Certified Ethical Hacker (CEH) Exam

A cybersecurity analyst is working in a Security Operations Center and maintains a written log to account for any actions he takes during his overnight shift. In his written log, it says the following: 

00:00 The current size of the firewall log files is at an expected value of 4 MB
02:00 The firewall log file size has shrunk to 1.3 MB
03:00 The firewall log file size continued to shrink and is now 0.6 MB

What actions should the cybersecurity analyst recommend?

Options are :

  • Log the event as suspicious activity and report this behavior to the incident response team immediately
  • Log the event as suspicious activity, call a senior cybersecurity analyst/supervisor to look over the issue, and report this issue as quickly as possible
  • Run an antivirus scan on the log server because it might be infected by malware
  • Log the event as suspicious activity, continue to investigate, and act according to the organization’s security policy (Correct)

Answer : Log the event as suspicious activity, continue to investigate, and act according to the organization’s security policy

Explanation Firewall log files should not be shrinking in size, but usually grow to a maximum capacity (in this case, expected was 4 MB), then overwrite the older information. Since the file size is shrinking, it could be an indication of malicious activity and should be logged as suspicious and investigated. As an analyst, you may or may not have the ability to call the incident response team directly; this depends on your organization’s security policy and roles/responsibilities. Therefore, it is important to consider your organization's security policy.

What type of technique can perform a Connection String Parameter Pollution (CSPP) attack?

Options are :

  • Injecting parameters into a connection string using semicolons as a separator (Correct)
  • Inserting malicious JavaScript code into input parameters
  • Setting a user's session identifier (SID) to an explicit known value
  • Adding multiple parameters with the same name in HTTP requests

Answer : Injecting parameters into a connection string using semicolons as a separator

Explanation Connection String Parameter Pollution (CSPP) specifically exploits the semicolon-delimited database connection strings that are constructed dynamically based on user inputs from web applications. CSPP, if carried out successfully, can be used to steal user identities and hijack web credentials. CSPP is a high-risk attack because of the relative ease with which it can be carried out (low access complexity) and the potential results it can have (high impact).

What is the most secure way to mitigate the theft of corporate information from a laptop that was left in a taxicab?

Options are :

  • Use a secure BIOS password
  • Backup everything on the laptop and store the backup in a safe place
  • Encrypt the hard drive contents (Correct)
  • Use a long and strong password to login to Windows

Answer : Encrypt the hard drive contents

Explanation Utilizing full disk encryption, like BitLocker, will ensure the contents of the hard drive are encrypted and inaccessible if the laptop is lost or stolen. While all the other options are good security measures, encrypting the drive specifically addresses the issue of a lost/stolen device.

What programming language is most vulnerable to buffer overflow attacks?

Options are :

  • Python
  • Swift
  • C++ (Correct)
  • Java

Answer : C++

Explanation Many memory manipulation functions in C and C++ do not perform bounds checking and can easily overwrite the allocated bounds of the buffers they operate upon. Newer languages like Python, Java, and Swift do a better job of protecting against a buffer overflow, but even they are not perfect.

What cryptographic attack method is usually performed without the use of a computer?

Options are :

  • Chosen key attack
  • Ciphertext-only attack
  • Rubber hose attack (Correct)
  • Rainbow table attack

Answer : Rubber hose attack

Explanation The rubber-hose attack is a nickname for the extraction of cryptographic secrets from a person by coercion or torture, such as beating that person with a rubber hose until they give up the encryption key.

What is the most efficient way to crack the passwords for users in a Windows 2003 Active Directory server?

Options are :

  • Rainbow table (Correct)
  • Dictionary attack
  • Brute force attack
  • Hybrid attack

Answer : Rainbow table

Explanation Using a rainbow table is the most efficient way to crack a password in a Windows 2003 or above Active Directory environment. The use of rainbow tables allows passwords to be cracked in a very short amount of time compared with brute-force methods; however, the trade-off is that it takes a lot of storage (sometimes terabytes) to hold the rainbow tables themselves.

What best describes a component of Public Key Infrastructure (PKI) where a copy of a private key is stored to provide third-party access and to facilitate recovery operations?

Options are :

  • Directory
  • Key registry
  • Key escrow (Correct)
  • Recovery agent

Answer : Key escrow

Explanation Key escrow is an arrangement in which the keys needed to decrypt encrypted data are held in escrow so that, under certain circumstances, an authorized third party may gain access to those keys.

