Steve, an attacker, created a fake profile on a social media website and sent a request to Stella. Stella was enthralled by Steve ' s profile picture and the description given for his profile, and she initiated a conversation with him soon after accepting the request. After a few days, Steve started asking about her company details and eventually gathered all the essential information regarding her company. What is the social engineering technique Steve employed in the above scenario?
A penetration tester is assessing a web application that does not properly sanitize user input in the search field. The tester suspects the application is vulnerable to a SQL injection attack. Which approach should the tester take to confirm the vulnerability?
While performing a SYN (half-open) scan using Nmap, you send a SYN packet to a target IP address and receive a SYN/ACK response. How should this result be interpreted?
A penetration tester suspects that a web application ' s user profile page is vulnerable to SQL injection, as it uses the userID parameter in SQL queries without proper sanitization. Which technique should the tester use to confirm the vulnerability?
A hacker is analyzing a system that uses two rounds of symmetric encryption with different keys. To speed up key recovery, the attacker encrypts the known plaintext with all possible values of the first key and stores the intermediate ciphertexts. Then, they decrypt the final ciphertext using all possible values of the second key and compare the results to the stored values. Which cryptanalytic method does this approach represent?
During a scheduled red team engagement at a regional investment firm in Phoenix, Arizona, security consultants were permitted limited after-hours access to employee workstations. As part of the evaluation, a small intermediary device was placed inline between a keyboard and its connected desktop system.
Over time, the device began forwarding captured keystroke activity through the company’s established wireless environment, allowing the assessment team to collect periodic log data without interacting further with the workstation.
What type of keylogger does this scenario describe?
A technology consulting firm in Portland, Oregon began experiencing repeated topology recalculations across its switching infrastructure. Shortly after a newly connected device came online in a conference room, spanning-tree convergence events were triggered across multiple distribution switches. Engineers determined that the access-layer interface connected to that device was influencing path-selection decisions, introducing a more favorable bridge priority value into the environment and affecting the established hierarchy. To preserve the intended switching structure and prevent unauthorized devices from altering root selection decisions, which control should be employed?
During an internal security assessment of a medium-sized enterprise network, a security analyst notices an unusual spike in ARP traffic. Closer inspection reveals that one particular MAC address is associated with multiple IP addresses across different subnets. The ARP packets were unsolicited replies rather than requests, and several employees from different departments have reported intermittent connection drops, failed logins, and broken intranet sessions. The analyst suspects an intentional interference on the local network segment. What is the most likely cause of this abnormal behavior?
During an internal penetration test within a large corporate environment, the red team gains access to an unrestricted network port in a public-facing meeting room. The tester deploys an automated tool that sends thousands of DHCPDISCOVER requests using randomized spoofed MAC addresses. The DHCP server’s lease pool becomes fully depleted, preventing legitimate users from obtaining IP addresses. What type of attack did the penetration tester perform?
Which method best bypasses client-side controls without triggering server-side alarms?
This type of security test might seek to target the CEO ' s laptop or the organization ' s backup tapes to extract critical information, usernames, and passwords.
An organization uses SHA-256 for data integrity verification but still experiences unauthorized data modification. Which cryptographic tool would best resolve this issue?
During a penetration test at Rocky Mountain Insurance in Denver, ethical hacker Sophia Nguyen attempts to evade detection by fragmenting malicious traffic into smaller packets. The IT security team counters her strategy with a system that monitors traffic for deviations from established baselines, flagging behavior that does not match normal network activity. This allows them to stop Sophia’s evasion attempts in real time.
Which detection technique is the IT team most likely using in this case?
You perform a SYN (half-open) scan and receive a SYN/ACK packet in response. How should this result be interpreted?
A penetration tester completes a vulnerability scan showing multiple low-risk findings and one high-risk vulnerability tied to outdated server software. What should the tester prioritize as the next step?
Your company was hired by a small healthcare provider to perform a technical assessment on the network. What is the best approach for discovering vulnerabilities on a Windows-based computer?
An ethical hacker needs to gather sensitive information about a company ' s internal network without engaging directly with the organization ' s systems to avoid detection. Which method should be employed to obtain this information discreetly?
Malware uses Background Intelligent Transfer Service (BITS) to evade detection. Why is BITS attractive to attackers?
During which step of the incident response process would you be tasked with building the team, identifying roles, and testing the communication system?
This type of security test usually takes on an adversarial role and looks to see what an outsider can access and control.
At Liberty Mutual ' s cybersecurity operations center in Boston, network engineer Marcus is troubleshooting a critical issue during peak transaction hours. Multiple VLANs are experiencing intermittent access delays, and several endpoints including those on isolated VLANs are receiving network traffic not intended for them, raising concerns about data exposure. Marcus notices that the issue began after a newly imaged workstation used by an intern named Lisa was connected to a trunk port in the server room. Switch logs indicate abnormal traffic patterns overwhelming the network.
Which sniffing technique is Lisa ' s workstation most likely using to cause this behavior?
You are an ethical hacker at RedOak Cyber Solutions, contracted to perform a penetration test for MetroHealth Hospital in Cleveland, Ohio. While assessing the hospital ' s appointment booking portal, you craft and submit multiple malicious inputs into the patient search field. One of your payloads successfully manipulates the backend query, returning additional appointment data that was not intended to be displayed.
Based on the observed behavior, which step of the SQL injection methodology are you performing?
An attacker performs DNS cache snooping using dig +norecurse. The DNS server returns NOERROR but no answer. What does this indicate?
“ShadowFlee” is fileless malware using PowerShell and legitimate tools. Which strategy offers the most focused countermeasure?
You discover an unpatched Android permission-handling vulnerability on a device with fully updated antivirus software. What is the most effective exploitation approach that avoids antivirus detection?
A large media-streaming company receives complaints that its web application is timing out or failing to load. Security analysts observe the web server is overwhelmed with a large number of open HTTP connections, transmitting data extremely slowly. These connections remain open indefinitely, exhausting server resources without consuming excessive bandwidth. The team suspects an application-layer DoS attack. Which attack is most likely responsible?
A penetration tester gains access to a target system through a vulnerability in a third-party software application. What is the most effective next step to take to gain full control over the system?
On July 9, 2025, during a security penetration test at MedSecure Health in Phoenix, Arizona, the ethical hacking team evaluates the resilience of the company ' s patient portal system. Ethical hacker Aisha Khan initiates a controlled test that generates sustained traffic pressure against the web application servers. As system responsiveness declines, the IT operations team reallocates backend resources, suspending lower-priority modules such as system alerts and notification services, allowing high-priority functions like prescription refills and patient check-ins to remain accessible. Aisha’s controlled simulation is designed to assess the IT team’s ability to maintain critical functionality under partial resource exhaustion.
What DoS DDoS countermeasure strategies is Aisha’s exercise primarily simulating?
An attacker extracts the initial bytes from an encrypted file container and uses a tool to iterate through numeric combinations. What type of cryptanalytic technique is being utilized?
A REST API uses user-provided object IDs without authorization checks. What flaw is this?
A Windows machine shows disabled Windows Defender without admin approval. What phase is this?
A cloud storage provider discovers that an unauthorized party obtained a complete backup of encrypted database files containing archived client communications. The attacker did not compromise the encryption keys, nor is there evidence that any original plaintext records were exposed.
A forensic cryptography specialist reviewing the breach considers the possibility that the adversary is attempting to analyze the encrypted data in isolation, searching for statistical irregularities or structural repetition within the encrypted output to infer meaningful information.
To properly assess the organization’s exposure, the specialist must determine which cryptanalytic approach best matches an attack conducted using only the intercepted encrypted data.
As a cybersecurity professional at XYZ Corporation, you are tasked with investigating anomalies in system logs that suggest potential unauthorized activity. System administrators have detected repeated failed login attempts on a critical server, followed by a sudden surge in outbound data traffic. These indicators suggest a possible compromise. Given the sensitive nature of the system and the sophistication of the threat, what should be your initial course of action?
In the bustling tech hub of Boston, Massachusetts, ethical hacker Zara Nguyen dives into the digital fortifications of CloudCrafter, a US-based platform hosting web applications for small businesses. Tasked with probing the application’s input processing, Zara submits specially crafted inputs to a server administration panel. Her tests uncover a severe vulnerability: the system performs unintended operations at the system level, enabling access to restricted server resources. Further scrutiny reveals the flaw lies in the application’s failure to sanitize user input passed to system-level execution, not in altering directory service queries, injecting newline characters, or targeting cloud-specific environments. Dedicated to strengthening the platform, Zara drafts a precise report to guide CloudCrafter’s security team toward urgent fixes.
