CeH Test 2

Which of the following indicators in the OSINT framework indicates a URL that contains the search term, where the URL itself must be edited manually? (T) (D) (R) (M)

(M)

Which of the following features in FOCA allows an attacker to find more servers in the same segment of a determined address? PTR scanning Web search DNS search IP resolution

PTR Scanning - Finds more servers in the same segment of a determined address; IP FOCA executes a PTR log scan.

Which Google search query will search for any files a target certifiedhacker.com may have? site: certifiedhacker.com filetype:xml | filetype:conf | filetype:cnf | filetype:reg | filetype:inf | filetype:rdp | filetype:cfg | filetype:txt | filetype:ora | filetype:ini allinurl: certifiedhacker.com ext:xml | ext:conf | ext:cnf | ext:reg | ext:inf | ext:rdp | ext:cfg | ext:txt | ext:ora | ext:ini site: certifiedhacker.com ext:xml || ext:conf || ext:cnf || ext:reg || ext:inf || ext:rdp || ext:cfg || ext:txt || ext:ora || ext:ini site: certifiedhacker.com intext:xml | intext:conf | intext:cnf | intext:reg | intext:inf | intext:rdp | intext:cfg | intext:txt | intext:ora | intext:ini

site: certifiedhacker.com filetype:xml | filetype:conf | filetype:cnf | filetype:reg | filetype:inf | filetype:rdp | filetype:cfg | filetype:txt | filetype:ora | filetype:ini

Which of the following UDDI information structures takes the form of keyed metadata and represents unique concepts or constructs in UDDI? businessEntity businessService bindingTemplate technicalModel

technicalModel

Which of the following GNU radio tools is used to capture and listen to incoming signals on an audio device? uhd_rx_cfile uhd_siggen_gui uhd_rx_nogui uhd_ft

uhd_rx_nogui

Which of the following smtp-user-enum options is used to select the file containing hostnames running the SMTP service? -u user -U file -t host -T file

-T file: Select the file containing hostnames running the SMTP service -U file: Select the file containing usernames to check via the SMTP service -t host: Specify the server host running the SMTP service -u user: Check if a user exists on the remote system

Which of the following ntpdate parameters is used by an attacker to perform a function that can force the time to always be stepped? -q -B -d -b

-b Force the time to be stepped -B Force the time to always be slewed -d Enable debugging mode -q Query only; do not set the clock

Which of the following options in the finger command-line utility is used for preventing the matching of usernames? -p -s -m -l

-m: Prevents the matching of usernames. -s: Displays the user's login name, real name, terminal name, idle time, login time, office location, and office phone number -l: Produces a multi-line format displaying all of the information described for the -s option as well as the user's home directory, home phone number, login shell, mail status, and the contents of the files ".plan," ".project," ".pgpkey," and ".forward" from the user's home directory -p: Prevents the -l option of finger from displaying the contents of the ".plan," ".project," and ".pgpkey" files.

Which of the following Nbtstat parameters is used to display the count of all names resolved by a broadcast or WINS server? -r -RR -R -n

-r Displays a count of all names resolved by a broadcast or WINS server

Which of the following Nbtstat parameters lists the current NetBIOS sessions and their status with the IP addresses?

-s The Nbtstat parameter that lists the current NetBIOS sessions and their status with the IP addresses is -s. This parameter displays the current NetBIOS sessions table with the destination IP addresses. The status of the sessions is also displayed, indicating whether the session is active or inactive.

Given below are the various stages involved in a DCSync attack. Escalating local privileges Performing malicious remote code execution Performing external reconnaissance Gaining domain admin credentials Performing internal reconnaissance Performing admin-level reconnaissance Compromising the target machine Compromising credentials by sending commands to the DC Identify the correct sequence of stages involved in a DCSync attack. 1 -> 2 -> 3 -> 4 -> 5 -> 6 -> 7 -> 8 3 -> 7 -> 5 -> 1 -> 8 -> 6 -> 2 -> 4 5 -> 7 -> 4 -> 3 -> 1 -> 8 -> 2 -> 6 3 -> 4 -> 8 -> 6 -> 1 -> 2 -> 7 -> 2

3 -> 7 -> 5 -> 1 -> 8 -> 6 -> 2 -> 4 start from lower privileges and proceed to higher privileges. Stage 1: Performs external reconnaissance Stage 2: Compromises the targeted machine Stage 3: Performs internal reconnaissance Stage 4: Escalates local privileges Stage 5: Compromises credentials by sending commands to DC Stage 6: Performs admin-level reconnaissance Stage 7: Performs malicious remote code execution Stage 8: Gains domain admin credentials

Which of the following viruses combines the approach of file infectors and boot record infectors and attempts to simultaneously attack both the boot sector and executable or program files? System or boot-sector viruses Multipartite viruses Macro viruses Cluster viruses

A multipartite virus combines the approach of file infectors and boot record infectors and attempts to simultaneously attack both the boot sector and executable or program files. This type of virus can spread rapidly and cause widespread damage by infecting multiple parts of a system at once.

