312-50v12 Certified Ethical Hacker (CEHv12) Real Questions

test2022-10-11T07:17:26+00:00

312-50v12 is the latest version for Certified Ethical Hacker certification. The v12 is an upgraded version of CEH v11 and includes the latest modules, tools, and case studies of strategies employed by hackers and information security experts to legal ends. C|EH v12 will teach you the latest commercial-grade hacking tools, techniques, and methodologies used by hackers and information security professionals to lawfully hack an organizations. Our professionals have created 312-50v12 Certified Ethical Hacker (CEHv12) Real Questions for candidates who want to ensure that they receive the maximum possible score on the actual exam.

You should try 312-50v12 practice exam to assess yourself.

Page 1 of 13

1. What did the following commands determine?

That the Joe account has a SID of 500

These commands demonstrate that the guest account has NOT been disabled

These commands demonstrate that the guest account has been disabled

That the true administrator is Joe

Issued alone, these commands prove nothing

2. What is the common name for a vulnerability disclosure program opened by companies In platforms such as HackerOne?

Vulnerability hunting program

Bug bounty program

White-hat hacking program

Ethical hacking program

3. Daniel Is a professional hacker who Is attempting to perform an SQL injection attack on a target website. www.movlescope.com. During this process, he encountered an IDS that detects SQL Injection attempts based on predefined signatures. To evade any comparison statement, he attempted placing characters such as ‘'or '1'='1" In any bask injection statement such as "or 1=1." Identify the evasion technique used by Daniel in the above scenario.

Null byte

IP fragmentation

Char encoding

Variation

4. How is the public key distributed in an orderly, controlled fashion so that the users can be sure of the sender’s identity?

Hash value

Private key

Digital signature

Digital certificate

5. An Intrusion Detection System (IDS) has alerted the network administrator to a possibly malicious sequence of packets sent to a Web server in the network’s external DMZ. The packet traffic was captured by the IDS and saved to a PCAP file.

What type of network tool can be used to determine if these packets are genuinely malicious or simply a false positive?

Protocol analyzer

Network sniffer

Intrusion Prevention System (IPS)

Vulnerability scanner

6. You need a tool that can do network intrusion prevention and intrusion detection, function as a network sniffer, and record network activity, what tool would you most likely select?

Nmap

Cain & Abel

Nessus

Snort

7. DHCP snooping is a great solution to prevent rogue DHCP servers on your network.

Which security feature on switchers leverages the DHCP snooping database to help prevent man-in-the-middle attacks?

Spanning tree

Dynamic ARP Inspection (DAI)

Port security

Layer 2 Attack Prevention Protocol (LAPP)

8. Mr. Omkar performed tool-based vulnerability assessment and found two vulnerabilities.

During analysis, he found that these issues are not true vulnerabilities.

What will you call these issues?

False positives

True negatives

True positives

False negatives

9. Matthew, a black hat, has managed to open a meterpreter session to one of the kiosk machines in Evil Corp’s lobby. He checks his current SID, which is S-1-5-21-1223352397-1872883824-861252104-501.

What needs to happen before Matthew has full administrator access?

He must perform privilege escalation.

He needs to disable antivirus protection.

He needs to gain physical access.

He already has admin privileges, as shown by the “501” at the end of the SI

10. George is a security professional working for iTech Solutions. He was tasked with securely transferring sensitive data of the organization between industrial systems. In this process, he used a short-range communication protocol based on the IEEE 203.15.4 standard. This protocol is used in devices that transfer data infrequently at a low rate in a restricted area, within a range of 10-100 m.

What is the short-range wireless communication technology George employed in the above scenario?

MQTT

LPWAN

Zigbee

NB-IoT

Page 2 of 13

11. Which of the following represents the initial two commands that an IRC client sends to join an IRC network?

USER, NICK

USER, PASS

12. This TCP flag instructs the sending system to transmit all buffered data immediately.

SYN

RST

PSH

URG

FIN

13. Jacob works as a system administrator in an organization. He wants to extract the source code of a mobile application and disassemble the application to analyze its design flaws. Using this technique, he wants to fix any bugs in the application, discover underlying vulnerabilities, and improve defense strategies against attacks.

What is the technique used by Jacob in the above scenario to improve the security of the mobile application?

Reverse engineering

App sandboxing

Jailbreaking

Social engineering

14. Peter extracts the SIDs list from Windows 2000 Server machine using the hacking tool "SIDExtractor".

Here is the output of the SIDs:

From the above list identify the user account with System Administrator privileges.

John

Rebecca

Sheela

Shawn

Somia

Chang

Micah

15. Which among the following is the best example of the third step (delivery) in the cyber kill chain?

An intruder sends a malicious attachment via email to a target.

An intruder creates malware to be used as a malicious attachment to an email.

An intruder's malware is triggered when a target opens a malicious email attachment.

An intruder's malware is installed on a target's machine.

16. Bob is doing a password assessment for one of his clients. Bob suspects that security policies are not in place. He also suspects that weak passwords are probably the norm throughout the company he is evaluating. Bob is familiar with password weaknesses and key loggers.

