Summer Sale - Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70dumps

312-50v13 Questions and Answers

Question # 6

Steve, an attacker, created a fake profile on a social media website and sent a request to Stella. Stella was enthralled by Steve ' s profile picture and the description given for his profile, and she initiated a conversation with him soon after accepting the request. After a few days, Steve started asking about her company details and eventually gathered all the essential information regarding her company. What is the social engineering technique Steve employed in the above scenario?

A.

Honey trap

B.

Diversion theft

C.

Piggybacking

D.

Baiting

Full Access
Question # 7

A penetration tester is assessing a web application that does not properly sanitize user input in the search field. The tester suspects the application is vulnerable to a SQL injection attack. Which approach should the tester take to confirm the vulnerability?

A.

Use directory traversal in the search field to access sensitive files on the server

B.

Input a SQL query such as 1 OR 1=1 — into the search field to check for SQL injection

C.

Perform a brute-force attack on the login page to identify weak passwords

D.

Inject JavaScript into the search field to perform a Cross-Site Scripting (XSS) attack

Full Access
Question # 8

While performing a SYN (half-open) scan using Nmap, you send a SYN packet to a target IP address and receive a SYN/ACK response. How should this result be interpreted?

A.

The scanned port is open and ready to establish a connection

B.

The target IP is unreachable

C.

The port is filtered by a firewall

D.

The port is closed but acknowledged

Full Access
Question # 9

A penetration tester suspects that a web application ' s user profile page is vulnerable to SQL injection, as it uses the userID parameter in SQL queries without proper sanitization. Which technique should the tester use to confirm the vulnerability?

A.

Use the userID parameter to perform a brute-force attack on the admin login page

B.

Modify the userID parameter in the URL to ' OR ' 1 ' = ' 1 and check if it returns multiple profiles

C.

Inject HTML code into the userID parameter to test for Cross-Site Scripting (XSS)

D.

Attempt a directory traversal attack using the userID parameter

Full Access
Question # 10

A hacker is analyzing a system that uses two rounds of symmetric encryption with different keys. To speed up key recovery, the attacker encrypts the known plaintext with all possible values of the first key and stores the intermediate ciphertexts. Then, they decrypt the final ciphertext using all possible values of the second key and compare the results to the stored values. Which cryptanalytic method does this approach represent?

A.

Flood memory with brute-forced credentials

B.

Scrape electromagnetic leakage for bits

C.

Use midpoint collision to identify key pair

D.

Reverse permutations to bypass encryption

Full Access
Question # 11

During a scheduled red team engagement at a regional investment firm in Phoenix, Arizona, security consultants were permitted limited after-hours access to employee workstations. As part of the evaluation, a small intermediary device was placed inline between a keyboard and its connected desktop system.

Over time, the device began forwarding captured keystroke activity through the company’s established wireless environment, allowing the assessment team to collect periodic log data without interacting further with the workstation.

What type of keylogger does this scenario describe?

A.

Hardware Keylogger

B.

Acoustic/CAM Keylogger

C.

Wi-Fi Keylogger

D.

Bluetooth Keylogger

Full Access
Question # 12

A technology consulting firm in Portland, Oregon began experiencing repeated topology recalculations across its switching infrastructure. Shortly after a newly connected device came online in a conference room, spanning-tree convergence events were triggered across multiple distribution switches. Engineers determined that the access-layer interface connected to that device was influencing path-selection decisions, introducing a more favorable bridge priority value into the environment and affecting the established hierarchy. To preserve the intended switching structure and prevent unauthorized devices from altering root selection decisions, which control should be employed?

A.

Configuring Loop Guard on non-designated ports

B.

Activating UDLD (Unidirectional Link Detection) on uplinks

C.

Applying Root Guard on designated interfaces

D.

Enabling BPDU Guard on edge ports

Full Access
Question # 13

What does ATT & CK tactic “Persistence” mean?

A.

Initial exploit

B.

Data theft

C.

Cleanup

D.

Long-term access

Full Access
Question # 14

During an internal security assessment of a medium-sized enterprise network, a security analyst notices an unusual spike in ARP traffic. Closer inspection reveals that one particular MAC address is associated with multiple IP addresses across different subnets. The ARP packets were unsolicited replies rather than requests, and several employees from different departments have reported intermittent connection drops, failed logins, and broken intranet sessions. The analyst suspects an intentional interference on the local network segment. What is the most likely cause of this abnormal behavior?

A.

ARP poisoning causing routing inconsistencies

B.

DHCP snooping improperly configured

C.

Legitimate ARP table refresh on all clients

D.

Port security restricting all outbound MAC responses

Full Access
Question # 15

During an internal penetration test within a large corporate environment, the red team gains access to an unrestricted network port in a public-facing meeting room. The tester deploys an automated tool that sends thousands of DHCPDISCOVER requests using randomized spoofed MAC addresses. The DHCP server’s lease pool becomes fully depleted, preventing legitimate users from obtaining IP addresses. What type of attack did the penetration tester perform?

A.

DHCP starvation

B.

Rogue DHCP relay injection

C.

DNS cache poisoning

D.

ARP spoofing

Full Access
Question # 16

Which method best bypasses client-side controls without triggering server-side alarms?

A.

Disable JavaScript in the browser

B.

Intercept and modify requests using a proxy tool

C.

Inject malicious JavaScript into the login form

D.

Reverse-engineer the encryption algorithm

Full Access
Question # 17

This type of security test might seek to target the CEO ' s laptop or the organization ' s backup tapes to extract critical information, usernames, and passwords.

A.

Stolen equipment

B.

Insider attack

C.

Physical entry

D.

Outsider attack

Full Access
Question # 18

An organization uses SHA-256 for data integrity verification but still experiences unauthorized data modification. Which cryptographic tool would best resolve this issue?

A.

Asymmetric encryption

B.

Symmetric encryption

C.

SSL/TLS certificates

D.

Digital signatures

Full Access
Question # 19

During a penetration test at Rocky Mountain Insurance in Denver, ethical hacker Sophia Nguyen attempts to evade detection by fragmenting malicious traffic into smaller packets. The IT security team counters her strategy with a system that monitors traffic for deviations from established baselines, flagging behavior that does not match normal network activity. This allows them to stop Sophia’s evasion attempts in real time.

Which detection technique is the IT team most likely using in this case?

A.

Deep Packet Inspection

B.

Stateful Packet Inspection

C.

Signature-Based Detection

D.

Anomaly-Based Detection

Full Access
Question # 20

You perform a SYN (half-open) scan and receive a SYN/ACK packet in response. How should this result be interpreted?

A.

The target IP is not reachable

B.

The scanned port is open

C.

The scanned port is filtered

D.

The scanned port is closed

Full Access
Question # 21

A penetration tester completes a vulnerability scan showing multiple low-risk findings and one high-risk vulnerability tied to outdated server software. What should the tester prioritize as the next step?

A.

Perform a brute-force attack on the server to gain access

B.

Ignore the high-risk vulnerability and proceed with testing other systems

C.

Focus on exploiting the low-risk vulnerabilities first

D.

Verify if the high-risk vulnerability is exploitable by checking for known exploits

Full Access
Question # 22

Your company was hired by a small healthcare provider to perform a technical assessment on the network. What is the best approach for discovering vulnerabilities on a Windows-based computer?

A.

Check MITRE.org for the latest list of CVE findings

B.

Use a scan tool like Nessus

C.

Create a disk image of a clean Windows installation

D.

Use the built-in Windows Update tool

Full Access
Question # 23

An ethical hacker needs to gather sensitive information about a company ' s internal network without engaging directly with the organization ' s systems to avoid detection. Which method should be employed to obtain this information discreetly?

A.

Analyze the organization ' s job postings for technical details

B.

Exploit a public vulnerability in the company ' s web server

C.

Perform a WHOIS lookup on the company ' s domain registrar

D.

Use port scanning tools to probe the company ' s firewall

Full Access
Question # 24

Malware uses Background Intelligent Transfer Service (BITS) to evade detection. Why is BITS attractive to attackers?

A.

It uses IP fragmentation

B.

It encrypts DNS packets

C.

It looks like normal Windows Update traffic

D.

It works only through HTTP tunneling

Full Access
Question # 25

During which step of the incident response process would you be tasked with building the team, identifying roles, and testing the communication system?

A.

Containment

B.

Notification

C.

Preparation

D.

Recovery

Full Access
Question # 26

This type of security test usually takes on an adversarial role and looks to see what an outsider can access and control.

A.

Penetration test

B.

Policy assessment

C.

High-level evaluation

D.

Network evaluation

Full Access
Question # 27

At Liberty Mutual ' s cybersecurity operations center in Boston, network engineer Marcus is troubleshooting a critical issue during peak transaction hours. Multiple VLANs are experiencing intermittent access delays, and several endpoints including those on isolated VLANs are receiving network traffic not intended for them, raising concerns about data exposure. Marcus notices that the issue began after a newly imaged workstation used by an intern named Lisa was connected to a trunk port in the server room. Switch logs indicate abnormal traffic patterns overwhelming the network.

Which sniffing technique is Lisa ' s workstation most likely using to cause this behavior?

A.

DNS Cache Poisoning

B.

ARP Poisoning

C.

MAC Flooding

D.

Switch Port Stealing

Full Access
Question # 28

You are an ethical hacker at RedOak Cyber Solutions, contracted to perform a penetration test for MetroHealth Hospital in Cleveland, Ohio. While assessing the hospital ' s appointment booking portal, you craft and submit multiple malicious inputs into the patient search field. One of your payloads successfully manipulates the backend query, returning additional appointment data that was not intended to be displayed.

Based on the observed behavior, which step of the SQL injection methodology are you performing?

A.

Identifying Data Entry Paths

B.

Launching SQL Injection Attacks

C.

Database Enumeration

D.

Information Gathering and Vulnerability Detection

Full Access
Question # 29

An attacker performs DNS cache snooping using dig +norecurse. The DNS server returns NOERROR but no answer. What does this indicate?

A.

The domain has expired

B.

The record was cached and returned

C.

The DNS server failed

D.

No recent client from that network accessed the domain

Full Access
Question # 30

A system allows execution from /tmp directory. What risk exists?

A.

Malware execution

B.

SQLi

C.

XSS

D.

DoS

Full Access
Question # 31

“ShadowFlee” is fileless malware using PowerShell and legitimate tools. Which strategy offers the most focused countermeasure?

A.

Restrict and monitor script and system tool execution

B.

Isolate systems and inspect traffic

C.

Schedule frequent reboots

D.

Clean temporary folders

Full Access
Question # 32

You discover an unpatched Android permission-handling vulnerability on a device with fully updated antivirus software. What is the most effective exploitation approach that avoids antivirus detection?

A.

Develop a custom exploit using obfuscation techniques

B.

Use Metasploit to deploy a known payload

C.

Install a rootkit to manipulate the device

D.

Use SMS phishing to trick the user

Full Access
Question # 33

A large media-streaming company receives complaints that its web application is timing out or failing to load. Security analysts observe the web server is overwhelmed with a large number of open HTTP connections, transmitting data extremely slowly. These connections remain open indefinitely, exhausting server resources without consuming excessive bandwidth. The team suspects an application-layer DoS attack. Which attack is most likely responsible?

A.

A UDP flooding attack targeting random ports.

B.

An ICMP Echo Request flooding attack.

C.

A Slowloris attack that keeps numerous HTTP connections open to exhaust server resources.

D.

A fragmented packet attack with overlapping offset values.

Full Access
Question # 34

A penetration tester gains access to a target system through a vulnerability in a third-party software application. What is the most effective next step to take to gain full control over the system?

A.

Conduct a denial-of-service (DoS) attack to disrupt the system’s services

B.

Execute a Cross-Site Request Forgery (CSRF) attack to steal session data

C.

Perform a brute-force attack on the system ' s root password

D.

Use a privilege escalation exploit to gain administrative privileges on the system

Full Access
Question # 35

On July 9, 2025, during a security penetration test at MedSecure Health in Phoenix, Arizona, the ethical hacking team evaluates the resilience of the company ' s patient portal system. Ethical hacker Aisha Khan initiates a controlled test that generates sustained traffic pressure against the web application servers. As system responsiveness declines, the IT operations team reallocates backend resources, suspending lower-priority modules such as system alerts and notification services, allowing high-priority functions like prescription refills and patient check-ins to remain accessible. Aisha’s controlled simulation is designed to assess the IT team’s ability to maintain critical functionality under partial resource exhaustion.

What DoS DDoS countermeasure strategies is Aisha’s exercise primarily simulating?

Full Access
Question # 36

A Python API allows unlimited file upload size. What attack is possible?

A.

DoS

B.

XSS

C.

SQLi

D.

CSRF

Full Access
Question # 37

An attacker extracts the initial bytes from an encrypted file container and uses a tool to iterate through numeric combinations. What type of cryptanalytic technique is being utilized?

A.

Seek identical digests across hash outputs

B.

Test every possible password through automation

C.

Force encryption key through quantum solving

D.

Analyze output length to spot anomalies

Full Access
Question # 38

A REST API uses user-provided object IDs without authorization checks. What flaw is this?

A.

Mass assignment

B.

XSS

C.

SQLi

D.

BOLA

Full Access
Question # 39

A Windows machine shows disabled Windows Defender without admin approval. What phase is this?

A.

Delivery

B.

Persistence

C.

Recon

D.

Defense evasion

Full Access
Question # 40

A cloud storage provider discovers that an unauthorized party obtained a complete backup of encrypted database files containing archived client communications. The attacker did not compromise the encryption keys, nor is there evidence that any original plaintext records were exposed.