Which cryptographic algorithm might be used to create the password hashes used to protect access to a web-based application?

Options are :

  • AES
  • Diffie-Hellman
  • SHA1 (Correct)
  • RSA

Answer : SHA1

Explanation SHA1 and SHA-256 are two of the commonly used hash algorithms to secure the storage of passwords and other authentication mechanisms for web-based applications. Older systems may also use the MD5 hash algorithm.

You are using Kali Linux and want to start the Nessus client in the background so that the Nessus server can be configured. What command should you use?

Options are :

  • nessus & (Correct)
  • nessus *s
  • nessus +
  • nessus -d

Answer : nessus &

Explanation In Linux, if you start a command with the “&” symbol after it, the command is run in the background and you are returned to the prompt to enter additional commands.

What type of intrusion detection system can monitor and alert on attacks, but cannot stop them?

Options are :

  • Passive (Correct)
  • Intuitive
  • Detective
  • Reactive

Answer : Passive

Explanation Passive intrusion detection systems only monitor networks and alert/log attacks. Active intrusion detection systems, also called Intrusion Protection Systems (IPS), can take a more proactive approach by blocking network traffic based on known rulesets.

What type of security control would prohibit employees from bringing personal computing devices into a facility?

Options are :

  • Procedural (Correct)
  • Physical
  • Compliance
  • Technical

Answer : Procedural

Explanation Procedural security controls are security controls that mitigate identified risks by way of policies, procedures, or guidelines. In this case, preventing employees from bringing in personal electronic devices can prevent the introduction of new risk to the network or reduce the risk of data theft.

What part of a computer system will an anti-virus program scan if it is looking for rootkits?

Options are :

  • Boot Sector (Correct)
  • Windows Process List
  • Password Protected Files
  • Deleted Files

Answer : Boot Sector

Explanation Rootkits are most commonly hidden in the Boot Sector of a hard disk; therefore, to be most effective, the anti-virus should be run from an external source (DVD, USB Drive, etc.) and should scan the entire hard disk, especially the boot sector.

Which NMAP switch would a hacker use to determine which IP addresses are currently active on a network?

Options are :

  • -sS
  • -sP (Correct)
  • -sU
  • -sO

Answer : -sP

Explanation NMAP uses the -sP switch to conduct a simple ping scan to determine which hosts are online. The -sP switch still works in the most recent version of NMAP, but it is considered a legacy switch and is deprecated in the source code. The most modern version of NMAP now uses -sn to perform a ping scan instead.

After issuing the command “telnet jasondion.com 80” and connecting to the server, what command is used to conduct the banner grab?

Options are :

  • HEAD / HTTP/2.0
  • PUT / HTTP/2.0
  • PUT / HTTP/1.1
  • HEAD / HTTP/1.1 (Correct)

Answer : HEAD / HTTP/1.1

Explanation To conduct a banner grab using telnet, you first must connect to the server using “telnet webserver 80”. Once the connection is established, you will receive a blank prompt and you issue the command “HEAD / HTTP/1.1”, which requests the document header from the server. This will provide information such as the server software version and the operating system of the server.

What type of weakness is John the Ripper used to test during a technical assessment?

Options are :

  • Firewall rulesets
  • File permissions
  • Usernames
  • Passwords (Correct)

Answer : Passwords

Explanation John the Ripper is a free, open-source password cracking software tool. It is utilized to test the strength of passwords during a technical assessment. John the Ripper supports both dictionary and brute force attacks.

What kind of mapping does static NAT utilize?

Options are :

  • Many-to-one
  • One-to-one (Correct)
  • Many-to-many
  • One-to-many

Answer : One-to-one

Explanation Static NAT uses a one-to-one mapping of internal to external IP addresses.

A cybersecurity analyst is trying to map the organization's internal network. The analyst enters the following command (nmap -n -sS -P0 -p 80 10.0.3.0/24). What type of scan is this?

Options are :

  • Comprehensive Scan
  • Quick Scan
  • Stealth Scan (Correct)
  • Intense Scan

Answer : Stealth Scan

Explanation In NMAP, the -sS command signifies a stealth scan. This is also known as a SYN scan, and is the most popular scan option, for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy, since it never completes TCP connections.

Encryption meets what security control role?