Which of the following options best represents the means that Bob can adopt to retrieve passwords from his clients hosts and servers?

Hardware, Software, and Sniffing.

Hardware and Software Keyloggers.

Passwords are always best obtained using Hardware key loggers.

Software only, they are the most effective.

17. Which of the following programs is usually targeted at Microsoft Office products?

Polymorphic virus

Multipart virus

Macro virus

Stealth virus

18. Given below are different steps involved in the vulnerability-management life cycle.

1) Remediation

2) Identify assets and create a baseline

3) Verification

4) Monitor

5) Vulnerability scan

6) Risk assessment

Identify the correct sequence of steps involved in vulnerability management.

2-->5-->6-->1-->3-->4

2-->1-->5-->6-->4-->3

2-->4-->5-->3-->6--> 1

1-->2-->3-->4-->5-->6

19. Which of the following statements is TRUE?

Packet Sniffers operate on the Layer 1 of the OSI model.

Packet Sniffers operate on Layer 2 of the OSI model.

Packet Sniffers operate on both Layer 2 & Layer 3 of the OSI model.

Packet Sniffers operate on Layer 3 of the OSI model.

20. Gilbert, a web developer, uses a centralized web API to reduce complexity and increase the Integrity of updating and changing data. For this purpose, he uses a web service that uses HTTP methods such as PUT. POST. GET. and DELETE and can improve the overall performance, visibility, scalability, reliability, and portability of an application.

What is the type of web-service API mentioned in the above scenario?

JSON-RPC

SOAP API

RESTful API

REST API

Page 3 of 13

21. Rebecca, a security professional, wants to authenticate employees who use web services for safe and secure communication. In this process, she employs a component of the Web Service Architecture, which is an extension of SOAP, and it can maintain the integrity and confidentiality of SOAP messages.

Which of the following components of the Web Service Architecture is used by Rebecca for securing the communication?

WSDL

WS Work Processes

WS-Policy

WS-Security

22. Ron, a security professional, was pen testing web applications and SaaS platforms used by his company. While testing, he found a vulnerability that allows hackers to gain unauthorized access to API objects and perform actions such as view, update, and delete sensitive data of the company.

What is the API vulnerability revealed in the above scenario?

Code injections

Improper use of CORS

No ABAC validation

Business logic flaws

23. Peter is surfing the internet looking for information about DX Company.

Which hacking process is Peter doing?

Scanning

Footprinting

Enumeration

System Hacking

24. Which wireless security protocol replaces the personal pre-shared key (PSK) authentication with Simultaneous Authentication of Equals (SAE) and is therefore resistant to offline dictionary attacks?

WPA3-Personal

WPA2-Enterprise

Bluetooth

ZigBee

25. Kate dropped her phone and subsequently encountered an issue with the phone's internal speaker. Thus, she is using the phone's loudspeaker for phone calls and other activities. Bob, an attacker, takes advantage of this vulnerability and secretly exploits the hardware of Kate's phone so that he can monitor the loudspeaker's output from data sources such as voice assistants, multimedia messages, and audio files by using a malicious app to breach speech privacy.

What is the type of attack Bob performed on Kate in the above scenario?

Man-in-the-disk attack

aLTEr attack

SIM card attack

Spearphone attack

26. Harper, a software engineer, is developing an email application. To ensure the confidentiality of email messages. Harper uses a symmetric-key block cipher having a classical 12- or 16-round Feistel network with a block size of 64 bits for encryption, which includes large 8 x 32-bit S-boxes (S1, S2, S3, S4) based on bent functions, modular addition and subtraction, key-dependent rotation, and XOR operations. This cipher also uses a masking key(Km1)and a rotation key (Kr1) for performing its functions.

What is the algorithm employed by Harper to secure the email messages?

CAST-128

AES

GOST block cipher

DES

27. John, a professional hacker, performs a network attack on a renowned organization and gains unauthorized access to the target network. He remains in the network without being detected for a long time and obtains sensitive information without sabotaging the organization.

Which of the following attack techniques is used by John?

Advanced persistent theft

threat Diversion theft

Spear-phishing sites

insider threat

28. The tools which receive event logs from servers, network equipment, and applications, and perform analysis and correlation on those logs, and can generate alarms for security relevant issues, are known as what?

network Sniffer

Vulnerability Scanner

Intrusion prevention Server

Security incident and event Monitoring

29. Which of the following is not a Bluetooth attack?

Bluedriving

Bluesmacking

Bluejacking

Bluesnarfing

30. When discussing passwords, what is considered a brute force attack?

You attempt every single possibility until you exhaust all possible combinations or discover the password

You threaten to use the rubber hose on someone unless they reveal their password

You load a dictionary of words into your cracking program

You create hashes of a large number of words and compare it with the encrypted passwords

You wait until the password expires

Page 4 of 13

31. Susan, a software developer, wants her web API to update other applications with the latest information. For this purpose, she uses a user-defined HTTP tailback or push APIs that are raised based on trigger events: when invoked, this feature supplies data to other applications so that users can instantly receive real-time Information.

