Practice foundational security testing concepts including reconnaissance, vulnerability scanning, penetration testing basics, reporting, and ethical security assessment practices.
Typology: Exams
Question 1. Which of the following best describes the primary difference between ethical hacking and malicious hacking?
A) Ethical hackers work only on web applications, while malicious hackers target networks.
B) Ethical hackers obtain prior authorization, whereas malicious hackers do not.
C) Ethical hackers use open-source tools, while malicious hackers use proprietary tools.
D) Ethical hackers focus on physical security, while malicious hackers focus on logical security.
Answer: B
Explanation: The defining characteristic of ethical hacking is obtaining explicit, written permission before testing; malicious hacking proceeds without consent.

Question 2. In a Rules of Engagement (RoE) document, which clause typically defines the “out-of-scope” assets?
A) Liability limitation
B) Time window for testing
C) Exclusion list of IP ranges, applications, or data
D) Reporting format requirements
Answer: C
Explanation: The exclusion list explicitly states which systems, networks, or data are not to be tested, preventing accidental impact on critical assets.

Question 3. The Computer Misuse Act (UK) criminalizes which of the following activities?
A) Publishing security research without permission
B) Unauthorized access to computer material
C) Using encryption for data protection
D) Conducting vulnerability scans on owned assets
Answer: B
Explanation: Section 1 of the Computer Misuse Act makes “unauthorised access to computer material” an offence, forming the legal basis for prosecuting illicit hacking.

Question 4. Which OSSTMM principle focuses on measuring the effectiveness of security controls rather than just identifying flaws?
A) Integrity
B) Confidentiality
C) Operational Security (OPSEC)
D) Assurance
Answer: D
Explanation: Assurance in OSSTMM evaluates how well controls mitigate risk, providing a quantitative measure of security effectiveness.

Question 5. When performing passive reconnaissance, which technique is least likely to alert the target organization?
A) Sending ICMP echo requests to the target’s public IPs
B) Analyzing DNS zone transfers from a public DNS server
C) Scraping employee LinkedIn profiles for email addresses
D) Querying Shodan for exposed services
Answer: C
Explanation: Harvesting publicly available social media data does not interact with the target’s network, making it silent and low-risk.

Question 6. Which DNS record type can be leveraged to discover subdomains of a target domain?
A) MX
B) TXT
C) CNAME
D) NS
Answer: C
Explanation: CNAME records often point subdomains to their canonical names, revealing hidden or internal services during enumeration.

A) Nmap
B) Wireshark
C) Maltego
D) Netcat
Answer: C
Explanation: Maltego excels at aggregating data from various sources and presenting it as a graphical relationship map of hosts and services.

Question 11. Which of the following is a false positive indicator when interpreting Nessus scan results?
A) CVE-2021-34527 listed for a Windows 10 machine that is fully patched
B) Open FTP port 21 on a server that does not run an FTP daemon
C) Missing patches for a known kernel vulnerability on a Linux host
D) Detecting SMB signing disabled on a Windows Server 2016
Answer: B
Explanation: An open port flagged without an associated service often results from a scanning artifact, indicating a false positive.

Question 12. When prioritizing vulnerabilities, which metric from the CVSS v3 system reflects the potential impact on confidentiality, integrity, and availability?
A) Attack Vector (AV)
B) Base Score (BS)
C) Exploitability Sub-Score (E)
D) Scope (S)
Answer: B
Explanation: The Base Score aggregates impact and exploitability metrics, providing an overall severity rating for the vulnerability.

Question 13. Which UNIX misconfiguration is most likely to allow a low-privileged user to read /etc/shadow?
A) Incorrect permissions on /etc/passwd
B) SUID bit set on the ‘cat’ command
C) World-readable /etc/shadow file
D) Disabled SELinux policy enforcement
Answer: C
Explanation: If /etc/shadow is set to 644 (world-readable), any user can read hashed passwords, compromising credential security.

