ECCouncil 312-50v13 Certified Ethical Hacker v13 Exam Dumps and Practice Test Questions Set 8 Q 141-160


Q141

An ethical hacker is performing a penetration test and discovers that a web application allows unrestricted file uploads. Which attack should be prioritized?

A) SQL injection

B) Uploading a web shell for remote code execution

C) Cross-site scripting

D) DNS poisoning

Answer: B

Explanation:

Uploading a web shell for remote code execution should be prioritized when unrestricted file uploads are discovered. File upload vulnerabilities allowing unrestricted uploads represent critical security risks because attackers can upload malicious executable files that provide remote access and control. Web shells are scripts written in languages like PHP, ASP, JSP, or Python that when uploaded to web servers provide command execution capabilities through web interfaces. Attackers upload web shells to accessible directories, then access them through browsers to execute system commands, browse file systems, upload additional malware, modify files, access databases, pivot to internal networks, and maintain persistent access. The severity is critical because web shells often provide complete server compromise. Successful exploitation requires uploading the malicious file, determining its location on the server, and accessing it to trigger execution. Organizations must implement strict file upload controls including validating file types based on content not extensions, restricting allowed file types to only necessary formats, storing uploads outside web-accessible directories, using random filenames, implementing size limits, scanning uploads with antivirus, processing uploads in sandboxed environments, and executing uploaded files with minimal privileges. SQL injection is incorrect because while serious, it targets database vulnerabilities not file upload functionality, and unrestricted uploads represent more direct paths to code execution. Cross-site scripting is incorrect because it involves injecting malicious scripts into web pages, which is less severe than achieving direct server compromise through web shell uploads. DNS poisoning is incorrect because it manipulates DNS responses to redirect traffic, completely unrelated to exploiting file upload vulnerabilities.
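The upload controls listed above (content-based type validation, an extension allowlist, a size limit, server-chosen random filenames and storage outside the document root) as a single validation routine. This is an added example, not code from the question bank; the type allowlist, the 5 MiB limit and the `/var/app/uploads` root are assumptions for the example.

```python
import os
import secrets
from typing import Optional, Tuple

# Allowlist of upload types the application actually needs, keyed by canonical
# extension, with the magic bytes each format starts with. Constructed for this
# example; trim it to the formats your application really accepts.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
EXTENSION_ALIASES = {"jpeg": "jpg"}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # 5 MiB, an assumed limit

# Hypothetical storage root that the web server does not serve.
UPLOAD_ROOT = "/var/app/uploads"


class UploadRejected(ValueError):
    """Raised when an upload fails a validation check."""


def sniff_type(data: bytes) -> Optional[str]:
    """Return the allowlisted type whose magic bytes match the content, else None."""
    for ext, magic in ALLOWED_TYPES.items():
        if data.startswith(magic):
            return ext
    return None


def validate_upload(filename: str, data: bytes) -> str:
    """Validate an upload and return the server-chosen name to store it under.

    Checks, in order: size limit, extension allowlist (last extension only),
    and content sniffing that must agree with the claimed extension. The
    returned name never derives from user input, so names like 'shell.php'
    or 'shell.php.png' can neither reach disk nor be executed as scripts.
    """
    if not data or len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("size out of range")

    base = os.path.basename(filename)          # drop any directory components
    _, dot, ext = base.rpartition(".")
    ext = EXTENSION_ALIASES.get(ext.lower(), ext.lower())
    if not dot or ext not in ALLOWED_TYPES:
        raise UploadRejected("extension not allowed")

    sniffed = sniff_type(data)
    if sniffed is None:
        raise UploadRejected("content does not match any allowed type")
    if sniffed != ext:
        raise UploadRejected(f"content is {sniffed} but name claims {ext}")

    # Random name with the sniffed (not the claimed) extension.
    return f"{secrets.token_hex(16)}.{sniffed}"


def upload_decision(filename: str, data: bytes) -> Tuple[bool, str]:
    """Convenience wrapper: (accepted, stored name or rejection reason)."""
    try:
        return True, validate_upload(filename, data)
    except UploadRejected as exc:
        return False, str(exc)


def storage_path(stored_name: str) -> str:
    """Where the validated file lands: outside the document root, under UPLOAD_ROOT."""
    return os.path.join(UPLOAD_ROOT, stored_name)
```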

Q142

During a wireless penetration test, you capture a WPA2 handshake. What is the NEXT step to compromise the network?

A) Perform ARP poisoning

B) Conduct offline password cracking

C) Execute a deauthentication attack

D) Scan for open ports

Answer: B

Explanation:

Conducting offline password cracking is the next step after capturing a WPA2 handshake. Once the four-way handshake is captured, it contains sufficient information to verify password guesses without further network access. The captured handshake includes encrypted authentication data derived from the wireless network password. Attackers use password cracking tools like Aircrack-ng or Hashcat to perform dictionary attacks testing wordlists of common passwords, brute force attacks trying all possible character combinations, or hybrid attacks combining dictionary words with character substitutions against the captured handshake. Cracking success depends on password complexity, with weak passwords cracking quickly while strong complex passwords may be computationally infeasible to crack. The offline nature means unlimited cracking attempts can be made without detection or network interaction. Organizations defend against handshake capture attacks by using long complex passwords resistant to dictionary attacks, implementing WPA3 which provides better protection against offline attacks, and monitoring for deauthentication attacks indicating potential handshake capture attempts. Performing ARP poisoning is incorrect because it is a local network attack for intercepting traffic that requires already being connected to the network, not the next step after handshake capture. Executing a deauthentication attack is incorrect because this step occurs before handshake capture to force client reconnection, not after the handshake is already captured. Scanning for open ports is incorrect because it identifies services on network hosts but does not help crack the captured WPA2 handshake password.

Q143

An attacker modifies the hosts file on a victim’s computer to redirect legitimate domains to malicious IP addresses. What type of attack is this?

A) DNS spoofing

B) Pharming

C) Phishing

D) Session hijacking

Answer: B

Explanation:

Pharming is the attack where attackers modify hosts files on victim computers to redirect legitimate domains to malicious IP addresses. Pharming redirects users from legitimate websites to fraudulent ones without their knowledge, typically to steal credentials, financial information, or distribute malware. Unlike phishing which requires user interaction with malicious links, pharming operates transparently by manipulating name resolution mechanisms. Attackers accomplish pharming through several methods including modifying local hosts files that override DNS lookups, compromising DNS servers to return malicious IP addresses, exploiting DNS cache poisoning vulnerabilities, or using malware that intercepts DNS queries. When hosts files are modified, legitimate domain names resolve to attacker-controlled servers hosting fake websites that mimic authentic sites. Users typing correct URLs are directed to malicious sites despite entering accurate addresses. Pharming is particularly dangerous because users cannot detect it through URL inspection. Defenses include using antimalware software that monitors critical system files, implementing DNS security extensions, using trusted DNS servers, enabling HTTPS to detect certificate mismatches when redirected, maintaining file integrity monitoring, restricting hosts file modifications, and educating users about HTTPS indicators. DNS spoofing is incorrect because while related, it specifically refers to providing false DNS responses rather than modifying local hosts files on victim systems. Phishing is incorrect because it involves sending deceptive communications to trick users into clicking malicious links, requiring user interaction rather than transparent redirection. Session hijacking is incorrect because it involves stealing session tokens to impersonate authenticated users, not redirecting domain name resolution.
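A hosts-file check of the kind the defenses above describe (file integrity monitoring plus a review of what the file actually overrides), added here as an example and not part of the question bank. The hosts content, the `.example` names and the baseline are constructed for the example.

```python
import hashlib
import ipaddress
from typing import List, Tuple

# Constructed hosts-file content for this example. The first two lines are the
# normal loopback entries; the last two are the kind of override a pharming
# attack adds so that typing the real bank URL reaches the attacker's server.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
# added by installer
203.0.113.45    www.bank.example bank.example
203.0.113.45    login.mail.example
"""

# The same file as it looked at baseline, used to build the integrity reference.
CLEAN_HOSTS = "127.0.0.1       localhost\n::1             localhost ip6-localhost\n"


def digest(content: str) -> str:
    """SHA-256 over the file content; record this at baseline for integrity monitoring."""
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


def parse_hosts(content: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) for each non-blank, non-comment line."""
    entries = []
    for raw in content.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        parts = line.split()
        if len(parts) >= 2:
            entries.append((parts[0], parts[1:]))
    return entries


def suspicious_entries(content: str) -> List[Tuple[str, str]]:
    """Flag (hostname, address) pairs that override DNS for a name.

    Loopback and unspecified addresses are the normal content of a hosts file.
    Any other mapping pins a name to an address the resolver would otherwise
    look up, which is exactly what hosts-file pharming does. Private-range
    entries may be legitimate local overrides, so review rather than auto-fix.
    """
    flagged = []
    for address, names in parse_hosts(content):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            flagged.extend((name, address) for name in names)  # malformed line: report it
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue
        flagged.extend((name, address) for name in names)
    return flagged


def integrity_changed(content: str, baseline_digest: str) -> bool:
    """True when the hosts file no longer matches the recorded baseline."""
    return digest(content) != baseline_digest
```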

Q144

Which tool is commonly used to intercept and modify HTTP/HTTPS traffic between a browser and web application during security testing?

A) Nmap

B) Wireshark

C) Burp Suite

D) Metasploit

Answer: C

Explanation:

Burp Suite is commonly used to intercept and modify HTTP/HTTPS traffic between browsers and web applications during security testing. Burp Suite is a comprehensive web application security testing platform featuring an intercepting proxy that positions itself between browsers and web servers, capturing all HTTP and HTTPS requests and responses. Security testers can inspect, modify, replay, and analyze web traffic to identify vulnerabilities. The proxy allows pausing requests before they reach servers, modifying parameters and headers, testing how applications respond to unexpected input, bypassing client-side validation, and manipulating authentication tokens. Burp Suite includes additional features like automated scanners detecting common vulnerabilities, repeater for manual testing, intruder for automated attacks, sequencer for analyzing session token randomness, and extensions for specialized testing. For HTTPS traffic interception, Burp presents its own certificate requiring installation in browsers to establish trust. Ethical hackers use Burp Suite extensively during web application penetration tests to test for SQL injection, XSS, authentication flaws, authorization issues, and other web vulnerabilities. The tool provides comprehensive capabilities for thorough web application security assessment. Nmap is incorrect because it performs network scanning and service detection identifying open ports and running services, not intercepting or modifying web traffic. Wireshark is incorrect because while it captures and analyzes network traffic, it operates as a passive packet analyzer without the ability to easily modify and replay HTTP requests like intercepting proxies. Metasploit is incorrect because it is an exploitation framework for testing and exploiting vulnerabilities, not specifically designed for web traffic interception and modification.

Q145

An ethical hacker discovers that a database server is directly accessible from the internet without firewall protection. What vulnerability does this represent?

A) SQL injection

B) Security misconfiguration

C) Broken authentication

D) Cross-site scripting

Answer: B

Explanation:

Security misconfiguration is the vulnerability represented when database servers are directly accessible from the internet without firewall protection. Security misconfigurations occur when systems lack appropriate security settings, use default configurations, have unnecessary services enabled, or fail to implement security hardening. Exposing database servers directly to the internet represents a critical misconfiguration because databases contain sensitive information and should only be accessible from authorized application servers within protected network segments. Direct internet exposure creates numerous risks including unauthorized access attempts from anywhere globally, vulnerability exploitation by automated scanning tools, brute force attacks against authentication, data theft if weak credentials exist, and increased attack surface. Proper architecture implements network segmentation placing databases in protected internal networks, uses firewalls to restrict access to only necessary application servers, implements additional network security controls, and follows defense-in-depth principles. Organizations should conduct regular security assessments identifying misconfigurations, implement configuration management ensuring consistent security settings, use security baselines and hardening guides, disable unnecessary services, change default credentials, apply principle of least privilege, and monitor for configuration drift. Ethical hackers identifying direct database exposure should report it as a critical finding requiring immediate remediation. SQL injection is incorrect because it is an application vulnerability exploiting improper query construction, not infrastructure misconfiguration exposing databases to the internet. Broken authentication is incorrect because it involves weaknesses in authentication mechanisms, not network exposure issues. Cross-site scripting is incorrect because it involves injecting malicious scripts into web applications, unrelated to database server network exposure.

Q146

Which attack technique involves overwhelming a target system with UDP packets to consume bandwidth and system resources?

A) SYN flood

B) UDP flood

C) Ping flood

D) HTTP flood

Answer: B

Explanation:

Knowledge of different DoS attack vectors helps security professionals implement appropriate protections and detection mechanisms. UDP flood is the attack that involves overwhelming target systems with UDP packets to consume bandwidth and system resources. UDP floods send massive volumes of UDP packets to random or specific ports on target systems. Since UDP is a connectionless protocol without handshakes or acknowledgments, attackers can generate floods efficiently with spoofed source addresses making attribution difficult. When targets receive UDP packets, they check for applications listening on destination ports, and if none exist, they generate ICMP destination unreachable responses. This processing consumes CPU resources, bandwidth, and network capacity. Large-scale UDP floods can saturate network links preventing legitimate traffic from reaching targets. Amplification attacks using UDP protocols like DNS, NTP, or SSDP achieve massive traffic volumes by sending small requests with spoofed victim addresses to servers that respond with much larger replies to victims. Defenses include implementing rate limiting on UDP traffic, using anti-DDoS services that filter malicious traffic, deploying firewalls configured to drop unnecessary UDP traffic, disabling UDP services not required, implementing ingress and egress filtering to prevent IP spoofing, and using network capacity that can absorb attack traffic. SYN flood is incorrect because it exploits TCP handshake by sending numerous SYN packets without completing connections, consuming server connection tables rather than using UDP. Ping flood is incorrect because it uses ICMP echo requests to overwhelm targets, not UDP packets. HTTP flood is incorrect because it sends legitimate-looking HTTP requests to overwhelm web servers, operating at the application layer rather than using UDP.

Q147

An ethical hacker needs to test whether a web application properly implements access controls. Which vulnerability involves accessing resources without proper authorization?

A) Broken access control

B) SQL injection

C) Cross-site scripting

D) Buffer overflow

Answer: A

Explanation:

Understanding access control failures helps security professionals identify and remediate critical authorization weaknesses. Broken access control is the vulnerability involving accessing resources without proper authorization. Access control determines what authenticated users can do and which resources they can access based on their permissions and roles. Broken access control occurs when applications fail to properly enforce authorization checks, allowing users to access functionality or data beyond their intended privileges. Common manifestations include insecure direct object references where users modify parameters to access other users’ resources, missing function-level access control where administrative functions are accessible to regular users, forced browsing to unprotected pages, privilege escalation where users modify their roles or permissions, and accessing APIs without proper authorization. Examples include changing user ID parameters in URLs to view other accounts, accessing admin pages by guessing URLs, manipulating API requests to access unauthorized data, or modifying account identifiers in requests. Ethical hackers test access controls by attempting to access resources belonging to other users, testing whether lower-privileged accounts can access administrative functions, verifying authorization checks are enforced server-side, and exploring whether parameter manipulation grants unauthorized access. Organizations implement proper access control through least privilege principles, server-side authorization checks on every request, indirect object references, denying access by default, logging access control failures, and thorough testing. SQL injection is incorrect because it exploits database query construction vulnerabilities, not authorization failures. Cross-site scripting is incorrect because it injects malicious scripts into web pages, not accessing unauthorized resources. Buffer overflow is incorrect because it exploits memory corruption in applications, unrelated to authorization enforcement.
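The insecure direct object reference described above next to its fix, as an added example (not code from the question bank): a handler that only authenticates, then the same lookup with a server-side ownership check, deny-by-default, failure logging and per-session indirect references. The invoice records and user roles are constructed for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"


# Constructed data: each invoice is owned by exactly one user.
INVOICES = {
    1001: {"owner_id": 1, "amount": 250},
    1002: {"owner_id": 2, "amount": 999},
}

# Access-control failures are logged so that probing (walking invoice ids) is visible.
DENIED_LOG: List[str] = []


class Forbidden(Exception):
    """Raised for any request the caller is not authorised to make."""


def get_invoice_vulnerable(user: User, invoice_id: int) -> dict:
    """Broken access control: the request is authenticated but never authorised.

    A user who changes ?invoice_id=1001 to 1002 in the URL reads another
    customer's invoice (an insecure direct object reference).
    """
    return INVOICES[invoice_id]


def get_invoice_secure(user: User, invoice_id: int) -> dict:
    """Server-side authorisation on every request, deny by default."""
    record = INVOICES.get(invoice_id)
    allowed = record is not None and (user.role == "admin" or record["owner_id"] == user.id)
    if not allowed:
        # Same outcome for "missing" and "not yours": no id-enumeration oracle.
        DENIED_LOG.append(f"user={user.id} denied invoice_id={invoice_id}")
        raise Forbidden()
    return record


class IndirectReferences:
    """Per-session map from opaque tokens to real ids (indirect object references).

    The client only ever sees tokens minted for its own session, so there is
    no global identifier to tamper with; a token from another session
    resolves to nothing.
    """

    def __init__(self) -> None:
        self._by_user: Dict[int, Dict[str, int]] = {}

    def issue(self, user: User, invoice_id: int) -> str:
        token = secrets.token_urlsafe(16)
        self._by_user.setdefault(user.id, {})[token] = invoice_id
        return token

    def resolve(self, user: User, token: str) -> Optional[int]:
        return self._by_user.get(user.id, {}).get(token)


def get_invoice_by_token(refs: IndirectReferences, user: User, token: str) -> dict:
    """Resolve the token in the caller's own session, then still authorise the record."""
    invoice_id = refs.resolve(user, token)
    if invoice_id is None:
        DENIED_LOG.append(f"user={user.id} presented unknown token")
        raise Forbidden()
    return get_invoice_secure(user, invoice_id)


def try_access(fn, *args) -> bool:
    """True if the call succeeds, False if it is refused; used to compare the handlers."""
    try:
        fn(*args)
        return True
    except (Forbidden, KeyError):
        return False
```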

Q148

During a penetration test, you discover that a web application accepts serialized objects from users without validation. Which vulnerability should you test for?

A) Insecure deserialization

B) SQL injection

C) Cross-site scripting

D) Directory traversal

Answer: A

Explanation:

Understanding insecure deserialization helps security professionals identify serious vulnerabilities that can lead to remote code execution. Insecure deserialization should be tested when applications accept serialized objects from users without validation. Serialization converts objects into formats for storage or transmission, while deserialization reconstructs objects from serialized data. Insecure deserialization occurs when applications deserialize untrusted data without proper validation, allowing attackers to manipulate serialized objects to achieve various malicious outcomes. Exploitation can lead to remote code execution where attackers craft malicious serialized objects that execute arbitrary code when deserialized, authentication bypass by manipulating user role attributes in session objects, data tampering, denial of service through resource-intensive deserialization, or injection attacks. The vulnerability is particularly dangerous because deserialization often occurs with application privileges, and exploitation can achieve complete system compromise. Common vulnerable implementations include Java serialization, Python pickle, PHP object serialization, and .NET deserialization. Attackers use tools like ysoserial to generate malicious payloads for various platforms. Testing involves identifying deserialization points, attempting to modify serialized data, and observing application behavior. Organizations defend by avoiding deserialization of untrusted data when possible, implementing integrity checks on serialized data, restricting deserialization to expected classes, running deserialization with minimal privileges, monitoring deserialization failures, and using secure serialization alternatives. SQL injection is incorrect because it targets database queries, not object deserialization processes. Cross-site scripting is incorrect because it injects scripts into web pages, unrelated to object serialization. Directory traversal is incorrect because it manipulates file paths to access unauthorized files, not exploiting deserialization.
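Two of the defenses listed above, an integrity check on the serialized data and restriction of deserialization to expected classes, applied to the Python pickle format the explanation names. This is an added example, not code from the question bank; `SessionState`, the allowlist and the signing key are constructed for it.

```python
import hashlib
import hmac
import io
import pickle
from dataclasses import dataclass
from typing import Any, Tuple

# Constructed key for the example; a real service loads it from a secret store.
SIGNING_KEY = b"example-signing-key-not-for-production"
TAG_LEN = hashlib.sha256().digest_size


@dataclass
class SessionState:
    """The one application class this endpoint is expected to receive."""
    user_id: int
    role: str


# Only these globals may be reconstructed; any other class or function named
# in the stream is refused before the unpickler instantiates anything.
ALLOWED_GLOBALS = {(SessionState.__module__, "SessionState")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that consults an allowlist whenever the stream names a global."""

    def find_class(self, module: str, name: str) -> Any:
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def serialize(obj: Any) -> bytes:
    """HMAC-SHA256 tag prepended to the pickle body, so tampering is caught first."""
    body = pickle.dumps(obj, protocol=4)
    tag = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return tag + body


def deserialize(blob: bytes) -> Any:
    """Verify integrity, then deserialize through the allowlist."""
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return RestrictedUnpickler(io.BytesIO(body)).load()


def safe_load(blob: bytes) -> Tuple[bool, Any]:
    """(True, object) on success; (False, reason) when the blob is rejected."""
    try:
        return True, deserialize(blob)
    except (ValueError, pickle.UnpicklingError) as exc:
        return False, str(exc)
```

The integrity check only helps while the key stays server-side; the allowlist is what limits the damage if a signed blob is ever produced by the wrong party.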

Q149

Which reconnaissance technique involves identifying employee information through professional networking sites like LinkedIn?

A) Social engineering

B) OSINT gathering

C) Port scanning

D) Network mapping

Answer: B

Explanation:

This question focuses on passive information gathering techniques. Understanding OSINT helps ethical hackers conduct thorough reconnaissance while remaining undetected. OSINT gathering is the reconnaissance technique that identifies employee information through professional networking sites like LinkedIn. Open Source Intelligence collection gathers information from publicly available sources including social media platforms, professional networks, company websites, job postings, public records, search engines, and online databases. LinkedIn is particularly valuable for OSINT because it contains detailed professional information including employee names, job titles, roles, responsibilities, skills, technologies used, organizational structures, and professional relationships. Ethical hackers analyze LinkedIn profiles to identify potential social engineering targets, understand organizational hierarchy, determine technology stack from skills listings, identify key personnel, discover email address formats, and gather intelligence for targeted attacks. Additional OSINT sources include Twitter revealing personal interests, Facebook showing relationships and activities, company websites exposing organizational information, job postings indicating technologies and projects, and press releases announcing initiatives. OSINT is completely passive and legal as it uses publicly available information. Tools like theHarvester, Maltego, and Recon-ng automate OSINT collection. Organizations should educate employees about information sharing risks, implement social media policies, limit sensitive information disclosure, and understand what intelligence adversaries can gather from public sources. Social engineering is incorrect because it involves manipulating people to divulge information or take actions, whereas gathering information from LinkedIn is passive observation. Port scanning is incorrect because it actively probes systems to identify open ports, not collecting employee information. Network mapping is incorrect because it discovers network topology and connected devices, unrelated to LinkedIn reconnaissance.

Q150

An attacker exploits a vulnerability that allows reading sensitive files by manipulating file paths in application parameters. What is this attack called?

A) SQL injection

B) Directory traversal

C) Cross-site scripting

D) Command injection

Answer: B

Explanation:

Understanding directory traversal helps security professionals identify and prevent unauthorized file access. Directory traversal is the attack that exploits vulnerabilities allowing reading sensitive files by manipulating file paths in application parameters. Directory traversal, also called path traversal, occurs when applications use user-supplied input to construct file paths without proper validation. Attackers manipulate file path parameters using special character sequences like "../" to navigate outside intended directories and access sensitive files anywhere on the file system. Common targets include configuration files containing credentials, application source code, system files like /etc/passwd on Linux or boot.ini on Windows, log files, and sensitive documents. Example attacks include modifying filename parameters from "file=report.pdf" to "file=../../../../etc/passwd" to access password files. Successful exploitation reveals sensitive information, exposes application logic, discloses credentials, or provides intelligence for further attacks. Applications become vulnerable when they directly use user input in file operations, fail to validate or sanitize paths, use weak filtering easily bypassed, or lack proper access controls. Defenses include avoiding user input in file paths when possible, validating input against allowlists of permitted files, using indirect references like file IDs instead of names, sanitizing input to remove traversal sequences, implementing chroot jails or sandbox environments, using proper file permissions, and conducting security testing. SQL injection is incorrect because it exploits database queries, not file path manipulation. Cross-site scripting is incorrect because it injects malicious scripts into web pages, unrelated to file access. Command injection is incorrect because it executes operating system commands, not manipulating file paths for unauthorized access.
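The vulnerable path construction from the "file=../../../../etc/passwd" example beside a canonicalising check and an id-based allowlist lookup, added here as an example that is not part of the question bank. The `/srv/app/files` base directory and the `FILE_IDS` mapping are assumptions; the symlink case goes beyond the explanation to show that checking the resolved path, not the submitted text, also catches links that point outside the directory.

```python
import os
import tempfile
from typing import Optional

# Hypothetical indirect references: the client sends an id, never a filename.
FILE_IDS = {"1": "report.pdf", "2": "summary.pdf"}


def resolve_vulnerable(base_dir: str, user_path: str) -> str:
    """Uses the parameter directly: 'file=../../../../etc/passwd' walks out of base_dir."""
    return os.path.normpath(os.path.join(base_dir, user_path))


def resolve_safe(base_dir: str, user_path: str) -> Optional[str]:
    """Canonicalise the requested path and return it only if it stays under base_dir.

    realpath() collapses '..' sequences and follows symlinks, so the check is
    made on where the path really points, not on the text the client sent.
    Returns None for anything that would leave base_dir.
    """
    if "\x00" in user_path or os.path.isabs(user_path):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:       # different drives on Windows
        inside = False
    return candidate if inside else None


def resolve_by_id(base_dir: str, file_id: str) -> Optional[str]:
    """Allowlist lookup: the client can only name files the mapping knows about."""
    name = FILE_IDS.get(file_id)
    return None if name is None else resolve_safe(base_dir, name)


def is_traversal(base_dir: str, user_path: str) -> bool:
    """True when the requested path would leave base_dir once resolved."""
    return resolve_safe(base_dir, user_path) is None


def symlink_escape_rejected() -> Optional[bool]:
    """Show that a symlink inside base_dir pointing outside it is also refused.

    Builds a throwaway directory tree; returns None if the platform cannot
    create symlinks, True if the link is rejected, False if it slipped through.
    """
    with tempfile.TemporaryDirectory() as outer:
        base = os.path.join(outer, "files")
        os.mkdir(base)
        secret = os.path.join(outer, "secret.txt")
        with open(secret, "w", encoding="utf-8") as fh:
            fh.write("not for download\n")
        try:
            os.symlink(secret, os.path.join(base, "link.txt"))
        except (OSError, NotImplementedError):
            return None
        return resolve_safe(base, "link.txt") is None
```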

Q151

Which type of malware spreads automatically across networks by exploiting vulnerabilities without requiring user interaction?

A) Virus

B) Trojan

C) Worm

D) Adware

Answer: C

Explanation:

Knowledge of different malware types helps security professionals implement appropriate detection and prevention strategies. A worm is malware that spreads automatically across networks by exploiting vulnerabilities without requiring user interaction. Worms are self-replicating malware that autonomously propagate by scanning for vulnerable systems, exploiting security weaknesses, copying themselves to compromised hosts, and repeating the process. Unlike viruses requiring host files and user actions to spread, worms operate independently and spread rapidly without user involvement. Famous worms like Code Red, Nimda, and WannaCry demonstrated massive destructive potential by infecting hundreds of thousands of systems within hours. Worms exploit various vulnerabilities including buffer overflows, weak authentication, unpatched software, misconfigured services, and insecure protocols. Modern worms may combine multiple exploitation techniques, use encryption to avoid detection, implement polymorphic code that changes with each infection, and include additional malicious payloads like ransomware or backdoors. Worm infections cause network congestion from scanning traffic, system resource exhaustion, data destruction, service disruption, and provide attackers with access. Organizations defend against worms by maintaining current security patches, implementing network segmentation limiting spread, using intrusion prevention systems detecting scanning behavior, deploying antimalware with behavior-based detection, disabling unnecessary services, and implementing least privilege. Rapid patching of critical vulnerabilities is essential. Virus is incorrect because viruses require host files and typically need user actions like opening infected files to spread, not autonomous network propagation. Trojan is incorrect because trojans disguise themselves as legitimate software and require user installation, lacking self-replication capabilities. Adware is incorrect because it displays unwanted advertisements and typically spreads through software bundling, not autonomous exploitation.

Q152

An ethical hacker wants to identify vulnerabilities in a web application without exploiting them. Which type of assessment is this?

A) Penetration test

B) Vulnerability assessment

C) Red team exercise

D) Social engineering test

Answer: B

Explanation:

Understanding assessment types helps organizations select appropriate testing methodologies for their security needs. A vulnerability assessment is the type of assessment that identifies vulnerabilities without exploiting them. Vulnerability assessments systematically scan and analyze systems, networks, and applications to discover security weaknesses, misconfigurations, missing patches, and potential vulnerabilities. Unlike penetration tests that actively exploit vulnerabilities to demonstrate impact, vulnerability assessments focus on identifying and cataloging security issues. Assessments use automated scanning tools like Nessus, Qualys, or OpenVAS to detect known vulnerabilities, analyze configurations against security baselines, identify outdated software versions, discover weak authentication mechanisms, and flag security misconfigurations. Results provide comprehensive inventories of potential security issues with severity ratings, affected systems, and remediation recommendations. Vulnerability assessments are typically less intrusive than penetration tests, can be performed more frequently, cover broader scope, and help organizations prioritize patching efforts. However, they may generate false positives requiring validation and cannot demonstrate real-world exploitation feasibility. Organizations use vulnerability assessments for regular security hygiene monitoring, compliance verification, and identifying remediation priorities. Penetration test is incorrect because it involves actively exploiting vulnerabilities to demonstrate actual security impact and determine what attackers could accomplish, going beyond mere identification. Red team exercise is incorrect because it simulates real-world adversary tactics using various attack vectors to test overall security program effectiveness, not just identifying vulnerabilities. Social engineering test is incorrect because it specifically tests human vulnerabilities through manipulation and deception techniques, not technical vulnerability identification.

Q153

Which protocol provides secure remote command-line access to systems using encryption?

A) Telnet

B) SSH

C) FTP

D) HTTP

Answer: B

Explanation:

Understanding secure protocols helps security professionals implement appropriate communication security. SSH (Secure Shell) provides secure remote command-line access to systems using encryption. SSH is a cryptographic network protocol that creates secure encrypted channels over unsecured networks for remote system administration, command execution, file transfers, and port forwarding. SSH operates on port 22 by default and provides strong authentication through passwords or public key cryptography, encrypted communications protecting confidentiality and integrity, and secure file transfer capabilities through SCP and SFTP. SSH replaced insecure protocols like Telnet and rlogin that transmitted credentials and data in cleartext. Common SSH uses include remote server administration, secure file transfers, tunneling other protocols through encrypted connections, and automated authentication for scripts using keys. SSH implementations include OpenSSH on Unix systems and various clients like PuTTY on Windows. Security best practices include disabling password authentication in favor of key-based authentication, using strong key algorithms, disabling root login, implementing two-factor authentication, restricting SSH access through firewalls, monitoring for suspicious authentication attempts, and keeping SSH software updated. Organizations should enforce SSH for all remote administration, replacing insecure alternatives. Telnet is incorrect because it provides unencrypted remote command-line access transmitting credentials and data in cleartext, making it completely insecure. FTP is incorrect because while it provides file transfer capabilities, standard FTP transmits data unencrypted, though SFTP over SSH provides a secure alternative. HTTP is incorrect because it is a protocol for web content transfer, not command-line access, though HTTPS provides encrypted web communications.

Q154

An attacker gains access to an organization by tailgating through a secure door behind an employee. What type of security control would BEST prevent this?

A) Firewall

B) Antivirus software

C) Mantrap

D) Encryption

Answer: C

Explanation:

Understanding physical security helps organizations implement comprehensive security programs protecting against both digital and physical threats. A mantrap would best prevent tailgating attacks where attackers follow employees through secure doors. Mantraps are physical security controls consisting of small spaces with two interlocking doors where only one door can be open at a time, requiring individual authentication for passage. When someone enters the mantrap and authenticates, the first door closes and locks before the second door opens, preventing multiple people from passing with single authentication. Mantraps physically enforce one-person-per-authentication policies making tailgating impossible. Advanced mantraps include weight sensors detecting multiple occupants, cameras for visual verification, biometric authentication, and security guard monitoring. Mantraps are deployed at high-security facilities protecting sensitive areas like data centers, research laboratories, financial institutions, and government facilities. Additional anti-tailgating controls include turnstiles allowing single-person passage, security guards actively monitoring entry points, surveillance cameras deterring unauthorized access, visitor management systems, access cards with photo identification, and security awareness training teaching employees to challenge tailgaters politely. Organizations should implement layered physical security appropriate to asset value and threat levels. Firewall is incorrect because it is a network security control filtering traffic between networks, not a physical security measure preventing tailgating. Antivirus software is incorrect because it protects against malware on computer systems, unrelated to physical access control. Encryption is incorrect because it protects data confidentiality through cryptographic transformation, not preventing physical unauthorized entry.

Q155

During a penetration test, you discover that a web application reflects user input in error messages without encoding. To confirm XSS vulnerability, which payload should you test?

A) ' OR '1'='1

B) <script>alert('XSS')</script>

C) ../../../../etc/passwd

D) ; cat /etc/passwd

Answer: B

Explanation:

Understanding appropriate payloads for different vulnerabilities helps ethical hackers efficiently identify security issues. The payload <script>alert('XSS')</script> should be tested to confirm XSS vulnerability when applications reflect user input in error messages without encoding. This is a standard XSS proof-of-concept payload that attempts to execute JavaScript code in the context of the vulnerable page. When input is reflected without proper HTML encoding, the script tags are interpreted as executable code rather than text, causing the browser to display an alert dialog. Successfully triggering the alert demonstrates that arbitrary JavaScript can be executed, confirming the XSS vulnerability. While alert dialogs are benign, the same vulnerability allows attackers to steal session cookies, capture keystrokes, redirect users, deface pages, or perform actions as victims. Ethical hackers use various XSS payloads to test different contexts including HTML context, JavaScript context, attribute context, and URL context, each requiring different encoding bypasses. After confirming XSS, testers should document the vulnerability, demonstrate realistic exploitation scenarios, and provide remediation guidance. Organizations fix XSS through output encoding based on context, input validation, Content Security Policy implementation, and security libraries. ' OR '1'='1 is incorrect because it is an SQL injection payload testing database query vulnerabilities, not XSS. ../../../../etc/passwd is incorrect because it is a directory traversal payload testing file access vulnerabilities. ; cat /etc/passwd is incorrect because it is a command injection payload testing operating system command execution, not cross-site scripting.
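The context-based output encoding the remediation above calls for, applied to the reflected error message from the question and to the other contexts the explanation lists (attribute, JavaScript, URL). This is an added example, not code from the question bank; the page fragments and the CSP value are constructed for it.

```python
import html
import json
from urllib.parse import quote

# The proof-of-concept payload from the question, used as constructed input.
PAYLOAD = "<script>alert('XSS')</script>"

# A Content Security Policy that refuses inline scripts as a second layer
# (assumed policy; tune source lists to the real application).
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'")


def render_error_vulnerable(user_input: str) -> str:
    """Reflects the input verbatim: the browser executes the <script> element."""
    return f"<p>Error: '{user_input}' was not found.</p>"


def encode_html(text: str) -> str:
    """HTML body and attribute context: & < > \" ' become entities."""
    return html.escape(text, quote=True)


def encode_js(text: str) -> str:
    """JavaScript string context: JSON-encode, then escape < > & so the value
    cannot close a <script> element, which plain JSON would still allow."""
    return (json.dumps(text)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def encode_url(text: str) -> str:
    """URL query-parameter context: percent-encode everything but unreserved characters."""
    return quote(text, safe="")


def render_error_html(user_input: str) -> str:
    """HTML body context: the same error message with the input encoded."""
    return f"<p>Error: '{encode_html(user_input)}' was not found.</p>"


def render_search_box(user_input: str) -> str:
    """Attribute context: quoted attribute plus entity encoding."""
    return f'<input name="q" value="{encode_html(user_input)}">'


def render_inline_js(user_input: str) -> str:
    """JavaScript context: the value is embedded inside a script block."""
    return f"<script>var lastQuery = {encode_js(user_input)};</script>"


def render_retry_link(user_input: str) -> str:
    """URL context inside an href."""
    return f'<a href="/search?q={encode_url(user_input)}">retry</a>'


def reflects_script(rendered: str) -> bool:
    """True if the raw payload survives into the page, i.e. the reflection is exploitable."""
    return PAYLOAD in rendered
```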

Q156 

Which attack technique involves sending specially crafted packets with both SYN and FIN flags set to identify open ports through firewall responses?

A) SYN scan

B) FIN scan

C) XMAS scan

D) NULL scan

Answer: C

Explanation:

Understanding various scan types helps ethical hackers select appropriate reconnaissance methods. XMAS scan involves sending packets with SYN, FIN, and URG flags set simultaneously to identify open ports through firewall responses. The name comes from the packet having multiple flags “lit up” like a Christmas tree. XMAS scans exploit how systems respond to unusual flag combinations according to RFC specifications. Closed ports should respond with RST packets while open ports should not respond at all or drop the packets. This behavior allows mapping open ports stealthily because XMAS scans may bypass simple firewalls that only filter SYN packets. However, XMAS scans have limitations including unreliability on Windows systems that do not follow RFC specifications correctly, potential detection by intrusion detection systems recognizing unusual flag combinations, and modern firewalls increasingly filtering these anomalous packets. XMAS scans are used during penetration tests to identify open ports when standard SYN scans are blocked, though results require careful interpretation. Other stealthy scan types include FIN scans, NULL scans, and ACK scans, each using different flag combinations to elicit responses revealing port states. Organizations detect unusual scans through intrusion detection systems, monitor for scan patterns, and implement firewalls that filter malformed packets. SYN scan is incorrect because it uses only SYN flags to initiate connections, the most common and reliable scan type but not using multiple flags simultaneously. FIN scan is incorrect because it sends only FIN flags, not combined with SYN. NULL scan is incorrect because it sends packets with no flags set, the opposite of multiple flags like XMAS scans.
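The detection side of the explanation (an IDS recognising unusual flag combinations), as an added Python example that is not part of the exam page: a classifier labels each TCP segment by its flag combination and a summary counts anomalous probes per source. The flag bit values follow the TCP header layout; the sample segments and addresses are constructed.

```python
from collections import Counter

# TCP flag bits as laid out in the header's flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def classify_flags(flags: int) -> str:
    """Label a TCP segment by its flag combination, the way a simple IDS rule would."""
    if flags == 0:
        return "NULL"       # no flags at all
    if flags & ACK:
        return "ACK"        # established traffic, or an ACK scan
    if flags & RST:
        return "RST"        # a reset without ACK
    if flags == FIN:
        return "FIN"        # lone FIN on a connection that was never opened
    if flags == SYN:
        return "SYN"        # handshake start, or a SYN scan
    # Two or more of FIN/SYN/PSH/URG lit up with no ACK: no legitimate segment
    # looks like this, and SYN together with FIN is contradictory outright.
    return "XMAS"

ANOMALOUS = {"NULL", "FIN", "XMAS"}

# Constructed sample: one normal client (192.0.2.10, 192.0.2.11) and one scanner (203.0.113.9).
SAMPLE_SEGMENTS = [
    ("192.0.2.10", SYN), ("192.0.2.10", ACK), ("192.0.2.10", PSH | ACK),
    ("203.0.113.9", SYN | FIN | URG), ("203.0.113.9", FIN | PSH | URG),
    ("203.0.113.9", 0), ("203.0.113.9", FIN),
    ("192.0.2.11", FIN | ACK),
]

def count_anomalous_probes(segments):
    """segments: iterable of (src_ip, flags). Returns {src_ip: anomalous count}
    for every source that sent at least one anomalous combination."""
    return dict(Counter(src for src, flags in segments
                        if classify_flags(flags) in ANOMALOUS))
```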

Q157 

An ethical hacker discovers that an application uses predictable session tokens. Which attack can exploit this vulnerability?

A) Session hijacking

B) SQL injection

C) Buffer overflow

D) Directory traversal

Answer: A

Explanation:

Understanding session security helps organizations implement proper authentication state management. Session hijacking is the attack that exploits predictable session tokens. Session hijacking involves stealing or predicting session identifiers to impersonate authenticated users without knowing their passwords. When applications use predictable session tokens with patterns that can be guessed or calculated, attackers can generate valid session IDs for other users. Predictability occurs when applications use weak random number generators, sequential session IDs, timestamps, or other predictable values for token generation. Attackers analyze multiple session tokens to identify patterns, then generate tokens for target accounts. Once valid session tokens are obtained through prediction, stealing from network traffic, or other means, attackers submit them to applications to gain authenticated access. Session hijacking allows accessing sensitive data, performing unauthorized transactions, and compromising accounts. Proper session management requires cryptographically strong random session ID generation making prediction computationally infeasible, sufficient token length and complexity, token regeneration after authentication and privilege changes, secure transmission using HTTPS with secure and HTTPOnly cookie flags, appropriate timeouts, and binding sessions to additional factors like IP addresses. Organizations should regularly test session token randomness and implement comprehensive session security controls. SQL injection is incorrect because it exploits database query construction, not session token predictability. Buffer overflow is incorrect because it corrupts memory through excessive input, unrelated to session management. Directory traversal is incorrect because it manipulates file paths to access unauthorized files, not exploiting session tokens.
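Predictable versus cryptographically strong session IDs, as an added Python example that is not from the exam page: a weak generator built from a timestamp and a counter (the pattern the explanation describes), a `secrets`-based generator, and a small audit heuristic that samples several tokens and checks whether their numeric tail advances by a constant step. The generator classes and the heuristic are constructed for this example.

```python
import itertools
import re
import secrets
import time

class PredictableSessionIds:
    """Weak generator modelled on the explanation: a coarse timestamp plus a counter.
    Anyone who sees two tokens can compute the next one."""
    def __init__(self, start: int = 1000):
        self._counter = itertools.count(start)

    def next_token(self) -> str:
        return f"{int(time.time())}-{next(self._counter)}"

def strong_session_id(nbytes: int = 32) -> str:
    """CSPRNG-backed token (secrets uses os.urandom); 32 bytes gives 256 bits of entropy."""
    return secrets.token_urlsafe(nbytes)

def numeric_tail(token: str):
    """Trailing run of at least three digits, or None (the field a sequential scheme leaks)."""
    m = re.search(r"(\d{3,})$", token)
    return int(m.group(1)) if m else None

def looks_sequential(tokens, min_samples: int = 4) -> bool:
    """Audit heuristic: do consecutive tokens' numeric tails differ by one constant step?"""
    tails = [numeric_tail(t) for t in tokens]
    if len(tails) < min_samples or any(t is None for t in tails):
        return False
    steps = {b - a for a, b in zip(tails, tails[1:])}
    return len(steps) == 1

def audit(generate, samples: int = 6) -> dict:
    """Collect `samples` tokens from a generator and report the properties a tester checks."""
    tokens = [generate() for _ in range(samples)]
    return {
        "sequential": looks_sequential(tokens),
        "unique": len(set(tokens)) == samples,
        "min_length": min(len(t) for t in tokens),
    }
```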

Q158 

Which tool is specifically designed for password cracking and supports GPU acceleration for faster hash cracking?

A) Nmap

B) Wireshark

C) Hashcat

D) Burp Suite

Answer: C

Explanation:

Understanding tool capabilities helps ethical hackers select appropriate tools for different testing scenarios. Hashcat is specifically designed for password cracking and supports GPU acceleration for faster hash cracking. Hashcat is a powerful advanced password recovery tool supporting numerous hash algorithms including MD5, SHA1, SHA256, NTLM, bcrypt, and many others. The tool’s distinguishing feature is GPU acceleration using graphics processing units for parallel processing, dramatically increasing cracking speed compared to CPU-only tools. Modern GPUs with thousands of cores can test billions of password candidates per second. Hashcat supports various attack modes including dictionary attacks using wordlists, combinator attacks joining words, mask attacks defining character patterns for targeted brute force, hybrid attacks combining wordlists with rules, and rule-based attacks applying transformations to dictionary words. The tool handles various hash formats, can crack multiple hashes simultaneously, includes optimization for different hardware, and provides detailed performance statistics. Ethical hackers use Hashcat during penetration tests to crack captured password hashes, assess password policy effectiveness, and demonstrate weak password vulnerabilities. Organizations defend by implementing strong password policies requiring length and complexity, using slow hash algorithms like bcrypt or Argon2 resistant to GPU acceleration, implementing account lockouts, monitoring for credential stuffing, and enforcing multi-factor authentication. Nmap is incorrect because it performs network scanning and reconnaissance, not password cracking. Wireshark is incorrect because it captures and analyzes network traffic, not a cracking tool. Burp Suite is incorrect because it tests web application security through traffic interception and manipulation, not password hash cracking.

Q159 

An attacker exploits a race condition vulnerability in a banking application to perform unauthorized transactions. What is a race condition?

A) A SQL injection vulnerability

B) A timing-dependent bug where operations execute in unexpected order

C) A buffer overflow that corrupts memory

D) A cross-site scripting vulnerability

Answer: B

Explanation:

Understanding race conditions helps security professionals identify and prevent complex synchronization issues. A race condition is a timing-dependent bug where operations execute in unexpected order leading to security vulnerabilities. Race conditions occur when multiple processes or threads access shared resources concurrently without proper synchronization, and the outcome depends on the precise timing or sequence of execution. In security contexts, attackers exploit race conditions by manipulating timing to create situations where security checks pass but conditions change before actions execute. Common examples include time-of-check-time-of-use vulnerabilities where security verification and actual use of resources occur at different times, allowing attackers to modify resources between check and use. In banking applications, attackers might exploit race conditions to withdraw funds multiple times before account balances update, transfer money from accounts being closed, or bypass transaction limits through concurrent requests. Other vulnerable scenarios include file system operations, privilege checks, and resource allocation. Race conditions are difficult to detect through testing because they depend on precise timing and may occur infrequently. Organizations prevent race conditions through proper synchronization mechanisms like locks and semaphores, atomic operations, transaction isolation in databases, immutable objects, careful code review, and extensive testing including thread analysis tools. SQL injection vulnerability is incorrect because it exploits database queries, not timing-dependent bugs. Buffer overflow is incorrect because it corrupts memory through excessive input, not synchronization issues. Cross-site scripting is incorrect because it injects malicious scripts, unrelated to race conditions.
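The banking double-withdrawal from the explanation, as an added Python example that is not from the exam page: a check-then-act withdrawal with no synchronization beside the same logic under a lock, driven by two concurrent requests. A barrier placed in the check/use window stands in for the scheduler interleaving the requests; the account, amounts and harness are constructed for this example.

```python
import threading

class Account:
    def __init__(self, balance: int):
        self.balance = balance
        self.lock = threading.Lock()

def withdraw_vulnerable(acct: Account, amount: int, interleave) -> bool:
    """Check-then-act with no synchronization: the classic TOCTOU shape."""
    if acct.balance >= amount:      # time of check
        interleave()                # another request is scheduled here
        acct.balance -= amount      # time of use: the balance may have changed
        return True
    return False

def withdraw_safe(acct: Account, amount: int, interleave) -> bool:
    """Check and debit under one lock, so they form a single atomic step."""
    with acct.lock:
        if acct.balance >= amount:
            interleave()
            acct.balance -= amount
            return True
        return False

def run_concurrent_withdrawals(withdraw, start_balance=100, amount=100, requests=2):
    """Fire `requests` withdrawals at once and return (final balance, total paid out).
    A barrier inside the check/use window holds each request until all have passed
    their check, which is the interleaving an attacker races for."""
    acct = Account(start_balance)
    barrier = threading.Barrier(requests)
    paid = []

    def interleave():
        try:
            barrier.wait(timeout=1.0)
        except threading.BrokenBarrierError:
            pass    # the other requests never arrive (blocked on the lock): carry on

    def worker():
        if withdraw(acct, amount, interleave):
            paid.append(amount)

    threads = [threading.Thread(target=worker) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return acct.balance, sum(paid)
```

With a balance of 100, the unsynchronized version pays out 200 across the two requests; the locked version pays out 100 and leaves the balance at 0.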

Q160 

During a penetration test, you need to establish a reverse shell from a compromised system to your attack machine. What is the PRIMARY purpose of a reverse shell?

A) To scan for open ports

B) To provide remote command execution by connecting

C) To perform SQL injection attacks

D) To capture network traffic

Answer: B

Explanation:

The primary purpose of a reverse shell is to provide remote command execution by connecting back to the attacker. Reverse shells work opposite to normal remote access where clients connect to servers. Instead, the compromised system initiates an outbound connection to the attacker’s machine, which then provides command-line access. This technique is valuable because outbound connections typically face fewer firewall restrictions than inbound connections, allowing attackers to bypass network security controls. Firewalls commonly block incoming connections to protect internal systems but allow outbound connections for legitimate internet access. Reverse shells exploit this asymmetry by having compromised systems connect outward to attacker-controlled servers. Common reverse shell implementations use netcat, bash, Python, PowerShell, or other scripting languages available on target systems. Attackers set up listeners on their machines awaiting connections, then execute reverse shell commands on compromised systems. Once established, reverse shells provide interactive command execution allowing file system navigation, data exfiltration, lateral movement, and additional malware installation. Organizations detect reverse shells through network monitoring for unusual outbound connections, analyzing command-line process execution, implementing egress filtering restricting outbound connections, deploying endpoint detection and response solutions, and monitoring for suspicious process behaviors. Scanning for open ports is incorrect because port scanning identifies services on target systems for initial reconnaissance, not the purpose of reverse shells established after compromise. Performing SQL injection attacks is incorrect because SQL injection exploits database vulnerabilities during initial attack phases, not maintaining access through reverse shells. Capturing network traffic is incorrect because packet capture analyzes network communications, whereas reverse shells provide interactive command execution capabilities.
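The detection approach the explanation lists (unusual outbound connections plus process lineage), as an added Python example that is not from the exam page: a hunt over endpoint telemetry that flags shells and interpreters opening outbound connections, scored higher when the parent is a network service or the destination port is not a usual egress port. The key=value log format, the sample lines and the process lists are constructed for this example.

```python
import re

# Constructed endpoint telemetry (one network event per line); not real logs.
SAMPLE_EVENTS = """\
ts=2024-05-01T10:00:01Z host=web01 event=net_connect dir=out pid=4120 exe=/bin/bash ppid=2210 pexe=/usr/sbin/apache2 dst=203.0.113.7:4444
ts=2024-05-01T10:00:02Z host=web01 event=net_connect dir=out pid=4131 exe=/usr/bin/curl ppid=2210 pexe=/usr/sbin/apache2 dst=203.0.113.7:443
ts=2024-05-01T10:00:03Z host=app02 event=net_connect dir=out pid=5001 exe=/usr/bin/python3 ppid=1 pexe=/sbin/init dst=198.51.100.9:4444
ts=2024-05-01T10:00:04Z host=app02 event=net_connect dir=in pid=5002 exe=/bin/sh ppid=900 pexe=/usr/sbin/sshd dst=10.0.0.5:22
ts=2024-05-01T10:00:05Z host=db01 event=net_connect dir=out pid=6100 exe=/usr/bin/python3 ppid=6000 pexe=/usr/sbin/cron dst=10.0.0.50:443
"""

# Binaries that give an interactive shell or run scripts, and parents that should never spawn one.
SHELLS_AND_INTERPRETERS = {"bash", "sh", "dash", "zsh", "python", "python3", "perl", "nc", "ncat", "socat", "pwsh"}
SERVER_PARENTS = {"apache2", "httpd", "nginx", "php-fpm", "tomcat"}
COMMON_EGRESS_PORTS = {53, 80, 443}

def parse_event(line: str) -> dict:
    return dict(re.findall(r"(\w+)=(\S+)", line))

def reverse_shell_indicators(ev: dict) -> list:
    """Reasons this event resembles a reverse shell (empty list if none). Only outbound
    connections count: a reverse shell is by definition the victim dialling out."""
    reasons = []
    if ev.get("dir") != "out":
        return reasons
    exe = ev["exe"].rsplit("/", 1)[-1]
    parent = ev["pexe"].rsplit("/", 1)[-1]
    port = int(ev["dst"].rsplit(":", 1)[-1])
    if exe in SHELLS_AND_INTERPRETERS:
        reasons.append(f"shell/interpreter {exe} opened an outbound connection")
        if parent in SERVER_PARENTS:
            reasons.append(f"spawned by network service {parent}")
        if port not in COMMON_EGRESS_PORTS:
            reasons.append(f"uncommon egress port {port}")
    return reasons

def hunt(log_text: str) -> dict:
    """Map pid -> list of reasons for every event with at least one indicator;
    more reasons means a stronger case for triage."""
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        reasons = reverse_shell_indicators(ev)
        if reasons:
            alerts[ev["pid"]] = reasons
    return alerts
```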

 
