312-50v13 Practice Questions

A security analyst is tasked with gathering detailed information about an organization ' s network infrastructure without making any direct contact that could be logged or trigger alarms. Which method should the analyst use to obtain this information covertly?

Targeted, logic-based credential guessing using prior intel best describes which technique?

Using nbtstat -A < IP > , NetBIOS names including < 20 > and < 03 > are retrieved, but shared folders cannot be listed. Why?

Which payload is most effective for testing time-based blind SQL injection?

Customer data in a cloud environment was exposed due to an unknown vulnerability. What is the most likely cause?

During an internal red team engagement, an operator discovers that TCP port 389 is open on a target system identified as a domain controller. To assess the extent of LDAP exposure, the operator runs the command ldapsearch -h < Target IP > -x -s base namingcontexts and receives a response revealing the base distinguished name (DN): DC=internal,DC=corp. This naming context indicates the root of the LDAP directory structure. With this discovery, the operator plans the next step to continue LDAP enumeration and expand visibility into users and objects in the domain. What is the most logical next action?

A Certified Ethical Hacker (CEH) is auditing a company’s web server that employs virtual hosting. The server hosts multiple domains and uses a web proxy to maintain anonymity and prevent IP blocking. The CEH discovers that the server’s document directory (containing critical HTML files) is named “certrcx” and stored in /admin/web. The server root (containing configuration, error, executable, and log files) is also identified. The CEH also notes that the server uses a virtual document tree for additional storage. Which action would most likely increase the security of the web server?

During a late-night shift at IronWave Logistics in Seattle, cybersecurity analyst Marcus Chen notices a pattern of high-port outbound traffic from over a dozen internal machines to a previously unseen external IP. Each system had recently received a disguised shipping report, which, when opened, initiated a process that spread autonomously to other workstations using shared folders and stolen credentials. Upon investigation, Marcus discovers that the machines now contain hidden executables that silently accept remote instructions and occasionally trigger coordinated background tasks. The compromised endpoints are behaving like zombies, and malware analysts confirm that the payload used worm-like propagation to deliver a backdoor component across the network.

Which is the most likely objective behind this attack?

At Horizon Legal Services in Boston, Massachusetts, ethical hacker Daniel Price is tasked with assessing the security of the firm ' s mobile case-tracking app. During testing, he finds that confidential case notes and client records are kept locally on the device without encryption. By browsing the file system with a standard explorer tool, he can open sensitive information without any authentication. Which OWASP Top 10 Mobile Risk is most clearly present in the app?

A penetration tester submits altered ciphertexts to a web server and pays close attention to how the server responds. When the server produces different error messages for certain inputs, the tester starts to infer which inputs result in valid internal processing. Which cryptanalytic method is being used in this scenario?

A penetration tester identifies that a web application ' s login form is not using secure password hashing mechanisms, allowing attackers to steal passwords if the database is compromised. What is the best approach to exploit this vulnerability?

A web server experienced a DDoS attack that specifically targeted the application layer. Which type of DDoS attack was most likely used?

You discover an unpatched Android permission-handling vulnerability on a device with fully updated antivirus software. What is the most effective exploitation approach that avoids antivirus detection?

You must map open ports and services while remaining stealthy and avoiding IDS detection. Which scanning technique is best?

A penetration tester is attacking a wireless network running WPA3 encryption. Since WPA3 handshake protections prevent offline brute-force cracking, what is the most effective approach?