Question 14. In Windows environments, which default setting can lead to “Pass the Hash” attacks?
A) Disabled SMB signing
B) NTLMv2 authentication enforced
C) Credential Guard enabled
D) Use of smart card logon only
Answer: A
Explanation: When SMB signing is disabled, attackers can replay captured NTLM hash values over the network to authenticate as the original user.

Question 15. Which of the following best describes a “session hijacking” technique that works at the application layer?
A) TCP reset injection
B) ARP spoofing
C) Web cookie theft and reuse
D) DNS cache poisoning
Answer: C
Explanation: Capturing and replaying a valid session cookie allows an attacker to assume the victim’s authenticated session at the web application level.

Question 16. Which Metasploit auxiliary module would you use to perform a DNS enumeration scan?
A) auxiliary/scanner/http/dir_scanner
B) auxiliary/scanner/dns/dns_version

D) Systemd service startup order
Answer: B
Explanation: Dirty COW exploits a race condition in the kernel’s copy-on-write mechanism, allowing unprivileged users to gain write access to read-only memory.

Question 20. Which Windows service, if left enabled with default configuration, can be abused to achieve local privilege escalation via named pipe impersonation?
A) Windows Defender
B) Print Spooler (spoolsv.exe)
C) Windows Time Service (w32time)
D) Remote Desktop Services (termsrv.exe)
Answer: B
Explanation: The Print Spooler service creates named pipes that can be hijacked by low-privileged users to execute code in the context of SYSTEM.

Question 21. Which term describes a malicious program that disguises itself as a legitimate application to gain user trust?
A) Rootkit
B) Trojan horse
C) Worm
D) Logic bomb
Answer: B
Explanation: A Trojan horse appears benign or useful, tricking users into executing it, thereby delivering malicious payloads.

Question 22. In post-exploitation, which Windows registry key is commonly edited to achieve persistence for a malicious executable?
A) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
B) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
C) HKEY_USERS\.DEFAULT\Control Panel\Desktop
D) HKEY_CLASSES_ROOT\CLSID
Answer: A
Explanation: The “Run” key under HKCU (or HKLM) is read at user logon, making it a popular location for auto-starting malicious programs.

Question 23. Which Linux startup mechanism can be abused to maintain persistence by adding a malicious script to /etc/rc.local?
A) systemd unit files
B) cron @reboot entries
C) init.d scripts executed by rc.local
D) PAM configuration files
Answer: C
Explanation: rc.local is executed by the init system after all other init scripts, allowing any commands placed there to run at boot.

Question 24. Which of the following is a typical indicator that a rootkit has been installed on a Linux host?
A) Increased CPU usage during idle periods
B) Presence of /dev/.hidden directory
C) Unexpected kernel module (e.g., “rkmod”) loaded with lsmod
D) New user account created in /etc/passwd
Answer: C
Explanation: Rootkits often load malicious kernel modules to hide processes, files, and network connections; listing loaded modules can reveal them.

Question 25. An attacker wants to erase evidence of their activity from Windows Event Logs. Which command achieves this?
A) wevtutil cl System
B) netsh advfirewall reset
C) reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /f
D) taskkill /IM explorer.exe /F
Answer: A

Explanation: Threat modeling helps define who might attack, what they might target, and how, guiding the scope and methodology of testing.

Question 29. Which open-source tool is specialized for performing OS fingerprinting based on TCP/IP stack characteristics?
A) Nmap
B) Nikto
C) OpenVAS
D) Burp Suite
Answer: A
Explanation: Nmap’s OS detection (-O) leverages subtle differences in TCP/IP responses to infer the target operating system.

Question 30. In the context of GDPR, which principle requires that personal data be processed only for a specific, explicit purpose?
A) Data minimization
B) Purpose limitation
C) Accuracy
D) Storage limitation
Answer: B
Explanation: Purpose limitation mandates that data collection and processing be confined to clearly defined, legitimate purposes.

Question 31. Which technique would you use to discover hidden directories on a web server?
A) SYN scan with Nmap
B) Directory brute-forcing with tools like DirBuster or Gobuster
C) SNMP walk on port 161
D) ICMP echo requests
Answer: B
Explanation: Directory brute-forcing enumerates common and custom paths, revealing hidden or unlinked directories.