Which injection attack type is Zara most likely exploiting in CloudCrafter’s web application?
During LDAP-based enumeration, you observe that some critical information cannot be retrieved. What is the most likely reason?
An IoT traffic light shows anomalous traffic to an external IP and has an open port. What should be your next step?
Peter extracts the SIDs list from Windows 2000 Server machine using the hacking tool “SIDExtractor”. Here is the output of the SIDs: From the above list identify the user account with System Administrator privileges.
A penetration tester discovers that a web application is using outdated SSL/TLS protocols (TLS 1.0) to secure communication. What is the most effective way to exploit this vulnerability?
Joe, a cybersecurity analyst at Norwest Freight Services, has been assigned to run a vulnerability scan across the organization ' s infrastructure. He is specifically tasked with detecting weaknesses such as missing patches, unnecessary services, weak encryption, and authentication flaws across multiple servers. His scan identifies open ports and active services throughout the environment, providing a clear map of potential entry points for attackers.
Which type of vulnerability scanning best matches Joe ' s assignment?
A zero-day vulnerability is actively exploited in a critical web server, but no vendor patch is available. What should be the FIRST step to manage this risk?
During a review for DoS threats, several IP addresses generate excessive traffic. Packet inspection shows the TCP three-way handshake is never completed, leaving many connections in a SYN_RECEIVED state and consuming server resources without completing sessions. What type of DoS attack is most likely occurring?
During routine network monitoring, the blue team notices several LLMNR and NBT-NS broadcasts originating from a workstation attempting to resolve an internal hostname. They also observe suspicious responses coming from a non-corporate IP address that claims to be the requested host. Upon further inspection, the security team suspects that an attacker is impersonating network resources to capture authentication attempts. What type of password-cracking setup is likely being staged?
During a security review for a healthcare provider in Denver, Colorado, Ava examines the header of a suspicious message to map the sender ' s outbound email infrastructure. Her goal is to identify which specific system on the sender ' s side processed the message so the team can understand where the transmission originated within that environment. Which detail from the email header should she examine to determine this?
Bluetooth devices are suspected of being targeted by a Bluesnarfing attack. What is the most effective countermeasure?
You’ve just performed a port scan against an internal device during a routine pen test. Nmap returned the following response: Starting NMAP 7.30 at 2021-10-10 11:06 NMAP scan report for 192.168.123.100 Host is up (1.00s latency). Not shown: 993 closed ports PORT STATE SERVICE 80/tcp open http 161/tcp open snmp 515/tcp open lpd MAC Address: 00:1B:A9:01:3a:21 Based on this scan result, which of the following is most likely correct?
A media streaming company in Los Angeles, California engages a certified ethical hacker to evaluate the resilience of its cloud-hosted infrastructure. After initial access is obtained through an exposed credential in a development repository, the tester systematically modifies logging configurations, establishes alternate access keys for persistence, and documents privilege relationships between services within the tenant.
The tester’s actions are focused on maintaining continued access and mapping the internal structure of the environment after initial compromise has occurred.
Within the cloud attack lifecycle, which phase best represents this stage of activity?
An authorized security assessment is performed on a public-sector services portal in Madison, Wisconsin. After authenticating with a controlled test account, the assessor captures the authentication identifier issued by the application.
Under controlled lab conditions, she attempts to reuse the captured identifier from a separate machine connected through a different encrypted channel. Although the identifier remains valid and within its lifetime, the application rejects the request when presented from the alternate environment.
Analysis indicates that the server evaluates characteristics associated with the original secure exchange before allowing continued use of the issued identifier.
Which defensive mechanism most likely explains this behavior?
A financial technology firm in Atlanta, Georgia launches an internal investigation after multiple employees report that a popular messaging application on their Android devices has begun displaying excessive advertisements and behaving unpredictably. Security analysts discover that users had installed a utility application from a third-party marketplace weeks earlier. Further examination shows that this application silently replaced certain legitimate apps already present on the device. The compromised applications were then used to generate large volumes of advertisements and collect user data for external transmission. Based on the observed behavior, what malware is most consistent with this incident?
During a penetration test at a manufacturing company in Detroit, Amanda, a senior security consultant, scans several legacy Linux servers. On one host, she discovers an open port used for file transfer that allows anonymous login. Once connected, she is able to view the directory structure and check available files, which helps her identify potential sensitive information exposure. She also notices background traffic on a UDP service related to NetBIOS name lookups, but she continues probing the file transfer service to confirm user access weaknesses.
Which ports and services should Amanda prioritize for this enumeration activity?
You are Sameer Das, an ethical hacker hired by a national utilities provider to assess the resilience of its power grid infrastructure. During your red team operation, you conduct a phishing campaign targeting field engineers and successfully gain access to the internal OT network. From there, you identify unsecured access to the substation’s programmable controllers and replace one of the system’s firmware components with a custom payload. This payload silently processes your commands while maintaining access across reboots. Based on this action, which type of IoT OT threat are you simulating?
In a controlled testing environment in Houston, Sarah, an ethical hacker, is tasked with evaluating the security posture of a financial firm’s network using the cyber kill chain methodology. She begins by simulating an attack, starting with gathering publicly available data about the company’s employees and infrastructure. Next, she plans to craft a mock phishing email to test employee responses, followed by deploying a harmless payload to assess system vulnerabilities. As part of her authorized penetration test, what phase of the cyber kill chain should Sarah prioritize to simulate the adversary’s approach effectively?
During a network security audit at Jefferson National Bank in Richmond, Virginia, ethical hacker Thomas Reed is tasked with identifying vulnerabilities in employee login processes on VLAN 20, which connects client services workstations to the customer account database server. He sets up a Wireshark instance on a monitoring workstation configured in mirror mode behind a managed switch to capture traffic. His goal is to detect unencrypted authentication credentials transmitted over HTTP during login sessions. Which Wireshark feature should Thomas use to isolate and analyze these credentials in real time, and how does it assist him?
Which of the following best describes an attack that altered the contents of two critical files?
As part of an authorized security assessment at a maritime logistics firm in Charleston, South Carolina, an ethical hacker evaluated the organization’s resilience to coordinated endpoint compromise.
Employees received a carefully crafted email attachment disguised as a routine operational update. After execution on several systems, monitoring tools later revealed that the infected machines periodically contacted an external host controlled by the tester.
Over time, the compromised systems began receiving commands from a centralized control server and simultaneously generated coordinated network traffic toward designated targets when instructed, without any direct user interaction.
From a malware classification standpoint, what component is being simulated in this scenario?
A penetration tester is hired to legally assess the security of a company ' s network by identifying vulnerabilities and attempting to exploit them. What type of hacker is this?
An attacker gained escalated privileges on a critical server. What should be done FIRST to contain the threat with minimal disruption?
A penetration tester intercepts HTTP requests between a user and a vulnerable web server. The tester observes that the session ID is embedded in the URL, and the web application does not regenerate the session upon login. Which session hijacking technique is most likely to succeed in this scenario?
A fintech startup in Austin, Texas deploys several virtual machines within a public cloud environment. During an authorized cloud security assessment, a tester uploads a small script to one of the instances through a web application vulnerability.
After executing the script locally on the instance, the tester retrieves temporary access credentials associated with the instance’s assigned role. These credentials are then used to enumerate storage resources and access additional cloud services within the same account.
Which cloud attack technique best corresponds to this activity?
While assessing a web server, a tester sends malformed HTTP requests and compares responses to identify the server type and version. What technique is being employed?
During a routine security audit, administrators discover that cloud storage backups were illegally accessed and modified. Which countermeasure would most directly mitigate such incidents in the future?
An AWS security operations team receives an alert regarding abnormal outbound traffic from an EC2 instance. The instance begins transmitting encrypted data packets to an external domain that resolves to a Dropbox account not associated with the organization. Further analysis reveals that a malicious executable silently modified the Dropbox sync configuration to use the attacker ' s access token, allowing automatic synchronization of internal files to the attacker’s cloud storage. What type of attack has likely occurred?
