1Which of the following creates a 'half-open' connection to determine if a port is open, making it less likely to be logged by the target system?
A.UDP Scan (-sU)
B.Ping Scan (-sn)
C.TCP SYN Scan (-sS)
D.TCP Connect Scan (-sT)
Correct Answer: TCP SYN Scan (-sS)
Explanation:
A TCP SYN scan (-sS) sends a SYN packet and waits for a SYN-ACK. If received, it sends a RST immediately instead of an ACK, never completing the 3-way handshake. This is often called 'half-open' scanning and is stealthier than a full TCP Connect scan.
Incorrect! Try again.
2When analyzing vulnerability scan results, what is a False Positive?
A.The scanner identifies a vulnerability that does not actually exist.
B.The scanner crashes the target service.
C.The scanner fails to identify an existing vulnerability.
D.The scanner correctly identifies a critical vulnerability.
Correct Answer: The scanner identifies a vulnerability that does not actually exist.
Explanation:
A False Positive occurs when the scanning tool reports a vulnerability (e.g., based on a version banner) that is not actually exploitable or present on the target system.
Incorrect! Try again.
3Which open-source vulnerability scanner was originally a fork of the last open-source version of Nessus?
A.Nexpose
B.Burp Suite
C.OpenVAS
D.Qualys
Correct Answer: OpenVAS
Explanation:
OpenVAS (Open Vulnerability Assessment System) began as a fork of Nessus when Nessus moved to a proprietary license model.
Incorrect! Try again.
4In the context of Nmap timing templates used for evasion, which flag represents 'Paranoid' mode, sending packets very slowly to evade IDS?
A.-T5
B.-T1
C.-T3
D.-T0
Correct Answer: -T0
Explanation:
Nmap offers timing templates from -T0 to -T5. -T0 (Paranoid) is the slowest, waiting minutes between probes to evade Intrusion Detection Systems (IDS).
Incorrect! Try again.
5Why are automated scanners generally poor at detecting Business Logic Vulnerabilities?
A.Logic flaws are only found in compiled code, not web apps.
B.Logic flaws depend on context and intended workflow, not syntax errors.
C.Scanners do not support HTTP POST requests.
D.Scanners cannot decrypt SSL/TLS traffic.
Correct Answer: Logic flaws depend on context and intended workflow, not syntax errors.
Explanation:
Automated scanners look for technical signatures (like SQL syntax errors). Business logic flaws (e.g., buying an item for $0.00$) require understanding the human context of the application, which tools lack.
Incorrect! Try again.
6Which command allows an attacker to clear the command history in a Linux environment to cover tracks?
A.history -c
B.cat /dev/null
C.clear
D.ls -la
Correct Answer: history -c
Explanation:
The command history -c clears the history list of the current shell session, helping to cover tracks.
Incorrect! Try again.
7What is the primary difference between a Credentialed Scan and a Non-Credentialed Scan?
A.Non-credentialed scans can read the registry and configuration files.
B.Credentialed scans are illegal.
C.Non-credentialed scans are faster but cause more network traffic.
D.Credentialed scans log in to the system to audit local settings and patches.
Correct Answer: Credentialed scans log in to the system to audit local settings and patches.
Explanation:
A credentialed (authenticated) scan uses a valid username/password to log into the target, allowing it to inspect the registry, file versions, and configuration settings accurately. Non-credentialed scans only see what is exposed to the network.
Incorrect! Try again.
8Which CVSS v3.1 score range represents a Critical severity vulnerability?
A.
B.
C.
D.
Correct Answer:
Explanation:
According to the Common Vulnerability Scoring System (CVSS) v3.1, a base score of to is classified as Critical.
Incorrect! Try again.
9Which Nmap technique involves sending packets from the attacker's IP mixed with packets from other spoofed IP addresses to confuse the target's IDS/Firewall?
A.MAC Address Spoofing (--spoof-mac)
B.Decoy Scanning (-D)
C.Packet Fragmentation (-f)
D.Source Port Manipulation (--source-port)
Correct Answer: Decoy Scanning (-D)
Explanation:
The -D option allows the user to specify decoy IP addresses. The target sees scans coming from multiple IPs, making it difficult to determine which one is the real attacker.
Incorrect! Try again.
10Which tool is specifically designed for scanning web servers for dangerous files, outdated server software, and default configuration problems?
A.Wireshark
B.Nikto
C.John the Ripper
D.Kismet
Correct Answer: Nikto
Explanation:
Nikto is a dedicated web server scanner that tests for thousands of dangerous files, outdated server versions, and specific server-related problems.
