CCNA Tools And Code Analysis Questions

25 of 100 questions · Page 2/2 · Tools And Code Analysis topic · Answers revealed

76 · Drag & Drop · medium

Drag and drop the steps to perform a vulnerability scan using Nessus into the correct order.


Why this order

Vulnerability scanning involves setup, policy creation, execution, report analysis, and remediation verification.

77 · MCQ · medium

A penetration tester is analyzing a Bash script that uses the tool 'curl' to send HTTP requests. The script contains the following line: `curl -X POST -d "username=admin&password[$ne]=a" http://target/login`. Which type of attack is this script most likely attempting?

A. Cross-Site Scripting (XSS)
B. SQL Injection
C. NoSQL Injection
D. Directory Traversal
Answer: C

The $ne operator is a MongoDB query operator. By injecting it into the password field, the attacker attempts to make the query return true for any user, bypassing authentication.

Why this answer

The payload `password[$ne]=a` uses MongoDB's `$ne` (not equal) operator, which is a NoSQL query operator. When the backend parses this as a MongoDB query, it will match any document where the password is not equal to 'a', effectively bypassing authentication. This is a classic NoSQL injection attack, not SQL injection, because the syntax targets NoSQL databases like MongoDB.

Exam trap

The trap here is that candidates see a POST request with parameters and immediately think SQL injection, but the square bracket syntax `[$ne]` is a dead giveaway for NoSQL injection, which is a distinct attack vector targeting document-based databases.

How to eliminate wrong answers

Option A is wrong because Cross-Site Scripting (XSS) involves injecting client-side scripts into web pages, not manipulating database query operators via HTTP parameters. Option B is wrong because SQL injection uses SQL-specific syntax (e.g., `' OR 1=1 --`) to manipulate relational databases, whereas `[$ne]` is a MongoDB operator and does not work against SQL databases.

78 · MCQ · medium

A penetration tester is reviewing a Python script that attempts to exploit a command injection vulnerability. The script uses the 'subprocess' module with the 'shell=True' argument. Which of the following code changes would be MOST effective to reduce the risk of unintended consequences when executing system commands?

A. Replace subprocess with os.system()
B. Use the 'shlex.quote()' function to sanitize user input before passing to subprocess
C. Avoid using shell=True and pass the command as a list of arguments
D. Use the 'exec()' function to run the command
Answer: C

When shell=True is omitted and the command is a list, subprocess executes the command directly without invoking a shell, eliminating shell injection.

Why this answer

Option C is correct because setting `shell=True` in Python's `subprocess` module causes the command string to be interpreted by the system shell, which introduces command injection risks if any part of the string is user-controlled. By passing the command as a list of arguments (e.g., `['ls', '-l', filename]`) and omitting `shell=True`, the subprocess module directly executes the binary without shell interpretation, eliminating shell metacharacter injection. This is the most effective mitigation as it avoids shell parsing entirely, which is the root cause of the vulnerability.

Exam trap

CompTIA often tests the misconception that input sanitization (like quoting) is sufficient to prevent command injection, when in fact the most secure approach is to avoid shell invocation altogether by using a list of arguments with `shell=False`.

How to eliminate wrong answers

Option A is wrong because replacing `subprocess` with `os.system()` still invokes the system shell to execute the command, inheriting the same command injection risks and providing no improvement; in fact, `os.system()` offers even less control over execution. Option B is wrong because while `shlex.quote()` can help sanitize input for shell use, it is not foolproof—edge cases like null bytes or certain locale-dependent characters can bypass quoting, and relying on quoting still leaves the command exposed to shell parsing, making it less robust than removing shell involvement entirely.
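The three patterns the question contrasts, as an added example that is not part of the original question set: the `shell=True` string (vulnerable), the `shlex.quote()` patch (Option B), and the argv-list form (Option C). The "system tool" is a hypothetical argument-echoing Python one-liner rather than a real CLI, and the user input is constructed, so the block runs anywhere Python and a POSIX shell exist.

```python
import shlex
import subprocess
import sys
from typing import List

# Constructed sample input: a filename as a user might submit it, carrying a
# shell metacharacter sequence. Under /bin/sh the ';' terminates a command.
USER_INPUT = "report.txt; echo INJECTED"

# Stand-in for a real system tool (hypothetical): prints each argv entry on
# its own line, so we can see exactly how the user value arrived.
ECHO_ARGS = [sys.executable, "-c", "import sys; [print(a) for a in sys.argv[1:]]"]


def run_with_shell(filename: str) -> List[str]:
    """Vulnerable pattern: the user value is spliced into one command string
    that the shell parses, so its metacharacters become shell syntax.
    The fixed part is quoted; only the user part is left raw, as in the
    typical bug."""
    cmd = " ".join(shlex.quote(a) for a in ECHO_ARGS) + " " + filename
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


def run_with_shell_quoted(filename: str) -> List[str]:
    """Option B pattern: shlex.quote() wraps the value so the shell treats it
    as one word. It works for this input, but the shell still parses the
    line, so safety depends on never forgetting to quote any interpolated
    value."""
    cmd = " ".join(shlex.quote(a) for a in ECHO_ARGS) + " " + shlex.quote(filename)
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


def run_without_shell(filename: str) -> List[str]:
    """Option C pattern: argv list, no shell. The whole user value reaches the
    program as a single argument, metacharacters included, because no shell
    ever sees the command line."""
    out = subprocess.run(ECHO_ARGS + [filename], capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


if __name__ == "__main__":
    print("shell=True       :", run_with_shell(USER_INPUT))
    print("shell=True+quote :", run_with_shell_quoted(USER_INPUT))
    print("argv list        :", run_without_shell(USER_INPUT))
```

In the first call the echoed argument is just `report.txt` and a second line `INJECTED` appears from the injected command; in the other two the entire string is echoed back as one argument.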

79 · MCQ · easy

A penetration tester wants to enumerate SMB shares, user lists, and operating system information from a Windows target without authenticating. Which of the following tools is BEST suited for this task?

A. enum4linux
B. smbclient
C. nmblookup
D. nbtscan
Answer: A

enum4linux uses null sessions to extract extensive information from Windows/Samba targets without credentials.

Why this answer

enum4linux is a Perl wrapper around tools like smbclient, nmblookup, and nbtscan, specifically designed to extract SMB shares, user lists, and OS information from Windows targets without authentication by leveraging null sessions and SMB RPC calls (e.g., via MSRPC over SMB). It automates the enumeration of these details using the Server Message Block (SMB) protocol, making it the best choice for unauthenticated reconnaissance.

Exam trap

The trap here is that candidates often confuse nmblookup or nbtscan as tools for SMB enumeration, but they only handle NetBIOS name resolution, not the deeper SMB share or user enumeration that enum4linux automates.

How to eliminate wrong answers

Option B (smbclient) is wrong because it requires authentication to list shares or access files; without credentials, it can only attempt a null session but lacks the automated enumeration of user lists and OS details that enum4linux provides. Option C (nmblookup) is wrong because it only performs NetBIOS name resolution via NBNS queries, not SMB share or user enumeration. Option D (nbtscan) is wrong because it scans for NetBIOS name services (port 137) to retrieve hostnames and MAC addresses, but it does not enumerate SMB shares or user lists.

80 · MCQ · hard

A tester needs to analyze a compiled .NET application. Which tool is most suitable?

A. Ghidra
B. x64dbg
C. IDA Pro
D. dnSpy
Answer: D

dnSpy decompiles .NET assemblies and allows debugging.

Why this answer

Option D is correct because dnSpy is a .NET debugger and decompiler. Option C is wrong because IDA Pro is for general binary analysis, not specifically .NET. Option A is wrong because Ghidra is for general reverse engineering. Option B is wrong because x64dbg is for debugging native x64 applications, not managed .NET code.

81 · MCQ · hard

A penetration tester is writing a return-oriented programming (ROP) exploit for a Linux binary to bypass Data Execution Prevention (DEP). The binary has DEP enabled, but the tester identifies a gadget in a dynamically linked library that is not affected by ASLR. Which condition must be true for the ROP chain to succeed?

A. The library must be loaded at a fixed address
B. The stack must be executable
C. The binary must be compiled with stack canaries
D. The exploit must bypass ASLR for the main binary
Answer: A

If the library does not use ASLR, its base address is predictable, allowing the ROP chain to call gadgets reliably.

Why this answer

Option A is correct because for a ROP chain to succeed when DEP is enabled, the attacker needs to control the execution flow by chaining together gadgets (small instruction sequences ending with a return) that reside in executable memory regions. If a dynamically linked library is not affected by ASLR, it means it is loaded at a fixed, predictable address, allowing the tester to reliably use gadgets from that library without needing to bypass ASLR for that specific module. This fixed address ensures the ROP chain's addresses are valid across runs, which is essential for the exploit to work.

Exam trap

The trap here is that candidates often assume ASLR must be fully bypassed for any exploit to work, but the question specifically isolates a library not affected by ASLR, making the ROP chain viable without bypassing ASLR for the main binary.

How to eliminate wrong answers

Option B is wrong because DEP specifically prevents execution on the stack; if the stack were executable, the attacker could simply inject shellcode directly, making a ROP chain unnecessary. Option C is wrong because stack canaries are a defense against buffer overflow-based stack corruption, not against ROP; ROP chains operate by overwriting return addresses and chaining gadgets, and canaries would only prevent the initial overflow if not bypassed, but they do not affect the success of a ROP chain once the overflow occurs. Option D is wrong because the question states the library is not affected by ASLR, so the ROP chain can use gadgets from that library without needing to bypass ASLR for the main binary; the main binary's ASLR status is irrelevant if the gadgets are in a fixed-address library.

82 · MCQ · hard

A penetration tester is analyzing a Python script that imports the 'scapy' library. The script defines a function that sends a series of TCP SYN packets to a target IP and port range, and then waits for SYN-ACK responses. Which attack is the script performing?

A. TCP SYN flood
B. Port scanning
C. ARP poisoning
D. DNS spoofing
Answer: B

The script performs a SYN scan to identify open ports by observing SYN-ACK responses, which is a form of port scanning.

Why this answer

The script sends TCP SYN packets to a range of ports and waits for SYN-ACK responses. This is the classic behavior of a SYN scan, a type of port scanning that identifies open ports by observing which ports respond with a SYN-ACK. The use of Scapy to craft and send these packets confirms the script is performing port scanning, not a denial-of-service attack.

Exam trap

The trap here is confusing a TCP SYN flood (a denial-of-service attack that sends many SYN packets without completing handshakes) with a SYN scan (a reconnaissance technique that sends SYN packets and analyzes responses to identify open ports).

How to eliminate wrong answers

Option A is wrong because a TCP SYN flood aims to overwhelm a target with a high volume of SYN packets, exhausting resources and causing denial of service; the script described waits for SYN-ACK responses, which is not characteristic of a flood attack. Option C is wrong because ARP poisoning involves sending forged ARP replies to associate the attacker's MAC address with the IP of another host on a local network, which is unrelated to sending TCP SYN packets to a range of ports. Option D is wrong because DNS spoofing involves corrupting DNS responses to redirect traffic to malicious sites, which does not involve sending TCP SYN packets to a target IP and port range.

83 · MCQ · medium

During a web application test, a penetration tester discovers that the server returns verbose error messages containing full file paths. Which type of attack is directly facilitated by this information disclosure?

A. Path traversal
B. SQL injection
C. CSRF
D. Cross-site scripting
Answer: A

Disclosed file paths allow an attacker to construct traversal payloads to access arbitrary files.

Why this answer

Verbose error messages revealing file paths can enable path traversal attacks, as the attacker learns the directory structure. SQL injection may be facilitated by database error messages, but file paths are specific to path traversal.

84 · Matching · medium

Match each compliance standard to its focus area.

Focus areas:

Payment card data security

Protected health information privacy

Personal data protection for EU citizens

Financial reporting and internal controls

Information security management system

Why these pairings

Penetration testers must understand compliance requirements relevant to clients.

85 · MCQ · medium

During a penetration test, a tester needs to perform a man-in-the-middle (MITM) attack on a local network to capture credentials. Which tool should the tester use to ARP spoof and intercept traffic?

A. Wireshark
B. Nmap
C. TCPDump
D. Ettercap
Answer: D

Ettercap is designed for MITM attacks including ARP poisoning.

Why this answer

Ettercap is a comprehensive MITM tool that supports ARP spoofing, sniffing, and injection. Wireshark is for packet analysis, not active spoofing. TCPDump is for packet capture only. Nmap can be used for discovery but not MITM.

86 · MCQ · medium

A penetration tester is reviewing a Python script that uses the 'mitmproxy' library. The script sets up a proxy and captures HTTP traffic, then modifies certain requests in real time. Which of the following is the most likely purpose of this script?

A. To perform passive network mapping and port scanning
B. To intercept and manipulate API requests for security testing
C. To capture raw network packets for offline analysis
D. To automatically detect SQL injection vulnerabilities
Answer: B

Mitmproxy allows the tester to view and alter requests/responses, useful for testing input validation and logic flaws.

Why this answer

The mitmproxy library is specifically designed for man-in-the-middle interception and modification of HTTP/HTTPS traffic. By setting up a proxy and modifying requests in real time, the script's most likely purpose is to intercept and manipulate API requests for security testing, such as fuzzing parameters, injecting payloads, or bypassing client-side controls.

Exam trap

The trap here is that candidates often confuse mitmproxy with passive sniffing tools like Wireshark, failing to recognize that mitmproxy's core feature is active interception and modification of application-layer traffic, not just passive observation or raw packet capture.

How to eliminate wrong answers

Option A is wrong because passive network mapping and port scanning rely on tools like Nmap or Wireshark to observe traffic without modification, whereas mitmproxy actively intercepts and alters traffic, which is not passive. Option C is wrong because capturing raw network packets for offline analysis is the function of packet sniffers like tcpdump or Wireshark, which operate at the network layer (Layer 3) and do not modify requests; mitmproxy works at the application layer (Layer 7) and is designed for real-time manipulation, not offline capture.

87 · MCQ · medium

A penetration tester is writing a Bash script to automate enumeration of a Linux system after gaining a shell. The script needs to extract user information from the /etc/passwd file. Which command would be most efficient for listing only the usernames?

A. `cat /etc/passwd | cut -d: -f1`
B. `cat /etc/passwd | awk '{print $1}'`
C. `cat /etc/passwd | head`
D. `grep 'user' /etc/passwd`
Answer: A

This correctly splits each line by colon and outputs the first field (username).

Why this answer

Option A is correct because the `cut` command with `-d: -f1` splits each line of /etc/passwd on the colon delimiter and extracts the first field, which is the username. This is the most efficient and purpose-built approach for parsing colon-delimited files in Linux, avoiding unnecessary overhead from other tools.

Exam trap

The trap here is that candidates often assume `awk` with default field splitting works for colon-delimited files, but they forget to specify the `-F:` flag, leading to incorrect output that includes the entire line or unexpected fields.

How to eliminate wrong answers

Option B is wrong because `awk '{print $1}'` defaults to whitespace field splitting, but /etc/passwd uses colons as delimiters, so it would print the entire line (since the line has no spaces before the first colon) rather than just the username. Option C is wrong because `head` outputs the first 10 lines of the file by default, not just usernames, and does not parse or extract specific fields at all.

88 · MCQ · hard

A penetration tester is analyzing a Python script that performs a buffer overflow attack. The script imports the struct module and the socket module. It constructs a payload by packing a pattern of characters, then overwriting a return address with a specific offset. Which of the following is the most critical piece of information the tester must determine before running this script against the target?

A. The IP address and port of the target service
B. The exact location of a JMP ESP instruction in memory
C. The version of the operating system running on the target
D. The username and password for the target service
Answer: B

For a buffer overflow where the shellcode is placed on the stack, overwriting the return address with the address of a JMP ESP instruction (which must be at a fixed, predictable address) redirects execution to the shellcode. Determining this address is crucial for a reliable exploit.

Why this answer

The script performs a buffer overflow attack by overwriting a return address. To redirect execution to attacker-controlled shellcode, the tester must overwrite the return address with the address of a JMP ESP instruction (or equivalent) that is reliably located in memory. Without this address, the overwritten return pointer will cause a crash or unpredictable behavior, making exploitation impossible.

Exam trap

The trap here is that candidates often focus on network connectivity (IP/port) or OS version, overlooking that the core technical challenge in a buffer overflow exploit is controlling execution flow via a reliable return address like JMP ESP.

How to eliminate wrong answers

Option A is wrong because while the IP address and port are necessary to connect to the target service, they are not the most critical piece of information for the exploitation phase; the script already imports socket and presumably has connection details. Option C is wrong because the OS version can help in selecting appropriate offsets or shellcode, but the immediate critical requirement is the address of a JMP ESP instruction, which depends on the specific executable or loaded DLL, not just the OS version.

89 · MCQ · easy

A penetration tester needs to automate a series of web application attacks against a login page to identify weak credentials. Which tool is most appropriate?

A. Nmap
B. Hydra
C. Burp Suite
D. Wireshark
Answer: B

Hydra is a network logon cracker that supports multiple protocols for brute-forcing credentials.

Why this answer

Option B is correct because Hydra is a tool designed for brute-force attacks on login pages. Option A is wrong because Nmap is for network discovery. Option D is wrong because Wireshark is for packet capture. Option C is wrong because Burp Suite is for web application testing but not primarily for brute-forcing credentials.

90 · MCQ · medium

A penetration tester is reviewing a Python script that uses the `requests` library to send HTTP POST requests to a login endpoint. The script attempts to bypass authentication by sending SQL injection payloads in the username field. Which of the following code changes would MOST effectively help the tester identify successful injections by reducing false negatives?

A. Using a `requests.Session` object to maintain cookies across requests
B. Parsing the response for specific error messages such as 'SQL syntax' or 'mysql_fetch_array'
C. Implementing a random delay between requests to avoid rate limiting
D. Adding a function to automatically resend each payload multiple times
Answer: B

This allows the script to confirm that the injection payload was processed by the database, reducing false negatives.

Why this answer

Option B is correct because parsing the HTTP response for database-specific error messages (e.g., 'SQL syntax', 'mysql_fetch_array') directly indicates that the SQL injection payload triggered a detectable database error, confirming a successful injection. This reduces false negatives by catching cases where the login fails but the injection still executes, rather than relying solely on authentication bypass (which may not occur if the injection is blind or the query structure differs).

Exam trap

The trap here is that candidates often confuse session management (Option A) or evasion techniques (Option C) with detection logic, overlooking that the core goal is to reduce false negatives by explicitly checking for injection success indicators in the response.

How to eliminate wrong answers

Option A is wrong because using a `requests.Session` object maintains cookies and session state across requests, which is useful for session handling but does not help identify whether a SQL injection payload succeeded; it addresses session continuity, not detection of injection success. Option C is wrong because implementing a random delay between requests helps avoid rate limiting or WAF detection, but it does not improve the accuracy of identifying successful injections; it only evades defenses, not reduces false negatives in detection.

91 · MCQ · easy

A penetration tester runs the following command and receives the output. What does this output indicate?

A. The target has three services running
B. The target has a misconfigured SSL certificate
C. The target is using default credentials
D. The target is running a vulnerable version of OpenSSH
Answer: A

The scan shows three open ports (22, 80, 443) with services.

Why this answer

Option A is correct because the output shows three open ports: 22, 80, 443. Option D is wrong because OpenSSH 7.4 is not necessarily vulnerable. Option C is wrong because no credentials are shown. Option B is wrong because the SSL certificate is not detailed.

92 · MCQ · medium

Based on the exhibit, which additional Nmap command should the tester run to gather the most useful information for a web application test?

A. `nmap -A 192.168.1.10`
B. `nmap -sV 192.168.1.10`
C. `nmap -O 192.168.1.10`
D. `nmap -sC 192.168.1.10`
Answer: B

Version detection identifies software and versions, essential for web app testing.

Why this answer

The -sV option performs version detection on open ports, revealing software versions on HTTP/HTTPS and the proxy. -O is OS detection, -sC runs default scripts (useful but version first), and -A does both. However, -sV is the most direct for web app testing as it identifies application versions, which is crucial for vulnerability research.

93 · MCQ · medium

A penetration tester is analyzing a Python script that uses the 'requests' library to send HTTP requests with a custom header that mimics a mobile device. The script also uses 'beautifulsoup4' to parse the response and extract specific data. Which task is this script most likely performing?

A. Web scraping to gather publicly available information.
B. Fuzzing for SQL injection.
C. Performing a brute-force attack on a login form.
D. Testing for directory traversal vulnerabilities.
Answer: A

The combination of requests and BeautifulSoup indicates scraping. The mobile User-Agent helps evade simple bot detection, making it ideal for collecting data from web pages.

Why this answer

The script uses the 'requests' library to send HTTP requests with a custom header mimicking a mobile device, and 'beautifulsoup4' to parse the HTML response and extract data. This combination is specifically designed for web scraping, where the custom header helps avoid bot detection by making the request appear to come from a mobile browser, and BeautifulSoup extracts targeted information from the page structure.

Exam trap

The trap here is that candidates may confuse the use of a custom header with security testing (e.g., fuzzing or brute-forcing), but the presence of BeautifulSoup for HTML parsing clearly indicates data extraction, not injection or authentication bypass.

How to eliminate wrong answers

Option B is wrong because fuzzing for SQL injection typically involves sending malformed input (e.g., special characters, SQL keywords) in parameters or form fields, not setting a custom User-Agent header or parsing HTML with BeautifulSoup; tools like Burp Suite Intruder or custom loops with 'requests' are used, but the focus is on injecting payloads, not extracting data from responses. Option C is wrong because a brute-force attack on a login form requires iterating through username/password combinations and analyzing response status codes or error messages, not simply setting a mobile User-Agent and parsing HTML for data extraction; BeautifulSoup is unnecessary for brute-force logic, which typically checks for login success indicators like redirects or specific text.

94 · MCQ · medium

A penetration tester is analyzing a Python script that uses the 'scapy' library to craft custom network packets. The relevant code is:

```python
from scapy.all import *

# Build a TCP packet to port 80 with only the SYN flag set
packet = IP(dst="192.168.1.1")/TCP(dport=80, flags="S")
# Send it and wait for a single reply; sr1() returns None on timeout
response = sr1(packet, timeout=2)
if response is not None and response.haslayer(TCP):
    print(response.getlayer(TCP).flags)
```

What is the primary goal of this script?

A. To perform a TCP connect scan by completing the three-way handshake
B. To perform a SYN scan and determine if port 80 is open
C. To send an HTTP GET request and capture the web page
D. To perform a UDP scan on port 80
Answer: B

The script sends a SYN packet to port 80 and analyzes the response flags; a SYN-ACK indicates the port is open.

Why this answer

The script uses Scapy to craft a TCP SYN packet (flags='S') to port 80 and sends it with sr1(), which waits for a single response. If a TCP layer is present in the reply, it prints the flags. This is the classic behavior of a SYN scan (half-open scan): it sends a SYN and analyzes the response to determine if the port is open (SYN-ACK) or closed (RST), without completing the handshake.

Option B correctly identifies this as a SYN scan to check if port 80 is open.

Exam trap

The trap here is that candidates may confuse a SYN scan with a full connect scan (Option A) because both involve sending a SYN, but the key difference is that a SYN scan never sends the final ACK, making it stealthier and not a full handshake.

How to eliminate wrong answers

Option A is wrong because a TCP connect scan completes the full three-way handshake (SYN, SYN-ACK, ACK), whereas this script only sends a SYN and does not send the final ACK, making it a half-open SYN scan. Option C is wrong because the script sends a raw TCP SYN packet, not an HTTP GET request; it does not include any HTTP payload or application-layer data, so it cannot retrieve a web page.

95 · MCQ · medium

A penetration tester is analyzing a PowerShell script that uses Invoke-WebRequest and Invoke-RestMethod to interact with a target web service. The script parses JSON responses to extract session tokens and then uses those tokens in subsequent requests. Which attack technique is this script most likely performing?

A. Brute-forcing web application login credentials.
B. Exploiting an API by manipulating request parameters and observing responses.
C. Performing a SQL injection attack on a web form.
D. Conducting a directory traversal attack to read arbitrary files.
Answer: B

The script dynamically extracts session tokens and reuses them, which is common when testing APIs for parameter manipulation, privilege escalation, or injection flaws. It allows the tester to bypass authentication and test authenticated endpoints.

Why this answer

The script uses Invoke-WebRequest and Invoke-RestMethod to interact with a web service, parsing JSON responses to extract session tokens and reusing them in subsequent requests. This pattern is characteristic of API manipulation, where an attacker modifies request parameters (e.g., headers, query strings, or payload) and observes how the API responds to infer vulnerabilities or escalate privileges, rather than directly attacking authentication or injecting SQL.

Exam trap

The trap here is that candidates confuse the use of Invoke-WebRequest and Invoke-RestMethod with brute-force attacks, but the script's focus on token extraction and reuse points to API parameter manipulation, not credential guessing.

How to eliminate wrong answers

Option A is wrong because brute-forcing login credentials would involve repeatedly submitting different username/password pairs, not parsing JSON session tokens from responses and using them in subsequent requests; the script's focus on token extraction indicates session management exploitation, not credential guessing. Option C is wrong because SQL injection requires injecting SQL syntax into input fields to manipulate database queries, whereas the script uses Invoke-WebRequest and Invoke-RestMethod to handle structured JSON data and tokens, with no mention of SQL payloads or database error responses.

96 · Drag & Drop · medium

Drag and drop the steps to perform a social engineering campaign using a phishing email with a malicious attachment into the correct order.


Why this order

Social engineering involves pretexting, payload creation, listener setup, delivery, and shell acquisition.

97 · MCQ · medium

A penetration tester is analyzing a Bash script that uses 'curl' to send HTTP requests with payloads and checks for a specific string in the response. The script contains: `if echo $response | grep -q "root:x:0:0"`. Which vulnerability is the script most likely testing for?

A. SQL injection
B. Local file inclusion
C. Cross-site scripting
D. Remote code execution
Answer: B

The script is attempting to read the /etc/passwd file via a file inclusion vulnerability, which would return the password file content containing the 'root:x:0:0' line.

Why this answer

The script checks for the string 'root:x:0:0' in the HTTP response, which is the standard format of the root user entry in the /etc/passwd file on Unix-like systems. This indicates the script is testing whether the server is returning the contents of a local file (e.g., /etc/passwd) via a path traversal or file inclusion vulnerability, making Local File Inclusion (LFI) the correct answer.

Exam trap

The trap here is that candidates may confuse the presence of a specific string in the response with SQL injection (e.g., thinking 'root:x:0:0' is a database record), but the format is a direct match for the /etc/passwd file, which is a classic LFI indicator.

How to eliminate wrong answers

Option A is wrong because SQL injection typically involves manipulating SQL queries to extract database contents, not checking for static system file strings like 'root:x:0:0'. Option C is wrong because cross-site scripting (XSS) focuses on injecting client-side scripts into web pages, not on retrieving server-side file contents. Option D is wrong because remote code execution (RCE) would involve executing arbitrary commands on the server, whereas the script only checks for a file content string in the response, not command output or execution indicators.

98 · MCQ · hard

A penetration tester is assessing a custom web application that uses JSON Web Tokens (JWT) for authentication. The tester suspects the token may be using a weak secret. Which tool is best suited to attempt cracking the JWT secret?

A. Hashcat
B. DirBuster
C. Burp Suite Intruder
D. sqlmap
Answer: A

Hashcat supports JWT (HMAC-SHA) cracking with its mode 16500.

Why this answer

Hashcat is a powerful password cracking tool that can crack JWT secrets using dictionary or brute-force attacks. John the Ripper is similar but hashcat is generally faster and more GPU-optimized. DirBuster is for directory discovery, sqlmap for SQL injection, and Burp Suite Intruder can be used but is less efficient for offline cracking.

99 · MCQ · medium

A penetration tester wants to fuzz a network protocol to find buffer overflows. Which tool is most appropriate?

A. John the Ripper
B. Peach Fuzzer
C. Nessus
D. Wireshark
Answer: B

Peach Fuzzer generates malformed data for protocol fuzzing.

Why this answer

Option B is correct because Peach Fuzzer is designed for protocol fuzzing. Option D is wrong because Wireshark captures packets. Option C is wrong because Nessus is a vulnerability scanner. Option A is wrong because John the Ripper cracks passwords.

100 · MCQ · easy

A penetration tester wants to identify live hosts on a large internal network. Which Nmap option would be the FASTEST for initial host discovery?

A. -sV (Version detection)
B. -sS (SYN stealth scan)
C. -sn (Ping sweep)
D. -A (Aggressive scan)
Answer: C

The -sn option uses minimal probes to determine host availability and is the fastest method for host discovery.

Why this answer

The -sn option performs a ping sweep, sending ICMP echo requests, TCP SYN to port 443, TCP ACK to port 80, and ICMP timestamp requests by default. It does not perform port scanning, making it the fastest method for initial host discovery on a large internal network because it only checks for host availability without enumerating services.

Exam trap

The trap here is that candidates often confuse host discovery with port scanning, assuming that a SYN scan (-sS) is the fastest because it is stealthy, but they overlook that -sn is designed specifically for host discovery and avoids the overhead of port scanning entirely.

How to eliminate wrong answers

Option A is wrong because -sV performs version detection, which requires an open port to be found first and then sends additional probes to determine service versions, making it significantly slower and not suitable for initial host discovery. Option B is wrong because -sS performs a SYN stealth scan, which scans for open ports on each host, requiring multiple packet exchanges per port and per host, which is much slower than a simple ping sweep for just identifying live hosts.
