CEHv Dumps


1- Initiating an attack against targeted businesses and organizations, threat actors compromise a

carefully selected website by inserting an exploit resulting in malware infection. The attackers run
exploits on well-known and trusted sites likely to be visited by their targeted victims. Aside from
carefully choosing sites to compromise, these attacks are known to incorporate zero-day exploits
that target unpatched vulnerabilities. Thus, the targeted entities are left with little or no defense
against these exploits.

What type of attack is outlined in the scenario?

⃝Watering Hole Attack

⃝Heartbleed Attack

⃝Shellshock Attack

⃝Spear Phishing Attack

2- A medium-sized healthcare IT business decides to implement a risk management strategy.


Which of the following is NOT one of the five basic responses to risk?

⃝Accept

⃝Mitigate

⃝Delegate

⃝Avoid

3- Which of the following tools is used to analyze the files produced by packet-capture programs such
as tcpdump, WinDump, Wireshark, and EtherPeek?

⃝Nessus

⃝tcptrace

⃝OpenVAS

⃝tcptraceroute

4- Which of the following statements is TRUE?

⃝Sniffers operate on Layer 3 of the OSI model.

⃝Sniffers operate on both Layer 2 & Layer 3 of the OSI model.

⃝Sniffers operate on Layer 2 of the OSI model.

⃝Sniffers operate on the Layer 1 of the OSI model.


5- You have successfully gained access to a Linux server and would like to ensure that the succeeding
outgoing traffic from this server will not be caught by a Network Based Intrusion Detection System
(NIDS).
What is the best way to evade the NIDS?

⃝Protocol Isolation

⃝Out of band signaling

⃝Alternate Data Streams

⃝Encryption

6- Which of the following is a design pattern based on distinct pieces of software providing application
functionality as services to other applications?

⃝Agile process

⃝Lean Coding

⃝Service Oriented Architecture

⃝Object Oriented Architecture

7- You are using NMAP to resolve domain names into IP addresses for a ping sweep later.
Which of the following commands looks for IP addresses?

⃝>host -t AXFR hackeddomain.com

⃝>host -t a hackeddomain.com

⃝>host -t ns hackeddomain.com

⃝>host -t soa hackeddomain.com

8- Which mode of IPSec should you use to assure security and confidentiality of data within the same
LAN?

⃝AH Tunnel mode

⃝AH promiscuous

⃝ESP confidential

⃝ESP transport mode


9- Jimmy is standing outside a secure entrance to a facility. He is pretending to have a tense
conversation on his cell phone as an authorized employee badges in. Jimmy, while still on the
phone, grabs the door as it begins to close.
What just happened?

⃝Phishing

⃝Masquerading

⃝Whaling

⃝Piggybacking

10- Nation-state threat actors often discover vulnerabilities and hold on to them until they want to
launch a sophisticated attack. The Stuxnet attack was an unprecedented style of attack because it
used four types of vulnerability.
What is this style of attack called?

⃝zero-hour

⃝zero-day

⃝zero-sum

⃝no-day

11- To maintain compliance with regulatory requirements, a security audit of the systems on a network
must be performed to determine their compliance with security policies. Which one of the following
tools would most likely be used in such an audit?

⃝Port scanner

⃝Protocol analyzer

⃝Intrusion Detection System

⃝Vulnerability scanner

12- You are tasked to perform a penetration test. You are performing information gathering, you find an
employee list in Google. You find the receptionist's email, and you send her an email changing the
source email to her boss's email ( boss@company ). In this email, you ask for a pdf with information.
She reads your email and sends back a pdf with links. You exchange the pdf links with your malicious
links (these links contain malware) and send back the modified pdf, saying that the links don’t work.
She reads your email, opens the links, and her machine gets infected. You now have access to the
company network. Which testing method did you use?

⃝Piggybacking

⃝Social engineering

⃝Eavesdropping

⃝Tailgating

13- Which of the following describes the characteristics Of a Boot Sector Virus?

⃝Overwrites the original MBR and only executes the new virus code

⃝Moves the MBR to another location on the RAM and copies itself to the original location of the
MBR

⃝Moves the MBR to another location on the hard disk and copies itself to the original location of
the MBR

⃝Modifies directory table entries so that directory entries point to the virus code instead of the
actual program

14- As a Certified Ethical Hacker, you were contracted by a private firm to conduct an external security
assessment through penetration testing. What document describes the specifics of the testing, the
associated violations, and essentially protects both the organization's interest and your liabilities as
a tester?

⃝Non-Disclosure Agreement

⃝Project Scope

⃝Terms Of Engagement

⃝Service Level Agreement


15- You are a Network Security Officer. You have two machines. The first machine (192.168.0.99) has
snort installed, and the second machine (192.168.0.150) has kiwi syslog installed. You perform a syn
scan in your network, and you notice that kiwi syslog is not receiving the alert message from snort.
You decide to run wireshark in the snort machine to check if the messages are going to the kiwi
syslog machine.
What wireshark filter will show the connections from the snort machine to kiwi syslog machine?

