
Final Exam Formatted

Uploaded by

royashatnawi98

Final Exam

An attacker can __________ to deprive a system owner of the ability to detect activities that have been carried out

disable auditing

Shoulder surfing, keyboard sniffing, and social engineering are considered what type of attack?

Nontechnical password attack

The attacker's primary goal during enumeration is to:

uncover specific information about each target system.

What are alternate data streams (ADSs) associated with?

data hiding

What is a database on the local Windows system that is used to store user account information?

Security Account Manager (SAM)

What is salting?

Adding extra characters to a password prior to hashing



What is the unique ID assigned to each user account in Windows that identifies the account or group?

Security identifier (SID)

What method can thwart a brute-force password attack?

A policy that locks user accounts after the password is entered incorrectly a certain number of times

Which Windows user account gets nearly unlimited access to the local system and can perform actions on the local system with little or no restriction?

SYSTEM

Which of the following is a type of passive online attack?

Replay attack

_______ refers to software designed to alter system files and utilities on a victim's system with the intention of changing the way a system behaves

Rootkit

___________ means that an account should possess only the minimum privileges necessary to carry out required job functions.



The principle of least privilege

Dean believes that a Trojan may have infected his system. Which command can he use to query for open connections to help determine if a Trojan is using a specific port?

Netstat

Jane's organization recently experienced a security incident. Malware was triggered on the chief executive officer's birthday, deleting all of the company's customer records. What type of malware was used in this attack?

Logic bomb

Maria recently discovered that an attacker placed malware on a system used by her company's chief financial officer. The malware is designed to track and report activity on the system. The attacker has been able to capture passwords, confidential data, and other corporate information. What software has Maria discovered?

keystroke logger

What infects using multiple attack vectors, including the boot sector and executable files on a hard drive?

Multipartite virus

What is a malware program designed to replicate without attaching to or infecting other files on a host system?

Worm

What is a piece of code or software designed to lie in wait on a system until a specified event occurs?

logic bomb

What is malware that looks legitimate but hides a payload that does something unwanted?

Trojan

Which law expanded on a previous law and covers damage to foreign computers involved in U.S. interstate commerce?

The Patriot Act

Which of the following is a general term for software that is inherently hostile, intrusive, or annoying in its operation?

Malware

Which of the following is a type of malware designed to hold your data hostage?

Ransomware

Which of the following is designed to make the user take action even though no infection or threat exists?

Hoax

__________ is a process where communications are redirected to different ports than they would normally be destined for.

Port Redirection

Which of the following testing processes is the most intrusive?

a. Port scanning

b. Enumeration

c. Null scanning

d. Numeration

Security testers conduct enumeration for which of the following reasons? (Choose all that apply.)

a. Gaining access to shares and network resources

b. Obtaining user logon names and group memberships

c. Discovering services running on computers and servers

d. Discovering open ports on computers and servers

Both a,b

To determine what resources or shares are on a network, security testers must use port scanning and what other procedure first to determine what OS is being used?

Footprinting

What does the "NBT" part of the "NBTscan" stand for?

NetBIOS over TCP/IP

What upper-level service is required to utilize file and printer sharing in Windows?

Server Message Block (SMB)

The first Microsoft GUI product that didn't rely on DOS?

Windows 95

Windows programming interface that allows computers to communicate across a local area network?

Network Basic Input/Output System (NetBIOS)



Introduced Authentication Silos to prevent pass-the-hash attacks.

Windows Server 2012

Unauthenticated connection to a Windows computer that uses no logon and password values.

Null Session

An older network management service which enables remote administration and runs on both Windows and *nix systems.

Simple Network Management Protocol (SNMP)

First Windows version to introduce User Account Control and BitLocker.

Windows Vista

Which of the following tools can be used to enumerate Windows systems? (Choose all that apply.)

a. OpenVAS or Nessus

b. Reddit

c. DumpIt

d. Hyena

both a,d

Enumeration of Windows systems can be more difficult if port ______________________ is filtered.