Sam, an attacker, was hired to launch an attack on an organization to disrupt its operations and gain access to a remote system for compromising the organization's internal network. In the process, Sam launched an attack to tamper with the data in transit to break into the organization's network. What is the type of attack Sam has performed against the target organization? Insider attack Active attack Passive attack Distribution attack

Active Attacks: Active attacks tamper with the data in transit or disrupt the communication or services between the systems to bypass or break into secured systems

Which of the following tools is not a NetBIOS enumeration tool? NetScanTools Pro OpUtils Hyena SuperScan

Among the given options, Hyena, SuperScan, and NetScanTools Pro can be used to perform NetBIOS enumeration, whereas OpUtils is an SNMP enumeration tool.

Which of the following is an open-source technology that provides PaaS through OS-level virtualization and delivers containerized software packages? Serverless computing Virtual machines Docker Microservices

An open-source technology that provides Platform as a Service (PaaS) through OS-level virtualization and delivers containerized software packages is Docker. Docker is a tool designed to make it easier to create, deploy, and run applications by using containers. Containers allow developers to package up an application with all of the parts it needs, such as libraries and other dependencies, and ship it all out as one package.

Ethan, a blackhat hacker, created a fake social media account impersonating an organization's helpdesk account and started connecting with disgruntled individuals via social media posts. He started posting fake service links on social media. When victims click on the link, they are redirected to another site requesting them to provide their details. Which of the following types of attacks did Ethan perform in the above scenario? Angler phishing Eavesdropping Dumpster diving Diversion theft

Angler phishing

Which of the following IDS/firewall evasion techniques is used by an attacker to bypass Internet censors and evade certain IDS and firewall rules? Anonymizers Source port manipulation IP address decoy Sending bad checksums

Anonymizers: The attacker uses anonymizers, which allows them to bypass Internet censors and evade certain IDS and firewall rules.

Which of the following activities of an organization on social networking sites helps an attacker footprint or collect information regarding the type of business handled by the organization? User support Background checks to hire employees Promotion of products User surveys

Background checks to hire employees

Name an attack where the attacker connects to nearby devices and exploits the vulnerabilities of the Bluetooth protocol to compromise the device? Rolling code attack Jamming attack DDoS attack BlueBorne attack

BlueBorne attack

In which of the following enumeration techniques does an attacker take advantage of different error messages generated during the service authentication process? Extracting usernames using email IDs Extracting information using default passwords Extracting usernames using SNMP Brute-force Active Directory

Brute force Active Directory: This is a design error in the Microsoft Active Directory implementation. If a user enables the "logon hours" feature, then all the attempts at service authentication result in different error messages.

Malcolm, a professional hacker, targeted a Windows-based system to gain backdoor access. For this purpose, he escalated privileges by replacing the Windows App switcher accessibility feature with cmd.exe to gain backdoor access when a key combination is pressed at the login screen. Identify the Windows accessibility feature exploited by Malcolm in the above scenario. C:\Windows\System32\osk.exe C:\Windows\System32\AtBroker.exe C:\Windows\System32\sethc.exe C:\Windows\System32\Magnify.exe

C:\Windows\System32\AtBroker.exe In a Windows environment, accessibility features are stored at the location C:\Windows\System32\ and can be launched by pressing specific keys during a system reboot. Attackers gain escalated privileges by replacing one of the accessibility features with cmd.exe or by replacing binaries in the registry to gain backdoor access when a key combination is pressed at the login screen. This technique allows attackers to obtain system-level access.

Bob, a professional hacker, gained unauthorized access to a Windows-based system. To escalate privileges, he abused an interface module in Windows that enables a software component to interact with another software component. He manipulated valid object references by replacing them with malicious content in Windows Registry. When the victim executes that object, the malicious code is automatically executed, allowing Bob to escalate privileges. Which of the following privilege escalation methods did Bob employ in the above scenario? COM hijacking Modifying domain policy Application shimming Kernel exploits

COM hijacking

Elijah, a malicious hacker, targeted an organization's cloud environment and created oversized HTTP requests to trick the origin web server into responding with error content, which can be cached at the CDN servers. The error-based content that is cached in the CDN server is delivered to legitimate users, resulting in a DoS attack on the target cloud environment. Which of the following attacks did Elijah initiate in the above scenario? Cloudborne attack Wrapping attack CPDoS attack Golden SAML attack

CPDoS attack

Which of the following is a published standard that provides an open framework for communicating the characteristics and impacts of IT vulnerabilities? CVSS NIST OWASP IETF

CVSS The Common Vulnerability Scoring System (CVSS) is a published standard that provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. CVSS is designed to provide a standardized method for rating the severity of vulnerabilities, allowing organizations to prioritize their response and remediation efforts based on the potential impact of the vulnerability.

