- In the context of penetration testing, what is the primary purpose of defining a Rules of Engagement (RoE) document?
- To outline the legal framework of the test
- To detail the technical procedures to be used
- To establish communication protocols with the client
- To specify the boundaries and limitations of the test
Correct answer: To specify the boundaries and limitations of the test
Correct answer: To specify the boundaries and limitations of the test. Explanation: The Rules of Engagement document in penetration testing primarily serves to specify the boundaries and limitations of the test. It includes details such as the scope, timing, methods to be used, and any areas or tactics that are off-limits, ensuring both parties have clear expectations.
- Which element is crucial to include in a penetration testing report for it to be most effective for the client?
- A detailed list of all tools used during the test
- High-level executive summaries
- Step-by-step reproduction of each exploit
- The personal information of the pen-testers
Correct answer: High-level executive summaries
Correct answer: High-level executive summaries. Explanation: Including high-level executive summaries in a penetration testing report is crucial for its effectiveness. It provides a concise overview of the findings, risks, and recommendations, which is particularly useful for stakeholders who may not have technical expertise.
- What is the most important reason for defining a clear scope in a penetration testing engagement?
- To ensure legal compliance
- To limit the time spent on testing
- To prevent testing of out-of-scope targets
- To guarantee the discovery of all vulnerabilities
Correct answer: To prevent testing of out-of-scope targets
Correct answer: To prevent testing of out-of-scope targets. Explanation: Defining a clear scope in a penetration testing engagement is crucial to prevent testing of out-of-scope targets. It helps to avoid unauthorized access and potential legal issues by clearly delineating the boundaries within which the testers are allowed to operate.
- Which of the following best describes a Black Box penetration test?
- The tester has full knowledge of the target environment.
- The tester has no prior knowledge of the target environment.
- The tester is given limited information, typically only network diagrams.
- The tester is an employee of the organization being tested.
Correct answer: The tester has no prior knowledge of the target environment.
Correct answer: The tester has no prior knowledge of the target environment. Explanation: In a Black Box penetration test, the tester simulates an external attack by someone with no prior knowledge of the target environment. This approach helps in assessing how an actual attacker might exploit vulnerabilities without inside information.
- What factor is most critical when determining the timeline for a penetration test?
- The size and complexity of the target environment
- The availability of penetration testing tools
- The geographical location of the testing team
- The number of previous tests conducted on the target
Correct answer: The size and complexity of the target environment
Correct answer: The size and complexity of the target environment. Explanation: The size and complexity of the target environment are the most critical factors in determining the timeline for a penetration test. Larger and more complex environments generally require more time to thoroughly assess and test.
- In penetration testing, why is it important to establish a communication plan with the client?
- To provide daily updates on findings
- To discuss the tools and methods being used
- To agree on how and when to report critical findings
- To negotiate the cost of the engagement
Correct answer: To agree on how and when to report critical findings
Correct answer: To agree on how and when to report critical findings. Explanation: Establishing a communication plan with the client is important to agree on how and when to report critical findings. Immediate communication of critical vulnerabilities is essential for allowing the client to take timely action to mitigate risks.
- Which of the following is a key consideration when scoping a penetration test for an e-commerce website?
- The marketing strategies of the company
- The types of products being sold
- The payment processing systems used
- The physical location of the company's offices
Correct answer: The payment processing systems used
Correct answer: The payment processing systems used. Explanation: When scoping a penetration test for an e-commerce website, a key consideration is the payment processing systems used. These systems are critical components that handle sensitive financial data and require thorough testing for vulnerabilities.
- What is the primary reason for conducting a risk assessment before a penetration test?
- To identify the most critical assets to focus on
- To choose the appropriate tools for the test
- To determine the skill level of the pen-testers
- To predict the outcome of the test
Correct answer: To identify the most critical assets to focus on
Correct answer: To identify the most critical assets to focus on. Explanation: Conducting a risk assessment before a penetration test is primarily done to identify the most critical assets. This helps in focusing the test on areas where vulnerabilities would have the most significant impact.
- In the planning phase of a penetration test, why is it important to consider regulatory compliance?
- To ensure the test does not violate legal or regulatory requirements
- To determine the technical skills required for the test
- To estimate the duration of the test
- To identify the tools prohibited by law
Correct answer: To ensure the test does not violate legal or regulatory requirements
Correct answer: To ensure the test does not violate legal or regulatory requirements. Explanation: Considering regulatory compliance in the planning phase of a penetration test is important to ensure that the testing activities do not violate any legal or regulatory requirements. This is crucial to avoid legal repercussions and ensure adherence to industry standards and laws.
- What is the significance of defining a "Stop Point" in a penetration testing engagement?
- To mark the successful completion of the test
- To determine when the testing budget has been expended
- To specify conditions under which testing should be halted
- To identify the highest level of privilege that can be obtained
Correct answer: To specify conditions under which testing should be halted
Correct answer: To specify conditions under which testing should be halted. Explanation: Defining a "Stop Point" in a penetration testing engagement is important to specify the conditions under which testing should be halted. This could be due to critical system instability, discovery of a severe vulnerability, or other predefined conditions to prevent unwanted disruptions or damage.
- In penetration testing, what is the main purpose of defining the scope in relation to the client's objectives?
- To ensure the test is conducted within a set timeframe
- To align the testing activities with the client's security goals
- To limit the number of penetration testers involved
- To reduce the overall cost of the engagement
Correct answer: To align the testing activities with the client's security goals
Correct answer: To align the testing activities with the client's security goals. Explanation: Defining the scope in relation to the client's objectives in penetration testing is crucial to ensure that the testing activities are aligned with the client's security goals. It helps in focusing efforts on areas that are most relevant to the client's needs and concerns.
- Why is it important to understand the client's infrastructure before starting a penetration test?
- To choose the right tools and techniques for the test
- To comply with legal and regulatory requirements
- To prepare a detailed report for the client
- To train the penetration testing team
Correct answer: To choose the right tools and techniques for the test
Correct answer: To choose the right tools and techniques for the test. Explanation: Understanding the client's infrastructure is important before starting a penetration test to choose the appropriate tools and techniques. Different infrastructures may require different testing methods, and a proper understanding helps in planning an effective testing strategy.
- What is a critical factor to consider when determining the legal implications of a penetration test?
- The geographical location of the testing team
- The type of penetration testing tools used
- The jurisdiction where the testing takes place
- The number of systems to be tested
Correct answer: The jurisdiction where the testing takes place
Correct answer: The jurisdiction where the testing takes place. Explanation: A critical factor to consider when determining the legal implications of a penetration test is the jurisdiction where the testing takes place. Different jurisdictions have different laws and regulations concerning cybersecurity and penetration testing, which must be adhered to.
- In the planning phase, what is the importance of identifying the critical assets of the organization?
- To focus the testing on less critical systems
- To ensure all assets receive equal attention
- To prioritize testing on the most sensitive or valuable assets
- To determine the duration of the test
Correct answer: To prioritize testing on the most sensitive or valuable assets
Correct answer: To prioritize testing on the most sensitive or valuable assets. Explanation: Identifying the critical assets of the organization in the planning phase of penetration testing is important to prioritize testing on the most sensitive or valuable assets. This helps to efficiently allocate resources and efforts to areas where potential vulnerabilities could have the most impact.
- What role does a threat model play in the planning phase of a penetration test?
- It helps in selecting the members of the testing team
- It assists in predicting the potential impact of vulnerabilities
- It is used to estimate the cost of the testing engagement
- It determines the types of tools to be used during the test
Correct answer: It assists in predicting the potential impact of vulnerabilities
Correct answer: It assists in predicting the potential impact of vulnerabilities. Explanation: A threat model in the planning phase of a penetration test helps in predicting the potential impact of vulnerabilities. It involves identifying potential threats and assessing how they could exploit vulnerabilities, aiding in focusing the test on significant risk areas.
- Why is it necessary to establish data handling procedures before conducting a penetration test?
- To ensure data collected during the test is securely stored and disposed of
- To make sure that the data can be easily transferred between testers
- To prevent the client's data from being accessed by unauthorized personnel
- To comply with the testing tools' licensing agreements
Correct answer: To ensure data collected during the test is securely stored and disposed of
Correct answer: To ensure data collected during the test is securely stored and disposed of. Explanation: Establishing data handling procedures before conducting a penetration test is necessary to ensure that any data collected during the test is securely stored and appropriately disposed of. This is crucial to maintain confidentiality and prevent data breaches.
- In a penetration testing engagement, why is it important to have a clear understanding of the client's business operations?
- To tailor the testing methods to the specific industry
- To avoid testing during business peak hours
- To ensure that the test results are relevant to the client's business context
- To prepare an industry-specific report
Correct answer: To ensure that the test results are relevant to the client's business context
Correct answer: To ensure that the test results are relevant to the client's business context. Explanation: Having a clear understanding of the client's business operations in a penetration testing engagement is important to ensure that the test results are relevant to the client's business context. This understanding helps in aligning the test with the specific needs and risks of the business.
- What is the primary purpose of obtaining written permission before conducting a penetration test?
- To document the technical details of the test
- To define the scope and limitations of the test
- To ensure legal authorization for the testing activities
- To confirm the date and time of the test
Correct answer: To ensure legal authorization for the testing activities
Correct answer: To ensure legal authorization for the testing activities. Explanation: The primary purpose of obtaining written permission before conducting a penetration test is to ensure legal authorization for the testing activities. This helps in protecting both the tester and the client from legal issues that may arise from unauthorized testing.
- How does defining the scope of a penetration test benefit the client organization?
- It ensures all vulnerabilities will be discovered
- It prevents unnecessary testing of out-of-scope systems
- It reduces the cost of the penetration test
- It speeds up the testing process
Correct answer: It prevents unnecessary testing of out-of-scope systems
Correct answer: It prevents unnecessary testing of out-of-scope systems. Explanation: Defining the scope of a penetration test benefits the client organization by preventing unnecessary testing of out-of-scope systems. A well-defined scope helps in focusing the testing efforts on relevant areas, avoiding wastage of resources on irrelevant systems.
- In penetration testing, what is the significance of understanding the client's risk tolerance?
- To choose the most aggressive testing techniques
- To tailor the testing strategy to align with the client's risk appetite
- To determine the number of testers required for the engagement
- To calculate the potential financial impact of the test
Correct answer: To tailor the testing strategy to align with the client's risk appetite
Correct answer: To tailor the testing strategy to align with the client's risk appetite. Explanation: Understanding the client's risk tolerance in penetration testing is significant to tailor the testing strategy to align with the client's risk appetite. This ensures that the testing approach matches the level of risk the client is willing to accept during the testing process.
- Which tool is primarily used for automated vulnerability scanning in a network penetration testing scenario?
- Nmap
- Metasploit
- Nessus
- Wireshark
Correct answer: Nessus
Correct answer: Nessus. Explanation: Nessus is widely used for automated vulnerability scanning in penetration testing. It helps in identifying vulnerabilities, misconfigurations, and potential risks within the network, making it an essential tool for vulnerability assessment.
- In the context of penetration testing, what is the primary purpose of using a tool like Burp Suite?
- Network mapping
- Wireless cracking
- Web application security testing
- Password cracking
Correct answer: Web application security testing
Correct answer: Web application security testing. Explanation: Burp Suite is primarily used for web application security testing. It provides a range of tools for probing and attacking web applications, making it a vital tool for identifying vulnerabilities in web applications during penetration testing.
- Which technique is most effective for identifying live hosts on a network during a penetration test?
- Port scanning
- DNS enumeration
- ICMP sweeping
- Social engineering
Correct answer: ICMP sweeping
Correct answer: ICMP sweeping. Explanation: ICMP sweeping is an effective technique for identifying live hosts on a network. It involves sending ICMP echo requests (pings) to multiple hosts and analyzing the responses to determine which hosts are active.
- What is the primary purpose of using the whois command in the information gathering phase of a penetration test?
- To identify open ports on the target system
- To gather information about the domain owner and registrar
- To crack passwords
- To intercept network traffic
Correct answer: To gather information about the domain owner and registrar
Correct answer: To gather information about the domain owner and registrar. Explanation: The whois command is used to gather information about the domain owner, registrar, registration dates, and more. This information can be valuable in the reconnaissance phase of a penetration test to understand more about the target organization.
- Which tool or technique is used for discovering subdomains of a target domain during a penetration test?
- Traceroute
- DNS zone transfer
- Sublist3r
- ARP spoofing
Correct answer: Sublist3r
Correct answer: Sublist3r. Explanation: Sublist3r is a tool specifically used for discovering subdomains of a target domain. It is effective in finding hidden subdomains that might be relevant targets during a penetration test.
- What is the primary goal of fingerprinting a server during a penetration test?
- Identifying the server's physical location
- Determining the server's operating system and software versions
- Cracking the server's passwords
- Mapping the network topology
Correct answer: Determining the server's operating system and software versions
Correct answer: Determining the server's operating system and software versions. Explanation: Fingerprinting a server involves determining the server's operating system and software versions. This information is crucial for identifying potential vulnerabilities and planning subsequent phases of the penetration test.
- In penetration testing, what is the primary use of a tool like SQLmap?
- Conducting SQL injection attacks
- Performing network enumeration
- Cracking wireless encryption
- Executing phishing campaigns
Correct answer: Conducting SQL injection attacks
Correct answer: Conducting SQL injection attacks. Explanation: SQLmap is a tool designed for automating the process of detecting and exploiting SQL injection vulnerabilities. It is widely used in penetration testing for identifying and demonstrating SQL injection flaws in web applications.
- Which of the following is an active information gathering technique?
- Analyzing publicly available data
- Scanning ports of the target system
- Reviewing DNS records
- Reading archived news about the target
Correct answer: Scanning ports of the target system
Correct answer: Scanning ports of the target system. Explanation: Scanning ports of the target system is an active information gathering technique. Unlike passive techniques, it involves directly interacting with the target system to gather information, such as open ports and services.
- During a penetration test, which tool is most effective for automated password cracking of hashed passwords?
- Nmap
- John the Ripper
- WireShark
- Burp Suite
Correct answer: John the Ripper
Correct answer: John the Ripper. Explanation: John the Ripper is a fast password cracker, primarily used for cracking hashed passwords. It is an effective tool for automated password cracking in penetration testing, supporting many hash types and attack modes.
- Which method is commonly used to discover the technology stack (like CMS, web server version) of a target web application?
- Port scanning
- Banner grabbing
- Social engineering
- Physical security testing
Correct answer: Banner grabbing
Correct answer: Banner grabbing. Explanation: Banner grabbing involves collecting information from network responses sent by the target system. This technique is used to identify the technology stack, such as CMS and web server versions, of a target web application.
- In penetration testing, what is the primary purpose of a tool like Nikto?
- Network sniffing
- Web server vulnerability scanning
- Password cracking
- Wireless network testing
Correct answer: Web server vulnerability scanning
Correct answer: Web server vulnerability scanning. Explanation: Nikto is a web server scanner that performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs. It is primarily used for web server vulnerability scanning in penetration testing.
