This practice test covers Domain 2 (Reconnaissance Techniques) Subdomain 3 (Enumeration) from the CEH v13 (312-50v13) exam blueprint (v5).

These questions are inspired by the EC-Council CEH exam and are designed to help you test your knowledge of ethical hacking tools, techniques, and methodologies. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CEH exam.

Note: CEH and Certified Ethical Hacker are registered trademarks of EC-Council. This content is not affiliated with or endorsed by EC-Council.


CEH v13 Domain 2.3 Practice Test 002
10 questions • 8 single-answer, 2 multi-select
Question 1
Clark, a penetration tester hired by a regional financial institution, is enumerating a Windows host at 192.168.10.15 during an authorized engagement. He runs the command `nbtstat -A 192.168.10.15` and reviews the returned NetBIOS name table. He notices an entry with the hexadecimal suffix registered to the host. Recognizing the significance of this entry, Clark decides to probe further for accessible shared resources over the network. Which Windows service is indicated by the NetBIOS suffix , and why is this finding significant during enumeration?
Question 2
During a penetration test of an enterprise network, a security analyst named Jane discovers that multiple network devices — including routers and switches — are running SNMP version 1. She uses a scanning tool configured with the most commonly found default community string and successfully queries each device's MIB (Management Information Base). The extracted data includes routing tables, interface descriptions, ARP caches, and system descriptions. The security team is alarmed because this data was retrieved without any authentication challenge. What is the primary reason SNMP v1 is considered insecure in this scenario, and which community string did Jane most likely use?
Question 3
A red team member is conducting an authorized assessment of a corporate Active Directory environment and needs to extract user accounts, group memberships, organizational unit (OU) structure, and password policy settings using LDAP queries. She requires a GUI-based tool that can connect directly to the domain controller's LDAP service on port 389 and browse the directory tree interactively without needing to write custom LDAP queries from scratch. She also needs to export the enumerated data for further analysis. Which of the following tools is most appropriate for performing interactive LDAP enumeration and browsing against an Active Directory domain controller?
Question 4
Select all that apply
Kevin, an ethical hacker contracted by a technology firm, is performing user enumeration against a mail server running SMTP on port 25. He wants to identify valid email addresses by querying the SMTP service directly without triggering authentication prompts or generating excessive error log entries. Kevin is aware that specific SMTP commands respond differently depending on whether a user exists on the server, and plans to use these differences to build a list of valid accounts. After reconnaissance, he selects two specific SMTP commands that are well-known for enabling this type of enumeration. Which two SMTP commands can Kevin use to enumerate valid users on the mail server? (Choose two)
Question 5
During a network security assessment of a financial services firm, a senior analyst is tasked with mapping all devices that are currently synchronized to the organization's NTP infrastructure. She queries the primary NTP server at 10.0.0.1 and wants to retrieve a list of all hosts that have recently synchronized with it, which would effectively map the internal network topology. She knows that a specific NTP query mode can return the last several hundred hosts that interacted with the server. Which command should the analyst use to enumerate NTP clients that have recently synchronized with the target server?
Question 6
Elijah, a penetration tester engaged by a mid-sized healthcare organization, is targeting a Linux host running Samba version 4.x on ports 139 and 445. He suspects that the Samba configuration permits null session connections, which would allow him to enumerate user accounts, group memberships, shared resources, and password policy settings without providing any credentials. He selects a well-known automated enumeration tool designed specifically for Windows and Samba systems and runs it against the target. After execution, Elijah receives a comprehensive output that includes usernames, share names, the workgroup name, and OS version details. Which tool did Elijah most likely use in this scenario?
Question 7
A threat intelligence team discovers that an organization's authoritative DNS server is improperly configured to respond to full zone transfer requests from any source IP address on the internet. An external attacker identifies this misconfiguration using a tool that sends an AXFR query to the DNS server. The attacker successfully downloads the entire zone file in seconds, revealing the complete internal DNS record set for the target domain. The security team must understand the full impact of this breach. Which type of DNS attack has the attacker performed, and what categories of DNS records would typically be exposed?
Question 8
Select all that apply
A security architect at a large enterprise is conducting a review of the organization's defenses against enumeration-based reconnaissance. She is specifically focused on preventing attackers from extracting NetBIOS names, SMB shares, and user account information from perimeter-exposed Windows systems. After reviewing firewall rules and host configurations, she identifies two critical controls that would most significantly reduce the enumeration attack surface for NetBIOS and SMB-based attacks. Which two countermeasures would be most effective in preventing NetBIOS and SMB enumeration from external or unauthorized sources? (Choose two)
Question 9
Clark, now assessing an industrial control system (ICS) environment at a manufacturing facility, discovers that multiple PLCs and managed switches are running SNMP v2c. The facility's IT team has changed the community string from the default 'public' to a custom value — however, the string is listed in the vendor's publicly available installation guide. Clark uses a specialized tool to rapidly test a curated list of community strings against each device, and successfully authenticates to several PLCs using the string found in the vendor documentation. He then uses snmpwalk to retrieve full MIB trees from the compromised devices. What type of attack has Clark performed in the first phase, and which tools are most associated with this technique?
Question 10
A penetration tester is assessing a Windows Server 2019 host and needs to enumerate all RPC services registered with the endpoint mapper service. She knows that the RPC endpoint mapper runs on port 135 and maintains a registry of all RPC services currently available on the host, including their program numbers, version numbers, UUIDs, and transport protocols. This information will help her identify services that may be vulnerable to RPC-based exploits. She uses a purpose-built enumeration approach targeting port 135 to extract the full list of registered endpoints. Which tool or technique did the penetration tester use to enumerate RPC endpoints on the target Windows server?