CEH v13 Domain 3.2 Practice Test 001

Question 1

During a penetration test, a tester captures the following hash from a Windows target's SAM database: `aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0`. The tester recognizes this immediately without running any cracking tool. What does this hash indicate?

A. The account uses a blank password B. The account is disabled and locked out C. The hash was generated using bcrypt and cannot be cracked D. The account is protected by Windows Credential Guard

Question 2

Clark, a professional hacker, has gained a low-privileged shell on a Windows Server 2019 system. He runs the command `whoami /priv` and notices that the `SeImpersonatePrivilege` token is enabled for his current user context. Clark decides to leverage this finding to escalate his privileges to SYSTEM level. Which attack technique is Clark most likely preparing to execute?

A. Pass-the-Hash B. Token impersonation using a potato attack (e.g., JuicyPotato or PrintSpoofer) C. DLL hijacking D. Kerberoasting

Question 3

Select all that apply

A penetration tester has compromised a Linux host and wants to establish persistence without creating a new user account or modifying `/etc/passwd`. The tester wants the backdoor to survive reboots and remain hidden from a basic process listing. Which TWO of the following techniques would best achieve this goal? (Choose two)

A. Adding a reverse shell one-liner to `/etc/rc.local` B. Creating a cron job under the root crontab that spawns a callback shell C. Installing a bind shell listener on port 443 as a foreground process D. Modifying the `.bashrc` file of a low-privilege user E. Deploying a kernel-level rootkit that hooks system calls

Question 4

Jane is conducting a black-box penetration test against a Windows Active Directory environment. After gaining initial access, she uses Mimikatz and runs the command `sekurlsa::logonpasswords`. What is the primary purpose of this command, and from where does Mimikatz extract the credentials?

A. It dumps password hashes from the SAM database on disk B. It extracts plaintext passwords and hashes from LSASS process memory C. It performs a brute-force attack against cached domain credentials D. It reads credentials stored in the Windows Credential Manager vault

Question 5

During a penetration test, a tester uses the following Hashcat command against a captured hash file: `hashcat -m 1000 -a 3 hashes.txt ?u?l?l?l?d?d?d?d`. What attack mode and password pattern is this command targeting?

A. Dictionary attack targeting 8-character passwords starting with a digit B. Brute-force/mask attack targeting passwords with one uppercase letter, three lowercase letters, and four digits C. Rule-based attack targeting NTLM hashes using a custom wordlist D. Combinator attack targeting LM hashes with an alphanumeric mask

Question 6

Elijah, a malicious insider, wants to cover his tracks after exfiltrating sensitive files from a Linux server. He wants to remove evidence of his activity from system logs without completely deleting log files, which would itself raise suspicion. Which of the following commands would BEST help Elijah selectively remove entries related to his username `elijah` from the `/var/log/auth.log` file?

A. `shred -u /var/log/auth.log` B. `sed -i '/elijah/d' /var/log/auth.log` C. `echo "" > /var/log/auth.log` D. `rm -rf /var/log/`

Question 7

A security analyst reviewing endpoint logs notices that a Windows service named `WindowsUpdateSvc32` was recently installed on several hosts. The service binary path points to `C:WindowsTempsvchost32.exe` and it is configured to start automatically. No legitimate Windows update service uses this name or path. What system hacking phase does this activity MOST likely represent?

A. Gaining Access B. Escalating Privileges C. Establishing Persistence D. Clearing Logs

Question 8

During a penetration test, a tester wants to perform online password cracking against an SSH service on a target at 192.168.10.50. The tester has a username list (`users.txt`) and a password list (`pass.txt`). Which tool and command syntax would be MOST appropriate for this task?

A. `john --wordlist=pass.txt --users=users.txt ssh_hashes.txt` B. `hydra -L users.txt -P pass.txt 192.168.10.50 ssh` C. `aircrack-ng -w pass.txt -u users.txt capture.cap` D. `hashcat -m 1800 -a 0 ssh_hashes.txt pass.txt`

Question 9

Kevin is performing a post-exploitation assessment on a Windows domain-joined workstation. He wants to extract cached domain credentials stored locally so that users can log in even when the domain controller is unreachable. Kevin runs `lsadump::cache` in Mimikatz. What type of credentials does this module retrieve, and how are they protected?

A. Kerberos TGTs stored in plaintext in the LSASS memory space B. Domain cached credentials (DCC2) stored as MS-Cache v2 hashes in the registry C. NTLM hashes stored in the SAM database under HKLMSAM D. WDigest credentials stored in the LSA secrets section of the registry

Question 10

Select all that apply

An ethical hacker is performing a penetration test on a Windows environment and has obtained SYSTEM-level access on a workstation. She wants to dump credentials from the SAM database but notices that the SAM file is locked by the OS. Which technique would allow her to extract the SAM database contents while the system is running? (Choose two)

A. Use `reg save HKLMSAM sam.bak` and `reg save HKLMSYSTEM system.bak`, then parse offline with secretsdump.py B. Use Volume Shadow Copy (`vssadmin`) to access a shadow copy of the SAM file C. Run `net user /domain` to export all domain account hashes D. Use `copy C:WindowsSystem32configSAM .` while the OS is running normally E. Boot from a live USB and copy the SAM file directly from the filesystem

ByThe Test Master

Related Post

CEH v13 Domain 2.2 Practice Test 002

CEH v13 Domain 2.1 Practice Test 002

CEH v13 Domain 1.1 Practice Test 002

Leave a Reply Cancel reply

You missed

CEH v13 Domain 2.2 Practice Test 002

CEH v13 Domain 2.1 Practice Test 002

CEH v13 Domain 1.1 Practice Test 002

CEH v13 Domain 9.1 Practice Test 001