Lisa, a security analyst, was tasked with analyzing and documenting the possibility of cyberattacks against an organization. In this task, she followed the diamond model of intrusion analysis. During the initial analysis, Lisa started determining the strategies, methods, procedures, or tools that an attacker might use against the organization's network. Which of the following features of the diamond model did Lisa employ in the above scenario? Adversary Capability Victim Infrastructure

Capability: Capability refers to all the strategies, methods, and procedures associated with an attack. It can also be malware or a tool used by an adversary against the target.

In which of the following steganography attacks does an attacker perform probability analysis to test whether a given stego-object and original data are the same? Known-cover Distinguishing statistical Chosen-message Chi-square

Chi-square: The attacker performs probability analysis to test whether a given stego object and original data are the same or not.

Which of the following attacks involves unauthorized use of a victim's computer to stealthily mine digital currency? Cloud cryptojacking Cloudborne attack Cryptanalysis attack Metadata spoofing attack

Cloud cryptojacking The attack that involves unauthorized use of a victim's computer to stealthily mine digital currency is known as cryptojacking. In this type of attack, an attacker installs malware on the victim's computer or compromises a website to run cryptocurrency mining scripts in the background without the user's knowledge or consent. This can result in increased CPU usage and decreased performance on the victim's computer. When the term is preceded by "cloud," it refers to cryptojacking attacks that specifically target cloud infrastructure.

Which of the following location and data examination tools allows ethical hackers to perform two or more scans on different machines in the network? Agent-based scanner Proxy scanner Network-based scanner Cluster scanner

Cluster scanner: Cluster scanners are similar to proxy scanners, but they can simultaneously perform two or more scans on different machines in the network.

Which of the following hping commands is used by an attacker to collect the initial sequence number? hping3 192.168.1.103 -Q -p 139 -s hping3 -2 10.0.0.25 -p 80 hping3 -A 10.0.0.25 -p 80 hping3 -S 72.14.207.99 -p 80 --tcp-timestamp

Collecting Initial Sequence Number: hping3 192.168.1.103 -Q -p 139 -s

A pen tester is using Metasploit to exploit an FTP server and pivot to a LAN. How will the pen tester pivot using Metasploit? Issue the pivot exploit and set the meterpreter. Create a route statement in the meterpreter. Set the payload to propagate through the meterpreter. Reconfigure the network settings in the meterpreter.

Create a route statement in the meterpreter. When malicious activities are performed on the system with Metasploit Framework, the Logs of the target system can be wiped out by launching meterpreter shell prompt of the Metasploit Framework and typing clearev command in meterpreter shell prompt followed by typing Enter.

Which of the following categories of information warfare involves the use of information systems against the virtual personas of individuals or groups and includes information terrorism, semantic attacks, and simula-warfare? Economic warfare Intelligence-based warfare Cyberwarfare Electronic warfare

Cyberwarfare: Libicki defines cyber warfare as the use of information systems against the virtual personas of individuals or groups. It is the broadest of all information warfare. It includes information terrorism, semantic attacks (similar to Hacker warfare, but instead of harming a system, it takes over the system while maintaining the perception that it is operating correctly), and simula-warfare (simulated war, for example, acquiring weapons for mere demonstration rather than actual use).

Which of the following is a Python script that generates password use statistics from password hashes dumped from a domain controller (DC) and generates an HTML report with clickable links? DPAT Power Spy Stegais Snow

DPAT: DPAT is a Python script that generates password use statistics from password hashes dumped from a domain controller (DC) and a password crack file such as hashcat.pot generated using the hashcat tool during password cracking. It also generates an HTML report with clickable links. An attacker can open each link and analyze usernames, current passwords, and other password statistics.

In which of the following threat modelling steps does the administrator break down an application to obtain details about the trust boundaries, data flows, entry points, and exit points? Identify security objectives Identify threats Application overview Decompose the application

Decompose the application

Which of the following practices helps security professionals defend the organizational network against DNS enumeration attempts? Restrict the auditing of DNS zones. Ensure that the resolver can be accessed only by the hosts outside the network. Never restrict DNS zone transfers to specific slave nameserver IP addresses. Disable DNS recursion in the DNS server configuration.

Disable DNS recursion: Disable DNS recursion in the DNS server configuration to recursively restrict queries from other or third-party domains and mitigate DNS amplification and poisoning attacks.

In which of the following steganography techniques does a user implement a sequence of modifications to the cover to obtain a stego-object? Spread spectrum techniques Substitution techniques Distortion techniques Transform domain techniques

Distortion Techniques: In this technique, the user implements a sequence of modifications to the cover to obtain a stego-object. The sequence of modifications represents the transformation of a specific message.