An ethical hacker audits a hospital’s wireless network secured with WPA using TKIP and successfully performs packet injection and decryption attacks. Which WPA vulnerability most likely enabled this?
A Java app allows file download via user-controlled path. What attack is possible?
During a red team assessment, an ethical hacker must map a large multinational enterprise’s external attack surface. Due to strict rules of engagement, no active scans may be used. The goal is to identify publicly visible subdomains to uncover forgotten or misconfigured services. Which method should the ethical hacker use to passively enumerate the organization’s subdomains?
A penetration tester is assessing a web application that employs secure, HTTP-only cookies, regenerates session IDs upon login, and uses strict session timeout policies. To hijack a user ' s session without triggering the application ' s security defenses, which advanced technique should the tester utilize?
A penetration tester performs a vulnerability scan on a company’s web server and identifies several medium-risk vulnerabilities related to misconfigured settings. What should the tester do to verify the vulnerabilities?
A defense contractor in Arlington, Virginia, initiated an internal awareness exercise to test employee susceptibility to human-based manipulation. During the assessment, an individual posing as an external recruitment consultant began casually engaging several engineers at a nearby industry networking event. Over multiple conversations, the individual gradually steered discussions toward current research initiatives, development timelines, and internal project code names. No direct requests for credentials or system access were made. Instead, the information was obtained incrementally through carefully crafted questions embedded within informal dialogue. Which social engineering technique is most accurately demonstrated in this scenario?
An ethical hacker needs to enumerate user accounts and shared resources within a company ' s internal network without raising any security alerts. The network consists of Windows servers running default configurations. Which method should the hacker use to gather this information covertly?
A penetration tester extracts NTLM hashes but does not crack them, instead reuses them to authenticate. What attack is this?
An employee finds a USB drive labeled “Employee Salary Info 2024” and plugs it into a company computer, causing erratic behavior. What type of social engineering attack is this?
Olivia, a cybersecurity architect at a Boston-based fintech company, is tasked with upgrading the organization ' s cryptographic infrastructure in preparation for future quantum computing threats. A recent internal audit flagged that sensitive customer data stored in the company ' s cloud environment could be vulnerable if quantum decryption methods become practically viable. To strengthen their post-quantum defense, Olivia must recommend a proactive cryptographic control that ensures long-term confidentiality of stored data, even against advanced quantum attackers.
Which cryptographic defense should Olivia prioritize to mitigate the risk of future quantum-based decryption?
Kevin and his friends are going through a local IT firm ' s garbage. Which of the following best describes this activity?
As an Ethical Hacker, you have been asked to test an application’s vulnerability to SQL injection. During testing, you discover an entry field that appears susceptible. However, the backend database is unknown, and regular SQL injection techniques have failed to produce useful information. Which advanced SQL injection technique should you apply next?
Prior to a federal audit, a cybersecurity consulting firm conducted an exposure review for a software company in Salt Lake City, Utah. The engagement focused on evaluating infrastructure reachable through the organization’s publicly registered domain records. The consultants identified open service ports on several servers, examined their patch levels for outdated components, and reviewed available DNS zone information to understand how systems were presented to remote systems. Based on the activities described, what type of vulnerability scanning is being performed?
You are an ethical hacker at Northpoint Assessments, engaged to map the wireless footprint around Harborview Plaza in San Francisco, California. To enumerate nearby networks and prompt devices to reveal SSIDs and capabilities, you actively send crafted management frames from your laptop and log each AP ' s immediate responses (including probe responses and capability information), rather than only listening for broadcasts. Based on the described activity, which Wi-Fi discovery technique are you performing?
Ethan works as a penetration tester at CyberGuard Solutions, a cybersecurity consulting firm in Raleigh, North Carolina. During an authorized security assessment of a regional insurance company, Ethan was provided with a set of password hashes to evaluate the strength of employee-generated credentials.
To test resistance against word-based password creation patterns, Ethan supplied a single custom wordlist containing common organizational terms and department names into his cracking tool. The tool automatically generated password candidates by linking multiple entries from that same list in varying combinations before attempting to match them against the hashes.
This approach proved highly effective against passwords formed by concatenating familiar words.
Which of the following password-cracking techniques is Ethan using?
The tools which receive event logs from servers, network equipment, and applications, and perform analysis and correlation on those logs, and can generate alarms for security relevant issues, are known as what?
You are conducting a security audit at a government agency. During your walkthrough, you observe a temporary contractor sitting in the staff lounge using their smartphone to discretely record employees as they enter passwords into their systems. Upon further investigation, you find discarded documents in a nearby trash bin containing sensitive project information. What type of attack is most likely being performed?
In Dallas, Texas, ethical hacker Ethan Brooks is hired by Lone Star Credit Union to assess the security of their online banking portal, which processes customer transactions. During his penetration test, Ethan probes the web server hosting the portal, experimenting with crafted URL requests. He notices that by altering the URL parameters in a specific way, the server returns data from areas of the system that should be restricted, revealing configuration files not intended for public access. Suspecting this behavior indicates a vulnerability, Ethan documents the issue to help the security team strengthen their defenses against potential unauthorized access.
Which technique is Ethan most likely using to uncover the vulnerability in Lone Star Credit Union’s web server?
During a penetration test at a telecom provider in Denver, Colorado, Maria, a senior ethical hacker, notices that her scans are immediately flagged by intrusion detection systems. She modifies her technique, and as a result, the IDS devices are unable to reassemble the packets correctly, allowing her probes to slip through without detection. Which scanning evasion technique is Maria applying in this case?
A penetration tester evaluates an industrial control system (ICS) that manages critical infrastructure. The tester discovers that the system uses weak default passwords for remote access. What is the most effective method to exploit this vulnerability?
At a power distribution facility in Phoenix, Arizona, ethical hacker Sameer Das is performing an OT security assessment. He demonstrates that a programmable controller accepts modifications delivered over the network without checking the origin or cryptographic validity of the package. By uploading altered instructions, he changes how the controller processes commands during operations. Which IoT/OT threat best represents this technique?
An internal audit at a pharmaceutical research company in San Diego, California, revealed that a directory server was reachable from a restricted testing subnet. Security analyst Daniel Harper initiated a basic directory query using simple authentication to validate connectivity. The query succeeded, confirming that the server was responding to unauthenticated search requests.
To understand the structural layout of the directory before performing deeper queries, Daniel needed to retrieve the base-level naming context entries exposed by the server. His objective was to identify the root domain components and configuration partitions before constructing targeted search filters.
Which command should Daniel execute to obtain the directory naming context information?
A major financial institution is experiencing persistent DoS attacks against online banking, disrupting transactions. Which sophisticated DoS technique poses the greatest challenge to detect and mitigate effectively, potentially jeopardizing service availability?
After a breach, investigators discover attackers used modified legitimate system utilities and a Windows service to persist undetected and harvest credentials. What key step would best protect against similar future attacks?
During a cryptographic audit of a legacy system, a security analyst observes that an outdated block cipher is leaking key-related information when analyzing large sets of plaintext–ciphertext pairs. What approach might an attacker exploit here?
During a reconnaissance engagement at a law firm in Houston, Texas, you are tasked with analyzing the physical movement of employees through their publicly shared media. By examining geotagged images and mapping them to specific locations, you aim to evaluate whether staff are unintentionally disclosing sensitive information about office routines. Which tool from the reconnaissance toolkit would best support this task?
During a penetration test at Cascade Financial in Raleigh, ethical hacker Ethan Brooks evaluates the security of the company ' s authentication system. He observes that the application accepts a high volume of repeated credential submissions without introducing any additional challenge, allowing automated scripts to cycle rapidly through large password lists. Ethan advises the IT team to deploy a control that forces interaction steps designed to disrupt automation.
Which countermeasure should the IT team adopt in this scenario?
A fintech startup in Austin, Texas authorizes a controlled red team engagement to evaluate the resilience of its web-based loan management platform. At the outset of the engagement, the assessment team concentrates on developing a structural understanding of the application.
They examine publicly exposed endpoints, observe server responses under different navigation paths, identify accessible directories, and document the relationships between client-side scripts, form parameters, and backend behaviors. Error handling patterns and response variations are cataloged to understand how user interactions are processed across various components of the platform.
The collected information is used to guide strategic planning for subsequent phases of the engagement.
Within the web application hacking methodology, which phase is most accurately demonstrated in this scenario?