- Which technique is effective for identifying if a web application is vulnerable to cross-site scripting (XSS)?
- SQL injection testing
- Fuzzing with malicious scripts
- Port scanning
- DNS enumeration
Correct answer: Fuzzing with malicious scripts
Correct answer: Fuzzing with malicious scripts. Explanation: Fuzzing with malicious scripts is an effective technique for identifying XSS vulnerabilities in web applications. It involves inputting malicious scripts into web forms or URL parameters to see if they are executed, indicating an XSS vulnerability.
- What is the main goal of utilizing a tool like Wapiti in penetration testing?
- Conducting wireless network attacks
- Performing web application black-box vulnerability scanning
- Executing network layer attacks
- Gathering information through social engineering
Correct answer: Performing web application black-box vulnerability scanning
Correct answer: Performing web application black-box vulnerability scanning. Explanation: Wapiti is a tool used for black-box vulnerability scanning of web applications. It performs the scanning without access to the source code, making it effective for identifying various types of web application vulnerabilities.
- During a penetration test, which tool is used for sniffing and analyzing network packets?
- Aircrack-ng
- Wireshark
- Metasploit
- Nessus
Correct answer: Wireshark
Correct answer: Wireshark. Explanation: Wireshark is a network protocol analyzer used for network troubleshooting, analysis, and communications protocol development. It is widely used in penetration testing for sniffing and analyzing network packets to gather information and identify vulnerabilities.
- In the context of penetration testing, which tool is specifically designed for testing SQL injection vulnerabilities?
- Burp Suite
- SQLmap
- Nikto
- Nmap
Correct answer: SQLmap
Correct answer: SQLmap. Explanation: SQLmap is a tool designed specifically for automating the detection and exploitation of SQL injection flaws. It is widely used in penetration testing for identifying SQL injection vulnerabilities in web applications and databases.
- What is the primary use of a tool like OpenVAS in penetration testing?
- Vulnerability scanning
- Password cracking
- Wireless network testing
- Social engineering
Correct answer: Vulnerability scanning
Correct answer: Vulnerability scanning. Explanation: OpenVAS (Open Vulnerability Assessment System) is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution. It is primarily used for vulnerability scanning in penetration testing.
- Which penetration testing technique is most effective for discovering outdated software versions on a target system?
- Banner grabbing
- Phishing
- Social engineering
- Physical access testing
Correct answer: Banner grabbing
Correct answer: Banner grabbing. Explanation: Banner grabbing is an effective technique in penetration testing for discovering outdated software versions on a target system. It involves capturing information from network service banners, which often include version details of the software running.
- During a penetration test, what is the primary purpose of using tools like Maltego?
- Network mapping and reconnaissance
- Decrypting encrypted files
- Cracking wireless network passwords
- Performing brute-force attacks
Correct answer: Network mapping and reconnaissance
Correct answer: Network mapping and reconnaissance. Explanation: Maltego is a tool used for open-source intelligence and forensics, focusing on network mapping and reconnaissance. It helps penetration testers in gathering information about the relationships and real-world links between people, groups, websites, domains, networks, internet infrastructure, and more.
- What is the primary objective of using the 'dig' command in penetration testing?
- Enumerating directories on a web server
- Gathering DNS information about a domain
- Identifying live hosts in a network
- Analyzing packet captures
Correct answer: Gathering DNS information about a domain
Correct answer: Gathering DNS information about a domain. Explanation: The 'dig' (Domain Information Groper) command is used in penetration testing for querying DNS name servers. It is an effective tool for gathering DNS information about a domain, such as record information and DNS server responses.
- In penetration testing, what is the primary purpose of tools like theHarvester?
- Gathering email accounts, subdomains, hosts, and employee names from public sources
- Cracking encrypted network traffic
- Conducting brute-force attacks on web applications
- Scanning for open ports on a target system
Correct answer: Gathering email accounts, subdomains, hosts, and employee names from public sources
Correct answer: Gathering email accounts, subdomains, hosts, and employee names from public sources. Explanation: theHarvester is a tool used in penetration testing for gathering email accounts, subdomains, hosts, employee names, and more from different public sources (like search engines and PGP key servers). It's a passive reconnaissance tool useful for the initial stages of a penetration test.
- Which tool is essential for a penetration tester to perform a man-in-the-middle attack for analyzing and intercepting traffic between a web application and its users?
- Nmap
- Cain & Abel
- Aircrack-ng
- Metasploit
Correct answer: Cain & Abel
Correct answer: Cain & Abel. Explanation: Cain & Abel is a tool that can be used for carrying out man-in-the-middle attacks. It is effective for analyzing and intercepting traffic between a web application and its users, making it a valuable tool in certain penetration testing scenarios where traffic analysis is crucial.
- In penetration testing, what is the primary purpose of using the arp-scan tool?
- Identifying active devices on the local network segment
- Cracking passwords
- Analyzing encrypted network traffic
- Exploiting web application vulnerabilities
Correct answer: Identifying active devices on the local network segment
Correct answer: Identifying active devices on the local network segment. Explanation: The arp-scan tool is used in penetration testing for identifying active devices on the local network segment. It sends ARP (Address Resolution Protocol) requests to specified IP addresses and displays any responses, helping to map out local network devices.
- In penetration testing, which attack method involves intercepting and modifying communication between two parties without their knowledge?
- Phishing
- Man-in-the-Middle (MitM)
- Denial of Service (DoS)
- SQL Injection
Correct answer: Man-in-the-Middle (MitM)
Correct answer: Man-in-the-Middle (MitM). Explanation: Man-in-the-Middle (MitM) attacks involve the attacker secretly intercepting and possibly altering the communication between two parties who believe they are directly communicating with each other. This type of attack is used to steal data, eavesdrop, or sabotage communications.
- Which type of attack primarily targets web applications by injecting unauthorized SQL commands?
- Cross-Site Scripting (XSS)
- SQL Injection
- Buffer Overflow
- Cross-Site Request Forgery (CSRF)
Correct answer: SQL Injection
Correct answer: SQL Injection. Explanation: SQL Injection attacks target web applications by injecting malicious SQL commands into input fields. These attacks manipulate a site's database by executing unauthorized SQL commands, leading to data theft, corruption, or loss.
- In the context of penetration testing, what is a 'zero-day' exploit?
- An attack that targets system vulnerabilities on the day they are made public
- An exploit that crashes systems without leaving any trace
- An attack that is carried out on the same day a system is deployed
- An exploit for a vulnerability that is not yet known to the software vendor
Correct answer: An exploit for a vulnerability that is not yet known to the software vendor
Correct answer: An exploit for a vulnerability that is not yet known to the software vendor. Explanation: A 'zero-day' exploit refers to an attack that exploits a previously unknown vulnerability in software or hardware, meaning the vendor has had zero days to fix the issue. These vulnerabilities are particularly dangerous because there is no known defense against them when they are first exploited.
- Which technique is used in penetration testing to bypass security mechanisms by corrupting the memory of a program?
- SQL Injection
- Phishing
- Buffer Overflow
- Cross-Site Scripting (XSS)
Correct answer: Buffer Overflow
Correct answer: Buffer Overflow. Explanation: Buffer Overflow attacks occur when a program writes more data to a buffer than it can hold. This can corrupt or overwrite the adjacent memory space, leading to the execution of malicious code or crashing of the program. It's a common method used to bypass security mechanisms.
- What is the primary goal of a Cross-Site Request Forgery (CSRF) attack in web applications?
- To steal sensitive information from a user
- To inject malicious scripts into web pages viewed by other users
- To impersonate a user and perform actions on their behalf
- To overload a web server with excessive traffic
Correct answer: To impersonate a user and perform actions on their behalf
Correct answer: To impersonate a user and perform actions on their behalf. Explanation: CSRF attacks aim to trick a user into executing unwanted actions on a web application where they are authenticated. By exploiting the user's trust in the web application, an attacker can perform actions on behalf of the user without their knowledge.
- In penetration testing, what is the primary purpose of using a 'fuzzer'?
- To decrypt encrypted network traffic
- To automate the discovery of software vulnerabilities
- To generate and send spam emails
- To brute-force password authentication systems
Correct answer: To automate the discovery of software vulnerabilities
Correct answer: To automate the discovery of software vulnerabilities. Explanation: A 'fuzzer' is a tool used in penetration testing to automate the discovery of software vulnerabilities. It works by sending a large amount of random data ("fuzz") to a program in order to trigger and identify potential faults or security loopholes.
- Which attack vector is most commonly used to exploit vulnerabilities in software without user interaction?
- Drive-by download
- Phishing email
- Rogue access point
- Social engineering
Correct answer: Drive-by download
Correct answer: Drive-by download. Explanation: Drive-by download attacks exploit vulnerabilities in a user's browser or in browser plugins without any user interaction. They typically occur when a user visits a malicious website, leading to the automatic download and installation of malware.
- What is the main objective of a Distributed Denial of Service (DDoS) attack?
- To gain unauthorized access to sensitive data
- To corrupt data on the target server
- To disrupt normal service of a targeted server or network
- To inject malicious code into a website
Correct answer: To disrupt normal service of a targeted server or network
Correct answer: To disrupt normal service of a targeted server or network. Explanation: The primary objective of a DDoS attack is to disrupt the normal service of a targeted server or network by overwhelming it with a flood of internet traffic. This is done to make the server or network resources unavailable to its intended users.
- In the context of penetration testing, what is 'privilege escalation'?
- Gaining unauthorized access to restricted network segments
- Increasing an attacker's privileges on the system beyond what were originally granted
- Decrypting encrypted data without the key
- Extracting credentials from network traffic
Correct answer: Increasing an attacker's privileges on the system beyond what were originally granted
Correct answer: Increasing an attacker's privileges on the system beyond what were originally granted. Explanation: Privilege escalation in penetration testing refers to the process by which an attacker gains higher-level permissions on a system or network than what they were originally granted, often leading to unauthorized system access or control.
- What is the primary goal of 'pass-the-hash' attacks?
- Intercepting and using plain-text passwords
- Gaining unauthorized access by reusing user's hash credentials
- Cracking hashed passwords
- Capturing and replaying network traffic
Correct answer: Gaining unauthorized access by reusing user's hash credentials
Correct answer: Gaining unauthorized access by reusing user's hash credentials. Explanation: 'Pass-the-hash' attacks involve an attacker capturing account password hashes and reusing them to authenticate to other systems as the user, without the need to crack the hash and know the actual plaintext password.
- In penetration testing, which technique is used to identify and exploit vulnerabilities in web applications by automatically sending a large number of requests with varying payloads?
- Fuzzing
- Social engineering
- Port scanning
- Man-in-the-Middle attack
Correct answer: Fuzzing
Correct answer: Fuzzing. Explanation: Fuzzing is a technique used in penetration testing to identify security vulnerabilities in software by automatically sending a large number of requests with varying payloads to a web application. This method tests how the application handles unexpected or malformed data.
- What type of attack involves manipulating a user into executing unauthorized actions on a website they are currently authenticated to?
- SQL Injection
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Buffer Overflow
Correct answer: Cross-Site Request Forgery (CSRF)
Correct answer: Cross-Site Request Forgery (CSRF). Explanation: Cross-Site Request Forgery (CSRF) attacks involve tricking a user into executing actions on a website where they are already authenticated. The attack exploits the trust that a site has in the user's browser.
- In penetration testing, what does a 'payload' refer to?
- The part of a virus that performs a malicious action
- The data sent by a web application in response to a request
- The code used to exploit a vulnerability
- The data captured by network sniffing
Correct answer: The code used to exploit a vulnerability
Correct answer: The code used to exploit a vulnerability. Explanation: In the context of penetration testing, a 'payload' refers to the part of an exploit that performs the intended malicious action, such as opening a backdoor, executing code, or stealing data.
- Which attack exploits the trust that a user has for a particular certificate authority (CA)?
- A) Man-in-the-Middle attack
- Rogue CA attack
- Phishing attack
- Replay attack
Correct answer: Rogue CA attack
Correct answer: Rogue CA attack. Explanation: A Rogue CA attack involves the creation or compromise of a certificate authority (CA) to issue unauthorized digital certificates, exploiting the trust users and systems have in the CA to carry out attacks like impersonation or Man-in-the-Middle attacks.
- In penetration testing, what is the primary goal of a 'side-channel attack'?
- To exploit vulnerabilities in web applications
- To gain information from the physical implementation of a system
- To capture and replay network traffic
- To perform a brute-force attack on encrypted data
Correct answer: To gain information from the physical implementation of a system
Correct answer: To gain information from the physical implementation of a system. Explanation: Side-channel attacks in penetration testing aim to gain information from the physical implementation of a system, such as timing information, power consumption, electromagnetic leaks, or sound, to break cryptographic systems and gain access.
- Which penetration testing technique involves injecting malicious scripts into a web page viewed by other users?
- SQL Injection
- Cross-Site Scripting (XSS)
- Buffer Overflow
- CSRF
Correct answer: Cross-Site Scripting (XSS)
Correct answer: Cross-Site Scripting (XSS). Explanation: Cross-Site Scripting (XSS) attacks involve injecting malicious scripts into web pages that are viewed by other users. The attacker uses a web application to send malicious code, typically in the form of a browser side script, to a different end user.
- What kind of penetration testing attack is conducted against the hardware of a device, such as routers, switches, or servers?
- Network sniffing
- Social engineering
- Physical attack
- Software exploitation
Correct answer: Physical attack
Correct answer: Physical attack. Explanation: Physical attacks in penetration testing target the hardware of devices, such as routers, switches, or servers. These attacks might involve tampering, extraction of sensitive data, or physically damaging the hardware to compromise security.
- Which attack involves an unauthorized person gaining access to a network by using a legitimate user's credentials?
- Spoofing
- Eavesdropping
- Credential reuse
- Session hijacking
Correct answer: Credential reuse
Correct answer: Credential reuse. Explanation: Credential reuse attacks involve an attacker gaining access to a network or system by using legitimate credentials that have been obtained from another source, such as a previous data breach or through phishing.
- Which attack aims to make a network resource unavailable to its intended users by disrupting the services of a host connected to the Internet?
- Phishing attack
- Denial of Service (DoS) attack
- Man-in-the-Middle attack
- SQL Injection attack
Correct answer: Denial of Service (DoS) attack
Correct answer: Denial of Service (DoS) attack. Explanation: A Denial of Service (DoS) attack aims to make a network resource unavailable to its intended users by overwhelming the target with a flood of internet traffic, or by exploiting vulnerabilities that cause the service to crash, thus disrupting the services of a host connected to the Internet.
- What type of penetration testing technique involves the exploitation of vulnerabilities in communication protocols?
- Protocol poisoning
- Service enumeration
- Application layer attack
- Cryptographic attack
Correct answer: Protocol poisoning
Correct answer: Protocol poisoning. Explanation: Protocol poisoning involves exploiting vulnerabilities in communication protocols to disrupt or intercept network communication. This technique manipulates protocol processes like ARP or DNS to execute attacks like ARP spoofing or DNS poisoning.
