EC-Council CEH Exam Questions

Page 4 of 65

61.

Which scanning technique is particularly useful for detecting the availability of services that run on UDP, given that UDP is a connectionless protocol? 

  • UDP scan

  • SYN scan

  • FIN scan

  • ACK scan

Correct answer: UDP scan

A UDP scan is designed specifically to detect the availability of services that operate over the UDP protocol since UDP doesn't establish a formal connection like TCP. 

SYN scan, FIN scan, and ACK scan are used for TCP port scanning, leveraging the different states and characteristics of the TCP protocol.

62.

Of the following, which type of attack is not often implemented via SQL injection?

  • DDoS

  • Information disclosure

  • RCE 

  • Authentication bypass 

Correct answer: DDoS

Distributed Denial of Service (DDoS) attacks seek to make services and sites unavailable to legitimate users by sending traffic from multiple systems. SQL injection is not typically a method used in distributed denial of service attacks. 

SQL injection can be used to carry out information disclosure, Remote Code Execution (RCE), and authentication bypass attacks. 

63.

Which of the following tools is primarily used for Bluetooth penetration testing? 

  • BlueScanner

  • Bluejacking Tool

  • BlueSnarf++

  • Bluesmack Attack Toolkit

Correct answer: BlueScanner

BlueScanner is a Bluetooth penetration testing tool that scans for Bluetooth-enabled devices and can help identify potential threats or vulnerabilities. 

Bluejacking Tool, BlueSnarf++, and Bluesmack Attack Toolkit are associated with executing specific types of Bluetooth attacks rather than protecting against them.

64.

What is the primary method attackers use to perform DNS server hijacking?

  • Unauthorized access and modification of DNS records

  • Physical tampering with DNS server hardware

  • Exploiting outdated DNS software

  • Flooding the DNS server via DDoS attacks

Correct answer: Unauthorized access and modification of DNS records

The primary method used by attackers to perform DNS server hijacking involves gaining unauthorized access to the DNS server and modifying DNS records. By altering these records, attackers can redirect traffic from legitimate servers to malicious ones. 

Physical tampering is a security concern but not typically associated with DNS hijacking. Exploiting outdated DNS software could be a means to gain access but is not related to hijacking itself. DDoS attacks can disrupt services but do not involve modification of DNS records.

65.

Which technique uses deliberately slow traffic patterns to bypass firewalls that rely on detecting rapid malicious activities?

  • Slow and steady attack

  • Insertion attack

  • Reverse shell

  • Protocol tunneling

Correct answer: Slow and steady attack

A slow and steady attack involves sending malicious traffic slowly over time to evade firewalls that primarily detect rapid, aggressive activities. 

Insertion attacks send ambiguous packets, reverse shells leverage outbound connections, and protocol tunneling disguises traffic.

66.

Jose wants to see the route a packet takes across the internet to reach its destination. Which tool can Jose use to do this?

  • Tracert

  • HTTrack

  • CrossLinked

  • Dig

Correct answer: Tracert

The command line tool tracert shows the route (in hops) taken by a packet from one point to another. 

HTTrack is a website mirroring tool. CrossLinked is a LinkedIn enumeration tool. The program dig is another command line utility, but it is used for name resolution. 

67.

What is the primary benefit for an attacker to use encryption in a web server attack?

  • To conceal the attack from network monitoring tools

  • To ensure data integrity

  • To authenticate the web server

  • To speed up the attack process

Correct answer: To conceal the attack from network monitoring tools

The primary benefit for an attacker to use encryption in a web server attack is to conceal the attack from network monitoring tools. Encrypted traffic can make it harder for Intrusion Detection Systems (IDS) and other security tools to detect and analyze malicious activities. 

Data integrity and server authentication are legitimate purposes of encryption but not typically a focus of attackers, and encryption does not inherently speed up the attack process.

68.

In NetBIOS enumeration, what does the <20> hexadecimal code represent?

  • Server service

  • A domain controller

  • Network adapter MAC address

  • Client's IP address 

Correct answer: Server service

The nbtstat program can be used to gather information about the local network, including a code that provides context about the names returned. The <20> hexadecimal code in NetBIOS refers to the Server service on a machine. 

The <20> code does not indicate a domain controller, represent a MAC address, or signify an IP address.

69.

What type of attack involves an attacker relaying or altering the communication between two parties?

  • Man-in-the-middle

  • Pass-the-hash

  • Dictionary 

  • Kerberoasting

Correct answer: Man-in-the-middle

A Man-in-the-Middle (MitM) attack occurs when an attacker is able to intercept or alter communications between two parties. Sometimes this attack is also referred to as an on-path attack. Ettercap is one tool used to perform MitM attacks. 

Pass-the-hash attacks, dictionary attacks, and kerberoasting are all attack types relating to stealing credentials and password cracking. 

70.

Which of the following nmap scan types can be used to scan UDP ports?

  • Nmap -sU scan

  • Xmas scan

  • FIN scan

  • Half-open scan

Correct answer: Nmap -sU scan

There is only one nmap scan type for UDP, selected with the -sU option (nmap -sU). UDP scans are very basic: nmap sends a UDP datagram to each port and then watches for any response that comes back. 

Half-open scans, Xmas scans, and FIN scans are only applicable to TCP scanning because they make use of flags. There are no flag options for UDP, which is why there is only one scan type. 

71.

What does the process of key exchange in cryptography involve?

  • The secure transfer of cryptographic keys between parties

  • Distributing copies of a database key to authorized users

  • Exchanging encrypted messages to verify key validity

  • The systematic replacement of cryptographic keys at regular intervals

Correct answer: The secure transfer of cryptographic keys between parties

Key exchange in cryptography involves the process by which cryptographic keys are securely exchanged between two parties, allowing them to use a symmetric key algorithm for secure communication. 

