1Which cryptographic technique involves adding a random string of characters to a password before hashing it to defend against rainbow table attacks?
A.Padding
B.Stretching
C.Peppering
D.Salting
Correct Answer: Salting
Explanation:
Salting involves appending a unique, random string (the salt) to the password before hashing: . This ensures that identical passwords have different hashes, rendering pre-computed rainbow tables ineffective.
Incorrect! Try again.
2In the context of Windows password cracking, why is the LM (LAN Manager) hash considered significantly weaker than NTLM?
A.It splits the password into two 7-character chunks.
B.It supports passwords up to 128 characters.
C.It is salted by default.
D.It uses AES encryption.
Correct Answer: It splits the password into two 7-character chunks.
Explanation:
The LM hash converts the password to uppercase, pads it to 14 characters, and splits it into two 7-character blocks. Each block is hashed separately, making it trivial to brute-force compared to hashing the full string.
Incorrect! Try again.
3What is the primary purpose of a 'Rainbow Table' in password cracking?
A.To encrypt passwords using a reversible algorithm.
B.To offer a time-memory trade-off for faster hash lookup.
C.To salt hashes automatically.
D.To perform an online brute force attack.
Correct Answer: To offer a time-memory trade-off for faster hash lookup.
Explanation:
Rainbow tables are pre-computed tables of hash chains used to reverse cryptographic hash functions. They trade storage space (memory) for reduced computational time when cracking hashes.
Incorrect! Try again.
4Which command is used in Linux to list all users currently on the system?
A.cat /etc/passwd
B.ls /home
C.net user
D.cat /etc/shadow
Correct Answer: cat /etc/passwd
Explanation:
The /etc/passwd file contains the list of system users and their attributes. While /etc/shadow contains passwords, it requires root privileges and is not the primary method just for listing user accounts.
Incorrect! Try again.
5During a system hacking engagement, an attacker gains access to a machine but has limited privileges. The attacker uses a kernel vulnerability to gain root access. What is this process called?
A.Pivoting
B.Vertical Privilege Escalation
C.Lateral Movement
D.Horizontal Privilege Escalation
Correct Answer: Vertical Privilege Escalation
Explanation:
Vertical Privilege Escalation (PrivEsc) is the act of moving from a lower-privileged user account to a higher-privileged one (e.g., User to Admin/Root) on the same system.
Incorrect! Try again.
6Which of the following is a specific type of attack where a hacker hides malicious code inside a legitimate file or program?
A.Wrappers/Binders
B.Rootkit
C.Polymorphism
D.Steganography
Correct Answer: Wrappers/Binders
Explanation:
Wrappers (or binders) are programs used to combine a malicious executable (payload) with a legitimate legitimate executable (carrier), such that both run when the user clicks the file.
Incorrect! Try again.
7In the context of Reverse Engineering, what is the function of a Disassembler?
A.It modifies the source code dynamically.
B.It executes the code step-by-step.
C.It converts machine code into assembly language.
D.It converts high-level code to machine code.
Correct Answer: It converts machine code into assembly language.
Explanation:
A disassembler translates binary machine code (0s and 1s) back into assembly language mnemonics (like MOV, JMP, POP) for analysis.
Incorrect! Try again.
8Which hexadecimal value represents the NOP (No Operation) instruction in x86 architecture, often used in buffer overflow exploits?
A.0xFF
B.0x80
C.0x00
D.0x90
Correct Answer: 0x90
Explanation:
The opcode 0x90 represents the NOP instruction on x86 processors. Attackers use a 'NOP Sled' to guide the execution flow towards their shellcode.
Incorrect! Try again.
9What is the primary characteristic of a Reverse Shell?
A.The attacker connects to the victim's listening port.
B.The victim machine initiates a connection back to the attacker's machine.
C.It only works over UDP.
D.It requires the victim to have a public IP address.
Correct Answer: The victim machine initiates a connection back to the attacker's machine.
Explanation:
In a reverse shell, the target system executes code that connects back to the attacker's listening port. This is often used to bypass firewalls that block incoming connections but allow outgoing traffic.
Incorrect! Try again.
10Which tool is commonly used to extract passwords and hashes from memory (LSASS) on a Windows system?