Incorrect! Try again.
11An attacker changes the source port of their packets to 53. What evasion technique is this, and why might it work?
A.Timing attack; it speeds up the scan.
B.Fragmentation; it splits the header.
C.Source Port Manipulation; firewalls may trust traffic from DNS ports.
D.Decoy scanning; it hides the IP address.
Correct Answer: Source Port Manipulation; firewalls may trust traffic from DNS ports.
Explanation:
By using --source-port 53 (DNS), an attacker attempts to bypass firewall rules that might allow incoming traffic if it appears to originate from a trusted service like DNS.
Incorrect! Try again.
12In a vulnerability assessment, what does deduplication refer to?
A.Running the scan twice to ensure accuracy.
B.Consolidating multiple reports of the same vulnerability on the same host into a single finding.
C.Removing critical vulnerabilities from the report.
D.Copying the report to multiple servers.
Correct Answer: Consolidating multiple reports of the same vulnerability on the same host into a single finding.
Explanation:
Deduplication is the process of grouping identical findings (e.g., the same missing patch detected on multiple ports or by multiple plug-ins) to reduce report noise.
Incorrect! Try again.
13What is the purpose of Packet Fragmentation (-f) in Nmap during a scan?
A.To increase scanning speed.
B.To split TCP headers into smaller fragments to bypass packet filters/firewalls.
C.To corrupt the target file system.
D.To verify the MTU size of the network.
Correct Answer: To split TCP headers into smaller fragments to bypass packet filters/firewalls.
Explanation:
Fragmentation splits the IP packet into smaller pieces. This can evade firewalls or IDSs that do not reassemble packets before inspecting them, as the malicious signature might be split across packets.
Incorrect! Try again.
14Which of the following is considered a Logical Vulnerability?
A.Using an outdated version of Apache.
B.Buffer Overflow in the search parameter.
C.Missing X-Frame-Options header.
D.Insecure Direct Object Reference (IDOR) allowing access to another user's bill.
Correct Answer: Insecure Direct Object Reference (IDOR) allowing access to another user's bill.
Explanation:
IDOR is a logic flaw where the application fails to verify if the user is authorized to access a specific object (like a bill ID) simply because they changed the ID number in the URL.
Incorrect! Try again.
15Which Windows command is used to manipulate or clear event logs?
A.netstat
B.rm -rf
C.wevtutil
D.chmod
Correct Answer: wevtutil
Explanation:
wevtutil is a Windows command-line utility that enables administrators (or attackers) to retrieve information about event logs and publishers, and to clear logs (e.g., wevtutil cl System).
Incorrect! Try again.
16What is the difference between a Vulnerability Scan and a Penetration Test?
A.A scan is more expensive than a pentest.
B.A scan is automated and identifies potential issues; a pentest involves manual exploitation to verify risks.
C.A scan is manual; a pentest is automated.
D.They are exactly the same.
Correct Answer: A scan is automated and identifies potential issues; a pentest involves manual exploitation to verify risks.
Explanation:
Vulnerability scanning is generally an automated process to identify known weaknesses. Penetration testing simulates a real-world attack, including exploitation, lateral movement, and chaining vulnerabilities.
Incorrect! Try again.
17Which specific Nmap script engine (NSE) category is safe to run on a production network without likely causing a crash?
A.safe
B.vuln
C.dos
D.exploit
Correct Answer: safe
Explanation:
The safe category in Nmap NSE includes scripts that are not designed to crash services, use large amounts of bandwidth, or exploit holes.
Incorrect! Try again.
18When interpreting vulnerability data, which metric defines the complexity required to exploit the vulnerability?
A.Attack Vector (AV)
B.User Interaction (UI)
C.Attack Complexity (AC)
D.Privileges Required (PR)
Correct Answer: Attack Complexity (AC)
Explanation:
In CVSS, Attack Complexity (AC) describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability (Low or High).
Incorrect! Try again.
19Which scan type is most likely to cause a Denial of Service (DoS) on unstable legacy equipment?
A.Intrusive / Aggressive scan
B.Host discovery
C.Discovery scan
D.Passive sniffing
Correct Answer: Intrusive / Aggressive scan
Explanation:
Intrusive scans that probe for buffer overflows or send malformed packets to check for vulnerabilities can crash fragile or legacy services.
Incorrect! Try again.
20In the context of covering tracks, what is Time Stomping?
A.Running a scan at 3:00 AM.
B.Deleting the time server.