Distributing copies of a database key to authorized users relates to databases, not to cryptographic key exchange. The systematic replacement of cryptographic keys at regular intervals describes key rotation, not key exchange. Exchanging messages is not the key exchange itself, though it may form part of the process used to verify validity.

72.

Which of the following tools is commonly used for SNMP enumeration?

  • Snmpwalk

  • Aircrack-ng

  • Nikto

  • Cain and Abel

Correct answer: Snmpwalk

Snmpwalk is a tool used specifically for SNMP enumeration. Simple Network Management Protocol (SNMP) is commonly used on network equipment like routers and switches. 

Aircrack-ng is used for cracking wireless networks, Nikto is a vulnerability scanner, and Cain and Abel is a password recovery tool for Windows operating systems.

73.

Why is patch management critical in preventing privilege escalation attacks?

  • It fixes known software vulnerabilities

  • It enhances network speed

  • It monitors network traffic

  • It enforces password policies

Correct answer: It fixes known software vulnerabilities

Patch management is vital for preventing privilege escalation attacks because it addresses and fixes known software vulnerabilities that attackers might exploit to escalate their privileges. 

While network speed, traffic monitoring, and password policies are essential for various security reasons, they aren't directly related to preventing privilege escalation through known software vulnerabilities.

74.

Which type of attack involves a cybercriminal tricking an individual into revealing confidential information by pretending to be a known contact on social media?

  • Spear phishing

  • Pharming

  • Baiting

  • Whaling

Correct answer: Spear phishing

Spear phishing involves highly targeted attacks where cybercriminals trick specific individuals into revealing confidential information. When done through social media impersonation, they can pretend to be a known contact to make their request seem legitimate. 

Pharming redirects users to fake sites, baiting involves enticing victims using something they desire, and whaling targets high-profile individuals but not necessarily through social media impersonation.

75.

Which deployment model in cloud computing is owned, managed, and operated by the organization, or a third party, and exists on-premises?

  • Private cloud

  • Public cloud

  • A community cloud

  • A hybrid cloud

Correct answer: Private cloud

A private cloud is owned, managed, and operated by the organization, or a third party, and exists on-premises. It is designed to offer the same features and benefits of cloud computing but within a company’s private internal network. 

Public cloud services are owned and operated by third-party cloud service providers and deliver their computing resources like servers and storage over the internet. A hybrid cloud is a mix of on-premises, private cloud, and third-party public cloud services with orchestration between the two platforms. A community cloud is shared by several organizations and supports a specific community with shared concerns.

76.

The Common Vulnerability Scoring System (CVSS) is used to:

  • Assign severity scores to vulnerabilities

  • Identify malware hashes

  • Encrypt sensitive data

  • Monitor firewall logs

Correct answer: Assign severity scores to vulnerabilities

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities based on various metrics and for providing a qualitative severity ranking. 

Identifying malware hashes is related to threat intelligence. Encrypting sensitive data is a data protection measure. Monitoring firewall logs is a network security activity.

77.

Vulnerabilities that have no known fixes and are unknown to the developer/creator are called:

  • Zero-day vulnerabilities

  • Legacy platform vulnerabilities

  • Misconfigurations

  • Application flaws

Correct answer: Zero-day vulnerabilities

Zero-day vulnerabilities are vulnerabilities that are unknown to the parties responsible for patching or fixing the vulnerability and are not publicly disclosed. An exploit taking advantage of a zero-day vulnerability is called a zero-day exploit, or zero-day attack.

Legacy platform vulnerabilities arise from using outdated systems or platforms. Misconfigurations are incorrect configurations, and application flaws are vulnerabilities in an application's design or code.

78.

Once an attacker has successfully injected SQL commands, what is a common next step?

  • Extracting sensitive data such as passwords or personal information

  • Announcing the vulnerability on public forums

  • Patching the SQL injection vulnerability

  • Encrypting all data within the database to protect it from other attackers

Correct answer: Extracting sensitive data such as passwords or personal information

After successfully injecting SQL commands, a common next step for an attacker is to use that injection to extract sensitive data such as passwords or personal information from the database. 

The goal of the attack is usually to gain unauthorized access to this information; patching the vulnerability, publicizing it, or protecting the database from others would run counter to a typical attacker's objectives.

79.

When an attacker exploits an application vulnerability to force a user's browser to send malicious requests they did not intend, which flaw is being taken advantage of?

  • CSRF

  • XSS

  • IDOR

  • Improper certificate management

Correct answer: CSRF

Cross-Site Request Forgery (CSRF) is an attack that involves an attacker tricking victims into executing actions on their behalf without their knowledge or consent, often by leveraging the victim's authenticated session.

Cross-Site Scripting (XSS), on the other hand, focuses on script injection into web pages. Insecure Direct Object References (IDOR) refers to direct references to objects without authorization checks. Improper certificate management deals with issues surrounding digital certificates, not unwanted web requests.

80.

Why is living off the land an effective technique for attackers seeking to maintain access?

  • It uses built-in system tools, making detection harder

  • It involves planting trees to hide physical access points

  • It ensures rapid data transmission

  • It involves loud and noticeable attack techniques

Correct answer: It uses built-in system tools, making detection harder

Living off the land refers to attackers using built-in or legitimate tools and processes on the compromised system to conduct malicious activities. Since they're using legitimate tools, detection becomes more challenging, making this a stealthy approach to maintain access. 

The other options don't accurately describe the technique's intent in a cybersecurity context.