CCNA Ptp Tools Code Questions

59 questions · Ptp Tools Code topic · All types, answers revealed

1
MCQeasy

A penetration tester needs to identify live hosts and open ports on a target network. Which tool is most appropriate for this task?

A.Burp Suite
B.Nmap
C.Metasploit
D.Wireshark
AnswerB

Nmap is designed for host discovery and port scanning.

Why this answer

Nmap is the standard tool for network discovery and port scanning.

2
Multi-Selecthard

A penetration tester is performing post-exploitation on a Windows domain controller and wants to extract Kerberos tickets for offline cracking. Which two Impacket tools can be used to obtain ticket-granting service (TGS) tickets? (Choose TWO.)

Select 2 answers
A.GetNPUsers
B.GetUserSPNs
C.psexec
D.wmiexec
E.secretsdump
AnswersA, B

GetNPUsers is used for AS-REP roasting to get TGTs.

Why this answer

GetUserSPNs retrieves TGS tickets for accounts with SPNs (Kerberoasting), and GetNPUsers retrieves TGTs for accounts without pre-authentication (AS-REP roasting).

3
MCQeasy

A penetration tester wants to exploit a vulnerable service on a target using a known module. Which framework provides a large database of exploit modules, payloads, and post-exploitation tools?

A.Burp Suite
B.Wireshark
C.Nmap
D.Metasploit Framework
AnswerD

Correct: provides exploits, payloads, and post-exploitation modules.

Why this answer

The Metasploit Framework (option D) is the correct answer because it is specifically designed as a penetration testing platform that includes a vast, regularly updated database of exploit modules, payloads, and post-exploitation tools. This framework allows a tester to select a known module for a vulnerable service, configure a payload, and execute the exploit against a target, making it the standard tool for this purpose.

Exam trap

The trap here is that candidates may confuse a general-purpose security tool (like Burp Suite or Nmap) with the specialized exploit framework, overlooking that only Metasploit provides a centralized database of exploit modules and payloads for direct exploitation.

How to eliminate wrong answers

Option A is wrong because Burp Suite is an intercepting proxy and web application security testing tool; it does not provide a database of exploit modules or payloads for exploiting vulnerable services—it focuses on HTTP/S traffic manipulation and scanning. Option B is wrong because Wireshark is a network protocol analyzer used for packet capture and traffic inspection; it has no exploit modules or payloads and is purely a passive analysis tool. Option C is wrong because Nmap is a network discovery and port scanning tool; while it includes some scripting capabilities (NSE) for vulnerability detection, it does not offer a comprehensive database of exploit modules or payloads for exploitation.

4
MCQeasy

A penetration tester has been given a target IP address and needs to quickly determine which services are running on the target. Which Nmap option should the tester use to perform a SYN scan with service version detection and default NSE scripts?

A.nmap -sS -sV -sC 192.168.1.10
B.nmap -sT -sV -sC 192.168.1.10
C.nmap -A 192.168.1.10
D.nmap -sS -O 192.168.1.10
AnswerA

Correct. SYN scan, version detection, and default scripts.

Why this answer

Option A is correct because the -sS flag initiates a SYN stealth scan, -sV enables service version detection by probing open ports to determine application and version information, and -sC runs the default set of NSE scripts for common enumeration tasks. Together, these three options fulfill the requirement to quickly identify running services with version details and additional script-based reconnaissance, all while using a half-open TCP scan to minimize log generation.

Exam trap

The trap here is that candidates often choose -A (Option C) thinking it is a shortcut for all necessary scans, but it does not guarantee a SYN scan and includes extra features like OS detection and traceroute that are not requested, while the question explicitly requires a SYN scan with version detection and default scripts, which is precisely achieved by combining -sS, -sV, and -sC.

How to eliminate wrong answers

Option B is wrong because -sT performs a full TCP connect scan, which is slower, more detectable, and does not offer the stealth benefits of a SYN scan; it also completes the full three-way handshake, making it unsuitable for the quick, low-profile scan implied by the question. Option C is wrong because -A is an aggregate flag that enables OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute, which goes beyond the specific requirement of 'SYN scan with service version detection and default NSE scripts' by adding unnecessary OS detection and traceroute, and it does not explicitly specify a SYN scan (it defaults to a connect scan if run without privileges). Option D is wrong because -sS performs a SYN scan but -O enables OS detection instead of service version detection (-sV) and does not include default NSE scripts (-sC), so it fails to meet the requirement for service version detection and script execution.

5
MCQmedium

During code review, a penetration tester identifies the following line in a PHP web application: $sql = "SELECT * FROM users WHERE username='" . $_GET['user'] . "'"; Which type of vulnerability is most likely present?

A.SQL injection
B.Insecure deserialization
C.Command injection
D.Cross-site scripting (XSS)
AnswerA

Correct. Input is directly concatenated into an SQL query.

Why this answer

Direct concatenation of user input into an SQL query without sanitization results in SQL injection vulnerability.

6
MCQhard

A penetration tester is analyzing a Java application and finds the following code snippet: Object obj = ois.readObject(); where ois is an ObjectInputStream. What vulnerability is most likely present if the input is untrusted?

A.SQL injection
B.Path traversal
C.Insecure deserialization
D.Cross-site scripting
AnswerC

readObject() on untrusted input can lead to remote code execution.

Why this answer

Insecure deserialization occurs when readObject() is called on untrusted data, potentially leading to code execution.

7
Multi-Selectmedium

A tester is reviewing source code for security vulnerabilities. Which TWO of the following are examples of insecure coding practices that often lead to critical vulnerabilities?

Select 2 answers
A.Validating input with allowlists
B.Concatenating user input directly into SQL queries
C.Using parameterized queries for database operations
D.Storing plaintext credentials in configuration files
E.Using prepared statements in SQL
AnswersB, D

Correct: leads to SQL injection vulnerabilities.

Why this answer

Option B is correct because directly concatenating user input into SQL queries creates SQL injection vulnerabilities. An attacker can inject malicious SQL code through the input, which the database server will execute, potentially leading to data exfiltration, modification, or deletion. This is a classic insecure coding practice that bypasses any input validation if not properly sanitized.