A.Nmap
B.Mimikatz
C.John the Ripper
D.Wireshark
Correct Answer: Mimikatz
Explanation:
Mimikatz is a post-exploitation tool that dumps passwords, hashes, PINs, and Kerberos tickets from memory (specifically the Local Security Authority Subsystem Service - LSASS).
Incorrect! Try again.
11In Linux Privilege Escalation, what does the SUID bit allow?
A.It allows the file to run automatically at startup.
B.It makes the file hidden.
C.It prevents the file from being deleted.
D.It allows a user to execute a file with the permissions of the file owner.
Correct Answer: It allows a user to execute a file with the permissions of the file owner.
Explanation:
SUID (Set User ID) allows a file to be executed with the privileges of the owner (often root), rather than the user running it. If a vulnerable binary has the SUID bit set, it can lead to privilege escalation.
Incorrect! Try again.
12Which Windows command is used to manipulate file attributes to hide files as part of maintaining persistence?
A.attrib +h file.txt
B.chmod +h file.txt
C.chown hidden file.txt
D.hide file.txt
Correct Answer: attrib +h file.txt
Explanation:
The attrib command in Windows allows users to change file attributes. The +h flag sets the 'Hidden' attribute.
Incorrect! Try again.
13What is DLL Hijacking?
A.Replacing a legitimate DLL with a malicious one in a directory searched by the application.
B.Deleting system DLLs to cause a crash.
C.Decrypting a DLL file.
D.Injecting code into a running process.
Correct Answer: Replacing a legitimate DLL with a malicious one in a directory searched by the application.
Explanation:
DLL Hijacking exploits the search order used by Windows to load Dynamic Link Libraries. If an attacker places a malicious DLL in a directory searched before the system directory, the application loads the malicious code.
Incorrect! Try again.
14Which type of rootkit operates at the same privilege level as the Operating System kernel (Ring 0)?
A.Library-level Rootkit
B.User-mode Rootkit
C.Kernel-mode Rootkit
D.Application-level Rootkit
Correct Answer: Kernel-mode Rootkit
Explanation:
Kernel-mode rootkits run in Ring 0 (the highest privilege level). They can intercept system calls and manipulate kernel data structures, making them extremely difficult to detect and remove.
Incorrect! Try again.
15Which Python library is most frequently used for network interaction and crafting custom packets in scripting exploits?
A.Pandas
B.Scapy
C.Matplotlib
D.NumPy
Correct Answer: Scapy
Explanation:
Scapy is a powerful interactive packet manipulation program in Python. It is used to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more.
Incorrect! Try again.
16When analyzing exploit code, what is the purpose of the payload?
A.To find the vulnerability.
B.To encrypt the connection.
C.To crash the service.
D.The code that runs on the target system after exploitation.
Correct Answer: The code that runs on the target system after exploitation.
Explanation:
The payload is the actual malicious code (e.g., a reverse shell, a user creation script) that is executed once the vulnerability has been successfully exploited.
Incorrect! Try again.
17What is the specific vulnerability related to 'Unquoted Service Paths' in Windows?
A.Services running as LocalSystem.
B.Services that cannot be stopped.
C.Services running without a password.
D.Paths containing spaces not enclosed in quotes allow execution of arbitrary executables.
Correct Answer: Paths containing spaces not enclosed in quotes allow execution of arbitrary executables.
Explanation:
If a service path contains spaces (e.g., C:\Program Files\My Service\service.exe) and is unquoted, Windows might try to execute C:\Program.exe. Attackers can place a malicious executable named Program.exe to escalate privileges.
Incorrect! Try again.
18Which Linux command helps identify commands a user can run as another user (often root) without a password?
A.su root
B.cat /etc/sudoers
C.sudo -l
D.whoami
Correct Answer: sudo -l
Explanation:
The sudo -l command lists the allowed (and forbidden) commands for the invoking user on the current host, which is crucial for identifying misconfigurations for privilege escalation.
Incorrect! Try again.
19What does the technique Steganography entail?
A.Cracking passwords using GPU.
B.Intercepting network traffic.
C.Flooding a server with requests.
D.Hiding data within another file, such as an image or audio file.
Correct Answer: Hiding data within another file, such as an image or audio file.
Explanation:
Steganography is the art and science of hiding information by embedding messages within other, seemingly harmless messages or media (like modifying the Least Significant Bit of image pixels).
