CEH Practice Exam Part 3 – Certified Ethical Hacker Questions

Answer: D. PKI

The answer is correct because PKI uses certificates and keys to verify identities in a data exchange. The trap is confusing it with an authentication method like SSO.

Answer: B. Directly interacting with the threat actor on the forums using a pseudonym to gain more information about their plans.

Direct interaction risks alerting the threat actor and compromising the investigation. Passive methods like archives and Tor are safer for reconnaissance.

Answer: C. Cross-Site Request Forgery

CSRF forces an authenticated user to perform unwanted actions on a web application. Clickjacking involves a visible UI element, not a form submission.

Answer: D. Deriving linear patterns from cipher behavior

Linear cryptanalysis exploits statistical patterns in cipher behavior. This is distinct from brute-forcing keys or analyzing input differences.

Answer: A. Utilize Session Fixation to manipulate a user into utilizing a session ID that an attacker already has access to.

Session Fixation is correct because it manipulates a user into using an attacker-controlled session ID, bypassing advanced security like MFA and WAF.

Answer: C. Implement uniform encryption strength across all user roles, eliminating disparities in session token lengths.

Uniform encryption strength eliminates token length disparities, preventing cryptographic attacks on privileged sessions, making C the best fix.

Answer: D. It involves the ethical hacker trying to break into a system without any prior knowledge about the system.

Black box testing is correct because it simulates an attacker with no prior knowledge of the system, making option D accurate.

Answer: D. Disable JavaScript in the browser and proceed to submit weaker passwords and invalid CAPTCHAs.

Disabling JavaScript bypasses client-side checks without server alerts. This tests client-side validation bypassing, a core hacking technique.

Answer: D. Assessing multi-tenant isolation techniques

Multi-tenant isolation prevents one customer's malicious activity from affecting others in the cloud. This is a fundamental cloud security principle.

Answer: C. Intranet DNS poisoning via local spoofed responses

Intranet DNS poisoning uses local spoofed responses to redirect internal traffic. The ARP spoofing and DNS response speeds confirm this attack vector.

Answer: D. Exploiting MRI machine firmware vulnerabilities to intercept real-time patient scans.

Exploiting firmware vulnerabilities in medical devices is a sophisticated sniffing attack. This tests knowledge of medical device security and sniffing.

Answer: D. Consider the possibility of firewall blocking the FIN packets and investigate further.

FIN scans are blocked by firewalls, which would prevent response. This is a common security measure, not a breach or congestion issue.

Answer: A. Employ a systematic, multi-layered strategy, starting with the deployment of a specialized rootkit detection tool to verify the presence and type of rootkit, followed by an appropriately tailored removal procedure, specific to the identified rootkit.

Systematic detection and tailored removal remove the rootkit effectively. Formatting is extreme, and honeypots are for detection, not remediation.

Answer: A. Analyze and document the activities of the unauthorized user in real-time, then use this data to implement immediate countermeasures and isolate the affected server from the network.

Real-time analysis allows for targeted containment. Powering down disrupts services unnecessarily, and forensics come after containment.

Answer: C. A Pulse Wave attack leveraging high-volume short bursts to overwhelm network resources.

Pulse Wave attacks use short bursts to overwhelm resources. Continuous floods and PDoS are different, with PDoS targeting hardware.

Answer: A. Install the backdoor on a non-web file referenced in a URL.

Placing a backdoor in a non-web file avoids detection by web scanners. Increasing size may trigger anomaly detection, and regular updates can remove it.

Answer: B. Checking if the remote host is alive

Checking if the remote host is alive confirms reachability before scanning. Other steps depend on this initial verification.

Answer: B. They are novices in the hacking world who mainly use scripts and codes developed by others.

Script kiddies are novices who use pre-existing scripts instead of writing their own. They lack advanced technical skills.

Answer: C. Enforcing timely user de-provisioning

Timely user de-provisioning promptly revokes access when an employee leaves. This directly prevents former employees from retaining access.

Answer: D. TCP SYN scan on all ports

TCP SYN scan is stealthy as it doesn't complete the handshake, minimizing IDS detection while identifying live hosts.

Answer: D. Implementing DNSSEC on the DNS server

DNSSEC digitally signs DNS records to prevent hijacking by ensuring the integrity and authenticity of responses.

Answer: D. Wireshark

Wireshark is a packet sniffer that can analyze HTTP traffic in plaintext to investigate unencrypted protocols.

Answer: A. Side-channel attack on the hypervisor

A hypervisor side-channel attack directly compromises cloud infrastructure security, which is a core CEH concern for virtualized environments.

Answer: C. An attacker intercepts network traffic, captures unencrypted session cookies, and uses these to impersonate the user.

Sidejacking involves intercepting unencrypted session cookies to impersonate users, a classic session hijacking attack.

Answer: D. The APT group will exploit zero-day vulnerabilities present in the IoT device firmware.

Zero-day exploits in IoT firmware are a primary APT attack vector for unpatched systems.

Answer: A. CAST-128

The described Feistel structure with 64-bit blocks and specific S-boxes matches the CAST-128 algorithm.

Answer: A. Spearphone attack exploiting accelerometer-based vulnerabilities.

Spearphone uses the accelerometer to capture audio vibrations from the loudspeaker without special permissions.

Answer: D. Worm

Worms self-replicate and spread across networks without human intervention, unlike other malware types.

Answer: C. Perform detailed monitoring of system and file activity, incorporate anomaly detection techniques in the security framework, and utilize advanced anti-malware tools for comprehensive system scans.

Monitoring system activity and using anomaly detection is key for backdoor identification, as backdoors often exhibit abnormal behavior.

Answer: D. Implementing an automatic patch management process and using a patch management tool to monitor the patched systems.

Automated patch management is the most effective strategy for efficient and timely security updates.