This practice test covers Domain 3 (System Hacking Phases and Attack Techniques) Subdomain 2 (System Hacking) from the CEH v13 (312-50v13) exam blueprint (v5).

These questions are inspired by the EC-Council CEH exam and are designed to help you test your knowledge of ethical hacking tools, techniques, and methodologies. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CEH exam.

Note: CEH and Certified Ethical Hacker are registered trademarks of EC-Council. This content is not affiliated with or endorsed by EC-Council.


CEH v13 Domain 3.2 Practice Test 002
10 questions • 8 single-answer, 2 multi-select
Question 1
Kevin, a threat actor, has successfully compromised a Windows domain controller during a targeted attack against a financial institution. He extracts the NTDS.dit file and the SYSTEM registry hive from the domain controller and transfers both files to his remote attack machine running Kali Linux. Kevin then uses impacket-secretsdump to pull the NTLM hashes from the offline database files. He feeds the resulting hash list into hashcat along with the rockyou.txt wordlist and executes a cracking session against all extracted hashes. Which password cracking technique is Kevin using when he runs hashcat against the extracted NTLM hashes using the rockyou.txt wordlist?

Question 2
A penetration tester gains initial access to a Linux server as a low-privileged service account during a red team engagement targeting a retail company. During post-exploitation enumeration, she runs 'sudo -l' and discovers that the service account has NOPASSWD sudo rights for /usr/bin/vim. She opens vim using sudo and types ':!/bin/bash' from within the editor to spawn an interactive root shell without entering any password. The engagement report must accurately classify this privilege escalation technique for the client. What type of privilege escalation did the penetration tester achieve, and what is the root cause vulnerability?

Question 3
Select all that apply
Clark has successfully compromised a Windows 10 endpoint inside a corporate network using a Metasploit exploit and obtained a Meterpreter session with SYSTEM-level privileges. The target organization conducts regular system reboots as part of patch maintenance cycles, and Clark wants to ensure his access survives reboots and does not depend on the original exploit path remaining available. He evaluates several post-exploitation options from his toolkit before selecting persistence mechanisms. Which TWO of the following techniques would most effectively allow Clark to maintain persistent access to the compromised Windows endpoint across reboots? (Choose two)

Question 4
A digital forensics analyst is called in to investigate a suspected breach at a regional bank. Upon examining a compromised Windows Server 2019 system, the analyst discovers that the Windows Security, System, and Application event logs are entirely empty. The server has been in active production for three years with auditing policies confirmed enabled via Group Policy. No log rotation or archiving policy is configured on the system, and the SIEM platform shows a complete gap in log data from the server beginning at a specific timestamp three weeks prior. The analyst correlates the log gap with confirmed indicators of compromise on the network perimeter. Which activity most accurately explains the state of the Windows event logs on the compromised server?

Question 5
A CEH candidate is studying the EC-Council system hacking methodology in preparation for the 312-50v13 exam. The methodology defines a structured sequence of phases that an attacker follows when targeting a system after gaining initial network-level access. The candidate encounters a practice question asking them to arrange the system hacking phases in their correct sequential order as defined by EC-Council. Understanding this sequence is critical both for the exam and for recognizing attacker behavior during incident response activities. Which of the following sequences correctly represents the EC-Council system hacking phases in order?

Question 6
Jane, a senior penetration tester contracted by a manufacturing company, identifies during an external vulnerability scan that a Windows Server 2016 system is running an unpatched SMB service susceptible to MS17-010 (EternalBlue). She opens Metasploit on her Kali Linux attack machine, selects the exploit/windows/smb/ms17_010_eternalblue module, configures RHOSTS with the target IP and LHOST with her machine's IP, and executes the exploit. Within seconds she receives an active Meterpreter shell displaying NT AUTHORITY\SYSTEM — no credentials were supplied at any point. In the context of the CEH system hacking methodology, what phase does Jane's activity represent, and what makes this exploitation particularly significant?

Question 7
Select all that apply
A forensic team investigating a prolonged intrusion in an operational technology (OT) environment discovers that an attacker maintained covert access to a Windows HMI workstation for over four months without triggering any alerts. Forensic analysis of the compromised workstation reveals the attacker used multiple techniques to hide malicious tools and exfiltrated data from both local administrators and the monitoring team. The forensic team must accurately document the file-hiding techniques used by the attacker in their incident report. Which TWO of the following methods would most effectively allow an attacker to conceal files on a compromised Windows system within an OT environment? (Choose two)

Question 8
During an authorized cloud penetration test of an AWS environment, a security tester discovers that a publicly accessible EC2 instance running a web application is vulnerable to server-side request forgery (SSRF). He crafts a malicious payload and sends it through a vulnerable URL parameter, causing the application server to query the AWS Instance Metadata Service (IMDS) at http://169.254.169.254/latest/meta-data/iam/security-credentials/WebAppRole. The response returns a valid AccessKeyId, SecretAccessKey, and SessionToken belonging to the IAM role attached to the instance. The tester then configures the AWS CLI with these credentials and successfully lists and downloads files from private S3 buckets containing sensitive PII. In the context of the CEH system hacking methodology, what phase does this technique represent?

Question 9
Elijah, a red team operator, has an active Meterpreter session on a Windows 11 enterprise workstation in the finance department. The target user regularly authenticates to the organization's banking portal and internal ERP system throughout the workday. Elijah wants to silently capture every keystroke the user types into these applications. Before running the Meterpreter keyscan_start command, Elijah runs 'ps' to list processes, identifies explorer.exe running under the target user's account, and executes 'migrate ' to move his Meterpreter session into the explorer.exe process space. What is the primary operational reason Elijah migrates into explorer.exe before activating the keylogger?

Question 10
During a post-engagement debrief, a penetration testing team presents findings to the CISO of a mid-sized enterprise. The report describes a technique in which the testers extracted NTLM password hashes from a compromised server's SAM database using Mimikatz and then used those hash values directly in SMB authentication requests to move laterally across multiple Windows servers in the domain — all without ever converting the hashes to plaintext passwords. The CISO asks the lead tester to explain why this attack succeeds even though the organization enforces a 16-character minimum password complexity policy. Which of the following best identifies the attack technique and explains why strong password policies do not prevent it?
