During a social engineering simulation at BrightPath Consulting in Denver, ethical hacker Liam emails employees a message that appears to come from the company’s security team. The email urgently warns that “all systems will shut down within 24 hours” unless staff download a patch from a provided link. The message is deliberately false and contains no actual malware, but it causes confusion and prompts several employees to call IT for clarification.
Which social engineering technique is Liam demonstrating?
You detect the presence of a kernel-level rootkit embedded deeply within an operating system. Given the critical nature of the infection, which remediation strategy should be followed to effectively remove the rootkit while minimizing long-term risk?
Which of the following protocols is used when an attacker attempts to launch a man-in-the-middle attack by manipulating sequence and acknowledgment numbers?
During a red team engagement, an ethical hacker discovers that a thermostat accepts older firmware versions without verifying their authenticity. By loading a deprecated version containing known vulnerabilities, the tester gains unauthorized access to the broader network. Which IoT security issue is most accurately demonstrated in this scenario?
Which of the following is the primary goal of ethical hacking?
What is the minimum number of network connections in a multihomed firewall?
During a red team assessment at a banking client in Chicago, ethical hacker David gains access to the internal LAN. He sets up a test machine and injects crafted messages into the network. Soon, all traffic between a finance workstation and the authentication server is silently routed through his system without changing switch configurations. He observes usernames and passwords passing through his interface, even though no proxy or VPN is in use.
Which sniffing technique did David most likely use?
Which vulnerability exploits memory corruption?
An ethical hacker conducting an authorized assessment of a multinational advisory firm begins collecting intelligence exclusively from publicly accessible online platforms where employees share professional background details and engage in industry-related discussions.
By correlating individual role descriptions, publicly endorsed technical competencies, collaborative conversations referencing internal initiatives, and recurring terminology used to describe projects and departments, the tester develops a structured view of reporting relationships, identifies commonly deployed technologies, and infers internal naming conventions.
From a reconnaissance methodology perspective, which technique is being applied?
During an ethical hacking exercise, a security analyst is testing a web application that manages confidential information and suspects it may be vulnerable to SQL injection. Which payload would most likely reveal whether the application is vulnerable to time-based blind SQL injection?
An attacker is analyzing traffic from a mobile app and finds that sensitive data like session tokens are being transmitted over HTTP instead of HTTPS. The attacker plans to intercept and manipulate the data during transmission. Which vulnerability is the attacker exploiting?
A security researcher reviewing an organization ' s website source code finds references to Amazon S3 file locations. What is the most effective way to identify additional publicly accessible S3 bucket URLs used by the target?
An attacker exploits a misconfigured S3 bucket containing application backups with database credentials. What cloud security failure category does this fall under?
You are conducting a security audit at a government agency. During your walkthrough, you observe a temporary contractor sitting in the staff lounge using their smartphone to discretely record employees as they enter passwords into their systems. Upon further investigation, you find discarded documents in a nearby trash bin containing sensitive project information. What type of attack is most likely being performed?
An organization is performing a vulnerability assessment for mitigating threats. James, a pen tester, scanned the organization by building an inventory of the protocols found on the organization ' s machines to detect which ports are attached to services such as an email server, a web server or a database server. After identifying the services, he selected the vulnerabilities on each machine and started executing only the relevant tests. What is the type of vulnerability assessment solution that James employed in the above scenario?
During a penetration test at Pacific Shipping Co. in Seattle, ethical hacker Mia Chen evaluates the defenses protecting the company ' s web-facing servers. She observes that the security system is not only checking basic packet headers but also validating session state and performing some application-level analysis. This multilayer approach makes it more difficult for Mia to bypass the firewall using simple fragmentation or tunneling attacks.
Which type of firewall is Mia most likely facing?
During an authorized security assessment of a smart home product manufacturer in San Jose, California, a certified ethical hacker evaluates the web-based management interface used to configure connected IoT cameras and lighting controllers.
The tester discovers that when an internal user visits a specially crafted external website, the browser automatically initiates requests to a locally hosted device management interface within the user’s private network.
Which attack technique best explains this behavior?
You are Ava Mitchell, an ethical hacker at Sentinel Cyberworks, hired to test the wireless defenses of Horizon Financial, a bank in Boston, Massachusetts. During a covert night-time assessment, your objective is to simulate an attacker attempting to breach the bank ' s WPA-protected Wi-Fi network. You deploy a tool that allows you to capture wireless packets, send de-authentication packets to force client reconnections, and attempt to recover the encryption key, all within a single graphical interface. Based on the described functionality, which Wi-Fi security auditing tool are you using?
During a red team exercise at Horizon Financial Services in Chicago, ethical hacker Clara crafts an email designed to trick the company’s CEO. The message, disguised as an urgent memo from the legal department, warns of a pending lawsuit and includes a link to a fake internal portal requesting the executive’s credentials. Unlike generic phishing, this attack is tailored specifically toward a high-ranking individual with decision-making authority.
As an IT security analyst, you perform network scanning using ICMP Echo Requests. During the scan, several IP addresses do not return Echo Replies, yet other network services remain operational. How should this situation be interpreted?
You are an ethical hacker at Apex Security Consulting, hired by Riverfront Media, a digital marketing firm in Boston, Massachusetts, to assess the security of their customer relationship management CRM web application. While evaluating the application’s search feature, you input a long string of single quote characters into the search bar. The application responds with an error message suggesting that it cannot handle the length or structure of the input in the current SQL context. Based on the observed behavior, which SQL injection vulnerability detection technique are you employing?
During a stealth penetration test at a defense research facility, ethical hacker Daniel installs a payload that survives even after multiple operating system reinstalls. The implant resides deep inside the system hardware and executes before the OS is loaded, ensuring that forensic scans and antivirus tools at the OS level cannot detect or remove it. Administrators notice unusual activity on network cards and storage devices, but repeated scans show no malware traces within the file system.
Which type of rootkit most likely enabled this level of persistence?
As a network administrator, you explain to your team that a recent DDoS attack targeted the application layer of your company’s web server. Which type of DDoS attack was most likely used?
At Norwest Freight Services, a rotating audit team is asked to evaluate host exposure across multiple departments following a suspected misconfiguration incident. Simon, a junior analyst working from a trusted subnet, initiates a network-wide scan using the default configuration profile of his assessment tool. The tool completes quickly but returns only partial insights such as open service ports and version banners while deeper registry settings, user policies, and missing patches remain unreported. Midway through the report review, Simon notices that system login prompts were never triggered during scanning, and no credential failures were logged in the SIEM.
Which type of vulnerability scan BEST explains the behavior observed in Simon’s assessment?
As part of a passive reconnaissance engagement for a university research network, you are tasked with mapping potential administrative exposure points across .edu domains. Your objective is to identify web pages that might allow privileged backend access, such as misconfigured administrative interfaces, using only publicly indexed information. To ensure efficiency and compliance, you decide to use advanced Google search operators to refine your search results. Your goal is to locate URLs across educational domains that may contain restricted backend functionality.
Which of the following search strings would most effectively support this goal?
Which of the following tools can be used for passive OS fingerprinting?
A penetration tester is assessing a company ' s executive team for vulnerability to sophisticated social engineering attacks by impersonating a trusted vendor and leveraging internal communications. What is the most effective social engineering technique to obtain sensitive executive credentials without being detected?
An attacker impersonates a technician and gains physical access to restricted areas. What tactic is this?
At a power distribution facility in Phoenix, Arizona, ethical hacker Sameer Das is performing an OT security assessment. He demonstrates that a programmable controller accepts modifications delivered over the network without checking the origin or cryptographic validity of the package. By uploading altered instructions, he changes how the controller processes commands during operations. Which IoT/OT threat best represents this technique?
A regional healthcare provider in Portland, Oregon, recently migrated its patient scheduling portal to a new cloud platform. Within days, multiple patients reported that when searching online for the clinic ' s appointment system, they were directed to a website that looked identical to the official portal. The fraudulent page appeared prominently in search engine results and prompted users to log in using their patient credentials. The URL closely resembled the legitimate domain name, and no internal DNS servers had been altered within the organization ' s infrastructure. Security analysts later determined that the attacker had created a convincing replica of the portal and manipulated search visibility so that unsuspecting users would voluntarily navigate to the malicious site. Which type of social engineering technique best explains this attack?
After the completion of the pen test, you have provided the client with a list of controls to implement to reduce the identified risk. What term best describes the risk that remains after the controls have been implemented?
An attacker has partial root access to a mobile application. What control best prevents further exploitation?
A tester evaluates a login form that constructs SQL queries using unsanitized user input. By submitting 1 OR ' T ' = ' T ' ; --, the tester gains unauthorized access to the application. What type of SQL injection has occurred?
A regional hospital network is conducting incident containment after discovering that an internal file server was accessed by unauthorized actors. While forensic analysis is ongoing, a security engineer must immediately protect sensitive medical records stored on a mounted partition without shutting down the system.
The solution must support strong encryption, including 256-bit AES, allow creation of encrypted containers within existing storage volumes, and provide the capability to conceal protected data inside standard-looking volumes to reduce visibility during continued investigation.