An attacker exploits a misconfigured S3 bucket containing application backups with database credentials. What cloud security failure category does this fall under?
A government agency trains a group of cybersecurity experts to carry out covert cyber missions against foreign threats and gather intelligence without being detected. These experts work exclusively for national interests. What classification best describes them?
Anthony works as a security consultant for a financial services firm in Chicago, Illinois. During an internal engagement, he reviews traffic logs and observes repeated connection attempts to a service that appears to provide directory-related information beyond a single domain. The responses suggest that the underlying database contains entries representing objects across the entire organization rather than being limited to a single segment.
As Anthony continues his assessment, he notices that administrators commonly connect to this service when troubleshooting directory-related issues. The service listens on a dedicated port and allows object searches across multiple domains without requiring prior knowledge of the specific domain name.
Which service is Anthony most likely enumerating?
You are an ethical hacker at SecureNet Solutions, conducting a penetration test for BlueRidge Manufacturing in Denver, Colorado. While auditing their wireless network, you observe that the access point uses a security protocol that employs the RC4 algorithm with a 24-bit initialization vector IV to encrypt data between network clients. Based on the observed encryption characteristics, which wireless encryption protocol is the access point using?
Which attack best demonstrates covert eavesdropping via smartphone sensors?
You are Riley, an incident responder at NovaEx Crypto in San Antonio, Texas, tasked with investigating a recent double-spend reported by a retail merchant that accepts the exchange ' s token. Your telemetry shows that a reseller node used by the merchant received blocks only from a small, fixed set of peers for several hours and accepted a conflicting history that later allowed the attacker to reverse a confirmed payment. The attacker appears to have controlled which peers that node communicated with and supplied it a private chain until they were ready to reveal it. Which blockchain attack does this behavior most closely describe?
During a penetration test at Sunshine Media ' s streaming platform in Miami, ethical hacker Sofia Alvarez examines whether the company ' s web server exposes sensitive resources through poor configuration. She finds that a crawler directive at the server ' s root allows unintended indexing of restricted areas. This oversight reveals internal paths that may expose hidden links, confidential files, or other sensitive information.
Which technique is Sofia most likely using in this assessment?
During a red team exercise for a global insurance provider in Chicago, ethical hacker Maria tests the effectiveness of the company ' s endpoint defenses. She launches an attack by injecting malicious PowerShell commands into a trusted process without dropping any executables to disk. The code executes entirely in memory, generating abnormal spikes in resource usage. After a reboot, Maria notes that the system returns to normal and traditional antivirus logs show no evidence of infection.
Which type of malware technique did Maria most likely use in this test?
As part of an insider threat simulation at a multinational insurance firm, lead red teamer John is asked to assess whether internal directory services are exposing sensitive user data. Gaining limited VPN access, he begins probing port 389 on a staging environment connected to the main domain infrastructure. After discovering that anonymous binds are accepted by the directory service, John launches a utility from his Kali machine that allows command-line interaction with directory entries. He structures his query to search for user objects with associated organizational units. Moments later, John reviews the output which includes usernames, group memberships, and departmental hierarchies all retrieved without authentication.
Which tool is John MOST likely using to perform this enumeration?
A penetration tester discovers that a web application is vulnerable to Local File Inclusion (LFI) due to improper input validation in a URL parameter. Which approach should the tester take to exploit this vulnerability?
During testing against a network protected by a signature-based IDS, the tester notices that standard scans are blocked. To evade detection, the tester sends TCP headers split into multiple small IP fragments so the IDS cannot reassemble or interpret them, but the destination host can. What technique is being used?
A penetration tester is tasked with assessing the security of an Android mobile application that stores sensitive user data. The tester finds that the application does not use proper encryption to secure data at rest. What is the most effective way to exploit this vulnerability?
During a targeted intrusion against a cloud infrastructure company in Salt Lake City, Utah, an attacker distributes a modified installation package of a legitimate network diagnostic utility widely used by employees. Before distributing the package, the attacker binds a malicious remote-access payload with the original executable so that both components are installed together.
When users launch the diagnostic tool, it performs its normal troubleshooting functions, while the hidden payload simultaneously executes in the background and establishes communication with a remote command server.
From a malware deployment perspective, what technique best describes this approach?
You are Alex, a forensic responder at HarborHealth in Seattle, Washington. During a live incident response you must secure an enterprise Windows server ' s system partition and attached data volumes without rebooting user machines or disrupting domain authentication. The IT team prefers a solution that integrates with Windows platform features (including hardware-backed startup protection and centralized key escrow via Active Directory/management policies) and provides transparent full-disk protection for the OS volume. Which disk-encryption solution should you deploy?
During a physical penetration test at Sterling Electronics in Cleveland, ethical hacker Priya waits near the employee entrance during a shift change. When a group of staff enters the building using their access cards, Priya closely follows behind without swiping her own badge. None of the employees confront her, assuming she belongs there. Once inside, Priya proceeds to the break area where she documents the success of the exercise.
Which social engineering technique is Priya demonstrating?
Which address translation scheme would allow a single public IP address to always correspond to a single machine on an internal network, allowing " server publishing " ?
You are Michael, an ethical hacker at a New York–based e-commerce company performing a security review of their payment-signing service. While observing the signing process (without access to private keys), you note the service generates a fresh random value for each signature operation, the signature algorithm uses modular arithmetic in a subgroup defined by public domain parameters, and signatures are verified with a public verification key rather than by decrypting the message. Which asymmetric algorithm best matches the signing mechanism you observed?
While simulating a reconnaissance phase against a cloud-hosted retail application, your team attempts to gather DNS records to map the infrastructure. You avoid brute-forcing subdomains and instead aim to collect specific details such as the domain’s mail server, authoritative name servers, and potential administrative information such as serial number and refresh interval.
Given these goals, which DNS record type should you query to extract both administrative and technical metadata about the target zone?
A university authorizes a wireless protocol resilience assessment on its WPA2-secured network. An ethical hacker positions a testing device within range of an access point and observes the key negotiation exchange between the client and the access point.
By selectively retransmitting a previously captured handshake message at a precise moment in the exchange, the tester causes the client device to reinstall an already negotiated encryption key. Subsequent traffic patterns reveal that certain protections expected from unique session parameters are no longer consistently enforced.
What kind of wireless attack technique is being illustrated in this scenario?
A health-tech startup in Raleigh, North Carolina operates a Kubernetes cluster supporting patient-facing microservices. During an authorized security assessment, a certified ethical hacker reviews internal cluster activity records available to operations personnel.
While analyzing these records, the tester notices that authentication artifacts associated with service accounts are recorded within system-generated output. The tester determines that if an individual obtained access to these records, they could reuse the captured authentication material to interact with cluster resources under the same privileges.
Which Kubernetes vulnerability best corresponds to this condition?
Which of the following tools performs comprehensive tests against web servers, including dangerous files and CGIs?
A manufacturing company in Columbus, Ohio, reported a surge in internal support tickets after employees received an alarming email appearing to originate from an independent cybersecurity researcher.
The message claimed that a newly discovered malware strain was actively targeting corporate email systems and stated that several Fortune 500 organizations had already been compromised. It encouraged recipients to immediately circulate the message within their departments “to minimize exposure,” warning that failure to act quickly could result in data loss.
The email did not request credentials, payment, or direct downloads. However, it relied heavily on dramatic language and cited unverifiable statistics to increase urgency and credibility.
From a social engineering classification standpoint, how should this technique be categorized?
A penetration tester targets a company ' s executive assistants by referencing upcoming board meetings in an email requesting access to confidential agendas. What is the most effective social engineering technique to obtain the necessary credentials without raising suspicion?
During a quarterly vulnerability management review at RedCore Motors, Priya finalizes the deployment of Nessus Essentials across the company ' s IT infrastructure. The solution is selected for its ability to support diverse technologies including operating systems, databases, web servers, and virtual environments. While preparing a training session for junior analysts, Priya asks them to identify a capability that Nessus Essentials is specifically designed to provide as part of its scanning process.
Which capability is Nessus Essentials specifically designed to provide?
During a red team assessment at Sunshine Credit Union in Miami, ethical hacker Laura demonstrates a weakness in the company ' s session handling process. She shows that once a user logs in, the same authentication token assigned before login continues to be valid without being refreshed. Laura explains that an attacker could exploit this flaw by tricking a victim into authenticating with a value already known to the attacker, gaining access afterward. To mitigate this risk, the IT team agrees to apply a countermeasure focused on proper session lifecycle management.