Question 32. Which of the following is a characteristic of a “low-and-slow” DoS attack?
A) High bandwidth consumption
B) Flooding the target with SYN packets at maximum rate
C) Sending a small number of requests over a long period to evade detection
D) Using amplification from third-party servers
Answer: C
Explanation: Low-and-slow attacks use minimal traffic spread over time, making them harder for IDS/IPS to notice.

Question 33. Which HTTP header can be manipulated to perform a simple cross-site scripting (XSS) attack?
A) Content-Security-Policy
B) Set-Cookie
C) User-Agent
D) X-Forwarded-For
Answer: C
Explanation: Reflecting unsanitized User-Agent data in a response can inject malicious script code into the page.

Question 34. Which cryptographic algorithm is considered insecure for password hashing due to its speed?
A) bcrypt
B) Argon2
C) SHA-1
D) PBKDF2
Answer: C
Explanation: SHA-1 is a fast hash function and not designed for password storage; it lacks key stretching, making brute-force attacks feasible.

Question 38. Which Windows command can be used to list all active network connections and the processes that own them?
A) ipconfig /all
B) netstat -ano
C) ping -t
D) route print
Answer: B
Explanation: netstat -ano displays active connections along with the owning process ID, aiding in post-exploitation reconnaissance.

Question 39. In the context of PKI, what does the term “certificate revocation list (CRL)” provide?
A) A list of expired certificates only
B) A list of certificates that have been revoked before their expiration date
C) A list of trusted root CAs
D) A list of certificate fingerprints for verification
Answer: B
Explanation: A CRL enumerates certificates that are no longer trusted, allowing clients to reject them during validation.

Question 40. Which of the following is the most effective method to mitigate ARP spoofing attacks on a switched LAN?
A) Disabling DHCP
B) Enabling port security with static MAC bindings
C) Using a larger MTU size
D) Enabling IPv6 only
Answer: B
Explanation: Port security with static MAC addresses prevents unauthorized MAC address changes, limiting ARP poisoning effectiveness.

Question 41. Which of the following best describes a “logic bomb” in post-exploitation?
A) A program that self-replicates across the network
B) Code that triggers a malicious action when a specific condition is met
C) An encrypted payload stored in the registry
D) A rootkit that hides processes from ps
Answer: B
Explanation: A logic bomb remains dormant until a predefined condition (date, user action) activates its payload.

Question 42. Which Nmap scanning technique sends a FIN packet to determine port state, and why is it useful?
A) SYN scan – faster than full connect
B) ACK scan – identifies firewall rules
C) FIN scan – can bypass stateless firewalls because closed ports reply with RST while open ports ignore the packet
D) UDP scan – discovers open UDP services
Answer: C
Explanation: FIN scans exploit the fact that many firewalls do not log or block FIN packets, and open ports typically do not respond, making detection harder.

Question 43. Which of the following is a recommended practice when handling credentials discovered during a penetration test?
A) Store them in a plain-text file on the tester’s desktop for quick access
B) Immediately delete them after use without documentation
C) Encrypt the credential list and store it in a secure, access-controlled location
D) Share them with all members of the testing team via instant messaging
Answer: C
Explanation: Protecting sensitive data with encryption and proper access controls maintains confidentiality and complies with legal obligations.

Question 47. Which of the following is an example of a “client-side” vulnerability?
A) SQL injection in a backend database
B) Buffer overflow in a server daemon
C) Cross-site scripting (XSS) that executes JavaScript in the victim’s browser
D) Unpatched kernel module on a Linux host
Answer: C
Explanation: Client-side vulnerabilities affect the user’s browser or application, such as XSS, which runs code on the client.

Question 48. Which of the following Linux commands can be used to view active network sockets and the processes that own them?
A) ls -l /proc/net/tcp
B) netstat -tulpn
C) iptables -L
D) dmidecode
Answer: B
Explanation: netstat -tulpn lists listening and established sockets along with the owning process IDs.

