1. What is the first phase of a penetration test?
a) Exploitation
b) Reconnaissance
c) Post-Exploitation
d) Privilege Escalation
Answer: b) Reconnaissance
Explanation: Reconnaissance is the initial phase where an attacker gathers as much information as possible about the target. This includes passive and active information gathering techniques such as OSINT, footprinting, and scanning.
2. Which of the following is an example of passive reconnaissance?
a) Port scanning
b) Banner grabbing
c) Social media profiling
d) Exploiting vulnerabilities
Answer: c) Social media profiling
Explanation: Passive reconnaissance involves gathering information without directly interacting with the target. Social media profiling, WHOIS lookups, and DNS queries are common passive recon techniques.
3. What is the main goal of the scanning phase in penetration testing?
a) To gain access to a system
b) To identify vulnerabilities and attack vectors
c) To cover tracks
d) To exfiltrate sensitive data
Answer: b) To identify vulnerabilities and attack vectors
Explanation: The scanning phase involves mapping open ports, services, and potential vulnerabilities that can be exploited. Tools like Nmap and Nessus are commonly used.
4. Which tool is widely used for vulnerability scanning during penetration testing?
a) Burp Suite
b) Metasploit
c) Nessus
d) Mimikatz
Answer: c) Nessus
Explanation: Nessus is a popular vulnerability scanner used to identify security weaknesses in systems before attempting exploitation.
5. In which penetration testing phase does exploitation occur?
a) Reconnaissance
b) Scanning
c) Post-Exploitation
d) Gaining Access
Answer: d) Gaining Access
Explanation: The gaining access phase involves actively exploiting identified vulnerabilities to gain control over the target system. Tools like Metasploit are used in this stage.
6. What is privilege escalation in penetration testing?
a) Gaining initial access
b) Bypassing network firewalls
c) Upgrading privileges from a lower to a higher level
d) Hiding malicious activity
Answer: c) Upgrading privileges from a lower to a higher level
Explanation: Privilege escalation occurs when an attacker exploits a vulnerability to gain higher privileges, such as moving from a normal user to an administrator.
7. Which framework is commonly used for penetration testing methodologies?
a) ISO 27001
b) OWASP
c) PTES
d) HIPAA
Answer: c) PTES (Penetration Testing Execution Standard)
Explanation: PTES defines a structured methodology for penetration testing, including phases such as reconnaissance, scanning, exploitation, and post-exploitation.
8. What is lateral movement in penetration testing?
a) Moving data from one server to another
b) Propagating within a network to compromise additional systems
c) Identifying new vulnerabilities
d) Exploiting social engineering tactics
Answer: b) Propagating within a network to compromise additional systems
Explanation: Lateral movement is a tactic where attackers navigate within a network after gaining initial access to find valuable targets.
9. What is the primary goal of post-exploitation?
a) Exploiting additional vulnerabilities
b) Maintaining access and exfiltrating data
c) Generating payloads
d) Executing denial-of-service attacks
Answer: b) Maintaining access and exfiltrating data
Explanation: Post-exploitation involves establishing persistence, covering tracks, and stealing sensitive information while avoiding detection.
10. Which of the following is NOT a post-exploitation activity?
a) Data exfiltration
b) Maintaining persistence
c) Gaining initial access
d) Covering tracks
Answer: c) Gaining initial access
Explanation: Gaining initial access happens before post-exploitation. Post-exploitation focuses on maintaining access and avoiding detection.
11. What is the main objective of a penetration testing report?
a) To document findings, risks, and remediation steps
b) To attack a system legally
c) To list all vulnerabilities without analysis
d) To create new exploits
Answer: a) To document findings, risks, and remediation steps
Explanation: A penetration testing report provides details of identified vulnerabilities, exploited weaknesses, and recommended fixes for security improvements.
12. What is a zero-day vulnerability?
a) A well-known vulnerability with patches available
b) A vulnerability that is actively exploited before being disclosed
c) A firewall misconfiguration
d) An outdated software bug
Answer: b) A vulnerability that is actively exploited before being disclosed
Explanation: Zero-day vulnerabilities are unknown to vendors and have no patches, making them highly dangerous when exploited.
13. What is the purpose of a red team in penetration testing?
a) To patch vulnerabilities
b) To attack systems and test security defenses
c) To audit compliance reports
d) To monitor firewall logs
Answer: b) To attack systems and test security defenses
Explanation: Red teams simulate real-world attacks to assess an organization’s security posture, while blue teams focus on defense.
14. Which of the following is a common social engineering attack?
a) Buffer Overflow
b) Phishing
c) SQL Injection
d) XSS
Answer: b) Phishing
Explanation: Phishing attacks trick users into revealing sensitive information through fraudulent emails or websites.
15. What is the difference between black-box and white-box penetration testing?
a) Black-box involves no prior knowledge, while white-box has full knowledge of the system
b) Black-box tests internal threats, while white-box tests external threats
c) Black-box uses only automated tools
d) There is no difference
Answer: a) Black-box involves no prior knowledge, while white-box has full knowledge of the system
Explanation: In black-box testing, testers simulate external attackers with no system knowledge, while white-box testers have complete access to the system’s architecture.
16. What is an example of an out-of-band attack?
a) SQL Injection
b) DNS exfiltration
c) XSS
d) ARP Spoofing
Answer: b) DNS exfiltration
Explanation: Out-of-band attacks use indirect communication channels, such as extracting data via DNS queries.
17. What does “Pivoting” mean in penetration testing?
a) Re-exploiting the same system
b) Using one compromised system to attack another
c) Encrypting stolen data
d) Running automated tools
Answer: b) Using one compromised system to attack another
Explanation: Pivoting allows attackers to move deeper into a network by leveraging an already compromised host.
18. What does the OWASP Top 10 focus on?
a) The most common network vulnerabilities
b) The most common web application security risks
c) The best penetration testing tools
d) Encryption methods
Answer: b) The most common web application security risks
Explanation: The OWASP Top 10 lists the most critical web security vulnerabilities, such as SQL Injection and XSS.
19. What is the purpose of a Rules of Engagement (RoE) document in penetration testing?
a) To define the scope, limitations, and legal aspects of the test
b) To create a list of exploitable vulnerabilities
c) To detail specific attack payloads
d) To provide firewall configurations
Answer: a) To define the scope, limitations, and legal aspects of the test
Explanation: The RoE document outlines what is allowed, what is off-limits, and the legal considerations to ensure ethical and authorized penetration testing.
20. What is a common way to bypass network firewalls in penetration testing?
a) Reverse shell connections
b) Brute-force attacks
c) Antivirus evasion
d) Memory corruption
Answer: a) Reverse shell connections
Explanation: Reverse shells allow attackers to establish a connection from inside the network, bypassing inbound firewall restrictions.
21. Which attack involves injecting malicious code into a web application’s database through user input fields?
a) Cross-Site Scripting (XSS)
b) SQL Injection
c) DNS Spoofing
d) Buffer Overflow
Answer: b) SQL Injection
Explanation: SQL Injection allows attackers to manipulate database queries, potentially leading to unauthorized access, data leakage, or even full system compromise.
22. What type of penetration test provides the tester with partial knowledge of the target environment?
a) White-box testing
b) Black-box testing
c) Gray-box testing
d) Social engineering testing
Answer: c) Gray-box testing
Explanation: Gray-box testing provides limited knowledge of the target system, simulating an insider threat or an attacker with some access.
23. What is an example of a man-in-the-middle (MITM) attack?
a) Exploiting a zero-day vulnerability
b) Intercepting and altering network traffic
c) Conducting brute-force authentication attacks
d) Injecting malware into a system
Answer: b) Intercepting and altering network traffic
Explanation: In a MITM attack, an attacker secretly intercepts and possibly alters communication between two parties.
24. What is an example of a covert channel in penetration testing?
a) Command injection
b) Steganography
c) SQL Injection
d) Phishing
Answer: b) Steganography
Explanation: Steganography hides information inside images, audio, or video files, creating a covert channel for exfiltrating data unnoticed.
25. What is the purpose of a pivot attack in penetration testing?
a) To exploit a firewall misconfiguration
b) To move laterally within a network
c) To exfiltrate data to a command-and-control server
d) To enumerate system files
Answer: b) To move laterally within a network
Explanation: Pivoting uses a compromised system as a staging point to attack other systems inside the network.
26. Which protocol is commonly targeted in ARP spoofing attacks?
a) TCP
b) UDP
c) ARP
d) ICMP
Answer: c) ARP (Address Resolution Protocol)
Explanation: ARP spoofing tricks a network into associating the attacker’s MAC address with a legitimate IP address, allowing MITM attacks.
27. What is a common way to evade detection during a penetration test?
a) Using high-volume scans
b) Implementing encryption and obfuscation techniques
c) Relying solely on automated tools
d) Using clear-text payloads
Answer: b) Implementing encryption and obfuscation techniques
Explanation: Encryption, encoding, and obfuscation help attackers evade network monitoring tools and intrusion detection systems (IDS).
28. What is the primary purpose of a honeypot in cybersecurity?
a) To act as a decoy system to attract attackers
b) To replace firewalls in a network
c) To store user credentials securely
d) To perform automated penetration testing
Answer: a) To act as a decoy system to attract attackers
Explanation: Honeypots are designed to lure attackers, allowing security teams to study their tactics and improve defenses.
