clapgeek logo
In Denver, Colorado, ethical hacker Sophia Nguyen is hired by Rocky Mountain Insurance to assess the effectiveness of their network security controls. During her penetration test, she attempts to evade the company ' s firewall by fragmenting malicious packets to avoid detection. The IT team, aware of such techniques, has implemented a security measure to analyze packet contents beyond standard headers. Sophia ' s efforts are thwarted as the system identifies and blocks her fragmented packets.
Which security measure is the IT team most likely using to counter Sophia ' s firewall evasion attempt?
During a red team assessment at Alpine Manufacturing Corp., network security consultant Marcus Lee is instructed to evaluate the security of internal communications within their switched LAN environment. Without altering any switch configurations, Marcus manages to intercept credentials being transmitted between a payroll administrator’s workstation and the backend authentication server. He subtly reroutes the communication path through his testing machine, though no proxy or VPN was involved. Analysis shows the redirection was achieved by injecting crafted messages that silently altered how the two hosts identified each other on the local network.
Which sniffing technique did Marcus most likely use?
During a controlled red team engagement at a financial institution in New Jersey, ethical hacker Ryan tests the bank ' s resilience against stealth-based malware. He plants a custom malicious program on an employee workstation. After execution, he observes that the infected files continue to function normally, but his malware conceals its modifications by intercepting operating system calls. Antivirus scans repeatedly return “no threats detected,” even though the malicious code remains active and hidden on the system.
Which type of virus did Ryan most likely deploy in this assessment?
A corporation uses both hardware-based and cloud-based solutions to distribute incoming traffic and absorb DDoS attacks, ensuring legitimate requests remain unaffected. Which DDoS mitigation strategy is being utilized?
You are conducting a security audit at a government agency. During your walkthrough, you observe a temporary contractor sitting in the staff lounge using their smartphone to discretely record employees as they enter passwords into their systems. Upon further investigation, you find discarded documents in a nearby trash bin containing sensitive project information. What type of attack is most likely being performed?
During a covert red team engagement, a penetration tester is tasked with identifying live hosts in a target organization’s internal subnet (10.0.0.0/24) without triggering intrusion detection systems (IDS). To remain undetected, the tester opts to use the command nmap -sn -PE 10.0.0.0/24, which results in several " Host is up " responses, even though the organization’s IDS is tuned to detect high-volume scans. After the engagement, the client reviews the logs and is surprised that the scan was not flagged. What allowed the scan to complete without triggering alerts?
A security analyst investigates unusual east-west traffic on a corporate network. A rogue device has been physically inserted between a workstation and the switch, enabling unauthorized access while inheriting the workstation’s authenticated network state. Which evasion technique is being used?
After a breach, investigators discover attackers used modified legitimate system utilities and a Windows service to persist undetected and harvest credentials. What key step would best protect against similar future attacks?
As a network administrator, you explain to your team that a recent DDoS attack targeted the application layer of your company’s web server. Which type of DDoS attack was most likely used?
A future-focused security audit discusses risks where attackers collect encrypted data today, anticipating they will be able to decrypt it later using quantum computers. What is this threat commonly known as?
A regional healthcare provider in Minneapolis, Minnesota began experiencing intermittent connectivity issues across a newly activated access-layer network segment. Shortly after a contractor connected a diagnostic device to an unused switch port, multiple employee workstations failed to receive valid network configurations. System logs showed repeated address negotiation attempts from affected hosts, while monitoring tools recorded a rapid sequence of configuration requests originating from a single switch interface. Within minutes, additional clients on the segment encountered similar assignment failures. From a sniffing standpoint, which technique most accurately explains this behavior?
At TechTrend Innovations in Silicon Valley, network administrator Jake Henderson reviews the configuration of their web infrastructure. While inspecting the web server setup, he identifies the directory that stores the publicly accessible website content such as HTML files, images, and client-side scripts. Jake highlights this area as a frequent target for attackers, since improper permissions could expose sensitive files to unauthorized users.
Which web server component is Jake analyzing in this scenario?
At RedCore Motors, the IT security lead, Priya, is tasked with selecting a vulnerability management solution for their expanding hybrid infrastructure. During the evaluation, she prioritizes tools that support agent-based detection across endpoints, offer constant monitoring and alerting capabilities, and provide comprehensive visibility into both on-premises and cloud-based systems. After thorough testing, she selects a platform that promises to scan for vulnerabilities everywhere accurately and efficiently, aligning with her organization’s need for centralized visibility and real-time risk assessment.
Which vulnerability assessment tool did Priya MOST LIKELY select?
Maria is conducting passive reconnaissance on a competitor without interacting with their systems. Which method would be least appropriate and potentially risky?
A web server was compromised through DNS hijacking. What would most effectively prevent this in the future?
Which advanced session hijacking technique is the most difficult to detect and mitigate?
An IDS generates alerts during normal user activity. What is the most likely cause?
You are Maya, a security engineer at HarborPoint Cloud Services in Chicago, Illinois, performing a post-incident hardening review after an internal audit flagged multiple services that rely on legacy public-key algorithms. The engineering team must prioritize actions company-wide to reduce long-term risk from future quantum-capable adversaries while development continues on a large refactor of several services. Which proactive control should Maya recommend as the highest-priority change to embed into the organization ' s development lifecycle to improve future resistance to quantum-based attacks?
A penetration tester is evaluating the security of a mobile application and discovers that it lacks proper input validation. The tester suspects that the application is vulnerable to a malicious code injection attack. What is the most effective way to confirm and exploit this vulnerability?
