Question 151
David is working on a pen testing assignment as a junior consultant. His supervisor told him to test a web application for SQL injection. The supervisor also informed David that the web application is known to be vulnerable to the “admin' OR '” injection. When David tried this string, he received a WAF error message stating that the input is not allowed.
Which of following strings could David use instead of the above string to bypass the WAF filtering?
' union select
exec sp_addsrvrolemember 'name' , 'sysadmin'
admin') or '1'='1'--
' or username like char(37);
Question 152
Chris, a penetration tester working with a large software company, is testing the company’s web servers for vulnerabilities. What can he do to find other domains that share the same web servers in a target organization?
Perform reverse lookup using nslookup
Perform reverse lookup with the USENET
Perform reverse lookup using YouGetSignal
Perform reverse lookup using nmap
Question 153
Analyze the ICMP packet below and mark the correct statement.
It is a ping request, but the destination port is unreachable
It is a ping packet that requires fragmentation, but the Don't Fragment flag is set
It is a ping response, when the destination host is unknown
It is a ping request, but the destination network is unreachable
Question 154
In a normal three-way handshake, system A sends a SYN packet to system B and system B replies with a SYN/ACK packet. However, system A never sends the final ACK packet to system B. In this case, system B is left waiting for an ACK packet from system A.
What is the status of the connection on system B?
“Half-open”
“Filtered”
“Full-open”
“Half-closed”
Question 155
James, a penetration tester, found a SQL injection vulnerability in the website http://www.xsecurity.com. He used sqlmap and extracted the website’s databases from the SQL server, one of them being “offices.” Which among the following sqlmap queries does James issue in order to extract the tables related to the database “offices”?
sqlmap -u “www.xsecurity.com” --dbs offices --T
sqlmap -u “www.xsecurity.com” --dbs offices --tables
sqlmap -u “www.xsecurity.com” --dbs offices -T
sqlmap -u “www.xsecurity.com” --dbs offices -tables
Question 156
During a pen test, you are presented with a web application which has a login page. Your task is to use Burp Suite and perform a dictionary attack to crack the user credentials. Which among the following Intruder payload methods will you choose if you have to use multiple payload sets and crack the usernames and passwords?
Battering fork
Sniper
Battering ram
Cluster bomb
Question 157
What is the command nmap -e eth0 -S 192.168.1.100 192.168.1.109 used for?
Perform Ethernet scan
Change Ethernet connection status
Spoof an IP Address
Spoofing Packets
Question 158
Charles, a network penetration tester, is part of a team assessing the security of perimeter devices of an organization. He is using the following Nmap command to bypass the firewall: nmap -D 10.10.8.5, 192.168.168.9, 10.10.10.12
What is Charles trying to do?
Cloaking a scan with decoys
Packet Fragmentation
Spoofing source address
Spoofing source port number
Question 159
During a WordPress web application audit, you found a plugin, ebook download version 1.1, installed and activated in the application. Upon research, it was found that the plugin has a directory traversal vulnerability. The URL of the web application is http://172.19.19.17/wordpress. Identify the URL which allows you to successfully exploit the vulnerability and download the wp-config.php file.
http://172.19.19.17/wordpress/wp-content/plugins/ebookdownload/download.php?ebookdownloadurl=http://www.attackerwebsite.com/wp-config.php
http://172.19.19.17/wordpress/wp-content/plugins/ebookdownload/fileupload.php?ebookdownloadurl=./././wp-config.php
http://172.19.19.17/wordpress/wp-content/plugins/ebookdownload/filedownload.php?ebookdownloadurl=../../../wp-config.php
http://172.19.19.17/wordpress/wp-content/plugins/ebookdownload/download.php?http://www.attackerwebsite.com=wp-config.php
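The class of bug behind this question is a download handler that joins a user-supplied name onto a directory and opens whatever results, so `../` sequences walk out of the intended folder. The following is an added example written for this page, not the plugin's own code: it builds a throw-away directory layout that mirrors the URLs above (the `ebooks` sub-folder, the `guide.pdf` name and the `wp-config.php` contents are constructed assumptions), shows the vulnerable pattern leaking the config file, and shows the hardened version, which resolves the final path and refuses anything outside the base directory.

```python
import os
import tempfile

TRAVERSAL = "../../../../wp-config.php"  # four levels up from the ebook folder


def build_fixture(root):
    """Create a constructed WordPress-like tree under `root` and return the
    plugin's download directory (assumption: layout only mirrors the question)."""
    plugin_dir = os.path.join(root, "wp-content", "plugins", "ebookdownload", "ebooks")
    os.makedirs(plugin_dir)
    with open(os.path.join(plugin_dir, "guide.pdf"), "wb") as fh:
        fh.write(b"%PDF-sample")
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php define('DB_PASSWORD', 'secret'); ?>")
    return plugin_dir


def vulnerable_download(plugin_dir, ebookdownloadurl):
    """Vulnerable pattern: the request parameter is appended to the directory
    with no normalisation or containment check, so '..' escapes it."""
    path = os.path.join(plugin_dir, ebookdownloadurl)
    with open(path, "rb") as fh:
        return fh.read()


def hardened_download(plugin_dir, ebookdownloadurl):
    """Hardened: resolve symlinks and '..' first, then require the result to
    still sit under the base directory. realpath also defeats an absolute
    path passed as the parameter, which os.path.join would otherwise honour."""
    base = os.path.realpath(plugin_dir)
    target = os.path.realpath(os.path.join(base, ebookdownloadurl))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("requested path escapes the ebook directory")
    with open(target, "rb") as fh:
        return fh.read()


def demo():
    """Run both handlers against a fresh fixture and report what happened."""
    plugin_dir = build_fixture(tempfile.mkdtemp())
    leaked = vulnerable_download(plugin_dir, TRAVERSAL)
    try:
        hardened_download(plugin_dir, TRAVERSAL)
        blocked = False
    except PermissionError:
        blocked = True
    legit = hardened_download(plugin_dir, "guide.pdf")
    return {"leaked": leaked, "blocked": blocked, "legit": legit}


if __name__ == "__main__":
    print(demo())
```

The containment check must be done on the resolved path, not on the raw parameter: rejecting the literal substring `..` misses URL-encoded and double-encoded variants that the web server decodes before the handler sees them.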
Question 160
The Finger service displays information such as currently logged-on users, email address, full name, etc. Which among the following ports would you scan to identify this service during a penetration test?
Port 69
Port 79
Port 89
Port 99
Question 161
While scanning a server, you found rpc, nfs and mountd services running on it. During the investigation, you were told that NFS Shares were mentioned in the /etc/exports list of the NFS server.
Based on this information, which among the following commands would you issue to view the NFS Shares running on the server?
mount
showmount
rpcinfo
nfsenum
Question 162
During an internal network audit, you are asked to see if there is any RPC server running on the network and, if found, enumerate the associated RPC services. Which port would you scan to determine the RPC server and which command will you use to enumerate the RPC services?
Port 111, rpcenum
Port 145, rpcinfo
Port 145, rpcenum
Port 111, rpcinfo
Question 163
Which of the following network perimeter devices is a victim of the VLAN Trunking Protocol (VTP) attack?
Routers
Switches
Firewalls
IDS
Question 164
During a security assessment, you observed that one of the machines, with the IP address 192.168.168.10, has only the SMB port open. As part of the assessment, you want to perform a password audit using Hydra, so you have prepared wordlists for usernames and passwords with the names Usernames.txt and Passwords.txt and stored them in the Kali Linux root folder. Which among the following commands will you use to perform the attack?
hydra -U /root/Usernames.txt -P /root/Passwords.txt 192.168.168.10 smb
hydra -L /root/Usernames.txt -P /root/Passwords.txt 192.168.168.10 smb
hydra -L /root/Usernames.txt -P /root/Passwords.txt 192.168.168.10 445
hydra -U /root/Usernames.txt -P /root/Passwords.txt 192.168.168.10 445
Question 165
Which of the following tool can you use to find the publicly available email addresses of an organization?
LinkedIn
Maltego
Google Dorks
The Harvester
Question 166
During an internal network audit, you came across a Linux operating system which has a vulnerable version of Apache server running on it with CGI enabled. If you are asked to exploit this machine with the given information, which Metasploit exploit module would you choose in order to gain access to the machine?
apache_mod_cgi_bash_env_exec
apache_mod_cgi_bin_env_exec
ms17_010_eternalblue
ssl_poodle
Question 167
You are working on a pen testing assignment for National Healthcare Inc. The client has specifically asked you for a Data Use Agreement (DUA).
What does it indicate?
You are working with a HIPAA compliant organization
You are working on a target that is not connected to the Internet
You are working with a publicly traded organization
The client organization does not want you to exploit vulnerabilities
Question 168
Arrange the steps in the correct order for creating a firewall policy:
i. Prepare a cost-benefit analysis to secure the network application(s)
ii. Create a network application traffic matrix to identify the protection method
iii. Identify the network application(s) vulnerabilities
iv. Identify the network applications that are of utmost importance
v. Create a firewall ruleset which depends on the application’s traffic matrix
iv-->iii-->i-->ii-->v
iii-->i-->iv-->ii-->v
iv-->ii-->v-->iii-->i
iii-->iv-->ii-->i-->v
Question 169
During an internal network audit, you came across a Windows 7 SP1 operating system which has an SMB version 1 (SMBv1) server running on it. If you are asked to exploit this machine with the given information, which Metasploit exploit module would you choose in order to gain access to the machine?
ssl_poodle
openssl_heartbleed
apache_mod_cgi_bash_env_exec
ms17_010_eternalblue
Question 170
As a part of information gathering, you are given a website URL and asked to identify the operating system using passive OS fingerprinting. When you begin to use the p0f tool and browse the website URL, the tool captures the header information of all the packets sent and received, and decodes them. Which among the decoded request/response packets hold the operating system information of the remote operating system?
SYN-ACK
SYN
RST
ACK
Question 171
Jason is working on a pen testing assignment. He is sending customized ICMP packets to a host in the target network. However, the ping requests to the target failed with “ICMP Time Exceeded Type = 11” error messages.
What can Jason do to overcome this error?
Increase the ICMP header length
Set a Fragment Offset
Increase the Window size in the packets
Increase the TTL value in the packets
Question 172
Watson works as a penetration test engineer at Neo Security Services. The company found its wireless networks operating in an unusual manner, with signs that a cyber attack might have happened. Watson was asked to resolve this problem. Watson starts a wireless penetration test, with the first step of discovering wireless networks by war-driving. After several thorough checks, he identifies that there is a problem with rogue access points and resolves it. Identifying rogue access points involves a series of steps.
Which of the following arguments is NOT valid when identifying the rogue access points?
If the radio media type used by any discovered AP is not present in the authorized list of media types, it is considered a rogue AP
If any new AP which is not present in the authorized list of APs is detected, it would be considered a rogue AP
If the radio channel used by any discovered AP is not present in the authorized list of channels, it is considered a rogue AP
If the MAC of any discovered AP is present in the authorized list of MAC addresses, it would be considered a rogue AP
Question 173
Dale is a network admin working in Zero Faults Inc. Recently the company’s network was compromised and is experiencing very unusual traffic. Dale checks for the problem that compromised the network. He performed a penetration test on the network’s IDS and identified that an attacker sent spoofed packets to a broadcast address in the network. Which of the following attacks compromised the network?
Amplification attack
MAC Spoofing
ARP Spoofing
Session hijacking
Question 174
If you are trying to determine whether a port is open by sending TCP probe packets with the ACK flag set to a remote device, then which of the following statements is true about the header information of the received RST packets?
If the WINDOW value of the RST packet on a port is zero, then that port is open
If the WINDOW value of the RST packet on a port is 1, then that port is closed
If the TTL value of the RST packet on a port is less than the boundary value of 64, then that port is open
If the TTL value of the RST packet on a port is more than the boundary value of 64, then that port is open
Question 175
Arrange the WEP cracking process in the correct order:
I. aireplay-ng -1 0 -e SECRET_SSID -a 1e:64:51:3b:ff:3e -h a7:71:fe:8e:d8:25 eth1
II. aircrack-ng -s capture.ivs
III. airmon-ng start eth1
IV. airodump-ng --ivs --write capture eth1
V. aireplay-ng -3 -b 1e:64:51:3b:ff:3e -h a7:71:fe:8e:d8:25 eth1
IV-->I-->V-->III-->II
IV-->I-->V-->III-->II
III-->IV-->I-->V-->II
III-->IV-->V-->II-->I
Question 176
While performing a web application vulnerability scan, Fred found that the application contained a cross-site scripting vulnerability in a text field. In order to document the vulnerability, he first needs to verify that the vulnerability exists and the result is not a false positive. Which among the following scripts would he execute in the text field to prove that the vulnerability exists?
1' or '1' = '1
<script>alert("XSS");</script>
Set-Cookie: JSESSIONID=xxxxx; SameSite=Strict
select title, text from news where id=$id
Question 177
Which of the following tool is used by a penetration tester to find all domains similar to a company’s domain name?
dnsmap
sublist3r
urlcrazy
subbrute.py
Question 178
Cindy, a network security analyst, is trying to locate a DNS PTR record within the organization’s IP range. Which of the following commands will help her to complete her search?
traceroute -t 162.240.0.0-162.241.255.255
nmap --traceroute -r 162.240.0.0-162.241.255.255
dnsrecon -t asfr -d 162.240.0.0-162.241.255.255
dnsrecon -r 162.240.0.0-162.241.255.255
Question 179
During scanning of a test network, Paul sends TCP probe packets with the ACK flag set to a remote device and then analyzes the header information (TTL and WINDOW fields) of the received RST packets to find whether the port is open or closed.
Analyze the scanning result below and identify the open port.
Port 20
Port 23
Port 22
Port 21
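Questions 174 and 179 both rest on the same heuristic: when a host answers ACK probes with RST segments, an open port can betray itself by returning a RST whose TTL is lower than the TTL seen from closed ports (below the 64 boundary) or whose WINDOW field is non-zero, while closed ports answer with the baseline TTL and a zero window. The block below is an added example, not the scan output from the question (that screenshot is not reproduced here): it parses constructed reply lines modelled on the hping3 reply format (the field names and their order are an assumption about that format) and applies the two tests.

```python
import re
from dataclasses import dataclass


@dataclass
class RstReply:
    port: int
    ttl: int
    window: int


# Reply lines modelled on hping3's output; the regex only relies on the
# ttl=, sport= and win= fields appearing in that order (assumption).
_LINE = re.compile(r"ttl=(\d+).*?sport=(\d+).*?win=(\d+)")


def parse_reply(line):
    """Turn one reply line into an RstReply, or None if it is not a reply."""
    m = _LINE.search(line)
    if not m:
        return None
    ttl, sport, win = (int(x) for x in m.groups())
    return RstReply(port=sport, ttl=ttl, window=win)


def port_is_open(reply, ttl_boundary=64):
    """Apply the WINDOW and TTL tests to a RST answering an ACK probe.
    A non-zero window marks the port open on stacks that leak it; otherwise
    a TTL below the boundary (lower than the closed-port baseline) does."""
    if reply.window != 0:
        return True
    return reply.ttl < ttl_boundary


def classify(lines, ttl_boundary=64):
    """Map each probed port to 'open' or 'closed' from its RST reply line."""
    result = {}
    for line in lines:
        reply = parse_reply(line)
        if reply is not None:
            result[reply.port] = "open" if port_is_open(reply, ttl_boundary) else "closed"
    return result


# Constructed replies: three ports answer with the baseline TTL, one does not.
SAMPLE_LINES = [
    "len=46 ip=10.0.0.5 ttl=80 id=0 sport=20 flags=R seq=0 win=0 rtt=0.4 ms",
    "len=46 ip=10.0.0.5 ttl=80 id=0 sport=21 flags=R seq=0 win=0 rtt=0.3 ms",
    "len=46 ip=10.0.0.5 ttl=50 id=0 sport=22 flags=R seq=0 win=0 rtt=0.5 ms",
    "len=46 ip=10.0.0.5 ttl=80 id=0 sport=23 flags=R seq=0 win=0 rtt=0.4 ms",
]

if __name__ == "__main__":
    print(classify(SAMPLE_LINES))
```

On a real scan the TTL baseline comes from the bulk of the replies rather than from a fixed constant, so compare each RST against the value most ports return and treat the outliers as the interesting ones; modern stacks frequently no longer exhibit either quirk, and a RST with baseline TTL and zero window only tells you the port is unfiltered, not closed.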
Question 180
Mike was asked by his Information Security Office to recommend a firewall for the company’s internal network which works at the network level of the OSI model. The firewall must filter the network traffic based on specified session rules, such as when a session is initiated by a recognized computer. Which of the following firewall types should Mike recommend to his Information Security Office?
Packet Filtering Firewall
Stateful Multilayer Inspection Firewall
Application Level Firewall
Circuit Level Gateway
Question 181
During a pen test, June was able to successfully crack user credentials of an Ubuntu machine and connect to it using ssh. When trying to access a file containing sensitive information, the server returned an error stating “Access Denied,” meaning the user account June cracked did not have sufficient privileges. She then tried to view the operating system version, planning to perform privilege escalation if the backend server was running a vulnerable version of the operating system. Which command would June issue in the ssh terminal to view the OS version of Ubuntu?
uname
lsb_release
sysname
lsb_system
Question 182
Adam found a pen drive in his company’s parking lot. He connected it to his system to check the content. On the next day, he found that someone had logged into his company email account and sent some emails. What type of social engineering attack has Adam encountered?
Phishing
Dumpster Diving
Eavesdropping
Media Dropping
Question 183
Smith, a pen tester, has been hired to analyze the security posture of an organization and is trying to find the operating systems used in the network using Wireshark. What can be inferred about the selected packet in the Wireshark screenshot below?
The machine with IP 10.0.0.12 is running on Linux
The machine with IP 10.0.0.12 is running on Windows
The machine with IP 10.0.0.10 is running on Linux
The machine with IP 10.0.0.10 is running on Windows
Exam B (81 questions)
Question 184
The Finger service displays information such as currently logged-on users, email address, full name, etc. Which among the following ports would you scan to identify this service during a penetration test?
Port 79
Port 69
Port 89
Port 99
Question 185
Cedrick, who is a software support executive working for Panacx Tech. Inc., was asked to install the Ubuntu operating system on the computers present in the organization. After installing the OS, he came to know that there are many unnecessary services and packages in the OS that were automatically installed without his knowledge. Since these services or packages can be potentially harmful and can create various security threats to the host machine, he was asked to disable all the unwanted services. In order to stop or disable these unnecessary services or packages on Ubuntu distributions, which of the following commands should Cedrick employ?
# chkconfig [service name] off
# chkconfig [service name] --del
# service [service name] stop
# update-rc.d -f [service name] remove
Question 186
The penetration testers are required to follow predefined standard frameworks in making penetration testing reporting formats.
Which of the following standards does NOT follow the commonly used methodologies in penetration testing?
Open Web Application Security Project (OWASP)
Information Systems Security Assessment Framework (ISSAF)
American Society for Testing and Materials (ASTM)
National Institute of Standards and Technology (NIST)
Question 187
Which of the following roles of Microsoft Windows Active Directory refers to the ability of an active directory to transfer roles to any domain controller (DC) in the enterprise?
Master Browser (MB)
Rights Management Services (RMS)
Flexible Single Master Operation (FSMO)
Global Catalog (GC)
Question 188
An attacker with malicious intent decided to steal confidential data from the target organization. To acquire such information, he started testing IoT devices that are connected to the target network. He started monitoring the network traffic passing between the IoT devices and the network to verify whether credentials are being transmitted in clear text. Further, he also tried to crack the passwords using well-known keywords across all the interfaces. Which of the following IoT threats is the attacker trying to exploit?
Insecure firmware
Poor authentication
Poor physical security
Privacy concerns
Question 189
Recently, SecGlobal Corporation adopted a cloud service in which cloud service provider offers application software to subscribers on-demand over the Internet and the provider charges for it on a pay-per-use basis, by subscription, by advertising, or by sharing among multiple users. Identify the type of cloud service adopted by the organization?
Anything as a service (XaaS)
Software as a service (SaaS)
Infrastructure as a service (IaaS)
Platform as a service (PaaS)
Question 190
The penetration testing team of MirTech Inc. identified the presence of various vulnerabilities in the web application code. They prepared a detailed report addressed to the web developers regarding the findings. In the report, the penetration testing team advised the web developers to avoid the use of dangerous standard library functions. They also informed the web developers that the web application copies data without checking whether it fits into the destination memory, and is therefore susceptible to being supplied with a large amount of data.
According to the findings of the penetration testing team, which type of attack was possible on the web application?
SQL injection
Cross-site scripting
Buffer overflow
Denial-of-service
Question 191
John is a network administrator and he is configuring the Active Directory roles in the primary domain controller (DC) server. Whilst configuring the Flexible Single Master Operation (FSMO) roles in the primary DC, he configured one of the roles to synchronize the time among all the DCs in an enterprise. The role that he configured also records the password changes performed by other DCs in the domain, authentication failures due to entering an incorrect password, and processes account lockout activities.
Which of the following FSMO roles has John configured?
PDC emulator
Domain naming master
Schema master
RID master
Question 192
Stanley, a pen tester needs to perform various tests to detect SQL injection vulnerabilities. He has to make a list of all input fields whose values could be used in crafting a SQL query. This includes the hidden fields of POST requests and then test them separately, attempting to interfere with the query and cause an error to generate as a result.
In which of the following tests is the source code of the application tested in a non-runtime environment to detect the SQL injection vulnerabilities?
Static Testing
Function Testing
Dynamic Testing
Fuzz Testing
Question 193
Joe works as an engagement team lead with Xsecurity Inc. His pen testing team follows all the standard pentesting procedures; however, one of the team members inadvertently deletes a document containing the client’s sensitive information. The client is suing Xsecurity for damages.
Which part of the penetration testing contract should Joe have written better to avoid this lawsuit?
Non-disclosure clause
Indemnification clause
Fees and project schedule
Objective of the penetration test
Question 194
GenSec Inc, a UK-based company, uses an Oracle database to store all its data. The company also uses Oracle Database Vault to restrict user access to specific areas of their database. GenSec hired a senior penetration tester and security auditor named Victor to check the vulnerabilities of the company’s Oracle Database Vault. He was asked to find all the possible vulnerabilities that can bypass the company’s Oracle DB Vault. Victor tried different kinds of attacks to penetrate the company’s Oracle DB Vault and succeeded.
Which of the following attacks can help Victor bypass GenSec’s Oracle DB Vault?
Denial-of-Service Attack
SQL Injection
Man-in-the-Middle Attack
Replay Attack
Question 195
In delivering penetration testing report, which of the following steps should NOT be followed?
Always ask for a signed acknowledgment after submitting the report
Report must be presented in a PDF format, unless requested otherwise
Always deliver the report to approved stakeholders in the company in person
Always send the report by email or CD-ROM
Question 196
Tom is a networking manager in XYZ Inc. He and his team were assigned the task to store and update the confidential files present on a remote server using Network File System (NFS) client-server application protocol. Since the files are confidential, Tom was asked to perform this operation in a secured manner by limiting the access only to his team. As per the instructions provided to him, to use NFS securely, he employed the process of limiting the superuser access privileges only to his team by using authentication based on the team personnel identity. Identify the method employed by Tom for securing access controls in NFS?
nosuid
Root Squashing
Suid
noexec
Question 197
Joe, an ECSA certified professional, is working on a pen testing engagement for one of his SME clients. He discovered that the hosts file on one of the Windows machines has the following entry: 65.172.55 microsoft.com
After performing a Whois lookup, Joe discovered the IP does not belong to Microsoft.com. The network admin denied modifying the hosts file.
Which type of attack does this scenario present?
Phishing
MAC spoofing
DNS starvation
DNS poisoning
Question 198
An employee is trying to access the internal website of his company. When he opened a webpage, he received an error message stating “Proxy Authentication Required.” He approached the IT department in the company and reported the issue. The IT staff explained to him that this is an HTTP error indicating that the server is unable to process the request due to a lack of appropriate client authentication credentials for a proxy server that is processing the requests between the clients and the server.
Identify the HTTP error code corresponding to the above error message received by the employee.
404
407
417
415
Question 199
Nancy Jones is a network admin at Society Technology Ltd. When she is trying to send data packets
from one network (Token-ring) to another network (Ethernet), she receives an error message stating:
‘Destination unreachable’
What is the reason behind this?
TTL value in the packet header is not set
Packet size is small and not able to reach the destination
Packet contains image data
Packet size is big and fragmentation is required
Question 200
Nick is a penetration tester in Stanbiz Ltd. As a part of his duty, he was analyzing the network
traffic by using various filters in the Wireshark tool. While sniffing the network traffic, he used
“tcp.port==1433” Wireshark filter for acquiring a specific database related information since port
number 1433 is the default port of that specific target database.
Which of the following databases Nick is targeting in his test?
MySQL
Microsoft SQL Server
PostgreSQL
Oracle
Question 201
Jack, a network engineer, is working on an IPv6 implementation for one of his clients. He deployed IPv6 on IPv4 networks using a mechanism where a node chooses between IPv6 and IPv4 depending on the DNS response, which keeps access to network resources simple.
What kind of technique did Jack use?
Tunneling
Translation
Dual stacks
Filtering
Question 202
A web application developer is writing code for validating the user input. His aim is to verify
the user input against a list of predefined negative inputs to ensure that the received input is not one among the negative conditions.
Identify the input filtering mechanism being implemented by the developer?
Authentication
Authorization
White listing
Black listing
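Question 151 and this question are two views of the same design choice: a blocklist (negative validation) rejects inputs that match known-bad patterns and therefore admits every variant the author did not anticipate, while an allowlist (positive validation) admits only inputs that match the grammar the field actually needs. The block below is an added example for this page, not a real WAF's rule set: the blocklist patterns are constructed to block exactly the “admin' OR '” string and two of the other strings from question 151, and the candidate list reuses that question's strings plus two constructed ones (a comment-obfuscated variant and a benign username).

```python
import re

# Constructed blocklist in the style of a naive signature rule set (assumption:
# not taken from any real WAF). It matches the strings the question describes
# as blocked, and nothing more.
BLOCKLIST = [re.compile(p, re.IGNORECASE) for p in (
    r"admin'\s*or\s*'",        # the “admin' OR '” string the WAF rejects
    r"union\s+select",
    r"sp_addsrvrolemember",
)]

# Allowlist for a username field: only the characters an account name needs.
ALLOWLIST = re.compile(r"[A-Za-z0-9._-]{1,32}")


def blocklist_allows(value):
    """Negative validation: accept unless a known-bad pattern matches."""
    return not any(p.search(value) for p in BLOCKLIST)


def allowlist_allows(value):
    """Positive validation: accept only if the whole value fits the safe grammar."""
    return ALLOWLIST.fullmatch(value) is not None


CANDIDATES = [
    "admin' OR '",
    "admin'/**/OR/**/'",       # constructed: inline comments replace the spaces
    "' union select",
    "exec sp_addsrvrolemember 'name' , 'sysadmin'",
    "admin') or '1'='1'--",
    "' or username like char(37);",
    "alice.smith",             # constructed benign input
]


def compare(candidates=CANDIDATES):
    """Return {candidate: (passes_blocklist, passes_allowlist)}."""
    return {c: (blocklist_allows(c), allowlist_allows(c)) for c in candidates}


def blocklist_bypasses(candidates=CANDIDATES):
    """Inputs the blocklist waves through that the allowlist still rejects."""
    return [c for c, (blocked_ok, allowed_ok) in compare(candidates).items()
            if blocked_ok and not allowed_ok]


if __name__ == "__main__":
    for candidate, verdict in compare().items():
        print(f"{candidate!r:50} blocklist={verdict[0]} allowlist={verdict[1]}")
```

Note that adding the three bypasses to the blocklist would only move the problem: `char(37)`, `)`-closed parentheses and inline comments are three of an open-ended set of rewrites, which is why input validation should be positive and why the real fix for the injection itself is parameterised queries rather than any filter in front of the application.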
Question 203
A penetration tester at Trinity Ltd. is performing IoT device testing. As part of this process, he is checking the IoT devices for open ports using port scanners such as Nmap. After identifying the open ports, he started using automated tools to check each open port for any exploitable vulnerabilities.
Identify the IoT security issue the penetration tester is trying to uncover.
Lack of transport encryption
Insecure software/firmware
Insecure network services
Insufficient security configurability
Question 204
An attacker targeted to attack network switches of an organization to steal confidential information such as network subscriber information, passwords, etc. He started transmitting data through one switch to another by creating and sending two 802.1Q tags, one for the attacking switch and the other for victim switch. By sending these frames, the attacker is fooling the victim switch into thinking that the frame is intended for it. The target switch then forwards the frame to the victim port.
Identify the type of attack being performed by the attacker?
VLAN hopping
MAC flooding
IP spoofing
SNMP brute forcing
Question 205
Which of the following access points cannot be considered a rogue access point?
AP is present in authorized list of APs
AP with radio channel not present in the authorized list of channels
AP with radio media type not present in the authorized list of media types
AP not present in the authorized list of APs
Question 206
Jason is a penetration tester, and after completing the initial penetration test, he wanted to create a final penetration test report that consists of all activities performed throughout the penetration testing process.
Before creating the final penetration testing report, which of the following reports should Jason prepare in order to verify if any crucial information is missed from the report?
Draft report
Host report
Activity report
User report
Question 207
George, a reputed ethical hacker and penetration testing consultant, was hired by FNB Services, a startup financial services company, to audit the security of their web applications. During his investigation, George discovered that the company’s website is vulnerable to blind SQL injection attacks. George entered a custom SQL query in a form located on the vulnerable page which resulted in a back-end SQL query similar to the one given below: http://fnb.com/forms/?id=1+AND+555=if(ord(mid((select+pass from+users+limit+0,1),1,2))=97,555,777)
What is George trying to achieve with this custom SQL query?
George is searching for the second character of the second table entry
George is searching for the first character of all the table entries
George is searching for the first character of the second table entry
George is searching for the first character of the first table entry
Question 208
Thomas is an attacker and he skimmed through the HTML source code of an online shopping website for the presence of any vulnerabilities that he could exploit. He already knows that when a user makes any selection of items on the online shopping webpage, the selection is typically stored as form field values and sent to the application as an HTTP request (GET or POST) after clicking the Submit button. He also knows that some fields related to the selected items are modifiable by the user (like quantity, color, etc.) and some are not (like price). While skimming through the HTML code, he identified that the price field values of the items are present in the HTML code. He modified the price field values of certain items from $200 to $2 in the HTML code and submitted the request successfully to the application.
Identify the type of attack performed by Thomas on the online shopping website?
Session poisoning attack
HTML embedding attack
Hidden field manipulation attack
XML external entity attack
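The root cause in this scenario is a server that treats a value it previously emitted into a hidden form field as trustworthy when it comes back. The block below is an added example, not the shop's code: it shows a checkout total computed from the client-supplied price beside one that re-derives the price from a server-side catalogue, and, for values that genuinely have to round-trip through the browser, an HMAC tag that lets the server detect any edit. The catalogue, the signing key and the tampered form are constructed assumptions.

```python
import hashlib
import hmac

# Constructed catalogue and signing key (assumptions; not the shop's data).
CATALOG = {"sku-100": 200.00, "sku-200": 49.99}
SIGNING_KEY = b"server-side-secret-rotate-me"


def vulnerable_total(form):
    """Trusts the price the browser sent back in the hidden form field."""
    return sum(float(i["price"]) * int(i["qty"]) for i in form["items"])


def hardened_total(form):
    """Re-derives the price from the server-side catalogue; the client may
    choose sku and quantity, never price."""
    total = 0.0
    for i in form["items"]:
        sku, qty = i["sku"], int(i["qty"])
        if sku not in CATALOG:
            raise ValueError(f"unknown sku {sku!r}")
        if not 1 <= qty <= 100:
            raise ValueError("quantity out of range")
        total += CATALOG[sku] * qty
    return round(total, 2)


def sign_hidden(value):
    """Bind a value that must round-trip through the client to a keyed MAC."""
    tag = hmac.new(SIGNING_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}|{tag}"


def verify_hidden(signed):
    """Return the value only if its tag is intact; constant-time compare."""
    value, _, tag = signed.rpartition("|")
    expected = hmac.new(SIGNING_KEY, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("hidden field tampered with")
    return value


def tamper_detected(signed, new_value):
    """True if re-using a valid tag on a different value is caught."""
    tag = signed.rpartition("|")[2]
    try:
        verify_hidden(f"{new_value}|{tag}")
        return False
    except ValueError:
        return True


# Constructed request: the $200 item submitted with price edited to $2.
TAMPERED_FORM = {"items": [{"sku": "sku-100", "qty": "1", "price": "2"}]}

if __name__ == "__main__":
    print("vulnerable:", vulnerable_total(TAMPERED_FORM))
    print("hardened:  ", hardened_total(TAMPERED_FORM))
```

The catalogue lookup is the right fix for price; the HMAC pattern is for state such as a shipping-quote identifier that has no server-side copy. Either way the key stays on the server, and the value is still range-checked after verification, since a valid tag only proves the server emitted it, not that it is appropriate for this order.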
Question 209
Allen and Greg, after investing in their startup company called Zamtac Ltd., developed a new web application for their company. Before hosting the application, they want to test the robustness and immunity of the developed web application against attacks like buffer overflow, DOS, XSS, and SQL injection.
What is the type of the web application security test Allen and Greg should perform?
Web mirroring
Web crawling
Web fuzzing
Web spidering
Question 210
Adam is an IT administrator for Syncan Ltd. He is designated to perform various IT tasks like setting up new user accounts, managing backups/restores, security authentications and passwords, etc. Whilst performing his tasks, he was asked to employ the latest and most secure authentication protocol to encrypt the passwords of users that are stored in the Microsoft Windows OS-based systems, one which makes use of the Key Distribution Center (KDC). Which of the following authentication protocols should Adam employ in order to achieve the objective?
LANMAN
NTLM
NTLMv2
Kerberos
Question 211
Steven is performing a wireless network audit. As part of the engagement, he is trying to crack a WPA-PSK key. Steven has captured enough packets to run aircrack-ng and discover the key, but aircrack-ng did not yield any result, as there were no authentication packets in the capture. Which of the following commands should Steven use to generate authentication packets?
airmon-ng start eth0
aircrack-ng.exe -a 2 -w capture.cap
aireplay-ng --deauth 11 -a AA:BB:CC:DD:EE:FF
airodump-ng --write capture eth0
Question 212
Tecty Motors Pvt. Ltd. has recently deployed RFID technology in the vehicles which allows the car owner to unlock the car with the exchange of a valid RFID signal between a reader and a tag. Jamie, on the other hand, is a hacker who decided to exploit this technology with the aim of stealing the target vehicle. To perform this attack on the target vehicle, he first used an automated tool to intercept the signals between the reader and the tag to capture a valid RFID signal and then later used the same signal to unlock and steal the victim’s car.
Which of the following RFID attacks Jamie has performed in the above scenario?
RFID cloning
Power analysis attack
Replay attack
DoS attack
Question 213
A security analyst at Techsoft Solutions is performing penetration testing on the critical IT assets of the company. Without any prior information about the target, the analyst simulates the methodologies and techniques a real attacker would use. This type of test is very time consuming and expensive, since nothing is provided to the pen tester, who has to gain the required information on their own. Identify the type of testing performed by the security analyst.
Blind testing
Announced testing
Unannounced testing
White-box testing
Question 214
Michael, a Licensed Penetration Tester, wants to create an exact replica of an original website, so he can browse and spend more time analyzing it.
Which of the following tools will Michael use to perform this task?
VisualRoute
Zaproxy
BlackWidow
NetInspector
Question 215
David is a penetration tester and he is attempting to extract password hashes from the Oracle database.
Which of the following utilities should David employ in order to brute-force password hashes from oracle databases?
Orabf
TNS
OAT
Opwg
Question 216
John is working as a cloud security analyst in an organization. The management instructed him to implement a technology in the cloud infrastructure which allows the organization to share the underlying cloud resources such as server, storage devices, and network. Which of the following technologies John must employ?
Virtualization technology
Site technology
VoIP technology
RFID technology
Question 217
Russel, a penetration tester, wants to create a report after performing the penetration test so that he can provide details of the testing process and the findings of the vulnerabilities to the management. Russel employs the commonly available vulnerability scoring framework called Common Vulnerability Scoring System (CVSS) v3.0 ratings for grading the severity and risk level of the identified vulnerabilities in the report. For a specific SMB-based vulnerability, Russel assigned a score of 8.7.
What is the level of risk or level of severity of the SMB vulnerability as per CVSS v3.0 for the assigned score?
High
Medium
Critical
Low
Question 218
John is a newly appointed penetration testing manager in ABC Ltd. He is assigned a task to build a penetration testing team and asked to justify the return on investment (ROI).
To assess and predict the ROI of the team by considering the parameters like expected returns from the team and cost of investment, how can John calculate the ROI?
ROI = (Cost of investment - Expected returns)/Expected returns
ROI = (Expected returns + Cost of investment)/Cost of investment
ROI = (Expected returns - Cost of investment)/Cost of investment
ROI = (Cost of investment + Expected returns)/Expected returns
Question 219
Robert is a network admin in XYZ Inc. He deployed a Linux server in his enterprise network and wants to share some critical and sensitive files that are present on the Linux server with his subordinates. He wants to set the file access permissions using the chmod command in such a way that his subordinates can only read/view the files but cannot edit or delete the files.
Which of the following chmod commands can Robert use in order to achieve his objective?
chmod 777
chmod 666
chmod 644
chmod 755
Question 220
A user unknowingly installed a fake malicious banking app on his Android mobile. This app includes a configuration file that contains phone numbers of the bank. When the user makes a call to the bank, he is automatically redirected to a number being used by the attacker. The attacker impersonates a banking official. Also, the app allows the attacker to call the user, and the app then displays a fake caller ID on the user’s mobile resembling a call from a legitimate bank. Identify the attack being performed on the Android mobile user.
Tailgating
Eavesdropping
Vishing
SMiShing
Question 221
You are working on a pen testing assignment. Your client has asked for a document that shows them the detailed progress of the pen testing.
Which document is the client asking for?
Project plan with work breakdown structure
Engagement log
Scope of work (SOW) document
Rule of engagement with signatures of both the parties
Question 222
AB Cloud services provide virtual platform services for users in addition to storage. The company offers users virtual machines and other abstracted hardware and operating systems (OSs) which may be controlled through a service API. What is the name of the service AB Cloud services offer?
Platform as a service (PaaS)
Software as a Service (SaaS)
Infrastructure as a service (IaaS)
Web Application Services
Question 223
Harry, a penetration tester in SqSac Solutions Ltd., is trying to check whether his company’s SQL server database is vulnerable. He also wants to check whether there are any loopholes present that could enable perpetrators to exploit and gain access to the user account login details from the database. After performing various test attempts, Harry finally executed an SQL query that enabled him to extract all the available Windows Login Account details.
Which of the following SQL queries did Harry execute to obtain the information?
SELECT name FROM sys.server_principals WHERE TYPE = 'G'
SELECT name FROM sys.server_principals WHERE TYPE = 'I'
SELECT name FROM sys.server_principals WHERE TYPE = 'U'
SELECT name FROM sys.server_principals WHERE TYPE = 'R'
Question 224
Jacob is a penetration tester at TechSoft Inc., based in Singapore. The company assigned him the task of conducting a penetration test on the IoT devices connected to the corporate network. As part of this process, he captured the network traffic of the devices, their mobile applications, and cloud connections to check whether any critical data are transmitted in plain text. He also tried to check whether SSL/TLS protocols are properly updated and implemented. Which of the following IoT security issues is Jacob dealing with?
Insecure software/firmware
Lack of transport encryption
Poor authentication/authorization
Privacy concerns
Question 225
An organization hosted a website to provide services to its customers. A visitor of this website reported a complaint to the organization that they are getting an error message with code 502 when they try to access the website. This issue was forwarded to the IT department in the organization. The IT department identified the reason behind the error and started resolving the issue by checking whether the server is overloaded, whether name resolution is working properly, whether the firewall is configured properly, etc.
Identify the error message corresponding to code 502 that the visitors obtained when they tried to access the organization’s website.
Forbidden
Bad gateway
Internal error
Bad request
Question 226
Rock is a disgruntled employee of XYZ Inc. He wanted to take revenge. For that purpose, he created a malicious software that automatically visits every page on the company’s website, checks pages for important links to other content recursively, and indexes them in a logical flow. By using this malicious software, he gathered a lot of crucial information that is required to exploit the organization.
What is the type of software that Rock developed?
Web spider
Web scanner
Web proxy
Web fuzzer
Question 227
Jan is a newly joined penetration tester at XYZ Ltd. As part of her training on joining, her trainer instructed her about various legal policies and information security acts. During the training, she was informed about a specific information security act under which it is illegal to perform DoS attacks on any websites or applications, it is illegal to supply and own hacking tools, it is illegal to access unauthorized computer material, etc. Which of the following information security acts best corresponds to the above conducts and activities?
Police and Justice Act 2006
Data Protection Act 1998
USA Patriot Act 2001
Human Rights Act 1998
Question 228
Adam is an IT administrator for Hyperscan LLC. He is designated to perform various IT tasks like setting up new user accounts, managing backup/restores, security authentications and passwords, etc. Whilst performing his tasks, he was asked to employ the latest and most secure authentication protocol to encrypt the passwords of users that are stored in the Microsoft Windows OS-based systems. Which of the following authentication protocols should Adam employ in order to achieve the objective?
LANMAN
Kerberos
NTLM
NTLMv2
Question 229
Hans Olo, a Licensed Penetration Tester, wants to create an exact replica of an original website, so he can browse and spend more time analyzing it. Which of the following tools will Mr. Olo use to perform this task?
VisualRoute
NetInspector
BlackWidow
Zaproxy
Question 232
An organization deployed Microsoft Azure cloud services for running its business activities. It appointed Jamie, a security analyst, to perform cloud penetration testing. Microsoft prohibits certain tests from being carried out on its platform. Which of the following penetration testing activities can Jamie not perform on the Microsoft Azure cloud service?
Port scanning
Denial-of-Service
Log monitoring
Load testing
Question 233
Peter, a disgruntled ex-employee of Zapmaky Solutions Ltd., is trying to jeopardize the company’s website http://zapmaky.com. He conducted a port scan of the website using the Nmap tool to extract information about open ports and their corresponding services. While performing the scan, he recognized that some of his requests were being blocked by the firewall deployed by the IT personnel of Zapmaky, and he wants to bypass it. For evading the firewall, he wanted to employ the stealth scanning technique, which is an incomplete TCP three-way handshake method that can effectively bypass firewall rules and logging mechanisms. Which of the following Nmap commands should Peter execute to perform stealth scanning?
nmap -sT -v zapmaky.com
nmap -T4 -A -v zapmaky.com
nmap -sX -T4 -A -v zapmaky.com
nmap -sN -A zapmaky.com
Question 234
Mr. Riddick is an attacker who wants to attack XYZ Inc. He has performed reconnaissance over all the publicly available resources of the company and identified the official company website http://xyz.com. He scanned all the pages of the company website to find any potential vulnerabilities to exploit. Finally, on the user account login page of the company’s website, he found a user login form consisting of several fields that accept user inputs such as username and password. He also found that any non-validated query that is requested can be directly communicated to the Active Directory and enable unauthorized users to obtain direct access to the databases. Since Mr. Riddick knew an employee named Jason from XYZ Inc., he enters a valid username “jason” and injects “jason)(&))” in the username field. In the password field, Mr. Riddick enters “blah” and clicks the Submit button. Since the complete URL string entered by Mr. Riddick becomes “(& (USER=jason)(&))(PASS=blah)),” only the first filter is processed by the Microsoft Active Directory, that is, the query “(&(USER=jason)(&))” is processed. Since this query always evaluates to true, Mr. Riddick successfully logs into the user account without Jason’s valid password. In the above scenario, identify the type of attack performed by Mr. Riddick.
LDAP injection attack
HTML embedding attack
Shell injection attack
File injection attack
Question 235
An organization has deployed a web application that uses an encoding technique before transmitting data over the Internet. This encoding technique helps the organization hide confidential data such as user credentials, email attachments, etc. while in transit. This encoding technique takes 3 bytes of binary data and divides it into four chunks of 6 bits. Each chunk is further encoded into a corresponding printable character. Identify the encoding technique employed by the organization.
Unicode encoding
Base64 encoding
URL encoding
HTML encoding
Question 236
SecGlobal Corporation hired Hans Olo, a penetration tester. Management asked Hans Olo to perform cloud penetration testing on the company’s cloud infrastructure. As part of his task, he started checking all the agreements with the cloud service provider and came to the conclusion that it is not possible to perform penetration testing on the cloud services being used by the organization due to the division of responsibilities between the company and the Cloud Service Provider (CSP). Identify the type of cloud service deployed by the organization.
Platform as a service (PaaS)
Software as a service (SaaS)
Anything as a service (XaaS)
Infrastructure as a service (IaaS)
Question 237
A team of cyber criminals in Germany has sent malware-based emails to workers of a fast-food chain that has multiple geographically distributed outlets. When any of the employees clicks on the malicious email, it gives backdoor access to the point of sale (POS) systems located at the various outlets. After gaining access to the POS systems, the criminals will be able to obtain the credit card details of the fast-food chain’s customers. In the above scenario, identify the type of attack being performed on the fast-food chain.
Phishing
Vishing
Tailgating
Dumpster diving
Question 238
Fred, who owns a company called Skyfeit Ltd., wants to test the enterprise network for the presence of any vulnerabilities and loopholes. He employed a third-party penetration testing team and asked them to perform penetration testing over his organizational infrastructure. Fred briefed the team about his network infrastructure and provided them with a set of IP addresses on which they can perform tests. He gave them strict instructions not to perform DDoS attacks or access the domain servers in the company. He also instructed them that they can carry out the penetration tests even when the regular employees are on duty, since the employees are unaware of what is happening. However, he asked the team to take care that no interruption in business continuity is caused. He also informed the penetration testing team that they have only 1 month to carry out the test and submit the report. What kind of penetration test did Fred ask the third-party penetration testing team to perform?
Announced testing
Blind testing
Grey-Box testing
Unannounced testing
Question 239
Ross performs a security test on his company’s network assets and creates a detailed report of all the findings. In his report, he clearly explains the methodological approach that he followed in finding the loopholes in the network. However, his report does not mention the security gaps that can be exploited or the amount of damage that may result from successful exploitation of the loopholes. The report does not even mention the remediation steps that are to be taken to secure the network. What is the type of test that Ross has performed?
Penetration testing
Vulnerability assessment
Risk assessment
Security audit
Question 240
JUA Networking Solutions is a group of certified ethical hacking professionals with a large client base. Stanley works as a penetration tester at this firm. Future group approached JUA for an internal pen test. Stanley performs various penetration testing sequences and gains information about the network resources and shares, routing tables, audit and service settings, SNMP and DNS details, machine names, users and groups, applications and banners. Identify the technique that gave Stanley this information.
Enumeration
Sniffing
Ping sweeps
Port scanning
Question 241
Moses, a professional hacker, attempts to overwhelm the target victim computer by transmitting TCP connection requests faster than the computer can process them. He started sending multiple SYN packets of size between 800 and 900 bytes with spoofed source addresses and port numbers. The main intention of Moses behind this attack is to exhaust the server resources and saturate the network of the target organization. Identify the type of attack being performed by Moses.
VTP attack
DoS attack
ARP attack
HSRP attack
Question 242
Mulder, an ex-employee of Netabb Ltd. with bruised feelings due to his layoff, tries to take revenge against the company. He randomly tried several attacks against the organization. As some of the employees used weak passwords for their user accounts, Mulder succeeded in cracking the user accounts of several employees with the help of a common-passwords file. What type of password cracking attack did Mulder perform?
Hybrid attack
Dictionary attack
Brute forcing attack
Birthday attack
Question 243
Mr. Riddick, a research scholar, received an email informing him that someone was trying to access his Google account from an unknown device. When he opened the email message, it looked like a standard Google notification instructing him to click the link below to take further steps. This link redirected to a malicious webpage where he was tricked into providing his Google account credentials. Mr. Riddick observed that the URL began with www.translate.google.com, giving it a legitimate appearance. In the above scenario, identify the type of attack being performed on Mr. Riddick’s email account.
SMiShing
Dumpster diving
Phishing
Vishing
Question 244
During scanning of a test network, Paul sends TCP probe packets with the ACK flag set to a remote device and then analyzes the header information (TTL and WINDOW field) of the received RST packets to find whether the port is open or closed. Analyze the scanning result below and identify the open port.
Port 22
Port 23
Port 21
Port 20
Question 245
Jeffry, a penetration tester in Repotes Solutions Pvt. Ltd., is facing a problem in testing the firewall. By consulting other penetration testers and considering other penetration testing approaches, he was able to take critical decisions on how to test the firewall; he was finally successful in testing the firewall for vulnerabilities. In which of the following sections of the penetration testing report will Jeffry mention the above situation?
Timeline
Evaluation purpose
Assumptions
System description
Question 246
Analyze the packet capture from Wireshark below and mark the correct statement.
It is an invalid DNS query
It is a DNS response message
It is an answer to the iterative query from Microsoft.com DNS server
It is a Host (A record) DNS query message
Question 247
Henderson has completed the pen testing tasks. He is now compiling the final report for the client. Henderson needs to include the result of the scanning that revealed a SQL injection vulnerability and the different SQL queries that he used to bypass web application authentication. In which section of the pen testing report should Henderson include this information?
General opinion section
Methodology section
Comprehensive technical report section
Executive summary section
Question 248
John, a security analyst working for the LeoTech organization, was asked to perform penetration testing on the client organization’s network. In this process, he used a method that involves threatening or convincing a person from the client organization in order to obtain sensitive information. Identify the type of penetration testing performed by John on the client organization.
Wireless network penetration testing
Social engineering penetration testing
Mobile device penetration testing
Web application penetration testing
Question 249
Which of the following acts provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information?
PCI-DSS
SOX
HIPAA
GLBA
Question 250
John is a penetration tester who wants to perform a port scan on the DNS server (IP address: 192.168.0.124) deployed in the perimeter. In his primary research, he identified that the DNS server is configured with default settings. Since he is employing the Nmap tool to perform port scanning, which of the following Nmap commands should John execute to port scan the DNS server?
nmap -sS -sU -p 80 192.168.0.124
nmap -sS -sU -p 69 192.168.0.124
nmap -sS -sU -p 123 192.168.0.124
nmap -sS -sU -p 53 192.168.0.124
Question 251
Frodo, an employee in EvilCorp Ltd., notices a USB flash drive on the pavement of the company. Before handing it over to the security guard, he tries to check it out. He connects it with an OTG adapter to his mobile phone and finds some of his favorite music playlists and games. He tries to download them to his mobile, but later he came to know that he had been attacked and some of his sensitive financial information was exposed to attackers. What type of attack did Frodo face?
Social engineering attack
Phishing attack
Wardriving attack
Impersonation attack
Question 252
Which of the following information security acts eases the transfer of financial information between institutions and banks while making the rights of the individual more specific through security requirements?
The Digital Millennium Copyright Act (DMCA)
Sarbanes Oxley Act (SOX)
Computer Misuse Act 1990
Gramm-Leach-Bliley Act (GLBA)
Question 253
Peter is working on a pen testing assignment. During the reconnaissance phase, Peter discovered that the client’s SYSLOG systems are taken offline for four hours on the second Saturday of every month for maintenance. He wants to analyze the client’s web pages for sensitive information without triggering their logging mechanism. There are hundreds of pages on the client’s website and it is difficult to analyze all the information in just four hours. What will Peter do to analyze all the web pages in a stealthy manner?
Use HTTrack to mirror the complete website
Use WayBackMachine
Perform reverse DNS lookup
Search the Internet, newsgroups, bulletin boards, and negative websites for information about the client
Question 254
SecInfo is a leading cyber security provider that recently hired Andrew, a security analyst. He was assigned the task of identifying vulnerabilities in NFC devices by performing an attack on them. In this process, he was present with his receiver. Identify the type of attack performed by Andrew on the target NFC devices.
Ticket cloning
MITM attack
DoS attack
Virus attack
Question 255
A recent study from HyThech Technologies found that three of the most popular websites have the most commonly exploitable flaw in their web applications. Using this vulnerability, an attacker may inject malicious code that can be executed on a user’s machine. The study also revealed that the most sensitive target of this vulnerability is the theft of session cookies. This helps attackers duplicate the user session and access anything the user can perform on a website, such as manipulating personal information, creating fake social media posts, stealing credit card information, performing unauthorized financial transactions, etc. Identify the vulnerability revealed by HyThech Technologies.
DoS vulnerability
Buffer overflow vulnerability
Insecure decentralization vulnerability
XSS vulnerability
Question 256
Clark, a professional hacker, decided to bring down the services provided by the target organization. In the initial information-gathering stage, he detected some vulnerabilities in the TCP/IP protocol stack of the victim’s system. He exploited these vulnerabilities to create a large number of malformed packets and sent these unusually crafted packets to the victim’s machine. Identify the type of attack being performed by Clark.
Dictionary attack
DoS attack
SNMP brute-forcing attack
ARP attack
Question 257
Jackson, a social media editor for Early Times, identified that there are exploitable zero-day vulnerabilities in many of the open source protocols and common file formats across software used by some specific industries. To identify vulnerabilities in software, he sent malformed or random input to the target software and then observed the result. This technique helps in uncovering zero-day vulnerabilities and helps security teams identify areas where the quality and security of the software need to be improved. Identify the technique used by Jackson to uncover zero-day vulnerabilities.
Application fuzz testing
Application black testing
Source code review
Application white testing
Question 258
An organization recently faced a cyberattack in which an attacker captured legitimate user credentials and gained access to critical information systems. He also led other malicious hackers in gaining access to the information systems. To defend against and prevent such attacks in the future, the organization has decided to route all incoming and outgoing network traffic through a centralized access proxy, in addition to validating user credentials. Which of the following defensive mechanisms is the organization trying to strengthen?
Authentication
Serialization
Encryption
Hashing
Question 259
Hans Olo, a penetration tester at Rolatac Pvt. Ltd., has completed his initial penetration testing and now needs to create a penetration testing report for the company’s client, management, and top officials for their reference. For this, he created a report providing a detailed summary of the complete penetration testing process of the project that he has undergone, its outcomes, and recommendations for future testing and exploitation. In the above scenario, which type of penetration testing report has Hans Olo prepared?
Host report
Activity report
User report
Executive report
Question 260
Gibson, a security analyst at MileTech Solutions, is performing cloud penetration testing. As part of this process, he needs to check for any governance and compliance issues against cloud services. Which of the following documents helps Gibson in checking whether the CSP is regularly audited and certified for compliance issues?
Service level agreement
Data use agreement
ROE agreement
Nondisclosure agreement
Question 261
StarMotel is a prominent chain of hotels in the world that uses high-tech solutions to ease the stay of its guests. Among those high-tech solutions, it deployed RFID cards with which a guest can get access to the allocated hotel room. Keeping an eye on the RFID technology and with the objective of exploiting it, John, a professional hacker, decided to hack it in order to obtain access to any room in the target hotel. In this process, he first pulled an RFID keycard from the trash of the target hotel and identified the master keycard code in several tries using an RFID card reading and writing tool. Then, he created a clone of it using a new RFID card, which gave him free rein to roam in any hotel room in the building. Identify the RFID attack John has performed on the target hotel.
RFID spoofing attack
Reverse engineering attack
RFID replay attack
Power analysis attack
Question 262
An attacker impersonating a pizza delivery boy is waiting outside the target company. He observed that an employee of the company was gaining security approval to enter the campus. When the employee opened the entrance door of the company, the attacker asked the employee to hold the door open so that he could enter the company. In the above scenario, identify the technique used by the attacker to enter the company.
Dumpster diving
Vishing
Tailgating
Phishing
Question 263
A disgruntled employee, Robert, aims to acquire business secrets of the organization he works in and wants to sell them to a competing organization for financial gain. He started gathering information about the organization and somehow found out that the organization was conducting a meeting to discuss future business plans. To collect information about the organization’s business plans, he built a listening device housed in his bag and arrived at the meeting location wearing a suit and tie. One of the employees of the organization thought he was a senior executive from another branch who had come to attend the meeting and readily took him to the meeting room. Robert waited until that employee left the meeting room and planted listening devices at multiple places in the room. Then, he went outside the building and started listening to and recording all the conversations in the meeting. Identify the type of attack being performed by Robert on the target organization.
Vishing
Phishing
Shoulder surfing
Eavesdropping
Question 264
A company identified a critical vulnerability in its hyperconverged infrastructure, which provides services such as computing, networking, and storage resources in a single system. The company also identified that this vulnerability may lead to various injection attacks that allow attackers to execute malicious commands as the root user. The company decided to immediately implement appropriate countermeasures to defend against such attacks. Which of the following defensive mechanisms should the company employ?
Data correlation
Patch management
Input validation
Session management