Options are :

  • Defensive
  • Detective
  • Offensive
  • Preventative (Correct)

Answer : Preventative

Explanation Preventative controls are designed to prevent the threat from coming in contact with the weakness. By encrypting data, you prevent the threat of data theft from being realized since the data cannot be read in its encrypted state.

What is a detective control?

Options are :

  • Audit trail (Correct)
  • Smart card authentication
  • Continuity of operations plan
  • Security policy

Answer : Audit trail

Explanation A “detective control” is a type of internal control mechanism intended to find problems within a company's processes. Detective controls may be employed in accordance with many different goals, such as quality control, fraud prevention and legal compliance. In terms of cybersecurity, the most commonly used detective controls are audit trails and logging.

Threat modeling occurs during what phase of the software security development lifecycle process?

Options are :

  • Design (Correct)
  • Implementation
  • Verification
  • Requirements

Answer : Design

Explanation System design describes desired features and operations in detail, including screen layouts, business rules, process diagrams, pseudocode and other documentation.

What setting enables Nessus to detect when it is sending too many packets and the network pipe is approaching capacity?

Options are :

  • Reduce parallel connections on congestion (Correct)
  • Netstat WMI Scan
  • Consider unscanned ports as closed
  • Silent Dependencies

Answer : Reduce parallel connections on congestion

Explanation The Reduce Parallel Connections on Congestion setting is used in Nessus to reduce the number of packets being sent on the network to avoid choking the network bandwidth.

An ethical hacker has been hired to conduct a physical penetration test of a company. During the first day of the test, the ethical hacker dresses up like a plumber and waits in the main lobby of the building until an employee goes through the main turnstile. As soon as the employee enters his access number and proceeds to go through the turnstile, the ethical hacker follows them through the access gate. What type of attack did the ethical hacker utilize to access the restricted area of the building?

Options are :

  • Man trap
  • Social engineering
  • Shoulder surfing
  • Tailgating (Correct)

Answer : Tailgating

Explanation Based on the description, the ethical hacker is conducting a very specialized type of social engineering attack known as “tailgating”. Sometimes on a certification exam, there are two correct answers, but one is “more” correct. This question is an example of that concept. Tailgating involves someone who lacks the proper authentication following an employee into a restricted area.

A penetration tester has exploited an FTP server using Metasploit and now wants to pivot to the organization’s LAN. What is the best method for the penetration tester to use to conduct the pivot?

Options are :

  • Set the payload to propagate through meterpreter
  • Create a route statement in meterpreter (Correct)
  • Reconfigure the network settings in meterpreter
  • Issue the pivot exploit and setup meterpreter

Answer : Create a route statement in meterpreter

Explanation Since the penetration tester has been able to exploit the FTP server from outside the LAN, they will need to set up a route statement in meterpreter. Metasploit makes this very simple, since it also has an autoroute meterpreter script that will allow us to attack this second network through our first compromised machine (the FTP server) by creating the routes we need.

What type of malware usually targets Microsoft Office products?

Options are :

  • Polymorphic virus
  • Macro virus (Correct)
  • Stealth virus
  • Multipart virus

Answer : Macro virus

Explanation Macro viruses usually infect Microsoft Word or Excel files and cause a sequence of actions to be performed automatically when the host application (Word or Excel) is started and reads the file. Macros allow users to embed programming code into Microsoft Office files for useful purposes, but attackers have also used this to create macro viruses.

An attacker was able to gain access to your organization's network closet while posing as an HVAC technician. While he was there, he installed a network sniffer in your switched network environment. The attacker now wants to sniff all of the packets in the network. What attack should he use?

Options are :

  • Smurf
  • Tear Drop
  • Fraggle
  • MAC Flood (Correct)

Answer : MAC Flood

Explanation MAC flooding is a technique employed to compromise the security of switched network devices. The attack forces legitimate MAC addresses out of the table of contents in the switch and forces a unicast flooding behavior, potentially sending sensitive information to portions of the network where it is not normally intended to go. Essentially, since the switch table of contents is flooded with bad information, the switch "fails open" and begins to act like a hub, broadcasting all the frames out every port. This would allow the attacker to sniff all of the network packets since he is connected to one of those switch ports.

During a penetration test, you have captured a target file that is encrypted with public key cryptography. What attack could you use to crack the target file's encryption?

