Certified Ethical Hacker (CEH) Practice Test

Security control categories describe the intent of a safeguard. A preventive control is designed to stop an unwanted action from occurring in the first place. Disabling or restricting USB mass-storage functionality on endpoints prevents users from writing data to removable media, eliminating the opportunity for unauthorized copies. Detective controls (such as log analysis or alerts) only identify events after they happen, while corrective controls attempt to remediate damage that has already occurred. Deterrent controls, including policies or warning banners, rely on influencing behavior but do not technically block the action. Therefore, a preventive control that technically disallows USB storage access is the most appropriate solution to meet management's requirement to stop the transfers outright.

The Gramm-Leach-Bliley Act (GLBA), formally the Financial Services Modernization Act of 1999, applies to U.S. financial institutions. It requires safeguarding of non-public personal information and obligates covered entities to provide annual privacy notices explaining their information-sharing practices. HIPAA governs health data, PCI DSS focuses on payment card information, and COPPA protects children's online data; none of these specifically impose privacy notice and safeguard rules on banks for customer financial records.

The tester is first performing a DHCP starvation attack-flooding the legitimate server with requests that consume every available lease. Once no addresses remain, clients will accept the first DHCPOFFER they see. By immediately running a rogue (unauthorized) DHCP server, the attacker becomes that first responder and supplies malicious options such as a default gateway or DNS server under her control. This combination is the textbook DHCP starvation followed by rogue DHCP server takeover, enabling man-in-the-middle sniffing. The other options describe different DHCP abuse methods but do not deplete the pool and then mis-serve clients from a fake DHCP service.

Collecting publicly available information about a target before sending any traffic toward its systems belongs to the first phase of the hacking methodology, commonly called Footprinting or Reconnaissance. Because only third-party services are queried and no packets are sent to the organization, the activity is classified as passive reconnaissance. Scanning and enumeration occur later, after the tester has begun actively probing the target, while the gaining-access phase involves exploitation rather than information collection.

A pass-the-hash attack lets you authenticate to an SMB service by presenting the captured NTLMv2 hash in place of the real password. Tools such as Impacket's psexec.py (or smbexec.py) perform the NTLM challenge-response with the supplied hash, create a service on the remote host, and return a SYSTEM-level shell. Password spraying requires plaintext guesses, Kerberoasting focuses on cracking service-account keys from Kerberos tickets rather than giving immediate access, and forging a Golden Ticket needs the krbtgt account's password hash-not just one administrator's NTLM hash.

Windows Anti-Malware Scan Interface (AMSI) exposes the content of scripts and other dynamic code to the installed antivirus engine as the code is loaded into memory, allowing heuristic and behavior-based inspection that can stop fileless threats before execution. Encrypting File System only protects data at rest and does nothing to inspect running scripts. Software Restriction Policies can block executables by path or hash but cannot analyze the in-memory script text of PowerShell or WMI. BitLocker with TPM-only mode protects the drive during offline attacks yet provides no runtime visibility into script content. Therefore, enabling AMSI integration is the appropriate countermeasure for detecting memory-resident, script-based malware.

The attacker is performing ARP poisoning (also called ARP spoofing). By crafting fake ARP reply frames that bind the gateway's IP address to the attacker's MAC address, the attacker poisons the victims' ARP caches. Traffic destined for the gateway is then sent to the attacker, allowing passive sniffing or an active man-in-the-middle position.

MAC flooding targets a switch's CAM table to force the device into hub-like behavior but does not forge gateway mappings. DHCP spoofing uses rogue DHCP offers to supply malicious network configuration values, and DNS spoofing tampers with name resolution responses rather than Layer-2 address resolution. None of those alternatives explain unsolicited ARP replies claiming the gateway's IP-to-MAC association.

802.11w adds cryptographic protection (integrity and optional encryption) to management frames such as deauthentication and disassociation. When PMF is required by both the AP and the client, any spoofed deauth or disassoc frames sent by an attacker fail the integrity check and are dropped, preventing the classic deauthentication or disassociation denial-of-service technique used to capture handshakes or disrupt connectivity. ARP replay targets data frames in WEP networks and is unaffected by PMF. WPS PIN brute forcing abuses a design flaw in the WPS protocol and does not rely on management-frame spoofing. An Evil Twin rogue AP attack leverages fake beacon and probe responses; PMF does not stop clients from seeing other beacons, so it remains possible. Therefore, deauthentication/disassociation flooding is the attack that PMF specifically mitigates.

Because the vendor-owned system is outside the written scope, any interaction beyond the discovery phase would be unauthorized hacking. Ethical hacking principles and common rules of engagement require that the tester halt activity on the out-of-scope target and obtain explicit, preferably written, permission before proceeding. Simply exploiting the server, ignoring the host, or seeking oral permission from the vendor all violate the requirement that testing occur only on assets specifically approved by the client in advance.

Web-server attack methodology moves from identifying the platform (fingerprinting) to enumerating the server for misconfigurations such as public status pages, sample scripts, directory indexing, or vulnerable modules. This reconnaissance provides concrete evidence of weaknesses and often reveals a precise attack surface. Jumping straight to denial-of-service, credential brute-forcing, or patching skips a critical discovery phase and either creates excessive noise or is outside the attacker's objective. Therefore, systematically enumerating directories, modules, and sample content is the correct next step.