A forensic cryptography specialist reviewing the breach considers the possibility that the adversary is attempting to analyze the encrypted data in isolation, searching for statistical irregularities or structural repetition within the encrypted output to infer meaningful information.

To properly assess the organization’s exposure, the specialist must determine which cryptanalytic approach best matches an attack conducted using only the intercepted encrypted data.

A.

Chosen-Ciphertext Attack

B.

Known-Plaintext Attack

C.

Chosen-Plaintext Attack

D.

Ciphertext-Only Attack

Full Access
Question # 41

As a cybersecurity professional at XYZ Corporation, you are tasked with investigating anomalies in system logs that suggest potential unauthorized activity. System administrators have detected repeated failed login attempts on a critical server, followed by a sudden surge in outbound data traffic. These indicators suggest a possible compromise. Given the sensitive nature of the system and the sophistication of the threat, what should be your initial course of action?

A.

Conduct real-time monitoring of the server, analyze logs for abnormal patterns, and identify the nature of the activity to formulate immediate countermeasures.

B.

Conduct a comprehensive audit of all outbound traffic and analyze destination IP addresses to map the attacker’s network.

C.

Immediately reset all server credentials and instruct all users to change their passwords.

D.

Immediately disconnect the affected server from the network to prevent further data exfiltration.

Full Access
Question # 42

In the bustling tech hub of Boston, Massachusetts, ethical hacker Zara Nguyen dives into the digital fortifications of CloudCrafter, a US-based platform hosting web applications for small businesses. Tasked with probing the application’s input processing, Zara submits specially crafted inputs to a server administration panel. Her tests uncover a severe vulnerability: the system performs unintended operations at the system level, enabling access to restricted server resources. Further scrutiny reveals the flaw lies in the application’s failure to sanitize user input passed to system-level execution, not in altering directory service queries, injecting newline characters, or targeting cloud-specific environments. Dedicated to strengthening the platform, Zara drafts a precise report to guide CloudCrafter’s security team toward urgent fixes.

Which injection attack type is Zara most likely exploiting in CloudCrafter’s web application?

A.

Shell Injection

B.

CRLF Injection

C.

LDAP Injection

D.

Command Injection

Full Access
Question # 43

During LDAP-based enumeration, you observe that some critical information cannot be retrieved. What is the most likely reason?

A.

LDAP directory data is protected by Access Control Lists (ACLs)

B.

LDAP is running on a non-standard port

C.

Hosts are in a different subnet

D.

Network congestion is causing dropped requests

Full Access
Question # 44

An IoT traffic light shows anomalous traffic to an external IP and has an open port. What should be your next step?

A.

Attempt reverse connections

B.

Isolate the device and investigate firmware

C.

Modify firewall rules only

D.

Conduct full network penetration testing

Full Access
Question # 45

Peter extracts the SIDs list from Windows 2000 Server machine using the hacking tool “SIDExtractor”. Here is the output of the SIDs: From the above list identify the user account with System Administrator privileges.

A.

Chang

B.

Micah

C.

Sheela

D.

Rebecca

E.

Somia

F.

John

G.

Shawn

Full Access
Question # 46

A penetration tester discovers that a web application is using outdated SSL/TLS protocols (TLS 1.0) to secure communication. What is the most effective way to exploit this vulnerability?

A.

Conduct a Cross-Site Scripting (XSS) attack on the application

B.

Use a man-in-the-middle (MitM) attack to intercept and decrypt traffic

C.

Perform a brute-force attack on the SSL/TLS handshake

D.

Execute a SQL injection attack on the application ' s backend

Full Access
Question # 47

Joe, a cybersecurity analyst at Norwest Freight Services, has been assigned to run a vulnerability scan across the organization ' s infrastructure. He is specifically tasked with detecting weaknesses such as missing patches, unnecessary services, weak encryption, and authentication flaws across multiple servers. His scan identifies open ports and active services throughout the environment, providing a clear map of potential entry points for attackers.

Which type of vulnerability scanning best matches Joe ' s assignment?

A.

Network-based Scanning

B.

External Scanning

C.

Application Scanning

D.

Host-based Scanning

Full Access
Question # 48

A zero-day vulnerability is actively exploited in a critical web server, but no vendor patch is available. What should be the FIRST step to manage this risk?

A.

Shut down the server

B.

Apply a virtual patch using a WAF

C.

Perform regular backups and prepare IR plans

D.

Monitor for suspicious activity

Full Access
Question # 49

During a review for DoS threats, several IP addresses generate excessive traffic. Packet inspection shows the TCP three-way handshake is never completed, leaving many connections in a SYN_RECEIVED state and consuming server resources without completing sessions. What type of DoS attack is most likely occurring?

A.

SYN Flood

B.

Ping of Death

C.

UDP Flood

D.

Smurf Attack

Full Access
Question # 50

During routine network monitoring, the blue team notices several LLMNR and NBT-NS broadcasts originating from a workstation attempting to resolve an internal hostname. They also observe suspicious responses coming from a non-corporate IP address that claims to be the requested host. Upon further inspection, the security team suspects that an attacker is impersonating network resources to capture authentication attempts. What type of password-cracking setup is likely being staged?

A.

Decrypt login tokens from wireless networks

B.

Use CPU resources to guess passphrases quickly

C.

Exploit name resolution to capture password hashes

D.

Match captured credentials with rainbow tables

Full Access
Question # 51

During a security review for a healthcare provider in Denver, Colorado, Ava examines the header of a suspicious message to map the sender ' s outbound email infrastructure. Her goal is to identify which specific system on the sender ' s side processed the message so the team can understand where the transmission originated within that environment. Which detail from the email header should she examine to determine this?

A.

Date and time of message sent

B.

Sender ' s mail server

C.

Sender ' s IP address

D.

Authentication system used by sender ' s mail server

Full Access
Question # 52

Bluetooth devices are suspected of being targeted by a Bluesnarfing attack. What is the most effective countermeasure?

A.

Disable discoverable mode

B.

Update firmware regularly

C.

Increase Bluetooth PIN complexity

D.

Encrypt Bluetooth traffic

Full Access
Question # 53

You’ve just performed a port scan against an internal device during a routine pen test. Nmap returned the following response: Starting NMAP 7.30 at 2021-10-10 11:06 NMAP scan report for 192.168.123.100 Host is up (1.00s latency). Not shown: 993 closed ports PORT STATE SERVICE 80/tcp open http 161/tcp open snmp 515/tcp open lpd MAC Address: 00:1B:A9:01:3a:21 Based on this scan result, which of the following is most likely correct?

A.

The host is a printer.

B.

The host is most likely a Windows computer.

C.

The host is a Cisco router.

D.

The host is most likely a Linux computer.

Full Access
Question # 54

A media streaming company in Los Angeles, California engages a certified ethical hacker to evaluate the resilience of its cloud-hosted infrastructure. After initial access is obtained through an exposed credential in a development repository, the tester systematically modifies logging configurations, establishes alternate access keys for persistence, and documents privilege relationships between services within the tenant.

The tester’s actions are focused on maintaining continued access and mapping the internal structure of the environment after initial compromise has occurred.

Within the cloud attack lifecycle, which phase best represents this stage of activity?

A.

Exploitation

B.

Information Gathering

C.

Vulnerability Assessment

D.

Post-Exploitation

Full Access
Question # 55

An authorized security assessment is performed on a public-sector services portal in Madison, Wisconsin. After authenticating with a controlled test account, the assessor captures the authentication identifier issued by the application.

Under controlled lab conditions, she attempts to reuse the captured identifier from a separate machine connected through a different encrypted channel. Although the identifier remains valid and within its lifetime, the application rejects the request when presented from the alternate environment.

Analysis indicates that the server evaluates characteristics associated with the original secure exchange before allowing continued use of the issued identifier.

Which defensive mechanism most likely explains this behavior?

A.

Encrypting DNS resolution traffic using DNS over HTTPS

B.

Cryptographically binding authentication tokens to the TLS connection context

C.

Applying IPsec protection at the network layer

D.

Enforcing HTTP Strict Transport Security

Full Access
Question # 56

A financial technology firm in Atlanta, Georgia launches an internal investigation after multiple employees report that a popular messaging application on their Android devices has begun displaying excessive advertisements and behaving unpredictably. Security analysts discover that users had installed a utility application from a third-party marketplace weeks earlier. Further examination shows that this application silently replaced certain legitimate apps already present on the device. The compromised applications were then used to generate large volumes of advertisements and collect user data for external transmission. Based on the observed behavior, what malware is most consistent with this incident?

A.

Mamo

B.

Pegasus

C.

Agent Smith

D.

GoldPickaxe

Full Access
Question # 57

During a penetration test at a manufacturing company in Detroit, Amanda, a senior security consultant, scans several legacy Linux servers. On one host, she discovers an open port used for file transfer that allows anonymous login. Once connected, she is able to view the directory structure and check available files, which helps her identify potential sensitive information exposure. She also notices background traffic on a UDP service related to NetBIOS name lookups, but she continues probing the file transfer service to confirm user access weaknesses.

Which ports and services should Amanda prioritize for this enumeration activity?

A.

TCP 23 and UDP 137, 138

B.

TCP 21 and UDP 137

C.

TCP 25 and UDP 138

D.

TCP 139 and UDP 137, 138

Full Access
Question # 58

You are Sameer Das, an ethical hacker hired by a national utilities provider to assess the resilience of its power grid infrastructure. During your red team operation, you conduct a phishing campaign targeting field engineers and successfully gain access to the internal OT network. From there, you identify unsecured access to the substation’s programmable controllers and replace one of the system’s firmware components with a custom payload. This payload silently processes your commands while maintaining access across reboots. Based on this action, which type of IoT OT threat are you simulating?

A.

Forged malicious device

B.

Firmware update attack

C.

Remote access using backdoor

D.

Exploit kits

Full Access
Question # 59

In a controlled testing environment in Houston, Sarah, an ethical hacker, is tasked with evaluating the security posture of a financial firm’s network using the cyber kill chain methodology. She begins by simulating an attack, starting with gathering publicly available data about the company’s employees and infrastructure. Next, she plans to craft a mock phishing email to test employee responses, followed by deploying a harmless payload to assess system vulnerabilities. As part of her authorized penetration test, what phase of the cyber kill chain should Sarah prioritize to simulate the adversary’s approach effectively?

A.

Exploitation

B.

Reconnaissance

C.

Weaponization

D.

Delivery

Full Access
Question # 60

During a network security audit at Jefferson National Bank in Richmond, Virginia, ethical hacker Thomas Reed is tasked with identifying vulnerabilities in employee login processes on VLAN 20, which connects client services workstations to the customer account database server. He sets up a Wireshark instance on a monitoring workstation configured in mirror mode behind a managed switch to capture traffic. His goal is to detect unencrypted authentication credentials transmitted over HTTP during login sessions. Which Wireshark feature should Thomas use to isolate and analyze these credentials in real time, and how does it assist him?

A.

Use the " Filtering by IP Address " to set a filter for HTTP traffic before capturing

B.

Use the " Monitoring the Specific Ports " to generate a traffic summary and identify HTTP packets

C.

Use the " Follow TCP Stream " to reconstruct and read HTTP session data

D.

Use the " Display Filtering by Protocol " to isolate HTTP traffic and view packet details

Full Access
Question # 61

Which of the following best describes an attack that altered the contents of two critical files?

A.

Availability

B.

Authentication

C.

Confidentially

D.

Integrity

Full Access
Question # 62

As part of an authorized security assessment at a maritime logistics firm in Charleston, South Carolina, an ethical hacker evaluated the organization’s resilience to coordinated endpoint compromise.

Employees received a carefully crafted email attachment disguised as a routine operational update. After execution on several systems, monitoring tools later revealed that the infected machines periodically contacted an external host controlled by the tester.

Over time, the compromised systems began receiving commands from a centralized control server and simultaneously generated coordinated network traffic toward designated targets when instructed, without any direct user interaction.

From a malware classification standpoint, what component is being simulated in this scenario?

A.

Spyware

B.

Scareware

C.

Potentially Unwanted Applications (PUAs)

D.

Botnet Agents

Full Access
Question # 63

A penetration tester is hired to legally assess the security of a company ' s network by identifying vulnerabilities and attempting to exploit them. What type of hacker is this?

A.

Black Hat

B.

Grey Hat

C.

Script Kiddie

D.

White Hat

Full Access
Question # 64

An attacker gained escalated privileges on a critical server. What should be done FIRST to contain the threat with minimal disruption?

A.

Engage a forensic team immediately

B.

Power down the server and isolate it

C.

Monitor, analyze, and then isolate the server

D.

Conduct a vulnerability scan on all servers

Full Access
Question # 65

A penetration tester intercepts HTTP requests between a user and a vulnerable web server. The tester observes that the session ID is embedded in the URL, and the web application does not regenerate the session upon login. Which session hijacking technique is most likely to succeed in this scenario?

A.

Injecting JavaScript to steal session cookies via cross-site scripting

B.

DNS cache poisoning to redirect users to fake sites

C.

Session fixation by pre-setting the token in a URL

D.

Cross-site request forgery exploiting user trust in websites

Full Access
Question # 66

A fintech startup in Austin, Texas deploys several virtual machines within a public cloud environment. During an authorized cloud security assessment, a tester uploads a small script to one of the instances through a web application vulnerability.

After executing the script locally on the instance, the tester retrieves temporary access credentials associated with the instance’s assigned role. These credentials are then used to enumerate storage resources and access additional cloud services within the same account.