29. Which of the following is a cloud-specific penetration testing challenge?
a) Identifying vulnerable web applications
b) Testing physical security of data centers
c) Ensuring compliance with provider policies
d) Analyzing open ports
Answer: c) Ensuring compliance with provider policies
Explanation: Cloud providers often impose strict penetration testing guidelines, requiring testers to obtain authorization before testing cloud environments.
30. What does the acronym CVE stand for?
a) Common Vulnerabilities and Exposures
b) Computer Virus Enumeration
c) Cyber Vulnerability Exploit
d) Common Verification Engine
Answer: a) Common Vulnerabilities and Exposures
Explanation: CVE is a publicly available database that tracks known security vulnerabilities in software and hardware.
31. Which of the following is NOT typically part of a red team operation?
a) Physical security testing
b) Social engineering attacks
c) Malware analysis
d) Network scanning
Answer: c) Malware analysis
Explanation: Red team operations focus on simulating real-world attacks, including network exploitation, social engineering, and physical security breaches—but do not typically include malware analysis.
32. What is a common post-exploitation technique for maintaining access?
a) Running a port scan
b) Creating a backdoor
c) Conducting an SQL Injection attack
d) Brute-forcing passwords
Answer: b) Creating a backdoor
Explanation: Attackers establish persistence by creating backdoors or installing remote access tools (RATs) to re-enter the system later.
33. What is a payload in penetration testing?
a) A list of targeted IP addresses
b) The malicious code delivered during an attack
c) A type of firewall configuration
d) A network scanning report
Answer: b) The malicious code delivered during an attack
Explanation: A payload is the executable code used in an exploit to perform malicious actions on a target system.
34. What is the purpose of the OSINT phase in penetration testing?
a) To deploy exploits
b) To gather publicly available information about the target
c) To manipulate firewalls
d) To remove security logs
Answer: b) To gather publicly available information about the target
Explanation: OSINT (Open Source Intelligence) involves collecting publicly accessible data to identify weaknesses before launching an attack.
35. What tool is commonly used to perform a brute-force attack on password-protected systems?
a) Nmap
b) John the Ripper
c) Wireshark
d) Nikto
Answer: b) John the Ripper
Explanation: John the Ripper is a popular password-cracking tool used to conduct dictionary and brute-force attacks.
36. What is the primary purpose of a penetration testing pre-engagement phase?
a) To start exploiting vulnerabilities
b) To define scope, goals, and obtain authorization
c) To document post-exploitation activities
d) To perform phishing attacks
Answer: b) To define scope, goals, and obtain authorization
Explanation: The pre-engagement phase ensures that the penetration test is legally and ethically conducted by defining scope, goals, testing constraints, and permissions before execution.
37. Which of the following is an example of an out-of-band attack?
a) SQL Injection
b) DNS Tunneling
c) ARP Poisoning
d) Man-in-the-middle (MITM) attack
Answer: b) DNS Tunneling
Explanation: Out-of-band attacks use alternative communication channels (e.g., DNS queries) to bypass security controls and extract data covertly.
38. What is an effective way to detect lateral movement in a network?
a) Regular software updates
b) Implementing strong password policies
c) Analyzing log files for unusual activity
d) Using steganography
Answer: c) Analyzing log files for unusual activity
Explanation: Lateral movement detection involves monitoring logs, network traffic, and system behaviors to identify unauthorized access within the network.
39. What is an example of a privilege escalation technique?
a) Phishing
b) Exploiting unpatched vulnerabilities to gain admin rights
c) Performing a Denial-of-Service (DoS) attack
d) Conducting a reverse TCP shell attack
Answer: b) Exploiting unpatched vulnerabilities to gain admin rights
Explanation: Privilege escalation occurs when attackers exploit software flaws or misconfigurations to gain higher-level privileges on a system.
40. What is the primary function of a Web Application Firewall (WAF) in penetration testing?
a) To scan for malware
b) To block unauthorized API calls
c) To protect against web-based attacks like SQL Injection and XSS
d) To perform packet sniffing
Answer: c) To protect against web-based attacks like SQL Injection and XSS
Explanation: A WAF filters and monitors HTTP traffic to prevent attacks like SQL Injection, Cross-Site Scripting (XSS), and Command Injection.
41. What is the primary purpose of a time-based blind SQL Injection attack?
a) To extract database structure
b) To determine if an SQL injection vulnerability exists based on response delay
c) To bypass authentication
d) To gain administrative privileges instantly
Answer: b) To determine if an SQL injection vulnerability exists based on response delay
Explanation: In time-based blind SQL Injection, attackers inject queries that force the database to delay responses, indicating whether the injection is successful.
42. What type of attack is used to guess passwords using a list of commonly used credentials?
a) Brute-force attack
b) Dictionary attack
c) Rainbow table attack
d) Side-channel attack
Answer: b) Dictionary attack
Explanation: Dictionary attacks try predefined lists of common passwords instead of trying all possible character combinations.
43. What is the primary advantage of using a TCP SYN scan over a full TCP connect scan?
a) It is faster and stealthier
b) It guarantees access to the target
c) It does not require administrative privileges
d) It provides real-time encryption
Answer: a) It is faster and stealthier
Explanation: A TCP SYN scan sends a half-open connection request and analyzes the responses without completing the three-way handshake, which makes it harder for IDS/IPS to detect.
44. Which attack exploits weak session management mechanisms in web applications?
a) SQL Injection
b) Clickjacking
c) Session Hijacking
d) Denial-of-Service (DoS)
Answer: c) Session Hijacking
Explanation: Session hijacking occurs when an attacker steals or predicts a session token, allowing unauthorized access to a user’s active session.
45. What is the purpose of a pentest report’s executive summary?
a) To provide in-depth technical exploit details
b) To list detected vulnerabilities only
c) To summarize key findings, business impact, and recommendations for executives
d) To display source code used in the test
Answer: c) To summarize key findings, business impact, and recommendations for executives
Explanation: The executive summary is a high-level overview tailored for non-technical stakeholders to understand the risks and required security improvements.
46. What is a “living off the land” attack technique in penetration testing?
a) Using built-in OS tools to avoid detection
b) Deploying malware remotely
c) Exploiting third-party applications
d) Running an automated brute-force attack
Answer: a) Using built-in OS tools to avoid detection
Explanation: Attackers use legitimate system tools (e.g., PowerShell, WMI, Netcat) to carry out attacks, making their activity harder for security tools to detect.
47. Which of the following is an example of two-factor authentication (2FA)?
a) A username and password
b) A password and a CAPTCHA
c) A password and an SMS verification code
d) A biometric scan alone
Answer: c) A password and an SMS verification code
Explanation: 2FA requires two different authentication factors (e.g., something you know and something you have) for improved security.
48. What is the primary goal of a covert red team operation?
a) To brute-force administrative passwords
b) To evaluate an organization’s real-world security posture without prior notice
c) To scan for vulnerabilities and report them instantly
d) To bypass firewalls and plant malware
Answer: b) To evaluate an organization’s real-world security posture without prior notice
Explanation: A red team operation simulates real-world cyberattacks, testing an organization’s detection and response capabilities under realistic conditions.
49. What is an important consideration when performing wireless penetration testing?
a) Only checking SSIDs
b) Ensuring proper legal authorization and scope
c) Using brute-force methods to gain access
d) Avoiding encryption analysis
Answer: b) Ensuring proper legal authorization and scope
Explanation: Wireless penetration testing involves analyzing SSIDs, encryption, signal strength, and vulnerabilities but must be conducted legally and with proper scope definitions.
50. What is an example of an anti-forensic technique used by attackers?
a) Using SIEM logs for tracking
b) Disabling antivirus software
c) Encrypting or deleting logs to hide evidence
d) Running a vulnerability scanner
Answer: c) Encrypting or deleting logs to hide evidence
Explanation: Attackers use anti-forensic techniques like log wiping, timestomping, encryption, and data obfuscation to cover their tracks and avoid detection.
51. What is the main objective of a post-mortem analysis in penetration testing?
a) To exploit more vulnerabilities
b) To analyze and document the effectiveness of the test
c) To launch another round of attacks
d) To install additional malware for persistence
Answer: b) To analyze and document the effectiveness of the test
Explanation: A post-mortem analysis helps penetration testers and security teams review findings, assess what worked, and provide recommendations for improving security.
52. Which of the following is a common technique to maintain persistence on a compromised system?
a) Running a port scan
b) Deploying a rootkit
c) Conducting a brute-force attack
d) Using an SQL injection
Answer: b) Deploying a rootkit
Explanation: Rootkits allow attackers to hide their presence and maintain access to a system even after a reboot.
53. What is the purpose of fuzz testing (fuzzing) in penetration testing?
a) To automate brute-force attacks
b) To inject random or malformed input to find vulnerabilities
c) To perform privilege escalation
d) To generate phishing emails
Answer: b) To inject random or malformed input to find vulnerabilities
Explanation: Fuzz testing helps identify buffer overflows, crashes, and unexpected behavior in applications by testing them with unexpected or malformed inputs.
54. Which type of firewall monitors and filters HTTP requests specifically for web applications?
a) Packet-filtering firewall
b) Web Application Firewall (WAF)
c) Proxy firewall
d) Stateful inspection firewall
Answer: b) Web Application Firewall (WAF)
Explanation: A WAF helps detect and block web-based attacks such as SQL Injection, Cross-Site Scripting (XSS), and CSRF.
