CEH v13 Domain 4.5 Practice Test 002

Question 1

Clark is performing a penetration test against an enterprise network protected by a signature-based IDS and attempts to evade detection by breaking his Nmap scan into tiny packet fragments so that no single packet contains enough of the TCP header to match any known attack signature. The IDS fails to reassemble the fragments and does not alert on the activity. Which IDS evasion technique did Clark use?

A. Session Splicing B. IP Fragmentation C. Unicode Encoding D. TTL Manipulation

Question 2

A security analyst reviewing firewall logs notices that an external attacker consistently sends HTTP requests with the destination port 80 but encapsulates a reverse shell command inside the HTTP payload, allowing the shell traffic to pass through the perimeter firewall unblocked. The firewall is configured to allow inbound TCP port 80 traffic to the DMZ web server without deep packet inspection. Which firewall evasion technique does this describe?

A. Protocol Tunneling B. Source Routing C. IP Spoofing D. ACK Tunneling

Question 3

Jane is performing a red team engagement and uses Nmap with the -D option followed by several decoy IP addresses to make her real scan traffic indistinguishable from spoofed probes originating from multiple sources. The IDS at the target organization generates dozens of simultaneous alerts from different IPs but cannot determine which source is the legitimate attacker. Which IDS evasion technique is Jane employing?

A. Polymorphic Shellcode B. Decoy Scanning C. Fragmentation Attack D. Insertion Attack

Question 4

Select all that apply

An OT security team deploys a honeypot on their industrial control network that mimics a vulnerable SCADA HMI interface to lure potential attackers and gather threat intelligence on adversary tactics. During the monitoring period, they detect an attacker who enumerated the fake HMI using Shodan and Nmap before realizing the system showed signs of being a trap and abruptly ceased interaction. Which TWO indicators would MOST reliably suggest to an attacker that the system is a honeypot rather than a production asset? (Choose two)

A. All ports open with instant banner responses B. No outbound traffic or legitimate user sessions C. IP listed in public threat intelligence feeds D. OS fingerprint matches a real ICS vendor E. Zero packet loss and perfect reliability

Question 5

Elijah is conducting an authorized penetration test against a financial institution's web application and uses Burp Suite to insert invalid UTF-8 byte sequences and double-encoded percent signs in the URL path before forwarding requests to the backend web server, successfully bypassing the WAF that strips only single-pass decoded attack strings. The backend server normalizes the URL a second time and processes the injected payload. Which evasion technique did Elijah apply?

A. HTTP Header Injection B. Double Encoding C. Session Splicing D. Obfuscated JavaScript

Question 6

A penetration tester assessing a hardened enterprise perimeter uses hping3 to craft TCP packets with the ACK flag set and a destination port of 443, then analyzes which packets elicit RST responses from hosts inside the network to determine which IP addresses are alive behind the stateful firewall. The firewall passes ACK packets because they appear to belong to established sessions. Which scanning technique is the tester using to bypass the firewall?

A. XMAS Scan B. SYN Stealth Scan C. ACK Flag Probe Scan D. FIN Scan

Question 7

Kevin is performing a wireless penetration test against a corporate network and discovers that the IDS is configured to alert on any traffic matching known Metasploit module signatures. He modifies his exploit payload using a custom XOR encoder in msfvenom to change the byte pattern of the shellcode with each generation, ensuring no two payloads have the same binary signature. Which IDS evasion technique is Kevin using?

A. Insertion Attack B. Polymorphic Code C. Protocol-Level Evasion D. Proxy Chain Obfuscation

Question 8

A red team operator is testing an enterprise network where the perimeter firewall blocks all inbound traffic except DNS responses on UDP port 53. The operator establishes a command-and-control channel by encoding commands as subdomains of a domain she controls and receiving data back in DNS TXT records, completely bypassing firewall rules that only inspect layer 3 and layer 4 headers. Which firewall evasion technique is she using?

A. ICMP Tunneling B. DNS Tunneling C. HTTP Tunneling D. SSH Port Forwarding

Question 9

Select all that apply

During a cloud-based penetration test, a security team discovers that the target organization's web application firewall is deployed in detection-only mode and is not blocking any traffic. The team identifies the WAF's presence by sending deliberately malformed HTTP requests and comparing response latency and error messages against those from an unprotected endpoint. Which TWO methods are MOST commonly used to detect the presence of a WAF in front of a web application? (Choose two)

A. Observing WAF-specific cookies in server responses B. Injecting attack strings and analyzing response anomalies C. Running a full Nmap SYN scan on all ports D. Using wafw00f to fingerprint WAF signatures E. Performing a DNS zone transfer

Question 10

An IDS analyst notices that an attacker's TCP stream contains overlapping fragments where both the IDS and the target host receive the same fragments but reassemble them differently due to conflicting overlap resolution policies, causing the IDS to reconstruct a benign byte sequence while the target host processes the actual malicious payload. Which IDS evasion category does this attack fall under?

A. Evasion Attack B. Insertion Attack C. DoS Against the IDS D. Encoding Obfuscation

ByThe Test Master

Related Post

CEH v13 Domain 4.4 Practice Test 002

CEH v13 Domain 4.3 Practice Test 002

CEH v13 Domain 4.1 Practice Test 002