Exam trap

The trap here is that candidates may confuse secure practices (like parameterized queries or allowlists) with insecure ones, or fail to recognize that storing plaintext credentials is a critical vulnerability because it exposes secrets if the configuration file is accessed.

8
MCQmedium

During a code review, a penetration tester identifies a PHP function that executes arbitrary shell commands. Which function poses the greatest security risk if user input is not sanitized?

A.echo
B.strlen
C.system
D.array_pop
AnswerC

system() executes shell commands and is dangerous with unsanitized input.

Why this answer

system() executes commands and returns output, allowing arbitrary command execution if input is unsanitized.

9
MCQmedium

In a Python script for a penetration test, you need to craft a custom TCP packet with specific flags. Which library is best suited for low-level packet manipulation?

A.requests
B.scapy
C.socket
D.impacket
AnswerB

Correct: designed for packet crafting and manipulation.

Why this answer

Scapy allows crafting, sending, and sniffing network packets at a low level, supporting custom TCP flags.

10
Multi-Selecteasy

A penetration tester is reviewing source code and wants to identify common hardcoded credentials and input validation gaps. Which three checks should the tester perform? (Choose THREE.)

Select 3 answers
A.Verify the use of HTTPS
B.Identify usage of eval, exec, or system with user input
C.Search for hardcoded passwords or API keys
D.Look for SQL queries constructed with string concatenation
E.Check for proper session timeout implementation
AnswersB, C, D

These functions can lead to command injection.

Why this answer

Hardcoded credentials, concatenated SQL queries, and dangerous functions like eval/exec/system are common vulnerabilities.

11
MCQhard

During a wireless penetration test, a tester captures WPA2 handshakes but finds they are unable to crack the password using a dictionary attack. Which technique could improve the likelihood of cracking the password?

A.Switch to John the Ripper with a brute-force attack
B.Use Wireshark to analyze the handshake for plaintext hints
C.Use aircrack-ng with the -r option to apply rules to the wordlist
D.Perform a deauthentication attack to force clients to reconnect and capture additional handshakes
AnswerC

Rules can mutate words to try common patterns, improving cracking.

Why this answer

Option C is correct because using aircrack-ng with the `-r` option applies rule-based mangling to the wordlist, generating password variations (e.g., appending numbers, capitalizing letters) that are more likely to match the actual passphrase. This technique leverages common password patterns that simple dictionary attacks miss, significantly improving cracking success against WPA2 PSK.

Exam trap

Cisco often tests the misconception that capturing more handshakes (via deauthentication) improves cracking success, but the trap is that the handshake only provides the nonces and MIC—the PMK is deterministic from the passphrase, so one valid handshake is sufficient for offline cracking.

How to eliminate wrong answers

Option A is wrong because John the Ripper's brute-force mode is computationally infeasible for WPA2 PSK (which uses PBKDF2 with 4096 iterations of SHA-1), requiring an astronomical keyspace for any reasonable-length password. Option B is wrong because Wireshark cannot extract plaintext hints from a WPA2 handshake; the handshake contains only encrypted data and the four-way handshake parameters (ANonce, SNonce, MIC) with no plaintext password information. Option D is wrong because capturing additional handshakes does not help crack the password; the same PMK is derived from the same passphrase and SSID, so more handshakes provide no cryptographic advantage for offline cracking.

12
Multi-Selectmedium

A penetration tester is conducting a wireless assessment and wants to capture WPA handshakes for offline cracking. Which two tools from the Aircrack-ng suite would be used? (Choose two.)

Select 3 answers
A.airodump-ng
B.airmon-ng
C.airodump-ng
D.aircrack-ng
E.aireplay-ng
AnswersA, C, E

Duplicate, but correct.

Why this answer

Airodump-ng captures packets and handshakes, while aireplay-ng can deauthenticate clients to force handshake capture.

13
MCQeasy

Which cloud security auditing tool is designed specifically for assessing AWS environments and can perform enumeration of misconfigurations?

A.CrackMapExec
B.Prowler
C.ScoutSuite
D.Pacu
AnswerD

Pacu is an AWS-specific exploitation framework.

Why this answer

Pacu is an AWS exploitation framework for security assessment.

14
MCQmedium

A tester needs to enumerate Windows domain users and groups from a compromised system. Which PowerShell script would be most useful?

A.Invoke-Mimikatz
B.PowerView
C.Prowler
D.ScoutSuite
AnswerB

PowerView is designed for AD enumeration.

Why this answer

PowerView is a PowerShell tool specifically designed for Windows domain enumeration, allowing testers to query Active Directory for users, groups, computers, and permissions via LDAP. It leverages the Active Directory Services Interface (ADSI) to gather detailed information without requiring additional privileges beyond those already obtained on the compromised system.

Exam trap

The trap here is that candidates may confuse credential-dumping tools (like Mimikatz) with enumeration tools, or mistake cloud auditing tools (Prowler, ScoutSuite) for Windows domain enumeration scripts, because all are used in post-exploitation but serve fundamentally different purposes.

How to eliminate wrong answers

Option A is wrong because Invoke-Mimikatz is a PowerShell wrapper for Mimikatz, which focuses on credential dumping (e.g., extracting plaintext passwords, hashes, and Kerberos tickets) rather than enumerating domain users and groups. Option C is wrong because Prowler is an AWS security auditing tool that checks for misconfigurations in cloud environments, not Windows Active Directory enumeration. Option D is wrong because ScoutSuite is a multi-cloud security auditing tool (AWS, Azure, GCP) and does not perform Windows domain user or group enumeration.

15
MCQmedium

A penetration tester is reviewing a Python script used for a custom exploit. Which of the following code snippets contains a dangerous function that could lead to remote code execution?

A.input('Enter name:')
B.open(filename, 'r')
C.eval(user_input)
D.subprocess.run(['ls'])
AnswerC

eval() executes arbitrary Python code from user input.