Which cloud attack technique best corresponds to this activity?

A.

IMDS Attack

B.

CPDoS Attack

C.

Cloud Snooper Attack

D.

Wrapping Attack

Full Access
Question # 67

While assessing a web server, a tester sends malformed HTTP requests and compares responses to identify the server type and version. What technique is being employed?

A.

Fingerprinting server identity using banner-grabbing techniques

B.

Sending phishing emails to extract web server login credentials

C.

Conducting session fixation using malformed cookie headers

D.

Injecting scripts into headers for persistent XSS attacks

Full Access
Question # 68

During a routine security audit, administrators discover that cloud storage backups were illegally accessed and modified. Which countermeasure would most directly mitigate such incidents in the future?

A.

Implementing resource auto-scaling

B.

Regularly conducting SQL injection testing

C.

Deploying biometric entry systems

D.

Adopting the 3-2-1 backup model

Full Access
Question # 69

An AWS security operations team receives an alert regarding abnormal outbound traffic from an EC2 instance. The instance begins transmitting encrypted data packets to an external domain that resolves to a Dropbox account not associated with the organization. Further analysis reveals that a malicious executable silently modified the Dropbox sync configuration to use the attacker ' s access token, allowing automatic synchronization of internal files to the attacker’s cloud storage. What type of attack has likely occurred?

A.

Cloud Snooper attack leveraging port masquerading

B.

Man-in-the-Cloud (MITC) attack

C.

Side-channel attack exploiting CPU cache

D.

Cryptojacking using Coin Hive scripts

Full Access
Question # 70

An ethical hacker audits a hospital’s wireless network secured with WPA using TKIP and successfully performs packet injection and decryption attacks. Which WPA vulnerability most likely enabled this?

A.

Use of weak Initialization Vectors (IVs)

B.

Dependence on weak passwords

C.

Lack of AES-based encryption

D.

Predictable Group Temporal Key (GTK)

Full Access
Question # 71

A Java app allows file download via user-controlled path. What attack is possible?

A.

SQLi

B.

Path traversal

C.

XSS

D.

CSRF

Full Access
Question # 72

During a red team assessment, an ethical hacker must map a large multinational enterprise’s external attack surface. Due to strict rules of engagement, no active scans may be used. The goal is to identify publicly visible subdomains to uncover forgotten or misconfigured services. Which method should the ethical hacker use to passively enumerate the organization’s subdomains?

A.

Leverage tools like Netcraft or DNSdumpster to gather subdomain information

B.

Attempt to guess admin credentials and access the company’s DNS portal

C.

Conduct a brute-force DNS subdomain enumeration

D.

Request internal DNS records using spoofed credentials

Full Access
Question # 73

A penetration tester is assessing a web application that employs secure, HTTP-only cookies, regenerates session IDs upon login, and uses strict session timeout policies. To hijack a user ' s session without triggering the application ' s security defenses, which advanced technique should the tester utilize?

A.

Perform a session token prediction by analyzing session ID entropy and patterns

B.

Conduct a network-level man-in-the-middle attack to intercept and reuse session tokens

C.

Execute a Cross-Site Request Forgery (CSRF) attack to manipulate session states

D.

Implement a session fixation strategy by pre-setting a session ID before user authentication

Full Access
Question # 74

A penetration tester performs a vulnerability scan on a company’s web server and identifies several medium-risk vulnerabilities related to misconfigured settings. What should the tester do to verify the vulnerabilities?

A.

Use publicly available tools to exploit the vulnerabilities and confirm their impact

B.

Ignore the vulnerabilities since they are medium-risk

C.

Perform a brute-force attack on the web server ' s login page

D.

Conduct a denial-of-service (DoS) attack to test the server ' s resilience

Full Access
Question # 75

A defense contractor in Arlington, Virginia, initiated an internal awareness exercise to test employee susceptibility to human-based manipulation. During the assessment, an individual posing as an external recruitment consultant began casually engaging several engineers at a nearby industry networking event. Over multiple conversations, the individual gradually steered discussions toward current research initiatives, development timelines, and internal project code names. No direct requests for credentials or system access were made. Instead, the information was obtained incrementally through carefully crafted questions embedded within informal dialogue. Which social engineering technique is most accurately demonstrated in this scenario?

A.

Quid Pro Quo

B.

Baiting

C.

Elicitation

D.

Honey Trap

Full Access
Question # 76

An ethical hacker needs to enumerate user accounts and shared resources within a company ' s internal network without raising any security alerts. The network consists of Windows servers running default configurations. Which method should the hacker use to gather this information covertly?

A.

Deploy a packet sniffer to capture and analyze network traffic

B.

Perform a DNS zone transfer to obtain internal domain details

C.

Exploit null sessions to connect anonymously to the IPC$ share

D.

Utilize SNMP queries to extract user information from network devices

Full Access
Question # 77

A penetration tester extracts NTLM hashes but does not crack them, instead reuses them to authenticate. What attack is this?

A.

Kerberoasting

B.

Pass-the-hash

C.

Brute force

D.

Replay attack

Full Access
Question # 78

An employee finds a USB drive labeled “Employee Salary Info 2024” and plugs it into a company computer, causing erratic behavior. What type of social engineering attack is this?

A.

Tempting the victim to engage with a malicious device using curiosity.

B.

Impersonating a senior staff member to extract login credentials.

C.

Using a discarded document to retrieve sensitive information.

D.

Bypassing physical security by following an authorized employee.

Full Access
Question # 79

Olivia, a cybersecurity architect at a Boston-based fintech company, is tasked with upgrading the organization ' s cryptographic infrastructure in preparation for future quantum computing threats. A recent internal audit flagged that sensitive customer data stored in the company ' s cloud environment could be vulnerable if quantum decryption methods become practically viable. To strengthen their post-quantum defense, Olivia must recommend a proactive cryptographic control that ensures long-term confidentiality of stored data, even against advanced quantum attackers.

Which cryptographic defense should Olivia prioritize to mitigate the risk of future quantum-based decryption?

A.

Break data into fragments and distribute it across multiple locations

B.

Encrypt stored data with quantum-resistant algorithms

C.

Use quantum-specific firewalls to protect quantum communication channels

D.

Include quantum-resistance checks in SDLC and code review processes

Full Access
Question # 80

Kevin and his friends are going through a local IT firm ' s garbage. Which of the following best describes this activity?

A.

Intelligence gathering

B.

Reconnaissance

C.

Dumpster diving

D.

Social engineering

Full Access
Question # 81

As an Ethical Hacker, you have been asked to test an application’s vulnerability to SQL injection. During testing, you discover an entry field that appears susceptible. However, the backend database is unknown, and regular SQL injection techniques have failed to produce useful information. Which advanced SQL injection technique should you apply next?

A.

Content-Based Blind SQL Injection

B.

Time-Based Blind SQL Injection

C.

Union-Based SQL Injection

D.

Error-Based SQL Injection

Full Access
Question # 82

Prior to a federal audit, a cybersecurity consulting firm conducted an exposure review for a software company in Salt Lake City, Utah. The engagement focused on evaluating infrastructure reachable through the organization’s publicly registered domain records. The consultants identified open service ports on several servers, examined their patch levels for outdated components, and reviewed available DNS zone information to understand how systems were presented to remote systems. Based on the activities described, what type of vulnerability scanning is being performed?

A.

Internal Scanning

B.

External Scanning

C.

Manual Scanning

D.

Network-based Scanning

Full Access
Question # 83

You are an ethical hacker at Northpoint Assessments, engaged to map the wireless footprint around Harborview Plaza in San Francisco, California. To enumerate nearby networks and prompt devices to reveal SSIDs and capabilities, you actively send crafted management frames from your laptop and log each AP ' s immediate responses (including probe responses and capability information), rather than only listening for broadcasts. Based on the described activity, which Wi-Fi discovery technique are you performing?

A.

Network Discovery Software

B.

Passive Footprinting

C.

Wash Command

D.

Active Footprinting

Full Access
Question # 84

Ethan works as a penetration tester at CyberGuard Solutions, a cybersecurity consulting firm in Raleigh, North Carolina. During an authorized security assessment of a regional insurance company, Ethan was provided with a set of password hashes to evaluate the strength of employee-generated credentials.

To test resistance against word-based password creation patterns, Ethan supplied a single custom wordlist containing common organizational terms and department names into his cracking tool. The tool automatically generated password candidates by linking multiple entries from that same list in varying combinations before attempting to match them against the hashes.

This approach proved highly effective against passwords formed by concatenating familiar words.

Which of the following password-cracking techniques is Ethan using?

A.

PRINCE Attack

B.

Combinator Attack

C.

Markov-Chain Attack

D.

Fingerprint Attack

Full Access
Question # 85

The tools which receive event logs from servers, network equipment, and applications, and perform analysis and correlation on those logs, and can generate alarms for security relevant issues, are known as what?

A.

Intrusion Prevention Server

B.

Security Incident and Event Monitoring

C.

Network Sniffer

D.

Vulnerability Scanner

Full Access
Question # 86

You are conducting a security audit at a government agency. During your walkthrough, you observe a temporary contractor sitting in the staff lounge using their smartphone to discretely record employees as they enter passwords into their systems. Upon further investigation, you find discarded documents in a nearby trash bin containing sensitive project information. What type of attack is most likely being performed?

A.

Cisco-in attack

B.

Insider attack

C.

Distribution attack

D.

Passive attack

Full Access
Question # 87

A vulnerability has a score of 9.8. What does this rating help explain?

A.

It quantifies impact and exploitability to prioritize remediation

B.

It measures authentication errors

C.

It generates exploit payloads

D.

It classifies attacks qualitatively

Full Access
Question # 88

In Dallas, Texas, ethical hacker Ethan Brooks is hired by Lone Star Credit Union to assess the security of their online banking portal, which processes customer transactions. During his penetration test, Ethan probes the web server hosting the portal, experimenting with crafted URL requests. He notices that by altering the URL parameters in a specific way, the server returns data from areas of the system that should be restricted, revealing configuration files not intended for public access. Suspecting this behavior indicates a vulnerability, Ethan documents the issue to help the security team strengthen their defenses against potential unauthorized access.

Which technique is Ethan most likely using to uncover the vulnerability in Lone Star Credit Union’s web server?

A.

Password Cracking

B.

Web Cache Poisoning

C.

HTTP Response Splitting

D.

Directory Traversal

Full Access
Question # 89

During a penetration test at a telecom provider in Denver, Colorado, Maria, a senior ethical hacker, notices that her scans are immediately flagged by intrusion detection systems. She modifies her technique, and as a result, the IDS devices are unable to reassemble the packets correctly, allowing her probes to slip through without detection. Which scanning evasion technique is Maria applying in this case?

A.

Packet Fragmentation

B.

Source Routing

C.

Decoy Scanning

D.

IP Spoofing

Full Access
Question # 90

A penetration tester evaluates an industrial control system (ICS) that manages critical infrastructure. The tester discovers that the system uses weak default passwords for remote access. What is the most effective method to exploit this vulnerability?

A.

Perform a brute-force attack to guess the system ' s default passwords

B.

Execute a Cross-Site Request Forgery (CSRF) attack to manipulate system settings

C.

Conduct a denial-of-service (DoS) attack to disrupt the system temporarily

D.

Use the default passwords to gain unauthorized access to the ICS and control system operations

Full Access
Question # 91

At a power distribution facility in Phoenix, Arizona, ethical hacker Sameer Das is performing an OT security assessment. He demonstrates that a programmable controller accepts modifications delivered over the network without checking the origin or cryptographic validity of the package. By uploading altered instructions, he changes how the controller processes commands during operations. Which IoT/OT threat best represents this technique?

A.

Firmware update attack

B.

Forged malicious device

C.

Remote access using backdoor

D.

Exploit kits

Full Access
Question # 92

An internal audit at a pharmaceutical research company in San Diego, California, revealed that a directory server was reachable from a restricted testing subnet. Security analyst Daniel Harper initiated a basic directory query using simple authentication to validate connectivity. The query succeeded, confirming that the server was responding to unauthenticated search requests.

To understand the structural layout of the directory before performing deeper queries, Daniel needed to retrieve the base-level naming context entries exposed by the server. His objective was to identify the root domain components and configuration partitions before constructing targeted search filters.

Which command should Daniel execute to obtain the directory naming context information?

A.

ldapsearch -x -h < host > -b " DC=htb,DC=local " objectclass= " * "

B.

ldapsearch -h < host > -x

C.

ldapsearch -h < host > -x -b " DC=htb,DC=local "

D.

ldapsearch -h < host > -x -s base namingContexts

Full Access
Question # 93

A major financial institution is experiencing persistent DoS attacks against online banking, disrupting transactions. Which sophisticated DoS technique poses the greatest challenge to detect and mitigate effectively, potentially jeopardizing service availability?

A.

A synchronized Layer 3 Smurf attack flooding routers with ICMP echo requests

B.

A distributed SQL injection attack against online banking database servers causing resource exhaustion

C.

A zero-day buffer overflow exploit against the web server causing service unavailability via RCE

D.

A coordinated UDP flood targeting authoritative DNS servers to disrupt domain resolution

Full Access
Question # 94

Which encryption method supports secure key distribution?

A.

Disk encryption

B.

Symmetric encryption

C.

Hash functions

D.

Asymmetric encryption

Full Access
Question # 95

Which attack manipulates hidden fields?

A.

SQLi

B.

XSS

C.

Parameter tampering

D.

CSRF

Full Access
Question # 96

Which strategy best mitigates session hijacking?