- In penetration testing, what is the primary objective of 'war driving'?
- To test the strength of Wi-Fi network encryption
- To find unsecured wireless networks
- To intercept mobile communications
- To perform a physical security assessment
Correct answer: To find unsecured wireless networks
Correct answer: To find unsecured wireless networks. Explanation: 'War driving' in penetration testing is the practice of driving around in a vehicle to find unsecured wireless networks. It involves searching for Wi-Fi networks that can be exploited or used without authorization.
- What is the primary purpose of ARP spoofing in a network?
- To encrypt data packets
- To create a backdoor in a system
- To intercept and modify network traffic
- To overload a network with traffic
Correct answer: To intercept and modify network traffic
Correct answer: To intercept and modify network traffic. Explanation: ARP spoofing, also known as ARP poisoning, is a technique used to intercept and modify network traffic by sending false ARP messages over a local area network. This results in the linking of an attacker's MAC address with the IP address of a legitimate computer or server on the network.
- In the context of penetration testing, what is a 'rainbow table' used for?
- Decoding encrypted network traffic
- Cracking hashed passwords
- Mapping network topologies
- Identifying software vulnerabilities
Correct answer: Cracking hashed passwords
Correct answer: Cracking hashed passwords. Explanation: A 'rainbow table' is a precomputed table used for reversing cryptographic hash functions, primarily for cracking password hashes. It is used in penetration testing to identify passwords by comparing hashed values.
- Which tool is primarily used for automated vulnerability scanning in web applications?
- Metasploit
- Wireshark
- Burp Suite
- Nmap
Correct answer: Burp Suite
Correct answer: Burp Suite. Explanation: Burp Suite is widely used for automated vulnerability scanning in web applications. It provides a range of tools for testing web security, including automated scanner, intruder, repeater, and sequencer tools.
- What is the main purpose of the tool 'Sqlmap' in penetration testing?
- Network sniffing
- Detecting SQL injection vulnerabilities
- Password cracking
- Wireless network analysis
Correct answer: Detecting SQL injection vulnerabilities
Correct answer: Detecting SQL injection vulnerabilities. Explanation: Sqlmap is a penetration testing tool that automates the process of detecting and exploiting SQL injection flaws. It is specifically designed for SQL injection vulnerability scanning and database takeover.
- Which tool is best suited for performing a password cracking attack on a WPA2 wireless network?
- Aircrack-ng
- Cain & Abel
- John the Ripper
- Nessus
Correct answer: Aircrack-ng
Correct answer: Aircrack-ng. Explanation: Aircrack-ng is a set of tools for auditing wireless networks, including tools for password cracking of WPA and WPA2 networks. It is specifically designed for this purpose and is widely used in wireless penetration testing.
- In penetration testing, which tool is used for comprehensive network discovery and security auditing?
- Tcpdump
- Nmap
- OWASP ZAP
- Hydra
Correct answer: Nmap
Correct answer: Nmap. Explanation: Nmap (Network Mapper) is a powerful tool used for network discovery and security auditing. It is widely used in penetration testing for network mapping, identifying open ports, detecting services running on hosts, and other network-related information gathering.
- What is the primary use of the tool 'Nikto' in penetration testing?
- Brute-forcing network login credentials
- Web server vulnerability scanning
- Decrypting SSL traffic
- Analyzing packet captures
Correct answer: Web server vulnerability scanning
Correct answer: Web server vulnerability scanning. Explanation: Nikto is an open-source web server scanner that performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version-specific problems on over 270 servers.
- Which tool is primarily used for fuzzing in software testing to discover coding errors and security loopholes?
- Wireshark
- Metasploit
- Peach
- GDB
Correct answer: Peach
Correct answer: Peach. Explanation: Peach is a tool commonly used for fuzzing during software testing. Fuzzing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program to find coding errors and security loopholes.
- In the context of penetration testing, what is the main function of the 'BeEF' framework?
- Exploiting network vulnerabilities
- Browser exploitation
- Cracking encrypted files
- Social engineering attacks
Correct answer: Browser exploitation
Correct answer: Browser exploitation. Explanation: The Browser Exploitation Framework (BeEF) is a penetration testing tool focused specifically on the web browser. It is designed to assess the actual security posture of a target environment by using client-side attack vectors.
- Which tool is used for automated exploitation and payload delivery in penetration testing?
- OWASP ZAP
- Nessus
- Metasploit
- Snort
Correct answer: Metasploit
Correct answer: Metasploit. Explanation: Metasploit is widely used in penetration testing for automated exploitation and payload delivery. It is a powerful framework that allows testers to develop and execute exploit code against a remote target machine.
- What is the primary purpose of the tool 'Yersinia' in network protocol penetration testing?
- Sniffing network traffic
- Exploiting vulnerabilities in network protocols
- Wireless network cracking
- Performing network reconnaissance
Correct answer: Exploiting vulnerabilities in network protocols
Correct answer: Exploiting vulnerabilities in network protocols. Explanation: Yersinia is a network tool designed to take advantage of some weaknesses in different network protocols. It is primarily used for exploiting vulnerabilities in network protocols during penetration testing.
- Which tool is used for testing and exploiting web application Cross-Site Scripting (XSS) vulnerabilities?
- Burp Suite
- XSSer
- Nmap
- OpenVAS
Correct answer: XSSer
Correct answer: XSSer. Explanation: XSSer (Cross-Site Scripting) is a penetration testing framework used for testing and exploiting web application XSS vulnerabilities. It provides a variety of options to generate different types of XSS attack vectors and test their effectiveness.
- Which tool is best suited for conducting a Man-in-the-Middle (MitM) attack in a penetration testing scenario?
- Wireshark
- Ettercap
- Aircrack-ng
- Nessus
Correct answer: Ettercap
Correct answer: Ettercap. Explanation: Ettercap is a comprehensive suite for network attacks, including Man-in-the-Middle (MitM) attacks. It is capable of intercepting traffic on a network segment, capturing passwords, and conducting active eavesdropping against a variety of protocols.
- What is the primary function of the tool 'Gobuster' in penetration testing?
- Password cracking
- Directory and file enumeration in web servers
- Wireless network exploitation
- Network sniffing
Correct answer: Directory and file enumeration in web servers
Correct answer: Directory and file enumeration in web servers. Explanation: Gobuster is a tool used in penetration testing for brute-forcing URIs (directories and files) in web servers. It is designed to enumerate hidden directories and files that are not listed in the web server's directory listing.
- Which tool is primarily used for sniffing and analyzing HTTP/HTTPS traffic in a penetration testing exercise?
- Nmap
- Burp Suite
- Wireshark
- Tcpdump
Correct answer: Wireshark
Correct answer: Wireshark. Explanation: Wireshark is a network protocol analyzer that allows users to capture and interactively browse the traffic running on a computer network. It is particularly effective for sniffing and analyzing HTTP/HTTPS traffic during penetration tests.
- In penetration testing, which tool is used for exploiting vulnerabilities in VoIP (Voice over IP) systems?
- Cain & Abel
- SIPVicious
- Hydra
- Metasploit
Correct answer: SIPVicious
Correct answer: SIPVicious. Explanation: SIPVicious is a suite of tools that can be used to audit SIP-based VoIP systems. It is specifically designed for penetration testing of VoIP infrastructures and is effective in exploiting vulnerabilities in these systems.
- What is the main use of the 'Hashcat' tool in penetration testing?
- Decrypting SSL traffic
- Password recovery and cracking
- Web application scanning
- Network protocol analysis
Correct answer: Password recovery and cracking
Correct answer: Password recovery and cracking. Explanation: Hashcat is a robust password recovery tool that uses GPU power to crack encrypted passwords by trying multiple combinations (brute-force attack) and applying different hash algorithms. It is widely used in penetration testing for password cracking.
- Which tool is used for automated SSL/TLS security testing and identifying vulnerabilities like Heartbleed and POODLE in a target system?
Correct answer: SSLyze
Correct answer: SSLyze. Explanation: SSLyze is a Python tool that can analyze the SSL/TLS configuration of a server by connecting to it. It is used for automated SSL/TLS security testing and is capable of identifying vulnerabilities like Heartbleed and POODLE.
- In penetration testing, what is the primary function of the tool 'Mimikatz'?
- Network traffic analysis
- Extracting plaintext passwords, hash, PIN code, and Kerberos tickets from memory
- Directory enumeration
- Firewall penetration
Correct answer: Extracting plaintext passwords, hash, PIN code, and Kerberos tickets from memory
Correct answer: Extracting plaintext passwords, hash, PIN code, and Kerberos tickets from memory. Explanation: Mimikatz is a tool that is used to gather credential data from Windows systems. It can extract plaintext passwords, hashes, PIN codes, and Kerberos tickets from memory, making it a powerful tool in post-exploitation stages of penetration testing.
- Which tool is specifically designed for testing the security of wireless networks?
- Airgeddon
- Nmap
- Nessus
- John the Ripper
Correct answer: Airgeddon
Correct answer: Airgeddon. Explanation: Airgeddon is a multi-use bash script for Linux systems to audit wireless networks. It covers the whole process from network discovery to the injection and cracking of wireless networks, making it a specific tool for wireless security testing.
- What is the primary use of the 'sqlninja' tool in penetration testing?
- Performing network reconnaissance
- Exploiting SQL injection vulnerabilities in Microsoft SQL Server
- Analyzing packet captures
- Brute-forcing SSH logins
Correct answer: Exploiting SQL injection vulnerabilities in Microsoft SQL Server
Correct answer: Exploiting SQL injection vulnerabilities in Microsoft SQL Server. Explanation: Sqlninja is a tool targeted to exploit SQL injection vulnerabilities on a web application that uses Microsoft SQL Server as its backend. It focuses on getting a foothold on the database server when an SQL injection vulnerability is found.
- In penetration testing, which tool is best suited for capturing and analyzing Bluetooth communication?
- Ubertooth
- Kismet
- Airodump-ng
- Wireshark
Correct answer: Ubertooth
Correct answer: Ubertooth. Explanation: Ubertooth is an open-source Bluetooth monitoring and development platform that is suitable for capturing and analyzing Bluetooth communication. It is used in penetration testing for assessing the security of Bluetooth networks and devices.
- In penetration testing reports, what is the primary purpose of an executive summary?
- To provide technical details of vulnerabilities
- To outline the penetration testing methodologies used
- To offer a high-level overview of risks and impacts for management
- To list all the tools used during the test
Correct answer: To offer a high-level overview of risks and impacts for management
Correct answer: To offer a high-level overview of risks and impacts for management. Explanation: The executive summary in penetration testing reports is designed to provide management with a high-level overview of the test's findings, focusing on risks, impacts, and the urgency of addressing identified vulnerabilities, without delving into technical details.
- When communicating penetration testing results, which factor is most important for ensuring that the findings are actionable?
- Using technical jargon to describe vulnerabilities
- Providing clear and concise remediation steps
- Including detailed packet captures for each finding
- Presenting the number of vulnerabilities found
Correct answer: Providing clear and concise remediation steps
Correct answer: Providing clear and concise remediation steps. Explanation: For penetration testing results to be actionable, it is crucial to provide clear and concise remediation steps. This ensures that the organization can understand and effectively address each identified vulnerability.
- Which element is essential to include in a penetration testing report to aid in prioritizing remediation efforts?
- The pentester's personal recommendations
- A risk rating for each identified vulnerability
- The total number of vulnerabilities found
- The software version of the testing tools
Correct answer: A risk rating for each identified vulnerability
Correct answer: A risk rating for each identified vulnerability. Explanation: Including a risk rating for each identified vulnerability in a penetration testing report is essential for helping the organization prioritize remediation efforts. The risk rating assesses the potential impact and likelihood of each vulnerability, guiding effective resource allocation.
- In the context of penetration testing, what is the primary purpose of a post-engagement cleanup report?
- To document the tools and methods used during the test
- To outline the skills and qualifications of the pentesting team
- To confirm that all artifacts of the test have been removed from the system
- To provide a timeline of the testing activities
Correct answer: To confirm that all artifacts of the test have been removed from the system
Correct answer: To confirm that all artifacts of the test have been removed from the system. Explanation: A post-engagement cleanup report is critical to confirm that all artifacts, such as tools, scripts, and data generated during the penetration test, have been properly removed from the client's systems, ensuring no residual risk.
- What is the most appropriate action when a penetration tester discovers sensitive data, such as personally identifiable information (PII), during a test?
- Immediately report the finding to the client
- Store the data for proof in the final report
- Analyze the data to find more vulnerabilities
- Ignore the data as it is out of scope
Correct answer: Immediately report the finding to the client
Correct answer: Immediately report the finding to the client. Explanation: If a penetration tester discovers sensitive data like PII, it should be immediately reported to the client. This ensures that the client is aware of the data exposure risk and can take prompt actions to secure it.
- Which of the following best describes the purpose of including threat modeling in a penetration testing report?
- To provide an in-depth technical analysis of each tool used
- To outline potential future threats based on current findings
- To offer a historical perspective of the organization's security
- To list the credentials of the penetration testing team
Correct answer: To outline potential future threats based on current findings
Correct answer: To outline potential future threats based on current findings. Explanation: Including threat modeling in a penetration testing report aims to outline potential future threats and attack vectors based on the current findings. It helps the organization understand and prepare for potential future security challenges.
- What is the primary reason for including both false positives and false negatives in a penetration testing report?
- To demonstrate the thoroughness of the testing process
- To provide a comprehensive list of all tested vulnerabilities
- To highlight the limitations of the testing tools and techniques
- To comply with legal and regulatory requirements
Correct answer: To highlight the limitations of the testing tools and techniques
Correct answer: To highlight the limitations of the testing tools and techniques. Explanation: Including both false positives and false negatives in a penetration testing report highlights the limitations of the testing tools and techniques. This transparency helps the client understand the effectiveness and boundaries of the test.
- Why is it important to include a methodology section in a penetration testing report?
- To ensure the report is lengthy and detailed
- To provide the client with a list of vulnerabilities to fix
- To detail the step-by-step actions taken during the test
- To document the ethical considerations adhered to
Correct answer: To detail the step-by-step actions taken during the test
Correct answer: To detail the step-by-step actions taken during the test. Explanation: The methodology section in a penetration testing report is important to detail the specific actions, tools, and techniques used during the test. This helps the client understand the scope and depth of the testing, as well as reproduce the findings if needed.
- When a penetration tester finds a previously unknown vulnerability, what is the best practice for reporting it?
- Publicly disclose it immediately for awareness
- Include it in the report without notifying the vendor
- Follow responsible disclosure guidelines
- Use it as leverage for future engagement
Correct answer: Follow responsible disclosure guidelines
Correct answer: Follow responsible disclosure guidelines. Explanation: When a previously unknown vulnerability is found, the best practice is to follow responsible disclosure guidelines. This involves privately notifying the vendor and giving them time to patch the issue before making it public, balancing transparency and security.
- What is a key element to include in a penetration testing report to facilitate effective communication with non-technical stakeholders?
