain discovery through multiple techniques including brute forcing, search engine queries, and certificate transparency logs. Discovering subdomains helps penetration testers identify forgotten systems, development servers, administrative interfaces, and other assets that may have weaker security. DNS enumeration is largely passive as it queries public DNS infrastructure. Organizations can limit DNS reconnaissance by restricting zone transfers, using split DNS configurations, and avoiding overly descriptive hostnames. Port scanning is incorrect because it identifies open ports and services on known target systems by sending probe packets and analyzing responses, not discovering subdomains. SQL injection is incorrect because it exploits database vulnerabilities in web applications by injecting malicious SQL queries, unrelated to subdomain discovery. Session hijacking is incorrect because it involves stealing or predicting session tokens to impersonate authenticated users, not identifying subdomains.

Q109 

Which attack technique involves sending ICMP echo requests to a broadcast address with a spoofed source IP to amplify traffic toward a victim?

A) SYN flood

B) Smurf attack

C) Ping of death

D) Land attack

Answer: B

Explanation:

This question tests understanding of amplification denial of service attacks that exploit network protocols. Knowledge of these attacks helps organizations implement appropriate network protections. A Smurf attack involves sending ICMP echo requests to broadcast addresses with spoofed source IP addresses to amplify traffic toward victims. In Smurf attacks, attackers send ICMP ping requests to network broadcast addresses while spoofing the source IP to match the victim’s address. All hosts on the broadcast network respond to the ping request, sending ICMP replies to the spoofed source address, which is actually the victim. This creates an amplification effect where a single malicious packet generates responses from potentially hundreds of systems, overwhelming the victim with traffic. The amplification factor makes Smurf attacks effective denial of service weapons. Modern networks are less vulnerable because administrators disable IP-directed broadcasts on routers, preventing broadcast packets from being forwarded. Additionally, many systems now ignore ICMP packets sent to broadcast addresses. However, misconfigured legacy networks may still be vulnerable. Defenses include disabling IP-directed broadcasts, configuring routers to drop packets with broadcast destination addresses, implementing ingress and egress filtering to prevent IP spoofing, and rate limiting ICMP traffic. SYN flood is incorrect because it exploits TCP handshake by sending numerous SYN packets without completing connections, consuming server resources through half-open connections rather than ICMP amplification. Ping of death is incorrect because it sends malformed or oversized ICMP packets that crash vulnerable systems, not amplification attacks. Land attack is incorrect because it sends packets with identical source and destination addresses causing some systems to crash, not using broadcast amplification.

Q110

An ethical hacker discovers that a web application stores session tokens in URL parameters. Which vulnerability does this represent?

A) Broken authentication

B) Sensitive data exposure

C) Security misconfiguration

D) Insecure session management

Answer: D

Explanation:

This question addresses web application security vulnerabilities related to session handling. Understanding session management weaknesses helps security professionals identify critical authentication and authorization flaws. Insecure session management is the vulnerability represented when applications store session tokens in URL parameters. Session tokens should be stored in HTTP-only cookies that are not accessible to JavaScript and are only transmitted over encrypted connections. Storing session tokens in URLs creates multiple security risks including token exposure in browser history where attackers with physical access can retrieve them, tokens appearing in server logs and proxy logs, tokens being leaked through HTTP Referer headers when users click external links, tokens visible in browser address bars where shoulder surfing or screenshots capture them, and tokens being shared when users copy and paste URLs. If users share URLs containing session tokens, recipients can hijack their sessions. Session fixation attacks are also easier when tokens are in URLs. Proper session management requires generating cryptographically random session identifiers, storing tokens in secure HTTP-only cookies with Secure flags, transmitting tokens only over HTTPS, implementing appropriate session timeouts, regenerating session IDs after authentication, and binding sessions to additional factors. Ethical hackers test session management by analyzing how tokens are transmitted and stored, attempting session fixation, testing token randomness, and verifying proper timeout implementation. Broken authentication is incorrect because it is a broader category encompassing various authentication mechanism weaknesses, not specifically about session token storage location. Sensitive data exposure is incorrect because while related, it is a broader category about protecting confidential information, not specifically session management issues. Security misconfiguration is incorrect because it involves improper security settings generally, not specifically the vulnerability of storing session tokens in URLs.
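As an added Python example that is not part of the exam text: a Set-Cookie builder with the attributes the explanation calls for, plus two checks a tester can run against an application, one flagging session-like parameter names in URL query strings and one reporting missing HttpOnly, Secure and SameSite attributes. The parameter-name list and all function names are assumptions made for this example.

```python
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed list of query parameter names often used to carry session ids.
SESSION_PARAM_NAMES = {"sessionid", "session_id", "sid", "jsessionid", "phpsessid", "token"}


def generate_session_id(nbytes: int = 32) -> str:
    """Cryptographically random, URL-safe identifier (256 bits by default)."""
    return secrets.token_urlsafe(nbytes)


def build_session_set_cookie(session_id: str, max_age: int = 1800) -> str:
    """Set-Cookie value carrying the token with hardening attributes set."""
    jar = SimpleCookie()
    jar["session"] = session_id
    morsel = jar["session"]
    morsel["httponly"] = True    # not readable from JavaScript
    morsel["secure"] = True      # only sent over HTTPS
    morsel["samesite"] = "Lax"   # limits cross-site sending of the cookie
    morsel["path"] = "/"
    morsel["max-age"] = max_age  # client-side expiry matching the server timeout
    return jar.output(header="").strip()


def url_carries_session(url: str) -> list[str]:
    """Return query parameter names that look like session tokens."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(name for name in query if name.lower() in SESSION_PARAM_NAMES)


def audit_set_cookie(header_value: str) -> list[str]:
    """Return the hardening attributes missing from a Set-Cookie value."""
    jar = SimpleCookie()
    jar.load(header_value)
    findings = []
    for name, morsel in jar.items():
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly")
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure")
        if not morsel["samesite"]:
            findings.append(f"{name}: missing SameSite")
    return findings


if __name__ == "__main__":
    header = build_session_set_cookie(generate_session_id())
    print("Set-Cookie:", header)
    print("findings for hardened cookie:", audit_set_cookie(header))
    print("findings for weak cookie:", audit_set_cookie("session=abc123; Path=/"))
    # constructed URL illustrating the weakness the question describes
    print("token in URL:", url_carries_session("https://app.example.test/account?sessionid=abc"))
```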

Q111 

Which technique involves an attacker physically following an authorized person through a secure entry point without proper authentication?

A) Phishing

B) Tailgating

C) Shoulder surfing

D) Dumpster diving

Answer: B

Explanation:

This question tests understanding of physical security threats. Knowledge of physical attack vectors helps organizations implement comprehensive security programs that address both technical and physical risks. Tailgating is the technique where attackers physically follow authorized persons through secure entry points without proper authentication. Tailgating exploits human courtesy and social norms where people hold doors open for others following behind them. Attackers may pose as employees, delivery personnel, contractors, or visitors, carrying items that make holding doors seem helpful, creating urgency that discourages questions, engaging in distracting conversation, or simply following closely behind legitimate users. Successful tailgating grants physical access to restricted areas where attackers can steal equipment, install malicious devices, access sensitive documents, compromise systems directly, or gather intelligence for subsequent attacks. Tailgating is effective because challenging people who appear legitimate feels socially awkward, and many employees prioritize politeness over security. Organizations defend against tailgating by implementing turnstiles or mantraps that allow only one person per authentication, using security guards to monitor entry points, installing surveillance cameras, requiring visible identification badges, conducting security awareness training that empowers employees to challenge unauthorized persons politely, implementing visitor management systems, and creating a security culture where challenging strangers is normalized. During physical penetration tests, ethical hackers attempt tailgating to assess security awareness and physical controls. Phishing is incorrect because it involves sending fraudulent electronic communications to trick recipients into revealing information or clicking malicious links, not physical unauthorized access. Shoulder surfing is incorrect because it involves observing people entering sensitive information like passwords or PINs by looking over their shoulders, not following through secure doors. Dumpster diving is incorrect because it involves searching through trash to find sensitive documents or information, not gaining physical access through secure entry points.

Q112 

An attacker exploits a vulnerability that allows executing code in a format string function. What type of vulnerability is this?

A) Buffer overflow

B) Format string vulnerability

C) Integer overflow

D) Race condition

Answer: B

Explanation:

This question addresses memory corruption vulnerabilities in applications. Understanding format string vulnerabilities helps security professionals identify coding errors that lead to serious security compromises. Format string vulnerability is the type that allows executing code in format string functions. Format string vulnerabilities occur when applications pass user-controlled input directly to format string functions like printf, sprintf, or fprintf in C without proper validation. Format strings use special characters like %s, %x, and %n to specify how data should be formatted and displayed. When attackers control format strings, they can read from arbitrary memory locations using format specifiers, write to arbitrary memory locations using the %n specifier which writes the number of characters printed, cause crashes through invalid memory access, and potentially achieve arbitrary code execution. For example, an attacker might provide “%x %x %x %x” as input to leak stack contents or use “%n” specifiers to overwrite function pointers or return addresses. Format string vulnerabilities are less common in modern code due to compiler warnings and secure coding education, but they remain serious when present. Exploitation requires understanding stack layout and memory organization. Defenses include never using user input directly as format strings, always providing static format strings as first arguments to formatting functions, using functions with bounds checking, enabling compiler warnings, conducting code reviews, and using static analysis tools. Buffer overflow is incorrect because it involves writing data beyond buffer boundaries to overwrite adjacent memory, not exploiting format string functions. Integer overflow is incorrect because it occurs when arithmetic operations produce values exceeding the maximum representable value for integer types, causing unexpected behavior. Race condition is incorrect because it involves timing-dependent bugs where multiple processes access shared resources concurrently without proper synchronization.

Q113 

During a penetration test, you identify that a Linux system has a misconfigured sudoers file allowing a regular user to execute commands as root. What is this an example of?

A) Privilege escalation

B) Buffer overflow

C) SQL injection

D) Cross-site scripting

Answer: A

Explanation:

This question addresses post-exploitation techniques for gaining higher privileges. Understanding privilege escalation helps security professionals identify and fix configuration weaknesses that enable attackers to gain administrative access. Privilege escalation is what a misconfigured sudoers file represents, allowing regular users to execute commands as root. Privilege escalation exploits system misconfigurations, vulnerable software, weak permissions, or implementation flaws to elevate from limited user access to administrative privileges. On Linux systems, the sudoers file controls which users can execute commands with elevated privileges using sudo. Misconfigurations like allowing users to run all commands as root, permitting execution of powerful utilities without restrictions, or allowing editing of system files can enable privilege escalation. Attackers search for various escalation vectors including SUID binaries with vulnerabilities, world-writable files in privileged directories, exploitable kernel vulnerabilities, scheduled tasks running as root, misconfigured sudo permissions, and weak file permissions. Ethical hackers systematically enumerate system configurations, running processes, installed software, and permissions to identify escalation paths. Tools like LinPEAS automate privilege escalation enumeration. Successful escalation demonstrates complete system compromise and helps organizations understand the full risk of initial compromises. Organizations defend against privilege escalation by following least privilege principles, regularly auditing sudo configurations, keeping systems patched, monitoring for suspicious privilege use, removing unnecessary SUID binaries, and implementing proper file permissions. Buffer overflow is incorrect because it is a memory corruption vulnerability exploiting insufficient bounds checking, not related to misconfigured permissions. SQL injection is incorrect because it exploits web application database queries, not system privilege configurations. Cross-site scripting is incorrect because it injects malicious scripts into web applications, unrelated to Linux system privilege escalation.

Q114 

Which protocol operates on port 161 and is commonly used for network device management but often has weak community strings?

A) FTP

B) Telnet

C) SNMP

D) SSH

Answer: C

Explanation:

This question tests knowledge of network protocols and their security weaknesses. Understanding protocol vulnerabilities helps ethical hackers identify and exploit weak configurations during assessments. SNMP (Simple Network Management Protocol) operates on port 161 and is commonly used for network device management with frequently weak community strings. SNMP enables centralized monitoring and management of network devices including routers, switches, servers, printers, and other equipment. SNMP uses community strings as simple authentication mechanisms, essentially passwords that control access to management information. The critical security weakness is that many organizations use default community strings like “public” for read access and “private” for write access, or choose weak easily-guessed strings. Additionally, SNMPv1 and SNMPv2c transmit community strings in cleartext, allowing network eavesdroppers to capture them. Attackers discovering SNMP services attempt common community strings to gain read access revealing detailed network configuration, system information, routing tables, and sensitive data, or write access allowing device reconfiguration, denial of service, or complete device compromise. During penetration tests, ethical hackers scan for SNMP services and attempt default and common community strings using tools like snmpwalk and onesixtyone. Organizations should disable SNMP when unnecessary, use SNMPv3 which provides encryption and strong authentication, change default community strings to complex values, restrict SNMP access through ACLs and firewalls, use read-only community strings when write access is unnecessary, and monitor for unauthorized SNMP queries. FTP is incorrect because it operates on ports 20 and 21 for file transfer, not network device management. Telnet is incorrect because it operates on port 23 providing remote command-line access, not specifically network management. SSH is incorrect because it operates on port 22 providing secure remote access, not the protocol operating on port 161.

Q115 

An attacker creates malware that monitors user keystrokes to capture passwords and sensitive information. What type of malware is this?

A) Virus

B) Keylogger

C) Rootkit

D) Worm

Answer: B

Explanation:

This question tests understanding of malware classifications based on functionality. Knowledge of different malware types helps security professionals implement appropriate detection and prevention strategies. A keylogger is malware that monitors user keystrokes to capture passwords and sensitive information. Keyloggers record every keystroke users make, storing the data locally or transmitting it to attackers remotely. Captured information includes usernames, passwords, credit card numbers, private messages, and any other typed content. Keyloggers can be software-based running as background processes or drivers, or hardware-based physical devices installed between keyboards and computers. Software keyloggers may operate at various levels including application level hooking keyboard APIs, kernel level using device drivers, or hypervisor level monitoring virtual machines. Advanced keyloggers include additional capabilities like screen capture, clipboard monitoring, application tracking, and email capture. Attackers install keyloggers through malware infections, social engineering, physical access, or software supply chain compromises. Keyloggers are particularly dangerous because they capture information before encryption occurs and can bypass many security controls. Defenses include using antimalware software with behavior-based detection, implementing application whitelisting, conducting regular security scans, using virtual keyboards for sensitive input, enabling two-factor authentication, monitoring for suspicious processes, maintaining physical security, and educating users. Organizations handling sensitive information should implement additional keylogger protections. Virus is incorrect because viruses are self-replicating malware that spread by attaching to files, not specifically focused on keystroke monitoring. Rootkit is incorrect because rootkits hide malware presence by modifying operating system components, though they may include keylogging functionality as one feature. Worm is incorrect because worms are self-propagating malware that spread across networks automatically, not specifically for keystroke capture.

Q116 

Which attack involves intercepting and modifying data transmitted between two parties without their knowledge?

A) Replay attack

B) Man-in-the-middle attack

C) Denial of service

D) Phishing

Answer: B

Explanation:

This question tests understanding of network attacks that compromise communication integrity and confidentiality. Recognizing MITM attacks helps security professionals implement appropriate cryptographic protections. A man-in-the-middle attack involves intercepting and modifying data transmitted between two parties without their knowledge. MITM attacks position adversaries between communicating parties, allowing them to eavesdrop, modify messages, inject malicious content, impersonate either party, and compromise entire communication sessions. The distinguishing characteristic is active manipulation of communications rather than passive observation. Attackers may alter financial transaction amounts, modify software updates to inject malware, change email contents, redirect users to malicious websites, or steal credentials. MITM attacks occur through techniques including ARP poisoning on local networks, DNS spoofing, rogue wireless access points, compromised routers, SSL stripping that downgrades encrypted connections, and BGP hijacking. Success requires positioning in the communication path and often exploits the lack of proper encryption or certificate validation. Defenses include using strong encryption with mutual authentication, implementing certificate pinning, deploying HTTPS with proper validation, using VPNs, monitoring for ARP spoofing, implementing DNSSEC, and educating users to verify security indicators. Replay attack is incorrect because it involves capturing and retransmitting valid authentication data to gain unauthorized access, but does not involve modifying communications during active sessions. Denial of service is incorrect because it aims to make services unavailable by overwhelming systems with traffic or exploiting vulnerabilities, not by intercepting communications. Phishing is incorrect because it involves sending deceptive communications to trick victims into revealing information or clicking malicious links, not intercepting live communications between parties.
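One of the defenses listed above, monitoring for ARP spoofing, can be demonstrated with a small detector. The following is an added example, not code from the original page: it parses constructed ARP observation lines in a hypothetical "timestamp ip mac" format and flags any IP address that is claimed by more than one MAC within a short time window, which is the signature an ARP-poisoning MITM leaves on the local segment.

```python
# Added example (not from the original page): flag possible ARP-spoofing
# activity by finding an IP address claimed by more than one MAC address
# within a short window. The log lines below are constructed for
# illustration, in a hypothetical "timestamp ip mac" format.
from collections import defaultdict

ARP_LOG = """\
1700000000 192.168.1.1 aa:bb:cc:dd:ee:01
1700000001 192.168.1.50 aa:bb:cc:dd:ee:50
1700000002 192.168.1.1 aa:bb:cc:dd:ee:01
1700000003 192.168.1.1 DE:AD:BE:EF:00:99
1700000004 192.168.1.50 aa:bb:cc:dd:ee:50
1700000005 192.168.1.1 de:ad:be:ef:00:99
"""

def parse_arp_log(text):
    """Return (timestamp, ip, mac) tuples, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, ip, mac = parts
        records.append((int(ts), ip, mac.lower()))  # normalise MAC case
    return records

def find_arp_conflicts(records, window=60):
    """Map each IP to the sorted MACs that claimed it within `window` seconds
    of one another; an IP with more than one MAC is a spoofing candidate."""
    claims = defaultdict(list)
    for ts, ip, mac in records:
        claims[ip].append((ts, mac))
    conflicts = {}
    for ip, entries in claims.items():
        entries.sort()  # chronological order
        seen = set()
        for i, (ts, mac) in enumerate(entries):
            for later_ts, later_mac in entries[i + 1:]:
                if later_ts - ts > window:
                    break  # outside the window, later entries are too
                if later_mac != mac:
                    seen.update({mac, later_mac})
        if seen:
            conflicts[ip] = sorted(seen)
    return conflicts

if __name__ == "__main__":
    for ip, macs in find_arp_conflicts(parse_arp_log(ARP_LOG)).items():
        print(f"ALERT: {ip} claimed by multiple MACs: {', '.join(macs)}")
```

A gateway IP suddenly answered by a second MAC is the classic indicator; legitimate changes (a replaced NIC) also trigger it, so the alert is a prompt to verify, not a verdict.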

Q117 

An ethical hacker needs to test a web application’s resistance to automated attacks. Which technique involves using CAPTCHAs?

A) Rate limiting

B) Bot detection

C) Input validation

D) Session management

Answer: B

Explanation:

This question addresses web application defenses against automated attacks. Understanding bot detection helps security professionals implement appropriate protections while maintaining usability. Bot detection is the technique that involves using CAPTCHAs to test web application resistance to automated attacks. CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) present challenges designed to be easily solved by humans but difficult for automated systems. Common CAPTCHA types include distorted text recognition, image selection tasks, audio challenges, and puzzle solving. CAPTCHAs protect against automated attacks including credential stuffing, web scraping, spam submission, automated account creation, and brute force attacks. By requiring human interaction, CAPTCHAs rate-limit attacker capabilities and increase attack costs significantly. However, CAPTCHAs also create usability challenges for legitimate users and accessibility issues for users with disabilities. Modern alternatives include reCAPTCHA, which analyzes user behavior, invisible CAPTCHAs that run in the background, and risk-based authentication that selectively challenges suspicious activities. Ethical hackers test CAPTCHA effectiveness by attempting automated attacks and evaluating whether the protections successfully prevent abuse while maintaining an acceptable user experience. Organizations should balance security needs against usability, implement accessible alternatives, use CAPTCHAs selectively for high-risk operations, and consider modern behavior-based solutions. Rate limiting is incorrect because, while it restricts request frequency to prevent abuse, it does not specifically involve CAPTCHAs, which verify human presence. Input validation is incorrect because it verifies that user input meets expected format and type requirements, which is unrelated to distinguishing humans from bots. Session management is incorrect because it handles user authentication state across requests, not detecting automated attacks.

Q118 

During reconnaissance, an ethical hacker uses search engines to find sensitive information exposed publicly. What is this technique called?

A) Google dorking

B) Port scanning

C) SQL injection

D) Buffer overflow

Answer: A

Explanation:

This question focuses on passive reconnaissance techniques leveraging public information sources. Understanding Google dorking helps ethical hackers identify information leakage and helps organizations protect sensitive data. Google dorking is the technique that uses search engines to find sensitive information exposed publicly. Google dorking, also called Google hacking, involves using advanced search operators and specialized queries to discover sensitive information that organizations unintentionally exposed and that search engines have indexed. Common targets include configuration files, database dumps, directory listings, login pages, confidential documents, error messages revealing system information, exposed cameras, and vulnerable systems. Search operators such as site: to limit results to specific domains, filetype: to find specific file types, intext: to search within page content, and intitle: to search page titles enable precise queries. Example dork queries might search for exposed database files, administrative login pages, or documents containing passwords. The Google Hacking Database (GHDB) catalogs thousands of useful dork queries. Google dorking is completely passive and legal as it only searches indexed public information, making it ideal for initial reconnaissance. However, accessing discovered sensitive resources might be unauthorized. Organizations defend against Google dorking by using robots.txt to prevent indexing of sensitive areas, implementing proper authentication on administrative interfaces, avoiding storing sensitive information in publicly accessible locations, regularly searching for exposed information about their domains, and monitoring for sensitive data leakage. Port scanning is incorrect because it actively probes target systems to identify open ports and services rather than searching indexed information. SQL injection is incorrect because it exploits database vulnerabilities by injecting malicious queries and is not a reconnaissance technique. Buffer overflow is incorrect because it is an exploitation technique targeting memory corruption vulnerabilities, unrelated to search engine reconnaissance.

Q119 

Which encryption protocol should be used to secure email communications and provides end-to-end encryption?

A) SSL/TLS

B) PGP/GPG

C) IPSec

D) WPA2

Answer: B

Explanation:

This question tests knowledge of cryptographic protocols for different use cases. Understanding appropriate encryption selection helps security professionals implement effective data protection. PGP/GPG (Pretty Good Privacy/GNU Privacy Guard) should be used to secure email communications with end-to-end encryption. PGP uses public key cryptography to encrypt email contents, ensuring only the intended recipients holding the corresponding private keys can decrypt messages. PGP provides confidentiality through encryption, integrity through digital signatures, and authentication through identity verification. The end-to-end nature means messages remain encrypted during transit and storage, and only recipients decrypt them locally. This protects against email server compromises, network interception, and unauthorized access. PGP also enables signing messages to verify sender authenticity and detect tampering. Users exchange public keys through key servers or direct sharing while keeping private keys secure. Modern implementations like GPG provide open-source PGP compatibility. While PGP offers strong security, adoption challenges include complexity requiring technical knowledge, key management difficulties, and a lack of seamless integration in email clients. Organizations handling sensitive communications should implement PGP with appropriate key management, user training, and policies. SSL/TLS is incorrect because, while it encrypts connections between email clients and servers, it provides transport encryption, not end-to-end encryption, meaning email providers can still access message contents. IPSec is incorrect because it secures IP communications at the network layer for VPNs and network encryption and is not specifically designed for email encryption. WPA2 is incorrect because it is a wireless network security protocol that encrypts WiFi communications, not one designed for securing email messages.

Q120 

An attacker uses social engineering to manipulate a help desk employee into resetting a password for an account they do not own. What type of attack is this?

A) Phishing

B) Pretexting

C) Vishing

D) Baiting

Answer: B

Explanation:

This question addresses social engineering techniques that exploit human trust and organizational processes. Understanding these attacks helps organizations implement security awareness training and verification procedures. Pretexting is the attack in which attackers use social engineering to manipulate help desk employees into resetting passwords for accounts they do not own. Pretexting involves creating fabricated scenarios or false pretexts to establish credibility and justify requests for sensitive information or actions. Attackers research target organizations, develop believable cover stories, impersonate legitimate users or authority figures, and exploit employees’ desire to be helpful. In password reset scenarios, attackers might claim to be locked-out employees working on urgent projects, impersonate executives demanding immediate assistance, or pose as IT staff requiring access for maintenance. Successful pretexting exploits insufficient verification procedures, lack of security awareness, and social pressure. Attackers gather information through OSINT to make pretexts convincing, mentioning specific projects, colleagues, or organizational details. Pretexting is particularly effective against help desk personnel, who regularly assist users and may prioritize customer service over security verification. Organizations defend against pretexting by implementing strict identity verification procedures for sensitive requests, training employees to recognize social engineering, establishing callback procedures to verify requestor identity, requiring multi-factor authentication for password resets, documenting and reviewing help desk interactions, and creating a security culture where employees feel empowered to challenge suspicious requests. Phishing is incorrect because it involves sending fraudulent electronic communications containing malicious links or attachments to trick recipients, not interactive telephone or in-person manipulation of help desk staff. Vishing is incorrect because, while it involves voice-based social engineering, the question describes general social engineering manipulation, which is more specifically pretexting. Baiting is incorrect because it involves offering something enticing, such as free USB drives containing malware, to trick victims into compromising security, not creating false scenarios to manipulate employees.