Incorrect! Try again.
20Which Metasploit payload executes a payload within the memory of the compromised process without writing to the disk?
A.Meterpreter
B.Command Shell
C.VNC Inject
D.Bind Shell
Correct Answer: Meterpreter
Explanation:
Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection. It resides entirely in memory and writes nothing to the disk, helping avoid antivirus detection.
Incorrect! Try again.
21In a brute-force attack, if the password length is and the character set size is , what is the complexity of the attack?
A.
B.
C.
D.
Correct Answer:
Explanation:
The total number of possible combinations for a password of length using a character set of size is calculated as ( times), which is .
Incorrect! Try again.
22Which registry key is commonly targeted for maintaining persistence on Windows so that malware runs on user login?
The Run and RunOnce registry keys define programs that execute automatically when a user logs in. Attackers add entries here to ensure their malware survives reboots.
Incorrect! Try again.
23What is NTFS Data Hiding using Alternate Data Streams (ADS)?
A.Moving files to a hidden partition.
B.Deleting the file allocation table.
C.Hiding a file inside another file's metadata stream on NTFS filesystems.
D.Encrypting the hard drive.
Correct Answer: Hiding a file inside another file's metadata stream on NTFS filesystems.
Explanation:
NTFS ADS allows data to be stored in hidden streams attached to a file. For example, notepad file.txt:secret.exe can hide an executable behind a text file.
Incorrect! Try again.
24Which of the following tools is a popular open-source reverse engineering framework developed by the NSA?
A.OllyDbg
B.Ghidra
C.IDA Pro
D.Radare2
Correct Answer: Ghidra
Explanation:
Ghidra is a software reverse engineering (SRE) suite of tools developed by the NSA, featuring a disassembler and a decompiler.
Incorrect! Try again.
25What is Dirty COW (CVE-2016-5195)?
A.A Windows SMB exploit.
B.A method for SQL injection.
C.A Linux kernel privilege escalation vulnerability.
D.A password cracking tool.
Correct Answer: A Linux kernel privilege escalation vulnerability.
Explanation:
Dirty COW is a famous privilege escalation vulnerability in the Linux Kernel aimed at the Copy-On-Write (COW) mechanism, allowing an unprivileged user to write to read-only files (like /etc/passwd).
Incorrect! Try again.
26In the context of scripting for pen-testing, what is Bash primarily used for?
A.Developing web applications.
B.Reverse engineering binaries.
C.Windows kernel exploitation.
D.Automating tasks in Unix/Linux environments.
Correct Answer: Automating tasks in Unix/Linux environments.
Explanation:
Bash (Bourne Again SHell) is the default command-line interpreter for most Linux distributions and is heavily used to script and automate sequences of commands.
Incorrect! Try again.
27Which attack involves capturing the NTLM hash of a user and using it to authenticate without cracking the password?
A.Brute Force
B.Dictionary Attack
C.Golden Ticket
D.Pass the Hash
Correct Answer: Pass the Hash
Explanation:
Pass the Hash (PtH) allows an attacker to authenticate to a remote server or service using the underlying NTLM hash of a user's password instead of the plaintext password.
Incorrect! Try again.
28What is the purpose of timestomping in post-exploitation?
A.Modifying file timestamps (access, modify, create) to hide malicious activity.
Timestomping involves changing the 'Modified', 'Accessed', and 'Created' timestamps of malicious files to match system files, making them harder to spot during forensic analysis.
Incorrect! Try again.
29Which command allows you to view the currently loaded modules and their memory addresses in a Windows debugging environment like OllyDbg?
A.Executable Modules
B.CPU Registers
C.Memory Map
D.Call Stack
Correct Answer: Executable Modules
Explanation:
Viewing Executable Modules allows a reverse engineer to see which DLLs are loaded and their base addresses, which is crucial for bypassing ASLR (Address Space Layout Randomization).
Incorrect! Try again.
30What does the command chmod 4755 filename do in Linux?
A.Sets the file to read-only.
B.Sets the SUID bit on the file.
C.Deletes the file.
D.Hides the file.
Correct Answer: Sets the SUID bit on the file.
Explanation:
The '4' in 4755 represents the SUID (Set User ID) bit. This permission setting allows the file to be executed with the permissions of the owner.
Incorrect! Try again.