- Complex technical jargon
- Detailed code snippets
- Graphs and visual aids
- Extensive logs of all activities
Correct answer: Graphs and visual aids
Correct answer: Graphs and visual aids. Explanation: Including graphs and visual aids in a penetration testing report is key for effectively communicating with non-technical stakeholders. These elements help to convey complex information in an accessible and understandable manner.
- What is the primary purpose of including risk impact assessments in a penetration testing report?
- To detail the penetration tester's qualifications
- To provide a cost analysis of the testing tools used
- To outline the potential consequences of each vulnerability
- To list all the software and hardware used in the test
Correct answer: To outline the potential consequences of each vulnerability
Correct answer: To outline the potential consequences of each vulnerability. Explanation: Including risk impact assessments in a penetration testing report is essential for outlining the potential consequences of each identified vulnerability. This helps in understanding the severity and potential business impact, aiding in prioritization and decision-making.
- In penetration testing, why is it important to communicate interim findings to the client?
- To demonstrate continuous progress
- To adjust the scope of the test in real-time
- To immediately address critical vulnerabilities
- To ensure compliance with regulatory standards
Correct answer: To immediately address critical vulnerabilities
Correct answer: To immediately address critical vulnerabilities. Explanation: Communicating interim findings, especially critical vulnerabilities, to the client during a penetration test is important for immediate attention and remediation. This helps in minimizing potential risks as soon as they are discovered.
- What is the most effective way to present complex technical vulnerabilities to a non-technical audience in a penetration test report?
- Using detailed technical terminology
- Providing high-level summaries and analogies
- Focusing solely on the technical aspects
- Including only the most severe vulnerabilities
Correct answer: Providing high-level summaries and analogies
Correct answer: Providing high-level summaries and analogies. Explanation: For a non-technical audience, presenting complex technical vulnerabilities in high-level summaries and using analogies makes the information more accessible and understandable, ensuring effective communication of the risks and necessary actions.
- Why is it important to include mitigation strategies for each vulnerability in a penetration test report?
- To provide a historical overview of the vulnerabilities
- To guide the client in proper remediation efforts
- To showcase the depth of the penetration tester's knowledge
- To comply with international testing standards
Correct answer: To guide the client in proper remediation efforts
Correct answer: To guide the client in proper remediation efforts. Explanation: Including mitigation strategies for each identified vulnerability in a penetration test report is crucial to guide the client in proper remediation efforts. It provides actionable steps to address and reduce the risks associated with each vulnerability.
- In a penetration testing report, what is the significance of categorizing vulnerabilities by exploitability?
- To prioritize vulnerabilities based on ease of exploitation
- To comply with legal documentation requirements
- To highlight the technical skills of the testing team
- To focus on low-risk vulnerabilities
Correct answer: To prioritize vulnerabilities based on ease of exploitation
Correct answer: To prioritize vulnerabilities based on ease of exploitation. Explanation: Categorizing vulnerabilities by exploitability in a penetration testing report is significant for prioritizing them based on how easily they can be exploited. This helps the client understand which vulnerabilities pose the most immediate risk and should be addressed first.
- How should a penetration tester handle the discovery of illegal content during a test?
- Ignore it and focus on the test objectives
- Document it in the report for legal reasons
- Immediately stop testing and notify the appropriate authorities
- Delete the content to protect the client
Correct answer: Immediately stop testing and notify the appropriate authorities
Correct answer: Immediately stop testing and notify the appropriate authorities. Explanation: Upon discovering illegal content during a penetration test, the tester should immediately stop the test and notify the appropriate authorities. Handling such situations legally and ethically is crucial.
- What is a key reason for including both qualitative and quantitative data in a penetration testing report?
- To increase the report's length and detail
- To provide a balanced view of the security posture
- To focus on the most technical aspects of the test
- To comply with industry-specific regulations
Correct answer: To provide a balanced view of the security posture
Correct answer: To provide a balanced view of the security posture. Explanation: Including both qualitative and quantitative data in a penetration testing report provides a balanced and comprehensive view of the organization's security posture, offering insights into the severity, impact, and likelihood of identified vulnerabilities.
- In the context of penetration testing, what is the primary purpose of a root cause analysis?
- To identify the underlying reasons for vulnerabilities
- To determine the cost of the testing tools used
- To document every step taken during the test
- To provide a list of all discovered vulnerabilities
Correct answer: To identify the underlying reasons for vulnerabilities
Correct answer: To identify the underlying reasons for vulnerabilities. Explanation: Root cause analysis in penetration testing is essential to identify the underlying reasons and contributing factors for vulnerabilities. Understanding the root cause helps in implementing more effective and long-term remediation strategies.
- When a penetration test uncovers a vulnerability in third-party software, what is the best practice for reporting this finding?
- Publicly disclose the vulnerability immediately
- Include the details in the report to the client only
- Notify the third-party vendor for responsible disclosure
- Use the vulnerability as a bargaining tool with the vendor
Correct answer: Notify the third-party vendor for responsible disclosure
Correct answer: Notify the third-party vendor for responsible disclosure. Explanation: When a vulnerability is found in third-party software, the best practice is to notify the vendor for responsible disclosure. This allows the vendor to develop and release a patch or solution before the vulnerability is made public, reducing the risk of exploitation.
- What is the importance of including a revision history in a penetration testing report?
- To track changes and updates made to the report
- To display the report's compliance with regulatory standards
- To list the qualifications of the penetration testers
- To show the chronological order of vulnerabilities found
Correct answer: To track changes and updates made to the report
Correct answer: To track changes and updates made to the report. Explanation: Including a revision history in a penetration testing report is important to track any changes, updates, or revisions made to the report. This ensures transparency and maintains the integrity of the information presented.
- After gaining a foothold, a penetration tester creates a Windows scheduled task that launches a payload at logon. What post-exploitation objective does this support?
- Reconnaissance
- Persistence
- Scope definition
- Passive information gathering
Correct answer: Persistence
Correct answer: Persistence. Explanation: Persistence ensures continued access to a compromised host even after reboots or disconnections. Scheduled tasks (and cron jobs on Linux) are classic persistence mechanisms because they re-launch a payload automatically at a defined time or event.
- Which of the following is a Linux persistence mechanism analogous to a Windows scheduled task?
- A cron job
- An RDP session
- A SYN scan
- A captive portal
Correct answer: A cron job
Correct answer: A cron job. Explanation: Cron jobs schedule commands to run at defined intervals on Linux/Unix systems. A tester can add a cron entry to periodically re-establish a reverse shell, making it a common persistence technique equivalent to Windows scheduled tasks.
- A tester adds a new local administrator account on a compromised server to maintain future access. This is BEST categorized as which post-exploitation activity?
- Pivoting
- Establishing persistence
- Covering tracks
- Exfiltration
Correct answer: Establishing persistence
Correct answer: Establishing persistence. Explanation: Adding a new account (or obtaining valid account credentials) gives the tester a durable way back into the system, which is a persistence technique. Note that such changes should be documented and removed during cleanup and restoration.
- On a Linux host, a tester finds a binary owned by root with the SUID bit set that can be abused to run commands as root. Which post-exploitation goal does exploiting it achieve?
- Privilege escalation
- Data exfiltration
- Passive reconnaissance
- Covering tracks
Correct answer: Privilege escalation
Correct answer: Privilege escalation. Explanation: A misconfigured SUID binary executes with the file owner's privileges (root). Abusing it lets a low-privileged user run commands as root, achieving privilege escalation. SUID misconfigurations and overly permissive sudo rules are common Linux escalation paths.
- On Windows, which tool is most commonly used to dump credentials and extract NTLM hashes or plaintext passwords from the LSASS process?
- Nmap
- Mimikatz
- Wireshark
- Gobuster
Correct answer: Mimikatz
Correct answer: Mimikatz. Explanation: Mimikatz extracts credentials, NTLM hashes, and Kerberos tickets from the Local Security Authority Subsystem Service (LSASS) memory. Harvested credentials then enable lateral movement techniques such as pass-the-hash or pass-the-ticket.
- A tester uses a captured NTLM hash to authenticate to other systems without ever cracking the plaintext password. What technique is this?
- Pass-the-hash
- SQL injection
- ARP spoofing
- DNS poisoning
Correct answer: Pass-the-hash
Correct answer: Pass-the-hash. Explanation: In a pass-the-hash attack, the NTLM hash is used directly for authentication, since Windows NTLM accepts the hash as proof of identity. This enables lateral movement across systems that share the same credentials without needing the cleartext password.
- Which tool lets a tester execute commands on a remote Windows host over SMB using legitimate administrative protocols, making it a popular lateral-movement utility?
- Aircrack-ng
- PsExec
- TheHarvester
- Shodan
Correct answer: PsExec
Correct answer: PsExec. Explanation: PsExec (and equivalents like Impacket's psexec/wmiexec) executes commands on remote Windows systems over SMB. Because it uses built-in administrative functionality, it is widely used for lateral movement after valid credentials or hashes are obtained.
- A tester wants to run commands on a remote Windows machine using WMI rather than dropping a service binary, for a stealthier approach. Which protocol/mechanism is being leveraged?
- Windows Management Instrumentation (WMI)
- Simple Mail Transfer Protocol (SMTP)
- Border Gateway Protocol (BGP)
- File Transfer Protocol (FTP)
Correct answer: Windows Management Instrumentation (WMI)
Correct answer: Windows Management Instrumentation (WMI). Explanation: WMI enables remote management and command execution on Windows without installing a service, which can be stealthier than PsExec. Tools like Impacket's wmiexec leverage WMI (and WinRM is a related remote-management option) for lateral movement.
- A tester compromises a dual-homed host and uses it to reach an internal subnet that is not directly accessible from the attacker's machine. This technique is called:
- Pivoting
- Banner grabbing
- Fuzzing
- Wardriving
Correct answer: Pivoting
Correct answer: Pivoting. Explanation: Pivoting uses a compromised system as a relay to reach networks the attacker cannot access directly. A multihomed (dual-homed) host bridging two segments is an ideal pivot point to extend access deeper into the environment.
- Which tool is commonly used to route a tester's traffic through a chain of proxies or a compromised host to reach otherwise unreachable internal hosts?
- Proxychains
- Nikto
- John the Ripper
- Maltego
Correct answer: Proxychains
Correct answer: Proxychains. Explanation: Proxychains forces an application's TCP traffic through a proxy (often a SOCKS proxy created via an SSH tunnel or a C2 pivot). Combined with tools like sshuttle or SSH port forwarding, it enables tunneling into internal networks during pivoting.
- A tester sets up 'ssh -D 1080 user@pivot' to create a SOCKS proxy through a compromised jump host. What is the purpose of this command?
- To crack password hashes
- To create a dynamic tunnel (SSH tunneling) for pivoting into the internal network
- To perform a deauthentication attack
- To exfiltrate data over DNS
Correct answer: To create a dynamic tunnel (SSH tunneling) for pivoting into the internal network
Correct answer: To create a dynamic tunnel (SSH tunneling) for pivoting into the internal network. Explanation: 'ssh -D' establishes dynamic SOCKS proxying, a form of SSH tunneling. Tools configured to use the SOCKS proxy can then reach hosts that are only routable from the pivot, enabling lateral movement without additional implants.
- Which of the following is a command-and-control (C2) framework a tester might use to manage compromised hosts during post-exploitation?
- Metasploit
- Wireshark
- Nessus
- Dig
Correct answer: Metasploit
Correct answer: Metasploit. Explanation: C2 frameworks such as Metasploit, Cobalt Strike, Covenant, Sliver, and Empire manage implants/agents on compromised hosts, providing tasking, lateral movement, and post-exploitation capabilities. They give the tester centralized control over the engagement footprint.
- A tester encodes stolen data inside DNS queries to slip it past egress filtering. This is an example of:
- A covert channel for exfiltration
- Privilege escalation
- Service enumeration
- Bind shell creation
Correct answer: A covert channel for exfiltration
Correct answer: A covert channel for exfiltration. Explanation: Exfiltration over a covert channel hides data in protocols that are normally allowed outbound, such as DNS, ICMP, or HTTPS. DNS tunneling is a classic covert channel because DNS is rarely blocked, letting data leave despite egress controls.
- Which technique hides data within another file (such as embedding it in an image) to avoid detection during exfiltration?
- Steganography
- Password spraying
- VLAN hopping
- Kerberoasting
Correct answer: Steganography
Correct answer: Steganography. Explanation: Steganography conceals data inside another medium, such as hiding payloads or stolen data within image, audio, or document files. It is listed as a staging/exfiltration covert-channel concept because the hidden data is not obvious to inspection.
- Before exfiltrating a large dataset, a tester compresses and encrypts it. What is the primary benefit of this staging step?
- It increases the file size to trigger alerts
- It reduces transfer size and conceals the contents during exfiltration
- It escalates privileges on the host
- It removes the need for a C2 channel
Correct answer: It reduces transfer size and conceals the contents during exfiltration
Correct answer: It reduces transfer size and conceals the contents during exfiltration. Explanation: File encryption and compression are staging activities that make exfiltration more efficient and harder to inspect. Compression shrinks the volume of data to move, while encryption hides its contents from data-loss-prevention tools and network monitoring.
- At the end of an engagement, which cleanup and restoration activity should the penetration tester perform?
- Leave all backdoors in place for the client to find
- Remove persistence mechanisms, tester-created accounts, and tools, and revert configuration changes
- Permanently delete the client's production data
- Escalate privileges on additional systems
Correct answer: Remove persistence mechanisms, tester-created accounts, and tools, and revert configuration changes
Correct answer: Remove persistence mechanisms, tester-created accounts, and tools, and revert configuration changes. Explanation: Cleanup and restoration returns systems to their pre-test state: removing persistence mechanisms, deleting tester-created credentials, removing tools, reverting configuration changes, and preserving artifacts/evidence. This prevents the tester's changes from becoming a real-world risk.
- During an authorized internal engagement, a tester wants to capture NTLMv2 hashes by answering broadcast name-resolution requests that Windows hosts send when DNS lookups fail. Which protocol weakness does this technique abuse?
- TLS certificate pinning failures on internal web servers
- LLMNR and NBT-NS responding to unauthenticated multicast/broadcast name queries
- SNMP community strings transmitted in cleartext
- DHCP starvation exhausting the address pool
Correct answer: LLMNR and NBT-NS responding to unauthenticated multicast/broadcast name queries
The technique abuses LLMNR and NBT-NS responding to unauthenticated multicast/broadcast name queries. When a Windows host cannot resolve a name through DNS it falls back to LLMNR and NBT-NS, broadcasting the query to the local segment, and because no responder is authenticated an attacker can reply, causing the victim to send NTLMv2 authentication material. TLS pinning, DHCP starvation, and SNMP cleartext are unrelated to fallback name resolution.
- A penetration tester runs Responder on an authorized internal network and immediately begins receiving NTLMv2 hashes from workstations. What is the primary function of the Responder tool in this scenario?
