ECCouncil 312-50v13 Certified Ethical Hacker v13 Exam Dumps and Practice Test Questions Set 7 Q121-140
Question 121
Which reconnaissance technique gathers exposed information about a target by analyzing publicly available metadata from files?
A) Metadata extraction
B) Port scanning
C) DNS zone transfer
D) Banner grabbing
Answer: A) Metadata extraction
Explanation:
Metadata extraction is a reconnaissance method where attackers analyze publicly available documents, images, PDFs, spreadsheets, or presentations to gather hidden details embedded within their metadata. These details may include usernames, software versions, internal IP addresses, organizational structures, timestamps, GPS locations, and revision history. Metadata extraction helps attackers build profiles and identify potential attack vectors without directly interacting with the target’s systems. Because metadata is often overlooked, organizations may unintentionally expose sensitive operational details. Tools like ExifTool, FOCA, and online metadata viewers make extraction simple, enabling attackers to gather intelligence efficiently. Metadata extraction plays a vital role in the early phase of ethical hacking, helping assess the risk surface before active probing occurs.
Port scanning identifies open ports and services on a host using tools like Nmap. While essential for network recon, it does not analyze information hidden within public files. Port scanning is active reconnaissance, whereas metadata extraction is passive.
DNS zone transfer retrieves DNS records from authoritative servers but relies on misconfigured DNS settings. It reveals subdomains and hostnames but not metadata inside documents. This is a specific DNS-focused technique and does not apply to document analysis.
Banner grabbing collects version information from services or applications by connecting to open ports and reading response banners. Although useful for identifying vulnerabilities, it requires interaction with remote systems and is not focused on metadata inside files.
The correct answer is metadata extraction because it uniquely targets the hidden information embedded in publicly accessible documents. Port scanning, DNS zone transfer, and banner grabbing do not extract metadata from files and therefore do not match the described technique.
Question 122
Which attack abuses the trust a browser has in a previously authenticated session to perform unwanted actions?
A) Cross-site request forgery
B) Rootkit installation
C) SQL injection
D) Keylogging
Answer: A) Cross-site request forgery
Explanation:
Cross-site request forgery (CSRF) forces a victim’s browser to submit a request to a site where the user is already authenticated, so that the site performs an action the user never intended, such as a funds transfer, a password or e-mail address change, or an account modification. The attacker hosts the trigger on a page they control (an auto-submitting form, an image tag, a crafted link) and lures the victim to it. Because the browser automatically attaches the target site’s cookies (and any HTTP Basic or NTLM credentials) to the cross-site request, the server cannot tell it apart from one the user initiated. The attack works only when every parameter of the request is predictable by the attacker, and it does not require the attacker to read the response. CSRF exploits that ambient trust together with weak or absent request validation. Prevention includes per-session synchronizer tokens or signed double-submit cookies, the SameSite cookie attribute (Lax or Strict), checking the Origin or Referer header on state-changing requests, never performing state changes in response to GET, and re-authentication for sensitive actions.
Rootkit installation hides malicious processes or files on a compromised system. It maintains persistence and stealth but does not rely on browser trust or authenticated sessions. It operates at the system level, not the browser or web application layer.
SQL injection manipulates backend database queries via improper input handling. It affects server-side logic and data rather than authenticated browser actions. SQL injection cannot exploit preexisting browser sessions in the same way CSRF does.
Keylogging captures keystrokes to record passwords, logins, or sensitive data. While it may compromise credentials, it does not hijack authenticated browser sessions or force unauthorized actions using existing trust.
The correct answer is cross-site request forgery because it specifically abuses authenticated browser sessions to execute unwanted actions. Rootkit installation, SQL injection, and keylogging operate in entirely different domains.
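As an added example (not code from the original explanation or from any framework), the Python below implements the server-side checks that defeat the attack described above: a synchronizer token bound to the session with an HMAC, compared in constant time, plus an Origin/Referer check and a refusal to act on GET. The session identifier, site origin, and secret are assumed values for illustration.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlsplit

# Hypothetical server-side secret; in a real deployment load it from configuration or a KMS.
SERVER_SECRET = b"rotate-me-from-config"

def issue_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Synchronizer token bound to one session: nonce || HMAC(secret, session_id:nonce).
    Embedded in forms as a hidden field; an attacker's page cannot read or forge it."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"

def token_is_valid(token: str, session_id: str, secret: bytes = SERVER_SECRET) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)

def check_state_changing_request(method: str, headers: dict, form: dict,
                                 session_id: str, site_origin: str):
    """Return None if the request may proceed, otherwise the reason it is rejected."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return "state-changing actions must not be reachable via GET"
    # Defence 1: the request must come from our own origin. Browsers set Origin on
    # cross-site POSTs and do not let page script override it; fall back to Referer.
    origin = headers.get("Origin")
    if origin is None and headers.get("Referer"):
        parts = urlsplit(headers["Referer"])
        origin = f"{parts.scheme}://{parts.netloc}"
    if origin != site_origin:
        return f"origin mismatch: {origin!r}"
    # Defence 2: the per-session token must be present and valid.
    if not token_is_valid(form.get("csrf_token", ""), session_id):
        return "missing or invalid CSRF token"
    return None

if __name__ == "__main__":
    sid = "sess-7f3a"                      # assumed session identifier
    tok = issue_csrf_token(sid)
    print("legit:", check_state_changing_request(
        "POST", {"Origin": "https://bank.example"}, {"csrf_token": tok, "to": "acct-9"},
        sid, "https://bank.example"))
    print("forged:", check_state_changing_request(
        "POST", {"Origin": "https://evil.example"}, {"to": "acct-9"},
        sid, "https://bank.example"))
```

The two defences are layered on purpose: the token alone is enough when it is validated correctly, but the origin check catches the common implementation mistake of only testing that some token is present. Marking the session cookie `SameSite=Lax` (or `Strict`) adds a third, browser-enforced layer that keeps the cookie off cross-site POSTs entirely.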
Question 123
Which type of malware disguises itself as legitimate software while performing harmful actions in the background?
A) Trojan
B) Worm
C) Logic bomb
D) Bot
Answer: A) Trojan
Explanation:
A Trojan is malware that appears to be legitimate software but secretly performs harmful or unauthorized actions, such as installing backdoors, exfiltrating data, or granting remote control to attackers. Unlike worms or viruses, Trojans do not self-replicate but rely on users to install or execute them. Attackers use social engineering and misleading appearances to convince victims to trust the software. Trojans can take many forms: remote access Trojans, password stealers, droppers, and banking Trojans. They often run silently to avoid detection while granting persistent attacker control.
Worms are self-replicating malware that spread automatically across networks without user interaction. While harmful, worms do not disguise themselves as legitimate programs and instead rely on exploiting vulnerabilities to propagate.
Logic bombs are pieces of code triggered by specific conditions such as dates, system events, or user actions. They do not masquerade as legitimate software and are typically placed intentionally inside existing systems.
Bots are compromised machines controlled remotely in a botnet. Bot malware may arrive through a Trojan, but bots themselves are defined by remote control capability, not by disguising themselves as legitimate programs.
The correct answer is Trojan because it uniquely disguises itself as legitimate software to trick users, unlike worms, logic bombs, or bots.
Question 124
Which attack deliberately slows down server responses by sending HTTP requests one header at a time?
A) Slow HTTP header attack
B) Ping flood
C) DNS tunneling
D) ARP poisoning
Answer: A) Slow HTTP header attack
Explanation:
A slow HTTP header attack opens many connections and sends each request extremely slowly, one partial header line at a time, never sending the blank line that terminates the header block. The server keeps every connection open waiting for the rest of the request, so on thread- or process-per-connection servers (Apache prefork is the classic case) the worker pool fills and legitimate clients are turned away. The attack exploits generous header read timeouts rather than any protocol flaw, needs only a few kilobits per second of bandwidth, and is hard to spot in volume-based monitoring because each connection on its own looks like a slow but valid client. Slowloris is the best-known implementation; the same idea applied to request bodies is the slow POST (R.U.D.Y.) variant. Mitigations include enforcing header read timeouts and a minimum data rate (Apache mod_reqtimeout, nginx client_header_timeout), capping concurrent connections per source IP, fronting the origin with an event-driven reverse proxy or CDN that buffers complete requests, and alerting on many long-lived connections with incomplete requests.
Ping flood overwhelms a target with ICMP echo requests. It saturates network bandwidth rather than manipulating HTTP headers or server connections. This attack focuses on network-level exhaustion, not application-layer request handling.
DNS tunneling encodes arbitrary data into DNS queries to bypass firewalls. It is used for data exfiltration or covert communication and is unrelated to HTTP request throttling or server slowdown.
ARP poisoning manipulates ARP tables on a LAN to intercept or redirect traffic. It does not involve HTTP request timing or server-level DoS attacks.
The correct answer is slow HTTP header attack because it specifically sends partial headers slowly to exhaust server resources, unlike ping floods, DNS tunneling, or ARP poisoning.
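The Python below is an added example, not part of the original explanation or of any web server’s code. It models the mitigation named above as a small simulation: the policy Apache’s mod_reqtimeout expresses as `RequestReadTimeout header=20-40,MinRate=500` (20 seconds to finish the headers, each received byte buying 1/500 s more, never beyond 40 seconds), applied to constructed connection events that mimic one normal client and two Slowloris-style clients. Connection names and timings are invented.

```python
from dataclasses import dataclass

@dataclass
class Conn:
    start: float
    deadline: float
    max_deadline: float
    buf: bytes = b""
    complete: bool = False

class HeaderReadGuard:
    """Header-read policy in the style of mod_reqtimeout 'header=<init>-<max>,MinRate=<n>':
    a connection gets `initial` seconds to finish its request headers; every byte received
    extends the deadline by 1/min_rate seconds, capped at `maximum` seconds after connect."""

    def __init__(self, initial: float = 20.0, maximum: float = 40.0, min_rate: int = 500):
        self.initial, self.maximum, self.min_rate = initial, maximum, min_rate
        self.conns: dict[str, Conn] = {}

    def open(self, cid: str, now: float) -> None:
        self.conns[cid] = Conn(now, now + self.initial, now + self.maximum)

    def receive(self, cid: str, now: float, data: bytes) -> None:
        c = self.conns[cid]
        if c.complete:
            return
        c.buf += data
        c.deadline = min(c.deadline + len(data) / self.min_rate, c.max_deadline)
        if b"\r\n\r\n" in c.buf:          # blank line: header block finished
            c.complete = True

    def sweep(self, now: float) -> list:
        """Close and report connections whose headers are still incomplete past their deadline."""
        stale = [cid for cid, c in self.conns.items() if not c.complete and now > c.deadline]
        for cid in stale:
            del self.conns[cid]
        return stale

def simulate() -> list:
    """Constructed timeline: one normal client, two Slowloris-style clients that trickle
    one bogus header line every 10 seconds and never send the terminating blank line."""
    g = HeaderReadGuard()
    g.open("legit", 0.0)
    g.receive("legit", 0.1, b"GET / HTTP/1.1\r\nHost: www.example\r\nUser-Agent: x\r\n\r\n")
    for cid in ("slow1", "slow2"):
        g.open(cid, 0.0)
        g.receive(cid, 0.0, b"GET / HTTP/1.1\r\nHost: www.example\r\n")
        for t in (10.0, 20.0):
            g.receive(cid, t, b"X-a: b\r\n")
    return g.sweep(25.0)

if __name__ == "__main__":
    print("connections dropped at t=25s:", simulate())
```

The minimum-rate rule is what separates this from a plain timeout: a client that really is on a slow link but keeps sending bytes earns more time (up to the cap), while a Slowloris client that sends a few bytes every ten seconds does not. nginx achieves the same with `client_header_timeout`, and its event-driven model means a stalled connection costs memory rather than a worker.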
Question 125
Which technique is used to gather information about running services and their versions on a remote host?
A) Banner grabbing
B) Social engineering
C) Wi-Fi deauthentication
D) SQL injection
Answer: A) Banner grabbing
Explanation:
Banner grabbing is a reconnaissance technique used to collect information about running services, their versions, and configuration details on a remote system. When a network service such as HTTP, FTP, SMTP, SSH, or Telnet accepts a connection, it often announces itself with a banner: the SSH version string, the SMTP 220 greeting, the FTP welcome line, or the Server header in an HTTP response. That banner can reveal the software name, version number, and sometimes the operating system or hosting platform, all of which help attackers and penetration testers shortlist candidate vulnerabilities, outdated software, or misconfigurations. Tools such as Netcat, Nmap (with -sV or the banner NSE script), Telnet, and dedicated scanners connect to open ports and read the response, and simple scripts can sweep banners across a whole network. Two caveats matter in practice. Banners are advisory: administrators can strip or falsify them (ServerTokens Prod in Apache, a custom SSH Banner, a rewritten SMTP greeting), so a banner is a hint to confirm with behaviour-based fingerprinting rather than proof of a version. And unlike passive OSINT, banner grabbing touches the target and is logged by it, so it belongs to the active reconnaissance phase. Used with authorization, banner information lets ethical hackers build an attack surface map, prioritize which services need patching or further investigation, and simulate real-world attacks so that organizations can remediate weaknesses before malicious actors exploit them.
Social engineering, option B, is a human-centric technique that relies on manipulating people to disclose sensitive information, credentials, or access details. Although social engineering can be highly effective in gathering information, it does not interact with network services to retrieve technical metadata such as service names or versions. It is primarily focused on psychological manipulation rather than technical reconnaissance.
Wi-Fi deauthentication, option C, involves sending spoofed deauthentication frames to wireless clients, forcing them to disconnect from access points. This attack is commonly used to capture WPA/WPA2 handshakes or disrupt network connectivity. While impactful for wireless attacks, it does not provide information about running services or software versions on remote hosts.
SQL injection, option D, targets web applications with improperly validated input fields to manipulate backend databases. It can extract sensitive data, modify records, or escalate privileges. However, SQL injection is an active exploitation technique and is not intended for passive discovery of running services or their version information.
The correct answer is banner grabbing, as it is the only technique among the options that allows an attacker or tester to retrieve service identification and version information. By collecting and analyzing banners, one can accurately determine potential vulnerabilities and understand the network or system footprint, making it an essential step in the reconnaissance phase of ethical hacking or penetration testing.
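The Python below is an added example, not from the original explanation or from Nmap or Netcat. It does the two halves of banner grabbing: a `grab_banner()` function that connects and reads what the service says first (optionally after a probe such as an HTTP HEAD), and a `parse_banner()` function that pulls service, product, and version out of the common banner shapes. The sample banners are constructed strings; no network is needed to run the parser.

```python
import re
import socket

def grab_banner(host: str, port: int, timeout: float = 3.0, probe: bytes = b"") -> bytes:
    """Connect, optionally send a probe (e.g. b'HEAD / HTTP/1.0\\r\\n\\r\\n'), return the first bytes back.
    SSH/FTP/SMTP talk first; HTTP needs a probe. This touches the target and will be logged."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            return s.recv(1024)
        except socket.timeout:
            return b""

# Patterns for common banner shapes; each yields (service, product, version).
BANNER_PATTERNS = [
    ("ssh",  re.compile(rb"^SSH-(?P<proto>[\d.]+)-(?P<product>[A-Za-z]+)[_-]?(?P<version>[\w.]+)?")),
    ("smtp", re.compile(rb"^220[ -](?P<host>\S+)\s+(?:ESMTP|SMTP)\s+(?P<product>\w+)?\s*(?P<version>[\d.]+)?")),
    ("ftp",  re.compile(rb"^220[ -].*?(?P<product>vsFTPd|ProFTPD|FileZilla Server|Pure-FTPd)\s*v?(?P<version>[\d.]+)?", re.I)),
    ("http", re.compile(rb"^HTTP/[\d.]+ \d{3}.*?\r\nServer: (?P<product>[^/\r\n]+)/?(?P<version>[\w.]+)?", re.S)),
]

def parse_banner(raw: bytes) -> dict:
    """Classify a banner and extract product/version; unknown shapes are reported as such."""
    for service, pat in BANNER_PATTERNS:
        m = pat.match(raw)
        if m:
            g = m.groupdict()
            return {
                "service": service,
                "product": (g.get("product") or b"").decode(errors="replace").strip(),
                "version": (g.get("version") or b"").decode(errors="replace").strip(),
            }
    return {"service": "unknown", "product": "", "version": ""}

# Constructed sample banners in the shapes real services emit.
SAMPLE_BANNERS = [
    b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n",
    b"220 mail.example.com ESMTP Postfix\r\n",
    b"220 (vsFTPd 3.0.3)\r\n",
    b"HTTP/1.1 200 OK\r\nDate: Tue, 01 Jan 2030 00:00:00 GMT\r\nServer: Apache/2.4.41 (Ubuntu)\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n",   # version stripped: banner hides it, treat as unknown
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(parse_banner(b))
    # Live use (requires authorization): parse_banner(grab_banner("target", 22))
```

The last sample shows the caveat from the explanation: a hardened nginx or an Apache with `ServerTokens Prod` gives you the product but no version, and an administrator can change the string to anything. Treat the parsed version as a lead to confirm with behavioural fingerprinting (for example `nmap -sV`) before reporting it.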
Question 126
Which attack involves sending unsolicited and often malicious advertisements through Bluetooth?
A) Bluejacking
B) Bluesnarfing
C) BlueBugging
D) BlueBorne
Answer: A) Bluejacking
Explanation:
Bluejacking is a Bluetooth-based attack in which an attacker sends unsolicited messages, often advertisements, random notes, or social engineering content, to nearby Bluetooth-enabled devices. The typical payload is a vCard, text note, or contact entry. Bluejacking relies on Bluetooth device discovery and the Object Push Profile (OPP), which runs over OBEX and on some devices accepts a pushed vCard or note without pairing or user authentication. Although the attack is generally considered harmless because it does not grant access to data or system functions, it can serve as a stepping stone for social engineering: attackers may use it to lure users into opening harmful links, responding to deceptive messages, or lowering their security awareness. Bluejacking also highlights the risk of leaving Bluetooth permanently enabled or in discoverable mode, especially in crowded public places.
Bluesnarfing, on the other hand, is significantly more dangerous because it involves unauthorized access to a victim’s private data. Attackers exploit vulnerabilities allowing them to download contacts, messages, calendars, or files from a Bluetooth device without the user’s knowledge. Unlike Bluejacking, which only pushes messages outward, Bluesnarfing pulls sensitive data inward to the attacker, making it a form of data theft rather than simple message sending.
BlueBugging escalates the threat even further by enabling attackers to gain remote control of a victim’s phone. This attack can allow unauthorized calls, message sending, call forwarding, phonebook manipulation, and even deeper system compromise depending on device vulnerabilities. BlueBugging is fundamentally about privilege escalation and unauthorized control, making it far more severe than Bluejacking.
BlueBorne refers to a set of vulnerabilities that enable attackers to compromise devices through Bluetooth without pairing or user interaction. It allows remote code execution, device takeover, and propagation similar to worms. BlueBorne does not involve sending unsolicited messages; rather, it focuses on exploiting protocol-level weaknesses.
Thus, the correct answer is Bluejacking because it specifically involves sending unsolicited Bluetooth messages, unlike the other attacks which focus on unauthorized access, device control, or system compromise.
Question 127
Which tool is commonly used for wireless network auditing and packet capture on Wi-Fi networks?
A) Aircrack-ng
B) Metasploit
C) Burp Suite
D) John the Ripper
Answer: A) Aircrack-ng
Explanation:
Aircrack-ng is a suite of wireless auditing tools for assessing the security of 802.11 networks. Its components divide the work: airmon-ng puts a supported adapter into monitor mode, airodump-ng captures and catalogues wireless traffic (access points, clients, channels, and the encryption in use), aireplay-ng injects frames, including deauthentication frames that force clients to reconnect so a WPA/WPA2 four-way handshake can be captured, and aircrack-ng recovers keys from the captures: statistically from collected IVs in the case of WEP, and by dictionary or brute-force attack against the captured handshake for WPA/WPA2-PSK (WPA3’s SAE handshake is designed to resist this offline attack). Ethical hackers rely on the suite to evaluate encryption strength, identify misconfigured access points, test passphrase robustness, and observe wireless device behaviour. It is widely used in penetration testing because of its compatibility with monitor-mode adapters, its modular design, and its focus on 802.11 assessment. Monitor mode and injection require root privileges and a supported chipset and, like all attack tooling, written authorization for the networks being tested; with those in place it remains the de facto standard for Wi-Fi auditing.
Metasploit, by contrast, is a broad exploitation framework designed for delivering and managing payloads across endpoints, servers, and applications. It is not a wireless-specific toolkit, nor does it capture Wi-Fi packets or attack wireless encryption.
Burp Suite is specialized for web application security testing. It focuses on HTTP/S interception, API scanning, client-side vulnerability analysis, and web traffic manipulation. It has no functionality related to Wi-Fi frames, radio frequency monitoring, or wireless encryption.
John the Ripper targets password hash cracking in offline environments. It is valuable for credential recovery and hash analysis but plays no role in wireless packet capture or auditing.
Thus, Aircrack-ng is the correct answer because it is purpose-built for wireless security auditing, unlike the other tools which belong to entirely different domains.
Question 128
Which malware activates only when specific conditions such as dates or events occur?
A) Logic bomb
B) Worm
C) Trojan
D) Spyware
Answer: A) Logic bomb
Explanation:
A logic bomb is a form of hidden malicious code that remains dormant inside a system until a predetermined condition triggers its activation. These conditions may include system dates (such as holidays or anniversaries), specific times, user login activities, execution of certain programs, detection of particular files, or even termination of an employee’s user account. Logic bombs are frequently associated with sabotage cases involving disgruntled insiders who embed the code into legitimate software or scripts they maintain. Once triggered, a logic bomb may delete files, corrupt databases, disable system functions, encrypt data, or cause operational failure. Because the malicious code integrates into normal processes and remains inactive for long periods, detection is difficult. Logic bombs rely on conditional statements inside the malicious code—”if this event, then execute this payload”—making them uniquely dependent on logical triggers.
A worm, by contrast, is a self-replicating malicious program that spreads autonomously across networks. Worms do not wait for conditional triggers; they propagate continuously and aggressively.
A Trojan disguises itself as legitimate software to trick a user into executing it. Although Trojans may contain logic-bomb-like triggers, they are primarily defined by deception and user-initiated activation rather than conditional execution.
Spyware passively collects user information, tracks browsing activities, logs keystrokes, or monitors behavior. It typically operates continuously once installed and does not wait for a specific triggering condition.
Therefore, the correct answer is logic bomb, as it is the only malware type designed specifically to activate under defined conditions.
Question 129
Which type of testing involves assessing a system without any prior knowledge of internal architecture?
A) Black-box testing
B) White-box testing
C) Gray-box testing
D) Stress testing
Answer: A) Black-box testing
Explanation:
Black-box testing is a methodology in which testers evaluate a system solely through its external interfaces without any access to internal architecture, source code, or operational logic. This approach simulates the perspective of an external attacker who begins with zero internal knowledge. Testers focus on input-output behavior, response patterns, error messages, system functionalities, and exposed attack surfaces. In security contexts, black-box testing includes techniques such as port scanning, banner grabbing, vulnerability probing, network enumeration, web application fuzzing, login brute-forcing, and behavior-based assessments. Because testers do not rely on inside information, black-box testing closely approximates real-world threat scenarios and provides valuable insight into what an outsider can discover or exploit. It also highlights externally visible weaknesses that an organization may have overlooked.
White-box testing contrasts sharply with this approach because it provides full internal transparency. Testers receive source code, architecture diagrams, configuration details, credentials, and documentation. This deep access enables code review, static analysis, and thorough logic-based testing, but it is fundamentally different from black-box assessment.
Gray-box testing blends both approaches by giving testers partial knowledge, such as limited documentation or low-privilege credentials. It offers a balance between realism and depth but does not reflect a fully external attacker’s perspective.
Stress testing focuses on performance evaluation under heavy load. It aims to identify scalability limits, resource exhaustion points, and failure thresholds. It is not a security assessment and does not involve varying levels of system knowledge.
For these reasons, black-box testing is the correct answer because it uniquely requires no internal information whatsoever.
Question 130
Which wireless attack forces a device to disconnect from an access point by sending spoofed frames?
A) Deauthentication attack
B) Evil twin attack
C) WEP cracking
D) MAC spoofing
Answer: A) Deauthentication attack
Explanation:
A deauthentication attack targets Wi-Fi networks by sending spoofed deauthentication or disassociation management frames to clients or access points. These frames exploit a weakness in the 802.11 protocol in which management frames—historically—were neither encrypted nor authenticated. By forging deauth frames that appear to originate from the legitimate access point, the attacker forces connected devices to disconnect. This disruption is frequently used during penetration tests to capture WPA/WPA2 handshakes as clients reconnect, which enables offline password-cracking attempts. Tools like aireplay-ng automate this process by repeatedly sending crafted frames until the victim device drops its connection. While modern standards such as 802.11w (Protected Management Frames) help mitigate this attack by authenticating management frames, many networks still lack proper support, making the attack feasible in many environments.
An evil twin attack sets up a rogue access point that mimics a legitimate one to trick users into connecting. Although attackers often combine deauthentication attacks with evil twin setups to force users onto the rogue AP, the core mechanism of evil twin attacks is impersonation and credential harvesting, not disconnection through spoofed frames.
WEP cracking focuses on exploiting weaknesses in WEP encryption by analyzing initialization vectors, gathering enough packets, and recovering the key. It does not involve forcibly disconnecting clients.
MAC spoofing involves altering a device’s MAC address to impersonate another device, evade filters, or bypass MAC-based restrictions. It does not inherently cause disconnections.
Thus, the correct answer is deauthentication attack because it directly uses spoofed frames to force devices offline, unlike the other security techniques listed.
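The Python below is an added example, not part of the original explanation and not code from Aircrack-ng. It builds and parses 802.11 deauthentication and disassociation frames to make the weakness concrete (the frame is 26 bytes of unauthenticated fields, so anyone who can transmit on the channel can forge one) and then runs the detection a wireless IDS would apply to a capture: counting deauth frames per BSSID in a sliding window. The capture is constructed; the MAC addresses are invented, and reason code 7 (class 3 frame received from nonassociated station) is simply the sample value used for the forged burst.

```python
import struct
from collections import defaultdict

# First byte of the 802.11 frame control field: subtype in the high nibble, type in bits 2-3.
FC0_DEAUTH = 0xC0     # type 0 (management), subtype 12
FC0_DISASSOC = 0xA0   # type 0 (management), subtype 10

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def build_mgmt_frame(fc0: int, dst: str, src: str, bssid: str, seq: int, reason: int) -> bytes:
    """Deauth/disassoc frame: FC(2) duration(2) addr1 addr2 addr3 seqctl(2) reason(2).
    Without 802.11w nothing here is authenticated, so a forged frame with the AP's address
    in addr2/addr3 is indistinguishable from the real thing to the client."""
    fc = bytes([fc0, 0x00])
    duration = struct.pack("<H", 0x013A)
    seqctl = struct.pack("<H", (seq & 0x0FFF) << 4)   # fragment number 0 in the low 4 bits
    return (fc + duration + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
            + seqctl + struct.pack("<H", reason))

def parse_mgmt_frame(frame: bytes):
    """Return a dict for deauth/disassoc frames, None for anything else."""
    if len(frame) < 26:
        return None
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 0 or subtype not in (10, 12):
        return None
    seq = struct.unpack("<H", frame[22:24])[0] >> 4
    reason = struct.unpack("<H", frame[24:26])[0]
    return {"kind": "deauth" if subtype == 12 else "disassoc",
            "dst": mac_str(frame[4:10]), "src": mac_str(frame[10:16]),
            "bssid": mac_str(frame[16:22]), "seq": seq, "reason": reason}

def detect_deauth_flood(timed_frames, window: float = 1.0, threshold: int = 10) -> dict:
    """timed_frames: iterable of (timestamp_seconds, raw_frame). Returns {bssid: peak count}
    for every BSSID that sourced >= threshold deauth/disassoc frames within any `window` seconds."""
    by_bssid = defaultdict(list)
    for ts, raw in timed_frames:
        p = parse_mgmt_frame(raw)
        if p:
            by_bssid[p["bssid"]].append(ts)
    alerts = {}
    for bssid, times in by_bssid.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                alerts[bssid] = max(alerts.get(bssid, 0), hi - lo + 1)
    return alerts

AP, OTHER_AP, CLIENT = "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02", "12:34:56:78:9a:bc"  # invented

def build_sample_capture() -> list:
    """Constructed capture: a forged burst (64 deauths in ~1.3 s, attacker's own sequence counter)
    against CLIENT, plus three legitimate deauths from another AP spread over a minute."""
    frames = [(i * 0.02, build_mgmt_frame(FC0_DEAUTH, CLIENT, AP, AP, 100 + i, 7)) for i in range(64)]
    for t, seq in ((0.0, 3010), (30.0, 3350), (60.0, 3702)):
        frames.append((t, build_mgmt_frame(FC0_DEAUTH, CLIENT, OTHER_AP, OTHER_AP, seq, 3)))
    return frames

if __name__ == "__main__":
    print(detect_deauth_flood(build_sample_capture()))
```

Rate alone is a coarse signal; production WIDS also compares the sequence numbers in the forged frames with those the real AP is emitting, since an attacker’s counter will not line up. The durable fix is on the defensive side: enabling 802.11w (Protected Management Frames), which WPA3 requires and WPA2 networks can turn on, makes the client discard a deauth whose integrity check it cannot verify.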
Question 131
Which enumeration technique retrieves usernames, shares, and services from a Windows system using NetBIOS?
A) NetBIOS enumeration
B) SNMP enumeration
C) SMTP enumeration
D) SSH enumeration
Answer: A) NetBIOS enumeration
Explanation:
NetBIOS enumeration is a technique used to gather detailed information about Windows systems by querying the NetBIOS protocol, which handles name resolution and session services in older and some modern Windows environments. Through NetBIOS enumeration, an attacker or penetration tester can retrieve usernames, open shares, workgroup or domain names, active sessions, and the roles a Windows host plays. Tools like nbtscan, NBTEnum, enum4linux, and the built-in nbtstat -A command query the NetBIOS Name Service (UDP/137) for a host’s node status table, which lists every name it has registered together with a one-byte suffix that encodes the role: <00> for the hostname and, as a group name, the workgroup or domain; <03> for the messenger service and hence the logged-on user; <20> for the file server service; <1C> for domain controllers. A related step, the SMB null session (for example net use \\host\IPC$ "" /u:"" over TCP/139 or 445), can list shares, users, and password policy on hosts that still permit anonymous access. Because many legacy systems and improperly configured environments still expose these services, attackers can map shared folders, identify misconfigurations, and locate paths for lateral movement. This technique is especially useful during internal penetration testing, where devices reside on the same broadcast domain and NetBIOS traffic is visible. Even though Windows networks increasingly use SMB over TCP and Active Directory, NetBIOS enumeration remains relevant because of backward compatibility and systems that still answer queries; the defensive counterpart is to disable NetBIOS over TCP/IP where it is not needed, block UDP/137-138 and TCP/139 at network boundaries, and set RestrictAnonymous so that null sessions return nothing.
SNMP enumeration differs significantly, as it targets network devices such as routers, switches, and servers that expose a public or private community string. Through SNMP, attackers can retrieve system descriptions, routing tables, interface details, and configuration data, but it does not enumerate Windows user accounts or network shares.
SMTP enumeration focuses on mail servers and allows attackers to discover valid email addresses by using commands such as VRFY, EXPN, or RCPT TO. Although useful for preparing phishing attacks or credential harvesting, SMTP enumeration does not provide insight into Windows-based network resources.
SSH enumeration is centered around Secure Shell services, enabling attackers to gather server banners, supported algorithms, or brute-force login credentials. It is relevant to remote access security but does not provide Windows NetBIOS-specific data such as shares or usernames.
Therefore, the correct answer is NetBIOS enumeration, because it uniquely retrieves Windows-specific information such as share lists, usernames, and system identifiers, whereas SNMP, SMTP, and SSH enumeration each target different protocols and produce unrelated types of information.
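The Python below is an added example, not part of the original explanation or of nbtscan or nbtstat. It builds and parses the NetBIOS Node Status Response (RFC 1002, record type NBSTAT 0x21) that `nbtstat -A <ip>` elicits on UDP/137, and then reduces the name table to what a tester wants: hostname, domain or workgroup, logged-on users, whether the host serves files, and its MAC address. The response packet is constructed in code; the host, domain, user, and MAC are invented.

```python
import struct

NBSTAT_TYPE = 0x0021
# Meaning of the 16th byte (suffix) of a registered NetBIOS name.
SUFFIXES = {0x00: "workstation / workgroup", 0x03: "messenger (logged-on user)",
            0x1B: "domain master browser", 0x1C: "domain controllers",
            0x1D: "master browser", 0x1E: "browser elections", 0x20: "file server (SMB)"}

def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """RFC 1001 first-level encoding: 15 chars space-padded + suffix byte, each byte
    split into two nibbles and written as 'A'+nibble, wrapped as one 32-byte DNS label."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)
    return bytes([len(enc)]) + enc + b"\x00"

def build_node_status_response(txid: int, names: list, mac: str) -> bytes:
    """Constructed NBSTAT reply. names: [(name, suffix, is_group)]; RDATA is
    NUM_NAMES, then 18-byte entries (15-char name, suffix, 2-byte flags), then statistics."""
    rdata = bytes([len(names)])
    for name, suffix, is_group in names:
        flags = (0x8000 if is_group else 0) | 0x0400        # G (group) bit, ACT (active) bit
        rdata += name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix]) + struct.pack(">H", flags)
    rdata += bytes.fromhex(mac.replace(":", "")) + bytes(40)  # UNIT_ID (MAC) + rest of statistics
    hdr = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)     # response, authoritative, 1 answer
    rr = encode_netbios_name("*") + struct.pack(">HHIH", NBSTAT_TYPE, 1, 0, len(rdata))
    return hdr + rr + rdata

def parse_node_status_response(pkt: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000 or an != 1:
        raise ValueError("not a NetBIOS response with one answer")
    pos = 12
    while pkt[pos] != 0:                 # skip the encoded RR_NAME labels
        pos += 1 + pkt[pos]
    pos += 1
    rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", pkt[pos:pos + 10])
    pos += 10
    if rtype != NBSTAT_TYPE:
        raise ValueError(f"unexpected RR type {rtype:#x}")
    num, pos = pkt[pos], pos + 1
    entries = []
    for _ in range(num):
        raw, suffix = pkt[pos:pos + 15], pkt[pos + 15]
        nflags = struct.unpack(">H", pkt[pos + 16:pos + 18])[0]
        pos += 18
        entries.append({"name": raw.decode("ascii", "replace").rstrip(), "suffix": suffix,
                        "group": bool(nflags & 0x8000), "meaning": SUFFIXES.get(suffix, "other")})
    mac = ":".join(f"{b:02x}" for b in pkt[pos:pos + 6])
    return {"txid": txid, "names": entries, "mac": mac}

def summarize(parsed: dict) -> dict:
    """What the name table tells a tester about the host."""
    names = parsed["names"]
    host = next((n["name"] for n in names if n["suffix"] == 0x00 and not n["group"]), None)
    return {
        "hostname": host,
        "domain": next((n["name"] for n in names if n["suffix"] == 0x00 and n["group"]), None),
        "users": sorted({n["name"] for n in names if n["suffix"] == 0x03 and n["name"] != host}),
        "file_server": any(n["suffix"] == 0x20 for n in names),
        "domain_controller": any(n["suffix"] == 0x1C for n in names),
        "mac": parsed["mac"],
    }

# Constructed table in the shape a domain-joined workstation with a logged-on user registers.
SAMPLE_NAMES = [("WS042", 0x00, False), ("CORP", 0x00, True), ("WS042", 0x20, False),
                ("WS042", 0x03, False), ("JSMITH", 0x03, False), ("CORP", 0x1E, True)]

if __name__ == "__main__":
    pkt = build_node_status_response(0x1234, SAMPLE_NAMES, "00:0c:29:4a:11:22")
    print(summarize(parse_node_status_response(pkt)))
```

To run it against a live host (with authorization) you would send the encoded `*` query for type 0x21 to UDP/137 and feed the datagram to `parse_node_status_response()`; `nbtstat -A` and `nbtscan -v` print exactly this table. The `<03>` user entry and the `<1C>` domain-controller flag are the two fields that most often turn a name sweep into a target list.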
Question 132
Which attack redirects users to malicious IP addresses by altering DNS responses?
A) DNS spoofing
B) IP fragmentation
C) Watering hole attack
D) Buffer overflow
Answer: A) DNS spoofing
Explanation:
DNS spoofing, also referred to as DNS poisoning or DNS cache poisoning, is an attack in which an adversary manipulates DNS responses so that legitimate domain name queries resolve to malicious or attacker-controlled IP addresses. Since DNS acts as the foundational directory of the internet, users rely on it to locate websites, email servers, and online services. By injecting forged DNS replies or corrupting DNS cache entries, attackers deceive a system into redirecting a user away from an intended legitimate site to a fraudulent one. This can lead to credential theft, malware downloads, phishing attacks, or surveillance of sensitive communications. DNS spoofing can be executed at multiple levels — a local network attacker may intercept and forge DNS replies, a compromised DNS server may inject malicious entries, or a poorly secured caching resolver may accept forged responses due to weak transaction ID validation. Defenses include DNSSEC (DNS Security Extensions), source port randomization, proper cache protection, and secure recursive resolver configurations.
IP fragmentation refers to splitting IP packets into smaller segments to traverse networks with limited maximum transmission units (MTUs). Attackers may use fragmentation to bypass intrusion detection systems or firewalls, but it does not alter DNS behavior or redirect traffic.
A watering hole attack compromises a website commonly visited by targeted victims and injects malware into that site. This approach exploits user behavior but does not involve manipulating DNS responses.
Buffer overflow vulnerabilities occur when a program receives more data than allocated memory space, causing memory corruption and enabling arbitrary code execution. While dangerous, buffer overflow attacks do not manipulate domain resolution mechanisms.
Thus, the correct answer is DNS spoofing, because it specifically redirects users by altering DNS responses, unlike the other attacks which target different parts of network or application security.
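The Python below is an added example, not part of the original explanation or of any resolver’s code. It builds DNS query and response messages and implements the checks a stub or caching resolver must make before trusting a UDP reply: destination port matches the randomized source port, transaction ID matches, the question section is echoed exactly (which also enforces 0x20 case randomization if the query used it), and every record lies inside the zone the server is authoritative for (the bailiwick check). The forged replies are constructed; the names and addresses are documentation ranges.

```python
import struct

def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"

def decode_name(msg: bytes, pos: int):
    """Decode a possibly compressed name; return (name, position after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack(">H", msg[pos:pos + 2])[0] & 0x3FFF
            if not jumped:
                end = pos + 2
            pos, jumped = ptr, True
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels) + ".", (end if jumped else pos)

def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    hdr = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)           # RD set
    return hdr + encode_name(qname) + struct.pack(">HH", qtype, 1)

def build_response(txid: int, qname: str, answers: list, qtype: int = 1) -> bytes:
    """answers: [(owner_name, ipv4)] rendered as A records with TTL 300."""
    hdr = struct.pack(">HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)  # QR, RD, RA
    body = encode_name(qname) + struct.pack(">HH", qtype, 1)
    for owner, ip in answers:
        body += encode_name(owner) + struct.pack(">HHIH", 1, 1, 300, 4) + bytes(int(x) for x in ip.split("."))
    return hdr + body

def parse_message(msg: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    pos, questions, records = 12, [], []
    for _ in range(qd):
        name, pos = decode_name(msg, pos)
        qtype, qclass = struct.unpack(">HH", msg[pos:pos + 4]); pos += 4
        questions.append((name, qtype, qclass))
    for _ in range(an + ns + ar):
        name, pos = decode_name(msg, pos)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10]); pos += 10
        records.append((name, rtype, msg[pos:pos + rdlen])); pos += rdlen
    return {"txid": txid, "flags": flags, "questions": questions, "records": records}

def accept_reply(query: bytes, query_sport: int, reply: bytes, reply_dport: int, zone: str):
    """Return None to accept the reply, otherwise the reason the datagram is discarded."""
    q, r = parse_message(query), parse_message(reply)
    if reply_dport != query_sport:
        return "port mismatch"
    if r["txid"] != q["txid"]:
        return "transaction id mismatch"
    if not r["flags"] & 0x8000:
        return "not a response"
    if r["questions"] != q["questions"]:          # exact match, including 0x20 letter case
        return "question section does not match"
    for name, _, _ in r["records"]:               # bailiwick: nothing outside the zone we asked about
        if not name.lower().endswith(zone.lower()):
            return f"out-of-bailiwick record for {name}"
    return None

if __name__ == "__main__":
    q = build_query(0x2A3B, "www.example.com.")
    good = build_response(0x2A3B, "www.example.com.", [("www.example.com.", "203.0.113.10")])
    forged = build_response(0x1111, "www.example.com.", [("www.example.com.", "198.51.100.66")])
    print("legit :", accept_reply(q, 40713, good, 40713, "example.com."))
    print("forged:", accept_reply(q, 40713, forged, 40713, "example.com."))
```

These checks are what source-port and transaction-ID randomization protect: with both random, an off-path attacker must guess roughly 32 bits per poisoning attempt instead of 16. They are not a complete fix. The Kaminsky technique floods queries for random subdomains of the target zone so that an injected record for the zone itself stays in bailiwick, which is why resolvers should also validate DNSSEC signatures where the zone is signed.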
Question 133
Which security mechanism ensures data integrity by transforming data into a fixed-length output?
A) Hashing
B) Encryption
C) Steganography
D) Tokenization
Answer: A) Hashing
Explanation:
Hashing is a cryptographic process that transforms input data of any length into a fixed-length output known as a hash value or digest. Algorithms such as SHA-256 and SHA-3 (and older, now broken ones such as MD5 and SHA-1) take variable input, whether a file, password, or message, and produce a fixed-size output. The primary purpose of hashing is to support data integrity checks. Even a single-bit change in the input produces a completely different digest, so tampering is easy to detect when the correct digest is known. A cryptographic hash is a one-way function: given a digest, it is computationally infeasible to recover an input that produces it. Secure algorithms also resist collision attacks (finding two different inputs with the same digest) and second-preimage attacks (finding a different input with the digest of a given one); MD5 and SHA-1 fail the collision requirement and should not be used for integrity or signatures. Two caveats matter in practice. A bare digest published next to the data proves nothing against an attacker who can replace both, so integrity across a trust boundary needs an HMAC or a digital signature over the digest. And password storage needs a slow, salted key-derivation function (PBKDF2, bcrypt, scrypt, Argon2), not a plain hash, because a fast hash lets an attacker test billions of guesses per second against a leaked database.
Encryption differs fundamentally from hashing because it is reversible. Encryption transforms plaintext into ciphertext using keys, and authorized parties can decrypt it back into readable form. Its purpose is confidentiality, not integrity.
Steganography hides information within images, audio, or other media files, making the message’s existence difficult to detect. It serves concealment rather than integrity verification.
Tokenization replaces sensitive information, such as credit card numbers, with non-sensitive placeholders or tokens. Tokens preserve the format of original data for safe processing but do not produce fixed-length cryptographic outputs.
Thus, the correct answer is hashing, as it is the only option that produces fixed-length outputs designed to verify data integrity.
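The Python below is an added example, not from the original explanation; it uses only the standard library. It shows the fixed-length property (64 hex characters whatever the input size), the avalanche effect (two inputs differing in one character differ in roughly half of their digest bits), constant-time verification against a published digest, the keyed HMAC that adds origin to integrity, and the separate job of password storage with a salted PBKDF2. The sample inputs and the key are constructed.

```python
import hashlib
import hmac
import os

def sha256_hex(data: bytes) -> str:
    """Fixed 256-bit digest, 64 hex characters, regardless of input length."""
    return hashlib.sha256(data).hexdigest()

def differing_bits(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two digests; about half of 256 for unrelated inputs."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")

def verify_integrity(data: bytes, published_sha256: str) -> bool:
    """Recompute and compare in constant time so the comparison itself leaks nothing."""
    return hmac.compare_digest(sha256_hex(data), published_sha256.lower())

def tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256: integrity plus origin, since only a key holder can produce a valid tag.
    A bare digest shipped beside the file proves nothing if the attacker can replace both."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def hash_password(password: str, salt: bytes = None, iterations: int = 600_000):
    """Password storage is a different problem: salted, deliberately slow PBKDF2-HMAC-SHA256.
    Returns (salt, derived_key); store both together with the iteration count."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return salt, dk

def check_password(password: str, salt: bytes, stored: bytes, iterations: int = 600_000) -> bool:
    return hmac.compare_digest(hash_password(password, salt, iterations)[1], stored)

if __name__ == "__main__":
    a, b = b"transfer 100 to acct 42", b"transfer 100 to acct 43"   # constructed messages
    print(sha256_hex(a))
    print("bits changed by a one-character edit:", differing_bits(sha256_hex(a), sha256_hex(b)))
    print("tag with key k1:", tag(a, b"k1"))
```

The avalanche figure is what makes a digest useful as an integrity check: a defender comparing digests does not need to know how the file was altered, only that any alteration scrambles the output. The MAC and the password functions are there to mark the two common misuses of a plain hash that the explanation warns about.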
Question 134
Which attack involves exploiting vulnerabilities in XML input parsing to manipulate or extract sensitive data?
A) XML External Entity attack
B) Cross-site scripting
C) ARP spoofing
D) DDoS flood
Answer: A) XML External Entity attack
Explanation:
An XML External Entity (XXE) attack exploits insecure XML parsers that allow external entity references within XML documents. When an application processes user-supplied XML and external entity resolution is enabled, attackers can craft malicious XML payloads referencing local files, remote resources, or internal systems. This allows attackers to extract sensitive data such as configuration files, access tokens, or system credentials by tricking the parser into loading the referenced entities. In more advanced scenarios, XXE can enable server-side request forgery (SSRF), allowing attackers to pivot into internal networks or interact with restricted services. Some XXE payloads can also cause denial-of-service conditions by defining recursive entity expansions, leading to resource exhaustion. The vulnerability arises primarily when developers fail to disable external entity processing or use outdated insecure XML parsers. To mitigate XXE attacks, secure coding practices require disabling external entity resolution, using modern parsers with safe defaults, and validating or sanitizing user-supplied XML.
Cross-site scripting (XSS) involves injecting malicious scripts into web pages and targets client-side browsers, not XML parsing systems.
ARP spoofing manipulates LAN-level address resolution tables by associating a malicious MAC address with a legitimate IP address. It is unrelated to XML processing or entity resolution.
A DDoS flood overwhelms network or server resources with excessive traffic but does not exploit structured data parsing or XML vulnerabilities.
Therefore, the correct answer is XML External Entity attack, as it uniquely focuses on manipulating XML parsing mechanisms to access or exfiltrate sensitive information.
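The Python below is an added example, not part of the original explanation. The two payloads are constructed versions of the patterns the text describes (an external entity pointing at a local file, and recursive internal entities for resource exhaustion). The gate follows the mitigation the explanation gives: untrusted XML has no business carrying a DOCTYPE, so the code uses expat’s own DTD callbacks to classify the document and refuses anything with a DTD before any entity reference in the content can be expanded. The exposures in the wild are mostly Java, .NET, and PHP parsers with external entities left enabled; Python’s ElementTree does not resolve external entities but will expand internal ones, which is why the gate rejects both kinds.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed XXE payload: an external general entity that reads a local file.
XXE_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE order [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<order><id>&xxe;</id></order>"""

# Constructed entity-expansion payload (the "billion laughs" shape, kept tiny here).
BLOWUP_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>"""

BENIGN = b"""<?xml version="1.0"?><order><id>1001</id><sku>ABC-1</sku></order>"""

class UnsafeXML(ValueError):
    pass

class _DoctypeSeen(Exception):
    """Raised from a callback to stop expat at the end of the DTD, before content is parsed."""

def classify_xml(doc: bytes) -> str:
    """'clean' (no DOCTYPE), 'doctype' (internal DTD only), 'external' (SYSTEM/PUBLIC entity),
    or 'malformed'. Uses the parser's own view, so it is not fooled by encoding tricks."""
    seen = {"external": False}

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            seen["external"] = True

    def on_end_doctype():
        raise _DoctypeSeen

    p = expat.ParserCreate()
    p.EntityDeclHandler = on_entity
    p.EndDoctypeDeclHandler = on_end_doctype
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)   # never fetch external DTDs
    try:
        p.Parse(doc, True)
    except _DoctypeSeen:
        return "external" if seen["external"] else "doctype"
    except expat.ExpatError:
        return "malformed"
    return "clean"

def parse_untrusted(doc: bytes, max_bytes: int = 1_000_000) -> ET.Element:
    """Size cap, then refuse any DTD; only then hand the document to the real parser."""
    if len(doc) > max_bytes:
        raise UnsafeXML("document too large")
    kind = classify_xml(doc)
    if kind != "clean":
        raise UnsafeXML(f"rejected untrusted XML: {kind}")
    return ET.fromstring(doc)

def rejects(doc: bytes) -> bool:
    try:
        parse_untrusted(doc)
    except UnsafeXML:
        return True
    return False

if __name__ == "__main__":
    for label, doc in (("xxe", XXE_PAYLOAD), ("blowup", BLOWUP_PAYLOAD), ("benign", BENIGN)):
        print(label, classify_xml(doc), "rejected" if rejects(doc) else "accepted")
```

In a Java service the same policy is the `disallow-doctype-decl` feature on `DocumentBuilderFactory`; in .NET it is `DtdProcessing.Prohibit`. If an application genuinely needs a DTD from a trusted source, the narrower settings (disable external general and parameter entities, disable external DTD loading) apply instead, but refusing the DOCTYPE outright is the setting that removes the entire class of XXE and expansion bugs.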
Question 135
Which tool is primarily used for web application security testing, including request interception and scanning?
A) Burp Suite
B) Nmap
C) Wireshark
D) Cain and Abel
Answer: A) Burp Suite
Explanation:
Burp Suite is a comprehensive platform designed specifically for web application penetration testing. It acts as an intercepting proxy between the browser and the web server, letting testers inspect, modify, replay, and fuzz HTTP and HTTPS traffic. The Proxy captures live requests and responses (HTTPS is decrypted by installing Burp’s CA certificate in the browser); Repeater allows manual modification and replay of individual requests to probe behaviour; Intruder automates payload injection and fuzzing against chosen request positions; the crawler (formerly Spider) maps the application’s content and functionality; Decoder, Comparer, and Sequencer handle encoding, response diffing, and session-token randomness analysis; and the Scanner, in the Professional edition, identifies vulnerabilities such as SQL injection, XSS, CSRF, and server-side request forgery. Its extensibility through the BApp Store and custom extensions, together with its browser integration, make it a central instrument for application-layer assessment. It enables testers to analyze session handling, authentication flows, API endpoints, and server behaviour with precision, uncovering flaws that network-level tools cannot see.
Nmap is a powerful network scanning tool used for port scanning, service detection, OS identification, and network reconnaissance. While valuable during early penetration testing phases, it does not intercept or manipulate web application traffic.
Wireshark is a packet capture and analysis tool that operates at the network level. It decodes protocols and analyzes traffic flows, but it does not provide web vulnerability scanning or request tampering capabilities.
Cain and Abel is a Windows password recovery tool that combines sniffing, hash cracking, and cryptanalysis (and ARP poisoning for LAN interception). It is long unmaintained and was never designed for web application testing or HTTP request interception.
Therefore, the correct answer is Burp Suite, as it is purpose-built for web application assessment.
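The Repeater and Intruder steps described above, as an added example that is not part of the original question or of Burp Suite itself: a captured request with an Intruder-style payload marker is rebuilt once per payload, and Content-Length is recomputed from the encoded body, which is the detail that silently breaks hand-edited requests. The request, host name and field names are constructed for the example.

```python
"""Tamper with a captured HTTP request the way Burp's Repeater or Intruder
does: substitute a payload at the marked position and recompute
Content-Length so the modified body is parsed correctly by the server.
Added example; the request, host and field names are constructed."""
import re

# Constructed sample request. The §...§ markers mimic Intruder payload positions.
CAPTURED_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 22\r\n"
    "\r\n"
    "user=§alice§&pass=secret"
)

MARKER = re.compile("§([^§]*)§")


def split_request(raw):
    """Return (request line, header lines, body) from a raw HTTP/1.1 request."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    return lines[0], lines[1:], body


def set_header(headers, name, value):
    """Replace (or add) a header, case-insensitively, keeping the others."""
    kept = [h for h in headers if not h.lower().startswith(name.lower() + ":")]
    return kept + [f"{name}: {value}"]


def build_requests(raw, payloads):
    """Sniper-style attack: one request per payload, each substituted at the marker.
    Content-Length is recomputed on the UTF-8 encoded body, the step people
    forget when editing requests by hand."""
    request_line, headers, body = split_request(raw)
    out = []
    for payload in payloads:
        new_body = MARKER.sub(lambda _m: payload, body)
        new_headers = set_header(headers, "Content-Length",
                                 str(len(new_body.encode("utf-8"))))
        out.append("\r\n".join([request_line, *new_headers]) + "\r\n\r\n" + new_body)
    return out


def declared_length_matches(raw):
    """Sanity check before sending: does Content-Length match the body?"""
    _, headers, body = split_request(raw)
    declared = next((int(h.split(":", 1)[1]) for h in headers
                     if h.lower().startswith("content-length:")), None)
    return declared == len(body.encode("utf-8"))


if __name__ == "__main__":
    for req in build_requests(CAPTURED_REQUEST, ["alice", "' OR '1'='1", "admin'--"]):
        print(req.replace("\r\n", "\\r\\n"), declared_length_matches(req))
```

Run it as a script to see the three generated requests; the first reproduces the original, the others carry injection payloads with a correct length header, which is what lets the server actually parse the tampered body instead of truncating it.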
Question 136
Which attack involves flooding a network with broadcast packets to exhaust system resources?
A) Smurf attack
B) SQL injection
C) XSS
D) Social engineering
Answer: A) Smurf attack
Explanation:
In a Smurf attack, the attacker overwhelms a target by abusing IP directed broadcasts. The attacker crafts ICMP echo request packets whose source address is spoofed to the victim's address and whose destination is the broadcast address of an intermediary network (the "amplifier"). If the router at that network forwards directed broadcasts, every host on the subnet answers with an ICMP echo reply sent to the spoofed source. One request therefore produces as many replies as there are responding hosts, so the attacker multiplies their own bandwidth by the size of the amplifier network. The victim is flooded with replies from many hosts at once, causing link saturation, resource exhaustion, and denial of service. Mitigation combines disabling IP directed broadcasts on routers (for example "no ip directed-broadcast" on Cisco IOS, the default behavior since RFC 2644), ingress filtering (BCP 38) so that packets with spoofed source addresses never leave the attacker's network, and rate-limiting inbound ICMP at the victim's edge. Because directed broadcasts are now off by default, the classic Smurf attack is rare, but the same reflect-and-amplify pattern reappears in DNS and NTP reflection attacks.
SQL injection, mentioned in option B, is a database-focused attack in which an attacker manipulates input fields to alter backend SQL queries. It has nothing to do with network flood techniques, packet spoofing, or broadcast amplification. It targets application logic rather than network infrastructure. Option C, XSS, is a client-side attack in which malicious scripts are injected into trusted websites. These scripts execute in the victim’s browser but do not flood networks, do not use broadcast packets, and do not overwhelm systems through traffic amplification. XSS aims to steal cookies, perform unauthorized actions, or manipulate browser sessions rather than generating denial-of-service traffic. Social engineering, option D, relies on human manipulation rather than technical packet-based strategies. Techniques such as phishing, pretexting, and baiting attempt to trick individuals into revealing information or performing insecure actions; they do not involve sending network broadcast packets or exhausting technical resources.
The correct answer is Smurf attack because it uniquely relies on broadcast amplification, IP spoofing, and ICMP traffic floods to overwhelm a target. Its reliance on network broadcast behavior and misconfigured routers makes it distinct from database exploitation, script injection, or psychological manipulation. Only the Smurf attack uses this particular method of leveraging intermediary devices to multiply traffic volume indirectly and create a large-scale denial-of-service effect.
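The packet described above, built and parsed as an added example that is not part of the original question. It constructs (and deliberately does not send) the spoofed ICMP echo request with the victim as source and a subnet's directed-broadcast address as destination, parses it back to show the spoofing, computes the reply-per-request amplification, and applies the BCP 38 ingress check that would drop it at the attacker's upstream. The addresses come from the RFC 5737 documentation ranges and the subnet sizes are assumptions.

```python
"""Construct (not send) the spoofed ICMP echo request at the heart of a
Smurf attack, parse it back to show the spoofing, estimate amplification,
and apply the BCP 38 ingress-filter check that would have dropped it.
Added example; addresses are RFC 5737 documentation ranges."""
import ipaddress
import struct

ICMP_PROTO = 1
ICMP_ECHO_REQUEST = 8


def inet_checksum(data):
    """RFC 1071 one's-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(ident, seq, payload):
    head = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = inet_checksum(head + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def build_ipv4(src, dst, proto, payload, ttl=64):
    fields = (0x45, 0, 20 + len(payload), 0x1234, 0, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    head = struct.pack("!BBHHHBBH4s4s", *fields)
    csum = inet_checksum(head)
    return head[:10] + struct.pack("!H", csum) + head[12:] + payload


def smurf_packet(victim, amplifier_subnet, payload=b"A" * 56):
    """Source spoofed to the victim, destination = subnet's directed broadcast."""
    net = ipaddress.IPv4Network(amplifier_subnet)
    return build_ipv4(victim, str(net.broadcast_address), ICMP_PROTO,
                      build_icmp_echo(ident=1, seq=1, payload=payload))


def parse_ipv4(pkt):
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    icmp = pkt[ihl:total_len]
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "proto": proto,
        "ip_checksum_ok": inet_checksum(pkt[:ihl]) == 0,  # intact header sums to zero
        "icmp_type": icmp[0],
        "icmp_checksum_ok": inet_checksum(icmp) == 0,
    }


def amplification_factor(amplifier_subnet):
    """Replies per request if every usable host answers the directed broadcast."""
    return max(ipaddress.IPv4Network(amplifier_subnet).num_addresses - 2, 0)


def bcp38_drops(pkt, customer_prefix):
    """Ingress filtering at the attacker's upstream: drop packets whose source
    is not inside the prefix assigned to that customer link."""
    src = ipaddress.IPv4Address(parse_ipv4(pkt)["src"])
    return src not in ipaddress.IPv4Network(customer_prefix)


if __name__ == "__main__":
    pkt = smurf_packet("203.0.113.9", "198.51.100.0/24")
    print(parse_ipv4(pkt))
    print("replies per request:", amplification_factor("198.51.100.0/24"))
    print("dropped by BCP 38 at attacker's ISP:", bcp38_drops(pkt, "192.0.2.0/24"))
```

Sending the packet would require a raw socket and is left out on purpose; the point is that every header the victim sees is valid and the only lie is the source address, which is exactly what ingress filtering at the attacker's edge catches and what the victim's own firewall cannot.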
Question 137
Which type of malware records every key pressed by the user to steal sensitive data?
A) Keylogger
B) Worm
C) Ransomware
D) Rootkit
Answer: A) Keylogger
Explanation:
A keylogger is a specialized form of malware designed to record every keystroke a user types on a computer or mobile device. This enables attackers to collect sensitive data such as login credentials, banking information, personal messages, and authentication details. Keyloggers may appear as standalone malware, but they are also frequently integrated into Trojan horse programs, spyware bundles, or rootkit frameworks that conceal their presence. They operate silently, usually avoiding detection by hiding within system processes, injecting themselves into browsers, or hooking operating system APIs that handle keyboard input. Keyloggers may also transmit captured data to remote servers or store it locally for later retrieval by the attacker. Because they operate covertly, victims are often unaware of their presence until after data theft occurs. Keyloggers exist in both software and hardware forms, with hardware variants embedded in USB devices, keyboard cables, or modified peripheral components.
A worm, option B, is a self-replicating piece of malware designed to spread across networks without user interaction. Worms consume bandwidth, exploit vulnerabilities for propagation, and sometimes deploy payloads, but they do not record keystrokes. Their focus is replication rather than espionage. Ransomware, option C, encrypts user files or locks entire systems and demands payment for restoration. It aims at extortion, not covert monitoring. While some ransomware strains may include auxiliary data-stealing components, capturing keystrokes is not a defining characteristic. Rootkits, option D, are concealment mechanisms that hide malicious files, processes, or activities from detection tools and security software. Although rootkits may be used to mask the presence of keyloggers, they do not inherently perform keystroke recording themselves. Rootkits act as stealth enablers rather than active data collectors.
The correct answer is keylogger because it uniquely performs keystroke monitoring as its primary and defining purpose. While worms, ransomware, and rootkits may contribute to broader attack strategies, they do not inherently record a user’s keyboard activity in the manner essential to keyloggers.
Question 138
Which cryptographic attack attempts to find collisions where two different inputs generate the same hash?
A) Birthday attack
B) Brute force attack
C) Rainbow table attack
D) Side-channel attack
Answer: A) Birthday attack
Explanation:
A birthday attack targets hash functions by exploiting the mathematical principle behind the birthday paradox: in a surprisingly small group, the probability that two people share a birthday is already high. In cryptography, the attacker hashes many different inputs and looks for any two distinct inputs that produce the same output; such a pair is a collision. Because any pair may collide, the search succeeds after roughly the square root of the number of possible outputs: an ideal n-bit hash offers only about 2^(n/2) work against collisions, compared with 2^n against finding a preimage. A 128-bit hash such as MD5 therefore provides at most 64-bit collision security even before its structural flaws are considered, and SHA-1 (160 bits) has had practical collisions demonstrated since 2017. The attack challenges the collision resistance property of hashing algorithms and shows why hash functions with small output sizes or structural weaknesses are more susceptible. To mitigate such risks, modern cryptographic standards recommend hash functions with large output lengths and strong mathematical properties, such as SHA-256 or SHA-3, so that the birthday bound remains out of reach.
Brute force attacks, option B, involve systematically trying all possible inputs or keys to find a match. While brute force may eventually lead to collision discovery, its intent is typically to find a specific preimage, not to exploit collision probability. Rainbow table attacks, option C, rely on precomputed hash chains used to reverse hashed values, primarily for password cracking. These attacks target hash reversal rather than collision discovery and require tables keyed to specific hashing algorithms. Side-channel attacks, option D, gather information by analyzing physical characteristics of a system—such as timing variations, electromagnetic emissions, or power consumption—during cryptographic operations. These attacks bypass mathematical weakness by exploiting implementation flaws, not collisions.
The birthday attack is the correct answer because it uniquely leverages the probability of two different inputs producing the same hash. It aims specifically at collision identification—a feature not shared by brute force, rainbow tables, or side-channel techniques—and forms a vital concept in evaluating the strength of hashing algorithms.
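The birthday search described above, run end to end as an added example that is not part of the original question. SHA-256 truncated to a small number of bits stands in for a weak n-bit hash, the inputs are constructed counter strings, and the collision appears after roughly sqrt(pi/2 * 2^n) hashes rather than the 2^n a preimage search would need; the truncation width is an assumption chosen so the run finishes in seconds.

```python
"""Birthday attack on a truncated hash: find two distinct inputs with the
same n-bit digest and compare the work to the 2**n a preimage search needs.
Added example; inputs are constructed counter strings and the hash is
SHA-256 truncated to `bits` so the collision appears in seconds."""
import hashlib
import math


def truncated_hash(data, bits):
    """Top `bits` bits of SHA-256 as an int; stands in for an n-bit hash."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)


def find_collision(bits, prefix=b"msg-"):
    """Hash distinct messages until an output repeats (birthday search).
    Returns (m1, m2, trials) with m1 != m2 and equal truncated hashes."""
    seen = {}
    n = 0
    while True:
        msg = prefix + str(n).encode()
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, n + 1
        seen[h] = msg
        n += 1


def expected_birthday_trials(bits):
    """Mean number of hashes before the first collision: sqrt(pi/2 * 2**bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def collision_security_bits(output_bits):
    """Effective collision resistance of an ideal n-bit hash is n/2 bits."""
    return output_bits / 2


if __name__ == "__main__":
    bits = 24
    m1, m2, trials = find_collision(bits)
    print(m1, m2, hex(truncated_hash(m1, bits)), "after", trials, "hashes")
    print("expected ~%.0f hashes vs 2**%d = %d for a brute-force preimage"
          % (expected_birthday_trials(bits), bits, 2 ** bits))
    print("SHA-256 collision security:", collision_security_bits(256), "bits")
```

Raising `bits` by two roughly doubles the expected work, which is the 2^(n/2) scaling in practice; the dictionary of seen outputs is also why real birthday attacks are memory-bound and why Pollard-rho style variants exist.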
Question 139
Which type of firewall inspects traffic based on packet headers without analyzing payloads?
A) Packet-filtering firewall
B) Application firewall
C) Stateful firewall
D) Next-generation firewall
Answer: A) Packet-filtering firewall
Explanation:
A packet-filtering firewall is one of the simplest and earliest forms of network protection. It examines each packet in isolation, based solely on header information such as source and destination IP addresses, port numbers, protocol type, and TCP flags. These firewalls enforce access control policies by permitting or denying packets according to predefined rules. Because they focus exclusively on header-level attributes, they keep no connection state and do not inspect the packet payload. Their lightweight nature provides high throughput and minimal latency, making them suitable for basic traffic filtering, router ACLs, or perimeter configurations. This simplicity also creates limitations: packet-filtering firewalls cannot detect application-layer attacks, cannot verify payload legitimacy, and are vulnerable to IP spoofing and to forged packets that merely look like part of an existing session (for example a packet with the ACK bit set, which a stateless "established" rule will accept without any prior handshake). They operate on network-layer and transport-layer headers only, offering foundational security but lacking advanced threat detection.
In contrast, an application firewall, option B, inspects packet payloads and analyzes communication at the application layer. These firewalls understand protocols such as HTTP, FTP, or DNS in detail, enabling them to detect malicious content or suspicious behavior. Stateful firewalls, option C, track the state of connections, allowing them to differentiate between legitimate traffic flows and unsolicited packets. They maintain session tables and ensure packets belong to valid ongoing communications. Next-generation firewalls, option D, integrate stateful inspection with deep packet analysis, intrusion prevention, and application awareness. They examine both headers and payloads, detect complex threats, and provide granular traffic control based on user identity or application behavior.
The packet-filtering firewall is the correct answer because it is the only option that relies exclusively on header-level inspection without session tracking or payload analysis. Its narrow focus distinguishes it clearly from application, stateful, and next-generation firewalls, all of which include deeper inspection capabilities.
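The distinction between header-only filtering and session tracking, shown as an added example that is not part of the original question. Both filters are run over the same constructed packets: a legitimate HTTP handshake, then a forged ACK aimed at port 22. The stateless rule set approximates "reply traffic" with the ACK bit, so the forged packet passes; the stateful filter rejects it because no session was ever opened. The addresses, ports and rules are assumptions made for the example.

```python
"""Header-only (stateless) filtering beside stateful tracking, run over the
same constructed packets. The stateless rule set approximates 'reply
traffic' with the ACK bit, so a forged ACK to an unrelated port gets
through; the stateful filter rejects it because no session exists.
Added example; addresses, ports and rules are constructed."""
from dataclasses import dataclass

SERVER = "10.0.0.5"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # e.g. frozenset({"SYN"}), frozenset({"ACK"})


def stateless_allows(pkt):
    """Packet-filter rules: only header fields are consulted, no memory."""
    if pkt.dst == SERVER and pkt.dport == 80:          # permit inbound HTTP
        return True
    if pkt.dst == SERVER and "ACK" in pkt.flags:       # 'established' heuristic
        return True
    return False


class StatefulFilter:
    """Keeps a session table; inbound packets must open a permitted service or
    belong to a flow already recorded."""

    def __init__(self):
        self.sessions = set()

    def allows(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.dst == SERVER and pkt.dport == 80 and pkt.flags == frozenset({"SYN"}):
            self.sessions.add(key)                      # new permitted connection
            return True
        return key in self.sessions                     # continuation of a known flow


def run_scenario():
    """Replay a legitimate HTTP handshake and then a spoofed ACK to port 22.
    Returns {name: (stateless_verdict, stateful_verdict)}."""
    client = "198.51.100.7"
    attacker = "203.0.113.9"
    syn = Packet(client, 4444, SERVER, 80, frozenset({"SYN"}))
    ack = Packet(client, 4444, SERVER, 80, frozenset({"ACK"}))
    forged = Packet(attacker, 5555, SERVER, 22, frozenset({"ACK"}))
    stateful = StatefulFilter()
    return {
        "syn": (stateless_allows(syn), stateful.allows(syn)),
        "ack": (stateless_allows(ack), stateful.allows(ack)),
        "forged_ack_to_22": (stateless_allows(forged), stateful.allows(forged)),
    }


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:18} stateless={stateless!s:5} stateful={stateful}")
```

The forged packet is the practical reason stateless "established" rules fell out of favour: the filter has nothing but the header to go on, so anything that looks like a reply is a reply.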
Question 140
Which technique involves hiding malicious data inside legitimate image or audio files?
A) Steganography
B) Hashing
C) Tokenization
D) VLAN hopping
Answer: A) Steganography
Explanation:
Steganography is the practice of concealing information within other seemingly innocuous files such as images, audio recordings, or videos. The technique modifies the underlying data—often through methods such as least significant bit (LSB) manipulation—in ways that remain visually or audibly undetectable to casual observers. Its primary purpose is to hide the very existence of secret data rather than simply encrypting it. Attackers use steganography to embed malware payloads, command-and-control instructions, or exfiltrated data within files that appear harmless, allowing them to bypass traditional security controls such as firewalls, antivirus software, or content filters. Because steganographic content blends seamlessly with legitimate media, detecting it typically requires specialized forensic analysis, statistical examination, or signature-matching techniques. The stealth-oriented nature of steganography makes it a powerful tool in covert communication, data smuggling, and sophisticated cyberattacks.
Hashing, option B, is a cryptographic function that produces a fixed-length output from an input. It ensures data integrity verification but does not hide information within media files. Tokenization, option C, replaces sensitive data with non-sensitive placeholders known as tokens to enable secure processing. It does not embed hidden data within multimedia content. VLAN hopping, option D, is a network attack technique in which an attacker manipulates switch configurations or trunking protocols to gain access to unauthorized VLANs. It is unrelated to the concealment of data within images or audio files.
Steganography is the correct answer because it uniquely focuses on embedding hidden information within ordinary media, enabling covert communication and bypassing typical detection mechanisms.
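The least-significant-bit technique mentioned above, implemented as an added example that is not part of the original question or of any particular tool. It works on raw 8-bit samples (pixel channels or audio samples) so it runs without an image library: the cover is a constructed byte gradient, a length header is embedded ahead of the message so the extractor knows where to stop, and the per-sample distortion is measured to show why the change is imperceptible. The LSB-plane statistic at the end is the kind of signal steganalysis tools look for, here on constructed data.

```python
"""Least-significant-bit steganography over raw 8-bit samples (pixels or
audio): embed a message with a length prefix, extract it, and measure the
per-sample distortion that makes the change imperceptible. Added example;
the cover is a constructed byte gradient rather than a real image file."""


def embed_lsb(cover, message):
    """Overwrite the LSB of successive cover samples with the message bits.
    A 32-bit big-endian length header lets the extractor know where to stop."""
    payload = len(message).to_bytes(4, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover has %d samples, message needs %d" % (len(cover), len(bits)))
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit        # sample value changes by at most 1
    return bytes(stego)


def _read_bytes(samples, start_bit, count):
    out = bytearray()
    for b in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (samples[start_bit + b * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def extract_lsb(stego):
    """Read the length header, then that many bytes, from the LSB plane."""
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    return _read_bytes(stego, 32, length)


def max_sample_change(cover, stego):
    """Largest per-sample difference; LSB embedding never exceeds 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def lsb_ones_fraction(samples, count):
    """Share of 1-bits in the LSB plane of the first `count` samples. Smooth
    covers are often biased; embedded data pushes the share toward 0.5,
    which is the kind of statistic steganalysis tools test for."""
    return sum(s & 1 for s in samples[:count]) / count


if __name__ == "__main__":
    cover = bytes(((i // 16) * 2) % 256 for i in range(4096))  # constructed even-valued gradient
    secret = b"beacon 203.0.113.9:443"
    stego = embed_lsb(cover, secret)
    print(extract_lsb(stego))
    print("max change per sample:", max_sample_change(cover, stego))
    used = (4 + len(secret)) * 8
    print("LSB ones fraction cover/stego:", lsb_ones_fraction(cover, used),
          lsb_ones_fraction(stego, used))
```

Real covers carry the same payload inside the pixel or sample data of a PNG, BMP or WAV, and the same functions apply once the raw samples are decoded; lossy formats such as JPEG or MP3 destroy the LSB plane on re-encoding, which is why attackers choose lossless containers for this method.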