⃝tcp.dstport==514 && ip.dst==192.168.0.0/16

⃝tcp.srcport==514 && ip.src==192.168.0.99

⃝tcp.dstport==514 && ip.dst==192.168.0.150

⃝tcp.srcport==514 && ip.src==192.168.150

16- You work as a Security Analyst for a retail organization. In securing the company's network, you set
up a firewall and an IDS. However, hackers are able to attack the network. After investigating, you
discover that your IDS is not configured properly and therefore is unable to trigger alarms when
needed. What type of alert is the IDS giving?

⃝False Positive

⃝True Negative

⃝True Positive

⃝False Negative

17- You have several plain-text firewall logs that you must review to evaluate network traffic. You know
that in order to do fast, efficient searches of the logs you must use regular expressions.
Which command-line utility are you most likely to use?

⃝Grep

⃝Relational Database

⃝MS Excel

⃝Notepad

18- You have successfully compromised a machine on the network and found a server that is alive on
the same network. You tried to ping it but you didn’t get any response back. What is happening?

⃝You need to run the ping command with root privileges

⃝The ARP is disabled on the target server.

⃝TCP/IP doesn't support ICMP.

⃝ICMP could be disabled on the target server.


19- A network administrator discovers several unknown files in the root directory of his Linux FTP
server. One of the files is a tarball, two are shell script files, and the third is a binary file named
"nc". The FTP server's access logs show that the anonymous user account logged in to the server,
uploaded the files, and extracted the contents of the tarball and ran the script using a function
provided by the FTP server's software. The ps command shows that the nc file is running as a process,
and the netstat command shows the nc process is listening on a network port.
What kind of vulnerability must be present to make this remote attack possible?

⃝Directory traversal

⃝Privilege escalation

⃝File system permissions

⃝Brute force login

20- A regional bank hires your company to perform a security assessment on their network after a
recent data breach. The attacker was able to steal financial data from the bank by compromising
only a single server. Based on this information, what should be one of your key recommendations to
the bank?

⃝Require all employees to change their passwords immediately

⃝Move the financial data to another server on the same IP subnet

⃝Place front-end web server in demilitarized zone that only handles external web traffic

⃝Issue new certificates to the web servers from the root certificate authority

21- This asymmetric cipher is based on factoring the product of two large prime numbers.
What cipher is described above?

⃝RC5

⃝RSA

⃝MD5

⃝SHA

22- What is the benefit of performing an unannounced Penetration Test?

⃝The tester will have an actual posture visibility of the target network.

⃝Network Security would be in a "best state" posture.

⃝It is best to catch critical infrastructure unpatched.

⃝The tester could not provide an honest analysis.


23- After trying multiple exploits, you've gained root access to a CentOS 6 server. To ensure you maintain
access, what would you do first?

⃝Disable IPTables

⃝Create User Account

⃝Disable Key Services

⃝Download and Install Netcat

24- Which of the following is the least-likely physical characteristic to be used in biometric control that
supports a large company?

⃝Iris patterns

⃝Height and Weight

⃝Fingerprints

⃝Voice

25- Which of the following is a command line packet analyzer similar to GUI-based Wireshark?

⃝Jack the ripper

⃝tcpdump

⃝nessus

⃝ethereal

26- What does a firewall check to prevent particular ports and applications from getting packets into an
organization?

⃝Application layer port numbers and the transport layer headers

⃝Transport layer port numbers and application layer headers

⃝Network layer headers and the session layer port numbers

⃝Presentation layer headers and the session layer port numbers

27- Which of the following is a component of a risk assessment?

⃝DMZ

⃝Physical security

⃝Administrative safeguards

⃝Logical interface

28- It is an entity or event with the potential to adversely impact a system through unauthorized access,
destruction, denial of service or of data. Which of the following terms best matches the definition?

⃝Threat

⃝Vulnerability

⃝Attack

⃝Risk

29- A hacker has successfully infected an internet-facing server which he will then use to send junk mail,
take part in coordinated attacks or host junk email content.
Which sort of Trojan infects this server?

⃝Ransomware Trojans

⃝Botnet Trojan

⃝Banking Trojans

⃝Turtle Trojans

30- A penetration tester is conducting a port scan on a specific host. The tester found several ports
opened that were confusing in concluding the Operating System (OS) version installed. Considering
the NMAP result below, which of the following is likely to be installed on the target machine by the
OS?

Starting NMAP 5.21 at 2011-03-15 11:06
NMAP scan report for 172.15.40.65
Host is up (1.00s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open http
139/tcp open netbios-ssn
515/tcp open
631/tcp open ipp
9100/tcp open
MAC Address: 00:00:48:0D:EE:8

⃝The host is likely a Windows machine.

⃝The host is likely a printer.

⃝The host is likely a Linux machine.

