CEH v13 Domain 3.2 Practice Test 003

This practice test covers Domain 3 (System Hacking Phases and Attack Techniques) Subdomain 2 (System Hacking) from the CEH v13 (312-50v13) exam blueprint (v5).

These questions are inspired by the EC-Council CEH exam and are designed to help you test your knowledge of ethical hacking tools, techniques, and methodologies. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CEH exam.

Note: CEH and Certified Ethical Hacker are registered trademarks of EC-Council. This content is not affiliated with or endorsed by EC-Council.


10 questions • 8 single-answer, 2 multi-select
Question 1
Clark, a penetration tester, has gained local access to a Windows 10 workstation during an authorized red team exercise and extracts the SAM database using Mimikatz to obtain NTLM password hashes for all local accounts. He wants to recover the plaintext passwords by running the extracted hashes against a large precomputed lookup table that maps hash values to their corresponding plaintext strings without any live brute-force computation. Which password cracking technique uses precomputed hash-to-plaintext mappings stored in a lookup table?

Question 2
A penetration tester gains initial access to a Linux web server as the www-data service account and discovers during post-exploitation enumeration that /usr/bin/find has the SUID bit set, meaning it executes with root-level permissions regardless of which user invokes it. By exploiting this misconfiguration via a GTFOBins shell-escape technique, the tester escalates from the low-privileged service account to a full interactive root shell on the target system. What type of privilege escalation is being performed when an attacker moves from a lower-privileged account to a higher-privileged account on the same system?

Question 3
Kevin is conducting an authorized internal penetration test against a Windows Active Directory environment and uses Mimikatz to dump NTLM password hashes from LSASS process memory on a compromised workstation, obtaining hash values for multiple domain accounts without recovering any plaintext passwords. He then injects the captured hash values directly into NTLM authentication handshakes to access file shares and remote management services on additional domain-joined Windows systems. Which attack technique does Kevin's method represent, where authentication is achieved using a password hash rather than the original plaintext credential?

Question 4
Select all that apply
An enterprise red team lead is assembling a toolkit for an authorized password recovery engagement and asks the junior analyst to identify two tools from the list below that are specifically designed for offline password hash cracking, support multiple hash types including NTLM, MD5, and SHA-256, and are explicitly referenced in the CEH v13 methodology. The team will be performing wordlist and rule-based attacks against NTLM hashes extracted from a compromised domain controller. Which two tools are primarily designed for offline password cracking? (Choose two)

Question 5
Elijah successfully compromises a Windows Server 2019 system during a red team engagement and installs a kernel-mode component that hooks SSDT (System Service Descriptor Table) functions to intercept system calls and filter their output, hiding its associated processes, registry entries, and network connections from the operating system, task managers, antivirus software, and security event log viewers. This component patches core OS kernel functions in memory, ensuring its presence is completely invisible to all standard user-space monitoring tools running on the same host. What category of malware is specifically designed to conceal attacker presence by operating at the kernel level and manipulating OS visibility mechanisms?

Question 6
Jane is performing the post-exploitation phase during an authorized red team assessment on a Windows enterprise network and wants to hide a malicious payload inside a legitimate file on the target without changing the file's visible size or triggering antivirus detection against the host file itself. She uses a native Windows NTFS capability to embed the payload within a secondary data stream attached to a benign text document, keeping it completely hidden from standard directory listings and Windows Explorer views. Which Windows NTFS capability allows data to be embedded within a file without altering its apparent size or filename as shown in standard file system views?

Question 7
A penetration tester who has completed a full compromise simulation on a production Windows environment must now erase all evidence of his activities, including clearing the Security, System, and Application event logs, deleting PowerShell command history files, and wiping prefetch artifacts to prevent forensic reconstruction of the attack chain. He uses Metasploit post-exploitation modules combined with native Windows commands such as wevtutil and del to automate artifact removal across multiple compromised hosts. Which phase of the CEH system hacking methodology does this artifact removal activity represent?

Question 8
Select all that apply
A security instructor teaching a CEH boot camp asks students to identify two techniques from the list that are used in the Gaining Access phase of the system hacking methodology and rely on compromised credentials to authenticate to target systems without exploiting a software vulnerability. The instructor notes that one technique attempts a single common password against many accounts to avoid lockout thresholds, while the other injects a captured hash value directly into an authentication session without knowing the plaintext. Which two techniques are associated with credential-based Gaining Access attacks? (Choose two)

Question 9
Kevin is conducting an authorized penetration test against an unpatched Windows Server 2008 R2 host and uses Metasploit to launch an exploit module targeting MS17-010 (EternalBlue), a critical unauthenticated remote code execution vulnerability in the SMBv1 service. After the exploit successfully triggers the vulnerability and achieves code execution on the target, Metasploit delivers a separate code component to the compromised system that establishes an interactive reverse shell back to Kevin's attacking machine. What is the Metasploit term for the code component delivered to a compromised system after a successful exploit to provide the attacker with post-exploitation access?

Question 10
An attacker who has compromised a Windows 10 workstation in a corporate environment creates a new registry value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run pointing to a malicious binary, causing it to execute automatically each time the victim user logs in and ensuring the attacker retains access across system reboots without needing to re-exploit any vulnerability. A forensic analyst reviewing the system's registry hive during incident response identifies this as MITRE ATT&CK T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys). Which phase of the CEH system hacking methodology does this registry-based auto-execution mechanism represent?