55. Which penetration testing technique is used to exploit security weaknesses in Bluetooth devices?
a) War Driving
b) BlueJacking
c) SQL Injection
d) Pivoting
Answer: b) BlueJacking
Explanation: BlueJacking involves sending unsolicited messages or files to Bluetooth-enabled devices, often for phishing or pranking purposes.
56. What is a key characteristic of a zero-click attack?
a) Requires user interaction to execute the payload
b) Exploits a vulnerability without user interaction
c) Only works on outdated systems
d) Always uses brute-force techniques
Answer: b) Exploits a vulnerability without user interaction
Explanation: Zero-click attacks exploit security flaws without requiring the user to click anything, making them particularly dangerous (e.g., iMessage zero-click exploits).
57. What is an example of an attack that relies on poor input validation?
a) Cross-Site Scripting (XSS)
b) ARP Spoofing
c) DNS Poisoning
d) Man-in-the-Middle (MITM)
Answer: a) Cross-Site Scripting (XSS)
Explanation: XSS occurs when an application does not properly sanitize user input, allowing attackers to inject malicious scripts into web pages.
58. What is a common objective of a red team engagement?
a) To check software licenses
b) To improve an organization’s detection and response capabilities
c) To only scan for open ports
d) To configure firewalls
Answer: b) To improve an organization’s detection and response capabilities
Explanation: Red team engagements simulate real-world attacks to assess how well a company’s blue team (defenders) can detect and respond to security incidents.
59. What does the acronym “TTPs” stand for in cybersecurity?
a) Testing, Tools, and Penetration
b) Tactics, Techniques, and Procedures
c) Threats, Tracking, and Patching
d) Technical, Training, and Policies
Answer: b) Tactics, Techniques, and Procedures
Explanation: TTPs describe the methods used by attackers, including their behavior, attack vectors, and operational techniques.
60. What is a common defensive strategy against phishing attacks?
a) Disabling firewalls
b) Implementing email filtering and security awareness training
c) Increasing network speed
d) Using strong passwords only
Answer: b) Implementing email filtering and security awareness training
Explanation: Phishing protection involves email filtering, user education, and multi-factor authentication (MFA) to mitigate attacks.
61. Which of the following is an example of a side-channel attack?
a) Spectre & Meltdown
b) SQL Injection
c) XSS
d) Buffer Overflow
Answer: a) Spectre & Meltdown
Explanation: Side-channel attacks exploit hardware vulnerabilities by analyzing CPU behavior, cache memory, or power consumption.
62. Which Linux command is commonly used for privilege escalation enumeration?
a) whoami
b) sudo -l
c) cat /etc/passwd
d) ping
Answer: b) sudo -l
Explanation: sudo -l lists commands that a user can execute with elevated privileges, helping penetration testers identify misconfigurations.
63. Which protocol is commonly used for sniffing unencrypted network traffic?
a) DNS
b) HTTP
c) HTTPS
d) SMTP
Answer: b) HTTP
Explanation: HTTP sends data in plaintext, making it vulnerable to packet sniffing and MITM attacks using tools like Wireshark.
64. What type of attack targets API security flaws?
a) Server-Side Request Forgery (SSRF)
b) ARP Spoofing
c) DNS Hijacking
d) Port Knocking
Answer: a) Server-Side Request Forgery (SSRF)
Explanation: SSRF occurs when attackers manipulate APIs to make requests on their behalf, often leading to internal network access.
65. What is the primary goal of a bug bounty program?
a) To replace penetration testing
b) To incentivize ethical hackers to find and report vulnerabilities
c) To train employees in social engineering
d) To exploit company networks legally
Answer: b) To incentivize ethical hackers to find and report vulnerabilities
Explanation: Bug bounty programs encourage security researchers to responsibly disclose vulnerabilities in exchange for monetary rewards.
66. What is a common attack against weak cryptographic implementations?
a) Rainbow table attack
b) SQL Injection
c) ARP Spoofing
d) Smurf attack
Answer: a) Rainbow table attack
Explanation: Rainbow table attacks precompute password hashes, allowing attackers to quickly crack weakly hashed passwords.
67. What type of attack can exploit deserialization vulnerabilities?
a) Remote Code Execution (RCE)
b) SQL Injection
c) Man-in-the-Middle (MITM)
d) DNS Spoofing
Answer: a) Remote Code Execution (RCE)
Explanation: Insecure deserialization can allow attackers to inject malicious objects, leading to RCE and system compromise.
68. What is a defense-in-depth approach?
a) Using a single security measure
b) Implementing multiple security layers to protect against threats
c) Relying only on strong passwords
d) Blocking all network connections
Answer: b) Implementing multiple security layers to protect against threats
Explanation: Defense-in-depth involves using multiple security controls (firewalls, IDS, encryption, etc.) to mitigate attacks.
69. What is an important consideration when testing mobile applications?
a) Analyzing API security
b) Only testing web versions
c) Ignoring data storage security
d) Skipping penetration testing
Answer: a) Analyzing API security
Explanation: Mobile apps rely heavily on APIs, making API security testing a critical part of penetration testing.
70. Which tool is commonly used for privilege escalation in Windows environments?
a) Mimikatz
b) Burp Suite
c) Wireshark
d) Nmap
Answer: a) Mimikatz
Explanation: Mimikatz is a powerful tool for stealing credentials, dumping hashes, and performing privilege escalation on Windows.
71. What is the main goal of a social engineering penetration test?
a) To identify technical vulnerabilities in a web application
b) To assess human susceptibility to manipulation and deception
c) To exploit misconfigured firewalls
d) To perform automated vulnerability scanning
Answer: b) To assess human susceptibility to manipulation and deception
Explanation: Social engineering tests simulate phishing, impersonation, and psychological manipulation attacks to measure employee awareness and response.
72. Which type of penetration test focuses on evaluating the security of a company’s physical premises?
a) Web application penetration test
b) Physical penetration test
c) Network penetration test
d) API penetration test
Answer: b) Physical penetration test
Explanation: Physical penetration testing evaluates physical security controls, such as locks, security cameras, RFID systems, and employee access protocols.
73. What is the purpose of a “Command and Control” (C2) server in a cyber attack?
a) To provide security updates to compromised systems
b) To enable attackers to remotely control infected machines
c) To harden network security
d) To monitor legitimate user activities
Answer: b) To enable attackers to remotely control infected machines
Explanation: A C2 server allows attackers to send commands, extract data, and maintain control over compromised devices in a botnet or advanced attack campaign.
74. What is an example of a direct attack vector in penetration testing?
a) Phishing emails
b) Exploiting an unpatched vulnerability in a web server
c) Social engineering phone calls
d) Passive reconnaissance
Answer: b) Exploiting an unpatched vulnerability in a web server
Explanation: Direct attack vectors involve exploiting software vulnerabilities to gain unauthorized access. Indirect vectors include phishing and social engineering.
75. What does an Intrusion Detection System (IDS) do?
a) Prevents all attacks from occurring
b) Detects and alerts security teams about suspicious activity
c) Automatically removes all malware
d) Encrypts all network traffic
Answer: b) Detects and alerts security teams about suspicious activity
Explanation: An IDS monitors network traffic for anomalies and known attack signatures, but it does not actively block threats like an IPS (Intrusion Prevention System).
76. What is a rogue access point in Wi-Fi penetration testing?
a) A legitimate access point with a weak password
b) A fake access point set up to capture network traffic
c) A misconfigured firewall
d) A VPN with incorrect settings
Answer: b) A fake access point set up to capture network traffic
Explanation: Rogue APs are set up by attackers to trick users into connecting, allowing them to intercept credentials and sensitive data.
77. What is the purpose of the Kerberoasting attack?
a) To exploit SQL Injection vulnerabilities
b) To crack Windows service account passwords from Kerberos tickets
c) To launch a ransomware attack
d) To perform lateral movement via DNS spoofing
Answer: b) To crack Windows service account passwords from Kerberos tickets
Explanation: Kerberoasting extracts encrypted Kerberos service tickets and attempts to brute-force the passwords offline to escalate privileges.
78. Which type of attack can be mitigated by implementing HTTP security headers like X-Frame-Options?
a) Cross-Site Scripting (XSS)
b) SQL Injection
c) Clickjacking
d) Cross-Origin Resource Sharing (CORS)
Answer: c) Clickjacking
Explanation: The X-Frame-Options header prevents malicious iframes from embedding your website, blocking Clickjacking attacks.
79. What is a “golden ticket” attack in Active Directory exploitation?
a) An attack that bypasses VPN authentication
b) A method of creating a Kerberos ticket granting ticket (TGT) for unlimited access
c) A privilege escalation attack that exploits SQL Injection
d) A phishing attack targeting privileged users
Answer: b) A method of creating a Kerberos ticket granting ticket (TGT) for unlimited access
Explanation: A golden ticket attack allows attackers to forge Kerberos tickets and gain persistent domain admin access in Active Directory environments.
80. What type of attack leverages XML parsing vulnerabilities to access sensitive system resources?
a) SQL Injection
b) Cross-Site Scripting (XSS)
c) XML External Entity (XXE) Injection
d) DNS Spoofing
Answer: c) XML External Entity (XXE) Injection
Explanation: XXE attacks manipulate XML parsers to access files, execute system commands, or conduct Server-Side Request Forgery (SSRF).