139/TCP

A null session is enabled by default in all the following Windows versions except:

a. Windows 95

b. Windows Server 2008

c. Windows 98

d. Windows 2000

b. Windows Server 2008

The net view command can be used to see whether there are any shared resources on a server. (T/F)

True

To identify the NetBIOS names of systems on the 193.145.85.0 network, which of the following commands do you use?



a. nbtscan 193.145.85.0/24

b. nbtscan 193.145.85.0-255

c. nbtstat 193.145.85.0/24

d. netstat 193.145.85.0/24

a. nbtscan 193.145.85.0/24


Which of the following is a Windows command-line utility for seeing NetBIOS shares on a network?

a. net use

b. net user

c. net view

d. Nbtuser

c. net view

The Nbtstat command is used to enumerate *nix systems. (T/F)

False

A NetBIOS name can contain a maximum of ______________characters.

a. 10

b. 11

c. 15

d. 16

c. 15

Which of the following commands connects to a computer containing shared files and folders?

a. new view

b. net use

c. netstat

d. nbstat

b. net use

Which port numbers indicate NetBIOS is in use on a remote target?

a. 135 to 137

b. 389 to 1023

c. 135 to 139

d. 110 and 115

c. 135 to 139

Which of the following is the vulnerability scanner from which OpenVAS was developed?

a. OpenVAS Pro

b. Nessus

c. ISS Scanner

d. SuperScan

b. Nessus

Most NetBIOS enumeration tools connect to the target system by using which of the following?

a. ICMP packets

b. Default logons and blank passwords

c. Null sessions

d. Admin accounts

c. null sessions

What is the best method of preventing NetBIOS attacks?

a. filtering certain ports at the firewall

b. telling users to create difficult-to-guess passwords

c. pausing the Workstation service

d. Stopping the Workstation service

a. filtering certain ports at the firewall

Which of the following is a commonly used UNIX enumeration tool?

a. Netcat

b. Nbtstat

c. Netstat

d. SNMPWalk

d. SNMPWalk


Which of the following commands should you use to determine whether there are any shared resources on a Windows computer with the IP address 193.145.85.202?

a. netstat -c 193.145.85.202

b. nbtscan -a 193.145.85.202

c. nbtstat -a 193.145.85.202

d. nbtstat -a \\193.145.85.202

c. nbtstat -a 193.145.85.202

The Windows Net use command is a quick way to discover any shared resources on a computer or server. (T/F)

False

An algorithm is defined as which of the following?

A list of possible solutions for solving a problem



A method for automating a manual process

A program written in a high-level language

A set of instructions for solving a specific problem

A C program must contain which of the following?

Name of the computer programmer

A main() function

The #include<std.h> header file

A description of the algorithm used

Which of the following C statements has the highest risk of creating an infinite loop?

while (a > 10)

while (a < 10)

for (a = 1; a < 100; ++a)

for (;;)

Which of the following is the Win32 API function for verifying the file system on a Windows computer?

Filesystem()

FsType()

System()

IsNT()

Lab 4,

Lab Setup on Windows Server 2022

Which PowerShell command creates a low-privilege user on Windows Server 2022?

a. Add-User -Name testuser -Privilege Low

b. New-LocalUser -Name "testuser" -Password (ConvertTo-SecureString "Password123!" -AsPlainText -Force)

c. Create-UserAccount -User testuser -Password Weak123!

d. Enable-UserAccount testuser -Type LowPrivilege

Answer: b

What is the purpose of enabling SMB on Windows Server 2022?



a. To allow remote desktop connections

b. To share files and printers over the network

c. To enable PowerShell remoting

d. To strengthen firewall rules

Answer: b

What port does Windows Remote Management (WinRM) use by default?

a. 22

b. 5985

c. 3389

d. 445

Answer: b

Which setting must be temporarily disabled to bypass Network Level Authentication (NLA)?

a. "Enable RDP Security"

b. "Allow connections without NLA"

c. "Turn off WinRM restrictions"

d. "Disable SMB authentication"

Answer: b

Reconnaissance Using Kali Linux



Which command scans for open ports 445, 3389, and 5985 on a target Windows server?

a. nmap -A <Target_IP>

b. nmap -p 445,3389,5985 <Target_IP>

c. nmap -Pn <Target_IP>

d. nmap -sU -p 445,3389,5985 <Target_IP>

Answer: b

What is the expected result of a successful Nmap scan against a configured Windows Server 2022?

a. Detection of inactive ports only

b. Identification of open ports like SMB, RDP, and WinRM

c. Full access to server files

d. Immediate exploitation of vulnerabilities

Answer: b

Brute-Force Attacks

Which Metasploit module is used to brute-force SMB login credentials?

a. auxiliary/scanner/smb/smb_login

b. exploit/windows/smb/smb_bruteforce

c. post/smb/smb_scanner

d. scanner/windows/smb/smb_recon

Answer: a

What file format is required for the username and password lists in Metasploit?

a. .json

b. .xml

c. .txt

d. .csv

Answer: c

Which command connects to an SMB share after successful brute-forcing?

a. smbclient -L //<Target_IP> -U <Username>

b. msfconsole -smb_access -Target_IP <Username>

c. exploit -smb -Target_IP <Username>

d. winrm_connect //<Target_IP> <Username>

Answer: a

What is the main risk of using weak passwords in network environments?