- It scans for open ports across the subnet
- It decrypts captured TLS sessions in real time
- It brute-forces RDP logins against the domain controller
- It poisons LLMNR, NBT-NS, and mDNS responses to capture authentication material
Correct answer: It poisons LLMNR, NBT-NS, and mDNS responses to capture authentication material
Responder poisons LLMNR, NBT-NS, and mDNS responses to capture authentication material. It listens for broadcast name-resolution requests and answers them with the attacker's address, so victim systems attempt to authenticate and disclose NTLMv2 hashes that can be cracked offline or relayed. Responder is not a port scanner, RDP brute-forcer, or TLS decryptor.
- After capturing NTLMv2 hashes that resist cracking, a tester wants to forward the authentication to another host to gain access without ever recovering the plaintext password. Which technique accomplishes this?
- Golden ticket forgery
- Pass-the-hash brute force against the DC
- SMB relay using a tool such as ntlmrelayx
- Kerberoasting
Correct answer: SMB relay using a tool such as ntlmrelayx
SMB relay using a tool such as ntlmrelayx accomplishes this. The captured authentication is relayed in real time to a target host that lacks SMB signing, authenticating the attacker as the victim without cracking the hash. Kerberoasting targets service-account TGS tickets, and golden tickets require the krbtgt hash, so neither matches this relay scenario.
- A tester needs to generate a standalone Windows executable that, when run, connects back to the tester's listener. Which Metasploit Framework utility is purpose-built to create such payloads in various output formats?
- Msfconsole
- Msfdb
- Searchsploit
- Msfvenom
Correct answer: Msfvenom
msfvenom is the utility purpose-built to create payloads in various output formats. It combines payload generation and encoding to produce executables, scripts, or shellcode (for example a Windows EXE that connects back to a handler). msfconsole is the interactive console, searchsploit queries the Exploit-DB archive, and msfdb manages the Metasploit database.
- In Metasploit, what does the term payload most accurately describe?
- The scanner module that fingerprints a target's operating system
- The encoder used to evade antivirus signatures
- The network listener that waits for incoming connections
- The code that runs on the target after a vulnerability is successfully exploited
Correct answer: The code that runs on the target after a vulnerability is successfully exploited
A payload is the code that runs on the target after a vulnerability is successfully exploited. The exploit delivers control, and the payload then performs the attacker's intended action such as opening a shell or running Meterpreter. Encoders only obfuscate the payload, scanners are auxiliary modules, and the listener (handler) is separate from the payload itself.
- A tester generates a payload that opens a listening port on the compromised host and waits for the tester to connect inbound. What type of shell is this?
- A spawned TTY shell
- A web shell
- A reverse shell
- A bind shell
Correct answer: A bind shell
This is a bind shell, because it binds to and listens on a port on the target while the attacker initiates the inbound connection. The drawback is that ingress firewall rules commonly block inbound connections to the victim. A reverse shell instead has the target connect outbound to the attacker, which often bypasses such filtering.
- Why do penetration testers frequently prefer a reverse shell over a bind shell when targeting a host behind a restrictive firewall?
- Reverse shells encrypt traffic automatically while bind shells do not
- Reverse shells require no payload, only an exploit
- The target initiates an outbound connection, which is more likely to pass egress filtering
- Bind shells cannot run on Windows systems
Correct answer: The target initiates an outbound connection, which is more likely to pass egress filtering
With a reverse shell the target initiates an outbound connection, which is more likely to pass egress filtering, because firewalls usually permit outbound traffic on common ports while blocking unsolicited inbound connections that a bind shell requires. Reverse shells are not inherently encrypted, do still need a payload, and bind shells run on Windows as well, so those options are incorrect.
- A tester is choosing between a staged and a stageless Metasploit payload for a low-bandwidth, signature-restricted environment. Which statement about staged payloads is correct?
- Staged payloads cannot be used with Meterpreter
- A staged payload delivers a small stager first that then pulls the rest of the payload from the attacker
- Staged payloads embed the entire payload at once and need no handler
- Stageless payloads are denoted with a slash and staged with an underscore
Correct answer: A staged payload delivers a small stager first that then pulls the rest of the payload from the attacker
A staged payload delivers a small stager first that then pulls the rest of the payload from the attacker, which keeps the initial footprint tiny and useful when shellcode space is limited. Metasploit denotes staged payloads with a slash (windows/meterpreter/reverse_tcp) and stageless with an underscore, and Meterpreter is commonly delivered staged, so the other statements are wrong.
- A tester poisons the ARP cache of a target host and the gateway so that traffic between them flows through the tester's machine. What category of attack is this, and what is its immediate effect?
- A SYN flood that exhausts the target's connection table
- An on-path (man-in-the-middle) attack that lets the tester intercept and modify traffic
- A DNS amplification attack that floods the gateway
- A VLAN hopping attack that crosses broadcast domains
Correct answer: An on-path (man-in-the-middle) attack that lets the tester intercept and modify traffic
This is an on-path (man-in-the-middle) attack that lets the tester intercept and modify traffic. ARP poisoning sends forged ARP replies binding the attacker's MAC to the IP of the victim and gateway, redirecting their traffic through the attacker. It is not a flood, an amplification attack, or VLAN hopping, which work by different mechanisms.
- On a Layer 2 segment, a tester sends crafted replies that associate the tester's MAC address with the default gateway's IP so victim hosts forward their traffic to the tester. Which attack is being performed?
- DHCP snooping
- MAC flooding
- ARP poisoning (ARP spoofing)
- Smurf attack
Correct answer: ARP poisoning (ARP spoofing)
ARP poisoning (ARP spoofing) is being performed. Because ARP has no authentication, forged ARP replies overwrite the victim's cache, mapping the gateway IP to the attacker's MAC and redirecting traffic. MAC flooding overwhelms a switch's CAM table, DHCP snooping is a defensive feature, and a Smurf attack is an ICMP amplification flood.
- A tester wants to redirect victims to an attacker-controlled server by supplying forged name-to-IP mappings during resolution. Which attack describes this manipulation of name resolution?
- ARP starvation
- DNS spoofing (DNS cache poisoning)
- Port mirroring
- TCP session teardown
Correct answer: DNS spoofing (DNS cache poisoning)
This is DNS spoofing (DNS cache poisoning), which supplies forged name-to-IP mappings so the victim resolves a hostname to an attacker-controlled address. It can be achieved by poisoning a resolver's cache or by answering queries from an on-path position. ARP starvation, port mirroring, and TCP teardown do not redirect name resolution.
- What term does the current PenTest+ objectives use to describe attacks where the tester positions themselves between two communicating systems to intercept or alter traffic?
- Off-path attack
- On-path attack
- Pass-back attack
- Out-of-band attack
Correct answer: On-path attack
The objectives use the term on-path attack to describe positioning between two communicating systems to intercept or alter traffic; it is the modern label for what was historically called man-in-the-middle. An off-path attacker cannot see the traffic directly, and out-of-band and pass-back refer to unrelated techniques.
- A web application passes a user-supplied filename directly into a shell command. By appending a semicolon and an additional OS command, the tester causes the server to run their command. Which vulnerability class is this?
- SQL injection
- Cross-site scripting
- Command injection
- Insecure deserialization
Correct answer: Command injection
This is command injection, where unsanitized input is concatenated into an OS-level command so the attacker's appended command (for example, separated by a semicolon) executes on the host. It differs from SQL injection, which targets database queries, and from XSS, which runs script in a victim's browser rather than commands on the server.
- A tester manipulates a file parameter using sequences such as ../../ to read files outside the web root, retrieving /etc/passwd. Which vulnerability is being exploited?
- Open redirect
- Server-side request forgery
- Local privilege escalation
- Directory (path) traversal
Correct answer: Directory (path) traversal
This is directory (path) traversal, in which dot-dot-slash sequences or absolute paths manipulate a file reference to escape the intended directory and read arbitrary files like /etc/passwd. SSRF targets internal services via crafted requests, an open redirect bounces users to external URLs, and privilege escalation raises account rights, none of which describe traversing the filesystem path.
- During testing of a login form, the tester submits a value that closes the intended SQL string and appends OR 1=1, returning all rows. What is the most reliable code-level defense the tester should recommend?
- Hiding database error messages from users
- Renaming the database tables to obscure their purpose
- Increasing the password complexity policy
- Using parameterized queries (prepared statements) with bound parameters
Correct answer: Using parameterized queries (prepared statements) with bound parameters
The most reliable defense is using parameterized queries (prepared statements) with bound parameters, which separate code from data so user input is treated only as a value and can never alter the query structure. Hiding errors and renaming tables are obscurity measures that do not stop injection, and password policy is unrelated to query construction.
- A tester injects a script payload into a comment field; when other users view the page, the script runs in their browsers and steals session cookies. Which attack is demonstrated?
- Cross-site script inclusion
- Stored cross-site scripting
- Clickjacking
- Cross-site request forgery
Correct answer: Stored cross-site scripting
This is stored cross-site scripting, because the malicious script is persisted on the server (in the comment) and then executed in the browser of every user who views the page, allowing cookie or session theft. CSRF forces actions using an existing session without injecting script, and clickjacking overlays hidden UI rather than running attacker script.
- A tester wants to capture and manipulate HTTP requests between a browser and a web application, then resend modified requests to probe for flaws. Which tool is designed for this web application proxy workflow?
- Nmap
- Wireshark
- Hydra
- Burp Suite
Correct answer: Burp Suite
Burp Suite is designed for this workflow; it acts as an intercepting proxy so a tester can view, modify, and replay HTTP requests using features like Proxy, Repeater, and Intruder to test web application security. Wireshark passively captures packets but does not act as an interactive web proxy, Nmap maps networks, and Hydra brute-forces credentials.
- Which description best captures what the Metasploit Framework is primarily used for during an engagement?
- A directory-busting tool for enumerating web paths
- An exploitation framework for selecting exploits, configuring payloads, and running them against targets
- A wireless cracking suite for WPA2 handshakes
- A protocol analyzer for inspecting captured packets
Correct answer: An exploitation framework for selecting exploits, configuring payloads, and running them against targets
Metasploit is primarily an exploitation framework for selecting exploits, configuring payloads, and running them against targets, also providing post-exploitation modules and a handler for catching shells. Packet analysis is Wireshark's role, WPA2 cracking is Aircrack-ng's, and directory busting is handled by tools like Gobuster.
- A tester captured a set of password hashes and wants to recover plaintext passwords using GPU-accelerated cracking with multiple attack modes. Which tool is built for this?
- Ettercap
- Responder
- Hashcat
- TheHarvester
Correct answer: Hashcat
Hashcat is built for this; it is a high-speed, GPU-accelerated password recovery tool that supports many hash types and attack modes such as dictionary, mask, and combinator. Responder captures hashes but does not crack them, Ettercap performs on-path attacks, and theHarvester is an OSINT collection tool.
- In a dictionary-based password cracking attack, what role does a wordlist play?
- It records previously cracked passwords for reporting
- It defines the character set used to brute force every combination
- It stores precomputed hash-to-plaintext mappings for instant lookups
- It supplies the list of candidate passwords that the cracker hashes and compares to the target hash
Correct answer: It supplies the list of candidate passwords that the cracker hashes and compares to the target hash
A wordlist supplies the list of candidate passwords that the cracker hashes and compares to the target hash. Each entry is hashed with the same algorithm and matched against the captured hash. Precomputed hash-to-plaintext mappings describe rainbow tables, and a defined character set for trying all combinations describes a pure brute-force or mask attack, not a wordlist.
- A tester uses a precomputed table that maps hash values directly to their corresponding plaintext passwords to crack unsalted hashes quickly. What is this resource called, and what defeats it?
- A hash collision; longer keys defeat it
- A wordlist; rate limiting defeats it
- A rainbow table; per-password salting defeats it
- A keyspace; encryption defeats it
Correct answer: A rainbow table; per-password salting defeats it
This is a rainbow table; per-password salting defeats it. A rainbow table is a large precomputed lookup of hash-to-plaintext values that trades disk space for speed, but adding a unique random salt to each password means the precomputed tables no longer match, forcing the attacker to compute hashes from scratch. Rate limiting affects online guessing, not offline table lookups.
- Which choice best defines social engineering in the context of a penetration test?
- Manipulating people into revealing information or performing actions that weaken security
- Exploiting a software buffer to overwrite memory
- Scanning a network range to find live hosts
- Cracking encrypted password hashes offline
Correct answer: Manipulating people into revealing information or performing actions that weaken security
Social engineering is manipulating people into revealing information or performing actions that weaken security, targeting human trust rather than technical flaws. Buffer overflows, host scanning, and hash cracking are technical attacks, whereas social engineering relies on persuasion, pretexting, or deception against individuals.
- During an authorized engagement, the tester sends targeted emails impersonating the IT help desk to lure employees into entering credentials on a cloned login page. What is this technique, and what is the tester measuring?
- Tailgating; measuring physical access controls
- Smishing; measuring SMS filtering effectiveness
- Phishing; measuring how susceptible users are to credential-harvesting lures
- Vishing; measuring phone-based response times
Correct answer: Phishing; measuring how susceptible users are to credential-harvesting lures
This is phishing; the tester is measuring how susceptible users are to credential-harvesting lures by tracking who clicks and submits credentials to the cloned page. Vishing uses voice calls and smishing uses SMS, while tailgating is a physical access technique, so none of those match an email-and-cloned-page scenario.
- A tester deauthenticates a client from a WPA2-Personal wireless network to capture the four-way handshake, then attempts to recover the passphrase offline. Which captured element is necessary for the offline crack to succeed?
- The access point's BSSID only
- The client's DHCP lease
- The router's administrative login banner
- The WPA2 four-way handshake (EAPOL frames) containing the MIC and nonces used to derive the PTK
Correct answer: The WPA2 four-way handshake (EAPOL frames) containing the MIC and nonces used to derive the PTK
The WPA2 four-way handshake (EAPOL frames) is necessary, because offline cracking hashes each passphrase candidate to derive the PMK and PTK, then checks whether the computed MIC matches the one captured in the handshake. The BSSID alone, a DHCP lease, or a login banner do not contain the cryptographic material needed to validate passphrase guesses. Note that PMKID is a separate clientless attack method that extracts a single frame from the AP without requiring a connected client or deauthentication.
- A tester sets up a rogue access point that broadcasts the same SSID as the corporate wireless network to lure clients into connecting. What is this attack commonly called?
- War dialing
- Evil twin attack
- Bluesnarfing
- ARP poisoning
Correct answer: Evil twin attack
This is an evil twin attack, where a rogue access point mimics a legitimate SSID so victims associate to it, letting the tester intercept traffic or harvest credentials. War dialing targets phone lines, bluesnarfing steals data over Bluetooth, and ARP poisoning is a wired Layer 2 attack, so none fit a spoofed Wi-Fi SSID.
- A web application reflects an unsanitized id parameter into the response, and the tester confirms a script entered in the URL executes only for the user who follows the crafted link. Which XSS variant is this?
- DOM-based XSS
- Reflected XSS
- Blind XSS
- Stored XSS
Correct answer: Reflected XSS
This is reflected XSS, because the injected script is echoed back immediately in the server's response and runs only for the victim who follows the crafted link, rather than being persisted. Stored XSS is saved server-side and affects all viewers, DOM-based XSS executes through client-side script handling, and blind XSS fires in a context the attacker cannot directly observe.