C.Slowing down the CPU.
D.Modifying the timestamp (access, modify, create) of a file to hide when it was used.
Correct Answer: Modifying the timestamp (access, modify, create) of a file to hide when it was used.
Explanation:
Time Stomping involves altering the metadata (MACE - Modify, Access, Create, Entry) timestamps of files to hide the fact that they were uploaded or executed during the attack window.
Incorrect! Try again.
21Which tool is essentially a suite of tools centered around a web proxy, used for manual web application security testing?
A.Nessus
B.Burp Suite
C.Nmap
D.Snort
Correct Answer: Burp Suite
Explanation:
Burp Suite is a leading platform for web app testing, featuring a proxy to intercept/modify traffic, a scanner, and various other tools.
Incorrect! Try again.
22What is a False Negative in scanning results?
A.The scanner fails to identify a vulnerability that actually exists.
B.The scanner reports a vulnerability that does not exist.
C.The scanner reports a vulnerability that exists.
D.The scanner cannot connect to the host.
Correct Answer: The scanner fails to identify a vulnerability that actually exists.
Explanation:
A False Negative is a dangerous error where the tool misses a real vulnerability, giving the user a false sense of security.
Incorrect! Try again.
23Which scanning technique determines the operating system of the target by analyzing the TCP/IP stack implementation responses?
A.Port Sweeping
B.Banner Grabbing
C.OS Fingerprinting
D.Zone Transfer
Correct Answer: OS Fingerprinting
Explanation:
OS Fingerprinting (e.g., Nmap -O) analyzes subtle differences in how operating systems implement the TCP/IP stack (TTL values, window sizes, etc.) to guess the OS.
Incorrect! Try again.
24To perform an 'Idle Scan' (zombie scan) using Nmap to stay completely invisible, which flag is used?
A.-sA
B.-sI
C.-sZ
D.-sN
Correct Answer: -sI
Explanation:
The -sI flag initiates an Idle Scan, which uses a zombie host to probe the target, ensuring no packets are sent directly from the attacker's IP to the target.
Incorrect! Try again.
25When analyzing results, a vulnerability with a high CVSS score but no known exploit code is generally prioritized:
A.As 'Informational' only.
B.Lower than a medium score vulnerability with an active exploit being used in the wild.
C.As a False Positive.
D.Higher than a low score vulnerability with an active exploit.
Correct Answer: Lower than a medium score vulnerability with an active exploit being used in the wild.
Explanation:
Risk = Likelihood x Impact. Even if the CVSS (Impact) is high, if there is no exploit (Likelihood is low), it is often lower priority than a medium issue that is actively being exploited in the wild.
Incorrect! Try again.
26Which of the following is a method to cover tracks on a web server?
A.Sending SQL injection queries.
B.Running ipconfig.
C.Modifying the User-Agent string to look like a standard browser.
D.Using nmap -T4.
Correct Answer: Modifying the User-Agent string to look like a standard browser.
Explanation:
Attackers often modify the HTTP User-Agent header (via tools or scripts) to blend in with normal user traffic in the web server logs, avoiding detection by log analyzers.
Incorrect! Try again.
27Which mathematical equation represents the number of possible ports in a TCP/IP connection?
A.
B.
C.
D.
Correct Answer:
Explanation:
TCP and UDP ports are 16-bit unsigned integers, resulting in a range from 0 to 65,535, or possibilities.
Incorrect! Try again.
28What is the primary function of the Common Vulnerabilities and Exposures (CVE) list?
A.To provide a dictionary of common names for publicly known cybersecurity vulnerabilities.
B.To provide a scoring system for severity.
C.To sell antivirus software.
D.To list all IP addresses of hackers.
Correct Answer: To provide a dictionary of common names for publicly known cybersecurity vulnerabilities.
Explanation:
CVE is a list of entries—each containing an identification number, a description, and at least one public reference—for publicly known cybersecurity vulnerabilities.
Incorrect! Try again.
29A scanner detects that http://target.com/admin returns a 200 OK status code without requiring a password. This is an example of:
A.Broken Access Control / Authentication Bypass
B.Cross-Site Scripting (XSS)
C.SQL Injection
D.Buffer Overflow
Correct Answer: Broken Access Control / Authentication Bypass
Explanation:
If an administrative interface is accessible without credentials, it is a failure of access control mechanisms (Authentication Bypass).
Incorrect! Try again.
30Which Nmap scan type is characterized by sending packets with no flags set (Null scan)?