You are performing a security audit for a regional hospital in Dallas, Texas. While monitoring the network, you discover that an unknown actor has been silently capturing clear-text credentials and analyzing unencrypted traffic flowing across the internal Wi-Fi network. No modifications have been made to the data, and the attack remained undetected until your assessment. Based on this activity, what type of attack is most likely being conducted?
In the crisp mountain air of Denver, Colorado, ethical hacker Lila Chen investigates the security framework of MedVault, a US-based healthcare platform used by regional clinics to manage patient data. During her assessment, Lila manipulates session parameters while navigating the patient portal’s dashboard. Her tests reveal a critical flaw: the system allows users to access sensitive medical records not associated with their own account, enabling unauthorized changes to private health data. Upon deeper inspection, Lila determines that the issue stems from the application allowing users to perform actions beyond their assigned roles rather than failures in encryption, unsafe object handling, or server configuration.
Which OWASP Top 10 2021 vulnerability is Lila most likely exploiting in MedVault’s web application?
Using nbtstat -A < IP > , NetBIOS names including < 20 > and < 03 > are retrieved, but shared folders cannot be listed. Why?
An Android device has an unpatched permission-handling flaw and updated antivirus. What is the most effective undetected exploitation approach?
In the bustling financial hub of Charlotte, North Carolina, ethical hacker Raj Patel is contracted by TrustBank, a regional US bank, to evaluate their online loan application portal. On April 22, 2025, Raj tests a feature allowing customers to upload structured financial documents for loan processing. By submitting a specially crafted document, he triggers a response that exposes internal server file paths and sensitive configuration data, including database connection strings. The issue arises from the portal ' s handling of external references in document parsing, not from response manipulation, authentication weaknesses, or undetected attack attempts. Raj compiles a detailed report to assist TrustBank ' s security team in mitigating the vulnerability.
Which type of vulnerability is Raj most likely exploiting in TrustBank ' s online loan application portal?
An organization uses SHA-256 for data integrity checks but still experiences unauthorized data modification. Which cryptographic tool can help resolve this issue?
During a penetration test at a retail company in Seattle, Washington, an ethical hacker needs to disguise her scans so they appear to originate from a specific hardware vendor. The organization uses MAC-based logging, and by assigning a vendor-associated identifier, she can make her traffic blend in with legitimate devices on the network. Which Nmap command should she use to achieve this?
A financial institution ' s online banking platform is experiencing intermittent downtime caused by a sophisticated DDoS attack that combines SYN floods and HTTP GET floods from a distributed botnet. Standard firewalls and load balancers cannot mitigate the attack without affecting legitimate users. To protect their infrastructure and maintain service availability, which advanced mitigation strategy should the institution implement?
A cybersecurity research team identifies suspicious behavior on a user’s Android device. Upon investigation, they discover that a seemingly harmless app, downloaded from a third-party app store, has silently overwritten several legitimate applications such as WhatsApp and SHAREit. These fake replicas maintain the original icon and user interface but serve intrusive advertisements and covertly harvest credentials and personal data in the background. The attackers achieved this by embedding malicious code in utility apps like video editors and photo filters, which users were tricked into installing. The replacement occurred without user consent, and the malicious code communicates with a command-and-control (C & C) server to execute further instructions. What type of attack is being carried out in this scenario?
In a high-stakes cybersecurity exercise in Boston, Emily, an ethical hacker, is tasked with tracing a mock phishing email sent to a healthcare provider’s staff. Using the email header, she identifies a series of IP addresses and server details, including multiple timestamps and server names. Her objective is to pinpoint the exact moment the email was processed by the sender’s system. As part of her reconnaissance, what specific detail from the email header should Emily examine to determine this information?
During a red team exercise at a financial institution in New York, penetration tester Bob investigates irregularities in time synchronization across critical servers. While probing one server, he decides to use a diagnostic command that allows him to directly interact with the NTP daemon and query its internal state. This command enables him to perform monitoring and retrieve statistics, but it is primarily focused on controlling and checking the operation of the NTP service rather than listing peers with delay, offset, and jitter values.
Which command should Bob use to accomplish this?
An attacker places a malicious VM on the same physical server as a target VM in a multi-tenant cloud environment. The attacker then extracts cryptographic keys using CPU timing analysis. What type of attack was conducted?
A penetration tester identifies malware on a system that hides its presence and gives an attacker access to administrative functions without being detected. What type of malware is this?
During a social engineering simulation at BrightPath Consulting in Denver, ethical hacker Liam emails employees a message that appears to come from the company’s security team. The email urgently warns that “all systems will shut down within 24 hours” unless staff download a patch from a provided link. The message is deliberately false and contains no actual malware, but it causes confusion and prompts several employees to call IT for clarification. Which social engineering technique is Liam demonstrating?
A penetration tester is testing a web application ' s product search feature, which takes user input and queries the database. The tester suspects inadequate input sanitization. What is the best approach to confirm the presence of SQL injection?
You are an ethical hacker at Titan Cyber Defense, hired by BrightWave Publishing in New York City to assess the security of their content management system (CMS). While testing the article search function, you input malformed strings such as multiple single quotes. The application responds with system feedback that unexpectedly reveals the database type and internal query structure, including table and column information. You use these disclosures to better understand how the backend query is built.
Which of the following methods to detect SQL injection are you employing?
You are investigating unauthorized access to a web application using token-based authentication. Tokens expire after 30 minutes. Server logs show multiple failed login attempts using expired tokens within a short window, followed by successful access with a valid token. What is the most likely attack scenario?
