EC-Council Ethical Hacker Certification (CEH) braindump and exam dump
Despite the title of this article, this may not be a CEH Ethical Hacker braindump in the traditional sense of the word.
I don’t believe in cheating.
Traditionally, the term “braindump” implied someone took the exam and then tried to recount every question they saw, dumping the contents of their brain onto the internet for all to see.
That’s cheating. And it’s also a violation of the EC-Council’s Ethical Hacker Certification’s consent agreement. There’s no honor or dignity in that.
Better than a CEH exam dump
This is not a braindump.
All of these questions were taken from my CEH cybersecurity Udemy course and the certificationexams.pro certification website that has hundreds of free Certified Ethical Hacker exam style questions.
All of these Certified Ethical Hacker exam practice questions are designed to target the Certified Ethical Hacker exam domains in a very precise and focused way, and while they may be similar to what you see on the exam, they are not copies and they are not braindumps. Passing the CEH exam with integrity is important.

There are over 1,500 exam questions in my CEH Udemy course.
If you can answer these questions, and you understand why the wrong answers are incorrect, you’ll not only be well-prepared for the EC-Council Certified Ethical Hacker exam, but you’ll also learn a thing or two about cybersecurity fundamentals, ethical hacking methodologies, and most importantly, how to think like a defender and an ethical hacker.
But here you go, here’s your Certified Ethical Hacker exam “braindump,” if you want to call it that.
The questions are tough, but each one is answered in full detail below, along with tips and strategies on how to approach similar questions on the actual Certified Ethical Hacker exam.
Have fun, and best of luck on the exam!
Certified Ethical Hacker Exam Questions
Question 1
An information security team at HarborTech performs a vulnerability review to reduce exposure. Your assignment is to discover the network protocols running on each machine to find which ports correspond to services such as a website, mail system, or database. After identifying services you will choose the appropriate checks for each host and execute only those tests. Which type of vulnerability assessment approach matches this workflow?
- A. Inference based assessment
- B. Host based inventory assessment
- C. Product based assessment
- D. Service oriented assessment
Question 2
A regional fintech firm called Northbridge Technologies has mandated that all web browsers clear their HTTP cookies when the browser is closed. What type of security incident is this control intended to prevent?
- A. Persistent cookie based tracking used to build profiles of employee browsing habits
- B. Cross site request forgery attacks that exploit a still authenticated browser session
- C. Session hijacking by stealing session cookies that allow attackers to impersonate employees and access websites that trust the browser
- D. Attackers extracting saved login credentials that web browsers store locally on a workstation
Question 3
Which federal law establishes national standards for electronic healthcare transactions and requires unique identifiers for providers, insurers, and employers?
- A. Payment Card Industry Data Security Standard
- B. Health Insurance Portability and Accountability Act of 1996
- C. Health Information Technology for Economic and Clinical Health Act
Question 4
During a penetration test a consultant needs to run a SYN stealth scan with Nmap. Which command line option triggers that type of scan?
- A. -sT
- B. -sU
- C. -sO
- D. -sS
Question 5
Which category of malicious software replicates itself across networked hosts and produces damage similar to what viruses cause to compromised machines?
- A. Trojan Horse
- B. Adware
- C. Worm
- D. Rootkit
Question 6
Which CVSS severity label corresponds to a base score of 5.5?
- A. High
- B. Medium
- C. Informational
Question 7
Which method protects against replay attacks in remote keyless systems like home garage remotes or car key fobs?
- A. Time based one time password
- B. Hopping code
- C. Fixed code
- D. Challenge response
Question 8
A security analyst at Cynergia finds that a web portal is vulnerable to SQL injection but the application does not return any query output. The analyst injects statements that cause the database to pause before replying and uses the response delay to determine whether test conditions are true or false. What type of SQL injection does this describe?
- A. Error driven SQL injection
- B. UNION based SQL injection
- C. Out of band SQL injection
- D. Time delayed blind SQL injection
Question 9
Which Nmap command quickly discovers which hosts are up on the 10.10.20.0/24 network without performing a port scan?
- A. nmap -sL 10.10.20.0/24
- B. nmap -sn 10.10.20.0/24
- C. nmap -PE 10.10.20.0/24
Question 10
When diagnosing a file transfer fault at DataBridge Solutions using Wireshark which display filter will show packets for the File Transfer Protocol control channel?
- A. tcp.port==22
- B. udp.port==123
- C. tcp.port==21
- D. tcp.port==25
Question 11
A network administrator at a regional tourism firm discovers a bogus wireless network that copies the name of the legitimate guest WiFi and tricks patrons into joining so their traffic can be monitored or redirected to fake sign in pages to steal credentials. What is this type of wireless attack called?
- A. Man in the middle attack
- B. Evil twin
- C. Signal jamming
- D. Cloud Armor
Question 12
Which statement correctly describes AES and RSA and how they are typically used?
- A. Both RSA and AES are asymmetric algorithms
- B. RSA for public private key operations and AES for symmetric bulk encryption
- C. Both RSA and AES are symmetric ciphers
Question 13
While building a research honeynet for the security team at CypherWorks, what approach will draw attackers in while ensuring that live production systems remain protected?
- A. Cloud Armor
- B. Allowing connections only from preapproved IP ranges
- C. Deploying fake services that emulate exploitable hosts and running them inside isolated networks
- D. Relying on factory default configurations to increase interactions
Question 14
A threat actor named Aisha is trying to disrupt a cluster of smart sensors run by Solara Systems. She fabricates dozens of phantom node identities to create apparent traffic congestion and interrupt communications between adjacent devices and networks. What type of attack is this?
- A. Spanning Tree Protocol manipulation
- B. Exploit kit campaign
- C. Side channel attack
- D. Sybil attack
Question 15
Which practice enforces accepting only predefined safe input types, lengths, ranges, and values to prevent SQL injection?
- A. Parameterized queries
- B. Allowlist input validation
- C. Google Cloud Armor
Question 16
Which scanning method does an intruder use when transmitting a TCP packet to a remote host with the FIN, URG, and PUSH flags enabled?
- A. ACK flag probe scan
- B. IDLE IPID header scan
- C. TCP Maimon scan
- D. Xmas scan
Question 17
A security data scientist at Northbridge Financial is designing a detection pipeline for suspicious activity and they need a technique that models the order of customer actions within a payments application. Which technique should they choose?
- A. Recurrent neural networks that model long term dependencies in user sessions
- B. Decision tree classifiers that label actions as normal or suspicious
- C. Logistic regression to score individual events against historical labels
- D. Markov chain models to estimate probabilities of moving between discrete user states
Question 18
Which Nmap command identifies EtherNet/IP devices and retrieves the vendor name, product code, device identifier, and IP address?
- A. nmap -Pn -sT -p 44818 --script enip-info <Target IP>
- B. nmap -Pn -sU -p 44818 --script enip-info <Target IP>
- C. nmap -Pn -sU -p 502 --script modbus-discover <Target IP>
Question 19
A threat actor posted a thread and a graphic on a community message board that included a concealed harmful URL. When a user follows that URL the browser issues an authenticated request to a web application automatically. What type of attack is this?
- A. Clickjacking
- B. Cross-site scripting
- C. Cross-site request forgery
- D. SQL injection
Question 20
Which cloud service model requires the customer to manage and maintain virtual machines, networking, and storage resources themselves?
- A. PaaS
- B. IaaS
- C. SaaS
- D. BaaS

CEH Ethical Hacker Certification v13 exam answers
Question 1
An information security team at HarborTech performs a vulnerability review to reduce exposure. Your assignment is to discover the network protocols running on each machine to find which ports correspond to services such as a website, mail system, or database. After identifying services you will choose the appropriate checks for each host and execute only those tests. Which type of vulnerability assessment approach matches this workflow?
- A. Inference based assessment
- B. Host based inventory assessment
- C. Product based assessment
- D. Service oriented assessment
The correct answer is Service oriented assessment.
A Service oriented assessment focuses on discovering the network protocols and services running on each machine and then mapping those services to the appropriate vulnerability checks. This approach matches the described workflow of identifying which ports correspond to a website mail system or database and then executing only the tests that apply to those services to reduce noise and limit impact.
A Service oriented assessment is the right match because it is service centric and lets you choose tailored checks per host after service discovery rather than running broad or unrelated tests.
Inference based assessment is incorrect because that approach derives likely issues from indirect signals or heuristics rather than performing explicit service discovery and targeted service checks.
Host based inventory assessment is incorrect because it emphasizes installed software and inventory on individual hosts rather than mapping network protocols and ports to running services for targeted testing.
Product based assessment is incorrect because it targets specific software products and their known vulnerabilities rather than discovering and testing the network services and protocols running on each machine.
Exam Tip
When a question describes identifying open ports and then selecting checks that match each service look for the phrase service oriented assessment as the best fit.
Question 2
A regional fintech firm called Northbridge Technologies has mandated that all web browsers clear their HTTP cookies when the browser is closed. What type of security incident is this control intended to prevent?
- A. Persistent cookie based tracking used to build profiles of employee browsing habits
- B. Cross site request forgery attacks that exploit a still authenticated browser session
- C. Session hijacking by stealing session cookies that allow attackers to impersonate employees and access websites that trust the browser
- D. Attackers extracting saved login credentials that web browsers store locally on a workstation
Session hijacking by stealing session cookies that allow attackers to impersonate employees and access websites that trust the browser is the control this requirement is intended to prevent.
Web session cookies often serve as authentication tokens for an active browser session and attackers who steal those cookies can impersonate the user until the cookie expires or the session is ended. By clearing cookies when the browser closes the organization reduces the window of opportunity for session hijacking because stolen session cookies will not persist across browser restarts and cannot be reused later.
Persistent cookie based tracking used to build profiles of employee browsing habits is not the best match because that control targets short lived session tokens and immediate impersonation risk rather than the broader issue of long term tracking. Clearing cookies on close may reduce tracking in some cases but the primary security goal here is to protect active authentication cookies.
Cross site request forgery attacks that exploit a still authenticated browser session is incorrect because CSRF exploits an active authenticated session while the browser is open and logged in. Preventing CSRF requires application level mitigations such as anti CSRF tokens or proper cookie SameSite settings and not just clearing cookies on close.
Attackers extracting saved login credentials that web browsers store locally on a workstation is also incorrect because clearing cookies does not affect saved passwords in a browser password manager or credentials stored on disk. Protecting saved credentials requires endpoint controls and secure credential storage rather than cookie expiration policies.
Exam Tip
When a question describes clearing cookies on browser close focus on protecting authentication tokens and reducing the chance of session reuse by attackers rather than on tracking or stored passwords.
Question 3
Which federal law establishes national standards for electronic healthcare transactions and requires unique identifiers for providers, insurers, and employers?
- A. Payment Card Industry Data Security Standard
- B. Health Insurance Portability and Accountability Act of 1996
- C. Health Information Technology for Economic and Clinical Health Act
The correct answer is Health Insurance Portability and Accountability Act of 1996.
Health Insurance Portability and Accountability Act of 1996 contains the Administrative Simplification provisions that set national standards for electronic healthcare transactions and code sets and that require unique identifiers such as the National Provider Identifier for providers and identifiers for health plans and employers.
Payment Card Industry Data Security Standard is an industry security standard for protecting payment card data and it is not a federal law that establishes healthcare transaction standards or unique healthcare identifiers.
Health Information Technology for Economic and Clinical Health Act supports the adoption of electronic health records and strengthened certain privacy and breach notification rules, but it did not originally create the national transaction standards or the required unique identifiers. It amended and built on Health Insurance Portability and Accountability Act of 1996 rather than replacing those core Administrative Simplification requirements.
Exam Tip
When you see a question about national standards for electronic healthcare transactions and unique identifiers think of HIPAA and its Administrative Simplification rules rather than industry security standards or incentive programs.
Question 4
During a penetration test a consultant needs to run a SYN stealth scan with Nmap. Which command line option triggers that type of scan?
- A. -sT
- B. -sU
- C. -sO
- D. -sS
The correct option is -sS.
-sS triggers Nmap’s SYN stealth scan which is sometimes called a half open scan. The scanner sends a SYN packet and waits for a SYN-ACK to identify an open port and then sends a RST to avoid completing the TCP three way handshake which makes it less likely to leave a full connection on the target.
-sT is not correct because it performs a full TCP connect scan using the operating system’s network stack and it completes the TCP handshake which is not stealthy.
-sU is not correct because it scans UDP ports and it uses a completely different protocol so it does not perform a SYN scan.
-sO is not correct because it is an IP protocol scan that enumerates supported IP protocols rather than scanning TCP ports with SYN packets.
Exam Tip
When you need to distinguish Nmap scan flags remember that -sS is the SYN stealth scan and -sT is the full TCP connect scan. Focus on the protocol behavior to pick the right flag.
Question 5
Which category of malicious software replicates itself across networked hosts and produces damage similar to what viruses cause to compromised machines?
- A. Trojan Horse
- B. Adware
- C. Worm
- D. Rootkit
The correct option is Worm.
A Worm is a type of malicious software that can autonomously replicate itself and spread across networked hosts without needing to attach to another program or to rely on a user to execute it. A Worm often causes damage similar to viruses by corrupting or deleting files, consuming network bandwidth, or installing additional malicious payloads on compromised machines.
Trojan Horse is incorrect because Trojan Horse does not self-replicate across networks. A Trojan Horse typically hides inside legitimate software or tricks users into running it, and it depends on user action rather than autonomous propagation.
Adware is incorrect because Adware mainly displays unwanted advertisements and may track user behavior, and it does not replicate across networked hosts like a worm. Adware is usually intrusive but it does not spread by itself in the way described by the question.
Rootkit is incorrect because Rootkit focuses on hiding malicious activity and maintaining privileged access on an infected system, and it does not inherently propagate across networks. A Rootkit enables stealth and persistence rather than autonomous replication.
Exam Tip
When a question asks about malware that spreads across networked hosts look for the phrase self-replicate or similar wording to identify a worm rather than trojans, adware, or rootkits.
Question 6
Which CVSS severity label corresponds to a base score of 5.5?
- A. High
- B. Medium
- C. Informational
The correct answer is Medium.
CVSS version 3 maps base scores into severity categories. Scores from 4.0 up to 6.9 are classified as Medium. A base score of 5.5 therefore falls within the Medium range and that is why Medium is correct.
High is for higher base scores and covers 7.0 through 8.9 so 5.5 is below that threshold and not High.
Informational is not the appropriate label for a 5.5 score. In CVSS v3 the zero impact label is typically called None and it corresponds to 0.0, so Informational is incorrect for 5.5.
Exam Tip
Memorize the CVSS v3 ranges such as Medium equals 4.0 to 6.9 so you can quickly classify scores like 5.5 on exam questions.
Question 7
Which method protects against replay attacks in remote keyless systems like home garage remotes or car key fobs?
- A. Time based one time password
- B. Hopping code
- C. Fixed code
- D. Challenge response
The correct option is Hopping code.
Hopping code uses a rolling or pseudo random sequence and a synchronized counter so each transmission is different. The receiver accepts only the next valid codes within a small window so an attacker who records a transmission cannot replay the same code later because it will no longer be valid.
Time based one time password relies on synchronized clocks and is used for human authentication tokens. It is not the typical mechanism used by simple one way RF key fobs and garage remotes.
Fixed code always transmits the same value and is vulnerable to replay because an attacker can record and resend the identical code with no protection.
Challenge response does prevent replay but it requires two way communication where the receiver issues a challenge and the transmitter computes a response. Most consumer remotes are one way devices so they do not implement a true challenge response protocol.
Exam Tip
When a question asks about replay protection look for answers that mention changing codes or synchronization since those phrases point to rolling or hopping code solutions.
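To make the hopping code mechanism concrete, here is an added simulation (not from the original page or from any vendor's implementation) of a one-way fob and a receiver that share a synchronized counter and accept codes only inside a small window. The pairing secret, the window size and the use of HMAC in place of the block cipher used by real hopping-code chips are assumptions of this demo.

```python
import hashlib
import hmac

# Constructed demo values: a shared secret is provisioned into the fob and the
# receiver at pairing time. This is not a real key, and HMAC stands in for the
# block cipher that production hopping-code ICs use (an assumption of this demo).
SHARED_KEY = b"constructed-demo-pairing-secret"
WINDOW = 16          # receiver accepts counters in (last_seen, last_seen + WINDOW]


def hop_code(counter: int, key: bytes = SHARED_KEY) -> bytes:
    """Derive the 64-bit code transmitted for a given counter value.

    The property that matters: every counter yields a different code, and an
    observer cannot predict the next one without the key.
    """
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]


class Fob:
    """One-way transmitter: increments its counter on every button press."""

    def __init__(self, counter: int = 0):
        self.counter = counter

    def press(self) -> bytes:
        self.counter += 1
        return hop_code(self.counter)


class Receiver:
    """Accepts a code only if it maps to a counter ahead of the last one used."""

    def __init__(self, last_seen: int = 0):
        self.last_seen = last_seen

    def accept(self, code: bytes) -> bool:
        for c in range(self.last_seen + 1, self.last_seen + WINDOW + 1):
            if hmac.compare_digest(hop_code(c), code):
                # Advance: this counter and every lower one are now dead, so a
                # recorded transmission cannot be replayed later.
                self.last_seen = c
                return True
        return False   # replayed, stale, or out-of-window code


def hopping_code_scenario() -> dict:
    """Walk through a replay, a few missed presses, and a desynchronised fob."""
    fob, door = Fob(), Receiver()
    first = fob.press()
    out = {"first_press": door.accept(first)}
    out["replay_of_first"] = door.accept(first)            # recorded code reused
    for _ in range(5):                                      # presses out of range
        fob.press()
    out["after_missed_presses"] = door.accept(fob.press())  # still inside WINDOW
    for _ in range(WINDOW + 5):                             # far too many missed
        fob.press()
    out["beyond_window"] = door.accept(fob.press())         # needs a resync step
    return out


def fixed_code_scenario() -> dict:
    """Contrast: a fixed-code remote sends the same value forever."""
    code = hop_code(0)

    def accept(c: bytes) -> bool:
        return hmac.compare_digest(c, code)

    return {"first_press": accept(code), "replay_of_first": accept(code)}


if __name__ == "__main__":
    print("hopping:", hopping_code_scenario())
    print("fixed:  ", fixed_code_scenario())
```

The last case shows why real products add a separate resynchronisation procedure: once the fob's counter is more than WINDOW ahead of the receiver, legitimate presses are rejected too.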
Question 8
A security analyst at Cynergia finds that a web portal is vulnerable to SQL injection but the application does not return any query output. The analyst injects statements that cause the database to pause before replying and uses the response delay to determine whether test conditions are true or false. What type of SQL injection does this describe?
- A. Error driven SQL injection
- B. UNION based SQL injection
- C. Out of band SQL injection
- D. Time delayed blind SQL injection
The correct answer is Time delayed blind SQL injection.
Time delayed blind SQL injection describes the situation because the application does not return query output and the tester infers true or false by causing the database to pause and observing response delays. This is a blind technique because the attacker cannot see data directly and must rely on the timing side channel to extract information.
Attackers commonly use database functions like SLEEP in MySQL or WAITFOR DELAY in SQL Server to create measurable delays and then deduce data one bit at a time from the presence or absence of those delays.
Error driven SQL injection is incorrect because that technique relies on database error messages to reveal data or structure, and it requires the application to return error output which is not the case here.
UNION based SQL injection is incorrect because UNION attacks combine query results with attacker supplied queries to return visible rows, and that requires the application to send query output back to the client.
Out of band SQL injection is incorrect because out of band methods use a secondary channel such as DNS or HTTP callbacks to retrieve data, and they do not rely on inducing response delays to infer true or false.
Exam Tip
When an application does not return results try timing tests and payloads that use SLEEP or WAITFOR DELAY to confirm a time based blind SQL injection.
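From the defender's side, the timing side channel described above leaves two traces: the delay primitive in the request and an outlier response time. The following detector is an added example (not from the original page); it runs over a constructed access log in an assumed "ip method path status ms" format and flags both signals.

```python
import re
from statistics import median
from urllib.parse import unquote_plus

# Constructed sample access log (not from any real system). Fields:
# client ip, method, path+query, HTTP status, response time in milliseconds.
SAMPLE_LOG = """\
10.0.0.5 GET /portal/account?id=1042 200 31
10.0.0.5 GET /portal/account?id=1043 200 28
10.0.0.9 GET /portal/account?id=1042 200 35
198.51.100.7 GET /portal/account?id=1042%27%20AND%20SLEEP(5)--%20 200 5034
198.51.100.7 GET /portal/account?id=1042%3B%20WAITFOR%20DELAY%20%270%3A0%3A5%27-- 200 5041
198.51.100.7 GET /portal/account?id=1042%20AND%201%3D1 200 30
10.0.0.5 GET /portal/report?year=2024 200 4900
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+)$")

# Time-delay primitives by database engine, matched against the URL-decoded query.
DELAY_PATTERNS = {
    "mysql_sleep": re.compile(r"\bsleep\s*\(", re.I),
    "mysql_benchmark": re.compile(r"\bbenchmark\s*\(", re.I),
    "mssql_waitfor": re.compile(r"\bwaitfor\s+delay\b", re.I),
    "postgres_pg_sleep": re.compile(r"\bpg_sleep\s*\(", re.I),
}


def parse_log(text: str) -> list:
    """Split log lines into records; the query string is URL-decoded once."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ip, method, target, status, ms = m.groups()
        path, _, query = target.partition("?")
        rows.append({"ip": ip, "method": method, "path": path,
                     "query": unquote_plus(query),
                     "status": int(status), "ms": int(ms)})
    return rows


def detect_time_based_sqli(text: str, slow_factor: int = 20,
                           min_slow_ms: int = 2000) -> list:
    """Return one alert per suspicious request with the reasons that fired."""
    rows = parse_log(text)
    samples = {}
    for r in rows:
        samples.setdefault(r["path"], []).append(r["ms"])
    baseline = {p: median(v) for p, v in samples.items()}

    alerts = []
    for r in rows:
        reasons = [name for name, pat in DELAY_PATTERNS.items()
                   if pat.search(r["query"])]
        # Timing rule: far slower than the path's median AND slow in absolute
        # terms, so a path that is always slow (/portal/report) does not alert
        # on its own.
        threshold = max(min_slow_ms, slow_factor * baseline[r["path"]])
        if r["ms"] > threshold:
            reasons.append("latency_outlier")
        if reasons:
            alerts.append({"ip": r["ip"], "path": r["path"],
                           "query": r["query"], "ms": r["ms"],
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_time_based_sqli(SAMPLE_LOG):
        print(a["ip"], a["ms"], a["reasons"], a["query"])
```

The `AND 1=1` request goes unflagged on purpose: it is a boolean-based probe with a normal response time, so a time-based detector alone is not enough and needs boolean-pattern rules beside it.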
Question 9
Which Nmap command quickly discovers which hosts are up on the 10.10.20.0/24 network without performing a port scan?
- A. nmap -sL 10.10.20.0/24
- B. nmap -sn 10.10.20.0/24
- C. nmap -PE 10.10.20.0/24
The correct answer is nmap -sn 10.10.20.0/24.
nmap -sn 10.10.20.0/24 runs a ping scan that determines which hosts are up and it explicitly disables port scanning. On a local network Nmap will typically use ARP requests which are fast and reliable and it may also use ICMP echo or other probes depending on network configuration and privileges.
nmap -sL 10.10.20.0/24 is incorrect because that option only lists the targets and performs DNS resolution when possible. It does not send probes to detect live hosts so it will not tell you which addresses are actually up.
nmap -PE 10.10.20.0/24 is incorrect because -PE only specifies using ICMP echo requests as a host discovery probe and it does not suppress port scanning by itself. Without -sn Nmap will proceed with its normal scan behavior after discovery and ICMP probes can be blocked by hosts or firewalls which makes them less reliable than ARP on a LAN.
Exam Tip
When you only need to discover live hosts and want to avoid port scans use -sn. If you only want to enumerate names without probing use -sL.
Question 10
When diagnosing a file transfer fault at DataBridge Solutions using Wireshark which display filter will show packets for the File Transfer Protocol control channel?
- A. tcp.port==22
- B. udp.port==123
- C. tcp.port==21
- D. tcp.port==25
The correct option is tcp.port==21.
The filter tcp.port==21 matches TCP packets to or from port 21 which is the well known port for the FTP control channel. The control channel carries FTP commands and replies and it uses TCP so this display filter will show the FTP control traffic in Wireshark. The actual file bytes may flow on the FTP data channel which can use port 20 or ephemeral ports depending on active or passive mode so filtering on port 21 targets the control session rather than every file data packet.
tcp.port==22 is incorrect because port 22 is used by SSH and by protocols that run over SSH such as SFTP. SFTP is not the same as FTP and it does not use the FTP control channel on TCP 21.
udp.port==123 is incorrect because UDP port 123 is for NTP time synchronization and it does not carry FTP control or data traffic. NTP uses UDP rather than TCP and a different port number.
tcp.port==25 is incorrect because TCP port 25 is used for SMTP email transport and it does not relate to FTP control traffic. SMTP commands and replies are a separate protocol from FTP.
Exam Tip
Memorize common protocol port numbers and map them to their protocols so you can quickly construct Wireshark display filters. For FTP remember that the control channel uses TCP 21 while data transfers may use other ports.
Question 11
A network administrator at a regional tourism firm discovers a bogus wireless network that copies the name of the legitimate guest WiFi and tricks patrons into joining so their traffic can be monitored or redirected to fake sign in pages to steal credentials. What is this type of wireless attack called?
- A. Man in the middle attack
- B. Evil twin
- C. Signal jamming
- D. Cloud Armor
Evil twin is the correct answer.
An Evil twin attack occurs when an attacker creates a wireless access point that copies the name and appearance of a legitimate guest WiFi so that patrons connect to it instead of the real network. Once connected, the attacker can monitor traffic, capture credentials, or redirect users to fake sign in pages to steal information, which matches the behavior described in the question.
Man in the middle attack is related because an evil twin can be used to perform a man in the middle style interception but the term does not specifically describe the fake wireless access point that impersonates the legitimate SSID. The question asks for the specific wireless technique which is an Evil twin.
Signal jamming is incorrect because that attack uses radio interference to disrupt wireless communications rather than creating a fraudulent network to trick users into connecting. The scenario describes impersonation and credential theft which do not match Signal jamming.
Cloud Armor is a Google Cloud product for web application and DDoS protection and it is not a type of wireless attack. It cannot describe a bogus WiFi network and so Cloud Armor is not the right choice.
Exam Tip
When you see scenarios about fake WiFi or cloned SSIDs look for terms like evil twin or rogue access point as those point to impersonation attacks rather than interference or cloud security services.
Question 12
Which statement correctly describes AES and RSA and how they are typically used?
- A. Both RSA and AES are asymmetric algorithms
- B. RSA for public private key operations and AES for symmetric bulk encryption
- C. Both RSA and AES are symmetric ciphers
The correct option is RSA for public private key operations and AES for symmetric bulk encryption.
RSA for public private key operations and AES for symmetric bulk encryption is correct because RSA is an asymmetric algorithm that uses a public key and a private key and it is commonly used for encrypting small pieces of data, exchanging symmetric keys, and creating digital signatures. AES is a symmetric block cipher that uses the same secret key for encryption and decryption and it is designed to handle large amounts of data efficiently, which makes it suitable for bulk encryption.
Both RSA and AES are asymmetric algorithms is incorrect because RSA is asymmetric but AES is symmetric, and asymmetric schemes use a key pair while symmetric schemes use a single shared key for both encryption and decryption.
Both RSA and AES are symmetric ciphers is incorrect because RSA is not a symmetric cipher and it relies on public and private keys, whereas AES is the symmetric cipher in this comparison and uses a single secret key.
Exam Tip
Focus on the terms asymmetric and symmetric when reading these questions. Remember that RSA implies a public and private key pair and AES implies a shared secret key suitable for fast, bulk encryption.
Question 13
While building a research honeynet for the security team at CypherWorks, what approach will draw attackers in while ensuring that live production systems remain protected?
- A. Cloud Armor
- B. Allowing connections only from preapproved IP ranges
- C. Deploying fake services that emulate exploitable hosts and running them inside isolated networks
- D. Relying on factory default configurations to increase interactions
The correct answer is Deploying fake services that emulate exploitable hosts and running them inside isolated networks.
This approach creates a controlled environment that attracts attackers while keeping real production systems safe. A well built honeynet mimics actual services and collects telemetry so defenders can study attacker behavior and signatures without exposing critical assets.
Keeping the fake services in isolated networks and projects prevents lateral movement and data exfiltration risks. Isolation also lets you apply strict firewall rules, limited permissions, and extensive logging so you can safely monitor attacker activity and quickly shut down or snapshot instances for analysis.
Cloud Armor is incorrect because it is a defensive service that helps protect real applications from DDoS and web based attacks and it does not create decoy hosts for monitoring attacker behavior.
Allowing connections only from preapproved IP ranges is incorrect because whitelisting reduces attacker interactions and defeats the purpose of a honeynet which must be reachable to attract adversaries.
Relying on factory default configurations to increase interactions is incorrect because intentionally leaving insecure defaults is unsafe and unpredictable and it can lead to compromises that affect other systems rather than producing useful, analyzable attacker telemetry.
Exam Tip
When questions ask about attracting attackers while protecting production, focus on solutions that combine realistic decoys with strong isolation and comprehensive logging.
Question 14
A threat actor named Aisha is trying to disrupt a cluster of smart sensors run by Solara Systems. She fabricates dozens of phantom node identities to create apparent traffic congestion and interrupt communications between adjacent devices and networks. What type of attack is this?
- A. Spanning Tree Protocol manipulation
- B. Exploit kit campaign
- C. Side channel attack
- D. Sybil attack
The correct answer is Sybil attack. The scenario describes an attacker fabricating dozens of phantom node identities to create apparent traffic congestion and interrupt communications which matches a Sybil attack.
A Sybil attack happens when one adversary presents many forged identities to a network to influence routing, neighbor tables, or consensus. In IoT sensor clusters an attacker can create phantom nodes to occupy routing resources, cause misrouting, or flood links and thereby disrupt communications between adjacent devices and networks. Common mitigations include strong device identity and authentication, certificate based provisioning, gateway enrollment controls, and resource or reputation based checks to limit new identities.
Spanning Tree Protocol manipulation is incorrect. Manipulating STP targets layer two bridging and switch topology to create loops or change the root bridge and it does not describe fabricating many independent node identities across a sensor cluster.
Exploit kit campaign is incorrect. Exploit kits are toolkits used to deliver and execute exploits against vulnerable endpoints and they do not involve creating phantom network identities to congest device communications.
Side channel attack is incorrect. Side channel attacks extract information from timing, power use, electromagnetic emissions, or other implementation leaks and they do not involve forging multiple node identities to disrupt routing or neighbor discovery.
Exam Tip
When a question mentions many fake or duplicate node identities think Sybil attack and focus on identity based disruption rather than protocol manipulation or side channel techniques.
Question 15
Which practice enforces accepting only predefined safe input types, lengths, ranges, and values to prevent SQL injection?
- A. Parameterized queries
- B. Allowlist input validation
- C. Google Cloud Armor
The correct answer is Allowlist input validation.
Allowlist input validation enforces that an application accepts only predefined safe input types, lengths, ranges and explicit allowed values so unexpected or malicious payloads are rejected before they reach the database. This approach reduces the attack surface and ensures that inputs conform to the exact constraints your application expects.
Allowlist input validation is commonly implemented with typed parsing, length checks, numeric ranges, enumerated values or strict regular expressions and it is a first line of defense against injection attacks when done correctly.
Parameterized queries are the primary mechanism for preventing SQL injection because they keep the query structure separate from the data that is bound into it, but they do not by themselves define allowed input types, lengths, ranges or explicit allowed values, so they are not the practice the question describes. In practice the two are layered: validate against the allowlist first, then bind the validated values as parameters.
Google Cloud Armor is a network and application layer service that can block malicious traffic and provide WAF rules, but it is a managed security product rather than the practice of enforcing allowed input constraints and values on incoming data.
Exam Tip
When a question asks about enforcing specific types, lengths, ranges and values think allowlist input validation. Distinguish input validation from query parameterization and from external firewall services.
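The distinction the tip draws between validation and parameterization is clearest when both sit side by side. The following is an added example written for this page, not code from any project; the username pattern, the status values, the limit range and the in-memory accounts table are all constructed for illustration. The unsafe function shows the injection the question is about, the hardened function rejects the payload at the allowlist before any SQL is built and then binds parameters for what survives:

```python
import re
import sqlite3

# Allowlist definitions (assumed application constraints for this example).
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,15}")    # type + length + character set
ALLOWED_STATUSES = {"active", "suspended", "closed"}  # enumerated values
LIMIT_RANGE = (1, 100)                                # numeric range


class ValidationError(ValueError):
    pass


def validate_query_params(raw):
    """Accept only what the allowlist permits; everything else is rejected with a reason."""
    username = raw.get("username")
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValidationError("username: must be 3-16 chars, lowercase letter first")
    try:
        limit = int(raw.get("limit", 10))
    except (TypeError, ValueError):
        raise ValidationError("limit: must be an integer")
    if not LIMIT_RANGE[0] <= limit <= LIMIT_RANGE[1]:
        raise ValidationError("limit: out of range")
    status = raw.get("status", "active")
    if status not in ALLOWED_STATUSES:
        raise ValidationError("status: not an allowed value")
    return {"username": username, "limit": limit, "status": status}


def setup_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, status TEXT)")
    conn.executemany(
        "INSERT INTO accounts (username, status) VALUES (?, ?)",
        [("alice", "active"), ("bob", "suspended"), ("carol", "active")],
    )
    return conn


def find_accounts_unsafe(conn, raw):
    """Deliberately vulnerable: no validation, values concatenated into SQL."""
    sql = (
        "SELECT username FROM accounts WHERE username = '%s' AND status = '%s'"
        % (raw["username"], raw.get("status", "active"))
    )
    return [row[0] for row in conn.execute(sql)]


def find_accounts(conn, raw):
    """Hardened: allowlist validation first, then a parameterized query."""
    params = validate_query_params(raw)
    rows = conn.execute(
        "SELECT username FROM accounts WHERE username = ? AND status = ? LIMIT ?",
        (params["username"], params["status"], params["limit"]),
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = setup_db()
    payload = {"username": "x' OR '1'='1"}
    print("unsafe:", find_accounts_unsafe(db, payload))   # leaks every active account
    try:
        find_accounts(db, payload)
    except ValidationError as err:
        print("hardened:", err)                           # rejected before any SQL runs
```

Note that the allowlist also catches inputs that parameterization alone would happily pass through, such as a limit of 1000000 or a status value the application never defined.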
Question 16
Which scanning method does an intruder use when transmitting a TCP packet to a remote host with the FIN, URG, and PSH flags set?
- A. ACK flag probe scan
- B. IDLE IPID header scan
- C. TCP Maimon scan
- D. Xmas scan
Xmas scan is the correct option because the scan sends TCP packets with the FIN, URG, and PSH flags set. In Nmap it is invoked with -sX.
Xmas scan sets those flags to produce a packet that no legitimate connection would send and relies on how the target's TCP stack handles it to infer port state. On stacks that follow RFC 793 a closed port replies with a RST while an open port ignores the probe, so Nmap reports no response as open|filtered, a RST as closed, and an ICMP unreachable error as filtered. Windows, Cisco IOS and several other stacks answer every such probe with a RST regardless of port state, so against those targets every port appears closed and the scan learns nothing. The scan is therefore identified by the FIN, URG and PSH flag pattern and by the characteristic responses or lack of responses from the target.
ACK flag probe scan is incorrect because ACK scans send ACK packets to determine firewall rules and filtering behavior and they do not set the FIN, URG, and PUSH flags.
IDLE IPID header scan is incorrect because the idle or IPID based scan uses a zombie host and IP identification side channels to infer port state and it does not send packets with FIN, URG, and PUSH to the target.
TCP Maimon scan is incorrect because the Maimon technique sends a FIN+ACK style probe and not the FIN, URG, and PUSH flag combination that defines the Xmas scan.
Exam Tip
When you see scan names on the exam try to picture the TCP flags they set and focus on the unique flag combinations. It helps to remember that Xmas means the FIN, URG, and PSH flags are lit like a tree.
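Picturing the flags is easier with a classifier in hand. The following is an added example written for this page, not code from Nmap; it packs minimal TCP headers for a few constructed probes (not captured traffic), reads the flag bits back out, names the scan type from the exact flag combination, and applies the open|filtered / closed / filtered inference the answer describes, including the Windows case where the inference breaks down:

```python
import struct

# Flag bits in the low byte of the TCP header's offset/flags word.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Nmap scan types keyed by the exact flag combination of their probe.
PROBE_SIGNATURES = {
    FIN | PSH | URG: "Xmas scan (nmap -sX)",
    0:               "NULL scan (nmap -sN)",
    FIN:             "FIN scan (nmap -sF)",
    FIN | ACK:       "Maimon scan (nmap -sM)",
    ACK:             "ACK probe (nmap -sA)",
    SYN:             "SYN probe (nmap -sS or a normal connect)",
}


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=1024):
    """Pack a minimal 20-byte TCP header (no options, zero checksum) for illustration."""
    offset_and_flags = (5 << 12) | flags        # data offset 5 words, NS/CWR/ECE clear
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_and_flags, window, 0, 0)


def tcp_flags(segment):
    """Extract the six classic flag bits from raw TCP header bytes."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    (offset_and_flags,) = struct.unpack_from("!H", segment, 12)
    return offset_and_flags & 0x3F              # ignore ECE, CWR and NS for classification


def classify_probe(segment):
    """Name the scan type from the probe's flag combination, or 'other'."""
    return PROBE_SIGNATURES.get(tcp_flags(segment), "other")


def infer_xmas_state(reply, target_os="unix"):
    """Port state Nmap would report for an Xmas/FIN/NULL probe given the reply.

    reply is one of 'none', 'rst', 'icmp-unreachable'. Windows and some other
    stacks send RST for every such probe, so the inference is meaningless there.
    """
    if target_os == "windows":
        return "closed (scan inconclusive: stack always answers RST)"
    return {"none": "open|filtered", "rst": "closed", "icmp-unreachable": "filtered"}[reply]


# Constructed sample probes (not captured traffic): scanner port 40000 -> target port 80.
XMAS_PROBE = build_tcp_header(40000, 80, FIN | PSH | URG)
MAIMON_PROBE = build_tcp_header(40000, 80, FIN | ACK)
ACK_PROBE = build_tcp_header(40000, 80, ACK)

if __name__ == "__main__":
    for name, pkt in (("xmas", XMAS_PROBE), ("maimon", MAIMON_PROBE), ("ack", ACK_PROBE)):
        print(name, "->", classify_probe(pkt))
    print("xmas, no reply ->", infer_xmas_state("none"))
```

The same `tcp_flags` function works on a real header sliced out of a pcap, which is how a detection rule for these scans is usually written: match on the flag byte, not on the tool name.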
Question 17
A security data scientist at Northbridge Financial is designing a detection pipeline for suspicious activity and they need a technique that models the order of customer actions within a payments application. Which technique should they choose?
- A. Recurrent neural networks that model long term dependencies in user sessions
- B. Decision tree classifiers that label actions as normal or suspicious
- C. Logistic regression to score individual events against historical labels
- D. Markov chain models to estimate probabilities of moving between discrete user states
Markov chain models to estimate probabilities of moving between discrete user states is correct.
Markov chain models to estimate probabilities of moving between discrete user states are designed to represent sequences of discrete states and to encode the probability of transitioning from one state to the next. That makes them a natural fit when you need to model the order of customer actions in a payments application because the transition probabilities capture typical flows and rare transitions stand out as anomalies.
Recurrent neural networks that model long term dependencies in user sessions are not the best choice here because although they can model sequence order they require more data and compute and they are often less interpretable than a simple transition model. For discrete state transitions and lightweight online scoring a Markov chain is usually simpler to build and explain.
Decision tree classifiers that label actions as normal or suspicious are incorrect because decision trees generally treat each event as an independent example and they do not natively model the sequence or the transition probabilities between actions. You could add engineered sequence features but that does not directly model ordered state transitions the way a chain does.
Logistic regression to score individual events against historical labels is incorrect because logistic regression scores single events and it does not capture the order of actions or the conditional probabilities of moving between states. It can help flag suspicious events in isolation but it will miss anomalies that only appear in unusual sequences of actions.
Exam Tip
When a question asks about modeling the order of user actions look for phrases like transition or state. Those words often point to Markov or other sequence state models rather than single event classifiers.
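A transition model of the kind the answer describes is small enough to write out in full. The following is an added example written for this page, not code from Northbridge Financial or from any library; the training sessions and the suspicious session are constructed, not real customer data. It fits a first-order Markov chain over the order of actions, scores a session by how improbable its transitions are, and reports which transitions made it stand out, which is the interpretability advantage the answer credits the model with:

```python
import math
from collections import defaultdict

START, END = "<start>", "<end>"


class MarkovSessionModel:
    """First-order Markov chain over discrete user actions within a session."""

    def __init__(self, alpha=0.01):
        self.alpha = alpha                                   # additive smoothing for unseen transitions
        self.counts = defaultdict(lambda: defaultdict(int))  # state -> next state -> count
        self.states = set()

    def fit(self, sessions):
        for session in sessions:
            seq = [START] + list(session) + [END]
            for a, b in zip(seq, seq[1:]):
                self.counts[a][b] += 1
                self.states.update((a, b))
        return self

    def transition_prob(self, a, b):
        """P(next = b | current = a), smoothed so rare transitions score low but never zero."""
        row = self.counts.get(a, {})
        total = sum(row.values())
        return (row.get(b, 0) + self.alpha) / (total + self.alpha * len(self.states))

    def score(self, session):
        """Mean negative log-likelihood per transition; higher means more anomalous."""
        seq = [START] + list(session) + [END]
        nll = sum(-math.log(self.transition_prob(a, b)) for a, b in zip(seq, seq[1:]))
        return nll / (len(seq) - 1)

    def rare_transitions(self, session, threshold=0.05):
        """The specific transitions that made a session suspicious."""
        seq = [START] + list(session) + [END]
        return [(a, b) for a, b in zip(seq, seq[1:]) if self.transition_prob(a, b) < threshold]


# Constructed training sessions (not real customer data) for a payments app.
NORMAL_SESSIONS = (
    [["login", "view_balance", "add_payee", "transfer", "logout"]] * 8
    + [["login", "view_balance", "logout"]] * 6
    + [["login", "view_balance", "transfer", "logout"]] * 4
)

# A session that jumps straight to repeated transfers without the usual steps.
SUSPICIOUS_SESSION = ["login", "transfer", "transfer", "transfer", "logout"]


def build_model():
    return MarkovSessionModel().fit(NORMAL_SESSIONS)


if __name__ == "__main__":
    model = build_model()
    print("normal    :", round(model.score(NORMAL_SESSIONS[0]), 3))
    print("suspicious:", round(model.score(SUSPICIOUS_SESSION), 3))
    print("rare transitions:", model.rare_transitions(SUSPICIOUS_SESSION))
```

Every event in the suspicious session is individually ordinary, which is exactly why a per-event classifier would miss it; only the order (login straight to transfer, then transfer to transfer) is rare under the fitted chain.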
Question 18
Which Nmap command identifies EtherNet/IP devices and retrieves the vendor name, product code, device identifier, and IP address?
- A. nmap -Pn -sT -p 44818 --script enip-info <Target IP>
- B. nmap -Pn -sU -p 44818 --script enip-info <Target IP>
- C. nmap -Pn -sU -p 502 --script modbus-discover <Target IP>
The correct answer is nmap -Pn -sU -p 44818 --script enip-info <Target IP>.
This command is correct because the enip-info NSE script sends an EtherNet/IP List Identity request to port 44818, the port the EtherNet/IP encapsulation layer listens on, and parses the reply into the vendor name, product code, device identifier and IP address. The script's documented usage probes over UDP, so -sU is the option that matches it, while -Pn skips host discovery, which matters on control networks where ICMP is commonly blocked.
nmap -Pn -sT -p 44818 --script enip-info <Target IP> is incorrect because -sT performs a TCP connect scan. EtherNet/IP devices do listen on TCP 44818 for explicit messaging, but the enip-info script's documented usage issues its identity probe over UDP, so the UDP form is the one the exam expects for retrieving the identity fields the question lists.
nmap -Pn -sU -p 502 --script modbus-discover <Target IP> is incorrect because it points the Modbus discovery script at port 502, which belongs to Modbus, not EtherNet/IP, so it cannot return EtherNet/IP vendor and device identifiers. The option is also internally inconsistent: Modbus/TCP is a TCP service on port 502, so pairing -sU with that port would not reach it either.
Exam Tip
Remember that protocol and port matter as much as the script name. For the enip-info script the exam expects -sU against port 44818; for modbus-discover expect TCP port 502.
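To see what the script is actually doing on the wire, here is the List Identity exchange it relies on. This is an added example written for this page, not the Nmap script itself or any vendor's code; the vendor table is a one-entry excerpt from the ODVA vendor ID list, and the reply that the test parses is assembled locally so the example runs offline, it was not captured from a real device. The request is the 24-byte EtherNet/IP encapsulation header with command 0x0063 and an empty payload; the reply carries one CIP Identity item per device with the fields the question asks for:

```python
import socket
import struct

ENIP_PORT = 44818
CMD_LIST_IDENTITY = 0x0063
ENCAP_HEADER = struct.Struct("<HHII8sI")   # command, length, session, status, sender context, options
CIP_IDENTITY_ITEM = 0x000C

# Partial vendor table from the ODVA vendor ID list; the Nmap script ships a fuller one.
VENDOR_NAMES = {1: "Rockwell Automation/Allen-Bradley"}


def build_list_identity_request(context=b"listid"):
    """24-byte encapsulation header with no payload: the List Identity command."""
    return ENCAP_HEADER.pack(CMD_LIST_IDENTITY, 0, 0, 0, context[:8].ljust(8, b"\0"), 0)


def parse_list_identity_response(data):
    """Decode the CIP Identity items in a List Identity reply into dicts."""
    cmd, length, _session, status, _ctx, _opts = ENCAP_HEADER.unpack_from(data, 0)
    if cmd != CMD_LIST_IDENTITY or status != 0:
        raise ValueError("not a successful List Identity reply")
    body = data[ENCAP_HEADER.size:ENCAP_HEADER.size + length]
    (item_count,) = struct.unpack_from("<H", body, 0)
    offset, devices = 2, []
    for _ in range(item_count):
        type_id, item_len = struct.unpack_from("<HH", body, offset)
        offset += 4
        item = body[offset:offset + item_len]
        offset += item_len
        if type_id != CIP_IDENTITY_ITEM:
            continue
        (version,) = struct.unpack_from("<H", item, 0)
        # The socket address inside the item is big-endian, unlike the rest of the message.
        _family, port, addr = struct.unpack_from(">hHI", item, 2)
        vendor, dev_type, product_code, rev_major, rev_minor, dev_status, serial = (
            struct.unpack_from("<HHHBBHI", item, 18)
        )
        name_len = item[32]
        name = item[33:33 + name_len].decode("ascii", "replace")
        state = item[33 + name_len]
        devices.append({
            "ip": socket.inet_ntoa(struct.pack(">I", addr)), "port": port,
            "vendor_id": vendor, "vendor_name": VENDOR_NAMES.get(vendor, f"vendor {vendor}"),
            "device_type": dev_type, "product_code": product_code,
            "revision": f"{rev_major}.{rev_minor}", "status": dev_status, "serial": serial,
            "product_name": name, "state": state, "encap_version": version,
        })
    return devices


def build_constructed_response():
    """A List Identity reply assembled here for testing; not captured from a real device."""
    name = b"Constructed Adapter"
    item = struct.pack("<H", 1)                                             # protocol version
    item += struct.pack(">hHI8s", 2, ENIP_PORT, 0xC0A80105, b"\0" * 8)      # AF_INET, port, 192.168.1.5
    item += struct.pack("<HHHBBHI", 1, 0x000C, 0x0042, 2, 1, 0x0030, 0x12345678)
    item += bytes([len(name)]) + name + bytes([3])                           # product name, state
    body = struct.pack("<HHH", 1, CIP_IDENTITY_ITEM, len(item)) + item      # item count, type, length
    return ENCAP_HEADER.pack(CMD_LIST_IDENTITY, len(body), 0, 0, b"\0" * 8, 0) + body


def probe(host, timeout=2.0):
    """Send the request over UDP 44818 to a real host (not exercised offline) and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_list_identity_request(), (host, ENIP_PORT))
        data, _ = sock.recvfrom(4096)
    return parse_list_identity_response(data)
```

Only run `probe` against equipment you are authorized to test: control devices can react badly to unexpected traffic, and the exam's -Pn and single-port scope is the minimum-footprint way to ask this question of a network.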
Question 19
A threat actor posted a thread and a graphic on a community message board that included a concealed harmful URL. When a user follows that URL the browser issues an authenticated request to a web application automatically. What type of attack is this?
- A. Clickjacking
- B. Cross-site scripting
- C. Cross-site request forgery
- D. SQL injection
The correct answer is Cross-site request forgery.
Cross-site request forgery happens when a malicious link or page causes a browser to send a request to a web application using the user’s authenticated session without the user’s intent. The scenario describes a concealed harmful URL that, when followed, makes the browser issue an authenticated request automatically which matches that behavior.
Defenses for Cross-site request forgery include using unpredictable anti-forgery tokens, setting the SameSite attribute on cookies, and validating origin or referer headers so that crafted links cannot perform actions on behalf of an authenticated user.
Clickjacking is incorrect because that attack tricks a user into clicking hidden or framed UI elements and does not require the browser to automatically issue an authenticated request simply by following a concealed link.
Cross-site scripting is incorrect because XSS injects and executes script in the context of a web page. While XSS can be used to perform many actions, the described behavior of an automatic authenticated request triggered by a link is the hallmark of CSRF rather than XSS.
SQL injection is incorrect because it targets a backend database by injecting malicious queries through application inputs and does not describe an attack that uses the user’s browser to send an authenticated request via a concealed URL.
Exam Tip
When a question describes an attacker causing a browser to act on the user’s existing session without explicit consent think CSRF and look for mentions of anti-forgery tokens or SameSite cookie defenses.
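The three defenses named above fit in a few dozen lines. The following is an added example written for this page, not code from any framework; the site origin, the session store and the requests are constructed to act out the scenario in the question. It mints a per-session anti-forgery token, emits the session cookie with SameSite, checks the Origin or Referer header, and shows the forged request succeeding only when those checks are switched off. It also encodes the browser rule that SameSite=Lax still sends the cookie on a top-level GET navigation, which is exactly what following a concealed link is, so state-changing actions must not be reachable by GET and the token check stays necessary:

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlparse

SITE_ORIGIN = "https://bank.example"   # assumed origin of the protected application
SESSIONS = {}                           # session id -> {"user": ..., "csrf": per-session token}


def login(user):
    """Create a session and mint an unpredictable anti-forgery token bound to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def session_cookie_header(sid):
    """Set-Cookie line with SameSite so cross-site requests do not carry the session by default."""
    cookie = SimpleCookie()
    cookie["session"] = sid
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


def cookie_sent_cross_site(samesite, method, top_level_navigation):
    """Browser rule of thumb: does a cross-site request carry a cookie with this SameSite value?"""
    if samesite == "Strict":
        return False
    if samesite == "Lax":
        return method in ("GET", "HEAD") and top_level_navigation   # plain links still carry it
    return True                                                     # None (must also be Secure)


def handle_transfer(request, csrf_protected=True):
    """POST /transfer. request is a dict with 'cookies', 'headers' and 'form' (constructed)."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401, "not logged in"
    if csrf_protected:
        source = request["headers"].get("Origin") or request["headers"].get("Referer")
        if source:
            parsed = urlparse(source)
            if f"{parsed.scheme}://{parsed.netloc}" != SITE_ORIGIN:
                return 403, "cross-site request blocked by origin check"
        token = request["form"].get("csrf_token", "")
        if not hmac.compare_digest(token, session["csrf"]):
            return 403, "missing or invalid anti-forgery token"
    return 200, f"{session['user']} sent {request['form']['amount']} to {request['form']['to']}"


def forged_request(sid):
    """What the victim's browser sends after following the attacker's concealed link (constructed)."""
    return {
        "cookies": {"session": sid},                          # attached automatically by the browser
        "headers": {"Referer": "https://forum.example/thread/42"},
        "form": {"to": "mallory", "amount": "500"},           # no token: the attacker cannot read it
    }


if __name__ == "__main__":
    sid = login("alice")
    print(session_cookie_header(sid))
    print("unprotected:", handle_transfer(forged_request(sid), csrf_protected=False))
    print("protected  :", handle_transfer(forged_request(sid)))
```

The token check is the one defense that does not depend on browser behaviour or on a header the attacker might strip, which is why it is the control the exam most often expects you to name.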
Question 20
Which cloud service model requires the customer to manage and maintain virtual machines, networking, and storage resources themselves?
- A. PaaS
- B. IaaS
- C. SaaS
- D. BaaS
IaaS is correct because it is the cloud service model where the customer is responsible for managing and maintaining virtual machines, networking, and storage themselves.
With IaaS the cloud provider supplies the underlying physical hardware and virtualization. The customer provisions and operates virtual machines and their guest operating systems, configures networking, attaches and manages storage, and installs any middleware and applications. Those responsibilities match managing VMs, networking, and storage directly.
PaaS is incorrect because the provider manages the infrastructure and the platform runtime, so the customer typically only deploys and manages applications and data rather than virtual machines or low level networking and storage.
SaaS is incorrect because the provider delivers a complete application and manages everything including the underlying servers, storage, and networking, so the customer simply uses the software and does not manage virtual machines.
BaaS is incorrect because it usually refers to Backend as a Service or Backup as a Service and it is not the model that requires customers to manage VMs and their networks. It generally abstracts infrastructure responsibilities or provides a specific managed service rather than the raw control offered by IaaS.
Exam Tip
Focus on who controls the operating system and networking when you see service model questions. If the customer manages VMs and attached storage the answer is likely IaaS.
Cameron McKenzie is an AWS Certified AI Practitioner, Machine Learning Engineer, Solutions Architect and author of many popular books in the software development and Cloud Computing space. His growing YouTube channel training devs in Java, Spring, AI and ML has well over 30,000 subscribers.