A.

IPsec VPN encryption

B.

Physical security

C.

Network IPS

D.

Security awareness training

Full Access
Question # 97

After a breach, investigators discover attackers used modified legitimate system utilities and a Windows service to persist undetected and harvest credentials. What key step would best protect against similar future attacks?

A.

Disable unused ports and restrict outbound firewall traffic

B.

Perform weekly backups and store them off-site

C.

Ensure antivirus and firewall software are up to date

D.

Monitor file hashes of critical executables for unauthorized changes

Full Access
Question # 98

During a cryptographic audit of a legacy system, a security analyst observes that an outdated block cipher is leaking key-related information when analyzing large sets of plaintext–ciphertext pairs. What approach might an attacker exploit here?

A.

Launch a key replay through IV duplication

B.

Use linear approximations to infer secret bits

C.

Modify the padding to obtain plaintext

D.

Attack the hash algorithm for collisions

Full Access
Question # 99

During a reconnaissance engagement at a law firm in Houston, Texas, you are tasked with analyzing the physical movement of employees through their publicly shared media. By examining geotagged images and mapping them to specific locations, you aim to evaluate whether staff are unintentionally disclosing sensitive information about office routines. Which tool from the reconnaissance toolkit would best support this task?

A.

Creepy

B.

Social Searcher

C.

Sherlock

D.

Maltego

Full Access
Question # 100

During a penetration test at Cascade Financial in Raleigh, ethical hacker Ethan Brooks evaluates the security of the company ' s authentication system. He observes that the application accepts a high volume of repeated credential submissions without introducing any additional challenge, allowing automated scripts to cycle rapidly through large password lists. Ethan advises the IT team to deploy a control that forces interaction steps designed to disrupt automation.

Which countermeasure should the IT team adopt in this scenario?

A.

Use strong hashing algorithms

B.

Implement 2FA/MFA

C.

Use CAPTCHA challenges on login and registration pages

D.

Force periodic password changes

Full Access
Question # 101

A fintech startup in Austin, Texas authorizes a controlled red team engagement to evaluate the resilience of its web-based loan management platform. At the outset of the engagement, the assessment team concentrates on developing a structural understanding of the application.

They examine publicly exposed endpoints, observe server responses under different navigation paths, identify accessible directories, and document the relationships between client-side scripts, form parameters, and backend behaviors. Error handling patterns and response variations are cataloged to understand how user interactions are processed across various components of the platform.

The collected information is used to guide strategic planning for subsequent phases of the engagement.

Within the web application hacking methodology, which phase is most accurately demonstrated in this scenario?

A.

Maintaining Access

B.

Scanning

C.

Gaining Access

D.

Reconnaissance

Full Access
Question # 102

Which wireless attack captures handshake?

A.

Deauth

B.

Jamming

C.

Spoofing

D.

Replay

Full Access
Question # 103

What is a “Collision attack” in cryptography?

A.

Collision attacks try to find two inputs producing the same hash

B.

Collision attacks try to get the public key

C.

Collision attacks try to break the hash into three parts to get the plaintext value

D.

Collision attacks try to break the hash into two parts, with the same bytes in each part to get the private key

Full Access
Question # 104

An attacker exploits a misconfigured S3 bucket containing application backups with database credentials. What cloud security failure category does this fall under?

A.

Misconfiguration

B.

Insider threat

C.

Zero-day vulnerability

D.

Malware infection

Full Access
Question # 105

A government agency trains a group of cybersecurity experts to carry out covert cyber missions against foreign threats and gather intelligence without being detected. These experts work exclusively for national interests. What classification best describes them?

A.

Organized hackers

B.

State-sponsored hackers

C.

Hacktivists

D.

Gray hat hackers

Full Access
Question # 106

Anthony works as a security consultant for a financial services firm in Chicago, Illinois. During an internal engagement, he reviews traffic logs and observes repeated connection attempts to a service that appears to provide directory-related information beyond a single domain. The responses suggest that the underlying database contains entries representing objects across the entire organization rather than being limited to a single segment.

As Anthony continues his assessment, he notices that administrators commonly connect to this service when troubleshooting directory-related issues. The service listens on a dedicated port and allows object searches across multiple domains without requiring prior knowledge of the specific domain name.

Which service is Anthony most likely enumerating?

A.

Microsoft RPC Endpoint Mapper (TCP/UDP 135)

B.

Global Catalog Service (TCP/UDP 3268)

C.

Lightweight Directory Access Protocol (TCP/UDP 389)

D.

Session Initiation Protocol (TCP/UDP 5060, 5061)

Full Access
Question # 107

You are an ethical hacker at SecureNet Solutions, conducting a penetration test for BlueRidge Manufacturing in Denver, Colorado. While auditing their wireless network, you observe that the access point uses a security protocol that employs the RC4 algorithm with a 24-bit initialization vector IV to encrypt data between network clients. Based on the observed encryption characteristics, which wireless encryption protocol is the access point using?

A.

WPA

B.

WPA2

C.

WEP

D.

WPA3

Full Access
Question # 108

Which attack best demonstrates covert eavesdropping via smartphone sensors?

A.

Malicious APK exploitation

B.

Man-in-the-Disk attack

C.

Spearphone attack

D.

Tap ‘n Ghost attack

Full Access
Question # 109

You are Riley, an incident responder at NovaEx Crypto in San Antonio, Texas, tasked with investigating a recent double-spend reported by a retail merchant that accepts the exchange ' s token. Your telemetry shows that a reseller node used by the merchant received blocks only from a small, fixed set of peers for several hours and accepted a conflicting history that later allowed the attacker to reverse a confirmed payment. The attacker appears to have controlled which peers that node communicated with and supplied it a private chain until they were ready to reveal it. Which blockchain attack does this behavior most closely describe?

A.

Finney Attack

B.

DeFi Sandwich Attack

C.

51% Attack

D.

Eclipse Attack

Full Access
Question # 110

During a penetration test at Sunshine Media ' s streaming platform in Miami, ethical hacker Sofia Alvarez examines whether the company ' s web server exposes sensitive resources through poor configuration. She finds that a crawler directive at the server ' s root allows unintended indexing of restricted areas. This oversight reveals internal paths that may expose hidden links, confidential files, or other sensitive information.

Which technique is Sofia most likely using in this assessment?

A.

Vulnerability Scanning

B.

Information Gathering from robots.txt File

C.

Web Server Footprinting/Banner Grabbing

D.

Directory Brute Forcing

Full Access
Question # 111

During a red team exercise for a global insurance provider in Chicago, ethical hacker Maria tests the effectiveness of the company ' s endpoint defenses. She launches an attack by injecting malicious PowerShell commands into a trusted process without dropping any executables to disk. The code executes entirely in memory, generating abnormal spikes in resource usage. After a reboot, Maria notes that the system returns to normal and traditional antivirus logs show no evidence of infection.

Which type of malware technique did Maria most likely use in this test?

A.

Rootkit

B.

Trojan

C.

Fileless Malware

D.

Ransomware

Full Access
Question # 112

What is sandbox evasion?

A.

Malware hiding

B.

Firewall bypass

C.

Encryption

D.

IDS bypass

Full Access
Question # 113

As part of an insider threat simulation at a multinational insurance firm, lead red teamer John is asked to assess whether internal directory services are exposing sensitive user data. Gaining limited VPN access, he begins probing port 389 on a staging environment connected to the main domain infrastructure. After discovering that anonymous binds are accepted by the directory service, John launches a utility from his Kali machine that allows command-line interaction with directory entries. He structures his query to search for user objects with associated organizational units. Moments later, John reviews the output which includes usernames, group memberships, and departmental hierarchies all retrieved without authentication.

Which tool is John MOST likely using to perform this enumeration?

Full Access
Question # 114

A penetration tester discovers that a web application is vulnerable to Local File Inclusion (LFI) due to improper input validation in a URL parameter. Which approach should the tester take to exploit this vulnerability?

A.

Conduct a brute-force attack on the admin login page to gain access

B.

Inject SQL commands into the URL parameter to test for database vulnerabilities

C.

Perform a Cross-Site Scripting (XSS) attack by injecting malicious scripts into the URL

D.

Use directory traversal to access sensitive files on the server, such as /etc/passwd

Full Access
Question # 115

During testing against a network protected by a signature-based IDS, the tester notices that standard scans are blocked. To evade detection, the tester sends TCP headers split into multiple small IP fragments so the IDS cannot reassemble or interpret them, but the destination host can. What technique is being used?

A.

IP decoying with randomized address positions

B.

SYN scan with spoofed MAC address

C.

Packet crafting with randomized window size

D.

Packet fragmentation to bypass filtering logic

Full Access
Question # 116

A penetration tester is tasked with assessing the security of an Android mobile application that stores sensitive user data. The tester finds that the application does not use proper encryption to secure data at rest. What is the most effective way to exploit this vulnerability?

A.

Access the local storage to retrieve sensitive data directly from the device

B.

Use SQL injection to retrieve sensitive data from the backend server

C.

Execute a Cross-Site Scripting (XSS) attack to steal session cookies

D.

Perform a brute-force attack on the application ' s login credentials

Full Access
Question # 117

During a targeted intrusion against a cloud infrastructure company in Salt Lake City, Utah, an attacker distributes a modified installation package of a legitimate network diagnostic utility widely used by employees. Before distributing the package, the attacker binds a malicious remote-access payload with the original executable so that both components are installed together.

When users launch the diagnostic tool, it performs its normal troubleshooting functions, while the hidden payload simultaneously executes in the background and establishes communication with a remote command server.

From a malware deployment perspective, what technique best describes this approach?

A.

Wrapper

B.

Downloader

C.

Packer

D.

Dropper

Full Access
Question # 118

You are Alex, a forensic responder at HarborHealth in Seattle, Washington. During a live incident response you must secure an enterprise Windows server ' s system partition and attached data volumes without rebooting user machines or disrupting domain authentication. The IT team prefers a solution that integrates with Windows platform features (including hardware-backed startup protection and centralized key escrow via Active Directory/management policies) and provides transparent full-disk protection for the OS volume. Which disk-encryption solution should you deploy?

A.

FileVault

B.

BitLocker Drive Encryption

C.

VeraCrypt

D.

Rohos Disk Encryption

Full Access
Question # 119

During a physical penetration test at Sterling Electronics in Cleveland, ethical hacker Priya waits near the employee entrance during a shift change. When a group of staff enters the building using their access cards, Priya closely follows behind without swiping her own badge. None of the employees confront her, assuming she belongs there. Once inside, Priya proceeds to the break area where she documents the success of the exercise.

Which social engineering technique is Priya demonstrating?

A.

Shoulder Surfing

B.

Dumpster Diving

C.

Tailgating

D.

Piggybacking

Full Access
Question # 120

Which address translation scheme would allow a single public IP address to always correspond to a single machine on an internal network, allowing " server publishing " ?

A.

Static Network Address Translation

B.

Overloading Port Address Translation

C.

Address Translation

D.

Dynamic Network

E.

Dynamic Port Address Translation

Full Access
Question # 121

You are Michael, an ethical hacker at a New York–based e-commerce company performing a security review of their payment-signing service. While observing the signing process (without access to private keys), you note the service generates a fresh random value for each signature operation, the signature algorithm uses modular arithmetic in a subgroup defined by public domain parameters, and signatures are verified with a public verification key rather than by decrypting the message. Which asymmetric algorithm best matches the signing mechanism you observed?

A.

DSA

B.

RSA

C.

Diffie-Hellman

D.

ElGamal

Full Access
Question # 122

While simulating a reconnaissance phase against a cloud-hosted retail application, your team attempts to gather DNS records to map the infrastructure. You avoid brute-forcing subdomains and instead aim to collect specific details such as the domain’s mail server, authoritative name servers, and potential administrative information such as serial number and refresh interval.

Given these goals, which DNS record type should you query to extract both administrative and technical metadata about the target zone?

A.

TXT

B.

MX

C.

NS

D.

SOA

Full Access
Question # 123

A university authorizes a wireless protocol resilience assessment on its WPA2-secured network. An ethical hacker positions a testing device within range of an access point and observes the key negotiation exchange between the client and the access point.

By selectively retransmitting a previously captured handshake message at a precise moment in the exchange, the tester causes the client device to reinstall an already negotiated encryption key. Subsequent traffic patterns reveal that certain protections expected from unique session parameters are no longer consistently enforced.

What kind of wireless attack technique is being illustrated in this scenario?

A.

Key Reinstallation Attack (KRACK)

B.

Replay Attack

C.

Man-in-the-Middle Attack

D.

WPA2 PSK Offline Cracking

Full Access
Question # 124

A health-tech startup in Raleigh, North Carolina operates a Kubernetes cluster supporting patient-facing microservices. During an authorized security assessment, a certified ethical hacker reviews internal cluster activity records available to operations personnel.

While analyzing these records, the tester notices that authentication artifacts associated with service accounts are recorded within system-generated output. The tester determines that if an individual obtained access to these records, they could reuse the captured authentication material to interact with cluster resources under the same privileges.

Which Kubernetes vulnerability best corresponds to this condition?

A.

No Certificate Revocation

B.

Unauthenticated HTTPS Connections

C.

No Non-repudiation

D.

Exposed Bearer Tokens in Logs

Full Access
Question # 125

Which of the following tools performs comprehensive tests against web servers, including dangerous files and CGIs?

A.

John the Ripper

B.

Dsniff

C.

Snort

D.

Nikto

Full Access
Question # 126

A manufacturing company in Columbus, Ohio, reported a surge in internal support tickets after employees received an alarming email appearing to originate from an independent cybersecurity researcher.