As an IT technician in a small software development company, you are responsible for protecting the network against various cyber threats. You learn that attackers often try to bypass firewalls. Which of the following is a common technique used by attackers to evade firewall detection?
You discover a Web API integrated with webhooks and an existing administrative web shell. Your objective is to compromise the system while leaving minimal traces. Which technique is most effective?
During a red team assessment of a multinational financial firm, you ' re tasked with identifying key personnel across various departments and correlating their digital footprints to evaluate exposure risk. Your objective includes mapping user aliases across platforms, identifying geotagged media, and pinpointing potential insider threats based on social posting behavior. The team has shortlisted multiple tools for the task.
Considering the technical capabilities and limitations described in the approved reconnaissance toolkit, which tool provides cross-platform username correlation by scanning hundreds of social networking sites, but does not natively support geolocation tracking or visualizing identity relationships?
A tester evaluates a login form that constructs SQL queries using unsanitized user input. By submitting 1 OR ' T ' = ' T ' ; --, the tester gains unauthorized access to the application. What type of SQL injection has occurred?
A penetration tester identifies malware on a system that hides its presence and gives an attacker access to administrative functions without being detected. What type of malware is this?
A penetration tester targets a company ' s executive assistants by referencing upcoming board meetings in an email requesting access to confidential agendas. What is the most effective social engineering technique to obtain the necessary credentials without raising suspicion?
An attacker extracts the initial bytes from an encrypted file container and uses a tool to iterate through numeric combinations. What type of cryptanalytic technique is being utilized?
A penetration tester is tasked with scanning a network protected by an IDS and firewall that actively blocks connection attempts on non-standard ports. The tester needs to gather information on the target system without triggering alarms. Which technique should the tester use to evade detection?
Sarah, a cybersecurity analyst at a US-based e-commerce company in New York, is tasked with evaluating the company ' s transition to a cloud-based infrastructure to support its growing online platform. The company aims to optimize resource allocation to handle fluctuating customer demand during peak shopping seasons, such as Black Friday. Sarah must recommend a key characteristic of cloud computing that ensures resources are efficiently shared across multiple users while maintaining scalability.
Which cloud computing characteristic should Sarah recommend ensuring efficient resource sharing and scalability for the e-commerce platform?
A penetration tester identifies that a web application ' s login form is not using secure password hashing mechanisms, allowing attackers to steal passwords if the database is compromised. What is the best approach to exploit this vulnerability?
A malware analyst finds JavaScript and /OpenAction keywords in a suspicious PDF using pdfid. What should be the next step to assess the potential impact?
During a red team exercise, a Certified Ethical Hacker (CEH) is attempting to exploit a potential vulnerability in a target organization’s web server. The CEH has completed the information gathering and footprinting phases and has mirrored the website for offline analysis. It has also been discovered that the server is vulnerable to session hijacking. Which of the following steps is most likely to be part of a successful attack methodology while minimizing the possibility of detection?
An ethical hacker is conducting a penetration test on a company’s network with full knowledge and permission from the organization. What is this type of hacking called?
During a red team engagement at a manufacturing company in Dallas, penetration tester Tyler gains access to a Windows workstation. Later in the exercise, he reviews his exfiltrated logs and finds detailed records of employee logins, email drafts, and sensitive data entered into desktop applications. The collection occurred without requiring browser injection or physical device access, and no kernel drivers were installed.
Which type of keylogger did Tyler most likely deploy?
A cybersecurity consultant suspects attackers are attempting to evade an Intrusion Detection System (IDS). Which technique is most likely being used?
In a recent cybersecurity incident, Google’s response team in the United States investigated a severe attack that briefly disrupted services and customer-facing platforms for approximately 2–3 minutes. Server logs recorded a sudden surge in traffic, peaking at 398 million requests per second, which caused active connections to drop unexpectedly. The attack was traced to numerous compromised devices, likely orchestrated through malicious tools promoted on social media. Based on this information, what type of attack was most likely executed against Google’s infrastructure?
On a busy Monday morning at Horizon Financial Services in Chicago, accounts assistant Clara Nguyen receives an email that appears to come from the company ' s IT department. The email, addressed specifically to Clara and mentioning her role in the accounts team, warns of a critical system vulnerability requiring immediate action. It includes a link to a login page resembling the company ' s internal portal, urging her to update her credentials to prevent account suspension. The email ' s sender address looks legitimate, but Clara notices a slight misspelling in the domain name.
What social engineering technique is being attempted against Clara?
A penetration tester suspects that a web application ' s login form is vulnerable to SQL injection due to improper sanitization of user input. What is the most appropriate approach to test for SQL injection in the login form?
In the financial hub of Charlotte, North Carolina, ethical hacker Raj Patel is contracted by TrustBank, a regional U.S. bank, to evaluate their online loan application portal. During testing, Raj submits crafted input into the portal ' s form fields and notices that the server ' s HTTP responses are unexpectedly altered. His payloads cause additional headers to appear and even inject unintended content into the output, creating opportunities for attackers to manipulate web page behavior and deliver malicious data to users.
Which type of vulnerability is Raj most likely exploiting in TrustBank ' s online loan application portal?
A penetration tester is assessing a company’s vulnerability to advanced social engineering attacks targeting its legal department. Using detailed knowledge of mergers and legal proceedings, the tester crafts a highly credible pretext to deceive legal employees into sharing confidential case documents. What is the most effective technique?