A.-sX
B.-sP
C.-sF
D.-sN
Correct Answer: -sN
Explanation:
The -sN flag performs a TCP Null scan, sending a packet with the header flags all set to zero (0). It is used to bypass certain filtering rules.
Incorrect! Try again.
31Which tool is commonly used for automated SQL injection and database takeover during a vulnerability scan?
A.Aircrack-ng
B.SQLMap
C.Hydra
D.Wireshark
Correct Answer: SQLMap
Explanation:
SQLMap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.
Incorrect! Try again.
32In the context of evasion, what is Steganography?
A.Using a VPN.
B.Hiding data (or malicious code) within another file, such as an image or audio file.
C.Encrypting the hard drive.
D.Spoofing MAC addresses.
Correct Answer: Hiding data (or malicious code) within another file, such as an image or audio file.
Explanation:
Steganography is the practice of concealing a file, message, image, or video within another file, message, image, or video, used to evade detection by DLP or antivirus.
Incorrect! Try again.
33Which component of the CVSS score is NOT constant and changes over time?
A.Impact Subscore
B.Base Score
C.Temporal Score
D.Vector String
Correct Answer: Temporal Score
Explanation:
The Temporal Score changes over time based on factors outside the vulnerability itself, such as the availability of exploit code, the existence of a patch, or the confidence in the vulnerability report.
Incorrect! Try again.
34What is the specific risk of running a UDP Scan (-sU) compared to a TCP scan?
A.It is always faster.
B.It cannot detect open ports.
C.It is incredibly slow because open ports often don't respond and closed ports send ICMP errors which are rate-limited.
D.It requires authentication.
Correct Answer: It is incredibly slow because open ports often don't respond and closed ports send ICMP errors which are rate-limited.
Explanation:
UDP scanning is slow because open UDP ports rarely send a response (empty packet), and closed ports send ICMP Port Unreachable messages, which OSs rate-limit (e.g., 1 per second).
Incorrect! Try again.
35A vulnerability report shows 'Apache 2.4.49' is running. This information was likely gathered via:
A.Heuristic Analysis
B.Service Banner Grabbing
C.Social Engineering
D.Source Code Review
Correct Answer: Service Banner Grabbing
Explanation:
Banner grabbing involves connecting to a port and reading the initial text string (banner) sent by the service, which often includes the software name and version.
Incorrect! Try again.
36Which of the following is a technique to evade Network Access Control (NAC) by impersonating a printer or VoIP phone?
A.MAC Spoofing
B.Null Scan
C.Cross-Site Scripting
D.IP Fragmentation
Correct Answer: MAC Spoofing
Explanation:
NAC systems often whitelist devices like printers or phones based on their MAC address Organizationally Unique Identifier (OUI). Attackers spoof these MACs to bypass NAC.
Incorrect! Try again.
37What is the purpose of a Proxy Chain in the context of scanning and evasion?
A.To speed up the connection.
B.To decrypt SSL traffic.
C.To chain multiple exploits together.
D.To route traffic through multiple intermediate servers to hide the attacker's true IP.
Correct Answer: To route traffic through multiple intermediate servers to hide the attacker's true IP.
Explanation:
Proxy chaining involves routing traffic through a sequence of proxy servers (e.g., Tor or SOCKS proxies) to obfuscate the origin of the scan.
Incorrect! Try again.
38Which logical vulnerability occurs when an application checks for a condition (like balance > 0) but the state changes before the action is completed?
A.XSS
B.SQL Injection
C.Race Condition
D.Path Traversal
Correct Answer: Race Condition
Explanation:
A Race Condition (Time-of-Check to Time-of-Use) occurs when critical data changes between the moment the application checks a condition and the moment it uses the result.
Incorrect! Try again.
39In a vulnerability scan report, 'Severity' is usually a combination of:
A.Cost and Time
B.Source and Destination
C.TCP and UDP
D.Impact and Likelihood
Correct Answer: Impact and Likelihood
Explanation:
Risk or Severity is standardly calculated as the Impact (damage caused) multiplied by the Likelihood (probability of occurrence).
Incorrect! Try again.
40Which type of scan focuses solely on identifying live hosts on a network range without checking for open ports?
A.Port Scan
B.Ping Sweep / Discovery Scan
C.Compliance Scan
D.Vulnerability Scan
Correct Answer: Ping Sweep / Discovery Scan
Explanation:
A Discovery Scan (or Ping Sweep) sends ICMP (or similar) packets to a range of IPs to determine which hosts are 'alive' (online) before performing more intensive scans.