Which of the following techniques is employed by Susan?

web shells

Webhooks

REST API

SOAP API

32. An organization is performing a vulnerability assessment tor mitigating threats. James, a pen tester, scanned the organization by building an inventory of the protocols found on the organization's machines to detect which ports are attached to services such as an email server, a web server or a database server. After identifying the services, he selected the vulnerabilities on each machine and started executing only the relevant tests.

What is the type of vulnerability assessment solution that James employed in the above scenario?

Product-based solutions

Tree-based assessment

Service-based solutions

inference-based assessment

33. On performing a risk assessment, you need to determine the potential impacts when some of the critical business processes of the company interrupt its service.

What is the name of the process by which you can determine those critical businesses?

Emergency Plan Response (EPR)

Business Impact Analysis (BIA)

Risk Mitigation

Disaster Recovery Planning (DRP)

34. You are analysing traffic on the network with Wireshark. You want to routinely run a cron job which will run the capture against a specific set of IPs

- 192.168.8.0/24.

What command you would use?

wireshark --fetch ''192.168.8*''

wireshark --capture --local masked 192.168.8.0 ---range 24

tshark -net 192.255.255.255 mask 192.168.8.0

sudo tshark -f''net 192 .68.8.0/24''

35. A large mobile telephony and data network operator has a data center that houses network elements. These are essentially large computers running on Linux. The perimeter of the data center is secured with firewalls and IPS systems.

What is the best security policy concerning this setup?

Network elements must be hardened with user ids and strong passwords. Regular security tests and audits should be performed.

As long as the physical access to the network elements is restricted, there is no need for additional measures.

There is no need for specific security measures on the network elements as long as firewalls and IPS systems exist.

The operator knows that attacks and down time are inevitable and should have a backup site.

36. Dayn, an attacker, wanted to detect if any honeypots are installed in a target network. For this purpose, he used a time-based TCP fingerprinting method to validate the response to a normal computer and the response of a honeypot to a manual SYN request.

Which of the following techniques is employed by Dayn to detect honeypots?

Detecting honeypots running on VMware

Detecting the presence of Honeyd honeypots

Detecting the presence of Snort_inline honeypots

Detecting the presence of Sebek-based honeypots

37. What would be the purpose of running "wget 192.168.0.15 -q -S" against a web server?

Performing content enumeration on the web server to discover hidden folders

Using wget to perform banner grabbing on the webserver

Flooding the web server with requests to perform a DoS attack

Downloading all the contents of the web page locally for further examination

38. Which tool can be used to silently copy files from USB devices?

USB Grabber

USB Snoopy

USB Sniffer

Use Dumper

39. Hackers often raise the trust level of a phishing message by modeling the email to look similar to the internal email used by the target company. This includes using logos, formatting, and names of the target company. The phishing message will often use the name of the company CEO, President, or Managers. The time a hacker spends performing

research to locate this information about a company is known as?

Exploration

Investigation

Reconnaissance

Enumeration

40. Which of the following algorithms can be used to guarantee the integrity of messages being sent, in transit, or stored?

symmetric algorithms

asymmetric algorithms

hashing algorithms

integrity algorithms

Page 5 of 13

41. Which results will be returned with the following Google search query? site:target.com C site:Marketing.target.com accounting

Results from matches on the site marketing.target.com that are in the domain target.com but do not include the word accounting.

Results matching all words in the query.

Results for matches on target.com and Marketing.target.com that include the word “accounting”

Results matching “accounting” in domain target.com but not on the site Marketing.target.com

42. Which address translation scheme would allow a single public IP address to always correspond to a single machine on an internal network, allowing "server publishing"?

Overloading Port Address Translation

Dynamic Port Address Translation

Dynamic Network Address Translation

Static Network Address Translation

43. A Security Engineer at a medium-sized accounting firm has been tasked with discovering how much information can be obtained from the firm’s public facing web servers. The engineer decides to start by using netcat to port 80.

The engineer receives this output:

HTTP/1.1 200 OK

Server: Microsoft-IIS/6

Expires: Tue, 17 Jan 2011 01:41:33 GMT

Date: Mon, 16 Jan 2011 01:41:33 GMT

Content-Type: text/html

Accept-Ranges: bytes

Last Modified: Wed, 28 Dec 2010 15:32:21 GMT

ETag:“b0aac0542e25c31:89d”

Content-Length: 7369

Which of the following is an example of what the engineer performed?

Banner grabbing

SQL injection

Whois database query

Cross-site scripting

44. is a set of extensions to DNS that provide the origin authentication of DNS data to DNS clients (resolvers) so as to reduce the threat of DNS poisoning, spoofing, and similar types of attacks.

DNSSEC

Resource records

Resource transfer

Zone transfer

45. What useful information is gathered during a successful Simple Mail Transfer Protocol (SMTP) enumeration?

The two internal commands VRFY and EXPN provide a confirmation of valid users, email addresses, aliases, and mailing lists.