The message claimed that a newly discovered malware strain was actively targeting corporate email systems and stated that several Fortune 500 organizations had already been compromised. It encouraged recipients to immediately circulate the message within their departments “to minimize exposure,” warning that failure to act quickly could result in data loss.

The email did not request credentials, payment, or direct downloads. However, it relied heavily on dramatic language and cited unverifiable statistics to increase urgency and credibility.

From a social engineering classification standpoint, how should this technique be categorized?

A.

Scareware Designed to Trick Users into Installing Rogue Software

B.

Spam Email Used for Mass Unsolicited Distribution

C.

Chain Letters that Incentivize Forwarding Messages

D.

Hoax Letters that Spread False Security Warnings

Full Access
Question # 127

A penetration tester targets a company ' s executive assistants by referencing upcoming board meetings in an email requesting access to confidential agendas. What is the most effective social engineering technique to obtain the necessary credentials without raising suspicion?

A.

Create a personalized email referencing specific meetings and request access

B.

Call posing as a trusted IT support to verify credentials

C.

Send a mass phishing email with a fake meeting link

D.

Develop a fake LinkedIn profile to connect and request information

Full Access
Question # 128

During a quarterly vulnerability management review at RedCore Motors, Priya finalizes the deployment of Nessus Essentials across the company ' s IT infrastructure. The solution is selected for its ability to support diverse technologies including operating systems, databases, web servers, and virtual environments. While preparing a training session for junior analysts, Priya asks them to identify a capability that Nessus Essentials is specifically designed to provide as part of its scanning process.

Which capability is Nessus Essentials specifically designed to provide?

A.

Patch management for operating systems and third-party applications

B.

High-speed asset discovery

C.

Checks for outdated versions across a wide range of server and service technologies

D.

Agent-based detection

Full Access
Question # 129

Which of the following is the primary goal of ethical hacking?

A.

To disrupt services by launching denial-of-service attacks

B.

To identify and fix security vulnerabilities in a system

C.

To steal sensitive information from a company ' s network

D.

To spread malware to compromise multiple systems

Full Access
Question # 130

During a red team assessment at Sunshine Credit Union in Miami, ethical hacker Laura demonstrates a weakness in the company ' s session handling process. She shows that once a user logs in, the same authentication token assigned before login continues to be valid without being refreshed. Laura explains that an attacker could exploit this flaw by tricking a victim into authenticating with a value already known to the attacker, gaining access afterward. To mitigate this risk, the IT team agrees to apply a countermeasure focused on proper session lifecycle management.

Which countermeasure should the IT team implement?

A.

Implement SSL to encrypt all information in transit via the network

B.

Use restrictive cache directives for all the web traffic through HTTP and HTTPS

C.

Regenerate the session ID after a successful login to prevent session fixation attacks

D.

Do not create sessions for unauthenticated users unless necessary

Full Access
Question # 131

A state benefits processing platform in Sacramento, California, implemented a multi-step identity verification process before granting access to sensitive citizen records. During a controlled assessment, security analyst Daniel Kim observed that by altering specific request parameters within the transaction sequence, it was possible to bypass an intermediate verification stage and retrieve restricted account data.

Further analysis revealed that the authentication workflow advanced through sequential client-driven interactions, but the server did not enforce strict validation of completion for each required stage before granting access.

Based on the scenario, which vulnerability classification best describes the issue identified?

A.

Poor Patch Management

B.

Design Flaws

C.

Application Flaws

D.

Misconfigurations / Weak Configurations

Full Access
Question # 132

A penetration tester submits altered ciphertexts to a web server and pays close attention to how the server responds. When the server produces different error messages for certain inputs, the tester starts to infer which inputs result in valid internal processing. Which cryptanalytic method is being used in this scenario?

A.

Exploit padding error feedback to recover data

B.

Compare traffic timing to deduce the key

C.

Flip bits randomly to scramble the decryption

D.

Inspect randomness across multiple sessions

Full Access
Question # 133

In Seattle, Washington, ethical hacker Mia Chen is hired by Pacific Trust Bank to test the security of their corporate network, which stores sensitive customer financial data. During her penetration test, Mia conducts a thorough reconnaissance, targeting a server that appears to host a critical database of transaction records. As she interacts with the server, she notices it responds promptly to her queries but occasionally returns error messages that seem inconsistent with a production system’s behavior, such as unexpected protocol responses. Suspicious that this server might be a decoy designed to monitor her actions, Mia applies a technique to detect inconsistencies that may reveal the system as a honeypot.

Which technique is Mia most likely using to determine if the server at Pacific Trust Bank is a honeypot?

A.

Analyzing Response Time

B.

Analyzing MAC Address

C.

Fingerprinting the Running Service

D.

Analyzing System Configuration and Metadata

Full Access
Question # 134

While auditing legacy network devices at a public hospital in Miami, Jason, a penetration tester, needs to verify what SNMP traffic is leaking across the internal segment. Instead of running structured queries, he decides to capture live network traffic and manually review the protocol fields. This method allows him to see SNMP requests and responses in transit but requires manual parsing of OIDs, community strings, and variable bindings.

Which method should Jason use in this situation?

A.

Nmap

B.

Wireshark

C.

SnmpWalk

D.

SoftPerfect Network Scanner

Full Access
Question # 135

An attacker abuses PowerShell heavily. Which log helps most?

A.

DNS logs

B.

Firewall logs

C.

Syslog

D.

PowerShell script block logs

Full Access
Question # 136

In the bustling digital marketplace of Miami ' s tech corridor, ethical hacker Sofia Alvarez probes the virtual defenses of RetailRush, a US-based online retailer hosting thousands of daily transactions. Tasked with exposing weaknesses in the web server ' s URL processing, Sofia submits crafted requests to manipulate resource paths. Her tests uncover a severe flaw: the server grants access to restricted system files, exposing sensitive configuration data. Further scrutiny reveals the issue stems from the server ' s failure to validate input paths, not from header manipulation, cached content tampering, or credential compromise. Committed to hardening the platform, Sofia drafts a precise report to direct the security team toward immediate fixes.

Which web server attack type is Sofia most likely exploiting in RetailRush ' s web server?

A.

Directory Traversal Attack

B.

Web Cache Poisoning Attack

C.

HTTP Response Splitting Attack

D.

Password Cracking Attack

Full Access
Question # 137

A security researcher reviewing an organization ' s website source code finds references to Amazon S3 file locations. What is the most effective way to identify additional publicly accessible S3 bucket URLs used by the target?

A.

Exploit XSS to force the page to reveal the S3 links

B.

Use Google advanced search operators to enumerate S3 bucket URLs

C.

Use SQL injection to extract internal file paths from the database

D.

Perform packet sniffing to intercept internal S3 bucket names

Full Access
Question # 138

At a New York-based e-commerce company preparing for Black Friday sales, analyst Sarah evaluates cloud billing practices. She notices that the provider tracks compute hours, storage usage, and bandwidth consumption in detail, enabling the company to pay only for what is consumed while also supporting audits. Which cloud computing characteristic best explains this feature?

A.

Measured service

B.

Broad network access

C.

On-demand self-service

D.

Resource pooling

Full Access
Question # 139

A red team member uses an access token obtained from an Azure function to authenticate with Azure PowerShell and retrieve storage account keys. What kind of abuse does this scenario demonstrate?

A.

Gathering NSG rule information

B.

Exploiting managed identities for unauthorized access

C.

Lateral movement via Stormspotter

D.

Enumeration of user groups with AzureGraph

Full Access
Question # 140

While evaluating a smart card implementation, a security analyst observes that an attacker is measuring fluctuations in power consumption and timing variations during encryption operations on the chip. The attacker uses this information to infer secret keys used within the device. What type of exploitation is being carried out?

A.

Disrupt control flow to modify instructions

B.

Observe hardware signals to deduce secrets

C.

Crack hashes using statistical collisions

D.

Force session resets through input flooding

Full Access
Question # 141

Packet fragmentation is used as an evasion technique. Which IDS configuration best counters this?

A.

Recognizing regular fragmented packet intervals

B.

Anomaly-based IDS detecting irregular traffic patterns

C.

Rejecting all fragmented packets

D.

Signature-based IDS detecting fragmented packet signatures

Full Access
Question # 142

During a penetration test at Pacific Shipping Co. in Seattle, ethical hacker Mia Chen evaluates the defenses protecting the company ' s web-facing servers. She observes that the security system is not only checking basic packet headers but also validating session state and performing some application-level analysis. This multilayer approach makes it more difficult for Mia to bypass the firewall using simple fragmentation or tunneling attacks.

Which type of firewall is Mia most likely facing?

A.

Packet Filtering Firewall

B.

Stateful Multilayer Inspection Firewall

C.

Application-Level Firewall

D.

Circuit-Level Gateway Firewall

Full Access
Question # 143

What is SMB relay attack?

A.

DoS

B.

Spoofing

C.

MITM

D.

Replay

Full Access
Question # 144

Which vulnerability exploits memory corruption?

A.

XSS

B.

Buffer overflow

C.

CSRF

D.

SQLi

Full Access
Question # 145

In Austin, Texas, ethical hacker Michael Reyes is conducting a red team exercise for Horizon Tech, a software development firm. During his assessment, Michael crafts a malicious link that appears to lead to the company ' s internal project management portal. When an unsuspecting employee clicks the link, it redirects them to a login session that Michael has already initialized with the server. After the employee logs in, Michael uses that session to access the portal in a controlled test, demonstrating a vulnerability to the IT team.

Which session hijacking technique is Michael using in this red team exercise?

A.

Session donation attack

B.

Session replay attack

C.

Session sniffing

D.

Session fixation attack

Full Access
Question # 146

During an external assessment of a regional retail company ' s digital infrastructure, security analyst Joe is assigned to map internal services without active intrusion. While testing the behavior of a publicly exposed resolution system, he discovers that a secondary system responds unusually to structured queries. When he issues a specific request format, the server replies with a full list of internal mappings, including subdomains, mail hosts, and system aliases without requiring credentials or triggering alerts.

Which technique was most likely used to obtain this information?

A.

LDAP Enumeration

B.

NTP Enumeration

C.

DNS Zone Transfer Enumeration

D.

NetBIOS Enumeration

Full Access
Question # 147

A DNS server responds with different IP addresses rapidly for the same domain, pointing to constantly changing hosts. What technique is being used?

A.

DNS tunneling

B.

DNS poisoning

C.

Fast flux

D.

Zone transfer

Full Access
Question # 148

During enumeration, a tool sends requests to UDP port 161 and retrieves a large list of installed software due to a publicly known community string. What enabled this technique to work so effectively?

A.

Unencrypted FTP services storing software data

B.

The SNMP agent allowed anonymous bulk data queries due to default settings

C.

Remote access to encrypted Windows registry keys

D.

SNMP trap messages logged in plain text

Full Access
Question # 149

Michael, an ethical hacker at a New York-based e-commerce company, is evaluating the security of their online payment system after a recent incident where fraudulent transactions went undetected. His investigation reveals that the system uses an asymmetric encryption algorithm to ensure the authenticity of payment confirmations. He finds that the algorithm employs a public-key cryptosystem, where the sender signs the transaction with a private key, and the recipient verifies it using a corresponding public key located in a directory. During his test, Michael intercepts a signed message and notices that the algorithm supports modular exponentiation for generating digital signatures, a process critical for verifying the identity of the signatory. He aims to assess if the algorithm’s configuration could be vulnerable to a man-in-the-middle attack due to its key structure.

Which asymmetric encryption algorithm should Michael identify as the one used by the payment system?

A.

Diffie-Hellman

B.

RSA

C.

ElGamal

D.

DSA

Full Access
Question # 150

A financial clearinghouse in Newark, New Jersey, initiated a structured vulnerability review across its enterprise servers. The scanning platform was configured to collect detailed information about installed updates, local security configurations, and system policy settings on each target machine. The resulting report contained granular host-level findings, including configuration inconsistencies and patch gaps that required direct system-level inspection to obtain. Based on the activity described, what type of vulnerability scanning is being performed?

A.

Automated Scanning

B.

Non-Credentialed Scanning

C.

Application Scanning

D.

Credentialed Scanning

Full Access
Question # 151

A penetration tester identifies that a web application ' s login form is not using secure password hashing mechanisms, allowing attackers to steal passwords if the database is compromised. What is the best approach to exploit this vulnerability?

A.

Perform a dictionary attack using a list of commonly used passwords against the stolen hash values

B.

Input a SQL query to check for SQL injection vulnerabilities in the login form

C.

Conduct a brute-force attack on the login form to guess weak passwords

D.

Capture the login request using a proxy tool and attempt to decrypt the passwords

Full Access
Question # 152

During a red team engagement, an ethical hacker discovers that a thermostat accepts older firmware versions without verifying their authenticity. By loading a deprecated version containing known vulnerabilities, the tester gains unauthorized access to the broader network. Which IoT security issue is most accurately demonstrated in this scenario?

A.

Lack of secure update mechanisms

B.

Denial-of-service through physical tampering

C.

Insecure network service exposure

D.

Use of insecure third-party components

Full Access
Question # 153

An attacker, using a rogue wireless AP, performed an MITM attack and injected an HTML code to embed a malicious applet in all HTTP connections. When users accessed any page, the applet ran and exploited many machines. Which one of the following tools the hacker probably used to inject HTML code?

A.

Wireshark

B.

Aircrack-ng

C.

Ettercap

D.