Select the disk encryption tool that best satisfies these operational and security requirements.
A Certified Ethical Hacker (CEH) is auditing a company’s web server that employs virtual hosting. The server hosts multiple domains and uses a web proxy to maintain anonymity and prevent IP blocking. The CEH discovers that the server’s document directory (containing critical HTML files) is named “certrcx” and stored in /admin/web. The server root (containing configuration, error, executable, and log files) is also identified. The CEH also notes that the server uses a virtual document tree for additional storage. Which action would most likely increase the security of the web server?
In downtown Chicago, Illinois, security analyst Mia Torres investigates a breach at Windy City Enterprises, a logistics firm running an Apache HTTP Server. The attacker exploited a known vulnerability in an outdated version, gaining unauthorized access to customer shipment data. Mia’s analysis reveals the server lacked recent security updates, leaving it susceptible to remote code execution. Determined to prevent future incidents, Mia recommends a strategy to the IT team to address this exposure.
Which approach should Mia recommend to secure Windy City Enterprises ' Apache HTTP Server against such vulnerabilities?
A sophisticated injection attack bypassed validation using obfuscation. What is the best future defense?
A media streaming company in Los Angeles, California engages a certified ethical hacker to evaluate the resilience of its cloud-hosted infrastructure. After initial access is obtained through an exposed credential in a development repository, the tester systematically modifies logging configurations, establishes alternate access keys for persistence, and documents privilege relationships between services within the tenant.
The tester’s actions are focused on maintaining continued access and mapping the internal structure of the environment after initial compromise has occurred.
Within the cloud attack lifecycle, which phase best represents this stage of activity?
Self-replicating malware causes redundant traffic, crashes, and spreads autonomously. What malware type is responsible, and how should it be handled?
You are an ethical hacker at ShieldPoint Security, hired by Pinecrest Travel Agency in Orlando, Florida, to perform a penetration test on their flight booking portal. During testing, you notice that normal SQL injection attempts are blocked by a security filter. To bypass it, you adjust your input so that key SQL keywords are broken apart with unexpected symbols, allowing the database to interpret them correctly while evading the filter. This manipulation allows you to retrieve hidden booking records despite the filter ' s restrictions. Based on the observed behavior, which SQL injection evasion technique are you employing?
Scenario:
Victim opens the attacker ' s website.
Attacker sets up a website containing interesting and attractive content such as “Do you want to make $1000 in a day?”.
Victim clicks the attractive content URL.
The attacker creates a transparent iframe in front of the URL that the victim attempts to click. The victim believes he/she is clicking the “Do you want to make $1000 in a day?” link, but is actually clicking content or a URL hidden inside the transparent iframe controlled by the attacker.
What is the name of the attack mentioned in the scenario?
A penetration tester is tasked with mapping an organization ' s network while avoiding detection by sophisticated intrusion detection systems (IDS). The organization employs advanced IDS capable of recognizing common scanning patterns. Which scanning technique should the tester use to effectively discover live hosts and open ports without triggering the IDS?
A web app fails to restrict API request frequency. What risk exists?
An ethical hacker needs to enumerate user accounts and shared resources within a company ' s internal network without raising any security alerts. The network consists of Windows servers running default configurations. Which method should the hacker use to gather this information covertly?
A penetration tester suspects that a web application ' s user profile page is vulnerable to SQL injection, as it uses the userID parameter in SQL queries without proper sanitization. Which technique should the tester use to confirm the vulnerability?
As part of a quarterly security review at EvoTrans Logistics, a global freight optimization firm, you have been brought in as a senior cybersecurity analyst to audit perimeter firewall configurations across cloud-hosted application clusters. During your investigation, you notice that TCP port 1433 is open on a virtual machine tagged as svc-node-east-14, which was provisioned by a now-defunct third-party vendor. The node is not referenced in any current infrastructure diagrams, yet live traffic logs suggest it is still handling requests during peak hours. No documentation exists regarding its service role, but you are tasked with flagging misconfigurations that may violate policy or expose critical services unnecessarily. Based on your understanding of standard port assignments, you must determine what service this port likely represents and whether its exposure warrants escalation.
Which of the following services is most likely running on this port and requires immediate review?
Michael, an ethical hacker at a New York-based e-commerce company, is evaluating the security of their online payment system after a recent incident where fraudulent transactions went undetected. His investigation reveals that the system uses an asymmetric encryption algorithm to ensure the authenticity of payment confirmations. He finds that the algorithm employs a public-key cryptosystem, where the sender signs the transaction with a private key, and the recipient verifies it using a corresponding public key located in a directory. During his test, Michael intercepts a signed message and notices that the algorithm supports modular exponentiation for generating digital signatures, a process critical to verifying the identity of the signatory. He aims to assess if the algorithm ' s configuration could be vulnerable to a meet-in-the-middle attack due to its key structure. Which asymmetric encryption algorithm should Michael identify as the one used by the payment system?
During a red team engagement at a technology startup in Austin, ethical hacker Priya simulates an internal attacker by connecting a laptop to the corporate LAN. Within minutes, nearby workstations begin receiving incorrect network settings such as altered gateways and DNS servers. Employees trying to access the intranet are redirected to fake login portals hosted on Priya’s machine. Security tools record temporary IP conflicts, but no alerts are triggered against the altered traffic paths.
Which attack technique did Priya most likely use?
During a scheduled security review in a high-tech lab in Austin, Texas, penetration tester Lucas Bennett was assessing a state government’s new payroll system hosted in a private cloud. One humid afternoon, while fuzz testing the input validation logic of the TaxCalcEngine.dll module, he triggered a buffer overflow by submitting malformed taxpayer ID strings. The crash led to unintended disclosure of payroll data due to unchecked data boundaries. Lucas traced the issue to a coding oversight in a core processing module. Applying a structured analysis approach, which category best describes the vulnerability he discovered?
While conducting a red team exercise at a corporate office in San Diego, California, you observe employees working in an open-plan area. By discreetly watching their screens and hand movements as they log into internal systems, you are able to capture several usernames and partial passwords without touching any devices or interacting with the staff. Which social engineering technique does this scenario best illustrate?
One customer’s malicious activity impacts other tenants. Which control would best prevent this?
In Denver, Colorado, ethical hacker Rachel Nguyen is conducting a network security assessment for Apex Logistics, a transportation firm with a complex internal network. During her test, Rachel observes a client-server communication and injects specially crafted packets into the exchange, disrupting the client’s session. As a result, the server continues interacting with Rachel’s system while the legitimate client’s connection becomes unresponsive. She uses this setup in a controlled environment to demonstrate vulnerabilities to the company’s IT team.
What network-level session hijacking technique is Rachel employing in this assessment?
During a red team assessment at Sunshine Credit Union in Miami, ethical hacker Laura demonstrates a weakness in the company ' s session handling process. She shows that once a user logs in, the same authentication token assigned before login continues to be valid without being refreshed. Laura explains that an attacker could exploit this flaw by tricking a victim into authenticating with a value already known to the attacker, gaining access afterward. To mitigate this risk, the IT team agrees to apply a countermeasure focused on proper session lifecycle management.
Which countermeasure should the IT team implement?
In Raleigh, North Carolina, ethical hacker Ethan Brooks is conducting a penetration test for Triangle FinTech, a rising financial startup. During his assessment, Ethan aims to bypass the company’s network security to access a restricted internal server. He crafts network packets to disguise his traffic as legitimate, forcing some TCP header information into subsequent packets to evade the firewall’s checks. His aim is to demonstrate how an attacker could slip past the security perimeter undetected, alerting the IT team to potential weaknesses.
Which technique is Ethan employing to bypass Triangle FinTech’s firewall during his penetration test?
Which of the following best describes the role of a penetration tester?
A penetration tester runs a vulnerability scan and identifies an outdated version of a web application running on the company’s server. The scan flags this as a medium-risk vulnerability. What is the best next step for the tester?
What is the correct order of the five phases of ethical hacking?
Noah Kim, an ethical hacker at Quantum Cyber Solutions in Austin, Texas, is assessing iPhones used for proprietary development. On one device, he demonstrates a technique that allows it to boot normally without a computer, but the elevated access is temporarily lost after restart until the user launches a special on-device app to reapply the modifications. Which jailbreaking method is this?
Justin Fletcher is conducting an authorized assessment for EverSafe Technologies in Las Vegas. During the active reconnaissance phase, he interacts directly with the organization ' s infrastructure to retrieve structural details about how its public-facing systems are logically organized. His activity generates entries within the target environment ' s monitoring systems. Which type of active footprinting technique is Justin performing?
A cybersecurity consultant suspects attackers are attempting to evade an Intrusion Detection System (IDS). Which technique is most likely being used?
Which information CANNOT be directly obtained from DNS interrogation?
A penetration tester identifies malware on a system that hides its presence and gives an attacker access to administrative functions without being detected. What type of malware is this?
Lily, a network security analyst at a regional healthcare provider, is preparing defenses ahead of a scheduled external vulnerability assessment. During internal simulation drills, she observes that scanners are successfully identifying open ports and service banners across critical systems. Tasked with reducing exposure to such reconnaissance efforts, Lily is instructed to apply measures that specifically hinder port scanning activity without disrupting legitimate traffic.
