1.
Which type of reconnaissance would involve using tools that send network probes directly at a target device?
2.
Which of the following is a specification that defines the formats for images, sound, and supplementary tags used by digital cameras, mobile phones, scanners, and other systems that process image and sound files?
3.
Which of the following is not a name-to-IP address resolution technology or protocol?
4.
When an attacker is planning a course of action to gain access to a target, what is the initial phase the attacker performs?
5.
What term refers to the path from the “root” directory of the server to the desired resource?
6.
What type of person asks good open-ended questions to learn about an individual’s viewpoints, values, and goals?
7.
Which of the following is an example of how to detect an account takeover attack?
8.
Which term refers to obtaining information, such as personally identifiable information (PII), passwords, and other confidential data, by looking over the victim’s shoulder?
9.
Which of the following is an example of a source code injection attack?
10.
Which of the following are NOT injection-based vulnerabilities?
11.
Which of the following threat actors typically acts from inside an organization?
12.
Which of the following is a method of information gathering in which the tools used send out probes to the target network or systems in order to elicit responses that are then used to determine the posture of the network or system?
13.
Which of the following is a comprehensive guide focused on web application testing?
14.
Which social engineering motivation technique is used to create a feeling of urgency in a decision-making context?
15.
Which attack involves getting close to a person and looking over his or her shoulder to see what the person is typing on a laptop, phone, or tablet?
16.
What type of attack leverages the weakest link, which is the human user?
17.
Which of the following is a method of associating a user’s identity across different identity management systems?
18.
Which of the following is an authentication protocol defined in RFC 4120 that has been used by Windows for several years?
19.
Which of the following is an example of a common misconfiguration of IoT devices and cloud-based solutions?
20.
What is the primary deliverable for a contracted penetration tester?
21.
Which of the following is a cloud-based DoS attack in which threat actors are able to reveal the origin network or IP address behind a content delivery network (CDN) or large proxy placed in front of web services in a cloud provider?
22.
Which of the following is NOT an example of active reconnaissance?
23.
Which of the following refers to hiding a message or other content within an image or video file?
24.
Which of the following is NOT an HTTP client?
25.
Which of the following is not true about cross-site request forgery (CSRF or XSRF) attacks?
26.
Which of the following is related to an attacker having no need to install any additional software or binaries on a compromised system to execute C2 activities?
27.
Which of the following is the term for an attacker presenting to a user a link or an attachment that looks like a valid, trusted resource?
28.
Which of the following refers to the act of incorporating malicious ads on trusted websites, which results in users’ browsers being inadvertently redirected to sites hosting malware?
29.
Which of the following is not a tool that is commonly used for passive reconnaissance?
30.
Which of the following is a project management term that refers to the uncontrolled growth of a project’s scope?
31.
Which term describes the act of gaining knowledge or information from people?
32.
Which port and protocol are used for the Secure SMTP (SSMTP) protocol for encrypted communications, as defined in RFC 2487, using STARTTLS?
33.
Which penetration testing methodology is similar to other methodologies but has some additional phases, like enumerating further and covering the tracks?
34.
Which of the following is a legal document and contract between you and an organization that has hired you as a penetration tester?
35.
Which of the following is a best practice to keep in mind during the post-penetration test cleanup process?
36.
Organizations sometimes require which of the following to feel comfortable with the penetration testing team that they are giving access to their environment and information?
37.
Which HTTP status code messages are related to client errors?
38.
Which of the following is an example of a social engineering attack that is not related to email?
39.
Which of the following is a targeted attack that occurs when an attacker profiles the websites that the intended victim accesses?
40.
Which NetBIOS service is for connection-oriented communication?
41.
In which type of attack does an attacker create a malicious application and inject it into a SaaS, PaaS, or IaaS environment?
42.
Your company has suffered a data breach. You are now being asked to show proof that you have been doing your due diligence to secure the environment. What can you provide to show this proof?
43.
Which of the following terms describes an attack in which the end user’s system hard drive or files are encrypted with a key known only to the attacker?
44.
Which of the following is a tool used to enumerate SMB shares, vulnerable Samba implementations, and corresponding users?
45.
Which of the following is typically a corporate security team that defends an organization against cybersecurity threats?
46.
Which of the following involves applying security best practices, patches, and other configurations to remediate or mitigate the vulnerabilities found in systems and applications?
47.
Which type of attack is often based on information gained from the implementation of the underlying computer system (or cloud environment) instead of a specific weakness in the implemented technology or algorithm?
48.
Which of the following tools is highly effective in social networking site enumeration because of its use of application programming interfaces (APIs) to gather information?
49.
Which of the following describes a KARMA attack?
50.
Which type of vulnerability scan requires you to provide the scanner with a set of credentials that have root-level access to the system?
51.
Which of the following are post-exploitation activities to maintain persistence in a compromised system?
52.
Which HTTP status code is related to HTTP redirections?
53.
Which character in normal SQL queries can be used to specify that the end of a statement has been reached and what follows is a new statement?
54.
Which of the following tasks helps you cover your tracks to remain undetected?
55.