In which of the following malware components does an attacker embed notorious malware files that can perform the installation task covertly? Injector Obfuscator Dropper Packer

Dropper

Jake, a professional hacker, was hired to perform attacks on a target organization and disrupt its services. In this process, Jake decided to exploit a buffer overflow vulnerability and inject malicious code into the buffer to damage files. He started performing a stack-based buffer overflow to gain shell access to the target system. Which of the following types of registers in the stack-based buffer overflow stores the address of the next data element to be stored onto the stack? EIP EDI ESP EBP

ESP: Extended Stack Pointer (ESP) stores the address of the next data element to be stored onto the stack

Which of the following SMTP in-built commands tells the actual delivery addresses of aliases and mailing lists? EXPN RCPT TO VRFY PSINFO

EXPN - Tells the actual delivery addresses of aliases and mailing lists VRFY - Validates users RCPT TO - Defines the recipients of the message

Which of the following practices can be adopted by security experts to defend against buffer overflow attacks within an organization? Never use the NX bit to mark certain areas of memory as executable and nonexecutable. Disallow the compiler to add bounds to all the buffers. Do not use stack canaries, a random value, or a string of characters. Employ the latest OSes that offer high protection.

Employ the latest OSes that offer more protection.

Which of the following enumeration tools allows an attacker to fetch the IPv6 address of a machine through SNMP? ike-scan dig Svmap Enyx

Enyx: It is an enumeration tool that fetches the IPv6 address of a machine through SNMP. Svmap: Svmap is an open-source scanner that identifies SIP devices and PBX servers on a target network. It can be helpful for system administrators when used as a network inventory tool. ike-scan: ike-scan discovers IKE hosts and can fingerprint them using the retransmission backoff pattern.

Highlander, Incorporated, decides to hire an ethical hacker to identify vulnerabilities at the regional locations and ensure system security. What is the main difference between a hacker and an ethical hacker when they are trying to compromise the regional offices? Hackers don't have any knowledge of the network before they compromise the network. Hackers have more sophisticated tools. Ethical hackers have the permission of upper management. Ethical hackers have the permission of the regional server administrators.

Ethical hackers have the permission of upper management (those with authority to approve the test)

Which of the following tools provides complete visibility, real-time detection, and intelligent response to malicious network scanning attempts? WinHex CyberGhost VPN Orbot ExtraHop

ExtraHop: ExtraHop provides complete visibility, real-time detection, and intelligent response to malicious network scanning. This tool allows security professionals to automatically discover and identify every device and its vulnerabilities, including unmanaged Internet of things (IoT) devices in a network.

Identify the technique used by the attackers to execute malicious code remotely? Modify or delete logs Install malicious programs Rootkits and steganography Sniffing network traffic

Install malicious programs

Which of the following is a visualization and exploration tool that allows attackers to explore and understand graphs, create hypotheses, and discover hidden patterns between social networking connections? Netcraft Mention theHarvester Gephi

Gephi: Gephi is a visualization and exploration tool for all types of graphs and networks. It allows the easy creation of social data connectors to map community organizations and small-world networks. Attackers use Gephi to explore and understand graphs, create hypotheses, and discover hidden patterns between social networking connections.

Charlie, a professional hacker, was hired to enumerate critical information from the target organization's Active Directory (AD) environment. In this process, he executed a PowerView command that retrieves information related to the currently active domain user. Identify the command executed by Charlie in the above scenario. Find-LocalAdminAccess (Get-DomainPolicy)."SystemAccess" Get-DomainSID Get-NetLoggedon -ComputerName <computer-name>

Get-NetLoggedon -ComputerName <computer-name> This command is part of the PowerView toolset and can be used to enumerate information about currently logged on users on a specified computer within an Active Directory environment.

Which type of rootkit is created by attackers by exploiting hardware features such as Intel VT and AMD-V? Kernel level rootkit Hardware/firmware rootkit Boot loader level rootkit Hypervisor level rootkit

Hypervisor Level Rootkit: Attackers create Hypervisor level rootkits by exploiting hardware features such as Intel VT and AMD-V. These rootkits runs in Ring-1 and host the operating system of the target machine as a virtual machine and intercept all hardware calls made by the target operating system. This kind of rootkit works by modifying the system's boot sequence and gets loaded instead of the original virtual machine monitor.

Which of the following are valid types of rootkits? (Choose three.) Application level Kernel level Data access level Hypervisor level Physical level Network level

Hypervisor level Kernel level Application level

Which of the following ping methods is effective in identifying active hosts similar to the ICMP timestamp ping, specifically when the administrator blocks the conventional ICMP ECHO ping? UDP ping scan ICMP ECHO ping scan ICMP address mask ping scan ICMP ECHO ping sweep

ICMP Address Mask Ping Scan: This type of ping method is also effective in identifying the active hosts similarly to the ICMP timestamp ping, specifically when the administrator blocks the traditional ICMP Echo ping

Which of the following practices helps security professionals defend against LLMNR/NBT-NS poisoning attacks on an organizational network? Enable NBT-NS Enable LMBNR Implement SMB signing Allow changes to the DWORD registry

Implement SMB signing to prevent relay attacks.

