ECCouncil 312-50v13 Certified Ethical Hacker v13 Exam Dumps and Practice Test Questions Set 5 Q81-100


Question 81

Which technique involves manipulating DNS responses to redirect users to malicious destinations?

A) DNS cache poisoning
B) ARP spoofing
C) VLAN hopping
D) Port scanning

Answer: A) DNS cache poisoning

Explanation: 

DNS cache poisoning involves altering cached DNS records on a resolver to redirect users to fraudulent or malicious destinations. This manipulation targets the trust that systems place in cached DNS data, making it possible for attackers to substitute legitimate IP addresses with crafted ones that lead to phishing sites, malware delivery pages, or interception servers. The attacker injects forged DNS responses, often exploiting weak transaction ID randomness or unsecured DNS configurations. Once a poisoned entry is stored, users automatically resolve the altered address without suspecting malicious intent. This attack focuses specifically on DNS-level deception rather than lower-level network manipulation.

ARP spoofing works by sending falsified ARP messages within a local network to associate the attacker’s MAC address with the IP of a legitimate host. The goal is often to perform man-in-the-middle interception, session hijacking, or traffic redirection at the LAN layer. While it also involves deception, it does not manipulate DNS records or domain resolutions. Instead, it manipulates LAN-level address mappings and requires local network access rather than interaction with DNS infrastructure.

VLAN hopping is a technique used to gain unauthorized access to VLAN segments that should be isolated. It can be performed using double-tagging or switch spoofing, but its purpose is lateral movement and network segmentation bypass rather than redirecting external traffic. VLAN hopping abuses switch behavior and tagging vulnerabilities, not DNS resolution, and has no relation to altering domain-to-IP mapping.

Port scanning identifies open, closed, or filtered ports across a target system. It is a reconnaissance method used to enumerate services, fingerprint operating systems, or prepare for exploitation. Port scanning does not alter traffic flow or DNS behavior. Instead, it merely gathers information about the target’s network-facing attack surface.

The correct answer is DNS cache poisoning because it directly involves modifying or injecting false DNS records into caching resolvers so that users unknowingly connect to attacker-controlled destinations. This technique specifically exploits the recursive trust model of DNS resolvers, making it a classic and high-impact method for large-scale redirection attacks, credential theft, and malware deployment. The other choices involve network manipulation, service discovery, or segmentation bypass but do not modify DNS responses, which is the core requirement described in the question.
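The resolver-side checks that blunt the forged-response injection described above, as an added example (not from the original page): a minimal DNS message builder and parser, plus a validator that accepts a response only when its transaction ID, destination port and question section all match the outstanding query. The hostnames, ports and IPs are constructed sample values.

```python
import struct


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels (length-prefixed, zero-terminated)."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Minimal DNS query: header with RD set and one question of class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(txid: int, name: str, ip: str, ttl: int = 300) -> bytes:
    """Constructed A-record response (QR, RD, RA set), one question, one answer.
    Used here only to produce sample traffic for the validator."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    # 0xC00C is a compression pointer to offset 12, i.e. the question name
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_name(data: bytes, offset: int) -> tuple:
    """Decode a (possibly compressed) DNS name starting at `offset`."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            suffix, _ = parse_name(data, pointer)
            labels.append(suffix)
            return ".".join(labels), offset + 2
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_message(data: bytes) -> dict:
    """Parse the header and question section; answers are not needed to validate."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    questions = []
    for _ in range(qdcount):
        name, offset = parse_name(data, offset)
        qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((name.lower(), qtype, qclass))
    return {"txid": txid, "flags": flags, "questions": questions, "ancount": ancount}


def validate_response(query: bytes, response: bytes,
                      query_src_port: int, response_dst_port: int) -> tuple:
    """Accept a response only if it could belong to the outstanding query.

    A poisoning attempt that guesses the 16-bit transaction ID but not the
    randomized source port, or that answers for a name the resolver never asked
    about, is rejected here before anything reaches the cache.
    """
    q = parse_message(query)
    r = parse_message(response)
    if not r["flags"] & 0x8000:
        return False, "QR bit clear: not a response"
    if response_dst_port != query_src_port:
        return False, "destination port does not match the query's source port"
    if r["txid"] != q["txid"]:
        return False, "transaction ID mismatch"
    if r["questions"] != q["questions"]:
        return False, "question section does not match the outstanding query"
    return True, "accepted"
```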

Question 82

Which type of attack relies on sending malformed packets to crash or destabilize a target system?

A) Fraggle attack
B) Teardrop attack
C) Dictionary attack
D) Credential stuffing

Answer: B) Teardrop attack

Explanation: 

A Teardrop attack exploits vulnerabilities in the way an operating system reassembles fragmented IP packets. When fragmented packets overlap or are improperly constructed, vulnerable systems attempt to reassemble them and encounter errors that can crash the kernel or network stack. This form of denial-of-service targets the operating system’s fragmentation handling routines rather than bandwidth consumption. It is considered a malformed-packet attack because it uses structurally invalid packet fragments rather than volume-based flooding.

A Fraggle attack is an amplification-based denial-of-service technique that leverages UDP echo and chargen services. Attackers spoof a victim’s IP and send broadcast packets, causing multiple systems to respond simultaneously. Unlike malformed packet attacks, Fraggle uses valid but high-volume traffic for amplification and overload rather than attempting to crash the reassembly process of a protocol stack.

A dictionary attack attempts to guess authentication credentials by cycling through a predefined list of common passwords. It targets authentication weaknesses, not packet-handling vulnerabilities or system instability. It neither sends malformed packets nor attempts to crash services—it focuses strictly on password-guessing efficiency.

Credential stuffing uses previously breached username-password pairs to gain unauthorized access to accounts across multiple platforms. This method relies on credential reuse and automated login attempts. It does not involve malformed traffic, denial of service, or packet manipulation. The goal is unauthorized access, not destabilizing or crashing a system.

The correct answer is the Teardrop attack because it specifically relies on malformed and overlapping fragmented packets to trigger crashes or instability within vulnerable hosts. It directly aligns with the requirement stated in the question: the use of malformed packets for destabilization rather than brute-force password guessing (dictionary), breach-data automation (credential stuffing), or UDP-based amplification (Fraggle). Teardrop’s unique method of exploiting TCP/IP fragmentation logic is the defining characteristic that fits the described behavior, making B the correct choice.
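The fragment sanity check a hardened IP stack or firewall applies before reassembly, as an added example (not code from the page): it flags overlapping, misaligned or gapped fragments, the malformed structure the Teardrop description above relies on. The Fragment type and the sample fragment sets are constructed for illustration, not taken from any real exploit.

```python
from dataclasses import dataclass
from typing import List

MAX_DATAGRAM = 65535  # largest IPv4 datagram; offset + length may never exceed it


@dataclass(frozen=True)
class Fragment:
    ident: int    # IP Identification field shared by every fragment of one datagram
    offset: int   # fragment offset in bytes (the header field multiplied by 8)
    length: int   # payload bytes carried by this fragment
    more: bool    # MF flag: True on every fragment except the last


def check_fragments(frags: List[Fragment]) -> List[str]:
    """Return the reasons a fragment set is malformed; an empty list means it is sane.

    Exact duplicates are tolerated (retransmissions), but any other overlap,
    gap, bad alignment or missing final fragment is reported instead of being
    handed to the reassembly code.
    """
    problems = []
    if not frags:
        return ["no fragments"]
    if len({f.ident for f in frags}) != 1:
        return ["fragments do not share one Identification value"]
    ordered = sorted(set(frags), key=lambda f: f.offset)
    end = 0  # one past the last byte covered so far
    for f in ordered:
        if f.length <= 0:
            problems.append(f"zero-length fragment at offset {f.offset}")
        if f.more and f.length % 8:
            problems.append(f"non-final fragment at offset {f.offset} is not a multiple of 8 bytes")
        if f.offset + f.length > MAX_DATAGRAM:
            problems.append(f"fragment at offset {f.offset} runs past {MAX_DATAGRAM} bytes")
        if f.offset < end:
            problems.append(f"fragment at offset {f.offset} overlaps data already covered up to {end}")
        elif f.offset > end:
            problems.append(f"gap between offset {end} and {f.offset}")
        end = max(end, f.offset + f.length)
    if ordered[-1].more:
        problems.append("no final fragment: MF still set on the highest-offset fragment")
    return problems


def is_teardrop_like(frags: List[Fragment]) -> bool:
    """True when fragments overlap, the condition Teardrop-style attacks depend on."""
    return any("overlaps" in p for p in check_fragments(frags))


if __name__ == "__main__":
    # Constructed sample: a sane 3-fragment datagram and an overlapping pair
    sane = [Fragment(1, 0, 1480, True), Fragment(1, 1480, 1480, True), Fragment(1, 2960, 100, False)]
    overlapping = [Fragment(2, 0, 36, True), Fragment(2, 24, 4, False)]
    print("sane:", check_fragments(sane))
    print("overlapping:", check_fragments(overlapping))
```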

Question 83

Which tool is primarily used for password cracking through GPU-accelerated brute force and hash computation?

A) Hydra
B) Nikto
C) Hashcat
D) Wapiti

Answer: C) Hashcat

Explanation: 

Hashcat is a widely used and highly optimized password-cracking tool that utilizes GPU acceleration to perform brute force, rule-based attacks, dictionary attacks, mask attacks, and hybrid methods against various hash formats. Its GPU-driven parallel processing enables extremely fast hash computation, making it one of the most powerful offline password-cracking tools available. Hashcat supports numerous hashing algorithms including MD5, SHA-1, NTLM, bcrypt, and many others. The key feature that differentiates Hashcat from many other tools is its heavy reliance on GPU performance to achieve high cracking speeds that CPUs alone cannot match.

Hydra is a fast network login-cracking tool used for online authentication attack scenarios such as brute forcing SSH, FTP, Telnet, SMTP, RDP, and many other services. Instead of GPU-accelerated hash cracking, it attempts password combinations directly against live services. This makes Hydra excellent for online brute force but irrelevant to the offline GPU-accelerated cracking described in the question.

Nikto is a vulnerability scanner for web servers. It checks for misconfigurations, outdated software, known vulnerabilities, and dangerous scripts. Nikto does not perform password cracking, hash computation, or GPU acceleration. Its purpose lies entirely in HTTP service assessment, not cryptographic or brute-force operations.

Wapiti is a web vulnerability scanner that performs black-box testing to detect issues such as SQL injection, XSS, file disclosure, and other web-related weaknesses. Like Nikto, it focuses on web application analysis. It does not crack passwords, compute hashes, or utilize GPUs.

The correct answer is Hashcat because it specifically matches the requirement of GPU-accelerated brute force and hash cracking. Its architecture and functionality are fundamentally designed around these tasks. Hydra, Nikto, and Wapiti serve different purposes—network login brute forcing and web vulnerability scanning—and do not align with the GPU-based cracking described in the question, making C the only fitting answer.

Question 84

Which wireless attack involves forcing clients to reauthenticate by sending fake deauthentication frames?

A) Wardriving
B) Evil twin attack
C) Deauth attack
D) WEP IV collision attack

Answer: C) Deauth attack

Explanation: 

A deauthentication attack involves sending forged IEEE 802.11 deauthentication frames to wireless clients, forcing them to disconnect from an access point. Because deauthentication frames are not encrypted or authenticated in many Wi-Fi implementations, attackers can craft these packets freely. Once clients are disconnected, attackers may exploit reconnection attempts to capture WPA/WPA2 handshakes, redirect users to rogue APs, or simply disrupt service. This technique is commonly used in penetration testing to facilitate key recovery or test robustness against wireless denial-of-service conditions.

Wardriving refers to driving around an area with a Wi-Fi scanning device to map wireless networks, identify access points, and assess their security configurations. Wardriving is passive and does not involve manipulating connections or sending forged frames. It is used for reconnaissance, not for forcing reauthentication.

An evil twin attack sets up a rogue access point that mimics the SSID of a legitimate AP. While attackers may combine deauthentication to push users toward the rogue AP, the core evil twin technique involves cloning and impersonation, not specifically sending fake deauthentication frames. Thus, although related in practice, the evil twin method does not inherently require deauthentication.

A WEP IV collision attack exploits the weakness of the WEP protocol’s initialization vector (IV). By capturing large numbers of packets with repeated IVs, attackers can recover the WEP key. This method focuses on cryptographic flaws rather than deauthentication or session disruption.

The correct answer is the deauth attack because it specifically aligns with the action described: sending forged deauthentication frames to force clients to reauthenticate. None of the other techniques directly involve crafting or transmitting deauthentication frames as their primary mechanism.

Question 85

Which type of malware restricts access to files and demands payment to restore functionality?

A) Worm
B) Ransomware
C) Adware
D) Keylogger

Answer: B) Ransomware

Explanation: 

Ransomware is a type of malware designed to encrypt a victim’s files or lock their systems, demanding payment—typically in cryptocurrency—to restore access. It often spreads via phishing emails, exploit kits, or remote service attacks. Once activated, ransomware encrypts data using strong cryptographic algorithms, displays ransom instructions, and threatens permanent data loss unless the demand is met. Its defining characteristic is the extortion component tied to data unavailability, making it distinct from other malware categories.

A worm is malware capable of self-replication and autonomous propagation across networks. Worms often exploit vulnerabilities to spread without user involvement. While they can deliver ransomware as a payload, worms themselves do not inherently restrict file access or demand payment. They focus primarily on replication and spreading efficiency.

Adware displays unwanted advertisements, generates pop-ups, or redirects browsing sessions for revenue generation. It aims to monetize user attention rather than encrypting data or denying access. While annoying and potentially privacy-invasive, adware does not engage in extortion and does not prevent users from accessing files.

A keylogger captures keystrokes, screen activity, or user interactions to steal credentials and sensitive information. It operates stealthily, focusing on data theft rather than holding files hostage. Keyloggers aim to facilitate credential compromise or identity theft, not extortion.

The correct answer is ransomware because it uniquely meets all elements described in the question: file restriction and financial demand. Worms focus on replication, adware focuses on advertising, and keyloggers focus on capturing input. None of these involve payment-based file recovery, making B the only accurate match.

Question 86

Which scanning technique attempts to determine open ports by sending packets without completing the full TCP handshake?

A) Full connect scan
B) SYN scan
C) Null scan
D) XMAS scan

Answer: B) SYN scan

Explanation: 

A SYN scan (also known as half-open scanning) sends TCP SYN packets to target ports without completing the full three-way handshake. When the target responds with SYN/ACK, the scanner knows the port is open but immediately replies with an RST to avoid establishing a full connection. This makes SYN scanning fast, stealthier, and less resource-intensive than full TCP connect scans. Penetration testers frequently use SYN scans to enumerate services while minimizing logging and detection.

A full connect scan completes the entire TCP handshake. The scanner sends SYN, receives SYN/ACK, responds with ACK, and establishes a full connection before closing it. While reliable, this method is more detectable and slower. It does not match the half-open behavior described in the question.

A null scan involves sending TCP packets with no flags set. Depending on how systems handle such packets, the response may indicate whether ports are open or closed. Null scans are stealthy but less reliable across diverse operating systems and do not resemble the process of initiating but not completing a handshake.

An XMAS scan sends packets with FIN, URG, and PSH flags lit, resembling a “lit-up” Christmas tree. Like null scans, responses vary by OS, and these scans are used for stealth enumeration but do not mimic the handshake process or determine open ports through SYN-initiated probing.

The correct answer is SYN scan because it directly corresponds to the technique that sends SYN packets without completing the TCP handshake. This specificity aligns with the question’s requirement that the scan attempts to identify open ports while avoiding full connection establishment. Full connect, null, and XMAS scans involve different packet flag behaviors and do not match the half-open handshake mechanism described.
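The detection side of the half-open behaviour described above, as an added example that is not part of the original page: it groups packets from a tcpdump-style log into flows, labels each as a full connect, a half-open probe (SYN, SYN/ACK, then RST), a closed port or an unanswered SYN, and reports clients that touched many ports without ever completing a handshake. The log format, hosts and ports are constructed for this example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed log in a tcpdump-like shape: "<ts> <src>:<sport> > <dst>:<dport> [<flags>]"
# Flag letters follow tcpdump: S = SYN, S. = SYN/ACK, . = ACK, R = RST, R. = RST/ACK.
SAMPLE_LOG = """\
1.000 10.0.0.5:40001 > 10.0.0.9:21 [S]
1.001 10.0.0.9:21 > 10.0.0.5:40001 [R.]
1.002 10.0.0.5:40002 > 10.0.0.9:22 [S]
1.003 10.0.0.9:22 > 10.0.0.5:40002 [S.]
1.004 10.0.0.5:40002 > 10.0.0.9:22 [R]
1.005 10.0.0.5:40003 > 10.0.0.9:25 [S]
1.006 10.0.0.9:25 > 10.0.0.5:40003 [R.]
1.007 10.0.0.5:40004 > 10.0.0.9:80 [S]
1.008 10.0.0.9:80 > 10.0.0.5:40004 [S.]
1.009 10.0.0.5:40004 > 10.0.0.9:80 [R]
1.010 10.0.0.5:40005 > 10.0.0.9:443 [S]
1.011 10.0.0.9:443 > 10.0.0.5:40005 [S.]
1.012 10.0.0.5:40005 > 10.0.0.9:443 [R]
1.013 10.0.0.5:40006 > 10.0.0.9:8080 [S]
2.000 10.0.0.7:51000 > 10.0.0.9:443 [S]
2.001 10.0.0.9:443 > 10.0.0.7:51000 [S.]
2.002 10.0.0.7:51000 > 10.0.0.9:443 [.]
"""

LINE = re.compile(
    r"^(?P<ts>[\d.]+) (?P<src>[\d.]+):(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) \[(?P<flags>[A-Za-z.]*)\]$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; returns None for lines that do not match the format."""
    m = LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": float(d["ts"]), "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]), "flags": d["flags"]}


def group_flows(log: str) -> Dict[tuple, List[str]]:
    """Key packets by (client, client port, server, server port) and record the
    flag sequence, prefixed with the sender: 'c:' client, 's:' server.
    The first packet seen for a 4-tuple is taken to come from the client."""
    flows: Dict[tuple, List[str]] = defaultdict(list)
    for line in log.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if rev in flows:
            flows[rev].append("s:" + p["flags"])
        else:
            flows[fwd].append("c:" + p["flags"])
    return flows


def classify(seq: List[str]) -> str:
    """Label one flow from its flag sequence."""
    if seq[:3] == ["c:S", "s:S.", "c:."]:
        return "full_connect"
    if seq[:3] == ["c:S", "s:S.", "c:R"]:
        return "half_open_open"   # open port probed, handshake aborted with RST
    if seq[:2] == ["c:S", "s:R."]:
        return "closed"
    if seq == ["c:S"]:
        return "no_response"      # filtered, or the probe is still in flight
    return "other"


def detect_syn_scanners(log: str, min_ports: int = 5) -> Dict[str, List[int]]:
    """Report clients that probed at least `min_ports` distinct server ports
    without completing a handshake on any of those flows."""
    probed: Dict[str, set] = defaultdict(set)
    for (client, _, _, dport), seq in group_flows(log).items():
        if classify(seq) in ("half_open_open", "closed", "no_response"):
            probed[client].add(dport)
    return {c: sorted(ports) for c, ports in probed.items() if len(ports) >= min_ports}
```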

Question 87

Which attack targets web applications by inserting malicious scripts into trusted web pages viewed by other users?

A) Cross-site scripting
B) SQL injection
C) LDAP injection
D) Directory traversal

Answer: A) Cross-site scripting

Explanation: 

Cross-site scripting (XSS) is a client-side attack where attackers inject malicious scripts, typically JavaScript, into trusted web pages. When other users visit the affected page, the malicious code executes within their browser under the security context of that website. XSS exploits vulnerabilities in web application input validation, where untrusted input is improperly sanitized, encoded, or filtered, allowing attackers to inject arbitrary scripts. Once executed in a victim’s browser, XSS can have multiple consequences: attackers can steal cookies and session tokens, hijack user sessions, perform actions on behalf of the user, log keystrokes, or redirect users to malicious websites. XSS is commonly categorized into three types: stored (persistent), reflected (non-persistent), and DOM-based, each differing in how and where the malicious script is delivered and executed. Stored XSS saves the malicious payload on the server to be delivered to other users, reflected XSS returns the payload in HTTP responses based on user input, and DOM-based XSS occurs entirely within client-side scripts manipulating the DOM.

SQL injection, by contrast, is a server-side attack targeting backend databases. Attackers manipulate SQL queries by inserting crafted input into application forms, URL parameters, or API calls to retrieve sensitive data, modify database records, bypass authentication, or execute administrative commands. SQL injection does not deliver scripts to client browsers and does not rely on browser execution. It impacts database integrity and confidentiality rather than client-side execution, making its scope fundamentally different from XSS.

LDAP injection manipulates Lightweight Directory Access Protocol queries by injecting malicious input into LDAP filters. The objective is usually to bypass authentication, extract directory data, or escalate privileges in directory services. LDAP injection affects server-side directory queries and authentication logic, not browser-side script execution. Unlike XSS, it does not expose other users to malicious scripts or hijack their sessions.

Directory traversal exploits insufficient input validation to access files and directories outside a web server’s intended file system boundaries, often using ../ sequences (or their URL-encoded equivalents). The goal is to disclose or modify restricted files, read sensitive configuration data, or gain unauthorized access to resources. Directory traversal is a server-side file access vulnerability, not a mechanism for executing scripts in a user’s browser.

The correct answer is cross-site scripting (XSS) because it uniquely involves injecting malicious scripts into trusted web pages to execute in other users’ browsers. The other options—SQL injection, LDAP injection, and directory traversal—affect server-side databases, directory services, or file systems and do not provide a client-side script execution vector, which is the defining trait of XSS.

Question 88

Which cloud security model states that the provider secures the infrastructure while the customer secures data and configurations?

A) Shared Responsibility Model
B) Zero Trust Model
C) Defense in Depth
D) Cloud Bursting Model

Answer: A) Shared Responsibility Model

Explanation:

The Shared Responsibility Model defines the division of security duties between a cloud service provider and its customers. In this model, the provider secures the underlying infrastructure—such as physical servers, storage, networking, hypervisors, and foundational platform services—while the customer is responsible for securing data, access controls, identity management, configurations, and application-level protections. The exact division varies between IaaS, PaaS, and SaaS offerings, but the core principle remains consistent: both parties share security obligations.

The Zero Trust Model operates under the premise that no user or device should be trusted by default, regardless of whether it is inside or outside the network. It enforces continuous authentication, authorization, and monitoring. While Zero Trust is important for cloud environments, it does not define the responsibility split between provider and customer.

Defense in Depth refers to layering multiple security controls across various layers—network, application, endpoint, data, and user—to create redundancy and resilience. This is a security strategy, not a model for dividing responsibilities in cloud environments.

Cloud Bursting allows workloads to expand into public clouds when demand exceeds local resources. It relates to scalability and hybrid cloud architectures but has nothing to do with allocating security duties.

The correct answer is the Shared Responsibility Model because it uniquely addresses the distribution of security tasks between the cloud provider and the customer. The other models address trust, layered security, or scalability, none of which define responsibility boundaries.

Question 89

Which type of social engineering involves impersonating a legitimate organization through calls to manipulate users?

A) Vishing
B) Phishing
C) Smishing
D) Shoulder surfing

Answer: A) Vishing

Explanation: 

Vishing refers to voice-based social engineering conducted over phone calls, VoIP systems, or automated voice messages. Attackers impersonate legitimate entities such as banks, IT departments, or government agencies to extract sensitive information, convince users to divulge credentials, or trick them into installing malware. Vishing exploits trust in voice communication and can involve caller ID spoofing, persuasive dialogue, and emotional manipulation. The defining characteristic is the use of voice channels rather than text or physical observation.

Phishing uses email or web-based messages to deceive users into divulging information or clicking malicious links. While similar in intent, phishing is text-based and delivered electronically rather than via voice communications. It does not involve phone impersonation.

Smishing is SMS-based phishing. Attackers send malicious text messages posing as trusted entities. Although smishing resembles phishing, it uses mobile messaging rather than phone calls or voice impersonation.

Shoulder surfing involves physically observing someone entering sensitive data, such as PINs or passwords. It is a visual technique, not a digital or voice-based impersonation method.

The correct answer is vishing because it uniquely matches the requirement of voice-based impersonation. The other techniques involve email, SMS, or physical observation, none of which involve the phone-based manipulation described.

Question 90

Which Windows tool can be used to analyze logs, system events, and security-related alerts?

A) Event Viewer
B) Task Scheduler
C) Group Policy Editor
D) Registry Editor

Answer: A) Event Viewer

Explanation:

Event Viewer is a built-in Windows utility used to analyze system logs, application logs, security events, and other operating system activities. It organizes logs into categories such as System, Application, and Security, enabling analysts to investigate authentication attempts, system warnings, failures, service behavior, and audit trails. Penetration testers and forensic analysts rely on Event Viewer to understand system activity and identify anomalies, especially in authentication events, privilege escalation attempts, or suspicious service behavior.

Task Scheduler automates the execution of programs or scripts based on triggers or schedules. While attackers may abuse it for persistence, it is not used for log analysis or event review. Its purpose is automation, not monitoring.

Group Policy Editor manages policy settings for users and computers. Administrators use it to enforce security configurations, access restrictions, software controls, and other behavioral rules. It does not provide event logs or detailed system event histories.

Registry Editor allows modification of the Windows Registry, a hierarchical database storing configuration settings. It is useful for configuration changes and forensic investigation but does not display system logs or event histories.

The correct answer is Event Viewer because it is the dedicated log analysis tool within Windows. None of the other utilities are designed to analyze logs, making A the only correct response.

Question 91

Which technology allows attackers to trick a user’s browser into using an attacker-controlled proxy through WPAD manipulation?

A) Proxy auto-config poisoning
B) Clickjacking
C) Header injection
D) DNS zone transfer

Answer: A) Proxy auto-config poisoning

Explanation: 

Proxy auto-config (PAC) poisoning or WPAD (Web Proxy Auto-Discovery) hijacking involves manipulating how browsers automatically discover proxy settings. WPAD relies on DNS or DHCP to locate proxy configuration files. Attackers can create malicious PAC files or spoof WPAD hostnames, causing browsers to route traffic through an attacker-controlled proxy. This enables interception, monitoring, modification, or redirection of victim traffic. The defining trait is tricking the browser’s automatic proxy discovery mechanism.

Clickjacking overlays transparent or disguised UI elements to trick users into clicking unintended buttons or links. It manipulates user interactions, not proxy routing or PAC file distribution.

Header injection involves inserting malicious headers into HTTP responses or requests due to improper input handling. While it may enable XSS or redirection, it does not manipulate proxy configuration or WPAD behavior.

DNS zone transfer is a legitimate mechanism for replicating DNS records between servers. Attackers may attempt unauthorized zone transfers for reconnaissance, but the technique does not involve proxy discovery or forced proxy usage.

The correct answer is proxy auto-config poisoning because it specifically involves manipulating WPAD or PAC mechanisms to push users toward attacker-controlled proxies. The other choices lack any relation to proxy discovery or proxy configuration hijacking.

Question 92

Which malware propagation method spreads automatically without requiring user interaction?

A) Worm
B) Trojan
C) Rootkit
D) Spyware

Answer: A) Worm

Explanation:

A worm is a type of self-replicating malware capable of propagating autonomously across networks and systems without any user intervention. Unlike other malware, worms can scan networks, exploit vulnerabilities, and move laterally to infect additional hosts independently. They often exploit software flaws, misconfigured systems, open ports, or weak authentication to spread efficiently. Worms are notorious for their rapid and indiscriminate propagation, as exemplified by Conficker, which infected millions of computers worldwide, and WannaCry, which leveraged the EternalBlue SMB exploit to spread quickly across unpatched systems. Worms can carry secondary payloads such as ransomware, keyloggers, or botnet clients, amplifying their impact and facilitating large-scale attacks. Their primary hallmark is autonomous replication and distribution, making them especially dangerous in enterprise and public network environments.

In contrast, a Trojan is malware disguised as a legitimate program or file, which requires the user to execute it for infection. Trojans rely on social engineering techniques to trick users into downloading and running malicious code. While a Trojan can carry worm-like functionality as a payload, it cannot propagate independently; its installation always depends on user action.

A rootkit is designed to maintain stealth and persistence on an infected system, often by hiding files, processes, or registry entries from detection. Rootkits focus on concealing the presence of malware rather than spreading it. They typically accompany other malware to enable long-term control and evade security tools but do not propagate autonomously.

Spyware is malicious software that stealthily collects user data such as browsing habits, credentials, or personal information. Its primary objective is surveillance and data exfiltration, not infection of other systems. Spyware often relies on bundling with Trojans or other delivery mechanisms and does not spread on its own.

The correct answer is worm because it uniquely spreads automatically without requiring user interaction. Trojans depend on execution by the user, rootkits prioritize stealth, and spyware focuses on monitoring. Only worms possess the capability for self-replication and autonomous network propagation, which aligns perfectly with the scenario described.

Question 93

Which Bluetooth attack forces paired devices to reconnect, allowing attackers to capture or manipulate traffic?

A) Bluejacking
B) Bluesnarfing
C) BlueBump
D) BlueBugging

Answer: C) BlueBump

Explanation: 

BlueBump is a Bluetooth attack technique that exploits vulnerabilities in the pairing or authentication process to force a device to reconnect to an attacker-controlled system. By triggering a reconnection, the attacker can establish persistent access to the device, intercept communications, manipulate traffic, or exploit services exposed over Bluetooth. The attack leverages the trust relationships between previously paired devices, effectively hijacking sessions and gaining unauthorized control. Its distinguishing characteristic is the deliberate coercion of the target device into re-establishing a connection, which enables long-term monitoring or manipulation of Bluetooth communications.

Bluejacking, in comparison, is a relatively benign technique that involves sending unsolicited messages or business cards to nearby Bluetooth-enabled devices. It is largely a nuisance and does not intercept, manipulate, or persistently access data.

Bluesnarfing targets unauthorized data extraction from Bluetooth-enabled devices, such as contacts, messages, or calendar entries. While it does involve unauthorized access, it does not rely on forcing reconnections or session hijacking and is generally focused on passive data theft.

BlueBugging is a severe attack that grants an attacker remote control over a device, enabling call initiation, SMS sending, or contact manipulation. Although highly intrusive, BlueBugging does not specifically exploit forced reconnections and instead leverages older vulnerabilities to gain control.

The correct answer is BlueBump because it uniquely focuses on forcing paired devices to reconnect, thereby enabling persistent unauthorized access. The other attacks—Bluejacking, Bluesnarfing, and BlueBugging—may involve messaging, data theft, or control but lack the reconnection exploitation aspect that defines BlueBump.

Question 94

Which vulnerability allows attackers to escalate privileges by exploiting improperly sanitized SUID programs in Linux?

A) Buffer overflow
B) SUID misconfiguration
C) Race condition
D) Path traversal

Answer: B) SUID misconfiguration

Explanation: 

SUID misconfiguration occurs when Linux programs configured to run with elevated privileges (set-user-ID, often root) fail to properly sanitize input, validate environment variables, or restrict execution paths. SUID binaries are designed to allow users to perform tasks requiring higher privileges without granting full root access. If these programs are improperly configured or handle untrusted input insecurely, attackers can exploit them to escalate privileges and execute commands as the root user. Common issues include unsafe system() calls, writable environment variables, insecure file paths, or the ability to execute arbitrary binaries. Exploiting a misconfigured SUID binary allows attackers to bypass normal privilege restrictions while maintaining stealth and persistence on the system.

A buffer overflow is a memory corruption vulnerability that may allow privilege escalation if exploited in a privileged process. However, buffer overflows are a broad class of vulnerabilities and are not specifically tied to SUID misconfigurations.

Race conditions exploit timing issues between checks and resource access, potentially allowing privilege escalation or unauthorized actions. While race conditions can lead to elevated privileges, they do not necessarily involve SUID binaries or misconfigurations.

Path traversal vulnerabilities occur when software fails to properly validate file or directory paths, allowing attackers to access restricted locations. While dangerous, path traversal focuses on unauthorized file access rather than privilege escalation through SUID binaries.

The correct answer is SUID misconfiguration because it directly describes privilege escalation through improperly configured or unsanitized SUID programs. Buffer overflows, race conditions, and path traversal may escalate privileges or access data, but only SUID misconfiguration aligns specifically with the scenario described.
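An audit for the SUID conditions described above, as an added example (not from the page): it walks a directory tree, collects regular files with the set-user-ID or set-group-ID bit, and flags the misconfigurations a reviewer would act on, such as writable privileged binaries, setuid-root files outside the usual system directories, and world-writable parent directories. The STANDARD_DIRS list is an assumption about a typical Linux layout and should be adjusted per host.

```python
import os
import stat
import sys
from typing import List, Tuple

# Assumed directories where setuid-root binaries are normally expected on Linux.
STANDARD_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")


def assess_mode(path: str, mode: int, uid: int,
                standard_dirs: Tuple[str, ...] = STANDARD_DIRS) -> List[str]:
    """Pure check on one file's mode bits and owner; returns the findings."""
    findings: List[str] = []
    setuid = bool(mode & stat.S_ISUID)
    setgid = bool(mode & stat.S_ISGID)
    if not (setuid or setgid):
        return findings
    if mode & stat.S_IWOTH:
        findings.append("world-writable: anyone can replace the privileged code")
    elif mode & stat.S_IWGRP:
        findings.append("group-writable: group members can replace the privileged code")
    if setuid and uid == 0 and not path.startswith(standard_dirs):
        findings.append("setuid-root outside the standard system directories")
    if not mode & stat.S_IXUSR:
        findings.append("setuid/setgid bit on a non-executable file (likely leftover)")
    return findings


def parent_is_world_writable(path: str) -> bool:
    """A world-writable parent without the sticky bit lets any user rename or
    replace the binary even when the file's own permissions are tight."""
    try:
        mode = os.stat(os.path.dirname(path) or ".").st_mode
    except OSError:
        return False
    return bool(mode & stat.S_IWOTH) and not mode & stat.S_ISVTX


def find_privileged_files(root: str) -> List[Tuple[str, int, int]]:
    """Walk `root` and return (path, mode, uid) for regular files with SUID/SGID set.
    Symlinks are not followed, so only real binaries are reported."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished; skip rather than abort the audit
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, st.st_mode, st.st_uid))
    return hits


def audit(root: str) -> List[Tuple[str, List[str]]]:
    """Audit a tree and return only the privileged files that have findings."""
    report = []
    for path, mode, uid in find_privileged_files(root):
        findings = assess_mode(path, mode, uid)
        if parent_is_world_writable(path):
            findings.append("parent directory is world-writable without the sticky bit")
        if findings:
            report.append((path, findings))
    return report


if __name__ == "__main__":
    for path, findings in audit(sys.argv[1] if len(sys.argv) > 1 else "/usr"):
        print(path)
        for f in findings:
            print("   -", f)
```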

Question 95

Which attack involves intercepting and modifying communication between two parties without their knowledge?

A) Replay attack
B) Man-in-the-middle attack
C) DoS attack
D) Rainbow table attack

Answer: B) Man-in-the-middle attack

Explanation:

A man-in-the-middle (MITM) attack occurs when an attacker secretly positions themselves between two communicating parties, intercepting, monitoring, and potentially altering messages without detection. The attacker can read sensitive information, inject malicious content, manipulate transactions, or impersonate endpoints, creating the illusion of a normal communication channel. MITM attacks can exploit various techniques such as ARP spoofing, rogue Wi-Fi access points, SSL stripping, DNS poisoning, or compromised routers. The defining characteristic of MITM is real-time interception and modification, allowing attackers to actively manipulate data while remaining invisible to the legitimate participants.

A replay attack captures legitimate communications and retransmits them to gain unauthorized access or trick systems into accepting previous transactions. While it involves interception, it does not allow real-time modification or active manipulation of data, distinguishing it from MITM attacks.

A denial-of-service (DoS) attack focuses on overwhelming a target system or service to disrupt availability. It does not involve intercepting or altering communications, and its objective is purely disruption rather than manipulation or eavesdropping.

A rainbow table attack leverages precomputed hash tables to crack passwords efficiently. It is a cryptographic attack unrelated to intercepting or modifying live communications, targeting stored credentials rather than real-time data flows.

The correct answer is man-in-the-middle attack because it uniquely enables interception and modification of real-time communications between two parties. The other techniques—replay attacks, DoS, and rainbow table attacks—do not involve simultaneous interception and manipulation of ongoing communication, making them distinct from MITM attacks.

Question 96

Which technique is used to find hidden directories and files on a web server?

A) Gobuster scanning
B) Packet crafting
C) Load balancing
D) ARP poisoning

Answer: A) Gobuster scanning

Explanation: 

Gobuster is a specialized tool used for directory and file enumeration on web servers. It works by taking a wordlist containing potential directory and file names and sending HTTP requests to the target web server for each candidate path. Based on the HTTP response codes, Gobuster determines whether a directory, file, or virtual host exists. This makes it highly effective for uncovering hidden or restricted areas such as administrative panels, backup directories, configuration files, or temporary content that could be exploited if left exposed. The tool supports multithreading, allowing multiple requests to be sent concurrently, significantly increasing the speed of enumeration. Gobuster also offers various modes, including DNS subdomain discovery, which extends its capability beyond simple web path enumeration.

Packet crafting, on the other hand, refers to manually constructing network packets to test network defenses, probe for vulnerabilities, perform evasion, or exploit weaknesses. While it is a valuable technique for penetration testing, it does not involve enumerating directories or files on a web server and is unrelated to web path discovery.

Load balancing is an infrastructure technique used to distribute network or application traffic across multiple servers to optimize performance, reliability, and fault tolerance. Load balancers manage traffic flows but do not facilitate the discovery of hidden files or directories; their primary role is operational rather than reconnaissance.

ARP poisoning is a network attack method that involves sending falsified ARP messages over a local network to associate the attacker’s MAC address with the IP address of another host, typically to intercept, modify, or redirect traffic. It focuses on traffic interception at the network level and has no function related to web server file enumeration.

The correct answer is Gobuster scanning because it is explicitly designed for discovering hidden web directories and files through systematic enumeration, which is exactly the scenario described in the question. The other options, while important in network and security contexts, are unrelated to web path enumeration and would not accomplish the same reconnaissance objective.

Question 97

Which wireless security protocol uses TKIP and was introduced as a temporary enhancement over WEP?

A) WPA
B) WPA2
C) WPA3
D) EAP-TLS

Answer: A) WPA

Explanation: 

WPA, or Wi-Fi Protected Access, was introduced in response to the vulnerabilities discovered in WEP (Wired Equivalent Privacy), which relied on weak encryption and static keys that were easily exploitable. WPA implemented the Temporal Key Integrity Protocol (TKIP), which dynamically generates encryption keys for each packet, addressing WEP’s predictability issues and significantly improving data confidentiality and integrity. TKIP also includes message integrity checks to prevent packet tampering, making attacks like replay and injection more difficult. WPA was intended as a transitional protocol, allowing existing hardware to implement stronger encryption without requiring replacement of wireless infrastructure, thus bridging the gap until WPA2, which introduced AES-based CCMP encryption, became widely available.

WPA2, in contrast, replaced TKIP with CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) based on AES, providing much stronger security and data protection. While WPA2 can operate in a TKIP compatibility mode for legacy devices, it is primarily the long-term standard, not a temporary enhancement.

WPA3 represents the next generation of Wi-Fi security, introducing features such as SAE (Simultaneous Authentication of Equals) to resist offline password-guessing attacks and stronger encryption for open networks. It was designed to replace both WPA and WPA2, not serve as an interim measure.

EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) is an authentication framework for enterprise Wi-Fi networks that relies on certificate-based authentication. While highly secure, it is not an encryption protocol itself and does not serve as a transitional solution over WEP.

The correct answer is WPA because it uniquely combines TKIP with the purpose of temporarily addressing WEP weaknesses while maintaining compatibility with existing hardware. WPA2, WPA3, and EAP-TLS do not fulfill this transitional role.

Question 98

Which type of pentest engagement restricts knowledge given to testers, simulating an external attacker?

A) Black box
B) White box
C) Gray box
D) Red teaming

Answer: A) Black box

Explanation: 

Black box penetration testing is characterized by providing testers with no prior internal knowledge of the target environment. Testers approach the system entirely as an external attacker would, performing reconnaissance, scanning, enumeration, and exploitation using only publicly accessible information. This method allows organizations to evaluate the effectiveness of perimeter defenses, intrusion detection systems, and incident response mechanisms under realistic attack conditions. Because testers must discover all targets from scratch, black box testing emphasizes external security measures and the organization’s ability to prevent and detect unauthorized access.

White box testing is the opposite approach, where testers are given full access to system documentation, source code, network diagrams, and credentials. This enables a deep inspection for vulnerabilities that may not be exposed externally, including configuration weaknesses, logic flaws, and insecure coding practices. Unlike black box testing, white box testing assumes complete transparency, providing a more thorough but less realistic attack simulation.

Gray box testing is a hybrid approach that provides partial knowledge, such as user credentials, architectural diagrams, or limited system information. This simulates a scenario where an attacker has insider access or prior reconnaissance. Gray box testing balances efficiency with realism but does not fully replicate the knowledge restrictions of a pure black box test.

Red teaming is a broader adversarial simulation that tests not just technical vulnerabilities but also organizational procedures, personnel, and operational security. While red team engagements may include external attack scenarios, they often involve multi-step objectives, stealth, evasion, and goal-oriented operations, extending beyond traditional black box testing scope.

The correct answer is black box because it uniquely restricts tester knowledge entirely, simulating an external attacker without prior access. White box, gray box, and red team engagements provide varying degrees of information or different objectives and therefore do not match the description given.

Question 99

Which attack exploits predictable TCP sequence numbers to hijack a session between two hosts?

A) TCP session hijacking
B) SYN flood
C) DNS amplification
D) Slowloris

Answer: A) TCP session hijacking

Explanation: 

TCP session hijacking is a network attack technique that targets the sequence numbers used in the TCP protocol. TCP connections rely on a three-way handshake to establish a session, with each packet containing a sequence number to maintain proper ordering. If an attacker can predict or intercept these sequence numbers, they can inject malicious packets into an active session, effectively impersonating one of the communicating parties. The attacker can manipulate data, terminate the connection, or redirect communication to achieve unauthorized access or data exfiltration. This vulnerability arises from systems using predictable sequence number generation, which was more common in older TCP/IP implementations but can still pose a risk in poorly configured systems.

SYN flood attacks, by contrast, are denial-of-service techniques that overwhelm server resources by sending a high volume of SYN packets without completing the TCP handshake. The goal is to exhaust resources, not hijack active sessions.

DNS amplification attacks exploit vulnerable DNS servers by sending small queries that generate large responses directed toward a victim, amplifying traffic to overwhelm bandwidth. While disruptive, they do not involve TCP sequence prediction or session hijacking.

Slowloris attacks work by sending partial HTTP headers to a server to keep connections open indefinitely, eventually exhausting connection pools. Slowloris is a low-bandwidth DoS attack targeting HTTP connections rather than TCP session control.

TCP session hijacking is the correct answer because it specifically exploits predictable sequence numbers to take control of ongoing sessions. The other attacks target availability or traffic volume rather than session manipulation.

Question 100

Which attack involves sending numerous small HTTP requests to exhaust a target server’s connection pool?

A) Slowloris attack
B) Smurf attack
C) Ping of Death
D) UDP flood

Answer: A) Slowloris attack

Explanation: 

The Slowloris attack is a specialized denial-of-service technique that targets web servers by keeping HTTP connections open as long as possible. It achieves this by sending partial HTTP requests or incomplete headers at very slow intervals, preventing the server from closing the connection. Web servers often allocate a fixed number of threads or slots for active connections, and when Slowloris holds multiple connections open, the server eventually exhausts available threads, blocking legitimate requests. Unlike volumetric attacks, Slowloris is low-bandwidth but highly effective, particularly against thread-based architectures such as Apache, where resources are consumed per connection rather than per byte. Its unique feature is the starvation of the server’s connection pool rather than overwhelming network bandwidth.

Smurf attacks involve sending ICMP echo requests to broadcast addresses with a spoofed source IP. All devices on the broadcast network reply to the victim, creating volumetric traffic amplification. While disruptive, this attack is not HTTP-based and does not target server connection pools.

Ping of Death attacks exploit vulnerable systems by sending oversized or malformed ICMP packets, potentially causing crashes or instability. It manipulates packet size rather than connection management.

UDP floods overwhelm target systems with a high volume of UDP packets, consuming network bandwidth and server resources. While effective for resource exhaustion, it is not connection-oriented and does not rely on slow HTTP requests.

The correct answer is Slowloris because it specifically targets HTTP connections, maintaining them in a partially open state to exhaust the server’s connection pool. The other attacks operate on network-level flooding or malformed packets and do not achieve the same connection-based resource exhaustion.
