ECCouncil 312-50v13 Certified Ethical Hacker v13 Exam Dumps and Practice Test Questions Set 4 Q61-80
Question 61
Which attack involves cloning a legitimate wireless access point to deceive users into connecting to a malicious network?
A) Rogue AP
B) Wi-Fi jamming
C) WPS brute-force
D) Evil twin
Answer: D) Evil twin
Explanation:
The first answer choice describes a rogue access point, which is an unauthorized wireless access point installed inside an organization’s network. Although a rogue AP can be malicious or accidental, its purpose is usually to provide an internal foothold or bypass security policies. However, a rogue AP is not specifically designed to impersonate an existing wireless network. Instead, it simply introduces an unauthorized wireless connection that attackers or internal users may exploit. It does not focus on cloning an SSID or imitating security parameters of a legitimate network.
The second answer choice refers to Wi-Fi jamming, which is a form of denial-of-service attack on wireless networks. Wi-Fi jamming uses continuous interference, deauthentication frames, or radio frequency noise to disrupt communication. This method prevents users from accessing Wi-Fi services completely, but it does not attempt to mimic or duplicate legitimate access points. Its purpose is disruption, not impersonation.
The third answer choice is WPS brute-force, which targets the Wi-Fi Protected Setup PIN authentication method. WPS brute-force attacks exploit predictable PIN validation to gain unauthorized access to WPA/WPA2 networks. This attack focuses on authentication weaknesses, not network impersonation. The attacker attempts to join the real access point, not clone it.
The fourth answer choice correctly identifies the evil twin attack. An evil twin is an access point configured to look identical to a legitimate one by copying its SSID, encryption type, and sometimes MAC address. Once victims connect, attackers can intercept network traffic, perform credential harvesting, launch man-in-the-middle attacks, or capture sensitive information. In many cases, users cannot visually distinguish between the real access point and the clone, because the evil twin intentionally mimics the authentic network’s characteristics. Attackers may strengthen the signal of the evil twin to attract connections or disrupt the real AP temporarily to force users onto the malicious one.
The correct answer is the evil twin attack because it centers on network impersonation as its core strategy. It explicitly clones a legitimate wireless access point and tricks users into connecting, making it a powerful method for capturing sensitive traffic, login sessions, or performing deeper intrusion. This behavior differentiates it from rogue APs, jamming, and WPS-based attacks.
Question 62
Which technique is commonly used during enumeration to gather usernames from a Windows domain?
A) LDAP querying
B) DNS poisoning
C) MAC flooding
D) ARP spoofing
Answer: A) LDAP querying
Explanation:
The first answer choice refers to LDAP querying, a technique used to interact with directory services such as Active Directory. LDAP queries can retrieve user accounts, groups, organizational units, and other domain-related details. When attackers gain access to a machine with domain connectivity, LDAP queries become a key method for enumeration because directory services store large volumes of structured information. LDAP enumeration can reveal usernames, group memberships, service accounts, and domain trusts. This significantly assists attackers in privilege escalation and lateral movement, making LDAP querying a powerful and appropriate technique for gathering usernames in Windows domain environments.
The second answer choice, DNS poisoning, involves corrupting DNS caches so that hostnames resolve to incorrect IP addresses. This is used for redirecting traffic to malicious endpoints or launching man-in-the-middle attacks. DNS poisoning does not enumerate usernames or domain information; instead, it manipulates network-level name resolution.
The third answer choice describes MAC flooding, which targets switches at Layer 2 by overwhelming the CAM table with fake MAC addresses. Once the table is full, the switch may behave like a hub, broadcasting traffic to all ports. This attack aims to capture Ethernet traffic rather than extract user account information. It is unrelated to domain enumeration or identity mapping.
The fourth answer choice, ARP spoofing, allows attackers to redirect network traffic by forging ARP responses. It enables packet interception but does not extract structured data like usernames from a domain controller or directory service. ARP spoofing focuses on traffic manipulation rather than enumeration tasks involving identity or role mapping.
LDAP querying is the correct answer because it directly interfaces with Active Directory using standardized commands to enumerate user accounts. Attackers often use tools such as ldapsearch, BloodHound, or PowerShell-based scripts to query AD via LDAP. This technique reveals essential information for planning targeted attacks, identifying privileged accounts, or mapping trust paths within a domain environment. LDAP enumeration is fundamental in CEH methodologies because it provides comprehensive domain-level intelligence.
Question 63
Which attack targets web applications by manipulating serialized data to achieve unauthorized execution?
A) Deserialization attack
B) SQL injection
C) Directory traversal
D) CSRF
Answer: A) Deserialization attack
Explanation:
The first answer describes a deserialization attack, which occurs when untrusted or manipulated serialized data is processed by a web application. Deserialization vulnerabilities arise when an application converts structured data back into objects without proper validation. Attackers craft malicious serialized data to inject arbitrary code, modify object states, escalate privileges, or trigger dangerous functions within the application. Because serialization formats such as JSON, XML, and binary structures are widely used for data exchange, deserialization flaws can have a significant impact. Many languages, including Java, Python, Ruby, and PHP, have been affected by insecure deserialization vulnerabilities. These attacks become severe because they often result in remote code execution when the application automatically loads object data.
The second answer choice refers to SQL injection, where attackers input malicious queries to manipulate databases. SQL injection exploits database parsing, not object serialization. While both affect web applications, SQL injection targets backend databases rather than serialization-based processes.
The third answer choice is directory traversal, which allows unauthorized access to filesystem directories by using patterns such as “../”. Directory traversal impacts file access but is unrelated to processing serialized data structures.
The fourth answer choice refers to CSRF, which tricks authenticated users into performing unwanted actions on websites. CSRF leverages browser trust relationships but does not involve object serialization or backend code execution tied to data transformation.
The correct answer is deserialization attack because it specifically exploits the process of rebuilding objects from serialized data. When developers fail to validate incoming serialized structures or fail to restrict which classes can be reconstructed, attackers can load dangerous objects that trigger unwanted behaviors. Deserialization flaws are considered critical because they often bypass authentication controls and access restrictions. They can lead to full system compromise depending on application logic. Understanding deserialization attacks is essential for ethical hackers because many modern APIs rely heavily on serialized data structures, making this attack surface widespread and dangerous if mishandled.
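The control the paragraph above calls for, restricting which classes may be reconstructed, shown as an added example for Python's pickle module (this is not code from the page or any project it names): an Unpickler whose find_class only returns allowlisted classes, so a payload referencing anything else is refused before an object is built. The Order class and the allowlist are assumptions for the demonstration.

```python
import collections
import io
import pickle


class Order:
    """Plain data object the service legitimately exchanges (assumed)."""

    def __init__(self, item, qty):
        self.item = item
        self.qty = qty

    def __eq__(self, other):
        return isinstance(other, Order) and (self.item, self.qty) == (other.item, other.qty)


# Only these classes may ever be reconstructed from untrusted bytes.
# Matching on (module, qualname) is what pickle's find_class hook sees.
ALLOWED_CLASSES = {Order}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global not on the allowlist.

    pickle resolves classes and functions through find_class, so denying
    here stops the load before any constructor or callable runs.
    """

    def find_class(self, module, name):
        for cls in ALLOWED_CLASSES:
            if (module, name) == (cls.__module__, cls.__qualname__):
                return cls
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads on data from outside the trust boundary."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_roundtrip() -> bool:
    """An allowlisted object survives serialize -> restricted load unchanged."""
    blob = pickle.dumps(Order("widget", 3))
    return restricted_loads(blob) == Order("widget", 3)


def blocked_example() -> bool:
    """A blob referencing a class outside the allowlist is rejected.

    collections.OrderedDict is harmless; it stands in for whatever class an
    attacker's payload would name. The point is that the decision is made on
    the class reference, not on what the class would do once instantiated.
    """
    blob = pickle.dumps(collections.OrderedDict(a=1))
    try:
        restricted_loads(blob)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("allowlisted object loads:", safe_roundtrip())
    print("foreign class rejected:", blocked_example())
```

For data that crosses a trust boundary, a schema-validated format such as JSON is still the better choice; the allowlist is defense in depth where a native serializer cannot be removed.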
Question 64
Which tool is most commonly used for Windows privilege escalation by enumerating misconfigurations?
A) WinPEAS
B) Aircrack-ng
C) Hydra
D) Burp Suite
Answer: A) WinPEAS
Explanation:
The first answer choice, WinPEAS, is a tool specifically designed for Windows privilege escalation auditing. It enumerates configurations, permissions, services, registry keys, scheduled tasks, and various system details to identify escalation paths. Ethical hackers use WinPEAS because it automates the discovery of weaknesses that could allow standard users to elevate privileges. These include weak file permissions, unquoted service paths, insecure registry entries, outdated patches, and misconfigured system policies. Its comprehensive output gives attackers or penetration testers insight into potential misconfigurations that may lead to privilege escalation.
The second answer choice, Aircrack-ng, is a wireless security tool used primarily for WEP and WPA/WPA2 cracking. It captures wireless packets and attempts to derive Wi-Fi keys. Aircrack-ng is unrelated to Windows privilege escalation or misconfiguration enumeration. It operates in the wireless communication layer, not the Windows system layer.
The third answer choice, Hydra, is a password-cracking tool focused on network authentication services. It performs brute-force attacks on protocols such as FTP, SSH, RDP, Telnet, and SMTP. While useful in authentication testing, Hydra does not perform system misconfiguration enumeration or privilege escalation mapping.
The fourth answer choice, Burp Suite, is a web application testing platform. It intercepts web traffic, analyzes requests, and identifies vulnerabilities such as SQL injection, XSS, and parameter manipulation. Burp Suite focuses entirely on web penetration testing, not system-level privilege escalation.
WinPEAS is the correct answer because it is tailored for privilege escalation on Windows. It performs deep enumeration that reveals hidden escalation vectors within the operating system. Ethical hackers rely on WinPEAS to quickly extract actionable insights from Windows environments. Its thorough output helps identify overlooked security misconfigurations that attackers can exploit to escalate privileges. This makes WinPEAS an essential component of post-exploitation methodology in Windows domain penetration testing.
Question 65
Which attack relies on exploiting vulnerable SOAP-based web services?
A) XML injection
B) DNS tunneling
C) ARP cache poisoning
D) WPA2 cracking
Answer: A) XML injection
Explanation:
The first answer choice is XML injection, which targets applications that parse XML input, including SOAP-based web services. SOAP messages use XML envelopes for communication, which makes them vulnerable to XML manipulation attacks. XML injection involves altering XML structures, injecting malicious tags, or modifying schema expectations to manipulate logic on the server side. Attackers can cause unauthorized data access, bypass authentication, or disrupt processing logic. XML injection attacks also involve manipulating elements such as XPath queries, XML attributes, or nested structures to gain unintended access.
The second answer choice, DNS tunneling, uses DNS queries and responses to covertly transmit data. It is often used to bypass firewalls or exfiltrate information but is entirely unrelated to SOAP or XML-based processing. DNS tunneling does not interact with web service communication mechanisms.
The third answer choice describes ARP cache poisoning, where attackers forge ARP responses to redirect traffic on a local network. This is a Layer 2 attack and has no connection to XML, SOAP, or web service protocols. It manipulates network-level routing, not application-layer data structures.
The fourth answer choice, WPA2 cracking, targets wireless networks by capturing the four-way handshake and attempting offline password recovery. This relates to Wi-Fi security, not XML-based web services or SOAP messaging structures.
XML injection is the correct answer because SOAP uses XML extensively, and manipulating XML data can exploit vulnerabilities within SOAP request processing. XML injection can lead to authentication bypass, administrative access, or data corruption. Understanding XML injection is essential when testing legacy enterprise systems, as many corporate environments continue using SOAP web services. Such attacks highlight the importance of secure XML parsing, schema validation, and sanitization controls.
Question 66
Which type of attack abuses the trust between two systems that share authentication tokens without verifying source legitimacy?
A) Pass-the-token attack
B) DNS amplification
C) Watering-hole attack
D) Keylogging
Answer: A) Pass-the-token attack
Explanation:
The first answer choice refers to pass-the-token attacks, which exploit token-based authentication mechanisms, such as Kerberos tickets or NTLM tokens, within Windows environments. When two systems trust each other and rely on tokens, attackers who acquire those tokens can authenticate without needing passwords. Pass-the-token attacks allow lateral movement by reusing captured authentication tokens and leveraging existing trust relationships. These attacks exploit weak validation processes that do not verify the true origin of the token, enabling impersonation of legitimate users or administrators. This form of attack is common in Active Directory penetration testing and is considered highly dangerous because it bypasses password policies entirely.
The second answer choice describes DNS amplification, a distributed denial-of-service mechanism that uses small queries to generate large responses from DNS servers. This attack disrupts services but does not involve token-based authentication or trust relationships between systems.
The third answer choice describes a watering-hole attack, where attackers compromise a website frequently visited by targets. It is a social engineering and malware distribution tactic, not related to token reuse or authentication trust chains.
The fourth answer choice refers to keylogging, which records keystrokes to capture sensitive data. While keylogging can be used to obtain credentials, it does not exploit token trust or authentication reuse mechanisms.
Pass-the-token attack is the correct answer because it specifically targets trust and authentication mechanisms. It leverages existing tokens to impersonate identities across systems without requiring password compromise. This makes it a crucial technique in post-exploitation phases of penetration testing within enterprise network environments.
Question 67
Which attack modifies the firmware of a device to maintain persistent access?
A) Bootkit attack
B) SQL injection
C) XSS
D) SYN flood
Answer: A) Bootkit attack
Explanation:
A bootkit attack represents one of the most advanced forms of persistence because it targets the system at its lowest operational layer: the firmware or the bootloader. By modifying components such as UEFI, BIOS, or the Master Boot Record, an attacker can ensure that malicious code activates before the operating system even begins loading. This early execution grants the threat actor significant control, enabling stealthy long-term access that often survives reboots, OS reinstallation, and even some disk replacements. Bootkits are notoriously difficult to detect because most security tools operate at the OS level and therefore cannot easily inspect, verify, or remediate compromised firmware structures. This method of attack highlights a shift in modern threat landscapes where adversaries increasingly focus on hardware-level compromise for maximum persistence.
SQL injection, on the other hand, is completely different in nature and scope. It is an application-layer attack that manipulates malicious SQL queries to interact with a database in unintended ways. While SQL injection can lead to unauthorized data access, data corruption, or privilege escalation within an application’s backend, it does not interact with the system’s firmware, boot process, or low-level components. This means it cannot achieve the type of deep persistence associated with firmware tampering or bootloader infection. It remains limited to databases and application logic.
XSS, or cross-site scripting, is primarily a client-side web attack aimed at browsers. It involves injecting malicious scripts into web pages viewed by users, typically to steal cookies, manipulate sessions, or perform unauthorized browser actions. Because XSS executes at the browser layer and relies on manipulating client-side scripts, it has no ability to affect a system’s boot sequence, firmware, or low-level memory. Consequently, it cannot deliver persistent system-level control or survive system reinstallations the way a bootkit can.
SYN flood attacks are a type of denial-of-service technique that exploit the TCP handshake process. By sending a large number of incomplete connection requests, SYN floods exhaust server resources and interrupt availability. This type of attack focuses on disruption rather than persistence, and it does not modify firmware, implant malware, or establish hidden long-term access. Its impact is temporary and ends when the attack traffic stops.
Bootkit attack is the correct answer because it uniquely targets the firmware layer, enabling deep, stealthy, and durable persistence unmatched by the other choices.
Question 68
Which cloud attack method exploits misconfigured storage buckets to obtain sensitive data?
A) Public bucket enumeration
B) ARP spoofing
C) MAC flooding
D) Evil twin
Answer: A) Public bucket enumeration
Explanation:
Public bucket enumeration is a cloud attack method that targets misconfigured storage services such as AWS S3, Google Cloud Storage, or Azure Blob Storage. Many organizations unintentionally configure storage buckets with overly permissive access controls, including public read or write permissions. Attackers exploit these misconfigurations by enumerating bucket names, listing stored objects, and attempting to read, modify, or delete files. Automated tools simplify this process by systematically scanning for publicly accessible buckets, detecting patterns in naming conventions, and attempting access with common URL structures. The primary advantage for attackers is that they do not need credentials to gain access; the vulnerability arises purely from misconfiguration. Once access is obtained, sensitive data such as user information, internal documents, credentials, or proprietary files can be stolen or modified, potentially leading to regulatory violations, data breaches, or corporate espionage.
ARP spoofing is a network-level attack that involves sending falsified ARP (Address Resolution Protocol) messages to associate an attacker’s MAC address with the IP address of a legitimate host. While it can be used to intercept network traffic, ARP spoofing does not exploit cloud storage misconfigurations. Its focus is limited to local networks and traffic redirection, not access to cloud-based data. MAC flooding targets Ethernet switches by sending large volumes of frames with random MAC addresses to overflow the switch’s MAC address table. Once full, the switch may broadcast traffic to all ports, allowing potential sniffing of sensitive data. However, MAC flooding is also network-focused and does not exploit cloud storage vulnerabilities. The evil twin attack is a wireless attack in which an attacker creates a rogue access point that mimics a legitimate Wi-Fi network. While it can capture user credentials or traffic, it does not provide access to cloud storage buckets and is unrelated to cloud misconfigurations.
Public bucket enumeration is correct because it specifically targets cloud storage misconfigurations. Attackers can enumerate buckets to discover exposed sensitive information, download or modify files, or chain access with other attacks such as data exfiltration or privilege escalation. It highlights a common oversight in cloud security: improper access policies or lack of auditing on bucket permissions. Proper mitigation strategies include restricting bucket access, enabling authentication for all read/write operations, monitoring for public exposure, and conducting regular audits of cloud storage configurations. By understanding this attack, organizations can proactively prevent unintentional exposure of sensitive data and reduce the likelihood of cloud-based breaches.
Question 69
Which attack sends crafted DHCP responses to redirect clients to malicious gateways?
A) DHCP spoofing
B) DNS poisoning
C) ARP spoofing
D) ICMP redirection
Answer: A) DHCP spoofing
Explanation:
DHCP spoofing is a network attack where an attacker sends forged DHCP responses to clients in order to manipulate network configurations. Attackers position themselves strategically on the network, responding faster than legitimate DHCP servers to DHCP discovery requests from clients. By doing so, the attacker can assign malicious IP addresses, gateways, and DNS servers, redirecting client traffic through systems controlled by the attacker. This enables man-in-the-middle attacks, credential harvesting, traffic inspection, and redirection to phishing or malicious websites. DHCP spoofing is especially dangerous in open or poorly segmented networks, such as public Wi-Fi, corporate networks with lax access controls, or virtualized environments with multiple users sharing the same subnet.
DNS poisoning, in contrast, focuses on corrupting the DNS cache of a resolver or client to redirect domain resolution to malicious IP addresses. While both attacks involve redirection, DNS poisoning manipulates domain name resolution rather than assigning network-level configurations like gateways or IP addresses. ARP spoofing manipulates Address Resolution Protocol tables on local networks to associate the attacker’s MAC address with legitimate IP addresses, enabling traffic interception at the data link layer. ARP spoofing does not provide configuration control for IP addresses or gateways. ICMP redirection occurs when routers instruct hosts to update their routing tables to alternative paths, but it requires access to router functionality and does not involve directly sending DHCP responses.
DHCP spoofing is correct because it specifically targets the Dynamic Host Configuration Protocol to assign malicious network settings. By controlling the client’s default gateway and DNS, attackers can intercept traffic, redirect communications, and launch further attacks on unsuspecting users. Mitigation strategies include using DHCP snooping, enforcing static IP assignments in sensitive environments, and monitoring for unauthorized DHCP servers. Understanding DHCP spoofing highlights the importance of securing both configuration protocols and local network infrastructure to prevent unauthorized traffic redirection.
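The "monitoring for unauthorized DHCP servers" mitigation above, as an added example that is not code from the page: a parser for the DHCP wire format (fixed BOOTP header, magic cookie, TLV options) and a check that emulates the decision a DHCP-snooping device makes on each OFFER, namely whether the answering server is one of ours and whether the gateway it hands out is the expected one. The OFFER packets are constructed fixtures and the addresses are assumptions; real switch-based snooping trusts by port rather than by address.

```python
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 3, 6, 53, 54, 255
DHCPOFFER = 2


def _ip(text: str) -> bytes:
    return ipaddress.IPv4Address(text).packed


def build_offer(yiaddr, server_id, router, dns, xid=0x3903F326) -> bytes:
    """Constructed test fixture: a minimal DHCPOFFER as it appears on the wire."""
    # BOOTP fixed header: op=2 (reply), htype=1 (Ethernet), hlen=6, hops=0,
    # xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128)
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0, xid, 0, 0,
        b"\0" * 4, _ip(yiaddr), _ip(server_id), b"\0" * 4,
        bytes.fromhex("001122334455") + b"\0" * 10, b"\0" * 64, b"\0" * 128,
    )
    options = (
        bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
        + bytes([OPT_SERVER_ID, 4]) + _ip(server_id)
        + bytes([OPT_ROUTER, 4]) + _ip(router)
        + bytes([OPT_DNS, 4]) + _ip(dns)
        + bytes([OPT_END])
    )
    return fixed + DHCP_MAGIC + options


def parse_dhcp(packet: bytes) -> dict:
    """Decode header fields we care about plus the option TLVs into {code: raw bytes}."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    op, _, _, _, xid = struct.unpack("!BBBBI", packet[:8])
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op,
        "xid": xid,
        "yiaddr": str(ipaddress.IPv4Address(packet[16:20])),
        "options": options,
    }


def check_offer(packet: bytes, trusted_servers, expected_gateway: str) -> str:
    """Snooping-style verdict for one OFFER.

    Two checks, because a rogue can copy a legitimate Server Identifier: the
    server must be trusted, and the router it assigns must be the known gateway.
    """
    msg = parse_dhcp(packet)
    opts = msg["options"]
    if msg["op"] != 2 or opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return "NOT-AN-OFFER"
    server = str(ipaddress.IPv4Address(opts[OPT_SERVER_ID]))
    if server not in trusted_servers:
        return f"ROGUE-SERVER {server}"
    router = str(ipaddress.IPv4Address(opts.get(OPT_ROUTER, b"\0\0\0\0")))
    if router != expected_gateway:
        return f"UNEXPECTED-GATEWAY {router}"
    return "TRUSTED"


if __name__ == "__main__":
    trusted = {"10.0.0.2"}
    for name, pkt in [
        ("legitimate", build_offer("10.0.0.50", "10.0.0.2", "10.0.0.1", "10.0.0.2")),
        ("rogue", build_offer("10.0.0.51", "10.0.0.99", "10.0.0.99", "10.0.0.99")),
    ]:
        print(name, "->", check_offer(pkt, trusted, "10.0.0.1"))
```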
Question 70
Which type of vulnerability results from failing to neutralize user input used in XML queries?
A) XPath injection
B) SQL injection
C) CSRF
D) XSS
Answer: A) XPath injection
Explanation:
XPath injection is a vulnerability that occurs when user input is improperly validated and embedded into XML queries. XPath is used to navigate XML documents and extract data, similar to how SQL queries interact with relational databases. When input is not sanitized, attackers can manipulate the structure of XPath queries to retrieve unauthorized information, bypass authentication mechanisms, or modify query results. This can expose sensitive information, including usernames, passwords, personal details, or business-critical data stored in XML documents. XPath injection demonstrates that vulnerabilities are not limited to SQL databases; improper handling of structured query languages in XML can be equally dangerous.
SQL injection targets relational databases by injecting malicious SQL statements to manipulate data, bypass authentication, or perform privilege escalation. It does not interact with XML or XPath queries. CSRF (Cross-Site Request Forgery) tricks authenticated users into executing unintended actions on a web application, but it does not exploit XML query logic. XSS (Cross-Site Scripting) allows attackers to inject malicious scripts into client-side browsers, but it targets web page execution rather than XML query processing.
XPath injection is correct because it exploits the lack of input validation in XML queries, allowing attackers to alter query logic to access unauthorized data. Mitigation strategies include parameterizing XPath queries, validating and escaping user input, and applying the principle of least privilege when processing XML data. Understanding XPath injection is critical for developers working with XML-based systems or legacy applications that rely on XML for authentication, configuration, or data storage. This vulnerability highlights that all input-processing systems, whether database-driven or XML-driven, must implement rigorous input handling and sanitization measures to prevent data breaches and unauthorized access.
Question 71
Which post-exploitation activity focuses on mapping network structure and reachable targets?
A) Internal reconnaissance
B) Password spraying
C) ARP spoofing
D) Session fixation
Answer: A) Internal reconnaissance
Explanation:
Internal reconnaissance is a critical post-exploitation activity that occurs after an attacker gains initial access to a target network. Its primary goal is to gather comprehensive information about the internal environment to plan subsequent attacks such as lateral movement, privilege escalation, or data exfiltration. This activity involves discovering network hosts, shared resources, domain trust relationships, Active Directory objects, open ports, and reachable targets within the compromised environment.
Attackers systematically map network segments, identify valuable assets, and understand how different systems communicate with each other. Internal reconnaissance can include enumeration of user accounts, service accounts, and permission structures, which allows attackers to understand security boundaries and potential weak points. Password spraying, on the other hand, is a brute-force attack method in which commonly used passwords are tried against multiple accounts to avoid account lockouts.
While password spraying can be part of gaining additional access during post-exploitation, it does not provide mapping or detailed structural knowledge of the network. ARP spoofing is a network-level attack that involves sending falsified Address Resolution Protocol messages to intercept or redirect traffic between hosts. It is primarily used for man-in-the-middle attacks, not for mapping internal network structures. Session fixation targets user sessions by forcing a user to use a known session ID, which allows an attacker to hijack a session, but this technique focuses on authentication manipulation rather than network discovery.
Internal reconnaissance is considered correct because it focuses on systematically mapping the network environment, identifying reachable targets, discovering connections between hosts, and understanding trust relationships, which are essential for planning lateral movement, privilege escalation, and achieving long-term persistence within a compromised network.
This step is a prerequisite for more advanced attacks and is crucial for attackers to understand the internal landscape before attempting higher-value exploits or data exfiltration.
Question 72
Which malware spreads through USB devices by placing hidden executables?
A) USB worm
B) Trojan
C) Logic bomb
D) Ransomware
Answer: A) USB worm
Explanation:
A USB worm is a type of self-replicating malware that propagates specifically through removable storage devices such as USB flash drives. When a USB containing a worm is inserted into a computer, the worm automatically executes, copying itself to the new system and often placing hidden executables or autorun scripts to ensure further spread. This propagation method exploits the common practice of using USB drives across multiple systems, allowing the malware to infect systems that are not directly connected to the internet.
A Trojan, in contrast, is malicious software that masquerades as legitimate software to trick users into installing it. While Trojans can carry payloads like keyloggers, ransomware, or backdoors, they typically do not self-replicate via removable drives. Logic bombs are programmed to trigger malicious actions under specific conditions, such as a certain date, file, or system event, but they do not propagate themselves to other systems autonomously.
Ransomware is designed to encrypt files and demand payment from victims but usually spreads through phishing emails, network shares, or exploits rather than USB devices. USB worms are correct in this context because their primary characteristic is self-replication via removable media, exploiting the physical transfer of storage devices. Once a system is infected, the worm can further attempt to compromise connected networks, copy itself to other drives, and establish persistence.
Understanding USB worms is important because they demonstrate how malware can bypass traditional network security measures, highlighting the need for endpoint security policies that restrict autorun features, scan removable devices, and monitor for unauthorized executables. Attackers leverage USB worms to infiltrate air-gapped networks or isolated systems that are otherwise unreachable through standard network-based attacks, making them particularly insidious in sensitive or high-security environments.
Question 73
Which attack floods a WLAN with fake deauthentication frames?
A) Deauth attack
B) Evil twin
C) WEP cracking
D) MAC flooding
Answer: A) Deauth attack
Explanation:
A deauthentication (deauth) attack is a wireless network attack that targets Wi-Fi clients and access points by flooding the network with forged deauthentication frames. In a typical Wi-Fi environment, deauthentication frames are management messages used to terminate a client’s connection to an access point in a legitimate context. Attackers exploit this mechanism by crafting and sending large volumes of fake deauth frames, causing clients to be repeatedly disconnected.
This disruption can lead to denial-of-service conditions, force clients to reconnect to rogue access points, or facilitate further attacks such as credential interception or man-in-the-middle exploits. An evil twin attack involves creating a rogue access point that impersonates a legitimate Wi-Fi network to trick users into connecting, but it does not inherently flood the network with deauthentication frames. WEP cracking attacks aim to exploit weaknesses in the Wired Equivalent Privacy (WEP) encryption protocol, primarily through capturing Initialization Vectors (IVs) to recover encryption keys, and are not related to sending deauth frames.
MAC flooding targets switches by overwhelming the MAC address table to force traffic into a hub-like state, but this attack occurs at the wired network layer and does not disrupt WLAN connections. Deauth attacks are particularly effective because the 802.11 management frames are often unauthenticated, meaning attackers can perform them without needing to compromise the access point or client devices. These attacks can be used to disconnect devices to coerce them into connecting to a rogue access point or to interrupt critical communications, making them a versatile tool in wireless network exploitation.
Therefore, a deauth attack is correct because it specifically exploits WLAN management frame vulnerabilities to forcibly disconnect clients, disrupt connectivity, and enable secondary attacks such as session hijacking or credential capture. Network administrators mitigate these attacks using Wi-Fi Protected Access (WPA3), 802.11w protected management frames, monitoring tools, and robust wireless intrusion detection systems.
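The wireless intrusion detection and 802.11w mitigations above, as an added example that is not code from the page: a parser for the 802.11 management frame header that recognises deauthentication frames (type 0, subtype 12), a sliding-window detector that alerts when one BSSID sees a burst of them, and a second check that flags unprotected deauth frames for a BSSID known to enforce protected management frames. The capture is constructed inline, and the MAC addresses, window and threshold are assumptions.

```python
import struct
from collections import defaultdict, deque

MGMT, SUBTYPE_BEACON, SUBTYPE_DEAUTH = 0, 8, 12
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt_frame(subtype, da, sa, bssid, body=b"", protected=False) -> bytes:
    """Constructed fixture: 24-byte 802.11 management header plus optional body."""
    fc0 = (subtype << 4) | (MGMT << 2)      # version 0, type 0 (management), subtype
    fc1 = 0x40 if protected else 0x00       # bit 6 of the second FC byte: Protected Frame
    return bytes([fc0, fc1]) + b"\x00\x00" + mac(da) + mac(sa) + mac(bssid) + b"\x00\x00" + body


def parse_mgmt_frame(raw: bytes) -> dict:
    """Decode frame control and the three addresses; add the reason code for deauth."""
    if len(raw) < 24:
        raise ValueError("short frame")
    fc0, fc1 = raw[0], raw[1]
    info = {
        "type": (fc0 >> 2) & 0x3,
        "subtype": fc0 >> 4,
        "protected": bool(fc1 & 0x40),
        "da": mac_str(raw[4:10]),
        "sa": mac_str(raw[10:16]),
        "bssid": mac_str(raw[16:22]),
    }
    if info["type"] == MGMT and info["subtype"] == SUBTYPE_DEAUTH and len(raw) >= 26:
        info["reason"] = struct.unpack("<H", raw[24:26])[0]   # little-endian per 802.11
    return info


def detect_deauth_flood(capture, window_s=1.0, threshold=20, pmf_bssids=frozenset()):
    """capture: iterable of (timestamp, raw_frame). Returns [(kind, bssid, ts)].

    DEAUTH-FLOOD: at least `threshold` deauth frames for one BSSID inside `window_s`.
    UNPROTECTED-DEAUTH: a deauth without the Protected bit for a BSSID that
    enforces 802.11w, which a legitimate station or AP would never send.
    Each (kind, bssid) pair is reported once.
    """
    recent = defaultdict(deque)
    alerts, seen = [], set()
    for ts, raw in capture:
        f = parse_mgmt_frame(raw)
        if f["type"] != MGMT or f["subtype"] != SUBTYPE_DEAUTH:
            continue
        if f["bssid"] in pmf_bssids and not f["protected"]:
            key = ("UNPROTECTED-DEAUTH", f["bssid"])
            if key not in seen:
                seen.add(key)
                alerts.append(key + (ts,))
        window = recent[f["bssid"]]
        window.append(ts)
        while window and ts - window[0] > window_s:
            window.popleft()
        key = ("DEAUTH-FLOOD", f["bssid"])
        if len(window) >= threshold and key not in seen:
            seen.add(key)
            alerts.append(key + (ts,))
    return alerts


def sample_capture():
    """Constructed capture: a beacon and one normal client deauth on AP A, then a
    burst of 30 broadcast deauth frames within 0.3 s carrying AP B's address."""
    ap_a, ap_b, client = "02:00:00:00:aa:01", "02:00:00:00:bb:01", "02:00:00:00:cc:01"
    leaving = struct.pack("<H", 3)    # reason 3: station is leaving the network
    class3 = struct.pack("<H", 7)     # reason 7: class 3 frame from nonassociated station
    cap = [
        (0.0, build_mgmt_frame(SUBTYPE_BEACON, BROADCAST, ap_a, ap_a)),
        (0.5, build_mgmt_frame(SUBTYPE_DEAUTH, ap_a, client, ap_a, leaving)),
    ]
    cap += [(1.0 + i * 0.01, build_mgmt_frame(SUBTYPE_DEAUTH, BROADCAST, ap_b, ap_b, class3))
            for i in range(30)]
    return cap


if __name__ == "__main__":
    for alert in detect_deauth_flood(sample_capture(), pmf_bssids={"02:00:00:00:bb:01"}):
        print(alert)
```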
Question 74
Which tool is used to analyze and exploit Active Directory attack paths?
A) BloodHound
B) John the Ripper
C) Wireshark
D) SQLMap
Answer: A) BloodHound
Explanation:
BloodHound is a specialized tool used for analyzing, visualizing, and exploiting attack paths within Microsoft Active Directory (AD) environments. It gathers information on AD objects, such as users, groups, computers, and trusts, and maps relationships to identify potential privilege escalation paths. Using graph theory, BloodHound helps security professionals and attackers alike understand complex trust relationships, membership hierarchies, and access permissions within an AD environment.
John the Ripper is a password-cracking tool that uses brute-force, dictionary, and hybrid techniques to recover passwords from hashed values but does not provide mapping of attack paths or privilege relationships. Wireshark is a network protocol analyzer that captures and inspects traffic for analysis, troubleshooting, or monitoring purposes, without providing direct insights into AD structures or privilege escalation routes. SQLMap is a tool designed to automate detection and exploitation of SQL injection vulnerabilities in web applications, which is unrelated to Active Directory attack path mapping.
BloodHound is correct because it allows attackers to visualize paths from lower-privileged accounts to domain admins or other high-value targets, identifying misconfigurations or excessive privileges that can be exploited. It supports both offensive and defensive operations: defenders can use it to proactively identify risky privilege assignments, while attackers use it to prioritize targets for lateral movement and domain dominance.
BloodHound typically collects data using built-in AD queries or agents that extract information such as group memberships, session information, local administrator rights, and trust relationships. By analyzing this data, one can construct a complete map of potential attack vectors within an enterprise network.
This capability is crucial for post-compromise planning, penetration testing, and red team operations, enabling systematic exploitation of complex enterprise environments. Thus, BloodHound is the correct tool because it specifically targets the analysis and exploitation of Active Directory relationships to reveal attack paths and escalation opportunities.
Question 75
Which attack replaces legitimate code in memory without touching the disk?
A) Process hollowing
B) Rootkit
C) Trojan
D) Directory traversal
Answer: A) Process hollowing
Explanation:
Process hollowing is a sophisticated malware technique in which an attacker creates a legitimate process in a suspended state, removes or “hollows out” its original executable code in memory, and replaces it with malicious code. The process is then resumed, executing the attacker’s payload under the guise of a trusted application, which can evade security monitoring tools that rely on process names or signatures. Rootkits are designed to hide malicious activities and maintain persistent access, often modifying kernel or system files on disk to evade detection, but they may not specifically perform memory-only code replacement.
Trojans masquerade as legitimate software to trick users into executing them, and while they can deliver malicious payloads, they often write to disk and do not inherently replace code within a running process. Directory traversal attacks manipulate file paths to access unauthorized files on disk, which is unrelated to memory-only execution.
Process hollowing is correct because it performs malicious actions entirely in memory, avoiding traditional file-based detection mechanisms such as antivirus scanners that inspect executables on disk. This technique allows attackers to maintain stealth and persistence while blending in with legitimate processes.
It is commonly used in advanced persistent threats (APTs) and sophisticated malware campaigns targeting enterprise systems. Attackers use process hollowing to execute keyloggers, ransomware, or backdoors while minimizing traces on the file system.
Detecting process hollowing often requires monitoring process creation and memory injection behaviors, analyzing abnormal thread activity, and leveraging endpoint detection and response (EDR) tools capable of identifying runtime memory modifications.
By understanding this attack, security teams can improve defenses against memory-resident malware that bypasses conventional detection strategies, reinforcing the importance of behavior-based monitoring over simple signature-based protection.
Question 76
Which type of attack uses fraudulent SSL certificates to impersonate secure websites?
A) SSL spoofing
B) Phishing
C) DNS tunneling
D) ARP poisoning
Answer: A) SSL spoofing
Explanation:
SSL spoofing is an attack in which attackers forge SSL/TLS certificates to make a malicious website appear secure. The forged certificate convinces users and applications that they are communicating with a legitimate, encrypted website. This can allow attackers to intercept sensitive information, such as credentials, financial data, or personal details, without triggering browser warnings. Fraudulent certificates exploit the trust model of PKI, where browsers rely on trusted certificate authorities to validate authenticity.
Phishing, by comparison, is a social engineering attack designed to trick users into providing sensitive information, usually through deceptive emails or websites. While phishing can be combined with SSL spoofing to increase credibility, it does not inherently involve forging SSL certificates. DNS tunneling, on the other hand, is a technique for hiding data within DNS queries and responses, primarily for data exfiltration or command-and-control communication. It does not directly spoof secure website identities.
ARP poisoning redirects traffic between hosts on a local network, enabling man-in-the-middle attacks. Although ARP poisoning can capture data or manipulate traffic, it does not involve certificates or HTTPS encryption. SSL spoofing is correct because it specifically leverages fake certificates to impersonate secure sites, allowing attackers to deceive users who rely on browser padlocks or HTTPS indicators.
Organizations can mitigate SSL spoofing by enforcing certificate pinning, monitoring certificate issuance for their domains, and using strict transport security policies. End users should be aware of certificate warnings and avoid bypassing browser alerts. SSL spoofing demonstrates how attackers exploit cryptographic trust rather than network weaknesses, making it a critical concern in web security.
Question 77
Which cloud security issue allows attackers to move between tenants due to isolation failure?
A) Hypervisor escape
B) Public bucket enumeration
C) DoS attack
D) Credential stuffing
Answer: A) Hypervisor escape
Explanation:
Hypervisor escape occurs when an attacker exploits vulnerabilities in the hypervisor or virtualization layer to break isolation between virtual machines (VMs). This allows the attacker to move from a compromised VM to other VMs hosted on the same physical server, potentially accessing sensitive data from different tenants. Such isolation failures violate the core security principle of multi-tenancy in cloud environments.
Public bucket enumeration, by contrast, targets storage misconfigurations, allowing attackers to find publicly exposed data. While it exposes information, it does not break VM isolation or enable cross-tenant access. Denial-of-service (DoS) attacks aim to disrupt availability but do not allow movement between tenants. Credential stuffing uses stolen credentials to gain unauthorized access to accounts, but it is unrelated to hypervisor vulnerabilities or tenant separation.
Hypervisor escape is correct because it directly targets the virtualization layer to bypass isolation controls, representing a serious risk for cloud service providers and users. Mitigation strategies include patching hypervisor vulnerabilities, enforcing strong VM separation policies, and using security monitoring to detect unusual cross-VM activities. This attack underscores the importance of virtualization security in protecting multi-tenant cloud environments.
Question 78
Which attack exploits the way browsers store and send authentication tokens across trusted sites?
A) CSRF
B) SQL injection
C) WPA handshake attack
D) ICMP flooding
Answer: A) CSRF
Explanation:
Cross-site request forgery (CSRF) tricks a user’s authenticated browser into sending unintended requests to a trusted website. The attack exploits the fact that browsers automatically include authentication tokens or cookies with each request to the site. Attackers use this behavior to perform unauthorized actions, such as changing account details, initiating transactions, or altering settings, without the user’s knowledge.
SQL injection targets backend databases by manipulating queries through user input. While it is a critical web application vulnerability, it does not exploit browser token handling. WPA handshake attacks target Wi-Fi networks by capturing handshakes to recover encryption keys, unrelated to web sessions or authentication tokens. ICMP flooding is a denial-of-service technique at the network layer, designed to overwhelm a system with ping requests.
CSRF is correct because it specifically abuses the browser’s automatic handling of session tokens across trusted sites. Effective defenses include using anti-CSRF tokens, validating origin headers, and implementing same-site cookie attributes. By understanding CSRF, developers can protect users from attacks that occur silently and exploit inherent browser trust relationships.
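The three defenses named above (anti-CSRF tokens, origin validation, SameSite cookies) fit in a few lines of server-side logic. The following added example (not from the original page or any particular framework) implements a synchronizer-token check with constant-time comparison, an Origin/Referer allow-list that fails closed, and the cookie attributes a session cookie should carry; the site origin `https://bank.example` and the request shapes are assumed sample values.

```python
"""Added example: server-side CSRF defenses for state-changing requests.
Framework-agnostic; headers, cookies and form fields are plain dicts.
The allowed origin is a constructed placeholder."""
import hmac
import secrets
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://bank.example"}   # assumption: the site's own origin
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token():
    """Per-session random token; the server stores it in the session and
    embeds it in forms, so a cross-site page cannot read it."""
    return secrets.token_urlsafe(32)


def origin_allowed(headers):
    """Accept only requests whose Origin (or, failing that, Referer) matches
    our own origin. A state-changing request with neither header is rejected."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in ALLOWED_ORIGINS


def csrf_token_valid(session_token, submitted_token):
    """Constant-time comparison of the session's token with the form value."""
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


def state_changing_request_allowed(method, headers, session_token, form):
    """Decision for one request: safe methods pass, everything else needs
    both an acceptable origin and a matching anti-CSRF token."""
    if method.upper() in SAFE_METHODS:
        return True
    return origin_allowed(headers) and csrf_token_valid(
        session_token, form.get("csrf_token")
    )


def session_cookie_header(session_id):
    """Set-Cookie value: SameSite=Lax stops the browser attaching the cookie
    to cross-site POSTs, which is what CSRF relies on; Secure and HttpOnly
    limit exposure over plaintext and to scripts."""
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    token = issue_csrf_token()
    good = {"Origin": "https://bank.example"}
    print(state_changing_request_allowed("POST", good, token, {"csrf_token": token}))
    print(state_changing_request_allowed("POST", {"Origin": "https://evil.example"},
                                         token, {"csrf_token": token}))
    print(session_cookie_header("abc123"))
```

SameSite=Lax is the default in current browsers but should still be set explicitly; where a cross-site login flow is needed, the token and origin checks remain the controls that do the real work.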
Question 79
Which tool is used to brute-force RDP credentials?
A) Hydra
B) Wireshark
C) Nmap
D) DirBuster
Answer: A) Hydra
Explanation:
Hydra is a versatile password-cracking tool capable of performing brute-force attacks on multiple protocols, including Remote Desktop Protocol (RDP). It attempts a large number of username-password combinations to gain unauthorized access. Hydra’s modular design allows users to specify target protocols, credential lists, and connection parameters, making it effective for testing or attacking RDP services.
Wireshark captures and analyzes network traffic but does not perform brute-force attacks. Nmap is primarily a network scanning tool used to identify open ports, services, and host operating systems. DirBuster enumerates web directories and files, unrelated to RDP or credential attacks.
Hydra is correct because it is specifically designed to automate credential attacks against services like RDP. Organizations can defend against such attacks by enforcing strong passwords, limiting login attempts, and implementing multi-factor authentication. Hydra demonstrates the risk posed by brute-force attacks when proper authentication controls are not in place.
Question 80
Which attack modifies blockchain transaction sequences without altering previous block hashes?
A) Race attack
B) Sybil attack
C) 51% attack
D) Replay attack
Answer: A) Race attack
Explanation:
A race attack targets blockchain systems by broadcasting two conflicting transactions almost simultaneously. The goal is to spend the same cryptocurrency twice before the network confirms the initial transaction. The attacker exploits the time gap between transaction propagation and confirmation.
Sybil attacks involve creating numerous fake identities in a blockchain network to gain disproportionate influence, often affecting consensus mechanisms. A 51% attack occurs when a single entity controls the majority of the network’s mining or validating power, enabling rewriting of blockchain history, including prior blocks. Replay attacks resubmit valid transactions across chains or networks, but they do not manipulate transaction order before confirmation.
Race attacks are correct because they specifically manipulate transaction order without modifying historical block data. Preventive measures include waiting for sufficient transaction confirmations, monitoring mempool transactions, and implementing double-spending safeguards. Understanding race attacks is crucial for secure cryptocurrency operations, ensuring transactions cannot be reversed or duplicated during propagation delays.
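The "monitoring mempool transactions" safeguard means indexing which unspent outputs each pending transaction consumes and flagging a second transaction that consumes one already claimed. This added example (not from the original page or any real node software) models a minimal mempool with that conflict check and a confirmation-count policy; transaction ids, outpoints and addresses are constructed sample values.

```python
"""Added example: detect a double-spend race in a toy mempool and apply a
confirmation policy before treating a payment as final. All identifiers
are constructed; the data model is deliberately simplified."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple    # outpoints being spent, as "prev_txid:index"
    outputs: tuple   # (address, amount) pairs


class Mempool:
    """Unconfirmed transactions indexed by the outpoints they spend."""

    def __init__(self):
        self.txs = {}          # txid -> Tx
        self.spent_by = {}     # outpoint -> txid that first claimed it

    def add(self, tx):
        """Admit `tx` if none of its inputs are already claimed; otherwise
        return the sorted list of conflicting txids and keep `tx` out."""
        conflicts = sorted(
            {self.spent_by[op] for op in tx.inputs
             if op in self.spent_by and self.spent_by[op] != tx.txid}
        )
        if conflicts:
            return conflicts
        self.txs[tx.txid] = tx
        for op in tx.inputs:
            self.spent_by[op] = tx.txid
        return []


def payment_final(confirmations, required=6):
    """Merchant policy: release goods only after `required` confirmations,
    the point at which a conflicting transaction can no longer win the race
    without rewriting confirmed blocks (the 51% case, not a race attack)."""
    return confirmations >= required


def simulate_race():
    """Two transactions spending the same outpoint arrive back to back:
    one pays the merchant, the other returns the coins to the sender."""
    shared_input = ("prev0000:0",)                   # constructed outpoint
    to_merchant = Tx("tx_merchant", shared_input, (("merchant_addr", 1.0),))
    to_self = Tx("tx_self", shared_input, (("sender_addr", 1.0),))
    pool = Mempool()
    first = pool.add(to_merchant)
    second = pool.add(to_self)
    return first, second, payment_final(0), payment_final(6)


if __name__ == "__main__":
    first, second, zero_conf, six_conf = simulate_race()
    print("first tx conflicts:", first)
    print("second tx conflicts:", second)
    print("safe at 0 confirmations:", zero_conf, "| at 6:", six_conf)
```

Which of the two transactions miners confirm depends on propagation and fees, which is why the policy keys off confirmations rather than first sight in the mempool; the conflict flag only tells the merchant a race is in progress.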