a. Slower server performance

b. Increased vulnerability to brute-force attacks

c. Loss of encrypted data

d. Reduced file-sharing capabilities



Answer: b

Post-Exploitation and Privilege Escalation

Which command checks the current privileges of a user on Windows Server?

a. whoami

b. netstat

c. get-privileges

d. tasklist

Answer: a

Which tool allows remote PowerShell access via WinRM?

a. PuTTY

b. Evil-WinRM

c. PsExec

d. Metasploit

Answer: b

What is the purpose of creating a scheduled task for persistence?

a. To disable server auditing

b. To maintain long-term access to the system

c. To clean up after exploitation



d. To install security patches

Answer: b

Which PowerShell command registers a scheduled task?

a. Add-ScheduledTask

b. Register-ScheduledTask

c. New-Task

d. Set-Task

Answer: b

Clean-Up and Reflection

Which command clears the Windows System event log?

a. Clear-EventLog

b. wevtutil cl System

c. Remove-Logs -Type System

d. ClearLogs -EventType System

Answer: b

What is the first step to mitigate scheduled task persistence?

a. Remove user accounts



b. Use antivirus software

c. Unregister the malicious task

d. Block all network connections

Answer: c

Lab 1: Hacking the Next Generation & Virtual Environment Setup

VMware and Virtual Machine Setup

Which software is used to create virtual machines in Lab 1?

a. VirtualBox

b. VMware Workstation

c. Hyper-V

d. Docker

Answer: b

What is the recommended RAM allocation for the Windows Server 2022 virtual machine?

a. 1 GB

b. 2 GB

c. 4 GB

d. 8 GB

Answer: c

Why is Bridged Mode chosen for the network adapter in VMware?

a. To isolate the VM from the host network

b. To allow communication with the physical network and other devices

c. To enable NAT translation for internet access

d. To limit access to only localhost

Answer: b

Network Configuration and Testing

Which configuration file is edited on Kali Linux to set a static IP?

a. /etc/network/interfaces

b. /etc/hosts

c. /etc/resolv.conf

d. /etc/sysconfig/network

Answer: a

What command restarts the networking service on Kali Linux?

a. sudo service networking start

b. sudo systemctl restart networking

c. sudo systemctl enable network



d. sudo restart-network

Answer: b

What command is used to test connectivity between the two VMs?

a. ssh <IP>

b. traceroute <IP>

c. ping <IP>

d. netstat <IP>

Answer: c

Reconnaissance with Nmap

What is the purpose of the -sS flag in Nmap?

a. It performs a UDP scan.

b. It performs a SYN scan for open ports.

c. It performs a version scan of services.

d. It performs a script scan.

Answer: b

Which Nmap command discovers all devices on the network?

a. nmap -sV

b. nmap -sn <Network_Range>

c. nmap -Pn <IP>

d. nmap -sC

Answer: b

What information does the Nmap -sV flag provide?

a. IP address of the target

b. Open ports and running service versions

c. List of vulnerabilities

d. Network topology

Answer: b

Banner Grabbing and Vulnerability Detection

Which tool is used for banner grabbing in Lab 1?

a. Wireshark

b. Netcat

c. Metasploit

d. OpenVAS

Answer: b

Which Nmap script detects vulnerabilities on a target?

a. --script vuln

b. --script discovery

c. -sC

d. -sV

Answer: a

What does the command nc -v <IP> <Port> do?

a. Opens a TCP connection to the specified IP and port

b. Scans all ports on the target IP

c. Enumerates users on the target

d. Closes open connections

Answer: a

Active Directory and User Management

Which role must be installed on Windows Server 2022 to configure Active Directory?

a. IIS (Internet Information Services)

b. Active Directory Domain Services (AD DS)

c. Network Policy Server (NPS)

d. File Server

Answer: b

What is the purpose of promoting a server to a domain controller?

a. To enable file sharing

b. To manage DNS settings

c. To create and manage a centralized directory for users and resources

d. To configure firewalls

Answer: c

What group is typically assigned to high-privilege users in Active Directory?

a. Domain Guests

b. Domain Admins

c. Remote Desktop Users

d. Users

Answer: b

General Ethical Hacking Concepts

What is the main purpose of using Nmap in penetration testing?

a. Exploit vulnerabilities

b. Scan networks to discover devices and open ports

c. Secure a network against attacks



d. Remove malicious software

Answer: b

Why is it important to configure static IPs for VMs in a lab environment?