During an internal security assessment of a medium-sized enterprise network, a security analyst notices an unusual spike in ARP traffic. Closer inspection reveals that one particular MAC address is associated with multiple IP addresses across different subnets. The ARP packets were unsolicited replies rather than requests, and several employees from different departments have reported intermittent connection drops, failed logins, and broken intranet sessions. The analyst suspects an intentional interference on the local network segment. What is the most likely cause of this abnormal behavior?
A penetration tester is tasked with assessing the security of an Android mobile application that stores sensitive user data. The tester finds that the application does not use proper encryption to secure data at rest. What is the most effective way to exploit this vulnerability?
A company’s customer data in a cloud environment has been exposed due to an unknown vulnerability. Which type of issue most likely led to the incident?
A web application returns generic error messages. The analyst submits AND 1=1 and AND 1=2 and observes different responses. What type of injection is being tested?
During LDAP-based enumeration, you observe that some critical information cannot be retrieved. What is the most likely reason?
A penetration tester discovers that a web application is vulnerable to Local File Inclusion (LFI) due to improper input validation in a URL parameter. Which approach should the tester take to exploit this vulnerability?
During a security assessment for an e-commerce company in Boston, Massachusetts, your team conducts a reconnaissance phase to identify potential entry points into the organization ' s communication infrastructure. You focus on gathering details about the systems responsible for handling incoming email traffic, avoiding active network probing, and relying on passive DNS data collection. Given this objective, which DNS record type should you query to extract information about the target’s mail server configuration?
You are a security analyst conducting a footprinting exercise for a new client to gather information without direct interaction. After using search engines and public databases, you consider using Google Hacking (Google Dorking) techniques to uncover further vulnerabilities. Which option best justifies this decision?
A penetration tester is investigating a web server that allows unrestricted file uploads without validating file types. Which technique should be used to exploit this vulnerability and potentially gain control of the server?
An ethical hacker needs to gather detailed information about a company ' s internal network without initiating any direct interaction that could be logged or raise suspicion. Which approach should be used to obtain this information covertly?
Which advanced session hijacking technique is hardest to detect and mitigate in a remote-access environment?
A red team operator wants to obtain credentials from a Windows machine without touching LSASS memory due to security controls and Credential Guard. They use SSPI to generate NetNTLM responses in the logged-in user context and collect those responses for offline cracking. Which attack technique is being used?
During a red team assessment of an enterprise LAN environment, the tester discovers an access switch that connects multiple internal workstations. The switch has no port security measures in place. To silently intercept communication between different hosts without deploying ARP poisoning or modifying the routing table, the tester launches a MAC flooding attack using the macof utility from the dsniff suite. This command sends thousands of Ethernet frames per minute, each with random, spoofed source MAC addresses. Soon after the flooding begins, the tester puts their network interface into promiscuous mode and starts capturing packets. They observe unicast traffic between internal machines appearing in their packet sniffer—traffic that should have been isolated. What internal switch behavior is responsible for this sudden exposure of isolated traffic?
A cybersecurity team identifies suspicious outbound network traffic. Investigation reveals malware utilizing the Background Intelligent Transfer Service (BITS) to evade firewall detection. Why would attackers use this service to conceal malicious activities?
During a penetration test at Sunshine Media ' s streaming platform in Miami, ethical hacker Sofia Alvarez examines whether the company ' s web server exposes sensitive resources through poor configuration. She finds that a crawler directive at the server ' s root allows unintended indexing of restricted areas. This oversight reveals internal paths that may expose hidden links, confidential files, or other sensitive information.
Which technique is Sofia most likely using in this assessment?
A multinational company plans to deploy an IoT-based environmental control system across global manufacturing units. The security team must identify the most likely attack vector an Advanced Persistent Threat (APT) group would use to compromise the system. What is the most plausible method?
On July 25, 2025, during a security assessment at Apex Technologies in Boston, Massachusetts, ethical hacker Sophia Patel conducts a penetration test to evaluate the company’s defenses against a simulated DDoS attack targeting their e-commerce platform. The simulated attack floods the platform with traffic from multiple sources, attempting to overwhelm server resources. The IT team activates a specific tool that successfully mitigates this attack by distributing traffic across multiple servers and filtering malicious requests. Sophia’s test aims to verify the effectiveness of this tool in maintaining service availability.
Which DoS DDoS protection tool is most likely being utilized by the IT team in this scenario?
An IoT traffic light shows anomalous traffic to an external IP and has an open port. What should be your next step?
A penetration tester detects malware on a system that secretly records all keystrokes entered by the user. What type of malware is this?
During a security review for a healthcare provider in Denver, Colorado, Ava examines the header of a suspicious message to map the sender ' s outbound email infrastructure. Her goal is to identify which specific system on the sender ' s side processed the message so the team can understand where the transmission originated within that environment. Which detail from the email header should she examine to determine this?
As a network administrator, you explain to your team that a recent DDoS attack targeted the application layer of your company’s web server. Which type of DDoS attack was most likely used?
At a cybersecurity consultancy firm in Boston, senior analyst Amanda Liu is called in to assess a malware outbreak affecting a regional healthcare provider. Despite using updated antivirus tools, the security team notices inconsistent detection across infected endpoints. Amanda discovers that while the malicious behavior is consistent, system file tampering and suspicious outbound traffic, each malware sample has a slightly different code structure and fails traditional hash-based comparison. Static analysis reveals that the underlying logic remains unchanged, but the code patterns vary unpredictably across infections. What type of virus is most likely responsible for this behavior?