Which of the following actions should Lily implement?
A competing technology firm begins releasing products that closely mirror the design, pricing strategy, and feature roadmap of ApexDynamics Inc. An internal review reveals that detailed information about ApexDynamics ' s upcoming initiatives had been gradually collected through publicly available sources and external disclosures before product launch. Which footprinting-related threat does this scenario best represent?
A penetration tester needs to map open ports on a target network without triggering the organization’s intrusion detection systems (IDS), which are configured to detect standard scanning patterns and abnormal traffic volumes. To achieve this, the tester decides to use a method that leverages a third-party host to obscure the origin of the scan. Which scanning technique should be employed to accomplish this stealthily?
Which indicator most strongly confirms a MAC flooding attack?
In Seattle, Washington, ethical hacker Mia Chen is hired by Pacific Trust Bank to test the security of their corporate network, which stores sensitive customer financial data. During her penetration test, Mia conducts a thorough reconnaissance, targeting a server that appears to host a critical database of transaction records. As she interacts with the server, she notices it responds promptly to her queries but occasionally returns error messages that seem inconsistent with a production system’s behavior, such as unexpected protocol responses. Suspicious that this server might be a decoy designed to monitor her actions, Mia applies a technique to detect inconsistencies that may reveal the system as a honeypot.
Which technique is Mia most likely using to determine if the server at Pacific Trust Bank is a honeypot?
A penetration tester is assessing a company ' s HR department for vulnerability to social engineering attacks using knowledge of recruitment and onboarding processes. What is the most effective technique to obtain network access credentials without raising suspicion?
Which method of password cracking takes the most time and effort?
At a cybersecurity consultancy firm in Boston, senior analyst Amanda Liu is called in to assess a malware outbreak affecting a regional healthcare provider. Despite using updated antivirus tools, the security team notices inconsistent detection across infected endpoints. Amanda discovers that while the malicious behavior is consistent, system file tampering and suspicious outbound traffic, each malware sample has a slightly different code structure and fails traditional hash-based comparison. Static analysis reveals that the underlying logic remains unchanged, but the code patterns vary unpredictably across infections. What type of virus is most likely responsible for this behavior?
During a forensic investigation of an attack on a media company in New York, analysts discovered that a non-privileged process loaded a malicious library instead of the intended library because the attacker placed the rogue file in a directory Windows searched before the legitimate location. When the trusted application started, the attacker’s code executed with the application’s privileges. No registry changes or kernel exploits were involved. Which technique most likely enabled the privilege escalation?
You are Ethan Brooks, an ethical hacker at Vanguard Security Solutions, hired to perform a wireless penetration test for Pacific Logistics, a shipping company in Seattle, Washington. Your task is to identify all Wi-Fi networks in range without alerting the network administrators. Using a laptop with a Wi-Fi card, you monitor radio channels to detect access points and their BSSIDs without sending any probe requests or injecting data packets.
Based on the described method, which Wi-Fi discovery technique are you employing?
Which technique best exploits session management despite MFA, encrypted cookies, and WAFs?
A penetration tester is tasked with compromising a company’s wireless network, which uses WPA2-PSK encryption. The tester wants to capture the WPA2 handshake and crack the pre-shared key. What is the most appropriate approach to achieve this?
In Denver, Colorado, ethical hacker Sophia Nguyen is hired by Rocky Mountain Insurance to assess the effectiveness of their network security controls. During her penetration test, she attempts to evade the company ' s firewall by fragmenting malicious packets to avoid detection. The IT team, aware of such techniques, has implemented a security measure to analyze packet contents beyond standard headers. Sophia ' s efforts are thwarted as the system identifies and blocks her fragmented packets.
Which security measure is the IT team most likely using to counter Sophia ' s firewall evasion attempt?
A penetration tester evaluates the security of an iOS mobile application that handles sensitive user information. The tester discovers that the application is vulnerable to insecure data transmission. What is the most effective method to exploit this vulnerability?
You are Jordan, a cryptographic assessor at Cascade Data in Portland, Oregon, reviewing the protection applied to telemetry logs. Your review finds an algorithm that operates on 128-bit blocks, accepts keys up to 256 bits, and the documentation notes it was one of the finalists in the AES selection process that aimed to replace legacy DES. Which symmetric encryption algorithm should you identify as being used?
Amid the vibrant buzz of Miami’s digital scene, ethical hacker Sofia Alvarez embarks on a mission to fortify the web server of Sunshine Media’s streaming platform. Diving into her security assessment, Sofia sends a meticulously crafted GET / HTTP/1.0 request to the server, scrutinizing its response. The server obligingly returns headers exposing its software version and operating system, a revelation that could empower malicious actors to tailor their attacks. Committed to bolstering the platform’s defenses, Sofia documents her findings to urge the security team to address this exposure.
What approach is Sofia using to expose the vulnerability in Sunshine Media’s web server?
SCADA anomalies suggest a side-channel attack. Which investigation best confirms this?
A future-focused security audit discusses risks where attackers collect encrypted data today, anticipating they will be able to decrypt it later using quantum computers. What is this threat commonly known as?
A regional healthcare provider in Minneapolis, Minnesota began experiencing intermittent connectivity issues across a newly activated access-layer network segment. Shortly after a contractor connected a diagnostic device to an unused switch port, multiple employee workstations failed to receive valid network configurations. System logs showed repeated address negotiation attempts from affected hosts, while monitoring tools recorded a rapid sequence of configuration requests originating from a single switch interface. Within minutes, additional clients on the segment encountered similar assignment failures. From a sniffing standpoint, which technique most accurately explains this behavior?
You are Alex, a forensic responder at HarborHealth in Seattle, Washington. During a live incident response you must secure an enterprise Windows server ' s system partition and attached data volumes without rebooting user machines or disrupting domain authentication. The IT team prefers a solution that integrates with Windows platform features (including hardware-backed startup protection and centralized key escrow via Active Directory/management policies) and provides transparent full-disk protection for the OS volume. Which disk-encryption solution should you deploy?
Anthony works as a security consultant for a financial services firm in Chicago, Illinois. During an internal engagement, he reviews traffic logs and observes repeated connection attempts to a service that appears to provide directory-related information beyond a single domain. The responses suggest that the underlying database contains entries representing objects across the entire organization rather than being limited to a single segment.
As Anthony continues his assessment, he notices that administrators commonly connect to this service when troubleshooting directory-related issues. The service listens on a dedicated port and allows object searches across multiple domains without requiring prior knowledge of the specific domain name.
Which service is Anthony most likely enumerating?
Infected systems receive external instructions over HTTP and DNS, with fileless payloads modifying system components. What is the most effective action to detect and disrupt this malware?
A red team member uses an access token obtained from an Azure function to authenticate with Azure PowerShell and retrieve storage account keys. What kind of abuse does this scenario demonstrate?
The tools which receive event logs from servers, network equipment, and applications, and perform analysis and correlation on those logs, and can generate alarms for security relevant issues, are known as what?
A penetration tester is tasked with assessing the security of an Android mobile application that stores sensitive user data. The tester finds that the application does not use proper encryption to secure data at rest. What is the most effective way to exploit this vulnerability?
Olivia, a cybersecurity architect at a Boston-based fintech company, is tasked with upgrading the organization ' s cryptographic infrastructure in preparation for future quantum computing threats. A recent internal audit flagged that sensitive customer data stored in the company ' s cloud environment could be vulnerable if quantum decryption methods become practically viable. To strengthen their post-quantum defense, Olivia must recommend a proactive cryptographic control that ensures long-term confidentiality of stored data, even against advanced quantum attackers.
Which cryptographic defense should Olivia prioritize to mitigate the risk of future quantum-based decryption?
A regional healthcare provider in Portland, Oregon, recently migrated its patient scheduling portal to a new cloud platform. Within days, multiple patients reported that when searching online for the clinic’s appointment system, they were directed to a website that looked identical to the official portal.
The fraudulent page appeared prominently in search engine results and prompted users to log in using their patient credentials. The URL closely resembled the legitimate domain name, and no internal DNS servers had been altered within the organization’s infrastructure.
Security analysts later determined that the attacker had created a convincing replica of the portal and manipulated search visibility so that unsuspecting users would voluntarily navigate to the malicious site.
Which type of social engineering technique best explains this attack?
During a recent security assessment, you discover the organization has one Domain Name Server (DNS) in a Demilitarized Zone (DMZ) and a second DNS server on the internal network. What is this type of DNS configuration commonly called?
Bob, a seasoned security analyst at XYZ Aerospace, was investigating a series of misaligned transaction timestamps coming from one of the data archival systems. Suspecting that the server might be syncing with an unstable time source, Bob decided to extract a detailed list of all peer servers associated with the target machine, including metrics such as delay, offset, and jitter, to determine whether the issue stemmed from time synchronization drift.
Which of the following commands should Bob use to retrieve this information?