81. What is the main advantage of using a SOCKS proxy in penetration testing?
a) It speeds up network traffic
b) It provides an encrypted tunnel for data exfiltration and anonymity
c) It prevents SQL Injection attacks
d) It improves DNS resolution
Answer: b) It provides an encrypted tunnel for data exfiltration and anonymity
Explanation: SOCKS proxies allow penetration testers to route traffic anonymously through compromised machines, making detection harder.
82. Which of the following is a client-side vulnerability?
a) Insecure deserialization
b) Cross-Site Scripting (XSS)
c) Privilege escalation
d) Command injection
Answer: b) Cross-Site Scripting (XSS)
Explanation: Client-side vulnerabilities like XSS occur within the user’s browser and do not affect the server directly.
83. What is an effective countermeasure against a brute-force attack on a login page?
a) Disabling user authentication
b) Implementing account lockout policies and CAPTCHA
c) Encrypting all cookies
d) Using only HTTP instead of HTTPS
Answer: b) Implementing account lockout policies and CAPTCHA
Explanation: Account lockouts, CAPTCHA challenges, and rate-limiting prevent brute-force attacks by restricting multiple failed login attempts.
84. What does “Timestomping” refer to in penetration testing?
a) Cracking passwords using timestamps
b) Manipulating file timestamps to evade forensic detection
c) Using a timestamp-based encryption algorithm
d) Performing a timing attack on SSL/TLS
Answer: b) Manipulating file timestamps to evade forensic detection
Explanation: Timestomping alters file metadata (creation, modification, access times) to hide attacker activity from forensic investigations.
85. What is the purpose of a silver ticket attack?
a) To bypass multifactor authentication (MFA)
b) To forge Kerberos service tickets for lateral movement
c) To execute a remote buffer overflow exploit
d) To escalate privileges via a brute-force attack
Answer: b) To forge Kerberos service tickets for lateral movement
Explanation: A silver ticket attack allows attackers to forge service tickets, enabling lateral movement without domain controller validation.
86. What is a common goal of lateral movement in penetration testing?
a) To infect external websites
b) To access high-value systems within the network
c) To bypass firewall configurations
d) To disable antivirus software
Answer: b) To access high-value systems within the network
Explanation: Lateral movement allows attackers to escalate privileges and compromise critical systems after gaining an initial foothold.
87. Which penetration testing phase focuses on removing all traces of testing activities?
a) Post-exploitation
b) Covering tracks
c) Lateral movement
d) Reporting
Answer: b) Covering tracks
Explanation: The covering tracks phase involves removing logs, clearing command histories, and modifying timestamps to prevent detection and forensic analysis.
88. What does the nc -lvnp 4444 command do in Netcat during penetration testing?
a) Opens a reverse shell on the target system
b) Starts a Netcat listener on port 4444
c) Conducts a brute-force attack
d) Scans the network for open ports
Answer: b) Starts a Netcat listener on port 4444
Explanation: The -l flag starts listening, -v enables verbose mode, -n prevents DNS resolution, and -p 4444 specifies the listening port. It is used for reverse shell interactions.
89. What is the main purpose of a watering hole attack?
a) To exploit a zero-day vulnerability
b) To compromise frequently visited websites and infect users
c) To create a rogue access point
d) To conduct a dictionary attack
Answer: b) To compromise frequently visited websites and infect users
Explanation: Watering hole attacks infect legitimate, high-traffic websites to deliver malware to targeted users.
90. Which of the following best describes a pass-the-hash (PtH) attack?
a) Cracking password hashes using rainbow tables
b) Using stolen NTLM hashes to authenticate without knowing the plaintext password
c) Exploiting buffer overflow vulnerabilities
d) Using SQL Injection to retrieve hashed passwords
Answer: b) Using stolen NTLM hashes to authenticate without knowing the plaintext password
Explanation: Pass-the-hash (PtH) attacks allow attackers to use hashed credentials to access network services without cracking the password.
91. What does the Mimikatz tool primarily help penetration testers achieve?
a) Scanning for open ports
b) Extracting plaintext passwords, hashes, and Kerberos tickets
c) Running vulnerability scans
d) Performing SQL Injection attacks
Answer: b) Extracting plaintext passwords, hashes, and Kerberos tickets
Explanation: Mimikatz is a powerful post-exploitation tool used to steal credentials, escalate privileges, and manipulate authentication mechanisms.
92. What is the primary difference between spear phishing and regular phishing?
a) Spear phishing targets specific individuals, while phishing is broad
b) Phishing attacks only occur via SMS
c) Spear phishing only targets government agencies
d) Regular phishing is always automated
Answer: a) Spear phishing targets specific individuals, while phishing is broad
Explanation: Spear phishing is highly targeted, often impersonating trusted contacts, whereas regular phishing targets large numbers of users with generic emails.
93. What is a common sign of DNS cache poisoning?
a) Websites loading slower than usual
b) Being redirected to malicious or fraudulent websites
c) Emails taking longer to send
d) Firewalls blocking all connections
Answer: b) Being redirected to malicious or fraudulent websites
Explanation: DNS cache poisoning modifies DNS entries to redirect users to attacker-controlled websites for phishing or malware distribution.
94. What does an adversary use in an evil twin attack?
a) A compromised VPN
b) A fake Wi-Fi access point mimicking a legitimate one
c) A zero-day vulnerability
d) An exploit targeting SSH connections
Answer: b) A fake Wi-Fi access point mimicking a legitimate one
Explanation: Evil twin attacks create a rogue access point to trick users into connecting, allowing attackers to intercept traffic and steal credentials.
95. What is the primary purpose of a canary token in penetration testing?
a) To detect unauthorized access attempts
b) To scan for SQL Injection vulnerabilities
c) To perform brute-force attacks
d) To create backdoors for persistence
Answer: a) To detect unauthorized access attempts
Explanation: Canary tokens are bait files or credentials that alert defenders when accessed by unauthorized users, helping to detect breaches.
96. What is a common way to bypass antivirus detection in penetration testing?
a) Encrypting malicious payloads
b) Using only pre-built exploits
c) Disabling firewalls manually
d) Avoiding exploitation altogether
Answer: a) Encrypting malicious payloads
Explanation: Antivirus evasion techniques include encryption, obfuscation, and polymorphic malware, which change signatures to avoid detection.
97. What is the primary objective of an assumed breach penetration test?
a) To simulate insider threats or already compromised environments
b) To scan for external network vulnerabilities
c) To brute-force login credentials
d) To audit compliance regulations
Answer: a) To simulate insider threats or already compromised environments
Explanation: Assumed breach testing starts with the assumption that an attacker has already gained initial access, evaluating lateral movement and response readiness.
98. What is the primary security risk associated with JWT (JSON Web Token) if improperly implemented?
a) It can be used to bypass firewall rules
b) It may allow token forgery if the secret key is weak
c) It slows down authentication services
d) It prevents all unauthorized access
Answer: b) It may allow token forgery if the secret key is weak
Explanation: Weak or exposed JWT signing keys allow attackers to forge authentication tokens, leading to unauthorized access.
99. Which of the following is a critical vulnerability in cloud security penetration testing?
a) Open S3 bucket permissions
b) Incorrect IP subnet masks
c) Weak CAPTCHA challenges
d) Unused API endpoints
Answer: a) Open S3 bucket permissions
Explanation: Exposed Amazon S3 buckets can lead to data leaks and unauthorized access, making misconfigured cloud storage a major security risk.
100. What is the main function of a Cobalt Strike beacon in penetration testing?
a) To act as a simulated malware implant for post-exploitation
b) To generate brute-force attack payloads
c) To encrypt command-line arguments
d) To conduct automated penetration tests
Answer: a) To act as a simulated malware implant for post-exploitation
Explanation: Cobalt Strike beacons enable covert command execution, lateral movement, and C2 (command and control) interactions during red team operations.
101. What is the primary goal of an out-of-band (OOB) exploitation technique?
a) To execute payloads in a different network segment
b) To bypass traditional network security monitoring
c) To conduct brute-force attacks from multiple locations
d) To perform SQL injection
Answer: b) To bypass traditional network security monitoring
Explanation: Out-of-band exploitation sends data through unexpected channels (e.g., DNS, ICMP) to exfiltrate data while avoiding detection.
102. Which protocol is commonly exploited in NTLM relay attacks?
a) SMB
b) ICMP
c) SSH
d) SNMP
Answer: a) SMB
Explanation: NTLM relay attacks exploit Server Message Block (SMB) authentication by intercepting and relaying credentials to gain access.
103. Which of the following tools is commonly used to test and exploit deserialization vulnerabilities?
a) Ysoserial
b) Mimikatz
c) SQLmap
d) Nmap
Answer: a) Ysoserial
Explanation: Ysoserial generates payloads to exploit insecure deserialization vulnerabilities in Java-based applications.
104. What is a common way to escalate privileges on Linux systems?
a) Exploiting weak sudo configurations
b) Cracking the BIOS password
c) Running a DDoS attack
d) Enabling a firewall
Answer: a) Exploiting weak sudo configurations
Explanation: Misconfigured sudo permissions can allow privilege escalation if users have unrestricted execution rights.
105. What does the BloodHound tool help penetration testers identify?
a) Misconfigurations in Active Directory environments
b) Open web application ports
c) Unused API keys
d) Cryptographic weaknesses
Answer: a) Misconfigurations in Active Directory environments
Explanation: BloodHound maps Active Directory relationships, helping testers find privilege escalation paths and lateral movement opportunities.