⃝The host is likely a router.

31- Which of the following is designed to identify malicious attempts to penetrate systems?

⃝Router

⃝Intrusion Detection System

⃝Firewall

⃝Proxy

32- What is the best description of SQL injection?

⃝It is a Denial of Service Attack.

⃝It is an attack used to modify code in an application.

⃝It is a Man-in-the-Middle attack between your SQL Server and Web App Server.

⃝It is an attack used to gain unauthorized access to database.

33- Which of the following is a protocol specifically designed for transporting event messages?

⃝SYSLOG

⃝SMS

⃝SNMP

⃝SMTP

34- Which of the following is the greatest threat posed by backups?

⃝A backup is incomplete because no verification was performed

⃝A backup is unavailable during disaster recovery

⃝An un-encrypted backup can be misplaced or stolen.

⃝A backup is the source of Malware or illicit information.

35- The chance of a hard drive failure is once every three years. The cost to buy a new hard drive is
$300. It will require 10 hours to restore the OS and software to the new hard disk. It will require a
further 4 hours to restore the database from the last backup to the new hard disk. The recovery
person earns $10/hour. Calculate the SLE, ARO, and ALE. Assume the EF = 1 (100%).
What is the closest approximate cost of this replacement and recovery operation per year?

⃝$1320

⃝$440

⃝$146

⃝$100

36- Which of the following tools is used to detect wireless LANs using the 802.11 a/b/g/n WLAN
standards on a Linux platform?

⃝Netstumbler

⃝Kismet

⃝Nessus

⃝Abel

37- You are logged in as a local admin on a Windows 7 system and you need to launch the Computer
Management Console from command line.
Which command would you use?

⃝c:\ncpa.cpl

⃝c:\gpedit

⃝c:\services.msc

⃝c:\compmgmt.msc

38- Which of the following parameters describe LM Hash:

I - The maximum password length is 14 characters.

II - There are no distinctions between uppercase and lowercase.

III - It’s a simple algorithm: so 10,000,000 hashes can be generated per second.

⃝I

⃝I and II

⃝II

⃝I, II and III

39- Jesse receives an email with an attachment labeled "Court Notice_21206.zip". Inside the Zip file is a
file named "Court Notice_21206.docx.exe" disguised as a word document. Upon execution, a
window appears stating, "This document is corrupt." In the background, the file copies itself to Jesse
APPDATA\local directory and begins to beacon to a C2 server to download additional malicious
binaries.

What type of malware has Jesse encountered?

⃝Worm

⃝Trojan

⃝Key Logger

⃝Macro Virus

40- Your company was hired by a small healthcare provider to perform a technical assessment on the
network. What is the best approach for discovering vulnerabilities on a Windows-based computer?

⃝Use the built-in Windows Update tool

⃝Check MITRE.org for the latest list of CVE findings

⃝Create a disk image of a clean Windows installation

⃝Use a scan tool like Nessus


41- What is a "Collision attack" in cryptography?

⃝Collision attacks try to get the public key

⃝Collision attacks try to break the hash into three parts to get the value.

⃝Collision attacks try to find inputs producing the same hash.

⃝Collision attacks try to break the hash into two parts, with the same bytes in each part to get the
private key.

42- When you return to your desk after a lunch break, you notice a strange email in your Inbox. The
sender is someone you did business with recently, but the subject line has strange characters in it.
What should you do?

⃝Delete the email and pretend nothing happened.

⃝Forward the message to your Supervisor and ask for her opinion on how to handle the situation.

⃝Forward the message to your company's security response team and permanently delete the
message from your computer.

⃝Reply to the sender and ask them for more information about the message contents.

43- The security concept of "separation of duties" is most similar to the operation of which type of
security device?

⃝Intrusion Detection System

⃝Firewall

⃝Bastion host

⃝Honey pot

44- Port scanning can be used as part of a technical assessment to determine network vulnerabilities.
The TCP XMAS scan is used to identify listening ports on the targeted system. If a scanned port is
open, what happens?

⃝The port will send a SYN

⃝The port will send an ACK

⃝The port will send a RST

⃝The port will ignore the packets


45- The "gray box testing" methodology enforces what kind of restriction?

⃝The internal operation of a system is only partly accessible to the tester.

⃝The internal operation of a system is completely known to the tester.

⃝Only the internal operation of a system is known to the tester.

⃝Only the external operation of a system is accessible to the tester.

46- It is a regulation that has a set of guidelines, which should be adhered to by anyone who handles
any electronic medical data. These guidelines stipulate that all medical practices must ensure that all
necessary measures are in place while saving, accessing and sharing any electronic medical data to
keep patient data secure. Which of the following regulations best matches the description?