What type of OS fingerprinting technique sends specially crafted packets to the remote OS and analyzes the received response? Distributive Active Reflective Passive

In active OS fingerprinting, specially crafted packets are sent to remote OS and the responses are noted. The responses are then compared with a database to determine the OS. Response from different OSes varies due to differences in TCP/IP stack implementation.

Which of the following categories of information warfare is a sensor-based technology that can directly disrupt technological systems? Economic warfare Psychological warfare Electronic warfare Intelligence-based warfare

Intelligence-based warfare: Intelligence-based warfare is a sensor-based technology that directly corrupts technological systems. According to Libicki, "intelligence-based warfare" is warfare that consists of the design, protection, and denial of systems that seek sufficient knowledge to dominate the battlespace

Peter, a security professional, was tasked with performing a vulnerability assessment on an organization's network. During the assessment, Peter identified that an Apache server was improperly configured, potentially posing serious threats to the organization. Identify the type of vulnerability identified by Peter in the above scenario. Internet service misconfiguration User account vulnerabilities Default password and settings Network device misconfiguration

Internet service misconfiguration Misconfiguring internet services can pose serious security risks. For example, enabling JavaScript and misconfiguring IIS, Apache, FTP, and Terminal services, can create security vulnerabilities in the network

Which of the following types of rootkits replaces original system calls with fake ones to hide information about the attacker? Boot-loader-level rootki Hardware/firmware rootkit Hypervisor-level rootkit Library-level rootkit

Library Level Rootkit: Replaces the original system calls with fake ones to hide information about the attacker.

Which of the following tools helps an ethical hacker detect buffer overflow vulnerabilities in an application? Medusa OllyDbg THC-Hydra Hashcat

OllyDbg: It is a buffer overflow detection tool and is a 32-bit assembler-level analyzing debugger for Microsoft® Windows®. Its emphasis on binary code analysis makes it particularly useful when the source is unavailable.

Which of the following attacks is similar to a brute-force attack but recovers passwords from hashes with a specific set of characters based on information known to the attacker? Wire sniffing Combinator attack Mask attack Fingerprint attack

Mask Attack: Mask attack is like brute-force attack but recovers passwords from hashes with a more specific set of characters based on information known to the attacker.

In a GNSS spoofing technique, attackers block and re-broadcast the original signals for masking the actual signal sent to the targeted receiver. In this manner, the attackers manipulate the original signal with false positioning data and delay timings. Identify this technique. Meaconing method Cancellation methodology Drag-off strategy Interrupting the lock mechanism

Meaconing method

Ronald, a professional hacker, is launching a few attacks on a target organization. In this process, he exploited a vulnerability found in all Intel and ARM processors deployed by Apple to trick a process into accessing out-of-bounds memory by exploiting CPU optimization mechanisms such as speculative execution. Which of the following vulnerabilities was exploited by Ronald in the above scenario? Dylib hijacking Meltdown Unattended installs Open services

Meltdown Ronald launched a Meltdown attack. This type of attack exploits a vulnerability found in Intel and ARM processors to trick a process into accessing out-of-bounds memory by exploiting CPU optimization mechanisms such as speculative execution. This allows an attacker to access sensitive data that would normally be protected by the operating system's memory isolation mechanisms.

Which of the following layers in the IoT architecture is responsible for bridging the gap between two endpoints and performs functions such as message routing, message identification, and subscribing? Internet layer Access gateway layer Middleware layer Edge technology layer

Middleware layer

Which NMAP command combination would let a tester scan every TCP port from a class C network that is blocking ICMP with fingerprinting and service detection? NMAP -P0 -A -sT -p0-65535 192.168.0/16 NMAP -PN -A -O -sS 192.168.2.0/24 NMAP -PN -O -sS -p 1-1024 192.168.0/8 NMAP -P0 -A -O -p1-65535 192.168.0/24

NMAP -PN -A -O -sS 192.168.2.0/24

Which of the following tools is used by an attacker for SMTP enumeration and to extract all the email header parameters, including confirm/urgent flags? Wireshark NetScanTools Pro Snmpcheck JXplorer

NetScanTools Pro: NetScanTools Pro's SMTP Email Generator tool tests the process of sending an email message through an SMTP server.

Which of the following IoC categories is useful for command and control, malware delivery, and identifying details about the operating system, browser type, and other computer-specific information? Network indicators Email indicators Behavioral indicators Host-based indicators

Network Indicators: They are useful for command and control, malware delivery, and identifying details about the operating system, browser type, and other computer-specific information.

Identify the scripts allocated using AD or GPOs, which are executed using any valid user's credentials and abused by attackers to gain local or administrator credentials based on the access configuration. Logon script (Windows) Startup items RC scripts Network logon scripts

Network Logon Scripts: Attackers leverage network logon scripts for escalating privileges and maintaining persistence. These scripts are allocated using AD or GPOs. Such logon scripts are executed using any valid user's credentials. The initialization of a network logon script can be utilized for different systems based on the networked systems. For this reason, attackers abuse network logon scripts to gain local or administrator credentials based on the access configuration to escalate their privileges.