During a red team exercise at a technology consulting firm in San Francisco, analyst Evelyn deploys a malicious payload disguised within a software update installer. When the target runs the installer, the main application functions normally, but behind the scenes, additional malware components are silently placed on the system without the user ' s knowledge. These hidden components later activate to establish remote access for the red team.
Which technique was most likely used to deliver the hidden malware?
This type of security test might seek to target the CEO ' s laptop or the organization ' s backup tapes to extract critical information, usernames, and passwords.
During a security assessment at Apex Technologies in Austin, Texas, the cybersecurity team identifies a high risk of social engineering attacks, including phishing, vishing, and baiting, targeting employees across departments. To strengthen defenses, the team plans to implement a countermeasure to reduce the likelihood of employees disclosing sensitive information. Which of the following countermeasures should Apex Technologies prioritize to mitigate the risk of social engineering attacks?
You discover multiple NetBIOS responses during an nbtscan, but only one host returns a < 1B > entry. What does this indicate?
A financial technology firm in Atlanta, Georgia launches an internal investigation after multiple employees report that a popular messaging application on their Android devices has begun displaying excessive advertisements and behaving unpredictably.
Security analysts discover that users had installed a utility application from a third-party marketplace weeks earlier. Further examination shows that this application silently replaced certain legitimate apps already present on the device. The compromised applications were then used to generate large volumes of advertisements and collect user data for external transmission.
Based on the observed behavior, what malware is most consistent with this incident?
A penetration tester alters the " file " parameter in a web application (e.g., view?file=report.txt) to ../../../../etc/passwd and successfully accesses restricted system files. What attack method does this scenario illustrate?
You are Sofia Patel, an ethical hacker at Nexus Security Labs, hired to test the mobile device security of Bayview University in San Francisco, California. During your assessment, you are given an Android 11-based Samsung Galaxy Tab S6 with USB debugging disabled and OEM unlock restrictions in place. To simulate an attacker attempting to gain privileged access, you install a mobile application that exploits a system vulnerability to gain root access directly on the device without requiring a PC. This allows you to bypass OS restrictions and retrieve sensitive research data. Based on this method, which Android rooting tool are you using?
Malware adapts behavior, changes code dynamically, and exfiltrates data stealthily. What is it?
A multinational corporation deploys a major internal tool built on a PowerShell-based automation framework. Shortly after a scheduled rollout, the IT team notices intermittent system slowdowns and unexplained bandwidth spikes. Despite running updated endpoint protection and restrictive firewall rules, traditional scanning tools report no malicious files on disk. However, internal telemetry flags a trusted process repeatedly executing obfuscated PowerShell commands in memory. The anomalous activity vanishes upon reboot and appears to leave no footprint behind on the system.
Which type of malware is most likely responsible for this behavior?
During a stealth penetration test for a multinational shipping company, ethical hacker Daniel Reyes gains local access to an engineering workstation and deploys a specialized payload that installs below the operating system. On subsequent reboots, the payload executes before any system-level drivers or services are active, giving Daniel covert control over the machine without triggering antivirus or endpoint detection tools. Weeks later, system administrators report suspicious network activity, but repeated forensic scans fail to locate any malicious processes or user-level traces.
Which type of rootkit did Daniel most likely use to maintain this level of stealth and persistence?
As a cybersecurity analyst conducting passive reconnaissance, you aim to gather information without interacting directly with the target system. Which technique is least likely to assist in this process?
A biotech research firm in Boston, Massachusetts, migrates its laboratory management platform to the cloud. The vendor provides an environment where developers can deploy and test custom applications without managing the underlying servers, operating systems, or storage. The firm controls the application logic but not the runtime infrastructure.
Which cloud service model is the company using?
On 10th of July this year, during a security penetration test at IntelliCore Systems in Raleigh, North Carolina, the ethical hacking team evaluates the stability of the company’s file-sharing server. Sofia crafts and transmits a sequence of oversized, malformed packets designed to test how the server handles unexpected input. Shortly after, the system begins crashing intermittently due to processing failures triggered by these anomalous network requests. The security team onsite is tasked with identifying the root cause behind the packet-induced instability and attributing it to a known DoS tactic.
Which of the following best explains the technique Sofia used to trigger the server crashes?
In an ethical hacking methodology and framework, which of the following step is known for “active and passive information gathering”?
Systems are communicating with unknown external entities, raising concerns about exfiltration or malware. Which strategy most directly identifies and mitigates the risk?
Which tool is best for sniffing plaintext HTTP traffic?
During a large-scale network assessment of a telecom provider in Dallas, Texas, a cybersecurity consultant uses Recon-ng and Nmap to enumerate legacy and infrastructure-level services across multiple nodes. The tools uncover open Telnet ports, FTP directories with anonymous login enabled, active TFTP services, and exposed SMB shares. The consultant also detects a service that responds to VRFY, EXPN, and RCPT commands, allowing the enumeration of user identities and delivery addresses due to weak input validation. IPv6 tunneling protocols are also detected. Concerned about information leakage, the consultant flags these services for immediate remediation.
Which classification best describes this set of enumeration activities?
You have been asked to perform a penetration test for a local company. You have had several meetings with the client and are now almost ready to begin the assessment. Which of the following is the document that would contain verbiage which describes what type of testing is allowed and when you will perform testing and limits your liabilities as a penetration tester?
Working as an Information Security Analyst at a technology firm, you are designing training material for employees about the dangers of session hijacking. As part of the training, you want to explain how attackers could use sidejacking to compromise user accounts. Which of the following scenarios most accurately describes a sidejacking attack?
Using nbtstat -A < IP > , NetBIOS names including < 20 > and < 03 > are retrieved, but shared folders cannot be listed. Why?
An attacker performs DNS cache snooping using the dig command with the +norecurse flag against a known DNS server. The server returns NOERROR but provides no answer to the query. What does this most likely suggest?
Which countermeasure best mitigates brute-force attacks on Bluetooth SSP?
A cyber adversary wants to enumerate firewall rules while minimizing noise and mimicking normal traffic behavior. Which reconnaissance technique enables mapping of firewall filtering behavior using TTL-manipulated packets?
An enterprise collaboration platform used by a pharmaceutical distributor in Boston, Massachusetts relies on a centralized identity store to validate employee credentials. While reviewing the authentication workflow, a security tester notices that user-provided values are directly embedded into backend lookup expressions responsible for locating account records.
When specific logical operators and wildcard characters are introduced into the username field, the application’s record-matching behavior changes. Instead of evaluating a single identity entry, the backend process begins matching a broader set of records than intended, altering the outcome of the authentication check.
The issue arises from improper handling of input within directory-based search logic.
From the following options, identify the injection technique illustrated in this scenario.
A malware analyst is tasked with evaluating a suspicious PDF file suspected of launching attacks through embedded JavaScript. Initial scans using pdfid show the presence of /JavaScript and /OpenAction keywords. What should the analyst do next to understand the potential impact?
A fintech startup in Austin, Texas deploys several virtual machines within a public cloud environment. During an authorized cloud security assessment, a tester uploads a small script to one of the instances through a web application vulnerability.
After executing the script locally on the instance, the tester retrieves temporary access credentials associated with the instance’s assigned role. These credentials are then used to enumerate storage resources and access additional cloud services within the same account.
Which cloud attack technique best corresponds to this activity?
During a penetration test at TechTrend Innovations in California, ethical hacker Jake Henderson reviews the company ' s web server exposure to network-based threats. He finds that the server is running with multiple open services and protocols that are not required for its operation, such as NetBIOS and SMB. Jake explains to the IT team that attackers could exploit these unnecessary services to gain unauthorized access to the server.
Which hardening measure should the IT team implement to mitigate this risk?
Which of the following best describes an attack that altered the contents of two critical files?
During an internal red team simulation at a global insurance provider, Joe, a senior SOC analyst, is assigned to verify a surge in anomalous SYN packets targeting the perimeter firewall. The result of spoofed traffic. The organization has ruled out DNS poisoning and malformed header issues. Joe must now analyze packet behavior in real-time to determine authenticity without relying on host-level authentication. To identify spoofed traffic using techniques aligned with best practices taught in the organization, which approach should Joe take?
A technology consulting firm in Charlotte, North Carolina experienced a targeted intrusion after an employee interacted with a carefully crafted phishing email. Security analysts reconstructed the sequence of events and determined that once the email attachment was opened, built-in scripting utilities were invoked to inject malicious instructions into an active system process.
No standalone malicious executables were discovered on disk. The injected instructions began running directly inside legitimate processes before any registry modifications or task scheduling changes were observed.
At this point in the attack sequence, which operational phase of the fileless attack lifecycle is being demonstrated?
During a cloud security assessment, you discover a former employee still has access to critical cloud resources months after leaving. Which practice would most effectively prevent this?
An authorized security assessment is performed on a public-sector services portal in Madison, Wisconsin. After authenticating with a controlled test account, the assessor captures the authentication identifier issued by the application.
Under controlled lab conditions, she attempts to reuse the captured identifier from a separate machine connected through a different encrypted channel. Although the identifier remains valid and within its lifetime, the application rejects the request when presented from the alternate environment.