Why this answer

Option C is correct because the `eval()` function in Python interprets and executes the string passed to it as a Python expression. If an attacker can control the `user_input` string, they can inject arbitrary Python code, leading to remote code execution (RCE). This is a classic dangerous function in Python that should never be used with untrusted input.

Exam trap

Cisco often tests the misconception that `input()` in Python 3 is dangerous like Python 2's `input()`, or that `subprocess.run` with a list is automatically safe, when the real danger is `eval()` and its equivalents (`exec()`, `compile()`).

How to eliminate wrong answers

Option A is wrong because `input()` in Python 3 simply returns the user's input as a string without evaluating it; it is safe from code injection (unlike Python 2's `input()` which used `eval()`). Option B is wrong because `open()` is a standard file operation that does not execute code; it only opens a file for reading or writing and is not inherently dangerous. Option D is wrong because `subprocess.run(['ls'])` runs a fixed command (`ls`) with no user-controlled arguments; while `subprocess.run` can be dangerous if user input is passed unsanitized, this specific snippet uses a hardcoded list, so it does not allow arbitrary command injection.

16
MCQeasy

A penetration tester needs to perform an online brute-force attack against an SSH service. Which tool is most appropriate?

A.Hydra
B.John the Ripper
C.CrackMapExec
D.Hashcat
AnswerA

Hydra performs online brute-force attacks against services like SSH.

Why this answer

Hydra is a versatile online brute-force tool supporting many protocols including SSH.

17
MCQmedium

A penetration tester has captured a WPA2 handshake. Which tool from the Aircrack-ng suite is used to crack the pre-shared key?

A.airmon-ng
B.airodump-ng
C.aireplay-ng
D.aircrack-ng
AnswerD

Correct: cracks WEP and WPA keys from captured handshakes.

Why this answer

Aircrack-ng (option D) is the tool in the Aircrack-ng suite specifically designed to crack WPA2 pre-shared keys (PSK) by performing an offline dictionary or brute-force attack against the captured four-way handshake. It uses the handshake data (specifically the EAPOL frames) to derive the Pairwise Master Key (PMK) and verify it against candidate passphrases, making it the correct choice for this task.

Exam trap

The trap here is that candidates often confuse the tool that captures the handshake (airodump-ng) or the tool that forces the handshake (aireplay-ng) with the tool that actually performs the cryptographic cracking (aircrack-ng), leading them to select a wrong option.

How to eliminate wrong answers

Option A (airmon-ng) is wrong because it is used to enable or disable monitor mode on wireless interfaces, not to crack captured handshakes. Option B (airodump-ng) is wrong because it captures packets and handshakes but does not perform any cracking; it only outputs the handshake for later use. Option C (aireplay-ng) is wrong because it injects packets (e.g., deauthentication frames) to force a client to reconnect and generate a handshake, but it does not crack the PSK.

18
MCQmedium

A penetration tester wants to exploit a Windows system using a known vulnerability and gain a meterpreter session. Which tool is most appropriate?

A.CrackMapExec
B.Metasploit Framework
C.Impacket
D.Hydra
AnswerB

Metasploit has exploits and payloads for Windows.

Why this answer

Metasploit Framework (B) is the most appropriate tool because it provides a comprehensive exploit development and execution environment, including pre-built modules for known Windows vulnerabilities and seamless integration with Meterpreter payloads. Unlike the other options, Metasploit is specifically designed to deliver a Meterpreter session after exploitation, handling payload generation, staging, and post-exploitation tasks natively.

Exam trap

The trap here is that candidates confuse tools used for post-exploitation or credential attacks (CrackMapExec, Hydra) with the actual exploit delivery framework (Metasploit) required to gain a Meterpreter session from a known vulnerability.

How to eliminate wrong answers

Option A (CrackMapExec) is wrong because it is a post-exploitation and lateral movement tool that automates tasks like credential spraying and SMB enumeration, but it does not include exploit modules to trigger a known vulnerability or deliver a Meterpreter session. Option C (Impacket) is wrong because it is a collection of Python scripts for network protocol manipulation (e.g., SMB, Kerberos) and can be used for exploitation (e.g., PsExec), but it lacks a built-in exploit framework and does not natively generate or handle Meterpreter payloads. Option D (Hydra) is wrong because it is a network login cracker that performs brute-force attacks against authentication services (e.g., SSH, FTP, RDP) and has no capability to exploit software vulnerabilities or deliver a Meterpreter session.

19
MCQeasy

During a penetration test, the tester wants to capture network traffic for later analysis. Which tool is most appropriate for capturing packets and saving them to a pcap file?

A.Wireshark
B.Metasploit
C.Burp Suite
D.Nmap
AnswerA

Correct. Wireshark captures and analyzes network packets.

Why this answer

Wireshark is a network protocol analyzer capable of capturing live traffic and saving it to pcap files.

20
MCQmedium

A penetration tester has obtained a set of NTLM password hashes from a Windows domain controller. The tester wants to perform an offline cracking attack using GPU acceleration. Which tool is best suited for this purpose?

A.Hashcat
B.CrackMapExec
C.John the Ripper
D.Hydra
AnswerA

Correct. Hashcat is optimized for GPU-accelerated cracking.

Why this answer

Hashcat is a powerful password cracker that supports GPU acceleration and can crack NTLM hashes efficiently.

21
Multi-Selectmedium

A penetration tester has captured network traffic and wants to analyze it using Wireshark. Which two actions can the tester perform to focus on specific types of communication? (Choose TWO.)

Select 2 answers
A.Use the Conversations window
B.Decrypt SSL/TLS traffic
C.Apply a display filter
D.Run a port scan
E.Generate a report with Nmap
AnswersA, C

Conversations show traffic between specific endpoints.

Why this answer

Display filters filter packets based on criteria, and conversation analysis groups traffic between endpoints.

22
MCQmedium

A tester needs to perform an online brute-force attack against an SSH service. Which tool is most suitable?

A.Hashcat
B.Hydra
C.John the Ripper
D.Aircrack-ng
AnswerB

Hydra supports online brute-force for SSH.

Why this answer

Hydra is a fast online brute-force tool that supports many protocols including SSH.