Which of the following tools allows attackers to construct and analyze social networks and obtain critical information about the target organization/users? NodeXL Burp Suite HTTrack Web Site Copier Mention

NodeXL: Attackers use various tools such as Gephi, SocNetV, and NodeXL to construct and analyze social networks and obtain critical information about the target organization/users.

Which of the following OS discovery techniques is used by an attacker to identify a target machine's OS by observing the TTL values in the acquired scan result? OS discovery using IPv6 fingerprinting OS discovery using Nmap Script Engine OS discovery using Unicornscan OS discovery using Nmap

OS Discovery using Unicornscan: In unicornscan, the OS of the target machine can be identified by observing the TTL values in the acquired scan result. To perform Unicornscan, the syntax #unicornscan <target IP address> is used.

Which of the following techniques is used to place an executable in a particular path in such a way that it will be executed by the application in place of the legitimate target? Application shimming Scheduled task File system permissions weakness Path interception

Path interception is a method of placing an executable in a particular path in such a way that it will be executed by the application in place of the legitimate target. Attackers can take advantage of several flaws or misconfigurations to perform path interception like unquoted paths (service paths and shortcut paths), path environment variable misconfiguration, and search order hijacking. Path interception helps an attacker to maintain persistence on a system and escalate privileges.

In which of the following enumeration steps does an penetration tester extract information about encryption and hashing algorithms, authentication types, key distribution algorithms, SA LifeDuration, etc.? Perform IPsec enumeration Perform SMTP enumeration Perform DNS enumeration Perform NTP enumeration

Perform IPsec enumeration

Which of the following types of scanning involves the process of checking the services running on a target computer by sending a sequence of messages to break in? Port scanning Banner grabbing Network scanning Vulnerability scanning

Port Scanning: Port scanning is the process of checking the services running on the target computer by sending a sequence of messages in an attempt to break in.

Which of the following command-line tools displays the CPU and memory information or thread statistics? PsList PsGetSid PsFile PsLogList

PsList: It is a command-line tool that displays a central processing unit (CPU) and memory information or thread statistics.

Jim, an ethical hacker, was hired to perform a vulnerability assessment on an organization to check the security posture of the organization and its vulnerabilities. Jim used a tool that helped him continuously identify threats and monitor unexpected changes in the network before they turn into breaches. Which of the following tools did Jim employ in the above scenario? Sherlock theHarvester Octoparse Qualys VM

Qualys VM: Qualys VM is a cloud-based service that gives immediate, global visibility into where IT systems might be vulnerable to the latest Internet threats and how to protect them. It helps to continuously identify threats and monitor unexpected changes in a network before they turn into breaches

Which of the following Encryption techniques is used in WEP?\ RC4 TKIP AES DES

RC4

George, a professional hacker, wanted to test his computer skills. So, he decided to execute an attack on a company and access important files of the company. In this process, he performed NFS enumeration using a tool to download important files shared through the NFS server. Which of the following tools helps George perform NFS enumeration? OllyDbg Dependency Walker RPCScan KeyGrabber

RPCScan: RPCScan communicates with RPC services and checks misconfigurations on NFS shares.

Which of the following attack techniques uses the cryptanalytic time-memory trade-off and requires less time than other techniques? Rainbow table attack Distributed network attack Toggle-case attack PRINCE attack

Rainbow table attack

In machine-learning classification techniques, which of the following is a subcategory of supervised learning that is used when the data classes are not separated or the data are continuous? Dimensionality reduction Classification Clustering Regression

Regression: Regression is used when data classes are not separated, such as when the data is continuous.

You are doing research on SQL injection attacks. Which of the following combination of Google operators will you use to find all Wikipedia pages that contain information about SQL, injection attacks, or SQL injection techniques? SQL injection site:Wikipedia.org allinurl: Wikipedia.org intitle:"SQL Injection" site:Wikipedia.org intitle:"SQL Injection" site:Wikipedia.org related:"SQL Injection"

SQL injection site:Wikipedia.org

Which of the following scanning techniques is used by an attacker to check whether a machine is vulnerable to UPnP exploits? UDP scanning SCTP INIT scanning SSDP scanning List scanning

SSDP scanning UPnP (Universal Plug and Play) is a service that allows devices on the same local network to discover each other and automatically connect through standard networking protocols (such as TCP/IP HTTP, and DHCP

What is the output returned by search engines when extracting critical details about a target from the Internet? Advanced search operators Operating systems, location of web servers, users, and passwords Search engine results pages ("SERPs") Open ports and services

Search engine results pages ("SERPs")

For messages sent through an insecure channel, a properly implemented digital signature gives the receiver reason to believe the message was sent by the claimed sender. While using a digital signature, the message digest is encrypted with which key? Sender's public key Receiver's private key Receiver's public key Sender's private key

Sender's private key While using a digital signature, the message digest is encrypted with the sender's private key. This creates a digital signature that can be verified by anyone with access to the sender's public key. The receiver can use the sender's public key to decrypt the message digest and verify that it matches the original message. This provides assurance that the message was sent by the claimed sender and has not been tampered with in transit.