106. What is a key indicator of a Kerberoasting attack?
a) Unusual DNS traffic
b) A high number of Kerberos TGS requests
c) Unauthorized firmware updates
d) Excessive failed SSH login attempts
Answer: b) A high number of Kerberos TGS requests
Explanation: Kerberoasting attacks abuse service tickets (TGS) to obtain encrypted credentials for cracking.
107. What technique is used to compromise a domain controller without directly attacking it?
a) Skeleton Key attack
b) Watering Hole attack
c) BGP Hijacking
d) MITM attack
Answer: a) Skeleton Key attack
Explanation: The Skeleton Key attack injects a malicious authentication backdoor into a domain controller, allowing unrestricted access.
108. What does an attacker exploit in an OAuth token reuse attack?
a) A misconfigured SQL database
b) A vulnerable web socket
c) An improperly secured authentication token
d) A firewall rule bypass
Answer: c) An improperly secured authentication token
Explanation: If OAuth tokens are not properly expired or revoked, attackers can reuse them to gain unauthorized access.
109. Which of the following is a common attack against CI/CD pipelines?
a) Command injection in build scripts
b) DNS spoofing
c) Bluetooth hijacking
d) HTTP request smuggling
Answer: a) Command injection in build scripts
Explanation: Attackers inject malicious commands into CI/CD scripts, leading to unauthorized execution on deployment environments.
110. What is the primary risk of exposed .git directories in web applications?
a) They can allow attackers to download source code
b) They lead to instant remote code execution
c) They enable brute-force attacks
d) They expose SSL/TLS certificates
Answer: a) They can allow attackers to download source code
Explanation: Exposed .git directories let attackers retrieve sensitive files, credentials, and version history, potentially exposing security flaws.
111. Which of the following is an example of a supply chain attack?
a) Exploiting vulnerabilities in a software vendor’s update mechanism
b) Sending phishing emails to employees
c) Conducting a network port scan
d) Running a SQL Injection attack
Answer: a) Exploiting vulnerabilities in a software vendor’s update mechanism
Explanation: Supply chain attacks target trusted third-party vendors to compromise software updates, libraries, or dependencies.
112. What technique can be used to extract credentials from memory in Windows systems?
a) Process injection
b) Memory scraping with Mimikatz
c) Subdomain takeover
d) TLS fingerprinting
Answer: b) Memory scraping with Mimikatz
Explanation: Mimikatz can extract plaintext credentials, NTLM hashes, and Kerberos tickets from memory.
113. What does a Domain Fronting technique help attackers achieve?
a) Concealing C2 (Command and Control) traffic using legitimate domains
b) Identifying subdomains for brute-force attacks
c) Manipulating DNS cache poisoning
d) Conducting phishing attacks
Answer: a) Concealing C2 (Command and Control) traffic using legitimate domains
Explanation: Domain fronting allows attackers to hide malicious traffic behind reputable web services like CDNs and cloud providers.
114. What is a major risk of allowing unrestricted outbound traffic from a network?
a) It allows unauthorized port scanning
b) It facilitates data exfiltration and C2 communications
c) It prevents malware execution
d) It improves firewall security
Answer: b) It facilitates data exfiltration and C2 communications
Explanation: Attackers exploit outbound traffic for exfiltrating sensitive data and maintaining persistence via C2 servers.
115. What is the primary function of a Rogue DHCP server in an attack?
a) To distribute incorrect IP configurations and intercept network traffic
b) To perform DNS lookups faster
c) To encrypt outgoing traffic
d) To block malware connections
Answer: a) To distribute incorrect IP configurations and intercept network traffic
Explanation: Rogue DHCP servers can manipulate network traffic routing, enabling MITM attacks and unauthorized monitoring.
116. Which of the following tools is commonly used for hardware hacking in penetration testing?
a) Bus Pirate
b) Metasploit
c) Nmap
d) Nikto
Answer: a) Bus Pirate
Explanation: Bus Pirate is used for hardware hacking, testing embedded devices, and analyzing communication protocols.
117. What is the primary risk of exposed API keys in public repositories?
a) They can be used for unauthorized access and data theft
b) They prevent brute-force attacks
c) They encrypt data automatically
d) They improve software security
Answer: a) They can be used for unauthorized access and data theft
Explanation: Exposed API keys allow attackers to access cloud services, databases, and sensitive resources without authentication.
118. Which of the following is a key indicator of a successful man-in-the-middle (MITM) attack?
a) Increased network latency and packet loss
b) Web pages failing to load completely
c) Intercepted and manipulated network traffic
d) Random system crashes
Answer: c) Intercepted and manipulated network traffic
Explanation: MITM attacks allow attackers to eavesdrop, alter, and intercept communications between two parties without their knowledge.
119. What type of security flaw does Host Header Injection exploit?
a) Web application firewall misconfiguration
b) Incorrect validation of HTTP headers
c) TLS certificate weaknesses
d) Session timeout settings
Answer: b) Incorrect validation of HTTP headers
Explanation: Host Header Injection can allow attackers to redirect traffic, conduct phishing, or bypass security controls if a server does not properly validate HTTP headers.
120. What is the purpose of the Responder tool in penetration testing?
a) To perform network reconnaissance
b) To capture and poison network authentication requests
c) To brute-force web login pages
d) To scan for vulnerabilities in APIs
Answer: b) To capture and poison network authentication requests
Explanation: Responder is a tool used to poison LLMNR, NBT-NS, and MDNS requests, capturing credentials for offline cracking.
121. What is the primary risk of an improperly configured CORS (Cross-Origin Resource Sharing) policy?
a) It can allow cross-site scripting (XSS) attacks
b) It can allow unauthorized cross-origin API requests
c) It can cause network congestion
d) It enables privilege escalation
Answer: b) It can allow unauthorized cross-origin API requests
Explanation: Weak CORS policies can allow malicious websites to make unauthorized requests to sensitive APIs, leading to data theft.
122. Which attack technique leverages a downgrade from HTTPS to HTTP?
a) Downgrade Attack (SSL Strip)
b) Cache Poisoning
c) Clickjacking
d) XML External Entity Injection
Answer: a) Downgrade Attack (SSL Strip)
Explanation: SSL Strip attacks force victims’ browsers to load sites over HTTP instead of HTTPS, exposing traffic to MITM interception.
123. What is a major security concern when using weak JWT (JSON Web Token) secrets?
a) They enable token replay attacks
b) They allow JWT tokens to be forged and authenticated
c) They expose internal databases
d) They prevent token expiration
Answer: b) They allow JWT tokens to be forged and authenticated
Explanation: If the JWT signing secret is weak, attackers can generate valid authentication tokens, leading to unauthorized access.
124. What is a key difference between SSRF (Server-Side Request Forgery) and CSRF (Cross-Site Request Forgery)?
a) SSRF targets servers, while CSRF tricks users into making unintended requests
b) CSRF requires direct network access
c) SSRF can only be performed over HTTP
d) CSRF attacks are unexploitable in modern browsers
Answer: a) SSRF targets servers, while CSRF tricks users into making unintended requests
Explanation: SSRF attacks trick servers into making unauthorized requests, whereas CSRF manipulates users into sending malicious requests on their behalf.
125. What is the main purpose of using the Empire framework in penetration testing?
a) Automating vulnerability scanning
b) Post-exploitation and C2 (Command and Control) operations
c) Detecting malware
d) Auditing web application logs
Answer: b) Post-exploitation and C2 (Command and Control) operations
Explanation: Empire is a post-exploitation framework used for lateral movement, privilege escalation, and remote execution in red team engagements.
126. What is the main security risk of weak session cookies?
a) They can lead to session hijacking
b) They cause application slowdowns
c) They automatically expire after logout
d) They improve authentication security
Answer: a) They can lead to session hijacking
Explanation: Weak session cookies (e.g., missing the HttpOnly or Secure flag) can allow session hijacking, letting attackers impersonate users.
127. What is the primary purpose of a rootkit in post-exploitation?
a) To exploit web application vulnerabilities
b) To hide an attacker’s presence and maintain persistence
c) To trigger a Denial-of-Service attack
d) To execute a phishing campaign
Answer: b) To hide an attacker’s presence and maintain persistence
Explanation: Rootkits modify system-level processes to evade detection, allowing attackers to maintain long-term access.
128. What does a race condition vulnerability in web applications allow an attacker to do?
a) Execute multiple transactions simultaneously to exploit logic flaws
b) Encrypt files for ransom
c) Modify network firewalls remotely
d) Crash the entire operating system
Answer: a) Execute multiple transactions simultaneously to exploit logic flaws
Explanation: Race condition attacks exploit timing issues, allowing attackers to manipulate transactions or bypass security checks.
129. What is the primary purpose of an attack called “Golden SAML”?
a) To exploit weak password hashes
b) To forge authentication responses in SAML-based Single Sign-On (SSO)
c) To manipulate API requests
d) To disable user accounts
Answer: b) To forge authentication responses in SAML-based Single Sign-On (SSO)
Explanation: Golden SAML attacks allow attackers to generate fraudulent authentication tokens without needing legitimate credentials.
130. Which attack technique can allow unauthorized code execution through serialized objects?
a) Insecure deserialization
b) CSRF
c) SQL Injection
d) Cross-Site Scripting (XSS)
Answer: a) Insecure deserialization
Explanation: Insecure deserialization vulnerabilities allow attackers to inject malicious objects, often leading to Remote Code Execution (RCE).
