1. Which of the following creates a 'half-open' connection to determine if a port is open, making it less likely to be logged by the target application?
A. TCP Connect Scan (-sT)
B. TCP SYN Scan (-sS)
C. UDP Scan (-sU)
D. Ping Scan (-sn)
Correct Answer: TCP SYN Scan (-sS)
Explanation: A TCP SYN scan (-sS) sends a SYN packet and waits for a SYN-ACK. If one arrives, the scanner answers with a RST instead of the final ACK, so the three-way handshake is never completed. This is called 'half-open' scanning. Because no connection is established, the listening application never sees it and does not log it, which makes it stealthier than a full TCP Connect scan (-sT); network IDS and firewall logs still record the SYN. -sS needs raw-socket privileges (root on Linux); unprivileged users fall back to -sT.
2. When analyzing vulnerability scan results, what is a False Positive?
A. The scanner fails to identify an existing vulnerability.
B. The scanner identifies a vulnerability that does not actually exist.
C. The scanner crashes the target service.
D. The scanner correctly identifies a critical vulnerability.
Correct Answer: The scanner identifies a vulnerability that does not actually exist.
Explanation: A False Positive occurs when the scanning tool reports a vulnerability that is not actually present or exploitable on the target, typically because the check matched a version banner without confirming the flaw. Manual verification and credentialed scanning reduce them.
3. Which open-source vulnerability scanner was originally a fork of the last open-source version of Nessus?
A. OpenVAS
B. Qualys
C. Nexpose
D. Burp Suite
Correct Answer: OpenVAS
Explanation: OpenVAS (Open Vulnerability Assessment System) began in 2005 as a fork of the last GPL release of Nessus when Nessus moved to a proprietary license model.
4. In the context of Nmap timing templates used for evasion, which flag represents 'Paranoid' mode, sending packets very slowly to evade IDS?
A. -T5
B. -T3
C. -T1
D. -T0
Correct Answer: -T0
Explanation: Nmap offers timing templates from -T0 to -T5. -T0 (Paranoid) is the slowest, waiting five minutes between probes and sending them serially, to stay under IDS rate thresholds. -T1 (Sneaky) waits 15 seconds; -T3 (Normal) is the default.
5. Why are automated scanners generally poor at detecting Business Logic Vulnerabilities?
A. Scanners cannot decrypt SSL/TLS traffic.
B. Logic flaws depend on context and intended workflow, not syntax errors.
C. Scanners do not support HTTP POST requests.
D. Logic flaws are only found in compiled code, not web apps.
Correct Answer: Logic flaws depend on context and intended workflow, not syntax errors.
Explanation: Automated scanners look for technical signatures (like SQL syntax errors in a response). Business logic flaws (e.g., buying an item for $0.00 by editing the price parameter) require understanding what the application is supposed to allow, which tools lack.
6. Which command allows an attacker to clear the command history in a Linux environment to cover tracks?
A. history -c
B. clear
C. cat /dev/null
D. ls -la
Correct Answer: history -c
Explanation: history -c clears the in-memory history list of the current shell session, so those commands are not written to ~/.bash_history when the shell exits. It does not remove entries already saved to the file, and it does nothing about auditd, process accounting or centrally forwarded logs, which is why defenders should not rely on shell history as evidence.
7. What is the primary difference between a Credentialed Scan and a Non-Credentialed Scan?
A. Credentialed scans are illegal.
B. Non-credentialed scans are faster but cause more network traffic.
C. Credentialed scans log in to the system to audit local settings and patches.
D. Non-credentialed scans can read the registry and configuration files.
Correct Answer: Credentialed scans log in to the system to audit local settings and patches.
Explanation: A credentialed (authenticated) scan uses a valid account to log into the target, allowing it to inspect the registry, installed package versions, file versions and configuration settings directly. Non-credentialed scans only see what is exposed to the network, so they rely on banners and produce more false positives.
8. Which CVSS v3.1 base score range represents a Critical severity vulnerability?
Correct Answer: 9.0 to 10.0
Explanation: According to the Common Vulnerability Scoring System (CVSS) v3.1 qualitative severity rating scale, a base score of 9.0 to 10.0 is classified as Critical. The other bands are None (0.0), Low (0.1-3.9), Medium (4.0-6.9) and High (7.0-8.9).
9. Which Nmap technique involves sending packets from the attacker's IP mixed with packets from other spoofed IP addresses to confuse the target's IDS/Firewall?
A. Packet Fragmentation (-f)
B. Decoy Scanning (-D)
C. Source Port Manipulation (--source-port)
D. MAC Address Spoofing (--spoof-mac)
Correct Answer: Decoy Scanning (-D)
Explanation: The -D option lets the user specify decoy IP addresses (or RND:n for random ones). The target sees identical probes arriving from multiple IPs, making it difficult to tell which one is the real attacker. Decoys should be hosts that are actually up, and the technique does not work with connect scans (-sT) or version detection (-sV), which need real connections.
10. Which tool is specifically designed for scanning web servers for dangerous files, outdated server software, and default configuration problems?
A. Nikto
B. Kismet
C. Wireshark
D. John the Ripper
Correct Answer: Nikto
Explanation: Nikto is a dedicated web server scanner that tests for thousands of dangerous files, outdated server versions, and specific server-related problems.
11. An attacker changes the source port of their packets to 53. What evasion technique is this, and why might it work?
A. Decoy scanning; it hides the IP address.
B. Source Port Manipulation; firewalls may trust traffic from DNS ports.
C. Fragmentation; it splits the header.
D. Timing attack; it speeds up the scan.
Correct Answer: Source Port Manipulation; firewalls may trust traffic from DNS ports.
Explanation: By using --source-port 53 (or its short form -g 53), an attacker attempts to bypass stateless filter rules written as 'allow inbound traffic from port 53' so that DNS replies can reach internal resolvers. A stateful firewall is not fooled, because the probe does not belong to any session an internal host initiated.
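The following added example (not from the quiz or from Nmap) models the two rule styles the explanation contrasts. The rule set, addresses and session table are constructed for illustration; it shows why a probe with source port 53 passes a stateless rule keyed on the source port but is rejected by a stateful filter that only admits replies to sessions it has seen leave.

```python
"""Stateless vs stateful filtering of a --source-port 53 probe (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True for a new-connection (SYN-only) probe, False for a reply


# Constructed stateless ACL. The first rule is the over-broad one: it was meant to
# let DNS answers back in, but it only looks at the source port.
def stateless_permits(pkt: Packet) -> bool:
    if pkt.sport == 53:  # "allow replies from DNS servers"
        return True
    if pkt.dport == 443:  # published web service
        return True
    return False


class StatefulFilter:
    """Keeps a table of sessions internal hosts opened; inbound packets must
    either match an explicit inbound rule or be a reply to a tracked session."""

    def __init__(self):
        self.sessions = set()  # (internal host, internal port, remote host, remote port)

    def outbound(self, pkt: Packet) -> None:
        self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def permits(self, pkt: Packet) -> bool:
        if pkt.dport == 443 and pkt.syn:  # same published service as above
            return True
        # a "reply" is accepted only if the internal host started the exchange
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


def compare(attacker="198.51.100.7", target="192.0.2.10", resolver="203.0.113.53"):
    """Run the same SSH probe (dport 22) through both filters, with and without sport 53."""
    plain_probe = Packet(attacker, 40000, target, 22, syn=True)
    dns_probe = Packet(attacker, 53, target, 22, syn=True)

    stateful = StatefulFilter()
    # a genuine DNS lookup leaving the network, followed by its reply
    stateful.outbound(Packet(target, 40001, resolver, 53, syn=True))
    real_reply = Packet(resolver, 53, target, 40001, syn=False)

    return {
        "stateless_default_sport": stateless_permits(plain_probe),
        "stateless_sport_53": stateless_permits(dns_probe),
        "stateful_sport_53": stateful.permits(dns_probe),
        "stateful_real_dns_reply": stateful.permits(real_reply),
    }
```

The only difference between the two probes is the source port; the stateless rule cannot tell a spoofed source port from a real DNS answer, while the stateful table can.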
12. In a vulnerability assessment, what does deduplication refer to?
A. Running the scan twice to ensure accuracy.
B. Consolidating multiple reports of the same vulnerability on the same host into a single finding.
C. Removing critical vulnerabilities from the report.
D. Copying the report to multiple servers.
Correct Answer: Consolidating multiple reports of the same vulnerability on the same host into a single finding.
Explanation: Deduplication is the process of grouping identical findings (e.g., the same missing patch detected on multiple ports or by multiple plug-ins) into one finding per host to reduce report noise.
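As an added example (not part of the quiz, and not any scanner's own code), the function below performs the grouping the explanation describes. The raw findings are constructed to mimic scanner output where one outdated web server is reported on three ports and by two different plug-ins; the field names (host, port, plugin, check_id) are assumptions chosen for the example.

```python
"""Deduplicate vulnerability-scanner findings by (host, check) (constructed data)."""
from dataclasses import dataclass, field


@dataclass
class RawFinding:
    host: str
    port: int
    plugin: str     # the scanner check that fired
    check_id: str   # identifier of the underlying weakness (assumed to be stable across plugins)
    title: str


@dataclass
class Finding:
    host: str
    check_id: str
    title: str
    ports: list = field(default_factory=list)
    plugins: set = field(default_factory=set)


# Constructed scanner output: the same outdated web server seen on 80, 443 and 8080,
# and again via a second (TLS banner) plug-in, plus one unrelated SSH finding and
# the same web issue on a second host.
RAW = [
    RawFinding("10.0.0.5", 80,   "http_version_check", "web-server-outdated", "Web server outdated"),
    RawFinding("10.0.0.5", 443,  "http_version_check", "web-server-outdated", "Web server outdated"),
    RawFinding("10.0.0.5", 8080, "http_version_check", "web-server-outdated", "Web server outdated"),
    RawFinding("10.0.0.5", 443,  "tls_banner_check",   "web-server-outdated", "Web server outdated"),
    RawFinding("10.0.0.5", 22,   "ssh_version_check",  "ssh-server-outdated", "SSH server outdated"),
    RawFinding("10.0.0.6", 80,   "http_version_check", "web-server-outdated", "Web server outdated"),
]


def deduplicate(raw):
    """Collapse identical (host, check_id) findings, merging the ports and plug-ins
    that reported them. Findings on different hosts stay separate: the same patch
    is still missing on each machine and must be remediated on each."""
    merged = {}
    for r in raw:
        key = (r.host, r.check_id)
        f = merged.setdefault(key, Finding(r.host, r.check_id, r.title))
        if r.port not in f.ports:
            f.ports.append(r.port)
        f.plugins.add(r.plugin)
    return sorted(merged.values(), key=lambda f: (f.host, f.check_id))


if __name__ == "__main__":
    for f in deduplicate(RAW):
        print(f"{f.host:10} {f.check_id:22} ports={f.ports} via={sorted(f.plugins)}")
```

Six raw rows collapse to three findings; the consolidated entry keeps every port and plug-in so the evidence is not lost, only the repetition.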
13. What is the purpose of Packet Fragmentation (-f) in Nmap during a scan?
A. To increase scanning speed.
B. To verify the MTU size of the network.
C. To split TCP headers into smaller fragments to bypass packet filters/firewalls.
D. To corrupt the target file system.
Correct Answer: To split TCP headers into smaller fragments to bypass packet filters/firewalls.
Explanation: -f splits each probe into 8-byte IP fragments (--mtu sets another multiple of 8), so the TCP header itself is spread across several packets. This can evade firewalls or IDSs that inspect fragments individually without reassembling them. Most modern inspection devices do reassemble, and on Linux the scanner's own kernel may reassemble the fragments before they leave the host if connection tracking is loaded, so it is not a reliable evasion.
14. Which of the following is considered a Logical Vulnerability?
A. Buffer Overflow in the search parameter.
B. Insecure Direct Object Reference (IDOR) allowing access to another user's bill.
C. Using an outdated version of Apache.
D. Missing X-Frame-Options header.
Correct Answer: Insecure Direct Object Reference (IDOR) allowing access to another user's bill.
Explanation: IDOR is a logic flaw where the application fails to verify that the user is authorized to access a specific object (like a bill ID), so changing the ID number in the URL is enough to read someone else's data.
15. Which Windows command is used to manipulate or clear event logs?
A. chmod
B. rm -rf
C. wevtutil
D. netstat
Correct Answer: wevtutil
Explanation: wevtutil is a Windows command-line utility that lets administrators (or attackers) query event logs and publishers and clear logs (e.g., wevtutil cl System). Clearing is itself logged: clearing the Security log writes Event ID 1102 to the Security log, and clearing any other log writes Event ID 104 to the System log, so defenders should alert on both.
16. What is the difference between a Vulnerability Scan and a Penetration Test?
A. They are exactly the same.
B. A scan is automated and identifies potential issues; a pentest involves manual exploitation to verify risks.
C. A scan is manual; a pentest is automated.
D. A scan is more expensive than a pentest.
Correct Answer: A scan is automated and identifies potential issues; a pentest involves manual exploitation to verify risks.
Explanation: Vulnerability scanning is generally an automated process to identify known weaknesses. Penetration testing simulates a real-world attack, including exploitation, lateral movement, and chaining vulnerabilities.
17. Which Nmap Scripting Engine (NSE) category is safe to run on a production network without a real risk of crashing services?
A. vuln
B. dos
C. exploit
D. safe
Correct Answer: safe
Explanation: The safe category (run with --script safe) contains scripts that are not designed to crash services, consume large amounts of bandwidth or exploit holes. It is the complement of the intrusive category; vuln, exploit and dos scripts may all disrupt fragile services.
18. When interpreting vulnerability data, which CVSS metric describes the complexity required to exploit the vulnerability?
A. Attack Vector (AV)
B. Attack Complexity (AC)
C. Privileges Required (PR)
D. User Interaction (UI)
Correct Answer: Attack Complexity (AC)
Explanation: In CVSS, Attack Complexity (AC) describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability; it takes the values Low or High.
19. Which scan type is most likely to cause a Denial of Service (DoS) on unstable legacy equipment?
A. Passive sniffing
B. Discovery scan
C. Intrusive / Aggressive scan
D. Host discovery
Correct Answer: Intrusive / Aggressive scan
Explanation: Intrusive scans that probe for buffer overflows or send malformed packets to confirm vulnerabilities can crash fragile or legacy services.
20. In the context of covering tracks, what is Time Stomping?
A. Slowing down the CPU.
B. Modifying the timestamp (access, modify, create) of a file to hide when it was used.
C. Deleting the time server.
D. Running a scan at 3:00 AM.
Correct Answer: Modifying the timestamp (access, modify, create) of a file to hide when it was used.
Explanation: Time stomping alters a file's MACE timestamps (Modified, Accessed, Created, MFT Entry modified) to hide the fact that it was uploaded or executed during the attack window. On NTFS each file carries two sets of these timestamps, in the $STANDARD_INFORMATION and $FILE_NAME attributes; the Windows API only updates the former, so common stomping tools leave the latter untouched and a mismatch between the two is a standard forensic indicator.
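The heuristic in the explanation, as an added example (not from the quiz or any forensic product): given $STANDARD_INFORMATION and $FILE_NAME creation times already parsed from the MFT, flag files whose $SI creation time is earlier than the kernel-managed $FN creation time, or whose $SI time has a zeroed sub-second component. The records, paths and times are constructed; the field names are assumptions.

```python
"""Time-stomp indicators from NTFS $SI vs $FN creation timestamps (constructed records)."""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class MftRecord:
    path: str
    si_created: datetime  # $STANDARD_INFORMATION creation time: shown by Explorer, settable via SetFileTime
    fn_created: datetime  # $FILE_NAME creation time: maintained by the kernel, not exposed to SetFileTime


def timestomp_indicators(rec: MftRecord):
    """Return the list of reasons this record looks stomped (empty if none)."""
    reasons = []
    # $FN creation is written when the file is created and is not reachable through
    # the user-mode API, so an $SI creation time that predates it is a strong indicator.
    # ($FN is rewritten on rename/move, so confirm against other evidence.)
    if rec.si_created < rec.fn_created:
        reasons.append("si_created earlier than fn_created")
    # Many stomping tools take second-granularity input and write a zero 100-ns
    # fraction; genuine NTFS timestamps almost never have an exactly zero fraction.
    if rec.si_created.microsecond == 0 and rec.fn_created.microsecond != 0:
        reasons.append("si_created has zeroed sub-second component")
    return reasons


def scan(records):
    """Map path -> indicators for every record that has at least one."""
    flagged = {}
    for rec in records:
        reasons = timestomp_indicators(rec)
        if reasons:
            flagged[rec.path] = reasons
    return flagged


# Constructed sample: one normal document, one binary back-dated to 2019 with a
# round timestamp, and one DLL whose $SI time is plausible but suspiciously round.
RECORDS = [
    MftRecord("C:\\Users\\alice\\report.docx",
              datetime(2024, 3, 10, 9, 15, 2, 481203),
              datetime(2024, 3, 10, 9, 15, 2, 481203)),
    MftRecord("C:\\Windows\\Temp\\svc.exe",
              datetime(2019, 1, 1, 0, 0, 0),
              datetime(2024, 3, 10, 14, 22, 31, 123456)),
    MftRecord("C:\\Windows\\Temp\\loader.dll",
              datetime(2024, 3, 10, 14, 22, 40, 0),
              datetime(2024, 3, 10, 14, 22, 35, 915001)),
]

if __name__ == "__main__":
    for path, reasons in scan(RECORDS).items():
        print(path, "->", "; ".join(reasons))
```

The two-timestamp comparison is what makes this workable in practice: an attacker who back-dates $SI to blend in with system files still leaves a $FN time from the real drop date.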
21. Which tool is essentially a suite of tools centered around a web proxy, used for manual web application security testing?
A. Burp Suite
B. Nmap
C. Snort
D. Nessus
Correct Answer: Burp Suite
Explanation: Burp Suite is a leading platform for web application testing, featuring an intercepting proxy to view and modify traffic, a scanner, and various other tools.
22. What is a False Negative in scanning results?
A. The scanner reports a vulnerability that exists.
B. The scanner reports a vulnerability that does not exist.
C. The scanner fails to identify a vulnerability that actually exists.
D. The scanner cannot connect to the host.
Correct Answer: The scanner fails to identify a vulnerability that actually exists.
Explanation: A False Negative is the more dangerous error: the tool misses a real vulnerability, giving the user a false sense of security.
23. Which scanning technique determines the operating system of the target by analyzing the TCP/IP stack implementation responses?
A. Banner Grabbing
B. OS Fingerprinting
C. Port Sweeping
D. Zone Transfer
Correct Answer: OS Fingerprinting
Explanation: OS Fingerprinting (e.g., nmap -O) analyzes subtle differences in how operating systems implement the TCP/IP stack (initial TTL, window size, TCP options ordering, etc.) to guess the OS.
24. To perform an 'Idle Scan' (zombie scan) with Nmap so that no probe packets are sent from the attacker's own IP to the target, which flag is used?
A. -sI
B. -sZ
C. -sA
D. -sN
Correct Answer: -sI
Explanation: -sI <zombie host> initiates an Idle Scan, which bounces probes off a third-party 'zombie' host and infers port state from changes in the zombie's IP ID counter. The target only ever sees the zombie's IP. The scan is not truly invisible: it requires a zombie with predictable, incrementing IP IDs that is otherwise idle, and the zombie itself receives the attacker's traffic.
25. When analyzing results, a vulnerability with a high CVSS score but no known exploit code is generally prioritized:
A. Higher than a low score vulnerability with an active exploit.
B. Lower than a medium score vulnerability with an active exploit being used in the wild.
C. As a False Positive.
D. As 'Informational' only.
Correct Answer: Lower than a medium score vulnerability with an active exploit being used in the wild.
Explanation: Risk = Likelihood x Impact. Even if the CVSS base score (Impact) is high, if there is no exploit (Likelihood is low), it is often lower priority than a medium-severity issue that is actively being exploited in the wild.
26. Which of the following is a method to cover tracks on a web server?
A. Using nmap -T4.
B. Modifying the User-Agent string to look like a standard browser.
C. Sending SQL injection queries.
D. Running ipconfig.
Correct Answer: Modifying the User-Agent string to look like a standard browser.
Explanation: Attackers often modify the HTTP User-Agent header (via tools or scripts) so that their requests blend in with normal user traffic in the web server logs, avoiding detection by log analyzers that flag scanner user agents.
27. Which mathematical expression gives the number of possible ports in a TCP/IP connection?
Correct Answer: 2^16 = 65,536
Explanation: TCP and UDP port numbers are 16-bit unsigned integers, giving a range from 0 to 65,535, i.e. 2^16 = 65,536 possibilities.
28. What is the primary function of the Common Vulnerabilities and Exposures (CVE) list?
A. To provide a dictionary of common names for publicly known cybersecurity vulnerabilities.
B. To provide a scoring system for severity.
C. To sell antivirus software.
D. To list all IP addresses of hackers.
Correct Answer: To provide a dictionary of common names for publicly known cybersecurity vulnerabilities.
Explanation: CVE is a list of entries, each containing an identification number, a description, and at least one public reference, for publicly known cybersecurity vulnerabilities. Severity scoring is CVSS, not CVE.
29. A scanner detects that http://target.com/admin returns a 200 OK status code without requiring a password. This is an example of:
A. Cross-Site Scripting (XSS)
B. Broken Access Control / Authentication Bypass
C. SQL Injection
D. Buffer Overflow
Correct Answer: Broken Access Control / Authentication Bypass
Explanation: If an administrative interface is reachable without credentials, the access control mechanism has failed (Authentication Bypass). Verify it manually before reporting: many applications return 200 OK with a login form or a client-side redirect, so a status code on its own can be a false positive.
30. Which Nmap scan type is characterized by sending packets with no flags set (Null scan)?
A. -sN
B. -sF
C. -sX
D. -sP
Correct Answer: -sN
Explanation: -sN performs a TCP Null scan, sending segments with all header flags set to zero. Per RFC 793 a closed port answers with RST while an open port silently drops the segment, so Nmap reports open|filtered; this lets the probe pass some stateless filters that only look for SYN. Windows and many Cisco devices send RST regardless of port state, so against them every port appears closed. (-sP is the old spelling of the -sn ping scan.)
31. Which tool is commonly used for automated SQL injection and database takeover during a vulnerability assessment?
A. Hydra
B. SQLMap
C. Wireshark
D. Aircrack-ng
Correct Answer: SQLMap
Explanation: SQLMap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.
32. In the context of evasion, what is Steganography?
A. Encrypting the hard drive.
B. Hiding data (or malicious code) within another file, such as an image or audio file.
C. Using a VPN.
D. Spoofing MAC addresses.
Correct Answer: Hiding data (or malicious code) within another file, such as an image or audio file.
Explanation: Steganography is the practice of concealing a file, message, image, or video within another file, message, image, or video, used to evade detection by DLP or antivirus.
33. Which component of the CVSS score is NOT constant and changes over time?
A. Base Score
B. Temporal Score
C. Vector String
D. Impact Subscore
Correct Answer: Temporal Score
Explanation: The Temporal Score changes over time based on factors outside the vulnerability itself: Exploit Code Maturity, Remediation Level (availability of a patch) and Report Confidence.
34. What is the specific drawback of running a UDP Scan (-sU) compared to a TCP scan?
A. It is always faster.
B. It is very slow because open ports often don't respond and closed ports send ICMP errors which are rate-limited.
C. It cannot detect open ports.
D. It requires authentication.
Correct Answer: It is very slow because open ports often don't respond and closed ports send ICMP errors which are rate-limited.
Explanation: UDP scanning is slow because an open UDP port usually ignores an empty probe (so Nmap reports open|filtered), while a closed port answers with ICMP Port Unreachable, which operating systems rate-limit (Linux allows roughly one per second). A full 65,535-port UDP scan of one host can therefore take many hours; -sV with protocol-specific payloads helps turn open|filtered into open.
35. A vulnerability report shows 'Apache 2.4.49' is running. This information was likely gathered via:
A. Heuristic Analysis
B. Service Banner Grabbing
C. Source Code Review
D. Social Engineering
Correct Answer: Service Banner Grabbing
Explanation: Banner grabbing involves connecting to a port and reading the initial text string (banner) or response header sent by the service, which often includes the software name and version. Banners are self-reported: they can be trimmed (e.g., Apache ServerTokens), faked, or describe a package whose fixes were backported, so version-based findings need verification.
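The following added example (not from the quiz, and not Nmap or Nessus code) grabs a banner over a TCP socket and extracts the product and version from it. Because it has to run offline, it also starts a constructed stand-in service on a loopback port that sends a constructed SSH-style banner; the banner text, product list and regular expression are assumptions for the example.

```python
"""Banner grabbing against a constructed loopback service, plus version extraction."""
import re
import socket
import threading

# Products whose banners put the version right after the name (assumed list for the example).
BANNER_RE = re.compile(r"(OpenSSH|Apache|nginx|ProFTPD)[/_ ]([0-9][\w.]*)")


def grab_banner(host: str, port: int, timeout: float = 2.0) -> str:
    """Connect and return whatever the service sends first (protocols like SSH/FTP/SMTP speak first)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(1024).decode("latin-1", errors="replace").strip()


def parse_version(banner: str):
    """Return (product, version) from a banner or HTTP Server header, or None.
    The result is only what the service claims about itself; treat it as a lead, not proof."""
    m = BANNER_RE.search(banner)
    return (m.group(1), m.group(2)) if m else None


def serve_banner_once(banner: bytes) -> int:
    """Constructed stand-in target: listen on an ephemeral loopback port, send one banner, close.
    Returns the port so the caller can connect to it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Grab the constructed banner and parse it; returns the (product, version) tuple."""
    port = serve_banner_once(b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n")
    return parse_version(grab_banner("127.0.0.1", port))


if __name__ == "__main__":
    print(demo())
```

For HTTP the client has to speak first (send a request and read the Server header), which is why Nmap's -sV carries a probe table per protocol rather than just reading.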
36. Which of the following is a technique to evade Network Access Control (NAC) by impersonating a printer or VoIP phone?
A. MAC Spoofing
B. IP Fragmentation
C. Null Scan
D. Cross-Site Scripting
Correct Answer: MAC Spoofing
Explanation: NAC systems often whitelist devices like printers or phones based on the Organizationally Unique Identifier (OUI) portion of their MAC address. Attackers spoof these MACs to bypass NAC.
37. What is the purpose of a Proxy Chain in the context of scanning and evasion?
A. To speed up the connection.
B. To route traffic through multiple intermediate servers to hide the attacker's true IP.
C. To decrypt SSL traffic.
D. To chain multiple exploits together.
Correct Answer: To route traffic through multiple intermediate servers to hide the attacker's true IP.
Explanation: Proxy chaining involves routing traffic through a sequence of proxy servers (e.g., Tor or SOCKS proxies) to obfuscate the origin of the scan.
38. Which logical vulnerability occurs when an application checks for a condition (like balance > 0) but the state changes before the action is completed?
A. Race Condition
B. SQL Injection
C. XSS
D. Path Traversal
Correct Answer: Race Condition
Explanation: A Race Condition (Time-of-Check to Time-of-Use, TOCTOU) occurs when critical data changes between the moment the application checks a condition and the moment it acts on the result.
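An added example of the check-then-act race the question describes (not from the quiz): two concurrent withdrawals of 80 from a balance of 100. The racy version checks the balance, then debits, with a window in between; the fixed version holds a lock across both steps. The barrier is a constructed device that makes the race deterministic so the outcome can be checked, standing in for the timing a real attacker gets by firing requests in parallel.

```python
"""TOCTOU race on an account balance: racy check-then-debit vs lock-protected debit."""
import threading


class Account:
    def __init__(self, balance: int):
        self.balance = balance


def racy_withdraw(acct: Account, amount: int, lock, gate) -> bool:
    """The bug: the check and the debit are separate, unsynchronised steps."""
    if acct.balance >= amount:      # time of check
        gate.wait()                 # constructed: both threads get past the check before either debits
        acct.balance -= amount      # time of use: the balance may no longer cover the amount
        return True
    gate.wait()                     # keep the barrier balanced even when the check fails
    return False


def safe_withdraw(acct: Account, amount: int, lock, gate) -> bool:
    """The fix: check and debit happen as one atomic step under the lock.
    (In a database this is a SELECT ... FOR UPDATE or a conditional UPDATE ... WHERE balance >= amount.)"""
    with lock:
        if acct.balance >= amount:
            acct.balance -= amount
            ok = True
        else:
            ok = False
    gate.wait()                     # outside the lock, only to line the two threads up
    return ok


def run_two(withdraw, start_balance: int = 100, amount: int = 80):
    """Run two concurrent withdrawals; return (final balance, sorted per-thread results)."""
    acct = Account(start_balance)
    gate = threading.Barrier(2, timeout=5)
    lock = threading.Lock()
    results = []

    def worker():
        results.append(withdraw(acct, amount, lock, gate))

    threads = [threading.Thread(target=worker) for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return acct.balance, sorted(results)


if __name__ == "__main__":
    print("racy:", run_two(racy_withdraw))   # both succeed, balance goes negative
    print("safe:", run_two(safe_withdraw))   # one succeeds, one is refused
```

Scanners cannot find this: every individual request is well-formed and the bug only exists in the relationship between two of them.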
39. In a vulnerability scan report, 'Severity' is usually a combination of:
A. Cost and Time
B. Impact and Likelihood
C. Source and Destination
D. TCP and UDP
Correct Answer: Impact and Likelihood
Explanation: Risk or Severity is conventionally calculated as Impact (damage caused) multiplied by Likelihood (probability of occurrence).
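Questions 8, 18, 25, 33 and 39 all touch the same scoring material, so one added example (not from the quiz or from FIRST's CVSS calculator) covers them: the CVSS v3.1 qualitative rating bands, parsing a base vector string to read metrics such as AC, and a prioritisation order that puts exploit availability ahead of the raw base score. The findings list is constructed; the exploit_public and exploited_in_wild fields are assumptions standing in for whatever threat-intelligence feed a team uses.

```python
"""CVSS v3.1 qualitative ratings, vector parsing and likelihood-aware prioritisation."""

# Lower bound of each CVSS v3.1 qualitative severity band, highest first.
CVSS31_RATINGS = (("Critical", 9.0), ("High", 7.0), ("Medium", 4.0), ("Low", 0.1), ("None", 0.0))


def qualitative_rating(base_score: float) -> str:
    """Map a 0.0-10.0 base score onto the CVSS v3.1 severity scale."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError(f"base score out of range: {base_score}")
    for name, floor in CVSS31_RATINGS:
        if base_score >= floor:
            return name
    return "None"


def parse_vector(vector: str) -> dict:
    """Turn 'CVSS:3.1/AV:N/AC:L/...' into {'AV': 'N', 'AC': 'L', ...}."""
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3."):
        raise ValueError("not a CVSS v3.x vector")
    return dict(part.split(":", 1) for part in parts[1:])


def prioritize(findings):
    """Order findings by likelihood first, impact second: actively exploited, then
    public exploit available, then base score. This is the Risk = Likelihood x Impact
    reasoning from the quiz; the base score alone is only the impact half."""
    return sorted(
        findings,
        key=lambda f: (f["exploited_in_wild"], f["exploit_public"], f["base_score"]),
        reverse=True,
    )


# Constructed findings (no real vulnerabilities): a critical with no exploit, a medium
# being exploited in the wild, and a high with a public but not yet weaponised exploit.
FINDINGS = [
    {"id": "F-1", "base_score": 9.8, "exploit_public": False, "exploited_in_wild": False},
    {"id": "F-2", "base_score": 6.5, "exploit_public": True, "exploited_in_wild": True},
    {"id": "F-3", "base_score": 7.5, "exploit_public": True, "exploited_in_wild": False},
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f["id"], f["base_score"], qualitative_rating(f["base_score"]))
    print(parse_vector("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H")["AC"])
```

The vector parser is what lets you answer question 18 programmatically: AC is just the metric under that key, and the Temporal metrics (E, RL, RC) from question 33 appear as extra keys when a vector carries them.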
40. Which type of scan focuses solely on identifying live hosts on a network range without checking for open ports?
A. Vulnerability Scan
B. Ping Sweep / Discovery Scan
C. Port Scan
D. Compliance Scan
Correct Answer: Ping Sweep / Discovery Scan
Explanation: A Discovery Scan (or Ping Sweep, e.g., nmap -sn 10.0.0.0/24) sends ICMP echo requests or similar probes to a range of IPs to determine which hosts are 'alive' before performing more intensive scans.
41. What is the function of the command rm ~/.bash_history?
A. It deletes the Linux kernel.
B. It deletes the user's command history file to hide executed commands.
C. It removes the bash shell.
D. It updates the system.
Correct Answer: It deletes the user's command history file to hide executed commands.
Explanation: This removes the file in which bash saves the user's command history, a common anti-forensics technique. Bash keeps the current session's history in memory and writes it out on exit, so the file reappears unless the attacker also runs history -c or unsets HISTFILE; the deletion itself is still visible to auditd or file-integrity monitoring.
42. Which tool would be best suited for analyzing the results of a vulnerability scan and prioritizing remediation based on asset value?
Correct Answer: A Vulnerability Management Platform (e.g., Tenable.sc)
Explanation: While Nmap and Netcat find information, vulnerability management platforms aggregate data across scans, add context (asset value, exposure), and help prioritize remediation.
43. If an attacker wants to scan a target behind a firewall that drops all incoming SYN packets, which scan might succeed by sending ACK packets to map firewall rules?
A. TCP ACK Scan (-sA)
B. TCP Connect Scan
C. Stealth Scan
D. Version Scan
Correct Answer: TCP ACK Scan (-sA)
Explanation: The ACK scan (-sA) is used to map firewall rule sets. It determines whether ports are filtered or unfiltered rather than open or closed: both open and closed ports reply to a bare ACK with RST, so a RST means the port is 'unfiltered' (a stateless filter let it through), while no response or an ICMP unreachable means 'filtered'.
44. What is a compliance scan?
A. A scan that checks if the system meets specific configuration standards (like PCI-DSS or CIS Benchmarks).
B. A scan that checks for malware.
C. A scan that is legally required every day.
D. A scan run by the government.
Correct Answer: A scan that checks if the system meets specific configuration standards (like PCI-DSS or CIS Benchmarks).
Explanation: Compliance scans (or configuration audits) check system settings (password policy, registry settings) against defined standards (PCI-DSS, HIPAA, CIS) rather than just looking for software bugs.
45. Which vulnerability arises from trusting user input without validation, allowing script execution in the victim's browser?
A. SQL Injection
B. Cross-Site Scripting (XSS)
C. Buffer Overflow
D. Man-in-the-Middle
Correct Answer: Cross-Site Scripting (XSS)
Explanation: XSS occurs when an application includes untrusted data in a web page without proper validation or output encoding, allowing attacker-supplied scripts to execute in the user's browser.
46. When covering tracks, why might an attacker use a Rootkit?
A. To crack passwords faster.
B. To maintain persistent, privileged access while hiding processes and files from the OS.
C. To scan the network faster.
D. To encrypt the data for ransom.
Correct Answer: To maintain persistent, privileged access while hiding processes and files from the OS.
Explanation: Rootkits modify the OS kernel or runtime libraries to hide the attacker's presence (processes, network connections, files) from standard system monitoring tools.
47. Which of the following describes Parameter Manipulation?
A. Changing the URL query string values (e.g., price=100 to price=1) to exploit logic.
B. Guessing passwords.
C. Flooding the network with packets.
D. Scanning for open ports.
Correct Answer: Changing the URL query string values (e.g., price=100 to price=1) to exploit logic.
Explanation: Parameter manipulation involves modifying data sent between the client and server (cookies, form fields, URL parameters) to change application behavior. Anything the client sends can be tampered with, so the server must not trust it for authorization or pricing decisions.
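Questions 14 (IDOR) and 47 (parameter manipulation) are the same root cause seen from two angles: the server trusts a client-controlled value. The added example below (not from the quiz or any framework) shows a vulnerable and a fixed request handler for each case. The bill store, catalogue, users and handler names are constructed for the example.

```python
"""IDOR and price-parameter tampering: vulnerable handlers beside their fixed versions."""

# Constructed server-side data: who owns which bill, and what things really cost.
BILLS = {
    1001: {"owner": "alice", "amount": 42.0},
    1002: {"owner": "bob", "amount": 17.5},
}
CATALOG = {"widget": 100.0, "gadget": 250.0}


class NotFound(Exception):
    pass


def parse_bill_id(raw: str) -> int:
    """Server-side validation of the URL parameter (e.g. ?id=1002). Validation alone
    does not fix IDOR: 1002 is a perfectly valid id, it just belongs to someone else."""
    if not raw.isdigit():
        raise ValueError("bill id must be a positive integer")
    return int(raw)


def get_bill_vulnerable(session_user: str, bill_id: int) -> dict:
    """IDOR: checks that the bill exists, never that it belongs to the caller."""
    bill = BILLS.get(bill_id)
    if bill is None:
        raise NotFound
    return bill


def get_bill_fixed(session_user: str, bill_id: int) -> dict:
    """Authorization check tied to the authenticated session, not to the id in the URL.
    Missing and not-yours return the same error so the id space cannot be enumerated."""
    bill = BILLS.get(bill_id)
    if bill is None or bill["owner"] != session_user:
        raise NotFound
    return bill


def raises_not_found(handler, session_user: str, bill_id: int) -> bool:
    """Helper for checking the fixed handler's behaviour without try/except in callers."""
    try:
        handler(session_user, bill_id)
    except NotFound:
        return True
    return False


def checkout_vulnerable(item: str, client_price: str) -> float:
    """Logic flaw from question 47: the price is whatever the client said (price=100 -> price=1)."""
    if item not in CATALOG:
        raise KeyError(item)
    return float(client_price)


def checkout_fixed(item: str, client_price: str) -> float:
    """The client-supplied price is ignored; the server looks the price up itself.
    The parameter is kept in the signature only to show the same request being handled."""
    return CATALOG[item]


if __name__ == "__main__":
    print(get_bill_vulnerable("alice", parse_bill_id("1002")))  # alice reads bob's bill
    print(raises_not_found(get_bill_fixed, "alice", 1002))     # True: refused
    print(checkout_vulnerable("widget", "1"), checkout_fixed("widget", "1"))
```

Neither flaw produces an error signature: the vulnerable handlers return perfectly valid 200 responses, which is why question 5 says scanners miss them.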
48. In Nmap, what does the flag -p- denote?
A. Scan only popular ports.
B. Scan all 65,535 ports.
C. Scan no ports (Ping only).
D. Scan ports 1-1024.
Correct Answer: Scan all 65,535 ports.
Explanation: The -p- flag tells Nmap to scan every TCP port from 1 to 65,535, rather than just the default top 1,000 most common ports (port 0 is only included with -p0-).
49. Which tool is primarily a framework for developing and executing exploit code against a remote target machine?
A. Metasploit Framework
B. Nessus
C. Wireshark
D. John the Ripper
Correct Answer: Metasploit Framework
Explanation: Metasploit is the most widely used framework for exploit development and execution. While it includes auxiliary scanning modules, its primary purpose is exploitation.
50. During scanning, what is the 'Christmas Tree' scan (-sX)?
A. A scan sent only on holidays.
B. A scan with the FIN, URG, and PSH flags set to 'on'.
C. A scan that uses red and green packets.
D. A scan that logs all data.
Correct Answer: A scan with the FIN, URG, and PSH flags set to 'on'.
Explanation: A Xmas scan (-sX) sets the FIN, URG and PSH flags, so the packet is 'lit up like a Christmas tree'. Like the Null and FIN scans it relies on the RFC 793 rule that closed ports answer RST while open ports drop unexpected segments, so results are reported as closed or open|filtered, and it fails against stacks (notably Windows) that send RST for every port.