Henry, a professional hacker, united with a disgruntled employee of an organization to launch a few attacks on the organization internally. To communicate with the employee, Henry used a tool that hides data in a text file by appending sequences of up to seven spaces interspersed with tabs. Which of the following tools did Henry use to communicate with the disgruntled employee? Snow OllyDbg pwdump7 BeRoot

Snow: Snow is a program for concealing messages in text files by appending tabs and spaces to the ends of lines, and for extracting messages from files containing hidden messages. The user hides the data in the text file by appending sequences of up to seven spaces, interspersed with tabs. This usually allows three bits to be stored every eight columns. There is an alternative encoding scheme that uses alternating spaces and tabs to represent 0s and 1s.

Which of the following vulnerabilities allows attackers to trick a processor to exploit speculative execution to read restricted data? Spectre Dylib hijacking DLL hijacking Meltdown

Spectre vulnerability: Spectre vulnerability is found in many modern processors such as AMD, ARM, Intel, Samsung, and Qualcomm processors. This vulnerability leads to tricking a processor to exploit speculative execution to read restricted data. The modern processors implement speculative execution to predict the future and to complete the execution faster.

Which of the following tools allows attackers to search for people belonging to the target organization? OpenVAS GFI LanGuard Netcraft Spokeo

Spokeo: Attackers can use the Spokeo people search online service to search for people belonging to the target organization. Using this service, attackers obtain information such as phone numbers, email addresses, address history, age, date of birth, family members, social profiles, and court records.

Which of the following static malware analysis techniques provides information about the basic functionality of any program and is also used to determine the harmful actions that a program can perform? Identifying packing/obfuscation methods Strings search Finding information on portable executables (PE) Malware disassembly

Strings search

Which of the following scanning techniques used by attackers involves resetting the TCP connection between a client and server abruptly before the completion of the three-way handshake signals? TCP connect scan Stealth scan Inverse TCP flag scan Xmas scan

TCP connect scan

Which of the following is the active banner grabbing technique used by an attacker to determine the OS running on a remote target system? TCP sequence ability test Banner grabbing from error messages Banner grabbing from page extensions Sniffing of network traffic

TCP sequence ability test

In which of the following attack techniques does an attacker exploit an NFC-enabled Android device by establishing a remote connection with the target mobile device and taking full control of the device? Advanced SMS phishing Hooking Spearphone attack Tap 'n Ghost attack

Tap 'n Ghost attack

How does the SAM database in Windows operating system store the user accounts and passwords? The operating system stores all passwords in a protected segment of volatile memory. The operating system uses key distribution center (KDC) for storing all user passwords. The operating system stores the passwords in a secret file that users cannot find. The operating system performs a one-way hash of the passwords.

The operating system performs a one-way hash of the passwords. The system implements SAM database as a registry file, and the Windows kernel obtains and keeps an exclusive file system lock on the SAM file. As this file consists of a file system lock, this provides some measure of security for the storage of passwords.

Given below are the different steps followed in pivoting. Exploit vulnerable services. Discover live hosts in the network. Scan ports of live systems. Set up routing rules. What is the correct sequence of steps involved in pivoting? 1 -> 2 -> 3 -> 4 2 -> 1 -> 3 -> 4 2 -> 4 -> 3 -> 1 2 -> 3 -> 1 -> 4

The sequence of steps to perform pivoting: Discover live hosts in the network Set up routing rules Scan ports of live systems Exploit vulnerable services

An attacker uses the following SQL query to perform an SQL injection attack SELECT * FROM users WHERE name = '' OR '1'='1'; Identify the type of SQL injection attack performed. Tautology Illegal/logically incorrect query UNION SQL injection End-of-line comment

The type of SQL injection attack performed in the given scenario is a tautology attack. In this type of attack, the attacker injects a condition that is always true (in this case, '1'='1') into the WHERE clause of an SQL query. This causes the query to return all rows from the table, potentially exposing sensitive data.

Which of the following protocols provides reliable multiprocess communication service in a multinetwork environment? TCP SNMP UDP SMTP

Transmission control protocol (TCP) is a connection-oriented protocol. It is capable of carrying messages or e-mail over the Internet. It provides reliable multiprocess communication service in a multinetwork environment.

