ECCouncil 312-50v13 Certified Ethical Hacker v13 Exam Dumps and Practice Test Questions Set 10 Q181-200
Question 181
Which attack exploits vulnerabilities in input validation to execute arbitrary commands on a server?
A) SQL injection
B) Command injection
C) Cross-site scripting
D) Directory traversal
Answer: B) Command injection
Explanation:
SQL injection targets database queries by inserting malicious SQL code into input fields. It manipulates backend databases to extract, modify, or delete data. While it can indirectly affect application behavior, it does not execute arbitrary operating system commands, which is the focus of the question.
Command injection occurs when user input is improperly validated and included in operating system commands. Attackers can execute arbitrary commands on the server, potentially gaining full system control. This is a common vulnerability in web applications that directly invoke shell commands using user input. Since the question specifically asks for execution of arbitrary commands on a server, command injection is the correct answer.
Cross-site scripting (XSS) injects scripts into web pages viewed by other users. It primarily affects clients’ browsers and does not allow execution of commands on the server. XSS is focused on client-side exploitation, so it does not match the scenario described.
Directory traversal attacks attempt to access files outside the web root by manipulating file path inputs. While dangerous, this technique focuses on unauthorized file access rather than executing system commands, making it incorrect for this question.
Because the scenario involves execution of arbitrary commands through improper input validation, command injection is the correct and precise match.
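The vulnerable pattern described above, beside its hardened form, as an added example that is not part of the original page: a web handler that pastes a user-supplied hostname into a shell command string versus one that validates the input against a hostname allowlist and passes it as a discrete argv element. The `echo` command stands in for whatever server command the application would run, and the sample inputs are constructed.

```python
import re
import subprocess

# Constructed sample inputs (not from the exam page): a normal hostname and
# one carrying a shell metacharacter. The injected second command is a
# harmless echo so the demonstration is safe to run.
BENIGN = "example.com"
HOSTILE = "example.com; echo INJECTED"

# RFC 1123-style hostname allowlist: labels of letters, digits and hyphens
# joined by dots. Spaces, ';', '|', '$', backticks and quotes never match.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_valid_hostname(value: str) -> bool:
    return HOSTNAME_RE.match(value) is not None


def vulnerable_echo(host: str) -> str:
    """'Before' form: user input is concatenated into one command string and
    handed to /bin/sh. The shell splits on ';' and runs the second command."""
    result = subprocess.run(
        f"echo {host}", shell=True, capture_output=True, text=True, check=False
    )
    return result.stdout


def argv_echo(host: str) -> str:
    """No shell involved: the input is a single argv element, so ';' is just a
    character inside the argument. Still unvalidated, so it is echoed verbatim."""
    result = subprocess.run(
        ["echo", host], capture_output=True, text=True, check=False
    )
    return result.stdout


def safe_echo(host: str) -> str:
    """Hardened form: allowlist validation first, then the argv form. Bad input
    is rejected outright rather than escaped."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return argv_echo(host)


if __name__ == "__main__":
    print(vulnerable_echo(HOSTILE), end="")  # prints example.com, then INJECTED
    print(argv_echo(HOSTILE), end="")        # prints the whole input as one line
    try:
        safe_echo(HOSTILE)
    except ValueError as exc:
        print(exc)
```

The two fixes are independent: dropping `shell=True` removes the interpreter that turns `;` into a command separator, and the allowlist rejects anything that is not a hostname before it reaches any command at all. Either alone blocks this input; together they also cover commands that themselves interpret metacharacters.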
Question 182
Which protocol is primarily used for secure remote login and file transfer over an untrusted network?
A) FTP
B) SSH
C) Telnet
D) HTTP
Answer: B) SSH
Explanation:
FTP (File Transfer Protocol) is used to transfer files but transmits credentials in plaintext. This makes it unsuitable for secure communication over untrusted networks. FTP does not provide encryption for login sessions, so it is not the correct answer.
SSH (Secure Shell) provides encrypted communication for both remote login and file transfer (via SCP or SFTP). It protects authentication and data in transit, making it highly secure against eavesdropping and MITM attacks. Because the question specifically asks for secure remote login and file transfer over an untrusted network, SSH is the correct answer.
Telnet is a legacy protocol for remote login but transmits all data, including passwords, in plaintext. It is vulnerable to interception and cannot be considered secure over untrusted networks.
HTTP is the standard protocol for web traffic and does not inherently provide encrypted remote login or file transfer capabilities. HTTPS provides encryption but is not designed for terminal-based remote login.
SSH’s combination of encrypted authentication and secure file transfer capabilities makes it the correct protocol for this scenario.
Question 183
Which attack tricks a user’s browser into sending unauthorized requests to a trusted application?
A) Cross-site request forgery
B) SQL injection
C) ARP spoofing
D) Directory traversal
Answer: A) Cross-site request forgery
Explanation:
Cross-Site Request Forgery (CSRF) is a web application attack that exploits the implicit trust a server places in a user’s browser. Unlike other attacks that target the server or database directly, CSRF manipulates the user into performing actions they did not intend while authenticated to a trusted application. When a user is logged in to a web application, their browser automatically includes session cookies or authentication tokens with requests. A CSRF attack leverages this behavior by tricking the user into submitting a malicious request, typically through a crafted link, image, or hidden form on an attacker-controlled site. Because the browser automatically attaches valid authentication credentials, the server interprets the request as legitimate, executing operations such as changing account details, performing transactions, or deleting data—all without the user’s knowledge or consent.
CSRF differs significantly from other common web attacks. SQL injection targets the server-side database by injecting malicious SQL statements into input fields or URL parameters. While SQLi can compromise data confidentiality and integrity, it does not rely on tricking the user’s browser or leveraging their authenticated session. ARP spoofing, on the other hand, is a local network attack in which the attacker associates their MAC address with a legitimate IP address to intercept network traffic. Though ARP spoofing can facilitate man-in-the-middle attacks, it does not directly exploit browser trust or authenticated sessions in web applications. Similarly, directory traversal attacks focus on file system vulnerabilities by manipulating file paths to access restricted directories or sensitive files. These attacks do not coerce users into sending requests and are not dependent on active authenticated sessions.
The key characteristic of CSRF is its reliance on the user’s existing session. By embedding malicious requests within emails, websites, or third-party content, attackers can execute operations on behalf of the user without their awareness. Because the server cannot distinguish between legitimate user-initiated actions and those submitted unknowingly through a CSRF attack, this vulnerability can have serious consequences, including unauthorized fund transfers, changes to account settings, or exposure of confidential information.
Given the scenario described—tricking a user’s browser into sending requests to a trusted web application using an authenticated session—CSRF is the correct answer. It precisely aligns with the mechanism of forcing unintended actions via session trust, whereas SQL injection, ARP spoofing, and directory traversal each target different components and do not involve manipulating a user’s browser behavior. Proper mitigation techniques include implementing anti-CSRF tokens, validating the origin of requests, and enforcing same-site cookie policies to prevent unauthorized cross-site actions.
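The three mitigations named above (anti-CSRF tokens, origin validation, same-site cookies), as an added example that is not from the original page: a server-side session holds a synchronizer token that is embedded in the form body, and a state-changing request is accepted only if its `Origin` (or `Referer`) matches the application's own origin and the submitted token matches the session's. The origin `https://bank.example`, the `/transfer` endpoint and the request dictionaries are constructed for the example.

```python
import hmac
import secrets

# Hypothetical application origin (constructed for this example).
APP_ORIGIN = "https://bank.example"


class Session:
    """Server-side session. The CSRF token is minted once per session and sent
    only in page bodies, never in a cookie, so a third-party site cannot read it."""

    def __init__(self) -> None:
        self.id = secrets.token_urlsafe(16)
        self.csrf_token = secrets.token_urlsafe(32)


def session_cookie_header(session: Session) -> str:
    """Set-Cookie value: SameSite=Lax stops the browser attaching the session
    cookie to cross-site POSTs; Secure and HttpOnly limit other exposure."""
    return f"session={session.id}; Secure; HttpOnly; SameSite=Lax; Path=/"


def render_transfer_form(session: Session) -> str:
    """The token rides in a hidden field of the legitimate form."""
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<input name="amount"><button>Send</button></form>'
    )


def origin_is_trusted(headers: dict) -> bool:
    """Origin check with Referer fallback. A request carrying neither header is
    rejected here; relax that only for endpoints that need it."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == APP_ORIGIN
    referer = headers.get("Referer")
    return referer is not None and referer.startswith(APP_ORIGIN + "/")


def is_request_allowed(session: Session, headers: dict, form: dict) -> bool:
    """Both checks must pass for a state-changing request. compare_digest keeps
    the token comparison constant-time."""
    if not origin_is_trusted(headers):
        return False
    submitted = str(form.get("csrf_token", ""))
    return hmac.compare_digest(submitted.encode(), session.csrf_token.encode())


def demo() -> dict:
    """Legitimate submission versus three forged ones (constructed requests)."""
    s = Session()
    legit = is_request_allowed(
        s, {"Origin": APP_ORIGIN}, {"csrf_token": s.csrf_token, "amount": "10"})
    # Browser attaches the cookie, but the attacker's page has no token and a
    # foreign Origin.
    forged = is_request_allowed(
        s, {"Origin": "https://attacker.example"}, {"amount": "10000"})
    # Right origin header, wrong (guessed) token.
    guessed = is_request_allowed(
        s, {"Origin": APP_ORIGIN},
        {"csrf_token": secrets.token_urlsafe(32), "amount": "10000"})
    # No Origin or Referer at all.
    no_origin = is_request_allowed(s, {}, {"csrf_token": s.csrf_token})
    return {"legit": legit, "forged": forged, "guessed": guessed,
            "no_origin": no_origin}


if __name__ == "__main__":
    print(demo())  # {'legit': True, 'forged': False, 'guessed': False, 'no_origin': False}
```

The token check is what defeats CSRF; the origin check and `SameSite=Lax` are defence in depth for cases such as a token leaked through a subdomain or an older browser that ignores the cookie attribute.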
Question 184
Which malware type records user keystrokes to capture sensitive information?
A) Spyware
B) Ransomware
C) Keylogger
D) Trojan
Answer: C) Keylogger
Explanation:
Keylogger malware is a type of malicious software designed specifically to record the keystrokes a user types on their keyboard. By capturing every keystroke, keyloggers can obtain highly sensitive information, including usernames, passwords, credit card numbers, personal messages, and other confidential data. This data is typically transmitted to the attacker either in real-time or in batches, enabling unauthorized access to accounts and financial information, identity theft, or further exploitation of the compromised system. Keyloggers can operate in the background without the user’s awareness, making them particularly stealthy and dangerous. They may be implemented as standalone malware or embedded within other types of malicious software to enhance their functionality.
It is important to distinguish keyloggers from other types of malware that may have overlapping objectives but differ in specificity and primary function. Spyware, for instance, broadly monitors user activity and gathers information about system usage, installed software, or browsing habits. While some spyware may include keylogging features, not all spyware records every keystroke. Its primary purpose is surveillance rather than capturing detailed textual input. Therefore, spyware alone is not a precise answer when the question focuses on keystroke capture.
Ransomware is another category of malware, but its goal is entirely different. Ransomware encrypts the files or entire storage on a victim’s device and then demands a ransom payment to provide decryption keys. Although ransomware can cause significant disruption and financial loss, it does not monitor or log keystrokes, so it is not relevant to this scenario.
Trojan malware, or Trojans, masquerade as legitimate software while delivering malicious payloads. Trojans are versatile and can perform a variety of malicious actions, including remote access, data theft, or even keylogging if programmed to do so. However, the Trojan category is broad and does not inherently involve recording keystrokes. Not all Trojans contain keylogging functionality, making them less precise as an answer than a dedicated keylogger.
Because the question specifically asks for malware that captures keystrokes, keylogger is the most accurate and relevant answer. Keyloggers directly fulfill this role, operating quietly to record typed input and transmit it to attackers. Understanding the distinction between keyloggers and other malware types is critical in cybersecurity, as it informs detection strategies, incident response, and mitigation measures. Defenses against keyloggers include using antivirus and anti-malware software, enabling on-screen keyboards for sensitive input, implementing multi-factor authentication, and monitoring system processes for suspicious activity.
Question 185
Which technique breaks a malicious payload into smaller packets to evade intrusion detection systems?
A) Packet sniffing
B) IP fragmentation attack
C) DNS poisoning
D) SQL injection
Answer: B) IP fragmentation attack
Explanation:
Packet sniffing is a technique used to monitor and capture network traffic for analysis. Tools such as Wireshark, tcpdump, and similar network analyzers intercept packets traveling across a network, allowing security professionals, network administrators, or attackers to examine the headers, payloads, and metadata of network communication. This can reveal a wealth of information, including IP addresses, protocols in use, session identifiers, authentication tokens, and other sensitive data transmitted in plaintext or weakly encrypted formats. Packet sniffing is invaluable for network troubleshooting, performance monitoring, and security auditing, as it provides a granular view of traffic flow and anomalies.
However, it is important to note that packet sniffing itself is a passive monitoring technique. It does not modify, split, or fragment packets, nor does it inherently attempt to evade detection mechanisms. Its primary goal is observation rather than active manipulation or intrusion. Attackers may leverage packet sniffers to harvest sensitive data such as login credentials, session cookies, or confidential communications, but the act of sniffing does not alter the packet structure or bypass security controls. Because packet sniffing does not interact with security detection systems like Intrusion Detection Systems (IDS) or firewalls in a way that conceals malicious intent, it is not classified as an evasion technique.
While packet sniffing can help attackers understand a network’s topology or identify vulnerabilities, it is distinct from techniques explicitly designed to bypass security controls. For example, attacks that modify network traffic, such as IP fragmentation attacks, specifically aim to exploit limitations in IDS packet reassembly logic to slip past detection. Packet sniffing merely observes the traffic in its current state and relies on existing network permissions to do so. Properly configured networks often detect unauthorized sniffing through measures like port security, network segmentation, encrypted communication channels, and anomaly-based intrusion detection.
Packet sniffing is therefore an analytical tool rather than an offensive evasion strategy. It provides insight into network activity but does not fragment, alter, or hide packets; it is used legitimately for monitoring and troubleshooting and can be abused for reconnaissance and data capture, but it never changes how a payload is packetized. The remaining distractors do not either: DNS poisoning corrupts resolver caches to redirect victims, and SQL injection targets a backend database through application input. An IP fragmentation attack, by contrast, deliberately splits a malicious payload across multiple small IP fragments so that no single fragment matches an IDS signature, relying on the IDS reassembling the fragments differently from the target host, or not at all. Because the question asks which technique breaks a payload into smaller packets to evade intrusion detection, IP fragmentation attack is the correct answer.
Question 186
Which wireless attack captures the WPA/WPA2 four-way handshake?
A) Deauthentication attack
B) Evil twin attack
C) War-driving
D) MAC flooding
Answer: A) Deauthentication attack
Explanation:
A deauthentication attack is the correct answer because it directly aligns with the scenario in which wireless clients are forced to disconnect from an access point (AP) so the attacker can capture the authentication handshake when the clients reconnect. To understand why, it is important to examine how this attack works and why the other options do not fit the described behavior.
A deauthentication attack exploits the management frames used in Wi-Fi networks. These frames, including deauth and disassociation messages, are not encrypted in many Wi-Fi protocols, especially in older or improperly configured networks. Attackers can easily forge deauthentication frames and send them to clients, making them believe the AP has disconnected them. When forced offline, the clients automatically attempt to reconnect to the network. During this reconnection process, the WPA/WPA2/WPA3 four-way handshake is initiated. If an attacker is monitoring the airwaves using a packet capture tool like Aircrack-ng or Wireshark, they can capture this handshake. Once obtained, it can be used in offline brute-force or dictionary attacks to attempt to recover the Wi-Fi password. Because the attack explicitly causes disconnection and triggers handshake capture, it perfectly fits the scenario in the question.
An evil twin attack, by contrast, focuses on impersonating a legitimate access point using a rogue AP broadcasting the same SSID. While this allows attackers to steal credentials, perform phishing-style attacks, or act as a man-in-the-middle, it does not inherently force clients to disconnect from the legitimate AP to capture the handshake. Evil twins rely on tricking users into connecting voluntarily or through signal manipulation, not on deauthentication as a mechanism for forced disconnection. Therefore, while dangerous, it does not match the specific requirement of forcibly capturing a handshake.
War-driving is purely a reconnaissance technique. Attackers or researchers move through an area—often in a car—scanning for and mapping wireless networks. The goal is typically to identify SSIDs, encryption types, signal strengths, and publicly broadcast information. It does not involve any attack against the network, nor does it capture or manipulate handshake traffic. Since war-driving does not disconnect clients or interact with authentication frames, it is irrelevant to the described scenario.
MAC flooding, on the other hand, targets wired networks—specifically Ethernet switches. By overwhelming the switch’s CAM table with bogus MAC addresses, the attacker forces the switch into fail-open mode, causing it to broadcast traffic to all ports. This has no connection to Wi-Fi handshakes or wireless deauthentication behavior.
Thus, the only option that matches the scenario of forcing clients to reconnect in order to capture the four-way handshake is the deauthentication attack.
Question 187
Which tool automates exploitation of known vulnerabilities in target systems?
A) Metasploit
B) Nmap
C) Wireshark
D) Nikto
Answer: A) Metasploit
Explanation:
Metasploit is the correct answer because it is specifically designed as a powerful, modular exploitation framework that enables security professionals and penetration testers to automate the process of identifying, selecting, configuring, and launching exploits against vulnerable systems. What separates Metasploit from scanning, mapping, or traffic‑analysis tools is its ability to not only identify weaknesses but also actively take advantage of them using a vast library of exploit modules, payloads, auxiliary modules, and post‑exploitation tools. This built‑in automation significantly reduces the manual effort typically required during the exploitation phase of penetration testing, especially when dealing with large networks or multiple vulnerabilities across different systems.
To understand why Metasploit is uniquely suited for automated exploitation, it is useful to compare it with the other tools listed in the question. Nmap, for example, is one of the most widely used network scanning tools in cybersecurity. It excels at discovering live hosts, enumerating open ports, fingerprinting services, detecting versions, and running scripts through the Nmap Scripting Engine (NSE). While NSE can identify vulnerabilities or misconfigurations, Nmap does not automate exploitation and cannot deploy payloads, run shellcode, or compromise systems. Its primary role is reconnaissance, not offensive exploitation.
Wireshark, on the other hand, is a network protocol analyzer. It captures and analyzes packets, making it invaluable for diagnosing network issues, monitoring communications, troubleshooting protocols, or detecting suspicious traffic. Despite its power in traffic inspection, Wireshark does not include any functionality for exploiting systems or delivering payloads. Its purpose is strictly analytic and passive, not offensive or automated in nature.
Nikto is a vulnerability scanner intended primarily for web servers. It checks for outdated software, configuration issues, dangerous scripts, and commonly known web server vulnerabilities. However, Nikto’s scope is limited to identification; it does not automate exploitation or provide payload‑delivery capabilities. It alerts administrators to problems but does not act upon them beyond reporting.
In contrast, Metasploit integrates scanning, exploitation, payload generation, privilege escalation, and post‑exploitation into one cohesive framework. It can automatically match discovered vulnerabilities with corresponding exploits, select payloads, and execute attacks with minimal manual intervention. Its database of hundreds of exploits is continuously updated, allowing testers to simulate real‑world attack scenarios quickly and effectively.
Because the question specifically asks for a tool that automates exploitation, Metasploit is the only correct answer.
Question 188
Which type of attack involves guessing passwords using combinations of dictionary words and character variations?
A) Brute force attack
B) Dictionary attack
C) Hybrid attack
D) Credential stuffing
Answer: C) Hybrid attack
Explanation:
A hybrid attack is the correct answer because it blends the strengths of a dictionary attack and a brute‑force attack to generate password guesses that are both intelligent and comprehensive. Unlike pure brute‑force methods, which attempt every possible combination of characters without any prioritization or linguistic awareness, hybrid attacks begin with a list of known or likely words—typically drawn from dictionaries, leaked credentials, common passwords, or wordlists tailored to a target. After selecting a base word, the hybrid attack applies rules or transformations to generate variations such as appending numbers, adding special characters, capitalizing letters, substituting characters, inserting patterns, and altering the structure of the word. This enables attackers to attempt variations of predictable passwords far more efficiently than full brute‑force approaches.
To understand why a hybrid attack matches the scenario in the question, it is essential to compare it with the other listed attack types. A brute‑force attack systematically tests every possible password combination, including all permutations of letters, digits, and symbols. While brute force is comprehensive, it does not preferentially test dictionary-based combinations or apply rule-based modifications, making it slower and less targeted. Because it does not start with dictionary words, it does not match the described attack technique.
A dictionary attack, although more efficient than brute force, limits itself to testing a static list of words exactly as they appear. It does not apply variations such as adding trailing numbers or substituting characters. Thus, it lacks the dynamic generation behavior highlighted in the scenario. Although dictionary attacks form the foundation of hybrid attacks, they are not sufficient on their own to match the description.
Credential stuffing is fundamentally different because it does not generate passwords at all. Instead, attackers reuse known username‑password pairs—typically stolen from data breaches—to attempt login across multiple platforms. This attack takes advantage of password reuse rather than guessing or password generation. It is unrelated to modifying dictionary words.
A hybrid attack is uniquely designed to exploit user tendencies such as choosing predictable patterns (e.g., “Password1,” “Summer2024,” or “Admin!”). By combining dictionary words with rule-based modifications, hybrid attacks achieve a balance of speed, efficiency, and sophistication. Since the question asks for an attack that incorporates dictionary words and applies variations, the correct answer is clearly hybrid attack.
Question 189
Which scanning method sends SYN packets but does not complete the TCP handshake?
A) TCP connect scan
B) SYN scan
C) UDP scan
D) ACK scan
Answer: B) SYN scan
Explanation:
A SYN scan, also known as a “half‑open” scan, is the correct answer because it works by sending only the first packet of the TCP three‑way handshake—the SYN packet—to a target port. Based on the response, the attacker can determine whether the port is open, closed, or filtered, all without completing the handshake. If the target replies with a SYN‑ACK packet, the scanner knows the port is open, but instead of sending the ACK packet that would finalize the connection, it immediately sends an RST (reset) packet. This prevents the connection from being fully established, making the scan stealthier and less detectable by intrusion detection systems.
To understand why the SYN scan matches the question, it is necessary to compare it with other scan types. A TCP connect scan differs significantly because it completes the entire three‑way handshake: SYN, SYN‑ACK, and ACK. This means the connection is fully established before being closed, making it noisier and more easily detected by logs and monitoring tools. Since the question explicitly asks for a scan that does not complete the handshake, the TCP connect scan is not correct.
A UDP scan examines UDP ports instead of TCP ports. Because UDP is connectionless and does not use a handshake mechanism, this type of scan is irrelevant to the scenario. It cannot involve SYN packets because SYN is specific to TCP.
An ACK scan uses TCP ACK packets but serves an entirely different purpose. It is primarily used to determine whether a firewall is filtering packets and to map firewall rules—not to identify open ports. ACK scans cannot reliably determine port states because they do not initiate a handshake sequence or depend on SYN‑ACK responses.
SYN scans are favored by penetration testers because they balance speed, stealth, and accuracy. They allow scanning large ranges of ports efficiently while minimizing the risk of alerting security monitoring systems. Tools like Nmap support SYN scanning extensively due to its reliability and stealth characteristics. Since the technique involves sending only SYN packets without completing the TCP handshake, it perfectly fits the description provided. Therefore, SYN scan is the correct answer.
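The half-open signature described above (SYN, SYN-ACK, then RST from the initiator instead of ACK) is also what a defender looks for. As an added example that is not from the original page, the code below groups constructed flow records into SYN-initiated flows, labels each as completed, half-open, closed, or pending, and reports any source that reset SYN/SYN-ACK exchanges on several distinct ports. The log format, addresses and threshold are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed flow records (not from the page): "ts src:port > dst:port FLAGS".
# 10.0.0.5 half-open scans five ports on 10.0.0.10 (445 is closed there);
# 10.0.0.7 makes one ordinary full connection to 443.
SAMPLE_LOG = """\
2024-05-01T10:00:00.001 10.0.0.5:40001 > 10.0.0.10:22 S
2024-05-01T10:00:00.002 10.0.0.10:22 > 10.0.0.5:40001 SA
2024-05-01T10:00:00.003 10.0.0.5:40001 > 10.0.0.10:22 R
2024-05-01T10:00:00.004 10.0.0.5:40002 > 10.0.0.10:80 S
2024-05-01T10:00:00.005 10.0.0.10:80 > 10.0.0.5:40002 SA
2024-05-01T10:00:00.006 10.0.0.5:40002 > 10.0.0.10:80 R
2024-05-01T10:00:00.007 10.0.0.5:40003 > 10.0.0.10:443 S
2024-05-01T10:00:00.008 10.0.0.10:443 > 10.0.0.5:40003 SA
2024-05-01T10:00:00.009 10.0.0.5:40003 > 10.0.0.10:443 R
2024-05-01T10:00:00.010 10.0.0.5:40004 > 10.0.0.10:445 S
2024-05-01T10:00:00.011 10.0.0.10:445 > 10.0.0.5:40004 RA
2024-05-01T10:00:00.012 10.0.0.5:40005 > 10.0.0.10:3389 S
2024-05-01T10:00:00.013 10.0.0.10:3389 > 10.0.0.5:40005 SA
2024-05-01T10:00:00.014 10.0.0.5:40005 > 10.0.0.10:3389 R
2024-05-01T10:00:01.000 10.0.0.7:51000 > 10.0.0.10:443 S
2024-05-01T10:00:01.001 10.0.0.10:443 > 10.0.0.7:51000 SA
2024-05-01T10:00:01.002 10.0.0.7:51000 > 10.0.0.10:443 A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sip>[\d.]+):(?P<sport>\d+) > "
    r"(?P<dip>[\d.]+):(?P<dport>\d+) (?P<flags>[A-Z]+)$"
)


def parse_line(line):
    """Return (src_ip, src_port, dst_ip, dst_port, flags) or None for junk."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return d["sip"], int(d["sport"]), d["dip"], int(d["dport"]), d["flags"]


def label_flow(seq):
    """seq is the ordered flag list, prefixed c: (initiator) or s: (responder)."""
    if seq[:2] == ["c:S", "s:RA"]:
        return "closed"            # port closed, nothing to complete
    if seq[:2] != ["c:S", "s:SA"]:
        return "other"
    if len(seq) < 3:
        return "pending"           # SYN-ACK seen, initiator has not replied yet
    return {"c:A": "completed", "c:R": "half_open"}.get(seq[2], "other")


def classify_flows(log_text):
    """Group packets into SYN-initiated flows keyed by the initiator's 4-tuple."""
    flows = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sip, sport, dip, dport, flags = rec
        fwd = (sip, sport, dip, dport)
        rev = (dip, dport, sip, sport)
        if fwd in flows:
            flows[fwd].append("c:" + flags)
        elif rev in flows:
            flows[rev].append("s:" + flags)
        elif flags == "S":
            flows[fwd] = ["c:S"]
        # anything else belongs to no SYN-initiated flow and is ignored
    return {key: label_flow(seq) for key, seq in flows.items()}


def half_open_scanners(log_text, threshold=3):
    """Initiators that reset SYN/SYN-ACK exchanges on >= threshold distinct ports."""
    targets = defaultdict(set)
    for (cip, _cport, sip, sport), label in classify_flows(log_text).items():
        if label == "half_open":
            targets[cip].add((sip, sport))
    return {ip: len(p) for ip, p in targets.items() if len(p) >= threshold}


if __name__ == "__main__":
    print(half_open_scanners(SAMPLE_LOG))  # {'10.0.0.5': 4}
```

A single half-open flow is not evidence by itself (a client may crash between SYN-ACK and ACK), which is why the detector counts distinct ports per source over a window rather than alerting on one reset; the closed-port probe to 445 is counted separately because it never produced a SYN-ACK to reset.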
Question 190
Which attack intercepts and alters traffic between two communicating systems without detection?
A) Man-in-the-middle
B) Passive sniffing
C) Replay attack
D) Phishing
Answer: A) Man-in-the-middle
Explanation:
A man‑in‑the‑middle (MITM) attack is the correct answer because it allows an attacker to secretly position themselves between two communicating systems and intercept, modify, or inject traffic without either party being aware. In a typical MITM scenario, the attacker can read sensitive information, manipulate messages, alter commands, or redirect communications in real time. This makes MITM attacks highly dangerous, especially when used against protocols lacking strong encryption or authentication mechanisms.
To understand why MITM matches the description, it is useful to contrast it with the other choices. Passive sniffing involves monitoring and capturing network traffic without altering it. Although passive sniffing can reveal credentials, session tokens, or other sensitive data, it does not involve modifying or injecting messages between parties. It does not alter communication streams, making it insufficient for the scenario describing interception and alteration.
A replay attack involves capturing valid data packets and retransmitting them later to reproduce an action or fraudulently authenticate. While replay attacks manipulate timing and reuse data, they do not modify traffic dynamically or intercept bidirectional communication between systems. They are one‑directional and not interactive, meaning they lack the real‑time modification capability required by the scenario.
Phishing, on the other hand, relies entirely on social engineering. Attackers deceive victims into providing sensitive information by masquerading as trusted entities in emails, messages, or fake websites. This attack does not intercept network traffic or interact directly with communication flows; it relies on user behavior rather than protocol manipulation.
MITM attacks can be performed using various techniques such as ARP poisoning, DNS spoofing, Wi‑Fi evil twin attacks, SSL stripping, or rogue gateway insertion. Once the attacker establishes their position between the parties, they can perform actions such as altering transaction details, modifying commands in transit, injecting malicious payloads, or rerouting sessions. Modern defenses, such as certificate validation, encrypted communication (TLS), DHCP snooping, dynamic ARP inspection, and secure DNS, aim to reduce MITM risks.
Since the question specifically asks about an attack that intercepts and alters traffic without detection, the only correct answer is man‑in‑the‑middle, because it uniquely supports real‑time interception, modification, and injection, all while remaining invisible to both communicating parties.
Question 191
Which attack exploits a web application by injecting malicious code into input fields to execute scripts in users’ browsers?
A) SQL injection
B) Cross-site scripting
C) Command injection
D) Directory traversal
Answer: B) Cross-site scripting
Explanation:
Cross‑site scripting (XSS) is the correct answer because it allows attackers to inject malicious scripts—typically JavaScript—into web pages or input fields that are later rendered by a victim’s browser. When the browser processes the malicious script, it executes it as if it were legitimate code originating from the server. This can enable attackers to steal session cookies, capture keystrokes, redirect users, deface content, perform unauthorized actions on behalf of the user, or execute arbitrary browser-based scripts.
To understand why XSS matches the scenario, we must compare it with other attack types. SQL injection targets backend databases by manipulating query structures. Attackers use input fields to inject SQL commands that alter database behavior, retrieve unauthorized data, or modify stored information. While SQL injection is serious, it affects the server side, not the client’s browser. Because SQL injection does not execute scripts in the user’s browser, it does not fit the scenario.
Command injection allows attackers to execute operating system commands on the server hosting the application. This can lead to privilege escalation, system compromise, or unauthorized commands running on the server’s OS. However, command injection happens on the server side and does not involve injecting malicious scripts for browser execution, making it unrelated to the behavior described.
Directory traversal exploits vulnerabilities in file path handling, allowing attackers to access restricted files by modifying path parameters such as using “../”. This attack is aimed at unauthorized file access on the server and has no relationship to injecting or executing browser-based scripts.
XSS attacks come in three main forms: stored, reflected, and DOM-based. Stored XSS occurs when malicious input is saved on the server and delivered to users later. Reflected XSS occurs when malicious input is included in a link and executed when the victim clicks it. DOM-based XSS occurs entirely within client-side JavaScript without server involvement. All three forms involve executing scripts inside the victim’s browser—precisely what the scenario describes.
Because the question explicitly refers to malicious scripts executed in users’ browsers via manipulated input fields, the correct answer is Cross‑site scripting (XSS).
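The server-side fix for stored and reflected XSS is contextual output encoding. As an added example that is not from the original page, the code below renders a constructed comment both the vulnerable way (raw concatenation into markup) and the hardened way (`html.escape` for element content, and quoted plus escaped for an attribute value), then checks whether each payload survives as live markup. The comments and the `/` markup fragments are constructed.

```python
import html

# Constructed sample comments (not from the page): one benign, one injecting a
# script element, one trying to close an attribute and add an event handler.
COMMENTS = [
    "Great post!",
    "<script>alert(document.cookie)</script>",
    '" onmouseover="alert(1)',
]


def render_vulnerable(comment: str) -> str:
    """'Before' form: stored or reflected input is concatenated straight into
    the page, so the browser parses any tags in it as HTML."""
    return f"<p>{comment}</p>"


def render_safe(comment: str) -> str:
    """Element-content context: encode <, >, & and quotes so the payload is
    displayed as text instead of being parsed as markup."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


def render_attribute_safe(value: str) -> str:
    """Attribute context: keep the attribute quoted AND escape quotes; otherwise
    a value can terminate the attribute and append onmouseover= etc."""
    return f'<input type="text" value="{html.escape(value, quote=True)}">'


def payload_survives(rendered: str, payload: str) -> bool:
    """Regression check: does the raw payload appear unencoded in the output?"""
    return payload in rendered


def report() -> dict:
    """Per-comment survival under each renderer (True = appears verbatim)."""
    return {
        "vulnerable": [payload_survives(render_vulnerable(c), c) for c in COMMENTS],
        "safe": [payload_survives(render_safe(c), c) for c in COMMENTS],
    }


if __name__ == "__main__":
    for c in COMMENTS:
        print(render_safe(c))
    print(render_attribute_safe(COMMENTS[2]))
    print(report())  # {'vulnerable': [True, True, True], 'safe': [True, False, False]}
```

Note that the benign comment is unchanged by the safe renderer, while the two payloads are turned into inert entities (`&lt;script&gt;`, `&quot;`). Encoding must match the output context: this covers HTML element and attribute contexts, and a value placed inside a `<script>` block or a URL needs its own encoder. DOM-based XSS, which never passes through the server, is handled on the client by writing untrusted data with `textContent` rather than `innerHTML`.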
Question 192
Which tool is used to enumerate Windows SMB shares and users on a network?
A) Enum4linux
B) Nmap
C) Wireshark
D) Aircrack-ng
Answer: A) Enum4linux
Explanation:
Enum4linux is the correct answer because it is specifically designed to perform enumeration of Windows and Samba systems using SMB (Server Message Block) and NetBIOS protocols. The tool is widely used by penetration testers to gather critical information such as user lists, shared directories, password policies, group memberships, OS details, domain information, and other SMB-related attributes. It automates the process of sending SMB queries and interpreting responses, making enumeration efficient and thorough.
To understand why Enum4linux matches the scenario, we must compare it with other listed tools. Nmap, although capable of detecting open SMB ports (like 139 or 445) and running SMB-related scripts through the Nmap Scripting Engine, is primarily a network mapper and scanner. It does not specialize in enumerating SMB shares and user accounts unless specific NSE scripts are used, and even then, the depth of information retrieval is not as extensive or targeted as with Enum4linux.
Wireshark is a network analysis tool used for capturing and inspecting packets. While Wireshark can decode SMB traffic if such traffic occurs during monitoring, it cannot actively enumerate SMB shares or users. It provides passive observation rather than active querying, so it does not satisfy the requirement of enumerating Windows SMB resources.
Aircrack‑ng is a suite of tools focused entirely on wireless network security. Its capabilities include packet capture, cracking WEP/WPA keys, performing deauthentication attacks, and analyzing wireless frames. It has no features related to SMB, Windows enumeration, or network share discovery, making it irrelevant to the question.
Enum4linux, on the other hand, is specifically optimized for SMB enumeration. It leverages SMB protocol interactions such as null sessions, RID cycling, and NetBIOS queries to extract data from Windows hosts. It is especially effective in environments where SMB services are misconfigured, allowing information disclosure even without authentication. Penetration testers rely on Enum4linux to gather critical reconnaissance data early in an engagement because SMB is a highly informative protocol when improperly secured.
Because the question explicitly asks for a tool that enumerates SMB shares and Windows users, the only correct answer is Enum4linux.
Question 193
Which attack uses DNS requests to exfiltrate data from a network covertly?
A) DNS tunneling
B) DNS amplification
C) DNS cache poisoning
D) Man-in-the-middle
Answer: A) DNS tunneling
Explanation:
DNS tunneling is the correct answer because it allows attackers to embed data inside DNS queries and responses, creating a covert communication channel that bypasses firewalls and security filters. DNS traffic is often allowed to pass freely through networks because it is essential for domain name resolution. Attackers exploit this trust by encoding stolen data—such as credentials, files, or command‑and‑control instructions—into DNS request subdomains or response payloads, enabling covert exfiltration.
To fully understand why DNS tunneling fits the scenario, we must compare it with the other answers. DNS amplification is a type of DDoS attack in which attackers send DNS queries with spoofed source IP addresses to open resolvers. These resolvers respond with significantly larger DNS messages, amplifying the traffic toward the victim. Although amplification uses DNS traffic, it is strictly designed for denial‑of‑service purposes, not for data exfiltration.
DNS cache poisoning manipulates DNS records to redirect users to malicious IP addresses. By corrupting the DNS resolver’s cache, attackers can redirect traffic, perform phishing attacks, or reroute victims to fraudulent websites. However, cache poisoning does not encode or transmit exfiltrated data, so it does not serve as a covert communication channel.
Man‑in‑the‑middle attacks can intercept DNS traffic, alter responses, or redirect users, but they do not create a structured mechanism to exfiltrate data via DNS queries.
DNS tunneling typically works by encoding data in Base32, Base64, or other encodings within DNS subdomain labels. For example, a compromised system may send DNS requests like: encodeddata.maliciousdomain.com
The attacker’s server receives the encoded request, decodes it, and the stolen data is extracted. Attackers may also send commands back to the compromised host using DNS responses, enabling bidirectional communication.
Security tools often struggle to detect DNS tunneling because DNS traffic appears legitimate at first glance. However, unusual domain lengths, high volumes of TXT queries, repeated unresolved domains, or abnormal query entropy can indicate tunneling behavior.
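The detection heuristics listed above (long subdomain labels, high-entropy labels, a high share of TXT queries, and repeated NXDOMAIN answers) can be scored per client from an ordinary resolver log. The following Python is an added example, not code from the original page; the log lines, the thresholds, and the rule that a client is flagged only when two indicators agree are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (not from the original page):
# "<timestamp> <client> <query name> <record type> <response code>"
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 www.example.com A NOERROR
2024-01-01T10:00:01 10.0.0.5 mail.example.com MX NOERROR
2024-01-01T10:00:02 10.0.0.9 nb2w45dfoq5ukosv4exmpl.maliciousdomain.com TXT NXDOMAIN
2024-01-01T10:00:02 10.0.0.9 mfrgg43fnzsgk3tpnvxwk.maliciousdomain.com TXT NXDOMAIN
2024-01-01T10:00:03 10.0.0.9 nbswy3dpebrgk2lmo5rw6.maliciousdomain.com TXT NXDOMAIN
2024-01-01T10:00:03 10.0.0.9 krugkidrovzw6ylumfzxi.maliciousdomain.com TXT NXDOMAIN
2024-01-01T10:00:04 10.0.0.5 cdn.example.com A NOERROR
"""

def shannon_entropy(text: str) -> float:
    """Bits per character; encoded payloads score far higher than real words."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def subdomain_labels(qname: str) -> str:
    """Everything left of the registered domain (assumed here: last two labels)."""
    return ".".join(qname.lower().rstrip(".").split(".")[:-2])

def score_clients(log_text: str, min_label_len: int = 20,
                  min_entropy: float = 3.5, ratio: float = 0.5) -> dict:
    """Per-client hit ratios for the four heuristics, plus a combined verdict."""
    stats = defaultdict(Counter)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, qtype, rcode = line.split()
        sub = subdomain_labels(qname)
        s = stats[client]
        s["total"] += 1
        s["long"] += len(sub) >= min_label_len          # unusual domain length
        s["entropy"] += shannon_entropy(sub) >= min_entropy  # abnormal entropy
        s["txt"] += qtype == "TXT"                       # TXT-heavy traffic
        s["nxdomain"] += rcode == "NXDOMAIN"             # repeated unresolved names
    result = {}
    for client, s in stats.items():
        hits = [k for k in ("long", "entropy", "txt", "nxdomain")
                if s[k] / s["total"] >= ratio]
        # Require two independent indicators so one long CDN hostname
        # does not raise an alert on its own (constructed threshold).
        result[client] = {"indicators": hits, "suspicious": len(hits) >= 2}
    return result

if __name__ == "__main__":
    for client, verdict in score_clients(SAMPLE_LOG).items():
        print(client, verdict)
```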
Since the question asks specifically for an attack that uses DNS to exfiltrate data covertly, the only correct answer is DNS tunneling.
Question 194
Which type of attack floods a target system with TCP SYN requests to exhaust resources?
A) Ping flood
B) SYN flood
C) Smurf attack
D) Teardrop attack
Answer: B) SYN flood
Explanation:
A SYN flood attack is the correct answer because it overwhelms a target system by sending massive numbers of TCP SYN packets, which initiate a large number of half-open TCP connections. Each SYN packet forces the target server to allocate memory and resources to track the pending connection. However, because the attacker never completes the handshake by sending the final ACK packet, these connections remain half-open. When enough incomplete connections accumulate, the server’s connection table becomes full, preventing legitimate users from establishing new connections and effectively causing a denial of service.
To understand why SYN flood matches the scenario, we need to distinguish it from the other choices. A ping flood uses ICMP echo request packets (ping packets) to overwhelm a target. This attack does not use TCP, nor does it exploit TCP’s connection-handling mechanisms. Since the question specifically references TCP SYN requests, ping flood is not correct.
A Smurf attack is an amplification attack that uses ICMP echo requests broadcast to an entire network with a spoofed source IP address. The network’s devices respond back to the spoofed victim, flooding it with traffic. Again, this involves ICMP, not TCP, making it irrelevant to the scenario of SYN-based flooding.
A teardrop attack exploits IP packet fragmentation and reassembly vulnerabilities, causing systems to crash when they attempt to reassemble malformed overlapping fragments. This attack targets IP fragmentation logic, not TCP connection mechanisms, and does not involve SYN packets.
SYN floods exploit a fundamental aspect of how TCP establishes connections. In normal operation, the three‑way handshake is:
Client → SYN
Server → SYN‑ACK
Client → ACK
In a SYN flood, the attacker sends step 1 repeatedly; the server answers each with step 2, but the attacker never sends step 3. The server remains stuck waiting for ACK packets that will never arrive. Meanwhile, system resources become exhausted, leading to degraded performance or complete denial of service.
Modern defenses include SYN cookies, rate limiting, firewall filtering, and intrusion prevention systems that detect abnormal SYN patterns. However, SYN floods remain one of the most common and effective DoS techniques.
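To make the resource-exhaustion mechanism and the SYN-cookie defense concrete, the following Python simulation is an added example, not code from the original page. It contrasts a server that reserves a half-open table slot per SYN with one that encodes its initial sequence number as a keyed MAC over the client identity and a time counter, keeping no state until the ACK proves the client is real. The backlog size, the secret, and the simplified cookie layout (real SYN cookies also encode the negotiated MSS) are constructed assumptions.

```python
import hmac, hashlib, os

SECRET = os.urandom(16)   # per-boot server secret (constructed)
BACKLOG = 4               # tiny half-open table so exhaustion is visible
MASK = 0xFFFFFFFF         # TCP sequence numbers are 32-bit

class StatefulServer:
    """Classic behaviour: each SYN occupies a slot until its ACK arrives (no timeout here)."""
    def __init__(self):
        self.half_open = {}
    def on_syn(self, client):
        if len(self.half_open) >= BACKLOG:
            return None                                  # table full: SYN dropped
        srv_isn = int.from_bytes(os.urandom(4), "big")
        self.half_open[client] = srv_isn
        return srv_isn                                   # carried in the SYN-ACK
    def on_ack(self, client, ack):
        srv_isn = self.half_open.pop(client, None)
        return srv_isn is not None and ack == ((srv_isn + 1) & MASK)

class SynCookieServer:
    """SYN cookies: the ISN is a MAC over (client, time counter); nothing is stored."""
    def _cookie(self, client, count):
        digest = hmac.new(SECRET, f"{client}|{count}".encode(), hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")
    def on_syn(self, client, count):
        return self._cookie(client, count)               # no backlog slot consumed
    def on_ack(self, client, ack, count):
        # Accept the current and the previous counter window, then reject as stale.
        return any(ack == ((self._cookie(client, c) + 1) & MASK) for c in (count, count - 1))

def simulate(flood_size=100):
    """Flood both servers with SYNs that are never ACKed, then admit one real client."""
    stateful, cookie = StatefulServer(), SynCookieServer()
    for i in range(flood_size):
        attacker = f"203.0.113.{i}"                      # constructed; never sends step 3
        stateful.on_syn(attacker)
        cookie.on_syn(attacker, 7)
    legit = "192.0.2.10"
    synack = stateful.on_syn(legit)
    stateful_ok = synack is not None and stateful.on_ack(legit, (synack + 1) & MASK)
    synack = cookie.on_syn(legit, 7)
    cookie_ok = cookie.on_ack(legit, (synack + 1) & MASK, 7)
    stale_ok = cookie.on_ack(legit, (synack + 1) & MASK, 9)  # old window: rejected
    return {"stateful_accepts_legit": stateful_ok,
            "syn_cookie_accepts_legit": cookie_ok,
            "stale_cookie_accepted": stale_ok}

if __name__ == "__main__":
    print(simulate())
```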
Because the question explicitly refers to flooding TCP SYN packets and exhausting system resources, the correct answer is SYN flood.
Question 195
Which malware encrypts user files and demands payment for decryption?
A) Ransomware
B) Rootkit
C) Trojan
D) Spyware
Answer: A) Ransomware
Explanation:
Ransomware is malicious software specifically designed to encrypt a victim’s files or entire system, rendering them inaccessible until a ransom is paid to the attacker. The encryption process typically uses strong cryptography, making it virtually impossible for the user to regain access without the decryption key held by the attacker. Once the files are encrypted, ransomware usually displays a message explaining the ransom demand, often including instructions for payment, frequently in cryptocurrency, to maintain anonymity.
It is important to distinguish ransomware from other malware types. Rootkits are designed to hide the presence of malware within the operating system, allowing attackers to maintain persistent access while remaining undetected. Rootkits do not encrypt files or demand payment. Trojans disguise malicious software as legitimate programs and may deliver ransomware as a payload, but the Trojan itself does not inherently encrypt data. Spyware secretly monitors user activity, logs keystrokes, or collects sensitive information for exfiltration, but it does not disrupt access to data via encryption.
Ransomware attacks have become a major threat because they directly affect data availability, potentially halting business operations and personal access. Examples include WannaCry, Petya/NotPetya, and Ryuk. Given that the question specifies encrypting files with a demand for payment, ransomware is the only malware type that fits the description, making it the correct answer.
Question 196
Which attack sends forged ARP messages to associate the attacker’s MAC with the IP of another device?
A) ARP spoofing
B) DNS spoofing
C) DHCP spoofing
D) ICMP redirect attack
Answer: A) ARP spoofing
Explanation:
ARP spoofing, also called ARP poisoning, is a network attack that manipulates the Address Resolution Protocol (ARP) by sending fraudulent ARP messages to devices on a local network. The goal is to associate the attacker’s MAC address with the IP address of a legitimate device, such as the default gateway. When successful, traffic intended for the legitimate device is redirected to the attacker, allowing interception, modification, or dropping of packets. This technique can enable man-in-the-middle attacks, traffic sniffing, or session hijacking.
Other options do not match this behavior. DNS spoofing manipulates DNS responses to redirect traffic but does not involve altering ARP tables or MAC addresses. DHCP spoofing sets up a rogue DHCP server to deliver false network configurations, but it does not forge ARP replies. ICMP redirect attacks modify routing tables through ICMP messages and do not target MAC-IP mappings.
By sending carefully crafted ARP replies, attackers poison the ARP cache of target devices. Once the spoofing is successful, they can monitor or manipulate communications invisibly. Because the question specifies sending forged ARP messages to associate the attacker’s MAC with another IP, ARP spoofing is the correct answer.
Question 197
Which reconnaissance method gathers information without interacting with the target system?
A) Passive reconnaissance
B) Active reconnaissance
C) Social engineering
D) Phishing
Answer: A) Passive reconnaissance
Explanation:
Passive reconnaissance is a method of gathering information about a target without initiating any direct interaction or alerting the target. This involves collecting publicly available data from sources such as WHOIS databases, DNS records, social media profiles, company websites, job postings, or public forums. The purpose is to learn details like network ranges, technologies in use, user accounts, and potential vulnerabilities without sending probes or packets that could be detected.
Other methods differ significantly. Active reconnaissance involves scanning, probing, or sending requests to the target system to discover open ports, services, or system configurations. This generates detectable network traffic and alerts the target to reconnaissance activities. Social engineering relies on manipulating individuals to obtain confidential information through human interaction, while phishing tricks users into revealing credentials or sensitive data through deceptive communication. Both involve direct interaction.
Passive reconnaissance is widely used in the early stages of penetration testing or cyber-attack planning. Its stealthy nature allows attackers to build a profile of the target, identify potential attack vectors, and strategize without risk of detection. Because the question specifies gathering information without interacting with the target, passive reconnaissance is the correct answer.
Question 198
Which technique allows attackers to guess a TCP sequence number to hijack an active session?
A) Session hijacking
B) Replay attack
C) Sequence number prediction
D) ARP spoofing
Answer: C) Sequence number prediction
Explanation:
Sequence number prediction is a method of hijacking active TCP sessions by analyzing the incremental patterns of TCP sequence numbers and predicting the next number the server or client will use. By accurately predicting the sequence number, an attacker can inject malicious packets into the existing session and effectively take control of the communication without requiring authentication or credentials. This allows the attacker to send commands or receive sensitive data as if they were a legitimate participant in the session.
Other attack types differ in their mechanisms. Session hijacking refers generally to taking over an active session, but sequence number prediction is the precise technique that achieves this by manipulating TCP sequence numbers. Replay attacks involve capturing valid packets and retransmitting them to reproduce actions, but they do not require predicting sequence numbers. ARP spoofing targets MAC-IP associations at the network layer, unrelated to TCP session manipulation.
Sequence number prediction exploits weaknesses in early TCP implementations or predictable number generation. Attackers monitor communication, analyze patterns, and craft packets that seamlessly integrate into the ongoing session. By guessing the correct sequence numbers, they bypass security controls, achieving unauthorized access and control. Because the question specifies guessing TCP sequence numbers to hijack a session, sequence number prediction is the correct answer.
Question 199
Which type of attack manipulates a web application’s session management to impersonate a user?
A) Session hijacking
B) Cross-site scripting
C) SQL injection
D) Phishing
Answer: A) Session hijacking
Explanation:
Session hijacking is an attack in which an attacker exploits weaknesses in a web application’s session management to impersonate a legitimate user. This is usually achieved by stealing or predicting session identifiers, cookies, or tokens. Once an attacker gains access to a valid session, they can perform actions on behalf of the user, such as accessing sensitive data, making transactions, or modifying settings.
Other options do not match the scenario. Cross-site scripting (XSS) injects scripts into a user’s browser, potentially stealing session tokens indirectly, but it is not inherently about manipulating session management. SQL injection targets the backend database and does not directly compromise session identifiers. Phishing deceives users into revealing credentials but does not manipulate session tokens directly.
Session hijacking exploits session vulnerabilities such as weak session IDs, token reuse, insecure storage, or predictable patterns. Attackers may intercept tokens over insecure networks or through malware. By using these tokens, they bypass authentication and assume the identity of the user without logging in. Because the question specifically mentions manipulating session management to impersonate a user, session hijacking is the correct answer.
Question 200
Which attack intercepts, modifies, or injects traffic between two systems without their knowledge?
A) Man-in-the-middle
B) Passive sniffing
C) Replay attack
D) Denial-of-service
Answer: A) Man-in-the-middle
Explanation:
A man-in-the-middle (MITM) attack is an active network attack where an attacker intercepts communication between two parties, allowing them to read, modify, or inject messages without either party knowing. The attacker positions themselves in the communication path, often using techniques like ARP spoofing, DNS spoofing, Wi-Fi evil twins, or compromised routers. Once in position, the attacker can steal sensitive information, inject malicious data, manipulate transactions, or impersonate one or both parties.
Other options do not achieve the same effect. Passive sniffing only captures network traffic for analysis but does not modify or inject data. Replay attacks resend captured traffic to reproduce actions but do not perform real-time alteration. Denial-of-service (DoS) attacks disrupt services by overwhelming systems but do not intercept or modify communication between systems.
MITM attacks can compromise confidentiality, integrity, and trust in communications. They are particularly effective against unencrypted protocols or poorly implemented encryption. Attackers can manipulate login credentials, financial transactions, or session tokens. Since the question describes intercepting, modifying, or injecting traffic without user awareness, MITM is the only answer that satisfies these criteria, making it correct.