Chapter 8-10

Question 1

This document protects the pen-tester from legal liability should issues arise from an agreed-upon pen test.
A. Rules of Engagement
B. Title IX
C. Memorandum of Understanding
D. Acceptable Use Policy

Answer 1

A. Rules of Engagement

Question 2

Which of these is not an example of a server-side exploitation:
A. Insert SQL code into a form on a webpage to gain unauthorized access to database records
B. Gaining unauthorized access to a server via a backdoor
C. Inserting malicious code into a website through cross site scripting
D. Exploiting a vulnerability in the management interface of a server

Answer 2

B. Gaining unauthorized access to a server via a backdoor

Question 3

This multipurpose tool that is installed on most Linux distros provides a discreet, but unencrypted channel to remotely send text and files to a target machine.
  A. Empire 
  B. Meterpreter 
  C. NetCat 
  D. Nmap

Answer 3

C. NetCat

Question 4

In order to determine whether SSH were running on a host, this scanning type would be used:
  A. Port scanning 
  B. Network Tracing 
  C. Version Scanning 
  D. OS Fingerprinting

Answer 4

C. Version Scanning

Question 5

This phase involves gaining access to a target through means of some type of unintended access.
  A. Post-Exploitation 
  B. Exploitation 
  C. Scanning 
  D. Reconnaissance 
  E. Planning

Answer 5

B. Exploitation

Question 6

A user who is infected with malware from a web server due to a vulnerability in their browser has experienced a:
  A. Server-side exploit 
  B. Humiliation 
  C. Client-side exploit 
  D. Local Privilege Escalation

Answer 6

C. Client-side exploit

Question 7

Determining which hosts are active on a network is part of which phase of a pen-test:
  A. Exploitation 
  B. Post-Exploitation 
  C. Planning 
  D. Scanning 
  E. Reconnaissance

Answer 7

D. Scanning

Question 8

Examining publicly available information to gather information about the target is part of this phase:
A.	Planning 
B.	Scanning 
C.	Post-Exploitation 
D.	Reconnaissance 
E.	Exploitation

Answer 8

D. Reconnaissance

Question 9

Which of these is not a passive scanning technique?
A. Scanning the organization’s public IP range
B. Pulling site registration records
C. Scanning for files on a public website
D. Examining metadata in publicly available files

Answer 9

A. Scanning the organization’s public IP range

Question 10

What port is used for file shares (SMB)?
 A. 445 
  B. 143 
  C. 110 
  D. 443

Answer 10

A. 445

Question 11

What port is used for DNS services?
  A. 22 
  B. 53 
  C. 445 
  D. 25

Answer 11

B. 53

Question 12

Data collected from publicly available sources and used in an intelligent context is known as:
  A. Open Source Intelligence 
  B. Open Source Collective 
  C. Collective Intelligence 
  D. Open Source Software

Answer 12

A. Open Source Intelligence

Question 13

When an Nmap scan has determined a port has no service listening on it, the status is reported as:
  A. Unfiltered 
  B. Open 
  C. Closed 
  D. Filtered

Answer 13

C. Closed

Question 14

Sending scan packets gradually so as to not trigger alerts is which type of firewall evasion technique:
  A. Sending bad checksums 
  B. Specify MTU 
  C. Decoys 
  D. Timing attacks 
  E. Fragmented packets

Answer 14

D. Timing attacks

Question 15

Sending spoofed packets to hide the attacker's IP address is which type of firewall evasion technique:
  A. Sending bad checksums 
  B. Specify MTU 
  C. Decoys 
  D. Timing attacks 
  E. Fragmented packets

Answer 15

C. Decoys

Question 16

Forcing packets to be sent in smaller packet sizes to force payloads to be broken up into multiple packets in an effort to obfuscate the payload is which type of firewall evasion technique:
  A. Timing attacks 
  B. Sending bad checksums 
  C. Specify MTU 
  D. Decoys 
  E. Fragmented packets