⃝COBIT

⃝ISO/IEC 27002

⃝FISMA

⃝HIPAA

47- The Heartbleed bug was discovered in 2014 and is widely referred to under MITRE's Common
Vulnerabilities and Exposures (CVE) as this bug affects the OpenSSL implementation of the transport
layer security (TLS) protocols defined in RFC6520.
What type of key does this bug leave exposed to the internet making exploitation of any
compromised system very easy?

⃝Private

⃝Public

⃝Root

⃝Shared

48- The purpose of _________ is to deny network access to local area networks and other information
assets by unauthorized wireless devices.

⃝Wireless Access Point

⃝Wireless Intrusion Prevention System

⃝Wireless Analyzer

⃝Wireless Access Control List


49- Which of the following statements regarding ethical hacking is incorrect?

⃝Testing should be remotely performed offsite.

⃝An organization should use ethical hackers who do not sell vendor hardware/software or other
consulting services.

⃝Ethical hackers should never use tools or methods that have the potential of exploiting
vulnerabilities in an organization's systems.

⃝Ethical hacking should not involve writing to or modifying the target systems

50- This international organization regulates billions of transactions daily and provides security
guidelines to protect personally identifiable information (PII). These security controls provide a
baseline and prevent low-level hackers sometimes known as script kiddies from causing a data
breach.
Which of the following organizations is being described?

⃝Payment Card Industry (PCI)

⃝Institute of Electrical and Electronics Engineers (IEEE)

⃝International Security Industry Organization (ISIO)

⃝Center for Disease Control (CDC)

51- In 2007, this wireless security algorithm was rendered useless by capturing packets and discovering
the passkey in a matter of seconds. This security flaw led to a network invasion of TJ Maxx and data
theft through a technique known as wardriving.
Which algorithm is this referring to?

⃝Wi-Fi Protected Access (WPA)

⃝Wired Equivalent Privacy (WEP)

⃝Temporal Key Integrity Protocol (TKIP)

⃝Wi-Fi Protected Access 2 (WPA2)

52- A common cryptographic tool is the use of XOR. XOR the following binary values:
10110001
00111010

⃝11011000

⃝10001011

⃝10011101

⃝10111100

53- Which of the following is considered the best way to protect personally identifiable information
(PII) from Web application vulnerabilities?

⃝Use full disk encryption on all hard drives to protect PII

⃝Use a security token to log into all Web applications that use PII

⃝Use encrypted communications protocols to transmit PII

⃝Use cryptographic storage to store all PII

54- The "black box testing" methodology enforces which kind of restriction?

⃝Only the external operation of a system is accessible to the tester.

⃝Only the operation of a system is known to the tester.

⃝The internal operation of a system is only partly accessible to the tester.

⃝The internal operation of a system is completely known to the tester.

55- What term describes the amount of risk that remains after the vulnerabilities are classified and the
countermeasures have been deployed?

⃝Inherent risk

⃝Impact risk

⃝Deferred risk

⃝Residual risk

56- Ricardo wants to send secret messages to a competitor company. To secure these messages, he
uses a technique of hiding a secret message within an ordinary message. The technique provides
'security through obscurity'.
What technique is Ricardo using?

⃝Public-key cryptography

⃝RSA algorithm

⃝Encryption

⃝Steganography

57- During a recent security assessment, you discover the organization has one Domain Name Server
(DNS) in a Demilitarized Zone (DMZ) and a second DNS server on the internal network.
What is this type of DNS configuration commonly called?

⃝DNS scheme

⃝DynDNS

⃝DNSSEC

⃝Split DNS

58- Which of the following is assured by the use of a hash?

⃝Confidentiality

⃝Authentication

⃝Availability

⃝Integrity

59- Your team has won a contract to infiltrate an organization. The company wants to have the attack
be as realistic as possible; therefore they did not provide any information besides the company
name. What should be the first step in security testing the client?

⃝Escalation

⃝Reconnaissance

⃝Enumeration

⃝Scanning

60- Which of the following tools can be used for passive OS fingerprinting?

⃝tracert

⃝Ping

⃝tcpdump

⃝nmap

61- Which tool allows analysts and pen testers to examine links between data using graphs and link
analysis?

⃝Cain & Abel

⃝Maltego

⃝Wireshark

⃝Metasploit

62- An Intrusion Detection System (IDS) has alerted the network administrator to a possibly malicious
sequence of packets sent to a Web server in the network's external DMZ. The packet traffic was
captured by the IDS and saved to a PCAP file. What type of network tool can be used to determine if
these packets are genuinely malicious or simply a false positive?

⃝Intrusion Prevention System (IPS)

⃝Vulnerability scanner

⃝Protocol analyzer

⃝Network sniffer

63- Under the "Post-attack Phase and Activities," it is the responsibility of the tester to restore the
systems to a pre-test state. Which of the following activities should not be included in this phase?