During a social engineering simulation at BrightPath Consulting in Denver, ethical hacker Liam emails employees a message that appears to come from the company’s security team. The email urgently warns that “all systems will shut down within 24 hours” unless staff download a patch from a provided link. The message is deliberately false and contains no actual malware, but it causes confusion and prompts several employees to call IT for clarification.
Which social engineering technique is Liam demonstrating?
As a Certified Ethical Hacker, you are assessing a corporation’s serverless cloud architecture. The organization experienced an attack where a user manipulated a function-as-a-service (FaaS) component to execute malicious commands. The root cause was traced to an insecure third-party API used within a serverless function. What is the most effective countermeasure to strengthen the security posture?
During a cloud security assessment, you discover a former employee still has access to critical cloud resources months after leaving. Which practice would most effectively prevent this?
During an external assessment of a healthcare insurance company in Houston, a penetration tester identifies a service running on TCP port 389. When queried, the service accepts anonymous binds and reveals directory data. By structuring his search filter, the tester is able to obtain usernames, departmental details, and organizational units. This information could potentially be used for targeted password attacks or privilege escalation.
Which classification best describes this enumeration activity?
As a newly appointed network security analyst, you are tasked with ensuring that the organization’s network can detect and prevent evasion techniques used by attackers. One commonly used evasion technique is packet fragmentation, which is designed to bypass intrusion detection systems (IDS). Which IDS configuration should be implemented to effectively counter this technique?
A penetration tester evaluates an industrial control system (ICS) that manages critical infrastructure. The tester discovers that the system uses weak default passwords for remote access. What is the most effective method to exploit this vulnerability?
You are an ethical hacker at Sentinel Cyberworks, engaged to assess the wireless defenses of HarborTrust Bank in Portland, Oregon. During your assessment, the security team shows you a production system that continuously places selected APs into a passive scan mode, aggregates alarms from multiple wireless controllers into a central engine for forensic storage, and can automatically apply countermeasures (for example, time-sliced channel scanning and remote configuration changes) across the campus when it classifies a nearby device as malicious. Based on the described capabilities, which Wi-Fi security solution is this most consistent with?
An attacker analyzes how small changes in plaintext input affect ciphertext output to deduce encryption key patterns in a symmetric algorithm. What technique is being used?
During a red team assessment at a retail bank in New York, ethical hacker Aisha launches a flood of TCP connection initiation packets against the bank ' s online portal. The target accepts each initial handshake packet but never receives the final ACK to complete the three-way handshake, exhausting the server ' s backlog of half-open connections and preventing legitimate users from establishing new sessions.
Which type of DoS attack is Aisha most likely simulating?
Bluetooth devices are suspected of being targeted by a Bluesnarfing attack. What is the most effective countermeasure?
During a security assessment of a cloud-hosted application using SOAP-based web services, a red team operator intercepts a valid SOAP request, duplicates the signed message body, inserts it into the same envelope, and forwards it. Due to improper validation, the server accepts the duplicated body and executes unauthorized code. What type of attack does this represent?
In Austin, Texas, ethical hacker Michael Reyes is conducting a red team exercise for Horizon Tech, a software development firm. During his assessment, Michael crafts a malicious link that appears to lead to the company ' s internal project management portal. When an unsuspecting employee clicks the link, it redirects them to a login session that Michael has already initialized with the server. After the employee logs in, Michael uses that session to access the portal in a controlled test, demonstrating a vulnerability to the IT team.
Which session hijacking technique is Michael using in this red team exercise?
A penetration tester needs to map open ports on a target network without triggering the organization’s intrusion detection systems (IDS), which are configured to detect standard scanning patterns and abnormal traffic volumes. To achieve this, the tester decides to use a method that leverages a third-party host to obscure the origin of the scan. Which scanning technique should be employed to accomplish this stealthily?
An ethical hacker is conducting a penetration test on a company’s network with full knowledge and permission from the organization. What is this type of hacking called?
A cyber adversary wants to enumerate firewall rules while minimizing noise and mimicking normal traffic behavior. Which reconnaissance technique enables mapping of firewall filtering behavior using TTL-manipulated packets?
A penetration tester identifies malware that monitors the activities of a user and secretly collects personal information, such as login credentials and browsing habits. What type of malware is this?
An ethical hacker needs to enumerate user accounts and shared resources within a company ' s internal network without raising any security alerts. The network consists of Windows servers running default configurations. Which method should the hacker use to gather this information covertly?
A system administrator observes that several machines in the network are repeatedly sending out traffic to unknown IP addresses. Upon inspection, these machines were part of a coordinated spam campaign. What is the most probable cause?
A financial institution in San Francisco suffers a breach where attackers install malware that captures customer account credentials. The stolen data is then sold on underground forums for profit. No political or social statements are made, and the attackers remain anonymous while continuing to target similar organizations for financial gain. Based on this activity, what category of hacker is most likely responsible?
During an internal penetration test within a large corporate environment, the red team gains access to an unrestricted network port in a public-facing meeting room. The tester deploys an automated tool that sends thousands of DHCPDISCOVER requests using randomized spoofed MAC addresses. The DHCP server’s lease pool becomes fully depleted, preventing legitimate users from obtaining IP addresses. What type of attack did the penetration tester perform?
As a security analyst, you are testing a company’s network for potential vulnerabilities. You suspect an attacker may be using MAC flooding to compromise network switches and sniff traffic. Which of the following indicators would most likely confirm your suspicion?
A city’s power management system relies on SCADA infrastructure. Recent anomalies include inconsistent sensor readings and intermittent outages. Security analysts suspect a side-channel attack designed to extract sensitive information covertly from SCADA devices. Which investigative technique would best confirm this type of attack?