131. What is an important countermeasure against XXE (XML External Entity) injection?
a) Disabling XML parsing
b) Using JSON instead of XML
c) Disabling external entity processing in XML parsers
d) Allowing all file uploads
Answer: c) Disabling external entity processing in XML parsers
Explanation: Disabling external entities prevents attackers from accessing local files, executing commands, or initiating SSRF attacks via XML payloads.
132. What is a primary risk of exposing .env files in web applications?
a) They can contain sensitive API keys and credentials
b) They reduce website performance
c) They automatically encrypt user passwords
d) They disable firewalls
Answer: a) They can contain sensitive API keys and credentials
Explanation: Exposed .env files can leak database credentials, API keys, and other sensitive configuration details to attackers.
133. What is the primary goal of DNS exfiltration in penetration testing?
a) To bypass encryption mechanisms
b) To exfiltrate data covertly using DNS queries
c) To perform load balancing on a website
d) To brute-force domain names
Answer: b) To exfiltrate data covertly using DNS queries
Explanation: DNS exfiltration is a technique where attackers encode and transfer data via DNS requests, evading traditional security measures.
134. Which of the following is a critical security risk when using hardcoded credentials in source code?
a) Increased application load time
b) Increased risk of credential leakage and unauthorized access
c) Slower API response times
d) Higher memory usage
Answer: b) Increased risk of credential leakage and unauthorized access
Explanation: Hardcoded credentials in source code can be easily discovered in repositories or through reverse engineering, leading to security breaches.
135. What does a “Golden Ticket” attack allow an attacker to do?
a) Generate Kerberos Ticket Granting Tickets (TGTs) to impersonate any user
b) Exploit SQL Injection vulnerabilities
c) Intercept TLS-encrypted communications
d) Compromise multi-factor authentication
Answer: a) Generate Kerberos Ticket Granting Tickets (TGTs) to impersonate any user
Explanation: Golden Ticket attacks abuse Kerberos authentication to create forged TGTs, granting persistent domain access.
136. What is the primary purpose of Metasploit’s Meterpreter?
a) To scan networks for vulnerabilities
b) To provide an advanced post-exploitation shell
c) To detect malware infections
d) To perform automated compliance audits
Answer: b) To provide an advanced post-exploitation shell
Explanation: Meterpreter is a powerful in-memory post-exploitation tool that enables command execution, privilege escalation, and persistence.
137. What is a key security risk when using WebSockets in web applications?
a) They enable attackers to perform TCP SYN scanning
b) They can be exploited for Cross-Site WebSocket Hijacking (CSWH)
c) They only work on HTTPS connections
d) They cannot be used for real-time data transfer
Answer: b) They can be exploited for Cross-Site WebSocket Hijacking (CSWH)
Explanation: WebSockets lack built-in security controls like CORS headers, making them vulnerable to CSWH attacks.
138. What is the primary function of a backdoor in penetration testing?
a) To scan for software vulnerabilities
b) To provide unauthorized access and persistence on a compromised system
c) To generate fake traffic
d) To perform OSINT reconnaissance
Answer: b) To provide unauthorized access and persistence on a compromised system
Explanation: Backdoors allow attackers or pentesters to regain control of a compromised machine even after the system is rebooted or patched.
139. What type of attack exploits flaws in JSON Web Tokens (JWT) due to weak secrets?
a) JWT brute-force attack
b) Padding oracle attack
c) Watering hole attack
d) HTTP host header injection
Answer: a) JWT brute-force attack
Explanation: Weak JWT secrets allow attackers to brute-force the signature and generate valid authentication tokens to impersonate users.
140. What is the role of a dropper in malware deployment?
a) To brute-force authentication credentials
b) To act as a lightweight loader that installs additional malware
c) To block antivirus scans
d) To manipulate HTTP headers
Answer: b) To act as a lightweight loader that installs additional malware
Explanation: Droppers are small malware programs designed to download and execute more sophisticated malware payloads on the infected system.
141. What does an attacker achieve through a “Session Fixation” attack?
a) Manipulating session cookies to force a victim to use a predefined session ID
b) Cracking hashed user passwords
c) Redirecting users to malicious websites
d) Modifying security headers
Answer: a) Manipulating session cookies to force a victim to use a predefined session ID
Explanation: Session Fixation attacks force a user to authenticate with an attacker-controlled session ID, enabling account hijacking.
142. What is a key risk when an application allows file uploads without proper validation?
a) It can lead to Remote Code Execution (RCE)
b) It slows down server response times
c) It increases the need for additional RAM
d) It prevents XSS attacks
Answer: a) It can lead to Remote Code Execution (RCE)
Explanation: Unrestricted file uploads can allow attackers to upload malicious scripts or executables, leading to server compromise.
143. Which security flaw allows attackers to gain unauthorized database access by exploiting improperly sanitized input fields?
a) SQL Injection
b) Cross-Site Request Forgery (CSRF)
c) DNS Spoofing
d) ARP Poisoning
Answer: a) SQL Injection
Explanation: SQL Injection exploits insufficient input validation, allowing attackers to manipulate database queries and extract sensitive data.
144. What is a major risk of using outdated cryptographic algorithms like MD5 or SHA-1?
a) They are prone to hash collisions and brute-force attacks
b) They increase encryption speed
c) They prevent DoS attacks
d) They make passwords stronger
Answer: a) They are prone to hash collisions and brute-force attacks
Explanation: MD5 and SHA-1 are considered weak because they can be cracked using modern computing power, leading to data integrity risks.
145. What is a key characteristic of polymorphic malware?
a) It changes its code and signature to evade detection
b) It only targets Linux-based systems
c) It cannot persist after reboot
d) It is only spread through USB devices
Answer: a) It changes its code and signature to evade detection
Explanation: Polymorphic malware continuously modifies its code, making it harder for traditional signature-based antivirus software to detect.
146. What is a critical security risk when applications store plaintext passwords?
a) They can be easily leaked and exposed in breaches
b) They slow down login processes
c) They prevent unauthorized access
d) They require multi-factor authentication
Answer: a) They can be easily leaked and exposed in breaches
Explanation: Storing plaintext passwords means attackers can immediately use them upon breach, compromising user accounts.
147. What is the primary security flaw of a Subdomain Takeover attack?
a) It allows attackers to take control of an abandoned subdomain
b) It triggers DDoS attacks
c) It only affects outdated web servers
d) It crashes web applications
Answer: a) It allows attackers to take control of an abandoned subdomain
Explanation: Subdomain takeovers occur when a subdomain points to a removed resource (e.g., cloud service), allowing an attacker to claim it.
148. Which of the following is a method to prevent privilege escalation attacks?
a) Implementing the principle of least privilege (PoLP)
b) Allowing unrestricted sudo access
c) Storing credentials in environment variables
d) Disabling all logging mechanisms
Answer: a) Implementing the principle of least privilege (PoLP)
Explanation: PoLP ensures users only have the minimum access rights required, reducing the risk of privilege escalation attacks.
149. What is the primary risk of an unrestricted XML Parser in a web application?
a) It can lead to XML External Entity (XXE) injection attacks
b) It slows down website performance
c) It prevents SQL injection attacks
d) It improves encryption strength
Answer: a) It can lead to XML External Entity (XXE) injection attacks
Explanation: Unrestricted XML parsing can allow attackers to inject external entities, which can access sensitive files or initiate Server-Side Request Forgery (SSRF).
150. What does the NTDS.dit file in an Active Directory environment contain?
a) User password hashes
b) Firewall configuration rules
c) System logs
d) Network traffic data
Answer: a) User password hashes
Explanation: The NTDS.dit file stores Active Directory domain credentials, including NTLM and Kerberos password hashes.
151. Which of the following is an example of an API security misconfiguration?
a) Exposing API keys in public repositories
b) Using brute-force authentication
c) Implementing strong encryption algorithms
d) Enforcing multi-factor authentication (MFA)
Answer: a) Exposing API keys in public repositories
Explanation: Publicly exposed API keys can be used by attackers to access cloud services, databases, and internal APIs without authentication.
152. What is the primary purpose of a “Heap Spray” attack?
a) To allocate malicious code in memory for exploitation
b) To increase network congestion
c) To conduct phishing attacks
d) To execute SQL injection
Answer: a) To allocate malicious code in memory for exploitation
Explanation: Heap spraying is a technique used in exploiting memory corruption vulnerabilities to control program execution.
153. What is the main advantage of using a Canary Token in penetration testing?
a) It alerts defenders when accessed by attackers
b) It encrypts system logs
c) It prevents brute-force attacks
d) It disables unauthorized API calls
Answer: a) It alerts defenders when accessed by attackers
Explanation: Canary Tokens are designed to detect unauthorized access attempts by triggering alerts when an attacker interacts with them.
154. What is the key security risk when using wildcard DNS records?
a) It enables subdomain hijacking attacks
b) It prevents DDoS attacks
c) It improves network speed
d) It forces all traffic through a VPN
Answer: a) It enables subdomain hijacking attacks
Explanation: Wildcard DNS records allow any subdomain to resolve, which can be abused for phishing or subdomain takeovers.
