20 tough Certified Ethical Hacker Certification exam questions and answers (EC-Council)
Why EC-Council’s Certified Ethical Hacker exam matters
Over the past few months, I’ve been helping professionals pivot into cybersecurity and build careers in ethical hacking, DDoS attack prevention, penetration testing, and blue-team defense.
Part of that journey is earning credible certifications, and the one I want my clients to prioritize is EC-Council’s Certified Ethical Hacker (CEH) designation.
Whether you’re a network admin, AI analyst, DevOps engineer, or senior developer, the first security certification I recommend is the CEH certification.
It validates your ability to think like an attacker, legally and ethically, so you can better defend modern environments.
You won’t thrive in today’s threat landscape if you don’t understand recon, scanning, exploitation techniques, post-exploitation, web and wireless attacks, cloud and IoT risks, and the fundamentals of cryptography and malware. EC-Council’s Ethical Hacker Certification measures your ability to apply these skills with common tools and methodologies across real-world scenarios.
Certified Ethical Hacker (CEH) exam simulators
Through my courses and free practice banks at certificationexams.pro, I’ve seen which Certified Ethical Hacker domains trip learners up the most. Based on thousands of student interactions and performance data, these are 20 of the toughest Ethical Hacker practice questions currently circulating in the pool.
Each question is thoroughly answered at the end of the set, so take your time, think like an ethical hacker, and check your reasoning when you’re done.
If you’re preparing for the EC-Council’s CEH exam or exploring other security certifications such as Security+, CySA+, CISSP, or cloud security tracks, you’ll find hundreds more free practice questions and detailed exam explanations at certificationexams.pro.
Important Note: these are not CEH exam dumps or braindumps. They’re original questions designed to teach what’s covered and how to approach exam scenarios with discipline and integrity. That’s why every answer includes a tip and guidance.
Now, let’s dive into the 20 toughest Ethical Hacker exam practice questions.
Good luck, and remember, a great cybersecurity career begins with mastering the mindset and methods of ethical hacking.
Tough CEH Ethical Hacker Exam Questions
Question 1
A security analyst at PineBridge Technologies is running nmap to fingerprint a remote system during a network scan and needs to enable operating system detection. Which nmap flag should they use?
- [ ] A. nmap -sV
- [ ] B. nmap -sS
- [ ] C. nmap -O
- [ ] D. nmap -A
Question 2
Which type of network intrusion involves an attacker falsifying the packet source IP so they can access protected hosts and retrieve sensitive information?
- [ ] A. Source routing
- [ ] B. IP fragmentation attack
- [ ] C. IP address spoofing
- [ ] D. ARP poisoning
Question 3
What is the quickest method to enumerate files and directories on a web host using the Gobuster tool?
- [ ] A. Run Gobuster in a brute force mode while increasing threads to 20
- [ ] B. Perform directory and file enumeration by supplying a dictionary wordlist to Gobuster
- [ ] C. Use Gobuster with randomized file extensions in a brute force run
- [ ] D. Skip TLS certificate validation to avoid SSL handshake failures during scanning
Question 4
Which testing method discovers SQL injection vulnerabilities by sending large volumes of malformed random input and observing the application’s responses?
- [ ] A. Dynamic testing
- [ ] B. Fuzz testing
- [ ] C. Static analysis
Question 5
When moving sensitive data out of a corporate network and attempting to evade firewall inspection, which type of packets should the information be hidden inside so the traffic looks routine to most firewall rules?
- [ ] A. HTTP
- [ ] B. TCP
- [ ] C. SMTP
- [ ] D. DNS
Question 6
You receive an email that appears to be from the National Cybersecurity Bureau and it claims your computer was detected as part of a botnet that is distributing unauthorized copies of a recent movie. The email demands that you follow a link and pay a $750 fine within 36 hours or agents will be dispatched to your address to arrest you for copyright violations. What social engineering principle is this email exploiting?
- [ ] A. Social proof
- [ ] B. Coercion and intimidation
- [ ] C. Authority impersonation
- [ ] D. Reciprocity and obligation
Question 7
Intrusion detection systems inspect hosts and networks to find unauthorized access and unusual activity, and adversaries may try tactics to avoid detection. Which technique could an attacker employ to evade an IDS?
- [ ] A. Covert channel
- [ ] B. Packet fragmentation
- [ ] C. Encrypted payloads
- [ ] D. VLAN hopping
Question 8
Which tool is used to probe operational technology networks to identify protocol faults and exploitable weaknesses?
- [ ] A. Wireshark
- [ ] B. ProtoFuzz
- [ ] C. Nmap
Question 9
A payments startup called ApexPay is comparing block ciphers and asks which algorithm is referred to as Magma and implements a 32 round Feistel network on 64 bit blocks with a 256 bit key?
- [ ] A. Serpent
- [ ] B. Blowfish
- [ ] C. Camellia
- [ ] D. GOST
Question 10
A security analyst at a financial technology firm named Rivermark wants to determine whether a machine learning model contains a hidden backdoor that preserves correct behavior for normal inputs and then activates under specially crafted conditions. Which method should they use to make the model perform normally on standard data while failing or misbehaving only when a specific trigger is present?
- [ ] A. Vertex AI Model Monitoring
- [ ] B. Fuzz testing by mutating inputs
- [ ] C. Planting a trojan trigger during model training
- [ ] D. Applying differential privacy to training data
Question 11
Which approach is commonly used to detect possible poisoning of the training dataset in a machine learning workflow?
- [ ] A. Expand the training set size to dilute any malicious records
- [ ] B. Use Cloud Audit Logs and Data Catalog to trace data provenance and identify suspicious sources
- [ ] C. Apply anomaly detection to training inputs to flag outliers that may indicate poisoned examples
- [ ] D. Reduce the frequency of model retraining to limit the model’s exposure to potentially compromised data
Question 12
Which nmap option performs a Christmas tree scan by setting the FIN, PSH, and URG TCP flags?
- [ ] A. -sA
- [ ] B. -sX
- [ ] C. -sS
Question 13
A security analyst injects malicious payloads into an intercepted TCP conversation while source routing is turned off and cannot observe replies so the analyst must predict how the client and server will respond. Which session hijacking technique matches this scenario?
- [ ] A. TCP session hijacking
- [ ] B. RST injection
- [ ] C. Blind hijacking
- [ ] D. SIP registration hijacking
Question 14
Which document defines permitted test activities, specifies any disallowed actions, and protects both the client firm and the external penetration testing team?
- [ ] A. Statement of Work
- [ ] B. Non-Disclosure Agreement
- [ ] C. Service Level Agreement
- [ ] D. Rules of Engagement
Question 15
Maya, a cloud solutions architect at Atlas Digital, packages applications with their libraries, configuration files, binaries and related assets into containers so they run isolated from other workloads in the cloud. She follows a five level container architecture to manage images and deployments. She is currently verifying and validating image contents, digitally signing images and pushing them to image repositories. Which level of the container architecture is Maya operating in?
- [ ] A. Tier-4 Orchestration platforms
- [ ] B. Tier-1 Developer workstations
- [ ] C. Tier-3 Repositories
- [ ] D. Tier-2 Image certification and validation systems
Question 16
What term describes a coordinated network of compromised internet connected devices that an attacker controls remotely?
- [ ] A. Malware campaign
- [ ] B. Botnet
- [ ] C. Command and Control server
- [ ] D. Rootkit
Question 17
During a web application penetration test which command is effective for brute forcing directory paths to discover hidden files and resources?
- [ ] A. ffuf -u http://example.com/FUZZ -w wordlist.txt
- [ ] B. curl -X GET http://example.com -H 'User-Agent: Mozilla/5.0'
- [ ] C. gobuster dir -u http://example.com -w dirlist.txt
- [ ] D. wget -r http://example.com
Question 18
A company hosting directories at example.com has an LDAP server that accepts anonymous binds. Which authentication protocol can be used to require credentials and prevent anonymous LDAP queries?
- [ ] A. Cloud Identity
- [ ] B. Kerberos
- [ ] C. RADIUS
- [ ] D. NTLM
Question 19
A security analyst at a regional internet provider is researching worm propagation methods and asks which scanning approach leverages information extracted from a compromised host to locate other susceptible machines within the same network?
- [ ] A. Permutation scanning
- [ ] B. Hit-list scanning
- [ ] C. Topology guided scanning
- [ ] D. Random scanning
Question 20
Which attack captures an authentication handshake and later replays it to impersonate a workstation?
- [ ] A. Relay attack
- [ ] B. Replay attack
- [ ] C. Man-in-the-middle attack
- [ ] D. Session hijacking
EC-Council’s Certified Ethical Hacker (CEH) exam answers
Question 1
A security analyst at PineBridge Technologies is running nmap to fingerprint a remote system during a network scan and needs to enable operating system detection. Which nmap flag should they use?
- [*] C. nmap -O
The correct option is nmap -O. The nmap -O flag enables operating system detection by performing TCP/IP stack fingerprinting against Nmap’s database of known OS signatures.
When you run nmap -O, Nmap sends a variety of probes and compares the responses to its fingerprint database to determine the most likely operating system, often with additional details such as device type or uptime.
nmap -sV is focused on service and version detection and it does not perform operating system fingerprinting.
nmap -sS performs a TCP SYN scan to discover open ports and it does not enable OS detection.
nmap -A runs an aggressive scan that includes OS detection along with version detection, script scanning and traceroute. It is not the single flag for OS detection alone, and questions that ask specifically for the OS detection flag expect nmap -O.
Exam Tip
Remember that -O is the direct flag for OS detection. Recognize that -A also enables OS detection but it is broader and not the single focused option the question usually asks for.
Question 2
Which type of network intrusion involves an attacker falsifying the packet source IP so they can access protected hosts and retrieve sensitive information?
- [*] C. IP address spoofing
The correct answer is IP address spoofing.
IP address spoofing means an attacker forges the source IP address in packet headers so the packets appear to originate from a trusted host. This allows the attacker to bypass simple source based access controls and to impersonate another machine in order to retrieve sensitive information or to hijack sessions.
Attackers often pair IP address spoofing with other techniques and they rely on networks that do not validate source addresses. Mitigations include ingress and egress filtering on routers and using strong authentication and encrypted channels so that identity cannot be faked by simply changing the source IP.
Source routing refers to specifying the path that packets should take through the network and it does not involve falsifying the packet source IP to impersonate a host. That makes it a poor match for this question.
IP fragmentation attack manipulates how packets are broken into fragments or how fragments are reassembled to evade detection or cause errors. It does not describe changing the source IP address to access protected hosts.
ARP poisoning is a link layer attack that forges ARP messages so the attacker’s MAC address is associated with another IP on the local LAN. It enables local traffic interception but it is not the same as forging the IP source field to impersonate remote hosts.
Exam Tip
When the question mentions falsifying a packet’s source look for answers that explicitly use the word spoofing or that describe forging the source IP. Also check the protocol layer because ARP is link layer and fragmentation is about reassembly.
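The mitigation named above, ingress and egress source-address filtering, as an added example that is not part of the original question set. It models a border router with an internet-facing interface; the internal prefixes, bogon list and sample packets are constructed for illustration.

```python
"""Source-address validation in the style of BCP 38 ingress/egress filtering.

Added example (not part of the original question set). Packets arriving
from the internet must not claim an internal source, and packets leaving
must not claim a source outside the prefixes we own. All prefixes and
sample packets below are constructed.
"""
import ipaddress

# Constructed: the address space this organisation actually owns/uses.
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "192.0.2.0/24")]

# Sources that should never arrive on a public interface
# (RFC 1918, loopback, link-local, benchmarking range, multicast).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "198.18.0.0/15", "224.0.0.0/4",
)]

def _in_any(addr, prefixes):
    return any(addr in p for p in prefixes)

def filter_packet(direction: str, src: str, dst: str) -> tuple:
    """Return (allowed, reason).

    direction is 'ingress' (arriving from the internet) or 'egress'
    (leaving towards the internet). dst is accepted for completeness;
    the spoofing checks only need the source address.
    """
    s = ipaddress.ip_address(src)
    if direction == "ingress":
        if _in_any(s, INTERNAL_PREFIXES):
            return False, "spoofed internal source on external interface"
        if _in_any(s, BOGON_PREFIXES):
            return False, "bogon source"
        return True, "ok"
    if direction == "egress":
        if not _in_any(s, INTERNAL_PREFIXES):
            return False, "egress source not in our prefixes (possible spoofing)"
        return True, "ok"
    raise ValueError("direction must be 'ingress' or 'egress'")

# Constructed traffic sample: (direction, src, dst).
SAMPLE_PACKETS = [
    ("ingress", "203.0.113.5", "192.0.2.10"),   # normal inbound
    ("ingress", "10.1.2.3", "192.0.2.10"),      # claims to be internal: spoofed
    ("ingress", "192.168.1.1", "192.0.2.10"),   # RFC 1918 source from outside
    ("egress", "192.0.2.10", "203.0.113.5"),    # normal outbound
    ("egress", "203.0.113.77", "203.0.113.5"),  # our host spoofing another network
]

def audit(packets):
    """Return (direction, src, reason) for every packet the filter drops."""
    dropped = []
    for direction, src, dst in packets:
        allowed, reason = filter_packet(direction, src, dst)
        if not allowed:
            dropped.append((direction, src, reason))
    return dropped

if __name__ == "__main__":
    for entry in audit(SAMPLE_PACKETS):
        print("DROP", *entry)
```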
Question 3
What is the quickest method to enumerate files and directories on a web host using the Gobuster tool?
- [*] B. Perform directory and file enumeration by supplying a dictionary wordlist to Gobuster
Perform directory and file enumeration by supplying a dictionary wordlist to Gobuster is the correct option.
Gobuster is designed to discover directories and files by iterating a supplied wordlist and issuing HTTP requests for each candidate path. Using a focused dictionary wordlist gives targeted coverage and lets you combine options like file extensions, recursion, and thread tuning to quickly enumerate common and hidden resources.
Run Gobuster in a brute force mode while increasing threads to 20 is incorrect because simply switching to a brute force mode and raising thread counts does not replace a targeted wordlist. Higher thread counts can speed up scans but they can also trigger rate limits or produce unreliable results which reduces effectiveness.
Use Gobuster with randomized file extensions in a brute force run is incorrect because randomizing extensions generates mostly invalid guesses and wastes requests. It is far more efficient to use likely extensions or include them in a curated wordlist than to rely on randomness.
Skip TLS certificate validation to avoid SSL handshake failures during scanning is incorrect because skipping certificate validation does not help you find files or directories faster. Bypassing TLS checks may allow scans to proceed on misconfigured servers but it is not an enumeration technique and it lowers the security of your scanning environment.
Exam Tip
Focus on the tool’s primary function when choosing the answer and remember that a well chosen wordlist is often more important than extreme thread counts for reliable and fast enumeration.
Question 4
Which testing method discovers SQL injection vulnerabilities by sending large volumes of malformed random input and observing the application’s responses?
- [*] B. Fuzz testing
The correct answer is Fuzz testing.
Fuzz testing works by sending large volumes of malformed or semi random input to an application and then observing how the application responds. This approach deliberately exercises unexpected inputs to reveal input handling errors and injection vulnerabilities such as SQL injection when the application produces errors or behaves unexpectedly.
This technique tests the running program and monitors runtime behavior such as crashes, error messages, or abnormal responses. That runtime focus is what makes Fuzz testing effective at uncovering flaws that only appear when malformed input is actually processed.
Dynamic testing is a general term for testing an application while it is running and it can include methods like penetration testing and fuzzing. It is not the specific method described in the question because the question asks for the technique that sends large volumes of malformed random input which is the definition of fuzzing.
Static analysis examines source code or compiled artifacts without executing the program and it can find coding patterns that may lead to vulnerabilities. Static analysis does not feed inputs into a running application so it cannot observe runtime behaviors caused by malformed inputs which is why it is not the correct choice.
Exam Tip
When a question mentions sending large volumes of malformed or random input and observing program responses look for the term fuzz or fuzzing and differentiate it from broad runtime testing and code analysis.
Question 5
When moving sensitive data out of a corporate network and attempting to evade firewall inspection, which type of packets should the information be hidden inside so the traffic looks routine to most firewall rules?
- [*] D. DNS
The correct option is DNS.
Hiding data inside DNS queries and responses makes exfiltrated traffic appear routine because DNS is almost always allowed outbound and many perimeter devices do not perform deep payload inspection by default. Attackers can encode data in record types such as TXT or in subdomain labels and use UDP or fall back to TCP for larger transfers which helps the channel blend with normal name resolution traffic.
HTTP is common web traffic but it is frequently inspected by proxies and web application firewalls which makes covert exfiltration over HTTP easier to detect with content inspection and data loss prevention tools.
TCP is a transport layer protocol rather than an application protocol and simply using TCP does not make traffic look like a routine application. Firewalls and intrusion detection systems can reconstruct TCP streams for analysis which reduces its effectiveness for stealthy exfiltration.
SMTP can carry attachments but outbound email is often restricted or scanned by security controls and many networks block direct SMTP egress which makes it a less reliable choice for covert data removal.
Exam Tip
Pick protocols that are widely allowed and not usually deeply inspected. On many exams that points to DNS since DNS resolution is required and is often permitted with limited payload inspection.
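From the defender's side, the DNS channel described above leaves measurable traces: long or high-entropy subdomain labels, TXT lookups, and many unique subdomains under one registered domain. The detector below is an added example, not part of the original question set; the log line format and sample queries are constructed, and the registered-domain split is a naive last-two-labels rule.

```python
"""Flag likely DNS tunnelling/exfiltration in query logs.

Added example (not part of the original question set). Log format is
constructed: "<time> <client-ip> <qtype> <qname>". Three indicators are
combined: label length, Shannon entropy of the subdomain part, TXT
queries, plus a per (client, domain) count of unique subdomains.
"""
import math
from collections import defaultdict

# Constructed sample log. The last three lines mimic base32-encoded
# chunks smuggled as subdomain labels of an attacker-controlled zone.
SAMPLE_LOG = """\
10:00:01 10.1.2.3 A www.example.com
10:00:02 10.1.2.3 A mail.example.com
10:00:03 10.1.2.3 AAAA cdn.example.net
10:00:04 10.1.2.9 TXT mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.data.exfil-example.test
10:00:05 10.1.2.9 TXT nbswy3dpfqqho33snrscc4tufqqgc3tefqqhg2lhnzsq.data.exfil-example.test
10:00:06 10.1.2.9 TXT knqwy3dpnzzw64tdmuqhezlxmfzgizlsmvqwiidbnzsa.data.exfil-example.test
"""

MAX_LABEL_LEN = 30             # benign hostnames rarely have labels this long
ENTROPY_THRESHOLD = 3.5        # bits per character; encoded data scores high
UNIQUE_SUBDOMAIN_THRESHOLD = 3

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty/constant strings)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname: str) -> str:
    """Naive eTLD+1: the last two labels. Production code should use the PSL."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def parse_line(line: str) -> dict:
    ts, client, qtype, qname = line.split()
    return {"ts": ts, "client": client, "qtype": qtype, "qname": qname.lower()}

def score_query(rec: dict) -> list:
    """Return the per-query indicator names (empty list if nothing is odd)."""
    labels = rec["qname"].split(".")
    sub = ".".join(labels[:-2])  # everything left of the registered domain
    reasons = []
    if any(len(label) > MAX_LABEL_LEN for label in labels):
        reasons.append("long_label")
    if sub and shannon_entropy(sub.replace(".", "")) > ENTROPY_THRESHOLD:
        reasons.append("high_entropy")
    if rec["qtype"] == "TXT":
        reasons.append("txt_query")
    return reasons

def analyze(log_text: str) -> dict:
    """Aggregate per (client, registered domain); return the flagged pairs."""
    per_pair = defaultdict(lambda: {"subdomains": set(), "reasons": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        key = (rec["client"], registered_domain(rec["qname"]))
        sub = ".".join(rec["qname"].split(".")[:-2])
        per_pair[key]["subdomains"].add(sub)
        per_pair[key]["reasons"].update(score_query(rec))
    flagged = {}
    for key, info in per_pair.items():
        reasons = set(info["reasons"])
        if len(info["subdomains"]) >= UNIQUE_SUBDOMAIN_THRESHOLD:
            reasons.add("many_unique_subdomains")
        # Require two independent indicators to keep false positives down.
        if len(reasons) >= 2:
            flagged[key] = sorted(reasons)
    return flagged

if __name__ == "__main__":
    for (client, domain), reasons in analyze(SAMPLE_LOG).items():
        print(f"ALERT {client} -> {domain}: {', '.join(reasons)}")
```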
Question 6
You receive an email that appears to be from the National Cybersecurity Bureau and it claims your computer was detected as part of a botnet that is distributing unauthorized copies of a recent movie. The email demands that you follow a link and pay a $750 fine within 36 hours or agents will be dispatched to your address to arrest you for copyright violations. What social engineering principle is this email exploiting?
- [*] B. Coercion and intimidation
The correct answer is Coercion and intimidation.
The message uses explicit threats of arrest and a tight deadline combined with a demand for payment to force quick compliance. Those elements are the hallmark of coercion and intimidation because they create fear and urgency so the recipient will act before verifying the claim.
The email may also try to appear official by naming a government bureau, but the primary leverage is the threatened punishment and demand for money rather than simply claiming authority.
Social proof is incorrect because that technique relies on showing that others have done something or are doing something to encourage conformity. The email does not reference other people or groups to influence your behavior.
Authority impersonation is not the best choice because although the sender claims to be a government agency, the dominant tactic is using threats and intimidation to extract payment. Authority impersonation would focus more on perceived legitimacy without the explicit coercive threat.
Reciprocity and obligation is wrong because that principle involves offering a gift or favor to create a duty to return it. This message does not offer any benefit and instead threatens punishment to force compliance.
Exam Tip
When you receive a message that uses threats or a short deadline to demand payment, pause and verify the claim through official channels and never follow payment links in unsolicited emails.
Question 7
Intrusion detection systems inspect hosts and networks to find unauthorized access and unusual activity, and adversaries may try tactics to avoid detection. Which technique could an attacker employ to evade an IDS?
- [*] C. Encrypted payloads
Encrypted payloads is the correct option.
Encrypted payloads allow an attacker to hide the contents of network traffic so that an intrusion detection system that relies on payload inspection cannot match signatures or analyze malicious content without access to decryption keys or a man in the middle decrypting proxy.
Covert channel is incorrect because a covert channel refers to hiding data within legitimate traffic flows and it is a different class of data exfiltration technique rather than the straightforward prevention of payload inspection that encryption provides.
Packet fragmentation is incorrect because fragmentation was historically used to bypass signature matching but most modern IDS and intrusion prevention systems perform reassembly and are designed to detect fragmentation based evasion attempts.
VLAN hopping is incorrect because VLAN hopping is a layer two technique to move between network segments and it does not directly prevent an IDS from inspecting packet payloads.
Exam Tip
Focus on what the IDS inspects. If an option affects payload visibility such as encryption it often prevents content based detection and is a strong indicator of an evasion technique.
Question 8
Which tool is used to probe operational technology networks to identify protocol faults and exploitable weaknesses?
- [*] B. ProtoFuzz
The correct answer is ProtoFuzz.
The tool ProtoFuzz is a protocol fuzzing tool that actively crafts and sends malformed or unexpected messages to devices and services in order to reveal parsing errors, crashes, and logic flaws. It is built to probe implementations of industrial and operational technology protocols so it can discover exploitable weaknesses that only appear when a device receives malformed inputs.
Wireshark is a passive packet capture and analysis tool and it does not perform active fuzzing or craft inputs to provoke protocol faults. It is useful for debugging and inspecting traffic but not for discovering protocol implementation flaws through active probing.
Nmap is a network scanner that discovers hosts, open ports, and running services and it is not designed to perform protocol fuzzing to find exploitable protocol weaknesses. It can help enumerate targets but it does not generate mutated protocol messages to test for faults.
Exam Tip
When a question asks about discovering protocol faults and exploitable weaknesses look for tools that perform fuzzing or active input mutation rather than tools that only do passive capture or simple port scanning.
Question 9
A payments startup called ApexPay is comparing block ciphers and asks which algorithm is referred to as Magma and implements a 32 round Feistel network on 64 bit blocks with a 256 bit key?
- [*] D. GOST
The correct answer is GOST.
GOST refers to the Soviet and Russian block cipher family originally specified as GOST 28147-89 and it is commonly called Magma in some modern Russian standards. The cipher operates on 64 bit blocks, uses a 256 bit key, and implements a 32 round Feistel network, which matches the parameters in the question.
Serpent is incorrect because it is a substitution permutation network designed as an AES finalist and it operates on 128 bit blocks rather than using the 64 bit block size and Feistel structure described here.
Blowfish is incorrect because although it does use a 64 bit block it only has 16 Feistel rounds and supports variable key lengths up to 448 bits, so its round count and typical key size do not match the 32 round, 256 bit description.
Camellia is incorrect because it uses 128 bit blocks and a differing number of rounds depending on key size, and therefore it does not match the 64 bit block size and 32 round Feistel design in the question.
Exam Tip
Remember to check block size, key length, and whether the design is Feistel or a substitution permutation network when distinguishing block cipher algorithms.
Question 10
A security analyst at a financial technology firm named Scrumtuous Agile Inc wants to determine whether a machine learning model contains a hidden backdoor that preserves correct behavior for normal inputs and then activates under specially crafted conditions. Which method should they use to make the model perform normally on standard data while failing or misbehaving only when a specific trigger is present?
- [*] C. Planting a trojan trigger during model training
Planting a trojan trigger during model training is the correct choice.
Planting a trojan trigger during model training creates a hidden backdoor by injecting poisoned examples that associate a specific trigger pattern with a target label so the model preserves normal behavior on clean inputs but misbehaves only when that trigger appears. The attack is performed during training so the model learns the trigger to output the attacker chosen behavior while maintaining good accuracy on standard data.
Vertex AI Model Monitoring is a monitoring and observability service for deployed models that helps detect drift and quality issues but it is not a technique for inserting a backdoor or creating trigger based misbehavior.
Fuzz testing by mutating inputs is a testing technique that supplies malformed or random inputs to find crashes or robustness issues. It is useful for uncovering bugs but it does not intentionally plant a trigger during training to produce a stealthy backdoor.
Applying differential privacy to training data injects noise into training to protect individual records and reduce memorization. It is a privacy defense rather than a method for creating a selectively triggered failure, and it would generally make inserting a targeted backdoor harder rather than produce the described behavior.
Exam Tip
When a question describes a model that behaves normally except when a special trigger is present, look for answers that mention poisoning or inserting a trigger into training data, and rule out options about monitoring, testing or privacy. Keywords to watch for are trojan, trigger, poison and backdoor.
Question 11
Which approach is commonly used to detect possible poisoning of the training dataset in a machine learning workflow?
- [*] C. Apply anomaly detection to training inputs to flag outliers that may indicate poisoned examples
The correct answer is Apply anomaly detection to training inputs to flag outliers that may indicate poisoned examples.
Applying anomaly detection to the training inputs is effective because it inspects the actual feature distributions and can flag examples that deviate strongly from expected patterns. These outliers may be accidental errors or deliberately poisoned examples and they can be triaged before they influence model training.
Expand the training set size to dilute any malicious records is not reliable because simply adding more data does not remove poisoned records and it can increase the attack surface. Dilution may reduce impact in some cases but it does not detect or remove malicious data and it can be costly to collect and label more data.
Use Cloud Audit Logs and Data Catalog to trace data provenance and identify suspicious sources can help with provenance and operational tracing but it does not analyze individual training examples for anomalous feature values. Audit logs record actions and metadata rather than the input data distribution that is needed to detect poisoned examples.
Reduce the frequency of model retraining to limit the model’s exposure to potentially compromised data is not a detection strategy and it can make models stale. Slowing retraining might delay exposure but it does not find or remove poisoned data and it is not a recommended method to address poisoning risks.
Exam Tip
On questions about data poisoning choose answers that inspect the data itself such as anomaly detection or data validation tools rather than operational changes that only affect exposure.
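The anomaly-detection approach from the correct answer, carried out on a constructed training set, as an added example that is not part of the original question set. It uses a median/MAD robust z-score per feature rather than a plain z-score, because a few extreme injected rows would otherwise pull the mean and standard deviation towards themselves and hide from detection; the feature names, rows and threshold are assumptions.

```python
"""Flag candidate poisoned training examples with a robust z-score.

Added example (not part of the original question set). The median/MAD
(median absolute deviation) score resists the injected rows themselves,
unlike a mean/standard-deviation z-score. Rows and thresholds are
constructed for illustration.
"""
from statistics import median

# Constructed training rows: (transaction_amount, hour_of_day, label).
# The last three rows mimic injected records: features far from the
# rest, all carrying the attacker's chosen label.
TRAINING_ROWS = [
    (42.0, 9, 0), (57.5, 10, 0), (38.2, 11, 0), (61.0, 12, 0), (49.9, 13, 0),
    (55.1, 14, 0), (44.3, 15, 0), (60.7, 16, 0), (47.8, 17, 0), (52.4, 18, 0),
    (58.6, 9, 0), (41.1, 10, 0), (50.0, 11, 0), (46.5, 12, 0), (53.3, 13, 0),
    (9850.0, 3, 1), (9920.0, 3, 1), (9790.0, 4, 1),
]

ROBUST_Z_THRESHOLD = 3.5  # conventional cut-off for the MAD-based score

def robust_z_scores(values):
    """Return |x - median| / (1.4826 * MAD) for each value.

    1.4826 scales MAD to the standard deviation of a normal distribution.
    If MAD is zero (more than half the values identical) fall back to the
    mean absolute deviation so the scores stay finite.
    """
    med = median(values)
    abs_dev = [abs(v - med) for v in values]
    mad = median(abs_dev)
    scale = 1.4826 * mad
    if scale == 0:
        mean_ad = sum(abs_dev) / len(abs_dev)
        scale = 1.2533 * mean_ad if mean_ad else 1.0
    return [d / scale for d in abs_dev]

def flag_outliers(rows, threshold=ROBUST_Z_THRESHOLD):
    """Return indices of rows whose robust z exceeds threshold in any feature."""
    n_features = len(rows[0]) - 1  # last column is the label
    flagged = set()
    for f in range(n_features):
        column = [r[f] for r in rows]
        for i, z in enumerate(robust_z_scores(column)):
            if z > threshold:
                flagged.add(i)
    return sorted(flagged)

def label_skew(rows, flagged):
    """Fraction of flagged rows sharing one label.

    A value near 1.0 suggests a targeted poisoning campaign rather than
    scattered data-entry errors, which would spread across labels.
    """
    if not flagged:
        return 0.0
    labels = [rows[i][-1] for i in flagged]
    top = max(labels.count(label) for label in set(labels))
    return top / len(labels)

if __name__ == "__main__":
    bad = flag_outliers(TRAINING_ROWS)
    print("candidate poisoned rows:", bad)
    print("label skew among flagged:", label_skew(TRAINING_ROWS, bad))
```

Flagged rows are candidates for triage, not automatic deletion; a genuine but rare high-value transaction would score the same way.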
Question 12
Which nmap option performs a Christmas tree scan by setting the FIN, PSH, and URG TCP flags?
- [*] B. -sX
The correct option is -sX. This option generates a Christmas tree scan by setting the FIN, PSH, and URG TCP flags.
The Christmas tree scan sets FIN, PSH, and URG in a single TCP packet to probe port state. A closed port commonly responds with an RST according to TCP rules, while an open or filtered port often does not reply, which can help identify stealthy open ports. Modern network stacks and firewalls may drop or normalize these packets, so results can be less reliable than standard scans.
-sA is an ACK scan that is used to map firewall rules and to determine whether ports are filtered or unfiltered. It does not set the FIN, PSH, and URG flags so it cannot produce a Christmas tree scan.
-sS is a SYN scan which sends only the SYN flag to perform a half open handshake. It does not set the FIN, PSH, and URG flags and so it is not a Christmas tree scan.
Exam Tip
Memorize common nmap scan types by association and link -sS to SYN, -sA to ACK, and -sX to Christmas tree to recall the correct option quickly.
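The flag combination that defines this scan is also what a defender keys on: no legitimate segment carries FIN, PSH and URG without SYN, ACK or RST. The detector below is an added example, not part of the original question set; the record format is constructed, and it goes slightly beyond the question by also recognising the related FIN-only and NULL probes, which share the same "no SYN, ACK or RST" property.

```python
"""Detect Christmas tree (FIN+PSH+URG) probes in packet-flag records.

Added example (not part of the original question set). Record format is
constructed: "<src-ip> <dst-ip> <dst-port> <flag-letters>" with the usual
shorthand S=SYN, A=ACK, F=FIN, P=PSH, U=URG, R=RST. A NULL probe has no
flag letters at all. Thresholds are assumptions.
"""
from collections import defaultdict
from typing import Optional

# Constructed records: a normal handshake from 10.0.0.5, one source
# sweeping several ports with FIN+PSH+URG set, and the RSTs it provokes.
SAMPLE_RECORDS = """\
10.0.0.5 10.0.0.80 443 S
10.0.0.80 10.0.0.5 51000 SA
10.0.0.5 10.0.0.80 443 A
10.0.0.5 10.0.0.80 443 PA
198.51.100.7 10.0.0.80 22 FPU
198.51.100.7 10.0.0.80 25 FPU
198.51.100.7 10.0.0.80 80 FPU
198.51.100.7 10.0.0.80 443 FPU
198.51.100.7 10.0.0.80 8080 FPU
10.0.0.80 198.51.100.7 40001 R
10.0.0.80 198.51.100.7 40001 R
"""

SCAN_PORT_THRESHOLD = 3  # distinct probed ports per source before alerting

def classify_flags(flags: str) -> Optional[str]:
    """Map a flag string to a stealth-probe type, or None if ordinary.

    A legitimate segment always carries SYN, ACK or RST (handshake, data,
    or teardown). Packets with none of those are abnormal, and the exact
    combination tells which scan mode produced them.
    """
    fl = set(flags)
    if fl & {"S", "A", "R"}:
        return None
    if fl == {"F", "P", "U"}:
        return "xmas"
    if fl == {"F"}:
        return "fin"
    if fl == set():
        return "null"
    return "other_no_syn_ack"

def parse_record(line: str):
    src, dst, dport, *rest = line.split()
    flags = rest[0] if rest else ""  # NULL probes carry no flag letters
    return src, dst, int(dport), flags

def detect_scans(records: str, threshold: int = SCAN_PORT_THRESHOLD) -> dict:
    """Return {src: {probe_type: sorted ports}} for sources over threshold."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in records.splitlines():
        if not line.strip():
            continue
        src, _dst, dport, flags = parse_record(line)
        kind = classify_flags(flags)
        if kind is not None:
            seen[src][kind].add(dport)
    alerts = {}
    for src, by_kind in seen.items():
        hits = {k: sorted(p) for k, p in by_kind.items() if len(p) >= threshold}
        if hits:
            alerts[src] = hits
    return alerts

if __name__ == "__main__":
    for src, hits in detect_scans(SAMPLE_RECORDS).items():
        for kind, ports in hits.items():
            print(f"ALERT {src}: {kind} scan against ports {ports}")
```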
Question 13
A security analyst from McKenzie Consulting injects malicious payloads into an intercepted TCP conversation while source routing is turned off and cannot observe replies so the analyst must predict how the client and server will respond. Which session hijacking technique matches this scenario?
- [*] C. Blind hijacking
The correct answer is Blind hijacking.
Blind hijacking fits this scenario because the attacker injects payloads into an active TCP conversation while source routing is turned off and cannot observe replies. In blind hijacking the attacker must predict TCP sequence numbers and guess how the client and server will respond so the injected packets are accepted without seeing the actual responses.
TCP session hijacking is a general term for taking over a TCP connection and it does not specifically describe the condition where the attacker cannot observe replies and must guess sequence numbers. The question asks for the specific technique so the general term is not the best choice.
RST injection involves sending forged TCP reset packets to terminate or disrupt a connection. That technique is about closing or interrupting a session rather than injecting commands blindly while unable to see replies so it does not match the scenario.
SIP registration hijacking targets SIP and VoIP registration mechanisms and is protocol specific. It is unrelated to injecting TCP payloads into a conversation when replies cannot be observed so it is not correct for this question.
Exam Tip
Focus on wording that you cannot observe responses and must guess sequence numbers. That language usually points to blind techniques rather than a general session hijack or a protocol specific attack.
Question 14
Which document defines permitted test activities, specifies any disallowed actions, and protects both the client firm and the external penetration testing team?
- [*] D. Rules of Engagement
Rules of Engagement is correct because it is the document that defines permitted test activities, specifies any disallowed actions and protects both the client firm and the external penetration testing team.
The Rules of Engagement set the scope and boundaries for the test and name allowed IP ranges, time windows, approved tools and methods, and any sensitive systems to avoid. The document also records communication channels and escalation procedures, and it provides explicit legal authorization so testers are not mistaken for attackers.
By documenting these details, the Rules of Engagement protect the client by reducing the risk of accidental disruption, and they protect the testers by providing written permission and limiting liability when the test follows the agreed rules.
A Statement of Work describes deliverables, timelines, responsibilities and costs for a contracted engagement, but it does not typically authorize specific testing actions or spell out allowed and disallowed techniques for penetration tests.
A Non-Disclosure Agreement protects the confidentiality of information shared between parties, but it does not define what testing is permitted or provide operational rules and authorizations for conducting the test.
A Service Level Agreement sets expected service performance metrics, uptime and remedies for failures, but it does not define penetration test scope or list permitted and prohibited testing activities.
Exam Tip
When a question asks which document grants permission and limits testing, look for Rules of Engagement. Remember that an NDA protects secrecy, an SOW outlines deliverables, and an SLA covers performance, but none of those replace operational test rules.
Question 15
Maya, a cloud solutions architect at Pickering is Springfield Inc, packages applications with their libraries, configuration files, binaries and related assets into containers so they run isolated from other workloads in the cloud. She follows a five level container architecture to manage images and deployments. She is currently verifying and validating image contents, digitally signing images and pushing them to image repositories. Which level of the container architecture is Maya operating in?
- [*] D. Tier-2 Image certification and validation systems
The correct answer is Tier-2 Image certification and validation systems.
Tier-2 Image certification and validation systems are the layer responsible for inspecting and attesting to container images before they are accepted for deployment. This tier performs content verification and validation, produces digital signatures or attestations, and integrates with CI/CD pipelines to push certified artifacts into repositories.
Tier-4 Orchestration platforms is incorrect because orchestration platforms manage scheduling, networking and runtime behavior of containers rather than performing image verification or signing.
Tier-1 Developer workstations is incorrect because developer machines are used to build and test images locally, but they do not usually provide the centralized certification, validation and signing workflows that a dedicated image validation tier provides.
Tier-3 Repositories is incorrect because repositories store and serve container images and metadata but they are not primarily the systems that verify contents and apply digital signatures as part of a controlled certification process.
Exam Tip
When a question mentions verifying or signing images, look for the tier that handles certification and attestations rather than the tier that only stores or runs images.
Question 16
What term describes a coordinated network of compromised internet connected devices that an attacker controls remotely?
- [*] B. Botnet
The correct answer is Botnet.
A Botnet is a coordinated network of compromised internet connected devices that an attacker controls remotely. The individual infected machines are often called bots or zombies and the attacker uses the network to perform distributed tasks at scale.
Botnet operators commonly use these networks to run distributed denial of service attacks, send large volumes of spam, harvest credentials, or perform distributed cryptomining, and the scale and coordination are what distinguish a botnet from a single infected host.
Malware campaign is incorrect because it refers to the broader effort to distribute malicious software and achieve an objective, and it does not specifically name the coordinated network of compromised devices.
Command and Control server is incorrect because that term denotes the infrastructure or servers used to send commands to compromised hosts, and it refers to the controller rather than the network of infected devices itself.
Rootkit is incorrect because a rootkit is software that hides itself and maintains privileged access on an individual system, and it does not describe a coordinated network of multiple compromised devices.
Exam Tip
When a question asks for a network of compromised devices controlled remotely, think botnet. If the question asks about the controller or management infrastructure, think command and control.
Question 17
During a web application penetration test, which command is effective for brute forcing directory paths to discover hidden files and resources?
- [*] C. gobuster dir -u http://example.com -w dirlist.txt
The correct answer is gobuster dir -u http://example.com -w dirlist.txt.
gobuster dir -u http://example.com -w dirlist.txt uses Gobuster in its directory enumeration mode and it is designed to brute force directories and files with a wordlist. The -u flag sets the target URL and the -w flag supplies the wordlist, and Gobuster supports concurrency and response filtering which makes it well suited for discovering hidden paths.
ffuf -u http://example.com/FUZZ -w wordlist.txt is a capable web fuzzer that can also discover directories by replacing the FUZZ marker with words from a list, but it is marked incorrect for this question because the expected answer specifically uses Gobuster’s directory subcommand.
curl -X GET http://example.com -H 'User-Agent: Mozilla/5.0' performs a single HTTP request and is not an automated directory brute forcing tool without additional scripting, and that is why it is not the correct choice.
wget -r http://example.com recursively downloads site content and is intended for mirroring rather than wordlist driven brute forcing of directory paths, and that is why it is not the correct choice.
Exam Tip
When choosing the command, look for the subcommand or placeholder that matches the task, such as dir for directory enumeration or FUZZ for fuzzing, and prefer tools whose command syntax directly expresses the intended operation.
Question 18
An Agile Services company hosting directories at example.com has an LDAP server that accepts anonymous binds. Which authentication protocol can be used to require credentials and prevent anonymous LDAP queries?
- [*] D. NTLM
The correct answer is NTLM.
NTLM is a Windows challenge response authentication protocol that forces clients to present credentials when binding to an LDAP service on Active Directory servers. When LDAP is configured to require integrated Windows authentication the server will not accept anonymous binds and will require an authenticated bind such as NTLM.
Cloud Identity is a Google Cloud product for managing users and devices and it is not an LDAP bind authentication protocol so it cannot by itself change anonymous LDAP bind behavior.
Kerberos is a ticket based authentication protocol and it can be used for authenticated LDAP binds in many environments. It is marked incorrect here because the question expects the Windows integrated challenge response mechanism and the correct choice is NTLM. Kerberos would require a Kerberos infrastructure and a different bind flow.
RADIUS is a network access authentication and accounting protocol and it is not the protocol used for LDAP bind authentication. RADIUS can mediate access to services but it does not directly replace LDAP bind authentication to prevent anonymous LDAP queries.
Exam Tip
When an option list mixes product names and protocols, first eliminate entries that are products rather than protocols. Also remember that NTLM and Kerberos are Windows authentication methods, while RADIUS is a network access protocol.
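Before and after hardening the bind configuration in Question 18, an administrator wants a quick way to confirm whether the directory still accepts anonymous binds. Here is an added example (not code from the question or from any LDAP library) that hand-builds the LDAP v3 anonymous simple BindRequest with BER encoding, so only the Python standard library is needed, and decodes the result code from the server's BindResponse. The host and port arguments and the constructed server replies used for the offline self-test are assumptions; the message encodings follow RFC 4511.

```python
"""Added example: check whether an LDAP server accepts an anonymous simple bind,
using a hand-built LDAP v3 BindRequest (RFC 4511). Host/port arguments and the
constructed server replies used for the self-test are assumptions."""
import socket

# LDAP result codes (RFC 4511) relevant to bind outcomes.
RESULT_NAMES = {
    0: "success",
    1: "operationsError",
    7: "authMethodNotSupported",
    8: "strongerAuthRequired",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    53: "unwillingToPerform",
}


def ber_tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER TLV (short- or long-form length)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def anonymous_bind_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name "", simple "" } }."""
    bind = ber_tlv(0x02, bytes([3]))   # version INTEGER 3
    bind += ber_tlv(0x04, b"")         # name: empty DN
    bind += ber_tlv(0x80, b"")         # [0] simple authentication, empty password
    body = ber_tlv(0x02, bytes([message_id])) + ber_tlv(0x60, bind)  # [APPLICATION 0]
    return ber_tlv(0x30, body)


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Decode one TLV at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data: bytes) -> int:
    """Return the resultCode from an LDAP BindResponse, or -1 if malformed."""
    try:
        tag, msg, _ = _read_tlv(data, 0)
        if tag != 0x30:
            return -1
        _, _, pos = _read_tlv(msg, 0)    # skip messageID
        tag, op, _ = _read_tlv(msg, pos)
        if tag != 0x61:                  # [APPLICATION 1] BindResponse
            return -1
        tag, code, _ = _read_tlv(op, 0)  # resultCode ENUMERATED
        if tag != 0x0A:
            return -1
        return int.from_bytes(code, "big")
    except IndexError:
        return -1


def classify(result_code: int) -> str:
    """Human-readable verdict for the audit report."""
    name = RESULT_NAMES.get(result_code, f"code {result_code}")
    if result_code == 0:
        return f"anonymous bind ACCEPTED ({name})"
    return f"anonymous bind rejected ({name})"


def check_anonymous_bind(host: str, port: int = 389, timeout: float = 5.0) -> str:
    """Send the anonymous bind to a directory server you administer and report the outcome."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(anonymous_bind_request())
        return classify(parse_bind_response(s.recv(4096)))


# Constructed server replies for the offline self-test:
# LDAPMessage { messageID 1, BindResponse { resultCode X, matchedDN "", diagnosticMessage "" } }
ACCEPTED_REPLY = bytes.fromhex("300c02010161070a010004000400")   # resultCode 0
REJECTED_REPLY = bytes.fromhex("300c02010161070a013104000400")   # resultCode 49

if __name__ == "__main__":
    print(classify(parse_bind_response(ACCEPTED_REPLY)))
    print(classify(parse_bind_response(REJECTED_REPLY)))
```

Note that Active Directory may return success for the bind itself and only reject the subsequent search, so a complete audit follows the bind with a base-level search; the bind check above is the first step, and it is the same exchange that an `ldapsearch -x` with no credentials performs.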
Question 19
A security analyst at a regional internet provider is researching worm propagation methods and asks which scanning approach leverages information extracted from a compromised host to locate other susceptible machines within the same network?
- [*] C. Topology guided scanning
The correct option is Topology guided scanning.
Topology guided scanning uses information harvested from a compromised host to focus its probes on other machines that are likely to be nearby or reachable along similar network paths. The worm can examine routing tables, ARP caches, local IP address assignments, or other local state and then preferentially scan those subnets or adjacent addresses to find additional vulnerable hosts.
Random scanning is incorrect because random methods select targets uniformly across the address space and do not use any local host information to bias their scans.
Hit-list scanning is incorrect because hit lists rely on a predefined set of targets that the attacker supplies in advance and they do not derive target addresses from data on the compromised host.
Permutation scanning is incorrect because permutation techniques reorder or partition the address space to reduce overlap between infected machines and improve coverage, but they still do not use host-specific topology information to find nearby vulnerable systems.
Exam Tip
When an exam question asks about a scanning approach that uses data from the infected machine, look for answers that mention using local network state or topology, and rule out options that imply random selection or precompiled target lists.
Question 20
Which attack captures an authentication handshake and later replays it to impersonate a workstation?
- [*] B. Replay attack
Replay attack is the correct option.
A Replay attack captures a valid authentication handshake or credentials and later retransmits those same messages to impersonate the original client or workstation. The attack succeeds when the protocol does not enforce message freshness with nonces, timestamps, or sequence checks and therefore accepts the replayed handshake as valid.
Defenses against a Replay attack include challenge response mechanisms, timestamps, nonces, and session tokens that are bound to a specific session so that captured handshakes cannot be reused.
Relay attack is incorrect because a relay attack typically forwards messages live between the victim and the legitimate endpoint to proxy authentication rather than recording and replaying the handshake later.
Man-in-the-middle attack is incorrect because a man-in-the-middle intercepts and possibly modifies traffic in real time and does not necessarily perform a later retransmission of a captured handshake as its defining behavior.
Session hijacking is incorrect because session hijacking involves taking over an active session by stealing session tokens or cookies and continuing the session, and it is not the same as capturing an authentication handshake and replaying it later.
Exam Tip
When a question mentions capture and retransmit later, or lack of message freshness, pick the option that explicitly says replay and rule out answers that describe live forwarding or token theft.
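To see why message freshness is the deciding factor in Question 20, here is an added example (a constructed toy protocol, not any real authentication scheme) with both sides of the handshake: the client answers a challenge with an HMAC over the shared key, and two servers differ only in whether the challenge is a fixed value or a single-use random nonce. The same captured handshake is resubmitted to each. The key, the workstation name and the message layout are constructed for illustration.

```python
"""Added example: a toy challenge-response login showing that a captured
handshake replays successfully when the server has no freshness check and
fails once the server issues a one-time nonce. Key, workstation name and
message layout are constructed; this is not a real authentication protocol."""
import hashlib
import hmac
import secrets

SHARED_KEY = b"workstation-secret-key-constructed"   # pre-shared between client and server
WORKSTATION = "WS-EXAMPLE-01"                          # hypothetical workstation name


def client_response(key: bytes, workstation: str, challenge: bytes) -> bytes:
    """Client proves knowledge of the key by keying the challenge (never sends the key)."""
    return hmac.new(key, workstation.encode() + challenge, hashlib.sha256).digest()


class WeakServer:
    """No freshness: the same fixed 'challenge' is used for every login."""

    def __init__(self, key: bytes):
        self.key = key

    def challenge(self) -> bytes:
        return b"fixed-challenge"

    def verify(self, workstation: str, challenge: bytes, response: bytes) -> bool:
        expected = client_response(self.key, workstation, challenge)
        return hmac.compare_digest(expected, response)


class NonceServer:
    """Fresh random nonce per handshake; each nonce is accepted exactly once."""

    def __init__(self, key: bytes):
        self.key = key
        self.outstanding: set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, workstation: str, challenge: bytes, response: bytes) -> bool:
        if challenge not in self.outstanding:   # never issued, or already used
            return False
        self.outstanding.discard(challenge)     # single use
        expected = client_response(self.key, workstation, challenge)
        return hmac.compare_digest(expected, response)


def legitimate_login(server) -> tuple[str, bytes, bytes]:
    """One genuine handshake; returns the messages an on-path observer would capture."""
    challenge = server.challenge()
    response = client_response(SHARED_KEY, WORKSTATION, challenge)
    assert server.verify(WORKSTATION, challenge, response), "genuine login must succeed"
    return WORKSTATION, challenge, response


def replay_succeeds(server) -> bool:
    """Capture one handshake, then resubmit the captured messages unchanged."""
    captured = legitimate_login(server)
    server.challenge()                 # a new login attempt starts...
    return server.verify(*captured)    # ...but is answered with the old recording


if __name__ == "__main__":
    print("weak server, replay accepted:", replay_succeeds(WeakServer(SHARED_KEY)))
    print("nonce server, replay accepted:", replay_succeeds(NonceServer(SHARED_KEY)))
```

The nonce server needs only two properties to defeat the replay: the challenge is unpredictable, and it is consumed on first use. Timestamps with a tight acceptance window, or a monotonically increasing sequence number, achieve the same freshness guarantee with different trade-offs, which is what the defenses listed above have in common.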
Cameron McKenzie is an AWS Certified AI Practitioner, Machine Learning Engineer, Solutions Architect and author of many popular books in the software development and Cloud Computing space. His growing YouTube channel training devs in Java, Spring, AI and ML has well over 30,000 subscribers.