Reveals the daily outgoing message limits before mailboxes are locked

The internal command RCPT provides a list of ports open to message traffic.

A list of all mail proxy server addresses used by the targeted host

46. what is the port to block first in case you are suspicious that an loT device has been compromised?

443

48101

47. What does a firewall check to prevent particular ports and applications from getting packets into an organization?

Transport layer port numbers and application layer headers

Presentation layer headers and the session layer port numbers

Network layer headers and the session layer port numbers

Application layer port numbers and the transport layer headers

48. You just set up a security system in your network. In what kind of system would you find the following string of characters used as a rule within its configuration? alert tcp any any -> 192.168.100.0/24 21 (msg: ““FTP on the network!””;)

A firewall IPTable

FTP Server rule

A Router IPTable

An Intrusion Detection System

49. Study the snort rule given below:

From the options below, choose the exploit against which this rule applies.

WebDav

SQL Slammer

MS Blaster

MyDoom

50. What is one of the advantages of using both symmetric and asymmetric cryptography in SSL/TLS?

Supporting both types of algorithms allows less-powerful devices such as mobile phones to use symmetric encryption instead.

Symmetric algorithms such as AES provide a failsafe when asymmetric methods fail.

Symmetric encryption allows the server to security transmit the session keys out-of-band.

Asymmetric cryptography is computationally expensive in comparison. However, it is well-suited to securely negotiate keys for use with symmetric cryptography.

Page 6 of 13

51. Peter, a system administrator working at a reputed IT firm, decided to work from his home and login remotely. Later, he anticipated that the remote connection could be exposed to session hijacking. To curb this possibility, he implemented a technique that creates a safe and encrypted tunnel over a public network to securely send and receive sensitive information and prevent hackers from decrypting the data flow between the endpoints.

What is the technique followed by Peter to send files securely through a remote connection?

DMZ

SMB signing

VPN

Switch network

52. What is the file that determines the basic configuration (specifically activities, services, broadcast receivers, etc.) in an Android application?

AndroidManifest.xml

info

resources.asrc

classes.dex

53. This form of encryption algorithm is asymmetric key block cipher that is characterized by a 128-bit block size, and its key size can be up to 256 bits.

Which among the following is this encryption algorithm?

Twofish encryption algorithm

HMAC encryption algorithm

IDEA

Blowfish encryption algorithm

54. An Internet Service Provider (ISP) has a need to authenticate users connecting via analog modems, Digital Subscriber Lines (DSL), wireless data services, and Virtual Private Networks (VPN) over a Frame Relay network.

Which AAA protocol is the most likely able to handle this requirement?

TACACS+

DIAMETER

Kerberos

RADIUS

55. A pen tester is configuring a Windows laptop for a test. In setting up Wireshark, what river and library

are required to allow the NIC to work in promiscuous mode?

Libpcap

Awinpcap

Winprom

Winpcap

56. Bob was recently hired by a medical company after it experienced a major cyber security breach. Many patients are complaining that their personal medical records are fully exposed on the Internet and someone can find them with a simple Google search. Bob's boss is very worried because of regulations that protect those data.

Which of the following regulations is mostly violated?

HIPPA/PHl

Pll

PCIDSS

ISO 2002

57. You are logged in as a local admin on a Windows 7 system and you need to launch the Computer Management Console from command line.

Which command would you use?

c:compmgmt.msc

c:services.msc

c:
cpa.cp

c:gpedit

58. Which Metasploit Framework tool can help penetration tester for evading Anti-virus Systems?

msfpayload

msfcli

msfd

msfencode

59. Security administrator John Smith has noticed abnormal amounts of traffic coming from local computers at night. Upon reviewing, he finds that user data have been exfilltrated by an attacker.

AV tools are unable to find any malicious software, and the IDS/IPS has not reported on any non-whitelisted programs, what type of malware did the attacker use to bypass the company's application whitelisting?

Phishing malware

Zero-day malware

File-less malware

Logic bomb malware

60. Shiela is an information security analyst working at HiTech Security Solutions. She is performing service version discovery using Nmap to obtain information about the running services and their versions on a target system.

Which of the following Nmap options must she use to perform service version discovery on the target host?

-SN

-SX

-sV

-SF

Page 7 of 13

61. Leverox Solutions hired Arnold, a security professional, for the threat intelligence process. Arnold collected information about specific threats against the organization. From this information, he retrieved contextual information about security events and incidents that helped him disclose potential risks and gain insight into attacker methodologies. He collected the information from sources such as humans, social media, and chat rooms as well as from events that resulted in cyberattacks. In this process, he also prepared a report that includes identified malicious activities, recommended courses of action, and warnings for emerging attacks.

What is the type of threat intelligence collected by Arnold in the above scenario?

