CCNA Tools And Code Analysis Questions

75 of 100 questions · Page 1/2 · Tools And Code Analysis topic · Answers revealed

1
MCQ · medium

You are performing a web application penetration test for a client that uses a custom content management system (CMS). During the initial reconnaissance, you identify that the CMS has a file upload feature that accepts JPEG images. You suspect that the application may be vulnerable to unrestricted file upload, allowing you to upload a malicious PHP script to gain remote code execution. However, the application validates file extensions and checks the MIME type of the uploaded file. You have access to Burp Suite and a Python environment. Which of the following approaches is most likely to successfully bypass the file upload restrictions and achieve remote code execution?

A. Change the file extension to .php.jpg and submit using Burp Repeater
B. Encode the PHP payload in base64 and submit it as a JPEG file
C. Use curl with --data-binary to send a raw PHP payload with a proper JPEG content-type header
D. Create a polyglot file that starts with JPEG magic bytes but contains PHP code at the end, and upload with a .php extension
Answer: D

Polyglot files can pass MIME type checks while containing executable code.

Why this answer

Option D is correct because appending PHP code to a valid JPEG image (polyglot) can bypass MIME type checks and extension filters if the application only inspects the magic bytes. Option A is wrong because changing the extension to .php.jpg will likely be rejected by the extension whitelist. Option C is wrong because curl's --data-binary is not designed for file upload with multipart/form-data.

Option B is wrong because base64 encoding the payload does not change the content type and will still be detected as PHP.

2
MCQ · medium

A penetration tester is analyzing a PowerShell script that contains the following code: `Get-WmiObject -Class Win32_Service | Where-Object {$_.PathName -like "* *"} | Select-Object Name, PathName, State`. What is the primary purpose of this script?

A. Enumerate all installed services to find vulnerable applications
B. Identify services that run with elevated privileges
C. List services that have unquoted paths in their binary path
D. Check for services with weak file permissions
Answer: C

The wildcard pattern '* *' catches paths with spaces, which is the hallmark of an unquoted service path vulnerability. The script identifies such services for further analysis.

Why this answer

The script uses Get-WmiObject to query the Win32_Service class, then filters with Where-Object where the PathName property contains a space (the -like '* *' pattern). This specifically targets services whose binary path includes a space but is not enclosed in quotes, a classic unquoted service path vulnerability. The Select-Object then outputs the service name, path, and state, making option C the correct answer.

Exam trap

Cisco often tests the distinction between enumerating services for unquoted paths versus checking for weak permissions or privilege levels; the trap here is that candidates may confuse the path format check with a security permission audit.

How to eliminate wrong answers

Option A is wrong because the script does not check for vulnerabilities in the services themselves; it only looks at the path format. Option B is wrong because the script does not filter or check for elevated privileges (e.g., LocalSystem account); it simply lists services with unquoted paths regardless of privilege level. Option D is wrong because the script does not examine file permissions (e.g., using Get-Acl or checking weak DACLs); it only inspects the path string for spaces.
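Added example, not part of the question bank: the same audit logic in Python so it can be run offline against constructed `PathName` values (the sample list below is made up, not taken from a real host). It also shows the caveat a defender hits with the one-liner above: `-like "* *"` matches any space in the PathName, so quoted paths and paths whose arguments contain spaces are reported too. The refined check only flags paths that are unquoted and have a space inside the executable portion, and lists the lookup locations the Service Control Manager tries first (the documented CreateProcess behaviour: `C:\Program.exe`, then `C:\Program Files\Bad.exe`, and so on), which are the directories whose write ACLs need reviewing.

```python
import re

# Constructed Win32_Service PathName values for the example; not taken from a real host.
SAMPLE_SERVICES = [
    ("GoodSvc", r'"C:\Program Files\Good App\good.exe" -service'),
    ("BadSvc", r"C:\Program Files\Bad App\bad.exe"),
    ("BadSvcArgs", r"C:\Program Files\Bad App\bad.exe -k netsvcs"),
    ("SystemSvc", r"C:\Windows\system32\svchost.exe -k LocalService"),
    ("NoSpaceSvc", r"C:\Tools\agent.exe"),
]

EXE_RE = re.compile(r"(?i)^(.*?\.exe)")


def pathname_has_space(path_name: str) -> bool:
    """Equivalent of the page's `-like "* *"` filter: any space anywhere, quoted or not."""
    return " " in path_name


def executable_part(path_name: str) -> str:
    """Return the executable portion of a PathName (everything up to the first '.exe')."""
    s = path_name.strip()
    m = EXE_RE.match(s)
    return m.group(1) if m else s


def is_unquoted_with_spaces(path_name: str) -> bool:
    """True when the path is not wrapped in quotes and the executable path itself has a space."""
    s = path_name.strip()
    if not s or s.startswith('"'):
        return False
    return " " in executable_part(s)


def lookup_candidates(exe_path: str) -> list:
    """Files the Service Control Manager tries, in order, for an unquoted path with spaces."""
    parts = exe_path.split(" ")
    candidates = [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]
    candidates.append(exe_path)  # the real binary is tried last
    return candidates


def audit(services) -> dict:
    """Map each flagged service to the lookup locations (not the real binary) to ACL-check."""
    findings = {}
    for name, path_name in services:
        if is_unquoted_with_spaces(path_name):
            findings[name] = lookup_candidates(executable_part(path_name))[:-1]
    return findings


if __name__ == "__main__":
    print("flagged by '* *':", [n for n, p in SAMPLE_SERVICES if pathname_has_space(p)])
    for name, locations in audit(SAMPLE_SERVICES).items():
        print(name, "->", locations)
```

Running it shows the wildcard filter flagging four of the five sample services while the refined audit reports only the two genuinely unquoted ones.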

3
MCQ · easy

A penetration tester runs the following command: nmap -sS -p 1-65535 -T4 -A -O --reason target. What is the primary purpose of the -A option in this command?

A. Enables OS detection, version detection, script scanning, and traceroute.
B. Sets the timing template to aggressive (level 4).
C. Enables aggressive scanning that is more likely to be detected by the target.
D. Performs a SYN (half-open) scan.
Answer: A

Correct. -A is an aggregation flag that combines several scanning techniques to provide detailed information about the target's operating system, running services, and other characteristics.

Why this answer

The -A option in nmap is a composite flag that enables OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute (--traceroute) in a single switch. This is explicitly documented in nmap's man page and is designed to provide comprehensive reconnaissance in one command, making option A correct.

Exam trap

The trap here is that candidates confuse the 'aggressive' label of -A with nmap's timing templates (e.g., -T4 or -T5), which are actually named 'aggressive' and 'insane' in the documentation, leading them to incorrectly associate -A with scan speed or detectability rather than its true composite functionality.

How to eliminate wrong answers

Option B is wrong because the -T4 flag, not -A, sets the timing template to aggressive (level 4); -A does not control timing. Option C is wrong because while -A does enable 'aggressive' scanning in the sense of combining multiple scan types, the term 'aggressive scanning' in nmap specifically refers to timing templates (e.g., -T4 or -T5), not the -A option, and -A does not inherently make the scan more detectable than other scan combinations.

4
MCQ · hard

A penetration tester is analyzing a Bash script that automates a password spraying attack. The script contains the following loop: 'for user in $(cat users.txt); do for pass in $(cat passwords.txt); do curl -s -o /dev/null -w "%{http_code}" --data "user=$user&pass=$pass" http://target/login; done; done'. The script runs but the output is a continuous stream of HTTP status codes that are hard to interpret. Which improvement would most effectively help the tester identify a successful login?

A. Add a delay with 'sleep 1' between requests to avoid rate limiting.
B. Pipe the output to 'grep -v 200' to exclude any responses that are not 200 OK.
C. Add a conditional statement that checks if the HTTP status code is 302 (redirect) or 200, and if so, prints the successful credentials.
D. Use 'curl -v' to see the full response headers.
Answer: C

This directly identifies successful login attempts by checking for common success status codes and outputting the credentials.

Why this answer

Option C is correct because the script currently outputs a raw stream of HTTP status codes with no context. Adding a conditional to check for 302 (redirect, often indicating a successful login) or 200 (OK) and printing the corresponding credentials allows the tester to immediately identify which user/password pair succeeded, turning an unreadable output into actionable intelligence.

Exam trap

The trap here is that candidates assume filtering out 200 codes (Option B) will reveal successes, but they overlook that many real-world login flows use a 302 redirect for success, making 'grep -v 200' ineffective or misleading.

How to eliminate wrong answers

Option A is wrong because adding a delay with 'sleep 1' would only slow down the attack to avoid rate limiting or detection; it does not help interpret the output stream of status codes. Option B is wrong because piping to 'grep -v 200' would exclude 200 responses, but a successful login might return a 302 redirect (common in web apps) or even a 200; filtering out 200 could miss successes and still leave other codes (e.g., 401, 403) in the output, failing to clearly identify the successful credentials.

5
MCQ · medium

A penetration tester is using Burp Suite to intercept and modify HTTP traffic. When browsing to an HTTPS site, the tester observes that the requests are encrypted and not being intercepted by Burp. Which configuration step is most likely missing?

A. The proxy listener is not configured to listen on the correct port
B. The Burp CA certificate has not been installed in the browser's trust store
C. The browser's proxy settings are not configured to use Burp
D. The target site is not in Burp's scope
Answer: B

Correct. Burp acts as a man-in-the-middle for HTTPS by generating a certificate for each site signed by its own CA. The browser's trust store must contain the Burp CA certificate, or it will reject the connection.

Why this answer

Burp Suite intercepts HTTPS traffic by acting as a man-in-the-middle, which requires the browser to trust Burp's self-signed CA certificate. Without installing the Burp CA certificate in the browser's trust store, the browser will refuse to establish a TLS connection through the proxy, leaving requests encrypted end-to-end and invisible to Burp.

Exam trap

The trap here is that candidates confuse proxy configuration (setting the browser to use Burp as a proxy) with TLS interception setup, assuming that simply pointing the browser at the proxy is sufficient to intercept HTTPS traffic.

How to eliminate wrong answers

Option A is wrong because the proxy listener port (typically 8080) is irrelevant to TLS interception; even if the port is correct, HTTPS traffic will still be encrypted without the CA certificate. Option C is wrong because the browser's proxy settings must be configured to route traffic through Burp, but the question states the tester is browsing and observing encrypted requests, implying proxy settings are already in place; the missing step is trust of the CA certificate.

6
MCQ · medium

A penetration tester is reviewing a Bash script that contains the following line: 'hydra -l admin -P /usr/share/wordlists/rockyou.txt $TARGET http-post-form "/login:username=^USER^&password=^PASS^:Invalid login"'. What is the primary purpose of this command?

A. Directory brute-forcing
B. Password spraying
C. Credential brute-force on a web login form
D. SQL injection
Answer: C

Hydra's http-post-form module performs brute-force attacks on web forms, substituting username and password fields.

Why this answer

Option C is correct because the Hydra command targets a specific web login form (http-post-form) with a single username (-l admin) and a large password list (rockyou.txt), performing a credential brute-force attack. The syntax defines the POST parameters (username=^USER^&password=^PASS^) and the failure indicator ('Invalid login'), which Hydra uses to iterate through passwords until a successful login is found.

Exam trap

CompTIA often tests the distinction between brute-force (single user, many passwords) and password spraying (many users, single password), and candidates confuse the two because both involve credential guessing.

How to eliminate wrong answers

Option A is wrong because directory brute-forcing uses tools like dirb, gobuster, or ffuf to discover hidden paths or files, not Hydra with login credentials. Option B is wrong because password spraying uses a single password against multiple usernames, whereas this command uses a single username (-l admin) with many passwords, which is the opposite pattern.

7
MCQ · medium

A penetration tester is analyzing a Python script that uses the 'requests' library to send HTTP POST requests to a target URL with different payloads. The script also implements a retry mechanism with exponential backoff. What is the most likely purpose of this script?

A. Directory brute-forcing
B. Password spraying
C. SQL injection testing
D. Session hijacking
Answer: B

The script sends POST requests (likely to a login endpoint) with different payloads (passwords) and uses retry with backoff to evade rate limiting, which is characteristic of password spraying.

Why this answer

The script sends HTTP POST requests with different payloads and implements a retry mechanism with exponential backoff. This behavior is characteristic of password spraying, where an attacker attempts a small number of common passwords against many usernames to avoid account lockouts. The exponential backoff helps evade rate-limiting and intrusion detection systems by gradually increasing delays between attempts.

Exam trap

The trap here is that candidates may confuse password spraying with brute-force attacks, but the key distinction is that password spraying uses a small set of passwords across many accounts, while brute-force focuses on many passwords for a single account.

How to eliminate wrong answers

Option A is wrong because directory brute-forcing typically uses HTTP GET requests to discover hidden paths, not POST requests with payloads. Option C is wrong because SQL injection testing usually involves sending crafted payloads in GET parameters or POST data, but the retry mechanism with exponential backoff is not a standard technique for SQLi; it is more aligned with authentication bypass attempts. Option D is wrong because session hijacking involves stealing or predicting session tokens (e.g., cookies or JWTs), not sending POST requests with different payloads and retries.

8
MCQ · medium

A penetration tester is analyzing a PowerShell script used for post-exploitation on a Windows domain. The script contains the following line: `Invoke-Command -ComputerName $target -ScriptBlock { get-process -Name "explorer" }`. What is the primary purpose of this command?

A. To start the Explorer process on a remote system
B. To check if a user is logged in on the remote system
C. To enumerate running processes on the remote system
D. To execute a script block locally on the remote system
Answer: B

The presence of explorer.exe is a strong indicator of an interactive user session.

Why this answer

The `Get-Process -Name 'explorer'` command retrieves the Explorer process, which runs only when a user is interactively logged into the Windows desktop. If the command returns a process object, it confirms a user session is active on the remote system. This is a common post-exploitation technique to verify user presence before executing further actions like keylogging or token theft.

Exam trap

The trap here is that candidates see 'Get-Process' and assume it enumerates all processes (option C), missing the specific filter for 'explorer' which is a known indicator of an active user session.

How to eliminate wrong answers

Option A is wrong because `Invoke-Command` with `Get-Process` does not start any process; it only queries existing processes. Option C is wrong because the script block filters specifically for the 'explorer' process, not all running processes, so it does not enumerate all processes. Option D is wrong because `Invoke-Command` executes the script block on the remote system specified by `-ComputerName`, not locally.

9
MCQ · medium

A penetration tester is analyzing a web application's JavaScript files to discover hidden API endpoints and potential client-side vulnerabilities. Which tool is specifically designed to extract URLs and endpoints from JavaScript files?

A. Wireshark
B. Burp Suite's Target scope
C. LinkFinder
D. Nmap
Answer: C

LinkFinder is a dedicated tool for finding endpoints in JavaScript files.

Why this answer

LinkFinder is a Python-based tool specifically designed to extract URLs and endpoints from JavaScript files by using regular expressions and parsing techniques. It analyzes JS files for patterns like API routes, relative paths, and hardcoded URLs, making it ideal for discovering hidden endpoints during web application penetration testing.

Exam trap

The trap here is that candidates may confuse network analysis tools (Wireshark) or general-purpose scanners (Nmap) with specialized JavaScript endpoint extractors, or assume Burp Suite's scope management is a discovery tool rather than a filtering mechanism.

How to eliminate wrong answers

Option A is wrong because Wireshark is a network protocol analyzer that captures and inspects packets at the OSI layers 2-7, not a tool for parsing JavaScript files or extracting URLs from code. Option B is wrong because Burp Suite's Target scope defines which hosts and URLs Burp will intercept or scan, but it does not extract endpoints from JavaScript files; that requires a dedicated JS parser like LinkFinder or Burp's built-in Engagement tools. Option D is wrong because Nmap is a network scanning tool used for host discovery, port scanning, and service enumeration, and it has no capability to parse JavaScript files or extract API endpoints.

10
MCQ · hard

A tester is analyzing a piece of malware and needs to identify the original entry point after unpacking. Which technique is most appropriate?

A. Original Entry Point (OEP) finding
B. Hash analysis
C. Import hash matching
D. Code signing verification
Answer: A

OEP finding locates the real entry point after the unpacking stub.

Why this answer

Option A is correct because finding the Original Entry Point (OEP) is a standard step after unpacking to resume analysis. Option B is wrong because hash analysis identifies known malware. Option C is wrong because import hash matching identifies library versions.

Option D is wrong because code signing verification checks authenticity.

11
Matching · medium

Match each Phase of the Penetration Testing Execution Standard (PTES) to its description.


Scope definition, rules of engagement, legal agreements

Collecting information about the target via OSINT

Identifying assets, threats, and attack vectors

Scanning and testing for vulnerabilities

Gaining unauthorized access using exploits

Why these pairings

PTES defines standard phases for penetration testing engagements.

12
MCQ · hard

A penetration tester is analyzing a PowerShell script that uses the 'Invoke-Command' cmdlet to execute commands on remote machines, and 'Set-Service' to change service startup types. What attack is this script most likely performing?

A. Remote service modification for persistence.
B. Lateral movement via PsExec.
C. Credential dumping.
D. Data exfiltration.
Answer: A

By using Invoke-Command to run Set-Service on remote machines, the attacker can enable services or set them to auto-start, ensuring their backdoor continues to run after restart.

Why this answer

The script uses Invoke-Command to execute commands on remote machines and Set-Service to change service startup types. This combination is commonly used to modify a service to start automatically or to create a new service that runs malicious code, establishing persistence on a remote system. The attack does not involve lateral movement via PsExec (which uses SMB and service control manager differently) nor credential dumping (which requires tools like Mimikatz or direct memory access).

Exam trap

The trap here is that candidates confuse the use of Invoke-Command (PowerShell Remoting) with PsExec, but PsExec is a distinct tool that does not use the Invoke-Command cmdlet, and the focus on service modification points to persistence rather than lateral movement or credential theft.

How to eliminate wrong answers

Option B is wrong because PsExec is a separate tool that uses SMB and the Windows Service Control Manager to execute processes remotely, not the Invoke-Command cmdlet which relies on WinRM (WS-Management). Option C is wrong because credential dumping involves extracting password hashes or plaintext credentials from memory (e.g., LSASS) or registry, not modifying service startup types with Set-Service.

13
MCQ · medium

A penetration tester writes a Python script to test for directory traversal vulnerabilities in a web application. The script uses the requests library to send a payload like '../../etc/passwd' and checks if the response contains the string 'root:'. However, the tester notices many false negatives because the application requires URL encoding of the dots and slashes. Which code modification would BEST improve the detection rate?

A. Increase the number of payloads in the list
B. URL-encode the payload using urllib.parse.quote()
C. Check the HTTP status code instead of response content
D. Use raw sockets to send HTTP requests manually
Answer: B

Proper URL encoding ensures the payload is correctly interpreted by the server, matching common attack vectors.

Why this answer

Option B is correct because the penetration tester's script is failing to detect directory traversal vulnerabilities due to the web application requiring URL-encoded characters. By using `urllib.parse.quote()` to URL-encode the dots and slashes in the payload (e.g., `%2e%2e%2f` for `../`), the request matches the application's expected input format, reducing false negatives. This directly addresses the root cause—encoding—rather than adding more payloads or changing the detection method.

Exam trap

The trap here is that candidates may think adding more payloads (Option A) or checking status codes (Option C) will solve the detection issue, but the core problem is the lack of proper encoding to match the application's input handling, which is a common oversight in web application testing.

How to eliminate wrong answers

Option A is wrong because increasing the number of payloads in the list does not fix the encoding issue; it only adds more unencoded payloads that will still be rejected or mishandled by the application, leading to continued false negatives. Option C is wrong because checking the HTTP status code instead of response content would not improve detection of directory traversal; the application might return a 200 OK even when the traversal fails (e.g., a generic error page), and the presence of 'root:' in the response is a more reliable indicator of successful exploitation.
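Added example, not part of the question bank: it shows what `urllib.parse.quote()` actually produces for the traversal string and, on the defending side, the server-side check that makes encoding irrelevant. Two caveats a practitioner wants here: `quote()` never encodes `.` and by default keeps `/` as safe, so `quote("../../etc/passwd")` returns the string unchanged; pass `safe=''` to get `..%2F..%2Fetc%2Fpasswd`. And the reason encoded variants matter for detection is that a server that decodes before joining paths sees the same `../../` either way. The `resolve_under_base()` function below is an assumed hardening routine (my own code, not from any library): it decodes repeatedly to defeat double encoding, normalises the path, and refuses anything that escapes the base directory. All paths and inputs are constructed.

```python
import posixpath
from urllib.parse import quote, unquote

BASE_DIR = "/var/www/files"  # constructed example document root


def encode_payload(value: str) -> str:
    """URL-encode a test value. safe='' is needed so '/' becomes %2F; '.' is never encoded."""
    return quote(value, safe="")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Decode until the value stops changing, so %252F (double-encoded) also resolves to '/'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_under_base(base_dir: str, requested: str):
    """Server-side check: return the resolved path if it stays inside base_dir, else None.

    Backslashes are folded to '/' so Windows-style ..\\..\\ sequences are treated the same way.
    """
    decoded = fully_decode(requested).replace("\\", "/")
    joined = posixpath.normpath(posixpath.join(base_dir, decoded.lstrip("/")))
    base = posixpath.normpath(base_dir)
    if joined == base or joined.startswith(base + "/"):
        return joined
    return None


def is_traversal_attempt(requested: str, base_dir: str = BASE_DIR) -> bool:
    """Detection view of the same rule: any request that would escape the base directory."""
    return resolve_under_base(base_dir, requested) is None


if __name__ == "__main__":
    for probe in ["reports/q1.txt", "../../etc/passwd", encode_payload("../../etc/passwd"),
                  "..%252F..%252Fetc%252Fpasswd", "%2e%2e/%2e%2e/etc/passwd", "..%5C..%5Cetc%5Cpasswd"]:
        print(f"{probe!r:45} -> {resolve_under_base(BASE_DIR, probe)}")
```

The loop at the bottom prints the plain, single-encoded, double-encoded, dot-encoded and backslash variants side by side; only the legitimate relative path resolves.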

14
Multi-Select · easy

Which two tools are commonly used for password cracking in penetration testing?

Select 2 answers
A. Metasploit
B. Nmap
C. Hashcat
D. John the Ripper
E. Wireshark
Answers: C, D

Hashcat is a password cracking tool.

Why this answer

Options C and D are correct. Hashcat and John the Ripper are widely used password crackers. Option E is wrong because Wireshark is a packet analyzer.

Option B is wrong because Nmap is a network scanner. Option A is wrong because Metasploit is an exploitation framework.

15
MCQ · medium

A penetration tester is writing a Bash script to automate the extraction of password hashes from a Windows system after gaining SYSTEM-level access. The script uses 'reg.exe' to save the SAM and SYSTEM hives. Which command should the tester include in the script to export the SAM hive to a file?

A. reg save HKLM\SAM sam.hive
B. reg export HKLM\SAM sam.hive
C. reg backup HKLM\SAM sam.hive
D. reg copy HKLM\SAM sam.hive
Answer: A

reg save creates a binary copy of the hive, which can be used for offline extraction.

Why this answer

The correct command is 'reg save HKLM\SAM sam.hive' because 'reg save' creates a binary copy of the specified registry hive, which is necessary for offline extraction of password hashes. The SAM hive contains the hashed credentials, and saving it as a file allows tools like 'samdump2' or 'secretsdump.py' to parse the hashes. The other options either export in a non-binary format or use a non-existent command.

Exam trap

The trap here is that candidates confuse 'reg export' (which produces a human-readable text file) with 'reg save' (which produces a binary hive file), leading them to choose the export option for hash extraction.

How to eliminate wrong answers

Option B is wrong because 'reg export' exports the registry hive in a text-based .reg file format, which is not suitable for binary hash extraction and cannot be parsed by hash-dumping tools. Option C is wrong because 'reg backup' is not a valid command in reg.exe; the correct command for saving a hive is 'reg save', and 'backup' is a misconception or a different utility.

16
MCQ · medium

A penetration tester is using Burp Suite to test a web application. The tester notices that the application relies on client-side JavaScript validation to restrict input. To bypass this validation and test for server-side vulnerabilities, which Burp Suite feature is MOST useful for automatically modifying requests before they are sent to the server?

A. Proxy (with Match and Replace rules)
B. Intruder
C. Repeater
D. Decoder
Answer: A

The Proxy module intercepts HTTP traffic and can apply automatic modifications via Match and Replace rules, effectively bypassing client-side restrictions.

Why this answer

The Proxy's Match and Replace rules allow the tester to automatically modify HTTP requests in transit, such as stripping or altering client-side validation parameters (e.g., maxlength, pattern attributes) before they reach the server. This bypasses client-side JavaScript restrictions because the modifications occur after the browser's validation but before the request is forwarded to the server, enabling direct testing of server-side input handling.

Exam trap

The trap here is that candidates often confuse Intruder's ability to send many requests with automatic modification of live traffic, not realizing that Intruder requires manual payload configuration and does not intercept browser-generated requests in real-time like Proxy Match and Replace does.

How to eliminate wrong answers

Option B (Intruder) is wrong because Intruder is designed for automated brute-force attacks, fuzzing, or parameter enumeration by sending many crafted requests, but it does not automatically modify requests as they pass through a proxy; it requires manual configuration of payload positions and does not intercept live browser traffic. Option C (Repeater) is wrong because Repeater is used for manually resending and tweaking individual requests after they have been captured, but it does not automatically modify requests in real-time before they are sent to the server; it operates on already-captured requests and lacks the automatic, on-the-fly substitution capability of Match and Replace rules.

17
MCQ · easy

A penetration tester needs to enumerate active hosts and open ports on a network segment with minimal network traffic. Which tool should the tester use?

A. Nmap
B. Metasploit
C. Nikto
D. Hydra
Answer: A

Nmap is the standard tool for host discovery and port scanning, with options like -sn for ping sweeps that produce minimal traffic.

Why this answer

Nmap with -sn (ping scan) is designed for host discovery using minimal network traffic. Hydra is for password cracking, Metasploit is an exploitation framework, and Nikto is a web server scanner.

18
MCQ · medium

During a penetration test, a tester needs to capture and analyze the traffic between a client and a server over an encrypted HTTPS connection. The tester has access to the server's private key. Which technique or tool should the tester employ?

A. Use Nmap's ssl-enum-ciphers script
B. Use Burp Suite with a proxy
C. Import the private key into Wireshark and enable TLS decryption
D. Capture packets with TCPDump and analyze with OpenSSL
Answer: C

Wireshark can use the private key to decrypt TLS traffic when configured in the TLS protocol preferences.

Why this answer

Using Wireshark with the server's private key allows decryption of TLS traffic by configuring the SSL/TLS protocol with the private key in the preferences. Burp Suite requires a CA certificate and proxy setup, but without client-side changes, it's less direct. TCPDump alone cannot decrypt.

OpenSSL can be used to decrypt a captured session if the handshake is captured, but Wireshark is the standard tool for analysis.

19
Multi-Select · medium

A penetration tester is analyzing a network packet capture to identify potential attacks. Which two indicators suggest a successful SQL injection attempt?

Select 2 answers
A. Multiple failed login attempts
B. A large number of HTTP 500 errors
C. A query string containing ' OR 1=1--
D. Unexpected data in the response body
E. A significant increase in outbound traffic
Answers: C, D

This is a classic SQL injection payload.

Why this answer

Options C and D are correct. C shows a direct SQL injection attempt. D shows unexpected data in the response, indicating successful extraction.

Option B is wrong because 500 errors might occur but are not specific. Option E is wrong because outbound traffic is not a direct indicator. Option A is wrong because login failures relate to authentication, not SQL injection.

20
MCQ · hard

A penetration tester is analyzing a password hash obtained from a Windows domain controller. The hash format is $NT$70676e... and the tester wants to crack it using a rule-based attack. Which tool is best suited for this task?

A. Cain & Abel
B. John the Ripper
C. Hydra
D. Nikto
Answer: B

John the Ripper has built-in support for NTLM hashes and rule-based attacks.

Why this answer

John the Ripper is a classic password cracker that supports NTLM hashes and rule-based attacks. Hashcat is also capable but typically requires specifying the hash mode; John is more straightforward for initial cracking. Hydra is for online cracking, not offline hash cracking.

Cain & Abel is outdated and less efficient.

21
MCQ · medium

A penetration tester is analyzing a Python script that uses the 'scapy' library. The script contains the line: `packet = IP(dst='10.0.0.1')/TCP(dport=80, flags='S')`. The tester then uses `sr1(packet, timeout=2)`. What is the primary purpose of this code?

A. Perform a TCP SYN scan to determine if port 80 is open
B. Perform a DNS resolution for the target IP
C. Send a TCP ACK packet to test firewall rules
D. Complete a full TCP three-way handshake
Answer: A

The SYN packet is sent; if a SYN-ACK is received, the port is open. This is a stealthy port scan technique.

Why this answer

The code constructs an IP packet with destination 10.0.0.1 and a TCP segment with destination port 80 and the SYN flag set (flags='S'). The sr1() function sends this packet and waits for a response (up to 2 seconds). This is the classic technique for a TCP SYN scan: if a SYN-ACK is received, the port is open; if an RST is received, the port is closed.

The primary purpose is therefore to probe whether port 80 on the target is open.

Exam trap

The trap here is confusing the flags in a TCP header: candidates may mistakenly think 'S' stands for 'send' or 'scan' rather than 'SYN', or they may conflate SYN scans with ACK scans, which serve different purposes in firewall rule detection.

How to eliminate wrong answers

Option B is wrong because DNS resolution is performed using DNS query packets (typically UDP port 53) or via libraries like socket.gethostbyname(), not by sending a TCP SYN packet to port 80. Option C is wrong because a TCP ACK packet would have flags='A', not flags='S'; ACK scans are used to map firewall rules (looking for RST responses), not to determine if a port is open.
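Added example, not part of the question bank and not using scapy: the response interpretation this question describes (SYN-ACK means open, RST means closed, no reply means filtered) and the matching detection logic, both run over a constructed list of packet summaries rather than a live capture. `classify_ports()` reads the replies the way the `sr1()` result is read; `half_open_sources()` is the defender's view of the same traffic, flagging a source that sent SYNs to many ports without ever sending the third-step ACK, which is the signature that distinguishes a SYN scan from ordinary clients. The packet tuples, addresses and the `min_ports` threshold are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed packet summaries: (src, dst, sport, dport, flags). Not a real capture.
SAMPLE_PACKETS = [
    # Legitimate client completing a full handshake to port 80
    ("10.0.0.9", "10.0.0.1", 51000, 80, "S"),
    ("10.0.0.1", "10.0.0.9", 80, 51000, "SA"),
    ("10.0.0.9", "10.0.0.1", 51000, 80, "A"),
    # Half-open probes from 10.0.0.23 against six ports
    ("10.0.0.23", "10.0.0.1", 40001, 21, "S"),
    ("10.0.0.1", "10.0.0.23", 21, 40001, "RA"),      # closed
    ("10.0.0.23", "10.0.0.1", 40002, 22, "S"),
    ("10.0.0.1", "10.0.0.23", 22, 40002, "SA"),      # open
    ("10.0.0.23", "10.0.0.1", 40002, 22, "R"),       # prober tears down, never sends the ACK
    ("10.0.0.23", "10.0.0.1", 40003, 23, "S"),
    ("10.0.0.1", "10.0.0.23", 23, 40003, "RA"),
    ("10.0.0.23", "10.0.0.1", 40004, 80, "S"),
    ("10.0.0.1", "10.0.0.23", 80, 40004, "SA"),
    ("10.0.0.23", "10.0.0.1", 40004, 80, "R"),
    ("10.0.0.23", "10.0.0.1", 40005, 443, "S"),
    ("10.0.0.1", "10.0.0.23", 443, 40005, "RA"),
    ("10.0.0.23", "10.0.0.1", 40006, 8080, "S"),     # no reply at all: filtered
]


def classify_ports(packets, prober: str, target: str) -> dict:
    """Interpret replies the way an sr1() result is read: SYN-ACK open, RST closed, silence filtered."""
    result = {}
    for src, dst, sport, dport, flags in packets:
        if src == prober and dst == target and flags == "S":
            result.setdefault(dport, "filtered")
    for src, dst, sport, dport, flags in packets:
        if src == target and dst == prober and sport in result:
            if "S" in flags and "A" in flags:
                result[sport] = "open"
            elif "R" in flags:
                result[sport] = "closed"
    return result


def half_open_sources(packets, min_ports: int = 5) -> dict:
    """Detection: sources that sent SYNs to at least min_ports (dst, port) pairs they never ACKed."""
    probed = defaultdict(set)
    completed = defaultdict(set)
    for src, dst, sport, dport, flags in packets:
        if flags == "S":
            probed[src].add((dst, dport))
        elif flags == "A":  # bare ACK from the initiator = third step of the handshake
            completed[src].add((dst, dport))
    flagged = {}
    for src, ports in probed.items():
        unfinished = len(ports - completed[src])
        if unfinished >= min_ports:
            flagged[src] = unfinished
    return flagged


if __name__ == "__main__":
    print(classify_ports(SAMPLE_PACKETS, "10.0.0.23", "10.0.0.1"))
    print(half_open_sources(SAMPLE_PACKETS))
```

The legitimate client at 10.0.0.9 is not reported because its single SYN was followed by an ACK; the prober is reported with six unfinished handshakes, including the one to the filtered port where nothing came back.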

22
MCQ · medium

A penetration tester wrote a Python script to automate HTTP request fuzzing. The script uses the 'requests' library to send payloads and checks for reflected content in the response. The tester wants to analyze the script for potential improvements. Which of the following code changes would MOST directly reduce false positives in detecting reflection?

A. Convert the response to lowercase before checking for reflection
B. Add a random delay between requests
C. Remove the User-Agent header from requests
D. Use a session object to maintain cookies
Answer: A

Correct. Case-insensitive matching reduces false positives caused by case differences in the reflected content.

Why this answer

Option A directly reduces false positives by normalizing the case of the response before checking for reflected content. HTTP responses may contain the payload in different cases (e.g., 'Test' vs 'test'), and without case-insensitive matching, the script would miss reflections that differ only in case, incorrectly reporting a false negative. Converting to lowercase ensures that any case variation of the reflected payload is detected, thereby reducing false positives from case-sensitive mismatches.

Exam trap

CompTIA often tests the distinction between performance/evasion techniques (like delays or header manipulation) and accuracy improvements (like case normalization), leading candidates to mistakenly choose options that affect request timing or stealth rather than detection logic.

How to eliminate wrong answers

Option B is wrong because adding a random delay between requests is a technique to avoid rate limiting or detection by WAFs/IDS, not to reduce false positives in reflection detection; it does not affect the accuracy of content matching. Option C is wrong because removing the User-Agent header may actually increase false positives or cause request failures, as many web servers reject or alter responses for requests without a valid User-Agent, potentially introducing reflection artifacts or blocking the request entirely.

23
MCQhard

Based on the exhibit, which tool would be most effective for exploiting this vulnerability?

A.Burp Suite Repeater
B.Nikto
C.Hydra
D.sqlmap
AnswerD

sqlmap automates detection and exploitation of SQL injection flaws.

Why this answer

The error log shows a SQL injection vulnerability. SQLmap is designed to automate SQL injection exploitation. Burp Suite Repeater can manually craft requests, but sqlmap automates the process.

Hydra is for password cracking, and Nikto is for web scanning.

24
MCQmedium

While analyzing a malicious document, a tester extracts a VBA macro. Which tool can help decode the macro for analysis?

A.oledump
B.pdf-parser
C.Nmap
D.Wireshark
AnswerA

oledump can extract VBA macros from Office documents.

Why this answer

Option A is correct because oledump extracts and analyzes OLE objects, including VBA macros. Option B is wrong because pdf-parser is for PDF analysis. Option D is wrong because Wireshark is for network traffic.

Option C is wrong because Nmap is for network scanning.

25
MCQmedium

A penetration tester writes a Python script to test an API for vulnerabilities. The script sends requests with multiple payloads and checks if the response contains an error message indicating a potential injection. Which of the following code snippets would BEST reduce false positives by verifying that the injected parameter is processed?

A.Check if the response status code is 500 for each payload
B.Compare the response time of the injected request to a baseline without injection
C.Check if the response contains a specific error message that is only triggered when the injection is successful
D.Compare the response of the injected request to the response of a benign request with the same parameter structure
AnswerD

Correct. By comparing responses, the tester can confirm that the injection causes a different behavior than a normal request, reducing false positives.

Why this answer

Option D is correct because comparing the response of an injected request to a benign request with the same parameter structure directly confirms that the injected parameter was processed and caused a different application behavior, thereby reducing false positives. This technique, often called differential analysis, isolates the effect of the injection from normal variations in the API response, such as dynamic content or session tokens. It is more reliable than checking for specific error messages or status codes, which may be suppressed or generic.

Exam trap

The trap here is that candidates often choose Option C because they assume error messages are reliable indicators of injection success, but in practice, modern APIs suppress detailed errors and may return the same generic error for both benign and malicious inputs, making differential analysis a more robust approach.

How to eliminate wrong answers

Option A is wrong because a 500 status code indicates a server error but does not confirm that the injected parameter was processed; it could be triggered by malformed requests, resource exhaustion, or unrelated bugs, leading to false positives. Option B is wrong because comparing response time can detect time-based injections (e.g., SQLi with SLEEP), but it is not a general method for verifying that the injected parameter is processed; many injections do not cause measurable time differences, and network latency can introduce false positives. Option C is wrong because checking for a specific error message assumes the application exposes detailed error information, which is often disabled in production; moreover, the same error message might appear for benign inputs or other issues, causing false positives or negatives.
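The two accuracy improvements discussed in questions 22 and 25 (case-insensitive reflection matching and differential comparison against a benign baseline) can be combined in one small piece of detection logic. The following is an added example, not code from the original page or from any tool it names; the HTML responses are constructed inline for illustration, and the CSRF-token and timestamp patterns masked by `normalize()` are assumptions about what changes between otherwise identical pages.

```python
import difflib
import re

# Constructed sample responses for illustration; not captured from any real system.
# BASELINE_BODY is the reply to a benign search term, BASELINE_VARIANT is the same
# page served again (new CSRF token and timestamp), and INJECTED_BODY reflects a
# test string and adds a warning paragraph.
BASELINE_BODY = (
    "<html><body><h1>Search results</h1>"
    "<p>You searched for: widget</p>"
    '<input type="hidden" name="csrf" value="a1b2c3d4">'
    "<p>Generated at 2024-01-01T10:00:00Z</p></body></html>"
)
BASELINE_VARIANT = BASELINE_BODY.replace("a1b2c3d4", "9f8e7d6c").replace("10:00:00", "10:00:03")
INJECTED_BODY = (
    "<html><body><h1>Search results</h1>"
    "<p>You searched for: WIDGET'\"</p>"
    "<p>Warning: unexpected token in query</p>"
    '<input type="hidden" name="csrf" value="e5f6a7b8">'
    "<p>Generated at 2024-01-01T10:00:05Z</p></body></html>"
)

# Per-request values that differ between otherwise identical responses (assumed
# patterns). Masking them keeps ordinary page churn from looking like an injection effect.
DYNAMIC_PATTERNS = [
    (re.compile(r'name="csrf" value="[^"]*"'), 'name="csrf" value="TOKEN"'),
    (re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z"), "TIMESTAMP"),
]


def normalize(body: str) -> str:
    """Mask dynamic values, then lower-case so case differences do not matter."""
    for pattern, replacement in DYNAMIC_PATTERNS:
        body = pattern.sub(replacement, body)
    return body.lower()


def is_reflected(payload: str, body: str) -> bool:
    """Case-insensitive reflection check (the improvement asked for in question 22)."""
    return payload.lower() in body.lower()


def similarity(baseline: str, candidate: str) -> float:
    """Similarity (0.0 to 1.0) of two normalized bodies, using difflib's ratio."""
    matcher = difflib.SequenceMatcher(None, normalize(baseline), normalize(candidate), autojunk=False)
    return matcher.ratio()


def behaviour_changed(baseline: str, candidate: str, threshold: float = 0.95) -> bool:
    """Differential check (question 25): report a finding only when the injected
    response diverges from the benign baseline by more than normal page churn."""
    return similarity(baseline, candidate) < threshold


if __name__ == "__main__":
    print("reflected:", is_reflected("widget'\"", INJECTED_BODY))
    print("variant similarity:", similarity(BASELINE_BODY, BASELINE_VARIANT))
    print("injected similarity:", round(similarity(BASELINE_BODY, INJECTED_BODY), 3))
    print("behaviour changed:", behaviour_changed(BASELINE_BODY, INJECTED_BODY))
```

The threshold is deliberately a parameter: a page with large dynamic regions needs either more masking rules or a lower threshold, and the benign baseline should be fetched with the same parameter structure as the test request so that only the payload differs.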

26
MCQeasy

A penetration tester is analyzing a Python script that uses the 'socket' library. The script creates a socket, connects to a target IP and port, sends a payload, and then receives a response. The script is most likely designed for which type of attack?

A.Port scanning
B.Brute-force attack
C.Buffer overflow exploit
D.SQL injection
AnswerC

A buffer overflow exploit sends a crafted payload that overwrites memory, often followed by receiving a shell or status response.

Why this answer

The script uses the 'socket' library to create a raw TCP connection, send a payload, and receive a response. This pattern is characteristic of a buffer overflow exploit, where a crafted payload is sent to trigger a memory corruption vulnerability, often followed by receiving a shell or error response. The direct send-and-receive cycle with a specific payload aligns with exploitation, not reconnaissance or authentication testing.

Exam trap

The trap here is that candidates confuse the send-and-receive pattern with port scanning or brute-force attacks, overlooking that the script's single-payload design and lack of iteration or credential logic specifically indicate an exploit delivery mechanism.

How to eliminate wrong answers

Option A is wrong because port scanning typically involves iterating through multiple ports and analyzing connection states (e.g., SYN, ACK, RST) or timeouts, not sending a single payload and waiting for a response on one port. Option B is wrong because a brute-force attack requires repeated authentication attempts with different credentials, not a single payload transmission and response reception; the script lacks any loop or credential generation logic.

27
MCQeasy

A penetration tester is analyzing a Bash script used for post-exploitation enumeration. The script contains the line: `cat /etc/shadow | awk -F: '{print $1, $2}'`. What is the primary purpose of this command?

A.Display all usernames and their associated password hashes
B.Show the number of users in the system
C.Extract the usernames and home directories
D.List the account expiration dates
AnswerA

Correct. The command reads /etc/shadow and outputs each username and its password hash.

Why this answer

The command `cat /etc/shadow | awk -F: '{print $1, $2}'` reads the shadow file, which stores user account information including password hashes. The `-F:` sets the field separator to colon, and `{print $1, $2}` outputs the first field (username) and second field (password hash). This is a common post-exploitation technique to extract password hashes for offline cracking.

Exam trap

The trap here is that candidates may confuse `/etc/shadow` with `/etc/passwd`, which stores user metadata like home directories, leading them to incorrectly select option C instead of recognizing the hash extraction purpose.

How to eliminate wrong answers

Option B is wrong because counting users would require a different command, such as `wc -l` to count lines, not printing specific fields. Option C is wrong because home directories are stored in `/etc/passwd` (typically field 6), not in `/etc/shadow`, and this command only accesses the shadow file.

28
MCQeasy

During a penetration test of a corporate network, you discover a Linux server running a custom Python application that handles authentication for a web portal. The server is configured to allow SSH access only from a specific management subnet. You have obtained a limited shell on a different host within the same VLAN as the target server. From your limited shell, you can reach the target server on TCP port 22, but you do not have valid credentials. The Python authentication script uses a flat file database to store user credentials in the format 'username:hashed_password'. You suspect the script has a vulnerability that allows reading arbitrary files, such as the password file. Which of the following actions should you take to exploit this vulnerability?

A.Use Wireshark on the limited shell to capture SSH traffic and extract credentials
B.Perform a port knocking sequence to open SSH access to the target server
C.Craft an HTTP request to the web portal's authentication script with a path traversal payload to read the password file
D.Use Hydra to brute-force SSH credentials from the limited shell because it is on the same VLAN
AnswerC

If the script is vulnerable to path traversal, you can read the password file and crack hashes.

Why this answer

Option C is correct because a path traversal vulnerability in the authentication script can be used to read arbitrary files, including the password file, allowing you to extract hashes. Option D is wrong because brute-forcing SSH without knowing the management subnet source is unlikely to succeed and may be blocked. Option B is wrong because port knocking is not indicated in the scenario.

Option A is wrong because Wireshark is not available from the limited shell and would require local privilege escalation.

29
MCQeasy

A penetration tester wants to quickly identify the listening services on a target Linux server without performing a full port scan. The tester has obtained an unauthenticated shell as a low-privileged user. Which built-in command is most likely available on a modern Linux distribution to list all listening TCP sockets?

A.netstat -tlnp
B.ss -tlnp
C.lsof -i
D.ifconfig -a
AnswerB

ss is part of iproute2 and is commonly pre-installed; -t shows TCP, -l listening, -n numeric, -p shows process (if permitted).

Why this answer

Option B is correct because `ss -tlnp` is the modern replacement for `netstat` on Linux distributions that have deprecated `netstat` (e.g., RHEL 7+, Ubuntu 16.04+). It uses the `netlink` interface to read socket information directly from the kernel, making it faster and more reliable than parsing `/proc/net/tcp`. The flags `-t` (TCP), `-l` (listening), `-n` (numeric addresses/ports), and `-p` (show process) precisely list all listening TCP sockets without requiring root privileges for basic socket listing.

Exam trap

The trap here is that candidates assume `netstat` is universally available on Linux, but the PT0-002 exam tests awareness of modern tooling deprecation, where `ss` is the default built-in command on distributions like CentOS 7+ and Ubuntu 16.04+.

How to eliminate wrong answers

Option A is wrong because `netstat -tlnp` is not guaranteed to be available on modern Linux distributions; it is often deprecated or requires installation of the `net-tools` package, which is not installed by default on many minimal or containerized environments. Option C is wrong because `lsof -i` is not a built-in command on most Linux distributions; it must be installed separately via the `lsof` package, and it does not filter exclusively to listening TCP sockets without additional flags like `-sTCP:LISTEN`.

30
MCQmedium

A tester runs a Python script to perform a directory traversal attack. The output shows: 'Error: 403 Forbidden'. What is the most likely cause?

A.The script lacks authentication
B.The file does not exist
C.The request is malformed
D.The web server is patched against traversal attacks
AnswerD

A 403 Forbidden suggests the server rejected the malicious path.

Why this answer

Option D is correct because a 403 error indicates the server is blocking the request, likely due to proper input validation. Option B is wrong because if the file doesn't exist, a 404 would occur. Option C is wrong because the request is syntactically correct.

Option A is wrong because authentication is not shown; the error is forbidden, not unauthorized.

31
Multi-Selectmedium

Which TWO of the following are valid uses of the 'socat' tool during a penetration test? (Select TWO.)

Select 2 answers
A.Extracting files from an FTP server
B.Forwarding TCP ports to pivot through a compromised host
C.Performing a man-in-the-middle attack on HTTPS
D.Creating a reverse shell listener
E.Brute-forcing HTTP form authentication
AnswersB, D

Socat can create a relay to forward traffic, useful for pivoting.

Why this answer

Socat can be used to create a reverse shell listener (option D) and to forward ports (option B). It is not typically used for extracting files from an FTP server (A) or for brute-forcing HTTP form authentication (E); file retrieval is better done with curl or wget. Option C is incorrect because socat does not inherently perform a man-in-the-middle attack on HTTPS.

32
MCQeasy

A penetration tester is reviewing a Python script that automates a common network attack. The script imports the 'ftplib' and 'telnetlib' libraries. It reads a list of IP addresses from a file and, for each host, attempts to connect using a predefined username and password. If the connection succeeds, it logs the success. Which attack is the script most likely performing?

A.Brute-force attack against FTP and Telnet services
B.Vulnerability scanning for open ports
C.Password spraying attack against web applications
D.Service enumeration using banner grabbing
AnswerA

The script uses FTP and Telnet libraries to attempt connections with a known username and password, which is a brute-force attack against those services.

Why this answer

The script uses 'ftplib' and 'telnetlib' to attempt connections with a predefined username and password against multiple IP addresses. This is characteristic of a brute-force attack, where the attacker tries a single credential pair against many hosts to gain unauthorized access to FTP and Telnet services.

Exam trap

The trap here is confusing a brute-force attack (single credential against many hosts) with a password spraying attack (many usernames against a single host), leading candidates to incorrectly select option C when the script's logic clearly targets multiple hosts with one credential pair.

How to eliminate wrong answers

Option B is wrong because vulnerability scanning for open ports typically uses tools like Nmap or libraries like 'socket' to check for open ports, not 'ftplib' or 'telnetlib' for authenticated login attempts. Option C is wrong because password spraying attacks target web applications (often via HTTP/S) with many usernames and a few common passwords, whereas this script uses a single predefined username/password against multiple hosts, which is a classic brute-force pattern against network services, not web apps.

33
MCQeasy

Which tool is best for performing static analysis of Python code to find security vulnerabilities?

A.sqlmap
B.nmap
C.Bandit
D.Metasploit
AnswerC

Bandit scans Python code for common security issues.

Why this answer

Option C is correct because Bandit is a Python security linter. Option B is wrong because nmap is for network scanning. Option D is wrong because Metasploit is an exploitation framework.

Option A is wrong because sqlmap is for SQL injection testing.

34
MCQmedium

A penetration tester is analyzing a Python script used for web application testing. The script imports the 'socket' module and uses it to create a raw socket. Which of the following is the most likely purpose of the script?

A.Creating a reverse shell payload
B.Sending crafted TCP packets to perform a SYN flood
C.Parsing HTTP responses for header injection
D.Automating user-agent rotation for web requests
AnswerB

Raw sockets enable the construction of custom TCP packets with arbitrary flags, essential for a SYN flood attack where the attacker sends SYN packets without completing the handshake.

Why this answer

The 'socket' module in Python provides low-level networking interfaces, and creating a raw socket (using `socket.SOCK_RAW`) allows the script to craft and send custom packets at the IP layer. A SYN flood attack involves sending a high volume of TCP SYN packets with spoofed source IP addresses to exhaust a target's resources, which requires raw socket access to manipulate packet headers. Therefore, the most likely purpose of the script is sending crafted TCP packets to perform a SYN flood.

Exam trap

The trap here is that candidates may associate the 'socket' module only with standard TCP/UDP connections (like reverse shells) and overlook that raw sockets are specifically required for crafting custom packets in attacks like SYN floods, which operate at a lower network layer.

How to eliminate wrong answers

Option A is wrong because creating a reverse shell payload typically involves establishing a TCP connection (using `socket.SOCK_STREAM`) to a remote host, not raw sockets, and often uses higher-level libraries like `subprocess` or `pty` for shell interaction. Option C is wrong because parsing HTTP responses for header injection is an application-layer task that can be done with libraries like `requests` or `http.client`, and does not require raw socket manipulation at the network layer.

35
MCQhard

A penetration tester is analyzing a PowerShell script used during an internal test. The script contains the following code block:

```powershell
$cred = Get-Credential
$session = New-PSSession -ComputerName 'Server01' -Credential $cred
Invoke-Command -Session $session -ScriptBlock { Get-ChildItem C:\Secrets.txt }
Remove-PSSession $session
```

What is the primary purpose of this script?

A.To perform a local privilege escalation using stored credentials
B.To achieve lateral movement and access a file on a remote server
C.To brute-force the password of the user account via 'Get-Credential'
D.To execute a script from the remote server using the ScriptBlock
AnswerB

The script establishes a remote session to 'Server01' and executes a command to list a file, demonstrating lateral movement.

Why this answer

The script uses Get-Credential to obtain user credentials, creates a remote PowerShell session (PSSession) to Server01 via New-PSSession, and then executes Get-ChildItem C:\Secrets.txt on that remote server using Invoke-Command. This is the classic pattern for lateral movement: authenticating to a remote host and accessing a file stored there, not performing any local privilege escalation or password brute-forcing.

Exam trap

The trap here is that candidates may confuse the use of Get-Credential with a brute-force attack, or misinterpret the remote file access as a local privilege escalation, when the script's clear intent is lateral movement via PowerShell remoting.

How to eliminate wrong answers

Option A is wrong because the script does not attempt any local privilege escalation; it uses supplied credentials to connect to a remote server, not to elevate privileges on the local machine. Option C is wrong because Get-Credential simply prompts for or retrieves stored credentials; it does not perform any brute-force attack against a user account's password.

36
MCQeasy

A penetration tester is analyzing a Bash script that contains the following line: 'for ip in $(cat ip_list.txt); do nc -zv $ip 22; done'. What is the primary purpose of this script?

A.To perform a banner grab on port 22 for each IP
B.To test if port 22 is open on each IP in the list
C.To establish a remote shell connection to each IP on port 22
D.To scan all 65535 ports on each IP in the list
AnswerB

The '-z' flag makes netcat report whether the port is open by checking the TCP handshake without sending data.

Why this answer

The script uses `nc -zv $ip 22` which performs a TCP connection test to port 22 on each IP from the list. The `-z` flag tells netcat to scan without sending any data, and `-v` enables verbose output, so it only reports whether the connection succeeded (port open) or failed (port closed or filtered). This is a classic port connectivity check, not a full banner grab or shell establishment.

Exam trap

The trap here is that candidates confuse `-z` (zero I/O scan) with banner grabbing or interactive shell access, assuming netcat always reads banners or spawns shells, when in fact `-z` explicitly prevents data transfer.

How to eliminate wrong answers

Option A is wrong because `nc -zv` does not perform a banner grab; banner grabbing requires `-v` alone or a timeout with data exchange (e.g., `echo | nc -w 3 $ip 22`), and `-z` explicitly avoids sending data. Option C is wrong because `nc -zv` only tests connectivity; establishing a remote shell would require `-e` (if compiled with GAPING_SECURITY_HOLE) or a reverse shell payload, which is absent. Option D is wrong because the script only targets port 22, not all 65535 ports; a full port scan would require a loop over port numbers or a tool like `nmap -p-`.

37
MCQmedium

A penetration tester is analyzing a Python script that uses the Impacket library to perform an SMB relay attack. The script is failing to capture NTLM hashes from target machines. Which part of the script is MOST likely misconfigured?

A.The target IP address
B.The listener IP address
C.The SMB version negotiation
D.The authentication method (NTLMv1 vs NTLMv2)
AnswerB

The listener IP must be set to the attacker's IP and reachable from the target; an incorrect listener IP will prevent the relay from receiving hashes.

Why this answer

In an SMB relay attack using Impacket, the listener IP address must be set to the attacker's IP address where the relayed authentication is received. If the listener IP is misconfigured (e.g., set to the target's IP or left as localhost), the relay server will not receive the forwarded NTLM hashes, causing the capture to fail. This is a common configuration error when using Impacket's 'smbrelayx' or similar scripts.

Exam trap

The trap here is that candidates often confuse the listener IP with the target IP, assuming the script needs the target's IP to capture hashes, when in fact the listener IP must be the attacker's own IP to receive the relayed authentication.

How to eliminate wrong answers

Option A is wrong because the target IP address is typically the machine being attacked or relayed to, and while it must be correct for the relay to reach the intended service, an incorrect target IP would cause the relay to fail at a different stage (e.g., connection refused), not specifically prevent hash capture. Option C is wrong because SMB version negotiation is handled automatically by Impacket's SMB connection; misconfiguring it might cause a connection failure but would not prevent hash capture if the relay is set up correctly. Option D is wrong because the authentication method (NTLMv1 vs NTLMv2) affects the hash format captured, but both can be relayed; the script's failure to capture hashes is not due to the NTLM version but rather the relay listener not receiving the authentication attempt.

38
MCQeasy

A penetration tester wants to quickly identify known vulnerabilities in a web application without triggering many alarms. Which tool should the tester use?

A.SQLmap
B.Metasploit
C.OpenVAS
D.Nikto
AnswerD

Nikto is a lightweight web scanner that checks for outdated servers and common vulnerabilities.

Why this answer

Nikto is a web server scanner that performs checks for known vulnerabilities with minimal noise. SQLmap is for SQL injection only, OpenVAS is a comprehensive vulnerability scanner that may be noisy, and Metasploit is for exploitation.

39
MCQmedium

A penetration tester is analyzing a Python script that uses the 'paramiko' library to automate SSH key-based authentication across multiple servers. The script fails with 'AuthenticationException' for some servers that the tester is certain have the correct private key configured. Which of the following is the most likely cause of this failure?

A.The servers are running a different SSH version.
B.The public key is not in the server's authorized_keys file.
C.The SSH server host key is not in the known_hosts file.
D.The username specified is incorrect.
AnswerC

Correct. Paramiko verifies host keys by default; if the host key is not known, it raises AuthenticationException to prevent man-in-the-middle attacks.

Why this answer

The 'paramiko' library in Python handles SSH key-based authentication by first verifying the server's host key against the known_hosts file. If the host key is missing or mismatched, paramiko raises an AuthenticationException before even attempting client key authentication, even if the private key is correct. This is because paramiko enforces host key verification by default to prevent man-in-the-middle attacks, and a failure at this stage blocks the authentication process entirely.

Exam trap

The trap here is that candidates often assume AuthenticationException always means a client credential problem (private key or username), but Cisco tests the nuance that paramiko's host key verification failure can raise this exception before client authentication even begins.

How to eliminate wrong answers

Option A is wrong because SSH version differences (e.g., SSH-1 vs SSH-2) would typically cause a connection failure or protocol error, not an AuthenticationException, and paramiko supports SSH-2 which is the modern standard. Option B is wrong because if the public key were missing from authorized_keys, the server would reject the key-based authentication attempt, but paramiko would still attempt it and raise an AuthenticationException only after the key exchange fails—however, the question states the tester is certain the private key is correct, so the failure occurs before client key authentication due to host key verification. Option D is wrong because an incorrect username would cause the server to reject the authentication attempt at a later stage, but paramiko would still proceed with host key verification first; the AuthenticationException in this context is specifically tied to host key verification failure, not username issues.

40
MCQeasy

A tester is reviewing code and sees a function that concatenates user input directly into a SQL query. Which vulnerability is most likely present?

A.Buffer overflow
B.SQL injection
C.Command injection
D.Cross-site scripting (XSS)
AnswerB

Concatenation of input into SQL statements enables SQL injection.

Why this answer

Option B is correct because concatenating input into SQL queries allows SQL injection. Option D is wrong because XSS involves injecting scripts into web pages. Option A is wrong because buffer overflow involves memory corruption.

Option C is wrong because command injection targets system commands.
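The defect in question 40 is easiest to recognise side by side with its fix. The following is an added example, not code from the original page: a constructed in-memory SQLite table, a lookup that concatenates the username into the query (the pattern the question describes) and the parameterized form a reviewer should ask for. The table name, columns and sample rows are assumptions made for the demonstration.

```python
import sqlite3

# Constructed demo table; not taken from any real application.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def demo_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """VULNERABLE: the input is spliced into the SQL text, so a quote character
    in the input changes the query's structure instead of being matched as data."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """HARDENED: a bound parameter is always treated as a value by the driver,
    whatever characters it contains, so the query structure cannot change."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def compare(username: str) -> dict:
    """Run both lookups on the same input and return the row counts for review."""
    conn = demo_db()
    try:
        return {
            "vulnerable_rows": len(lookup_user_vulnerable(conn, username)),
            "safe_rows": len(lookup_user_safe(conn, username)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print("normal input:", compare("alice"))
    # The classic textbook test string: a single quote followed by an always-true clause.
    print("hostile input:", compare("' OR '1'='1"))
```

For a well-formed username both functions return the same single row; for an input containing a quote the concatenated query returns every row in the table while the parameterized query returns nothing, which is exactly the behavioural difference a code reviewer should be able to demonstrate when flagging the concatenation.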

41
MCQeasy

A penetration tester wants to perform a slow and stealthy port scan to avoid intrusion detection systems. Which Nmap option should be used?

A.-O
B.-A
C.-T0
D.-sV
AnswerC

Timing template 0 (Paranoid) is the slowest and most stealthy.

Why this answer

The -T0 option sets the timing template to Paranoid, which is extremely slow and avoids IDS detection. -O is for OS detection, -sV for version detection, and -A for aggressive scan.

42
MCQhard

A tester uses OllyDbg to step through a binary. The EAX register contains 0x00401234. What does this represent?

A.A system call number
B.A file handle
C.A memory address
D.An ASCII character
AnswerC

The value 0x00401234 is within the typical user-mode address space.

Why this answer

Option C is correct because EAX holds a memory address (0x00401234 is a typical address in a process). Option D is wrong because an ASCII character would be a small value. Option B is wrong because file handles are usually small integers or pointers.

Option A is wrong because system call numbers are typically small integers.

43
Multi-Selecthard

A tester is conducting a code review of a web application. Which three coding practices can help prevent cross-site scripting (XSS)?

Select 3 answers
A.Parameterized queries
B.Content Security Policy (CSP) headers
C.Disabling JavaScript in the client
D.Output encoding
E.Input validation
AnswersB, D, E

CSP headers restrict script sources and mitigate XSS.

Why this answer

Options B, D, and E are correct. Input validation filters malicious input. Output encoding prevents script execution in the browser.

Content Security Policy (CSP) restricts the execution of inline scripts. Option A is wrong because parameterized queries prevent SQL injection, not XSS. Option C is wrong because disabling JavaScript in the client is not a coding practice.
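The three correct practices in question 43 are easier to review when each appears as a concrete check. The following is an added example, not code from the original page: a comment renderer in its interpolating and its output-encoded forms, an allow-list validator for a username field, and the CSP header value a server would send. The field names, the allow-list pattern and the CSP policy text are assumptions chosen for the demonstration, not requirements from the page.

```python
import html
import re

# Input validation: an allow-list for one specific field (assumed format for the
# demo). Rejecting markup characters at the boundary is a second line of defence,
# not a replacement for encoding at output time.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(name: str) -> bool:
    """True only if the whole value matches the allow-list pattern."""
    return USERNAME_RE.fullmatch(name) is not None


def render_comment_vulnerable(author: str, text: str) -> str:
    """VULNERABLE: untrusted strings are interpolated straight into HTML."""
    return f"<p><b>{author}</b>: {text}</p>"


def render_comment_safe(author: str, text: str) -> str:
    """Output encoding: every untrusted value is escaped for the HTML text context,
    so '<', '>', '&' and quotes become entities and can no longer start a tag."""
    return f"<p><b>{html.escape(author)}</b>: {html.escape(text)}</p>"


def csp_header() -> tuple:
    """Content Security Policy header (assumed policy): scripts only from the page's
    own origin, no inline scripts, no plugins. Even if a reflection slips through,
    a browser honouring this policy will not execute the injected inline script."""
    value = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"
    return ("Content-Security-Policy", value)


def contains_raw_script_tag(markup: str) -> bool:
    """Review helper: does the rendered markup still contain a live <script tag?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    # Constructed test input; the textbook probe string for reflected XSS.
    probe = "<script>alert(1)</script>"
    print("vulnerable:", render_comment_vulnerable("eve", probe))
    print("encoded:   ", render_comment_safe("eve", probe))
    print("valid username 'eve_01':", validate_username("eve_01"))
    print("valid username 'eve<b>':", validate_username("eve<b>"))
    print("header:", csp_header())
```

Encoding belongs at the point of output, in the form matching the context (HTML body here; attribute, JavaScript and URL contexts each need their own encoder), which is why it is listed separately from input validation: the validator protects one field, the encoder protects every place the value is ever written.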

44
Multi-Selectmedium

A penetration tester is examining a compiled binary obtained during an engagement. The tester wants to identify potential buffer overflow vulnerabilities and understand the control flow. Which TWO tools would be most appropriate for this task?

Select 2 answers
A.Wireshark
B.Nmap
C.OllyDbg
D.Burp Suite
E.Ghidra
AnswersC, E

OllyDbg is a debugger that can step through the binary to observe behavior and identify overflows.

Why this answer

OllyDbg is a debugger that allows dynamic analysis to identify overflow vulnerabilities by examining memory and registers. Ghidra is a disassembler and decompiler that provides static analysis of control flow and potential vulnerabilities. Nmap is a network scanner, Wireshark is a packet analyzer, and Burp Suite is a web proxy, none of which are suitable for binary analysis.

45
MCQmedium

A penetration tester is using Hashcat to crack NTLM hashes obtained from a Windows system. The tester wants to use a rule-based attack to maximize cracking success. Which Hashcat mode should be used for NTLM hashes?

A.-m 1000
B.-m 1100
C.-m 3000
D.-m 5500
AnswerA

Mode 1000 is specifically for NTLM hashes, which is the correct choice for cracking NTLM.

Why this answer

Hashcat mode -m 1000 is specifically designated for NTLM hashes, which are the Windows NT LAN Manager hash format stored in the SAM database. A rule-based attack with this mode applies transformation rules to wordlists to generate candidate passwords, maximizing cracking success by leveraging common password patterns and mutations.

Exam trap

The trap here is confusing NTLM hashes (mode 1000) with NetNTLMv1 (mode 5500) or other Windows-related hash types, as candidates often mix up local authentication hashes with network authentication challenge-response hashes.

How to eliminate wrong answers

Option B (-m 1100) is wrong because it corresponds to Domain Cached Credentials (DCC), also known as MS Cache Hash, not NTLM. Option C (-m 3000) is wrong because it is used for LM (LAN Manager) hashes, an older and weaker Windows hash format. Option D (-m 5500) is wrong because it is used for NetNTLMv1 hashes, which are challenge-response hashes used in network authentication, not the local NTLM hash stored in the SAM.

46
Multi-Selecthard

Which TWO of the following are benefits of using a fuzzing tool during the code analysis phase of a penetration test? (Select TWO.)

Select 2 answers
A.Replaces the need for static code analysis
B.Identifies input validation vulnerabilities
C.Validates authentication mechanisms
D.Reveals crashes or error conditions that may indicate exploitable bugs
E.Guarantees 100% code coverage
AnswersB, D

Fuzzing sends unexpected inputs to trigger validation flaws.

Why this answer

Fuzzing can discover input validation flaws (B) and reveal crashes or error conditions (D). It does not replace static code analysis (A) or validate authentication (C). It may help find buffer overflows, but that is a subset of input validation issues.

47
MCQhard

Which of the following best describes the purpose of a return-oriented programming (ROP) chain?

A.Bypass Data Execution Prevention (DEP)
B.Bypass Address Space Layout Randomization (ASLR)
C.Evade antivirus detection
D.Execute shellcode directly
AnswerA

ROP chains execute payloads without injecting code, bypassing DEP.

Why this answer

Option A is correct because ROP chains bypass Data Execution Prevention (DEP) by using existing code gadgets. Option B is wrong because ASLR is bypassed by information leaks. Option D is wrong because shellcode insertion is not the primary goal; ROP chains enable execution without new code.

Option C is wrong because evasion is not the main purpose.

48
MCQeasy

A penetration tester is analyzing a Python script that uses the 'paramiko' library. The script reads a list of IP addresses from a file and attempts to connect to each host using the same username and a list of common passwords. Which attack technique is the script most likely performing?

A.Brute-force attack against SSH credentials
B.SQL injection attack against a database
C.Cross-site scripting (XSS) attack against a web application
D.ARP spoofing attack to intercept network traffic
AnswerA

The script iterates over hosts and passwords, attempting SSH authentication with 'paramiko'. This is the definition of a brute-force attack on SSH credentials.

Why this answer

The script uses the 'paramiko' library, which is a Python implementation of the SSHv2 protocol. By reading a list of IP addresses and attempting connections with the same username and a list of common passwords, it is performing a brute-force attack against SSH credentials. This technique systematically tries multiple password guesses to gain unauthorized access to SSH services.

Exam trap

The trap here is that candidates may confuse the paramiko library with general network scripting and incorrectly associate it with web attacks like SQL injection or XSS, rather than recognizing it as an SSH-specific library used for credential brute-forcing.

How to eliminate wrong answers

Option B is wrong because SQL injection targets database queries via input fields, not SSH connections using paramiko. Option C is wrong because cross-site scripting (XSS) injects malicious scripts into web pages viewed by other users, and has no relation to SSH authentication attempts. Option D is wrong because ARP spoofing manipulates the Address Resolution Protocol to intercept network traffic at Layer 2, and does not involve password guessing against SSH services.

49
MCQmedium

A penetration tester is performing an internal network assessment and needs to quickly identify all live hosts and their open ports across a large subnet (10.0.0.0/16). The tester wants to minimize network disruption and avoid IDS detection. Which tool and technique should the tester use?

A.Use nmap with -sT (TCP connect scan) and -p- (all ports) on the entire subnet
B.Use masscan with a low rate (--rate=100) to scan all ports on all IPs
C.Use a combination of ping sweep with fping followed by nmap -sS (SYN scan) on discovered hosts
D.Use netcat to perform a sequential port scan on each IP in the subnet
AnswerC

Reduces scope and uses stealthy SYN scan, minimizing detection.

Why this answer

Option C is correct because a fast ping sweep (fping) first shrinks the 65,534-address scope to live hosts, and a SYN (half-open) scan on only those hosts keeps traffic volume low and never completes a handshake that the target application would log. Option A is noisy: a connect scan completes the three-way handshake on every port, and -p- across a whole /16 is an enormous amount of traffic. Option D (netcat, one port at a time per host) is far too slow for a /16 and no stealthier.

Option B (masscan) is fast, but it still touches every address in the range and its asynchronous probe pattern is conspicuous to an IDS even when rate-limited. One practitioner caveat: a SYN scan is not invisible to a modern IDS either; its advantage over option A is lower volume and the absence of application-level connection logs, not silence.

50
MCQhard

You are a penetration tester performing an internal assessment of a corporate network. The network consists of a Windows Active Directory domain with Windows 10 clients and Windows Server 2019 servers. The goal is to escalate privileges from a standard domain user to domain administrator. You have obtained initial access to a workstation as a low-privileged user named 'jdoe'. During reconnaissance, you discover that the workstation has PowerShell Remoting (WinRM) enabled and that a scheduled task runs every 5 minutes with the credentials of a service account 'svc_app'. The service account is a member of the 'Backup Operators' group, which has SeBackupPrivilege. You also find that the system has an outdated version of the PsExec tool in the PATH. Which of the following is the most effective course of action to escalate privileges?

A.Wait for the scheduled task to run and capture the service account password using a network sniffer.
B.Use PsExec to run a command as SYSTEM directly.
C.Modify the scheduled task to run a reverse shell with the service account's privileges.
D.Exploit the SeBackupPrivilege by using the Windows Backup and Restore capabilities to copy the SAM registry hive and dump local account hashes.
AnswerD

SeBackupPrivilege allows reading any file, including SAM and SYSTEM hives, enabling extraction of local administrator hashes.

Why this answer

Option D is correct because SeBackupPrivilege lets a process open files and registry hives with backup semantics, ignoring their ACLs. From a context that holds the privilege (the svc_app account that the scheduled task runs as), the tester can save the SAM and SYSTEM hives (for example reg save HKLM\SAM and reg save HKLM\SYSTEM) and extract the local Administrator hash offline; that hash can then be reused against other hosts on the way to domain admin. Option A fails because the task's stored credential is never transmitted on the network in a sniffable form. Option B fails because PsExec needs administrative rights to install its service, which jdoe does not have.

Option C is noisier (editing a scheduled task is logged and changes persistent state) and, if jdoe lacks write access to the task, not possible at all.

51
MCQmedium

A penetration tester is analyzing a Python script that uses the 'requests' library. The script sends a GET request to a target URL with a crafted parameter value containing a SQL sleep function, then measures the response time. What attack is the script most likely performing?

A.Cross-site scripting (XSS) attack.
B.Blind time-based SQL injection.
C.Command injection attack.
D.Error-based SQL injection.
AnswerB

Correct. The script uses a sleep function to cause a delay if the injection is successful, then compares response times to detect the vulnerability.

Why this answer

The script sends a crafted parameter containing a SQL sleep function (e.g., `' OR SLEEP(5)--`) and measures the response time. If the database executes the sleep, the response is delayed, confirming a SQL injection vulnerability without relying on visible output. This is the hallmark of a blind time-based SQL injection attack using the `requests` library to time the HTTP response.

Exam trap

The trap here is that candidates see 'sleep function' and assume it is a command injection payload, but the `SLEEP()` function is a SQL-specific function, not an OS command, and the context of the `requests` library sending a GET request with a crafted parameter points directly to SQL injection, not command injection.

How to eliminate wrong answers

Option A is wrong because cross-site scripting (XSS) involves injecting client-side scripts into web pages to execute in a victim's browser, not measuring server-side response times with SQL sleep functions. Option C is wrong because command injection involves injecting operating system commands into a vulnerable application (e.g., via shell metacharacters), not SQL sleep functions or database timing delays.
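The detection logic the question describes, written out as an added example (not code from the original page): a detector that alternates baseline and sleeping requests and compares the slowest baseline with the fastest injected request, so one latency spike cannot fake a result. The transport is injected as a `send` callback; the two `fake_*_backend` functions, the `admin` baseline value and the marker delays are constructed so the detector runs offline, and in a real test `send` would wrap `requests.get(url, params=...)` with a timeout longer than the chosen delay.

```python
import re
import time
from typing import Callable, Dict

# Sleep payloads per DBMS; {d} is the delay in seconds. The trailing space after
# "--" matters for MySQL, which needs whitespace after the comment marker.
TIME_PAYLOADS = {
    "mysql": "' OR SLEEP({d})-- ",
    "postgresql": "' OR pg_sleep({d})-- ",
    "mssql": "'; WAITFOR DELAY '0:0:{d}'-- ",
}


def _timed(send: Callable[[str], None], value: str) -> float:
    """Time one request carrying `value` as the tested parameter."""
    start = time.perf_counter()
    send(value)
    return time.perf_counter() - start


def probe_time_based(send: Callable[[str], None], delay: float = 0.2,
                     rounds: int = 3, dbms: str = "mysql") -> Dict[str, object]:
    """Decide whether the parameter behind `send` is time-based blind injectable.

    `send(value)` performs one request with the parameter set to `value`
    (in a real test: requests.get(url, params={"id": value}, timeout=delay * 3)).
    Baseline and injected requests are alternated `rounds` times so a latency
    spike on one side cannot fake a result; the verdict compares the slowest
    baseline with the fastest injected request, which is stricter than means.
    """
    payload = TIME_PAYLOADS[dbms].format(d=delay)
    baseline, injected = [], []
    for _ in range(rounds):
        baseline.append(_timed(send, "admin"))
        injected.append(_timed(send, payload))
    vulnerable = min(injected) - max(baseline) >= delay * 0.8
    return {"vulnerable": vulnerable, "payload": payload,
            "baseline": baseline, "injected": injected}


# --- constructed stand-ins so the detector can be exercised offline -----------

def fake_vulnerable_backend(value: str) -> None:
    """Pretends to be an endpoint that concatenates `value` into SQL: if the
    'query' contains SLEEP(n) it really sleeps n seconds, as MySQL would."""
    match = re.search(r"SLEEP\(([\d.]+)\)", value, re.IGNORECASE)
    if match:
        time.sleep(float(match.group(1)))
    time.sleep(0.01)  # ordinary processing time


def fake_patched_backend(value: str) -> None:
    """The same endpoint after parameterization: the payload is only a string."""
    time.sleep(0.01)
```

Keep the delay small and the rounds few: every injected request holds a database worker for the full sleep, and running this with concurrency against a production host is a self-inflicted denial of service. Before reporting, confirm with two different delays (say 2 s and 5 s) so a backend that is merely slow is not mistaken for a vulnerable one.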

52
MCQeasy

A penetration tester wants to quickly capture and analyze network packets during an internal test to identify unencrypted protocols. Which command-line tool is commonly used for packet capture on Linux?

A.tcpdump
B.nslookup
C.nmap
D.netcat
AnswerA

tcpdump captures and displays packets in real-time or from a file.

Why this answer

tcpdump is the standard command-line packet capture tool on Linux, allowing the tester to capture raw network packets and filter them by protocol (e.g., HTTP, FTP, Telnet) to identify unencrypted traffic. It uses libpcap to capture packets at the network interface level, making it ideal for quickly analyzing plaintext protocols during an internal penetration test.

Exam trap

The trap here is that candidates may confuse nmap's ability to detect open ports and services with packet capture, but nmap does not capture or display packet payloads, which is required for identifying unencrypted protocols.

How to eliminate wrong answers

Option B (nslookup) is wrong because it is a DNS lookup tool used to query name servers for domain name resolution, not for capturing or analyzing network packets. Option C (nmap) is wrong because it is a network scanning tool used for port discovery and service enumeration, not for real-time packet capture or protocol analysis. Option D (netcat) is wrong because it reads from and writes to a single TCP or UDP connection that it makes or accepts; it does not capture traffic passing over an interface.

53
MCQmedium

A penetration tester is analyzing a Bash script that performs network scanning. The script contains the following command: 'for ip in $(seq 1 254); do hping3 -S -p 22 -c 1 $TARGET_SUBNET.$ip 2>/dev/null | grep -q "flags=SA" && echo "$TARGET_SUBNET.$ip: open"; done'. What is the primary purpose of this script?

A.Conduct a TCP SYN scan to identify hosts with port 22 open
B.Perform a vulnerability assessment against SSH services
C.Execute an ICMP ping sweep to discover live hosts
D.Complete a full TCP three-way handshake and log successful connections
AnswerA

The script sends SYN packets to port 22 and looks for SYN-ACK responses, which is the definition of a TCP SYN scan.

Why this answer

The script uses hping3 with -S (set the SYN flag) and -p 22 to send a single TCP SYN (-c 1) to each address in the target subnet; grep -q 'flags=SA' then looks for a SYN-ACK reply, which means the port is open and listening. That is the classic TCP SYN (half-open) scan, used here to find hosts with port 22 open. Two practical caveats: hping3 needs raw-socket privileges (root), and with -c 1 a single dropped packet makes an open port look closed, so rescanning silent hosts is prudent.

Exam trap

The trap here is that candidates may confuse a TCP SYN scan on a specific port with a general ICMP ping sweep, or assume that scanning port 22 automatically implies an SSH vulnerability assessment, when in fact the script only performs port discovery, not vulnerability testing.

How to eliminate wrong answers

Option B is wrong because the script does not perform any vulnerability assessment; it only checks if port 22 is open (SYN-ACK received) and does not attempt to exploit or enumerate SSH service versions or vulnerabilities. Option C is wrong because the script uses TCP SYN packets to port 22, not ICMP echo requests (ping), so it is not an ICMP ping sweep; it specifically targets a single TCP port to identify live hosts with that port open. Option D is wrong because hping3 -S emits a lone SYN and the script never answers the SYN-ACK; the local kernel, which has no record of the connection, replies with a RST, so no three-way handshake completes and nothing is ever "connected".

54
MCQmedium

A penetration tester is analyzing a Python script that uses the requests library to automate web vulnerability scanning. The script sends POST requests with payloads but receives 403 Forbidden responses for many requests, even though manual testing with the same payloads works. Which is the most likely cause?

A.Missing User-Agent header
B.Incorrect Content-Type header
C.Script is sending too many requests too fast
D.Payloads are URL-encoded incorrectly
AnswerA

Many WAFs block requests that lack a common browser User-Agent, flagging them as automated. Adding a realistic User-Agent often resolves 403 errors.

Why this answer

Option A is correct because many web servers and WAFs (Web Application Firewalls) block requests that lack a User-Agent header or use a default one like 'python-requests/2.x.x'. Manual testing typically uses a browser, which sends a legitimate User-Agent, while the script's default header triggers the 403 Forbidden response. Setting a realistic User-Agent header in the script mimics browser behavior and bypasses this common filter.

Exam trap

CompTIA often tests the misconception that 403 errors are always due to rate limiting or authentication issues, but here the trap is that the script's default User-Agent header is the root cause, not request frequency or content type.

How to eliminate wrong answers

Option B is incorrect because an incorrect Content-Type header would typically cause a 400 Bad Request or 415 Unsupported Media Type, not a 403 Forbidden, and the payloads work manually, so the Content-Type is likely correct. Option C is incorrect because rate limiting usually results in 429 Too Many Requests or connection timeouts, not a consistent 403 Forbidden on every request; the issue is with the request's identity, not its frequency. Option D is incorrect because mis-encoded payloads would change the response body or produce a 400, and they would not yield a uniform 403 on payloads already known to work when sent by hand.

55
MCQeasy

A penetration tester is performing internal reconnaissance on a Windows domain. The tester wants to enumerate SMB shares on multiple hosts quickly. Which tool is best suited for this task?

A.nmap -sV --script=smb-enum-shares
B.enum4linux
C.nbtscan
D.dig
AnswerB

enum4linux automates enumeration of SMB shares, users, and other Windows information.

Why this answer

B is correct because enum4linux wraps the Samba tools (smbclient, rpcclient, net, nmblookup) to pull shares, users, groups, password policy and OS details from a Windows or Samba host over SMB (TCP/445 or NetBIOS over TCP/139), using RPC calls such as NetShareEnum. It takes one target per invocation, so in a multi-host sweep it is looped over the host list, but each run returns the complete share listing in a single pass, which is what makes it the practical choice for internal reconnaissance in a Windows domain.

Exam trap

The trap here is that candidates often choose nmap because it is a versatile scanning tool, but they overlook that enum4linux is purpose-built for rapid SMB share enumeration across multiple hosts, making it the more efficient choice for this specific task.

How to eliminate wrong answers

Option A is wrong because nmap with smb-enum-shares can list shares, but a version scan plus an NSE script per host is heavier than the task needs and returns shares only, without the user, group and policy data that enum4linux gathers in the same pass. Option C is wrong because nbtscan only queries NetBIOS name tables (NBNS over UDP/137) and returns hostnames and MAC addresses, not share lists. Option D is wrong because dig is a DNS query tool and speaks no SMB at all.

56
MCQeasy

A penetration tester is conducting an internal assessment of a company's web application. The application provides a file upload feature that accepts images but does not validate the file type on the server side. The tester has identified that the application runs on an Apache server with PHP support. The tester wants to execute a command on the server to establish a reverse shell. The tester has a Linux client and has already crafted a PHP reverse shell payload. The tester has also verified that outbound connections are allowed from the server. After uploading the malicious PHP file, the tester attempts to access it via a browser but receives a 404 error. The tester suspects the uploaded file may have been renamed or moved. Which of the following steps should the tester take next to achieve code execution?

A.Modify the PHP payload to avoid detection by antivirus on the server.
B.Use a directory listing tool to scan for hidden files in the upload directory.
C.Re-upload the file with a different extension like .php5 or .phtml.
D.Check the web server access and error logs to identify the actual path where the file was saved.
AnswerD

Logs can show the URL and path used, revealing any renaming or relocation of the uploaded file.

Why this answer

The 404 shows that the file is not at the URL the tester guessed, not that the upload failed. The web server's access and error logs record the request path and any rename or relocation applied to uploaded files, so they are the quickest way to learn where the file actually landed; option D is the most logical next step. This assumes the engagement gives the tester log access (for example a white-box test); otherwise the HTTP response to the upload request, captured in Burp, often contains the stored filename or path.

Option A is incorrect because a 404 is a routing problem, not a sign that antivirus removed the file or that PHP refused to parse it. Option B (brute-forcing the upload directory for hidden files) is a slower fallback that only makes sense after the logs have been checked. Option C would only be relevant if the file were reachable but served as plain text instead of executed.

57
MCQmedium

During a penetration test, a tester discovers a binary that appears to be obfuscated. Which approach is best for deobfuscation?

A.Use a debugger like GDB
B.Execute the binary in a sandbox
C.Run the 'strings' command
D.Recompile the binary from source
AnswerA

A debugger steps through code, helping to reverse obfuscation.

Why this answer

Option A is correct because a debugger such as GDB lets the analyst step through the binary at runtime, break after the unpacking or decoding routine has run, and read the deobfuscated code and data straight out of memory. Option B is wrong because a sandbox records behaviour (files, network, process activity) but does not recover the underlying code. Option C is wrong because strings only shows printable sequences present on disk, which obfuscation is designed to hide.

Option D is wrong because the source is not available; a binary cannot be recompiled without it.

58
MCQeasy

A penetration tester has obtained a dump of NTLM password hashes from a Windows Domain Controller. The tester wants to crack these hashes as quickly as possible using GPU acceleration. Which tool is the BEST choice for this task?

A.John the Ripper
B.Hashcat
C.Ophcrack
D.THC-Hydra
AnswerB

Hashcat is designed for high-speed password cracking with GPU support; it is the fastest tool for NTLM hashes when a compatible GPU is available.

Why this answer

Hashcat (Option B) is the best choice because it is built around GPU-accelerated cracking: NTLM is hash mode -m 1000, and its OpenCL/CUDA kernels spread candidate generation across thousands of GPU cores, which is what matters for a full domain dump. John the Ripper (jumbo) also has OpenCL formats such as nt-opencl, but Hashcat's NTLM kernels, rule engine and mask attacks are the de facto standard for this workload. Ophcrack is a rainbow-table cracker (it ships LM and NT tables), so it is bounded by the tables it has loaded and has no GPU brute-force path.

Exam trap

The trap here is that candidates often assume John the Ripper is the universal cracking tool due to its popularity, overlooking that Hashcat is the industry standard for GPU-accelerated NTLM cracking because of its optimized kernel and native support for the NTLM hash mode (-m 1000).

How to eliminate wrong answers

Option A is wrong because John the Ripper is primarily a CPU-oriented cracker; its GPU support (OpenCL formats selected with --format=nt-opencl, devices chosen with --devices) lags Hashcat's optimized NTLM pipeline. Option C is wrong because Ophcrack relies on precomputed rainbow tables rather than GPU brute force, so its success depends entirely on the tables loaded and it cannot apply wordlists, rules or masks the way Hashcat can. Option D is wrong because THC-Hydra is an online brute-forcer for network login services (SSH, HTTP, SMB and so on); it does not crack hashes at all.

59
Multi-Selecteasy

A penetration tester is reviewing Python code for a web application and finds the following snippet: import sqlite3 def get_user(username): conn = sqlite3.connect('users.db') cursor = conn.cursor() query = "SELECT * FROM users WHERE username = '" + username + "'" cursor.execute(query) return cursor.fetchall() Which TWO of the following vulnerabilities are present in this code? (Select TWO.)

Select 2 answers
A.Improper error handling
B.SQL injection
C.Cross-site scripting (XSS)
D.Command injection
E.Path traversal
AnswersA, B

No try-except block is present, so exceptions may leak stack traces.

Why this answer

Option B is correct because the code concatenates user input directly into the SQL string, so a username such as ' OR '1'='1 rewrites the query's logic; the fix is a parameterized query (cursor.execute("SELECT * FROM users WHERE username = ?", (username,))). Option A is correct because nothing handles exceptions: a failed query raises an unhandled sqlite3 error that may surface as a stack trace, and the connection is never closed on failure. Options C, D and E are not present because the function writes nothing into a browser (XSS), executes no system command (command injection) and opens no attacker-controlled file path (path traversal).
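The snippet from the question next to its parameterized replacement, run against an in-memory SQLite database, as an added example (not code from the original page). The `users` rows, the `demo()` driver and the attack strings are constructed for the demonstration; `get_user_vulnerable` keeps the page's pattern on purpose, and the connection is passed in rather than opened per call so the example runs offline.

```python
import sqlite3
from typing import Dict, List


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn


def get_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[tuple]:
    """The page's pattern, kept deliberately vulnerable: string concatenation,
    and no exception handling, so driver errors reach the caller unfiltered."""
    query = "SELECT * FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def get_user_safe(conn: sqlite3.Connection, username: str) -> List[tuple]:
    """Parameterized query: the driver binds the value separately from the SQL
    text, so quotes and keywords inside it are data, never syntax."""
    try:
        return conn.execute("SELECT * FROM users WHERE username = ?",
                            (username,)).fetchall()
    except sqlite3.Error:
        # Log the detail server-side; return nothing attacker-visible.
        return []


def demo() -> Dict[str, object]:
    """Run the same inputs through both versions and collect the results."""
    conn = make_db()
    out: Dict[str, object] = {
        "normal": get_user_vulnerable(conn, "bob"),
        # tautology: WHERE username = '' OR '1'='1' matches every row
        "tautology": get_user_vulnerable(conn, "' OR '1'='1"),
        # UNION with a matching column count pulls arbitrary data into the result
        "union": get_user_vulnerable(conn, "x' UNION SELECT 1, sqlite_version(), 'x"),
        "safe_tautology": get_user_safe(conn, "' OR '1'='1"),
        "safe_normal": get_user_safe(conn, "bob"),
    }
    try:
        get_user_vulnerable(conn, "bob'")   # unbalanced quote -> SQL syntax error
        out["error_leak"] = None
    except sqlite3.OperationalError as exc:
        # Uncaught in the original function; a web framework would render this
        # message (and the query text) to the user.
        out["error_leak"] = str(exc)
    conn.close()
    return out
```

The tautology returns all three rows, the UNION row shows how an attacker reads data the query never meant to expose (here the SQLite version, in practice other tables), and the single unbalanced quote is the error that, unhandled, becomes the stack trace option A refers to. The parameterized version returns nothing for the attack string and still finds "bob".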

60
MCQeasy

A penetration tester is reviewing a Bash script that contains the following command: 'openssl s_client -connect target:443 -servername target 2>/dev/null | openssl x509 -noout -text'. What is the primary purpose of this command?

A.Extract the SSL certificate in text form.
B.Perform a man-in-the-middle attack.
C.Test for weak cipher suites.
D.Verify the certificate's revocation status.
AnswerA

Correct. 'openssl s_client' establishes a connection, and piping to 'openssl x509 -noout -text' outputs the certificate details.

Why this answer

The command uses `openssl s_client` to establish a TLS connection to `target:443` and then pipes the certificate output to `openssl x509 -noout -text`, which decodes and prints the certificate in human-readable text form. The primary purpose is to retrieve and display the SSL/TLS certificate details (e.g., issuer, subject, validity dates, SANs) for inspection, not to attack or test cipher suites.

Exam trap

The trap here is that candidates may confuse certificate retrieval with cipher suite testing or assume any use of `openssl s_client` implies an attack, when in fact the command is a standard diagnostic tool for inspecting certificate content.

How to eliminate wrong answers

Option B is wrong because the command does not intercept or modify traffic between two parties; it simply connects to the server and displays its certificate, which is a normal client operation, not a man-in-the-middle attack. Option C is wrong because testing for weak cipher suites requires specifying cipher lists or using tools like `sslscan` or `nmap --script ssl-enum-ciphers`; this command only retrieves the certificate and does not enumerate or test cipher negotiation. Option D is wrong because revocation status needs an OCSP or CRL check (for example `openssl s_client -status` to see a stapled OCSP response, or `openssl ocsp` against the issuer's responder); `-text` prints the certificate's fields, including the CRL and OCSP URLs, but never queries them.

61
MCQmedium

A penetration tester is using an Nmap NSE script to enumerate SMB shares on a target Windows server. The script runs without errors but returns no shares, even though the server has shares configured. Which is the MOST likely cause?

A.The script requires administrative credentials
B.The target is running Windows 10 with SMB signing enabled
C.The script is not being run with the correct arguments
D.The target is blocking ICMP traffic
AnswerA

SMB share enumeration typically requires valid credentials, without which the script cannot enumerate shares.

Why this answer

The Nmap SMB scripts (e.g., smb-enum-shares.nse) fall back to a null or guest session when no credentials are supplied. Modern Windows servers disable anonymous share enumeration by default, so the script connects cleanly but gets nothing back. Supplying valid credentials (--script-args smbusername=...,smbpassword=...,smbdomain=...) lets it call NetShareEnum as an authenticated user; any domain account will usually list the shares, and administrative credentials additionally let the script report each share's access level.

Exam trap

The trap here is that candidates assume Nmap scripts run with full default access, overlooking that SMB enumeration on modern Windows requires explicit authentication, not just a null session.

How to eliminate wrong answers

Option B is wrong because SMB signing protects packet integrity and authenticates the session; it does not hide shares, and Nmap's SMB library negotiates signing. Option C is wrong because a bad argument would produce an error or a usage message, not a clean run with an empty result; the script executed correctly and was simply not authorized. Option D is wrong because share enumeration runs over TCP/445 (or 139); blocking ICMP would at most affect host discovery, and the script evidently reached the server.

62
MCQmedium

A penetration tester is analyzing a Python script that uses the 'subprocess' module to execute shell commands. The tester notices that the script passes user-supplied input directly to the shell without any sanitization or validation. Which vulnerability class is most likely present in this script?

A.Command injection
B.SQL injection
C.Path traversal
D.Buffer overflow
AnswerA

Untrusted input passed directly to a shell interpreter allows attackers to execute arbitrary system commands, which is the definition of command injection.

Why this answer

The script uses the `subprocess` module to execute shell commands with user-supplied input interpolated into the command string without sanitization. An attacker can therefore inject shell metacharacters (e.g., `;`, `|`, `&&`, `$(...)`) and run commands of their own, which is the classic definition of command injection. The root cause is that the input is concatenated into a single string that the shell parses (`shell=True`, or `os.system`), so attacker-controlled text is treated as shell syntax; passing the command as an argument list with `shell=False` hands the input to the program as one literal argument and keeps the shell out of the path entirely.

Exam trap

The trap here is that candidates may confuse command injection with SQL injection because both involve untrusted input, but the key differentiator is the execution context—shell commands versus database queries—and the specific module (`subprocess`) indicates shell execution, not database interaction.

How to eliminate wrong answers

Option B is wrong because SQL injection requires the input to be passed to a database query (e.g., via SQL statements), not to a shell command via the `subprocess` module. Option C is wrong because path traversal involves manipulating file paths to access restricted directories (e.g., using `../`), which is unrelated to executing arbitrary shell commands through the `subprocess` module.
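The vulnerable pattern beside its hardened forms, as an added example that is not code from the original page. `echo` stands in for `ping` so the block runs without network access or privileges; the `ping_host_*` names, the `HOST_RE` pattern and the `INJECTED` marker input are mine.

```python
import re
import subprocess


def ping_host_vulnerable(host: str) -> str:
    """Kept deliberately vulnerable: untrusted `host` is pasted into a command
    line that /bin/sh parses (shell=True). `echo` stands in for `ping` so the
    example runs anywhere without network or privileges."""
    proc = subprocess.run("echo pinging " + host, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def ping_host_safe(host: str) -> str:
    """Argument list, shell=False (the default): the program is exec'd directly
    and `host` arrives as a single argv element, metacharacters included."""
    proc = subprocess.run(["echo", "pinging", host],
                          capture_output=True, text=True)
    return proc.stdout


# Plausible hostname or IPv4 literal: alphanumerics, dots and hyphens, and it
# may not start with "-" so it can never be read as an option by the program.
HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def ping_host_validated(host: str) -> str:
    """Defense in depth: refuse anything that is not a plausible host value
    before it is used at all, then still avoid the shell."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ping_host_safe(host)
```

With the input `127.0.0.1; echo INJECTED` the first function runs two commands, the second prints the whole string as one literal argument, and the third refuses it. The allow-list is worth keeping even with the list form, because the list form alone still lets a value beginning with `-` be interpreted as an option by the called program (argument injection), which the regex rules out.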

63
MCQhard

A penetration tester is analyzing a malicious script found on a compromised Linux server. The script uses obfuscation techniques including base64 encoding and variable substitution. Which tool or method is most effective for deobfuscating the script to understand its functionality?

A.Use a Python emulator like Unicorn
B.Analyze packet captures with Wireshark
C.Disassemble with IDA Pro
D.Run the script with 'bash -x' in a sandbox
AnswerD

'bash -x' prints each command before execution, revealing the deobfuscated actions in a controlled environment.

Why this answer

For an obfuscated shell script, the fastest route to its real behaviour is dynamic: run it in an isolated sandbox (no network, disposable VM or container) under bash -x, which prints every command after expansion and substitution, so the base64 is decoded and the variables resolved before you see the line. Static decoding (base64 -d on each blob) works too but becomes tedious against layered substitution. IDA Pro disassembles native binaries, not shell scripts; Wireshark analyzes network captures; Unicorn emulates CPU instructions and has no notion of bash.
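The observation step of that approach as an added example (not code from the original page): a small harness that writes a constructed obfuscated script of the kind the question describes, base64 split across two variables, reassembled and handed to eval, runs it under bash -x in a throwaway directory with a minimal environment, and pulls the decoded payloads out of the trace. The sample script, the `deobfuscated-marker` string and the PATH are made up for the demonstration, and real isolation (no network, disposable host) is assumed to be provided around the call.

```python
import base64
import os
import subprocess
import tempfile
from typing import List

MARKER = "deobfuscated-marker"   # constructed string so the trace is easy to spot


def build_obfuscated_sample() -> str:
    """Constructed sample in the style the question describes: the real command
    is base64-encoded, split across two variables, reassembled with printf and
    handed to eval. Nothing in the file names the command in plaintext."""
    real_cmd = f"echo {MARKER} $(id -un)"
    b64 = base64.b64encode(real_cmd.encode()).decode()
    half = len(b64) // 2
    return (
        "#!/bin/bash\n"
        f"p1='{b64[:half]}'\n"
        f"p2='{b64[half:]}'\n"
        "eval \"$(printf '%s%s' \"$p1\" \"$p2\" | base64 -d)\"\n"
    )


def trace_script(script_text: str, timeout: float = 10.0) -> List[str]:
    """Run the script under `bash -x` in a throwaway directory with a minimal
    environment and return the expanded command trace (stderr lines starting
    with '+'). Each extra '+' is one level of nesting, so the decoded command
    appears at the eval line and its final expansion one level deeper.
    Real isolation (no network, disposable VM) is assumed around this call."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "sample.sh")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(script_text)
        proc = subprocess.run(
            ["bash", "-x", path],
            capture_output=True, text=True, timeout=timeout,
            cwd=workdir, env={"PATH": "/usr/bin:/bin"},
        )
    return [line for line in proc.stderr.splitlines() if line.startswith("+")]


def decoded_commands(trace: List[str]) -> List[str]:
    """Pull the eval'd payloads out of a trace: what the obfuscation was hiding."""
    found = []
    for line in trace:
        body = line.lstrip("+").strip()
        if body.startswith("eval "):
            found.append(body[len("eval "):].strip("'"))
    return found
```

In the trace, the `+ p1=...` and `+ p2=...` lines show only base64, the `+ eval '...'` line shows the decoded command (what a static base64 -d would have given), and the `++ echo ...` line one level deeper shows it after the inner `$(id -un)` has been substituted too; that second level is the part static decoding does not give you.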

64
MCQmedium

A penetration tester is analyzing a Ruby script that uses the 'metasploit-framework' gem. The script includes a line: `Msf::Simple::Framework.create` and then calls `run_single('use exploit/multi/handler')`. What is the primary purpose of this script?

A.Automate a port scan across multiple targets
B.Set up a Metasploit payload handler to catch reverse shells
C.Create a Metasploit resource script for automated attacks
D.Load and execute a local exploit against a specified target
AnswerB

The multi/handler module is a generic payload handler that listens for incoming connections from exploited systems.

Why this answer

The script uses `Msf::Simple::Framework.create` to instantiate a Metasploit Framework instance and then calls `run_single('use exploit/multi/handler')` to load the multi/handler module. This module is specifically designed to listen for incoming connections from payloads (e.g., reverse shells) that have been executed on a target, making the script's primary purpose to set up a handler to catch reverse shells.

Exam trap

The trap here is that candidates may confuse the `use exploit/multi/handler` command with a generic exploit or attack automation, when in fact it is purely a listener for incoming reverse connections, not an active exploit or scanning tool.

How to eliminate wrong answers

Option A is wrong because the script does not include any port scanning logic or calls to modules like `auxiliary/scanner/portscan`; it only loads a handler module. Option C is wrong because the script directly executes a Metasploit command via `run_single` rather than writing or generating a resource script (`.rc` file) for later automated execution. Option D is wrong because multi/handler is not a local exploit and the script names no target; it only loads the handler (a payload, LHOST and LPORT would still have to be set and `exploit -j` issued before anything even listens).

65
MCQhard

Refer to the exhibit. A penetration tester runs this script against a target service and receives the output 'Error: [Errno 104] Connection reset by peer'. What is the most likely cause?

A.The target service is not running.
B.The target service expects a different protocol.
C.The payload caused the service to crash due to a buffer overflow.
D.The target is blocking the IP after detecting scanning.
AnswerC

The large payload and abrupt disconnection are consistent with a buffer overflow crash.

Why this answer

A connection reset means the remote end tore the connection down with a RST after it had been established, which is what happens when a service crashes mid-request: the kernel aborts the orphaned socket. A script that sends a long run of 'A' characters is a classic buffer overflow probe, so option C is the most likely explanation. It is evidence rather than proof; the tester should reconnect (a crashed service now refuses or times out until it is restarted) and, where the engagement allows, check the target's crash logs before reporting a crash.

If the service were not running at all, the error would be 'Connection refused'. Option B (a protocol mismatch) is possible but less likely given the script's purpose, and a mismatch usually produces a clean close or an error banner rather than a RST. Option D is not supported by the evidence: an IPS can inject a RST too, but nothing in the scenario indicates scanning was detected, and the payload itself is the simpler explanation.
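Because the exhibit is not reproduced here, the following is an added example (not the page's script) of how a harness should classify the outcomes the options describe: nothing listening (refused), the peer tearing the connection down after it existed (reset), and silence (timeout), followed by the benign reconnect that separates a crash from an IPS-injected RST. The "service" is a constructed local thread that reads the payload and closes with SO_LINGER set to zero, which makes the kernel emit a RST instead of a FIN; the ports, the payload and the `crash_evidence` name are test fixtures of my own.

```python
import socket
import struct
import threading
from typing import Dict


def probe(host: str, port: int, payload: bytes, timeout: float = 3.0) -> str:
    """Send `payload` and classify what the peer did, the way a fuzzing harness
    should before it claims a crash. Returns one of:
      'refused' - connect() failed: nothing listening, or a firewall REJECT (errno 111)
      'reset'   - the connection existed, then the peer sent RST (errno 104)
      'timeout' - no answer within `timeout`, typical of a DROP rule or a hung service
      'alive'   - the service replied or closed cleanly with FIN
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(payload)
            sock.recv(1024)
            return "alive"
    except ConnectionRefusedError:
        return "refused"
    except (ConnectionResetError, BrokenPipeError):
        return "reset"
    except socket.timeout:
        return "timeout"


def crash_evidence(host: str, port: int, payload: bytes) -> Dict[str, object]:
    """A reset on the fuzz payload plus refused/timeout on a benign follow-up is
    the signature of a crashed (not yet restarted) service. A reset followed by
    'alive' usually means an IPS, a load balancer or input validation dropped
    the connection and the service itself is fine."""
    first = probe(host, port, payload)
    follow_up = probe(host, port, b"\r\n")
    return {"first": first, "follow_up": follow_up,
            "likely_crash": first == "reset" and follow_up in ("refused", "timeout")}


# --- constructed local stand-ins so the harness can be exercised offline ------

def start_resetting_server() -> int:
    """A 'service' that dies on input: it accepts one connection, reads the
    payload, stops listening, and closes with SO_LINGER (on, 0 s), which makes
    the kernel send RST instead of FIN. Returns the ephemeral port it used."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        conn.recv(4096)
        srv.close()   # the process is 'gone': later connects are refused
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        conn.close()  # abortive close -> RST on the wire

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port() -> int:
    """Pick a loopback port with nothing listening by binding and releasing it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]
```

Against the constructed server the fuzz payload comes back as "reset" and the follow-up as "refused", which is the pattern option C predicts; a real service under a watchdog may already be "alive" again on the follow-up, so the time between the two probes should be short.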

66
MCQmedium

A Python proof-of-concept sends repeated login attempts but does not preserve cookies between requests. The application sets a CSRF token in a session cookie. What change is most likely required for accurate testing?

A.Use a requests.Session object and refresh the CSRF token before each attempt.
B.Remove all headers from the requests.
C.Increase the payload length only.
D.Disable TLS certificate verification as the main fix.
AnswerA

This maintains session state and handles token-based workflows.

Why this answer

The correct answer is A because the proof-of-concept fails to maintain session state across requests, which is essential for handling CSRF tokens that are typically tied to a session. Using a `requests.Session` object automatically persists cookies (including the session cookie containing the CSRF token) across requests, and refreshing the CSRF token before each attempt ensures the token is valid for each login attempt, mimicking real browser behavior.

Exam trap

The trap here is that candidates may think the issue is about request headers or payload size, when the real problem is the lack of session state management (cookie persistence) and CSRF token synchronization across requests.

How to eliminate wrong answers

Option B is wrong because removing all headers would likely break the application's request handling (e.g., missing Content-Type or User-Agent), and does not address the core issue of cookie persistence or CSRF token management. Option C is wrong because increasing payload length only affects the data sent in the request body, but does not solve the problem of missing session cookies or invalid CSRF tokens, which are handled via headers and cookies, not payload size. Option D is wrong because disabling certificate verification only silences TLS errors (an SSLError); it does nothing about cookie persistence, and turning verification off as a "fix" is a habit worth avoiding.

67
MCQmedium

A penetration tester analyzes a PowerShell script that uses the 'Invoke-Command' cmdlet to run a command on multiple remote Windows systems. The script checks if the local Administrator account is using a default password. Which phase of the penetration test is this script most directly supporting?

A.Lateral movement
B.Credential dumping
C.Enumeration of misconfigurations
D.Privilege escalation
AnswerC

The script enumerates remote systems to identify if the default Administrator password is still in use, which is a misconfiguration. This is a form of enumeration used to identify weaknesses.

Why this answer

The script uses Invoke-Command to check if the local Administrator account on multiple remote Windows systems uses a default password. This directly supports the enumeration of misconfigurations phase, as it identifies a common security weakness (default credentials) that could be exploited. It does not involve moving between systems (lateral movement) or extracting stored credentials (credential dumping).

Exam trap

The trap here is confusing the act of checking for default credentials (enumeration of misconfigurations) with the subsequent exploitation step (lateral movement) or the method of extracting stored credentials (credential dumping).

How to eliminate wrong answers

Option A is wrong because lateral movement involves using compromised credentials or techniques to access additional systems, not simply checking for default passwords across remote hosts. Option B is wrong because credential dumping refers to extracting password hashes or plaintext credentials from memory (e.g., using Mimikatz) or from SAM/registry hives, not testing if a known default password is still in use. Option D is wrong because privilege escalation means raising the rights of an account the tester already controls on a host; checking whether other hosts still use a default Administrator password is discovery, not escalation.

68
MCQmedium

A penetration tester is writing a Bash script to enumerate network shares on multiple Windows hosts. The script uses smbclient to list shares. Which command should be used within the script to attempt to connect to a host with a known username and password?

A.smbclient -L //host -U username%password
B.smbclient //host/share -U username%password
C.smbmap -H host -u username -p password
D.net use \\host\share /user:username password
AnswerA

The -L flag lists shares, and -U specifies credentials. This is the standard method to enumerate SMB shares.

Why this answer

Option A is correct because the `smbclient -L //host` command lists available shares on a remote SMB/CIFS host, and appending `-U username%password` provides the credentials for authentication. This matches the requirement to enumerate network shares on multiple Windows hosts using a known username and password within a Bash script. One caveat for anything beyond a lab: `username%password` on the command line is visible in process listings and shell history, so prefer `-A credentials-file` or the `PASSWD` environment variable, both of which smbclient supports.

Exam trap

The trap here is that candidates confuse the `-L` (list shares) option with the direct share connection syntax (`//host/share`), or they mistakenly select a different tool like `smbmap` when the question explicitly specifies using `smbclient` in the script.

How to eliminate wrong answers

Option B is wrong because `smbclient //host/share -U username%password` attempts to connect directly to a specific share (e.g., `//host/share`) rather than listing all shares, which is not the goal of enumeration. Option C is wrong because `smbmap` is a different tool (not `smbclient`) and is not the command specified in the question's context of using `smbclient` within a Bash script. Option D is wrong because `net use` is a Windows command that is not available in a Bash script on a Linux testing host, and it maps a single share rather than listing them.

69
MCQmedium

A penetration tester is analyzing a Python script that uses the 'scapy' library to craft and send packets. The script contains the following code snippet: 'send(IP(dst=target)/TCP(dport=port, flags='S'))'. The script then listens for responses and looks for packets with flags 'SA'. Which type of scan is this script performing?

A. TCP Connect scan
B. TCP SYN scan (half-open scan)
C. TCP FIN scan
D. TCP Xmas scan
Answer: B

The script sends SYN packets and checks for SYN-ACK responses, indicating an open port. It does not complete the handshake, making it a half-open scan.

Why this answer

The script sends a TCP SYN packet (flags='S') and listens for a SYN-ACK response (flags='SA'), which is the defining behavior of a TCP SYN scan (also known as a half-open scan). This scan never completes the three-way handshake, making it stealthier than a full TCP Connect scan. The use of Scapy's `send()` function (Layer 3) rather than `sr()` or a socket-level connect confirms it is crafting raw packets, not relying on the OS's TCP stack.

Exam trap

The trap here is that candidates see the use of Scapy and assume any crafted packet scan is a 'half-open' scan, but the specific flag combination (SYN sent, SYN-ACK expected) is what uniquely identifies a TCP SYN scan, not the library used.

How to eliminate wrong answers

Option A is wrong because a TCP Connect scan uses the operating system's `connect()` system call to complete the full three-way handshake, whereas this script manually crafts and sends raw packets with Scapy and never sends the final ACK. Option C is wrong because a TCP FIN scan sends a packet with only the FIN flag set (flags='F'), not a SYN flag, and expects a RST response from closed ports or no response from open ports, not a SYN-ACK.

70
MCQmedium

A penetration tester is analyzing a Python script used during a test. The script contains the following code: `import requests; r = requests.get('http://target', headers={'User-Agent': 'Mozilla/5.0'}); print(r.text)`. What is the primary purpose of setting the User-Agent header in this script?

A. To bypass IP-based rate limiting.
B. To mimic a legitimate browser to evade detection by web application firewalls.
C. To authenticate to the web server.
D. To enable SSL/TLS encryption.
Answer: B

Many WAFs inspect the User-Agent and may block requests that don't look like they come from a standard browser.

Why this answer

Setting the User-Agent header to 'Mozilla/5.0' makes the HTTP request appear to originate from a standard web browser rather than a Python script. This helps evade detection by web application firewalls (WAFs) and other security controls that may block or flag requests with non-browser User-Agent strings, which are common indicators of automated or malicious traffic.

Exam trap

The trap here is that candidates may confuse the User-Agent header with mechanisms that affect rate limiting or authentication, when in fact it is purely a client identification field used for evasion and content negotiation.

How to eliminate wrong answers

Option A is wrong because the User-Agent header does not affect IP-based rate limiting, which is enforced by the server based on the source IP address, not the User-Agent string. Option C is wrong because authentication to a web server typically requires credentials (e.g., via HTTP Basic Auth, tokens, or cookies), not a User-Agent header; the User-Agent is merely a client identification string defined in RFC 7231.

71
MCQeasy

A penetration tester is analyzing a Python script that uses the 'socket' module to create a TCP connection to a target IP and port. The script then sends a payload (e.g., 'GET / HTTP/1.0\r\n\r\n') and waits for a response. Which tool function is this script most likely performing?

A. Port scanning
B. Banner grabbing
C. Vulnerability scanning
D. Password cracking
Answer: B

Sending a payload and reading the response is the typical method for banner grabbing.

Why this answer

The script creates a TCP connection, sends an HTTP GET request, and waits for a response. This is the classic behavior of banner grabbing, where the goal is to retrieve the service banner (e.g., HTTP server version) from the target. The 'socket' module is used to manually craft the connection and payload, which is a low-level technique for service identification, not for scanning multiple ports or assessing vulnerabilities.

Exam trap

The trap here is that candidates may confuse banner grabbing with port scanning because both involve connecting to a port, but banner grabbing focuses on service identification from a single connection, not enumeration of open ports.

How to eliminate wrong answers

Option A is wrong because port scanning involves iterating over multiple ports to discover open ones, whereas this script targets a single IP and port. Option C is wrong because vulnerability scanning requires checking for known weaknesses (e.g., via a database of CVEs) and often uses automated tools like Nessus, not a simple socket connection sending a static HTTP request.

72
Multi-Selecthard

Which THREE of the following are common elements found in a Burp Suite project file? (Select THREE.)

Select 3 answers
A. Target scope definitions
B. Session handling rules
C. Active scan insertion points
D. Intruder attack definitions
E. Proxy history
Answers: A, D, E

The project file includes the configured scope.

Why this answer

Burp Suite project files store target scope definitions (A), Intruder attack definitions (D), and proxy history (E). Active scan insertion points (C) are predefined and not stored per project; session handling rules (B) are stored in project options.

73
MCQhard

You are conducting a penetration test on a web application that uses a JavaScript challenge-response authentication mechanism. During testing, you notice that the client-side JavaScript code is heavily obfuscated and includes a function that seems to compute a token based on user input and a server-provided nonce. Your goal is to bypass the authentication by generating valid tokens without interacting with the server's intended logic. You have extracted the obfuscated JavaScript and used a beautifier to make it more readable, but the logic is still complex. Which of the following approaches is most likely to succeed in bypassing the authentication?

A. Capture a valid token and replay it with a new nonce
B. Use a JavaScript debugger to dynamically analyze the obfuscated function and replicate its token generation
C. Send random tokens to the server and rely on statistical guessing
D. Use a brute-force script to try all possible token values based on the nonce
Answer: B

Debugging allows you to understand the logic and create a script to generate valid tokens.

Why this answer

Option B is correct because using a JavaScript debugger to step through the obfuscated code allows you to understand the token generation logic and replicate it locally. Option C is wrong because sending random tokens has a negligible chance of success. Option D is wrong because brute-forcing the token values is impractical without understanding the logic.

Option A is wrong because replaying a token captured from a previous session with a new nonce will likely be rejected by the server due to nonce expiration or reuse protection.

74
MCQmedium

A penetration tester is reviewing a Bash script that uses 'nmap' with the '-sC' and '-sV' flags. The script runs the scan and saves the output to a text file. Later, the tester uses 'grep' to extract lines containing 'open'. What is the primary purpose of this script?

A. Identify all open ports and services running on them
B. Perform a vulnerability scan using NSE scripts
C. Detect the operating system of the target
D. Perform a stealthy SYN scan
Answer: A

This is the primary purpose of combining service detection and default scripts.

Why this answer

The '-sC' flag runs default NSE scripts (which perform service enumeration and basic checks), and '-sV' enables version detection. Together, they identify open ports and the services/versions running on them. The subsequent 'grep' for 'open' extracts lines showing open ports, confirming the primary purpose is to enumerate open ports and their associated services.

Exam trap

CompTIA often tests the distinction between default NSE scripts (service enumeration) and vulnerability-specific scripts (e.g., 'vuln'), leading candidates to mistakenly think '-sC' implies vulnerability scanning.

How to eliminate wrong answers

Option B is wrong because '-sC' runs only the default NSE script category, not a vulnerability scan; vulnerability scanning requires explicitly selecting vulnerability-oriented scripts, for example the 'vuln' category via '--script vuln'. Option C is wrong because OS detection requires the '-O' flag, which is not used in this script; '-sC' and '-sV' do not perform OS fingerprinting.

75
MCQmedium

A penetration tester is writing a Bash script to enumerate users from the /etc/passwd file on a compromised Linux system. Which command will efficiently print only the usernames?

A. cut -d: -f1 /etc/passwd
B. awk -F: '{print $1}' /etc/passwd
C. grep -o '^[^:]*' /etc/passwd
D. sed 's/:.*//' /etc/passwd
Answer: A

`cut` splits each line at ':' and outputs field 1 (the username). This is simple and efficient.

Why this answer

Option A is correct because the `cut` command with `-d:` sets the field delimiter to colon (the separator in /etc/passwd) and `-f1` extracts the first field, which is the username. This is the most efficient and straightforward method for this specific task, as it directly isolates the username column without pattern matching or processing overhead.

Exam trap

The trap here is that candidates often overthink the problem and choose `awk` or `grep` because they are more familiar with them for text processing, overlooking that `cut` is the simplest and most efficient tool for fixed-delimiter column extraction.

How to eliminate wrong answers

Option B is wrong because although `awk -F: '{print $1}'` also correctly extracts the first colon-delimited field, it is less efficient than `cut` for this simple column extraction; `awk` is a full text-processing language that incurs more overhead, making it not the 'most efficient' choice as asked. Option C is wrong because `grep -o '^[^:]*'` uses a regular expression to match from the start of the line up to the first colon, which works but is slower and more complex than necessary; it also requires the `-o` flag to output only the matched portion, and the regex engine adds unnecessary processing for a simple field extraction.