Which countermeasure should the IT team implement?
A state benefits processing platform in Sacramento, California, implemented a multi-step identity verification process before granting access to sensitive citizen records. During a controlled assessment, security analyst Daniel Kim observed that by altering specific request parameters within the transaction sequence, it was possible to bypass an intermediate verification stage and retrieve restricted account data.
Further analysis revealed that the authentication workflow advanced through sequential client-driven interactions, but the server did not enforce strict validation of completion for each required stage before granting access.
Based on the scenario, which vulnerability classification best describes the issue identified?
A penetration tester submits altered ciphertexts to a web server and pays close attention to how the server responds. When the server produces different error messages for certain inputs, the tester starts to infer which inputs result in valid internal processing. Which cryptanalytic method is being used in this scenario?
In Seattle, Washington, ethical hacker Mia Chen is hired by Pacific Trust Bank to test the security of their corporate network, which stores sensitive customer financial data. During her penetration test, Mia conducts a thorough reconnaissance, targeting a server that appears to host a critical database of transaction records. As she interacts with the server, she notices it responds promptly to her queries but occasionally returns error messages that seem inconsistent with a production system’s behavior, such as unexpected protocol responses. Suspicious that this server might be a decoy designed to monitor her actions, Mia applies a technique to detect inconsistencies that may reveal the system as a honeypot.
Which technique is Mia most likely using to determine if the server at Pacific Trust Bank is a honeypot?
While auditing legacy network devices at a public hospital in Miami, Jason, a penetration tester, needs to verify what SNMP traffic is leaking across the internal segment. Instead of running structured queries, he decides to capture live network traffic and manually review the protocol fields. This method allows him to see SNMP requests and responses in transit but requires manual parsing of OIDs, community strings, and variable bindings.
Which method should Jason use in this situation?
In the bustling digital marketplace of Miami ' s tech corridor, ethical hacker Sofia Alvarez probes the virtual defenses of RetailRush, a US-based online retailer hosting thousands of daily transactions. Tasked with exposing weaknesses in the web server ' s URL processing, Sofia submits crafted requests to manipulate resource paths. Her tests uncover a severe flaw: the server grants access to restricted system files, exposing sensitive configuration data. Further scrutiny reveals the issue stems from the server ' s failure to validate input paths, not from header manipulation, cached content tampering, or credential compromise. Committed to hardening the platform, Sofia drafts a precise report to direct the security team toward immediate fixes.
Which web server attack type is Sofia most likely exploiting in RetailRush ' s web server?
A security researcher reviewing an organization ' s website source code finds references to Amazon S3 file locations. What is the most effective way to identify additional publicly accessible S3 bucket URLs used by the target?
At a New York-based e-commerce company preparing for Black Friday sales, analyst Sarah evaluates cloud billing practices. She notices that the provider tracks compute hours, storage usage, and bandwidth consumption in detail, enabling the company to pay only for what is consumed while also supporting audits. Which cloud computing characteristic best explains this feature?
A red team member uses an access token obtained from an Azure function to authenticate with Azure PowerShell and retrieve storage account keys. What kind of abuse does this scenario demonstrate?
While evaluating a smart card implementation, a security analyst observes that an attacker is measuring fluctuations in power consumption and timing variations during encryption operations on the chip. The attacker uses this information to infer secret keys used within the device. What type of exploitation is being carried out?
Packet fragmentation is used as an evasion technique. Which IDS configuration best counters this?
During a penetration test at Pacific Shipping Co. in Seattle, ethical hacker Mia Chen evaluates the defenses protecting the company ' s web-facing servers. She observes that the security system is not only checking basic packet headers but also validating session state and performing some application-level analysis. This multilayer approach makes it more difficult for Mia to bypass the firewall using simple fragmentation or tunneling attacks.
Which type of firewall is Mia most likely facing?
In Austin, Texas, ethical hacker Michael Reyes is conducting a red team exercise for Horizon Tech, a software development firm. During his assessment, Michael crafts a malicious link that appears to lead to the company ' s internal project management portal. When an unsuspecting employee clicks the link, it redirects them to a login session that Michael has already initialized with the server. After the employee logs in, Michael uses that session to access the portal in a controlled test, demonstrating a vulnerability to the IT team.
Which session hijacking technique is Michael using in this red team exercise?
During an external assessment of a regional retail company ' s digital infrastructure, security analyst Joe is assigned to map internal services without active intrusion. While testing the behavior of a publicly exposed resolution system, he discovers that a secondary system responds unusually to structured queries. When he issues a specific request format, the server replies with a full list of internal mappings, including subdomains, mail hosts, and system aliases without requiring credentials or triggering alerts.
Which technique was most likely used to obtain this information?
A DNS server responds with different IP addresses rapidly for the same domain, pointing to constantly changing hosts. What technique is being used?
During enumeration, a tool sends requests to UDP port 161 and retrieves a large list of installed software due to a publicly known community string. What enabled this technique to work so effectively?
Michael, an ethical hacker at a New York-based e-commerce company, is evaluating the security of their online payment system after a recent incident where fraudulent transactions went undetected. His investigation reveals that the system uses an asymmetric encryption algorithm to ensure the authenticity of payment confirmations. He finds that the algorithm employs a public-key cryptosystem, where the sender signs the transaction with a private key, and the recipient verifies it using a corresponding public key located in a directory. During his test, Michael intercepts a signed message and notices that the algorithm supports modular exponentiation for generating digital signatures, a process critical for verifying the identity of the signatory. He aims to assess if the algorithm’s configuration could be vulnerable to a man-in-the-middle attack due to its key structure.
Which asymmetric encryption algorithm should Michael identify as the one used by the payment system?
A financial clearinghouse in Newark, New Jersey, initiated a structured vulnerability review across its enterprise servers. The scanning platform was configured to collect detailed information about installed updates, local security configurations, and system policy settings on each target machine. The resulting report contained granular host-level findings, including configuration inconsistencies and patch gaps that required direct system-level inspection to obtain. Based on the activity described, what type of vulnerability scanning is being performed?
A penetration tester identifies that a web application ' s login form is not using secure password hashing mechanisms, allowing attackers to steal passwords if the database is compromised. What is the best approach to exploit this vulnerability?
During a red team engagement, an ethical hacker discovers that a thermostat accepts older firmware versions without verifying their authenticity. By loading a deprecated version containing known vulnerabilities, the tester gains unauthorized access to the broader network. Which IoT security issue is most accurately demonstrated in this scenario?
An attacker, using a rogue wireless AP, performed an MITM attack and injected an HTML code to embed a malicious applet in all HTTP connections. When users accessed any page, the applet ran and exploited many machines. Which one of the following tools the hacker probably used to inject HTML code?
During a penetration test for a U.S.-based retail company, John gains access to a secondary server that responds unusually to structured queries. By sending a specially crafted request, he receives a full list of subdomains, MX records, and aliases belonging to the target organization. The response exposes sensitive internal mappings that could be leveraged for further attacks.
Which tool was MOST likely used to perform this enumeration?
User A is writing a sensitive email message to user B outside the local network. User A has chosen to use PKI to secure his message and ensure only user B can read the sensitive email. At what layer of the OSI layer does the encryption and decryption of the message take place?
A Certified Ethical Hacker (CEH) is auditing a company’s web server that employs virtual hosting. The server hosts multiple domains and uses a web proxy to maintain anonymity and prevent IP blocking. The CEH discovers that the server’s document directory (containing critical HTML files) is named “certrcx” and stored in /admin/web. The server root (containing configuration, error, executable, and log files) is also identified. The CEH also notes that the server uses a virtual document tree for additional storage. Which action would most likely increase the security of the web server?
A tester evaluates a login form that constructs SQL queries using unsanitized user input. By submitting 1 OR ' T ' = ' T ' ; --, the tester gains unauthorized access to the application. What type of SQL injection has occurred?
Using nbtstat -A < IP > , NetBIOS names including < 20 > and < 03 > are retrieved, but shared folders cannot be listed. Why?
During a red team assessment of a mid-sized insurance provider in Denver, Colorado, testers established persistent access on an internal developer workstation after exploiting a misconfigured automation service. To sustain command-and-control without triggering perimeter defenses, they configured a low-bandwidth outbound channel designed to blend into infrastructure traffic that is routinely permitted through egress controls.