Analysis indicates that the server evaluates characteristics associated with the original secure exchange before allowing continued use of the issued identifier.
Which defensive mechanism most likely explains this behavior?
During a penetration test at Horizon Tech in Austin, ethical hacker Michael sets up a man-in-the-middle attack to intercept traffic between employees and the company ' s internal web applications. He uses a lightweight tool capable of performing ARP spoofing, DNS manipulation, and packet injection while providing an interactive interface for real-time monitoring. This allows him to capture and manipulate session tokens in transit, which he later presents to the security team as proof of risk.
Which tool is Michael most likely using in this exercise?
A financial services firm detects that outbound corporate emails containing sensitive underwriting data were intercepted while transmitted over unsecured channels. To immediately restore confidentiality and ensure authenticity of executive communications, the security operations team deploys a standardized email encryption framework compatible with the organization’s Microsoft Outlook environment.
The selected solution must support digital signatures for sender authentication, rely on a public-key infrastructure for secure key exchange, and enable recipients to validate signed messages using certificates issued by trusted authorities.
Identify the email encryption standard that best fulfills these requirements.
You are an ethical hacker at Nexus Cybersecurity, contracted to perform a penetration test for BlueRidge Retail, a US-based e-commerce company in Atlanta, Georgia. While testing their online store’s product search page, you attempt to inject a malicious query into the URL to extract customer data. The application is protected by a web application firewall WAF that blocks standard SQL injection attempts. To bypass this, you modify your input to split the query into multiple parts, ensuring the malicious instructions are not detected as a single signature. For example, you craft the URL as products.php?id=1+UNION+SE+LECT+1,2, which successfully retrieves unauthorized data. Based on the observed behavior, which SQL injection evasion technique are you employing?
A retail brand based in San Diego, California, authorized a controlled mobile security exercise to evaluate risks associated with third-party application distribution channels.
Testers acquired a version of the company’s customer rewards application from an unofficial marketplace frequently used by overseas customers. The application’s visual layout and functionality were indistinguishable from the officially released version available in mainstream app stores.
Behavioral monitoring conducted in a sandbox environment revealed that, in addition to its normal operations, the application initiated outbound connections unrelated to its documented features. A binary comparison against the vendor-supplied build confirmed structural differences between the two versions.
What mobile-based social engineering technique does this scenario most accurately represent?
When referring to the domain name service, what is a zone?
Clark is a talented coder and as such has found a vulnerability in a well-known application. Unconcerned about the ethics of the situation, he has developed an exploit that can leverage this unknown vulnerability. Based on this information, which of the following is most correct?
A defense contractor in Arlington, Virginia, initiated an internal awareness exercise to test employee susceptibility to human-based manipulation. During the assessment, an individual posing as an external recruitment consultant began casually engaging several engineers at a nearby industry networking event. Over multiple conversations, the individual gradually steered discussions toward current research initiatives, development timelines, and internal project code names. No direct requests for credentials or system access were made. Instead, the information was obtained incrementally through carefully crafted questions embedded within informal dialogue. Which social engineering technique is most accurately demonstrated in this scenario?
A multinational payment processor conducts a long-term risk assessment to evaluate the durability of its encrypted archives against future computational advances. Internal analysts warn that if large-scale quantum computers become operational, currently deployed public-key schemes protecting stored customer data may become vulnerable to rapid key recovery.
To maintain long-term confidentiality of archived financial records, the security architecture team must implement a defensive strategy that directly addresses cryptographic resilience rather than relying solely on network segmentation or development policy controls.
Determine the most appropriate mitigation to protect stored data against quantum-enabled decryption capabilities.
A regional insurance claims platform in Sacramento, California is protected by a web application firewall that evaluates inbound requests for suspicious query structures. During an authorized assessment, a tester observes that conventional injection attempts are consistently rejected.
The tester then adjusts the format and composition of the request while preserving its intended database behavior. After this modification, the request passes through the filtering mechanism and is processed by the backend system without disruption.
Which firewall evasion technique is being demonstrated?
Sarah, an ethical hacker at a San Francisco-based financial firm, is testing the security of their customer database after a recent data exposure incident. Her analysis reveals that the sensitive client information is safeguarded using a symmetric encryption algorithm. She observes that the algorithm processes data in 64-bit blocks and supports a variable key size from 32 to 448 bits. During her penetration test, Sarah intercepts a ciphertext transmission and notes that the encryption was developed as a replacement for DES, an older algorithm. She aims to determine if the algorithm’s flexible key size could be susceptible to brute-force attacks. The algorithm is also noted for its use in secure storage, a critical application for the firm’s data protection.
Which symmetric encryption algorithm should Sarah identify as the one used by the firm?
During LDAP-based enumeration, you observe that some critical information cannot be retrieved. What is the most likely reason?
A penetration tester discovers malware on a system that disguises itself as legitimate software but performs malicious actions in the background. What type of malware is this?
John, a penetration tester at a Los Angeles-based online gaming company, is analyzing the company ' s cloud infrastructure after a recent security breach caused unexpected downtime and delayed alerts. His investigation reveals that the attackers remained undetected, due to the absence of mechanisms that track function-level activity and capture anomalous events. The backend architecture for matchmaking and in-game purchases is serverless, increasing the importance of robust security measures.
So, which cloud computing threat should John prioritize to prevent similar breaches?
At a New York-based e-commerce company preparing for Black Friday sales, analyst Sarah evaluates cloud billing practices. She notices that the provider tracks compute hours, storage usage, and bandwidth consumption in detail, enabling the company to pay only for what is consumed while also supporting audits. Which cloud computing characteristic best explains this feature?
Your company performs PCI-DSS audits and penetration testing for third-party clients. During an approved pen test you have discovered a folder on an employee ' s computer that appears to have hundreds of credit card numbers and other forms of personally identifiable information (PII). Which of the following is the best course of action?
In a security assessment conducted in New York, Sarah, an ethical hacker, is evaluating a corporate network to enhance its protection against potential threats. She aims to gather essential data about available access points to guide her analysis. Which scanning technique should Sarah apply to meet this objective while adhering to the organization ' s ethical guidelines?
Bob is doing a password assessment for one of his clients. Bob suspects that security policies are not in place. He also suspects that weak passwords are probably the norm throughout the company he is evaluating. Bob is familiar with password weaknesses and key loggers. Which of the following options best represents the means that Bob can adopt to retrieve passwords from his clients hosts and servers?
A subscription-based analytics platform in Portland, Oregon provides enterprise clients with API access to project dashboards. Each dashboard is associated with a unique identifier included in client-side API requests when retrieving project data.
While evaluating access controls, a security analyst signs in using a standard user account and captures a legitimate API request used to retrieve a specific project dashboard. By altering only the identifier value within the request and replaying it through the same authenticated session, the analyst receives data belonging to a different client organization.
The session remains valid, and no elevated privileges are granted. The behavior indicates that access validation does not adequately verify whether the requesting user is authorized to access the referenced resource.
Identify the OWASP API security risk illustrated in this scenario.
MidWest BioAnalytics, a pharmaceutical research firm in Columbus, Ohio, authorizes a controlled adversarial simulation to assess the resilience of its internal web-based inventory management platform. During the exercise, administrators observe that several active client connections briefly lose synchronization, and unexpected command patterns appear within system transaction logs.
The irregularities are subtle and become apparent only after reviewing stored network captures. Executive leadership requests a solution that can maintain ongoing visibility into network exchanges and highlight activity that diverges from typical communication behavior across the organization’s infrastructure.
Which approach best satisfies this requirement?
During a security assessment of a metropolitan public transportation terminal, a penetration tester examines a network-connected IoT surveillance camera system used for 24/7 video monitoring. The camera uses outdated SSLv2 encryption to transmit video data. The tester intercepts and decrypts video streams due to the weak encryption and absence of authentication mechanisms. What IoT vulnerability is most likely being exploited in this scenario?
Customer data in a cloud environment was exposed due to an unknown vulnerability. What is the most likely cause?
In Austin, Texas, ethical hacker Michael Reyes is conducting a red team exercise for Horizon Tech, a software development firm. During his assessment, Michael crafts a malicious link that appears to lead to the company ' s internal project management portal. When an unsuspecting employee clicks the link, it redirects them to a login session that Michael has already initialized with the server. After the employee logs in, Michael uses that session to access the portal in a controlled test, demonstrating a vulnerability to the IT team.
Which session hijacking technique is Michael using in this red team exercise?
Following reports of inconsistent IP-to-MAC mappings on an internal access switch at a manufacturing company in Detroit, Michigan, the network security team enabled additional validation controls.
Soon afterward, the switch began automatically discarding certain ARP replies that did not match previously recorded IP address assignments. Log entries indicated that packets were being denied due to validation failures tied to existing address-to-port mappings learned earlier from legitimate host configuration traffic.
Which switch-level security feature is most likely responsible for enforcing this ARP validation behavior?
The establishment of a TCP connection involves a negotiation called three-way handshake. What type of message does the client send to the server in order to begin this negotiation?