- A tester finds that a cloud storage bucket is publicly readable and lists sensitive objects. Within the Attacks and Exploits domain, which cloud attack class does exploiting this misconfiguration represent?
- A wireless deauthentication attack
- A cloud misconfiguration attack exploiting overly permissive storage access
- A side-channel timing attack against the hypervisor
- A DNS zone transfer against the cloud provider
Correct answer: A cloud misconfiguration attack exploiting overly permissive storage access
This represents a cloud misconfiguration attack exploiting overly permissive storage access; publicly readable buckets are a common cloud weakness that leaks data without any software exploit. A hypervisor side channel, a DNS zone transfer, and wireless deauthentication are unrelated mechanisms that do not describe an open storage bucket.
- A tester escapes a container by abusing an overly privileged container that was run with host namespace access, gaining code execution on the underlying node. Which class of attack is this?
- A SQL injection attack
- A container breakout (escape) attack
- A pass-the-ticket attack
- A directory traversal attack
Correct answer: A container breakout (escape) attack
This is a container breakout (escape) attack, in which a misconfigured or over-privileged container is abused to access the host operating system. SQL injection targets databases, pass-the-ticket abuses Kerberos tickets, and directory traversal reads files within an application, so none describe crossing the container boundary to the host.
- A tester intercepts an API request and changes the account identifier in the request body to access another user's records, with the server returning the data. Which web flaw is being exploited?
- Cross-site request forgery
- Insecure direct object reference (broken object level authorization)
- Clickjacking
- Server-side template injection
Correct answer: Insecure direct object reference (broken object level authorization)
This is an insecure direct object reference, also framed as broken object level authorization, where changing an identifier grants access to objects the user is not authorized to see because the server fails to enforce ownership checks. CSRF forces actions in an existing session, clickjacking tricks clicks, and template injection executes server-side template code, none of which match swapping an object ID.
- A tester crafts a request that makes a vulnerable server fetch a URL of the tester's choosing, reaching an internal metadata endpoint not exposed externally. Which vulnerability is this?
- Cross-site scripting
- Open redirect
- Server-side request forgery (SSRF)
- Local file inclusion
Correct answer: Server-side request forgery (SSRF)
This is server-side request forgery (SSRF), where the attacker coerces the server into making requests to attacker-chosen destinations, often reaching internal services such as a cloud metadata endpoint. XSS runs in the browser, an open redirect only sends the user elsewhere, and local file inclusion loads server files rather than issuing outbound requests.
- A tester abuses a vulnerable web parameter to include and execute a server-side file, ultimately gaining remote code execution through a log-poisoning chain. Which initial flaw enabled this?
- Local file inclusion (LFI)
- Insecure deserialization
- Session fixation
- Cross-site request forgery
Correct answer: Local file inclusion (LFI)
Local file inclusion (LFI) enabled this; the application includes a server-side file based on user input, and chaining it with log poisoning lets the attacker execute injected code. CSRF forces actions, insecure deserialization abuses object parsing, and session fixation manipulates session identifiers, none of which describe including a local server file.
- While testing a SOAP/XML endpoint, the tester submits XML defining an external entity that reads a local file and returns its contents in the response. Which attack is this?
- XML external entity (XXE) injection
- SQL injection
- HTTP request smuggling
- Cross-site scripting
Correct answer: XML external entity (XXE) injection
This is XML external entity (XXE) injection, where a parser that processes external entity declarations can be coerced into reading local files or reaching internal systems. SQL injection targets databases, XSS targets browsers, and request smuggling exploits discrepancies in how front-end and back-end servers parse HTTP, so none describe abusing XML entity parsing.
- A tester sends a request with a deliberately oversized input to a network service and observes a crash, then refines the input to control the instruction pointer. Which vulnerability class is being exploited?
- A cross-site scripting flaw
- A buffer overflow
- A race condition
- A clickjacking flaw
Correct answer: A buffer overflow
This is a buffer overflow, where writing more data than a buffer can hold corrupts adjacent memory and can let the attacker overwrite the instruction pointer to redirect execution. A race condition exploits timing between operations, while XSS and clickjacking are browser-side web attacks, none of which involve overflowing a memory buffer.
- A tester crafts a malicious serialized object that, when parsed by a vulnerable Java application, instantiates a gadget chain and executes attacker code. Which vulnerability is being exploited?
- Directory traversal
- SQL injection
- Insecure deserialization
- ARP poisoning
Correct answer: Insecure deserialization
This is insecure deserialization, where untrusted serialized data is parsed into objects, and a gadget chain present in the application's classpath is abused to achieve code execution. Directory traversal reads files, SQL injection targets the database, and ARP poisoning is a Layer 2 network attack, so none describe abusing object deserialization.
- A tester tampers with a JWT used for authentication by changing the alg header to none and removing the signature, and the application accepts the modified token. Which attack class does this represent?
- A war driving attack
- A rainbow table attack
- A token/authentication bypass exploiting weak signature validation
- A SYN flood denial of service
Correct answer: A token/authentication bypass exploiting weak signature validation
This represents a token/authentication bypass exploiting weak signature validation, because the application trusts a JWT whose algorithm was downgraded to none and whose signature was stripped, allowing forged claims. A SYN flood is a denial-of-service technique, a rainbow table cracks hashes, and war driving searches for wireless networks, none of which involve forging an unsigned token.
- During an authorized engagement, a tester wants to map open TCP ports quickly while avoiding completing the three-way handshake, and is running with root privileges. Which Nmap scan type best fits this requirement?
- A UDP scan (-sU)
- A SYN scan (-sS)
- A TCP connect scan (-sT)
- An ACK scan (-sA)
Correct answer: A SYN scan (-sS)
A SYN scan (-sS) is the best fit. It sends a SYN, evaluates the SYN/ACK or RST response to determine port state, then sends a RST to tear down the connection before the handshake completes, which makes it fast and is why it is called a half-open or stealth scan. It requires raw-packet privileges (root on Linux), unlike a TCP connect scan (-sT), which calls the OS connect() function and fully completes the handshake.
- A penetration tester is operating from a low-privilege account on a Linux jump host and cannot obtain root. They need to enumerate open TCP ports on a target. Which behavior should they expect from the scan they are forced to use?
- The scan will silently fall back to half-open SYN probing
- The TCP connect scan will complete full three-way handshakes and is more likely to be logged
- The UDP scan will require no privileges and complete handshakes
- The SYN scan will run faster and leave fewer log entries
Correct answer: The TCP connect scan will complete full three-way handshakes and is more likely to be logged
The tester should expect that a TCP connect scan (-sT) completes full three-way handshakes and is more likely to be logged. Without raw-socket privileges, Nmap cannot craft half-open SYN probes, so it uses the operating system connect() call, which establishes and then closes a full connection on each open port. This is noisier and slower than a SYN scan, and target applications frequently log the completed connections.
- A tester adds -sV to an Nmap command against discovered open ports. What does this flag instruct Nmap to do?
- Scan UDP ports in addition to TCP ports
- Perform a stealthy half-open scan that avoids the full handshake
- Spoof the source address to evade firewall logging
- Probe open ports to identify the service and its version
Correct answer: Probe open ports to identify the service and its version
The -sV flag tells Nmap to probe open ports to identify the service and its version. After determining a port is open, Nmap sends a series of probes and matches the responses against its service-detection database to report the application name and version (for example, OpenSSH 9.6 or Apache 2.4.58). This deeper fingerprinting helps a tester prioritize which services may be vulnerable, going beyond simply knowing a port is open.
- A tester queries public records, social media, code repositories, and breach databases to build a profile of a target organization without sending packets to its systems. Which activity best describes this work?
- Open-source intelligence (OSINT) gathering
- Vulnerability validation
- Service enumeration
- Active scanning
Correct answer: Open-source intelligence (OSINT) gathering
This best describes open-source intelligence (OSINT) gathering. OSINT is the collection and analysis of publicly available information, such as registrant records, social media, employee details, public code repositories, and breach data, to build a target profile. Because it draws only on third-party and public sources rather than touching the target's own infrastructure, OSINT is a form of passive reconnaissance.
- Which statement most accurately distinguishes passive reconnaissance from active reconnaissance during an engagement?
- Passive reconnaissance gathers information without directly interacting with target systems; active reconnaissance interacts directly with them
- Passive reconnaissance sends crafted packets to the target; active reconnaissance only reads public sources
- Passive reconnaissance requires written authorization; active reconnaissance does not
- Passive reconnaissance is performed only after exploitation; active reconnaissance is performed before
Correct answer: Passive reconnaissance gathers information without directly interacting with target systems; active reconnaissance interacts directly with them
The accurate distinction is that passive reconnaissance gathers information without directly interacting with target systems, while active reconnaissance interacts directly with them. Passive techniques rely on third-party and public data such as WHOIS, DNS records held by others, and search engines, leaving no trace on the target. Active techniques such as port scanning or banner grabbing send traffic to the target and can be detected and logged.
- A tester is explaining the workflow to a client. Which description correctly captures how reconnaissance differs from enumeration?
- Reconnaissance occurs after exploitation; enumeration occurs before scoping
- Reconnaissance gathers broad information about the target; enumeration actively extracts specific details such as users, shares, and service versions
- Reconnaissance is always active; enumeration is always passive
- Reconnaissance extracts usernames and shares; enumeration maps the public footprint
Correct answer: Reconnaissance gathers broad information about the target; enumeration actively extracts specific details such as users, shares, and service versions
The correct description is that reconnaissance gathers broad information about the target while enumeration actively extracts specific details such as users, shares, and service versions. Reconnaissance establishes the overall attack surface (domains, IP ranges, technologies), and enumeration then interacts with identified services to pull concrete items like account names, network shares, SNMP data, and exact software versions that feed later exploitation.
- In the context of a penetration test, what does the term footprinting most precisely refer to?
- Cleaning up artifacts after the engagement ends
- Building a comprehensive profile of the target's attack surface during early reconnaissance
- Cracking captured password hashes offline
- Exploiting a discovered service to gain a foothold
Correct answer: Building a comprehensive profile of the target's attack surface during early reconnaissance
Footprinting refers to building a comprehensive profile of the target's attack surface during early reconnaissance. It is the systematic collection of information such as domain names, IP ranges, network blocks, technologies in use, and organizational details, which together outline what can potentially be attacked. Footprinting can be passive or active and precedes detailed enumeration and scanning.
- A tester connects to TCP port 25 on an in-scope mail server and reads the SMTP response line returned by the service to learn its software and version. What technique is being used?
- Banner grabbing
- Credential stuffing
- Fuzzing
- DNS zone transfer
Correct answer: Banner grabbing
This is banner grabbing. Banner grabbing connects to a listening service and reads the identifying text it returns, such as an SMTP greeting, an HTTP Server header, or an SSH version string, to learn the product and version. The information helps a tester match running software to known vulnerabilities. It is an active technique because it requires sending a connection request to the target.
- A tester wants to discover hostnames, mail servers, and other records associated with a target domain by interrogating its name servers. Which activity is this?
- War driving
- Packet capture
- DNS enumeration
- ARP scanning
Correct answer: DNS enumeration
This is DNS enumeration. DNS enumeration queries a domain's name servers to uncover records such as A, AAAA, MX, NS, TXT, and CNAME entries, plus subdomains, revealing hosts and services tied to the organization. Tools such as dnsenum, dnsrecon, and host can automate these lookups. The data exposes additional targets and infrastructure relationships useful for planning later phases.
- During DNS enumeration, a tester attempts to retrieve every record in a zone from a misconfigured name server using a single AXFR request. What is this specific technique called?
- DNS tunneling
- DNS zone transfer
- Reverse DNS lookup
- DNS cache poisoning
Correct answer: DNS zone transfer
This is a DNS zone transfer. A zone transfer (AXFR) is intended to replicate a full zone between authoritative name servers, but a misconfigured server that allows transfers to any client will hand over every record in the zone at once. For a tester this is a high-value misconfiguration because it exposes the complete internal host map in one query. It differs from reverse DNS lookups, which resolve only individual IP-to-name mappings.
- What is the primary purpose of running Gobuster against an authorized web target?
- Brute-forcing directories, files, and subdomains to discover hidden content
- Capturing and decrypting TLS session keys
- Cracking NTLM password hashes
- Performing ARP spoofing on the local segment
Correct answer: Brute-forcing directories, files, and subdomains to discover hidden content
Gobuster is used to brute-force directories, files, and subdomains to discover hidden content. It takes a wordlist and rapidly requests candidate paths or names, reporting which ones return responses indicating they exist, such as admin panels, backup files, or development endpoints not linked from the site. This content discovery expands the web attack surface beyond what is visible through normal browsing.
- A tester captures live traffic on an authorized network segment to inspect packets, follow TCP streams, and identify plaintext protocols. Which tool is purpose-built for this analysis?
- Hydra
- Wireshark
- Gobuster
- Hashcat
Correct answer: Wireshark
Wireshark is purpose-built for this. It is a graphical packet analyzer that captures network traffic and lets the tester inspect individual packets, apply display filters, follow TCP or HTTP streams, and reconstruct conversations. During reconnaissance and enumeration it reveals protocols in use, hostnames, and sometimes credentials transmitted in cleartext, helping the tester understand the environment.
- In penetration testing, what does enumeration specifically accomplish that general reconnaissance does not?
- It removes log entries created during scanning
- It establishes the legal scope of the engagement
- It actively connects to identified services to extract concrete details like user accounts, shares, and exact versions
- It generates the final report for the client
Correct answer: It actively connects to identified services to extract concrete details like user accounts, shares, and exact versions
Enumeration actively connects to identified services to extract concrete details like user accounts, shares, and exact versions. Where reconnaissance produces a broad map of the target, enumeration interrogates specific services (SMB, SNMP, LDAP, SMTP, and others) to pull actionable specifics such as valid usernames, group memberships, network shares, and software builds. These details directly inform which exploits or credential attacks to attempt next.
- How is reconnaissance best defined within the penetration testing process?
- The information-gathering phase that identifies and profiles potential targets before active attacks
- The phase of validating exploits in a lab
- The phase of maintaining access after a system is compromised
- The phase of writing remediation recommendations
Correct answer: The information-gathering phase that identifies and profiles potential targets before active attacks
Reconnaissance is best defined as the information-gathering phase that identifies and profiles potential targets before active attacks. It collects details about an organization's domains, IP ranges, technologies, and personnel, using passive and active methods, to build the picture an attacker needs. Strong reconnaissance increases the efficiency and success of every subsequent phase by focusing effort on the most promising targets.
- A tester uses Nmap's -O flag against an in-scope host and reviews the output. What information is this option designed to provide?
