CertiProf Updated CEHPC Exam Questions and Answers by kiyaan

Passive recognition (or passive reconnaissance) is the foundational phase of any ethical hacking or penetration testing engagement. Its primary objective is to collect as much intelligence as possible about a target while remaining completely undetectable. The hallmark of a passive approach is that itnever involves direct interactionwith the target’s infrastructure. By avoiding the transmission of packets directly to the target’s servers, the attacker or tester ensures that no logs are generated and no intrusion detection systems (IDS) or firewalls are triggered.

Instead, ethical hackers leverageOpen-Source Intelligence (OSINT)and third-party data sources. Common techniques include:

WHOIS and DNS Lookups: Querying public registries to find domain ownership, administrative contacts, and subdomains.

Social Media Analysis: Scraping platforms like LinkedIn or Twitter to identify key employees, their roles, and potential technologies used by the firm.

Search Engine Probing: Using "Google Dorking" to find exposed documents, metadata, or forgotten directories that might contain software version numbers or usernames.

Analyzing Public Databases: Checking repositories like GitHub for leaked source code or credentials.

The primary advantage of passive recognition is stealth; it allows a penetration tester to map a target's "footprint" without alerting security teams to an impending assessment. While the data gathered passively may occasionally be less precise than that obtained through active probing (like port scanning), it provides a low-risk way to identify broad vulnerabilities and potential entry points. It is a critical step in building a comprehensive picture of a target’s security landscape before moving into more intrusive phases.

Nmap (Network Mapper) is primarily known as a powerful tool for network discovery and port scanning, but it also possesses robust vulnerability scanning capabilities through theNmap Scripting Engine (NSE). The NSE allows users to write and share simple scripts to automate a wide variety of networking tasks. One of the core categories of scripts available in the NSE is vuln, which is specifically designed to detect known security vulnerabilities on the targets being scanned.

When an ethical hacker runs a scan with the flag --script vuln, Nmap will not only identify open ports but will also cross-reference the discovered services against its internal database of vulnerabilities. For example, if Nmap detects an old version of an SMB service, it can run specific scripts to check if that service is vulnerable to well-known exploits like EternalBlue (MS17-010).

While dedicated vulnerability scanners like Nessus or OpenVAS offer more comprehensive databases and reporting features, Nmap’s vulnerability scanning is highly valued for being fast, lightweight, and scriptable. It is an excellent tool for "quick-look" assessments during the reconnaissance phase. By using NSE, testers can also perform tasks beyond simple vulnerability detection, such as:

Brute-forcing: Attempting to guess passwords for services like SSH or FTP.

Malware Detection: Identifying if a server has been infected by certain types of worms or backdoors.

Configuration Auditing: Checking for insecure default settings.

Integrating Nmap’s vulnerability scanning into a penetration testing workflow allows for a more seamless transition from discovery to exploitation, making it one of the most versatile tools in a security professional’s toolkit.

Persistent Cross-Site Scripting (XSS), also known as Stored XSS, is one of the most dangerous forms of web application vulnerabilities. It occurs when a web application receives data from a user and stores it permanently in its backend database or filesystem without proper sanitization or encoding. Common vectors for persistent XSS include comment sections, user profiles, message boards, and "Contact Us" forms. Unlike Reflected XSS, where the payload is included in a specific URL and only affects the user who clicks that link, a persistent XSS payload is served automatically to every user who visits the affected page.

When an attacker successfully injects a malicious script (typically JavaScript), the server "remembers" this script. Every time a legitimate user requests the page where the data is displayed, the server includes the malicious code in the HTML response. The user’s browser, trusting the source, executes the script. This can lead to devastating consequences, such as session hijacking through the theft of session cookies, account takeover, or the redirection of users to malicious websites. From an ethical hacking perspective, identifying persistent XSS involves testing all input fields that result in data being displayed later. Mitigation strategies focus on the principle of "filter input, escape output." Input should be validated against a strict whitelist of allowed characters, and any data rendered in the browser must be context-aware encoded (e.g., converting < to <) to prevent the browser from interpreting the data as executable code. Because the payload is stored on the server, this vulnerability represents a significant risk to the entire user base of an organization, making it a high-priority finding in any security assessment.

Social engineering is a non-technical method of intrusion that relies heavily on human interaction and involves tricking people into breaking normal security procedures. Unlike traditional hacking, which targets software or hardware vulnerabilities, social engineering exploits human psychology—specifically the natural tendency to trust or the desire to be helpful. The process typically begins with an attacker assuming a deceptive persona, such as a helpful IT support technician, a trusted colleague, or an authoritative figure like a company executive. By establishing a rapport or creating a sense of urgency, the attacker builds a bridge of "trust" with the victim.

Once this psychological foothold is established, the attacker manipulates the victim into performing actions that compromise security. This might include revealing confidential login credentials, transferring funds to fraudulent accounts, or providing sensitive internal information about a network’s architecture. Common tactics include "phishing" (sending deceptive emails), "vishing" (voice solicitation over the phone), and "pretexting" (creating a fabricated scenario to obtain info).

In a professional ethical hacking engagement, social engineering testing is critical because it highlights that a company’s security is only as strong as its weakest human link. No matter how robust the firewalls or encryption methods are, they can be bypassed if an employee is manipulated into "opening the door" for an adversary. Effective defenses against social engineering do not rely solely on technology but on continuous employee awareness training and the implementation of strict verification protocols for any request involving sensitive data.