CEH Scenarios

Last updated 10:06 PM on 6/2/26

97 Terms

A penetration tester is conducting an assessment against a large financial institution. During testing, the assessor enters a single quotation mark (') into a login form and receives a detailed database error message referencing SQL syntax. The application is hosted on Windows Server 2022 and uses HTTPS with a valid TLS certificate. What vulnerability should the tester suspect first?

SQL Injection

A security analyst discovers that a web application accepts user-supplied comments. An attacker posts JavaScript code that executes whenever other users view the page, even days after the original post was made. The application runs behind a load balancer and uses Active Directory for authentication. What vulnerability is present?

Stored XSS

A user receives an email appearing to come from the company's HR department asking them to verify payroll information. The email contains a link to a fake login page. The attacker is targeting only a small group of finance employees. What type of attack is occurring?

Spear Phishing

A penetration tester discovers that entering ../../../etc/passwd into a URL parameter returns portions of the Linux password file. The server is fully patched and running Apache. What vulnerability is being exploited?

Directory Traversal

A security engineer notices repeated login attempts against thousands of employee accounts. Only three common passwords are being attempted, and account lockouts have not been triggered. What attack is occurring?

Password Spraying

A web application allows users to specify a URL that the server retrieves on their behalf. During testing, the assessor causes the application server to request data from internal systems that are not directly accessible from the Internet. What vulnerability exists?

SSRF

A Windows domain administrator notices unusual authentication activity. Investigation reveals that an attacker extracted NTLM hashes from memory and authenticated to multiple systems without knowing any plaintext passwords. What attack technique is being used?

Pass-the-Hash

A security consultant gains access to a compromised workstation and discovers valid Kerberos tickets stored on the host. The tickets are later reused to access network resources without re-entering credentials. What attack is being performed?

Pass-the-Ticket

A network administrator discovers that several employee laptops are connecting to a wireless access point using the same SSID as the company's legitimate network. Users report intermittent connectivity issues and credential prompts. What attack is most likely occurring?

Evil Twin Attack

A security analyst observes a machine repeatedly sending forged ARP replies claiming to be the default gateway. Nearby systems begin sending traffic through the attacker's workstation. What attack is occurring?

ARP Spoofing

A company wants developers to deploy applications without managing operating systems, patching servers, or maintaining virtualization infrastructure. Which cloud model best fits this requirement?

PaaS

A company subscribes to a service that provides email, document storage, and collaboration software through a browser. The company manages neither the servers nor the applications themselves. Which cloud model is being used?

SaaS

A forensic analyst examines a compromised Windows machine and finds evidence that credential material was extracted directly from a process responsible for storing authentication information in memory. Which process was most likely targeted?

LSASS.exe

An assessor wants to identify operating systems running on multiple hosts without logging into any systems. Which Nmap option would best accomplish this objective?

-O

A tester sends TCP SYN packets to a target and receives SYN-ACK responses from open ports. The tester immediately responds with RST packets instead of completing the connection. What type of scan is being performed?

SYN Scan (-sS)

An organization deploys a wireless network secured with WPA2. Which encryption algorithm is primarily used to protect communications?

AES

A user is logged into an online banking application. While browsing another website, hidden requests are sent that initiate a transfer from the user's account. No malicious scripts execute in the browser. What attack occurred?

CSRF

A user visits a compromised website. Malicious JavaScript executes within the browser and steals session cookies. Which attack is most likely responsible?

XSS

A security consultant is asked to identify relationships between employees, subsidiaries, and business partners without directly interacting with the target environment. Which tool would be most useful?

Maltego

A security analyst needs to capture and inspect packets traversing a network segment to investigate suspicious traffic. Which tool is most appropriate?

Wireshark

An attacker obtains a list of usernames and passwords from a breach involving a social media website. The attacker attempts to use the same credentials against a corporate VPN gateway. What attack is being performed?

Credential Stuffing

A penetration tester wants to identify open ports while minimizing the likelihood of detection by completing full TCP handshakes. Which scan type is most appropriate?

SYN Scan (-sS)

A company stores user accounts, groups, and organizational units within a Microsoft domain environment. Which protocol is primarily used to query this information?

LDAP

A user successfully authenticates to a domain environment and receives a Ticket Granting Ticket (TGT). Which protocol issued the ticket?

Kerberos

An incident response team has successfully removed malware from affected systems. Which incident response phase should occur next?

Recovery

An attacker modifies DNS responses so that users attempting to visit a legitimate banking website are redirected to a malicious IP address. What attack is occurring?

DNS Spoofing

A security analyst discovers that attackers are attempting every possible password combination against a single administrative account. What attack is occurring?

Brute Force

A vulnerability scanner reports missing security patches, weak configurations, and outdated software versions across multiple systems. Which tool is commonly used for this purpose?

Nessus

A penetration tester is assessing a Linux-based web server. Input supplied by the tester results in the execution of operating system commands on the server itself. What vulnerability is being exploited?

Command Injection

A company allows users to upload profile images. Testing reveals that arbitrary local files can be read from the underlying operating system through a vulnerable parameter. What vulnerability category best describes this issue?

Local File Inclusion (LFI)

A wireless attacker repeatedly sends management frames forcing clients to disconnect from a legitimate access point. What attack is occurring?

Deauthentication Attack

An attacker sends millions of packets from thousands of compromised devices toward a single target. What type of attack is occurring?

DDoS

A company requires proof that a specific user signed a document and cannot later deny having done so. Which cryptographic mechanism best satisfies this requirement?

Digital Signature

A security consultant discovers a file named NTDS.dit on a domain controller. What type of information is primarily stored within this file?

Active Directory Domain Credentials

A system administrator needs secure command-line access to a remote Linux server over an untrusted network. Which protocol should be used?

SSH

A company uses a legacy wireless security protocol that relies on RC4 and is considered fundamentally broken. Which protocol is being described?

WEP

A tester identifies a service listening on TCP port 445. Which protocol is most commonly associated with this port?

SMB

A tester identifies a service listening on TCP port 3389. Which protocol is most commonly associated with this port?

RDP

A tester identifies a service listening on TCP port 389. Which protocol is most commonly associated with this port?

LDAP

A tester identifies a service listening on TCP port 88. Which protocol is most commonly associated with this port?

Kerberos

A security analyst discovers malware that disguises itself as legitimate software to convince users to install it. What type of malware is this?

Trojan

A security analyst discovers malware capable of self-replication across networks without requiring user interaction. What type of malware is this?

Worm

A security analyst discovers malware designed to conceal processes, files, and registry entries while maintaining privileged access. What type of malware is this?

Rootkit

A web application stores user input in a database and displays it later to other users. Attackers exploit this behavior to execute malicious scripts. What specific XSS variant is being used?

Stored XSS

A tester needs to determine the exact version of software running on open ports discovered during a scan. Which Nmap option should be used?

-sV

A cloud workload shares the host operating system kernel with other isolated workloads rather than running a separate guest OS. What technology is being described?

Container

A Windows workstation stores local account password hashes in a database used for authentication. What is the name of this database?

SAM

A security analyst receives reports that users are being redirected to malicious websites due to corrupted DNS cache entries. What attack category best describes this behavior?

DNS Cache Poisoning

A tester wants to identify all hosts on a network, determine their operating systems, discover open ports, and enumerate service versions using a single aggressive command. Which Nmap option is most associated with this activity?

-A