Security operations later identified periodic outbound communication from the compromised host to a single unfamiliar external endpoint not associated with approved vendors or user activity. The traffic was distributed over time rather than bursty. Although the exchanges resembled legitimate service requests, packet inspection revealed irregular payload sizing and structured encoding patterns inconsistent with typical client behavior across the environment.
What covert communication technique was most likely used to sustain the red team’s access?
At a government research lab, cybersecurity officer Nikhil is compiling a vulnerability assessment report after scanning the internal subnet. As part of his documentation, he lists the IP addresses of all scanned hosts and specifies which machines are affected. He includes tables categorizing discovered vulnerabilities by type such as outdated software, default credentials, and open ports.
Which section of the vulnerability assessment report is Nikhil working on?
An attacker uses many plaintext–ciphertext pairs and applies statistical analysis to XOR combinations of specific bits. Which technique is being used?
A Windows system shows LSASS memory access by unknown processes. What attack is likely?
Which social engineering attack involves impersonating a co-worker or authority figure to extract confidential information?
You are Jordan, a cryptographic assessor at Cascade Data in Portland, Oregon, reviewing the protection applied to telemetry logs. Your review finds an algorithm that operates on 128-bit blocks, accepts keys up to 256 bits, and the documentation notes it was one of the finalists in the AES selection process that aimed to replace legacy DES. Which symmetric encryption algorithm should you identify as being used?
During a red team exercise at Orion Tech Systems in San Jose, ethical hacker Nadia creates a campaign of fraudulent messages targeting employees. She uses compromised social media accounts to distribute bulk invitations that contain links to a fake cloud collaboration site. Several employees click the links and are prompted to log in with their corporate credentials, which Nadia captures. Although the lure appears to be a professional networking opportunity, the tactic relies on unsolicited deceptive messages delivered at scale.
Which social engineering threat is Nadia simulating in this campaign?
You are an ethical hacker at HarborLine Assessments, engaged to audit the Wi-Fi at Portside Freight in Tacoma, Washington. During an overnight reconnaissance, you enable your wireless interface’s monitor mode and run a command that silently records beacon frames, probe responses, and authentication frames from nearby APs and clients into a capture file for later offline analysis—you do not transmit any frames from your laptop. Based on the described activity, which Wi-Fi security auditing tool are you most likely using?
The company ABC recently contracts a new accountant. The accountant will be working with the financial statements. Those financial statements need to be approved by the CFO and then they will be sent to the accountant but the CFO is worried because he wants to be sure that the information sent to the accountant was not modified once he approved it. Which of the following options can be useful to ensure the integrity of the data?
In Atlanta, Georgia, ethical hacker James Patel is hired by Southern Retail, a major e-commerce chain, to test the security of their online shopping platform. During his penetration test, James aims to simulate a session hijacking attack by setting up a proxy to intercept HTTP traffic between customers and the platform, log the requests, and perform advanced searches on the captured data to identify session tokens. He needs a lightweight tool specifically designed for security research that can handle these tasks in a controlled environment to demonstrate vulnerabilities to the company ' s security team.
Which tool should James use to perform this session hijacking simulation?
A penetration tester is conducting an external assessment of a corporate web server. They start by accessing https://www.targetcorp.com/robots.txt and observe multiple Disallow entries that reference directories such as /admin-panel/, /backup/, and /confidentialdocs/. When the tester directly visits these paths via a browser, they find that access is not restricted by authentication and gain access to sensitive files, including server configuration and unprotected credentials. Which stage of the web server attack methodology is demonstrated in this scenario?
A sophisticated injection attack bypassed validation using obfuscation. What is the best future defense?
An ethical hacker conducts testing with full knowledge and permission. What type of hacking is this?
In a highly secure online banking environment, customers report unauthorized access to their accounts despite robust authentication controls. Investigation reveals attackers are using advanced session hijacking techniques to perform fraudulent transactions. Which advanced session-hijacking attack, resembling a scenario-based attack, presents the greatest challenge to detect and mitigate?
During a forensic log review at a satellite communications provider in Denver, Colorado, cybersecurity analyst Kevin Morales identified subtle timestamp irregularities in archived telemetry records. Although the discrepancies were minor, regulatory reporting standards required confirmation that the system clock was synchronizing correctly with its configured time sources.
Kevin needed to interact directly with the host’s running time service to review its current associations and operational state. He was not attempting to reset the clock or trace the hierarchy of upstream time authorities, but rather to query the active service for detailed status information from the target machine.
Identify the command Kevin should execute to obtain this information.
During a red team engagement at Apex Biotech in Dallas, ethical hacker Rachel calls the company ' s HR desk pretending to be Mark Stevens, a senior finance manager. She pressures the HR staffer by citing his “upcoming presentation for the CFO” and insists he urgently needs a copy of the updated employee benefits spreadsheet. The staffer feels compelled to help due to Rachel’s convincing manner and authoritative tone.
Which social engineering technique is Rachel demonstrating in this exercise?
During a late-night shift at IronWave Logistics in Seattle, cybersecurity analyst Marcus Chen notices a pattern of high-port outbound traffic from over a dozen internal machines to a previously unseen external IP. Each system had recently received a disguised shipping report, which, when opened, initiated a process that spread autonomously to other workstations using shared folders and stolen credentials. Upon investigation, Marcus discovers that the machines now contain hidden executables that silently accept remote instructions and occasionally trigger coordinated background tasks. The compromised endpoints are behaving like zombies, and malware analysts confirm that the payload used worm-like propagation to deliver a backdoor component across the network.
Which is the most likely objective behind this attack?
A penetration tester is evaluating a secure web application that uses HTTPS, secure cookie flags, and regenerates session IDs only during specific user actions. To hijack a legitimate user ' s session without triggering security alerts, which advanced session hijacking technique should the tester employ?
A penetration tester evaluates a company ' s secure web application, which uses HTTPS, secure cookie flags, and strict session management to prevent session hijacking. To bypass these protections and hijack a legitimate user ' s session without detection, which advanced technique should the tester employ?
In the crisp mountain air of Denver, Colorado, ethical hacker Lila Chen investigates the security framework of MediVault, a U.S.-based healthcare platform used by regional clinics to manage patient data. During her review, Lila discovers that sensitive records are weakly protected, allowing attackers to intercept and manipulate the information in transit. She warns that such weaknesses could be exploited to commit credit-card fraud, identity theft, or similar crimes. Further analysis reveals that MediVault is vulnerable to well-documented flaws such as cookie snooping and downgrade attacks.
Which issue is MOST clearly indicated?
You suspect a Man-in-the-Middle (MitM) attack inside the network. Which network activity would help confirm this?
In Denver, Colorado, ethical hacker Sophia Nguyen is hired by Rocky Mountain Insurance to assess the effectiveness of their network security controls. During her penetration test, she attempts to evade the company ' s firewall by fragmenting malicious packets to avoid detection. The IT team, aware of such techniques, has implemented a security measure to analyze packet contents beyond standard headers. Sophia ' s efforts are thwarted as the system identifies and blocks her fragmented packets.
Which security measure is the IT team most likely using to counter Sophia ' s firewall evasion attempt?
A U.S.-based online securities trading firm in New York is reviewing its transaction authentication process. The security team confirms that each transaction is processed by first generating a hash of the transaction data. The hash value is then signed using the sender ' s private key. During verification, the recipient uses the corresponding public key to validate the signature before approving the transaction. The system documentation specifies that the same algorithm supports encryption, digital signatures, and key exchange mechanisms within the organization ' s secure communications infrastructure. Which encryption algorithm is being used in this implementation?
You are Emma Rodriguez, an ethical hacker at SecurePath Solutions, hired to test the mobile application security of Sterling & Associates, a law firm in New York City. During a covert assessment, your objective is to simulate an attacker attempting to exploit vulnerabilities in the firm’s client case management app. You discover that the app stores user credentials in plain text on the device, enabling you to extract sensitive client login information using a rooted device. Based on this finding, which OWASP Top 10 Mobile Risk are you identifying in the app?
A DevOps engineer at a Toronto-based SaaS provider deploys a multi-tenant application within a shared orchestration environment. During a security assessment, a penetration tester discovers that a compromised workload is able to access host-level system resources and interact with adjacent workloads beyond its intended isolation controls.