155. What technique is commonly used to detect hidden services in a Tor network?
a) Passive DNS analysis
b) Fingerprinting Tor nodes
c) SQL Injection
d) Cross-Site Scripting (XSS)
Answer: b) Fingerprinting Tor nodes
Explanation: Tor fingerprinting involves identifying unique characteristics of hidden services to trace their origin.
156. What is a significant security risk of enabling directory listing on a web server?
a) Attackers can browse and download sensitive files
b) It causes high CPU usage
c) It prevents phishing attacks
d) It strengthens authentication mechanisms
Answer: a) Attackers can browse and download sensitive files
Explanation: Directory listing allows attackers to see all available files on a server, increasing the risk of data leakage and exploitation.
157. What is the primary goal of a Silver Ticket attack?
a) To forge Kerberos service tickets for lateral movement
b) To crack VPN authentication
c) To modify firewall rules
d) To inject malware into SQL databases
Answer: a) To forge Kerberos service tickets for lateral movement
Explanation: Silver Ticket attacks allow attackers to forge Kerberos service tickets, enabling lateral movement within an Active Directory domain.
158. What is an effective way to mitigate a Padding Oracle Attack?
a) Implementing constant-time cryptographic operations
b) Increasing CPU speed
c) Disabling all encryption algorithms
d) Allowing unrestricted file uploads
Answer: a) Implementing constant-time cryptographic operations
Explanation: Padding Oracle attacks exploit error messages from padding validation, which can be mitigated by constant-time encryption responses.
159. What is the primary concern when using weak encryption algorithms like DES?
a) They are vulnerable to brute-force attacks
b) They slow down system performance
c) They prevent web application vulnerabilities
d) They increase network latency
Answer: a) They are vulnerable to brute-force attacks
Explanation: Weak encryption algorithms like DES can be easily cracked using modern computing power, making them insecure.
160. What is the primary function of the tool John the Ripper in penetration testing?
a) Cracking password hashes
b) Scanning network vulnerabilities
c) Detecting phishing emails
d) Encrypting system logs
Answer: a) Cracking password hashes
Explanation: John the Ripper is a powerful tool for performing dictionary and brute-force attacks on hashed passwords.
161. Which of the following attacks targets Weak Session Management?
a) Session Hijacking
b) DNS Spoofing
c) Clickjacking
d) SQL Injection
Answer: a) Session Hijacking
Explanation: Weak session management allows attackers to steal or manipulate session tokens, leading to unauthorized access.
162. What does the Nikto tool primarily scan for?
a) Web server vulnerabilities
b) Wireless network traffic
c) Encrypted password files
d) Firewall misconfigurations
Answer: a) Web server vulnerabilities
Explanation: Nikto scans web servers for misconfigurations, outdated software, and security vulnerabilities.
163. What is a key security risk when enabling auto-complete in web forms?
a) It allows attackers to steal saved credentials
b) It improves web page load times
c) It prevents brute-force attacks
d) It encrypts password inputs
Answer: a) It allows attackers to steal saved credentials
Explanation: Auto-complete settings in web browsers can expose saved credentials to attackers through malware or physical access.
164. What is an important security measure for preventing privilege escalation attacks?
a) Enforcing the principle of least privilege (PoLP)
b) Storing passwords in plaintext
c) Allowing unlimited sudo access
d) Using outdated software
Answer: a) Enforcing the principle of least privilege (PoLP)
Explanation: PoLP ensures that users only have the minimum permissions necessary, reducing the risk of privilege escalation.
165. What is a key risk of running outdated web frameworks in a production environment?
a) Increased risk of known vulnerabilities being exploited
b) Slower website load times
c) Lower network traffic
d) Reduced database query efficiency
Answer: a) Increased risk of known vulnerabilities being exploited
Explanation: Outdated web frameworks often contain unpatched security flaws, making them vulnerable to known exploits and attacks.
166. Which of the following is a primary concern when using default credentials on a system?
a) Attackers can easily gain unauthorized access
b) It increases system processing power
c) It prevents brute-force attacks
d) It improves password recovery
Answer: a) Attackers can easily gain unauthorized access
Explanation: Default credentials (e.g., admin/admin) are widely known and can be easily guessed or found in public breach databases.
167. What is a primary purpose of an Intrusion Prevention System (IPS)?
a) To actively block malicious traffic before it reaches the target system
b) To scan and log all network packets for later review
c) To allow all encrypted traffic through without inspection
d) To improve bandwidth efficiency
Answer: a) To actively block malicious traffic before it reaches the target system
Explanation: IPS systems monitor network traffic in real-time, detecting and preventing suspicious or known attack patterns before they cause harm.
168. Which security mechanism prevents brute-force attacks by increasing response time after multiple failed login attempts?
a) Rate limiting
b) Session fixation
c) TLS encryption
d) DNS caching
Answer: a) Rate limiting
Explanation: Rate limiting restricts the number of login attempts per user/IP, reducing the effectiveness of brute-force attacks.
169. What is the primary function of a keylogger?
a) To capture and record keystrokes entered by a user
b) To scan for open ports on a system
c) To detect phishing websites
d) To analyze firewall configurations
Answer: a) To capture and record keystrokes entered by a user
Explanation: Keyloggers record keyboard inputs, allowing attackers to steal credentials, personal data, and sensitive information.
170. What is a primary risk of allowing unrestricted outbound network traffic?
a) It enables data exfiltration and command-and-control (C2) communication
b) It improves firewall efficiency
c) It prevents malware from spreading
d) It reduces DNS resolution time
Answer: a) It enables data exfiltration and command-and-control (C2) communication
Explanation: Unrestricted outbound traffic allows attackers to exfiltrate data and maintain persistent access through C2 servers.
171. What is the key purpose of a honeypot in cybersecurity?
a) To attract and analyze malicious activity by mimicking vulnerable systems
b) To store user credentials securely
c) To provide a backup firewall configuration
d) To improve network performance
Answer: a) To attract and analyze malicious activity by mimicking vulnerable systems
Explanation: Honeypots are decoy systems that lure attackers, helping security teams analyze attack methods and behaviors.
172. Which of the following is a common risk associated with weak cryptographic random number generation?
a) Predictable key values leading to easier brute-force attacks
b) Increased CPU processing time
c) Slower database queries
d) Reduced firewall efficiency
Answer: a) Predictable key values leading to easier brute-force attacks
Explanation: Weak random number generation can produce predictable encryption keys, making brute-force decryption feasible.
173. Which tool is widely used for performing wireless network penetration testing?
a) Aircrack-ng
b) Nikto
c) Sqlmap
d) WPScan
Answer: a) Aircrack-ng
Explanation: Aircrack-ng is a suite of tools designed for wireless network security testing, packet sniffing, and WEP/WPA key cracking.
174. What does the Evil Twin Attack primarily target?
a) Wireless networks by creating a rogue access point
b) Web applications through SQL Injection
c) API endpoints via insecure CORS policies
d) Email servers with spam filters
Answer: a) Wireless networks by creating a rogue access point
Explanation: An Evil Twin Attack tricks users into connecting to a rogue Wi-Fi hotspot, allowing traffic interception and credential theft.
175. What is the main security risk of cross-site script inclusion (XSSI)?
a) Sensitive data exposure through unauthorized script execution
b) Bypassing encryption protocols
c) Manipulating DNS responses
d) Overloading a network with excessive requests
Answer: a) Sensitive data exposure through unauthorized script execution
Explanation: XSSI attacks exploit JavaScript file inclusions, allowing attackers to steal user-sensitive data from trusted origins.
176. What is the purpose of BitLocker in Windows security?
a) To provide full-disk encryption for data protection
b) To detect SQL Injection attacks
c) To prevent brute-force logins
d) To scan for malware infections
Answer: a) To provide full-disk encryption for data protection
Explanation: BitLocker encrypts entire disk partitions, ensuring data remains protected even if a device is physically stolen.
177. What is an effective defense against a Pass-the-Hash (PtH) attack?
a) Enforcing multi-factor authentication (MFA)
b) Allowing plaintext password storage
c) Disabling all administrator accounts
d) Avoiding software updates
Answer: a) Enforcing multi-factor authentication (MFA)
Explanation: Pass-the-Hash (PtH) attacks use hashed credentials for authentication. MFA ensures additional authentication layers are required.
178. Which vulnerability allows an attacker to inject unintended SQL queries into a web application?
a) SQL Injection
b) Cross-Site Scripting (XSS)
c) Cross-Site Request Forgery (CSRF)
d) Remote File Inclusion (RFI)
Answer: a) SQL Injection
Explanation: SQL Injection (SQLi) exploits improper input validation, allowing attackers to manipulate database queries.
179. What is the main objective of buffer overflow exploitation?
a) To execute arbitrary code by overwriting memory regions
b) To inject fake DNS responses
c) To overload a web server with excessive requests
d) To brute-force login credentials
Answer: a) To execute arbitrary code by overwriting memory regions
Explanation: Buffer overflow attacks manipulate memory buffers, leading to remote code execution (RCE) or system crashes.
180. What is the purpose of an LFI (Local File Inclusion) attack?
a) To read or execute files on the server
b) To perform denial-of-service attacks
c) To bypass firewall rules
d) To inject JavaScript into web pages
Answer: a) To read or execute files on the server
Explanation: LFI attacks exploit poor file handling in web applications, allowing local file access (e.g., /etc/passwd).