Which of the following uses graph theory to reveal the hidden relationships in a Windows Active Directory environment?
56.
Which protocol is used primarily by Microsoft Windows for host identification?
57.
Which of the following is an attack against the WPA and WPA2 protocols?
58.
Which of the following PowerShell commands copies a file?
59.
Which of the following is not true?
60.
Which document was created for the purpose of providing organizations with guidelines on planning and conducting information security testing?
61.
In which environment would the tester not have prior knowledge of the target’s organization and infrastructure?
62.
Which security rule focuses on safeguarding electronic protected health information (ePHI), which is defined as individually identifiable health information (IIHI) that is stored, processed, or transmitted electronically?
63.
What is the term for a collection of compromised machines that the attacker can manipulate from a command and control (CnC, or C2) system to participate in a DDoS attack, send spam emails, and perform other illicit activities?
64.
Which of the following is a newer Microsoft shell that combines the old CMD functionality with a new scripting/cmdlet instruction set with built-in system administration functionality?
65.
Which of the following is one of the differences between SNMPv2c and SNMPv3?
66.
ARP spoofing can be used to do which of the following?
67.
Which of the following is true about Shodan?
68.
Which of the following is a tool that can help automate the enumeration of vulnerable applications, as well as the exploitation of SQL injection vulnerabilities?
69.
In which of the following does the attacker retrieve data using a different channel?
70.
Software developers should escape all characters (including spaces but excluding alphanumeric characters) with the HTML entity &#xHH; format to prevent what type of attack?
71.
Which of the following describes moving from one device to another to avoid detection, steal sensitive data, and maintain access to these devices to exfiltrate the sensitive data?
72.
Which of the following is true about spear phishing?
73.
Which Nmap command is used to enumerate hosts on a network?
74.
Which rule requires technical and nontechnical safeguards to protect electronic health information?
75.
Which of the following can ethical hackers use to practice using tools on known vulnerable systems?
76.
Which of the following is used to manage data and operations on Windows operating systems?
77.
In which type of attack does a vulnerable web application inject malicious code or scripts using any method that yields a response as part of a valid HTTP request?
78.
Which kind of penetration test is used by a tester who starts with very little information?
79.
Which of the following documents includes the penetration testing timeline?
80.
Which of the following statements is not true?
81.
Which of the following is not true about USB key drop attacks?
82.
Which type of threat actors are looking to make a point or to further their beliefs, using cybercrime as their method of attack?
83.
Which regulation aims to secure the processing of credit card payments and other types of digital payments?
84.
Which tool included in Kali is most helpful in compiling a quality penetration testing report?
85.
Which of the following is a mitigation technique for preventing clickjacking attacks?
86.
With which of the following shells can an attacker have a listener (port open) when the victim initiates a connection back to the attacking system?
87.
In which of the following does an attacker broadcast a large number of DHCP REQUEST messages with spoofed source MAC addresses?
88.
Which port and protocol are the defaults used by the POP3 protocol in non-encrypted communications?
89.
Which of the following refers to analyzing a compiled mobile app to extract information about its source code?
90.
Very well-funded and motivated groups that typically use any and all of the latest attack techniques are known as _____.
91.
Which of the following allows an attacker to change the caller ID information that is displayed on any phone?
92.
Which cloud model is shared between several organizations?
93.
Which of the following describes an attack in which an attacker places himself or herself in-line between two devices or individuals that are communicating in order to eavesdrop?
94.
Which type of attack is targeted at high-profile business executives and key individuals in a corporation?
95.
Which of the following metrics lists used to determine CVSS scores includes exploit code maturity, remediation level, and report confidence?
96.
Which of the following is an approach that allows an ethical hacker to validate a finding using the same test with a different tool to see if the results are the same?
97.
Which of the following are examples of code injection vulnerabilities?
98.
Which cloud model is used just by a client organization on the premises or at a dedicated area in a cloud provider?
99.
Which basic DNS tool can perform name resolution and obtain additional information about a domain?
100.
In which of the following attacks does a threat actor impersonate the MAC address of another device (typically an infrastructure device such as a router)?
101.
Which attack can allow an attacker to view, insert, delete, or modify records in a database?
102.
An ethical hacker must understand the motivations of a malicious user, or a(n) ________, to better protect the network.
103.
Which method of information gathering uses publicly available information sources to collect and analyze information about a target?
104.
Which of the following indicates that an organization is willing to accept the level of risk associated with a given activity or process?
105.
Which term describes the act of exploiting a bug or design flaw in a software or firmware application to gain access to resources that normally would have been protected from an application or a user?
106.
Which Kerberos post-exploitation activity is used by an attacker to extract service account credential hashes from Active Directory for offline cracking?
107.
Which of the following is a popular SMB exploit that has been used in ransomware?
108.
Which of the following is an open-source framework that includes a PowerShell Windows agent and a Python Linux agent and has the ability to run PowerShell agents without the need for powershell.exe?
109.
Which agency is responsible for enforcing GLBA as it pertains to financial firms that are not covered by federal banking agencies?
110.
Which of the following is not true about whaling?
111.
Which of the following describes a DNS cache poisoning attack?