I. Removing all files uploaded on the system

II. Cleaning all registry entries

III. Mapping of network state

IV. Removing all tools and maintaining backdoor for reporting

⃝IV

⃝III and IV

⃝III

⃝All should be included

64- You have compromised a server on a network and successfully opened a shell. You aimed to identify
all operating systems running on the network. However, as you attempt to fingerprint all machines in
the network using the nmap syntax below, it is not going through.
invictus@victim_server:~$ nmap -T4 -O 10.10.0.0/24
TCP/IP fingerprinting (for OS scan) xxxxxxx xxxxxx xxxxxxxxx.
QUITTING!

What seems to be wrong?

⃝The nmap syntax is wrong.

⃝OS Scan requires root privileges.

⃝This is a common behavior for a corrupted nmap application.

⃝The outgoing TCP/IP fingerprinting is blocked by the host firewall.

65- It is a short-range wireless communication technology intended to replace the cables connecting
portable or fixed devices while maintaining high levels of security. It allows mobile phones,
computers and other devices to connect and communicate using a short-range wireless connection.
Which of the following terms best matches the definition?

⃝Bluetooth

⃝WLAN

⃝InfraRed

⃝Radio-Frequency Identification

66- The "white box testing" methodology enforces what kind of restriction?

⃝The internal operation of a system is completely known to the tester.

⃝Only the internal operation of a system is known to the tester.

⃝The internal operation of a system is only partly accessible to the tester.

⃝Only the external operation of a system is accessible to the tester.

67- You have compromised a server and successfully gained a root access. You want to pivot and pass
traffic undetected over the network and evade any possible Intrusion Detection System.
What is the best approach?

⃝Install and Telnet to encrypt all outgoing traffic from this server.

⃝Use Alternate Data Streams to hide the outgoing packets from this server.

⃝Install Cryptcat and encrypt outgoing packets from this server.

⃝Use HTTP so that all traffic can be routed via a browser, thus evading the internal Intrusion
Detection Systems.

68- Which of the following is the BEST way to defend against network sniffing?

⃝Use Static IP Address

⃝Register all machines MAC Address in a Centralized Database

⃝Restrict Physical Access to Server Rooms hosting Critical Servers

⃝Using encryption protocols to secure network communications

69- Your company performs penetration tests and security assessments for small and medium-sized
business in the local area. During a routine security assessment, you discover information that
suggests your client is involved with human trafficking.
What should you do?

⃝Confront the client in a respectful manner and ask her about the data.

⃝Ignore the data and continue the assessment until completed as agreed.

⃝Copy the data to removable media and keep it in case you need it.

⃝Immediately stop work and contact the proper legal authorities.


70- In Risk Management, how is the term "likelihood" related to the concept of "threat"?

⃝Likelihood is a possible threat-source that may exploit a vulnerability.

⃝Likelihood is the likely source of threat that could exploit a vulnerability.

⃝Likelihood is the probability that a vulnerability is a threat-source.

⃝Likelihood is the probability that a threat-source will exploit a vulnerability.

71- Using Windows CMD, how would an attacker list all the shares to which the current user context has
access?

⃝NET FILE

⃝NET

⃝NET use

⃝NET CONFIG

72- It is a vulnerability in GNU's bash shell, discovered in September of 2014, that gives attackers access
to run remote commands on a vulnerable system. The malicious software can take control of an
infected machine, launch denial-of-service attacks to disrupt websites, and scan for other vulnerable
devices (including routers).
Which of the following vulnerabilities is being described?

⃝Rootshell

⃝Shellbash

⃝Shellshock

⃝Rootshock

73- Which of the following types of firewalls ensures that the packets are part of the established
session?

⃝Application-level firewall

⃝Switch-level firewall

⃝Stateful inspection firewall

⃝Circuit-level firewall

74- Which of the following is not a Bluetooth attack?

⃝Bluesnarfing

⃝Bluedriving

⃝Bluesmacking

⃝Bluejacking

75- You've gained physical access to a Windows 2008 R2 server which has an accessible disc drive. When
you attempt to boot the server and log in, you are unable to guess the password. In your tool kit you
have an Ubuntu 9.10 Linux LiveCD. Which Linux based tool has the ability to change any user's
password or to activate disabled Windows accounts?

⃝Cain & Abel

⃝John the Ripper

⃝CHNTPW

⃝SET

76- To determine if a software program properly handles a wide range of invalid input, a form of
automated testing can be used to randomly generate invalid input in an attempt to crash the
program.
What term is commonly used when referring to this type of testing?

⃝Bounding

⃝Mutating

⃝Fuzzing

⃝Randomizing

77- An attacker gains access to a Web server's database and displays the contents of the table that holds
all of the names, passwords, and other user information. The attacker did this by entering
information into the Web site's user login page that the software's designers did not expect to be
entered. This is an example of what kind of software design problem?

⃝Insufficient exception handling

⃝Insufficient database hardening

⃝Insufficient security management

⃝Insufficient input validation

78- Which of the following is the structure designed to verify and authenticate the identity of individuals
within the enterprise taking part in a data exchange?