Which of the following types of vulnerability assessment solutions relies on the administrator providing a starting shot of intelligence and then scanning continuously without incorporating any information found at the time of scanning? Service-based solutions Tree-based assessment Product-based solutions Inference-based assessment

Tree-Based Assessment: In a tree-based assessment, the auditor (parent) selects different strategies for each machine or component (child nodes) of the information system. This approach relies on the administrator to provide a starting piece of intelligence and then to start scanning continuously without incorporating any information found at the time of scanning.

Which protocol and port number might be needed to send log messages to a log analysis tool that resides behind a firewall? UDP 123 UDP 415 UDP 541 UDP 514

UDP 514

Which of the following misconfigured services allows attackers to deploy Windows OS without the intervention of an administrator? Service object permissions Unattended installs Unquoted service paths Modifiable registry autoruns

Unattended Installs: Unattended installs allow attackers to deploy Windows OSs without the intervention of an administrator. Administrators need to manually clean up the unattended install details stored in the Unattend.xml file.

Which of the following practices makes an organization's network vulnerable to buffer overflow attacks? Implement Structured Exception Handler Overwrite Protection (SEHOP). Audit the libraries and frameworks used to develop source code to ensure that they are not vulnerable. Use C programming language instead of Python, COBOL, or Java. Ensure that the function does not perform a write operation when it reaches the end after determining the buffer's size.

Use C programming language instead of Python, COBOL, or Java.

In which of the following phases of the cyber kill chain methodology does an adversary select or create a tailored deliverable malicious payload using an exploit and a backdoor to send it to the victim? Reconnaissance Weaponization Installation Delivery

Weaponization

Which of the following techniques allows attackers to inject malicious script on a web server to maintain persistent access and escalate privileges? Web shel Access token manipulation Launch daemon Scheduled task

Web shell: A web shell is a web-based script that allows access to a web server. Web shells can be created in all the operating systems like Windows, Linux, MacOS, and OS X. Attackers create web shells to inject malicious script on a web server to maintain persistent access and escalate privileges. Attackers use a web shell as a backdoor to gain access and control a remote server. Generally, a web shell runs under current user's privileges. Using a web shell an attacker can perform privilege escalation by exploiting local system vulnerabilities. After escalating the privileges, an attacker can install malicious software, change user permissions, add or remove users, steal credentials, read emails, etc.

Which of the following is a query and response protocol used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system? TCP/IP Traceroute DNS lookup Whois lookup

Whois is a query and response protocol used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system. This protocol listens to requests on port 43 (TCP). Regional Internet Registries (RIRs) maintain Whois databases and it contains the personal information of domain owners. For each resource, Whois database provides text records with information about the resource itself, and relevant information of assignees, registrants, and administrative information (creation and expiration dates).

Don, a professional hacker, targeted a Windows-based system to implant a fake domain controller (DC). To achieve his goal, he modified the configuration settings of domain policies to perform unintended activities such as creating a new account, disabling or modifying internal tools, ingress tool transfer, unwanted service executions, and extracting passwords in plaintext. In which of the following paths did Don find the domain policies folder? \<DOMAIN>\SYSVOL\<DOMAIN>\ C:\Windows\Panther\ UnattendGC\ C:\Windows\system32>nltest/domain_trusts C:\Windows\System32\osk.exe

\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\: Attackers use this path to access the domain group policies and modify them to perform unintended activities such as creating a new account, disabling or modifying internal tools, ingress tool transfer, unwanted service executions, and modifying the policy to extract passwords in plaintext.

Which of the following operating systems allows loading of weak dylibs dynamically that is exploited by attackers to place a malicious dylib in the specified location? Linux Unix macOS Android

macOS provides several legitimate methods, such as setting the DYLD_INSERT_LIBRARIES environment variable, which are user specific. These methods force the loader to automatically load malicious libraries into a target running process. macOS allows the loading of weak dylibs (dynamic libraries) dynamically, which in turn allows an attacker to place a malicious dylib in the specified location.

Which of the following Nmap commands is used by an attacker to enumerate the SMB service running on the target IP address? # nmap -sR <target IP/network> # nmap -p 23 --script telnet-ntlm-info <target IP> # nmap -sV -v --script nbstat.nse <target IP address> # nmap -p 445 -A <target IP>

nmap -p 445 -A <target IP> [Used to enumerate the SMB service running on the target IP address]

commands to acquire the list of hosts connected to the NTP server. Which of the following NTP enumeration commands helps Sam in collecting system information such as the number of time samples from several time sources? ntpdc ntpq ntptrace ntpdate

ntpdate: This command collects the number of time samples from several time sources

Which of the following types of antennas is useful for transmitting weak radio signals over very long distances - on the order of 10 miles? Omnidirectional Parabolic grid Unidirectional Bidirectional

parabolic grid antenna is useful for transmitting weak radio signals over very long distances - on the order of 10 miles. This type of antenna has a parabolic reflector that focuses the radio waves into a narrow beam, allowing the signal to travel further than it would with an omnidirectional or bidirectional antenna. Parabolic grid antennas are commonly used for point-to-point communication links and for long-range wireless networking.