Incorrect! Try again.
41What is the function of the command rm ~/.bash_history?
A.It removes the bash shell.
B.It deletes the user's command history file to hide executed commands.
C.It deletes the Linux kernel.
D.It updates the system.
Correct Answer: It deletes the user's command history file to hide executed commands.
Explanation:
This command removes the file that stores the history of commands typed by the user in the bash shell, a common anti-forensics technique.
Incorrect! Try again.
42Which tool would be best suited for analyzing the results of a vulnerability scan and prioritizing remediation based on asset value?
Correct Answer: A Vulnerability Management Platform (e.g., Tenable.sc)
Explanation:
While Nmap and Netcat find information, Management Platforms aggregate data, add context (asset value), and help prioritize remediation.
Incorrect! Try again.
43If an attacker wants to scan a target behind a firewall that drops all incoming SYN packets, which scan might succeed by sending ACK packets to map firewall rules?
A.Stealth Scan
B.Version Scan
C.TCP ACK Scan (-sA)
D.TCP Connect Scan
Correct Answer: TCP ACK Scan (-sA)
Explanation:
The ACK scan (-sA) is used to map out firewall sets. It determines if ports are filtered or unfiltered rather than open or closed. If a packet gets through, the port is 'unfiltered'.
Incorrect! Try again.
44What is a compliance scan?
A.A scan that checks if the system meets specific configuration standards (like PCI-DSS or CIS Benchmarks).
B.A scan run by the government.
C.A scan that checks for malware.
D.A scan that is legally required every day.
Correct Answer: A scan that checks if the system meets specific configuration standards (like PCI-DSS or CIS Benchmarks).
Explanation:
Compliance scans (or configuration audits) check system settings (password policy, registry settings) against defined standards (PCI-DSS, HIPAA, CIS) rather than just looking for software bugs.
Incorrect! Try again.
45Which vulnerability arises from trusting user input without validation, allowing script execution in the victim's browser?
A.Cross-Site Scripting (XSS)
B.SQL Injection
C.Man-in-the-Middle
D.Buffer Overflow
Correct Answer: Cross-Site Scripting (XSS)
Explanation:
XSS occurs when an application includes untrusted data in a web page without proper validation or escaping, allowing scripts to execute in the user's browser.
Incorrect! Try again.
46When covering tracks, why might an attacker use a Rootkit?
A.To scan the network faster.
B.To crack passwords faster.
C.To encrypt the data for ransom.
D.To maintain persistent, privileged access while hiding processes and files from the OS.
Correct Answer: To maintain persistent, privileged access while hiding processes and files from the OS.
Explanation:
Rootkits modify the OS kernel or runtime libraries to hide the attacker's presence (processes, network connections, files) from standard system monitoring tools.
Incorrect! Try again.
47Which of the following describes Parameter Manipulation?
A.Flooding the network with packets.
B.Guessing passwords.
C.Changing the URL query string values (e.g., price=100 to price=1) to exploit logic.
D.Scanning for open ports.
Correct Answer: Changing the URL query string values (e.g., price=100 to price=1) to exploit logic.
Explanation:
Parameter manipulation involves modifying data sent between the client and server (cookies, form fields, URL parameters) to change application behavior.
Incorrect! Try again.
48In Nmap, what does the flag -p- denote?
A.Scan only popular ports.
B.Scan all 65,535 ports.
C.Scan ports 1-1024.
D.Scan no ports (Ping only).
Correct Answer: Scan all 65,535 ports.
Explanation:
The -p- flag tells Nmap to scan every possible TCP port from 1 to 65,535, rather than just the top 1,000 common ports.
Incorrect! Try again.
49Which tool is primarily a framework for developing and executing exploit code against a remote target machine?
A.Metasploit Framework
B.Nessus
C.John the Ripper
D.Wireshark
Correct Answer: Metasploit Framework
Explanation:
Metasploit is the most widely used framework for exploit development and execution. While it can scan, its primary purpose is exploitation.
Incorrect! Try again.
50During scanning, what is the 'Christmas Tree' scan (-sX)?
A.A scan that logs all data.
B.A scan that uses red and green packets.
C.A scan sent only on holidays.
D.A scan with the FIN, URG, and PSH flags set to 'on'.
Correct Answer: A scan with the FIN, URG, and PSH flags set to 'on'.
Explanation:
A Xmas scan (-sX) sets the FIN, URG, and PSH flags. It is called this because the packet is 'lit up like a Christmas tree'. It exploits RFC compliance details to determine port status.