⃝Single sign on

⃝biometrics

⃝PKI

⃝SOA

79- Prospective clients want to see sample reports from previous penetration tests.
What should you do next?

⃝Decline, but provide references.

⃝Share reports, after NDA is signed.

⃝Share full reports with redactions.

⃝Share full reports, not redacted.

80- Which of the following is a low-tech way of gaining unauthorized access to systems?

⃝Scanning

⃝Social Engineering

⃝Sniffing

⃝Eavesdropping

81- Which of these options is the most secure procedure for storing backup tapes?

⃝In a climate controlled facility offsite

⃝Inside the data center for faster retrieval in a fireproof safe

⃝In a cool dry environment

⃝On a different floor in the same building

82- You have successfully gained access to your client's internal network and successfully compromised a
Linux server which is part of the internal IP network. You want to know which Microsoft Windows
machines have file sharing enabled.
Which port would you see listening on these Windows machines in the network?

⃝1433

⃝161

⃝445

⃝3389

83- While using your bank's online servicing you notice the following string in the URL bar:
"http://www.MyPersonalBank.com/account?
id=368940911028389&Damount=10980&Camount=21" You observe that if you modify the
Damount & Camount values and submit the request, that data on the web page reflect the changes.
Which type of vulnerability is present on this site?

⃝Cookie Tampering

⃝XSS Reflection

⃝Web parameter Tampering

⃝SQL injection

84- Which of the following tools performs comprehensive tests against web servers, including
dangerous files and CGIs?

⃝Nikto

⃝Snort

⃝Dsniff

⃝John the Ripper

85- The configuration allows a wired or wireless network interface controller to pass all traffic it receives
to the central processing unit (CPU), rather than passing only the frames that the controller is
intended to receive.
Which of the following is being described?

⃝Multi-cast mode

⃝WEM

⃝Promiscuous mode

⃝Port forwarding

86- The network administrator contacts you and tells you that she noticed the temperature on the
internal wireless router increases by more than 20% during weekend hours when the office was
closed. She asks you to investigate the issue because she is busy dealing with a big conference and
she doesn't have time to perform the task.
What tool can you use to view the network traffic being sent and received by the wireless router?

⃝Netcat

⃝Wireshark

⃝Nessus

⃝Netstat

87- A new wireless client is configured to join an 802.11 network. This client uses the same hardware and
software as many of the other clients on the network. The client can see the network, but cannot
connect. A wireless packet sniffer shows that the Wireless Access Point (WAP) is not responding to
the association requests being sent by the wireless client.
What is a possible source of this problem?

⃝The wireless client is not configured to use DHCP


⃝The WAP does not recognize the client's MAC address

⃝The client cannot see the SSID of the wireless network

⃝Client is configured for the wrong channel

88- During a security audit of IT processes, an IS auditor found that there were no documented security
procedures. What should the IS auditor do?

⃝Terminate the audit

⃝Create a procedures document

⃝Identify and evaluate existing practices

⃝Conduct compliance testing

89- The Open Web Application Security Project (OWASP) is the worldwide not-for-profit charitable
organization focused on improving the security of software. What item is the primary concern on
OWASP's Top Ten Project Most Critical Web Application Security Risks?

⃝Cross Site Request Forgery

⃝Cross Site Scripting

⃝Path disclosure

⃝Injection

90- It is a kind of malware (malicious software) that criminals install on your computer so they can lock it
from a remote location. This malware generates a pop-up window, webpage, or email warning from
what looks like an official authority. It explains that your computer has been locked because of
possible illegal activities on it and demands payment before you can access your files and programs.
Which of the following terms best matches the definition?

⃝Spyware

⃝Riskware

⃝Ransomware

⃝Adware

91- Risks = Threats x Vulnerabilities is referred to as the:

⃝BIA equation

⃝Threat assessment

⃝Disaster recovery formula

⃝Risk equation

92- A company's security policy states that all Web browsers must automatically delete their HTTP
browser cookies upon terminating. What sort of security breach is this policy attempting to
mitigate?

⃝Attempts by attackers to access passwords stored on the user's computer without the user's
knowledge.

⃝Attempts by attackers to determine the user's Web browser usage patterns, including when
sites were visited and for how long.

⃝Attempts by attackers to access Web sites that trust the Web browser user by stealing the user's
authentication credentials.

⃝Attempts by attackers to access the user and password information stored in the company’s SQL
database.

93- Which of the following is the successor of SSL?

⃝GRE

⃝TLS

⃝IPSec

⃝RSA

94- A company's Web development team has become aware of a certain type of security vulnerability in
their Web software. To mitigate the possibility of this vulnerability being exploited, the team wants
to modify the software requirements to disallow users from entering HTML as input into their Web
application.
What kind of Web application vulnerability likely exists in their software?