31Which tool is primarily designed for performing online password attacks against network services (FTP, SSH, Telnet)?
A.Hashcat
B.John the Ripper
C.Ophcrack
D.Hydra
Correct Answer: Hydra
Explanation:
Hydra is a parallelized login cracker which supports numerous protocols to attack network services (online attacks), whereas John the Ripper and Hashcat are primarily for offline hash cracking.
Incorrect! Try again.
32In a Buffer Overflow attack, the attacker attempts to overwrite the EIP register. What does EIP stand for?
A.Extended Instruction Pointer
B.Extended Index Pointer
C.Extended Immediate Pointer
D.Extended Internal Process
Correct Answer: Extended Instruction Pointer
Explanation:
EIP (Extended Instruction Pointer) is a register in x86 architecture that contains the memory address of the next instruction to be executed. Controlling EIP means controlling the execution flow.
Incorrect! Try again.
33Which of the following is a method of covering tracks on a Windows system?
A.Creating a new user.
B.Using wevtutil cl to clear event logs.
C.Running ipconfig.
D.Running whoami.
Correct Answer: Using wevtutil cl to clear event logs.
Explanation:
wevtutil is a Windows tool to retrieve information about event logs and publishers. The cl (clear-log) command is used to clear specific event logs (e.g., Security, System) to hide evidence.
Incorrect! Try again.
34What is the primary function of a Keylogger?
A.To encrypt user files.
B.To log network traffic.
C.To record every keystroke made by the user.
D.To log into the system automatically.
Correct Answer: To record every keystroke made by the user.
Explanation:
Keyloggers are surveillance software (or hardware) that has the capability to record every keystroke made on a computer to steal passwords and sensitive data.
Incorrect! Try again.
35Which Windows feature can be exploited by pressing the SHIFT key 5 times?
A.Mouse Keys
B.Toggle Keys
C.Filter Keys
D.Sticky Keys
Correct Answer: Sticky Keys
Explanation:
The Sticky Keys feature is activated by pressing SHIFT 5 times. Attackers can replace sethc.exe (Sticky Keys binary) with cmd.exe to gain a SYSTEM shell at the login screen.
Incorrect! Try again.
36What is the purpose of Pivoting in penetration testing?
A.Rotating the screen display.
B.Switching from Linux to Windows.
C.Changing the password frequently.
D.Using a compromised system to attack other systems in the same network.
Correct Answer: Using a compromised system to attack other systems in the same network.
Explanation:
Pivoting (or island hopping) is the technique of using an instance (compromised host) to be able to move around inside a network and access systems that would otherwise be inaccessible from outside.
Incorrect! Try again.
37Which PowerShell command is used to download a file from a remote server?
A.Invoke-WebRequest
B.Get-File
C.wget
D.Download-File
Correct Answer: Invoke-WebRequest
Explanation:
Invoke-WebRequest (often aliased as iwr or wget in PowerShell) is the standard cmdlet used to send HTTP/HTTPS requests and download content from the web.
Incorrect! Try again.
38Which component of the Metasploit Framework stores information about targets, loot, and collected data?
A.msfvenom
B.Meterpreter
C.msfconsole
D.The Database (PostgreSQL)
Correct Answer: The Database (PostgreSQL)
Explanation:
Metasploit uses a PostgreSQL database to store results from scans, compromised hosts, looted credentials, and other data gathered during the penetration test.
Incorrect! Try again.
39What distinguishes Static Analysis from Dynamic Analysis in malware analysis?
A.Static analysis is for Linux; dynamic analysis is for Windows.
C.Static analysis examines code without execution; dynamic analysis observes code behavior during execution.
D.Static analysis runs the code; dynamic analysis does not.
Correct Answer: Static analysis examines code without execution; dynamic analysis observes code behavior during execution.
Explanation:
Static analysis involves looking at the code structure, strings, and headers without running it. Dynamic analysis involves running the malware in a sandbox/VM to observe its behavior (network connections, file changes).
Incorrect! Try again.
40Which script allows an attacker to automate the search for privilege escalation vectors on a Linux system?
A.BloodHound
B.WinPEAS
C.LinPEAS
D.PowerView
Correct Answer: LinPEAS
Explanation:
LinPEAS (Linux Privilege Escalation Awesome Script) is a script that searches for possible paths to escalate privileges on Linux/Unix hosts.
