ECCouncil 312-50v13 Certified Ethical Hacker v13 Exam Dumps and Practice Test Questions Set3 Q41-60


Question 41 

Which attack exploits weak encryption in the SSL/TLS protocol to intercept communications?

A) POODLE
B) ARP spoofing
C) Cross-site scripting
D) SQL injection

Answer: A) POODLE

Explanation: 

ARP spoofing is a network-level attack in which an attacker manipulates ARP tables by sending falsified ARP responses, causing traffic to be misdirected to the attacker. While this technique enables the interception or redirection of unencrypted communications, it does not exploit weaknesses within SSL/TLS encryption itself. Instead, it targets Layer 2 communication and relies on the victim sending traffic through the attacker rather than attacking cryptographic protocols directly. 

Cross-site scripting focuses on injecting malicious scripts into vulnerable web applications, exploiting weaknesses in client-side validation or sanitization. This technique allows attackers to execute JavaScript in a user’s browser, steal cookies, hijack sessions, or manipulate user interactions. However, it has no relation to encryption standards or SSL/TLS protocol behavior, as its scope remains within browser-based script execution and web application logic flaws. 

SQL injection manipulates database queries through improperly sanitized input fields, enabling attackers to retrieve or alter sensitive database content. This type of attack undermines server-side logic and database security but does not interact with SSL/TLS negotiation or padding mechanisms. SQL injection attacks occur at the application layer and are unrelated to encrypted communications at the transport layer. 

POODLE (Padding Oracle On Downgraded Legacy Encryption), however, targets a cryptographic weakness in SSL 3.0's CBC mode: the receiver checks only the final pad-length byte of a record and ignores the contents of the padding, and because SSL 3.0 applies the MAC before encryption the padding is not authenticated at all. An adversary in the middle first forces a downgrade to SSL 3.0 (clients of the time retried a failed handshake with older protocol versions) and then, using script running in the victim's browser to issue many requests with attacker-chosen lengths, copies the ciphertext block containing a target byte into the final, all-padding position of the record. The server accepts the record only when the last decrypted byte happens to equal the expected pad length, which occurs with probability 1/256 and reveals one byte of plaintext; roughly 256 requests per byte therefore suffice to recover a session cookie. The same padding-check flaw was later found in several TLS implementations (the POODLE-TLS variant). POODLE is the correct answer because it directly exploits a structural flaw in legacy SSL/TLS encryption, and it shows why obsolete protocol versions must be disabled outright and downgrade protection such as TLS_FALLBACK_SCSV (RFC 7507) enforced, rather than trusting clients to negotiate the strongest version available.
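The padding-oracle step described above, as an added worked example constructed for this page (not code from the original page or from any vendor): a simulated SSL 3.0 record layer in which only the pad-length byte is checked, with a toy 8-byte Feistel block cipher standing in for 3DES so that it runs offline, and the man-in-the-middle's byte-recovery loop. The cookie value, the keys, and the victim_send/server_accepts functions are assumptions made for the demonstration.

```python
import hashlib
import os

BLOCK = 8  # toy block size; SSL 3.0 with 3DES uses 8, with AES 16 (same attack, same 1/256 odds)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel cipher: a constructed stand-in for the real block cipher."""
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        out.append(_xor(block_decrypt(key, data[i:i + BLOCK]), prev))
        prev = data[i:i + BLOCK]
    return b"".join(out)


def ssl3_seal(key: bytes, mac_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """SSL 3.0 style record: payload || MAC || padding. Only the final pad-length
    byte is specified; the other padding bytes are arbitrary (this is the flaw)."""
    mac = hashlib.sha256(mac_key + payload).digest()[:BLOCK]
    body = payload + mac
    n = BLOCK - 1 - len(body) % BLOCK        # pad length < BLOCK; a full padding block when body is aligned
    return cbc_encrypt(key, iv, body + os.urandom(n) + bytes([n]))


def ssl3_open(key: bytes, mac_key: bytes, iv: bytes, record: bytes) -> bool:
    """Server-side check; True when the record is accepted."""
    pt = cbc_decrypt(key, iv, record)
    n = pt[-1]
    if n >= BLOCK:
        return False
    body = pt[:len(pt) - n - 1]               # strip padding without inspecting its contents
    payload, mac = body[:-BLOCK], body[-BLOCK:]
    return hashlib.sha256(mac_key + payload).digest()[:BLOCK] == mac


SECRET = b"sid=7f3a"                            # constructed session cookie the attacker wants
KEY, MAC_KEY = os.urandom(16), os.urandom(16)   # known only to browser and server


def victim_send(prefix_len: int, suffix_len: int):
    """Browser coerced by attacker JavaScript: sends prefix || cookie || suffix with
    attacker-chosen lengths, under a fresh IV each time."""
    iv = os.urandom(BLOCK)
    payload = b"A" * prefix_len + SECRET + b"B" * suffix_len
    return iv, ssl3_seal(KEY, MAC_KEY, iv, payload)


def server_accepts(iv: bytes, record: bytes) -> bool:
    return ssl3_open(KEY, MAC_KEY, iv, record)


def poodle_recover(secret_len: int, max_tries: int = 50_000) -> bytes:
    """Man-in-the-middle: move the ciphertext block holding the target byte into the
    all-padding last position. The server accepts only when its last decrypted byte
    equals BLOCK-1, and each acceptance leaks one plaintext byte."""
    recovered = bytearray()
    for j in range(secret_len):
        p = (BLOCK - 1 - j) % BLOCK             # align secret byte j with the end of a block
        s = (-(p + secret_len)) % BLOCK         # block-align payload||MAC so the final block is pure padding
        t = (p + j) // BLOCK                    # index of the plaintext block holding the target byte
        for _ in range(max_tries):
            iv, rec = victim_send(p, s)
            blocks = [iv] + [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]
            forged = rec[:-BLOCK] + blocks[t + 1]           # C_t replaces the padding block
            if server_accepts(iv, forged):
                # D(C_t)[-1] ^ C_{n-2}[-1] == BLOCK-1  and  P_t[-1] == D(C_t)[-1] ^ C_{t-1}[-1]
                recovered.append((BLOCK - 1) ^ blocks[-2][-1] ^ blocks[t][-1])
                break
        else:
            raise RuntimeError("oracle never accepted; raise max_tries")
    return bytes(recovered)


if __name__ == "__main__":
    print(poodle_recover(len(SECRET)))          # b'sid=7f3a'
```

Each recovered byte costs about 256 coerced requests on average, matching the 1/256 acceptance probability; against real SSL 3.0 the same loop applies with 3DES (8-byte blocks, pad byte 7) or AES (16-byte blocks, pad byte 15).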

Question 42 

Which type of attack attempts to overwhelm the DNS infrastructure to prevent domain name resolution?

A) DNS amplification
B) Cross-site request forgery
C) SQL injection
D) Phishing

Answer: A) DNS amplification

Explanation: 

Cross-site request forgery works by tricking authenticated users into performing unintended actions on web applications. It exploits trust relationships between a browser and a server, relying on the victim’s authenticated session to send unauthorized requests. This attack does not impact DNS systems or attempt to overload network infrastructure. It operates at the application layer rather than at the network or DNS level, and therefore has no mechanism to disrupt domain name resolution services.

SQL injection manipulates database queries to extract or alter data, exploiting poorly sanitized inputs to interfere with database logic. This attack affects the backend of web applications but is not designed to target DNS functionality or flood DNS servers. SQL injection remains confined to database operations and does not engage in generating excessive network traffic aimed at disrupting resolution services.

Phishing is a social engineering technique crafted to deceive users into divulging sensitive data. It relies on fraudulent messages that imitate trustworthy entities. Even though phishing may involve malicious links or domains, it does not inherently interfere with DNS availability or generate traffic intended to incapacitate DNS infrastructure. Its purpose is to manipulate users rather than network systems.

DNS amplification is a reflection attack that leverages the design of DNS, where a small query can elicit a much larger response (queries for large record sets or for DNSSEC-signed zones return answers many times the size of the request). The attacker spoofs the victim's IP address as the source and sends a high rate of such queries to open recursive resolvers; each resolver dutifully returns its large answer to the victim, which never asked for it. The amplification factor lets an attacker turn modest upstream bandwidth into a flood that saturates the victim's links, and when the target is a DNS server, or the resolvers being abused as reflectors are themselves overwhelmed, clients can no longer resolve names. Of the four options it is the only one that abuses DNS infrastructure and generates volumetric traffic, so it is the correct answer. The defences are ingress filtering so that spoofed packets cannot leave their origin network (BCP 38), not operating open resolvers, and response rate limiting on authoritative servers.

Question 43 

Which type of malware records keystrokes to steal sensitive information?

A) Rootkit
B) Keylogger
C) Trojan
D) Worm

Answer: B) Keylogger

Explanation: 

A rootkit focuses on concealment and persistence within a compromised system. Its primary purpose is to hide malware processes, files, or system modifications from detection tools. Although a rootkit may facilitate the installation of other malicious programs, including those capable of keylogging, it is not inherently designed to record keystrokes. Instead, its emphasis lies in evading detection by embedding itself deeply into system-level functions. 

A keylogger is specifically crafted to capture keyboard input from the user. It logs keystrokes and sends them back to the attacker, enabling the theft of confidential information such as passwords, banking details, and personal data. Keyloggers may be deployed as standalone malware, components of larger malware packages, or even hardware devices connected between a keyboard and a computer. They operate silently and stealthily, often without user awareness, making them highly effective in credential theft campaigns.

A Trojan hides malicious intent behind the façade of legitimate software. Its defining trait is deception: users unwittingly execute it believing it to be harmless. While some Trojans may include keylogging functions, this capability is not universal. Trojans can carry various payloads, such as backdoors, ransomware, or spyware. Thus, while related, Trojans are a broader category, not specifically dedicated to recording keystrokes. 

A worm is a self-replicating malware that spreads automatically across networks. Its objective is rapid propagation rather than data capture. Worms may cause network congestion or install additional payloads, but they are not inherently designed to monitor user input. 

Keylogger is therefore the correct answer because it directly aligns with the behavior described in the question. Its primary role is to record keystrokes, making it a targeted tool for capturing sensitive information and enabling unauthorized access to user accounts and personal data.

Question 44 

Which social engineering attack involves impersonating someone with authority to extract information?

A) Baiting
B) Pretexting
C) Phishing
D) Shoulder surfing

Answer: B) Pretexting

Explanation: 

Baiting entices victims by offering something misleadingly attractive, such as free software downloads or physical media like USB drives that contain malware. The attack depends on the victim’s desire for the offered item rather than manipulation through authority. Baiting does not require impersonation or fabrication of identity to coerce information disclosure.

Pretexting involves crafting an elaborate, believable scenario to manipulate individuals into sharing sensitive information. The attacker often impersonates authority figures such as IT staff, financial officers, law enforcement, or organizational supervisors. The strength of pretexting lies in exploiting trust relationships and human psychology. By presenting a fabricated persona that appears credible and authoritative, the attacker convinces targets to comply with requests that they would otherwise question.

Phishing uses fraudulent emails, messages, or websites to trick victims into revealing sensitive data. Although phishing messages may sometimes impersonate legitimate organizations, they do not typically involve detailed, interactive scenarios or personalized impersonation associated with pretexting. Phishing is usually broad and automated, whereas pretexting is targeted and highly interactive.

Shoulder surfing is a physical technique in which an attacker observes someone entering sensitive information, such as PINs, passwords, or personal data. This tactic relies on visual observation rather than impersonation, communication, or psychological manipulation.

Pretexting is correct because it specifically relies on impersonating someone with legitimate authority to persuade victims into voluntarily disclosing sensitive information, making it a strategic and psychologically driven social engineering method.

Question 45 

Which type of penetration test simulates an insider threat with full knowledge of the system?

A) Black-box
B) Gray-box
C) White-box
D) Red-team

Answer: C) White-box

Explanation: 

Black-box testing mirrors the perspective of an external attacker who has no prior knowledge of the system. Testers know nothing about internal structures and must rely solely on publicly available information, reconnaissance, and probing. This approach evaluates how well external defenses withstand unknown adversaries but does not simulate insider threats or knowledgeable attackers.

Gray-box testing gives testers partial knowledge, such as user credentials or limited architectural diagrams. This approach simulates a semi-insider with some access but not full system understanding. Although it offers deeper insight than black-box testing, it still does not grant complete visibility into system internals.

White-box testing provides full access to internal documentation, source code, architecture diagrams, configurations, and credentials. This level of insight mirrors the capabilities of an insider who has full privileges and detailed system knowledge. The objective is to uncover vulnerabilities that may not be externally visible and assess how an attacker with internal knowledge could exploit weaknesses.

Red-team exercises are broader simulations involving advanced adversaries attempting to achieve objectives such as data exfiltration or operational disruption. While red teams may sometimes have partial or full knowledge, their purpose is different: they simulate real-world threat actors using stealth, persistence, and creativity. Red-team testing does not guarantee complete knowledge as white-box testing does.

White-box is therefore correct because it explicitly simulates a fully informed insider threat, enabling comprehensive evaluation of vulnerabilities from an internal perspective.

Question 46 

Which type of vulnerability allows attackers to read files outside the intended directory structure?

A) Cross-site scripting
B) Directory traversal
C) SQL injection
D) Man-in-the-middle

Answer: B) Directory traversal

Explanation: 

Cross-site scripting focuses on injecting malicious scripts into webpages to attack users’ browsers. It manipulates client-side execution rather than interacting with server file systems. Attackers aim to steal cookies, manipulate sessions, or alter webpage behavior but cannot inherently access files outside directory boundaries through this technique. 

Directory traversal (also called path traversal) exploits insufficient validation of user-supplied file names: the attacker embeds sequences such as ../ or ..\, or their URL-encoded forms (%2e%2e%2f and double-encoded variants), so that the path the application builds resolves outside the directory it intended to serve from. This lets an attacker read sensitive files such as /etc/passwd, application configuration and environment files, or logs. The flaw results from concatenating untrusted input into a path without canonicalising the result and checking that it still lies under the permitted root; merely blocklisting the literal string ../ is not sufficient. 

SQL injection attacks database queries by injecting malicious SQL statements. While attackers may extract sensitive data from the database, SQL injection does not provide direct access to server-level file structures outside the database environment. The attack operates within database logic rather than operating system directories. 

Man-in-the-middle attacks intercept communications between two parties. They can manipulate or observe transmitted data but do not inherently grant access to local filesystem structures. 

Directory traversal is correct because it directly allows bypassing directory restrictions and reading unauthorized files by manipulating file paths, posing significant security risks to servers.
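The vulnerable pattern beside its hardened form, as an added example constructed for this page (not code from the original): resolve_unsafe concatenates the decoded user path, resolve_safe canonicalises and refuses anything that leaves the root. The throwaway directory tree, file names and request strings in demo() are constructed test data.

```python
import os
import tempfile
from urllib.parse import unquote


def _inside(root: str, path: str) -> bool:
    """True if the canonical form of `path` lies under the canonical `root`."""
    root, path = os.path.realpath(root), os.path.realpath(path)
    try:
        return os.path.commonpath([root, path]) == root
    except ValueError:          # different drives on Windows: certainly not inside
        return False


def resolve_unsafe(webroot: str, user_path: str) -> str:
    """Vulnerable pattern: decode, concatenate, trust the result."""
    return os.path.join(webroot, unquote(user_path))


def resolve_safe(webroot: str, user_path: str) -> str:
    """Hardened pattern: decode, canonicalise, then refuse anything outside the root.
    os.path.join discards `webroot` entirely when user_path is absolute, which is
    why the containment check is made on the canonical result, not on the input."""
    candidate = os.path.realpath(os.path.join(webroot, unquote(user_path)))
    if not _inside(webroot, candidate):
        raise PermissionError(f"{user_path!r} resolves outside {webroot}")
    return candidate


def demo() -> dict:
    """Constructed tree: webroot/index.html is public, ../secret.txt next to the webroot is not."""
    tmp = tempfile.mkdtemp()
    webroot = os.path.join(tmp, "www")
    os.mkdir(webroot)
    with open(os.path.join(webroot, "index.html"), "w") as f:
        f.write("<h1>hello</h1>")
    with open(os.path.join(tmp, "secret.txt"), "w") as f:
        f.write("db_password=hunter2")

    results = {}
    for req in ("index.html", "../secret.txt", "..%2Fsecret.txt", "/etc/passwd"):
        unsafe = resolve_unsafe(webroot, req)
        entry = {"unsafe_inside": _inside(webroot, unsafe)}
        if unsafe.endswith("secret.txt"):        # what the vulnerable handler would serve
            with open(unsafe) as f:
                entry["unsafe_read"] = f.read()
        try:
            resolve_safe(webroot, req)
            entry["safe_allowed"] = True
        except PermissionError:
            entry["safe_allowed"] = False
        results[req] = entry
    return results


if __name__ == "__main__":
    for req, entry in demo().items():
        print(f"{req:18} {entry}")
```

The encoded request ..%2Fsecret.txt escapes exactly like the plain one once the framework has URL-decoded it, which is why the check must run on the decoded, canonical path; an absolute path is rejected because realpath exposes that it never entered the root at all.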

Question 47 

Which method is used to detect vulnerabilities in a system using authorized credentials?

A) Credentialed scanning
B) Non-credentialed scanning
C) Passive scanning
D) Port scanning

Answer: A) Credentialed scanning

Explanation: 

Non-credentialed scanning evaluates systems from an external perspective without using login credentials. It identifies vulnerabilities that are visible to outsiders but cannot inspect internal settings, configurations, or patch levels. This limitation means many internal flaws remain undetected.

Passive scanning observes network traffic without actively sending packets. This technique identifies systems, open services, and software versions by monitoring existing network activity, but it does not authenticate into systems or test privileged areas. Its non-intrusive nature makes it safe but limited.

Port scanning detects open ports, running services, and potential entry points. However, it does not authenticate or evaluate internal security. It identifies surface-level exposure rather than internal vulnerabilities.

Credentialed scanning uses valid credentials to log into systems and conduct in-depth analysis. This method assesses patch levels, security configurations, installed software versions, privilege assignments, and system hardening. Because it operates with authorized access, it uncovers vulnerabilities not visible from the outside, providing a comprehensive picture of system health.

Credentialed scanning is the correct answer because it thoroughly evaluates vulnerabilities accessible to authenticated users and identifies deeper misconfigurations that external scans cannot detect.

Question 48 

Which malware type hides within legitimate files and executes when the host file is run?

A) Worm
B) Trojan
C) Rootkit
D) Spyware

Answer: B) Trojan

Explanation: 

A worm self-replicates autonomously across networks without requiring user interaction. It spreads rapidly by exploiting weaknesses in communication protocols or operating systems. Worms do not disguise themselves as legitimate files, nor do they rely on a user launching a host application to activate.

A Trojan disguises itself as a legitimate or desirable file or program to deceive users. When the user runs the host program, the malicious payload executes. This deception-based technique allows Trojans to bypass initial suspicion and gain access to systems. They often appear harmless while executing harmful actions such as installing backdoors, keyloggers, or data exfiltration mechanisms.

A rootkit focuses on hiding malicious activity by modifying system processes, kernel modules, or security tools. It conceals files and processes but does not necessarily hide within legitimate files for initial execution. Its primary function is stealth and persistence, not deception at launch time.

Spyware monitors user activities, collects data, and sends it to attackers. Although some spyware may be disguised, it is not defined by embedding itself inside host files. Its core purpose is surveillance rather than camouflage for execution.

The Trojan is correct because it specifically relies on appearing to be legitimate software and activating its payload when the user runs the infected host file.

Question 49 

Which type of attack floods a network with ICMP Echo Request packets to exhaust resources?

A) DDoS
B) Smurf attack
C) Man-in-the-middle
D) ARP poisoning

Answer: B) Smurf attack

Explanation: 

DDoS is a broad category of distributed denial-of-service attacks that overwhelm a target using multiple sources. It may use any protocol, including TCP, UDP, or ICMP. However, not all DDoS attacks use ICMP or involve amplification. Therefore, although a Smurf attack is a type of DDoS, the general term does not specifically match the ICMP-based flooding described.

A Smurf attack sends ICMP Echo Requests to a network's broadcast address with the source address spoofed to the victim's IP. Every host on that segment replies to the victim, so a single request yields as many replies as there are hosts, and a steady stream of requests produces an ICMP flood that exhausts the victim's bandwidth and processing capacity. This reflection and amplification make it far more effective than a direct ICMP flood from the attacker alone. The attack is now largely historical: routers drop IP-directed broadcasts by default (RFC 2644), and hosts can be configured to ignore echo requests sent to broadcast addresses.

Man-in-the-middle attacks intercept communications but do not generate large volumes of traffic. They focus on stealth rather than overwhelming network infrastructure.

ARP poisoning manipulates ARP tables to redirect traffic. Although it enables interception and tampering, it does not produce ICMP flooding or denial-of-service through resource exhaustion.

The Smurf attack is correct because it specifically floods a network using amplified ICMP Echo Requests, matching the description in the question.

Question 50 

Which cryptographic technique ensures data integrity but not confidentiality?

A) Symmetric encryption
B) Hashing
C) Asymmetric encryption
D) Digital signature

Answer: B) Hashing

Explanation: 

Symmetric encryption uses a shared secret key to encrypt and decrypt data. Its purpose is to ensure confidentiality by preventing unauthorized users from reading the data. While symmetric encryption may indirectly support integrity through modes like authenticated encryption, confidentiality remains its core function.

Hashing transforms input data into a fixed-size digest. The output is deterministic, and any change to the input produces a completely different digest, which makes hashing ideal for verifying data integrity. Since a cryptographic hash is a one-way function, the digest cannot be turned back into the original message, but that is not confidentiality: the message itself travels in the clear alongside the digest, and a hash of a guessable value such as a PIN or a weak password can be reversed simply by hashing candidates until one matches. Two practical caveats follow. An unkeyed hash only detects accidental corruption, because an attacker who can replace the message can recompute and replace the digest too; integrity against an active adversary requires a keyed construction such as HMAC, or a signature. And a hash is never a substitute for encryption when the data must be kept secret. 

Asymmetric encryption uses public and private key pairs to protect data confidentiality or support key exchange. When data is encrypted with the recipient’s public key, only the corresponding private key can decrypt it, ensuring secrecy. While asymmetric cryptography can support integrity when paired with hashing or signatures, confidentiality remains a primary function. 

Digital signatures combine hashing and asymmetric encryption to provide integrity, authentication, and non-repudiation. They do more than simply ensure integrity; they also verify the signer’s identity. 

Hashing is the correct answer because its primary focus is verifying data integrity without providing any confidentiality mechanism.
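An added example constructed for this page (not code from the original) that makes the integrity-versus-confidentiality distinction concrete: an unkeyed SHA-256 digest catches a flipped bit but is trivially recomputed by an on-path attacker, an HMAC over the same message is not, and a digest of a low-entropy value gives the value away. The message, the PIN and the key are constructed sample data.

```python
import hashlib
import hmac
import secrets


def digest(msg: bytes) -> str:
    """Unkeyed SHA-256: fixed size, deterministic, one-way."""
    return hashlib.sha256(msg).hexdigest()


def tag(key: bytes, msg: bytes) -> str:
    """HMAC-SHA256: the same integrity check, but only a key holder can produce it."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_plain(msg: bytes, d: str) -> bool:
    return hmac.compare_digest(digest(msg), d)


def verify_keyed(key: bytes, msg: bytes, t: str) -> bool:
    return hmac.compare_digest(tag(key, msg), t)


def attacker_rewrites(new_msg: bytes):
    """On-path attacker: anyone can recompute an unkeyed hash, so the message
    and its digest are simply replaced together."""
    return new_msg, digest(new_msg)


def recover_from_hash(d: str, candidates):
    """A hash hides nothing when the input is guessable: dictionary attack."""
    for c in candidates:
        if digest(c) == d:
            return c
    return None


def demo() -> dict:
    key = secrets.token_bytes(32)                   # shared by sender and receiver only
    original = b"transfer 100 to alice"
    genuine_tag = tag(key, original)
    forged, forged_digest = attacker_rewrites(b"transfer 100 to mallory")
    pin = b"4821"                                   # constructed low-entropy secret
    return {
        "plain_hash_detects_bitflip": not verify_plain(b"transfer 101 to alice", digest(original)),
        "plain_hash_accepts_forgery": verify_plain(forged, forged_digest),
        "hmac_accepts_genuine": verify_keyed(key, original, genuine_tag),
        "hmac_accepts_forgery": verify_keyed(key, forged, genuine_tag),   # attacker cannot mint a tag
        "pin_recovered_from_hash": recover_from_hash(
            digest(pin), (f"{i:04d}".encode() for i in range(10_000))),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:28} {v!r}")
```

The forgery is accepted under the plain hash and rejected under HMAC, and the four-digit PIN falls to at most ten thousand hash evaluations: hashing gives integrity against noise, a key gives integrity against an adversary, and neither gives secrecy.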

Question 51 

Which attack exploits vulnerabilities in session management to impersonate a user?

A) Session hijacking
B) Phishing
C) SQL injection
D) ARP spoofing

Answer: A) Session hijacking

Explanation: 

Session hijacking is a technique used by attackers to take advantage of weaknesses in web session management mechanisms, specifically session tokens or cookies, to impersonate an authenticated user. Web applications rely heavily on session identifiers to maintain state, and if these identifiers are predictable, exposed, or insufficiently protected, an attacker can capture or guess them and assume the identity of the victim. This unauthorized use of valid session tokens allows the attacker to bypass authentication entirely, granting them access to sensitive data, functions, or accounts. Since session tokens are often stored in cookies, URL parameters, or headers, improper handling of these elements can make systems vulnerable. Attackers may capture tokens using network sniffing, Cross-site scripting payloads, or insecure connections, making robust session hardening essential.

Phishing, by contrast, relies on social engineering to trick users into voluntarily revealing sensitive personal information such as passwords, credit card numbers, or account details. While phishing can lead indirectly to account compromise, it does not exploit session identifiers themselves, nor does it manipulate or capture session tokens as part of its operation. Instead, phishing attempts focus on deception and user manipulation rather than technical weaknesses in session state mechanisms.

SQL injection is an attack where malicious SQL statements are inserted into application inputs to manipulate backend database operations. It allows attackers to retrieve, modify, or delete data and may even lead to full database control. However, SQL injection does not interact with session tokens nor attempts to impersonate users via session manipulation. Its target is database query execution, not session control or identity spoofing.

ARP spoofing focuses on local network traffic interception by falsifying ARP messages, enabling attackers to reroute traffic through their device. While this may facilitate session token theft in some situations, ARP spoofing does not directly exploit weaknesses in session management. Its primary impact is network-level interception, not web application session takeover.

Session hijacking is the correct choice because it specifically revolves around taking over an active session by compromising session identifiers. It exploits flaws in session creation, storage, transmission, or expiration and enables attackers to impersonate authorized users seamlessly. This direct manipulation of session tokens is what makes session hijacking fundamentally different from the other listed attacks.
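An added example constructed for this page (not code from the original) showing the "predictable identifier" failure and the server-side controls that close it: a token derived from login time and user id is guessed by enumerating a time window, while a 256-bit random token must be stolen rather than guessed, and the session store rotates the id after authentication and expires idle sessions. The weak_token scheme, the SessionStore class and the cookie header are constructed for the demonstration; the Set-Cookie attributes (Secure, HttpOnly, SameSite) are the standard ones.

```python
import hashlib
import secrets
import time


def weak_token(login_time: int, user_id: int) -> str:
    """Constructed weak scheme: derived from values an attacker can know or narrow down."""
    return hashlib.md5(f"{login_time}:{user_id}".encode()).hexdigest()


def strong_token() -> str:
    """256 bits from the OS CSPRNG: cannot be guessed, so it has to be captured instead."""
    return secrets.token_urlsafe(32)


def hijack_by_guessing(user_id: int, approx_login: int, window: int = 900) -> dict:
    """Attacker who knows the victim logged in at roughly approx_login enumerates the window."""
    return {weak_token(approx_login + d, user_id): approx_login + d
            for d in range(-window, window + 1)}


class SessionStore:
    """Server side: opaque random ids, idle timeout, and a fresh id on privilege
    change (defeats session fixation, where the attacker plants the id in advance)."""

    def __init__(self, idle_seconds: int = 1800, now=time.time):
        self.sessions, self.idle, self.now = {}, idle_seconds, now

    def create(self, user_id: int) -> str:
        sid = strong_token()
        self.sessions[sid] = {"user": user_id, "last": self.now()}
        return sid

    def lookup(self, presented: str):
        s = self.sessions.get(presented)
        if s is None:
            return None
        if self.now() - s["last"] > self.idle:
            del self.sessions[presented]
            return None
        s["last"] = self.now()
        return s["user"]

    def rotate(self, old_sid: str) -> str:
        user = self.sessions.pop(old_sid)["user"]
        return self.create(user)


def set_cookie_header(sid: str) -> str:
    return f"Set-Cookie: session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


def demo() -> dict:
    victim_login = 1_700_000_000
    victim_sid = weak_token(victim_login + 137, user_id=42)   # attacker's estimate is ~2 min off
    guesses = hijack_by_guessing(42, victim_login)

    clock = [0.0]                                              # injectable clock for the store
    store = SessionStore(idle_seconds=60, now=lambda: clock[0])
    sid = store.create(42)
    rotated = store.rotate(sid)                                # e.g. right after login
    clock[0] = 61
    return {
        "weak_guessed": victim_sid in guesses,
        "guesses_needed_at_most": len(guesses),
        "old_sid_valid_after_rotate": store.lookup(sid) is not None,
        "expired_after_idle": store.lookup(rotated) is None,
        "cookie": set_cookie_header(rotated),
    }


if __name__ == "__main__":
    print(demo())
```

Fewer than two thousand guesses recover the weak token, against 2^256 possibilities for the random one. Secure keeps the cookie off plaintext HTTP, HttpOnly keeps it away from injected script, and SameSite limits cross-site sending; none of these help if the id itself is guessable.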

Question 52 

Which scanning technique efficiently identifies which hosts on a network are live?

A) Ping sweep
B) Port scan
C) Vulnerability scan
D) Packet sniffing

Answer: A) Ping sweep

Explanation: 

A ping sweep is a reconnaissance technique used to determine which hosts are active across a range of IP addresses. The method sends ICMP Echo Request packets to each address and waits for Echo Replies; a reply indicates that the corresponding host is online and reachable. It is efficient for quickly identifying live systems across large networks because it requires only one small exchange per address, and it determines host availability only, not open ports or vulnerabilities. Security professionals use ping sweeps in the initial stage of network mapping to form a basic picture of active devices before running more detailed scans. In practice ICMP is frequently filtered at the perimeter, so discovery tools such as nmap -sn combine the echo request with TCP SYN and ACK probes to common ports and, on the local segment, with ARP requests, which hosts cannot ignore.

Port scanning, on the other hand, is designed to identify open, closed, or filtered ports on a specific host. While there are techniques that allow scanning of multiple hosts, port scanning generally involves a more time-consuming and detailed evaluation of individual machines. It helps detect available services but does not efficiently determine host availability across a large network. Therefore, it is typically used after a ping sweep identifies which hosts are alive.

Vulnerability scanning is more complex and in-depth, focusing on identifying known security weaknesses in systems. These tools analyze services, software versions, patch levels, and configuration issues. They require prior knowledge of active hosts and therefore rely on earlier scanning methods like ping sweeps or port scans. Their purpose extends well beyond host identification, making them unsuitable for rapid enumeration across a broad address space.

Packet sniffing captures and analyzes network traffic passively. Instead of actively probing the network, it listens for existing traffic patterns. While useful for analyzing protocols, detecting anomalies, or recovering information, packet sniffing does not determine host availability or identify open ports.

Ping sweep is correct because it is specifically designed to discover which hosts are up across a network in an efficient and scalable way, providing the foundation for deeper work such as port and vulnerability scanning. Note the distinction the question turns on: a ping sweep reports reachability, not ports. Enumerating open ports across many hosts is a port scan run against the whole range (for example nmap -p 1-1024 against a CIDR block), normally performed after the sweep has reduced the range to live hosts.
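The two stages in sequence, as an added example constructed for this page (not code from the original): host discovery over a list of addresses, then a parallel full-connect port scan of each live host. ICMP echo requires raw-socket privilege, so the discovery step here uses the TCP probe variant that nmap -sn also falls back to: an open port or an active refusal (a RST, seen as ECONNREFUSED) both prove the host is up, whereas a timeout proves nothing. The loopback listener is a constructed target so the block runs offline.

```python
import errno
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def start_listener(host: str = "127.0.0.1"):
    """Constructed target: a throwaway TCP service on an ephemeral loopback port."""
    srv = socket.socket()
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:              # listener closed
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def probe(host: str, port: int, timeout: float = 0.3) -> int:
    """Full TCP connect: 0 on success, otherwise an errno (what nc -z and nmap -sT rely on)."""
    with socket.socket() as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port))


def host_is_alive(host: str, probe_ports=(80, 443, 22)) -> bool:
    """Discovery step: any answer at all, open or refused, means the host is up."""
    return any(probe(host, p) in (0, errno.ECONNREFUSED) for p in probe_ports)


def ping_sweep(hosts) -> list:
    return [h for h in hosts if host_is_alive(h)]


def connect_scan(host: str, ports, workers: int = 64) -> list:
    """Port scan of one host, parallelised; run only against hosts the sweep found."""
    ports = list(ports)
    with ThreadPoolExecutor(workers) as pool:
        states = list(pool.map(lambda p: probe(host, p) == 0, ports))
    return sorted(p for p, is_open in zip(ports, states) if is_open)


if __name__ == "__main__":
    srv, port = start_listener()
    live = ping_sweep(["127.0.0.1"])
    for h in live:
        print(h, "open:", connect_scan(h, range(port - 10, port + 10)))
    srv.close()
```

Against a /24 the sweep costs at most three short probes per address, while the scan costs one connection per port per live host, which is why the order matters. A SYN scan (nmap -sS) would avoid completing the handshake, but needs raw sockets as well.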

Question 53 

Which wireless attack targets the WPS PIN to gain unauthorized access?

A) WEP cracking
B) WPA2 handshake attack
C) WPS brute-force
D) Evil twin

Answer: C) WPS brute-force

Explanation:

A WPS brute-force attack exploits the design of Wi-Fi Protected Setup's external-registrar PIN method by systematically guessing the eight-digit PIN used to enrol new devices. WPS was introduced to simplify joining a network, but its PIN exchange leaks information: the access point's response to message M4 reveals whether the first four digits were correct, and its response to M6 whether the remaining digits were, so the two halves can be attacked independently; in addition, the eighth digit is a checksum of the first seven. This reduces the search from 10^8 combinations to at most 10,000 + 1,000 = 11,000 attempts, which tools such as Reaver complete in a matter of hours against an access point with no lockout. Once the PIN is known, the access point hands over the WPA/WPA2 PSK, so the attacker gains access without attacking the primary Wi-Fi encryption at all. The practical mitigation is to disable WPS, or at least its PIN method, rather than relying on the lockout some firmware applies after repeated failures.

WEP cracking, in contrast, targets the weaknesses in the original WEP encryption protocol. WEP uses RC4 with static keys, and due to flaws in key scheduling and packet initialization vectors, attackers can capture enough packets and mathematically recover the key. However, WEP cracking does not interact with the WPS system or its PIN validation process.

A WPA2 handshake attack requires capturing the four-way handshake during authentication, usually by forcing a device to reconnect. Attackers then perform offline dictionary or brute-force attacks against the captured handshake to guess the Wi-Fi password. This method targets password strength rather than WPS functionality and does not exploit the WPS PIN mechanism.

An evil twin attack involves setting up a rogue access point with the same SSID as a legitimate network to trick users into connecting. Although effective for credential theft and traffic interception, it does not exploit WPS nor does it involve brute-forcing PINs.

WPS brute-force is correct because it directly exploits the design flaws of the WPS PIN system. It allows attackers to bypass strong WPA2 encryption by targeting an inherently weaker authentication mechanism.
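An added example constructed for this page (not code from the original, from Reaver, or from any vendor firmware) that shows why the attack is feasible: the checksum-digit calculation from the WPS specification, a simulated registrar that answers in two stages the way the protocol does, and the split brute force that needs at most 11,000 attempts. The AccessPoint class and the PINs used are assumptions made for the demonstration.

```python
import random


def wps_checksum(first7: int) -> int:
    """Checksum digit of a WPS PIN, computed over the first seven digits
    (the algorithm from the WPS specification, as also implemented in Reaver)."""
    acc, n = 0, first7
    while n:
        acc += 3 * (n % 10)
        n //= 10
        acc += n % 10
        n //= 10
    return (10 - acc % 10) % 10


def is_valid_pin(pin: int) -> bool:
    return 0 <= pin < 10**8 and pin % 10 == wps_checksum(pin // 10)


def random_valid_pin() -> int:
    first7 = random.randrange(10**7)
    return first7 * 10 + wps_checksum(first7)


class AccessPoint:
    """Constructed model of a WPS registrar with no lockout. The protocol reveals
    after message M4 whether the first four digits were right and after M6 whether
    the last four were, so the halves can be attacked independently."""

    def __init__(self, pin: int):
        assert is_valid_pin(pin)
        self.first, self.second = divmod(pin, 10_000)
        self.attempts = 0

    def try_pin(self, first4: int, second4: int) -> str:
        self.attempts += 1
        if first4 != self.first:
            return "EAP-NACK after M4"
        if second4 != self.second:
            return "EAP-NACK after M6"
        return "M7 (WPA PSK delivered)"


def brute_force(ap: AccessPoint) -> int:
    """Worst case 10,000 + 1,000 = 11,000 attempts instead of 10^8 (or 10^7 with the checksum)."""
    for first4 in range(10_000):
        if ap.try_pin(first4, 0) != "EAP-NACK after M4":
            break                        # first half confirmed; second half unknown
    else:
        raise RuntimeError("first half not found")
    for last3 in range(1_000):           # only three free digits remain; the eighth is the checksum
        second4 = last3 * 10 + wps_checksum(first4 * 1_000 + last3)
        if ap.try_pin(first4, second4).startswith("M7"):
            return first4 * 10_000 + second4
    raise RuntimeError("second half not found")


if __name__ == "__main__":
    ap = AccessPoint(random_valid_pin())
    print(f"PIN {brute_force(ap):08d} after {ap.attempts} attempts")
```

Against an access point that locks WPS after a few failures the loop stalls, which is why rate limiting was the stopgap vendors shipped; disabling the PIN method removes the oracle entirely.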

Question 54 

Which network tool can transfer data between hosts and perform port scanning?

A) Nmap
B) Netcat
C) Wireshark
D) Nessus

Answer: B) Netcat

Explanation: 

Netcat is a highly versatile networking tool often called the "Swiss Army knife" of network utilities because of its range of capabilities. It can open TCP or UDP connections, read and write data across them, listen for inbound connections, and thereby serve as a file-transfer channel, a bind or reverse shell, or a relay during a penetration test. It can also perform port scanning: with the -z flag it attempts connections across a range of ports without sending data, reporting which ones accept, which identifies listening services on a target. Its small size and flexibility make it a standard component of security distributions and administrative toolkits. Note that Netcat provides no encryption or authentication, so anything it transfers is visible on the wire and any listener it opens is reachable by anyone who can connect to it.

Nmap, although extremely powerful for port scanning and network discovery, does not itself transfer data between hosts (the Nmap project ships Ncat, a separate Netcat reimplementation, for that purpose). It focuses on mapping networks, identifying services, detecting operating systems, and probing for vulnerabilities through its scripting engine. While it excels at reconnaissance, it lacks the general-purpose read/write channel that Netcat provides.

Wireshark is a packet analysis tool used to capture, inspect, and decode network traffic. It operates passively, meaning it does not send data or initiate connections. Its purpose is to analyze packets for troubleshooting or security analysis, not to transfer data or perform active port scanning in the way Netcat can.

Nessus is a vulnerability scanner that identifies security weaknesses across systems by testing configurations, software versions, and known vulnerabilities. It conducts in-depth assessments but does not act as a general-purpose communication tool and cannot be used to transfer data between hosts or serve as a port-scanning utility beyond its internal assessment mechanisms.

Netcat is correct because it uniquely combines data-transfer capabilities with active port scanning and flexible network communication.

Question 55 

Which attack relies on crafting malicious input to exploit a buffer memory allocation flaw?

A) Buffer overflow
B) SQL injection
C) Cross-site scripting
D) ARP spoofing

Answer: A) Buffer overflow

Explanation: 

A buffer overflow attack occurs when more data is supplied to a memory buffer than it is designed to hold. Software that fails to properly validate input may allow attackers to write beyond the boundaries of allocated memory. When this happens, adjacent memory can be overwritten, leading to corruption of data, crashes, or even execution of arbitrary code. Buffer overflows are particularly dangerous because they enable attackers to inject malicious instructions into memory and force the system to execute them, often granting elevated privileges. These flaws arise from unsafe programming practices, especially in low-level languages like C or C++, where manual memory management is required. Attackers exploit these vulnerabilities by crafting inputs specifically designed to overwrite control structures such as return addresses or function pointers, thereby redirecting program execution.

SQL injection does not exploit memory-buffer flaws; instead, it targets web applications by injecting malicious SQL queries through input fields. This allows attackers to manipulate database operations, retrieve sensitive data, or alter stored information. Although serious, SQL injection interacts with database logic, not memory allocation, and therefore it does not trigger buffer overflows.

Cross-site scripting allows attackers to inject malicious scripts into web pages viewed by other users. The primary target is the victim’s browser rather than the server’s memory. XSS exploits flaws in input validation but does not involve overwriting memory or executing low-level code on the server.

ARP spoofing manipulates Address Resolution Protocol messages on a local network, enabling attackers to redirect traffic by associating their MAC address with another device's IP address. This attack operates at the link layer (Layer 2) and has no relation to memory buffers or input handling.

Buffer overflow is correct because it specifically leverages improper memory boundary checks to overwrite memory and influence execution flow. It remains one of the most critical and impactful vulnerability types in software security.

Question 56 

Which type of reconnaissance involves gathering information without alerting the target?

A) Passive reconnaissance
B) Active reconnaissance
C) Credentialed scanning
D) Penetration testing

Answer: A) Passive reconnaissance

Explanation: 

Passive reconnaissance is the process of gathering information about a target without engaging directly with its systems or networks, so that the activity cannot be observed by the target. It relies on third-party and public sources: WHOIS and domain registration details, DNS records, certificate transparency logs, search engines and archived pages, social media and job postings, breach dumps containing leaked credentials, and internet-wide scan datasets collected by others. Because no packets are sent to the target's own systems, nothing is written to its logs and no intrusion detection system fires. Analysts, security testers, and attackers use passive reconnaissance to build an early intelligence profile while remaining unseen. That profile serves as the foundation for later stages of testing or attack, helping to determine system structure, exposed assets, likely weaknesses, and employee behaviour patterns.

Active reconnaissance differs significantly because it requires direct engagement with the target’s systems. Techniques include port scanning, service enumeration, operating system fingerprinting, and vulnerability probing. These actions generate network traffic that is likely to be detected by firewalls, intrusion detection systems, or network monitoring tools. While active reconnaissance provides detailed, real-time information, it sacrifices stealth and increases the risk of exposure. Because active probing interacts with the target’s environment, it cannot be considered a non-alerting discovery method.

Credentialed scanning relies on valid login credentials to authenticate directly into systems, providing full insight into vulnerabilities, patches, configuration issues, and system behavior. Since this process involves establishing authenticated sessions and running internal checks, it is inherently intrusive. Logs and monitoring systems easily detect credentialed scans, and because they require trusted access, they are far removed from stealth-based reconnaissance methods.

Penetration testing goes beyond information gathering and attempts to exploit vulnerabilities to gain access or escalate privileges. Penetration tests mimic real attacks and often cause detectable events such as failed login attempts, abnormal network traffic, service interruptions, or file modifications. Because exploitation is interactive and disruptive, penetration testing is not passive under any circumstances.

Passive reconnaissance is correct because it is the only method that focuses exclusively on gathering intelligence without interacting with the target. It maintains complete anonymity by avoiding any direct communication or data requests. Its reliance on publicly accessible information ensures that the target remains unaware of the assessment activity. This makes passive reconnaissance the preferred initial step for attackers seeking stealth and for security professionals conducting safe, undetectable intelligence gathering before deeper testing.
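As an added example (not part of the original question set or its source), the following Python snippet shows one concrete passive technique from the paragraph above: harvesting a target's hostnames from certificate transparency logs. A crt.sh query such as https://crt.sh/?q=%25.example.com&output=json returns a JSON list with `name_value` and `not_before` fields; the export below is constructed in that shape, so nothing is fetched and no packet ever reaches example.com. The scope check, the wildcard handling and the label grammar are this example's own choices, not anything crt.sh provides.

```python
import json
import re
from typing import Dict, List

# Constructed sample in the shape of a crt.sh JSON export. The entries are
# invented for this example; real exports carry the same field names.
SAMPLE_CT_EXPORT = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\nexample.com", "not_before": "2024-01-10T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.example.com", "not_before": "2023-06-01T00:00:00"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "vpn.corp.example.com", "not_before": "2022-03-15T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "staging-api.example.com\nWWW.EXAMPLE.COM.", "not_before": "2023-11-20T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com.evil-lookalike.net", "not_before": "2024-02-02T00:00:00"},
])

# One DNS label: letters, digits, hyphens, no leading/trailing hyphen, 63 chars max.
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def ct_hostnames(ct_json: str, apex: str) -> Dict[str, object]:
    """Extract in-scope hostnames from a crt.sh-style export.

    Returns {"hosts": {hostname: earliest not_before}, "wildcards": [...]}.
    Names outside the apex (including lookalike domains that merely contain it)
    are dropped; wildcard entries are reported separately because they prove
    nothing about which hosts actually exist.
    """
    hosts: Dict[str, str] = {}
    wildcards = set()
    for entry in json.loads(ct_json):
        # A single certificate can list several SANs, newline-separated.
        for raw in entry["name_value"].split("\n"):
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                wildcards.add(name)
                continue
            if name != apex and not name.endswith("." + apex):
                continue  # unrelated or lookalike domain, out of scope
            if not all(LABEL_RE.match(label) for label in name.split(".")):
                continue  # malformed SAN, skip rather than guess
            seen = entry["not_before"]
            hosts[name] = min(seen, hosts.get(name, seen))  # ISO timestamps sort as strings
    return {"hosts": dict(sorted(hosts.items())), "wildcards": sorted(wildcards)}


if __name__ == "__main__":
    result = ct_hostnames(SAMPLE_CT_EXPORT, "example.com")
    for host, first_seen in result["hosts"].items():
        print(f"{host:30} first certificate {first_seen}")
    print("wildcards:", result["wildcards"])
```

The step that would turn this into active reconnaissance is the obvious next one: resolving or connecting to the hosts found. Everything up to that point touches only the log operator, which is why CT harvesting belongs on the passive side of the line drawn in the question.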

Question 57 

Which attack captures traffic between two hosts and can manipulate it before delivery?

A) Man-in-the-middle
B) SQL injection
C) Phishing
D) DNS poisoning

Answer: A) Man-in-the-middle

Explanation: 

A man-in-the-middle attack involves an attacker secretly intercepting communication between two parties, positioning themselves between them without their knowledge. Once embedded in the communication path, the attacker can capture, read, modify, or inject data before passing it on to the intended recipient. This manipulation capability makes the attack extremely dangerous because both users believe they are communicating directly and securely. Attackers typically gain the position through rogue or insecure Wi-Fi access points, ARP spoofing, DNS poisoning, or compromised routers, and then use techniques such as SSL stripping to keep the intercepted traffic readable. Because the attacker controls the data flow, they can steal credentials, alter transactions, inject malicious content, or observe sensitive information. The ability to both intercept and modify communications distinguishes a man-in-the-middle attack from simple eavesdropping; it succeeds only where the channel lacks authentication and integrity protection, which is exactly what TLS with certificate validation is meant to supply.

SQL injection operates on a completely different layer. Instead of intercepting communications, it targets backend databases by inserting malicious SQL statements through vulnerable input fields. This manipulation affects database operations, not traffic flow between two hosts. It enables attackers to extract or modify stored information but does not involve intercepting or altering communication between two endpoints.

Phishing relies on psychological deception rather than communication interception. Attackers craft fraudulent emails or messages designed to trick users into revealing sensitive information or clicking malicious links. While phishing can lead to credential theft or malware infections, it does not involve capturing or modifying ongoing communication between hosts.

DNS poisoning manipulates DNS records or cache entries to redirect users to malicious sites. When cached entries are corrupted, users attempting to reach a legitimate domain may be unknowingly directed to a fraudulent server. On its own, this attack influences destination resolution rather than sitting inside an existing exchange: it misdirects users, and is often a stepping stone toward a man-in-the-middle position rather than the interception and modification of traffic itself.

Man-in-the-middle is correct because it uniquely places the attacker directly inside the communication path. This allows real-time interception, modification, and redirection of data without the knowledge of either communicating party. The ability to manipulate messages distinguishes it from passive sniffing or redirection attacks and makes it a powerful method for credential theft, fraud, and espionage.
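As an added example (not code from the original question set), the Python exchange below models the point made above: an on-path attacker can rewrite an unauthenticated message at will, but cannot rewrite one that carries an integrity tag under a key they do not hold. The transfer message, the attacker name and the pre-shared key are constructed for this example; in TLS the equivalent binding comes from the record MAC under keys established through the authenticated handshake.

```python
import hashlib
import hmac
import json
from typing import Dict, Optional

# Assumed pre-shared key known to sender and receiver but not to the attacker.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"


def build_transfer(amount: int, to: str, key: Optional[bytes]) -> Dict[str, str]:
    """Sender side. With key=None the message has no integrity protection;
    with a key it carries an HMAC-SHA256 tag over the canonical body."""
    body = json.dumps({"amount": amount, "to": to}, sort_keys=True)
    msg = {"body": body}
    if key is not None:
        msg["tag"] = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return msg


def mitm_forward(msg: Dict[str, str], attacker: str) -> Dict[str, str]:
    """On-path attacker: reads the message, rewrites the beneficiary, forwards it.
    Any tag present is forwarded unchanged because the attacker cannot recompute it."""
    body = json.loads(msg["body"])
    body["to"] = attacker
    tampered = dict(msg)
    tampered["body"] = json.dumps(body, sort_keys=True)
    return tampered


def accept_transfer(msg: Dict[str, str], key: Optional[bytes]) -> Optional[dict]:
    """Receiver side. Returns the parsed body, or None when the tag check fails.
    compare_digest avoids leaking tag bytes through timing differences."""
    if key is not None:
        expected = hmac.new(key, msg["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("tag", "")):
            return None
    return json.loads(msg["body"])


def run_exchange(key: Optional[bytes]) -> Optional[str]:
    """Sender -> attacker -> receiver. Returns who the receiver believes is paid,
    or None if the receiver rejected the message."""
    msg = build_transfer(100, "alice", key)
    as_delivered = mitm_forward(msg, "mallory")
    result = accept_transfer(as_delivered, key)
    return None if result is None else result["to"]


if __name__ == "__main__":
    print("without integrity protection, payee becomes:", run_exchange(None))
    print("with HMAC, receiver accepts:", run_exchange(SHARED_KEY))
```

Note what the tag does not do: the attacker can still read the body and drop or replay it. Confidentiality and replay protection need encryption and sequence numbers on top, which is the combination a TLS record layer provides.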

Question 58 

Which type of attack allows attackers to execute commands on a remote system via weak authentication in network services?

A) Remote code execution
B) Brute-force attack
C) Denial-of-service
D) Packet sniffing

Answer: A) Remote code execution

Explanation: 

Remote code execution is an attack that allows an adversary to run arbitrary commands or programs on a remote system by exploiting vulnerabilities or weak authentication mechanisms within network-exposed services. Such attacks occur when a system fails to validate user input, improperly handles memory, or exposes insecure interfaces that attackers can abuse to gain command execution capability. Weak credentials, unpatched software, and misconfigured services often create environments where remote code execution becomes possible. Once attackers gain the ability to execute commands remotely, they may install malware, harvest data, create backdoors, or pivot further into a network. Remote code execution is considered one of the most severe types of vulnerabilities because it allows attackers to take full control of a system without requiring physical access.

Brute-force attacks involve repeatedly guessing usernames, passwords, or encryption keys until the correct value is found. While a brute-force attack can lead to unauthorized access if successful, it does not automatically result in remote command execution unless paired with additional exploitation mechanisms. Brute-forcing targets authentication, not command execution directly.

Denial-of-service attacks attempt to overwhelm or disrupt a system by flooding it with traffic or malformed requests. Their purpose is to degrade availability, not to execute commands or gain control. Although denial-of-service attacks can destabilize a system, they do not enable attackers to run remote programs.

Packet sniffing is a passive technique that captures and analyzes data traveling across a network. It enables attackers to observe traffic but does not modify or inject commands into a remote system. Packet sniffing may help gather credentials, but it does not directly provide a method for executing commands.

Remote code execution is correct because it explicitly refers to attacks that allow adversaries to run commands remotely through vulnerable or poorly protected services. This ability makes it one of the most powerful and damaging forms of exploitation.
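As an added example (not part of the original question set), the Python handler below shows the input-handling route to command execution named in the explanation above: a network service that pastes a client-supplied value into a shell command, beside the hardened version of the same function. The `DIAG <host>` protocol, the hostname grammar and the use of `echo` in place of a real `ping` are this example's own constructions; weak or default credentials on the service would simply be the attacker's way of reaching this handler.

```python
import re
import subprocess

# Assumed allow-list grammar: RFC 1123 style hostname labels. Anything that
# does not match is rejected before it can reach a process.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def diag_vulnerable(host: str) -> str:
    """The 'before': the service builds a shell command line by concatenation.
    A host value such as 'x; <command>' runs <command> with the service's
    privileges. `echo` stands in for `ping -c 1` so the example finishes instantly."""
    completed = subprocess.run("echo " + host, shell=True,
                               capture_output=True, text=True)
    return completed.stdout


def diag_hardened(host: str) -> str:
    """The 'after': validate against the allow-list grammar, then pass argv as a
    list with shell=False so no shell ever parses the value."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected host value: {host!r}")
    completed = subprocess.run(["echo", host], capture_output=True, text=True)
    return completed.stdout


def handle_request(line: str, hardened: bool) -> str:
    """Minimal handler for a line-oriented service accepting 'DIAG <host>'.
    Transport and authentication are deliberately left out; this is the code
    that runs once a client, legitimate or not, has reached the service."""
    verb, _, arg = line.strip().partition(" ")
    if verb != "DIAG" or not arg:
        return "ERR usage: DIAG <host>\n"
    try:
        return (diag_hardened if hardened else diag_vulnerable)(arg)
    except ValueError as exc:
        return f"ERR {exc}\n"


if __name__ == "__main__":
    attack = "DIAG x; echo INJECTED"          # constructed malicious request
    print("vulnerable:", handle_request(attack, hardened=False).strip())
    print("hardened:  ", handle_request(attack, hardened=True).strip())
    print("legit:     ", handle_request("DIAG example.com", hardened=True).strip())
```

The hardened version combines two independent controls: strict validation of the value and never handing it to a shell. Either one alone closes this particular hole; both together mean a mistake in one still leaves the other standing.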

Question 59

Which attack manipulates session cookies to impersonate an authenticated user?

A) Session hijacking
B) Cross-site request forgery
C) ARP spoofing
D) Smurf attack

Answer: A) Session hijacking

Explanation: 

Session hijacking involves stealing, manipulating, or predicting the session cookies or tokens that web applications use to maintain an authenticated state. When a user logs in, the server issues a session identifier that stands in for the credentials on every subsequent request. If an attacker can capture or forge that identifier, they can impersonate the user without ever knowing the username or password. Techniques for obtaining session cookies include sniffing traffic on unsecured networks, exploiting cross-site scripting vulnerabilities to read cookies that lack the HttpOnly flag, abusing insecure storage mechanisms, or predicting poorly generated tokens. Once in possession of the token, the attacker simply presents it in their own requests (for example by setting the cookie in their browser), gaining unauthorized access to the account. This technique directly targets the mechanism that preserves identity and state in web applications.

Cross-site request forgery works by tricking an authenticated user’s browser into performing unintended actions on a website. It relies on the victim being logged in and uses their valid session, but it does not involve stealing or manipulating session cookies. Instead, it abuses trust between the client and server by forging legitimate-looking requests.

ARP spoofing compromises communication within local networks by associating a malicious MAC address with the IP address of another device. Although it can facilitate session theft indirectly by enabling sniffing, ARP spoofing itself does not manipulate web session cookies nor impersonate users through session token alteration.

Smurf attacks send ICMP echo requests with the victim's spoofed source address to a network broadcast address, so that every host on that segment replies to the victim at once and amplifies the flood. This attack type is purely about availability disruption and has no relation to session cookies or user impersonation.

Session hijacking is correct because it specifically focuses on capturing or manipulating session identifiers to impersonate legitimate users and bypass authentication.
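As an added example (not from the original question set), the Python snippet below turns the theft techniques listed in the explanation into checks a tester can run against real `Set-Cookie` headers: missing `HttpOnly` (readable by injected script), missing `Secure` (sniffable on plain HTTP), missing `SameSite` (sent on cross-site requests), and tokens that are close enough together to be predicted. The observed headers are constructed, the predictability heuristic is this example's own and deliberately crude, and the issuing function shows the corrected form using the operating system's CSPRNG.

```python
import secrets
from typing import Dict, List

# Constructed sample: three responses from a weak application, captured in order.
OBSERVED_HEADERS = [
    "PHPSESSID=1a2f; Path=/",
    "PHPSESSID=1a30; Path=/",
    "PHPSESSID=1a31; Path=/",
]


def audit_set_cookie(header_value: str) -> Dict[str, object]:
    """Parse one Set-Cookie value and list the attributes whose absence makes
    the cookie easier to steal or replay."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().lower()
    findings: List[str] = []
    if "httponly" not in attrs:
        findings.append("no HttpOnly: script injected via XSS can read the cookie")
    if "secure" not in attrs:
        findings.append("no Secure: the cookie also travels over plain HTTP and can be sniffed")
    if attrs.get("samesite") not in ("lax", "strict"):
        findings.append("no SameSite=Lax/Strict: the cookie rides along on cross-site requests")
    return {"name": name.strip(), "value": value.strip(), "findings": findings}


def looks_predictable(tokens: List[str], max_gap: int = 1000) -> bool:
    """Crude predictability check: if every observed token parses as a hex
    (or decimal) integer and sorted neighbours are close together, an attacker
    holding one valid token can enumerate the others."""
    try:
        values = sorted(int(t, 16) for t in tokens)
    except ValueError:
        return False  # non-hex characters present; not a simple counter
    if len(values) < 2:
        return False
    return max(b - a for a, b in zip(values, values[1:])) <= max_gap


def issue_session_cookie(name: str = "sid") -> str:
    """Corrected form: 256 bits from the OS CSPRNG and every defensive attribute set."""
    token = secrets.token_urlsafe(32)
    return f"{name}={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    for header in OBSERVED_HEADERS:
        report = audit_set_cookie(header)
        print(report["name"], report["value"], report["findings"])
    observed_tokens = [audit_set_cookie(h)["value"] for h in OBSERVED_HEADERS]
    print("tokens look predictable:", looks_predictable(observed_tokens))
    print("hardened header:", issue_session_cookie())
```

None of these flags makes hijacking impossible on its own; a token leaked by any other route still works until the server invalidates it, which is why session lifetime, rotation on login, and binding the session to a server-side record matter as much as the cookie attributes.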

Question 60 

Which type of attack targets weaknesses in the SSL/TLS handshake to capture encryption keys?

A) BEAST
B) SQL injection
C) Phishing
D) ARP spoofing

Answer: A) BEAST

Explanation: 

BEAST, short for Browser Exploit Against SSL/TLS, was demonstrated in 2011 by Thai Duong and Juliano Rizzo against the CBC cipher suites of SSL 3.0 and TLS 1.0. The weakness sits in the record layer, not the handshake: in those versions the initialization vector for each record is the last ciphertext block of the previous record, so anyone watching the connection knows the IV before the next record is encrypted. Combined with a way to make the victim's browser send attacker-chosen plaintext over the same connection (in the original demonstration, code injected into a page the victim visited), this turns CBC encryption into a chosen-plaintext oracle. The attacker aligns a secret such as a session cookie so that a block holds fifteen known bytes and one unknown byte, then submits crafted blocks that are equal to the target ciphertext only when a guess for that byte is right, recovering the cookie one byte at a time. The attack recovers plaintext; the session keys are never exposed. Mitigations were 1/n-1 record splitting in browsers, moving to TLS 1.1 and later, which carry an explicit random IV with every record, and preferring non-CBC suites (RC4 at the time, a workaround since deprecated in favour of AEAD suites such as AES-GCM and ChaCha20-Poly1305).

SQL injection does not interact with encryption protocols or handshake mechanisms. It manipulates database queries by inserting malicious SQL statements into application inputs. While highly effective against poorly secured web applications, SQL injection does not attempt to decrypt SSL/TLS traffic or capture encryption keys.

Phishing is a social engineering technique designed to deceive users into revealing credentials or sensitive information. It has no interaction with cryptographic handshakes, encryption processes, or SSL/TLS algorithms. Since phishing relies on deception rather than protocol exploitation, it cannot decrypt or reveal protected key material.

ARP spoofing redirects traffic on a local network segment by falsifying ARP responses. While this can allow attackers to intercept unencrypted traffic or place themselves on path, ARP spoofing does not exploit TLS cryptographic weaknesses, nor does it target handshake messages or encryption keys. It functions at an entirely different layer of the network stack.

BEAST is correct because, of the options listed, it is the only one that exploits a weakness in SSL/TLS cryptography itself, specifically the predictable CBC initialization vectors of SSL 3.0 and TLS 1.0. Note that the question's wording is loose on two points: BEAST recovers encrypted plaintext such as cookies rather than the encryption keys, and the flaw is in record encryption rather than the handshake.
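As an added example (not from the original question set or the original BEAST research), the Python model below carries the mechanism described above through to a working byte-at-a-time recovery. The sender mimics TLS 1.0 CBC chaining, where each record's IV is the previous record's last ciphertext block; the attacker observes every ciphertext and can make the victim send a chosen prefix followed by the secret cookie. The block cipher is a toy Feistel construction on SHA-256 so that the example needs no third-party library; the attack never relies on anything specific to it. Real TLS records also carry a MAC and proper padding, which are omitted here, and the cookie value is constructed.

```python
import hashlib
import os
from typing import Callable, List

BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 128-bit block cipher: a 4-round Feistel network with a SHA-256 round
    function. Stands in for AES; decryption would run the rounds in reverse."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, _xor(left, f)
    return left + right


class Tls10CbcSender:
    """Models TLS 1.0 CBC record encryption: the IV of every record is the last
    ciphertext block of the previous record, so it is public before use."""

    def __init__(self, key: bytes, initial_iv: bytes):
        self.key = key
        self.chain = initial_iv  # the first IV is secret; later ones are not

    def send_record(self, plaintext: bytes) -> bytes:
        plaintext += b"\x00" * (-len(plaintext) % BLOCK)  # toy padding
        out = b""
        for i in range(0, len(plaintext), BLOCK):
            self.chain = toy_block_encrypt(self.key, _xor(plaintext[i:i + BLOCK], self.chain))
            out += self.chain
        return out


class BeastAttacker:
    """Attacker in the BEAST position: can make the victim send
    <chosen prefix><secret> and sees every ciphertext on the wire."""

    def __init__(self, victim_send: Callable[[bytes], bytes]):
        self.victim_send = victim_send
        self.last_block = b""  # IV the next record will chain from

    def _observe(self, prefix: bytes) -> List[bytes]:
        ct = self.victim_send(prefix)
        blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
        self.last_block = blocks[-1]
        return blocks

    def recover(self, secret_len: int) -> bytes:
        self._observe(b"A" * BLOCK)  # warm-up record: learn the chaining IV
        recovered = b""
        for k in range(secret_len):
            # Choose the prefix length so that block `idx` of <prefix><secret>
            # holds 15 bytes we already know followed by secret byte k.
            pad = BLOCK - 1 - (k % BLOCK)
            idx = k // BLOCK
            prefix = b"A" * pad
            iv_for_record = self.last_block
            blocks = self._observe(prefix)
            target = blocks[idx]
            prev = blocks[idx - 1] if idx > 0 else iv_for_record
            known = (prefix + recovered)[idx * BLOCK: idx * BLOCK + BLOCK - 1]
            for g in range(256):
                guess = known + bytes([g])
                # E(chosen XOR next_iv) == E(guess XOR prev) iff guess == target plaintext
                chosen = _xor(_xor(guess, prev), self.last_block)
                if self._observe(chosen)[0] == target:
                    recovered += bytes([g])
                    break
            else:
                raise RuntimeError("no guess matched: chaining assumption broken")
        return recovered


def demo_beast() -> bytes:
    """Runs the attack end to end and returns the recovered cookie value."""
    key, initial_iv = os.urandom(16), os.urandom(16)
    secret = b"sid=7f3a"  # constructed sample cookie value
    sender = Tls10CbcSender(key, initial_iv)
    attacker = BeastAttacker(lambda prefix: sender.send_record(prefix + secret))
    return attacker.recover(len(secret))


if __name__ == "__main__":
    print("recovered:", demo_beast())
```

Each secret byte costs at most 256 victim requests, and the attacker never learns `key`. The TLS 1.1 fix breaks the line `chosen = ...`: with a fresh random IV sent alongside each record, `self.last_block` no longer predicts what the next record will chain from, so the guesses stop correlating with the target block.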