Tcpdump

Full Access
Question # 154

During a penetration test for a U.S.-based retail company, John gains access to a secondary server that responds unusually to structured queries. By sending a specially crafted request, he receives a full list of subdomains, MX records, and aliases belonging to the target organization. The response exposes sensitive internal mappings that could be leveraged for further attacks.

Which tool was MOST likely used to perform this enumeration?

A.

smtp-user-enum.pl -u user -t host

B.

ldapsearch -h -x

C.

nbtstat -A

D.

dig @server axfr

Full Access
Question # 155

User A is writing a sensitive email message to user B outside the local network. User A has chosen to use PKI to secure his message and ensure only user B can read the sensitive email. At what layer of the OSI layer does the encryption and decryption of the message take place?

A.

Transport

B.

Presentation

C.

Application

D.

Session

Full Access
Question # 156

A Certified Ethical Hacker (CEH) is auditing a company’s web server that employs virtual hosting. The server hosts multiple domains and uses a web proxy to maintain anonymity and prevent IP blocking. The CEH discovers that the server’s document directory (containing critical HTML files) is named “certrcx” and stored in /admin/web. The server root (containing configuration, error, executable, and log files) is also identified. The CEH also notes that the server uses a virtual document tree for additional storage. Which action would most likely increase the security of the web server?

A.

Moving the document root directory to a different disk

B.

Regularly updating and patching the server software

C.

Changing the server’s IP address regularly

D.

Implementing an open-source web server architecture such as LAMP

Full Access
Question # 157

A tester evaluates a login form that constructs SQL queries using unsanitized user input. By submitting 1 OR ' T ' = ' T ' ; --, the tester gains unauthorized access to the application. What type of SQL injection has occurred?

A.

Tautology-based SQL injection

B.

Error-based SQL injection

C.

Union-based SQL injection

D.

Time-based blind SQL injection

Full Access
Question # 158

Using nbtstat -A < IP > , NetBIOS names including < 20 > and < 03 > are retrieved, but shared folders cannot be listed. Why?

A.

File and printer sharing is disabled

B.

NetBIOS runs on a non-standard port

C.

nbtstat cannot enumerate shared folders

D.

The host is not in an AD domain

Full Access
Question # 159

During a red team assessment of a mid-sized insurance provider in Denver, Colorado, testers established persistent access on an internal developer workstation after exploiting a misconfigured automation service. To sustain command-and-control without triggering perimeter defenses, they configured a low-bandwidth outbound channel designed to blend into infrastructure traffic that is routinely permitted through egress controls.

Security operations later identified periodic outbound communication from the compromised host to a single unfamiliar external endpoint not associated with approved vendors or user activity. The traffic was distributed over time rather than bursty. Although the exchanges resembled legitimate service requests, packet inspection revealed irregular payload sizing and structured encoding patterns inconsistent with typical client behavior across the environment.

What covert communication technique was most likely used to sustain the red team’s access?

A.

ICMP Tunneling

B.

TCP Sequence Tunneling

C.

HTTP/S Tunneling

D.

DNS Tunneling

Full Access
Question # 160

At a government research lab, cybersecurity officer Nikhil is compiling a vulnerability assessment report after scanning the internal subnet. As part of his documentation, he lists the IP addresses of all scanned hosts and specifies which machines are affected. He includes tables categorizing discovered vulnerabilities by type such as outdated software, default credentials, and open ports.

Which section of the vulnerability assessment report is Nikhil working on?

A.

Findings

B.

Risk Assessment

C.

Supporting Information

D.

Assessment Overview

Full Access
Question # 161

An attacker uses many plaintext–ciphertext pairs and applies statistical analysis to XOR combinations of specific bits. Which technique is being used?

A.

Brute-force attack

B.

Differential cryptanalysis

C.

Linear cryptanalysis

D.

Side-channel attack

Full Access
Question # 162

A Windows system shows LSASS memory access by unknown processes. What attack is likely?

A.

SQLi

B.

XSS

C.

Credential dumping

D.

DoS

Full Access
Question # 163

Which social engineering attack involves impersonating a co-worker or authority figure to extract confidential information?

A.

Phishing

B.

Pretexting

C.

Quid pro quo

D.

Baiting

Full Access
Question # 164

You are Jordan, a cryptographic assessor at Cascade Data in Portland, Oregon, reviewing the protection applied to telemetry logs. Your review finds an algorithm that operates on 128-bit blocks, accepts keys up to 256 bits, and the documentation notes it was one of the finalists in the AES selection process that aimed to replace legacy DES. Which symmetric encryption algorithm should you identify as being used?

A.

RC4

B.

AES

C.

Blowfish

D.

Twofish

Full Access
Question # 165

What is lateral movement?

A.

Data exfiltration

B.

Pivoting

C.

Privilege escalation

D.

Network traversal

Full Access
Question # 166

During a red team exercise at Orion Tech Systems in San Jose, ethical hacker Nadia creates a campaign of fraudulent messages targeting employees. She uses compromised social media accounts to distribute bulk invitations that contain links to a fake cloud collaboration site. Several employees click the links and are prompted to log in with their corporate credentials, which Nadia captures. Although the lure appears to be a professional networking opportunity, the tactic relies on unsolicited deceptive messages delivered at scale.

Which social engineering threat is Nadia simulating in this campaign?

A.

Catfishing

B.

Angler Phishing

C.

Spam and Phishing

D.

Involuntary Data Leakage

Full Access
Question # 167

You are an ethical hacker at HarborLine Assessments, engaged to audit the Wi-Fi at Portside Freight in Tacoma, Washington. During an overnight reconnaissance, you enable your wireless interface’s monitor mode and run a command that silently records beacon frames, probe responses, and authentication frames from nearby APs and clients into a capture file for later offline analysis—you do not transmit any frames from your laptop. Based on the described activity, which Wi-Fi security auditing tool are you most likely using?

A.

Aireplay-ng

B.

Aircrack-ng

C.

Airbase-ng

D.

Airodump-ng

Full Access
Question # 168

The company ABC recently contracts a new accountant. The accountant will be working with the financial statements. Those financial statements need to be approved by the CFO and then they will be sent to the accountant but the CFO is worried because he wants to be sure that the information sent to the accountant was not modified once he approved it. Which of the following options can be useful to ensure the integrity of the data?

A.

The document can be sent to the accountant using an exclusive USB for that document

B.

The CFO can use an excel file with a password

C.

The financial statements can be sent twice, one by email and the other delivered in USB and the accountant can compare both to be sure is the same document

D.

The CFO can use a hash algorithm in the document once he approved the financial statements

Full Access
Question # 169

In Atlanta, Georgia, ethical hacker James Patel is hired by Southern Retail, a major e-commerce chain, to test the security of their online shopping platform. During his penetration test, James aims to simulate a session hijacking attack by setting up a proxy to intercept HTTP traffic between customers and the platform, log the requests, and perform advanced searches on the captured data to identify session tokens. He needs a lightweight tool specifically designed for security research that can handle these tasks in a controlled environment to demonstrate vulnerabilities to the company ' s security team.

Which tool should James use to perform this session hijacking simulation?

A.

Caido

B.

Hetty

C.

Bettercap

D.

Wireshark

Full Access
Question # 170

A penetration tester is conducting an external assessment of a corporate web server. They start by accessing https://www.targetcorp.com/robots.txt and observe multiple Disallow entries that reference directories such as /admin-panel/, /backup/, and /confidentialdocs/. When the tester directly visits these paths via a browser, they find that access is not restricted by authentication and gain access to sensitive files, including server configuration and unprotected credentials. Which stage of the web server attack methodology is demonstrated in this scenario?

A.

Injecting malicious SQL queries to access sensitive database records

B.

Performing a cross-site request forgery (CSRF) attack to manipulate user actions

C.

Gathering information through exposed indexing instructions

D.

Leveraging the directory traversal flaw to access critical server files

Full Access
Question # 171

A sophisticated injection attack bypassed validation using obfuscation. What is the best future defense?

A.

Continuous code review and penetration testing

B.

Deploy WAF with evasion detection

C.

SIEM monitoring

D.

Enforce 2FA

Full Access
Question # 172

An ethical hacker conducts testing with full knowledge and permission. What type of hacking is this?

A.

Blue Hat

B.

Grey Hat

C.

White Hat

D.

Black Hat

Full Access
Question # 173

In a highly secure online banking environment, customers report unauthorized access to their accounts despite robust authentication controls. Investigation reveals attackers are using advanced session hijacking techniques to perform fraudulent transactions. Which advanced session-hijacking attack, resembling a scenario-based attack, presents the greatest challenge to detect and mitigate?

A.

Covert Cross-Site Scripting (XSS) attack injecting malicious scripts into banking pages

B.

Man-in-the-Browser (MitB) attack using malicious browser extensions to intercept sessions

C.

Session fixation attack manipulating HTTP session identifiers

D.

Passive sniffing attack capturing encrypted session tokens over unsecured Wi-Fi

Full Access
Question # 174

During a forensic log review at a satellite communications provider in Denver, Colorado, cybersecurity analyst Kevin Morales identified subtle timestamp irregularities in archived telemetry records. Although the discrepancies were minor, regulatory reporting standards required confirmation that the system clock was synchronizing correctly with its configured time sources.

Kevin needed to interact directly with the host’s running time service to review its current associations and operational state. He was not attempting to reset the clock or trace the hierarchy of upstream time authorities, but rather to query the active service for detailed status information from the target machine.

Identify the command Kevin should execute to obtain this information.

A.

ntptrace [-n] [-m maxhosts] [servername/IP address]

B.

ntpq [-inp] [-c command] [host] [...]

C.

ntpdc [-ilnps] [-c command] [host] [...]

D.

ntpq -p [host]

Full Access
Question # 175

During a red team engagement at Apex Biotech in Dallas, ethical hacker Rachel calls the company ' s HR desk pretending to be Mark Stevens, a senior finance manager. She pressures the HR staffer by citing his “upcoming presentation for the CFO” and insists he urgently needs a copy of the updated employee benefits spreadsheet. The staffer feels compelled to help due to Rachel’s convincing manner and authoritative tone.

Which social engineering technique is Rachel demonstrating in this exercise?

A.

Quid Pro Quo

B.

Impersonation

C.

Vishing

D.

Reverse Social Engineering

Full Access
Question # 176

During a late-night shift at IronWave Logistics in Seattle, cybersecurity analyst Marcus Chen notices a pattern of high-port outbound traffic from over a dozen internal machines to a previously unseen external IP. Each system had recently received a disguised shipping report, which, when opened, initiated a process that spread autonomously to other workstations using shared folders and stolen credentials. Upon investigation, Marcus discovers that the machines now contain hidden executables that silently accept remote instructions and occasionally trigger coordinated background tasks. The compromised endpoints are behaving like zombies, and malware analysts confirm that the payload used worm-like propagation to deliver a backdoor component across the network.

Which is the most likely objective behind this attack?

A.

To exfiltrate sensitive information and tracking data

B.

To execute a ransomware payload and encrypt all data

C.

To establish a botnet for remote command and control

D.

To deploy a Remote Access Trojan (RAT) for stealthy surveillance

Full Access
Question # 177

What is the proper response for a NULL scan if the port is closed?

A.

No response

B.

FIN

C.

RST

D.

SYN

E.

ACK

F.

PSH

Full Access
Question # 178

A penetration tester is evaluating a secure web application that uses HTTPS, secure cookie flags, and regenerates session IDs only during specific user actions. To hijack a legitimate user ' s session without triggering security alerts, which advanced session hijacking technique should the tester employ?

A.

Perform a man-in-the-middle attack by exploiting certificate vulnerabilities

B.

Use a session fixation attack by setting a known session ID before the user logs in

C.

Conduct a session token prediction attack by analyzing session ID patterns

D.

Implement a Cross-Site Scripting (XSS) attack to steal session tokens

Full Access
Question # 179

A penetration tester evaluates a company ' s secure web application, which uses HTTPS, secure cookie flags, and strict session management to prevent session hijacking. To bypass these protections and hijack a legitimate user ' s session without detection, which advanced technique should the tester employ?

A.

Utilize a session fixation attack by forcing a known session ID during login

B.

Perform a Cross-Site Scripting (XSS) attack to steal the session token

C.

Exploit a timing side-channel vulnerability to predict session tokens

D.

Implement a Man-in-the-Middle (MitM) attack by compromising a trusted certificate authority

Full Access
Question # 180

In the crisp mountain air of Denver, Colorado, ethical hacker Lila Chen investigates the security framework of MediVault, a U.S.-based healthcare platform used by regional clinics to manage patient data. During her review, Lila discovers that sensitive records are weakly protected, allowing attackers to intercept and manipulate the information in transit. She warns that such weaknesses could be exploited to commit credit-card fraud, identity theft, or similar crimes. Further analysis reveals that MediVault is vulnerable to well-documented flaws such as cookie snooping and downgrade attacks.

Which issue is MOST clearly indicated?

A.

Broken Access Control

B.

Cryptographic Failures

C.

Security Misconfiguration

D.

Identification and Authentication Failures

Full Access
Question # 181

You suspect a Man-in-the-Middle (MitM) attack inside the network. Which network activity would help confirm this?

A.

Sudden increase in traffic

B.

Multiple login attempts from one IP

C.

IP addresses resolving to multiple MAC addresses

D.

Abnormal DNS request volumes

Full Access
Question # 182

In Denver, Colorado, ethical hacker Sophia Nguyen is hired by Rocky Mountain Insurance to assess the effectiveness of their network security controls. During her penetration test, she attempts to evade the company ' s firewall by fragmenting malicious packets to avoid detection. The IT team, aware of such techniques, has implemented a security measure to analyze packet contents beyond standard headers. Sophia ' s efforts are thwarted as the system identifies and blocks her fragmented packets.