23
MCQhard

During a source code review of a PHP application, the tester finds the following line: $query = "SELECT * FROM users WHERE username = '" . $_POST['username'] . "'"; Which vulnerability is present?

A.Cross-site scripting (XSS)
B.Path traversal
C.Command injection
D.SQL injection
AnswerD

The input is concatenated into the SQL query, allowing injection.

Why this answer

Concatenating user input directly into an SQL query without sanitization leads to SQL injection.

24
MCQhard

A penetration tester is performing a cloud security audit of an AWS environment. Which tool is specifically designed for AWS exploitation and post-exploitation, including privilege escalation and persistence?

A.Pacu
B.CrackMapExec
C.ScoutSuite
D.Prowler
AnswerA

Correct. Pacu is an AWS exploitation framework.

Why this answer

Pacu is an AWS exploitation framework that provides modules for enumeration, privilege escalation, and persistence.

25
Multi-Selectmedium

During a penetration test, a tester needs to perform a deauthentication attack to force a client to reconnect and capture the WPA handshake. Which two tools from the Aircrack-ng suite are required? (Choose TWO.)

Select 2 answers
A.airmon-ng
B.aircrack-ng
C.aireplay-ng
D.airodump-ng
E.airolib-ng
AnswersC, D

aireplay-ng injects deauth packets to disconnect clients.

Why this answer

Airodump-ng captures the handshake, and aireplay-ng sends deauth packets.

26
MCQhard

During a reverse engineering task on a .NET binary, which tool would allow you to decompile the code into readable C# source code?

A.IDA Pro Free
B.Ghidra
C.jadx
D.dnSpy
AnswerD

Correct: specialized .NET decompiler and debugger.

Why this answer

dnSpy is a .NET decompiler that can produce high-level source code from .NET assemblies.

27
MCQeasy

Which tool would be best for capturing and analyzing network packets to troubleshoot a web application?

A.Nmap
B.Wireshark
C.Burp Suite
D.Aircrack-ng
AnswerB

Wireshark captures and analyzes packets.

Why this answer

Wireshark is the correct tool because it is designed specifically for deep packet inspection, allowing you to capture live network traffic and analyze individual packets at multiple OSI layers. For troubleshooting a web application, you can filter HTTP/HTTPS requests and responses, examine TCP handshakes, and identify latency or payload issues, which is essential for diagnosing performance or functional problems.

Exam trap

The trap here is that candidates often confuse Burp Suite (a web application proxy) with a packet analyzer, but Burp Suite operates at the application layer and does not capture raw network packets or provide low-level protocol analysis like Wireshark does.

How to eliminate wrong answers

Option A is wrong because Nmap is a network scanning tool used for host discovery and port enumeration, not for capturing and analyzing the contents of network packets. Option C is wrong because Burp Suite is an intercepting proxy focused on web application security testing (e.g., manipulating HTTP requests), not a general-purpose packet capture and analysis tool like Wireshark. Option D is wrong because Aircrack-ng is a suite of tools for wireless network security auditing (e.g., cracking WEP/WPA keys), not for capturing and analyzing packets from a wired or wireless web application traffic stream.

28
MCQmedium

After gaining initial access to a Windows domain controller, a tester wants to extract password hashes from the SAM database and domain account hashes. Which Impacket tool is designed for this purpose?

A.psexec.py
B.GetUserSPNs.py
C.wmiexec.py
D.secretsdump.py
AnswerD

Correct: extracts password hashes from Windows systems.

Why this answer

D is correct because secretsdump.py is the Impacket tool specifically designed to extract password hashes from the SAM database and domain account hashes (NTDS.dit) on a Windows domain controller. It can perform remote dump operations using techniques like DRSUAPI replication or volume shadow copy, making it the standard choice for credential harvesting in penetration testing.

Exam trap

The trap here is that candidates confuse tools for remote execution (psexec.py, wmiexec.py) or Kerberoasting (GetUserSPNs.py) with the specific hash-dumping functionality of secretsdump.py, failing to recognize that only secretsdump.py directly extracts SAM and domain account hashes.

How to eliminate wrong answers

Option A is wrong because psexec.py is used for remote command execution via SMB, not for extracting password hashes. Option B is wrong because GetUserSPNs.py is designed to enumerate Service Principal Names (SPNs) for Kerberoasting attacks, targeting service account tickets rather than SAM or domain hashes. Option C is wrong because wmiexec.py enables remote command execution over WMI, lacking the functionality to dump SAM or NTDS.dit hashes.

29
MCQmedium

After gaining initial access to a Windows system, a penetration tester wants to extract password hashes from the local SAM database. Which Impacket tool should be used?

A.GetUserSPNs
B.secretsdump
C.psexec
D.wmiexec
AnswerB

secretsdump dumps hashes from SAM, NTDS.dit, or LSASS.

Why this answer

The correct answer is B, secretsdump, because it is the Impacket tool specifically designed to extract password hashes from a Windows SAM database, as well as from NTDS.dit and LSA secrets. It remotely accesses the SAM hive via the Windows registry or uses Volume Shadow Copy to dump hashes without requiring interactive login.

Exam trap

The trap here is that candidates may confuse secretsdump with tools like psexec or wmiexec, which are for remote execution, not credential extraction, or with GetUserSPNs, which targets Kerberos tickets rather than local SAM hashes.

How to eliminate wrong answers

Option A is wrong because GetUserSPNs is used to request Kerberos service tickets for user accounts associated with Service Principal Names (SPNs), not to extract SAM hashes. Option C is wrong because psexec executes commands remotely via SMB and creates a service, but it does not dump password hashes. Option D is wrong because wmiexec executes commands via WMI, providing a semi-interactive shell, but it lacks the functionality to extract SAM hashes.

30
MCQmedium

A tester needs to brute-force SSH credentials on a target. Which tool is most appropriate for this task?

A.Aircrack-ng
B.Hashcat
C.Hydra
D.John the Ripper
AnswerC

Correct: supports SSH, FTP, HTTP form brute-force online.

Why this answer

Hydra is a versatile online brute-force tool supporting many protocols including SSH.