⃝Cross-site scripting vulnerability

⃝Web Site defacement vulnerability

⃝Cross-Site Request Forgery vulnerability

⃝SQL injection vulnerability

95- You are performing a penetration test. You achieved access via a buffer overflow exploit and you
proceed to find interesting data, such as files with usernames and passwords. You find a hidden
folder that has the administrator’s bank account password and login information for the
administrator’s bitcoin account. What should you do?

⃝Do not transfer the money but steal the bitcoins

⃝Transfer money from the administrator’s account to another account

⃝Do not report it and continue the penetration test

⃝Report immediately to the administrator

96- Which of the following is one of the most effective ways to prevent Cross-site Scripting (XSS) flaws in
software applications?

⃝Use security policies and procedures to define and implement proper security settings

⃝Verify access rights before allowing access to protected information and UI controls

⃝Validate and escape all information sent to a server

⃝Use digital certificates to authenticate a server prior to sending data

97- An Internet Service Provider (ISP) has a need to authenticate users connecting using analog
modems, Digital Subscriber Lines (DSL), wireless data services, and Virtual Private Networks (VPN)
over a Frame Relay network. Which AAA protocol is most likely able to handle this requirement?

⃝TACACS+

⃝Kerberos

⃝RADIUS

⃝DIAMETER

98- When you are testing a web application, it is very useful to employ a proxy tool to save every
request and response. You can manually test every request and analyze the response to find
vulnerabilities. You can test parameters and headers manually to get more precise results than if
using web vulnerability scanners. What proxy tool will help you find web vulnerabilities?

⃝Burpsuite

⃝Dimitry

⃝Maskgen

⃝Proxychains

99- env x='(){:;}; echo exploit' bash -c 'cat /etc/passwd'
What is the Shellshock bash vulnerability attempting to do on a vulnerable Linux host?

⃝Changes all passwords in passwd

⃝Removes the passwd file

⃝Adds a new user to the passwd file

⃝Displays passwd content to the prompt

100- PGP, SSL, and IKE are all examples of which type of cryptography?

⃝Hash Algorithm

⃝Public Key

⃝Digest

⃝Secret Key

101- An attacker has installed a RAT on a host. The attacker wants to ensure that when a user
attempts to go to www.MyPersonalBank.com, the user is directed to a phishing site.
Which file does the attacker need to modify?

⃝Sudoers

⃝Hosts

⃝Networks

⃝Boot.ini

102- You’ve just been hired to perform a pen test on an organization that has been subjected to a
large-scale attack. The CIO is concerned with mitigating threats and vulnerabilities to totally
eliminate risk.
What is one of the first things you should do when given the job?

⃝Interview all employees in the company to rule out possible insider threats

⃝Explain to the CIO that you cannot eliminate all risk, but you will be able to reduce risk to
acceptable levels.

⃝Start the Wireshark application to start sniffing network traffic.

⃝Establish attribution to suspected attackers

103- This tool is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once
enough data packets have been captured. It implements the standard FMS attack along with some
optimizations like KoreK attacks, as well as the PTW attack, thus making the attack much faster
compared to other WEP cracking tools. Which of the following tools is being described?

⃝Aircrack-ng

⃝wificracker

⃝Airguard

⃝WLAN-crack

104- An incident investigator asks to receive a copy of the event logs from all firewalls, proxy servers,
and Intrusion Detection Systems (IDS) on the network of an organization that has experienced a
possible breach of security. When the investigator attempts to correlate the information in all of the
logs, the sequence of many of the logged events does not match up.
What is the most likely cause?

⃝The network devices are not all synchronized.

⃝Proper chain of custody was not observed while collecting the logs.

⃝The security breach was a false positive.

⃝The attacker altered or erased events from the logs.

105- Which method of password cracking takes the most time and effort?

⃝Dictionary attack

⃝Brute force

⃝Shoulder surfing

⃝Rainbow tables

106- You are the Systems Administrator for a large corporate organization. You need to monitor all
network traffic on your local network for suspicious activities and receive notifications when an
attack is occurring. Which tool would allow you to accomplish this goal?

⃝Host-based IDS

⃝Network-based IDS

⃝Firewall

⃝Proxy

107- NMAP -sn 192.168.11.200-215
The NMAP command above performs which of the following?

⃝A ping scan

⃝A trace sweep

⃝An operating system detection

⃝A port scan

108- Which of the following security operations is used for determining the attack surface of an
organization?

⃝Training employees on the security policy regarding social engineering

⃝Running a network scan to detect network services in the corporate DMZ

⃝Using configuration management to determine when and where to apply security patches

⃝Reviewing the need for a security clearance for each employee

109- You have successfully compromised a server having an IP address of 10.10.0.5. You would like to
enumerate all machines in the same network quickly. What is the best nmap command you will
use?

⃝Nmap -T4 -F 10.10.0.0/24

⃝Nmap -T4 -O 10.10.0.0/24

⃝Nmap -T4 -r 10.10.1.0/24

⃝Nmap -T4 -q 10.10.0.0/24

110- You are attempting to man-in-the-middle a session. Which protocol will allow you to guess a
sequence number?