Strategic threat intelligence

Tactical threat intelligence

Operational threat intelligence

Technical threat intelligence

62. Abel, a cloud architect, uses container technology to deploy applications/software including all its dependencies, such as libraries and configuration files, binaries, and other resources that run independently from other processes in the cloud environment. For the containerization of applications, he follows the five-tier container technology architecture. Currently. Abel is verifying and validating image contents, signing images, and sending them to the registries.

Which of the following tiers of the container technology architecture Is Abel currently working in?

Tier-1: Developer machines

Tier-4: Orchestrators

Tier-3: Registries

Tier-2: Testing and accreditation systems

63. During the enumeration phase. Lawrence performs banner grabbing to obtain information such as OS details and versions of services running. The service that he enumerated runs directly on TCP port 445.

Which of the following services is enumerated by Lawrence in this scenario?

Server Message Block (SMB)

Network File System (NFS)

Remote procedure call (RPC)

Telnet

64. Richard, an attacker, targets an MNC. in this process, he uses a footprinting technique to gather as much information as possible. Using this technique, he gathers domain information such as the target domain name, contact details of its owner, expiry date, and creation date. With this information, he creates a map of the organization's network and misleads domain owners with social engineering to obtain internal details of its network.

What type of footprinting technique is employed by Richard?

VoIP footprinting

VPN footprinting

Whois footprinting

Email footprinting

65. Widespread fraud ac Enron. WorldCom, and Tyco led to the creation of a law that was designed to improve the accuracy and accountability of corporate disclosures. It covers accounting firms and third parties that provide financial services to some organizations and came into effect in 2002.

This law is known by what acronym?

Fed RAMP

PCIDSS

SOX

HIPAA

66. An attacker can employ many methods to perform social engineering against unsuspecting employees, including scareware.

What is the best example of a scareware attack?

A pop-up appears to a user stating, "You have won a free cruise! Click here to claim your prize!"

A banner appears to a user stating, "Your account has been locked. Click here to reset your password and unlock your account."

A banner appears to a user stating, "Your Amazon order has been delayed. Click here to find out your new delivery date."

A pop-up appears to a user stating, "Your computer may have been infected with spyware. Click here to install an anti-spyware tool to resolve this issue."

67. When you are testing a web application, it is very useful to employ a proxy tool to save every request and response. You can manually test every request and analyze the response to find vulnerabilities. You can test parameter and headers manually to get more precise results than if using web vulnerability scanners.

What proxy tool will help you find web vulnerabilities?

Maskgen

Dimitry

Burpsuite

Proxychains

68. Calvin, a software developer, uses a feature that helps him auto-generate the content of a web page without manual involvement and is integrated with SSI directives. This leads to a vulnerability in the developed web application as this feature accepts remote user inputs and uses them on the page. Hackers can exploit this feature and pass malicious SSI directives as input values to perform malicious activities such as modifying and erasing server files.

What is the type of injection attack Calvin's web application is susceptible to?

Server-side template injection

Server-side JS injection

CRLF injection

Server-side includes injection

69. This type of injection attack does not show any error message. It is difficult to exploit as it returns information when the application is given SQL payloads that elicit a true or false response from the server. By observing the response, an attacker can extract sensitive information.

What type of attack is this?

Time-based SQL injection

Union SQL injection

Error-based SQL injection

Blind SQL injection

70. Which is the first step followed by Vulnerability Scanners for scanning a network?

OS Detection

Firewall detection

TCP/UDP Port scanning

Checking if the remote host is alive

Page 8 of 13

71. Why is a penetration test considered to be more thorough than vulnerability scan?

Vulnerability scans only do host discovery and port scanning by default.

A penetration test actively exploits vulnerabilities in the targeted infrastructure, while a vulnerability scan does not typically involve active exploitation.

It is not C a penetration test is often performed by an automated tool, while a vulnerability scan requires active engagement.

The tools used by penetration testers tend to have much more comprehensive vulnerability databases.

72. Attacker Simon targeted the communication network of an organization and disabled the security controls of NetNTLMvl by modifying the values of LMCompatibilityLevel, NTLMMinClientSec, and RestrictSendingNTLMTraffic. He then extracted all the non-network logon tokens from all the active processes to masquerade as a legitimate user to launch further attacks.

What is the type of attack performed by Simon?

Internal monologue attack

Combinator attack

Rainbow table attack

Dictionary attack

73. A DDOS attack is performed at layer 7 to take down web infrastructure. Partial HTTP requests are sent to the web infrastructure or applications. Upon receiving a partial request, the target servers opens multiple connections and keeps waiting for the requests to complete.

Which attack is being described here?

Desynchronization

Slowloris attack

Session splicing

Phlashing

74. Attacker Rony installed a rogue access point within an organization's perimeter and attempted to intrude into its internal network. Johnson, a security auditor, identified some unusual traffic in the internal network that is aimed at cracking the authentication mechanism. He immediately turned off the targeted network and tested for any weak and outdated security mechanisms that are open to attack.

What is the type of vulnerability assessment performed by johnson in the above scenario?