Incorrect! Try again.
41What is a Logic Bomb?
A.Malware that explodes the hardware.
B.A script that brute forces logical ports.
C.Code intentionally inserted into a software system that sets off a malicious function when specified conditions are met.
D.A DoS attack tool.
Correct Answer: Code intentionally inserted into a software system that sets off a malicious function when specified conditions are met.
Explanation:
A logic bomb is a piece of code that lies dormant until a specific condition occurs (e.g., a specific date, or a user being removed from the payroll system), at which point it executes a malicious payload.
Incorrect! Try again.
42In the context of enumerating assets, what information does SNMP (Simple Network Management Protocol) primarily provide if misconfigured (public community string)?
A.Firewall rules.
B.Web application source code.
C.Encrypted passwords.
D.Network statistics, system information, and user accounts.
Correct Answer: Network statistics, system information, and user accounts.
Explanation:
SNMP is used for managing devices. If the community string is guessed (like 'public'), attackers can enumerate system uptime, running processes, installed software, and user accounts.
Incorrect! Try again.
43Which type of shellcode is typically used when the target system is behind a firewall that blocks incoming connections?
A.Reverse TCP
B.Bind TCP
C.Loopback TCP
D.Null TCP
Correct Answer: Reverse TCP
Explanation:
A Reverse TCP payload makes the target connect back to the attacker. Since firewalls usually allow outbound traffic, this is the preferred method for bypassing incoming traffic restrictions.
Incorrect! Try again.
44What is the SAM file in Windows?
A.Security Account Manager
B.Secure Access Module
C.System Access Method
D.System Admin Manager
Correct Answer: Security Account Manager
Explanation:
The SAM (Security Account Manager) is a database file in Windows operating systems that stores user passwords (in hashed format).
Incorrect! Try again.
45Which of the following describes a Dictionary Attack?
A.Using a pre-defined list of likely passwords.
B.Capturing the handshake and decrypting it.
C.Trying every possible combination of characters.
D.Using a rainbow table.
Correct Answer: Using a pre-defined list of likely passwords.
Explanation:
A dictionary attack uses a wordlist (dictionary) of common passwords. It is faster than brute force but will fail if the password is complex and not in the list.
Incorrect! Try again.
46When creating a persistent backdoor using Windows Scheduled Tasks, which command is used?
A.at (deprecated)
B.cron
C.taskmgr
D.schtasks
Correct Answer: schtasks
Explanation:
schtasks.exe is the command-line tool used to create, delete, query, change, run, and end scheduled tasks on a local or remote computer.
Incorrect! Try again.
47What is the main purpose of Ruby in the context of the Metasploit Framework?
A.It is used for database management.
B.It is used for network scanning only.
C.It is the language used to write Metasploit modules.
D.It is the GUI framework.
Correct Answer: It is the language used to write Metasploit modules.
Explanation:
The Metasploit Framework is written primarily in Ruby. Exploit modules, auxiliary modules, and payloads are typically developed using Ruby.
Incorrect! Try again.
48Which vulnerability allows an attacker to escalate privileges by exploiting a program that runs with higher privileges but insecurely loads libraries from the current directory?
A.Buffer Overflow
B.XSS
C.DLL Hijacking
D.SQL Injection
Correct Answer: DLL Hijacking
Explanation:
DLL Hijacking occurs when a trusted application loads a malicious DLL from the current directory (or other locations in the path) because the application did not specify the full path to the system DLL.
Incorrect! Try again.
49What does the Sticky Bit do on a directory in Linux?
A.It shares files with everyone.
B.It makes files executable.
C.It prevents users from deleting files they do not own.
D.It keeps files in memory.
Correct Answer: It prevents users from deleting files they do not own.
Explanation:
The Sticky Bit (t) is commonly used on shared directories like /tmp. It ensures that only the file's owner, the directory's owner, or root can rename or delete the file.
Incorrect! Try again.
50Which tool allows for the creation of custom wordlists based on the content of a target website?
A.Nmap
B.Wireshark
C.Netcat
D.CeWL
Correct Answer: CeWL
Explanation:
CeWL (Custom Word List generator) is a Ruby app that crawls a given URL to a specified depth and returns a list of words, which can then be used as a dictionary for password cracking.