Further investigation reveals that the workload was launched with elevated privileges and insufficient runtime restrictions, allowing the attacker to cross the intended isolation boundary and gain unauthorized access to the underlying infrastructure.
Which cloud attack technique best describes this security weakness?
You are an ethical hacker at SilverRock Security, engaged by BayState Credit Union in Boston, Massachusetts, to evaluate their online loan application portal. While testing the customer dashboard, you inject crafted input into a numeric parameter. Instead of returning only the expected loan details, the response also displays sensitive employee information from another table, merged into the same page results. This behavior indicates that the attacker’s input successfully combined multiple datasets into a single output.
Based on the observed behavior, which type of SQL injection attack are you exploiting?
You are Olivia Chen, an ethical hacker at CyberGuardians Inc., hired to test the wireless network of Skyline Media, a broadcasting company in Chicago, Illinois. Your mission is to breach their WPA2-protected Wi-Fi during a late-night penetration test. Using a laptop in monitor mode, you execute a command to transmit packets that force client devices to disconnect and reconnect, enabling you to capture a four-way handshake for cracking. Based on the described action, which tool are you using?
A financial institution ' s online banking platform is experiencing intermittent downtime caused by a sophisticated DDoS attack that combines SYN floods and HTTP GET floods from a distributed botnet. Standard firewalls and load balancers cannot mitigate the attack without affecting legitimate users. To protect their infrastructure and maintain service availability, which advanced mitigation strategy should the institution implement?
A penetration tester detects malware on a system that secretly records all keystrokes entered by the user. What type of malware is this?
At a digital marketing firm in Atlanta, Georgia, employees began reporting that access to a widely used cloud collaboration portal was intermittently redirecting them to a counterfeit interface hosted on an unfamiliar IP address. Security engineers observed that when multiple users across different departments attempted to access the legitimate domain, they consistently received the same incorrect IP resolution. The anomalous behavior persisted across sessions and affected numerous internal clients until the organization ' s name resolution service was restarted, after which normal resolution resumed. What DNS manipulation technique best explains this scenario?
During a security compliance audit at Nexus Tech Solutions in Boston, Massachusetts, the ethical hacking team launches a controlled social engineering exercise to assess help desk vulnerabilities. Ethical hacker Rachel Kim calls the company ' s help desk, posing as a stressed employee named Laura Bennett from the marketing department. Rachel claims her laptop is running slowly and offers to share her login credentials if the help desk can provide a quick fix to meet a tight project deadline. The call is designed to test whether help desk staff follow proper verification protocols or fall for the offer of credentials in exchange for assistance.
What social engineering technique is Rachel employing in this exercise?
Upon completing a vulnerability evaluation for a financial services firm in Cincinnati, Ohio, the security team finalized its formal report for executive review. One portion of the document grouped identified weaknesses into severity tiers and highlighted systems with elevated exposure levels across the environment. This part of the report emphasized the relative impact and prioritization of identified weaknesses across affected assets. Which component of the vulnerability assessment report is represented in this scenario?
At Bayview University in San Francisco, California, ethical hacker Sofia Patel is evaluating security controls on Android 11 tablets used by staff. To simulate an attack, she installs KingoRoot.apk directly on one of the devices. The application leverages system vulnerabilities to elevate privileges without requiring a computer connection. Based on the module, which feature of this rooting approach makes the attack effective?
A web server experienced a DDoS attack that specifically targeted the application layer. Which type of DDoS attack was most likely used?
A private equity firm in Minneapolis, Minnesota allows employees to access internal reporting tools from their personally owned smartphones under its BYOD program. During a routine security assessment, a consultant observes that when an employee leaves their unlocked phone unattended, a colleague can immediately open the firm’s financial application and review client investment records without any additional verification step inside the application.
The operating system itself requires a passcode to unlock the device, but once unlocked, corporate applications open directly to sensitive dashboards.
Identify the BYOD security guideline that would directly mitigate this exposure.
A Windows endpoint generates alerts for credential dumping tools. What asset is targeted?
A national retail chain headquartered in Minneapolis, Minnesota operates a customer rewards portal supported by front-end delivery layers designed to improve performance during peak shopping periods. During an authorized security assessment, a tester submits a specially crafted request containing unusual header combinations and a modified query parameter while accessing a promotional page.
Shortly afterward, other legitimate users requesting the same promotional page through standard browsers begin receiving altered content that differs from what the application normally generates. When the tester accesses the underlying origin system directly, the response reflects the expected legitimate version. After some time and additional routine traffic, the unexpected content is no longer served.
Identify the attack technique that best explains this observed behavior.
A regional healthcare provider in Portland, Oregon, recently migrated its patient scheduling portal to a new cloud platform. Within days, multiple patients reported that when searching online for the clinic ' s appointment system, they were directed to a website that looked identical to the official portal. The fraudulent page appeared prominently in search engine results and prompted users to log in using their patient credentials. The URL closely resembled the legitimate domain name, and no internal DNS servers had been altered within the organization ' s infrastructure. Security analysts later determined that the attacker had created a convincing replica of the portal and manipulated search visibility so that unsuspecting users would voluntarily navigate to the malicious site. Which type of social engineering technique best explains this attack?
A CEH has mirrored a website, identified session hijacking risk, and wants to minimize detection. What is the most appropriate next step?
In a vertical privilege escalation scenario, the attacker attempts to gain access to a user account with higher privileges than their current level. Which of the following examples describes vertical privilege escalation?
During a simulated attack against a university ' s IT network in California, ethical hacker Sophia deploys custom malicious code onto one lab workstation. Without requiring further user interaction, she observes the malware automatically copying itself into shared folders and spreading through weak admin credentials. Within a short time, dozens of computers across multiple departments are infected with the same payload, even though only one machine was initially targeted.
Which type of malware is Sophia most likely demonstrating?
During an authorized security assessment at a municipal power distribution facility in Omaha, Nebraska, a certified ethical hacker performs passive traffic analysis between the control center and several remote substations.
The tester observes structured request-response messages used to read coil status and write register values on industrial controllers. All communication occurs over TCP port 502, and the protocol does not provide built-in encryption or authentication.
Based on these characteristics, which OT communication protocol is operating within this environment?
You detect the presence of a kernel-level rootkit embedded deeply within an operating system. Given the critical nature of the infection, which remediation strategy should be followed to effectively remove the rootkit while minimizing long-term risk?
An attacker places a malicious VM on the same physical server as a target VM in a multi-tenant cloud environment. The attacker then extracts cryptographic keys using CPU timing analysis. What type of attack was conducted?
A U.S.-based online securities trading firm in New York is reviewing its transaction authentication process. The security team confirms that each transaction is processed by first generating a hash of the transaction data. The hash value is then signed using the sender’s private key.
During verification, the recipient uses the corresponding public key to validate the signature before approving the transaction. The system documentation specifies that the same algorithm supports encryption, digital signatures, and key exchange mechanisms within the organization’s secure communications infrastructure.
Which encryption algorithm is being used in this implementation?
During network analysis, clients are receiving incorrect gateway and DNS settings due to a rogue DHCP server. What security feature should the administrator enable to prevent this in the future?
A smart building management company in Seattle, Washington deploys wireless door sensors and badge-based access systems throughout its corporate headquarters. During a security assessment, an analyst captures legitimate radio transmissions between employee access badges and the entry control units.
Later that evening, without modifying or decrypting the original communication, the analyst retransmits the previously captured signal toward a secured entrance. The access control system accepts the transmission as valid and unlocks the door, even though the legitimate badge is not present.
Determine the attack technique demonstrated in this assessment.
Which advanced session-hijacking technique is hardest to detect and mitigate?
Which technique best exploits session management despite MFA, encrypted cookies, and WAFs?
You are Ethan Brooks, an ethical hacker at Vanguard Security Solutions, hired to perform a wireless penetration test for Pacific Logistics, a shipping company in Seattle, Washington. Your task is to identify all Wi-Fi networks in range without alerting the network administrators. Using a laptop with a Wi-Fi card, you monitor radio channels to detect access points and their BSSIDs without sending any probe requests or injecting data packets.
Based on the described method, which Wi-Fi discovery technique are you employing?
SCADA anomalies suggest a side-channel attack. Which investigation best confirms this?