Question 49. Which of the following best illustrates “horizontal privilege escalation”?
A) A low-privileged user gains admin rights on the same machine
B) An attacker moves from one compromised system to another at the same privilege level
C) An attacker gains root access on a Linux server from a normal user account
D) An attacker elevates a service account to SYSTEM via token impersonation
Answer: B
Explanation: Horizontal escalation involves moving laterally across systems with similar privileges, rather than increasing privilege on a single host.

Question 50. Which of the following is a common method for bypassing Windows User Account Control (UAC) during exploitation?
A) Disabling the firewall
B) Using “fodhelper.exe” with a malicious .reg file to trigger auto-elevated execution
C) Modifying the hosts file
D) Changing the system time
Answer: B
Explanation: “fodhelper.exe” is auto-elevated; abusing it with a crafted registry entry can execute code with elevated rights without prompting the user.

Question 51. Which of the following best describes the purpose of a “kill chain” in penetration testing?
A) To outline the steps an attacker takes from reconnaissance to exfiltration, helping defenders identify gaps
B) To list all known vulnerabilities in a target environment
C) To schedule automated scans at regular intervals
D) To define the legal scope of an engagement
Answer: A
Explanation: The kill chain model maps attacker activities, enabling defenders to disrupt or detect attacks at each phase.

Question 52. Which of the following is the most reliable way to verify that a vulnerability scanner’s finding is not a false positive?
A) Accept the scanner’s rating and move on
B) Manually reproduce the issue using a controlled exploit or proof-of-concept code
C) Increase the scan intensity and rescan
D) Run the scanner on a different network segment
Answer: B
Explanation: Manual verification with a PoC confirms whether the vulnerability truly exists, eliminating false positives.

A) Requires user interaction to spread
B) Self-replicates and spreads automatically across networks without user action
C) Only infects executable files
D) Primarily targets hardware components
Answer: B
Explanation: Worms propagate autonomously, often exploiting network services, whereas viruses generally need a host file and user action.

Question 57. Which of the following is a primary benefit of using a “sandbox” environment during exploit development?
A) Increases the speed of network scanning
B) Allows safe execution of potentially malicious code without affecting production systems
C) Automatically generates CVE identifiers
D) Provides a built-in password cracking module
Answer: B
Explanation: Sandboxes isolate the exploit, preventing collateral damage while allowing analysis of behavior.

Question 58. Which of the following best describes “credential stuffing” as an attack technique?
A) Using a stolen password hash to directly log into a system
B) Re-using large lists of compromised username/password pairs against multiple services to gain unauthorized access
C) Intercepting credentials during a man-in-the-middle attack
D) Brute-forcing a single account with dictionary words
Answer: B
Explanation: Credential stuffing exploits the tendency of users to reuse passwords across sites, automating login attempts with known credentials.

Question 59. Which of the following is a recommended step after gaining administrative access to a Windows host during a test?
A) Immediately delete all user accounts
B) Create a new local administrator account for future access and document it in the report
C) Disable Windows Defender to avoid detection
D) Install a third-party firewall without informing the client
Answer: B
Explanation: Adding a dedicated admin account ensures repeatable access while maintaining accountability and documentation.

Question 60. Which of the following best explains why “rate limiting” is an effective mitigation against brute-force attacks?
A) It encrypts all inbound traffic
B) It restricts the number of login attempts from a single source within a time window, reducing attack speed
C) It blocks all traffic from unknown IP addresses
D) It disables the login page entirely during an attack
Answer: B
Explanation: By limiting attempts, the attacker’s ability to try many passwords quickly is throttled, making brute-force impractical.

Question 61. Which of the following tools can be used to enumerate SMB shares on a Windows target?
A) nslookup
B) rpcclient
C) traceroute
D) ping
Answer: B
Explanation: rpcclient (part of the Samba suite) can list available SMB shares on a remote Windows host.

Question 62. Which of the following is a sign that a Linux system may be compromised by a “cryptojacking” malware?