Steve, an attacker, created a fake profile on a social media website and sent a request to Stella. Stella was enthralled by Steve ' s profile picture and the description given for his profile, and she initiated a conversation with him soon after accepting the request. After a few days, Steve started asking about her company details and eventually gathered all the essential information regarding her company. What is the social engineering technique Steve employed in the above scenario?
A fintech startup in Austin, Texas authorizes a controlled red team engagement to evaluate the resilience of its web-based loan management platform. At the outset of the engagement, the assessment team concentrates on developing a structural understanding of the application.
They examine publicly exposed endpoints, observe server responses under different navigation paths, identify accessible directories, and document the relationships between client-side scripts, form parameters, and backend behaviors. Error handling patterns and response variations are cataloged to understand how user interactions are processed across various components of the platform.
The collected information is used to guide strategic planning for subsequent phases of the engagement.
Within the web application hacking methodology, which phase is most accurately demonstrated in this scenario?
A penetration tester is attacking a wireless network running WPA3 encryption. Since WPA3 handshake protections prevent offline brute-force cracking, what is the most effective approach?
A penetration tester suspects that a web application ' s login form is vulnerable to SQL injection due to improper sanitization of user input. What is the most appropriate approach to test for SQL injection in the login form?
You are a penetration tester hired to evaluate the security posture of a regional manufacturing company’s network devices. During your assessment, you discover that one of the core routers allows external administrative access without requiring a password. Additionally, the router communicates with other devices using a protocol that does not provide encryption or validation. Based solely on these observations, which of the following network device vulnerabilities is most clearly present?
A healthcare technology company deploys internet-connected cardiac monitoring devices across several hospitals in Minneapolis, Minnesota. During a controlled security review, an analyst discovers that administrative configuration features can be accessed remotely through components that interact with external management platforms.
Further analysis reveals that these externally reachable components process user-supplied data without sufficient validation checks. Additionally, authentication controls protecting remote configuration features rely solely on basic credential verification without additional safeguards against automated misuse.
According to the OWASP Top 10 IoT Vulnerabilities, how should this weakness be classified?
A penetration tester finds that a web application does not properly validate user input and is vulnerable to reflected Cross-Site Scripting (XSS). What is the most appropriate approach to exploit this vulnerability?
A compromised admin account is used to disable logging services. What is the attacker attempting?
A penetration tester discovers that a web application uses unsanitized user input to dynamically generate file paths. The tester identifies that the application is vulnerable to Remote File Inclusion (RFI). Which action should the tester take to exploit this vulnerability?
At HarborGrid Utilities in Oregon, a security assessment team is reviewing how the organization’s network monitoring platform evaluates inbound traffic targeting its SCADA management interface. During testing, the red team introduces carefully crafted packets that adhere to known protocol standards but contain payload sequences previously identified in documented exploit repositories.
The monitoring system immediately flags the activity because it matches patterns stored in its internal threat database. However, when the team slightly modifies the exploit sequence while preserving its overall malicious intent, the alerts are no longer triggered.
Based on this behavior, which intrusion detection method is most likely deployed in this environment?
A Python API allows unlimited file upload size. What attack is possible?
What is GINA?
A Java app uses Random() for session tokens. What is the risk?
An attacker performs DNS cache snooping using dig +norecurse. The DNS server returns NOERROR but no answer. What does this indicate?
At Horizon Legal Services in Boston, Massachusetts, ethical hacker Daniel Price is tasked with assessing the security of the firm ' s mobile case-tracking app. During testing, he finds that confidential case notes and client records are kept locally on the device without encryption. By browsing the file system with a standard explorer tool, he can open sensitive information without any authentication. Which OWASP Top 10 Mobile Risk is most clearly present in the app?
Which of the following addresses the secrecy and privacy of information?
A penetration tester is assessing a web application that uses dynamic SQL queries for searching users in the database. The tester suspects the search input field is vulnerable to SQL injection. What is the best approach to confirm this vulnerability?
During a red team assessment at New England Insurance in Boston, ethical hacker Daniel sends a series of spoofed TCP packets carrying the reset flag to a server hosting client applications. As a result, several active sessions between employees and the server are abruptly terminated, causing temporary disruption of legitimate work. Daniel uses this demonstration to highlight how attackers can forcibly tear down sessions without completing a full hijack.
Which type of network-level session hijacking technique is Daniel simulating?
At Apex Financial Services in Houston, Texas, ethical hacker Javier Ruiz evaluates mobile security practices under the company ' s BYOD policy. He demonstrates that employees often install applications that request access to contact lists, cameras, and messaging services, even though these functions are unrelated to the apps ' intended purpose. This behavior allows a malicious program to harvest sensitive corporate information.
Which security guideline would most directly prevent this issue?
A penetration tester is assessing a mobile application and discovers that the app is vulnerable to improper session management. The session tokens are not invalidated upon logout, allowing the tokens to be reused. What is the most effective way to exploit this vulnerability?
At Redwood Financial Group in Boston, Massachusetts, the security leadership team is formalizing a continual security strategy composed of four coordinated activities. During implementation planning, one team is assigned responsibility for reviewing operational data across the enterprise environment to recognize irregular patterns that may indicate malicious activity.
Within this model, which activity is responsible for this responsibility?
In Dallas, Texas, ethical hacker Ethan Brooks is hired by Lone Star Credit Union to assess the security of their online banking portal, which processes customer transactions. During his penetration test, Ethan probes the web server hosting the portal, experimenting with crafted URL requests. He notices that by altering the URL parameters in a specific way, the server returns data from areas of the system that should be restricted, revealing configuration files not intended for public access. Suspecting this behavior indicates a vulnerability, Ethan documents the issue to help the security team strengthen their defenses against potential unauthorized access.
Which technique is Ethan most likely using to uncover the vulnerability in Lone Star Credit Union’s web server?
What is lateral movement?
An attacker gained escalated privileges on a critical server. What should be done FIRST to contain the threat with minimal disruption?
A penetration tester is running a vulnerability scan on a company’s network. The scan identifies an open port with a high-severity vulnerability linked to outdated software. What is the most appropriate next step for the tester?
A multinational organization is implementing a security upgrade for its corporate wireless infrastructure. The current WPA2-Personal configuration relies on a shared passphrase, which the IT team finds difficult to rotate and manage securely across hundreds of employee devices. To enhance security and scalability, the organization decides to migrate to WPA2-Enterprise. The new setup must allow for centralized control of user authentication, support certificate-based identity verification, and ensure that each authenticated client is assigned a unique session encryption key to prevent key reuse and limit the blast radius of potential breaches.
Which component is essential for enabling this centralized, certificate-based authentication with unique key generation per session in a WPA2-Enterprise environment?
A penetration tester is tasked with scanning a network protected by an IDS and firewall that actively blocks connection attempts on non-standard ports. The tester needs to gather information on the target system without triggering alarms. Which technique should the tester use to evade detection?
During a red team exercise at a financial institution in New York, penetration tester Bob investigates irregularities in time synchronization across critical servers. While probing one server, he decides to use a diagnostic command that allows him to directly interact with the NTP daemon and query its internal state. This command enables him to perform monitoring and retrieve statistics, but it is primarily focused on controlling and checking the operation of the NTP service rather than listing peers with delay, offset, and jitter values.
Which command should Bob use to accomplish this?
Which encryption method supports secure key distribution?
A network administrator reviews logs and observes that an attacker sends packets requesting the target system’s internal clock value. The response includes timing information that can be used to calculate round-trip delay and analyze host characteristics.
What host discovery technique is being used in this scenario?
During a penetration test at a logistics company in Atlanta, Georgia, you examine the configuration of network devices and discover that they rely on legacy communication mechanisms lacking encryption and integrity checks. These mechanisms allow neighboring systems to exchange operational data without verification, exposing the infrastructure to potential manipulation. What type of vulnerability is most clearly present?
During an authorized security assessment for a regional transportation authority in Sacramento, California, an ethical hacker is tasked with evaluating externally exposed web service interfaces used to exchange scheduling data with third-party transit applications.
As part of the engagement, the ethical hacker retrieves publicly accessible service description files and systematically analyzes them to understand the operations supported by the service. By reviewing these definitions, the tester identifies undocumented methods, expected input parameters, and response schemas that were not clearly outlined in the public integration documentation.
The activity provides a detailed understanding of the service’s available capabilities before deeper testing begins.
From the options below, identify the web service attack technique demonstrated in this scenario.
You are a security analyst at Sentinel Cyber Group, monitoring the web portal of Aspen Valley Bank in Salt Lake City, Utah. During log review, you notice repeated attempts by attackers to inject malicious strings into the login fields. However, despite these attempts, the application executes queries safely without altering their logic, since user inputs are kept separate from the SQL statements and bound as fixed values before execution.
Based on the observed defense mechanism, which SQL injection countermeasure is the application employing?
You are part of the red team assigned to evaluate the physical and social vulnerabilities of a government contractor ' s office located in a metropolitan business hub. During your pretexting phase, you decide to simulate the role of a third-party IT technician. Upon arrival, the receptionist allows you entry without verifying credentials, assuming you ' re there for scheduled printer maintenance. While moving through the workspace, you casually observe open terminals, unattended printouts, and discarded sticky notes at workstations. You later report several user credentials and partial access details acquired during this visit.