During a red team assessment, an ethical hacker must map a large multinational enterprise’s external attack surface. Due to strict rules of engagement, no active scans may be used. The goal is to identify publicly visible subdomains to uncover forgotten or misconfigured services. Which method should the ethical hacker use to passively enumerate the organization’s subdomains?
During a targeted phishing campaign, a malicious HTML attachment reconstructs malware locally using obfuscated JavaScript without making external network calls, bypassing firewalls and IDS inspection. Which evasion technique is being employed?
A corporation migrates to a public cloud service, and the security team identifies a critical vulnerability in the cloud provider’s API. What is the most likely threat arising from this flaw?
In Austin, Texas, ethical hacker Liam Carter is hired by Lone Star Healthcare to probe the defenses of their patient data network. During his penetration test, Liam aims to bypass the hospital’s firewall protecting a medical records server. To do so, he uses a tool to craft custom network packets, carefully designing their headers to slip past the firewall’s filtering rules. His goal is to demonstrate how an attacker could infiltrate the system, exposing vulnerabilities for the security team to address.
Which tool is Liam using to bypass Lone Star Healthcare’s firewall during his penetration test?
A WPA2-PSK wireless network is tested. Which method would allow identification of a key vulnerability?
During a red team simulation at a bank in Chicago, Illinois, the SOC team suspects that some of the incoming traffic may be spoofed. To verify this, an analyst begins monitoring the sequence values assigned to packets, looking for irregularities that indicate they were not generated by the legitimate source. Which spoofing detection technique is the analyst using?
A company hires a hacker to test its network security by simulating real-world attacks. The hacker has permission and operates within legal boundaries. What is this type of hacker called?
During a stealth penetration test at a defense research facility, ethical hacker Daniel installs a payload that survives even after multiple operating system reinstalls. The implant resides deep inside the system hardware and executes before the OS is loaded, ensuring that forensic scans and antivirus tools at the OS level cannot detect or remove it. Administrators notice unusual activity on network cards and storage devices, but repeated scans show no malware traces within the file system.
Which type of rootkit most likely enabled this level of persistence?
During a security assessment of an internal network, a penetration tester discovers that UDP port 123 is open, indicating that the NTP service is active. The tester wants to enumerate NTP peers, check synchronization status, offset, and stratum levels. Which command should the tester use?
You perform a FIN scan and observe that many ports do not respond to FIN packets. How should these results be interpreted?
You are a cybersecurity analyst at a global banking corporation and suspect a backdoor attack due to abnormal outbound traffic during non-working hours, unexplained reboots, and modified system files. Which combination of measures would be most effective to accurately identify and neutralize the backdoor while ensuring system integrity?
An AWS security operations team receives an alert regarding abnormal outbound traffic from an EC2 instance. The instance begins transmitting encrypted data packets to an external domain that resolves to a Dropbox account not associated with the organization. Further analysis reveals that a malicious executable silently modified the Dropbox sync configuration to use the attacker ' s access token, allowing automatic synchronization of internal files to the attacker’s cloud storage. What type of attack has likely occurred?
During an internal red team engagement, an operator discovers that TCP port 389 is open on a target system identified as a domain controller. To assess the extent of LDAP exposure, the operator runs the command ldapsearch -h < Target IP > -x -s base namingcontexts and receives a response revealing the base distinguished name (DN): DC=internal,DC=corp. This naming context indicates the root of the LDAP directory structure. With this discovery, the operator plans the next step to continue LDAP enumeration and expand visibility into users and objects in the domain. What is the most logical next action?
During a stealth assessment, an attacker exploits intermittent delays in ARP responses from a target system. By injecting fake ARP replies before legitimate ones, the attacker temporarily redirects traffic to their own device, allowing intermittent packet capture. What type of sniffing attack is occurring?
During a cryptographic audit of a legacy system, a security analyst observes that an outdated block cipher is leaking key-related information when analyzing large sets of plaintext–ciphertext pairs. What approach might an attacker exploit here?
During a security audit, a penetration tester observes abnormal redirection of all traffic for a financial institution’s primary domain. Users are being redirected to a phishing clone of the website. Investigation shows the authoritative DNS server was compromised and its zone records modified to point to the attacker’s server. This demonstrates total manipulation of domain-level resolution, not cache poisoning or client-side attacks. Which technique is being used in this scenario?
A penetration tester runs a vulnerability scan and identifies an outdated version of a web application running on the company’s server. The scan flags this as a medium-risk vulnerability. What is the best next step for the tester?
A cloud storage provider discovers that an unauthorized party obtained a complete backup of encrypted database files containing archived client communications. The attacker did not compromise the encryption keys, nor is there evidence that any original plaintext records were exposed. A forensic cryptography specialist reviewing the breach considers the possibility that the adversary is attempting to analyze the encrypted data in isolation, searching for statistical irregularities or structural repetition within the encrypted output to infer meaningful information. To properly assess the organization ' s exposure, the specialist must determine which cryptanalytic approach best matches an attack conducted using only the intercepted encrypted data.
During a red team operation on a segmented enterprise network, the testers discover that the organization’s perimeter devices deeply inspect only connection-initiation packets (such as TCP SYN and HTTP requests). Response packets and ACK packets within established sessions, however, are minimally inspected. The red team needs to covertly transmit payloads to an internal compromised host by blending into normal session traffic. Which approach should they take to bypass these defensive mechanisms?