Host-based assessment

Wireless network assessment

Application assessment

Distributed assessment

75. Which definition among those given below best describes a covert channel?

A server program using a port that is not well known.

Making use of a protocol in a way it is not intended to be used.

It is the multiplexing taking place on a communication link.

It is one of the weak channels used by WEP which makes it insecure

76. Which of the following program infects the system boot sector and the executable files at the same time?

Polymorphic virus

Stealth virus

Multipartite Virus

Macro virus

77. Tony is a penetration tester tasked with performing a penetration test. After gaining initial access to a target system, he finds a list of hashed passwords.

Which of the following tools would not be useful for cracking the hashed passwords?

John the Ripper

Hashcat

netcat

THC-Hydra

78. Don, a student, came across a gaming app in a third-party app store and Installed it. Subsequently, all the legitimate apps in his smartphone were replaced by deceptive applications that appeared legitimate. He also received many advertisements on his smartphone after Installing the app.

What is the attack performed on Don in the above scenario?

SMS phishing attack

SIM card attack

Agent Smith attack

Clickjacking

79. The Heartbleed bug was discovered in 2014 and is widely referred to under MITRE’s Common Vulnerabilities and Exposures (CVE) as CVE-2014-0160. This bug affects the OpenSSL implementation of the Transport Layer Security (TLS) protocols defined in RFC6520.

What type of key does this bug leave exposed to the Internet making exploitation of any compromised system very easy?

Public

Private

Shared

Root

80. You are a Network Security Officer. You have two machines. The first machine (192.168.0.99) has snort installed, and the second machine (192.168.0.150) has kiwi syslog installed. You perform a syn scan in your network, and you notice that kiwi syslog is not receiving the alert message from snort. You decide to run wireshark in the snort machine to check if the messages are going to the kiwi syslog machine.

What Wireshark filter will show the connections from the snort machine to kiwi syslog machine?

tcp.srcport= = 514 && ip.src= = 192.168.0.99

tcp.srcport= = 514 && ip.src= = 192.168.150

tcp.dstport= = 514 && ip.dst= = 192.168.0.99

tcp.dstport= = 514 && ip.dst= = 192.168.0.150

Page 9 of 13

81. Tony wants to integrate a 128-bit symmetric block cipher with key sizes of 128,192, or 256 bits into a software program, which involves 32 rounds of computational operations that include substitution and permutation operations on four 32-bit word blocks using 8-variable S-boxes with 4-bit entry and 4-bit exit.

Which of the following algorithms includes all the above features and can be integrated by Tony into the software program?

TEA

CAST-128

RC5

serpent

82. Which of the following tools is used to analyze the files produced by several packet-capture programs such as tcpdump, WinDump, Wireshark, and EtherPeek?

tcptrace

Nessus

OpenVAS

tcptraceroute

83. You are a penetration tester and are about to perform a scan on a specific server. The agreement that you signed with the client contains the following specific condition for the scan: “The attacker must scan every port on the server several times using a set of spoofed sources IP addresses. ” Suppose that you are using Nmap to perform this scan.

What flag will you use to satisfy this requirement?

The -A flag

The -g flag

The -f flag

The -D flag

84. If a token and 4-digit personal identification number (PIN) are used to access a computer system and the token performs off-line checking for the correct PIN, what type of attack is possible?

Birthday

Brute force

Man-in-the-middle

Smurf

85. Every company needs a formal written document which spells out to employees precisely what they are allowed to use the company's systems for, what is prohibited, and what will happen to them if they break the rules. Two printed copies of the policy should be given to every employee as soon as possible after they join the organization. The employee should be asked to sign one copy, which should be safely filed by the company. No one should be allowed to use the company's computer systems until they have signed the policy in acceptance of its terms.

What is this document called?

Information Audit Policy (IAP)

Information Security Policy (ISP)

Penetration Testing Policy (PTP)

Company Compliance Policy (CCP)

86. Bob, your senior colleague, has sent you a mail regarding a deal with one of the clients. You are requested to accept the offer and you oblige. After 2 days, Bab denies that he had ever sent a mail.

What do you want to ““know”” to prove yourself that it was Bob who had send a mail?

Non-Repudiation

Integrity

Authentication

Confidentiality

87. Bob wants to ensure that Alice can check whether his message has been tampered with.

He creates a checksum of the message and encrypts it using asymmetric cryptography.

What key does Bob use to encrypt the checksum for accomplishing this goal?

Alice's private key

Alice's public key

His own private key

His own public key

88. You start performing a penetration test against a specific website and have decided to start from grabbing all the links from the main page.

What Is the best Linux pipe to achieve your milestone?

dirb https://site.com | grep "site"

curl -s https://sile.com | grep ‘’< a href-’http" | grep "Site-com- | cut -d "V" -f 2

wget https://stte.com | grep "< a href=*http" | grep "site.com"

wgethttps://site.com | cut-d"http-

89. Which of the following web vulnerabilities would an attacker be attempting to exploit if they delivered the following input?