- A guess of the host's operating system based on TCP/IP stack characteristics
- A dump of the host's DNS zone records
- The list of usernames configured on the host
- A capture of all plaintext credentials on the wire
Correct answer: A guess of the host's operating system based on TCP/IP stack characteristics
The -O flag is designed to provide a guess of the host's operating system based on TCP/IP stack characteristics. Nmap sends a series of probes and compares response attributes such as initial sequence numbers, window sizes, and TCP options against its OS fingerprint database to estimate the platform and version. Knowing the likely OS helps a tester choose compatible exploits and tools.
- A tester runs Nmap with -p- against an authorized host. What is the effect of this option on the scan?
- It enables operating system detection
- It performs a ping sweep without port scanning
- It scans all 65,535 TCP ports rather than the default set
- It scans only the most common 1,000 ports
Correct answer: It scans all 65,535 TCP ports rather than the default set
The -p- option causes Nmap to scan all 65,535 TCP ports rather than the default set. By default Nmap checks only the top 1,000 most common ports, so services bound to high or nonstandard ports can be missed. Scanning the full range is slower but ensures uncommon listeners, such as an admin service moved to a high port, are discovered.
- A tester is determining whether a target subnet has live hosts before committing to full port scans. Using Nmap, which option performs host discovery only, without scanning ports?
Correct answer: -sn
The -sn option performs host discovery only, without scanning ports. Often called a ping sweep, it sends discovery probes (such as ICMP, TCP SYN to 443, and TCP ACK to 80) and reports which hosts respond as up, while skipping the port-scan phase entirely. This produces a quick inventory of live systems so the tester can target follow-up scans efficiently.
- A tester runs theHarvester against a target domain during early reconnaissance. Which category of data is this tool primarily designed to collect?
- Cracked password hashes from captured traffic
- Live exploit payloads for discovered services
- Kernel-level OS fingerprints
- Email addresses, subdomains, and host names from public sources
Correct answer: Email addresses, subdomains, and host names from public sources
theHarvester is primarily designed to collect email addresses, subdomains, and host names from public sources. It queries search engines, certificate transparency logs, and other open data to aggregate an organization's exposed identities and infrastructure. Because it relies on third-party public data rather than probing the target directly, it is a passive OSINT tool used early in reconnaissance.
- A tester needs to enumerate shares, users, and policies from a Windows host exposing SMB on TCP 445. Which tool is most appropriate for this enumeration?
- Enum4linux
- Sqlmap
- John the Ripper
- Aircrack-ng
Correct answer: Enum4linux
enum4linux is most appropriate for enumerating shares, users, and policies over SMB. It wraps Samba client utilities to query a Windows or Samba host and report network shares, user lists, group memberships, password policies, and OS details. This is a classic enumeration step that turns a discovered SMB service into concrete account and share data for later attacks.
- A tester queries certificate transparency logs for a target's primary domain. What reconnaissance value does this provide?
- It performs an ICMP sweep of the subnet
- It cracks the server's private key
- It captures live session cookies
- It reveals subdomains and hostnames from issued TLS certificates
Correct answer: It reveals subdomains and hostnames from issued TLS certificates
Querying certificate transparency logs reveals subdomains and hostnames from issued TLS certificates. Publicly logged certificates list the domains and subdomains they cover, so searching these logs surfaces hosts (including staging and internal-sounding names) that may not appear in normal DNS browsing. Because the logs are public third-party records, this is a passive OSINT technique that expands the known attack surface.
- A tester sends a UDP scan (-sU) against a host and several ports return no response at all. How should an open-or-filtered UDP result be interpreted?
- The scan completed a full handshake on those ports
- The host is definitively offline
- The ports are definitively closed
- No response can mean the port is open or filtered, because many UDP services do not reply to empty probes
Correct answer: No response can mean the port is open or filtered, because many UDP services do not reply to empty probes
No response can mean the port is open or filtered, because many UDP services do not reply to empty probes. UDP is connectionless, so an open port frequently stays silent while a closed port returns an ICMP port-unreachable message; a silent port could also be filtered by a firewall. This ambiguity is why UDP scans are slower and often require service-specific probes or -sV to confirm what is actually listening.
- A tester reviews Nmap output showing a port in the filtered state. What does the filtered result most likely indicate?
- The host is not running any services
- The port completed a three-way handshake
- The service responded with its version banner
- A firewall or filter is blocking probes so Nmap cannot determine if the port is open
Correct answer: A firewall or filter is blocking probes so Nmap cannot determine if the port is open
A filtered result most likely indicates that a firewall or filter is blocking probes so Nmap cannot determine if the port is open. In this state, probe packets are dropped or rejected before Nmap can observe a definitive open or closed response. This differs from closed, where the host actively returns a RST, and signals that packet filtering sits between the tester and the target.
- During authorized OSINT, a tester uses Google search operators such as site:, filetype:, and inurl: to surface exposed documents and pages indexed for a target. What is this technique commonly called?
- ARP poisoning
- DNS tunneling
- Session fixation
- Google dorking
Correct answer: Google dorking
This technique is commonly called Google dorking. It uses advanced search operators to narrow engine results to specific sites, file types, or URL patterns, surfacing exposed spreadsheets, configuration files, login pages, and other indexed content. Because it relies entirely on a public search index rather than touching the target, Google dorking is a passive OSINT method.
- A tester wants to query WHOIS and DNS records and enumerate subdomains in an automated, modular way during reconnaissance. Among the following, which is a recon and OSINT framework rather than an exploitation tool?
- Responder
- Recon-ng
- Mimikatz
- BeEF
Correct answer: Recon-ng
Recon-ng is a recon and OSINT framework rather than an exploitation tool. It provides a modular, command-driven environment for automating reconnaissance tasks such as harvesting hosts, contacts, and credentials from public data sources and storing results in a workspace database. Mimikatz, Responder, and BeEF are used in credential, on-path, and browser-exploitation phases, not for OSINT collection.
- A tester discovers a network device responding on UDP 161 and supplies the default community string public to query it. What enumeration data can this commonly yield from a misconfigured device?
- System details, interface lists, routing tables, and sometimes running processes via SNMP
- Cracked WPA2 wireless keys
- The device's TLS private key
- A full DNS zone transfer of the domain
Correct answer: System details, interface lists, routing tables, and sometimes running processes via SNMP
Querying SNMP on UDP 161 with a guessable community string can yield system details, interface lists, routing tables, and sometimes running processes. SNMP exposes a management information base (MIB) of device data, and version 1 and 2c rely only on a community string such as the default public or private for read access. A misconfigured device that keeps these defaults lets a tester walk the MIB and harvest valuable inventory and topology information during enumeration.
- During an authorized internal engagement, a tester is given a valid domain account before running a vulnerability scan. The client wants to understand what advantage this provides over a scan run without any login. Which statement best describes an authenticated (credentialed) scan compared to an unauthenticated scan?
- An authenticated scan is faster because it skips network probing entirely and reads results from a central database
- An authenticated scan can only be performed against web applications, while an unauthenticated scan works on any host
- An authenticated scan logs into each host and inspects installed packages, patch levels, and configuration files, producing fewer false positives than an unauthenticated scan that only probes from the outside
- An unauthenticated scan always finds more vulnerabilities because it is not limited by account permissions
Correct answer: An authenticated scan logs into each host and inspects installed packages, patch levels, and configuration files, producing fewer false positives than an unauthenticated scan that only probes from the outside
An authenticated scan logs into each host with valid credentials and inspects installed software, patch levels, and configuration files, which yields more accurate, lower-false-positive results than an unauthenticated scan that can only infer issues from external probing. Credentialed access lets the scanner confirm a missing patch rather than guess from a banner. An unauthenticated scan typically reports fewer confirmed findings and more uncertainty, not more, and credentialed scanning is not limited to web apps.
- A tester scans a Linux web server with credentials and the report lists every missing OS patch and an outdated OpenSSL package, while a prior uncredentialed scan of the same host only flagged an exposed service banner. Why did the credentialed scan surface so much more detail?
- Because uncredentialed scans intentionally suppress patch findings to avoid noise
- Because the credentialed scan automatically exploited each finding to confirm it
- Because OpenSSL issues can only be detected when scanning over an encrypted channel
- Because the credentialed scan could read the local package database and configuration to verify exact versions, whereas the uncredentialed scan could only observe what was exposed over the network
Correct answer: Because the credentialed scan could read the local package database and configuration to verify exact versions, whereas the uncredentialed scan could only observe what was exposed over the network
The credentialed scan could read the local package database and configuration files to verify exact installed versions, so it confirmed missing patches and the outdated OpenSSL build directly. An uncredentialed scan only sees network-exposed surfaces and must infer from banners. Vulnerability scanners do not exploit findings to confirm them, and detecting an outdated package does not require an encrypted scan channel.
- A client reading a penetration test report asks what a CVSS base score actually represents. Which explanation is correct under CVSS v4.0?
- The base score reflects the intrinsic, time- and environment-independent severity of a vulnerability, derived from metrics such as attack vector, attack complexity, privileges required, and impact
- The base score is recalculated daily based on how many organizations have been breached using the flaw
- The base score is assigned manually by CompTIA for each published CVE
- The base score already includes the customer's specific network defenses and asset value
Correct answer: The base score reflects the intrinsic, time- and environment-independent severity of a vulnerability, derived from metrics such as attack vector, attack complexity, privileges required, and impact
The CVSS base score reflects the intrinsic severity of a vulnerability that does not change over time or across environments, computed from metrics like attack vector, attack complexity, attack requirements, privileges required, user interaction, and impact. Time-varying factors live in the separate Threat metric group, and environment-specific tailoring lives in the Environmental metrics. Base scores come from the CVSS specification maintained by FIRST, not from CompTIA.
- A tester is producing a CVSS v4.0 vector for a flaw that an unauthenticated attacker can trigger over the internet with no special conditions and no user interaction. Which combination of base metric values most accurately captures this?
- Attack Vector: Adjacent, Attack Complexity: High, Privileges Required: None, User Interaction: Active
- Attack Vector: Network, Attack Complexity: Low, Privileges Required: None, User Interaction: None
- Attack Vector: Local, Attack Complexity: High, Privileges Required: High, User Interaction: Required
- Attack Vector: Physical, Attack Complexity: Low, Privileges Required: Low, User Interaction: Passive
Correct answer: Attack Vector: Network, Attack Complexity: Low, Privileges Required: None, User Interaction: None
Attack Vector: Network, Attack Complexity: Low, Privileges Required: None, User Interaction: None matches a flaw reachable from anywhere on the internet that needs no credentials, no special conditions, and no victim action. Local or Physical vectors would require proximity or device access, and High complexity or High privileges contradict the described ease of exploitation. In CVSS v4.0 User Interaction uses values of None, Passive, and Active; None is correct for a flaw requiring no victim involvement.
- When using the FIRST CVSS v4.0 calculator to derive a numeric score, which set of inputs determines the base score?
- The number of affected hosts multiplied by their business value
- The base metric group: attack vector, attack complexity, attack requirements, privileges required, user interaction, and the impact metrics on the vulnerable and subsequent systems
- The scanner's own confidence percentage for the finding
- Only the exploit maturity and remediation level fields
Correct answer: The base metric group: attack vector, attack complexity, attack requirements, privileges required, user interaction, and the impact metrics on the vulnerable and subsequent systems
The base score is calculated from the base metric group: attack vector, attack complexity, attack requirements, privileges required, user interaction, and the impact metrics for the vulnerable and subsequent systems. Exploit maturity belongs to the Threat group and asset value belongs to the Environmental group, so neither sets the base score. A scanner's confidence is not a CVSS input at all.
- A developer asks the tester to clarify the difference between SAST and DAST during a secure-coding discussion. Which statement is accurate?
- SAST analyzes application source code or binaries without running the program, while DAST tests the running application from the outside by sending requests and observing responses
- SAST runs only against live production traffic, while DAST inspects source code line by line
- SAST requires no access to code and DAST requires full source access
- Both SAST and DAST require the application to be compiled into a single binary before testing
Correct answer: SAST analyzes application source code or binaries without running the program, while DAST tests the running application from the outside by sending requests and observing responses
SAST (static application security testing) analyzes source code or binaries without executing the program, while DAST (dynamic application security testing) exercises the running application from the outside by sending crafted requests and observing responses. SAST needs code or binary access and finds issues like insecure functions early; DAST needs a running instance and finds runtime issues such as injection. The descriptions are reversed in the incorrect choices.
- A tester must assess a third-party web application during an engagement but has no access to its source code and cannot install agents on the server. Which testing approach fits these constraints?
- A credentialed host scan, because it reads the application's source from disk
- SAST, because it can review compiled source even when the binary is unavailable
- Manual code review, because it is the only option when source is unavailable
- DAST, because it exercises the live, running application externally without needing source code
Correct answer: DAST, because it exercises the live, running application externally without needing source code
DAST fits because it tests the live, running application from the outside by sending requests and analyzing responses, requiring no source code or installed agents. SAST inherently requires source or binaries, which the tester does not have, and a credentialed host scan cannot reconstruct application source it was never given. Manual code review is impossible without the code.
- A vulnerability scanner reports that a Windows IIS server is vulnerable to a flaw that only affects a specific Linux Apache module, even though that module is not present on the host. How should the tester classify this result?
- A false positive, because the scanner flagged a condition that does not actually exist on the target
- A true positive that requires immediate exploitation
- A configuration error in CVSS scoring that should be reported to FIRST
- A false negative, because the scanner failed to detect a real vulnerability
Correct answer: A false positive, because the scanner flagged a condition that does not actually exist on the target
This is a false positive: the scanner reported a vulnerability that does not actually apply to the host, in this case a Linux Apache flaw on a Windows IIS server. A false negative is the opposite case where a real flaw is missed. Manual validation against the actual platform and version is exactly how a tester filters false positives out of scanner output before reporting.
- In vulnerability scanning, what is a false positive and why does it matter to a penetration tester?
- A duplicate entry caused by scanning the same host twice
- A finding the scanner reports as a vulnerability that does not truly exist on the target; it matters because acting on it wastes effort and undermines report credibility, so testers manually validate findings
- A vulnerability that exists but the scanner failed to report, requiring deeper scanning
- A finding that has been confirmed exploitable and assigned a CVE
Correct answer: A finding the scanner reports as a vulnerability that does not truly exist on the target; it matters because acting on it wastes effort and undermines report credibility, so testers manually validate findings
A false positive is a finding the scanner reports as a vulnerability that does not actually exist on the target. It matters because reporting unverified flaws wastes the client's remediation effort and erodes trust in the assessment, which is why testers manually validate scanner output before including it. A missed-but-real vulnerability is a false negative, not a false positive.
- A non-technical client asks the tester, in plain terms, what a vulnerability scan does. Which description is most accurate?
- It is a tool that automatically patches every weakness it finds
- It is a manual process where the tester exploits every system to prove which ones can be breached
- It is an automated process that probes systems and compares discovered software, versions, and configurations against a database of known weaknesses to produce a list of potential issues
- It is a network monitoring service that watches live traffic for attackers
Correct answer: It is an automated process that probes systems and compares discovered software, versions, and configurations against a database of known weaknesses to produce a list of potential issues
A vulnerability scan is an automated process that probes systems and matches the discovered software, versions, and configurations against a database of known weaknesses to produce a list of potential issues for review. It identifies, it does not exploit or patch, and it is distinct from continuous traffic monitoring. The output still needs human validation to remove false positives.
