Ceh Dumb 1

CEH Dumb-1 latest

Uploaded by

Gnana Sekaran

CEH

Module 1 – Module 5

1. At what stage of the cyber kill chain theory model does data
exfiltration occur?
A. Weaponization
B. Actions on objectives
C. Command and control
D. Installation

2. Which among the following is the best example of the third step
(delivery) in the cyber kill chain?
A. An intruder creates malware to be used as a malicious
attachment to an email.
B. An intruder's malware is triggered when a target opens a
malicious email attachment.
C. An intruder's malware is installed on a target's machine.
D. An intruder sends a malicious attachment via email to a
target.

3. A bank stores and processes sensitive privacy information related to
home loans. However, auditing has never been enabled on the
system. What is the first step that the bank should take before
enabling the audit feature?
A. Perform a vulnerability scan of the system.
B. Determine the impact of enabling the audit feature.
C. Perform a cost/benefit analysis of the audit feature.
D. Allocate funds for staffing of audit log review.

4. Which Metasploit Framework tool can help a penetration tester evade
anti-virus systems?
A. msfpayload
B. msfcli
C. msfd
D. msfencode
5. You are using a public Wi-Fi network inside a coffee shop. Before
surfing the web, you use your VPN to prevent intruders from sniffing
your traffic. If you did not have a VPN, how would you identify
whether someone is performing an ARP spoofing attack on your
laptop?
A. You should check your ARP table and see if there is one IP
address with two different MAC addresses.
B. You should scan the network using Nmap to check the MAC
addresses of all the hosts and look for duplicates.
C. You should use netstat to check for any suspicious connections
with another IP address within the LAN.
D. You cannot identify such an attack and must use a VPN to protect
your traffic.
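
The check that option A describes, as an added example (Python, not part of the original question set). The two neighbour-table snapshots are constructed samples in `ip neigh` format. One caveat a practitioner should know: a kernel's neighbour cache keeps a single entry per IP, so "one IP with two MACs" is something you see by comparing the table over time, while "one MAC bound to two IPs" (the attacker's NIC answering for the gateway and for itself) can show up in a single snapshot. The code checks for both.

```python
"""Added example (not part of the original question set): spotting ARP
spoofing symptoms from the laptop's own neighbour table, as Q5 asks.
The tables below are constructed samples in `ip neigh` format, not a
real capture."""
import re
from collections import defaultdict

# Constructed snapshot taken before the attack.
ARP_BEFORE = """\
192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev wlan0 lladdr 10:20:30:40:50:60 STALE
192.168.1.77 dev wlan0 lladdr de:ad:be:ef:00:01 STALE
"""

# Constructed snapshot during the attack: the gateway now resolves to the
# MAC that 192.168.1.77 already uses.
ARP_DURING = """\
192.168.1.1 dev wlan0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.1.20 dev wlan0 lladdr 10:20:30:40:50:60 STALE
192.168.1.77 dev wlan0 lladdr de:ad:be:ef:00:01 REACHABLE
"""

ENTRY_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3}).*?([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)


def parse_neigh(text):
    """Return {ip: mac} from `ip neigh` (or `arp -a`) style output."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def macs_claiming_multiple_ips(table):
    """One MAC bound to several IPs in a single snapshot."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def ips_that_changed_mac(before, after):
    """IPs whose MAC differs between two snapshots: {ip: (old, new)}."""
    return {ip: (before[ip], after[ip])
            for ip in before if ip in after and before[ip] != after[ip]}


def arp_spoof_suspected(before, after, gateway_ip):
    """True if the gateway's MAC moved or is shared with another host."""
    changed = ips_that_changed_mac(before, after)
    shared = macs_claiming_multiple_ips(after)
    gw_mac = after.get(gateway_ip)
    return gateway_ip in changed or gw_mac in shared


if __name__ == "__main__":
    b, a = parse_neigh(ARP_BEFORE), parse_neigh(ARP_DURING)
    print("changed:", ips_that_changed_mac(b, a))
    print("shared MACs:", macs_claiming_multiple_ips(a))
    print("spoofing suspected:", arp_spoof_suspected(b, a, "192.168.1.1"))
```

On a real laptop you would feed `ip neigh show` (Linux) or `arp -a` (Windows/macOS) output into `parse_neigh` at two points in time; the regex only needs an IPv4 address followed somewhere on the line by a colon-separated MAC, so both formats parse.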

6. Bob was recently hired by a medical company after it experienced a
major cyber security breach. Many patients are complaining that
their personal medical records are fully exposed on the Internet and
someone can find them with a simple Google search. Bob’s boss is
very worried because of regulations that protect those data. Which
of the following regulations is mostly violated?
A. PCI DSS
B. PII
C. ISO 2002
D. HIPAA/PHI

7. Which iOS jailbreaking technique patches the kernel during the
device boot so that it becomes jailbroken after each successive
reboot?
A. Tethered jailbreaking
B. Semi-untethered jailbreaking
C. Semi-tethered jailbreaking
D. Untethered jailbreaking

8. An organization has automated the operation of critical
infrastructure from a remote location. For this purpose, all the
industrial control systems are connected to the Internet. To
empower the manufacturing process, ensure the reliability of
industrial networks, and reduce downtime and service disruption,
the organization decided to install an OT security tool that further
protects against security incidents such as cyber espionage, zero-day
attacks, and malware. Which of the following tools must the
organization employ to protect its critical infrastructure?
A. Robotium
B. BalenaCloud
C. Flowmon
D. IntentFuzzer
9. Widespread fraud at Enron, WorldCom, and Tyco led to the creation
of a law that was designed to improve the accuracy and
accountability of corporate disclosures. It covers accounting firms
and third parties that provide financial services to some
organizations and came into effect in 2002. This law is known by
what acronym?
A. SOX
B. FedRAMP
C. HIPAA
D. PCI DSS

10. To hide the file on a Linux system, you have to start the filename
with a specific character. What is the character?
A. Tilde (~)
B. Underscore (_)
C. Period (.)
D. Exclamation mark (!)

11. Which access control mechanism allows for multiple systems to
use a central authentication server (CAS) that permits users to
authenticate once and gain access to multiple systems?
A. Role Based Access Control (RBAC)
B. Discretionary Access Control (DAC)
C. Single sign-on
D. Windows authentication
12. Your company performs penetration tests and security
assessments for small and medium-sized businesses in the local area.
During a routine security assessment, you discover information that
suggests your client is involved with human trafficking. What should
you do?
A. Confront the client in a respectful manner and ask her about the
data.
B. Copy the data to removable media and keep it in case you need
it.
C. Ignore the data and continue the assessment until completed as
agreed.
D. Immediately stop work and contact the proper legal
authorities.
13. If executives are found liable for not properly protecting their
company’s assets and information systems, what type of law would
apply in this situation?
A. Criminal
B. International
C. Common
D. Civil

14. What term describes the amount of risk that remains after the
vulnerabilities are classified and the countermeasures have been
deployed?
A. Residual risk
B. Impact risk
C. Deferred risk
D. Inherent risk

15. Which regulation defines security and privacy controls for Federal
information systems and organizations?
A. HIPAA
B. EU Safe Harbor
C. PCI-DSS
D. NIST-800-53

16. Which type of security feature stops vehicles from crashing through
the doors of a building?
A. Bollards
B. Receptionist
C. Mantrap
D. Turnstile

17. A hacker is an intelligent individual with excellent computer skills
and the ability to explore a computer’s software and hardware
without the owner’s permission. Their intention can either be to
simply gain knowledge or to illegally make changes. Which of the
following class of hacker refers to an individual who works both
offensively and defensively at various times?
A. White Hat
B. Suicide Hacker
C. Gray Hat
D. Black Hat
18. What information security law or standard aims at protecting
stakeholders and the general public from accounting errors and
fraudulent activities within organizations?
A. FISMA
B. PCI-DSS
C. SOX
D. ISO/IEC 27001:2013

19. Louis, a professional hacker, had used specialized tools or search
engines to encrypt all his browsing activity and navigate
anonymously to obtain sensitive/hidden information about official
government or federal databases. After gathering the information,
he successfully performed an attack on the target government
organization without being traced. Which of the following
techniques is described in the above scenario?
A. Website footprinting
B. Dark web footprinting
C. VPN footprinting
D. VoIP footprinting

20. Becky has been hired by a client from Dubai to perform a
penetration test against one of their remote offices. Working from
her location in Columbus, Ohio, Becky runs her usual
reconnaissance scans to obtain basic information about their
network. When analyzing the results of her Whois search, Becky
notices that the IP was allocated to a location in Le Havre, France.
Which regional Internet registry should Becky go to for detailed
information?
A. ARIN
B. LACNIC
C. APNIC
D. RIPE

21. A penetration tester is performing the footprinting process and is
reviewing publicly available information about an organization by
using the Google search engine. Which of the following advanced
operators would allow the pen tester to restrict the search to the
organization’s web domain?
A. [allinurl:]
B. [location:]
C. [site:]
D. [link:]
22. Juliet, a security researcher in an organization, was tasked with
checking for the authenticity of images to be used in the
organization’s magazines. She used these images as a search query
and tracked the original source and details of the images, which
included photographs, profile pictures, and memes. Which of the
following footprinting techniques did Juliet use to finish her task?
A. Google advanced search
B. Meta search engines
C. Reverse image search
D. Advanced image search

23. Which results will be returned with the following Google search
query? site:target.com -site:Marketing.target.com accounting
A. Results from matches on the site marketing.target.com that are
in the domain target.com but do not include the word accounting
B. Results matching all words in the query.
C. Results for matches on target.com and Marketing.target.com that
include the word "accounting"
D. Results matching "accounting" in domain target.com
but not on the site Marketing.target.com

24. Which of the following Linux commands will resolve a domain name
into IP address?
A. host -t a hackeddomain.com
B. host -t ns hackeddomain.com
C. host -t soa hackeddomain.com
D. host -t AXFR hackeddomain.com

25. You have been authorized to perform a penetration test against a
website. You want to use Google dorks to footprint the site but only
want results that show file extensions. What Google dork operator
would you use?
A. inurl
B. site
C. ext
D. filetype

26. Which of the following information security controls creates an
appealing isolated environment for hackers to prevent them from
compromising critical targets while simultaneously gathering
information about the hacker?
A. Botnet
B. Intrusion detection system
C. Firewall
D. Honeypot

27. Which of the following tools can be used for passive OS
fingerprinting?
A. nmap
B. tcpdump
C. tracert
D. ping

28. John, a professional hacker, targeted an organization that uses
LDAP for accessing distributed directory services. He used an
automated tool to anonymously query the LDAP service for sensitive
information such as usernames, addresses, departmental details,
and server names to launch further attacks on the target
organization. What is the tool employed by John to gather
information from the LDAP service?
A. ike-scan
B. Zabasearch
C. JXplorer
D. EarthExplorer

29. Richard, an attacker, targets an MNC. In this process, he uses a
footprinting technique to gather as much information as possible.
Using this technique, he gathers domain information such as the
target domain name, contact details of its owner, expiry date, and
creation date. With this information, he creates a map of the
organization’s network and misleads domain owners with social
engineering to obtain internal details of its network. What type of
footprinting technique is employed by Richard?
A. VoIP footprinting
B. Email footprinting
C. Whois footprinting
D. VPN footprinting

30. The collection of potentially actionable, overt, and publicly
available information is known as
A. Open-source intelligence
B. Real intelligence
C. Social intelligence
D. Human intelligence

31. Which system consists of a publicly available set of databases that
contain domain name registration contact information?
A. WHOIS
B. CAPTCHA
C. IANA
D. IETF

32. Which of the following is a low-tech way of gaining unauthorized
access to systems?
A. Social Engineering
B. Eavesdropping
C. Scanning
D. Sniffing

33. Peter is surfing the internet looking for information about DX
Company. Which hacking process is Peter doing?
A. Scanning
B. Footprinting
C. Enumeration
D. System Hacking

34. In an attempt to damage the reputation of a competitor
organization, Hailey, a professional hacker, gathers a list of
employee and client email addresses and other related information
by using various search engines, social networking sites, and web
spidering tools. In this process, she also uses an automated tool to
gather a list of words from the target website to further perform a
brute-force attack on the previously gathered email addresses. What
is the tool used by Hailey for gathering a list of words from the
target website?
A. CeWL
B. Orbot
C. Shadowsocks
D. Psiphon

35. Which of the following is the least-likely physical characteristic to
be used in biometric control that supports a large company?
A. Iris patterns
B. Voice
C. Height and Weight
D. Fingerprints

36. When purchasing a biometric system, one of the considerations
that should be reviewed is the processing speed. Which of the
following best describes what it is meant by processing?
A. The amount of time and resources that are necessary to maintain
a biometric system
B. How long it takes to setup individual user accounts
C. The amount of time it takes to be either accepted or
rejected from when an individual provides identification
and authentication information
D. The amount of time it takes to convert biometric data into a
template on a smart card

37. Hackers often raise the trust level of a phishing message by
modeling the email to look similar to the internal email used by the
target company. This includes using logos, formatting, and names of
the target company. The phishing message will often use the name
of the company CEO, President, or Managers. The time a hacker
spends performing research to locate this information about a
company is known as?
A. Exploration
B. Investigation
C. Reconnaissance
D. Enumeration

38. Clark, a professional hacker, was hired by an organization to gather
sensitive information about its competitors surreptitiously. Clark
gathers the server IP address of the target organization using Whois
footprinting. Further, he entered the server IP address as an input to
an online tool to retrieve information such as the network range of
the target organization and to identify the network topology and
operating system used in the network. What is the online tool
employed by Clark in the above scenario?
A. DuckDuckGo
B. AOL
C. ARIN
D. Baidu

39. Harris is attempting to identify the OS running on his target
machine. He inspected the initial TTL in the IP header and the
related TCP window size and obtained the following results:

TTL: 64
Window Size: 5840

What is the OS running on the target machine?

A. Windows OS
B. Mac OS
C. Linux OS
D. Solaris OS

40. Gerard, a disgruntled ex-employee of Sunglass IT Solutions, targets
this organization to perform sophisticated attacks and bring down
its reputation in the market. To launch the attack process, he
performed DNS footprinting to gather information about DNS
servers and to identify the hosts connected in the target network. He
used an automated tool that can retrieve information about DNS
zone data including DNS domain names, computer names, IP
addresses, DNS records, and network Whois records. He further
exploited this information to launch other sophisticated attacks.
What is the tool employed by Gerard in the above scenario?
A. Towelroot
B. Knative
C. zANTI
D. Bluto

41. Emily, an extrovert obsessed with social media, posts a large
amount of private information, photographs, and location tags of
recently visited places. Realizing this, James, a professional hacker,
targets Emily and her acquaintances, conducts a location search to
detect their geolocation by using an automated tool, and gathers
information to perform other sophisticated attacks. What is the tool
employed by James in the above scenario?
A. ophcrack
B. VisualRoute
C. Hootsuite
D. HULK

42. John the Ripper is a technical assessment tool used to test the
weakness of which of the following?
A. Passwords
B. File permissions
C. Firewall rulesets
D. Usernames

43. A technician is resolving an issue where a computer is unable to
connect to the Internet using a wireless access point. The computer
is able to transfer files locally to other machines, but cannot
successfully reach the Internet. When the technician examines the
IP address and default gateway they are both on the
192.168.1.0/24. Which of the following has occurred?
A. The computer is not using a private IP address.
B. The gateway is not routing to a public IP address.
C. The gateway and the computer are not on the same network.
D. The computer is using an invalid IP address.

44. Which of the following allows attackers to draw a map or outline of
the target organization’s network infrastructure to know about the
actual environment that they are going to hack?
A. Vulnerability analysis
B. Malware analysis
C. Scanning networks
D. Enumeration

45. After an audit, the auditors inform you that there is a critical finding
that you must tackle immediately. You read the audit report, and the
problem is the service running on port 389. Which service is this and
how can you tackle the problem?
A. The service is NTP, and you have to change it from UDP to TCP in
order to encrypt it.
B. The service is LDAP, and you must change it to 636, which
is LDAPS.
C. The findings do not require immediate actions and are only
suggestions.
D. The service is SMTP, and you must change it to SMIME, which is
an encrypted way to send emails.

46. Which of the following provides a security professional with the most
information about the system’s security posture?
A. Phishing, spamming, sending trojans
B. Social engineering, company site browsing, tailgating
C. Wardriving, warchalking, social engineering
D. Port scanning, banner grabbing, service identification

47. What is the least important information when you analyze a public
IP address in a security alert?
A. DNS
B. Whois
C. Geolocation
D. ARP

48. Which of the following Google advanced search operators helps an
attacker in gathering information about websites that are similar to
a specified target URL?
A. [inurl:]
B. [info:]
C. [site:]
D. [related:]

49. Henry is a cyber security specialist hired by BlackEye - Cyber
Security Solutions. He was tasked with discovering the operating
system (OS) of a host. He used the Unicornscan tool to discover the
OS of the target system. As a result, he obtained a TTL value, which
indicates that the target system is running a Windows OS. Identify
the TTL value Henry obtained, which indicates that the target OS is
Windows.
A. 128
B. 255
C. 64
D. 138
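
The reasoning behind Q39 and Q49 (initial TTL plus TCP window size as an OS hint), as an added Python example that is not part of the original question set. The signature table is constructed from widely published stack defaults (Linux 64/5840, Windows 128/8192 or 65535, Solaris 255/8760, Cisco IOS 255/4128) and the function also rounds an observed TTL back up to its starting value, which is the step the questions leave implicit: a Windows host twelve hops away shows TTL 116, not 128.

```python
"""Added example (not part of the original question set): a rough passive
OS guess from the initial TTL and TCP window size, the technique behind
Q39 and Q49.  The signature table is constructed from widely published
stack defaults and is a hint, not proof; use nmap -O or p0f for real work."""

# Initial TTLs that operating systems commonly start from.  Each router
# hop decrements the TTL by one, so the value you observe is lower than
# the initial one; round up to the nearest starting value.
INITIAL_TTLS = (32, 64, 128, 255)

# (initial TTL, window size) -> OS family.  Constructed from published
# defaults; real stacks tune the window, so treat a hit as a hint.
SIGNATURES = {
    (64, 5840): "Linux (2.4/2.6 kernel)",
    (64, 65535): "FreeBSD / macOS",
    (128, 8192): "Windows (XP / Server 2003 era)",
    (128, 65535): "Windows (Vista and later)",
    (255, 8760): "Solaris",
    (255, 4128): "Cisco IOS",
}

# Fallback when only the TTL is informative.
TTL_ONLY = {
    32: "legacy Windows (TTL only)",
    64: "Linux / Unix-like (TTL only)",
    128: "Windows (TTL only)",
    255: "Solaris / network device (TTL only)",
}


def initial_ttl(observed_ttl):
    """Map an observed TTL back to the starting TTL the sender used."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be 1..255")
    for start in INITIAL_TTLS:
        if observed_ttl <= start:
            return start


def hops_away(observed_ttl):
    """Estimated router hops between us and the target."""
    return initial_ttl(observed_ttl) - observed_ttl


def guess_os(observed_ttl, window_size):
    """Best-effort family from the TTL/window pair, TTL-only fallback."""
    start = initial_ttl(observed_ttl)
    return SIGNATURES.get((start, window_size), TTL_ONLY[start])


if __name__ == "__main__":
    # The values from Q39: TTL 64 and window 5840 -> Linux.
    print(guess_os(64, 5840), "hops:", hops_away(64))
    # A Windows host 12 hops away (128 - 12 = 116).
    print(guess_os(116, 8192), "hops:", hops_away(116))
```

The rounding is why TTL alone is unreliable across more than about 30 hops and why a box behind a load balancer or proxy fingerprints as the middlebox rather than the server.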

50. Wilson, a professional hacker, targets an organization for financial
benefit and plans to compromise its systems by sending malicious
emails. For this purpose, he uses a tool to track the emails of the
target and extracts information such as sender identities, mail
servers, sender IP addresses, and sender locations from different
public sources. He also checks if an email address was leaked using
the haveibeenpwned.com API. Which of the following tools is used
by Wilson in the above scenario?
A. Factiva
B. ZoomInfo
C. Netcraft
D. Infoga

51. James is working as an ethical hacker at Technix Solutions. The
management ordered James to discover how vulnerable its network
is towards footprinting attacks. James took the help of an open-source
framework for performing automated reconnaissance
activities. This framework helped James in gathering information
using free tools and resources. What is the framework used by
James to conduct footprinting and reconnaissance activities?
A. OSINT framework
B. WebSploit Framework
C. Browser Exploitation Framework
D. SpeedPhish Framework

52. Consider the following Nmap output:

Starting Nmap X.XX (http://nmap.org) at XXX-XX-XX XX:XX EDT
Nmap scan report for 192.168.1.42
Host is up (0.00023s latency).
Not shown: 932 filtered ports, 56 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
Nmap done: 1 IP address (1 host up) scanned in 3.90 seconds
What command-line parameter could you use to determine the type
and version number of the web server?

A. -sV
B. -sS
C. -Pn
D. -V

53. To create a botnet, the attacker can use several techniques to scan
vulnerable machines. The attacker first collects information about a
large number of vulnerable machines to create a list. Subsequently,
they infect the machines. The list is divided by assigning half of the
list to the newly compromised machines. The scanning process runs
simultaneously. This technique ensures the spreading and
installation of malicious code in little time. Which technique is
discussed here?
A. Subnet scanning technique
B. Permutation scanning technique
C. Hit-list scanning technique.
D. Topological scanning technique

54. An attacker scans a host with the below command. Which three
flags are set?
A. This is SYN scan. SYN flag is set.
B. This is Xmas scan. URG, PUSH and FIN are set.
C. This is ACK scan. ACK flag is set.
D. This is Xmas scan. SYN and ACK flags are set.

55. The network in ABC company is using the network address
192.168.1.64 with mask 255.255.255.192. In the network the
servers are in the addresses 192.168.1.122, 192.168.1.123 and
192.168.1.124. An attacker is trying to find those servers but he
cannot see them in his scanning. The command he is using is: nmap
192.168.1.64/28. Why he cannot see the servers?
A. He needs to add the command ip address just before the IP
address
B. He needs to change the address to 192.168.1.0 with the same
mask
C. He is scanning from 192.168.1.64 to 192.168.1.78
because of the mask /28 and the servers are not in that
range
D. The network must be down and the nmap command and IP
address are ok
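
The subnet arithmetic behind Q55, as an added Python example (not part of the original question set) using only the standard library and the addresses quoted in the question. One detail worth checking: option C says "64 to 78", which is the usable-host range, but nmap itself probes every address in a CIDR block including the network and broadcast addresses, so the attacker's /28 actually sends probes to 16 addresses (.64 through .79). Either way the servers at .122 through .124 are outside it; the /26 that the mask 255.255.255.192 denotes runs to .127.

```python
"""Added example (not part of the original question set): the subnet
arithmetic behind Q55, done with the standard library.  Addresses are
the ones quoted in the question."""
import ipaddress

COMPANY_ADDRESS, COMPANY_MASK = "192.168.1.64", "255.255.255.192"
SERVERS = ["192.168.1.122", "192.168.1.123", "192.168.1.124"]
ATTACKER_CIDR = "192.168.1.64/28"


def scan_range(cidr):
    """First and last address nmap will probe for a CIDR target, plus the
    count.  nmap probes every address in the block, network and broadcast
    included, so /28 covers 16 addresses even though only 14 are usable
    hosts (the "64 to 78" wording in option C counts the usable ones)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def covered(cidr, addresses):
    """Which of the given addresses fall inside the CIDR."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {a: ipaddress.ip_address(a) in net for a in addresses}


def cidr_for(address, netmask):
    """Convert an address/netmask pair to CIDR notation."""
    return str(ipaddress.ip_network(f"{address}/{netmask}", strict=False))


if __name__ == "__main__":
    print("attacker scanned:", scan_range(ATTACKER_CIDR))
    print("servers hit:", covered(ATTACKER_CIDR, SERVERS))
    right = cidr_for(COMPANY_ADDRESS, COMPANY_MASK)
    print("should have scanned:", right, scan_range(right))
    print("servers hit:", covered(right, SERVERS))
```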

56. While performing an Nmap scan against a host, Paola determines
the existence of a firewall. In an attempt to determine whether the
firewall is stateful or stateless, which of the following options would
be best to use?
A. -sA
B. -sX
C. -sT
D. -sF

57. Jim, a professional hacker, targeted an organization that is
operating critical industrial infrastructure. Jim used Nmap to scan
open ports and running services on systems connected to the
organization’s OT network. He used an Nmap command to identify
Ethernet/IP devices connected to the Internet and further gathered
information such as the vendor name, product code and name,
device name, and IP address. Which of the following Nmap
commands helped Jim retrieve the required information?
A. nmap -Pn -sT --scan-delay 1s --max-parallelism 1 -p < Port List >
< Target IP >
B. nmap -Pn -sU -p 44818 --script enip-info < Target IP >
C. nmap -Pn -sT -p 46824 < Target IP >
D. nmap -Pn -sT -p 102 --script s7-info < Target IP >

58. Which Nmap switch helps evade IDS or firewalls?
A. -D
B. -n/-R
C. -T
D. -oN/-oX/-oG

59. Which is the first step followed by Vulnerability Scanners for
scanning a network?
A. OS Detection
B. Firewall detection
C. TCP/UDP Port scanning
D. Checking if the remote host is alive

60. When you are getting information about a web server, it is very
important to know the HTTP Methods (GET, POST, HEAD, PUT,
DELETE, TRACE) that are available because there are two critical
methods (PUT and DELETE). PUT can upload a file to the server and
DELETE can delete a file from the server. You can detect all these
methods (GET, POST, HEAD, PUT, DELETE, TRACE) using NMAP script
engine. What Nmap script will help you with this task?
A. http-methods
B. http enum
C. http-headers
D. http-git

61. You are a penetration tester and are about to perform a scan on a
specific server. The agreement that you signed with the client
contains the following specific condition for the scan: `The attacker
must scan every port on the server several times using a set of
spoofed source IP addresses.` Suppose that you are using Nmap to
perform this scan. What flag will you use to satisfy this requirement?
A. The -g flag
B. The -A flag
C. The -f flag
D. The -D flag

62. What would you enter if you wanted to perform a stealth scan
using Nmap?
A. nmap -sM
B. nmap -sU
C. nmap -sS
D. nmap -sT

63. You start performing a penetration test against a specific website
and have decided to start from grabbing all the links from the main
page. What is the best Linux pipe to achieve your milestone?
A. wget https://site.com | grep "
B. curl -s https://site.com | grep "
C. dirb https://site.com | grep "site"
D. wget https://site.com | cut -d "http"

64. If you send a TCP ACK segment to a known closed port on a firewall
but it does not respond with an RST, what do you know about the
firewall you are scanning?
A. It is a non-stateful firewall.
B. There is no firewall in place.
C. It is a stateful firewall.
D. This event does not tell you anything about the firewall.

65. Internet Protocol Security (IPsec) is actually a suite of protocols. Each
protocol within the suite provides different functionality. Collectively,
IPsec does everything except:
A. Protect the payload and the headers
B. Encrypt
C. Work at the Data Link Layer
D. Authenticate

66. You want to do an ICMP scan on a remote computer using hping2.
What is the proper syntax?
A. hping2 -1 host.domain.com
B. hping2 host.domain.com
C. hping2 -l host.domain.com
D. hping2 --set-ICMP host.domain.com

67. If you want to only scan fewer ports than the default scan using
Nmap tool, which option would you use?
A. -r
B. -F
C. -P
D. -sP

68. Shiela is an information security analyst working at HiTech Security
Solutions. She is performing service version discovery using Nmap
to obtain information about the running services and their versions
on a target system. Which of the following Nmap options must she
use to perform service version discovery on the target host?
A. -sN
B. -sV
C. -sX
D. -sF
69. Which Nmap option would you use if you were not concerned about
being detected and wanted to perform a very fast scan?
A. -T5
B. -O
C. -T0
D. -A

70. Which of the following commands checks for valid users on an
SMTP server?
A. RCPT
B. CHK
C. VRFY
D. EXPN

71. By using a smart card and pin, you are using a two-factor
authentication that satisfies
A. Something you are and something you remember
B. Something you have and something you know
C. Something you know and something you are
D. Something you have and something you are

72. What does the -oX flag do in an Nmap scan?
A. Perform an eXpress scan
B. Output the results in truncated format to the screen
C. Output the results in XML format to a file
D. Perform an Xmas scan

73. A Security Engineer at a medium-sized accounting firm has been
tasked with discovering how much information can be obtained from
the firm’s public facing web servers. The engineer decides to start
by using netcat to connect to port 80. The engineer receives this output:
HTTP/1.1 200 OK
Server: Microsoft-IIS/6
Expires: Tue, 17 Jan 2011 01:41:33 GMT
Date: Mon, 16 Jan 2011 01:41:33 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Wed, 28 Dec 2010 15:32:21 GMT
ETag: "b0aac0542e25c31:89d"
Content-Length: 7369
Which of the following is an example of what the engineer
performed?

A. Banner grabbing
B. SQL injection
C. Whois database query
D. Cross-site scripting
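
What the engineer in Q73 did with netcat, as an added Python example (not part of the original question set): open a plain TCP connection, send a minimal HEAD request, and read the Server header back. So that it runs offline, the block starts a throwaway local HTTP server (a constructed stand-in for the IIS box; Python's http.server announces itself as BaseHTTP) and grabs its banner, then applies the same parser to the response quoted in the question.

```python
"""Added example (not part of the original question set): banner grabbing
as in Q73, done with a raw socket instead of netcat.  To keep it runnable
offline it starts a throwaway local HTTP server (constructed stand-in for
the IIS box) and grabs its banner; the same parser is applied to the
response quoted in Q73."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class _StandInHandler(BaseHTTPRequestHandler):
    """Minimal local server; python's http.server announces itself in the
    Server header, which is exactly what the grab is after."""

    def do_HEAD(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()

    do_GET = do_HEAD

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_stand_in_server():
    """Bind to a free port on localhost and serve in the background."""
    srv = HTTPServer(("127.0.0.1", 0), _StandInHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def grab_http_banner(host, port, timeout=5.0):
    """What `nc host 80` plus a typed HEAD request does: open TCP, send a
    minimal HTTP/1.0 request, read until the end of the headers."""
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        while b"\r\n\r\n" not in buf:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf.decode("latin-1")


def parse_headers(raw):
    """Split a raw HTTP response into (status line, {name: value});
    header names are lower-cased because they are case-insensitive."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def server_banner(host, port):
    """The Server header a host volunteers, or a marker if it sends none."""
    _, headers = parse_headers(grab_http_banner(host, port))
    return headers.get("server", "<no Server header>")


# The response quoted in Q73, as a string for the parser.
Q73_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 7369\r\n\r\n"
)

if __name__ == "__main__":
    srv = start_stand_in_server()
    print("local stand-in says:", server_banner("127.0.0.1", srv.server_port))
    print("Q73 server says:", parse_headers(Q73_RESPONSE)[1]["server"])
    srv.shutdown()
```

Pointing `server_banner` at a real host is the whole of what banner grabbing is; the defensive counterpart is to strip or generalise the Server header so that the version (here IIS 6) is not handed out for free.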

74. Judy created a forum. One day, she discovers that a user is posting
strange images without writing comments. She immediately calls a
security expert, who discovers that the following code is hidden
behind those images:
What issue occurred for the users who clicked on the image?
A. This php file silently executes the code and grabs the
user's session cookie and session ID.
B. The code redirects the user to another site.
C. The code injects a new cookie to the browser.
D. The code is a virus that is attempting to gather the user's
username and password.

75. Techno Security Inc. recently hired John as a penetration tester. He
was tasked with identifying open ports in the target network and
determining whether the ports are online and any firewall rule sets
are encountered. John decided to perform a TCP SYN ping scan on
the target network. Which of the following Nmap commands must
John use to perform the TCP SYN ping scan?
A. nmap -sn -PO < target IP address >
B. nmap -sn -PS < target IP address >
C. nmap -sn -PA < target IP address >
D. nmap -sn -PP < target IP address >

76. Firewalk has just completed the second phase (the scanning phase)
and a technician receives the output shown below. What conclusions
can be drawn based on these scan results?
TCP port 21 no response
TCP port 22 no response
TCP port 23 Time-to-live exceeded
A. The lack of response from ports 21 and 22 indicate that those
services are not running on the destination server
B. The scan on port 23 was able to make a connection to the
destination host prompting the firewall to respond with a TTL
error
C. The scan on port 23 passed through the filtering device.
This indicates that port 23 was not blocked at the firewall
D. The firewall itself is blocking ports 21 through 23 and a service is
listening on port 23 of the target host

77. Bill is a network administrator. He wants to eliminate unencrypted
traffic inside his company’s network. He decides to set up a SPAN
port and capture all traffic to the datacenter. He immediately
discovers unencrypted traffic in port UDP 161. What protocol is this
port using and how can he secure that traffic?
A. RPC and the best practice is to disable RPC completely.
B. SNMP and he should change it to SNMP V3.
C. SNMP and he should change it to SNMP V2, which is encrypted.
D. It is not necessary to perform any actions, as SNMP is not
carrying important information.

78. Which of the following scanning method splits the TCP header into
several packets and makes it difficult for packet filters to detect the
purpose of the packet?
A. ACK flag probe scanning
B. ICMP Echo scanning
C. SYN/FIN scanning using IP fragments
D. IPID scanning

79. A security analyst uses Zenmap to perform an ICMP timestamp
ping scan to acquire information related to the current time from the
target host machine. Which of the following Zenmap options must
the analyst use to perform the ICMP timestamp ping scan?
A. -Pn
B. -PU
C. -PP
D. -PY

80. A penetration tester is conducting a port scan on a specific host.
The tester found several ports opened that were confusing in
concluding the Operating System (OS) version installed. Considering
the Nmap result below, which of the following is likely to be
installed on the target machine by the OS?
A. The host is likely a Linux machine.
B. The host is likely a printer.
C. The host is likely a router.
D. The host is likely a Windows machine.
81. You are attempting to run an Nmap port scan on a web server.
Which of the following commands would result in a scan of common
ports with the least amount of noise in order to evade IDS?
A. nmap -A -Pn
B. nmap -sP -p-65535 -T5
C. nmap -sT -O -T0
D. nmap -A --host-timeout 99 -T1

82. Andrew is an Ethical Hacker who was assigned the task of
discovering all the active devices hidden by a restrictive firewall in
the IPv4 range in a given target network. Which of the following host
discovery techniques must he use to perform the given task?
A. UDP scan
B. ARP ping scan
C. ACK flag probe scan
D. TCP Maimon scan

83. Allen, a professional pen tester, was hired by XpertTech Solutions
to perform an attack simulation on the organization’s network
resources. To perform the attack, he took advantage of the NetBIOS
API and targeted the NetBIOS service. By enumerating NetBIOS, he
found that port 139 was open and could see the resources that could
be accessed or viewed on a remote system. He came across many
NetBIOS codes during enumeration. Identify the NetBIOS code used
for obtaining the messenger service running for the logged-in user?
A. <00>
B. <20>
C. <03>
D. <1B>

84. Leverox Solutions hired Arnold, a security professional, for the
threat intelligence process. Arnold collected information about
specific threats against the organization. From this information, he
retrieved contextual information about security events and
incidents that helped him disclose potential risks and gain insight
into attacker methodologies. He collected the information from
sources such as humans, social media, and chat rooms as well as
from events that resulted in cyberattacks. In this process, he also
prepared a report that includes identified malicious activities,
recommended courses of action, and warnings for emerging
attacks. What is the type of threat intelligence collected by Arnold
in the above scenario?
A. Strategic threat intelligence
B. Operational threat intelligence
C. Technical threat intelligence
D. Tactical threat intelligence

85. Sam is a penetration tester hired by Inception Tech, a security
organization. He was asked to perform port scanning on a target
host in the network. While performing the given task, Sam sends
FIN/ACK probes and determines that an RST packet is sent in
response by the target host, indicating that the port is closed. What
is the port scanning technique used by Sam to discover open ports?
A. Xmas scan
B. IDLE/IPID header scan
C. TCP Maimon scan
D. ACK flag probe scan

86. You have compromised a server on a network and successfully
opened a shell. You aimed to identify all operating systems running
on the network. However, as you attempt to fingerprint all machines
in the network using the nmap syntax below, it is not going through.
invictus@victim_server.~$ nmap -T4 -O 10.10.0.0/24 TCP/IP
fingerprinting (for OS scan) xxxxxxx xxxxxx xxxxxxxxx. QUITTING!
What seems to be wrong?
A. The nmap syntax is wrong.
B. This is a common behavior for a corrupted nmap application.
C. The outgoing TCP/IP fingerprinting is blocked by the host firewall.
D. OS Scan requires root privileges.

87. You are logged in as a local admin on a Windows 7 system, and you
need to launch the Computer Management Console from the
command line. Which command would you use?
A. c:\compmgmt.msc
B. c:\ncpa.cpl
C. c:\gpedit
D. c:\services.msc

88. Elante company has recently hired James as a penetration tester.
He was tasked with performing enumeration on an organization’s
network. In the process of enumeration, James discovered a service
that is accessible to external sources. This service runs directly on
port 21. What is the service enumerated by James in the above
scenario?
A. Network File System (NFS)
B. Remote procedure call (RPC)
C. Border Gateway Protocol (BGP)
D. File Transfer Protocol (FTP)

89. You have successfully compromised a server having an IP address
of 10.10.0.5. You would like to enumerate all machines in the same
network quickly. What is the best Nmap command you will use?
A. nmap -T4 -q 10.10.0.0/24
B. nmap -T4 -F 10.10.0.0/24
C. nmap -T4 -r 10.10.1.0/24
D. nmap -T4 -O 10.10.0.0/24

90. DNS cache snooping is a process of determining if the specified
resource address is present in the DNS cache records. It may be
useful during the examination of the network to determine what
software update resources are used, thus discovering what software
is installed. What command is used to determine if the entry is
present in DNS cache?
A. nslookup -fullrecursive update.antivirus.com
B. dnsnooping -rt update.antivirus.com
C. nslookup -norecursive update.antivirus.com
D. dns --snoop update.antivirus.com

91. ______________ is a set of extensions to DNS that provide the origin
authentication of DNS data to DNS clients (resolvers) so as to
reduce the threat of DNS poisoning, spoofing, and similar types of
attacks.
A. DNSSEC
B. Resource records
C. Resource transfer
D. Zone transfer

92. Some clients of TPNQM SA were redirected to a malicious site when
they tried to access the TPNQM main site. Bob, a system
administrator at TPNQM SA, found that they were victims of DNS
Cache Poisoning. What should Bob recommend to deal with such a
threat?
A. The use of security agents in clients' computers
B. The use of DNSSEC
C. The use of double-factor authentication
D. Client awareness

93. Although FTP traffic is not encrypted by default, which layer 3
protocol would allow for end-to-end encryption of the connection?
A. SFTP
B. IPsec
C. SSL
D. FTPS

94. Identify the UDP port that Network Time Protocol (NTP) uses as its
primary means of communication?
A. 113
B. 69
C. 123
D. 161

95. John, a professional hacker, decided to use DNS to perform data
exfiltration on a target network. In this process, he embedded
malicious data into the DNS protocol packets that even DNSSEC
cannot detect. Using this technique, John successfully injected
malware to bypass a firewall and maintained communication with
the victim machine and C&C server. What is the technique
employed by John to bypass the firewall?
A. DNSSEC zone walking
B. DNS cache snooping
C. DNS enumeration
D. DNS tunneling method

96. In an internal security audit, the white hat hacker gains control
over a user account and attempts to acquire access to another
account’s confidential files and information. How can he achieve
this?
A. Privilege Escalation
B. Shoulder-Surfing
C. Hacking Active Directory
D. Port Scanning

97. Attacker Steve targeted an organization’s network with the aim of
redirecting the company’s web traffic to another malicious website.
To achieve this goal, Steve performed DNS cache poisoning by
exploiting the vulnerabilities in the DNS server software and
modified the original IP address of the target website to that of a
fake website. What is the technique employed by Steve to gather
information for identity theft?
A. Pharming
B. Skimming
C. Pretexting
D. Wardriving

98. In the enumeration phase, Lawrence performs banner grabbing to
obtain information such as OS details and versions of services
running. The service that he enumerated runs directly on TCP port
445. Which of the following services is enumerated by Lawrence in
this scenario?
A. Remote procedure call (RPC)
B. Telnet
C. Server Message Block (SMB)
D. Network File System (NFS)

99. What useful information is gathered during a successful Simple
Mail Transfer Protocol (SMTP) enumeration?
A. A list of all mail proxy server addresses used by the targeted
host.
B. The internal command RCPT provides a list of ports open to
message traffic.
C. The two internal commands VRFY and EXPN provide a
confirmation of valid users, email addresses, aliases, and
mailing lists.
D. Reveals the daily outgoing message limits before mailboxes are
locked.

100. Henry is a penetration tester who works for XYZ organization.
While performing enumeration on a client organization, he queries
the DNS server for a specific cached DNS record. Further, by using
this cached record, he determines the sites recently visited by the
organization’s user. What is the enumeration technique used by
Henry on the organization?
A. DNS zone walking
B. DNS cache snooping
C. DNS cache poisoning
D. DNSSEC zone walking

101. Your company was hired by a small healthcare provider to
perform a technical assessment on the network. What is the best
approach for discovering vulnerabilities on a Windows-based
computer?
A. Use the built-in Windows Update tool
B. Use a scan tool like Nessus
C. Check MITRE.org for the latest list of CVE findings
D. Create a disk image of a clean Windows installation

102. Jack, a professional hacker, targets an organization and performs
vulnerability scanning on the target web server to identify any
possible weaknesses, vulnerabilities, and misconfigurations. In this
process, Jack uses an automated tool that eases his work and
performs vulnerability scanning to find hosts, services, and other
vulnerabilities in the target server. Which of the following tools is
used by Jack to perform vulnerability scanning?
A. Infoga
B. NCollector Studio
C. Netsparker
D. WebCopier Pro

103. When you are testing a web application, it is very useful to
employ a proxy tool to save every request and response. You can
manually test every request and analyze the response to find
vulnerabilities. You can test parameters and headers manually to get
more precise results than if using web vulnerability scanners. What
proxy tool will help you find web vulnerabilities?
A. Maskgen
B. Dimitry
C. Burpsuite
D. Proxychains

104. Which is the first step followed by Vulnerability Scanners for
scanning a network?
A. OS Detection
B. Firewall detection
C. TCP/UDP Port scanning
D. Checking if the remote host is alive

105. Mr. Omkar performed tool-based vulnerability assessment and
found two vulnerabilities. During analysis, he found that these
issues are not true vulnerabilities. What will you call these issues?
A. False positives
B. True negatives
C. True positives
D. False negatives

106. Suppose your company has just passed a security risk
assessment exercise. The results display that the risk of the breach
in the main company application is 50%. Security staff has taken
some measures and implemented the necessary controls. After that,
another security risk assessment was performed showing that risk
has decreased to 10%. The risk threshold for the application is 20%.
Which of the following risk decisions will be the best for the project
in terms of its successful continuation with the most business profit?
A. Accept the risk
B. Introduce more controls to bring risk to 0%
C. Mitigate the risk
D. Avoid the risk

107. In the Common Vulnerability Scoring System (CVSS) v3.1 severity
ratings, what range does a medium-severity vulnerability fall in?
A. 4.0-6.0
B. 3.9-6.9
C. 3.0-6.9
D. 4.0-6.9

108. An organization is performing a vulnerability assessment for
mitigating threats. James, a pen tester, scanned the organization by
building an inventory of the protocols found on the organization’s
machines to detect which ports are attached to services such as an
email server, a web server, or a database server. After identifying
the services, he selected the vulnerabilities on each machine and
started executing only the relevant tests. What is the type of
vulnerability assessment solution that James employed in the above
scenario?
A. Service-based solutions
B. Product-based solutions
C. Tree-based assessment
D. Inference-based assessment

109. Attacker Rony installed a rogue access point within an
organization’s perimeter and attempted to intrude into its internal
network. Johnson, a security auditor, identified some unusual traffic
in the internal network that is aimed at cracking the authentication
mechanism. He immediately turned off the targeted network and
tested for any weak and outdated security mechanisms that are
open to attack. What is the type of vulnerability assessment
performed by Johnson in the above scenario?
A. Wireless network assessment
B. Application assessment
C. Host-based assessment
D. Distributed assessment

110. Sam is working as a system administrator in an organization. He
captured the principal characteristics of a vulnerability and
produced a numerical score to reflect its severity using CVSS v3.0 to
properly assess and prioritize the organization’s vulnerability
management processes. The base score that Sam obtained after
performing CVSS rating was 4.0. What is the CVSS severity level of
the vulnerability discovered by Sam in the above scenario?
A. Critical
B. Medium
C. High
D. Low
111. What is the most common method to exploit the `Bash Bug` or
`Shellshock` vulnerability?
A. SYN Flood
B. SSH
C. Through Web servers utilizing CGI (Common Gateway
Interface) to send a malformed environment variable to a
vulnerable Web server
D. Manipulate format strings in text fields

112. Mary found a high vulnerability during a vulnerability scan and
notified her server team. After analysis, they sent her proof that a
fix to that issue had already been applied. The vulnerability that
Mary found is called what?
A. False-negative
B. False-positive
C. Brute force attack
D. Backdoor

113. Jude, a pen tester, examined a network from a hacker’s
perspective to identify exploits and vulnerabilities accessible to the
outside world by using devices such as firewalls, routers, and
servers. In this process, he also estimated the threat of network
security attacks and determined the level of security of the
corporate network. What is the type of vulnerability assessment
that Jude performed on the organization?
A. Application assessment
B. External assessment
C. Passive assessment
D. Host-based assessment

114. The Heartbleed bug was discovered in 2014 and is widely referred
to under MITRE’s Common Vulnerabilities and Exposures (CVE) as
CVE-2014-0160. This bug affects the OpenSSL implementation of
the Transport Layer Security (TLS) protocols defined in RFC6520.
What type of key does this bug leave exposed to the Internet
making exploitation of any compromised system very easy?
A. Public
B. Private
C. Shared
D. Root

115. Insecure direct object reference is a type of vulnerability where
the application does not verify if the user is authorized to access the
internal object via its name or key. Suppose a malicious user Rob
tries to get access to the account of a benign user Ned. Which of the
following requests best illustrates an attempt to exploit an insecure
direct object reference vulnerability?
A. "GET /restricted/goldtransfer?to=Rob&from=1 or 1=1'
HTTP/1.1 Host: westbank.com"
B. "GET /restricted/\r\n\%00account%00Ned%00access HTTP/1.1
Host: westbank.com"
C. "GET /restricted/accounts/?name=Ned HTTP/1.1 Host:
westbank.com"
D. "GET /restricted/ HTTP/1.1 Host: westbank.com"

116. A post-breach forensic investigation revealed that a known
vulnerability in Apache Struts was to blame for the Equifax data
breach that affected 143 million customers. A fix was available from
the software vendor for several months prior to the intrusion. This is
likely a failure in which of the following security processes?
A. Secure development lifecycle
B. Security awareness training
C. Vendor risk management
D. Patch management

117. Why is a penetration test considered to be more thorough than a
vulnerability scan?
A. Vulnerability scans only do host discovery and port scanning by
default.
B. A penetration test actively exploits vulnerabilities in the
targeted infrastructure, while a vulnerability scan does
not typically involve active exploitation.
C. It is not; a penetration test is often performed by an
automated tool, while a vulnerability scan requires active
engagement.
D. The tools used by penetration testers tend to have much more
comprehensive vulnerability databases.

118. On performing a risk assessment, you need to determine the
potential impacts when some of the critical business processes of
the company interrupt their service. What is the name of the process
by which you can determine those critical business processes?
A. Emergency Plan Response (EPR)
B. Business Impact Analysis (BIA)
C. Risk Mitigation
D. Disaster Recovery Planning (DRP)

119. You are the Network Admin, and you get a complaint that some of
the websites are no longer accessible. You try to ping the servers
and find them to be reachable. Then you type the IP address in the
browser and find it to be accessible. But they are not accessible
when you try using the URL. What may be the problem?
A. Traffic is Blocked on UDP Port 53
B. Traffic is Blocked on TCP Port 80
C. Traffic is Blocked on TCP Port 54
D. Traffic is Blocked on UDP Port 80

120. What type of a vulnerability/attack is it when the malicious person
forces the user’s browser to send an authenticated request to a
server?
A. Session hijacking
B. Server-side request forgery
C. Cross-site request forgery
D. Cross-site scripting

121. While using your bank’s online servicing you notice the following
string in the URL bar: `http://www.MyPersonalBank.com/account?
id=368940911028389&Damount=10980&Camount=21` You
observe that if you modify the Damount & Camount values and
submit the request, the data on the web page reflects the changes.
Which type of vulnerability is present on this site?
A. Cookie Tampering
B. SQL Injection
C. Web Parameter Tampering
D. XSS Reflection

122. Nicolas just found a vulnerability on a public-facing system that is
considered a zero-day vulnerability. He sent an email to the owner
of the public system describing the problem and how the owner can
protect themselves from that vulnerability. He also sent an email to
Microsoft informing them of the problem that their systems are
exposed to. What type of hacker is Nicolas?
A. Black hat
B. White hat
C. Gray hat
D. Red hat

123. During a recent security assessment, you discover the
organization has one Domain Name Server (DNS) in a Demilitarized
Zone (DMZ) and a second DNS server on the internal network. What
is this type of DNS configuration commonly called?
A. DynDNS
B. DNS Scheme
C. DNSSEC
D. Split DNS

124. John, a security analyst working for an organization, found a
critical vulnerability on the organization’s LAN that allows him to
view financial and personal information about the rest of the
employees. Before reporting the vulnerability, he examines the
information shown by the vulnerability for two days without
disclosing any information to third parties or other internal
employees. He does so out of curiosity about the other employees
and may take advantage of this information later. What would John
be considered as?
A. Cybercriminal
B. White hat
C. Gray hat
D. Black hat

125. John, a disgruntled ex-employee of an organization, contacted a
professional hacker to exploit the organization. In the attack
process, the professional hacker installed a scanner on a machine
belonging to one of the victims and scanned several machines on
the same network to identify vulnerabilities to perform further
exploitation. What is the type of vulnerability assessment tool
employed by John in the above scenario?
A. Agent-based scanner
B. Network-based scanner
C. Cluster scanner
D. Proxy scanner

126. A newly joined employee, Janet, has been allocated an existing
system used by a previous employee. Before issuing the system to
Janet, it was assessed by Martin, the administrator. Martin found that
there were possibilities of compromise through user directories,
registries, and other system parameters. He also identified
vulnerabilities such as native configuration tables, incorrect registry
or file permissions, and software configuration errors. What is the
type of vulnerability assessment performed by Martin?
A. Database assessment
B. Host-based assessment
C. Credentialed assessment
D. Distributed assessment

127. Attacker Simon targeted the communication network of an
organization and disabled the security controls of NetNTLMv1 by
modifying the values of LMCompatibilityLevel, NTLMMinClientSec,
and RestrictSendingNTLMTraffic. He then extracted all the non-
network logon tokens from all the active processes to masquerade
as a legitimate user to launch further attacks. What is the type of
attack performed by Simon?
A. Combinator attack
B. Dictionary attack
C. Rainbow table attack
D. Internal monologue attack

128. David is a security professional working in an organization, and he
is implementing a vulnerability management program in the
organization to evaluate and control the risks and vulnerabilities in
its IT infrastructure. He is currently executing the process of
applying fixes on vulnerable systems to reduce the impact and
severity of vulnerabilities. Which phase of the vulnerability-
management life cycle is David currently in?
A. Remediation
B. Verification
C. Risk assessment
D. Vulnerability scan

129. Morris, a professional hacker, performed a vulnerability scan on a
target organization by sniffing the traffic on the network to identify
the active systems, network services, applications, and
vulnerabilities. He also obtained the list of the users who are
currently accessing the network. What is the type of vulnerability
assessment that Morris performed on the target organization?
A. Credentialed assessment
B. Internal assessment
C. External assessment
D. Passive assessment

Given below are different steps involved in the vulnerability-
management life cycle.

1) Remediation
2) Identify assets and create a baseline
3) Verification
4) Monitor
5) Vulnerability scan
6) Risk assessment

Identify the correct sequence of steps involved in vulnerability
management.

A. 2 → 5 → 6 → 1 → 3 → 4
B. 2 → 4 → 5 → 3 → 6 → 1
C. 2 → 1 → 5 → 6 → 4 → 3
D. 1 → 2 → 3 → 4 → 5 → 6
130. Which of the following is a component of a risk assessment?
A. Administrative safeguards
B. Physical security
C. DMZ
D. Logical interface