Which social engineering technique does this scenario best illustrate?
What is CVSS used for?
A corporation uses both hardware-based and cloud-based solutions to distribute incoming traffic and absorb DDoS attacks, ensuring legitimate requests remain unaffected. Which DDoS mitigation strategy is being utilized?
Ethical hacker Ryan Brooks, a skilled penetration tester from Austin, Texas, was hired by Skyline Aeronautics, a leading aerospace firm in Denver, to conduct a security assessment. One stormy morning, Ryan noticed an unexpected lag in the routine system update process while running his tests, sparking his curiosity. During a late-night session, he observed a junior analyst, Chris Miller, cautiously modifying a legacy server’s configuration, including a scheduled task set to a specific date. The lead developer, Jessica Hayes, casually mentioned receiving an odd email from an unfamiliar source, which she ignored as clutter. As Ryan probed deeper, he detected a faint increase in network activity only after the scheduled date passed, and a systems admin, Mark Thompson, quickly pointed out some unusual code traces on a dormant workstation.
Which type of threat best characterizes this attack?
A financial institution in San Francisco suffers a breach where attackers install malware that captures customer account credentials. The stolen data is then sold on underground forums for profit. No political or social statements are made, and the attackers remain anonymous while continuing to target similar organizations for financial gain. Based on this activity, what category of hacker is most likely responsible?
During a physical penetration test simulating a social engineering attack, a threat actor walks into the lobby of a target organization dressed as a field technician from a known external vendor. Carrying a fake ID badge and referencing a known company name, the attacker confidently claims they’ve been dispatched to perform a routine server room upgrade. Using internal-sounding terminology and referencing real employee names gathered via OSINT, the individual conveys urgency. The receptionist, recognizing the vendor name and the convincing language, allows access without verifying the credentials.
In Portland, Oregon, ethical hacker Olivia Harper is hired by Cascade Biotech to test the security of their research network. During her penetration test, she simulates an attack by sending malicious packets to a server hosting sensitive genetic data. To evade detection, she needs to understand the monitoring system deployed near the network’s perimeter firewall, which analyzes incoming and outgoing traffic for suspicious patterns across the entire subnet. Olivia’s goal is to bypass this system to highlight vulnerabilities for the security team.
Which security system is Olivia attempting to bypass during her penetration test of Cascade Biotech’s network?
At a financial headquarters in Denver, Colorado, ethical hacker Jordan Lee moves beyond cataloging IoT devices and begins testing them for weaknesses. He runs specialized tools against smart lighting and HVAC systems to check for outdated firmware, default passwords, and open service ports. Which step of the IoT hacking methodology is Jordan carrying out?
As a cybersecurity professional at XYZ Corporation, you are tasked with investigating anomalies in system logs that suggest potential unauthorized activity. System administrators have detected repeated failed login attempts on a critical server, followed by a sudden surge in outbound data traffic. These indicators suggest a possible compromise. Given the sensitive nature of the system and the sophistication of the threat, what should be your initial course of action?
During a black-box internal penetration test, a security analyst identifies an SNMPv2-enabled Linux server using the default community string “public.” The analyst wants to enumerate running processes. Which Nmap command retrieves this information?
During an authorized penetration test of an organization ' s Operational Technology (OT) environment, the tester has already identified exposed industrial assets and now begins actively probing controllers, services, and interfaces to identify exploitable weaknesses. No exploitation attempts or persistence mechanisms have been performed yet.
According to the OT hacking methodology, which phase is currently being carried out?
A penetration tester submits altered ciphertexts to a web server and pays close attention to how the server responds. When the server produces different error messages for certain inputs, the tester starts to infer which inputs result in valid internal processing. Which cryptanalytic method is being used in this scenario?
Suppose your company has just passed a security risk assessment exercise. The results display that the risk of the breach in the main company application is 50%. Security staff has taken some measures and implemented the necessary controls. After that, another security risk assessment was performed showing that risk has decreased to 10%. The risk threshold for the application is 20%. Which of the following risk decisions will be the best for the project in terms of its successful continuation with the most business profit?
An attacker exploits medical imaging protocols to intercept patient data. Which sniffing technique is most challenging?
A penetration tester is tasked with assessing the security of a smart home IoT device that communicates with a mobile app over an unencrypted connection. The tester wants to intercept the communication and extract sensitive information. What is the most effective approach to exploit this vulnerability?
Which WPA vulnerability allowed packet injection and decryption attacks?
A mid-sized insurance provider in Hartford, Connecticut authorizes a controlled red team engagement to evaluate its public-facing customer portal. Before progressing to active exploitation, the assessment team concentrates on understanding how the site is organized and how its content is interconnected.
Using automated tooling, they systematically retrieve publicly accessible pages along with associated resources such as scripts, media files, and referenced directories. The collected material allows the team to analyze navigation paths, hidden references, and structural relationships without repeatedly interacting with the live production system.
This preparatory effort is intended to build a detailed structural understanding of the application before later testing phases begin.
Within the web server attack methodology, which stage is most accurately demonstrated in this scenario?
Malware remains dormant until triggered and changes its code with each infection. What malware type is responsible, and how should it be mitigated?
A BLE attack captured LL_ENC_REQ and LL_ENC_RSP packets but not the LTK. What is the next step?
A Linux server has world-writable cron directories. What can attackers achieve?
During a red team engagement at a healthcare provider in Miami, ethical hacker Rachel suspects that a compromised workstation is running a sniffer in promiscuous mode. To confirm her suspicion, she sends specially crafted ICMP packets with a mismatched MAC address but a correct IP destination. Minutes later, the suspected machine responds to the probe even though ordinary systems would ignore it.
Which detection technique is Rachel most likely using to validate the presence of a sniffer?
A penetration tester gains access to a target system through a vulnerability in a third-party software application. What is the most effective next step to take to gain full control over the system?
During an internal investigation at a healthcare billing firm in Denver, Colorado, the security team analyzes suspicious activity involving a senior accountant’s corporate smartphone. The user reports that the device behaved normally and that no links were clicked or applications installed during the timeframe in question.
Telecom monitoring reveals that the device received several binary-formatted SMS messages shortly before the incident. These messages were not visible in the messaging application. Within minutes of receiving them, the phone began transmitting cellular location identifiers and device-related data to an unfamiliar external system. The transmissions occurred automatically and did not require any user interaction.
Which mobile attack technique most accurately explains this behavior?
During a routine software update at Horizon Solutions, a mid-sized IT firm in Raleigh, North Carolina, an employee downloads a file utility from a popular third-party site to streamline document processing. During the installation, the user is prompted to install an optional “productivity toolbar” and a “system optimization tool,” which are bundled with vague descriptions. Shortly after, the employee notices intermittent pop-up ads, an altered browser homepage, and sluggish PC performance, though network logs also show occasional unexplained data transfers during off-hours. A security scan flags the additional programs as potentially harmful, but a deeper analysis reveals no immediate file encryption or self-replicating code.
What type of threat are these unwanted programs most likely classified as?
You are an ethical hacker at HorizonSec Consulting, hired by Liberty Insurance in Philadelphia, Pennsylvania, to test the resilience of their online claim submission portal. During testing, you modify the claim ID parameter in the URL with conditions such as AND and AND 1=2. When the first condition is used, the portal displays claim details as normal; when the second condition is used, the page displays no results. You repeat this process to determine how the application responds to true and false conditions without error messages or delays.
Based on the observed behavior, which SQL injection technique are you employing?
Which attack targets WPA WPS PIN?
A penetration tester must enumerate user accounts and network resources in a highly secured Windows environment where SMB null sessions are blocked. Which technique should be used to gather this information discreetly?
During a red team assessment, an ethical hacker must map a large multinational enterprise’s external attack surface. Due to strict rules of engagement, no active scans may be used. The goal is to identify publicly visible subdomains to uncover forgotten or misconfigured services. Which method should the ethical hacker use to passively enumerate the organization’s subdomains?
A government agency trains a group of cybersecurity experts to carry out covert cyber missions against foreign threats and gather intelligence without being detected. These experts work exclusively for national interests. What classification best describes them?
A security consultant is conducting an authorized assessment for a healthcare billing provider in Phoenix, Arizona. While monitoring internal traffic, he observes an authenticated employee interacting with a sensitive web-based management portal over TCP.
During the session, the consultant carefully crafts and injects packets into the ongoing communication stream. Shortly afterward, the legitimate user experiences irregular responses from the application, and the server begins processing commands originating from the consultant’s injected traffic as though they were part of the established session.
The technique does not involve credential guessing or forcing the user to reauthenticate. Instead, it targets the communication channel already in progress.
From a network-level perspective, what type of session hijacking technique is being demonstrated?
Which of the following hacking frameworks describes adversary tactics, techniques, and procedures (TTPs) used in cyberattacks?
