CEH - Footprinting and Reconnaissance

Uploaded by HASSIME Ba

Footprinting and reconnaissance, scanning, enumeration, vulnerability analysis

Q1:
If you want to scan fewer ports than the default Nmap scan covers, which option
would you use?

A. -r
B. -F Most Voted
C. -P
D. -sP

Q2:
If a tester is attempting to ping a target that exists but receives no response or a response that
states the destination is unreachable, ICMP may be disabled and the network may be using
TCP. Which other option could the tester use to get a response from a host using TCP?

A. Traceroute
B. Hping
C. TCP ping
D. Broadcast ping

Q3:
Which is the first step followed by Vulnerability Scanners for scanning a network?

A. OS Detection
B. Firewall detection
C. TCP/UDP Port scanning
D. Checking if the remote host is alive

Q4:
DNS cache snooping is a process of determining if the specified resource address is present in
the DNS cache records. It may be useful during the examination of the network to determine
what software update resources are used, thus discovering what software is installed.
What command is used to determine if the entry is present in DNS cache?

A. nslookup -fullrecursive update.antivirus.com
B. dnsnooping -rt update.antivirus.com
C. nslookup -norecursive update.antivirus.com Most Voted
D. dns --snoop update.antivirus.com

Q5:
An incident investigator asks to receive a copy of the event logs from all firewalls, proxy
servers, and Intrusion Detection Systems (IDS) on the network of an organization that has
experienced a possible breach of security. When the investigator attempts to correlate the
information in all of the logs, the sequence of many of the logged events does not match up.
What is the most likely cause?

A. The network devices are not all synchronized.
B. Proper chain of custody was not observed while collecting the logs.
C. The attacker altered or erased events from the logs.
D. The security breach was a false positive.

Q6:
Which UDP port does the Network Time Protocol (NTP) use as its primary means of
communication?

A. 113
B. 69
C. 123
D. 161

Q7:
What term describes the amount of risk that remains after the vulnerabilities are classified and
the countermeasures have been deployed?

A. Residual risk
B. Impact risk
C. Deferred risk
D. Inherent risk

Q8:
You are attempting to run an Nmap port scan on a web server. Which of the following
commands would result in a scan of common ports with the least amount of noise in order to
evade IDS?

A. nmap -A -Pn
B. nmap -sP -p-65535 -T5
C. nmap -sT -O -T0
D. nmap -A --host-timeout 99 -T1

Q9:
A penetration tester is conducting a port scan on a specific host. The tester found several open
ports that made it hard to conclude which Operating System (OS) version is installed.
Considering the Nmap result below, which of the following is likely to be installed on the
target machine?

A. The host is likely a Linux machine.
B. The host is likely a printer.
C. The host is likely a router.
D. The host is likely a Windows machine.

Q10:
What does the -oX flag do in an Nmap scan?

A. Perform an eXpress scan
B. Output the results in truncated format to the screen
C. Output the results in XML format to a file
D. Perform an Xmas scan

Q11:
The collection of potentially actionable, overt, and publicly available information is known as

A. Open-source intelligence
B. Real intelligence
C. Social intelligence
D. Human intelligence

Q12:
Suppose your company has just passed a security risk assessment exercise. The results display
that the risk of the breach in the main company application is
50%. Security staff has taken some measures and implemented the necessary controls. After
that, another security risk assessment was performed showing that risk has decreased to 10%.
The risk threshold for the application is 20%. Which of the following risk decisions will be
the best for the project in terms of its successful continuation with the most business profit?

A. Accept the risk
B. Introduce more controls to bring risk to 0%
C. Mitigate the risk
D. Avoid the risk

Q13:
Hackers often raise the trust level of a phishing message by modeling the email to look
similar to the internal email used by the target company. This includes using logos,
formatting, and names of the target company. The phishing message will often use the name
of the company CEO, President, or Managers. The time a hacker spends performing research
to locate this information about a company is known as?

A. Exploration
B. Investigation
C. Reconnaissance
D. Enumeration

Q14:
The "Gray-box testing" methodology enforces what kind of restriction?

A. Only the external operation of a system is accessible to the tester.
B. The internal operation of a system is only partly accessible to the tester.
C. Only the internal operation of a system is known to the tester.
D. The internal operation of a system is completely known to the tester.

Q15:
When analyzing the IDS logs, the system administrator noticed an alert was logged when the
external router was accessed from the administrator's Computer to update the router
configuration. What type of an alert is this?

A. False negative
B. True negative
C. True positive
D. False positive

Q16:
When you are getting information about a web server, it is very important to know the HTTP
Methods (GET, POST, HEAD, PUT, DELETE, TRACE) that are available because there are
two critical methods (PUT and DELETE). PUT can upload a file to the server and DELETE
can delete a file from the server. You can detect all these methods (GET, POST, HEAD, PUT,
DELETE, TRACE) using NMAP script engine. What Nmap script will help you with this
task?

A. http-methods
B. http-enum
C. http-headers
D. http-git

Q17:
Which system consists of a publicly available set of databases that contain domain name
registration contact information?
A. WHOIS Most Voted
B. CAPTCHA
C. IANA
D. IETF

Q18:
Why is a penetration test considered to be more thorough than vulnerability scan?

A. Vulnerability scans only do host discovery and port scanning by default.
B. A penetration test actively exploits vulnerabilities in the targeted infrastructure,
while a vulnerability scan does not typically involve active exploitation. Most Voted
C. It is not; a penetration test is often performed by an automated tool, while a
vulnerability scan requires active engagement.
D. The tools used by penetration testers tend to have much more comprehensive
vulnerability databases.

Q19:
Which results will be returned with the following Google search query?
site:target.com -site:Marketing.target.com accounting

A. Results from matches on the site marketing.target.com that are in the domain
target.com but do not include the word accounting.
B. Results matching all words in the query.
C. Results for matches on target.com and Marketing.target.com that include the word
"accounting"
D. Results matching "accounting" in domain target.com but not on the site
Marketing.target.com Most Voted

Q20:
Which of the following incident handling process phases is responsible for defining rules,
collaborating human workforce, creating a back-up plan, and testing the plans for an
organization?

A. Preparation phase
B. Containment phase
C. Identification phase
D. Recovery phase

Q21:
Peter is surfing the internet looking for information about DX Company. Which hacking
process is Peter doing?

A. Scanning
B. Footprinting
C. Enumeration
D. System Hacking

Q22:
A hacker is an intelligent individual with excellent computer skills and the ability to explore a
computer's software and hardware without the owner's permission.
Their intention can either be to simply gain knowledge or to illegally make changes.
Which of the following classes of hacker refers to an individual who works both offensively and
defensively at various times?

A. White Hat
B. Suicide Hacker
C. Gray Hat
D. Black Hat

Q23:
What is the way to decide how a packet will move from an untrusted outside host to a
protected inside that is behind a firewall, which permits the hacker to determine which ports
are open and if the packets can pass through the packet-filtering of the firewall?

A. Session hijacking
B. Firewalking Most Voted
C. Man-in-the-middle attack
D. Network sniffing

Q23:
What is the role of test automation in security testing?

A. It is an option but it tends to be very expensive.
B. It should be used exclusively. Manual testing is outdated because of low speed and
possible test setup inconsistencies.
C. Test automation is not usable in security due to the complexity of the tests.
D. It can accelerate benchmark tests and repeat them with a consistent test setup. But it
cannot replace manual testing completely.

Q24:
Your company performs penetration tests and security assessments for small and
medium-sized businesses in the local area. During a routine security assessment, you discover
information that suggests your client is involved with human trafficking.
What should you do?

A. Confront the client in a respectful manner and ask her about the data.
B. Copy the data to removable media and keep it in case you need it.
C. Ignore the data and continue the assessment until completed as agreed.
D. Immediately stop work and contact the proper legal authorities. Most Voted

Q25:
Which regulation defines security and privacy controls for Federal information systems and
organizations?

A. HIPAA
B. EU Safe Harbor
C. PCI-DSS
D. NIST-800-53

Q26:
Your company was hired by a small healthcare provider to perform a technical assessment on
the network. What is the best approach for discovering vulnerabilities on a Windows-based
computer?

A. Use the built-in Windows Update tool
B. Use a scan tool like Nessus
C. Check MITRE.org for the latest list of CVE findings
D. Create a disk image of a clean Windows installation

Q27:
You just set up a security system in your network. In what kind of system would you find the
following string of characters used as a rule within its configuration?

A. A firewall IPTable
B. FTP Server rule
C. A Router IPTable
D. An Intrusion Detection System Most Voted

Q28:
Which of the following is a component of a risk assessment?

A. Administrative safeguards
B. Physical security
C. DMZ
D. Logical interface

Q29:
Wilson, a professional hacker, targets an organization for financial benefit and plans to
compromise its systems by sending malicious emails. For this purpose, he uses a tool to track
the emails of the target and extracts information such as sender identities, mail servers, sender
IP addresses, and sender locations from different public sources. He also checks if an email
address was leaked using the haveibeenpwned.com API.
Which of the following tools is used by Wilson in the above scenario?

A. Factiva
B. ZoomInfo
C. Netcraft
D. Infoga Most Voted

Q30:
A penetration tester is performing the footprinting process and is reviewing publicly available
information about an organization by using the Google search engine.
Which of the following advanced operators would allow the pen tester to restrict the search to
the organization's web domain?

A. [allinurl:]
B. [location:]
C. [site:] Most Voted
D. [link:]

Q31:
You are a penetration tester working to test the user awareness of the employees of the client
XYZ. You harvested two employees' emails from some public sources and are creating a
client-side backdoor to send it to the employees via email.
Which stage of the cyber kill chain are you at?

A. Reconnaissance
B. Weaponization Most Voted
C. Command and control
D. Exploitation

Q32:
Sam is working as a system administrator in an organization. He captured the principal
characteristics of a vulnerability and produced a numerical score to reflect its severity using
CVSS v3.0 to properly assess and prioritize the organization's vulnerability management
processes. The base score that Sam obtained after performing CVSS rating was 4.0.
What is the CVSS severity level of the vulnerability discovered by Sam in the above
scenario?

A. Critical
B. Medium
C. High
D. Low

Q33:
Techno Security Inc. recently hired John as a penetration tester. He was tasked with
identifying open ports in the target network and determining whether the ports are online and
any firewall rule sets are encountered.
John decided to perform a TCP SYN ping scan on the target network.
Which of the following Nmap commands must John use to perform the TCP SYN ping scan?

A. nmap -sn -PO <target IP address>
B. nmap -sn -PS <target IP address> Most Voted
C. nmap -sn -PA <target IP address>
D. nmap -sn -PP <target IP address>

Q34:
John, a professional hacker, targeted an organization that uses LDAP for accessing distributed
directory services. He used an automated tool to anonymously query the LDAP service for
sensitive information such as usernames, addresses, departmental details, and server names to
launch further attacks on the target organization.
What is the tool employed by John to gather information from the LDAP service?

A. ike-scan
B. Zabasearch
C. JXplorer
D. EarthExplorer

Q35:
Richard, an attacker, targets an MNC. In this process, he uses a footprinting technique to
gather as much information as possible. Using this technique, he gathers domain information
such as the target domain name, contact details of its owner, expiry date, and creation date.
With this information, he creates a map of the organization's network and misleads domain
owners with social engineering to obtain internal details of its network.
What type of footprinting technique is employed by Richard?

A. VoIP footprinting
B. Email footprinting
C. Whois footprinting Most Voted
D. VPN footprinting

Q36:
Louis, a professional hacker, had used specialized tools or search engines to encrypt all his
browsing activity and navigate anonymously to obtain sensitive/hidden information about
official government or federal databases. After gathering the information, he successfully
performed an attack on the target government organization without being traced.
Which of the following techniques is described in the above scenario?

A. Website footprinting
B. Dark web footprinting Most Voted
C. VPN footprinting
D. VoIP footprinting

Q37:
An organization is performing a vulnerability assessment for mitigating threats. James, a pen
tester, scanned the organization by building an inventory of the protocols found on the
organization's machines to detect which ports are attached to services such as an email server,
a web server, or a database server. After identifying the services, he selected the
vulnerabilities on each machine and started executing only the relevant tests.
What is the type of vulnerability assessment solution that James employed in the above
scenario?

A. Service-based solutions
B. Product-based solutions
C. Tree-based assessment
D. Inference-based assessment Most Voted

Q38:
Mr. Omkar performed tool-based vulnerability assessment and found two vulnerabilities.
During analysis, he found that these issues are not true vulnerabilities.
What will you call these issues?

A. False positives
B. True negatives
C. True positives
D. False negatives

Q39:
Andrew is an Ethical Hacker who was assigned the task of discovering all the active devices
hidden by a restrictive firewall in the IPv4 range in a given target network.
Which of the following host discovery techniques must he use to perform the given task?
A. UDP scan
B. ARP ping scan Most Voted
C. ACK flag probe scan
D. TCP Maimon scan

Q40:
Ralph, a professional hacker, targeted Jane, who had recently bought new systems for her
company. After a few days, Ralph contacted Jane while masquerading as a legitimate
customer support executive, informing her that her systems need to be serviced for proper
functioning and that customer support will send a computer technician. Jane promptly replied
positively. Ralph entered Jane's company using this opportunity and gathered sensitive
information by scanning terminals for passwords, searching for important documents in desks,
and rummaging bins.
What is the type of attack technique Ralph used on Jane?

A. Impersonation
B. Dumpster diving
C. Shoulder surfing
D. Eavesdropping

Q41:
Sam is a penetration tester hired by Inception Tech, a security organization. He was asked to
perform port scanning on a target host in the network. While performing the given task, Sam
sends FIN/ACK probes and determines that an RST packet is sent in response by the target
host, indicating that the port is closed.
What is the port scanning technique used by Sam to discover open ports?

A. Xmas scan Most Voted
B. IDLE/IPID header scan
C. TCP Maimon scan
D. ACK flag probe scan

Q42:
Gerard, a disgruntled ex-employee of Sunglass IT Solutions, targets this organization to
perform sophisticated attacks and bring down its reputation in the market.
To launch the attacks process, he performed DNS footprinting to gather information about
DNS servers and to identify the hosts connected in the target network.
He used an automated tool that can retrieve information about DNS zone data including DNS
domain names, computer names, IP addresses, DNS records, and network Whois records. He
further exploited this information to launch other sophisticated attacks.
What is the tool employed by Gerard in the above scenario?

A. Towelroot
B. Knative
C. zANTI
D. Bluto Most Voted

Q43:
A post-breach forensic investigation revealed that a known vulnerability in Apache Struts was
to blame for the Equifax data breach that affected 143 million customers. A fix was available
from the software vendor for several months prior to the intrusion. This is likely a failure in
which of the following security processes?

A. Secure development lifecycle
B. Security awareness training
C. Vendor risk management
D. Patch management Most Voted

Q44:
If you send a TCP ACK segment to a known closed port on a firewall but it does not respond
with an RST, what do you know about the firewall you are scanning?

A. It is a non-stateful firewall.
B. There is no firewall in place.
C. It is a stateful firewall. Most Voted
D. This event does not tell you anything about the firewall.

Q45:
Harry, a professional hacker, targets the IT infrastructure of an organization. After preparing
for the attack, he attempts to enter the target network using techniques such as sending
spear-phishing emails and exploiting vulnerabilities on publicly available servers. Using these
techniques, he successfully deployed malware on the target system to establish an outbound
connection.
What is the APT lifecycle phase that Harry is currently executing?

A. Initial intrusion Most Voted
B. Persistence
C. Cleanup
D. Preparation

Q46:
In the Common Vulnerability Scoring System (CVSS) v3.1 severity ratings, what range does a
medium-severity vulnerability fall in?

A. 4.0-6.0
B. 3.9-6.9
C. 3.0-6.9
D. 4.0-6.9

Q47:
Clark, a professional hacker, was hired by an organization to gather sensitive information
about its competitors surreptitiously. Clark gathers the server IP address of the target
organization using Whois footprinting. Further, he entered the server IP address as an input to
an online tool to retrieve information such as the network range of the target organization and
to identify the network topology and operating system used in the network.
What is the online tool employed by Clark in the above scenario?

A. DuckDuckGo
B. AOL
C. ARIN
D. Baidu

Q48:
Henry is a cyber security specialist hired by BlackEye - Cyber Security Solutions. He was
tasked with discovering the operating system (OS) of a host. He used the Unicornscan tool to
discover the OS of the target system. As a result, he obtained a TTL value, which indicates
that the target system is running a Windows OS.
Identify the TTL value Henry obtained, which indicates that the target OS is Windows.

A. 128
B. 255
C. 64
D. 138

Q49:
Based on the log below, which of the following sentences is true?
Mar 1, 2016, 7:33:28 AM 10.240.250.23 - 54373 10.249.253.15 - 22 tcp_ip

A. Application is FTP and 10.240.250.23 is the client and 10.249.253.15 is the server.
B. Application is SSH and 10.240.250.23 is the server and 10.249.253.15 is the client.
C. SSH communications are encrypted; it's impossible to know who is the client or the
server.
D. Application is SSH and 10.240.250.23 is the client and 10.249.253.15 is the server.

Q50:
You have been authorized to perform a penetration test against a website. You want to use
Google dorks to footprint the site but only want results that show file extensions.
What Google dork operator would you use?

A. inurl
B. site
C. ext
D. filetype

Q51:
David is a security professional working in an organization, and he is implementing a
vulnerability management program in the organization to evaluate and control the risks and
vulnerabilities in its IT infrastructure. He is currently executing the process of applying fixes
on vulnerable systems to reduce the impact and severity of vulnerabilities.
Which phase of the vulnerability-management life cycle is David currently in?

A. Remediation
B. Verification
C. Risk assessment
D. Vulnerability scan

Q52:
Attacker Lauren has gained the credentials of an organization's internal server system, and she
was often logging in during irregular times to monitor the network activities. The organization
was skeptical about the login times and appointed security professional Robert to determine
the issue. Robert analyzed the compromised device to find incident details such as the type of
attack, its severity, target, impact, method of propagation, and vulnerabilities exploited.
What is the incident handling and response (IH&R) phase, in which Robert has determined
these issues?

A. Incident triage
B. Preparation
C. Incident recording and assignment
D. Eradication

Q53:
Emily, an extrovert obsessed with social media, posts a large amount of private information,
photographs, and location tags of recently visited places. Realizing this, James, a professional
hacker, targets Emily and her acquaintances, conducts a location search to detect their
geolocation by using an automated tool, and gathers information to perform other
sophisticated attacks.
What is the tool employed by James in the above scenario?
A. ophcrack
B. VisualRoute
C. Hootsuite
D. HULK

Q54:
Attacker Steve targeted an organization's network with the aim of redirecting the company's
web traffic to another malicious website. To achieve this goal, Steve performed DNS cache
poisoning by exploiting the vulnerabilities in the DNS server software and modified the
original IP address of the target website to that of a fake website.
What is the technique employed by Steve to gather information for identity theft?

A. Pharming
B. Skimming
C. Pretexting
D. Wardriving

Q55:
Nicolas just found a vulnerability on a public-facing system that is considered a zero-day
vulnerability. He sent an email to the owner of the public system describing the problem and
how the owner can protect themselves from that vulnerability. He also sent an email to
Microsoft informing them of the problem that their systems are exposed to.
What type of hacker is Nicolas?

A. Black hat
B. White hat
C. Gray hat
D. Red hat

Q56:
After an audit, the auditors inform you that there is a critical finding that you must tackle
immediately. You read the audit report, and the problem is the service running on port 389.
Which service is this and how can you tackle the problem?

A. The service is NTP, and you have to change it from UDP to TCP in order to
encrypt it.
B. The service is LDAP, and you must change it to 636, which is LDAPS.
C. The findings do not require immediate actions and are only suggestions.
D. The service is SMTP, and you must change it to SMIME, which is an encrypted
way to send emails.

Q57:
Morris, a professional hacker, performed a vulnerability scan on a target organization by
sniffing the traffic on the network to identify the active systems, network services,
applications, and vulnerabilities. He also obtained the list of the users who are currently
accessing the network.
What is the type of vulnerability assessment that Morris performed on the target organization?

A. Credentialed assessment
B. Internal assessment
C. External assessment
D. Passive assessment Most Voted

Q58:
Bob was recently hired by a medical company after it experienced a major cyber security
breach. Many patients are complaining that their personal medical records are fully exposed
on the Internet and someone can find them with a simple Google search. Bob's boss is very
worried because of regulations that protect those data.
Which of the following regulations is mostly violated?

A. PCI DSS
B. PII
C. ISO 2002
D. HIPAA/PHI

Q59:
Allen, a professional pen tester, was hired by XpertTech Solutions to perform an attack
simulation on the organization's network resources. To perform the attack, he took advantage
of the NetBIOS API and targeted the NetBIOS service. By enumerating NetBIOS, he found
that port 139 was open and could see the resources that could be accessed or viewed on a
remote system. He came across many NetBIOS codes during enumeration.
Identify the NetBIOS code used for obtaining the messenger service running for the logged-in
user?

A. <00>
B. <20>
C. <03> Most Voted
D. <1B>

Q60:
During the enumeration phase, Lawrence performs banner grabbing to obtain information
such as OS details and versions of services running. The service that he enumerated runs
directly on TCP port 445.
Which of the following services is enumerated by Lawrence in this scenario?

A. Remote procedure call (RPC)
B. Telnet
C. Server Message Block (SMB) Most Voted
D. Network File System (NFS)

Q61:
John, a disgruntled ex-employee of an organization, contacted a professional hacker to exploit
the organization. In the attack process, the professional hacker installed a scanner on a
machine belonging to one of the victims and scanned several machines on the same network
to identify vulnerabilities to perform further exploitation.
What is the type of vulnerability assessment tool employed by John in the above scenario?

A. Agent-based scanner Most Voted
B. Network-based scanner
C. Cluster scanner
D. Proxy scanner

Q62:
Widespread fraud at Enron, WorldCom, and Tyco led to the creation of a law that was
designed to improve the accuracy and accountability of corporate disclosures. It covers
accounting firms and third parties that provide financial services to some organizations and
came into effect in 2002. This law is known by what acronym?

A. SOX
B. FedRAMP
C. HIPAA
D. PCI DSS

Q63:
Consider the following Nmap output:

What command-line parameter could you use to determine the type and version number of the
web server?

A. -sV Most Voted
B. -sS
C. -Pn
D. -V

Q64:
A newly joined employee, Janet, has been allocated an existing system used by a previous
employee. Before issuing the system to Janet, it was assessed by
Martin, the administrator. Martin found that there were possibilities of compromise through
user directories, registries, and other system parameters. He also identified vulnerabilities
such as native configuration tables, incorrect registry or file permissions, and software
configuration errors.
What is the type of vulnerability assessment performed by Martin?

A. Database assessment
B. Host-based assessment Most Voted
C. Credentialed assessment
D. Distributed assessment

Q65:
You want to do an ICMP scan on a remote computer using hping2. What is the proper syntax?
A. hping2 -1 host.domain.com Most Voted
B. hping2 host.domain.com
C. hping2 -l host.domain.com
D. hping2 --set-ICMP host.domain.com

Q66:
Which of the following scanning methods splits the TCP header into several packets and
makes it difficult for packet filters to detect the purpose of the packet?

A. ACK flag probe scanning
B. ICMP Echo scanning
C. SYN/FIN scanning using IP fragments Most Voted
D. IPID scanning

Q67:
Which of the following provides a security professional with most information about the
system's security posture?

A. Phishing, spamming, sending trojans
B. Social engineering, company site browsing, tailgating
C. Wardriving, warchalking, social engineering
D. Port scanning, banner grabbing, service identification

Q68:
An attacker scans a host with the below command. Which three flags are set?

A. This is SYN scan. SYN flag is set.
B. This is Xmas scan. URG, PUSH and FIN are set. Most Voted
C. This is ACK scan. ACK flag is set.
D. This is Xmas scan. SYN and ACK flags are set.

Q69:
If executives are found liable for not properly protecting their company's assets and
information systems, what type of law would apply in this situation?

A. Criminal
B. International
C. Common
D. Civil

Q70:
What would you enter if you wanted to perform a stealth scan using Nmap?

A. nmap -sM
B. nmap -sU
C. nmap -sS
D. nmap -sT

Q71:
Firewalk has just completed the second phase (the scanning phase) and a technician receives
the output shown below. What conclusions can be drawn based on these scan results?

TCP port 21 no response
TCP port 22 no response
TCP port 23 Time-to-live exceeded

A. The lack of response from ports 21 and 22 indicates that those services are not
running on the destination server
B. The scan on port 23 was able to make a connection to the destination host,
prompting the firewall to respond with a TTL error
C. The scan on port 23 passed through the filtering device. This indicates that port 23
was not blocked at the firewall
D. The firewall itself is blocking ports 21 through 23 and a service is listening on port
23 of the target host

Q72:
Mary found a high vulnerability during a vulnerability scan and notified her server team.
After analysis, they sent her proof that a fix to that issue had already been applied. The
vulnerability that Mary found is called what?

A. False-negative
B. False-positive
C. Brute force attack
D. Backdoor

Q73:
What is the least important information when you analyze a public IP address in a security
alert?

A. DNS
B. Whois
C. Geolocation
D. ARP Most Voted

Q74:
What does the option * indicate?

A. t
B. s
C. a
D. n Most Voted

Q75:
On performing a risk assessment, you need to determine the potential impacts when some of
the critical business processes of the company interrupt its service.
What is the name of the process by which you can determine those critical businesses?
A. Emergency Plan Response (EPR)
B. Business Impact Analysis (BIA)
C. Risk Mitigation
D. Disaster Recovery Planning (DRP)

Q76:
The network in ABC company is using the network address 192.168.1.64 with mask
255.255.255.192. In the network the servers are in the addresses
192.168.1.122, 192.168.1.123 and 192.168.1.124. An attacker is trying to find those servers
but he cannot see them in his scanning. The command he is using is: nmap 192.168.1.64/28.
Why can he not see the servers?

 A. He needs to add the command "ip address" just before the IP address
 B. He needs to change the address to 192.168.1.0 with the same mask
 C. He is scanning from 192.168.1.64 to 192.168.1.78 because of the mask /28 and the
servers are not in that range
 D. The network must be down and the nmap command and IP address are ok
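The subnet arithmetic behind this question, as an added example that is not part of the question set: it uses Python's standard ipaddress module with the network, mask and server addresses taken from the scenario above, and shows the host range a /28 target covers against the range the real /26 mask defines.

```python
import ipaddress

# Values constructed from the Q76 scenario above.
NETWORK_ADDRESS = "192.168.1.64"
NETWORK_MASK = "255.255.255.192"
SERVERS = ["192.168.1.122", "192.168.1.123", "192.168.1.124"]


def scan_range(target):
    """Return (first host, last host, host count) covered by a CIDR target."""
    net = ipaddress.ip_network(target, strict=False)
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1]), len(hosts)


def servers_in_range(target, servers=SERVERS):
    """List the servers whose addresses fall inside the given scan target."""
    net = ipaddress.ip_network(target, strict=False)
    return [s for s in servers if ipaddress.ip_address(s) in net]


def correct_target(address=NETWORK_ADDRESS, mask=NETWORK_MASK):
    """Derive the CIDR target that matches the network's dotted-decimal mask."""
    return str(ipaddress.ip_network(f"{address}/{mask}", strict=False))


if __name__ == "__main__":
    # The /28 used in the scenario only covers .65 to .78, so no server is hit.
    wrong = f"{NETWORK_ADDRESS}/28"
    print(wrong, scan_range(wrong), servers_in_range(wrong))
    # The mask 255.255.255.192 is /26, which covers .65 to .126 and all three servers.
    right = correct_target()
    print(right, scan_range(right), servers_in_range(right))
```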

Q77:
Which Nmap option would you use if you were not concerned about being detected and
wanted to perform a very fast scan?

 A. -T5
 B. -O
 C. -T0
 D. -A

Q78:
You are a penetration tester and are about to perform a scan on a specific server. The
agreement that you signed with the client contains the following specific condition for the
scan: `The attacker must scan every port on the server several times using a set of spoofed
source IP addresses.` Suppose that you are using
Nmap to perform this scan.
What flag will you use to satisfy this requirement?

 A. The -g flag
 B. The -A flag
 C. The -f flag
 D. The -D flag Most Voted

Q79:
While performing an Nmap scan against a host, Paola determines the existence of a firewall.
In an attempt to determine whether the firewall is stateful or stateless, which of the following
options would be best to use?

 A. -sA Most Voted
 B. -sX
 C. -sT
 D. -sF

Q80:
Roma is a member of a security team. She was tasked with protecting the internal network of
an organization from imminent threats. To accomplish this task,
Roma fed threat intelligence into the security devices in a digital format to block and identify
inbound and outbound malicious traffic entering the organization's network.
Which type of threat intelligence is used by Roma to secure the internal network?

 A. Operational threat intelligence
 B. Strategic threat intelligence
 C. Tactical threat intelligence
 D. Technical threat intelligence Most Voted

Q81:
Jude, a pen tester, examined a network from a hacker's perspective to identify exploits and
vulnerabilities accessible to the outside world by using devices such as firewalls, routers, and
servers. In this process, he also estimated the threat of network security attacks and
determined the level of security of the corporate network.
What is the type of vulnerability assessment that Jude performed on the organization?

 A. Application assessment
 B. External assessment
 C. Passive assessment
 D. Host-based assessment

Q82:
Which of the following Google advanced search operators helps an attacker in gathering
information about websites that are similar to a specified target URL?

 A. [inurl:]
 B. [info:]
 C. [site:]
 D. [related:]

Q83:
Which of the following allows attackers to draw a map or outline the target organization's
network infrastructure to know about the actual environment that they are going to hack?

 A. Vulnerability analysis
 B. Malware analysis
 C. Scanning networks
 D. Enumeration

Q84:
Which among the following is the best example of the hacking concept called "clearing
tracks"?

 A. An attacker gains access to a server through an exploitable vulnerability.
 B. During a cyberattack, a hacker injects a rootkit into a server.
 C. After a system is breached, a hacker creates a backdoor to allow re-entry into a
system.
 D. During a cyberattack, a hacker corrupts the event logs on all machines.

Q85:
Harris is attempting to identify the OS running on his target machine. He inspected the initial
TTL in the IP header and the related TCP window size and obtained the following results:

TTL: 64
Window Size: 5840

What is the OS running on the target machine?

 A. Windows OS
 B. Mac OS
 C. Linux OS Most Voted
 D. Solaris OS

Q86:
Which Nmap switch helps evade IDS or firewalls?

 A. -D Most Voted
 B. -n/-R
 C. -T
 D. -oN/-oX/-oG

Q87:
Leverox Solutions hired Arnold, a security professional, for the threat intelligence process.
Arnold collected information about specific threats against the organization. From this
information, he retrieved contextual information about security events and incidents that
helped him disclose potential risks and gain insight into attacker methodologies. He collected
the information from sources such as humans, social media, and chat rooms as well as from
events that resulted in cyberattacks. In this process, he also prepared a report that includes
identified malicious activities, recommended courses of action, and warnings for emerging
attacks.
What is the type of threat intelligence collected by Arnold in the above scenario?

 A. Strategic threat intelligence
 B. Operational threat intelligence Most Voted
 C. Technical threat intelligence
 D. Tactical threat intelligence

Q88:
What useful information is gathered during a successful Simple Mail Transfer Protocol
(SMTP) enumeration?

 A. A list of all mail proxy server addresses used by the targeted host.
 B. The internal command RCPT provides a list of ports open to message traffic.
 C. The two internal commands VRFY and EXPN provide a confirmation of valid
users, email addresses, aliases, and mailing lists. Most Voted
 D. Reveals the daily outgoing message limits before mailboxes are locked.

Q89:
Elante company has recently hired James as a penetration tester. He was tasked with
performing enumeration on an organization's network. In the process of enumeration, James
discovered a service that is accessible to external sources. This service runs directly on port
21.
What is the service enumerated by James in the above scenario?

 A. Network File System (NFS)
 B. Remote procedure call (RPC)
 C. Border Gateway Protocol (BGP)
 D. File Transfer Protocol (FTP)

Q90:
When considering how an attacker may exploit a web server, what is web server footprinting?

 A. When an attacker creates a complete profile of the site's external links and file
structures
 B. When an attacker uses a brute-force attack to crack a web-server password
 C. When an attacker implements a vulnerability scanner to identity weaknesses
 D. When an attacker gathers system-level data, including account details and server
names Most Voted

Q91:
Given below are different steps involved in the vulnerability-management life cycle.
1) Remediation
2) Identify assets and create a baseline
3) Verification
4) Monitor
5) Vulnerability scan
6) Risk assessment
Identify the correct sequence of steps involved in vulnerability management.

 A. 2 - 5 - 6 - 1 - 3 - 4 Most Voted
 B. 2 - 4 - 5 - 3 - 6 - 1
 C. 2 - 1 - 5 - 6 - 4 - 3
 D. 1 - 2 - 3 - 4 - 5 - 6

Q92:
What information security law or standard aims at protecting stakeholders and the general
public from accounting errors and fraudulent activities within organizations?

 A. FISMA
 B. PCI-DSS
 C. SOX
 D. ISO/IEC 27001:2013

Q93:
Which among the following is the best example of the third step (delivery) in the cyber kill
chain?

 A. An intruder creates malware to be used as a malicious attachment to an email.
 B. An intruder's malware is triggered when a target opens a malicious email
attachment.
 C. An intruder's malware is installed on a target's machine.
 D. An intruder sends a malicious attachment via email to a target. Most Voted

Q94:
James is working as an ethical hacker at Technix Solutions. The management ordered James
to discover how vulnerable its network is to footprinting attacks. James took the help of
an open-source framework for performing automated reconnaissance activities. This
framework helped James in gathering information using free tools and resources.
What is the framework used by James to conduct footprinting and reconnaissance activities?

 A. OSINT framework
 B. WebSploit Framework
 C. Browser Exploitation Framework
 D. SpeedPhish Framework

Q95:
Shiela is an information security analyst working at HiTech Security Solutions. She is
performing service version discovery using Nmap to obtain information about the running
services and their versions on a target system.
Which of the following Nmap options must she use to perform service version discovery on
the target host?

 A. -sN
 B. -sV
 C. -sX
 D. -sF

Q96:
A security analyst uses Zenmap to perform an ICMP timestamp ping scan to acquire information
related to the current time from the target host machine.
Which of the following Zenmap options must the analyst use to perform the ICMP timestamp ping
scan?

 A. -Pn
 B. -PU
 C. -PP
 D. -PY

Q97:
Juliet, a security researcher in an organization, was tasked with checking for the authenticity
of images to be used in the organization's magazines. She used these images as a search query
and tracked the original source and details of the images, which included photographs, profile
pictures, and memes.
Which of the following footprinting techniques did Rachel use to finish her task?

 A. Google advanced search
 B. Meta search engines
 C. Reverse image search Most Voted
 D. Advanced image search

Q98:
Jack, a disgruntled ex-employee of Incalsol Ltd., decided to inject fileless malware into
Incalsol's systems. To deliver the malware, he used the current employees' email IDs to send
fraudulent emails embedded with malicious links that seem to be legitimate. When a victim
employee clicks on the link, they are directed to a fraudulent website that automatically loads
Flash and triggers the exploit.
What is the technique used by Jack to launch the fileless malware on the target systems?

 A. In-memory exploits
 B. Legitimate applications
 C. Script-based injection
 D. Phishing Most Voted

Q99:
Becky has been hired by a client from Dubai to perform a penetration test against one of their
remote offices. Working from her location in Columbus, Ohio, Becky runs her usual
reconnaissance scans to obtain basic information about their network. When analyzing the
results of her Whois search, Becky notices that the IP was allocated to a location in Le Havre,
France.
Which regional Internet registry should Becky go to for detailed information?

 A. ARIN
 B. LACNIC
 C. APNIC
 D. RIPE Most Voted

Q100:
Jude, a pen tester working in Keiltech Ltd., performs sophisticated security testing on his
company's network infrastructure to identify security loopholes. In this process, he started to
circumvent the network protection tools and firewalls used in the company. He employed a
technique that can create forged TCP sessions by carrying out multiple SYN, ACK, and RST
or FIN packets. Further, this process allowed Jude to execute DDoS attacks that can exhaust
the network resources.
What is the attack technique used by Jude for finding loopholes in the above scenario?

 A. Spoofed session flood attack Most Voted
 B. UDP flood attack
 C. Peer-to-peer attack
 D. Ping-of-death attack

Q101:
In an attempt to damage the reputation of a competitor organization, Hailey, a professional
hacker, gathers a list of employee and client email addresses and other related information by
using various search engines, social networking sites, and web spidering tools. In this process,
she also uses an automated tool to gather a list of words from the target website to further
perform a brute-force attack on the previously gathered email addresses.
What is the tool used by Hailey for gathering a list of words from the target website?

 A. CeWL
 B. Orbot
 C. Shadowsocks
 D. Psiphon

Q102:
John, a security analyst working for an organization, found a critical vulnerability on the
organization's LAN that allows him to view financial and personal information about the rest
of the employees. Before reporting the vulnerability, he examines the information shown by
the vulnerability for two days without disclosing any information to third parties or other
internal employees. He does so out of curiosity about the other employees and may take
advantage of this information later.
What would John be considered as?

 A. Cybercriminal
 B. White hat
 C. Gray hat Most Voted
 D. Black hat