181. What is the primary goal of a Cross-Site Request Forgery (CSRF) attack?
a) To force an authenticated user to perform unintended actions
b) To inject SQL queries into a database
c) To brute-force user credentials
d) To sniff network traffic
Answer: a) To force an authenticated user to perform unintended actions
Explanation: CSRF attacks trick authenticated users into executing unwanted actions on a web application without their consent.
182. What is the main security concern with public Wi-Fi networks?
a) They slow down encrypted communications
b) They are susceptible to man-in-the-middle (MITM) attacks
c) They prevent DNS resolution
d) They always use secure VPN connections
Answer: b) They are susceptible to man-in-the-middle (MITM) attacks
Explanation: Public Wi-Fi networks often lack proper encryption, making them vulnerable to MITM attacks, session hijacking, and data interception.
183. What is the primary purpose of the robots.txt file on a website?
a) To prevent unauthorized access to the web server
b) To instruct search engine crawlers on which pages to index or avoid
c) To encrypt user login credentials
d) To improve the website’s security against SQL Injection
Answer: b) To instruct search engine crawlers on which pages to index or avoid
Explanation: The robots.txt file helps search engines decide which pages to crawl but should not be relied upon for security.
184. What is a major risk of weak CAPTCHA implementations in login forms?
a) Attackers can bypass them using automated scripts
b) They increase user authentication speed
c) They protect against all phishing attacks
d) They prevent brute-force attacks entirely
Answer: a) Attackers can bypass them using automated scripts
Explanation: Weak CAPTCHA implementations can be solved by bots or CAPTCHA-solving services, reducing their effectiveness against brute-force attacks.
185. What is an effective defense against a Clickjacking attack?
a) Using the X-Frame-Options header
b) Implementing brute-force protection
c) Encrypting session cookies
d) Enabling JavaScript input validation
Answer: a) Using the X-Frame-Options header
Explanation: The X-Frame-Options header prevents web pages from being embedded inside iframes, blocking Clickjacking attacks.
186. What is the purpose of the Shodan search engine in cybersecurity?
a) To scan the internet for exposed devices and services
b) To detect phishing emails
c) To decrypt encrypted passwords
d) To simulate denial-of-service attacks
Answer: a) To scan the internet for exposed devices and services
Explanation: Shodan is a search engine that indexes exposed internet-connected devices, services, and vulnerabilities.
187. What is the security risk of exposing server banners in HTTP responses?
a) Attackers can fingerprint the server software and exploit known vulnerabilities
b) It increases server performance
c) It reduces brute-force attack effectiveness
d) It prevents phishing attacks
Answer: a) Attackers can fingerprint the server software and exploit known vulnerabilities
Explanation: Exposed server banners provide attackers with information about the software version, allowing them to target known vulnerabilities.
188. What is an effective way to mitigate credential stuffing attacks?
a) Implementing multi-factor authentication (MFA)
b) Using only short passwords
c) Disabling account lockout features
d) Avoiding encryption
Answer: a) Implementing multi-factor authentication (MFA)
Explanation: MFA ensures that even if an attacker obtains credentials, they still require an additional factor (e.g., OTP, biometrics) to gain access.
189. What type of penetration test assumes the attacker has no prior knowledge of the target?
a) Black-box testing
b) White-box testing
c) Gray-box testing
d) Compliance testing
Answer: a) Black-box testing
Explanation: Black-box testing simulates an external attacker with no prior knowledge of the system, focusing on publicly accessible vulnerabilities.
190. Which of the following is a common indicator of DNS tunneling attacks?
a) Unusual spikes in DNS query traffic
b) High CPU usage on client devices
c) Slow web page loading times
d) Increased encryption speed
Answer: a) Unusual spikes in DNS query traffic
Explanation: DNS tunneling uses DNS requests to exfiltrate data or maintain a command-and-control channel, often causing anomalous traffic patterns.
191. What is an example of a business logic vulnerability in web applications?
a) Bypassing payment validation by modifying API requests
b) Exploiting SQL Injection in login forms
c) Running a phishing campaign
d) Conducting a denial-of-service attack
Answer: a) Bypassing payment validation by modifying API requests
Explanation: Business logic vulnerabilities arise when attackers manipulate intended application processes, such as skipping payment validation.
192. What does the hydra tool primarily help penetration testers achieve?
a) Performing brute-force attacks on authentication mechanisms
b) Detecting web application vulnerabilities
c) Scanning networks for open ports
d) Extracting metadata from images
Answer: a) Performing brute-force attacks on authentication mechanisms
Explanation: Hydra is a brute-force password-cracking tool used for testing login security across various protocols.
193. What is a key risk of misconfigured CORS (Cross-Origin Resource Sharing)?
a) It allows unauthorized cross-domain API requests
b) It disables SQL Injection protection
c) It prevents phishing attacks
d) It increases network latency
Answer: a) It allows unauthorized cross-domain API requests
Explanation: Misconfigured CORS can allow malicious websites to make unauthorized requests on behalf of authenticated users.
194. What is the main purpose of an incident response plan in cybersecurity?
a) To provide a structured approach for handling security breaches
b) To increase network bandwidth
c) To automate software updates
d) To improve session management
Answer: a) To provide a structured approach for handling security breaches
Explanation: An incident response plan defines procedures for detecting, responding to, and recovering from security incidents.
195. What is an example of an indirect attack vector?
a) Phishing emails leading to credential theft
b) Exploiting an unpatched server
c) Using SQL Injection to gain database access
d) Running a buffer overflow exploit
Answer: a) Phishing emails leading to credential theft
Explanation: Indirect attack vectors involve social engineering or manipulation to trick users into compromising their own security.
196. What is an effective defense against privilege escalation attacks?
a) Implementing the principle of least privilege (PoLP)
b) Allowing default administrator accounts
c) Storing credentials in plaintext
d) Using outdated operating systems
Answer: a) Implementing the principle of least privilege (PoLP)
Explanation: PoLP ensures users only have the minimum required access, reducing the risk of privilege escalation exploits.
197. What is a primary risk of an insecure direct object reference (IDOR) vulnerability?
a) It allows unauthorized access to sensitive objects or records
b) It enables brute-force attacks on authentication mechanisms
c) It leads to increased web server latency
d) It prevents cross-site scripting (XSS) attacks
Answer: a) It allows unauthorized access to sensitive objects or records
Explanation: IDOR vulnerabilities occur when applications do not properly validate user permissions, allowing attackers to access or modify unauthorized records.
198. What is the main purpose of the SQLmap tool in penetration testing?
a) Automating SQL Injection detection and exploitation
b) Scanning networks for open ports
c) Performing brute-force password attacks
d) Encrypting database credentials
Answer: a) Automating SQL Injection detection and exploitation
Explanation: SQLmap is an automated SQL Injection tool that helps penetration testers identify and exploit database vulnerabilities.
199. What security issue can arise from improperly validated user input in a file upload feature?
a) Remote Code Execution (RCE)
b) DNS Spoofing
c) ARP Poisoning
d) Session Timeout Issues
Answer: a) Remote Code Execution (RCE)
Explanation: Unvalidated file uploads can allow attackers to upload malicious scripts, leading to RCE and full system compromise.
200. What is an effective mitigation technique for preventing subdomain takeovers?
a) Removing orphaned DNS records
b) Enabling auto-scaling on servers
c) Increasing DNS lookup speed
d) Blocking all HTTP requests
Answer: a) Removing orphaned DNS records
Explanation: Subdomain takeovers occur when unused subdomains still point to decommissioned cloud services or platforms, allowing attackers to hijack them.
201. What is the primary risk of exposing .git directories on a public-facing web server?
a) Attackers can retrieve the entire source code repository
b) It prevents session hijacking
c) It disables SQL Injection vulnerabilities
d) It increases firewall security
Answer: a) Attackers can retrieve the entire source code repository
Explanation: Exposed .git directories allow attackers to download source code, credentials, and security configurations, leading to data leaks and exploitation.
202. What is the primary goal of a BGP hijacking attack?
a) To manipulate internet routing and redirect traffic
b) To execute SQL Injection on database servers
c) To brute-force SSH passwords
d) To conduct man-in-the-middle attacks on HTTPS
Answer: a) To manipulate internet routing and redirect traffic
Explanation: BGP hijacking involves manipulating Border Gateway Protocol (BGP) routes, enabling attackers to redirect and intercept network traffic.
203. What is a common security risk of using default SNMP community strings?
a) Unauthorized network reconnaissance and control
b) Increased website load time
c) Slower authentication processes
d) Prevention of phishing attacks
Answer: a) Unauthorized network reconnaissance and control
Explanation: Default SNMP community strings (e.g., “public” and “private”) can allow attackers to query and modify network device configurations.
204. What is the primary risk of allowing eval() function usage in web applications?
a) It enables Remote Code Execution (RCE) vulnerabilities
b) It speeds up script execution
c) It prevents SQL Injection attacks
d) It reduces the risk of privilege escalation
Answer: a) It enables Remote Code Execution (RCE) vulnerabilities
Explanation: The eval() function executes arbitrary code, which can be exploited for RCE if user input is not sanitized properly.
205. What is an effective countermeasure against DLL hijacking attacks?
a) Implementing code signing for DLL files
b) Disabling TLS encryption
c) Using only HTTP instead of HTTPS
d) Allowing unrestricted file execution
Answer: a) Implementing code signing for DLL files
Explanation: DLL hijacking occurs when attackers replace legitimate DLL files with malicious ones, which can be prevented by enforcing digital signatures.