In the crisp mountain air of Denver, Colorado, ethical hacker Lila Chen investigates the security framework of MedVault, a US-based healthcare platform used by regional clinics to manage patient data. During her assessment, Lila manipulates session parameters while navigating the patient portal’s dashboard. Her tests reveal a critical flaw: the system allows users to access sensitive medical records not associated with their own account, enabling unauthorized changes to private health data. Upon deeper inspection, Lila determines that the issue stems from the application allowing users to perform actions beyond their assigned roles rather than failures in encryption, unsafe object handling, or server configuration.
Which OWASP Top 10 2021 vulnerability is Lila most likely exploiting in MedVault’s web application?
A digital forensics consultant in Portland, Oregon examines an iPhone seized as part of a corporate data leakage investigation. The device contains third-party extensions and system modifications not typically permitted by the operating system vendor.
The owner explains that whenever the device is powered off and restarted, it boots normally and remains fully functional for everyday tasks such as calls and messaging. However, the custom extensions and system-level tweaks do not function until a specific jailbreak application installed on the device is manually executed. No external computer is required during this reactivation process.
Determine the type of jailbreaking technique implemented on this device.
A web server experienced a DDoS attack that specifically targeted the application layer. Which type of DDoS attack was most likely used?
A financial services firm is experiencing a sophisticated DoS attack on their DNS servers using DNS amplification and on their web servers using HTTP floods. Traditional firewall rules and IDS are failing to mitigate the attack effectively. To protect their infrastructure without impacting legitimate users, which advanced mitigation strategy should the firm implement?
As a Certified Ethical Hacker, you are assessing a corporation’s serverless cloud architecture. The organization experienced an attack where a user manipulated a function-as-a-service (FaaS) component to execute malicious commands. The root cause was traced to an insecure third-party API used within a serverless function. What is the most effective countermeasure to strengthen the security posture?
A corporation migrates to a public cloud service, and the security team identifies a critical vulnerability in the cloud provider’s API. What is the most likely threat arising from this flaw?
At Liberty Mutual ' s cybersecurity operations center in Boston, network engineer Marcus is troubleshooting a critical issue during peak transaction hours. Multiple VLANs are experiencing intermittent access delays, and several endpoints including those on isolated VLANs are receiving network traffic not intended for them, raising concerns about data exposure. Marcus notices that the issue began after a newly imaged workstation used by an intern named Lisa was connected to a trunk port in the server room. Switch logs indicate abnormal traffic patterns overwhelming the network.
Which sniffing technique is Lisa ' s workstation most likely using to cause this behavior?
In a tense red team exercise at a mid-sized university in Austin, Texas, an ethical hacker named Jake targeted a legacy Linux server in the engineering department. Late one afternoon, he discovered TCP port 2049 was open during his first sweep, suggesting hidden file-sharing capabilities. Intrigued, Jake used a standard utility to request a list of remote file systems shared across the network, aiming to map accessible resources. Meanwhile, he idly checked for Telnet access and probed a time-sync service out of routine, but both proved fruitless on this host.
Which enumeration method is actively demonstrated in this scenario?
At a fast-growing startup in Austin, Texas, an ethical hacker is asked to simulate how attackers might gather information to gain initial access. During the assessment, she poses as a recruiter on a professional networking site and convinces several employees to share details about the company’s internal software and VPN setup. Which type of threat best represents this adversary’s method of information gathering?
In the bustling tech hub of Silicon Valley, cybersecurity investigator Elena Martinez found herself deep into a late-night investigation at Horizon Tech Solutions on July 7, 2025. The company had reported sporadic network disruptions affecting their research team ' s access to critical project files. Elena, working under the cover of a maintenance window from midnight to 3 AM PDT, began monitoring the internal network, focusing on a subnet reserved for the R & D department. She noticed a pattern of failed connection attempts logged just before each disruption, with multiple hosts reporting temporary IP address conflicts. Suspecting foul play, Elena deployed a discreet test to simulate an internal threat scenario. Shortly afterward, several workstations began showing unfamiliar gateway settings and redirected users to misleading login portals during routine access attempts. Despite these anomalies, no security alerts were triggered.
What type of attack technique did Elena most likely simulate?
A university ' s online registration system is disrupted by a combined DNS reflection and HTTP Slowloris DDoS attack. Standard firewalls cannot mitigate the attack without blocking legitimate users. What is the best mitigation strategy?
An energy infrastructure company in Tulsa, Oklahoma initiated a controlled phishing simulation targeting multiple operational departments. The test email claimed to originate from the corporate compliance office and instructed employees to “complete a mandatory regulatory update within the next 30 minutes to avoid account suspension.” The message used a broad salutation instead of employee names and lacked the standard corporate signature footer normally appended to official communications. Additionally, security analysts observed that the embedded hyperlink displayed the organization ' s domain in the message body; however, when examined more closely, the actual destination resolved to a shortened external URL redirecting to an unrelated host. From a defensive analysis standpoint, which indicator provides the strongest technical validation that the message is malicious?
On July 25, 2025, during a security assessment at Apex Technologies in Boston, Massachusetts, ethical hacker Sophia Patel conducts a penetration test to evaluate the company’s defenses against a simulated DDoS attack targeting their e-commerce platform. The simulated attack floods the platform with traffic from multiple sources, attempting to overwhelm server resources. The IT team activates a specific tool that successfully mitigates this attack by distributing traffic across multiple servers and filtering malicious requests. Sophia’s test aims to verify the effectiveness of this tool in maintaining service availability.
Which DoS DDoS protection tool is most likely being utilized by the IT team in this scenario?
A future-focused security audit discusses risks where attackers collect encrypted data now, anticipating that they can decrypt it later with quantum computers. What is this threat known as?
Which of the following is the most important step for the ethical hacker to perform during the pre-assessment?
In ethical hacking, what is black box testing?
During a red team engagement at a retail company in Atlanta, ethical hacker James crafts a session with the company ' s shopping portal and deliberately shares that session ID with an unsuspecting employee by embedding it in a link. When the employee clicks and logs in, their activity is bound to the attacker ' s pre-assigned session. Later, James retrieves the employee ' s input from that same session to demonstrate the flaw to management.
Which session hijacking technique is James most likely using?
A vulnerability has a score of 9.8. What does this rating help explain?
An attacker places a malicious VM on the same physical server as a target VM in a multi-tenant cloud environment. The attacker then extracts cryptographic keys using CPU timing analysis. What type of attack was conducted?
In Seattle, Washington, ethical hacker Mia Chen is tasked with testing the network defenses of Pacific Shipping Co., a major logistics firm. During her penetration test, Mia targets the company ' s external-facing web server, which handles customer tracking requests. She observes that the security system filtering traffic to this server analyzes incoming SSH and DNS requests to block unauthorized access attempts. Mia plans to craft specific payloads to bypass this system to expose vulnerabilities to the IT department.
Which security system is Mia attempting to bypass during her penetration test of Pacific Shipping Co. ' s web server?
A large chemical plant uses operational technology (OT) networks to control its industrial processes. Recently, abnormal behavior is observed from PLCs, suggesting a stealthy compromise via malicious firmware. Which action should the team take FIRST to verify and neutralize the issue?
You are Riley, an incident responder at NovaEx Crypto in San Antonio, Texas, tasked with investigating a recent double-spend reported by a retail merchant that accepts the exchange ' s token. Your telemetry shows that a reseller node used by the merchant received blocks only from a small, fixed set of peers for several hours and accepted a conflicting history that later allowed the attacker to reverse a confirmed payment. The attacker appears to have controlled which peers that node communicated with and supplied it a private chain until they were ready to reveal it. Which blockchain attack does this behavior most closely describe?
During a penetration test at Lone Star Healthcare in Austin, ethical hacker Liam evaluates the hospital ' s perimeter defenses by generating controlled traffic flows through the firewall. He uses a tool that can create and replay diverse traffic patterns to test how well the firewall enforces its rules against both legitimate and malicious traffic types. This allows him to demonstrate whether the device properly identifies evasion attempts under simulated attack conditions.
Which tool is Liam most likely using in this test?
A penetration tester observes that traceroutes to various internal devices always show 10.10.10.1 as the second-to-last hop, regardless of the destination subnet. What does this pattern most likely indicate?
While simulating a reconnaissance phase against a cloud-hosted retail application, your team attempts to gather DNS records to map the infrastructure. You avoid brute-forcing subdomains and instead aim to collect specific details such as the domain’s mail server, authoritative name servers, and potential administrative information like serial number and refresh interval.
Given these goals, which DNS record type should you query to extract both administrative and technical metadata about the target zone?
A cybersecurity company wants to prevent attackers from gaining information about its encrypted traffic patterns. Which of the following cryptographic algorithms should they utilize?
At a Chicago-based healthcare provider, security engineer Emily reviews the migration of critical applications to a cloud service. During her evaluation, she notes that administrators can provision new servers, increase storage, and expand compute power instantly through a web dashboard without any manual involvement from the cloud provider. Which NIST-defined characteristic of cloud computing best explains this capability?
A cybersecurity team identifies suspicious outbound network traffic. Investigation reveals malware utilizing the Background Intelligent Transfer Service (BITS) to evade firewall detection. Why would attackers use this service to conceal malicious activities?
Copyright © 2021-2026 CertsTopics. All Rights Reserved
