ECCouncil 312-50v13 Certified Ethical Hacker v13 Exam Dumps and Practice Test Questions Set 8 Q141-160
Question 141
Which technique is most effective for detecting rogue wireless access points in an enterprise network?
A) Packet sniffing
B) Wireless site survey
C) MAC cloning
D) ARP flooding
Answer: B) Wireless site survey
Explanation:
Packet sniffing involves capturing wireless traffic and analyzing frames that devices transmit in the air. While it can reveal some nearby access points, it does not provide full environmental mapping, signal localization, or comprehensive rogue AP identification on its own. Packet sniffing is useful for monitoring and troubleshooting but depends on the tester being within reasonable range of each transmitter and may miss APs that broadcast on obscure channels or low-power modes. It can also capture legitimate and illegitimate signals without giving structured visibility of placement, coverage, or relative risk.
Wireless site survey refers to a structured process of scanning the entire wireless environment using specialized tools and walking through physical areas to detect all broadcasting and hidden SSIDs. This method provides heat maps, identifies unauthorized devices, shows channel usage, highlights overlapping signals and signal leakage, and reveals rogue APs whether malicious or accidental. Because the survey covers the full environment rather than a single capture point, it is the most reliable technique for detecting unauthorized transmitters. It also helps validate organizational WLAN policies and ensures no insecure access point has been attached to the internal network.
MAC cloning involves changing the MAC address of a device to impersonate another machine on the network. This technique is associated with authentication bypass, network evasion, or identity spoofing. It does not help detect rogue access points; instead, attackers may use MAC cloning to blend in with trusted devices. Therefore, it has no direct relevance to discovering unauthorized wireless infrastructure.
ARP flooding focuses on overwhelming the network’s Address Resolution Protocol tables with large numbers of spoofed entries. This attack aims to disrupt communications or perform man-in-the-middle attacks. ARP flooding does not scan wireless frequencies, detect transmitters, or identify rogue access points. It is purely a network-layer disruption technique and does not interact with wireless signals.
Based on all these points, the correct technique for reliably detecting rogue access points is wireless site survey because it systematically scans the environment, maps signals, and reveals all access points, both authorized and unauthorized.
Question 142
Which type of malware primarily spreads by adding malicious code to legitimate executable files?
A) Worm
B) Bootkit
C) File infector virus
D) Keylogger
Answer: C) File infector virus
Explanation:
A worm is a type of malware designed to self-replicate without attaching itself to a host file. Worms propagate across networks, exploiting vulnerabilities, misconfigurations, or weak passwords. They do not typically modify existing executable files; instead, they operate independently. While worms can deliver payloads, create backdoors, or consume network bandwidth, their propagation mechanism is entirely different from file-infecting behavior.
A bootkit targets the system boot process, specifically modifying components such as the Master Boot Record or UEFI firmware to intercept system loading at the earliest stage. Bootkits aim to gain persistent and stealthy control of a system. Because they operate below the operating system level, they are extremely difficult to detect or remove. However, they do not attach themselves to legitimate executable files nor propagate by modifying applications.
A file infector virus spreads by inserting malicious code into legitimate executable files. When a user runs an infected file, the virus executes, often injecting itself into additional programs. It may append, overwrite, or prepend code to executables, corrupt data, or replicate through shared folders and removable drives. This characteristic—embedding its code within other executable files—is the defining behavior of this malware category. Therefore, this is the correct answer because the question specifically identifies malware that spreads through file modification.
A keylogger, on the other hand, records keystrokes to capture passwords, messages, or sensitive information. Keyloggers do not reproduce by infecting executable files. They are designed for espionage rather than replication. They may be installed manually, delivered through phishing, or packaged with other malware, but they lack the self-replicating infection mechanism described.
Given these distinctions, the type of malware that primarily spreads by modifying legitimate executable files is the file infector virus.
Question 143
Which scanning method attempts to determine open ports by sending TCP packets without completing the three-way handshake?
A) TCP connect scan
B) SYN scan
C) Xmas scan
D) RPC scan
Answer: B) SYN scan
Explanation:
A TCP connect scan fully completes the three-way handshake. It sends SYN, receives SYN-ACK from an open port, and then sends ACK, establishing a complete connection. Because it completes the connection, it is easier for intrusion detection systems to log and detect. It is not considered a stealthy scan and does not match the description of a scanning method that avoids finishing the handshake.
A SYN scan, often referred to as half-open scanning, sends a SYN packet to a port and waits for the response. If the target replies with SYN-ACK, the scanner knows the port is open but instead of completing the connection, it sends an RST packet to avoid completing the handshake. Because the connection never fully establishes, SYN scans are stealthier and more efficient. This behavior fits exactly the description in the question, making it the correct answer.
An Xmas scan sends packets with unusual flag combinations, such as FIN, URG, and PSH flags set. Its goal is to identify how systems respond to unexpected or malformed flag combinations. This scan can identify open, closed, or filtered ports depending on the system’s TCP stack behavior. However, it does not use the SYN packet method nor mimic a partial handshake.
An RPC scan focuses on discovering Remote Procedure Call services and enumerating associated program identifiers. It is used to detect vulnerabilities or exposed services on systems that rely on RPC. It does not involve manipulating the TCP handshake in the way described in the question.
The only technique that avoids completing the TCP handshake while identifying port status is the SYN scan.
Question 144
What type of vulnerability occurs when an application includes user-supplied input directly into a command executed on the operating system?
A) Command injection
B) XML injection
C) Insecure deserialization
D) LDAP injection
Answer: A) Command injection
Explanation:
XML injection involves manipulating XML data structures or queries by inserting crafted XML content. Attackers may alter SOAP requests, APIs, or XML documents. While dangerous, XML injection affects XML processing, not operating system command execution. It does not generally involve embedding OS-level commands into system calls.
Insecure deserialization occurs when applications deserialize untrusted data without validation. Attackers may insert malicious serialized objects leading to remote code execution, privilege escalation, or logic manipulation. Although insecure deserialization can allow arbitrary code execution, it is not characterized by directly inserting input into operating system commands.
LDAP injection targets Lightweight Directory Access Protocol queries. Attackers manipulate LDAP filters by crafting user-input strings to bypass authentication or extract directory information. LDAP injection exploits applications that use LDAP queries unsafely, but it does not involve operating system command execution.
Command injection occurs when user input is passed directly to an operating system command without proper validation or sanitization. Attackers can append or modify commands, such as adding semicolons, pipes, or logical connectors, allowing them to execute arbitrary system commands. Because the question explicitly describes user-supplied input being included in OS-level commands, command injection is the correct answer.
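The pattern the explanation describes, shown in application code as an added example (not from the page or from ECCouncil's material): a function that builds a shell string from user input, beside a hardened version that validates the input against an allowlist and passes it as a single argv element so no shell ever parses it. `echo` stands in for a real command such as ping so the demonstration is harmless; the hostname pattern and the sample payload are assumptions constructed for this example.

```python
"""Command injection: user input in a shell string vs. validated argv (added example)."""
import re
import subprocess

# Allowlist: letters, digits, dots and hyphens only (assumed hostname policy for this demo).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def is_valid_hostname(host: str) -> bool:
    """True only if the input contains nothing a shell could interpret as syntax."""
    return HOSTNAME_RE.fullmatch(host) is not None


def lookup_vulnerable(host: str) -> str:
    """The flaw the question describes: input is pasted into a command string and the
    shell parses it, so ';', '|', '&&' and friends become extra commands.
    'echo' replaces a real tool (e.g. ping) to keep the demo harmless."""
    completed = subprocess.run(f"echo {host}", shell=True, capture_output=True, text=True)
    return completed.stdout


def lookup_hardened(host: str) -> str:
    """Reject anything outside the allowlist, then pass the value as one argv element
    with no shell involved: metacharacters are delivered literally, never interpreted."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    completed = subprocess.run(["echo", host], capture_output=True, text=True)
    return completed.stdout


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"  # constructed sample input with a piggy-backed command
    print(repr(lookup_vulnerable(payload)))  # second command runs: 'example.com\nINJECTED\n'
    try:
        lookup_hardened(payload)
    except ValueError as exc:
        print(exc)  # input refused before any process is started
    print(repr(lookup_hardened("example.com")))  # 'example.com\n'
```

The two defences are deliberately layered: the argv form alone would already print the payload as a literal string, but the allowlist also stops unexpected input from reaching the tool's own option parser.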
Question 145
Which protocol is primarily exploited during a DHCP starvation attack?
A) SMTP
B) DNS
C) DHCP
D) RDP
Answer: C) DHCP
Explanation:
Simple Mail Transfer Protocol (SMTP) is primarily designed to facilitate the sending and receiving of emails between clients and mail servers. While SMTP can be involved in certain types of attacks, including phishing campaigns, email spoofing, and mail server exploitation, it plays no role in the allocation or management of IP addresses within a network. Therefore, SMTP is unrelated to DHCP starvation, which specifically targets IP address exhaustion.
DNS, or Domain Name System, resolves human-readable domain names into IP addresses, providing a crucial service for internet navigation. Although DNS servers can be exploited through attacks such as cache poisoning, amplification, or DDoS, they do not directly assign IP addresses to hosts on a local network. Hence, DNS is not the protocol exploited in DHCP starvation attacks.
Dynamic Host Configuration Protocol (DHCP), on the other hand, is explicitly responsible for dynamically assigning IP addresses and other network configuration details to devices joining a network. In a DHCP starvation attack, the attacker floods the DHCP server with numerous fake or spoofed DHCP requests. Each request consumes one IP lease from the available address pool. Because the server has a limited number of leases, the continuous influx of forged requests eventually exhausts the pool, leaving legitimate devices unable to obtain IP addresses. This denial of service can be coupled with the deployment of a rogue DHCP server, allowing the attacker to redirect traffic, perform man-in-the-middle attacks, or intercept sensitive network communications. DHCP is therefore the direct target of this type of attack, making it the correct answer.
Remote Desktop Protocol (RDP) enables users to establish remote desktop sessions to access systems over a network. While RDP may be subject to attacks like brute forcing or credential exploitation, it has no mechanism for IP address assignment and is unaffected by DHCP starvation techniques.
DHCP is the protocol inherently exploited during these attacks, as it manages IP allocation and is vulnerable to exhaustion through spoofed requests, whereas SMTP, DNS, and RDP are unrelated to this specific threat vector.
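From the defender's side, the symptom described above (many requests, each from a different spoofed client, exhausting the pool) is visible in the DHCP server's own log. The following is an added example, not code from the page: it parses DISCOVER lines in the syslog style dnsmasq uses (the lines themselves are constructed here), buckets them into fixed time windows and flags any window in which the number of distinct client MACs exceeds a threshold. The window size and threshold are assumptions to be tuned to the size of the network.

```python
"""Flag DHCP starvation bursts in DHCP server logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample lines in dnsmasq's "DHCPDISCOVER(iface) mac" syslog style (assumption).
NORMAL = [
    "Jan 10 09:00:01 gw dnsmasq-dhcp[812]: DHCPDISCOVER(eth0) 3c:52:82:10:aa:01",
    "Jan 10 09:03:17 gw dnsmasq-dhcp[812]: DHCPDISCOVER(eth0) 3c:52:82:10:aa:02",
]
# Thirty DISCOVERs inside one second, every one from a never-before-seen MAC.
BURST = [
    f"Jan 10 09:15:42 gw dnsmasq-dhcp[812]: DHCPDISCOVER(eth0) de:ad:be:ef:00:{i:02x}"
    for i in range(30)
]
SAMPLE_LOG = NORMAL + BURST

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dnsmasq-dhcp\[\d+\]: "
    r"DHCPDISCOVER\(\S+\) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$"
)


def parse(line: str, year: int = 2024):
    """Return (timestamp, mac) for a DISCOVER line, or None for anything else.
    Syslog timestamps carry no year, so one is supplied (assumed)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["mac"]


def _bucket_start(ts: datetime, window_s: int) -> datetime:
    """Start of the fixed window containing ts (computed from seconds-of-day, no tz needed)."""
    sod = ts.hour * 3600 + ts.minute * 60 + ts.second
    return datetime.combine(ts.date(), time()) + timedelta(seconds=sod // window_s * window_s)


def starvation_windows(lines, window_s: int = 10, threshold: int = 20):
    """Windows whose distinct-client count reaches the threshold, as (window_start, count).
    Distinct MACs, not raw line count, so a single chatty client does not trip the alert."""
    macs_per_window = defaultdict(set)
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, mac = parsed
        macs_per_window[_bucket_start(ts, window_s)].add(mac)
    return sorted(
        (start, len(macs)) for start, macs in macs_per_window.items() if len(macs) >= threshold
    )


if __name__ == "__main__":
    for start, count in starvation_windows(SAMPLE_LOG):
        print(f"{start:%Y-%m-%d %H:%M:%S}: {count} distinct clients requested leases")
```

A burst of distinct MACs is the signal to act on; the corresponding network-side control is to limit the number of MAC addresses or DHCP messages accepted per switch port, which the page's rogue-DHCP-server follow-on attack also makes worth enabling.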
Question 146
Which tool is commonly used to identify vulnerable web applications by crawling and scanning for weaknesses?
A) John the Ripper
B) WinDump
C) Nikto
D) Cain & Abel
Answer: C) Nikto
Explanation:
John the Ripper is widely recognized as a password-cracking utility, designed to identify weak passwords through brute force attacks, dictionary-based techniques, or hybrid methods combining both. Its functionality is strictly focused on password recovery and security auditing for credentials and does not include scanning, crawling, or analyzing web servers for vulnerabilities. While it is a valuable tool within penetration testing, it is unrelated to web application reconnaissance or automated vulnerability detection.
WinDump, a Windows port of the Unix-based tcpdump, is a packet analysis tool that captures and inspects network traffic. Although WinDump is useful for network troubleshooting, traffic monitoring, and detecting suspicious activity, it does not actively enumerate web application components, crawl directories, or identify misconfigurations on web servers. Consequently, it cannot be used for automated web vulnerability assessments.
Nikto, however, is a specialized web server vulnerability scanner designed to analyze web applications, identifying insecure configurations, outdated software, default files, directory exposure, and known vulnerabilities. Nikto operates by systematically crawling web servers, testing for common issues such as executable scripts, potentially dangerous files, missing security headers, and vulnerable modules. This makes it particularly effective for reconnaissance in penetration testing engagements, as it allows security professionals to gather intelligence about the web server environment before launching targeted attacks or reporting security gaps.
Cain & Abel primarily focuses on password recovery, ARP poisoning, network sniffing, and cryptanalysis. It does not include automated web vulnerability scanning or directory crawling capabilities.
Given that the question asks for a tool that is specifically used to identify vulnerable web applications by scanning and crawling for weaknesses, Nikto is the only option that directly fulfills this role. Its combination of automated scanning, signature-based vulnerability checks, and the ability to enumerate web server components makes it the correct and precise answer for this scenario.
Question 147
Which wireless security mode uses TKIP for encryption?
A) WPA2-Enterprise
B) WEP
C) WPA
D) WPA3
Answer: C) WPA
Explanation:
Wi-Fi Protected Access 2 (WPA2) in its Enterprise mode primarily employs AES-CCMP encryption, which provides robust security by encrypting data at the frame level. WPA2-Enterprise also integrates 802.1X authentication for enterprise networks, ensuring that clients authenticate before accessing network resources. AES-CCMP is significantly more secure than the older TKIP encryption and does not rely on temporal key mechanisms used by WPA. Therefore, WPA2-Enterprise cannot be considered the correct answer when the focus is on TKIP encryption.
Wired Equivalent Privacy (WEP) is an outdated wireless security protocol that relies on the RC4 stream cipher for encryption. WEP employs static keys and predictable initialization vectors, rendering it highly vulnerable to a wide range of attacks such as key recovery and replay attacks. Importantly, WEP does not use TKIP; it relies solely on RC4 with weak key management, making it unsuitable for this question.
WPA, or Wi-Fi Protected Access, was introduced as an interim solution to address WEP’s vulnerabilities without requiring significant hardware upgrades. WPA uses TKIP (Temporal Key Integrity Protocol) to provide dynamic key generation, per-packet keying, and message integrity checks, making it significantly more secure than WEP. TKIP was specifically designed to allow older hardware to implement stronger security features without replacing wireless cards. Because the question asks which mode relies on TKIP, WPA directly matches this requirement.
WPA3, the most recent wireless security standard, employs advanced cryptographic methods such as Simultaneous Authentication of Equals (SAE) and robust encryption algorithms. It does not use TKIP and represents a fundamental departure from older WPA/TKIP mechanisms.
In conclusion, only WPA uses TKIP as its encryption method, making it the correct selection among the options.
Question 148
What is the primary goal of an attacker performing banner grabbing?
A) Flooding the target with traffic
B) Identifying service versions
C) Exploiting SQL databases
D) Cracking encryption keys
Answer: B) Identifying service versions
Explanation:
Flooding a target with traffic is the defining characteristic of Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks. These attacks aim to overwhelm a network, server, or service by saturating it with requests or data, causing disruption of legitimate user access. While effective for disrupting services, flooding traffic is unrelated to the process of banner grabbing, which is focused on intelligence gathering rather than service disruption.
Banner grabbing itself is a reconnaissance technique in which an attacker sends crafted requests to network services such as FTP, HTTP, SSH, or SMTP. These requests prompt the server or service to reveal metadata, commonly in the form of a “banner,” that provides information about the software type, version, and sometimes operating system or configuration details. Attackers use this information to identify potential vulnerabilities associated with specific software versions, outdated applications, or misconfigurations that may be exploited later in the attack chain.
Exploiting SQL databases, typically achieved through SQL injection, involves manipulating queries to exfiltrate data, bypass authentication, or modify database contents. This requires a direct interaction with the application’s database logic rather than gathering preliminary system information through banners. Cracking encryption keys, on the other hand, involves cryptanalysis, brute force, or exploitation of weak cryptographic implementations, none of which are related to collecting banners for reconnaissance.
Banner grabbing serves as an essential preparatory step for attackers because knowing the software version and service configuration allows precise targeting of vulnerabilities, reducing trial-and-error efforts and increasing the likelihood of a successful intrusion. Consequently, the primary goal of banner grabbing is intelligence collection focused on identifying service types and versions. It enables attackers to develop targeted strategies, plan exploitation paths, and avoid unnecessary noise that could trigger intrusion detection systems.
Therefore, the correct answer is identifying service versions.
Question 149
Which technique attempts to predict TCP sequence numbers to hijack an existing session?
A) Replay attack
B) Session fixation
C) Sequence number prediction
D) Brute force enumeration
Answer: C) Sequence number prediction
Explanation:
A replay attack involves capturing valid data packets during communication and retransmitting them to achieve unauthorized repetition of authenticated actions. While replay attacks can compromise security in some contexts, they do not involve predicting future TCP sequence numbers to hijack ongoing sessions.
Session fixation, in contrast, is a web-based attack technique where an attacker forces a user to use a predetermined session identifier, typically by sending crafted URLs or embedding session IDs into links or cookies. While session fixation can allow unauthorized access once a user authenticates, it does not involve lower-level TCP sequence prediction or network packet manipulation.
Sequence number prediction is a sophisticated attack method targeting the TCP protocol itself. TCP communications rely on sequence numbers to ensure packets are delivered in order and to maintain session integrity. In this attack, an adversary observes patterns in sequence number increments and uses them to predict subsequent sequence numbers in an active TCP session. By injecting forged packets with correctly predicted sequence numbers, the attacker can manipulate the session, inject malicious data, or hijack the communication without alerting the endpoints. This technique requires careful analysis of TCP behavior, timing, and sequence number generation methods to achieve successful hijacking.
Brute force enumeration involves systematically trying multiple values or credentials to gain unauthorized access. Although brute forcing could theoretically attempt sequence numbers, it is generally inefficient and not considered the targeted method described in the question.
Because the question explicitly focuses on predicting TCP sequence numbers to hijack an active session, the correct answer is sequence number prediction. This technique directly exploits TCP protocol mechanics rather than application-layer session management or general brute forcing, making it a precise match.
Question 150
Which type of reconnaissance involves gathering information without directly interacting with the target system?
A) Passive reconnaissance
B) Active reconnaissance
C) Social engineering
D) Black box scanning
Answer: A) Passive reconnaissance
Explanation:
Active reconnaissance is characterized by direct interaction with the target system, typically involving scanning, probing, or sending specific requests to collect information about open ports, services, or network configurations. While active reconnaissance yields detailed intelligence, it inherently risks detection because the target system may log these interactions.
Passive reconnaissance, on the other hand, is performed without sending packets to or querying the target system directly. Instead, attackers leverage publicly available information, including open-source intelligence (OSINT), domain registration records, DNS lookups, job postings, social media profiles, archived documents, and metadata. By analyzing these sources, attackers can gain insights into organizational infrastructure, technologies used, personnel details, or network architecture, all without alerting the target.
Social engineering involves direct interaction with humans to extract information, often by manipulating or deceiving employees to reveal passwords, internal processes, or confidential data. While highly effective, social engineering is not passive because it requires engagement with individuals.
Black box scanning refers to security testing performed with no prior knowledge of the target system’s internal details. Although it simulates an external attacker’s perspective, it still entails direct probing or scanning to discover services, vulnerabilities, or open ports. Consequently, black box scanning constitutes active reconnaissance rather than passive.
The defining feature of passive reconnaissance is its reliance on observation and research without initiating direct communication with the target system. It serves as an initial phase of information gathering in penetration testing, enabling attackers to build a profile and identify potential attack vectors while minimizing the likelihood of detection. Given this approach, passive reconnaissance perfectly matches the question’s requirement of indirect, non-intrusive information collection, making it the correct answer.
Question 151
Which type of attack forces wireless clients to disconnect from an access point to capture authentication data?
A) Deauthentication attack
B) Evil twin attack
C) War-driving
D) MAC flooding
Answer: A) Deauthentication attack
Explanation:
An evil twin attack involves setting up a rogue access point that mimics a legitimate AP to trick clients into connecting. This type of attack focuses on credential capture but does not actively disconnect users from their current network. Therefore, it does not fit the description of forcing clients offline to capture authentication data.
War-driving is a reconnaissance method where attackers drive around an area mapping Wi-Fi networks, recording SSIDs, encryption types, and signal strength. This technique is passive in nature and does not interfere with the operation of clients connected to access points. It is primarily for information gathering and cannot be used to capture authentication handshakes.
MAC flooding attacks target network switches by overloading their MAC address tables, causing them to broadcast traffic to all ports. While this can allow an attacker to sniff network traffic, it does not forcibly disconnect clients from wireless networks and is unrelated to capturing WPA/WPA2 handshakes.
Deauthentication attacks work by sending forged deauthentication frames to clients, effectively forcing them to disconnect from their AP. When the clients attempt to reconnect, the attacker can capture the WPA or WPA2 four-way handshake, which contains encrypted authentication information. This handshake can later be used in offline password-cracking attacks. Because the question explicitly mentions disconnecting clients to capture authentication data, deauthentication attacks are the correct choice.
Question 152
Which attack targets a user by sending phishing emails to steal credentials?
A) Social engineering
B) SQL injection
C) Brute force attack
D) ARP spoofing
Answer: A) Social engineering
Explanation:
SQL injection is a code injection technique targeting databases. Attackers manipulate input fields to extract, modify, or delete data, but it does not involve tricking users into revealing credentials. Therefore, SQL injection does not match the scenario described in the question.
Brute force attacks systematically guess passwords through trial and error, using every possible combination. While this can lead to account compromise, it is a technical attack and does not rely on deceiving the user. Thus, it is unrelated to phishing emails.
ARP spoofing is a network-based attack where an attacker manipulates the ARP table to intercept traffic between devices. While it can capture data, it does not involve directly tricking users into voluntarily providing their credentials.
Social engineering is the practice of manipulating human behavior to gain unauthorized access to sensitive information. Phishing emails are a common form of social engineering. They are designed to look legitimate, prompting users to click malicious links, provide passwords, or disclose other personal information. Since the question explicitly refers to sending emails to steal credentials, social engineering is the correct answer.
Question 153
Which attack involves an adversary injecting additional queries into an SQL statement?
A) Blind SQL injection
B) Piggy-backed SQL injection
C) Tautology injection
D) Union-based SQL injection
Answer: B) Piggy-backed SQL injection
Explanation:
Blind SQL injection occurs when an application suppresses error messages, preventing the attacker from seeing the result of their injected queries. The attacker relies on analyzing the application’s behavior, responses, or timing to infer information. This technique does not involve appending additional queries.
Piggy-backed SQL injection appends one or more extra SQL queries after a legitimate statement using a semicolon. Each query executes sequentially, potentially modifying the database or extracting sensitive information. This approach directly matches the description of injecting additional queries into an existing statement.
Tautology injection modifies the logical structure of a query so that it always evaluates to true, often bypassing authentication checks. While powerful, it does not involve appending new queries to a statement.
Union-based SQL injection uses the UNION operator to combine attacker-controlled query results with legitimate queries. This method does not append multiple queries sequentially but merges datasets. Because the question specifically asks for injecting additional queries into an SQL statement, piggy-backed SQL injection is the correct answer.
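The semicolon append the explanation describes, and the fix for it, shown as an added example (not code from the page or from ECCouncil): a query assembled by string formatting beside the same query with a bound parameter, run against a constructed in-memory SQLite table. Python's `sqlite3.execute()` refuses to run more than one statement at a time, so the vulnerable path uses `executescript()` to stand in for database drivers and APIs that do accept stacked statements; the table contents and the payload are constructed for this example.

```python
"""Piggy-backed (stacked) SQL injection vs. a parameterized query (added example)."""
import sqlite3

# Constructed payload: closes the string literal, appends a second statement,
# and comments out whatever follows.
PAYLOAD = "bob'; DROP TABLE users; --"


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "admin"), ("bob", "user")])
    conn.commit()
    return conn


def table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone()
    return row is not None


def role_of(conn: sqlite3.Connection, name: str):
    row = conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def demote_vulnerable(conn: sqlite3.Connection, name: str) -> bool:
    """User input is spliced into the SQL text, so the semicolon in the payload ends the
    UPDATE and a second, attacker-chosen statement follows it. executescript() models a
    driver that executes every statement it is handed. Returns whether the table survived."""
    sql = f"UPDATE users SET role = 'guest' WHERE name = '{name}'"
    conn.executescript(sql)
    return table_exists(conn)


def demote_hardened(conn: sqlite3.Connection, name: str) -> bool:
    """The value is bound as a parameter: the database receives one fixed statement and
    treats the whole input, semicolon included, as the literal name to match."""
    conn.execute("UPDATE users SET role = 'guest' WHERE name = ?", (name,))
    conn.commit()
    return table_exists(conn)


if __name__ == "__main__":
    print("vulnerable, table still present:", demote_vulnerable(make_db(), PAYLOAD))  # False
    conn = make_db()
    print("hardened, table still present:", demote_hardened(conn, PAYLOAD))  # True
    print("bob's role after hardened call with payload:", role_of(conn, "bob"))  # user
```

The hardened version needs no escaping logic of its own: because the statement text is fixed before any user data is supplied, there is no point at which input can be parsed as SQL, which is why parameterized queries also close off the blind, tautology and union variants listed in the other options.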
Question 154
Which type of malware captures sensitive data such as passwords and credit card numbers?
A) Spyware
B) Ransomware
C) Rootkit
D) Worm
Answer: A) Spyware
Explanation:
Ransomware is malware that encrypts a victim’s files and demands payment for decryption. While disruptive, its primary purpose is extortion, not data theft. Therefore, ransomware does not match the requirement of capturing sensitive information.
Rootkits are designed to hide malware or malicious activity on a system, providing persistence and stealth. They can facilitate data collection but are not inherently designed to capture sensitive user information.
Worms replicate themselves across networks or devices without user interaction. Their main goal is propagation rather than stealing sensitive information, so they are unrelated to credential or financial data capture.
Spyware is specifically created to monitor user activity and collect confidential information, including passwords, keystrokes, browsing history, and credit card details. It often operates stealthily to avoid detection and transmits collected data to an attacker. Since the question emphasizes malware that captures sensitive data, spyware is the correct answer.
Question 155
Which attack attempts all possible password combinations until access is gained?
A) Brute force attack
B) Dictionary attack
C) Hybrid attack
D) Credential stuffing
Answer: A) Brute force attack
Explanation:
Dictionary attacks rely on the use of precompiled lists that contain commonly used passwords, everyday words, predictable phrases, and credentials gathered from previous data breaches. While these lists may be extensive, the attack method is fundamentally limited by the contents of the dictionary itself. The attacker only tests passwords that appear in the list, meaning the approach is inherently finite and not exhaustive. Because the attacker does not attempt every possible character combination, dictionary attacks are effective only when users choose weak or common passwords. Therefore, this technique does not align with the question’s description, which emphasizes systematically testing all possible combinations rather than relying on predefined lists.
Hybrid attacks expand upon dictionary attacks by applying mutation rules to dictionary words in order to simulate user password habits. For example, attackers might append numbers or symbols, capitalize certain letters, reverse words, or substitute characters with visually similar alternatives (such as replacing “a” with “@”). Although hybrid attacks cover more possibilities than a standard dictionary attack, they remain dependent on a base word list and a set of transformation rules. Consequently, they still do not evaluate every possible combination of characters in a systematic manner. Hybrid attacks aim to balance efficiency with increased coverage, not to exhaustively search the entire password space, and therefore do not meet the criteria described in the question.
Credential stuffing is an automated attack strategy that leverages previously compromised username‑password pairs to attempt logins on multiple systems or platforms. The method exploits the common habit of credential reuse, where individuals use the same password across different accounts. Credential stuffing does not involve guessing or generating new password combinations; rather, it recycles known credentials. Because it relies exclusively on existing leaked data and avoids generating new combinations, it falls completely outside the category described by the question. It does not attempt every potential password and therefore cannot be considered exhaustive.
Brute force attacks, in contrast, operate by systematically generating and testing every possible combination of characters within the defined password policy—often including letters, numbers, and symbols. This approach is comprehensive and mathematically guaranteed to succeed if given sufficient time and computational resources. Because brute force attacks do not rely on predefined lists or transformation rules—but instead attempt all conceivable combinations—they match the question’s description precisely. The defining characteristic of brute force attacks is this exhaustive method of trying every possible option until the correct password is ultimately identified.
Question 156
Which reconnaissance method gathers information without direct interaction with the target system?
A) Passive reconnaissance
B) Active reconnaissance
C) Social engineering
D) Phishing
Answer: A) Passive reconnaissance
Explanation:
Reconnaissance is the first phase of an attack or penetration test, where an attacker or ethical hacker gathers information about a target to identify potential vulnerabilities and plan subsequent actions. There are two main categories of reconnaissance: active and passive. Active reconnaissance involves direct interaction with the target system or network. This could include port scanning, ping sweeps, vulnerability scans, or banner grabbing, all of which generate network traffic that may be detected by security systems and are therefore considered intrusive. Because active reconnaissance interacts with the target directly, it can leave traces in logs, making detection possible.
In contrast, passive reconnaissance collects information without sending anything to the target's systems, which keeps the risk of detection to a minimum. It relies on publicly available resources and third-party data. Common techniques include querying WHOIS databases for domain registration details, pulling DNS records from passive DNS datasets or public resolvers, looking up the organization's IP allocations in the regional Internet registry databases, and reviewing social media profiles or corporate websites. Search engines, public forums, job postings, and news articles can reveal technical details, organizational structure, employee names, or system configurations. One caveat worth keeping in mind: a DNS query sent directly to the target's own authoritative name servers does touch target infrastructure and can be logged there, so strictly passive work uses third-party sources and cached data rather than the target's servers.
Social engineering, while sometimes considered part of the reconnaissance phase, requires human interaction and psychological manipulation to obtain confidential information. Techniques include pretexting, baiting, or tailgating, all of which involve engaging directly with individuals. Similarly, phishing attacks use deceptive messages, emails, or websites to trick users into revealing sensitive credentials or personal information. Both social engineering and phishing rely on interaction with the target and do not qualify as non-intrusive information-gathering methods.
Because the question explicitly asks for a reconnaissance method that gathers information without direct interaction, passive reconnaissance fits this description perfectly. It allows attackers or testers to acquire intelligence about the target’s systems, users, and network infrastructure safely and silently, leveraging only publicly available information. This makes it a foundational step for planning attacks, crafting targeted social engineering schemes, or performing detailed penetration tests while remaining undetected.
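As an added example (not part of the original page), the following Python pulls the facts a passive phase cares about out of a WHOIS record: registrant and contact mailboxes (and the naming convention they reveal), which name servers sit outside the organization's own zone, whether DNSSEC is enabled, and which fields are privacy-redacted. The WHOIS text, the domain and every name in it are constructed for the example; nothing is sent to any target.

```python
import re

# Constructed WHOIS response for a fictitious domain (assumption: the common
# "Key: Value" layout most registrars return; not a real registration).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-CORP.TEST
Registrar: Hypothetical Registrar LLC
Creation Date: 2015-03-02T10:15:00Z
Registry Expiry Date: 2026-03-02T10:15:00Z
Registrant Organization: Example Corp
Registrant Email: NetOps@example-corp.test
Admin Email: jane.doe@example-corp.test
Tech Email: REDACTED FOR PRIVACY
Name Server: NS1.EXAMPLE-CORP.TEST
Name Server: NS2.HOSTING-PROVIDER.TEST
DNSSEC: unsigned
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def parse_whois(text):
    """Turn 'Key: Value' lines into {lowercased key: [values]}; keys may repeat."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # first colon only: dates contain colons
        if not sep or not key.strip():
            continue
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def summarize_whois(text):
    """Extract the recon-relevant facts from a WHOIS record without touching the target."""
    fields = parse_whois(text)
    domain = fields.get("domain name", [""])[0].lower()
    name_servers = [ns.lower() for ns in fields.get("name server", [])]
    emails = sorted({
        m.group(0).lower()
        for key, values in fields.items() if key.endswith("email")
        for value in values for m in [EMAIL_RE.search(value)] if m
    })
    redacted = sorted(k for k, v in fields.items()
                      if any("REDACTED" in x.upper() for x in v))
    return {
        "domain": domain,
        "name_servers": name_servers,
        # DNS hosted outside the organization's own zone points at a third-party provider
        "third_party_dns": [ns for ns in name_servers if not ns.endswith("." + domain)],
        "emails": emails,
        # a first.last mailbox tells a later phishing/enumeration step how addresses are formed
        "naming_convention": "first.last" if any("." in e.split("@")[0] for e in emails) else "unknown",
        "dnssec": fields.get("dnssec", ["unsigned"])[0].lower() != "unsigned",
        "privacy_redacted_fields": redacted,
    }


if __name__ == "__main__":
    for key, value in summarize_whois(SAMPLE_WHOIS).items():
        print(f"{key}: {value}")
```

Real registrars vary in field names and many now redact contact data entirely; the parser keeps unknown keys so the summary can be extended, and the redaction list shows at a glance how much the registry still exposes.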
Question 157
Which attack uses ARP messages to intercept traffic between two systems?
A) ARP spoofing
B) DNS spoofing
C) DHCP spoofing
D) ICMP redirect attack
Answer: A) ARP spoofing
Explanation:
ARP spoofing, also known as ARP poisoning, is a network-level attack that exploits the Address Resolution Protocol (ARP) within a local area network (LAN) broadcast domain. ARP maps IP addresses to hardware MAC addresses so that devices on the same segment can frame traffic to one another. In a normal exchange, a device broadcasts a request for the MAC address that corresponds to a known IP address, and the rightful owner replies with its hardware address. ARP has no authentication, and most hosts update their ARP cache on any reply they receive, solicited or not. ARP spoofing abuses this by sending forged ARP replies to the target machines that associate the attacker's MAC address with the IP address of another device, typically the default gateway. The victim then frames traffic intended for the gateway to the attacker's MAC address instead. By poisoning both the victim and the gateway, the attacker can intercept, monitor, or modify communications between the two endpoints.
DNS spoofing, by contrast, targets the Domain Name System by providing false IP addresses in response to DNS queries. While it can redirect users to malicious websites, it does not manipulate ARP caches or intercept LAN traffic at the MAC layer. DHCP spoofing involves setting up a rogue DHCP server to hand clients incorrect IP configurations (for example a malicious gateway or DNS server), which can misroute traffic or cause denial of service, but it does not use ARP messages. ICMP redirect attacks trick a host into changing its routing table so that traffic for a destination goes via an attacker-chosen router; this works at the IP routing layer and, again, forges ICMP rather than ARP messages, so it is not the attack the question describes.
By sending falsified ARP replies, an attacker positions themselves as a man-in-the-middle between two devices. Once the ARP caches of the victims are poisoned, all communication between them flows through the attacker's system. This enables eavesdropping, packet modification, and even injection of malicious content into network sessions. The attack is effective on Ethernet and Wi-Fi segments precisely because ARP has no built-in authentication or verification. The standard countermeasures are switch features such as Dynamic ARP Inspection (backed by DHCP snooping), static ARP entries on critical hosts, and monitoring for IP-to-MAC binding changes; end-to-end encryption limits what an on-path attacker can read or alter even when poisoning succeeds. Since the question explicitly refers to using ARP messages to intercept traffic between systems, ARP spoofing precisely fits the described scenario.
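As an added example (not part of the original page), the following Python builds the forged ARP reply frames described above and then shows the detection side: replaying a captured sequence of ARP replies through an IP-to-MAC table and alerting whenever an IP address changes owner. The MAC and IP addresses are constructed for the example; only frame bytes are built, nothing is sent (transmitting would need a raw socket and privileges, which the example deliberately leaves out).

```python
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP 'is-at' reply (42 bytes before link-layer padding).
    A forged reply in ARP spoofing simply lies in sender_mac."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)      # Ethernet/IPv4, op=reply
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)   # who the frame claims to be
    arp += mac_bytes(target_mac) + socket.inet_aton(target_ip)   # who is being told
    return eth + arp


def forge_mitm_pair(attacker_mac, victim_mac, victim_ip, gateway_mac, gateway_ip):
    """Two forged replies: the victim learns gateway_ip -> attacker,
    the gateway learns victim_ip -> attacker, so both directions pass the attacker."""
    return (build_arp_reply(attacker_mac, gateway_ip, victim_mac, victim_ip),
            build_arp_reply(attacker_mac, victim_ip, gateway_mac, gateway_ip))


def parse_arp(frame):
    """Decode an ARP frame; None for anything that is not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,
            "sender_mac": mac_str(frame[22:28]), "sender_ip": socket.inet_ntoa(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": socket.inet_ntoa(frame[38:42])}


def detect_arp_poisoning(frames, known_bindings=None):
    """Replay captured frames through an IP->MAC table and report every owner change.
    known_bindings seeds the table (e.g. the gateway's real MAC from the DHCP lease list),
    so a forged reply is caught even when the legitimate reply was not captured.
    Returns [(ip, previous_mac, new_mac), ...]."""
    table = dict(known_bindings or {})
    alerts = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            continue
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        previous = table.get(ip)
        if previous is not None and previous != mac:
            alerts.append((ip, previous, mac))
        table[ip] = mac
    return alerts


# Constructed capture: the real gateway answers first, then an attacker host
# claims the gateway's IP toward the victim and the victim's IP toward the gateway.
GATEWAY_MAC, GATEWAY_IP = "aa:bb:cc:00:00:01", "192.168.1.1"
VICTIM_MAC, VICTIM_IP = "de:ad:be:ef:00:10", "192.168.1.10"
ATTACKER_MAC = "66:66:66:00:00:66"

CAPTURE = [build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)]
CAPTURE += list(forge_mitm_pair(ATTACKER_MAC, VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP))

if __name__ == "__main__":
    for ip, old, new in detect_arp_poisoning(CAPTURE, {VICTIM_IP: VICTIM_MAC}):
        print(f"ALERT {ip} moved from {old} to {new}")
```

Real ARP poisoning re-sends the forged replies every second or so to beat the victims' cache timers, which is itself a detectable signature: a stream of unsolicited replies for the gateway's IP from a non-gateway MAC. Seeding the table from an authoritative source matters because the detector otherwise trusts whichever claim it sees first.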
Question 158
Which attack intercepts, modifies, or injects network traffic between two endpoints?
A) Man-in-the-middle
B) Passive sniffing
C) Replay attack
D) Denial-of-service
Answer: A) Man-in-the-middle
Explanation:
A man-in-the-middle (MITM) attack is a network-level attack in which an attacker secretly relays, and potentially alters, communications between two parties who believe they are talking directly to each other. MITM attacks compromise the confidentiality and integrity of transmitted data, making them especially dangerous where sensitive information is involved, such as financial transactions, login credentials, or confidential communications. The attacker may passively read the relayed data or actively manipulate it by injecting malicious content or commands.
Passive sniffing is limited to monitoring and recording network traffic. Although it can expose sensitive information, it does not alter or inject data into the communication stream. Replay attacks, on the other hand, involve capturing previously transmitted messages and resending them to produce an unauthorized effect, but they do not modify live communications between endpoints. Denial-of-service (DoS) attacks focus on overwhelming systems or networks to render them unusable, but they do not intercept or manipulate traffic between communicating entities.
MITM attacks often leverage ARP spoofing, DNS spoofing, or SSL stripping to achieve their objectives. For example, in ARP-based MITM attacks, the attacker poisons ARP tables to position themselves between a client and the gateway, enabling interception and potential modification of packets. Similarly, DNS spoofing can redirect traffic to an attacker-controlled server, where communication can be observed or altered. The attacker may then inject malicious payloads, redirect users to fraudulent sites, or steal sensitive credentials.
Because the question explicitly mentions intercepting and modifying traffic between two endpoints, MITM attacks precisely match this description. The defining characteristic is that the attacker controls the communication channel, enabling real-time manipulation of transmitted data, often without either party noticing. This distinguishes MITM attacks from purely passive monitoring, replay attempts, or denial-of-service actions, which do not combine interception with active modification.
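As an added example (not part of the original page), the following Python shows the SSL-stripping step of an on-path attack from both sides: what the relaying proxy does to a response before handing it to the victim over plain HTTP, and the browser-side HSTS logic that defeats it by upgrading the request before anything is sent. The response headers, body and host names are constructed for the example.

```python
import re

HTTPS_RE = re.compile(r"https://", re.IGNORECASE)


def downgrade_response(headers, body):
    """What an sslstrip-style proxy does to a response it relays over plain HTTP:
    rewrite https:// references to http:// so the victim's browser never starts TLS
    itself (the proxy keeps its own TLS connection to the real server)."""
    out = dict(headers)
    if out.get("Location", "").lower().startswith("https://"):
        out["Location"] = "http://" + out["Location"][len("https://"):]
    # Browsers ignore HSTS received over plaintext anyway; the proxy drops it for consistency.
    out.pop("Strict-Transport-Security", None)
    return out, HTTPS_RE.sub("http://", body)


def parse_hsts(value):
    """Strict-Transport-Security header -> (max_age, include_subdomains, preload)."""
    max_age, include_subdomains, preload = 0, False, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().lower().partition("=")
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return max_age, include_subdomains, preload


def update_hsts_store(host, headers, store=None):
    """Browser-style HSTS store update for a response received OVER TLS.
    store maps host -> include_subdomains."""
    store = dict(store or {})
    value = headers.get("Strict-Transport-Security")
    if value is not None:
        max_age, subs, _preload = parse_hsts(value)
        if max_age > 0:
            store[host.lower()] = subs
        else:
            store.pop(host.lower(), None)      # max-age=0 clears the entry
    return store


def browser_upgrades(host, store):
    """True if the browser rewrites http://host to https:// before sending anything,
    so a stripped link never produces a plaintext request for the proxy to relay."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        entry = store.get(".".join(labels[i:]))
        if entry is not None and (i == 0 or entry):
            return True
    return False


# Constructed response from a fictitious bank as it left the server over TLS.
ORIGIN_HEADERS = {"Location": "https://bank.test/login",
                  "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
ORIGIN_BODY = '<a href="https://bank.test/login">Sign in</a>'

if __name__ == "__main__":
    stripped_headers, stripped_body = downgrade_response(ORIGIN_HEADERS, ORIGIN_BODY)
    print(stripped_headers["Location"], stripped_body)
    store = update_hsts_store("bank.test", ORIGIN_HEADERS)
    print("www.bank.test upgraded:", browser_upgrades("www.bank.test", store))
```

The weakness HSTS leaves open is the first visit: the store is empty until one response has been seen over TLS, which is why the preload directive and the browsers' built-in preload list exist. A stripping proxy that the victim reaches via ARP or DNS spoofing only wins against hosts not yet in that store.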
Question 159
Which attack captures a session token or cookie to impersonate a user?
A) Session hijacking
B) Phishing
C) Keylogging
D) SQL injection
Answer: A) Session hijacking
Explanation:
Session hijacking is a network or application-level attack where an adversary captures an active user session token or authentication cookie to assume the identity of that user. Web applications use session tokens or cookies to maintain authenticated sessions after a user logs in. These tokens act as digital keys that grant access without requiring repeated entry of credentials. If an attacker obtains a valid session token, they can impersonate the user, bypassing authentication mechanisms entirely.
Phishing attacks rely on social engineering and deception to trick users into voluntarily providing credentials or personal information. While phishing may eventually lead to account compromise, it does not directly target session tokens or cookies. Keylogging captures keystrokes from users, potentially revealing passwords or other sensitive inputs, but it does not inherently provide access to active sessions. SQL injection exploits vulnerabilities in web application input handling to manipulate database queries, allowing data extraction or manipulation, but it does not directly intercept session data unless combined with other techniques.
Session hijacking can occur through multiple vectors, including packet sniffing on unencrypted networks (cookies sent without the Secure flag travel in the clear), cross-site scripting (XSS) attacks that read cookies lacking the HttpOnly flag from users' browsers, and weaknesses in the tokens themselves, such as predictable session IDs, IDs carried in URLs, or sessions that are not rotated after login. Once the token is obtained, the attacker can seamlessly access the target account, execute actions, and retrieve sensitive information, all while appearing to the application as a legitimate user. Because the attack does not require the victim's login credentials but relies on the session token itself, it bypasses the password and any MFA challenge that was completed at login, and it is particularly stealthy in real-time scenarios.
Given that the question specifically describes capturing session data to impersonate a user, session hijacking is the correct answer. It is distinguished from phishing, keylogging, and SQL injection by its direct exploitation of session tokens, making it a core attack technique in web security assessments and penetration testing scenarios.
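As an added example (not part of the original page), the following Python shows the two checks a practitioner runs around session hijacking: auditing Set-Cookie headers for the flags that block the sniffing and XSS vectors above, and scanning access logs for a session token used from more than one client, which is how a stolen token shows up on the defensive side. The cookie headers, log format and log lines are constructed for the example.

```python
import re
from collections import defaultdict


def audit_session_cookie(set_cookie):
    """Return (cookie_name, [weaknesses]) for one Set-Cookie header value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip().lower()
    findings = []
    if "secure" not in attrs:
        findings.append("no Secure flag: sent over plain HTTP, readable by a sniffer on the path")
    if "httponly" not in attrs:
        findings.append("no HttpOnly flag: document.cookie exposes it to an XSS payload")
    if attrs.get("samesite") not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: attached to cross-site requests")
    return name, findings


# Constructed access-log lines (hypothetical format: time ip sid ua method path).
SAMPLE_ACCESS_LOG = """\
2024-05-01T10:00:01Z 203.0.113.5 sid=8f3a9c ua=Firefox/125 GET /account
2024-05-01T10:00:09Z 203.0.113.5 sid=8f3a9c ua=Firefox/125 GET /messages
2024-05-01T10:01:30Z 198.51.100.77 sid=8f3a9c ua=curl/8.5 GET /account/export
2024-05-01T10:02:00Z 203.0.113.9 sid=a1b2c3 ua=Chrome/124 GET /account
"""
LOG_RE = re.compile(r"^(\S+) (\S+) sid=(\S+) ua=(\S+) (\S+) (\S+)$")


def detect_session_reuse(log_text):
    """Sessions seen from more than one (client IP, User-Agent) pair: a hijack indicator.
    Returns {sid: [(ip, ua), ...]} in order of first appearance."""
    clients = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, ip, sid, ua, _method, _path = m.groups()
        if (ip, ua) not in clients[sid]:
            clients[sid].append((ip, ua))
    return {sid: c for sid, c in clients.items() if len(c) > 1}


if __name__ == "__main__":
    for header in ("SESSIONID=8f3a9c; Path=/; HttpOnly; Secure; SameSite=Lax",
                   "legacy_sid=12345; Path=/"):
        print(audit_session_cookie(header))
    print(detect_session_reuse(SAMPLE_ACCESS_LOG))
```

The reuse check is a signal, not proof: mobile users change IP behind carrier NAT and a browser update changes the User-Agent, so the flagged session is something to confirm (a new ASN or country plus a scripted client like curl/8.5 is far stronger than an IP change alone) and the application's own defence is to bind or rotate tokens rather than rely on the log review.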
Question 160
Which attack collects credentials by exploiting reused usernames and passwords across multiple sites?
A) Credential stuffing
B) Brute force attack
C) Dictionary attack
D) Social engineering
Answer: A) Credential stuffing
Explanation:
Credential stuffing is an automated attack method that exploits the common practice of password reuse across multiple platforms. Attackers obtain large datasets of usernames and passwords from previous security breaches and systematically attempt to use these credentials on various websites or services, aiming to gain unauthorized access. The effectiveness of credential stuffing relies heavily on human behavior, specifically the tendency to reuse identical login information across accounts.
Brute force attacks, by contrast, attempt every possible combination of characters within a defined password space. They do not rely on previously leaked credentials but instead systematically test the entire set of potential passwords, making them computationally intensive and independent of prior data. Dictionary attacks similarly attempt to guess passwords using precompiled lists of common words, phrases, or leaked passwords, but they do not exploit known valid credentials across multiple sites. Social engineering manipulates humans to voluntarily disclose sensitive information, often through deception or persuasion, and does not rely on automated credential reuse.
Credential stuffing attacks are particularly effective because many users recycle passwords across multiple accounts. Attackers use automated tools to test thousands or millions of leaked credential pairs against login portals, typically one attempt per account, and spread the traffic across proxies or botnets so that no single source trips rate limits or lockouts. The attack compromises accounts without cracking any passwords, relying solely on the leaked credentials still being valid. Defenses therefore target the reuse itself: checking new passwords against breach corpora, requiring multi-factor authentication, and watching for many distinct usernames attempted from one source or a burst of single failed attempts across many accounts.
Since the question explicitly describes exploiting reused credentials across multiple sites, credential stuffing aligns perfectly with the scenario. The attack combines knowledge of previously leaked usernames and passwords with automation to achieve rapid, large-scale account compromise, making it distinct from brute force, dictionary, or social engineering attacks. It represents a major threat in modern cybersecurity, particularly given the prevalence of credential reuse among users.
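As an added example (not part of the original page), the following Python classifies authentication-log sources by the shape of their attempts, which is exactly the distinction the question turns on: credential stuffing tries each account about once with a leaked pair, brute force tries one account many times. It also lists the accounts whose reused credentials worked. The log format, addresses and usernames are constructed for the example.

```python
from collections import defaultdict

# Constructed authentication log (hypothetical format: time ip username result).
SAMPLE_AUTH_LOG = """\
2024-05-01T10:00:00Z 198.51.100.7 alice FAIL
2024-05-01T10:00:01Z 198.51.100.7 bob FAIL
2024-05-01T10:00:01Z 198.51.100.7 carol SUCCESS
2024-05-01T10:00:02Z 198.51.100.7 dave FAIL
2024-05-01T10:00:02Z 198.51.100.7 erin FAIL
2024-05-01T10:00:03Z 198.51.100.7 frank FAIL
2024-05-01T10:00:10Z 203.0.113.44 alice FAIL
2024-05-01T10:00:11Z 203.0.113.44 alice FAIL
2024-05-01T10:00:12Z 203.0.113.44 alice FAIL
2024-05-01T10:00:13Z 203.0.113.44 alice FAIL
2024-05-01T10:00:14Z 203.0.113.44 alice FAIL
2024-05-01T10:00:15Z 203.0.113.44 alice FAIL
2024-05-01T10:05:00Z 192.0.2.10 grace SUCCESS
2024-05-01T10:06:00Z 192.0.2.10 grace FAIL
"""


def summarize_by_ip(log_text):
    """Per source IP: attempt count, failures, distinct usernames, usernames that succeeded."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "successes": set()})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        _ts, ip, user, result = fields
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if result == "SUCCESS":
            s["successes"].add(user)
        else:
            s["failures"] += 1
    return dict(stats)


def classify_sources(stats, min_attempts=5, spread=0.8):
    """Label each source by the shape of its attempts rather than by volume alone.
    credential_stuffing: roughly one try per account across many accounts (leaked pairs)
    brute_force:         many tries against a single account (guessing the password)"""
    labels = {}
    for ip, s in stats.items():
        if s["attempts"] < min_attempts:
            labels[ip] = "normal"
        elif len(s["users"]) >= spread * s["attempts"]:
            labels[ip] = "credential_stuffing"
        elif len(s["users"]) == 1:
            labels[ip] = "brute_force"
        else:
            labels[ip] = "suspicious"
    return labels


def likely_compromised(stats, labels):
    """Accounts that logged in successfully from a stuffing source: their reused password is valid."""
    return sorted(user for ip, s in stats.items()
                  if labels[ip] == "credential_stuffing" for user in s["successes"])


if __name__ == "__main__":
    stats = summarize_by_ip(SAMPLE_AUTH_LOG)
    labels = classify_sources(stats)
    print(labels)
    print("reset and notify:", likely_compromised(stats, labels))
```

Distributed stuffing defeats the per-IP view by giving every proxy only a handful of attempts; the complementary aggregate is per account (one failed attempt each for hundreds of accounts within a short window, from many unrelated sources), and the response for the successes is the same: force a password reset and treat the credential as publicly known.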