31
Multi-Selectmedium

A penetration tester is writing a Bash script to automate scanning of multiple subnets with Nmap and parse the output. Which three features are commonly used in such a script? (Choose THREE.)

Select 3 answers
A.PowerShell cmdlets
B.Nmap XML output (-oX)
C.For loop
D.grep
E.PySerial
AnswersB, C, D

XML output is machine-parseable for further processing.

Why this answer

B is correct because Nmap's XML output (-oX) provides structured, machine-parseable data that a Bash script can easily process with tools like grep, sed, or XML parsers (e.g., xmllint). This allows the penetration tester to extract specific fields (e.g., open ports, service versions) reliably across multiple subnets, avoiding the fragility of parsing human-readable text output.

Exam trap

The trap here is that candidates may confuse cross-platform scripting features (like PowerShell cmdlets) with Bash-native constructs, or mistakenly think PySerial is relevant for network scanning, when the exam focuses on Bash-specific tools (for loops, grep) and Nmap's structured output (-oX) for automation.

32
MCQmedium

A tester wants to perform an evil twin attack to capture WPA handshakes. Which tool from the Aircrack-ng suite is used to deauthenticate clients from a legitimate AP to force reconnection to the rogue AP?

A.airmon-ng
B.airodump-ng
C.aircrack-ng
D.aireplay-ng
AnswerD

Correct: injects deauth packets to disconnect clients.

Why this answer

aireplay-ng can send deauthentication packets to disconnect clients, facilitating handshake capture.

33
MCQmedium

A tester wants to perform a Kerberoasting attack against an Active Directory environment. Which Impacket tool would be most appropriate?

A.wmiexec
B.psexec
C.secretsdump
D.GetUserSPNs
AnswerD

GetUserSPNs is designed for Kerberoasting.

Why this answer

GetUserSPNs is the correct Impacket tool for Kerberoasting because it queries Active Directory for Service Principal Names (SPNs) associated with user accounts, then requests TGS tickets for those services. These tickets can be cracked offline to recover the service account's password hash, enabling privilege escalation.

Exam trap

Cisco often tests the distinction between tools that extract hashes (secretsdump) versus tools that request Kerberos tickets (GetUserSPNs), leading candidates to confuse hash dumping with Kerberoasting.

How to eliminate wrong answers

Option A is wrong because wmiexec is used for remote command execution via Windows Management Instrumentation (WMI), not for extracting Kerberos tickets. Option B is wrong because psexec executes commands remotely using SMB and service creation, not for Kerberoasting. Option C is wrong because secretsdump extracts password hashes from the SAM, NTDS.dit, and LSA secrets, but does not perform Kerberos TGS ticket requests or SPN enumeration.

34
MCQeasy

During a web application test, a penetration tester needs to intercept and modify HTTP requests before forwarding them to the server. Which tool is best suited for this task?

A.Hydra
B.Nmap
C.Wireshark
D.Burp Suite
AnswerD

Burp Suite's proxy is designed for intercepting and modifying requests.

Why this answer

Burp Suite's proxy allows intercepting and modifying HTTP/S requests, making it the standard tool for web application testing.

35
MCQmedium

During a penetration test, you are asked to identify all live hosts on a subnet. Which Nmap scan type is most likely to evade firewalls and determine if a host is up without completing the TCP handshake?

A.Ping sweep (-sn)
B.SYN scan (-sS)
C.TCP connect scan (-sT)
D.UDP scan (-sU)
AnswerB

Correct: half-open scan that doesn't complete handshake.

Why this answer

SYN scan (half-open) sends SYN packets and listens for SYN-ACK; it never completes the handshake, making it stealthier and useful for firewall evasion.

36
MCQhard

A tester decompiles a .NET application using dnSpy and finds a function that loads a serialized object from a file. Which vulnerability is most likely present?

A.Path traversal
B.SQL injection
C.Hardcoded credentials
D.Insecure deserialization
AnswerD

Deserializing untrusted data can lead to code execution.

Why this answer

The function loads a serialized object from a file, which is a classic indicator of insecure deserialization. In .NET, deserializing untrusted data without validation can allow an attacker to execute arbitrary code or manipulate application logic, as the runtime reconstructs objects from the serialized stream. dnSpy decompilation revealing this pattern directly points to the risk of insecure deserialization.

Exam trap

Cisco often tests the distinction between the action (loading a file) and the vulnerability (insecure deserialization), leading candidates to mistakenly choose path traversal because the file is loaded from disk, ignoring the core risk of deserializing untrusted objects.

How to eliminate wrong answers

Option A is wrong because path traversal involves manipulating file paths to access unauthorized directories, not the deserialization of objects from a file. Option B is wrong because SQL injection targets database queries through input injection, not the loading of serialized objects. Option C is wrong because hardcoded credentials refer to embedded usernames or passwords in source code, which is unrelated to the deserialization process.

37
MCQmedium

A penetration tester is writing a Python script to send a crafted TCP packet to a target. Which Python library should the tester use for low-level packet crafting and injection?

A.requests
B.impacket
C.scapy
D.socket
AnswerC

Correct. Scapy allows crafting and sending custom packets.

Why this answer

Scapy is the correct choice because it is a powerful Python library specifically designed for low-level packet crafting, manipulation, and injection. It allows the tester to construct arbitrary TCP packets at the raw socket level, control individual flags, sequence numbers, and payloads, and send them directly over the wire using Layer 2 or Layer 3 sockets. This makes it ideal for tasks like SYN flooding, TCP handshake manipulation, or custom protocol fuzzing.

Exam trap

Cisco often tests the distinction between high-level protocol libraries (requests, impacket) and low-level packet crafting tools (scapy), trapping candidates who confuse 'network scripting' with 'raw packet manipulation'.