⃝ICMP

⃝UDP

⃝UPX

⃝TCP

111- During a black-box pen test you attempt to pass IRC traffic over port 80/TCP from a compromised
web-enabled host. The traffic gets blocked; however, outbound HTTP traffic is unimpeded.
What type of firewall is inspecting outbound traffic?

⃝Packet Filtering

⃝Circuit

⃝Stateful

⃝Application

112- How does the Address Resolution Protocol (ARP) work?

⃝It sends a reply packet to all the network elements asking for the MAC address from a specific
IP.

⃝It sends a request packet to all the network elements, asking for the MAC address from a
specific IP.

⃝It sends a request packet to all the network elements, asking for the domain name from a
specific IP.

⃝It sends a reply packet for a specific IP, asking for the MAC address.

113- You just set up a security system in your network. In what kind of system would you find the
following string of characters used as a rule within its configuration?
alert tcp any any -> 192.168.100.0/24 21 (msg: "FTP on the network!";)

⃝An Intrusion Detection System

⃝FTP server rule

⃝A firewall IPTable

⃝A Router IPTable

114- You are performing information gathering for an important penetration test. You have found
pdf, doc, and images in your objective. You decide to extract metadata from these files and analyze
it. What tool will help you with the task?

⃝cdpsnarf

⃝Armitage

⃝Dimitry

⃝Metagoofil

115- Which regulation defines security and privacy controls for Federal information systems and
organizations?

⃝EU Safe Harbor

⃝NIST-800-53

⃝HIPAA

⃝PCI-DSS

116- When you are getting information about a web server, it is very important to know the HTTP
Methods (GET, POST, HEAD, PUT, DELETE, TRACE) that are available because there are two critical
methods (PUT and DELETE). PUT can upload a file to the server and DELETE can delete a file from the
server. You can detect all these methods (GET, HEAD, PUT, DELETE, TRACE) using the scripting engine.
What nmap script will help you with this task?

⃝http-git

⃝http-methods

⃝http-headers

⃝http-enum

117- Session splicing is an IDS evasion technique in which an attacker delivers data in multiple, small
sized packets to the target computer, making it very difficult for an IDS to detect the attack
signatures.
Which tool can be used to perform session splicing attacks?

⃝Whisker

⃝tcpsplice

⃝Burp

⃝Hydra

118- This phase will increase the odds of success in later phases of the penetration test. It is also the
very first step in Information Gathering, and it will tell you what the "landscape" looks like.
What is the most important phase of ethical hacking in which you need to spend a considerable
amount of time?

⃝Escalating privileges

⃝Gaining access

⃝Network mapping

⃝Footprinting

119- What is the process of logging, recording, and resolving events that take place in an
organization?

⃝Internal Procedure

⃝Incident Management Process

⃝Security Policy

⃝Metrics

120- An attacker changes the profile information of a particular user (victim) on the target website.
The attacker uses this string to update the victim's profile to a text file and then submits the data to
the attacker's database.
<iframe src="http://www.vulnweb.com/updateif.php" style="display:none"></iframe>
What is this type of attack (that can use either HTTP GET or HTTP POST) called?

⃝Browser Hacking

⃝Cross-site Request Forgery

⃝Cross-site Scripting

⃝SQL Injection

121- Which of the following incident handling process phases is responsible for defining rules,
collaborating human workforce, creating a back-up plan, and testing the plans for an organization?

⃝Recovery phase

⃝Containment phase

⃝Identification phase

⃝Preparation phase

122- While performing online banking using a Web browser, a user receives an email that contains a
link to an interesting Website. When the user clicks on the link, another Web browser session starts
and displays a video of cats playing a piano. The next business day, the user receives what looks like
an email from his bank, indicating that his bank account has been accessed from a foreign country.
The email asks the user to call his bank and verify the authorization of a funds transfer that took place.
What Web browser-based security vulnerability was exploited to compromise the user?

⃝Cross-Site Scripting

⃝Cross-Site Request Forgery

⃝Clickjacking

⃝Web form input validation

123- Which of the following is an extremely common IDS evasion technique in the web world?

⃝Spyware

⃝Unicode characters

⃝Port knocking

⃝Subnetting

124- What is the most common method to exploit the "Bash Bug" or "Shellshock" vulnerability?

⃝Through Web servers utilizing CGI (Common Gateway Interface) to send a malformed
environment variable to a vulnerable Web server

⃝SYN Flood

⃝SSH

⃝Manipulate format strings in fields

125- When you are collecting information to perform a data analysis, Google commands are very
useful to find sensitive information and files. These files may contain information about passwords,
system functions, or documentation.
What command will help you to search files using Google as a search engine?

⃝inurl: target.com filename:xls username password email

⃝domain: target.com archive:xls username password email

⃝site: target.com filetype:xls username password email

⃝Site: target.com file:xls username password email