In the heart of Silicon Valley, ethical hacker Sophia Nguyen is hired by InnoVate Solutions, a San Francisco-based startup, to secure their cloud-based task management platform. On March 15, 2025, Sophia begins testing a feature that allows users to upload custom workflow templates to streamline project assignments. By carefully crafting a template file, she manipulates the platform’s data processing, triggering unexpected behavior that grants her administrative access to restricted project dashboards. The issue arises from the platform’s handling of user-supplied data during object reconstruction, not from database queries, client-side code execution, or session manipulation. Sophia documents her findings to help InnoVate’s developers strengthen their application.
Which web application vulnerability is Sophia most likely exploiting in InnoVate Solutions’ task management platform?
During a black-box penetration test, an attacker runs the following command:
nmap -p25 --script smtp-enum-users --script-args EXPN,RCPT < target IP >
The script successfully returns multiple valid usernames. Which server misconfiguration is being exploited?
On July 25, 2025, during a penetration test at Horizon Financial Services in Chicago, Illinois, cybersecurity specialist Laura Bennett is analyzing an attack simulation targeting the company ' s online banking portal. The system logs reveal a coordinated barrage of traffic from multiple compromised systems, orchestrated through a central command-and-control server, flooding the portal and rendering it unavailable to legitimate users. The attack leverages a network of infected devices, likely recruited via malicious links on social media.
What is the structure or concept most likely used to launch this coordinated attack?
A regional law firm authorizes a wireless resilience evaluation after employees report intermittent connectivity disruptions in conference rooms. An ethical hacker assigned to the assessment analyzes client behavior while transmitting carefully crafted 802.11 management frames toward the organization’s primary access point.
Each transmission immediately causes several connected laptops to lose association with the network, requiring users to reconnect manually. Connectivity interruptions occur only when the crafted frames are sent.
Identify the wireless attack illustrated by this activity.
Michael, an ethical hacker at a San Francisco-based fintech startup, is conducting a security assessment of the company ' s cloud-based payment processing platform, which uses Kubernetes, an open-source system for automating the deployment, scaling, and management of containerized applications. During his review, Michael identified a feature that automatically replaces and reschedules containers from failed nodes to ensure high availability of services a critical requirement for uninterrupted payment operations. Based on his study of cloud container technology principles, which Kubernetes feature should Michael highlight as responsible for this capability?
A penetration tester finds malware that spreads across a network without user interaction, replicating itself from one machine to another. What type of malware is this?
An organization is performing a vulnerability assessment for mitigating threats. James, a pen tester, scanned the organization by building an inventory of the protocols found on the organization ' s machines to detect which ports are attached to services such as an email server, a web server or a database server. After identifying the services, he selected the vulnerabilities on each machine and started executing only the relevant tests. What is the type of vulnerability assessment solution that James employed in the above scenario?
At a fast-growing startup in Austin, Texas, an ethical hacker is asked to simulate how attackers might gather information to gain initial access. During the assessment, she poses as a recruiter on a professional networking site and convinces several employees to share details about the company’s internal software and VPN setup. Which type of threat best represents this adversary’s method of information gathering?
In Miami, Florida, cybersecurity analyst Laura Bennett is responding to a series of unauthorized access attempts targeting Sunshine Credit Union’s online banking platform. She observes unusual network activity that suggests attackers may be intercepting session IDs transmitted over unsecured connections to hijack active user sessions. To prevent further compromise, Laura works with the network team to apply a control that secures session-related communications throughout the entire portal, ensuring sensitive tokens are no longer exposed to interception during user interactions.
What countermeasure should Laura implement to prevent session hijacking in this scenario?
Which of the following tools is used to analyze the files produced by several packet-capture programs such as tcpdump, WinDump, Wireshark, and EtherPeek?
Emily, a security engineer at a Chicago-based healthcare provider, is auditing the organization ' s new cloud environment after a breach where sensitive patient records were exposed. Her investigation reveals that the root cause was the lack of encryption during data transmission between end-user devices and cloud storage. To mitigate this issue and align with HIPAA compliance requirements, Emily must prioritize addressing the correct cloud computing security risk.
Which cloud computing threat should Emily address to mitigate the risk of sensitive data being exposed during transmission?
During a penetration test, you perform extensive DNS interrogation to gather intelligence about a target organization. Considering the inherent limitations of DNS-based reconnaissance, which of the following pieces of information cannot be directly obtained through DNS interrogation?
A global fintech company receives extortion emails threatening a severe DDoS attack unless ransom is paid. The attacker briefly launches an HTTP flood to demonstrate capability. The attack uses incomplete POST requests that overload application-layer resources, causing performance degradation. The attacker reinforces their demand with a second threat email. What type of DDoS attack is being carried out?
During a red team engagement at a retail company in Atlanta, ethical hacker James crafts a session with the company ' s shopping portal and deliberately shares that session ID with an unsuspecting employee by embedding it in a link. When the employee clicks and logs in, their activity is bound to the attacker ' s pre-assigned session. Later, James retrieves the employee ' s input from that same session to demonstrate the flaw to management.
Which session hijacking technique is James most likely using?
A technology consulting firm in Denver, Colorado, recently experienced a wave of suspicious account compromise incidents. Several employees reported receiving an email that appeared identical to a legitimate cloud storage notification they had received earlier that week. The message reused the original branding, formatting, sender display name, and subject line. However, it informed recipients that the previously shared document had been “updated due to synchronization errors” and instructed them to reauthenticate using the embedded link. The link directed users to a convincing replica of the organization’s authentication portal. Investigation revealed that the attacker had reused content from a genuine prior communication and modified only the embedded hyperlink. Which type of social engineering attack does this scenario most accurately represent?
A payroll management portal used by a manufacturing firm in Toledo, Ohio allows administrators to configure customizable notification templates that are later incorporated into automated reporting functions. During an authorized assessment, an ethical hacker submits specially structured input into a template field while creating a test notification.
The application accepts and stores the value without any noticeable disruption to the interface. Days later, when a scheduled reporting task executes, the resulting dataset includes records beyond the expected scope defined by the report criteria.
Further review reveals that the reporting engine dynamically constructs database queries using previously stored template values during execution.
Determine the SQL injection variant illustrated in this scenario.
A Java app uses outdated libraries with known CVEs. What risk does this create?
A multinational corporation deploys a major internal tool built on a PowerShell-based automation framework. Shortly after a scheduled rollout, the IT team notices intermittent system slowdowns and unexplained bandwidth spikes. Despite running updated endpoint protection and restrictive firewall rules, traditional scanning tools report no malicious files on disk. However, internal telemetry flags a trusted process repeatedly executing obfuscated PowerShell commands in memory. The anomalous activity vanishes upon reboot and appears to leave no footprint behind on the system.
Which type of malware is most likely responsible for this behavior?
During a red team assessment at Apex Technologies in Austin, ethical hacker Ryan tests whether employees can be tricked into disclosing sensitive data over the phone. He poses as a vendor requesting payment details and reaches out to several staff members. To evaluate defenses, the security team emphasizes that beyond general training, there is a practical step employees must apply in every interaction to avoid being deceived by such calls.
Which countermeasure should Apex Technologies prioritize to directly prevent this type of social engineering attempt?
During a red team assessment at a university in Chicago, Jake, a penetration tester, scans a group of older Windows workstations in the administration department. On several hosts, he notices traffic on UDP ports 137 and 138 as well as an open TCP port 139. Curious, he uses a utility to query the name table and session services. Within moments, he collects information including machine names, logged-in usernames, and available shared folders without authentication.
Which enumeration method is being demonstrated in this scenario?
A regional logistics provider in Charlotte, North Carolina operates its shipment tracking and partner API services on an Apache web platform configured to support a modern multiplexed communication protocol to improve efficiency under concurrent load. During a controlled stress assessment, testers simulate sustained client activity that repeatedly initiates and completes numerous lightweight exchanges over persistent connections.
Over time, system monitoring reveals that memory utilization steadily increases despite stable request volume and no proportional rise in active sessions. Even after the simulated clients disconnect normally, resource usage does not return to baseline levels. After several cycles, the service becomes sluggish and must be restarted to restore normal responsiveness. No unusual disk activity or database errors are observed during the test window.
The behavior is only present when the multiplexed protocol mode is enabled; reverting to legacy handling eliminates the issue.
Which Apache vulnerability best explains this behavior?