How to eliminate wrong answers

Option A is wrong because the 'requests' library is a high-level HTTP client library used for sending and receiving HTTP requests; it operates at the application layer and cannot craft or inject raw TCP packets. Option B is wrong because 'impacket' is a collection of Python classes for working with network protocols, particularly SMB and Kerberos, but it is not designed for low-level packet crafting and injection; it focuses on protocol-level interactions rather than raw packet manipulation. Option D is wrong because the 'socket' library provides low-level networking interfaces (e.g., raw sockets) but lacks the high-level abstractions, protocol dissection, and packet-building utilities that Scapy offers; using raw sockets alone would require manually constructing all packet headers and handling checksums, which is error-prone and far less efficient.

38
MCQhard

A penetration tester is conducting a wireless assessment and needs to capture the four-way handshake to perform offline WPA cracking. Which tool is best suited for capturing the handshake?

A.aircrack-ng
B.aireplay-ng
C.Airmon-ng
D.airodump-ng
AnswerD

airodump-ng captures raw 802.11 frames, including handshakes.

Why this answer

Airodump-ng (option D) is the correct tool for capturing the four-way handshake because it passively monitors wireless traffic and can save captured packets to a file (e.g., .cap or .pcap). The four-way handshake occurs during the WPA/WPA2 authentication process between a client and an access point, and airodump-ng's ability to filter on a specific channel and BSSID allows the tester to isolate and record the handshake frames for offline cracking.

Exam trap

The trap here is that candidates confuse airodump-ng (capture tool) with aircrack-ng (cracking tool) or aireplay-ng (injection tool), leading them to pick a tool that cannot actually capture the handshake.

How to eliminate wrong answers

Option A (aircrack-ng) is wrong because it is a WEP/WPA key cracking tool that uses captured handshake files, not a packet capture tool; it cannot capture the handshake itself. Option B (aireplay-ng) is wrong because it is used for packet injection and replay attacks (e.g., deauthentication attacks to force a client to reconnect), not for passively capturing the handshake. Option C (airmon-ng) is wrong because it is a utility to enable or disable monitor mode on a wireless interface, not a packet capture tool; it prepares the interface for capture but does not capture frames.

39
MCQmedium

During a web application test, a penetration tester intercepts requests between the browser and server and modifies them in real time. Which Burp Suite tool is designed for this purpose?

A.Repeater
B.Sequencer
C.Intruder
D.Proxy
AnswerD

Burp Proxy intercepts traffic between browser and server.

Why this answer

Burp Proxy intercepts and allows modification of HTTP/HTTPS requests.

40
MCQmedium

A penetration tester needs to perform a Kerberoasting attack against a Windows Active Directory environment. Which tool from the Impacket suite should the tester use to request service tickets and extract TGS hashes for offline cracking?

A.wmiexec.py
B.secretsdump.py
C.GetUserSPNs.py
D.psexec.py
AnswerC

Correct. Specifically for requesting TGS for SPN accounts.

Why this answer

GetUserSPNs.py in the Impacket suite is used to find and request service principal names (SPNs) and retrieve TGS hashes for Kerberoasting.

41
MCQhard

During a web application test, a penetration tester needs to modify an HTTP request in real-time, send it repeatedly with different parameter values, and analyze the responses. Which Burp Suite tool is best suited for this task?

A.Intruder
B.Repeater
C.Proxy
D.Sequencer
AnswerA

Correct: automates sending requests with multiple payloads and analyzes responses.

Why this answer

Burp Suite Intruder is specifically designed for automated, customizable attacks that send multiple HTTP requests with varying parameter values (payloads) and analyze responses. It supports real-time modification of requests, payload positions, and response analysis, making it the ideal tool for fuzzing, brute-forcing, and parameter testing during a web application penetration test.

Exam trap

The trap here is that candidates often confuse Repeater's ability to manually resend requests with Intruder's automated, multi-payload capability, leading them to choose Repeater when the question explicitly requires repeated sending with different parameter values.

How to eliminate wrong answers

Option B (Repeater) is wrong because Repeater is used for manually sending a single request multiple times with manual modifications, not for automated, repeated sending with different parameter values. Option C (Proxy) is wrong because Proxy intercepts and forwards HTTP traffic between browser and server but does not provide automated payload substitution or response analysis across multiple requests. Option D (Sequencer) is wrong because Sequencer analyzes the randomness of session tokens or other data, not for modifying and replaying requests with different parameter values.

42
MCQeasy

A penetration tester wants to identify all live hosts and open ports on a network segment. Which Nmap scan type is most efficient for this purpose?

A.Nmap -sP
B.Nmap -sU
C.Nmap -sT
D.Nmap -sS
AnswerD

SYN scan is the default and efficient for port scanning.

Why this answer

The -sS option performs a SYN stealth scan, which is fast and less likely to be logged by services, making it efficient for live host and open port discovery.

43
MCQhard

A penetration tester is conducting a wireless security assessment. The target network uses WPA2-PSK. The tester has captured the four-way handshake. Which tool from the Aircrack-ng suite can be used to attempt to recover the pre-shared key by performing a dictionary attack?

A.airtun-ng
B.aircrack-ng
C.airodump-ng
D.aireplay-ng
AnswerB

Correct. It cracks WEP/WPA keys using captured packets.

Why this answer

Aircrack-ng is the tool within the suite that performs dictionary or brute-force attacks on captured WPA/WPA2 handshakes to recover the PSK.

44
Multi-Selecthard

During a cloud security assessment of AWS, a tester wants to identify misconfigurations using automated tools. Which THREE tools are specifically designed for AWS security auditing?

Select 3 answers
A.Hashcat
B.Pacu
C.Prowler
D.CrackMapExec
E.ScoutSuite
AnswersB, C, E

Correct: AWS exploitation framework.

Why this answer

Pacu is an open-source AWS exploitation framework designed for offensive security testing. It automates the identification of misconfigurations, such as overly permissive IAM policies, exposed S3 buckets, and vulnerable Lambda functions, making it a correct choice for cloud security auditing.

Exam trap

Cisco often tests candidates' ability to distinguish between general-purpose security tools (like Hashcat for cracking) and cloud-specific auditing tools (like Pacu, Prowler, and ScoutSuite), leading to confusion when tools have overlapping names or functions.

