Eccouncil 312-50 Exam Questions

Questions for the 312-50 were updated on : Dec 16 ,2025

Page 1 out of 39. Viewing questions 1-15 out of 573

Question 1

You are the lead cybersecurity analyst at a multinational corporation that uses a hybrid encryption
system to secure inter-departmental communications. The system uses RSA encryption for key
exchange and AES for data encryption, taking advantage of the strengths of both asymmetric and
symmetric encryption. Each RSA key pair has a size of 'n' bits, with larger keys providing more
security at the cost of slower performance. The time complexity of generating an RSA key pair is
O(n^2), and AES encryption has a time complexity of O(n). An attacker has developed a quantum
algorithm with time complexity O((log n)^2) to crack RSA encryption. Given 'n=4000' and variable
'AES key size', which scenario is likely to provide the best balance of security and performance?

  • A. AES key size=128 bits: This configuration provides less security than option A, but RSA key generation and AES encryption will be faster.
  • B. AES key size=256 bits: This configuration provides a high level of security, but RSA key generation may be slow.
  • C. AES key size=192 bits: This configuration is a balance between options A and B, providing moderate security and performance.
  • D. AES key size=512 bits: This configuration provides the highest level of security but at a significant performance cost due to the large AES key size.
Answer:

A

Explanation:
A hybrid encryption system is a system that combines the advantages of both asymmetric and
symmetric encryption algorithms. Asymmetric encryption, such as RSA, uses a pair of keys: a public
key and a private key, which are mathematically related but not identical. Asymmetric encryption
can provide key exchange, authentication, and non-repudiation, but it is slower and less efficient
than symmetric encryption. Symmetric encryption, such as AES, uses a single key to encrypt and
decrypt data. Symmetric encryption is faster and more efficient than asymmetric encryption, but it
requires a secure way to share the key.
In a hybrid encryption system, RSA encryption is used for key exchange, and AES encryption is used
for data encryption. This way, the system can benefit from the security of RSA and the speed of AES.
However, the system also depends on the key sizes of both algorithms, which affect the security and
performance of the system.
The key size of RSA encryption determines the number of bits in the public and private keys. The
larger the key size, the more secure the encryption, but also the slower the key generation and
encryption/decryption processes. The time complexity of generating an RSA key pair is O(n^2),
where n is the key size in bits. This means that the time required to generate an RSA key pair
increases quadratically with the key size. For example, if it takes 1 second to generate a 1024-bit RSA
key pair, it will take 4 seconds to generate a 2048-bit RSA key pair, and 16 seconds to generate a
4096-bit RSA key pair.
The key size of AES encryption determines the number of bits in the symmetric key. The larger the
key size, the more secure the encryption, but also the more rounds of encryption/decryption are
needed. The time complexity of AES encryption is O(n), where n is the key size in bits. This means
that the time required to encrypt/decrypt data increases linearly with the key size. For example, if it
takes 1 second to encrypt/decrypt data with a 128-bit AES key, it will take 2 seconds to
encrypt/decrypt data with a 256-bit AES key, and 4 seconds to encrypt/decrypt data with a 512-bit
AES key.
An attacker has developed a quantum algorithm with time complexity O((log n)^2) to crack RSA
encryption. This means that the time required to break RSA encryption decreases exponentially with
the key size. For example, if it takes 1 second to break a 1024-bit RSA encryption, it will take 0.25
seconds to break a 2048-bit RSA encryption, and 0.0625 seconds to break a 4096-bit RSA encryption.
This makes RSA encryption vulnerable to quantum attacks, unless the key size is very large.
Given n=4000 and variable AES key size, the scenario that is likely to provide the best balance of
security and performance is C. AES key size=192 bits. This configuration is a compromise between
options A and B, providing moderate security and performance. Option A, AES key size=128 bits,
provides less security than option C, but RSA key generation and AES encryption will be faster. Option
B, AES key size=256 bits, provides more security than option C, but RSA key generation may be slow.
Option D, AES key size=512 bits, provides the highest level of security, but at a significant
performance cost due to the large AES key size.
Reference:
Hybrid cryptosystem - Wikipedia
RSA (cryptosystem) - Wikipedia
Advanced Encryption Standard - Wikipedia
Quantum computing and cryptography - Wikipedia

Question 2

An ethical hacker has been tasked with assessing the security of a major corporation's network. She
suspects the network uses default SNMP community strings. To exploit this, she plans to extract
valuable network information using SNMP enumeration. Which tool could best help her to get the
information without directly modifying any parameters within the SNMP agent’s management
information base (MIB)?

  • A. snmp-check (snmp_enum Module) to gather a wide array of information about the target
  • B. Nmap, with a script to retrieve all running SNMP processes and associated ports
  • C. OpUtils, which are mainly designed for device management and not SNMP enumeration
  • D. SnmpWalk, with a command to change an OID to a different value
Answer:

A

Explanation:
snmp-check (snmp_enum Module) is the best tool to help the ethical hacker to get the information
without directly modifying any parameters within the SNMP agent’s MIB. snmp-check is a tool that
allows the user to enumerate SNMP devices and extract information from them. It can gather a wide
array of information about the target, such as system information, network interfaces, routing tables,
ARP cache, installed software, running processes, TCP and UDP services, user accounts, and more.
snmp-check can also perform brute force attacks to discover the SNMP community strings, which are
the passwords used to access the SNMP agent. snmp-check is available as a standalone tool or as a
module (snmp_enum) within the Metasploit framework.
The other options are not as effective or suitable as snmp-check for the ethical hacker’s task. Nmap is
a network scanning and enumeration tool that can perform various types of scans and probes on the
target. It can also run scripts to perform specific tasks, such as retrieving SNMP information.
However, Nmap may not be able to gather as much information as snmp-check, and it may also
trigger alerts or blocks from firewalls or intrusion detection systems. Oputils is a network monitoring
and management toolset that can perform various functions, such as device discovery, configuration
backup, bandwidth monitoring, IP address management, and more. However, Oputils is mainly
designed for device management and not SNMP enumeration, and it may not be able to extract
valuable network information from the SNMP agent. SnmpWalk is a tool that allows the user to
retrieve the entire MIB tree of an SNMP agent by using SNMP GETNEXT requests. However,
SnmpWalk is not suitable for the ethical hacker’s task, because it requires the user to change an OID
(object identifier) to a different value, which may modify the parameters within the SNMP agent’s
MIB and affect its functionality or security.
Reference:
snmp-check - The SNMP enumerator
SNMP Enumeration | Ethical Hacking - GreyCampus
SNMP Enumeration - GeeksforGeeks
Nmap - the Network Mapper - Free Security Scanner
OpUtils - Network Monitoring & Management Toolset
SnmpWalk - SNMP MIB Browser

Question 3

An IT company has just implemented new security controls to their network and system setup. As a
Certified Ethical Hacker, your responsibility is to assess the possible vulnerabilities in the new setup.
You are given the information that the network and system are adequately patched with the latest
updates, and all employees have gone through recent cybersecurity awareness training. Considering
the potential vulnerability sources,
what is the best initial approach to vulnerability assessment?

  • A. Checking for hardware and software misconfigurations to identify any possible loopholes
  • B. Evaluating the network for inherent technology weaknesses prone to specific types of attacks
  • C. Investigating if any ex-employees still have access to the company’s system and data
  • D. Conducting social engineering tests to check if employees can be tricked into revealing sensitive information
Answer:

A

Explanation:
A vulnerability assessment is a systematic review of security weaknesses in an information system. It
evaluates if the system is susceptible to any known vulnerabilities, assigns severity levels to those
vulnerabilities, and recommends remediation or mitigation, if and whenever needed. A
vulnerability assessment can be performed using various tools and techniques, depending on the
scope and objectives of the assessment.
Considering the potential vulnerability sources, the best initial approach to vulnerability assessment
is to check for hardware and software misconfigurations to identify any possible loopholes. Hardware
and software misconfigurations are common sources of vulnerabilities that can expose the system to
unauthorized access, data breaches, or service disruptions. Hardware and software misconfigurations
can include:
  • Insecure default settings, such as weak passwords, open ports, unnecessary services, or verbose error messages.
  • Improper access control policies, such as granting excessive privileges, allowing anonymous access, or failing to revoke access for terminated users.
  • Lack of encryption or authentication mechanisms, such as using plain text protocols, storing sensitive data in clear text, or transmitting data without verifying the identity of the sender or receiver.
  • Outdated or incompatible software versions, such as using unsupported or deprecated software, failing to apply security patches, or having software conflicts or dependencies.
Checking for hardware and software misconfigurations can help identify any possible loopholes that
could be exploited by attackers to compromise the system or the data. Checking for hardware and
software misconfigurations can be done using various tools, such as:
  • Configuration management tools, such as Ansible, Puppet, or Chef, that can automate the deployment and maintenance of consistent and secure configurations across the system.
  • Configuration auditing tools, such as Nipper, Lynis, or OpenSCAP, that can scan the system for deviations from the desired or expected configurations and report any issues or vulnerabilities.
  • Configuration testing tools, such as Inspec, Serverspec, or Testinfra, that can verify the system’s compliance with the specified configuration rules and standards.
Therefore, checking for hardware and software misconfigurations is the best initial approach to
vulnerability assessment, as it can help identify and eliminate any possible loopholes that could pose
a security risk to the system or the data.
Reference:
Vulnerability Assessment Principles | Tenable®
Configuration Management Tools: A Complete Guide - Guru99
Top 10 Configuration Auditing Tools - Infosec Resources
Configuration Testing Tools: A Complete Guide - Guru99

Question 4

A skilled ethical hacker was assigned to perform a thorough OS discovery on a potential target. They
decided to adopt an advanced fingerprinting technique and sent a TCP packet to an open TCP port
with specific flags enabled. Upon receiving the reply, they noticed the flags were SYN and ECN-Echo.
Which test did the ethical hacker conduct and why was this specific approach adopted?

  • A. Test 3: The test was executed to observe the response of the target system when a packet with URG, PSH, SYN, and FIN flags was sent, thereby identifying the OS
  • B. Test 1: The test was conducted because SYN and ECN-Echo flags enabled to allow the hacker to probe the nature of the response and subsequently determine the OS fingerprint
  • C. Test 2: This test was chosen because a TCP packet with no flags enabled is known as a NULL packet and this would allow the hacker to assess the OS of the target
  • D. Test 6: The hacker selected this test because a TCP packet with the ACK flag enabled sent to a closed TCP port would yield more information about the OS
Answer:

B

Explanation:
The ethical hacker conducted Test 1, which is a TCP/IP stack fingerprinting technique that uses the
SYN and ECN-Echo flags to determine the OS of the target system. The SYN flag is used to initiate a
TCP connection, and the ECN-Echo flag is used to indicate that the sender supports Explicit
Congestion Notification (ECN), which is a mechanism to reduce network congestion. Different OSes
have different implementations and responses to these flags, which can reveal their identity. For
example, Windows XP and 2000 will reply with SYN and ECN-Echo flags set, while Linux will reply
with only SYN flag set. By sending a TCP packet with these flags enabled to an open TCP port and
observing the reply, the ethical hacker can probe the nature of the response and subsequently
determine the OS fingerprint.
The ethical hacker adopted this specific approach because it is an advanced and stealthy technique
that can evade some firewalls and intrusion detection systems (IDS) that may block or alert other
types of packets, such as NULL, FIN, or Xmas packets. Moreover, this technique can provide more
accurate and reliable results than other techniques, such as banner grabbing or passive analysis, that
may depend on the availability or validity of the information provided by the target system.
The other options are not correct, as they describe different tests and reasons. Test 3 is a TCP/IP stack
fingerprinting technique that uses the URG, PSH, SYN, and FIN flags to determine the OS of the target
system. Test 2 is a TCP/IP stack fingerprinting technique that uses a NULL packet, which is a TCP
packet with no flags enabled, to determine the OS of the target system. Test 6 is a TCP/IP stack
fingerprinting technique that uses the ACK flag, which is used to acknowledge the receipt of a TCP
segment, to determine the OS of the target system.
Reference:
OS and Application Fingerprinting | SANS Institute
Operating System Fingerprinting | SpringerLink
OS and Application Fingerprinting - community.akamai.com
What is OS Fingerprinting and Techniques - Zerosuniverse

Question 5

In your cybersecurity class, you are learning about common security risks associated with web
servers. One topic that comes up is the risk posed by using default server settings. Why is using
default settings on a web server considered a security risk, and what would be the best initial step to
mitigate this risk?

  • A. Default settings cause server malfunctions; simplify the settings
  • B. Default settings allow unlimited login attempts; setup account lockout
  • C. Default settings reveal server software type; change these settings
  • D. Default settings enable auto-updates; disable and manually patch
Answer:

C

Explanation:
Using default settings on a web server is considered a security risk because it can reveal the server
software type and version, which can help attackers identify potential vulnerabilities and launch
targeted attacks. For example, if the default settings include a server signature that displays the
name and version of the web server software, such as Apache 2.4.46, an attacker can search for
known exploits or bugs that affect that specific software and version. Additionally, default settings
may also include other insecure configurations, such as weak passwords, unnecessary services, or
open ports, that can expose the web server to unauthorized access or compromise.
The best initial step to mitigate this risk is to change the default settings to hide or obscure the server
software type and version, as well as to disable or remove any unnecessary or insecure features. For
example, to hide the server signature, one can modify the ServerTokens and ServerSignature
directives in the Apache configuration file. Alternatively, one can use a web application firewall or a
reverse proxy to mask the server information from the client requests. Changing the default settings
can reduce the attack surface and make it harder for attackers to exploit the web server.
Reference:
How to Hide Apache Version Number and Other Sensitive Info
How to hide server information from HTTP headers? - Stack Overflow
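The following is an added example, not part of the original question bank, showing the check an administrator would run after setting `ServerTokens Prod` and `ServerSignature Off`: it parses an HTTP response head and error-page body and lists every product/version token still disclosed. Both sample responses are constructed for this example (the hostnames, dates and version strings are invented), and the header names checked are the common disclosure headers, not an exhaustive list.

```python
import re

# Constructed sample responses (not captured from any real server).
# DEFAULT_RESPONSE mimics a default Apache install: the Server header and
# the error-page footer both carry product versions.
DEFAULT_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.46 (Ubuntu) OpenSSL/1.1.1f PHP/7.4.3\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<address>Apache/2.4.46 (Ubuntu) Server at example.test Port 80</address>\r\n"
)

# HARDENED_RESPONSE mimics the same server after ServerTokens Prod and
# ServerSignature Off (and with the X-Powered-By header removed).
HARDENED_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<p>Not Found</p>\r\n"
)

# A product name followed by a dotted version number, e.g. "Apache/2.4.46".
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)+")

# Headers that commonly leak software type and version (assumed list).
DISCLOSING_HEADERS = ("server", "x-powered-by",
                      "x-aspnet-version", "x-aspnetmvc-version")


def parse_head(raw):
    """Split a raw HTTP response into (status line, {header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def version_disclosures(raw):
    """Return [(location, token)] for every version string still exposed,
    where location is the header name or 'body' for the page footer."""
    _, headers, body = parse_head(raw)
    findings = []
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)
        if value:
            findings.extend((name, tok) for tok in VERSION_RE.findall(value))
    # ServerSignature Off is what removes the footer line on error pages.
    findings.extend(("body", tok) for tok in VERSION_RE.findall(body))
    return findings


def is_hardened(raw):
    """True when neither headers nor body disclose a software version."""
    return not version_disclosures(raw)


if __name__ == "__main__":
    for label, resp in (("default", DEFAULT_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, version_disclosures(resp))
```

Run against a live server by feeding it the raw bytes of a request to a non-existent path, since error pages are where `ServerSignature` shows up; a bare product name such as `Apache` is what `ServerTokens Prod` leaves behind and is reported as clean here.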

Question 6

Your company suspects a potential security breach and has hired you as a Certified Ethical Hacker to
investigate. You discover evidence of footprinting through search engines and advanced Google
hacking techniques. The attacker utilized Google search operators to extract sensitive information.
You further notice queries that indicate the use of the Google Hacking Database (GHDB) with an
emphasis on VPN footprinting.
Which of the following Google advanced search operators would be the LEAST useful in providing the
attacker with sensitive VPN-related information?

  • A. intitle: This operator restricts results to only the pages containing the specified term in the title
  • B. location: This operator finds information for a specific location
  • C. inurl: This operator restricts the results to only the pages containing the specified word in the URL
  • D. link: This operator searches websites or pages that contain links to the specified website or page
Answer:

B

Explanation:
The location: operator is the least useful in providing the attacker with sensitive VPN-related
information, because it does not directly relate to VPN configuration, credentials, or vulnerabilities.
The location: operator finds information for a specific location, such as a city, country, or region. For
example, location:paris would return results related to Paris, France. However, this operator does not
help the attacker to identify or access VPN servers or clients, unless they are specifically named or
indexed by their location, which is unlikely.
The other operators are more useful in providing the attacker with sensitive VPN-related
information, because they can help the attacker to find pages or files that contain VPN configuration,
credentials, or vulnerabilities. The intitle: operator restricts results to only the pages containing the
specified term in the title. For example, intitle:vpn would return pages with VPN in their title, which
may include VPN guides, manuals, or tutorials. The inurl: operator restricts the results to only the
pages containing the specified word in the URL. For example, inurl:vpn would return pages with VPN
in their URL, which may include VPN login portals, configuration files, or directories. The link:
operator searches websites or pages that contain links to the specified website or page. For example,
link:vpn.com would return pages that link to vpn.com, which may include VPN reviews, comparisons,
or recommendations.
Reference:
Google Search Operators: The Complete List (44 Advanced Operators)
Footprinting through search engines
Module 02: Footprinting and Reconnaissance

Question 7

A certified ethical hacker is conducting a Whois footprinting activity on a specific domain. The
individual is leveraging various tools such as Batch IP Converter and Whois Analyzer Pro to retrieve
vital details but is unable to gather complete Whois information from the registrar for a particular set
of data. As the hacker, what might be the probable data model being utilized by the domain's registrar
for storing and looking up Whois information?

  • A. Thick Whois model with a malfunctioning server
  • B. Thick Whois model working correctly
  • C. Thin Whois model with a malfunctioning server
  • D. Thin Whois model working correctly
Answer:

D

Explanation:
A thin Whois model is a type of data model that is used by some domain registrars for storing and
looking up Whois information. In a thin Whois model, the registrar only stores the basic information
about the domain, such as the domain name, the registrar name, the name servers, and the
registration and expiration dates. The rest of the information, such as the contact details of the
domain owner, the administrative contact, and the technical contact, is stored by the registry that
manages the top-level domain (TLD) of the domain. For example, the registry for .com and .net
domains is Verisign, and the registry for .org domains is Public Interest Registry.
When a Whois lookup is performed on a domain that uses a thin Whois model, the registrar’s Whois
server only returns the basic information and refers the query to the registry’s Whois server for the
complete information.
As a hacker, if you are unable to gather complete Whois information from the registrar for a
particular set of data, it might be because the domain’s registrar is using a thin Whois model and the
registry’s Whois server is not responding or providing the information. This could be due to various
reasons, such as network issues, server errors, rate limits, privacy policies, or legal restrictions.
Therefore, the probable data model being utilized by the domain’s registrar for storing and looking
up Whois information is a thin Whois model working correctly.
Reference:
Differences Between Thin WHOIS vs Thick WHOIS – OpenSRS Help & Support
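As an added example (not part of the original question bank or any tool it names), the following parser shows what a thin-model lookup looks like to a client: the first server answers with the basic fields plus a `Registrar WHOIS Server` referral, and the complete record has to be fetched from the server that referral names. The two responses are constructed for this example (domain, hostnames, dates and contacts are invented; only the `Key: Value` layout mirrors real WHOIS output), and the set of contact fields used to recognise a complete record is an assumption.

```python
import re

# Constructed first-hop response: basic fields plus a referral, no contacts.
FIRST_RESPONSE = """\
   Domain Name: EXAMPLE-THIN.COM
   Registry Domain ID: 0000000000_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.registrar.example
   Registrar URL: http://www.registrar.example
   Updated Date: 2024-01-01T00:00:00Z
   Creation Date: 2020-01-01T00:00:00Z
   Registry Expiry Date: 2030-01-01T00:00:00Z
   Registrar: Example Registrar, LLC
   Name Server: NS1.EXAMPLE-THIN.COM
   Name Server: NS2.EXAMPLE-THIN.COM
   DNSSEC: unsigned
>>> Last update of whois database: 2024-01-01T00:00:00Z <<<
"""

# Constructed response from the server the referral points at: full record.
REFERRED_RESPONSE = """\
Domain Name: example-thin.com
Registrar WHOIS Server: whois.registrar.example
Registrar: Example Registrar, LLC
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Example Corp
Admin Email: admin@example-thin.com
Tech Email: tech@example-thin.com
Name Server: ns1.example-thin.com
Name Server: ns2.example-thin.com
"""

# Fields whose presence marks a complete (contact-bearing) record; assumed.
CONTACT_FIELDS = ("registrant name", "registrant organization",
                  "admin email", "tech email")
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]+?):\s*(.*?)\s*$")


def parse_whois(text):
    """Parse 'Key: Value' lines into {lowercase key: [values]}; repeated keys
    such as Name Server collect into the list, other lines are ignored."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields.setdefault(m.group(1).lower(), []).append(m.group(2))
    return fields


def referral_server(fields):
    """Hostname of the server to query next, or None if there is no referral."""
    vals = fields.get("registrar whois server")
    return vals[0] if vals else None


def has_contact_data(fields):
    return any(key in fields for key in CONTACT_FIELDS)


def classify(text):
    """'thick' when the response carries contact data, 'thin-referral' when it
    carries only basic fields plus a referral, 'incomplete' otherwise."""
    fields = parse_whois(text)
    if has_contact_data(fields):
        return "thick"
    if referral_server(fields):
        return "thin-referral"
    return "incomplete"


def lookup_chain(responses):
    """Walk responses as a thin-model client would: stop at the first one with
    contact data. Returns ('complete'|'partial', [referral per hop]). The
    question's symptom, basic data but no contacts, is the 'partial' case:
    the tool stopped before the referral, or the referred server did not answer."""
    hops = []
    for text in responses:
        fields = parse_whois(text)
        hops.append(referral_server(fields))
        if has_contact_data(fields):
            return "complete", hops
    return "partial", hops


if __name__ == "__main__":
    print(classify(FIRST_RESPONSE), "->", referral_server(parse_whois(FIRST_RESPONSE)))
    print(lookup_chain([FIRST_RESPONSE, REFERRED_RESPONSE]))
```

When a tool reports only the basic fields, checking whether its output contains a `Registrar WHOIS Server` line tells you whether the data model is thin (a second query is required) or whether the single server you reached simply returned an incomplete record.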

Question 8

Your network infrastructure is under a SYN flood attack. The attacker has crafted an automated
botnet to simultaneously send 's' SYN packets per second to the server. You have put measures in
place to manage 'f' SYN packets per second, and the system is designed to deal with this number
without any performance issues. If 's' exceeds 'f', the network infrastructure begins to show signs of
overload. The system's response time increases exponentially (2^k), where 'k' represents each
additional SYN packet above the 'f' limit. Now, considering 's=500' and different 'f' values, in which
scenario is the server most likely to experience overload and significantly increased response times?

  • A. f=510: The server can handle 510 SYN packets per second, which is greater than what the attacker is sending. The system stays stable, and the response time remains unaffected
  • B. f=495: The server can handle 495 SYN packets per second. The response time drastically rises (2^5 = 32 times the normal), indicating a probable system overload
  • C. f=505: The server can handle 505 SYN packets per second. In this case, the response time increases but not as drastically (2^5 = 32 times the normal), and the system might still function, albeit slowly
  • D. f=420: The server can handle 490 SYN packets per second. With 's' exceeding 'f' by 10, the response time shoots up (2^10 = 1024 times the usual response time), indicating a system overload
Answer:

D

Explanation:
A SYN flood attack is a type of denial-of-service (DoS) attack that exploits the TCP handshake process
by sending a large number of SYN requests to the target server, without completing the connection.
This consumes the connection state tables on the server, preventing it from accepting new
connections. The attacker has crafted an automated botnet to simultaneously send ‘s’ SYN packets
per second to the server. The server can handle ‘f’ SYN packets per second without any performance
issues. If ‘s’ exceeds ‘f’, the network infrastructure begins to show signs of overload. The system’s
response time increases exponentially (2^k), where ‘k’ represents each additional SYN packet above
the ‘f’ limit.
Considering ‘s=500’ and different ‘f’ values, the scenario that is most likely to cause the server to
experience overload and significantly increased response times is the one where ‘f=420’. This is
because ‘s’ is greater than ‘f’ by 80 packets per second, which means the server cannot handle the
incoming traffic and will eventually run out of resources. The response time shoots up (2^80 =
281,474,976,710,656 times the normal response time), indicating a system overload.
The other scenarios are less likely or less severe than the one where ‘f=420’. Option A has ‘f=510’,
which is greater than ‘s’, so the system stays stable and the response time remains unaffected.
Option B has ‘f=495’, which is less than ‘s’ by 5 packets per second, so the response time drastically
rises (2^5 = 32 times the normal response time), indicating a probable system overload, but not as
extreme as option D. Option C has ‘f=505’, which is less than ‘s’ by 5 packets per second, so the
response time increases but not as drastically (2^5 = 32 times the normal response time), and the
system might still function, albeit slowly.
Reference:
SYN flood DDoS attack | Cloudflare
SYN flood - Wikipedia
What Is a SYN Flood Attack? | F5
What is a SYN flood attack and how to prevent it? | NETSCOUT

Question 9

You have been hired as an intern at a start-up company. Your first task is to help set up a basic web
server for the company’s new website. The team leader has asked you to make sure the server is
secure from common threats. Based on your knowledge from studying for the CEH exam, which of
the following actions should be your priority to secure the web server?

  • A. Installing a web application firewall
  • B. Limiting the number of concurrent connections to the server
  • C. Encrypting the company’s website with SSL/TLS
  • D. Regularly updating and patching the server software
Answer:

D

Explanation:
One of the most important actions to secure a web server from common threats is to regularly
update and patch the server software. This includes the operating system, the web server software,
the database software, and any other applications or frameworks that run on the server. Updating
and patching the server software can fix known vulnerabilities, bugs, or errors that could be
exploited by attackers to compromise the server or the website. Failing to update and patch the
server software can expose the server to common attacks, such as SQL injection, cross-site scripting,
remote code execution, denial-of-service, etc.
Installing a web application firewall, limiting the number of concurrent connections to the server,
and encrypting the company’s website with SSL/TLS are also good practices to secure a web server,
but they are not as critical as updating and patching the server software. A web application firewall
can filter and block malicious requests, but it cannot prevent attacks that exploit unpatched
vulnerabilities in the server software. Limiting the number of concurrent connections to the server
can prevent overload and improve performance, but it cannot stop attackers from sending malicious
requests or payloads. Encrypting the company’s website with SSL/TLS can protect the data in transit
between the server and the client, but it cannot protect the data at rest on the server or prevent
attacks that target the server itself.
Therefore, the priority action to secure a web server from common threats is to regularly update and
patch the server software.
Reference:
Web Server Security- Beginner’s Guide - Astra Security Blog
Top 10 Web Server Security Best Practices | Liquid Web
21 Server Security Tips & Best Practices To Secure Your Server - phoenixNAP

Question 10

A sophisticated attacker targets your web server with the intent to execute a Denial of Service (DoS)
attack. His strategy involves a unique mixture of TCP SYN, UDP, and ICMP floods, using 'r' packets per
second. Your server, reinforced with advanced security measures, can handle 'h' packets per second
before it starts showing signs of strain. If 'r' surpasses 'h', it overwhelms the server, causing it to
become unresponsive. In a peculiar pattern, the attacker selects 'r' as a composite number and 'h' as
a prime number, making the attack detection more challenging. Considering 'r=2010' and different
values for 'h', which of the following scenarios would potentially cause the server to falter?

  • A. h=1999 (prime): Despite the attacker's packet flood, the server can handle these requests, remaining responsive
  • B. h=2003 (prime): The server can manage more packets than the attacker is sending, hence it stays operational
  • C. h=1993 (prime): Despite being less than 'r', the server's prime number capacity keeps it barely operational, but the risk of falling is imminent
  • D. h=1987 (prime): The attacker's packet rate exceeds the server's capacity, causing potential unresponsiveness
Answer:

D

Explanation:
A Denial of Service (DoS) attack is a type of cyberattack that aims to make a machine or network
resource unavailable to its intended users by flooding it with traffic or requests that consume its
resources. A TCP SYN flood attack is a type of DoS attack that exploits the TCP handshake process by
sending a large number of SYN requests to the target server, without completing the connection. A
UDP flood attack is a type of DoS attack that sends a large number of UDP packets to random ports
on the target server, forcing it to check for the application listening at that port and reply with an
ICMP packet. An ICMP flood attack is a type of DoS attack that sends a large number of ICMP packets,
such as ping requests, to the target server, overwhelming its ICMP processing capacity.
The attacker’s strategy involves a unique mixture of TCP SYN, UDP, and ICMP floods, using ‘r’ packets
per second. The server can handle ‘h’ packets per second before it starts showing signs of strain. If ‘r’
surpasses ‘h’, it overwhelms the server, causing it to become unresponsive. The attacker selects ‘r’ as
a composite number and ‘h’ as a prime number, making the attack detection more challenging. This
is because prime numbers are less predictable and more difficult to factorize than composite
numbers, which may hinder the analysis of the attack pattern.
Considering ‘r=2010’ and different values for ‘h’, the scenario that would potentially cause the server
to falter is the one where ‘h=1987’ (prime). This is because ‘r’ is greater than ‘h’ by 23 packets per
second, which means the server cannot handle the incoming traffic and will eventually run out of
resources. The other scenarios would not cause the server to falter, as ‘h’ is either greater than or
very close to ‘r’, which means the server can either manage or barely cope with the incoming
traffic.
Reference:
What is a denial-of-service (DoS) attack? | Cloudflare
Denial-of-Service (DoS) Attack: Examples and Common Targets - Investopedia
DDoS Attack Types: Glossary of Terms
What is a Denial of Service (DoS) Attack? | Webopedia

Question 11

You are an ethical hacker contracted to conduct a security audit for a company. During the audit, you
discover that the company's wireless network is using WEP encryption. You understand the
vulnerabilities associated with WEP and plan to recommend a more secure encryption method.
Which of the following would you recommend as a suitable replacement to enhance the security of
the company's wireless network?

  • A. MAC address filtering
  • B. WPA2-PSK with AES encryption
  • C. Open System authentication
  • D. SSID broadcast disabling
Answer:

B


Explanation:
WEP encryption is an outdated and insecure method of protecting wireless networks from
unauthorized access and eavesdropping. WEP uses the RC4 stream cipher with a static 40- or 104-bit
key and a 24-bit initialization vector (IV) that repeats quickly on a busy network. The key can be
recovered by capturing enough IV-tagged frames (the FMS, KoreK and PTW attacks), by brute force, or
by exploiting RC4's weak key scheduling together with the short IV [1]. Therefore, you should
recommend a more secure encryption method to enhance the security of the company's wireless
network.
One of the most suitable replacements for WEP encryption is WPA2-PSK with AES encryption. WPA2
stands for Wi-Fi Protected Access 2, a security standard that improves upon the previous WPA
standard (which still used RC4 via TKIP). WPA2 uses AES, the Advanced Encryption Standard, in CCMP
(Counter Mode with CBC-MAC Protocol), which provides both confidentiality and integrity for each
frame. AES is a block cipher with a 128-bit block size and key sizes of 128, 192 or 256 bits; CCMP uses
a 128-bit key and is considered secure and resistant to attacks [2].
WPA2-PSK stands for WPA2 Pre-Shared Key, a mode of WPA2 that uses a passphrase (8 to 63 ASCII
characters) to generate the encryption key. The passphrase must be entered by the users who want to
connect to the wireless network. The key is derived from the passphrase using PBKDF2, the
Password-Based Key Derivation Function 2, with the SSID as the salt and 4096 iterations of
HMAC-SHA1, producing a 256-bit Pairwise Master Key (PMK) [3]. The salt ties the key to the network
name and the iteration count slows down each guess, which makes precomputed tables per SSID
expensive to build.
WPA2-PSK with AES encryption offers several advantages over WEP encryption, such as:
It uses a dynamic per-session key: a Pairwise Transient Key is derived from the PMK, both MAC
addresses and two fresh nonces in the four-way handshake, instead of one static key shared by all
stations for the life of the network.
It uses a stronger encryption algorithm (AES-CCMP) that is more difficult to break, instead of RC4
with a flawed keystream construction.
It uses a longer key (128-bit AES key with a 48-bit packet number that does not wrap in practice),
instead of a 40- or 104-bit key combined with a 24-bit IV that repeats.
It uses a proper key derivation function (PBKDF2) that adds a salt and work factor, instead of simply
concatenating the static key with the IV.
WPA2-PSK is only as strong as its passphrase: an attacker who captures the four-way handshake can
test passphrase guesses offline against the handshake MIC, so a long random passphrase is required.
Where the equipment supports it, WPA3-Personal (SAE) resists this offline guessing and is the
current recommendation; among the options given, WPA2-PSK with AES is the correct answer. MAC
address filtering, Open System authentication and hiding the SSID are not encryption at all: MAC
addresses and SSIDs are visible to anyone sniffing the channel and are trivially spoofed.
Therefore, you should recommend WPA2-PSK with AES encryption as a suitable replacement to
enhance the security of the company's wireless network.
Reference:
1. Wireless Security - Encryption - Online Tutorials Library
2. WiFi Security: WEP, WPA, WPA2, WPA3 And Their Differences - NetSpot
3. WPA2-PSK (Wi-Fi Protected Access 2 Pre-Shared Key)
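The following is an added example, not part of the original question set, showing the WPA2-PSK key derivation described above and why its security rests on the passphrase. It computes the PMK with PBKDF2-HMAC-SHA1 (checked against the IEEE 802.11i test vector for passphrase "password" and SSID "IEEE"), derives the Key Confirmation Key from a four-way handshake, computes the handshake MIC, and then runs the offline dictionary attack an eavesdropper would run against a captured handshake. The MAC addresses, nonces and EAPOL frame bytes are constructed for the example and are not from any real capture.

```python
import hashlib
import hmac


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out, i = b"", 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:length]


def wpa2_kck(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """First 16 bytes of the 48-byte CCMP PTK: the Key Confirmation Key that MICs the handshake."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)[:16]


def handshake_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2/CCMP key MIC: HMAC-SHA1 over the EAPOL-Key frame (MIC field zeroed), truncated to 16 bytes."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


# Constructed handshake parameters (hypothetical addresses, nonces and frame; MIC field already zeroed).
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
EAPOL_MSG2 = bytes.fromhex("0103005f02010a00") + b"\x00" * 91


def capture_mic(passphrase: str, ssid: str) -> bytes:
    """What the legitimate client puts in message 2 of the handshake (and what a sniffer sees)."""
    kck = wpa2_kck(wpa2_pmk(passphrase, ssid), AP_MAC, STA_MAC, ANONCE, SNONCE)
    return handshake_mic(kck, EAPOL_MSG2)


def offline_guess(ssid: str, captured_mic: bytes, candidates):
    """Attacker side: every guess costs one PBKDF2 run, and is checked against the captured MIC.
    Returns (passphrase, guesses_tried) or (None, guesses_tried)."""
    for tried, cand in enumerate(candidates, 1):
        kck = wpa2_kck(wpa2_pmk(cand, ssid), AP_MAC, STA_MAC, ANONCE, SNONCE)
        if hmac.compare_digest(handshake_mic(kck, EAPOL_MSG2), captured_mic):
            return cand, tried
    return None, len(candidates)


if __name__ == "__main__":
    mic = capture_mic("password", "IEEE")
    print(wpa2_pmk("password", "IEEE").hex())
    print(offline_guess("IEEE", mic, ["letmein", "qwerty123", "password", "hunter2"]))
```

The 4096 PBKDF2 iterations are the only thing slowing the attacker down, and they are fixed by the standard; the defender's lever is passphrase entropy (or moving to WPA3-SAE, where the handshake does not let an eavesdropper verify guesses offline).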


Question 12

As a cybersecurity analyst for SecureNet, you are performing a security assessment of a new mobile
payment application. One of your primary concerns is the secure storage of customer data on the
device. The application
stores sensitive information such as credit card details and personal identification numbers (PINs) on
the device. Which of the following measures would best ensure the security of this data?

  • A. Implement biometric authentication for app access.
  • B. Encrypt all sensitive data stored on the device.
  • C. Enable GPS tracking for all devices using the app.
  • D. Regularly update the app to the latest version.
Answer:

B


Explanation:
Encrypting all sensitive data stored on the device is the best measure to ensure the security of this
data, because it protects the data from unauthorized access or disclosure even if the device is lost,
stolen, or compromised. Encryption transforms data into an unreadable form using an algorithm and a
secret key; only parties holding the key can decrypt and read it, so the security rests on the key and
not on keeping the algorithm secret. Encryption can be applied to data at rest, such as files or
databases, or to data in transit, such as network traffic or messages. Encrypting the customer data
stored on the device, such as credit card details and PINs, prevents an attacker who obtains the
storage from reading it or silently tampering with it (an authenticated mode such as AES-GCM detects
tampering), which otherwise leads to financial or identity fraud. The key must not be kept next to the
ciphertext: on mobile platforms it belongs in the hardware-backed keystore (Android Keystore, iOS
Keychain backed by the Secure Enclave), and data that the app does not actually need on the device is
best not stored there at all.
The other options are not as effective or sufficient as encryption for securing the customer data
stored on the device. Implementing biometric authentication for app access may provide an
additional layer of security, but it only gates the app's user interface; it does not protect the data
from being read by other means, such as malware, physical access to the storage, or backup extraction.
Enabling GPS tracking for all devices using the app may help locate the device in case of loss or theft,
but it does not prevent the data from being accessed by unauthorized parties, and it also poses privacy
risks. Regularly updating the app to the latest version may help fix bugs or vulnerabilities, but it
does not by itself protect the stored data, especially if the app does not use encryption or other
security features.
Reference:
Securely Storing Data | Security.org
Data Storage Security: 5 Best Practices to Secure Your Data
M9: Insecure Data Storage | OWASP Foundation


Question 13

As a cybersecurity professional, you are responsible for securing a high-traffic web application that
uses MySQL as its backend database. Recently, there has been a surge of unauthorized login
attempts, and you suspect that a seasoned black-hat hacker is behind them. This hacker has shown
proficiency in SQL Injection and
appears to be using the 'UNION' SQL keyword to trick the login process into returning additional
data.
However, your application's security measures include filtering special characters in user inputs, a
method usually effective against such attacks. In this challenging environment, if the hacker still
intends to exploit this SQL Injection vulnerability, which strategy is he most likely to employ?

  • A. The hacker alters his approach and injects a ‘DROP TABLE’ statement, a move that could potentially lead to the loss of vital data stored in the application's database
  • B. The hacker tries to manipulate the 'UNION' keyword in such a way that it triggers a database error, potentially revealing valuable information about the database's structure
  • C. The hacker switches tactics and resorts to a ‘time-based blind’ SQL Injection attack, which would force the application to delay its response, thereby revealing information based on the duration of the delay
  • D. The hacker attempts to bypass the special character filter by encoding his malicious input, which could potentially enable him to successfully inject damaging SQL queries
Answer:

D


Explanation:
SQL Injection is a type of attack that exploits a vulnerability in a web application that uses a SQL
database. The attacker injects malicious SQL code into the user input, such as a login form, that is
then executed by the database server. This can allow the attacker to access, modify, or delete data,
or execute commands on the database server.
The ‘UNION’ SQL keyword is often used in SQL Injection attacks to combine the results of two or
more SELECT statements into a single result set. This can allow the attacker to retrieve additional
data from other tables or columns that are not intended to be displayed by the application. For
example, if the application uses the following query to check the user credentials:
SELECT * FROM users WHERE username = '$username' AND password = '$password'
The attacker can inject a ‘UNION’ statement to append another query, such as:
' OR 1 = 1 UNION SELECT * FROM credit_cards --
This will result in the following query being executed by the database server:
SELECT * FROM users WHERE username = '' OR 1 = 1 UNION SELECT * FROM credit_cards --' AND
password = '$password'
The first part of the query will always return true, and the second part of the query will return the
data from the credit_cards table (a UNION requires both SELECTs to return the same number of
columns, which the attacker works out in advance). The '--' sequence starts a comment, so the rest of
the original query is ignored. The attacker can then see the credit card information in the
application's response.
However, some web applications implement security measures to prevent SQL Injection attacks,
such as filtering or escaping special characters in user inputs. Special characters are symbols that
have a special meaning in SQL, such as quotes, semicolons, dashes, etc. For example, if the
application replaces each single quote with two single quotes (the SQL escape for a literal quote), the
previous injection attempt fails, as the query becomes:
SELECT * FROM users WHERE username = ''' OR 1 = 1 UNION SELECT * FROM credit_cards --' AND
password = '$password'
The doubled quote is now part of a string literal rather than a delimiter, so the whole payload is
compared against the username column as ordinary text and no rows are returned.
In this challenging environment, if the hacker still intends to exploit this SQL Injection vulnerability,
the strategy that he is most likely to employ is to bypass the special character filter by encoding his
malicious input. Encoding is a process of transforming data into a different format, such as
hexadecimal, base64, URL, etc. By encoding his input, the hacker can slip past a filter that inspects
the raw request. For example, URL-encoded, the previous payload becomes:
%27%20OR%201%20%3D%201%20UNION%20SELECT%20*%20FROM%20credit_cards%20--
If the application decodes the input after the filter has run, the query executed by the database
server is:
SELECT * FROM users WHERE username = '' OR 1 = 1 UNION SELECT * FROM credit_cards --' AND
password = '$password'
and the credit card information is returned, because the filter saw %27 rather than a quote.
The bypass depends on a mismatch between what the filter inspects and what the database receives:
filtering before URL decoding, double encoding (%2527) when the input is decoded twice, or
alternative representations the database understands, such as MySQL hexadecimal literals (0x27) or
multibyte character set tricks. A filter that runs after all decoding and escapes quotes consistently is
not bypassed this way; the robust defence is parameterized queries (prepared statements), which
keep user input out of the SQL grammar entirely.
Therefore, the hacker is most likely to employ the strategy of bypassing the special character filter by
encoding his malicious input, which could potentially enable him to successfully inject damaging SQL
queries.
Reference:
SQL Injection | OWASP Foundation
SQL Injection Union Attacks
SQL Injection Bypassing WAF
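As an added example, not part of the original question set, the following Python program reproduces the scenario above against an in-memory SQLite database: the string-built login query, the UNION payload, the quote-doubling filter, the encoding bypass that works only when the filter runs before URL decoding, and the parameterized query that is immune regardless of encoding. The schema, the user and card rows, and the function names are constructed for the example (credit_cards is given three columns so the UNION lines up with users).

```python
import sqlite3
from urllib.parse import unquote


def setup_db():
    """Constructed sample data: one user and one card row, three columns each."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("CREATE TABLE credit_cards (id INTEGER, holder TEXT, number TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 'correct horse')")
    conn.execute("INSERT INTO credit_cards VALUES (2, 'alice', '4111111111111111')")
    conn.commit()
    return conn


def escape_quotes(value: str) -> str:
    """The filter from the explanation: a single quote becomes two single quotes."""
    return value.replace("'", "''")


def login_vulnerable(conn, username: str, password: str):
    """String-built query: whatever reaches here is parsed as SQL."""
    query = (f"SELECT * FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchall()


def login_filter_then_decode(conn, raw_username: str, raw_password: str):
    """Flawed ordering: escape the raw request, URL-decode afterwards.
    %27 passes the filter untouched and turns back into a quote."""
    return login_vulnerable(conn, unquote(escape_quotes(raw_username)),
                            unquote(escape_quotes(raw_password)))


def login_decode_then_filter(conn, raw_username: str, raw_password: str):
    """Correct ordering for an escaping filter: decode first, then escape."""
    return login_vulnerable(conn, escape_quotes(unquote(raw_username)),
                            escape_quotes(unquote(raw_password)))


def login_parameterized(conn, raw_username: str, raw_password: str):
    """Prepared statement: input is bound as data and never parsed as SQL,
    so the decode/filter ordering question disappears."""
    return conn.execute(
        "SELECT * FROM users WHERE username = ? AND password = ?",
        (unquote(raw_username), unquote(raw_password))).fetchall()


PAYLOAD = "' OR 1 = 1 UNION SELECT * FROM credit_cards --"
ENCODED = "%27%20OR%201%20%3D%201%20UNION%20SELECT%20*%20FROM%20credit_cards%20--"


def card_numbers(rows):
    """Card numbers leaked into a login result (rows that came from credit_cards)."""
    return sorted(r[2] for r in rows if r[0] == 2)


if __name__ == "__main__":
    db = setup_db()
    print("no filter, raw payload:   ", card_numbers(login_vulnerable(db, PAYLOAD, "x")))
    print("filter then decode:       ", card_numbers(login_filter_then_decode(db, ENCODED, "x")))
    print("decode then filter:       ", card_numbers(login_decode_then_filter(db, ENCODED, "x")))
    print("parameterized:            ", card_numbers(login_parameterized(db, ENCODED, "x")))
```

Note that the escaped query in login_decode_then_filter is valid SQL that simply matches no user; it does not raise a syntax error. The lesson is the ordering: a filter is only meaningful if it sees exactly the bytes the database will see.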


Question 14

A well-resourced attacker intends to launch a highly disruptive DDoS attack against a major online
retailer. The attacker aims to exhaust all the network resources while keeping their identity
concealed. Their method should be resistant to simple defensive measures such as IP-based
blocking. Based on these objectives, which of the following attack strategies would be most
effective?

  • A. The attacker should instigate a protocol-based SYN flood attack, consuming connection state tables on the retailer's servers
  • B. The attacker should execute a simple ICMP flood attack from a single IP, exploiting the retailer's ICMP processing
  • C. The attacker should leverage a botnet to launch a Pulse Wave attack, sending high-volume traffic pulses at regular intervals
  • D. The attacker should initiate a volumetric flood attack using a single compromised machine to overwhelm the retailer's network bandwidth
Answer:

C


Explanation:
A Pulse Wave attack is a type of DDoS attack that uses a botnet to send high-volume traffic pulses at
regular intervals, typically lasting for a few minutes each. The attacker can adjust the frequency and
duration of the pulses to maximize the impact and evade detection. A Pulse Wave attack can exhaust
the network resources of the target, as well as the resources of any DDoS mitigation service that the
target may use. A Pulse Wave attack can also conceal the attacker’s identity, as the traffic originates
from multiple sources that are part of the botnet. A Pulse Wave attack can bypass simple defensive
measures, such as IP-based blocking, as the traffic can appear legitimate and vary in source IP
addresses.
The other options are less effective or feasible for the attacker's objectives. A protocol-based SYN
flood attack exploits the TCP handshake by sending a large number of SYN segments to the target
server without completing the connection, consuming the connection state table and preventing new
connections. However, SYN floods are readily mitigated by SYN cookies (the server keeps no state for
a half-open connection) or by a stateful firewall or proxy in front of the server, and they target
connection state rather than the network bandwidth the attacker wants to exhaust; if the source
addresses are not spoofed, the SYN segments also point straight back at the attacker. An ICMP flood
attack sends a large number of ICMP packets, such as echo requests, to the target server,
overwhelming its ICMP processing capacity. From a single IP, however, it is trivially blocked by
IP-based filtering or by rate limiting or dropping ICMP at the edge, and the single source address
identifies the attacker. A volumetric flood attack sends a large amount of traffic to the target server,
saturating its network bandwidth so that legitimate users cannot reach it. A single compromised
machine rarely has enough upstream bandwidth to saturate a major retailer's links, it is one source
that can simply be blocked, and such floods are absorbed by upstream scrubbing, traffic shaping or
rate limiting. Only the botnet-driven Pulse Wave attack meets all three requirements: resource
exhaustion, a concealed origin behind many sources, and resistance to IP-based blocking.
Reference:
Pulse Wave DDoS Attacks: What You Need to Know
DDoS Attack Prevention: 7 Effective Mitigation Strategies
DDoS Attack Types: Glossary of Terms
DDoS Attacks: What They Are and How to Protect Yourself
DDoS Attack Prevention: How to Protect Your Website
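From the defender's side, the distinguishing feature of a Pulse Wave attack is its timing: short high-volume bursts with a near-constant start-to-start spacing, rather than one sustained flood. The following is an added example, not part of the original question set, of detection logic that runs over a per-second packet-rate series, extracts the bursts, and reports whether their spacing is regular enough to call it a pulse wave. The traffic series is constructed in the block; the threshold, minimum pulse count and jitter tolerance are assumed tuning parameters.

```python
def find_pulses(pps, threshold):
    """Contiguous runs of seconds whose packet rate exceeds threshold, as
    (start, end_exclusive) index pairs into the series."""
    pulses, start = [], None
    for i, rate in enumerate(pps):
        if rate > threshold and start is None:
            start = i
        elif rate <= threshold and start is not None:
            pulses.append((start, i))
            start = None
    if start is not None:
        pulses.append((start, len(pps)))
    return pulses


def pulse_wave_signature(pps, threshold, min_pulses=3, jitter=0.2):
    """Classify a per-second packet-rate series.  A pulse wave shows several
    short bursts whose start-to-start spacing is (nearly) constant; a plain
    flood is one long run above threshold.  Returns the bursts found, the
    estimated period in seconds (None if irregular or too few bursts) and a verdict."""
    pulses = find_pulses(pps, threshold)
    if len(pulses) < min_pulses:
        return {"pulses": pulses, "period": None, "pulse_wave": False}
    starts = [s for s, _ in pulses]
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    period = sum(gaps) / len(gaps)
    regular = all(abs(g - period) <= jitter * period for g in gaps)
    return {"pulses": pulses, "period": period if regular else None, "pulse_wave": regular}


def constructed_series(seconds=120, base=800, burst=50_000, burst_len=5, period=20, first=10):
    """Constructed traffic: baseline around `base` pps, with `burst_len`-second
    bursts of about `burst` pps starting at `first` and every `period` seconds after.
    Small deterministic wobble stands in for real-world noise."""
    series = []
    for t in range(seconds):
        in_burst = t >= first and (t - first) % period < burst_len
        series.append(burst + (t % 7) * 100 if in_burst else base + (t % 5) * 10)
    return series


if __name__ == "__main__":
    verdict = pulse_wave_signature(constructed_series(), threshold=8_000)
    print(verdict["pulse_wave"], verdict["period"], verdict["pulses"])
```

Once a series is classified as a pulse wave, the operational consequence is to keep mitigation (upstream scrubbing or rate limits) engaged for at least one full period after the last burst, rather than tearing it down as soon as traffic returns to baseline, since the quiet gaps are part of the attack.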


Question 15

Jake, a network security specialist, is trying to prevent network-level session hijacking attacks in his
company.
While studying different types of such attacks, he learns about a technique where an attacker inserts
their machine into the communication between a client and a server, making it seem like the
packets are flowing through the original path. This technique is primarily used to reroute the
packets. Which of the following types of network-level session hijacking attacks is Jake studying?

  • A. RST Hijacking
  • B. Man-in-the-middle Attack Using Forged ICMP and ARP Spoofing
  • C. UDP Hijacking
  • D. TCP/IP Hijacking
Answer:

B


Explanation:
A man-in-the-middle attack using forged ICMP and ARP spoofing is a type of network-level session
hijacking attack where an attacker inserts their machine into the communication between a client
and a server, making it seem like the packets are flowing through the original path. This technique is
primarily used to reroute the packets and intercept or modify the data exchanged between the client
and the server.
The attack works as follows [1]:
The attacker sends a forged ICMP redirect message to the client, spoofed so that it appears to come
from the client's current gateway. The redirect tells the client to use the attacker's machine as the
next hop for reaching the server's network. The client updates its routing table accordingly and starts
sending packets to the attacker's machine instead of the gateway. A host only honours a redirect that
appears to come from its existing first-hop router and that names a next hop on the local subnet, and
most hardened systems ignore redirects entirely (on Linux, net.ipv4.conf.all.accept_redirects = 0).
The attacker also sends a forged ARP reply to the client, associating the attacker's MAC address with
the server's IP address (or, when the server is off-link, with the gateway's IP address). The client
updates its ARP cache accordingly and sends its frames to the attacker's MAC address instead of the
real one. ARP has no authentication, so unsolicited replies are accepted; the same poisoning is usually
applied in the other direction as well so that the return traffic also passes through the attacker.
The attacker receives the packets from the client and forwards them to the server, acting as a relay
(IP forwarding must be enabled on the attacker's machine, otherwise the victim's connectivity simply
breaks and the attack is noticed). The attacker can monitor, modify, or drop the packets at will. The
server's responses come back to the attacker, who forwards them to the client. The client and the
server are unaware of the attacker's presence and think they are communicating directly with each
other.
The other options describe different techniques: RST hijacking tears a session down with forged TCP
resets, UDP hijacking forges server replies to a client over connectionless UDP, and TCP/IP hijacking
predicts sequence numbers to inject data into an established TCP session; none of them reroutes the
packet path. Defences include static ARP entries for critical hosts, Dynamic ARP Inspection on
switches, disabling ICMP redirect acceptance on hosts, and monitoring for IP-to-MAC changes (for
example with arpwatch).
Therefore, Jake is studying a man-in-the-middle attack using forged ICMP and ARP spoofing, which is
a type of network-level session hijacking attack.
Reference:
1. Network or TCP Session Hijacking | Ethical Hacking - GreyCampus
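As an added example, not part of the original question set, the following Python program shows the ARP side of the attack from the wire's point of view and the arpwatch-style detection that catches it: it builds raw Ethernet/ARP frames, parses them, and keeps an IP-to-MAC table that raises an alert whenever a sender IP shows up with a different MAC. The client, gateway and attacker addresses are constructed for the example (192.0.2.0/24 is documentation address space); the frames are built in the block rather than captured.

```python
import socket
import struct

ETH_P_ARP = 0x0806


def mac(hexstr: str) -> bytes:
    return bytes.fromhex(hexstr.replace(":", ""))


def ip(dotted: str) -> bytes:
    return socket.inet_aton(dotted)


def build_arp(op: int, sender_mac: bytes, sender_ip: bytes, target_mac: bytes, target_ip: bytes) -> bytes:
    """Ethernet II frame carrying ARP for IPv4 over Ethernet. op 1 = request, 2 = reply."""
    eth = target_mac + sender_mac + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + sender_mac + sender_ip + target_mac + target_ip)
    return eth + arp


def parse_arp(frame: bytes):
    """Return (op, sender_mac, sender_ip, target_ip), or None for non-ARP or malformed frames."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, frame[22:28], frame[28:32], frame[38:42]


class ArpWatch:
    """Remember which MAC each sender IP was seen with; alert when the binding changes.
    Both requests and replies carry a sender binding, so both are watched, as arpwatch does."""

    def __init__(self):
        self.table = {}   # sender IP (bytes) -> MAC (bytes) most recently seen
        self.alerts = []

    def observe(self, frame: bytes):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        op, smac, sip, _ = parsed
        if sip == b"\x00\x00\x00\x00":     # ARP probe: sender IP unset, no binding to learn
            return None
        known = self.table.get(sip)
        self.table[sip] = smac
        if known is None or known == smac:
            return None
        kind = "reply" if op == 2 else "request"
        msg = (f"ARP {kind}: {socket.inet_ntoa(sip)} moved from "
               f"{known.hex(':')} to {smac.hex(':')}")
        self.alerts.append(msg)
        return msg


def run_demo():
    """Constructed sequence: normal resolution, then a forged reply claiming the gateway's IP."""
    gw_mac, atk_mac, cli_mac = mac("00:11:22:33:44:55"), mac("00:de:ad:be:ef:00"), mac("66:77:88:99:aa:bb")
    gw_ip, cli_ip = ip("192.0.2.1"), ip("192.0.2.10")
    frames = [
        build_arp(1, cli_mac, cli_ip, b"\x00" * 6, gw_ip),   # client asks who has the gateway
        build_arp(2, gw_mac, gw_ip, cli_mac, cli_ip),         # legitimate gateway reply
        build_arp(2, atk_mac, gw_ip, cli_mac, cli_ip),        # forged reply: attacker claims gateway IP
        build_arp(2, gw_mac, gw_ip, cli_mac, cli_ip),         # real gateway answers again: flip-flop
        b"\x00" * 60,                                         # not ARP, ignored
    ]
    watch = ArpWatch()
    for frame in frames:
        watch.observe(frame)
    return watch.alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The flip-flop in the last two frames is the classic signature of ARP poisoning on a live network: the real host and the attacker keep answering for the same IP, and the cache of every listener follows whichever reply arrived last.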