Options are :

  • Memory trade-off attack
  • Replay attack
  • Chosen plain-text attack (Correct)
  • Timing attack

Answer : Chosen plain-text attack

Explanation A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which presumes that the attacker can obtain the ciphertexts for arbitrary plaintexts. The goal of the attack is to gain information that reduces the security of the encryption scheme. Since you have access to the public key, but not the private key, you can choose your plaintext to be encrypted with the public key to use during cryptanalysis.

What defines the role of a Certificate Authority (CA) in a Public Key Infrastructure (PKI)?

Options are :

  • CA is the trusted root that issues certificates (Correct)
  • CA stores the user's hash value for safekeeping
  • CA is the recovery agent used to encrypt data when a user's certificate is lost
  • CA is used to encrypt email messages to prevent unintended disclosure of data

Answer : CA is the trusted root that issues certificates

Explanation A certificate authority or certification authority (CA) is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate.

What kind of security vulnerability would a newly discovered flaw in a software application be considered?

Options are :

  • HTTP header injection vulnerability
  • Time-to-check to time-to-use flaw
  • Zero-day vulnerability (Correct)
  • Input validation flaw

Answer : Zero-day vulnerability

Explanation A zero-day vulnerability refers to a hole in software that is unknown to the vendor and newly discovered. This security hole can be exploited by hackers before the vendor becomes aware of it and is able to fix it.

How are the two types of sniffing categorized?

Options are :

  • Unmanaged and managed
  • Broadcast and unicast
  • Active and passive (Correct)
  • Filtered and unfiltered

Answer : Active and passive

Explanation There are two basic types of sniffing: active and passive. Sniffing is the process of capturing traffic sent between two systems. Active sniffing involves launching an Address Resolution Protocol (ARP) spoofing or traffic-flooding attack against a switch in order to capture the traffic. Passive sniffing involves listening and capturing traffic, and is useful in a network connected by hubs or when you are trying to be more covert during your packet sniffing.

If a cybersecurity analyst determines that the organization's web server is currently being hacked, what should they do next?

Options are :

  • Determine the origin of the attack and launch a counterattack
  • Record as much information as possible from the attack (Correct)
  • Unplug the network connection on the web server
  • Perform a system restart on the company's web server

Answer : Record as much information as possible from the attack

Explanation The cybersecurity analyst should record as much information as possible from the attack and then notify the Security Incident Response Team to begin the response, recovery, and remediation actions.

What information does a risk assessor need to receive from an IT system administrator?

Options are :

  • Security architecture (Correct)
  • Threat statement
  • Impact analysis
  • Management buy-in

Answer : Security architecture

Explanation When conducting a risk assessment, all information about the security architecture should be provided in order for the risk assessor to make a proper risk determination recommendation. For this reason, the risk assessor should be a trusted entity or contractor due to the detailed level of vulnerability information and security architecture information to which they will receive access.

What technique identifies if a computer’s file has been changed?

Options are :

  • Firewall alerts
  • Network sniffing
  • Integrity checking hashes (Correct)
  • Permission sets

Answer : Integrity checking hashes

Explanation Integrity checking of a file is conducted by comparing the current hash value of the file against its known-good hash value. If the file has been modified or changed in any way, its new hash value will be significantly different than its known-good hash value and an alert can be flagged to the analyst.

What algorithm is optimized for confidential communications, such as bidirectional voice and video?

Options are :

  • RC4 (Correct)
  • MD5
  • RC5
  • MD4

Answer : RC4

Explanation In cryptography, RC4 (Rivest Cipher) is the most widely used software stream cipher and is used in popular protocols such as Transport Layer Security (TLS) (to protect Internet traffic) and WEP (to secure wireless networks). RC4 is now considered weak, but based on the choices provided, only RC4 and RC5 are bidirectional. RC5 is a block cipher, making it slower and not as effective for voice and video. MD4 and MD5 are both hash algorithms; therefore they cannot be used bi-directionally.

What is a hardware requirement that either a proxy server or IDS/IPS system must have to function properly?

Options are :

  • Very fast network interface cards
  • They must be dual-homed (Correct)
  • Large RAM requirements
  • A fast CPU to use for network traffic analysis

Answer : They must be dual-homed

Explanation Since proxy servers and IDS/IPS systems work primarily as network security devices, it is important that they are dual-homed and connected to two different networks. This allows them to transfer data between the two networks, since being dual-homed lets them send and receive information from both networks, logging or blocking data which should not be passed between the two networks.