- A penetration tester needs a widely used commercial vulnerability scanner to perform automated network and host assessment, including credentialed checks across thousands of plugins. Which tool is purpose-built for this?
- Burp Suite Repeater
- Responder
- John the Ripper
- Nessus
Correct answer: Nessus
Nessus is a widely used commercial vulnerability scanner designed for automated network and host assessment, supporting credentialed checks across an extensive plugin library. Burp Suite Repeater is for manually manipulating individual web requests, John the Ripper is a password cracker, and Responder is a man-in-the-middle and credential-capture tool. None of those perform broad automated vulnerability scanning.
- During web application analysis, a tester sends large volumes of malformed, unexpected, and random input to a target to trigger crashes or anomalous behavior that may reveal exploitable flaws. What is this technique called?
- Banner grabbing
- Privilege escalation
- Fuzzing
- Pivoting
Correct answer: Fuzzing
Fuzzing is the technique of sending large volumes of malformed, unexpected, or random input to a target to provoke crashes or anomalous behavior that can expose input-handling and memory-safety flaws. Banner grabbing reads service identification strings, privilege escalation raises an attacker's access level, and pivoting routes traffic through a compromised host. Only fuzzing describes the malformed-input testing method.
- A scanner reports four findings on a client's host: a Critical remote code execution flaw, a High privilege-escalation issue, and two Low informational items. With limited remediation time, how should the tester advise the client to prioritize?
- Address findings alphabetically by CVE identifier
- Address the two Low items first because there are more of them
- Treat all four findings as equal priority regardless of severity
- Address the Critical remote code execution finding first, then the High issue, since severity and exploitability drive remediation order
Correct answer: Address the Critical remote code execution finding first, then the High issue, since severity and exploitability drive remediation order
Prioritization should follow severity and exploitability, so the Critical remote code execution flaw is addressed first, then the High privilege-escalation issue, leaving the Low informational items for last. Counting findings or sorting by CVE identifier ignores risk, and treating everything equally wastes scarce remediation time on low-impact issues. CVSS severity bands exist precisely to support this triage.
- A tester wants a fully open-source vulnerability scanner to assess a client's external network without paying for a commercial license. Which tool fits this requirement?
- Cobalt Strike
- Hydra
- Aircrack-ng
- OpenVAS (Greenbone)
Correct answer: OpenVAS (Greenbone)
OpenVAS, maintained as part of the Greenbone framework, is a fully open-source vulnerability scanner suited to automated network assessment without a commercial license. Cobalt Strike is a paid commercial command-and-control platform, Hydra is an online password-brute-forcing tool, and Aircrack-ng targets wireless encryption. Only OpenVAS is an open-source general vulnerability scanner.
- While analyzing scan results, a tester sees a web server self-reporting version 2.4.49 of a well-known HTTP daemon associated with a path-traversal and remote code execution issue. What is the most appropriate next analysis step within the engagement scope?
- Rescan the entire subnet before examining the single host further
- Immediately mark it exploited and move to post-exploitation
- Discard the finding because version banners can never be trusted
- Map the reported version to its known CVEs and manually verify the host is actually affected before flagging it as exploitable
Correct answer: Map the reported version to its known CVEs and manually verify the host is actually affected before flagging it as exploitable
The correct next step is to map the reported version to its known CVEs and manually verify that the host is genuinely affected before flagging it as exploitable, since version-based detection can produce false positives from backports or modified builds. Declaring it exploited without validation skips analysis, dismissing all banners outright discards useful signal, and rescanning the subnet does nothing to validate this specific finding.
- A tester writes a short script to parse Nmap XML output and automatically cross-reference each discovered service version against a local vulnerability list. Within the Vulnerability Discovery and Analysis domain, what does this scripting primarily accomplish?
- It automates the correlation of enumeration data with known vulnerabilities, speeding analysis and reducing manual lookup errors
- It replaces the need to run any vulnerability scanner at all
- It generates the final client invoice from scan data
- It exploits each discovered service automatically
Correct answer: It automates the correlation of enumeration data with known vulnerabilities, speeding analysis and reducing manual lookup errors
The script automates correlation of enumeration data with known vulnerabilities, which speeds the analysis phase and reduces manual lookup errors when triaging many services. It supports, rather than replaces, scanner output and does not exploit anything by itself. Scripting and automation to support analysis is an explicit part of this domain's objectives.
- A vulnerability scanner runs against a bespoke web application and reports no issues, yet the tester later confirms a custom authentication bypass exists. How is the scanner's original result classified, and what does it illustrate?
- A false positive, illustrating that scanners over-report custom applications
- A true positive that was simply low severity
- A configuration drift issue unrelated to scanning accuracy
- A false negative, illustrating that signature-based scanners often miss logic and bespoke flaws that require manual testing
Correct answer: A false negative, illustrating that signature-based scanners often miss logic and bespoke flaws that require manual testing
The scanner produced a false negative because it failed to report a vulnerability that genuinely exists, here a custom authentication bypass. This illustrates that signature- and pattern-based scanners frequently miss business-logic and bespoke application flaws, which is why manual testing remains essential. A false positive is the opposite error of reporting a nonexistent flaw.
- A tester wants to discover hidden input-handling crashes in a custom compiled binary by feeding it mutated and generated inputs and monitoring for failures. Which category of tool is most appropriate?
- A credential dumper such as Mimikatz
- A web proxy such as Burp Suite Proxy
- A network mapper such as Nmap
- A fuzzer such as AFL++
Correct answer: A fuzzer such as AFL++
A fuzzer such as AFL++ is purpose-built to feed mutated and generated inputs into a binary and watch for crashes or hangs that reveal input-handling and memory-safety flaws. A web proxy intercepts HTTP traffic, a network mapper performs host and port discovery, and a credential dumper extracts secrets after compromise. Only the fuzzer performs automated malformed-input testing of a binary.
- After running two different scanners against the same web application, a tester finds one tool reports a SQL injection on a parameter while the other does not. What is the most defensible way to resolve the discrepancy during analysis?
- Manually test the parameter, for example by submitting crafted input and observing the application's response, to confirm or refute the injection
- Report the vulnerability as confirmed because at least one scanner detected it
- Discard both results since the scanners disagree
- Average the two scanners' CVSS scores and report that value
Correct answer: Manually test the parameter, for example by submitting crafted input and observing the application's response, to confirm or refute the injection
The defensible approach is to manually test the parameter, such as by submitting crafted input and observing the application's behavior, to confirm or refute the suspected SQL injection. Reporting a single scanner's hit without validation risks a false positive, discarding both results ignores a possible real flaw, and averaging CVSS scores does nothing to establish whether the vulnerability actually exists.
- A client has a flat asset inventory and asks the tester to help decide which scan-discovered vulnerabilities deserve attention first. Beyond raw CVSS base score, what additional factor most improves this prioritization?
- The total number of plugins the scanner ran
- The alphabetical order of the affected hostnames
- The scan's start and end timestamps
- The exploit maturity and real-world exploitability of each flaw, since an actively exploited vulnerability outranks a higher-scored one with no known exploit
Correct answer: The exploit maturity and real-world exploitability of each flaw, since an actively exploited vulnerability outranks a higher-scored one with no known exploit
Incorporating exploit maturity and real-world exploitability sharpens prioritization, because a vulnerability that is actively being exploited can warrant faster action than a higher base-scored flaw with no known exploit. In CVSS v4.0 this lives in the Threat metric group via the Exploit Maturity metric. Hostname ordering, plugin counts, and scan timestamps carry no risk information.
- A tester needs to scan a web application specifically for common server-side problems such as outdated server software, dangerous default files, and known insecure CGI scripts. Which lightweight scanner is designed for this purpose?
- Nmap
- Metasploit
- Nikto
- Hashcat
Correct answer: Nikto
Nikto is a lightweight open-source web server scanner designed to check for outdated server software, dangerous default files, and known insecure scripts and CGIs. Nmap focuses on host and port discovery, Metasploit is an exploitation framework, and Hashcat is a password-cracking tool. Only Nikto specializes in this web-server vulnerability checking.
- During an authorized engagement, a penetration tester has compromised one workstation and now uses its access to authenticate to additional hosts in the same Active Directory domain, gradually expanding control across the network. Which post-exploitation activity does this describe?
- Active reconnaissance
- Lateral movement
- Privilege escalation
- Vulnerability scanning
Correct answer: Lateral movement
Lateral movement is the activity of using an already-compromised host to reach and gain access to additional systems across the target environment. It is what an attacker does after the initial foothold to spread through the network, typically by reusing credentials, abusing trust relationships, or leveraging remote-execution protocols such as SMB, WMI, or RDP. Privilege escalation is the separate goal of raising permissions on a single host rather than moving between hosts.
- A tester has a foothold on a dual-homed host that can reach an isolated internal subnet the tester's own machine cannot. The tester configures the compromised host to relay traffic so that tools launched from the attack box can scan and attack systems in that hidden subnet. What is this technique called?
- Credential stuffing
- Banner grabbing
- War driving
- Pivoting
Correct answer: Pivoting
Pivoting is using a compromised system as a relay or gateway to reach networks that are otherwise unreachable from the attacker's position. The tester routes traffic through the foothold host, commonly with a proxy such as SOCKS via Metasploit, SSH port forwarding, or a tunneling tool, to access segmented internal networks. It differs from lateral movement, which is the broader act of compromising additional hosts; pivoting is specifically the network-relay mechanism that enables that reach.
- A penetration tester deploys an implant on a compromised host that periodically beacons out to an external server the tester controls, retrieving commands and returning their output. What does the external server in this arrangement function as?
- A vulnerability scanner
- A command-and-control (C2) server
- A DNS resolver
- A jump box
Correct answer: A command-and-control (C2) server
A command-and-control (C2) server is the attacker-controlled system that compromised hosts communicate with to receive instructions and send back results during post-exploitation. Frameworks such as Cobalt Strike, Metasploit, Sliver, and Empire provide C2 infrastructure, and implants typically beacon out at intervals over channels like HTTPS or DNS to blend with normal traffic. A jump box is a defender-managed administrative host, not the attacker's instruction server.
- After gaining administrative access to several hosts, a tester collects passwords, password hashes, and Kerberos tickets from memory and configuration files to reuse them against other systems in the domain. What is this post-exploitation activity called?
- Fuzzing
- Credential harvesting
- Session fixation
- Subdomain enumeration
Correct answer: Credential harvesting
Credential harvesting is the gathering of authentication material such as plaintext passwords, NTLM hashes, Kerberos tickets, and tokens from compromised systems so they can be reused to expand access. Testers extract this material from memory (for example with credential-dumping tools), the SAM and LSASS process, browser stores, and configuration files, then feed it into lateral-movement techniques. It is distinct from password cracking, which converts an already-captured hash into its plaintext value offline.
- A tester with a valid but unprivileged domain account requests Kerberos service tickets for accounts that have a registered Service Principal Name, then exports those tickets to crack them offline and recover the service accounts' passwords. Which attack is being performed?
- Cross-site scripting
- ARP spoofing
- DNS cache poisoning
- Kerberoasting
Correct answer: Kerberoasting
Kerberoasting requests TGS service tickets for accounts that have a Service Principal Name (SPN) and cracks them offline, because each ticket is encrypted with a key derived from the service account's password. Any authenticated domain user can request these tickets, and the domain controller does not verify whether that user may actually use the service, so weak service-account passwords (especially with legacy RC4 encryption) can be recovered without triggering account lockout. Tools such as Rubeus and Impacket's GetUserSPNs automate the ticket request and extraction.
- A penetration tester installs a scheduled task that re-launches an implant after every reboot so that access to a compromised host survives if the system is restarted or the original session drops. Which post-exploitation goal does this technique serve?
- Conducting a denial-of-service attack
- Performing reconnaissance
- Establishing persistence
- Defining the rules of engagement
Correct answer: Establishing persistence
Persistence is maintaining access to a compromised system across reboots, logoffs, or credential changes so the tester does not have to re-exploit the initial vulnerability. Common mechanisms include scheduled tasks, registry Run keys, new services, startup folder entries, cron jobs, and backdoor accounts. In an authorized engagement the tester documents every persistence mechanism installed so the client can verify removal during cleanup.
- On a compromised Linux host, a tester runs the command that lists files with the SUID bit set and finds a root-owned binary that GTFOBins documents as exploitable. How does abusing this binary help the tester?
- It encrypts disk contents to evade detection
- It runs with the file owner's privileges, allowing escalation to root
- It enumerates open ports on neighboring hosts
- It opens a covert channel to the C2 server
Correct answer: It runs with the file owner's privileges, allowing escalation to root
A SUID binary executes with the privileges of its owner rather than the user who launched it, so a root-owned SUID program that can spawn a shell or read arbitrary files lets an unprivileged user escalate to root. Testers locate these with a find command searching for the -perm -4000 bit and check GTFOBins to see which functions a given binary exposes. Other reliable Linux escalation vectors include exploitable sudo rules (found with sudo -l), writable cron jobs, and kernel exploits, often surfaced by enumeration scripts such as LinPEAS.
- A tester has limited-user access on a Windows server and wants to find a path to SYSTEM. Which finding represents a classic Windows privilege-escalation opportunity?
- An open port 80 serving a static web page
- An unquoted service path pointing to a directory the user can write to
- A DNS TXT record containing a long encoded string
- A self-signed TLS certificate on an internal site
Correct answer: An unquoted service path pointing to a directory the user can write to
An unquoted service path that contains spaces and points through a user-writable directory lets the tester place a malicious executable that Windows runs in the service's security context, often SYSTEM. Other common Windows escalation vectors include misconfigured service permissions, AlwaysInstallElevated, weak registry or file ACLs, token impersonation, and unpatched kernel vulnerabilities, frequently enumerated with tools such as WinPEAS or PowerUp. An open web port or a TLS certificate finding is a network or web-layer issue, not a local privilege-escalation primitive.
- After collecting sensitive files on a compromised internal host, a tester encodes the data into the subdomain labels of DNS queries sent to a domain whose authoritative name server the tester controls, reassembling the data on that server. Why is this exfiltration method effective at evading network controls?
- DNS queries cannot be logged by network monitoring tools
- DNS traffic is usually permitted outbound and rarely deeply inspected
- DNS uses TCP exclusively, which firewalls never block
- DNS responses are always encrypted end-to-end by default
Correct answer: DNS traffic is usually permitted outbound and rarely deeply inspected
Exfiltration over DNS is effective because outbound DNS is almost always allowed through firewalls and frequently passes with little deep inspection, giving a covert channel for moving data out. The tester encodes data into query subdomain labels (or uses TXT records on the return path) directed at an attacker-controlled authoritative server, with tools like dnscat2 and iodine automating the channel. Defenders detect it by watching for high query volumes, high-entropy labels, and unusual record types rather than by the protocol being unloggable. This is one form of data exfiltration, the unauthorized transfer of data off a target.