SMTP with STARTTLS upgrades the transport connection to TLS only for the single hop between the two mail transfer agents that negotiated it. The message contents are decrypted as soon as they are accepted by the next server and may travel further or be stored in plaintext. End-to-end protection that persists to the recipient's mailbox requires a message-level scheme such as S/MIME or OpenPGP. STARTTLS neither signs the mail nor creates an IPsec tunnel; it simply provides opportunistic, hop-by-hop encryption of the SMTP channel.

Directory and file enumeration, content discovery, and inspection of publicly reachable application resources are performed in the "Analyze web applications" phase. By this point the tester has already completed infrastructure footprinting and now focuses on mapping the application's internal structure (hidden directories, configuration files, comments, parameters, etc.). Phases such as "Footprint web infrastructure," "Bypass client-side controls," and "Attack authentication mechanisms" address different objectives and therefore are not appropriate for evaluating an exposed web.xml file.

The hostname filter confines results to systems whose reverse DNS or SSL certificate names contain the specified domain. Because the mod_status handler sets the HTML title to Apache Status, combining http.title:"Apache Status" with hostname:"examplecorp.com" precisely targets the desired pages. The plain quoted-string search is too broad; the http.component query would return every Apache site with an HTTP 200 response under the domain, not specifically mod_status; and a favicon hash does not uniquely identify mod_status pages.

Security controls are often grouped by their primary function: preventive, detective, corrective, deterrent, and compensating. A web-application firewall rule that inspects traffic and blocks malicious SQL-injection payloads acts before the attack can succeed, thereby stopping the exploitation from occurring. That is the hallmark of a preventive control.

A detective control (such as log monitoring) only identifies an attack after it happens; a corrective control (such as applying a patch or restoring from backup) attempts to fix damage that has already occurred; a compensating control provides an alternate safeguard when the preferred control is infeasible but does not necessarily prevent the action itself. Therefore, the most accurate classification for the proposed WAF rule is preventive.

The TCP SYN (half-open) scan, invoked in Nmap with the -sS option, transmits a single SYN packet to each port. If the target replies with SYN-ACK the port is marked open; if it replies with RST the port is closed. Because the tester immediately resets the connection instead of sending the final ACK, no full TCP session is established, so most applications never record the attempt. TCP connect scan (-sT) completes the handshake and is more easily logged, while ACK (-sA) and FIN (-sF) scans are used primarily for firewall rule discovery and stealth probing of stateless filters, not for reliable open-port enumeration on modern systems.

Querying the public WHOIS database is considered passive footprinting because the request is sent only to the registrar's servers, not to any host owned by the target organization. No traffic ever touches the client's infrastructure, so intrusion-detection systems or firewalls at the target cannot see or log the activity. All the other actions-an Nmap UDP scan, SMB null-session enumeration, and requesting a DNS zone-transfer from the authoritative name server-generate direct traffic to the victim network and therefore constitute active reconnaissance, increasing the risk of detection.

Windows Management Instrumentation (WMI) remote execution can be performed through Impacket's wmiexec.py (or similar tooling) by supplying the stolen NTLM hash instead of the clear-text password-an example of a Pass-the-Hash attack. Because WMI uses DCOM to spawn cmd.exe in memory over the network, no auxiliary binaries need to be copied to the target's file system, keeping the operation fileless.

PsExec also supports Pass-the-Hash, but it transfers and launches a temporary service executable (psexesvc) on disk, which would violate the "no file write" constraint. Brute-forcing the Administrator password would be noisy, slow and unnecessary since valid credentials are already available. A Golden Ticket attack manipulates Kerberos in a domain context and is irrelevant to local-account NTLM hashes on standalone workstations.

IMDSv1 is reachable only at the link-local address 169.254.169.254. To obtain temporary AWS credentials, you must query the iam/security-credentials endpoint with the instance's IAM role name appended. The parent path /latest/meta-data/iam/security-credentials/ merely lists the role names; the instance-identity document and user-data endpoints do not contain credentials, and the RabbitMQ URI is unrelated to AWS metadata.

The scenario describes an amplification-based distributed denial-of-service technique. By spoofing the victim's IP address in very small Network Time Protocol (NTP) monlist requests, the attacker coerces many NTP servers to send much larger replies to the victim, producing an amplification ratio often exceeding 200×. This quickly saturates the victim's bandwidth even though the attacker transmits relatively little traffic. A TCP SYN flood and teardrop fragmentation rely on consuming state or exploiting reassembly bugs, not on reflection or amplification. Slowloris keeps HTTP sessions open with partial headers, which targets web servers and consumes their connection pools rather than amplifying traffic volume. Therefore, the only option matching the described UDP reflection and amplification behavior is the NTP amplification attack that abuses the monlist command.

In normal (non-promiscuous) operation, a NIC drops any Ethernet frame whose destination MAC address is neither its own nor a broadcast/multicast address. By crafting an ARP request that contains the correct target IP but an unrelated unicast destination MAC, you ensure that only a NIC running in promiscuous mode will pass the frame up the network stack to the ARP process. If the target still generates a valid ARP reply, it proves that the interface accepted and processed a frame not addressed to it, confirming promiscuous-mode operation. The other choices describe behaviors that can occur for legitimate reasons or that are unrelated to sniffing detection, so they are not reliable indicators.