What should be implemented to minimize the threat of a man-in-the-middle attack from occurring if you are deploying a secure remote access solution to allow your employees to connect to the organization’s internal network?

Options are :

  • IPSec (Correct)
  • SSL
  • Mutual authentication
  • Static IP addresses

Answer : IPSec

Explanation A VPN is created by establishing a virtual point-to-point connection through the use of dedicated connections, virtual tunneling protocols or traffic encryption, such as PPTP (Point-to-Point Tunneling Protocol) or Internet Protocol Security (IPSec). All data transmission is encrypted so that even if it is intercepted, the attacker will have no idea about the content of the traffic. This is the most common solution to providing secure remote access. SSL should not be used, as it is older and considered no longer secure.

A software tester wants to ensure that the software is not changing or tampering with critical data on the backend of the system. What can the software tester do to ensure that the software is trusted?

Options are :

  • Secure coding principles
  • Proper testing
  • Systems security and architecture review
  • Analysis of interrupts within the software (Correct)

Answer : Analysis of interrupts within the software

Explanation The software tester should conduct an analysis of the interrupts within the software to determine if the data is being modified or changed. The software tester cannot ensure secure coding principles were utilized since they are not the coder. The systems security and architecture review occurs at a higher (more macro) level, so it will not be able to determine if the critical data was changed by the software. The software tester should always conduct proper testing, but this alone will not help him determine if the software is trusted; it can only tell him if the software is functional.

A cybersecurity analyst at a mid-sized retail chain has been asked to determine how much information can be gathered from the store’s public web server. The analyst opens up the terminal on his Kali Linux workstation and decides to use netcat to gather some information. What type of action did the analyst perform, based on the command and response below?


Options are :

  • SQL injection attack
  • Query to the Whois database
  • Cross-site scripting attack
  • Banner grabbing (Correct)

Answer : Banner grabbing

Explanation The analyst conducted banner grabbing. Banner grabbing is a technique used to learn information about a computer system on a network and the services running on its open ports. In the question, the command “nc www.webserver.com 80” was used to establish a connection to a target web server using Netcat, then send an HTTP request (HEAD / HTTP/1.1). The response contains information about the service running on the web server. In this example, it reveals the server software version (Apache 2.0.46) and the type of operating system (Red Hat Linux).

While conducting a penetration test of an organization's web applications, you attempt to insert the following script into the search form on the company's web site:

<IMG SRC=vbscript:msgbox("This site is vulnerable to an attack!");>

alert("This site is vulnerable to an attack!")

You then clicked the search button and a pop-up box appears on your screen showing the following text, "This site is vulnerable to an attack!"
Based on this response, what vulnerability have you uncovered in the web application?

Options are :

  • Cross-site request forgery
  • Cross-site scripting (Correct)
  • Distributed denial of service
  • Buffer overflow

Answer : Cross-site scripting

Explanation This is a form of Cross-Site Scripting (XSS). Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.

A penetration tester was able to sniff packets on an organization’s wireless network and discovered the key (01001011 10110010) and the ciphertext (01011010 01100101). Using an Exclusive OR function, what was the original message sent over the wireless network?

Options are :

  • 00010001 11010111 (Correct)
  • 00100000 01001011
  • 11110010 01011011
  • 1110111 01011011

Answer : 00010001 11010111

Explanation To regain the original message from the key and ciphertext using the exclusive OR (XOR) function, you need to compare each digit of the key and the ciphertext against each other. If both are 1s or both are 0s, you receive a 0. If one is 1 and the other is 0, you receive a 1. Therefore, the answer is 00010001 11010111.

An attacker is using the nslookup interactive mode to locate information on a Domain Name Service (DNS). What command should they type to request the appropriate records for only name servers?

Options are :

  • transfer type=ns
  • set type=ns (Correct)
  • request type=ns
  • locate type=ns

Answer : set type=ns

Explanation The “set type=ns” command tells nslookup to only report information on name servers. If you used “set type=mx” instead, you would receive information only about mail exchange servers.

What is a common Service Oriented Architecture (SOA) vulnerability?