Which security measure is the IT team most likely using to counter Sophia ' s firewall evasion attempt?

A.

Deep Packet Inspection

B.

Anomaly-Based Detection

C.

Signature-Based Detection

D.

Stateful Packet Inspection

Full Access
Question # 183

A U.S.-based online securities trading firm in New York is reviewing its transaction authentication process. The security team confirms that each transaction is processed by first generating a hash of the transaction data. The hash value is then signed using the sender ' s private key. During verification, the recipient uses the corresponding public key to validate the signature before approving the transaction. The system documentation specifies that the same algorithm supports encryption, digital signatures, and key exchange mechanisms within the organization ' s secure communications infrastructure. Which encryption algorithm is being used in this implementation?

A.

ElGamal

B.

Diffie-Hellman

C.

DSA

D.

RSA

Full Access
Question # 184

You are Emma Rodriguez, an ethical hacker at SecurePath Solutions, hired to test the mobile application security of Sterling & Associates, a law firm in New York City. During a covert assessment, your objective is to simulate an attacker attempting to exploit vulnerabilities in the firm’s client case management app. You discover that the app stores user credentials in plain text on the device, enabling you to extract sensitive client login information using a rooted device. Based on this finding, which OWASP Top 10 Mobile Risk are you identifying in the app?

A.

Insecure Communication

B.

Improper Credential Usage

C.

Inadequate Privacy Controls

D.

Insecure Data Storage

Full Access
Question # 185

A DevOps engineer at a Toronto-based SaaS provider deploys a multi-tenant application within a shared orchestration environment. During a security assessment, a penetration tester discovers that a compromised workload is able to access host-level system resources and interact with adjacent workloads beyond its intended isolation controls.

Further investigation reveals that the workload was launched with elevated privileges and insufficient runtime restrictions, allowing the attacker to cross the intended isolation boundary and gain unauthorized access to the underlying infrastructure.

Which cloud attack technique best describes this security weakness?

A.

Man-in-the-Cloud Attack

B.

Side-Channel Attack

C.

Container Escape

D.

Golden SAML Attack

Full Access
Question # 186

You are an ethical hacker at SilverRock Security, engaged by BayState Credit Union in Boston, Massachusetts, to evaluate their online loan application portal. While testing the customer dashboard, you inject crafted input into a numeric parameter. Instead of returning only the expected loan details, the response also displays sensitive employee information from another table, merged into the same page results. This behavior indicates that the attacker’s input successfully combined multiple datasets into a single output.

Based on the observed behavior, which type of SQL injection attack are you exploiting?

A.

Error-Based SQL Injection

B.

Blind SQL Injection

C.

Second-Order SQL Injection

D.

UNION SQL Injection

Full Access
Question # 187

You are Olivia Chen, an ethical hacker at CyberGuardians Inc., hired to test the wireless network of Skyline Media, a broadcasting company in Chicago, Illinois. Your mission is to breach their WPA2-protected Wi-Fi during a late-night penetration test. Using a laptop in monitor mode, you execute a command to transmit packets that force client devices to disconnect and reconnect, enabling you to capture a four-way handshake for cracking. Based on the described action, which tool are you using?

A.

Aircrack-ng

B.

Airbase-ng

C.

Aireplay-ng

D.

Airodump-ng

Full Access
Question # 188

A financial institution ' s online banking platform is experiencing intermittent downtime caused by a sophisticated DDoS attack that combines SYN floods and HTTP GET floods from a distributed botnet. Standard firewalls and load balancers cannot mitigate the attack without affecting legitimate users. To protect their infrastructure and maintain service availability, which advanced mitigation strategy should the institution implement?

A.

Configure firewalls to block all incoming SYN and HTTP requests from external IPs

B.

Increase server bandwidth and apply basic rate limiting on incoming traffic

C.

Deploy an Intrusion Prevention System (IPS) with deep packet inspection capabilities

D.

Utilize a cloud-based DDoS protection service that offers multi-layer traffic scrubbing and auto-scaling

Full Access
Question # 189

A penetration tester detects malware on a system that secretly records all keystrokes entered by the user. What type of malware is this?

A.

Rootkit

B.

Ransomware

C.

Keylogger

D.

Worm

Full Access
Question # 190

At a digital marketing firm in Atlanta, Georgia, employees began reporting that access to a widely used cloud collaboration portal was intermittently redirecting them to a counterfeit interface hosted on an unfamiliar IP address. Security engineers observed that when multiple users across different departments attempted to access the legitimate domain, they consistently received the same incorrect IP resolution. The anomalous behavior persisted across sessions and affected numerous internal clients until the organization ' s name resolution service was restarted, after which normal resolution resumed. What DNS manipulation technique best explains this scenario?

A.

Performing Intranet DNS Spoofing within the local network

B.

Injecting malicious records through DNS Cache Poisoning

C.

Executing Proxy Server DNS Poisoning to alter resolution paths

D.

Conducting Internet DNS Spoofing from a remote network

Full Access
Question # 191

Which encoding often bypasses filters?

A.

ROT13

B.

Base64

C.

Unicode

D.

Hex

Full Access
Question # 192

During a security compliance audit at Nexus Tech Solutions in Boston, Massachusetts, the ethical hacking team launches a controlled social engineering exercise to assess help desk vulnerabilities. Ethical hacker Rachel Kim calls the company ' s help desk, posing as a stressed employee named Laura Bennett from the marketing department. Rachel claims her laptop is running slowly and offers to share her login credentials if the help desk can provide a quick fix to meet a tight project deadline. The call is designed to test whether help desk staff follow proper verification protocols or fall for the offer of credentials in exchange for assistance.

What social engineering technique is Rachel employing in this exercise?

A.

Shoulder Surfing

B.

Vishing

C.

Impersonation

D.

Quid Pro Quo

Full Access
Question # 193

Upon completing a vulnerability evaluation for a financial services firm in Cincinnati, Ohio, the security team finalized its formal report for executive review. One portion of the document grouped identified weaknesses into severity tiers and highlighted systems with elevated exposure levels across the environment. This part of the report emphasized the relative impact and prioritization of identified weaknesses across affected assets. Which component of the vulnerability assessment report is represented in this scenario?

A.

Recommendations

B.

Risk Assessment

C.

Assessment Overview

D.

Findings

Full Access
Question # 194

At Bayview University in San Francisco, California, ethical hacker Sofia Patel is evaluating security controls on Android 11 tablets used by staff. To simulate an attack, she installs KingoRoot.apk directly on one of the devices. The application leverages system vulnerabilities to elevate privileges without requiring a computer connection. Based on the module, which feature of this rooting approach makes the attack effective?

A.

It uses a tethered jailbreak to restart the device with patched kernel functions

B.

It is an APK that can run directly on the device without a PC

C.

It relies on weak SSL validation to bypass application controls

D.

It exploits Bluetooth pairing flaws to gain device-level privileges

Full Access
Question # 195

A web server experienced a DDoS attack that specifically targeted the application layer. Which type of DDoS attack was most likely used?

A.

HTTP flood attack

B.

ICMP flood attack

C.

UDP flood attack

D.

SYN flood attack

Full Access
Question # 196

A private equity firm in Minneapolis, Minnesota allows employees to access internal reporting tools from their personally owned smartphones under its BYOD program. During a routine security assessment, a consultant observes that when an employee leaves their unlocked phone unattended, a colleague can immediately open the firm’s financial application and review client investment records without any additional verification step inside the application.

The operating system itself requires a passcode to unlock the device, but once unlocked, corporate applications open directly to sensitive dashboards.

Identify the BYOD security guideline that would directly mitigate this exposure.

A.

Use Encryption Mechanism to Store Data

B.

Set a Strong Passcode on the Device and Change It Relatively Often

C.

Maintain a Clear Separation between Business and Personal Data

D.

Set Passwords for Apps to Restrict Others from Accessing Them

Full Access
Question # 197

A Windows endpoint generates alerts for credential dumping tools. What asset is targeted?

A.

Network

B.

Logs

C.

Availability

D.

Credentials

Full Access
Question # 198

Which WPA vulnerability allowed packet injection and decryption attacks?

A.

Lack of AES encryption

B.

Predictable GTK

C.

Weak Initialization Vectors (IVs)

D.

Weak passwords

Full Access
Question # 199

A national retail chain headquartered in Minneapolis, Minnesota operates a customer rewards portal supported by front-end delivery layers designed to improve performance during peak shopping periods. During an authorized security assessment, a tester submits a specially crafted request containing unusual header combinations and a modified query parameter while accessing a promotional page.

Shortly afterward, other legitimate users requesting the same promotional page through standard browsers begin receiving altered content that differs from what the application normally generates. When the tester accesses the underlying origin system directly, the response reflects the expected legitimate version. After some time and additional routine traffic, the unexpected content is no longer served.

Identify the attack technique that best explains this observed behavior.

A.

DNS Server Hijacking

B.

DNS Rebinding Attack

C.

Web Cache Poisoning Attack

D.

SQL Injection Vulnerability

Full Access
Question # 200

A regional healthcare provider in Portland, Oregon, recently migrated its patient scheduling portal to a new cloud platform. Within days, multiple patients reported that when searching online for the clinic ' s appointment system, they were directed to a website that looked identical to the official portal. The fraudulent page appeared prominently in search engine results and prompted users to log in using their patient credentials. The URL closely resembled the legitimate domain name, and no internal DNS servers had been altered within the organization ' s infrastructure. Security analysts later determined that the attacker had created a convincing replica of the portal and manipulated search visibility so that unsuspecting users would voluntarily navigate to the malicious site. Which type of social engineering technique best explains this attack?

A.

Whaling

B.

Pharming

C.

Spear Phishing

D.

Search Engine Phishing

Full Access
Question # 201

A CEH has mirrored a website, identified session hijacking risk, and wants to minimize detection. What is the most appropriate next step?

A.

Attempt SQL Injection

B.

Hijack a session and modify server configuration

C.

Launch brute-force attacks

D.

Perform automated vulnerability scanning

Full Access
Question # 202

In a vertical privilege escalation scenario, the attacker attempts to gain access to a user account with higher privileges than their current level. Which of the following examples describes vertical privilege escalation?

A.

An attacker exploits weak access controls to access and steal sensitive information from another user ' s account with alike privileges.

B.

An attacker leverages a lack of session management controls to switch accounts and access resources assigned to another user with the same permissions.

C.

An attacker uses an unquoted service path vulnerability to gain unauthorized access to another user ' s data with equivalent privileges.

D.

An attacker escalates from a regular user to an administrator by exploiting administrative functions.

Full Access
Question # 203

During a simulated attack against a university ' s IT network in California, ethical hacker Sophia deploys custom malicious code onto one lab workstation. Without requiring further user interaction, she observes the malware automatically copying itself into shared folders and spreading through weak admin credentials. Within a short time, dozens of computers across multiple departments are infected with the same payload, even though only one machine was initially targeted.

Which type of malware is Sophia most likely demonstrating?

A.

Logic Bomb

B.

Worm

C.

Backdoor

D.

Fileless Malware

Full Access
Question # 204

A web app deserializes untrusted data leading to RCE. What flaw exists?

A.

SSTI

B.

Insecure deserialization

C.

SQLi

D.

XSS

Full Access
Question # 205

During an authorized security assessment at a municipal power distribution facility in Omaha, Nebraska, a certified ethical hacker performs passive traffic analysis between the control center and several remote substations.

The tester observes structured request-response messages used to read coil status and write register values on industrial controllers. All communication occurs over TCP port 502, and the protocol does not provide built-in encryption or authentication.

Based on these characteristics, which OT communication protocol is operating within this environment?

A.

IEC 60870-5-104

B.

MODBUS

C.

DNP3

D.

OPC UA

Full Access
Question # 206

You detect the presence of a kernel-level rootkit embedded deeply within an operating system. Given the critical nature of the infection, which remediation strategy should be followed to effectively remove the rootkit while minimizing long-term risk?

A.

Use specialized rootkit detection tools followed by tailored removal procedures

B.

Deploy high-interaction honeypots to observe attacker behavior

C.

Perform a complete system format and reinstall the operating system from a trusted source

D.

Immediately power down the system and disconnect it from the network

Full Access
Question # 207

An attacker places a malicious VM on the same physical server as a target VM in a multi-tenant cloud environment. The attacker then extracts cryptographic keys using CPU timing analysis. What type of attack was conducted?

A.

Side-channel attack

B.

Cloud cryptojacking

C.

Cache poisoned denial of service (CPDoS)

D.

Metadata spoofing

Full Access
Question # 208

A U.S.-based online securities trading firm in New York is reviewing its transaction authentication process. The security team confirms that each transaction is processed by first generating a hash of the transaction data. The hash value is then signed using the sender’s private key.

During verification, the recipient uses the corresponding public key to validate the signature before approving the transaction. The system documentation specifies that the same algorithm supports encryption, digital signatures, and key exchange mechanisms within the organization’s secure communications infrastructure.

Which encryption algorithm is being used in this implementation?

A.

DSA

B.

ElGamal

C.

RSA

D.

Diffie-Hellman

Full Access
Question # 209

During network analysis, clients are receiving incorrect gateway and DNS settings due to a rogue DHCP server. What security feature should the administrator enable to prevent this in the future?

A.

DHCP snooping on trusted interfaces

B.

ARP inspection across VLANs

C.

Port security on all trunk ports

D.