During a security assessment, an attacker identifies a flaw in a multi-user file system. The system first verifies access rights to a temporary file created by a user. However, immediately after this verification, and before the file is processed, the attacker manages to swap the original file with a malicious version. This manipulation happens in the brief interval between the system ' s access verification and the moment it handles the file, resulting in the malicious file being treated as legitimate. Which vulnerability is the attacker exploiting?
A penetration tester is mapping a Windows-based internal network. The tester notices that TCP port 139 and UDP port 137 are open on multiple systems. File and printer sharing is enabled. To retrieve hostnames, user details, and domain roles without triggering alerts, which tool and method would be most effective?
During a red team simul-ation, an attacker crafts packets with malformed checksums so the IDS accepts them but the target silently discards them. Which evasion technique is being employed?
A Certified Ethical Hacker (CEH) is auditing a company’s web server that employs virtual hosting. The server hosts multiple domains and uses a web proxy to maintain anonymity and prevent IP blocking. The CEH discovers that the server’s document directory (containing critical HTML files) is named “certrcx” and stored in /admin/web. The server root (containing configuration, error, executable, and log files) is also identified. The CEH also notes that the server uses a virtual document tree for additional storage. Which action would most likely increase the security of the web server?
During an internal assessment, a penetration tester gains access to a hash dump containing NTLM password hashes from a compromised Windows system. To crack the passwords efficiently, the tester uses a high-performance CPU setup with Hashcat, attempting millions of password combinations per second. Which technique is being optimized in this scenario?
A university ' s online registration system is disrupted by a combined DNS reflection and HTTP Slowloris DDoS attack. Standard firewalls cannot mitigate the attack without blocking legitimate users. What is the best mitigation strategy?
Multiple internal workstations and IoT devices are compromised and transmitting large volumes of traffic to numerous external targets under botnet control. Which type of denial-of-service attack best describes this situation?
A senior executive receives a personalized email with the subject line “Annual Performance Review 2024.” The email contains a downloadable PDF that installs a backdoor when opened. The email appears to come from the CEO and includes company branding. Which phishing method does this best illustrate?
As an IT security analyst, you perform network scanning using ICMP Echo Requests. During the scan, several IP addresses do not return Echo Replies, yet other network services remain operational. How should this situation be interpreted?
During a red team engagement at a healthcare provider in Miami, ethical hacker Rachel suspects that a compromised workstation is running a sniffer in promiscuous mode. To confirm her suspicion, she sends specially crafted ICMP packets with a mismatched MAC address but a correct IP destination. Minutes later, the suspected machine responds to the probe even though ordinary systems would ignore it.
Which detection technique is Rachel most likely using to validate the presence of a sniffer?
Which technique best exploits session management despite MFA, encrypted cookies, and WAFs?
Packet fragmentation is used as an evasion technique. Which IDS configuration best counters this?
A penetration tester is conducting a security assessment for a client and needs to capture sensitive information transmitted across multiple VLANs without being detected by the organization ' s security monitoring systems. The network employs strict VLAN segmentation and port security measures. Which advanced sniffing technique should the tester use to discreetly intercept and analyze traffic across all VLANs?
Systems are communicating with unknown external entities, raising concerns about exfiltration or malware. Which strategy most directly identifies and mitigates the risk?
During a penetration test at Cascade Financial in Seattle, ethical hacker Elena Vasquez probes the input handling of the company’s web server. She discovers that a single crafted request is processed as two separate ones, allowing her to inject malicious data into the server’s communication. This type of attack falls into the same category of input validation flaws as cross-site scripting (XSS), cross-site request forgery (CSRF), and SQL injection.
Which type of web server attack is Elena most likely demonstrating?
A cybersecurity analyst monitors competitors’ web content for changes indicating strategic shifts. Which missing component is most crucial for effective passive surveillance?
A retail brand based in San Diego, California, authorized a controlled mobile security exercise to evaluate risks associated with third-party application distribution channels. Testers acquired a version of the company ' s customer rewards application from an unofficial marketplace frequently used by overseas customers. The application ' s visual layout and functionality were indistinguishable from the officially released version available in mainstream app stores. Behavioral monitoring conducted in a sandbox environment revealed that, in addition to its normal operations, the application initiated outbound connections unrelated to its documented features. A binary comparison against the vendor-supplied build confirmed structural differences between the two versions. What mobile-based social engineering technique does this scenario most accurately represent?
A penetration tester evaluates the security of an iOS mobile application that handles sensitive user information. The tester discovers that the application is vulnerable to insecure data transmission. What is the most effective method to exploit this vulnerability?
During a security penetration test at ABC Financial Services in Miami, Florida, on July 9, 2025, ethical hacker Javier Morales targets the company’s online banking portal to assess its resilience. Over several hours, the portal’s web server begins to falter, with legitimate users reporting inability to log in or complete transactions. The IT team notices the server is struggling to accept new connections, as its maximum connection limit is nearly reached, despite no significant spike in overall network traffic. Javier’s controlled test, run from a secure system, logs interactions to simulate a real attack, aiming to evaluate the IT team’s ability to identify the threat.
What DoS or DDoS attack technique is Javier’s exercise primarily simulating?
A penetration tester discovers that a system is infected with malware that encrypts all files and demands payment for decryption. What type of malware is this?
After a breach, investigators discover attackers used modified legitimate system utilities and a Windows service to persist undetected and harvest credentials. What key step would best protect against similar future attacks?