45
Multi-Selectmedium

A penetration tester is analyzing a network capture with Wireshark. Which TWO of the following are common uses of Wireshark in a pentest?

Select 2 answers
A.Brute-forcing SSH credentials
B.Identifying cleartext protocols (e.g., FTP, HTTP) and extracting credentials
C.Performing active vulnerability scanning of hosts
D.Reassembling data streams to extract files transferred over the network
E.Cracking WPA2 handshakes directly
AnswersB, D

Correct: Wireshark can filter and display cleartext passwords.

Why this answer

Wireshark captures and inspects network traffic at the packet level. It can identify cleartext protocols like FTP (port 21) and HTTP (port 80), which transmit data without encryption, allowing an attacker to extract credentials directly from the payload. This is a passive reconnaissance technique, not an active attack.

Exam trap

Cisco often tests the distinction between passive observation (Wireshark) and active exploitation (e.g., brute-forcing or cracking), leading candidates to mistakenly attribute active attacks to Wireshark's capabilities.

46
MCQeasy

Which PowerShell script is commonly used for post-exploitation enumeration of Active Directory, such as querying user accounts and group memberships?

A.Nishang
B.Empire
C.Invoke-Mimikatz
D.PowerView
AnswerD

Correct: AD enumeration tool in PowerShell.

Why this answer

PowerView (option D) is a PowerShell script within the PowerSploit framework specifically designed for post-exploitation enumeration of Active Directory. It provides cmdlets like Get-NetUser, Get-NetGroup, and Get-NetComputer to query user accounts, group memberships, and domain trust relationships via LDAP queries, making it the correct choice for this task.

Exam trap

The trap here is that candidates confuse post-exploitation frameworks (Empire) or credential-dumping tools (Invoke-Mimikatz) with the specific script designed for AD enumeration, or they assume Nishang's broad toolkit includes dedicated AD enumeration, when PowerView is the precise answer for querying user accounts and group memberships.

How to eliminate wrong answers

Option A (Nishang) is wrong because it is a collection of PowerShell scripts for penetration testing and offensive security, but it focuses on broader tasks like reverse shells, keylogging, and data exfiltration, not specifically on Active Directory enumeration. Option B (Empire) is wrong because it is a post-exploitation framework that uses PowerShell agents for command and control, but it is not a single script; it relies on modules like PowerView for AD enumeration, so it is not the script itself. Option C (Invoke-Mimikatz) is wrong because it is a PowerShell wrapper for Mimikatz, which extracts credentials (e.g., plaintext passwords, Kerberos tickets) from memory, not for querying AD user accounts or group memberships.

47
Multi-Selectmedium

A penetration tester is reviewing code for insecure deserialization vulnerabilities. Which two languages are commonly associated with this vulnerability? (Choose two.)

Select 2 answers
A.Ruby
B.Python
C.Java
D.PHP
E..NET
AnswersC, E

Java deserialization vulnerabilities are common.

Why this answer

Java and .NET deserialization vulnerabilities are well-known and have been exploited in many frameworks.

48
MCQmedium

During a web application penetration test, the tester captures a login request in Burp Suite and wants to automate a brute-force attack against the password field. Which Burp Suite tool is specifically designed for this purpose?

A.Intruder
B.Scanner
C.Sequencer
D.Repeater
AnswerA

Intruder is the tool for performing automated, customizable attacks.

Why this answer

Intruder is the correct tool because it is specifically designed for automated customized attacks, including brute-force attacks, against web application parameters. It allows the tester to define a payload position (e.g., the password field in a login request) and iterate through a list of candidate passwords, automatically resending the request with each payload value and analyzing the responses.

Exam trap

The trap here is that candidates often confuse Repeater (which is for manual, single-request testing) with Intruder (which is for automated, multi-request attacks), leading them to choose Repeater because they think it can be used for brute-forcing by manually sending requests one by one.

How to eliminate wrong answers

Option B (Scanner) is wrong because Burp Scanner is an automated vulnerability detection tool that identifies security flaws (e.g., SQL injection, XSS) by passively and actively scanning requests, not for performing brute-force attacks against a specific field. Option C (Sequencer) is wrong because it analyzes the randomness of session tokens or other data to assess cryptographic strength, not for automating password guessing. Option D (Repeater) is wrong because it allows manual resending and modification of a single request for testing, but it lacks the ability to automate multiple requests with varying payloads, which is essential for a brute-force attack.

49
MCQeasy

Which tool is used for security auditing of AWS environments and can enumerate misconfigurations in IAM, S3, and other services?

A.Pacu
B.CrackMapExec
C.Prowler
D.ScoutSuite
AnswerA

Correct: AWS-specific security testing framework.

Why this answer

Pacu is an open-source AWS security testing framework designed for offensive security audits. It includes modules that enumerate and exploit misconfigurations in IAM policies, S3 bucket permissions, and other AWS services, making it the correct tool for this specific purpose.

Exam trap

The trap here is that candidates often confuse Prowler or ScoutSuite with Pacu because all three are AWS security tools, but only Pacu is designed for offensive enumeration and exploitation of misconfigurations, while the others are primarily compliance and reporting tools.

How to eliminate wrong answers

Option B (CrackMapExec) is wrong because it is a post-exploitation tool for assessing Active Directory environments, not AWS cloud services. Option C (Prowler) is wrong because, while it is an AWS security auditing tool, it focuses on CIS benchmark compliance and best-practice checks rather than active exploitation or enumeration of misconfigurations. Option D (ScoutSuite) is wrong because it is a multi-cloud security auditing tool that provides a compliance report but lacks the offensive, exploitation-oriented modules that Pacu offers for enumerating and exploiting misconfigurations.

50
MCQeasy

A penetration tester needs to enumerate Active Directory users and groups from a Windows domain. Which PowerShell tool is specifically designed for AD enumeration and is commonly used in post-exploitation?

A.Invoke-Mimikatz
B.Nmap
C.CrackMapExec
D.PowerView
AnswerD

Correct. PowerView is for AD reconnaissance.