a. To ensure consistent network communication during testing

b. To enable dynamic IP allocation

c. To limit bandwidth usage

d. To isolate the VMs

Answer: a

What is a common vulnerability found in outdated SMB services?

a. Buffer overflow attacks (e.g., EternalBlue)

b. SQL injection

c. Directory traversal

d. Cross-site scripting

Answer: a

Lab 3: Advanced Passive Reconnaissance Techniques

General Concepts of Passive Reconnaissance



What is the primary goal of passive reconnaissance in penetration testing?

a. Exploit vulnerabilities on the target system

b. Collect information without direct interaction to avoid detection

c. Gain administrative access to the target network

d. Deploy malware on the target system

Answer: b

Which of the following is considered a passive reconnaissance activity?

a. Brute-forcing login credentials

b. Using Nmap to scan open ports

c. Analyzing public DNS records

d. Exploiting SMB vulnerabilities

Answer: c

Why is passive reconnaissance less likely to be detected compared to active techniques?

a. It relies on direct server interaction

b. It avoids interacting with the target systems directly

c. It uses brute force to collect data

d. It depends on system misconfigurations

Answer: b

Tool-Specific Questions

Which tool gathers information like emails, subdomains, and open ports from public sources?

a. Recon-ng

b. theHarvester

c. Maltego CE

d. SpiderFoot

Answer: b

What is the primary use of Maltego CE in passive reconnaissance?

a. Automated OSINT collection

b. Graphical visualization of relationships between entities

c. DNS enumeration

d. Brute-force attacks

Answer: b

Which tool is specifically designed for automating OSINT data collection?

a. SpiderFoot

b. Wireshark

c. Burp Suite

d. OpenVAS

Answer: a

What command installs Recon-ng on Kali Linux?

a. sudo apt install recon-ng

b. sudo install recon-ng

c. apt-get update && install recon-ng

d. sudo apt install recon

Answer: a

Practical Reconnaissance Tasks

Which command in theHarvester performs a scan across all data sources?

a. theharvester -a example.com

b. theharvester -d example.com -b all

c. theharvester -t example.com -b dns

d. theharvester --all example.com

Answer: b

What command is used to export theHarvester results in an HTML format?

a. theharvester -e example.com -o report.html

b. theharvester -d example.com -b all -f example_report.html

c. theharvester -f example_report.html example.com



d. theharvester -x html -d example.com

Answer: b

Which Recon-ng command sets the workspace for a specific target?

a. workspaces use example.com

b. workspaces create example_workspace

c. add workspace example.com

d. workspace start example_workspace

Answer: b

DNS and Network Analysis

Which tool performs DNS enumeration and checks for zone transfers?

a. Recon-ng

b. dnsenum

c. Maltego CE

d. SpiderFoot

Answer: b

What is the purpose of the command dig axfr @ns1.example.com example.com?

a. Scan open ports on the nameserver



b. Perform a zone transfer to gather DNS records

c. Test connectivity to the nameserver

d. Enumerate subdomains using OSINT

Answer: b

Which Nmap script checks for DNS brute force?

a. --script dns-brute

b. --script vuln

c. --script dns-enum

d. --script dns-transfer

Answer: a

Legal and Ethical Considerations

What is an essential legal consideration when performing passive reconnaissance?

a. Use any tool available without restriction

b. Always have explicit permission from the target organization

c. Focus only on systems outside the organization's scope

d. Use anonymous proxies to hide your identity

Answer: b

Which law governs unauthorized access to computer systems in the United States?

a. General Data Protection Regulation (GDPR)

b. Computer Fraud and Abuse Act (CFAA)

c. Digital Millennium Copyright Act (DMCA)

d. Cybersecurity Information Sharing Act (CISA)

Answer: b

Why is responsible disclosure important in cybersecurity?

a. To gain unauthorized access to the system

b. To notify the organization about discovered vulnerabilities ethically

c. To publicly share vulnerabilities for faster resolution

d. To bypass legal implications of passive reconnaissance

Answer: b

Advanced Techniques

Which public tool helps discover SSL certificates related to a domain?

a. crt.sh

b. Netcraft

c. SpiderFoot

d. theHarvester

Answer: a

Which command launches SpiderFoot's web interface?

a. spiderfoot start

b. spiderfoot -w

c. spiderfoot -l 127.0.0.1:5001

d. spiderfoot --gui

Answer: c

What type of vulnerabilities can be identified using SSL Labs' SSL Test?

a. SQL Injection vulnerabilities

b. SSL/TLS configuration weaknesses

c. Misconfigured DNS records

d. Unauthorized access to shared drives

Answer: b

What information can be obtained from certificate transparency logs?