Static DHCP reservations for clients

Full Access
Question # 210

A smart building management company in Seattle, Washington deploys wireless door sensors and badge-based access systems throughout its corporate headquarters. During a security assessment, an analyst captures legitimate radio transmissions between employee access badges and the entry control units.

Later that evening, without modifying or decrypting the original communication, the analyst retransmits the previously captured signal toward a secured entrance. The access control system accepts the transmission as valid and unlocks the door, even though the legitimate badge is not present.

Determine the attack technique demonstrated in this assessment.

A.

BlueBorne Attack

B.

Replay Attack

C.

Rolling Code Attack

D.

Sybil Attack

Full Access
Question # 211

Which advanced session-hijacking technique is hardest to detect and mitigate?

A.

Covert XSS attack

B.

Man-in-the-Browser (MitB) attack

C.

Passive sniffing on Wi-Fi

D.

Session fixation

Full Access
Question # 212

Which technique best exploits session management despite MFA, encrypted cookies, and WAFs?

A.

CSRF

B.

Side jacking

C.

Session fixation

D.

Insecure deserialization

Full Access
Question # 213

You are Ethan Brooks, an ethical hacker at Vanguard Security Solutions, hired to perform a wireless penetration test for Pacific Logistics, a shipping company in Seattle, Washington. Your task is to identify all Wi-Fi networks in range without alerting the network administrators. Using a laptop with a Wi-Fi card, you monitor radio channels to detect access points and their BSSIDs without sending any probe requests or injecting data packets.

Based on the described method, which Wi-Fi discovery technique are you employing?

A.

Network Discovery Software

B.

Passive Footprinting

C.

Wash Command

D.

Active Footprinting

Full Access
Question # 214

SCADA anomalies suggest a side-channel attack. Which investigation best confirms this?

A.

Review user interfaces

B.

Measure hardware-level operational fluctuations

C.

Identify weak crypto settings

D.

Assess network latency

Full Access
Question # 215

In the heart of Silicon Valley, ethical hacker Sophia Nguyen is hired by InnoVate Solutions, a San Francisco-based startup, to secure their cloud-based task management platform. On March 15, 2025, Sophia begins testing a feature that allows users to upload custom workflow templates to streamline project assignments. By carefully crafting a template file, she manipulates the platform’s data processing, triggering unexpected behavior that grants her administrative access to restricted project dashboards. The issue arises from the platform’s handling of user-supplied data during object reconstruction, not from database queries, client-side code execution, or session manipulation. Sophia documents her findings to help InnoVate’s developers strengthen their application.

Which web application vulnerability is Sophia most likely exploiting in InnoVate Solutions’ task management platform?

A.

Session Hijacking

B.

Local File Inclusion

C.

Verbose Error Messages

D.

Insecure Deserialization

Full Access
Question # 216

During a black-box penetration test, an attacker runs the following command:

nmap -p25 --script smtp-enum-users --script-args EXPN,RCPT < target IP >

The script successfully returns multiple valid usernames. Which server misconfiguration is being exploited?

A.

The SMTP server allows authentication without credentials

B.

The SMTP server has disabled STARTTLS, allowing plaintext enumeration

C.

SMTP user verification commands are exposed without restrictions

D.

DNS MX records point to an internal mail relay

Full Access
Question # 217

On July 25, 2025, during a penetration test at Horizon Financial Services in Chicago, Illinois, cybersecurity specialist Laura Bennett is analyzing an attack simulation targeting the company ' s online banking portal. The system logs reveal a coordinated barrage of traffic from multiple compromised systems, orchestrated through a central command-and-control server, flooding the portal and rendering it unavailable to legitimate users. The attack leverages a network of infected devices, likely recruited via malicious links on social media.

What is the structure or concept most likely used to launch this coordinated attack?

Full Access
Question # 218

A regional law firm authorizes a wireless resilience evaluation after employees report intermittent connectivity disruptions in conference rooms. An ethical hacker assigned to the assessment analyzes client behavior while transmitting carefully crafted 802.11 management frames toward the organization’s primary access point.

Each transmission immediately causes several connected laptops to lose association with the network, requiring users to reconnect manually. Connectivity interruptions occur only when the crafted frames are sent.

Identify the wireless attack illustrated by this activity.

A.

Eavesdropping Attack

B.

Jamming Attack

C.

Deauthentication Attack

D.

Evil Twin Attack

Full Access
Question # 219

Michael, an ethical hacker at a San Francisco-based fintech startup, is conducting a security assessment of the company ' s cloud-based payment processing platform, which uses Kubernetes, an open-source system for automating the deployment, scaling, and management of containerized applications. During his review, Michael identified a feature that automatically replaces and reschedules containers from failed nodes to ensure high availability of services a critical requirement for uninterrupted payment operations. Based on his study of cloud container technology principles, which Kubernetes feature should Michael highlight as responsible for this capability?

A.

Container vulnerabilities

B.

Kube-controller-manager

C.

Container orchestration

D.

Self-healing

Full Access
Question # 220

A penetration tester finds malware that spreads across a network without user interaction, replicating itself from one machine to another. What type of malware is this?

A.

Keylogger

B.

Ransomware

C.

Virus

D.

Worm

Full Access
Question # 221

An organization is performing a vulnerability assessment for mitigating threats. James, a pen tester, scanned the organization by building an inventory of the protocols found on the organization ' s machines to detect which ports are attached to services such as an email server, a web server or a database server. After identifying the services, he selected the vulnerabilities on each machine and started executing only the relevant tests. What is the type of vulnerability assessment solution that James employed in the above scenario?

A.

Tree-based assessment

B.

Inference-based assessment

C.

Product-based solutions

D.

Service-based solutions

Full Access
Question # 222

At a fast-growing startup in Austin, Texas, an ethical hacker is asked to simulate how attackers might gather information to gain initial access. During the assessment, she poses as a recruiter on a professional networking site and convinces several employees to share details about the company’s internal software and VPN setup. Which type of threat best represents this adversary’s method of information gathering?

A.

System and Network Attacks

B.

Social Engineering

C.

Information Leakage

D.

Corporate Espionage

Full Access
Question # 223

In Miami, Florida, cybersecurity analyst Laura Bennett is responding to a series of unauthorized access attempts targeting Sunshine Credit Union’s online banking platform. She observes unusual network activity that suggests attackers may be intercepting session IDs transmitted over unsecured connections to hijack active user sessions. To prevent further compromise, Laura works with the network team to apply a control that secures session-related communications throughout the entire portal, ensuring sensitive tokens are no longer exposed to interception during user interactions.

What countermeasure should Laura implement to prevent session hijacking in this scenario?

A.

Regenerate the session ID after a successful login

B.

Implement SSL to encrypt all information in transit via the network

C.

Use restrictive cache directives such as Cache-Control no-cache

D.

Do not create sessions for unauthenticated users

Full Access
Question # 224

Which of the following tools is used to analyze the files produced by several packet-capture programs such as tcpdump, WinDump, Wireshark, and EtherPeek?

A.

OpenVAS

B.

Nessus

C.

tcptraceroute

D.

tcptrace

Full Access
Question # 225

Emily, a security engineer at a Chicago-based healthcare provider, is auditing the organization ' s new cloud environment after a breach where sensitive patient records were exposed. Her investigation reveals that the root cause was the lack of encryption during data transmission between end-user devices and cloud storage. To mitigate this issue and align with HIPAA compliance requirements, Emily must prioritize addressing the correct cloud computing security risk.

Which cloud computing threat should Emily address to mitigate the risk of sensitive data being exposed during transmission?

A.

Multi-Tenancy and Physical Security

B.

Incidence Analysis and Forensic Support

C.

Service and Data Integration

D.

Infrastructure Security

Full Access
Question # 226

During a penetration test, you perform extensive DNS interrogation to gather intelligence about a target organization. Considering the inherent limitations of DNS-based reconnaissance, which of the following pieces of information cannot be directly obtained through DNS interrogation?

A.

The specific usernames and passwords used by the organization’s employees.

B.

The estimated geographical location of the organization’s servers derived from IP addresses.

C.

The subdomains associated with the organization’s primary internet domain.

D.

The IP addresses associated with the organization’s mail servers.

Full Access
Question # 227

A global fintech company receives extortion emails threatening a severe DDoS attack unless ransom is paid. The attacker briefly launches an HTTP flood to demonstrate capability. The attack uses incomplete POST requests that overload application-layer resources, causing performance degradation. The attacker reinforces their demand with a second threat email. What type of DDoS attack is being carried out?

A.

RDDoS attack combining threat and extortion

B.

DRDoS attack using intermediaries

C.

Recursive GET flood disguised as crawling

D.

Pulse wave attack with burst patterns

Full Access
Question # 228

During a red team engagement at a retail company in Atlanta, ethical hacker James crafts a session with the company ' s shopping portal and deliberately shares that session ID with an unsuspecting employee by embedding it in a link. When the employee clicks and logs in, their activity is bound to the attacker ' s pre-assigned session. Later, James retrieves the employee ' s input from that same session to demonstrate the flaw to management.

Which session hijacking technique is James most likely using?

A.

Session Donation Attack

B.

Session Replay Attack

C.

Session Prediction

D.

Session Fixation Attack

Full Access
Question # 229

A technology consulting firm in Denver, Colorado, recently experienced a wave of suspicious account compromise incidents. Several employees reported receiving an email that appeared identical to a legitimate cloud storage notification they had received earlier that week. The message reused the original branding, formatting, sender display name, and subject line. However, it informed recipients that the previously shared document had been “updated due to synchronization errors” and instructed them to reauthenticate using the embedded link. The link directed users to a convincing replica of the organization’s authentication portal. Investigation revealed that the attacker had reused content from a genuine prior communication and modified only the embedded hyperlink. Which type of social engineering attack does this scenario most accurately represent?

A.

Clone Phishing

B.

Consent Phishing

C.

Search Engine Phishing

D.

Tabnabbing

Full Access
Question # 230

A payroll management portal used by a manufacturing firm in Toledo, Ohio allows administrators to configure customizable notification templates that are later incorporated into automated reporting functions. During an authorized assessment, an ethical hacker submits specially structured input into a template field while creating a test notification.

The application accepts and stores the value without any noticeable disruption to the interface. Days later, when a scheduled reporting task executes, the resulting dataset includes records beyond the expected scope defined by the report criteria.

Further review reveals that the reporting engine dynamically constructs database queries using previously stored template values during execution.

Determine the SQL injection variant illustrated in this scenario.

A.

Stored Procedure Injection

B.

Second-Order SQL Injection

C.

Error-Based SQL Injection

D.

Piggybacked Query Injection

Full Access
Question # 231

A Java app uses outdated libraries with known CVEs. What risk does this create?

A.

CSRF

B.

DoS

C.

Supply chain risk

D.

XSS

Full Access
Question # 232

A multinational corporation deploys a major internal tool built on a PowerShell-based automation framework. Shortly after a scheduled rollout, the IT team notices intermittent system slowdowns and unexplained bandwidth spikes. Despite running updated endpoint protection and restrictive firewall rules, traditional scanning tools report no malicious files on disk. However, internal telemetry flags a trusted process repeatedly executing obfuscated PowerShell commands in memory. The anomalous activity vanishes upon reboot and appears to leave no footprint behind on the system.

Which type of malware is most likely responsible for this behavior?

A.

Worm

B.

Trojan

C.

Rootkit

D.

Fileless Malware

Full Access
Question # 233

During a red team assessment at Apex Technologies in Austin, ethical hacker Ryan tests whether employees can be tricked into disclosing sensitive data over the phone. He poses as a vendor requesting payment details and reaches out to several staff members. To evaluate defenses, the security team emphasizes that beyond general training, there is a practical step employees must apply in every interaction to avoid being deceived by such calls.

Which countermeasure should Apex Technologies prioritize to directly prevent this type of social engineering attempt?

A.

Conduct security awareness programs

B.

Employees must verify the identity of individuals requesting information

C.

Establish policies and procedures

D.

Use two-factor authentication

Full Access
Question # 234

During a red team assessment at a university in Chicago, Jake, a penetration tester, scans a group of older Windows workstations in the administration department. On several hosts, he notices traffic on UDP ports 137 and 138 as well as an open TCP port 139. Curious, he uses a utility to query the name table and session services. Within moments, he collects information including machine names, logged-in usernames, and available shared folders without authentication.

Which enumeration method is being demonstrated in this scenario?

A.

NFS Enumeration

B.

NetBIOS Enumeration

C.

SMB Enumeration

D.

SNMP Enumeration

Full Access
Question # 235

A regional logistics provider in Charlotte, North Carolina operates its shipment tracking and partner API services on an Apache web platform configured to support a modern multiplexed communication protocol to improve efficiency under concurrent load. During a controlled stress assessment, testers simulate sustained client activity that repeatedly initiates and completes numerous lightweight exchanges over persistent connections.

Over time, system monitoring reveals that memory utilization steadily increases despite stable request volume and no proportional rise in active sessions. Even after the simulated clients disconnect normally, resource usage does not return to baseline levels. After several cycles, the service becomes sluggish and must be restarted to restore normal responsiveness. No unusual disk activity or database errors are observed during the test window.

The behavior is only present when the multiplexed protocol mode is enabled; reverting to legacy handling eliminates the issue.

Which Apache vulnerability best explains this behavior?

A.

DoS in HTTP/2 with Initial Window Size 0

B.

HTTP/2 Stream Memory Not Reclaimed on RST

C.

Insecure Default Configuration

D.

mod_macro Buffer Over-read

Full Access