Options are :

  • XML denial of service issues (Correct)
  • VPath injection
  • Cross-site scripting
  • SQL injection

Answer : XML denial of service issues

Explanation Service Oriented Architecture (SOA) is an architectural paradigm whose aim is to achieve loose coupling amongst interacting distributed systems. SOA is used by enterprises to efficiently and cost-effectively integrate heterogeneous systems. However, SOA is affected by several security vulnerabilities, thus affecting the speed of its deployment in organizations. SOA is most commonly vulnerable to an XML denial of service.

If you are unable to ping a target because you are receiving no response or a response that states the destination is unreachable, then ICMP may be disabled on the remote end. If you wanted to try to elicit a response from a host using TCP, what tool would you use?

Options are :

  • Broadcast ping
  • TCP ping
  • Traceroute
  • Hping (Correct)

Answer : Hping

Explanation Hping is a handy little utility that assembles and sends custom ICMP, UDP, or TCP packets and then displays any replies. It was inspired by the ping command, but offers far more control over the probes sent. It also has a handy traceroute mode and supports IP fragmentation. Hping is particularly useful when trying to traceroute/ping/probe hosts behind a firewall that blocks attempts using the standard utilities. This often allows you to map out firewall rule sets. It is also great for learning more about TCP/IP and experimenting with IP protocols. Hping doesn't support IPv6, though, so the creators of NMAP have created Nping to fill this gap and serve as an updated variant of Hping.

A penetration tester is attempting to scan an internal corporate network from the internet without alerting the border sensor. What is the most efficient technique that a penetration tester should use to scan an internal organizational network from the internet without alerting the sensor placed at the network’s border?

Options are :

  • Tunneling the scan over SSH (Correct)
  • Tunneling the scan over high port numbers
  • Scanning using fragmented IP packets
  • Spoofing an IP address

Answer : Tunneling the scan over SSH

Explanation By tunneling the scan over SSH, the penetration tester can scan the internal organizational network from a previously compromised box. The penetration tester will create an SSH tunnel to the compromised box, then conduct the local scan of the organizational network using NMAP and SSH local port forwarding through that compromised box.

You have conducted an NMAP scan of a server and found that port 69 is open. What type of risk could this pose to your network?

Options are :

  • Unauthenticated access (Correct)
  • Weak SSL version
  • Cleartext login
  • Web portal data leak

Answer : Unauthenticated access

Explanation Port 69 is used for Trivial File Transfer Protocol (TFTP). TFTP allows a client to get a file from or put a file onto a remote host. TFTP has no login or access control mechanisms; therefore, it should not be used, or your organization could allow unauthenticated access into your network.

What type of malicious application does not require user intervention or another application to act as a host in order for it to replicate?

Options are :

  • Virus
  • Macro
  • Worm (Correct)
  • Trojan

Answer : Worm

Explanation A worm is a self-replicating type of malware that does not require user intervention or another application to act as a host in order for it to replicate. Viruses and Macros require user intervention to spread, and Trojans are hosted within another application that appears to be harmless.

One of your friends wants to be able to send encrypted emails from their home computer using their personal email account. They don’t want to pay for any commercial software or have to manage a special server to handle the encrypted communications. What technology should your friend utilize as a secure encryption protocol to accomplish this?

Options are :

  • Multipurpose Internet Mail Extensions (MIME)
  • IP Security (IPSec)
  • Hyper Text Transfer Protocol with Secure Socket Layer (HTTPS)
  • Pretty Good Privacy (PGP) (Correct)

Answer : Pretty Good Privacy (PGP)

Explanation Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications. PGP is available both as commercial software and as a free, open-source variant; therefore, it meets your friend’s requirements.

A cybersecurity analyst is applying for a new job with a penetration testing firm. He received the job application as a secured Adobe PDF file, but unfortunately the firm locked the file with a password so the potential employee cannot fill in the application. Instead of asking for an unlocked copy of the document, the analyst decides to write a script in Python to attempt to unlock the PDF file by using passwords from a list of commonly used passwords until he finds the correct password or has attempted every password in his list. Based on this description, what kind of cryptographic attack did the analyst perform?

Options are :

  • Session hijacking
  • Brute-force attack
  • Dictionary attack (Correct)
  • Man-in-the-middle attack

Answer : Dictionary attack

Explanation A dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by trying hundreds or sometimes millions of likely possibilities, such as words in a dictionary. The key to answering this question is that he is “using passwords from a list”.
