
Reg. No.   S. No   Questions

Reg. No. 11701098
1. You need to capture packets on a wired network during the information gathering phase of a gray box penetration test. Which utilities could you use on your laptop to accomplish this? Explain any 2.
2. You are performing a gray box penetration test for a client. The employees in the target organization use an application that was developed in-house to complete their day-to-day work. It crashes frequently, and you suspect that it is based on poorly written or outdated code. You want to analyze the application’s execution when run by a typical end user to see whether it contains weaknesses that can be exploited. What should you do?
3. You are performing a vulnerability scan during a gray box penetration test. The scanner manipulates the TCP three-way handshake to enumerate network hosts. Which type of scan are you performing? Explain in detail.
Reg. No. 11701448
1. You are performing a gray box penetration test. You are performing a vulnerability scan on the internal network using a stealth scan. The target network has an IDS device installed. What is likely to happen? Explain in detail.
2. You need to perform a vulnerability scan as part of a gray box penetration test. The rules of engagement specify that the internal system administrators are not to receive any warning of when your scan will occur, that you are to avoid detection, and that your scan should gather as much information as possible. What should you do? Explain in detail.
3. You are performing a gray box penetration test. You want to craft a custom packet to test how a server responds and to see what information it responds with. Which utility could you use to do this? Explain in detail.

Reg. No. 11701533
1. You are performing a black box penetration test. You have used theHarvester to enumerate a large number of user email addresses in the target organization. What could you do with this information?
2. Kimberly is running a gray box penetration test. The target network uses a 10-net IP addressing scheme with an 8-bit subnet mask (10.0.0.0/8). She needs to run a vulnerability scan on each host on the network. She loads nmap on her laptop, which is connected to the same segment being scanned, using the -T0 option. What did she do incorrectly in this scenario? Explain in detail.
3. You are assessing the results of a vulnerability scan and have noticed a common theme. You have found that almost all of the target organization’s Windows Server 2012 R2 systems are missing the same critical security updates. What should you do?

Reg. No. 11701562
1. You are assessing the results of a vulnerability scan and notice that many network devices, such as routers and access points, still use default administrative usernames and passwords. This information can be easily found on the Internet and represents a significant security vulnerability. What should you do?
2. You have just completed scanning a target network and are now prioritizing activities in preparation to exploit the vulnerabilities found. You discover that the organization still uses several older unsupported Windows 2000 Server systems. After performing some research, you identify several vulnerabilities associated with these systems that could be exploited. You modify the source code for a particular exploit such that it will work on these older systems, and then you compile it. What should you do next?
3. A penetration tester has been asked to determine whether the client’s server farm is compliant with the company’s software baseline by conducting a remote scan. What type of scan should the tester perform to verify compliance?
Reg. No. 11701575
1. After several attempts, a tester was able to gain unauthorized access through a biometric sensor by using the tester’s own fingerprint without exploitation. What happened with the biometric device that allowed the tester to gain access?
2. A penetration tester is using social media to gather information about different employees at a company. The tester has created a list of popular words used frequently in the employees’ profiles. What type of attack could this information be used for?
3. You are a penetration tester, and after performing a recent test, you discover that the client’s staff is using dictionary and seasonal passwords. What is the best way to control the use of common dictionary words as passwords?

Reg. No. 11701577
1. A penetration tester wants to use rainbow tables against a password file that has been captured. How does the rainbow table crack passwords? And how is it different from brute force?
2. During a gray box penetration test, you discover an open SMTP service running on an older database server. You want to use this SMTP service to send phishing emails to users within the organization. What is this exploit called?
3. While performing a black box penetration test, you identify a significant amount of FTP data being transferred between an unknown internal host on the target network and hosts on the Internet on ports 20 and 21. How could you exploit this traffic to gain access to systems on the target network?

Reg. No. 11701607
1. You are conducting a gray box penetration test. You want to capture C-level executives’ authentication credentials. To accomplish this, you set up a fake internal web server that looks exactly like the web server used to manage employee time-off and reimbursement requests. You inject a fake DNS record into the organization’s DNS server that redirects traffic from the real server to your fake server. What is this exploit called? Explain.
2. A penetration tester is conducting a gray box penetration test. She crafts a Trojan horse exploit that flushes the DNS cache on the local workstation and replaces it with malicious name resolution entries that point to a fake web server. When clients within the organization try to resolve hostnames, the malicious entries from the local DNS cache are used. What is this exploit called? Explain.
3. A penetration tester is conducting a gray box penetration test. She notices that one of the branch offices of the organization uses a caching-only DNS server to handle name resolution requests. She sends a bogus reply to a name resolution request from the caching-only DNS server, using a spoofed source address in the reply packets. The bogus name resolution records point users to a fake web server that is used to harvest authentication credentials. What is this exploit called? Explain.

Reg. No. 11701627
1. During a gray box penetration test, the tester sends a fake ARP broadcast message on the local network segment. As a result, her laptop’s MAC address is now mapped to the IP address of another valid computer on the segment. What is this exploit called? Explain.
2. An ARP spoofing attack is categorized as which type of exploit? And why?
3. During a black box penetration test, the tester parks in the target organization’s parking lot and captures wireless network signals emanating from the building with his laptop. By doing this, he is able to capture the handshake process used by an authorized wireless client as it connects to the network. He later resends this handshake on the wireless network, allowing his laptop to connect to the wireless network as that authorized client. What kind of exploit is this? Explain.
Reg. No. 11701841
1. Which type of exploit fools a web server into presenting a user’s web browser with an HTTP connection instead of an HTTPS connection as the user originally requested? Explain.
2. During a gray box penetration test, the tester decides to stress test a critical network router. She sends thousands of ping requests addressed to all of the hosts on the subnet. However, she spoofs the source address of the requests to the IP address of the network router. As a result, the router is flooded with ICMP echo response traffic that it didn’t initiate, making it difficult for it to respond to legitimate network requests. What kind of exploit is this? Explain.
3. You are performing a gray box penetration test. To capture information from multiple VLANs, you have configured the network board in your computer to emulate a trunk port on a network switch. Your goal is to get the real switch to forward traffic from all VLANs to your device. What is this exploit called? Explain.

Reg. No. 11701911
1. A penetration tester is searching for vulnerabilities within a web application used by the target organization. In the login page, she enters the following string of text in the Password field: UNION SELECT Username, Password FROM Users; What type of exploit is being used in this example? Explain.
2. A penetration tester reviews social media accounts owned by the target organization’s CIO and makes a list of possible passwords such as her spouse’s name, pet’s name, favorite sports teams, and so on. The tester tries to log on to the CIO’s account using one possible password after another, trying to find one that works. What type of authentication exploit is this? Explain.
3. During a black box penetration test, the tester discovers that the organization’s wireless access point has been configured with an administrative username of admin and a password of Admin. The tester gains administrative access to the access point. What kind of authentication exploit occurred in this scenario? Explain.

Reg. No. 11701923
1. Which forms of a cross-site scripting (XSS) attack are considered to be server-side exploits? Why? Explain.
2. During a gray box penetration test, the tester notices that the organization’s human resources self-service web application uses Active Directory user accounts for authentication. It also includes a “Remember me” option on the login page. The tester sends an email message to high-level employees within the organization with the subject line “Check out this funny picture.” When the email is opened, hidden HTML code actually sends an HTTP request to the self-service web application that changes the user’s password. The attack relies on the saved session cookie from the site to work. What type of authentication exploit is this? Why? Explain.
3. What is stored in the SAM database on a Windows system? Explain in detail.

Reg. No. 11701945
1. You are performing a gray box penetration test. You have successfully compromised a target computer system. You now need to cover your tracks to hide the evidence of your actions. Which techniques could you employ?
2. You are a penetration tester and have found a vulnerability in the client’s domain controller. The vulnerability is that null sessions are enabled on the domain controller. What type of attack can be performed to take advantage of this vulnerability?
3. What exactly is data packet sniffing, and what are some of the most widely used tools?
Reg. No. 11701956
1. A deficiency has been discovered in production. If an unauthorized user copies a URL from a session of an authorized user, the unauthorized user can paste the URL into their session and continue to process with the authorized user’s rights. In the case that was reported, the unauthorized user was able to use the authorized user’s URL to change the system administration password. In order to close this gap, the developers will check the session ID and the user ID anytime a URL is used. What is a realistic concern for this fix?
2. What is SQL injection and what can you do to help ensure SQL injection attacks will not plague your organization?
3. What are some of the most common network security vulnerabilities that a pentester comes across?

Reg. No. 11701972
1. You have been testing a system that has 20 defined components. You have done extensive security testing on each of the components. The system is now ready to move into component integration security testing. How should you approach this testing?
2. How important is it to stay up-to-date with changes in the vulnerability landscape?
3. Describe the different phases of a network intrusion attack.

Reg. No. 11702003
1. You have been given the following requirement for security testing. A user will be allowed to request their password. If they make this request, they must answer two of their three security questions correctly. If they answer correctly, a link will be sent to their email. The link will take them to a page where they can reset their password. Once reset, they can log in with the new password. The link must be disabled 1 hour after it is sent. The user is allowed only two password requests without a reset, after which they will have to call the help desk. For any other errors, the user ID is locked and must be unlocked by the help desk. List the test conditions to adequately test the functional security covered by this requirement.
2. Design and justify the requirements for penetration testing, preventing hacking, data loss and data manipulation, with e-commerce as a case study.
3. After a pentest is conducted, what are some of the top network controls you would advise your client to implement?

Reg. No. 11702025
1. You are implementing procedures for evaluating system hardening in an effort to test the system’s security effectiveness. What procedure might you follow to ensure the hardening mechanisms put in place are working as expected?
2. Mary has added an apostrophe after an ?id= parameter within the URL of a webpage. She now sees an error, saying there was a syntax error. What did Mary find? Explain in detail.
3. What exactly is CSRF and how can it be prevented when executing a pentest exercise?

Reg. No. 11702086
1. Typical encryption mechanisms are vulnerable to threats, which makes it important to understand their effectiveness at any given time. Identify some points that you should implement to gain confidence in your encryption mechanisms.
2. A site uses dynamically generated content. By making use of a specific technique, it is possible to steal login credentials of the user. Which technique is meant here? Explain in detail.
3. Your role as the Security Administrator is to help your organization understand the effectiveness of security policies and procedures across the enterprise. You will report your effectiveness findings to Senior Management after your analysis has been completed. What would be the optimum strategy to accomplish this?

Reg. No. 11702150
1. List some techniques to effectively test the abilities of an intrusion detection tool.
2. Before beginning the ethical hack at a client, a penetration tester should always be prepared for any legal issues. What should the penetration tester do to prevent legal liability?
3. If an organization experiences a security breach and legal action results, how does it help the organization to have done security testing?

Reg. No. 11702337
1. List the disadvantages of malware scanning tools.
2. A penetration tester is testing a web application. To check for vulnerabilities she decides to check if SQL injections are possible. Which character is typically used first by the penetration tester? Explain the next steps to be carried out.
3. You are working at a bank as part of the security testing team. During a recent security audit it was noted that the users’ passwords were not strong enough. Since that time, a new set of requirements has been issued to ensure password strength. Given this information, what would be a reasonable set of security objectives for general password rule testing?
Reg. No. 11702914
1. You are responsible for security testing your company’s financial application. You have recently received email from a person who claims to have hacked into the system using Shodan and has discovered that you are running an out-of-date and vulnerable OS on one of your servers. You have checked and the hacker is correct. You have made sure the server has been updated. Your preliminary check has shown no trace of how the hacker got into your system. Should you be concerned? If yes, why? If no, why?
2. You are a penetration tester and have found a vulnerability in the client’s domain controller. The vulnerability is that null sessions are enabled on the domain controller. What type of attack can be performed to take advantage of this vulnerability?
3. Your company recently made headlines after a security breach resulted in confidential customer information being stolen. Management has reacted with an edict that the scope of the security testing objectives needs to be expanded immediately. While you agree that something needs to be done, you are worried that this approach may be too reactive and may not result in the testing that is needed. What is a reasonable concern if these initiatives are implemented?

Reg. No. 11702987
1. Why is an attack from inside the organization particularly worrisome?
2. You are performing a gray box penetration test. You have successfully compromised a target computer system. You now need to cover your tracks to hide the evidence of your actions. Which techniques could you employ?
3. You have just accepted a job to create a security testing team for a company that handles sensitive medical information that is shared between doctors and hospitals. You have noticed that the security around this information is not sufficient to protect it from hackers or even accidental exposure. The person who had your job previously brought in a number of consultants to do testing, but the findings were not documented and no changes were implemented. In fact, you don’t even know what the coverage was from the testing. You have presented your findings to the executive management team. While they have agreed in principle that they need security testing, they have not allocated the necessary budget or time to the project. It appears that while they think security is a good idea, they really have no understanding of what should be done or how it should be done. What should be your first step toward getting the executives aligned with the work that needs to be done?

Reg. No. 11704575
1. During testing of an upgrade, you have discovered that it is possible to create a man-in-the-middle attack that can change the amount charged to customers on your e-commerce web site. Your tester successfully changed the amount so that customers were all getting a 10% discount. What should you do first?
2. Download pwdump and RainbowCrack and attempt to crack the passwords on your own computer. Repeat this process using ophcrack. Note which is more effective at cracking your passwords.
3. You have just come from a meeting where there was much discussion regarding the security approach of the organization. One of the points of emphasis was the importance of testing to ensure that data is protected from fraudulent access, particularly credit card information. You have been asked to prepare a set of testing objectives that will help address this risk area. Write the objectives accordingly.
Reg. No. 11704577
1. Why is it important to reassess security risk expectations on a frequent basis?
2. What is stored in the SAM database on a Windows system? Explain in detail.
3. You have been developing a security test plan for a system that will store medical information for patients and will transfer that data to specialist doctors. You have covered the following areas in your plan: • Scope (what’s in scope and out of scope) • Roles and assignments • Responsibilities (vendors vs. internal) • High-level schedule • Environment requirements and setup • List of necessary authorizations and approvals. What information do you still need to supply in this test plan to meet the minimum requirements as noted in the syllabus?

Reg. No. 11705424
1. What could be benefits of conforming to security testing standards?
2. John is trying to get a list of passwords from a machine, so that he can enter these into a rainbow table and try to retrieve the password. What tool would be most helpful to him? And how?
3. List down 5 test cases that would best test a system’s security procedure.

Reg. No. 11705590
1. You are finalizing your security test status report for a project that is ready for deployment into production. There is a high degree of risk for this project due to the nature of the system. As a result, you want to place particular emphasis on risk. Based on this, what is the best way to articulate risk on your report?
2. You are defining the rules of engagement (ROE) for an upcoming penetration test. During this process, you have defined off-limit times when you should not attack the target, a list of in-scope and out-of-scope systems, and data-handling requirements for the information you gather during the test. You also phoned one of the help-desk technicians at the target site and received verbal permission to conduct the test. You recorded the technician’s name and the date in the ROE document. What did you do incorrectly in this scenario?
3. What would be the significant concern when seeking approval for the security testing tools?

Reg. No. 11705786
1. You have been given the job of testing the organization’s firewall. You have reviewed the implementation plan and steps, verified that the configuration has been set up as instructed by the firewall vendor and have conducted port scanning. Your organization is particularly concerned about denial of service (DoS) attacks, particularly since they had one when the old firewall was in place. What type of testing should you conduct to help detect unexpected behavior that could be exploited by a DoS attack?
2. You have just completed a gray box penetration test for a client. You have written up your final report and delivered it to the client. You also made sure that all access granted to you by the client to conduct the test has been disabled. You write a blog article identifying the client and the results of the assessment and post it to ensure no one else makes the same security mistakes the client made. Did you terminate the penetration test properly? If yes, why? If no, why?
3. You are in the initial stages of scoping a gray box penetration test with a new client. What is a question you should ask to better define the project scope?
Reg. No. 11705790
1. You are reviewing a set of security test results run on a product that is going through final testing before release to production. This is an update of a version that is currently in production. The application just tested was your e-commerce site, and it has a defect that allows cross-site scripting. List the steps that you should take as a security expert in this situation.
2. You are scoping a black box penetration test. Where should the penetration testers be physically located? Explain why, with a scenario.
3. You have been asked by the business analyst to help with defining the requirements for the security aspects of a system. This is a safety-critical system that stores medical information for patients and supplies this information to health professionals at hospitals, doctors’ offices and ambulances. At what point in the lifecycle should the security requirements be documented and at what level of detail?

Reg. No. 11706961
1. What are advantages to imposing security standards in contracts?
2. You are the CIO for a mid-sized corporation. You are putting together a plan to implement regular penetration tests and are considering using an internal penetration testing team consisting of your own employees. What could be benefits of internal team selection?
3. You are the CIO for a mid-sized corporation. You are putting together a plan to implement regular penetration tests and are considering using an external penetration testing contractor. What could be benefits of using an external team?

Reg. No. 11707944
1. You are the CIO for a mid-sized corporation. You are putting together a plan to implement regular penetration tests and are considering using an internal penetration testing team consisting of your own employees. What could be disadvantages of using an internal team?
2. You are the CIO for a mid-sized corporation. You are putting together a plan to implement regular penetration tests and are considering using an external penetration testing contractor. What could be disadvantages of using an external team?
3. Joshua works for a penetration testing consulting firm. During a recent penetration test, he ran an attack tool against the client’s public-facing e-commerce website. It went offline for more than an hour. The client is now threatening to sue Joshua’s employer. At what stage of the penetration testing process should the consulting firm and the client have agreed upon the risks associated with the test? Explain in detail.

Reg. No. 11707967
1. As a penetration tester, you analyzed that in an organization one range of the network is facing malicious activities. Suggest some methods for isolating and evaluating that network part.
2. You are a penetration tester, and you want to conduct an impact analysis. Discuss what attacks you would perform on the network for this.
3. You want to conduct a vulnerability assessment on misconfigured devices in your organization. List all the steps that are required in the process.

Reg. No. 11708027
1. You have been working in the IT department of BCP organization for the last few years. You are now assigned the duty to train a new intern regarding the various classifications of vulnerability assessment.
2. Discuss the various steps involved in conducting a social engineering penetration test. Support your answer with an example.
3. Specify how you gather information about the target website using GHDB.

Reg. No. 11712722
1. An organization wants to check the security of their DNS server. As a penetration tester, describe how you can access the company’s DNS record.
2. Discuss various tools for gathering information about telephone numbers of the employees working in devetech company.
3. Discuss the various types of vulnerability assessment phases.

Reg. No. 11712733
1. A new organization named TCL Infotech wants to test the security of the different types of servers and web applications used. Specify how you would perform a vulnerability assessment.
2. There is always ambiguity between penetration testing and vulnerability assessment. What are the differences between the two? Support your answer with appropriate examples.
3. The director of a sales company is concerned about the security related to network and web applications. Suggest certain assessment methods a company should perform to avoid future attacks on network a

Reg. No. 11716354
1. Discuss at least five tools you can use for performing vulnerability assessment.
2. Describe the process of how penetration testing enables an organization to identify strengths, weaknesses, threats, and defenses on the network.
3. After performing penetration testing, a company finds there are vulnerabilities in its network. Suggest various defense mechanisms.

Reg. No. 11701452
1. If a penetration tester wants to perform a vulnerability assessment on a web application, discuss what methods and parameters he/she should follow.
2. Describe the process of how penetration testing can help to trace the vulnerabilities and weaknesses that exist in a network.
3. Portray the process of how penetration testing can assist with following the weaknesses and shortcomings that exist in an organization.

Reg. No. 11702289
1. Illustrate, using an appropriate example, how you would gather information about any person through a job search website.
2. Discuss which automated tools can be used in performing information gathering about a company named TCL.
3. Differentiate between the tools Maltego and Nmap.

Reg. No. 11702371
1. Can you retrieve registered information in a public database? If yes, discuss any two tools used to gather information.
2. How can phishing be used by penetration testers to extract information from target hosts?
3. Suppose you are performing password cracking penetration testing using John the Ripper. Discuss in detail the process involved.

Reg. No. 11702410
1. Suppose you are performing password cracking penetration testing using Cain and Abel. Discuss in detail the process involved.
2. You have performed a vulnerability assessment on the organization’s resources like network devices, servers etc. Discuss how you will draft a report on the test performed.
3. After gathering information about the target organization from publicly available resources, identify what reports would be delivered after the test.

Reg. No. 11702481
1. During the process of penetration testing, you have identified vulnerabilities in the network architecture of an organization. Suggest what vulnerability assessment solution would be implemented.
2. Discuss the various types of tools used in vulnerability assessment.
3. What is a timeline? Is it necessary to set a timeline in every phase? Also, discuss the importance of a timeline in the vulnerability assessment phase.

Reg. No. 11702484
1. Suppose you found a misconfiguration in the network devices in a GCP company while performing a vulnerability assessment. Describe what elements you would include in the reports.
2. Differentiate the reports generated by Nessus and QualysGuard.
3. Suppose you are given the responsibility of performing penetration testing on LPU’s network. How would you gather information using an active reconnaissance tool?

Reg. No. 11702633
1. Suppose you are given the responsibility of performing penetration testing on LPU’s network. How would you gather information using a passive reconnaissance tool?
2. Gather information about employees of BCL organization. Mention the process and what tools you would use to perform this activity.
3. Using an appropriate tool, evaluate whether your organization is vulnerable to SQL injection attack or not. Explain the process required.

Reg. No. 11702777
1. Using an appropriate tool, evaluate whether your organization’s website is vulnerable to XSS attack or not. Explain the process required.
2. Using nmap, discuss various types of scans you would use to audit the network of your organization from the internal network.
3. Discuss the difference between Hping and nmap using at least 2 examples.

Reg. No. 11702809
1. Analyze the results of a vulnerability assessment performed on the organization’s policies, configuration of devices, servers and employees’ data. Construct a plan of action.
2. Discuss various password cracking techniques. Choose the password cracking technique that best suits your need.
3. After reviewing vulnerabilities identified in scans of GCPG servers and the BxB web app, determine the exploitation tactics you will use.
The Company needs to verify the security of its DNS server. As a penetration tester, explain how to r
1
each the company's DNS record.
11702903 Open-source intelligence (OSINT) collection frameworks are used to effectively manage sources of
2
collected information. Justify this statement with the help of any example.
3 What exactly is data packet sniffing, and what are some of the most widely used tools?
A deficiency has been discovered in production. If an unauthorized user copies a URL from a
session of an authorized user, the unauthorized user can paste the URL into their session and
continue to process with the authorized user’s rights. In the case that was reported, the unauthorized
1
user was able to use the authorized user’s URL to change the system administration password. In
order to close this gap, the developers will check the session ID and the user ID anytime a URL is
11702906 used. What is a realistic concern for this fix?
What is SQL injection and what can you do to help ensure SQL injection attacks will not plague your
2
organization?
3 What are some of the most common network security vulnerabilities that a pentester comes across?
You have been testing a system that has 20 defined components. You have done extensive security
1 testing on each of the components. The system is now ready to move into component integration
11702967 security testing. How should you approach this testing?
2 How important is it to stay up-to-date with changes in the vulnerability landscape?
3 Describe the different phases of a network intrusion attack.
Reg. No. 11703134
1. You have been given the following requirement for security testing. A user will be allowed to request their password. If they make this request, they must answer two of their three security questions correctly. If they answer correctly, a link will be sent to their email. The link will take them to a page where they can reset their password. Once reset, they can log in with the new password. The link must be disabled 1 hour after it is sent. The user is allowed only two password requests without a reset, after which they will have to call the help desk. For any other errors, the user ID is locked and must be unlocked by the help desk. List the test conditions needed to adequately test the functional security covered by this requirement.
2. Design and justify the requirements for penetration testing, and for preventing hacking, data loss and data manipulation, using e-commerce as a case study.
3. After a pentest is conducted, what are some of the top network controls you would advise your client to implement?
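An executable model of the password-reset requirement in question 1 above, added here as an example (it is not part of the question bank and not anyone's production code), so that each test condition can be run against it. The requirement does not say which events count as "any other errors"; the places where this model decides that (wrong security answers and an unknown link token lock the account, an expired link does not) are marked ASSUMED. Time is passed in explicitly so the one-hour link expiry can be tested without waiting.

```python
"""Added example (not part of the question bank): an executable model of the
password-reset requirement, so each test condition can be exercised against it.
Interpretations marked ASSUMED are ours: the requirement does not spell out
which events are "any other errors"."""
import secrets

LINK_TTL_SECONDS = 3600                 # "disabled 1 hour after it is sent"
MAX_REQUESTS_WITHOUT_RESET = 2          # "only two password requests without a reset"


class Account:
    def __init__(self, password: str, answers: list[str]):
        self.password = password
        # The three security questions; answers are normalised before comparison.
        self.answers = [a.strip().lower() for a in answers]
        self.locked = False               # cleared only by the help desk
        self.helpdesk_required = False    # too many requests; help desk must intervene
        self.pending_requests = 0         # requests since the last successful reset
        self.link = None                  # (token, time sent) once a link is issued

    def request_reset(self, answers: list[str], now: float) -> str:
        """Step 1: the user asks for a reset and answers the security questions."""
        if self.locked:
            return "locked"
        if self.helpdesk_required:
            return "call_help_desk"
        correct = sum(a.strip().lower() == b for a, b in zip(answers, self.answers))
        if correct < 2:
            self.locked = True            # ASSUMED: wrong answers are an "other error"
            return "locked"
        self.pending_requests += 1
        if self.pending_requests > MAX_REQUESTS_WITHOUT_RESET:
            self.helpdesk_required = True
            self.link = None
            return "call_help_desk"
        self.link = (secrets.token_urlsafe(24), now)   # unguessable single-use token
        return "link_sent"

    def reset_with_link(self, token: str, new_password: str, now: float) -> str:
        """Step 2: the user follows the emailed link and sets a new password."""
        if self.locked:
            return "locked"
        if self.link is None or not secrets.compare_digest(token, self.link[0]):
            self.locked = True            # ASSUMED: an unknown token is an "other error"
            return "locked"
        if now - self.link[1] >= LINK_TTL_SECONDS:
            self.link = None              # ASSUMED: expiry is not an error, just a dead link
            return "link_expired"
        self.password = new_password
        self.link = None                  # the link is single-use
        self.pending_requests = 0         # a successful reset clears the request counter
        return "reset_ok"

    def login(self, password: str) -> str:
        if self.locked:
            return "locked"
        return "ok" if secrets.compare_digest(password, self.password) else "bad_password"

    def helpdesk_unlock(self) -> None:
        """The only path out of the locked and help-desk-required states."""
        self.locked = False
        self.helpdesk_required = False
        self.pending_requests = 0
```

Each branch in the model corresponds to one test condition a tester would list: two of three answers right, fewer than two right, link used before and at the one-hour mark, second request after an expired link, third request without a reset, login with the new and with the old password, and recovery through the help desk.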
Reg. No. 11703159
1. You are implementing procedures for evaluating system hardening in an effort to test the system's security effectiveness. What procedure might you follow to ensure the hardening mechanisms put in place are working as expected?
2. Mary has added an apostrophe after an ?id= parameter within the URL of a webpage. She now sees an error saying there was a syntax error. What did Mary find? Explain in detail.
3. What exactly is CSRF, and how can it be prevented? How would you test for it when executing a pentest exercise?
Reg. No. 11703203
1. Typical encryption mechanisms are vulnerable to threats, which makes it important to understand their effectiveness at any given time. Identify some measures you should implement to gain confidence in your encryption mechanisms.
2. A site uses dynamically generated content. By making use of a specific technique, it is possible to steal the login credentials of the user. Which technique is meant here? Explain in detail.
3. Your role as the Security Administrator is to help your organization understand the effectiveness of security policies and procedures across the enterprise. You will report your effectiveness findings to senior management after your analysis has been completed. What would be the optimum strategy to accomplish this?
Reg. No. 11703280
1. List some techniques to effectively test the abilities of an intrusion detection tool.
2. Before beginning an ethical hack at a client, a penetration tester should always be prepared for any legal issues. What should the penetration tester do to prevent legal liability?
3. If an organization experiences a security breach and legal action results, how does it help the organization to have done security testing?
Reg. No. 11703454
1. List the disadvantages of malware scanning tools.
2. A penetration tester is testing a web application. To check for vulnerabilities, she decides to check whether SQL injection is possible. Which character is typically tried first by the penetration tester? Explain the next steps to be carried out.
3. You are working at a bank as part of the security testing team. During a recent security audit it was noted that users' passwords were not strong enough. Since that time, a new set of requirements has been issued to ensure password strength. Given this information, what would be a reasonable set of security objectives for general password rule testing?
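The following is an added example (not part of the question bank) that serves both question 2 above and the earlier question about the apostrophe after an ?id= parameter (Reg. No. 11703159, question 2). It builds a throwaway SQLite table with constructed rows, runs the same lookup through a query built by string concatenation and through a parameterised query, and classifies the reaction to three probes the way a tester would: a plain value, a single apostrophe, and a tautology. The table, rows and function names are assumptions for the demo.

```python
"""Added example (not part of the question bank): why a single apostrophe is the
first SQL injection probe, and how a bound parameter closes the hole.
Uses an in-memory SQLite database with constructed sample rows."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny users table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """Vulnerable: the ?id= value is pasted straight into the SQL text, so any
    quote in it changes the statement's structure."""
    sql = f"SELECT id, name FROM users WHERE id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """Hardened: the value travels as a bound parameter and is only ever data."""
    return conn.execute("SELECT id, name FROM users WHERE id = ?",
                        (user_id,)).fetchall()


def probe(conn: sqlite3.Connection, lookup, payload: str) -> str:
    """Classify the application's reaction to a payload:
    'error'  -> the database reported a syntax error (the quote broke the query:
                the parameter is injectable, and the next step is to craft a
                payload that keeps the query valid)
    'all'    -> the WHERE clause was bypassed and every row came back
    otherwise the number of rows returned."""
    try:
        rows = lookup(conn, payload)
    except sqlite3.OperationalError:      # SQLite's syntax/parse error
        return "error"
    if len(rows) == 3:
        return "all"
    return str(len(rows))


def run_probes(lookup) -> dict:
    """Run the three classic first probes against one lookup implementation."""
    conn = make_db()
    return {
        "plain": probe(conn, lookup, "2"),
        "apostrophe": probe(conn, lookup, "2'"),
        "tautology": probe(conn, lookup, "2' OR '1'='1"),
    }


if __name__ == "__main__":
    print("concatenated:", run_probes(lookup_vulnerable))
    print("parameterised:", run_probes(lookup_safe))
```

The leaked syntax error on the apostrophe probe is exactly what Mary saw; with the parameterised version the same inputs simply match nothing, because the quote never reaches the SQL parser. Query parameterisation, least-privilege database accounts and suppressing verbose database errors in production are the controls that follow from this.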
Reg. No. 11703477
1. You are responsible for security testing your company's financial application. You have recently received an email from a person who claims to have hacked into the system using Shodan and to have discovered that you are running an out-of-date and vulnerable OS on one of your servers. You have checked, and the hacker is correct. You have made sure the server has been updated. Your preliminary check has shown no trace of how the hacker got into your system. Should you be concerned? If yes, why? If no, why not?
2. During a gray box penetration test, the tester notices that the organization's human resources self-service web application uses Active Directory user accounts for authentication. It also includes a "Remember me" option on the login page. The tester sends an email message to high-level employees within the organization with the subject line "Check out this funny picture." When the email is opened, hidden HTML code actually sends an HTTP request to the self-service web application that changes the user's password. The attack relies on the saved session cookie from the site to work. What type of authentication exploit is this? Why? Explain.
3. Your company recently made headlines after a security breach resulted in confidential customer information being stolen. Management has reacted with an edict that the scope of the security testing objectives needs to be expanded immediately. While you agree that something needs to be done, you are worried that this approach may be too reactive and may not result in the testing that is needed. What is a reasonable concern if these initiatives are implemented?
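Added example (not part of the question bank, and not the code of any real HR application) for question 2 above and for the earlier CSRF question (Reg. No. 11703159, question 3). It models the password-change endpoint with an in-memory session store and shows why the saved session cookie alone is not enough: the handler also requires a per-session anti-CSRF token that a page on another origin cannot read, and rejects a cross-site Origin header. The origin name, request shape and session store are assumptions for the demo.

```python
"""Added example (not part of the question bank): a server-side guard against the
"hidden HTML sends a password-change request" attack. The browser attaches the
saved session cookie to any request aimed at the site, so the cookie proves
nothing about who built the request; the handler therefore also demands a
per-session anti-CSRF token and checks the Origin header.
The request dictionaries and session store are constructed for the demo."""
import hmac
import secrets

SITE_ORIGIN = "https://hr.example.internal"   # assumed origin of the self-service app

# In-memory session store keyed by the session cookie value (constructed).
SESSIONS: dict[str, dict] = {}


def login(user: str) -> tuple[str, str]:
    """Create a session; return (session cookie value, anti-CSRF token bound to it).
    The token is embedded in the app's own forms and is never readable cross-origin."""
    sid = secrets.token_urlsafe(32)
    token = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": token, "password": "old"}
    return sid, token


def change_password(request: dict) -> tuple[int, str]:
    """Handle POST /change-password. `request` carries 'cookies', 'headers', 'form'."""
    session = SESSIONS.get(request["cookies"].get("session", ""))
    if session is None:
        return 401, "not logged in"
    # 1. Browsers add an Origin header to cross-site POSTs; anything but our own
    #    origin is refused. (Absent header: fall through to the token check.)
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-site origin rejected"
    # 2. The form must carry the token issued to this session; constant-time compare.
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied, session["csrf"]):
        return 403, "missing or invalid CSRF token"
    session["password"] = request["form"]["new_password"]
    return 200, "password changed"


def demo() -> dict:
    """Replay the scenario: one legitimate change, then two forged attempts."""
    sid, token = login("cfo")
    # Legitimate request submitted from the app's own page.
    legit = {"cookies": {"session": sid},
             "headers": {"Origin": SITE_ORIGIN},
             "form": {"csrf_token": token, "new_password": "N3w!"}}
    # The "funny picture" email: the browser attaches the remembered cookie, but the
    # attacker's HTML comes from another origin and cannot know the token.
    forged = {"cookies": {"session": sid},
              "headers": {"Origin": "https://attacker.example"},
              "form": {"new_password": "pwned"}}
    # Same forgery from a client that sends no Origin header at all.
    forged_no_origin = {"cookies": {"session": sid},
                        "headers": {},
                        "form": {"new_password": "pwned"}}
    return {
        "legit": change_password(legit),
        "forged": change_password(forged),
        "forged_no_origin": change_password(forged_no_origin),
        "password_after": SESSIONS[sid]["password"],
    }


if __name__ == "__main__":
    print(demo())
```

The "Remember me" option is what makes the attack land on a cold browser: it turns the session cookie into a persistent one, so the forged request is authenticated whenever the email is opened. Marking the cookie SameSite and requiring re-authentication for sensitive actions such as password changes are further controls the token check does not replace.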
Reg. No. 11703505
1. Why is an attack from inside the organization particularly worrisome?
2. Which forms of cross-site scripting (XSS) attack are considered to be server-side exploits? Why? Explain.
3. You have just accepted a job to create a security testing team for a company that handles sensitive medical information that is shared between doctors and hospitals. You have noticed that the security around this information is not sufficient to protect it from hackers or even accidental exposure. The person who had your job previously brought in a number of consultants to do testing, but the findings were not documented and no changes were implemented. In fact, you do not even know what the coverage was from the testing. You have presented your findings to the executive management team. While they have agreed in principle that they need security testing, they have not allocated the necessary budget or time to the project. It appears that while they think security is a good idea, they really have no understanding of what should be done or how it should be done. What should be your first step toward getting the executives aligned with the work that needs to be done?
Reg. No. 11703885
1. During testing of an upgrade, you have discovered that it is possible to create a man-in-the-middle attack that can change the amount charged to customers on your e-commerce web site. Your tester successfully changed the amount so that customers were all getting a 10% discount. What should you do first?
2. Download pwdump and RainbowCrack and attempt to crack the passwords on your own computer. Repeat this process using ophcrack. Note which is more effective at cracking your passwords.
3. You have just come from a meeting where there was much discussion regarding the security approach of the organization. One of the points of emphasis was the importance of testing to ensure that data is protected from fraudulent access, particularly credit card information. You have been asked to prepare a set of testing objectives that will help address this risk area. Write the objectives accordingly.
Reg. No. 11703899
1. Why is it important to reassess security risk expectations on a frequent basis?
2. During a black box penetration test, the tester discovers that the organization's wireless access point has been configured with an administrative username of admin and a password of Admin. The tester gains administrative access to the access point. What kind of authentication exploit occurred in this scenario? Explain.
3. You have been developing a security test plan for a system that will store medical information for patients and will transfer that data to specialist doctors. You have covered the following areas in your plan:
   • Scope (what is in scope and out of scope)
   • Roles and assignments
   • Responsibilities (vendors vs. internal)
   • High-level schedule
   • Environment requirements and setup
   • List of necessary authorizations and approvals
   What information do you still need to supply in this test plan to meet the minimum requirements as noted in the syllabus?
Reg. No. 11704502
1. What could be the benefits of conforming to security testing standards?
2. John is trying to get a list of password hashes from a machine so that he can look them up in a rainbow table and try to retrieve the passwords. What tool would be most helpful to him, and how?
3. List 5 test cases that would best test a system's security procedures.
Reg. No. 11704978
1. You are finalizing your security test status report for a project that is ready for deployment into production. There is a high degree of risk for this project due to the nature of the system. As a result, you want to place particular emphasis on risk. Based on this, what is the best way to articulate risk in your report?
2. You are defining the rules of engagement (ROE) for an upcoming penetration test. During this process, you have defined off-limit times when you should not attack the target, a list of in-scope and out-of-scope systems, and data-handling requirements for the information you gather during the test. You also phoned one of the help-desk technicians at the target site and received verbal permission to conduct the test. You recorded the technician's name and the date in the ROE document. What did you do incorrectly in this scenario?
3. What would be a significant concern when seeking approval for the security testing tools?
Reg. No. 11705315
1. You have been given the job of testing the organization's firewall. You have reviewed the implementation plan and steps, verified that the configuration has been set up as instructed by the firewall vendor, and conducted port scanning. Your organization is particularly concerned about denial of service (DoS) attacks, particularly since it suffered one when the old firewall was in place. What type of testing should you conduct to help detect unexpected behavior that could be exploited by a DoS attack?
2. You have just completed a gray box penetration test for a client. You have written up your final report and delivered it to the client. You also made sure that all access granted to you by the client to conduct the test has been disabled. You write a blog article identifying the client and the results of the assessment and post it to ensure no one else makes the same security mistakes the client made. Did you terminate the penetration test properly? If yes, why? If no, why not?
3. You are in the initial stages of scoping a gray box penetration test with a new client. What is a question you should ask to better define the project scope?
Reg. No. 11705593
1. You are reviewing a set of security test results run on a product that is going through final testing before release to production. This is an update of a version that is currently in production. The application just tested was your e-commerce site, and it has a defect that allows cross-site scripting. List the steps that you should take as a security expert in this situation.
2. You are scoping a black box penetration test. Where should the penetration testers be physically located? Explain why, with a scenario.
3. You have been asked by the business analyst to help with defining the requirements for the security aspects of a system. This is a safety-critical system that stores medical information for patients and supplies this information to health professionals at hospitals, doctors' offices and ambulances. At what point in the lifecycle should the security requirements be documented, and at what level of detail?
Reg. No. 11706989
1. What are the advantages of imposing security standards in contracts?
2. You are the CIO for a mid-sized corporation. You are putting together a plan to implement regular penetration tests and are considering using an internal penetration testing team consisting of your own employees. What could be the benefits of selecting an internal team?
3. You are the CIO for a mid-sized corporation. You are putting together a plan to implement regular penetration tests and are considering using an external penetration testing contractor. What could be the benefits of using an external team?
Reg. No. 11708069
1. You are the CIO for a mid-sized corporation. You are putting together a plan to implement regular penetration tests and are considering using an internal penetration testing team consisting of your own employees. What could be the disadvantages of using an internal team?
2. You are the CIO for a mid-sized corporation. You are putting together a plan to implement regular penetration tests and are considering using an external penetration testing contractor. What could be the disadvantages of using an external team?
3. Joshua works for a penetration testing consulting firm. During a recent penetration test, he ran an attack tool against the client's public-facing e-commerce website. It went offline for more than an hour. The client is now threatening to sue Joshua's employer. At what stage of the penetration testing process should the consulting firm and the client have agreed upon the risks associated with the test? Explain in detail.
Reg. No. 11710912
1. You need to capture packets on a wired network during the information gathering phase of a gray box penetration test. Which utilities could you use on your laptop to accomplish this? Explain any two.
2. You are performing a gray box penetration test for a client. The employees in the target organization use an application that was developed in-house to complete their day-to-day work. It crashes frequently, and you suspect that it is based on poorly written or outdated code. You want to analyze the application's execution when run by a typical end user to see whether it contains weaknesses that can be exploited. What should you do?
3. You are performing a vulnerability scan during a gray box penetration test. The scanner manipulates the TCP three-way handshake to enumerate network hosts. Which type of scan are you performing? Explain in detail.
Reg. No. 11712786
1. You are performing a gray box penetration test. You are performing a vulnerability scan on the internal network using a stealth scan. The target network has an IDS device installed. What is likely to happen? Explain in detail.
2. You need to perform a vulnerability scan as part of a gray box penetration test. The rules of engagement specify that the internal system administrators are not to receive any warning of when your scan will occur, that you are to avoid detection, and that your scan should gather as much information as possible. What should you do? Explain in detail.
3. You are performing a gray box penetration test. You want to craft a custom packet to test how a server responds and to see what information it responds with. Which utility could you use to do this? Explain in detail.
Reg. No. 11717875
1. You are performing a black box penetration test. You have used theHarvester to enumerate a large number of user email addresses in the target organization. What could you do with this information?
2. Kimberly is running a gray box penetration test. The target network uses a 10-net IP addressing scheme with an 8-bit subnet mask (10.0.0.0/8). She needs to run a vulnerability scan on each host on the network. She loads nmap on her laptop, which is connected to the same segment being scanned, using the -T0 option. What did she do incorrectly in this scenario? Explain in detail.
3. You are assessing the results of a vulnerability scan and have noticed a common theme. You have found that almost all of the target organization's Windows Server 2012 R2 systems are missing the same critical security updates. What should you do?
Reg. No. 11717995
1. You are assessing the results of a vulnerability scan and notice that many network devices, such as routers and access points, still use default administrative usernames and passwords. This information can be easily found on the Internet and represents a significant security vulnerability. What should you do?
2. You have just completed scanning a target network and are now prioritizing activities in preparation to exploit the vulnerabilities found. You discover that the organization still uses several older, unsupported Windows 2000 Server systems. After performing some research, you identify several vulnerabilities associated with these systems that could be exploited. You modify the source code for a particular exploit so that it will work on these older systems, and then you compile it. What should you do next?
3. A penetration tester has been asked to determine whether the client's server farm is compliant with the company's software baseline by conducting a remote scan. What type of scan should the tester perform to verify compliance?
Reg. No. 11718389
1. After several attempts, a tester was able to gain unauthorized access through a biometric sensor by using the tester's own fingerprint, without any exploitation. What happened with the biometric device that allowed the tester to gain access?
2. A penetration tester is using social media to gather information about different employees at a company. The tester has created a list of popular words used frequently in the employees' profiles. What type of attack could this information be used for?
3. You are a penetration tester, and after performing a recent test you discover that the client's staff are using dictionary and seasonal passwords. What is the best way to control the use of common dictionary words as passwords?
Reg. No. 11719799
1. A penetration tester wants to use rainbow tables against a password file that has been captured. How does a rainbow table crack passwords, and how is it different from brute force?
2. During a gray box penetration test, you discover an open SMTP service running on an older database server. You want to use this SMTP service to send phishing emails to users within the organization. What is this exploit called?
3. While performing a black box penetration test, you identify a significant amount of FTP data being transferred between an unknown internal host on the target network and hosts on the Internet on ports 20 and 21. How could you exploit this traffic to gain access to systems on the target network?