Answer 16

C. Specify MTU

Question 17

Sending an echo request to a host to determine its status is which type of scan:
  A. TCP Connect 
  B. UDP 
  C. TCP SYN 
  D. ICMP

Answer 17

D. ICMP

Question 18

When an Nmap scan cannot access a port, the status is reported as:
  A. Unfiltered 
  B. Filtered 
  C. Closed 
  D. Open

Answer 18

B. Filtered

Question 19

Taking advantage of web input forms in order to perform unauthorized operations on a database is which type of web attack:
  A. Application Override 
  B. SQL Script Injection 
  C. Cross-Site Scripting 
  D. LDAP Injection

Answer 19

B. SQL Script Injection

Question 20

A web error code in the 400 range is considered to be which type of code:
  A. Redirection 
  B. Successful 
  C. Informational 
  D. Server Error 
  E. Client Error

Answer 20

E. Client Error

Question 21

A web error code in the 500 range is considered to be which type of code:
  A. Client Error 
  B. Redirection 
  C. Informational 
  D. Server Error 
  E. Successful

Answer 21

D. Server Error

Question 22

A web error code in the 200 range is considered to be which type of code:
  A. Informational 
  B. Client Error 
  C. Server Error 
  D. Redirection 
  E. Successful

Answer 22

E. Successful

Question 23

Which of these is considered to be the strongest wireless security:
  A. WEP 
  B. WPA 
  C. TKIP 
  D. WPA2

Answer 23

D. WPA2

Question 24

The overall management of industrial technology systems is known as:
  A. PLC 
  B. OSINT 
  C. ICS 
  D. SCADA

Answer 24

D. SCADA

Question 25

Which of these is considered to be the weakest wireless security:
  A. WPA2 
  B. WEP 
  C. AES 
  D. WPA

Answer 25

B. WEP

Question 26

The NIST Publication that provides standardized guidelines for Industrial Control Systems is known as:
  A. 800-125 
  B. 800-39 
  C. 800-53 
  D. 800-82R2

Answer 26

D. 800-82R2

Question 27

The MAC address of a wireless access point is known as:
  A. GUID 
  B. BSSD 
  C. OUID 
  D. SSID

Answer 27

B. BSSD

Question 28

The KRACK vulnerability affects which wireless protocol:
  A. TKIP 
  B. WPA2 
  C. WPA 
  D. WEP

Answer 28

B. WPA2

Question 29

Pentesting phases of attack?

Answer 29

1. Planning
2. Reconnaissance
3. Scanning
4. Expoitation
5. Post-Exploitation

Question 30

Scanning types

Answer 30

Network Tracing
Network Sweeping
Port Scanning
OS fingerprinting
Version scanning
Vulnerability scanning

Question 31

No internals known?

Answer 31

Black box

Question 32

Full target details known?

Answer 32

Crystal box

Question 33

Full target details known?

Answer 33

Crystal box

Question 34

Active scanning

Answer 34

interacting directly with the target network to gather info

Question 35

Scan types

Answer 35

ICMP
TCP SYN
TCP Connect
NULL
FIN
XMAS

Question 36

The process of discovering potential attack vectors in the system for further exploitation of the system.

Answer 36

Enumeration

Question 37

Scan types

Answer 37

ICMP
TCP SYN
TCP Connect
NULL
FIN
XMAS

Question 38

Telnet port

Answer 38

23

Question 39

FTP port

Answer 39

20,21

Question 40

Email port

Answer 40

25, 110

Question 41

SNMP port

Answer 41

161, 162

Question 42

Web Browsing

Answer 42

80

Question 43

Secure Web Browsing

Answer 43

443

Question 44

DNS port

Answer 44

53

Question 45

SSH port

Answer 45

22

Question 46

SMB port

Answer 46

445

Question 47

Firewall evasion techniques

Answer 47

Timing attacks
Fragmented packets
SPecify MTU
Sending bad checksums
Decoys