A financial institution ' s online banking platform is experiencing intermittent downtime caused by a sophisticated DDoS attack that combines SYN floods and HTTP GET floods from a distributed botnet. Standard firewalls and load balancers cannot mitigate the attack without affecting legitimate users. To protect their infrastructure and maintain service availability, which advanced mitigation strategy should the institution implement?
A government agency trains a group of cybersecurity experts to carry out covert cyber missions against foreign threats and gather intelligence without being detected. These experts work exclusively for national interests. What classification best describes them?
While simulating a reconnaissance phase against a cloud-hosted retail application, your team attempts to gather DNS records to map the infrastructure. You avoid brute-forcing subdomains and instead aim to collect specific details such as the domain’s mail server, authoritative name servers, and potential administrative information like serial number and refresh interval.
Given these goals, which DNS record type should you query to extract both administrative and technical metadata about the target zone?
A cybersecurity company wants to prevent attackers from gaining information about its encrypted traffic patterns. Which of the following cryptographic algorithms should they utilize?
A penetration tester discovers that a system is infected with malware that encrypts all files and demands payment for decryption. What type of malware is this?
A penetration tester is investigating a web server that allows unrestricted file uploads without validating file types. Which technique should be used to exploit this vulnerability and potentially gain control of the server?
During a penetration test at Greenview Credit Union in Chicago, Illinois, ethical hacker Rebecca Hayes simulates an attacker who contacts employees using a voice channel. The number displayed on their devices appears identical to the institution’s official line, convincing staff that the request is legitimate. Rebecca then asks for account credentials under the pretense of a mandatory security check. Which mobile attack vector is she demonstrating?
At Norwest Freight Services, Simon, a junior analyst, is tasked with running a vulnerability scan on several departmental servers. This time, he is provided with administrator-level credentials to input into the scanner. The scan takes significantly longer than usual but returns detailed results, including weak registry permissions, outdated patches, and insecure configuration files that would not have been visible to an outsider. SIEM logs confirm that successful logins occurred during the scanning process.
Which type of vulnerability scan best explains the behavior observed in Simon ' s assessment?
You are a security analyst at Sentinel IT Services, monitoring the web application of GreenValley Credit Union in Portland, Oregon. During a log analysis, you identify an SQL injection attempt on the customer login portal, where the attacker inputs a malicious string to manipulate the query logic. The application mitigates this by replacing special characters with their escaped equivalents to prevent query manipulation before the query is executed, ensuring the SQL statement remains unchanged. Based on the observed defense mechanism, which SQL injection countermeasure is the application employing?
A penetration tester is tasked with identifying vulnerabilities on a web server running outdated software. The server hosts several web applications and is protected by a basic firewall. Which technique should the tester use to exploit potential server vulnerabilities?
A penetration tester is attempting to gain access to a wireless network that is secured with WPA2 encryption. The tester successfully captures the WPA2 handshake but now needs to crack the pre-shared key. What is the most effective method to proceed?
In Miami, Florida, Sarah Thompson, a security analyst at Apex Cyber Defense, is tasked with monitoring the wireless infrastructure at Coastal Healthcare, a busy urban hospital. One morning, nurse Emily Carter reports that her tablet used for accessing patient records is unexpectedly connecting to an access point broadcasting a name and signal similar to the hospital’s secure Wi-Fi. Upon investigation, Sarah’s log analysis reveals an unauthorized device on the network capturing sensitive traffic from connected systems. Suspecting a breach, she identifies that the attacker has deployed an access point to mimic the hospital’s legitimate network.
Based on this behavior, which wireless threat is the attacker executing?
At a smart retail outlet in San Diego, California, ethical hacker Sophia Bennett assesses IoT-based inventory sensors that synchronize with a cloud dashboard. She discovers that sensitive business records are sent across the network without encryption and are also stored in a retrievable format on the provider ' s cloud platform.
Which IoT attack surface area is most directly demonstrated in this finding?
A penetration tester has gained access to a target system using default credentials. What is the most effective next step to escalate privileges on the system?
A penetration tester is tasked with uncovering historical content from a company’s website, including previously exposed login portals or sensitive internal pages. Direct interaction with the live site is prohibited due to strict monitoring policies. To stay undetected, the tester decides to explore previously indexed snapshots of the organization’s web content saved by external sources. Which approach would most effectively support this passive information-gathering objective?
Which approach should an ethical hacker avoid to maintain passive reconnaissance?
A security analyst is tasked with gathering detailed information about an organization ' s network infrastructure without making any direct contact that could be logged or trigger alarms. Which method should the analyst use to obtain this information covertly?
In Boston, Massachusetts, network administrator Daniel Carter is monitoring the IT infrastructure of New England Insurance, a prominent firm, after receiving alerts about sluggish system performance. While reviewing traffic patterns, Daniel observes an unusual volume of concurrent requests overwhelming critical servers. To validate his suspicion of a session hijacking attempt, he begins capturing and reviewing live network traffic to identify unauthorized session behaviors before escalating to the security team.
What detection method should Daniel use to confirm the session hijacking attack in this scenario?
As part of a red team campaign against a pharmaceutical company in Boston, ethical hacker Alex begins with a successful spear-phishing attack that delivers an initial payload to a manager ' s laptop. After gaining access, Alex pivots to harvesting cached credentials and using them to move laterally across the internal network. Soon, routers, printers, and several file servers are compromised, expanding the red team ' s control beyond the original host. At this point, Alex has not yet targeted sensitive research data, but the team has built a broader foothold within the environment.
Which phase of the Advanced Persistent Threat (APT) lifecycle is Alex simulating?
TESTED 07 Apr 2026