Why this answer

PowerView (option D) is a PowerShell tool specifically designed for Active Directory enumeration, providing functions to query users, groups, computers, and permissions via LDAP. It is widely used in post-exploitation because it runs in-memory, avoids writing to disk, and integrates seamlessly with PowerShell's pipeline for stealthy reconnaissance.

Exam trap

The trap here is that candidates confuse post-exploitation credential tools (like Invoke-Mimikatz) with enumeration tools, or assume general-purpose scanners (Nmap) or multi-function frameworks (CrackMapExec) are PowerShell-native AD enumeration tools, when PowerView is the correct specialized PowerShell module for this task.

How to eliminate wrong answers

Option A is wrong because Invoke-Mimikatz is a tool for credential dumping (e.g., extracting plaintext passwords, hashes, and Kerberos tickets), not for enumerating AD users and groups. Option B is wrong because Nmap is a network scanning tool that discovers hosts and services via raw packets, not a PowerShell-based AD enumeration tool. Option C is wrong because CrackMapExec is a post-exploitation tool that automates credential spraying, SMB enumeration, and lateral movement, but it is not a PowerShell tool specifically designed for AD user/group enumeration; PowerView fills that niche.

51
MCQmedium

A penetration tester is performing a password cracking task against a dump of NTLM hashes obtained from a Windows domain controller. Which tool would be the most efficient for this task?

A.Hydra
B.John the Ripper
C.Hashcat
D.CrackMapExec
AnswerC

Hashcat is optimized for fast hash cracking using GPU.

Why this answer

Hashcat is a GPU-accelerated password cracker that can crack NTLM hashes quickly, especially with a good wordlist and rules.

52
Multi-Selectmedium

A penetration tester is conducting a post-exploitation phase on a Windows target and wants to dump credentials. Which of the following tools can be used? (Choose TWO.)

Select 2 answers
A.secretsdump.py
B.Mimikatz
C.Nmap
D.Hydra
E.Wireshark
AnswersA, B

Secretsdump.py dumps SAM and NTDS.dit hashes.

Why this answer

Mimikatz is a well-known credential dumping tool, and secretsdump.py from Impacket can dump hashes remotely.

53
MCQmedium

A penetration tester needs to perform a dictionary attack against an SSH service. Which of the following tools is best suited for this task?

A.CrackMapExec
B.John the Ripper
C.Hashcat
D.Hydra
AnswerD

Correct. Hydra performs online brute-force attacks against services.

Why this answer

Hydra is a versatile online brute-force tool that supports many protocols, including SSH.

54
Multi-Selectmedium

A penetration tester is reviewing a Java application for insecure deserialization vulnerabilities. Which of the following should the tester look for? (Choose TWO.)

Select 2 answers
A.Accepting serialized objects from user input without sanitization
B.Use of eval() functions
C.Hardcoded credentials in configuration files
D.Use of prepared statements for SQL queries
E.Use of ObjectInputStream without validation
AnswersA, E

Untrusted input can lead to deserialization attacks.

Why this answer

Insecure deserialization vulnerabilities often arise from using ObjectInputStream without filtering and from accepting serialized data from untrusted sources.

55
MCQhard

During a code review of a PHP web application, you encounter the following code: $result = mysql_query("SELECT * FROM users WHERE username='" . $_GET['user'] . "'");. Which vulnerability does this represent?

A.Cross-site scripting (XSS)
B.Path traversal
C.Command injection
D.SQL injection
AnswerD

Correct: unsanitized input in SQL query leads to injection.

Why this answer

Direct concatenation of user input into SQL query without sanitization or parameterization is classic SQL injection.

56
Multi-Selecthard

A penetration tester is reverse-engineering a .NET binary to understand its authentication logic. Which three tools are suitable for decompiling .NET assemblies? (Choose THREE.)

Select 3 answers
A.jadx
B.dotPeek
C.Ghidra
D.ILSpy
E.dnSpy
AnswersB, D, E

JetBrains dotPeek is a free .NET decompiler.

Why this answer

dnSpy, ILSpy, and JetBrains dotPeek are decompilers for .NET. Ghidra is for native code, jadx for Android APK.

57
MCQhard

A penetration tester is analyzing a Linux binary and wants to decompile it to understand its logic. Which open-source tool is specifically designed for reverse engineering and can generate C-like pseudocode from compiled binaries?

A.IDA Pro Free
B.dnSpy
C.Ghidra
D.jadx
AnswerC

Correct. Ghidra includes a decompiler that produces pseudocode.

Why this answer

Ghidra, developed by the NSA, is a reverse engineering framework that can decompile binaries into C-like pseudocode.

58
Multi-Selecthard

A penetration tester is performing a wireless assessment and wants to set up an evil twin attack. Which of the following steps are necessary? (Choose THREE.)

Select 3 answers
A.Create a rogue access point with the same SSID as the target network
B.Configure WPA3 encryption on the rogue AP
C.Use Wireshark to decrypt the traffic
D.Capture the WPA handshake when clients attempt to connect
E.Send deauthentication frames to disconnect clients from the genuine AP
AnswersA, D, E

The evil twin must mimic the legitimate AP.

Why this answer

An evil twin attack involves creating a rogue access point with the same SSID as a legitimate network, deauthenticating clients, and capturing the handshake.

59
Multi-Selecthard

A tester has compromised a Linux server and wants to maintain persistence. Which three actions would be typical for post-exploitation? (Choose three.)

Select 4 answers
A.Change the root password to a known value
B.Install a web shell in the web root directory
C.Disable SELinux
D.Create a new user account with root privileges
E.Add an SSH public key to the root authorized_keys file
AnswersA, B, D, E

Also a common persistence method.

Why this answer

Changing the root password to a known value ensures the tester can regain root access even if the original password is changed or the session is lost. This is a common persistence technique because it directly controls authentication credentials for the most privileged account on the system.

Exam trap

Cisco often tests the distinction between persistence (maintaining access) and defense evasion (hiding or disabling security controls), so candidates mistakenly select disabling SELinux as a persistence action when it is actually a technique to avoid detection or enforcement of policies.

Ready to test yourself?

Try a timed practice session using only Ptp Tools Code questions.