a. Subdomains and related domains

b. Internal network topology

c. Vulnerable services

d. Active connections

Answer: a

Lab 2: Linux, Penetration Testing Tools & Service Exploitation

Part 1: Configuring Samba on Kali Linux

What is the primary function of Samba in a Linux system?

a. Encrypt network traffic

b. Share files and printers between Linux and Windows systems

c. Perform vulnerability scanning

d. Enable remote shell access

Answer: b

Which command installs Samba on Kali Linux?

a. sudo apt install smbd

b. sudo apt install samba

c. sudo install samba-utils

d. sudo service install samba

Answer: b

What must be configured in /etc/samba/smb.conf to allow guest access?

a. read only = yes



b. guest ok = yes

c. auth required = no

d. enable share = true

Answer: b

Which command restarts the Samba service to apply configuration changes?

a. sudo service samba restart

b. sudo systemctl restart samba

c. sudo systemctl restart smbd

d. sudo restart samba-service

Answer: c

How do you map a network drive to a Samba share in Windows Server 2022?

a. Use the mapdrive CLI command

b. Add the IP address and share name in the File Explorer's address bar

c. Open Command Prompt and use connect-samba

d. Configure Samba from the Windows Control Panel

Answer: b

Part 2: Password Cracking with John the Ripper



What is the primary function of John the Ripper?

a. Crack passwords by brute force or dictionary attacks

b. Perform network reconnaissance

c. Scan for web vulnerabilities

d. Encrypt sensitive files

Answer: a

What is the purpose of the rockyou.txt file in password cracking?

a. It contains precomputed hashes for rainbow table attacks

b. It is a wordlist used for dictionary-based attacks

c. It is a configuration file for John the Ripper

d. It stores password policies for Linux systems

Answer: b

Which command is used to display the cracked passwords after running John the Ripper?

a. john --cracked

b. john --results passwd.txt

c. john --show passwd.txt

d. john --output cracked

Answer: c

Part 2: Network and Vulnerability Scanning

Which Nmap command scans all ports and detects service versions?

a. nmap -sS -A <IP>

b. nmap -p- -sV <IP>

c. nmap -sU -T4 <IP>

d. nmap -O -Pn <IP>

Answer: b

What is the purpose of using Nikto in penetration testing?

a. Perform OS-level privilege escalation

b. Scan for web server vulnerabilities and misconfigurations

c. Exploit SMB vulnerabilities

d. Brute-force login credentials

Answer: b

Part 3: Exploiting SMB Vulnerabilities with Metasploit

Which Metasploit module is used to exploit the EternalBlue vulnerability?

a. exploit/windows/smb/ms17_010_eternalblue

b. auxiliary/scanner/smb/smb_login

c. exploit/linux/smb/smb_shell

d. exploit/windows/misc/smb_eternalblue

Answer: a

What is the role of the set LHOST command in Metasploit?

a. Specify the target IP address

b. Set the local host IP address for the reverse shell

c. Enable logging for exploits

d. Choose the type of payload

Answer: b

Which Meterpreter command displays system information about the target machine?

a. info

b. sysinfo

c. targetinfo

d. show

Answer: b

What does the Meterpreter persistence command do?

a. Scans for additional vulnerabilities

b. Creates a persistent backdoor on the target system

c. Extracts credentials from the target system



d. Deletes traces of the exploit

Answer: b

Part 4: Post-Exploitation

Which tool within Meterpreter is used to extract NTLM password hashes?

a. Mimicats

b. WDigest

c. Mimikatz

d. Hashcat

Answer: c

Which command in Meterpreter installs a backdoor that reconnects to the attacker's system?

a. backdoor -persist

b. set persistence -X

c. persistence -X -i 60

d. meterpreter persistence --install

Answer: c

General Concepts

Which type of attack does John the Ripper perform by trying all possible combinations of characters?

a. Dictionary attack

b. Brute-force attack

c. Hybrid attack

d. Credential stuffing

Answer: b

What is the main purpose of scanning with the --script vuln option in Nmap?

a. Scan for vulnerabilities on open ports

b. Test DNS services

c. Perform a zone transfer

d. Exploit identified vulnerabilities

Answer: a

Why is it important to clean up after penetration testing?

a. To ensure persistent access to the target system

b. To comply with legal and ethical guidelines

c. To keep evidence of the penetration test for future reference

d. To hide the vulnerabilities discovered

Answer: b

Which command removes a persistent backdoor created using Meterpreter?

a. persistence -remove

b. exit-persistence

c. rm -backdoor

d. Reboot the target system

Answer: d