<!DOCTYPE blah [ < IENTITY trustme SYSTEM "file:///etc/passwd" > ] >

XXE

SQLi

IDOR

XXS

90. Which of the following options represents a conceptual characteristic of an anomaly-based IDS over a signature-based IDS?

Produces less false positives

Can identify unknown attacks

Requires vendor updates for a new threat

Cannot deal with encrypted network traffic

Page 10 of 13

91. Mary, a penetration tester, has found password hashes in a client system she managed to breach. She needs to use these passwords to continue with the test, but she does not have time to find the passwords that correspond to these hashes.

Which type of attack can she implement in order to continue?

LLMNR/NBT-NS poisoning

Internal monologue attack

Pass the ticket

Pass the hash

92. Study the snort rule given below and interpret the rule. alert tcp any any --> 192.168.1.0/24 111

(content:"|00 01 86 a5|"; msG. "mountd access";)

An alert is generated when a TCP packet is generated from any IP on the 192.168.1.0 subnet and destined to any IP on port 111

An alert is generated when any packet other than a TCP packet is seen on the network and destined for the 192.168.1.0 subnet

An alert is generated when a TCP packet is originated from port 111 of any IP address to the 192.168.1.0 subnet

An alert is generated when a TCP packet originating from any IP address is seen on the network and destined for any IP address on the 192.168.1.0 subnet on port 111

93. What type of analysis is performed when an attacker has partial knowledge of inner-workings of the application?

Black-box

Announced

White-box

Grey-box

94. What is the proper response for a NULL scan if the port is open?

SYN

ACK

FIN

PSH

RST

No response

95. As a securing consultant, what are some of the things you would recommend to a company to ensure DNS security?

Use the same machines for DNS and other applications

Harden DNS servers

Use split-horizon operation for DNS servers

Restrict Zone transfers

Have subnet diversity between DNS servers

96. Elante company has recently hired James as a penetration tester. He was tasked with performing enumeration on an organization's network. In the process of enumeration, James discovered a service that is accessible to external sources. This service runs directly on port 21.

What is the service enumerated byjames in the above scenario?

Border Gateway Protocol (BGP)

File Transfer Protocol (FTP)

Network File System (NFS)

Remote procedure call (RPC)

97. Elliot is in the process of exploiting a web application that uses SQL as a back-end database. He’s determined that the application is vulnerable to SQL injection, and has introduced conditional timing delays into injected queries to determine whether they are successful.

What type of SQL injection is Elliot most likely performing?

Error-based SQL injection

Blind SQL injection

Union-based SQL injection

NoSQL injection

98. Which utility will tell you in real time which ports are listening or in another state?

Netstat

TCPView

Nmap

Loki

99. What would you enter if you wanted to perform a stealth scan using Nmap?

nmap -sM

nmap -sU

nmap -sS

nmap -sT

100. Annie, a cloud security engineer, uses the Docker architecture to employ a client/server model in the application she is working on. She utilizes a component that can process API requests and handle various Docker objects, such as containers, volumes. Images, and networks.

What is the component of the Docker architecture used by Annie in the above scenario?

Docker client

Docker objects

Docker daemon

Docker registries

Page 11 of 13

101. Roma is a member of a security team. She was tasked with protecting the internal network of an organization from imminent threats. To accomplish this task, Roma fed threat intelligence into the security devices in a digital format to block and identify inbound and outbound malicious traffic entering the organization's network.

Which type of threat intelligence is used by Roma to secure the internal network?

Technical threat intelligence

Operational threat intelligence

Tactical threat intelligence

Strategic threat intelligence

102. Which of the following LM hashes represent a password of less than 8 characters? (Choose two.)

BA810DBA98995F1817306D272A9441BB

44EFCE164AB921CQAAD3B435B51404EE

0182BD0BD4444BF836077A718CCDF409

CEC52EB9C8E3455DC2265B23734E0DAC

B757BF5C0D87772FAAD3B435B51404EE

E52CAC67419A9A224A3B108F3FA6CB6D

103. The security team of Debry Inc. decided to upgrade Wi-Fi security to thwart attacks such as dictionary attacks and key recovery attacks. For this purpose, the security team started implementing cutting-edge technology that uses a modern key establishment protocol called the simultaneous authentication of equals (SAE), also known as dragonfly key exchange, which replaces the PSK concept.

What is the Wi-Fi encryption technology implemented by Debry Inc.?

WEP

WPA

WPA2

WPA3

104. What does the CoX flag do in an Nmap scan?

Perform an eXpress scan

Output the results in truncated format to the screen

Output the results in XML format to a file

Perform an Xmas scan

105. Websites and web portals that provide web services commonly use the Simple Object Access Protocol (SOAP).

Which of the following is an incorrect definition or characteristics of the protocol?

Exchanges data between web services

Only compatible with the application protocol HTTP

Provides a structured model for messaging

Based on XML

106. Taylor, a security professional, uses a tool to monitor her company's website, analyze the website's traffic, and track the geographical location of the users visiting the company's website.

Which of the following tools did Taylor employ in the above scenario?

WebSite Watcher

web-Stat

Webroot

WAFW00F

107. A company’s security policy states that all Web browsers must automatically delete their HTTP browser cookies upon terminating.

What sort of security breach is this policy attempting to mitigate?

Attempts by attackers to access the user and password information stored in the company’s SQL database.

Attempts by attackers to access Web sites that trust the Web browser user by stealing the user’s authentication credentials.

Attempts by attackers to access password stored on the user’s computer without the user’s knowledge.

Attempts by attackers to determine the user’s Web browser usage patterns, including when sites were visited and for how long.

108. Which of the following is a low-tech way of gaining unauthorized access to systems?

Social Engineering

Eavesdropping

Scanning

Sniffing

109. How does a denial-of-service attack work?

A hacker prevents a legitimate user (or group of users) from accessing a service

A hacker uses every character, word, or letter he or she can think of to defeat authentication

A hacker tries to decipher a password by using a system, which subsequently crashes the network

A hacker attempts to imitate a legitimate user by confusing a computer or even another person

110. Peter, a Network Administrator, has come to you looking for advice on a tool that would help him perform SNMP enquires over the network.

Which of these tools would do the SNMP enumeration he is looking for? Select the best answers.

SNMPUtil

SNScan

SNMPScan

Solarwinds IP Network Browser

NMap

Page 12 of 13

111. 16 (WiMax) 30 miles

802.16 (WiMax)

802.11g

802.11b

802.11a

112. While scanning with Nmap, Patin found several hosts which have the IP ID of incremental sequences. He then decided to conduct: nmap -Pn -p- -si kiosk.adobe.com www.riaa.com. kiosk.adobe.com is the host with incremental IP ID sequence.

What is the purpose of using "-si" with Nmap?

Conduct stealth scan

Conduct ICMP scan

Conduct IDLE scan

Conduct silent scan

113. An attacker has installed a RAT on a host. The attacker wants to ensure that when a user attempts to go to "www.MyPersonalBank.com", the user is directed to a phishing site.

Which file does the attacker need to modify?

Boot.ini

Sudoers

Networks

Hosts

114. Firewalls are the software or hardware systems that are able to control and monitor the traffic coming in and out the target network based on pre-defined set of rules.

Which of the following types of firewalls can protect against SQL injection attacks?

Data-driven firewall

Packet firewall

Web application firewall

Stateful firewall

115. Mike, a security engineer, was recently hired by BigFox Ltd. The company recently experienced disastrous DoS attacks. The management had instructed Mike to build defensive strategies for the company's IT infrastructure to thwart DoS/DDoS attacks. Mike deployed some countermeasures to handle jamming and scrambling attacks.

What is the countermeasure Mike applied to defend against jamming and scrambling attacks?

Allow the usage of functions such as gets and strcpy

Allow the transmission of all types of addressed packets at the ISP level

Implement cognitive radios in the physical layer

A Disable TCP SYN cookie protection

116. George, an employee of an organization, is attempting to access restricted websites from an official computer. For this purpose, he used an anonymizer that masked his real IP address and ensured complete and continuous anonymity for all his online activities.

Which of the following anonymizers helps George hide his activities?

https://www.baidu.com

https://www.guardster.com

https://www.wolframalpha.com

https://karmadecay.com

117. When conducting a penetration test, it is crucial to use all means to get all available information about the target network. One of the ways to do that is by sniffing the network.

Which of the following cannot be performed by the passive network sniffing?

Identifying operating systems, services, protocols and devices

Modifying and replaying captured network traffic

Collecting unencrypted information about usernames and passwords

Capturing a network traffic for further analysis

118. E-mail scams and mail fraud are regulated by which of the following?

par. 1030 Fraud and Related activity in connection with Computers

par. 1029 Fraud and Related activity in connection with Access Devices

par. 1362 Communication Lines, Stations, or Systems

par. 2510 Wire and Electronic Communications Interception and Interception of Oral Communication

119. Which of the following is the BEST way to defend against network sniffing?

Using encryption protocols to secure network communications

Use Static IP Address

Restrict Physical Access to Server Rooms hosting Critical Servers

120. During the process of encryption and decryption, what keys are shared?

Private keys

User passwords

Public keys

Public and private keys

Page 13 of 13

121. Attacker creates a transparent 'iframe' in front of the URL which victim attempts to click, so victim thinks that he/she clicks to the 'Do you want to make $1000 in a day?' URL but actually he/she clicks to the content or URL that exists in the transparent 'iframe' which is setup by the attacker.

What is the name of the attack which is mentioned in the scenario?

Session Fixation

HTML Injection

HTTP Parameter Pollution

Clickjacking Attack

122. Bob, your senior colleague, has sent you a mail regarding a deal with one of the clients. You are requested to accept the offer and you oblige. After 2 days. Bob denies that he had ever sent a mail.

What do you want to ""know"" to prove yourself that it was Bob who had send a mail?

Authentication

Confidentiality

Integrity

Non-Repudiation