Appendix A

Answers to the “Do I Know This Already?” Quizzes and Q&A Sections

Do I Know This Already? Answers

Chapter 1

1. Answer: A. Ethical hackers and penetration testers adopt responsible or coordinated vulnerability disclosure practices.

2. Answer: B. Ethical hackers mimic real-life attackers to find security vulnerabilities before threat actors are able to exploit such vulnerabilities.

3. Answer: C. Hacktivists are typically not motivated by money. Hacktivists look to make a point or to further their beliefs, using cybercrime as their method of attack. These types of attacks are often carried out by stealing sensitive data and then revealing it to the public for the purpose of embarrassing or financially affecting a target.

4. Answer: B. In an unknown environment test (previously known as a black-box penetration test), the tester is typically provided only a very limited amount of information. For instance, the tester may be provided only the domain names and IP addresses that are in scope for a particular target. In a known environment test (previously known as a white-box penetration test), the tester starts out with a significant amount of information about the organization and its infrastructure. The tester would normally be provided things like network diagrams, IP addresses, configurations, and a set of user credentials.

5. Answer: C. In bug bounty programs, security researchers and ethical hackers are rewarded for finding vulnerabilities in the sponsoring organization’s systems.

6. Answer: D. A company’s financial status is not typically an environmental consideration that is relevant for a traditional penetration testing engagement. Network infrastructure (including on-premises wired and wireless networks) and cloud applications are typically environmental factors for a pen testing engagement.

7. Answer: A. OWASP is a nonprofit organization with local chapters around the world that provides significant guidance on how to secure applications. You can find more information about OWASP at owasp.org.

8. Answer: C. MITRE ATT&CK is a framework that provides detailed information about adversary tactics and techniques.

9. Answer: D. The OWASP Web Security Testing Guide, the Open Source Security Testing Methodology Manual (OSSTMM), and the Penetration Testing Execution Standard (PTES) are all examples of penetration testing methodology standards or guidance documents.

10. Answer: D. BlackArch, Kali Linux, and Parrot OS are Linux distributions that provide numerous security tools and can be used in penetration testing labs. The following GitHub repository includes a list of different Linux distributions, vulnerable applications, and tools that can be used for penetration testing and to build your own lab: https://github.com/The-Art-of-Hacking/h4cker/tree/master/build_your_own_lab.

Chapter 2

1. Answer: A. The Payment Card Industry Data Security Standard (PCI DSS) is a regulation that aims to secure the processing of credit card payments and other types of digital payments. The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. federal government program that authorizes the use of cloud products and services by government agencies. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a regulation that was created to simplify and standardize healthcare administrative processes. The General Data Protection Regulation (GDPR) is a European regulation on data protection and privacy.

2. Answer: A. A main goal of the General Data Protection Regulation (GDPR) is to strengthen and unify data protection for individuals within the European Union (EU), while addressing the export of personal data outside the EU.

3. Answer: C. A healthcare clearinghouse is an entity that processes nonstandard health information it receives from another entity into a standard format.

4. Answer: D. For the purposes of PCI DSS, a merchant is any entity that accepts payment cards bearing the logos of any of the members of PCI SSC (American Express, Discover, JCB, MasterCard, or Visa) as payment for goods or services.

5. Answer: A. A statement of work (SOW) is a document that specifies the activities to be performed during a penetration testing engagement. The SOW can be a standalone document or can be part of a master service agreement (MSA).

6. Answer: D. All answers listed are correct. Rules of engagement documentation specifies the conditions under which the security penetration testing engagement will be conducted. You need to document these conditions and agree on them with the client or an appropriate stakeholder.

7. Answer: A. Scope creep is a project management term that refers to the uncontrolled growth of a project’s scope. You might encounter scope creep when there is poor change management in a penetration testing engagement, when there is ineffective identification of what technical and nontechnical elements will be required for the penetration test, or when there is poor communication among stakeholders, including your client and your own team.

8. Answer: A. With unknown-environment testing, the tester is typically provided only a very limited amount of information. For instance, the tester may be provided only the domain names and IP addresses that are in scope for a particular target. The idea of this type of limitation is to have the tester start out with the perspective that an external attacker might have.

9. Answer: D. All the answers listed are correct. There are many scenarios in which an ethical hacker (penetration tester) should demonstrate professionalism and integrity. Some of these best practices include conducting background checks of penetration testing teams, adhering to the specific scope of the engagement, identifying criminal activity and immediately reporting breaches/criminal activities, and maintaining confidentiality of data/information.

10. Answer: D. A statement of work (SOW) is a document that specifies the activities to be performed during a penetration testing engagement.

Chapter 3

1. Answer: D. DNSRecon, Recon-ng, and Dig are all tools that can be used to perform passive reconnaissance, based on DNS data. Recon-ng supports many other sources of information, as well.

2. Answer: C. You can easily identify domain technical and administrative contacts by using the whois command. Keep in mind that many organizations keep their registration details private and use domain registrar organization contacts instead.

3. Answer: D. Incorrect or missing certificate revocation lists (CRLs), weak cryptographic algorithms, and legacy TLS/SSL versions are all examples of cryptographic flaws that can be identified while performing passive reconnaissance of a given application.

4. Answer: A. The goal of certificate transparency is for any organization or individual to be able to “transparently” verify the issuance of a digital certificate. Certificate transparency allows CAs to provide details about all related certificates that have been issued for a given domain and organization. Attackers can also use this information to reveal what other subdomains and systems an organization may own.

5. Answer: A. You can obtain a lot of information from metadata in files such as images, Microsoft Word documents, Excel files, PowerPoint files, and more. For instance, Exchangeable Image File Format (Exif) is a specification that defines the formats for images, sound, and supplementary tags used by digital cameras, mobile phones, scanners, and other systems that process image and sound files.

6. Answer: C. If the SYN probe does not receive a response, Nmap will mark the port as filtered because it was unable to determine whether it was open or closed.

7. Answer: D. A TCP connect scan (-sT) uses the underlying operating system’s networking mechanism to establish a full TCP connection with the target device being scanned. It creates a full connection and more traffic, and thus it takes more time to run the scan.

8. Answer: A. There are times when a SYN scan may be picked up by a network filter or firewall. In such a situation, you would need to use a different type of packet in your port scan. With the TCP FIN scan, a FIN packet would be sent to a target port.

9. Answer: A. Authenticated scans may provide a lower rate of false positives than unauthenticated scans.

10. Answer: B. A CVE ID is composed of the letters CVE followed by the year of publication and four or more digits in the sequence number portion of the ID (for example, CVE-YYYY-NNNN with four digits in the sequence number, CVE-YYYY-NNNNN with five digits in the sequence number, CVE-YYYY-NNNNNNN with seven digits in the sequence number, and so on).
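The CVE ID format described above is easy to get wrong in scanner output parsers (a three-digit sequence number is not valid, but a seven-digit one is). The following is an added example, not code from the book: a small validator and extractor that enforces the CVE-YYYY-NNNN(N…) rule. The sample report text and every CVE number in it are constructed for the example and do not refer to real vulnerabilities.

```python
import re
from typing import List, NamedTuple, Optional

# Four-digit year, then a sequence number of at least four digits with no
# upper bound (CVE-YYYY-NNNN, CVE-YYYY-NNNNN, CVE-YYYY-NNNNNNN, ...).
_CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$", re.IGNORECASE)


class CveId(NamedTuple):
    year: int
    sequence: int
    canonical: str  # upper-case form with the original zero padding kept


def parse_cve_id(text: str) -> Optional[CveId]:
    """Return the parsed CVE ID, or None when text is not a well-formed ID."""
    match = _CVE_RE.match(text.strip())
    if not match:
        return None
    year, seq = match.group(1), match.group(2)
    return CveId(int(year), int(seq), f"CVE-{year}-{seq}")


def extract_cve_ids(text: str) -> List[str]:
    """Find every well-formed CVE ID in free text (for example a scanner
    report) and return canonical IDs, de-duplicated, in order of appearance."""
    found: List[str] = []
    for match in re.finditer(r"\bCVE-\d{4}-\d{4,}\b", text, re.IGNORECASE):
        parsed = parse_cve_id(match.group(0))
        if parsed and parsed.canonical not in found:
            found.append(parsed.canonical)
    return found


# Constructed scanner output; the IDs are placeholders, not real CVEs.
SAMPLE_REPORT = (
    "host alpha: affected by CVE-2021-12345 and cve-2020-9876; "
    "CVE-2021-12345 is listed twice; CVE-2020-123 is malformed (too short); "
    "host beta: CVE-2019-1234567."
)

if __name__ == "__main__":
    print(extract_cve_ids(SAMPLE_REPORT))
```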

Chapter 4

1. Answer: D. With pretexting, or impersonation, an attacker presents as someone else in order to gain access to information. Social engineers may use pretexting to impersonate individuals in certain jobs and roles even if they do not have experience in those jobs or roles.

2. Answer: B. Spear phishing is a phishing attempt that is constructed in a very specific way and directly targeted to specific individuals or companies. The attacker studies a victim and the victim’s organization in order to be able to make emails look legitimate and perhaps make them appear to come from trusted users within the company.

3. Answer: D. Whaling is similar to phishing and spear phishing; however, with whaling, the attack is targeted at high-profile business executives and key individuals in a company. Whaling emails are designed to look like critical business emails or emails from someone who has legitimate authority, either from outside or within the company.

4. Answer: B. With Dumpster diving, a person scavenges for private information in garbage and recycling containers. To keep sensitive documents safe, an organization should store them in a safe place as long as possible and then, when the documents are no longer needed, the organization should shred them.

5. Answer: D. Attackers can perform different badge-cloning attacks. For example, an attacker can clone a badge/card used to access a building. Specialized software and hardware can be used to perform these cloning attacks. Attackers can often obtain detailed information about the design (look and feel) of corporate badges from social media websites such as Twitter, Instagram, and LinkedIn, when people post photos showing their badges when they get new jobs or leave old ones.

6. Answer: A. Cross-site scripting (XSS) vulnerabilities leverage input validation weaknesses on a web application. These vulnerabilities are often used to redirect users to malicious websites to steal cookies (session tokens) and other sensitive information. The Browser Exploitation Framework (BeEF) is a tool that can be used to manipulate users by leveraging XSS vulnerabilities.

7. Answer: D. Social-Engineer Toolkit (SET) is a tool you can use to launch numerous social engineering attacks, including spear phishing attacks. SET can also be integrated with third-party tools and frameworks such as Metasploit.

8. Answer: A. SpoofCard is an Apple iOS and Android app that can spoof a phone number and change your voice, record calls, generate different background noises, and send calls straight to voicemail.

9. Answer: A. Social proof is a psychological phenomenon in which an individual is not able to determine the appropriate mode of behavior. For example, you might see others acting or doing something in a certain way and might assume that it is appropriate.

10. Answer: D. A social engineer uses authority to project confidence and legitimacy—whether legal, organizational, or social authority. Social engineers can use scarcity to create a feeling of urgency in a decision-making context. Specific language can be used to heighten urgency and manipulate a victim.

Chapter 5

1. Answer: D. There are several name-to-IP address resolution technologies and protocols, including Network Basic Input/Output System (NetBIOS), Link-Local Multicast Name Resolution (LLMNR), and Domain Name System (DNS).

2. Answer: D. The following ports and protocols are used by NetBIOS-related operations:

  • TCP port 135: Microsoft Remote Procedure Call (MS-RPC) endpoint mapper, used for client-to-client and server-to-client communication

  • UDP port 137: NetBIOS Name Service

  • UDP port 138: NetBIOS Datagram Service

  • TCP port 139: NetBIOS Session Service

  • TCP port 445: Server Message Block (SMB) protocol, used for sharing files between different operating systems, including Windows and Unix-based systems

3. Answer: A. A common vulnerability in Link-Local Multicast Name Resolution (LLMNR) involves an attacker spoofing an authoritative source for name resolution on a victim system by responding to LLMNR traffic over UDP port 5355 and NBT-NS traffic over UDP port 137. The attacker basically poisons the LLMNR service to manipulate the victim’s system. If the requested host belongs to a resource that requires identification or authentication, the username and NTLMv2 hash are sent to the attacker. The attacker can then gather the hash sent over the network by using tools such as sniffers. Subsequently, the attacker can brute-force or crack the hashes offline to get the plaintext passwords.

4. Answer: C. One of the most commonly used SMB exploits in recent times is the EternalBlue exploit, which was leaked by an organization or an individual (nobody knows) that allegedly stole numerous exploits from the U.S. National Security Agency (NSA). Successful exploitation of EternalBlue allows an unauthenticated remote attacker to compromise an affected system and execute arbitrary code. This exploit has been used in ransomware such as WannaCry and Nyetya.

5. Answer: C. DNS cache poisoning involves manipulating the DNS resolver cache by injecting corrupted DNS data. This is done to force the DNS server to send the wrong IP address to the victim, redirecting the victim to the attacker’s system.

6. Answer: D. SNMPv2c uses two authenticating credentials: the first is a public community string to view the configuration or to obtain the health status of the device, and the second is a private community string to configure the managed device. SNMPv3 authenticates SNMP users by using usernames and passwords and can protect confidentiality. SNMPv2 does not provide confidentiality protection.

7. Answer: C. ARP cache poisoning (or ARP spoofing) is an example of an attack that leads to an on-path attack (previously known as man-in-the-middle) scenario. An ARP spoofing attack can target hosts, switches, and routers connected to a Layer 2 network by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts on the subnet.

8. Answer: A. In an evil twin attack, an attacker creates a rogue access point and configures it exactly the same as the existing corporate network. Typically, the attacker uses DNS spoofing to redirect the victim to a cloned captive portal or website.

9. Answer: C. War driving is a method attackers use to find wireless access points wherever they may be. By just driving (or walking) around, an attacker can obtain a significant amount of information over a very short period of time.

10. Answer: D. WEP keys exist in two sizes: 40-bit (5-byte) and 104-bit (13-byte) keys. In addition, WEP uses a 24-bit IV, which is prepended to the PSK. When you configure a wireless infrastructure device with WEP, the IVs are sent in plaintext.

11. Answer: A. KRACK attacks take advantage of a series of vulnerabilities in the WPA and WPA2 protocols.

12. Answer: D. KARMA is an on-path (previously known as a man-in-the-middle) attack that involves creating a rogue AP and allowing an attacker to intercept wireless traffic. KARMA stands for Karma Attacks Radio Machines Automatically. A radio machine could be a mobile device, a laptop, or any Wi-Fi-enabled device.

Chapter 6

1. Answer: D. REST or RESTful is a type of API technology. The following are examples of HTTP methods:

  • GET: Retrieves information from the server

  • HEAD: Basically the same as a GET but returns only HTTP headers and no document body

  • POST: Sends data to the server (typically using HTML forms, API requests, and so on)

  • TRACE: Does a message loopback test along the path to the target resource

  • PUT: Uploads a representation of the specified URI

  • DELETE: Deletes the specified resource

  • OPTIONS: Returns the HTTP methods that the server supports

  • CONNECT: Converts the request connection to a transparent TCP/IP tunnel

2. Answer: D. DVWA, OWASP WebGoat, and OWASP Juice Shop are examples of intentionally vulnerable applications that you can use to practice your penetration testing skills. Cyber ranges are virtual or physical networks that mimic areas of production environments where you can safely practice your skills. Offensive security teams and cybersecurity defense teams (including security operation center [SOC] analysts, computer security incident response teams [CSIRTs], InfoSec, and many others) use cyber ranges. You can set up WebSploit Labs (websploit.org) and practice your skills with all these intentionally vulnerable applications and many penetration testing tools, payloads, and scripts.

3. Answer: A. Business logic flaws enable an attacker to use legitimate transactions and flows of an application in a way that results in a negative behavior or outcome. Most common business logic flaws are different from the typical security vulnerabilities in an application (such as XSS, CSRF, and SQL injection). A challenge with business logic flaws is that they can’t typically be found by using scanners or other similar tools.

4. Answer: D. SQL injection, HTML script injection, and object injection are examples of code injection vulnerabilities.

5. Answer: D. Ben' or '1'='1 is a string that could be used in an SQL injection attack. In this particular attack, Ben is a username, and it is followed by an escape that is tailored to try to force the application to display to the attacker all records in the database table.

6. Answer: A. DirBuster (along with other tools, such as gobuster and ffuf) can be used to enumerate files and directories in web applications using wordlists.

7. Answer: B. Once an authenticated session has been established, the session ID (or token) is temporarily equivalent to the strongest authentication method used by the application, such as usernames and passwords, one-time passwords, and client-based digital certificates. Also, in order to keep the authenticated state and track the user’s progress, an application provides a user with a session ID, or token. This token is assigned at session creation time and is shared and exchanged by the user and the web application for the duration of the session. The session ID is a name/value pair.

8. Answer: C. You can find HTTP parameter pollution (HPP) vulnerabilities by finding forms or actions that allow user-supplied input. Then you can append the same parameter to the GET or POST data—but insert a different assigned value.

9. Answer: B. Insecure Direct Object Reference vulnerabilities can be used to execute a system operation. In the referenced URL, the value of the user parameter (chris) is used to have the system change the user’s password. An attacker can try other usernames and see if it is possible to modify the password of another user.

10. Answer: A. This string is an example of how to use hexadecimal HTML characters to potentially evade XSS filters. You can also use a combination of hexadecimal HTML character references to potentially evade XSS filters and security products such as web application firewalls (WAFs).

11. Answer: C. You should escape all characters (including spaces but excluding alphanumeric characters) with the HTML entity &#xHH; format to prevent XSS vulnerabilities.
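Answers 10 and 11 describe the two halves of the same problem: numeric character references can hide a payload from a naive filter, and escaping every non-alphanumeric character as &#xHH; on output makes the browser treat untrusted data as text. The code below is an added example written for this appendix, not from the book: an output encoder following the &#xHH; rule, a template function that routes every untrusted field through it, and a canonicalization step (decode character references first) for any deny-list inspection that is done for logging or alerting. The function names and the sample comment values are the example's own.

```python
import html
import re


def encode_for_html(value: str) -> str:
    """Escape every character except ASCII letters and digits as a hex
    character reference (&#xHH;, or longer for code points above 0xFF)."""
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append(f"&#x{ord(ch):02X};")
    return "".join(out)


def render_comment(author: str, body: str) -> str:
    """Build the HTML for a user comment; both fields are untrusted and are
    encoded, so no input can break out of the text context."""
    return (
        '<p class="comment"><b>' + encode_for_html(author) + "</b>: "
        + encode_for_html(body) + "</p>"
    )


def canonicalize(value: str) -> str:
    """Decode decimal and hexadecimal character references (and named
    entities) so that a filter judges the decoded form, not the encoded one."""
    return html.unescape(value)


def looks_like_script(value: str) -> bool:
    """Coarse detection for alerting only; the actual defense is output
    encoding, because a deny list can never enumerate every encoding."""
    return re.search(r"<\s*script", canonicalize(value), re.IGNORECASE) is not None


if __name__ == "__main__":
    # Constructed inputs for demonstration.
    print(render_comment("reader", "5 > 3 && <b>bold</b>"))
    print(looks_like_script("&#x3C;script&#x3E;"))  # encoded form is decoded first
```

The encoder is deliberately strict (spaces become &#x20;) because the answer's rule is to escape everything that is not alphanumeric; html.unescape reverses it exactly, which is a convenient property to assert in a unit test.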

12. Answer: C. CSRF attacks typically affect applications (or websites) that rely on a user’s identity. Also, CSRF attacks can occur when unauthorized commands are transmitted from a user who is trusted by the application. CSRF vulnerabilities are also referred to as “one-click attacks” or “session riding.” An example of a CSRF attack is a user who is authenticated by an application through a cookie saved in the browser unwittingly sending an HTTP request to a site that trusts the user, subsequently triggering an unwanted action.

13. Answer: A. The URL displayed is an example of a cross-site request forgery (CSRF or XSRF) attack against a vulnerable server.

14. Answer: D. Clickjacking involves using multiple transparent or opaque layers to induce a user to click on a web button or link on a page that he or she did not intend to click. Clickjacking attacks are often referred to as “UI redress attacks.” User keystrokes can also be hijacked using clickjacking techniques. It is possible to launch a clickjacking attack by using a combination of CSS stylesheets, iframes, and text boxes to fool the user into entering information or clicking on links in an invisible frame that could be rendered from a site an attacker created.

15. Answer: B. A mitigation to prevent clickjacking could be to send the proper Content Security Policy (CSP) frame-ancestors directive in the response headers, which instructs the browser not to allow framing from other domains. (This replaces the older X-Frame-Options HTTP header.) All other options are examples of XSS mitigation techniques.
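When reviewing an application for the clickjacking mitigation in answer 15, it helps to evaluate the response headers the way a browser would: CSP frame-ancestors takes precedence when present, and X-Frame-Options is the fallback. The following added example (not from the book) implements that evaluation for a given framing origin; the header dictionaries and the origins are constructed for the example, and the source-expression matching covers 'none', 'self', '*', scheme-only sources, and host sources with an optional wildcard subdomain and port.

```python
from typing import Dict, List, Optional
from urllib.parse import urlsplit


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if
    the policy has no such directive."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def _source_matches(source: str, origin: str, page_origin: str) -> bool:
    src = source.lower()
    o = urlsplit(origin.lower())
    if src == "'none'":
        return False
    if src == "'self'":
        return origin.lower() == page_origin.lower()
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:   # scheme-source such as https:
        return o.scheme == src[:-1]
    scheme, host = "", src
    if "://" in src:
        scheme, _, host = src.partition("://")
    host, _, port = host.partition(":")
    if scheme and scheme != o.scheme:
        return False
    if port and port != "*" and str(o.port or "") != port:
        return False
    if host.startswith("*."):
        return bool(o.hostname) and o.hostname.endswith(host[1:])
    return o.hostname == host


def framing_allowed(headers: Dict[str, str], framer_origin: str, page_origin: str) -> bool:
    """True when a page served with these headers may be framed by framer_origin."""
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = parse_frame_ancestors(csp)
        if sources is not None:
            # An empty source list matches nothing, exactly like 'none'.
            return any(_source_matches(s, framer_origin, page_origin) for s in sources)
    xfo = (_header(headers, "X-Frame-Options") or "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer_origin.lower() == page_origin.lower()
    return True   # neither header present: any site may frame the page


if __name__ == "__main__":
    # Constructed responses: one unprotected, one hardened.
    weak = {"Content-Type": "text/html"}
    hardened = {"Content-Security-Policy": "frame-ancestors 'self'",
                "X-Frame-Options": "SAMEORIGIN"}
    for name, hdrs in (("weak", weak), ("hardened", hardened)):
        print(name, framing_allowed(hdrs, "https://other.example", "https://app.example"))
```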

16. Answer: A. This URL is an example of a directory (path) traversal vulnerability and attack.

17. Answer: C. A best practice to avoid cookie manipulation attacks is to not dynamically write to cookies using data originating from untrusted sources.

18. Answer: B. Local file inclusion (LFI) vulnerabilities occur when a web application allows a user to submit input into files or upload files to a server. Successful exploitation could allow an attacker to read and (in some cases) execute files on the victim’s system. Some of these vulnerabilities could be critical if the web application is running with high privileges (or as root). This could allow the attacker to gain access to sensitive information and even enable the attacker to execute arbitrary commands in the affected system.

19. Answer: D. This URL is an example of a remote file inclusion attack, in which the attacker redirects the user to a malicious link to install malware.
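Answers 16, 18, and 19 all come down to a web application building a file path from user input. The added example below (written for this appendix, not taken from the book) shows the defensive side: a resolver that confines every requested name to a document root, rejecting traversal sequences, absolute paths, symlink escapes, and URL-shaped input. The directory layout and file contents are constructed inside a temporary directory so the example runs anywhere; the function names are the example's own.

```python
import os
import tempfile
from typing import Dict, Optional


def resolve_under_root(root: str, requested: str) -> Optional[str]:
    """Return the real filesystem path for `requested` inside `root`, or None
    when the request would leave the root (../ sequences, absolute paths,
    symlinks pointing outside) or is not a local file name at all."""
    root_real = os.path.realpath(root)
    if "://" in requested or os.path.isabs(requested) or requested.startswith(("/", "\\")):
        return None
    candidate = os.path.realpath(os.path.join(root_real, requested))
    try:
        inside = os.path.commonpath([root_real, candidate]) == root_real
    except ValueError:          # different drives on Windows
        inside = False
    return candidate if inside else None


def read_page(root: str, requested: str) -> Optional[bytes]:
    """Serve a file only if it resolves inside the document root."""
    path = resolve_under_root(root, requested)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return fh.read()


def demo() -> Dict[str, Optional[bytes]]:
    """Build a constructed document root and try a set of requests against it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "www")
        os.makedirs(os.path.join(root, "pages"))
        with open(os.path.join(root, "pages", "about.html"), "wb") as fh:
            fh.write(b"<h1>About</h1>")
        secret = os.path.join(tmp, "secret.txt")      # lives outside the root
        with open(secret, "wb") as fh:
            fh.write(b"not for the web")
        requests = [
            "pages/about.html",                 # normal request
            "pages/../pages/about.html",        # normalizes but stays inside
            "../secret.txt",                    # traversal out of the root
            secret,                             # absolute path
            "http://other.example/page.txt",    # remote resource, not a local name
        ]
        return {req: read_page(root, req) for req in requests}


if __name__ == "__main__":
    for req, content in demo().items():
        print(f"{req!r}: {'served' if content is not None else 'refused'}")
```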

20. Answer: B. A race condition takes place when a system or an application attempts to perform two or more operations at the same time. However, due to the nature of such a system or application, the operations must be done in the proper sequence in order to be done correctly. When an attacker exploits such a vulnerability, he or she has a small window of time between when a security control takes effect and when the attack is performed. The attack complexity in race condition situations is very high. In other words, race condition attacks are very difficult to exploit.

21. Answer: C. Swagger is a modern framework of API documentation and development that is the basis of the OpenAPI Specification (OAS). Additional information about Swagger can be obtained at https://swagger.io. The OAS specification is available at https://github.com/OAI/OpenAPI-Specification.

Chapter 7

1. Answer: D. Credential harvesting (or password harvesting) is the process of gathering and stealing valid usernames, passwords, tokens, PINs, and other types of credentials through infrastructure breaches. One of the most common ways that attackers perform a credential harvesting attack is by using phishing and spear phishing emails with links that could redirect a user to a bogus site.

2. Answer: D. With horizontal privilege escalation, a normal or non-privileged user (a user who does not have administrative access) accesses functions or content reserved for other normal users. Horizontal privilege escalation can be done through hacking or by a person walking over to someone else’s computer and simply reading their email.

3. Answer: D. There are a variety of ways to detect account takeover attacks, such as by analyzing login locations, failed login attempts, abnormal file sharing and downloading, and malicious OAuth, SAML, or OpenID Connect connections.
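Two of the detection signals listed in answer 3 (login locations and failed login attempts) can be expressed as simple rules over an authentication log. The example below is added for this appendix and is not from the book: it parses constructed log lines (the usernames, IP addresses, and country codes are made up for the example), then flags a success that follows a burst of failures and a success from a different location than the previous one within a short window. The thresholds are assumptions to be tuned per environment.

```python
from collections import deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed authentication events; addresses are from documentation ranges.
SAMPLE_AUTH_LOG = """\
2024-05-01T09:00:00Z user=bob result=OK ip=198.51.100.7 geo=US
2024-05-01T09:30:00Z user=bob result=OK ip=203.0.113.77 geo=DE
2024-05-01T10:00:01Z user=alice result=FAIL ip=203.0.113.5 geo=RO
2024-05-01T10:00:02Z user=alice result=FAIL ip=203.0.113.5 geo=RO
2024-05-01T10:00:03Z user=alice result=FAIL ip=203.0.113.5 geo=RO
2024-05-01T10:00:04Z user=alice result=FAIL ip=203.0.113.5 geo=RO
2024-05-01T10:00:05Z user=alice result=FAIL ip=203.0.113.5 geo=RO
2024-05-01T10:00:09Z user=alice result=OK ip=203.0.113.5 geo=RO
2024-05-01T11:00:00Z user=carol result=FAIL ip=192.0.2.10 geo=US
2024-05-01T11:00:20Z user=carol result=OK ip=192.0.2.10 geo=US
"""


def parse_auth_line(line: str) -> Dict[str, object]:
    """Turn '<timestamp> key=value ...' into a dict with a datetime under 'ts'."""
    ts_text, *fields = line.split()
    event: Dict[str, object] = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect_account_takeover(
    log_text: str,
    fail_threshold: int = 5,                      # failures before a success
    fail_window: timedelta = timedelta(minutes=10),
    travel_window: timedelta = timedelta(hours=1),  # two locations this close apart
) -> List[Tuple[str, str, str]]:
    """Return (user, rule, detail) findings for the two rules described above."""
    per_user: Dict[str, List[Dict[str, object]]] = {}
    for line in log_text.splitlines():
        if line.strip():
            event = parse_auth_line(line)
            per_user.setdefault(str(event["user"]), []).append(event)

    findings: List[Tuple[str, str, str]] = []
    for user, events in per_user.items():
        events.sort(key=lambda e: e["ts"])
        recent_failures: Deque[datetime] = deque()
        last_success: Optional[Dict[str, object]] = None
        for event in events:
            now = event["ts"]
            # Keep only failures inside the sliding window.
            while recent_failures and now - recent_failures[0] > fail_window:
                recent_failures.popleft()
            if event["result"] != "OK":
                recent_failures.append(now)
                continue
            if len(recent_failures) >= fail_threshold:
                findings.append((user, "success_after_failure_burst", str(event["ip"])))
            recent_failures.clear()
            if (last_success is not None
                    and event["geo"] != last_success["geo"]
                    and now - last_success["ts"] <= travel_window):
                findings.append((user, "success_from_new_location", str(event["geo"])))
            last_success = event
    return findings


if __name__ == "__main__":
    for finding in detect_account_takeover(SAMPLE_AUTH_LOG):
        print(finding)
```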

4. Answer: C. When an application requires access to specific assets, it can query the metadata service to get a set of temporary access credentials. This temporary set of credentials can then be used to access services such as Amazon Simple Storage Service (S3) buckets and other resources. In addition, these metadata services are used to store the user data supplied when launching a new VM (for example, an Amazon Elastic Compute Cloud or AWS EC2 instance) and configure the application during instantiation. This metadata service is one of the most attractive services on AWS for an attacker to access. Anyone who is able to access these resources can, at the very least, get a set of valid AWS credentials to interface with the API. Software developers often include sensitive information in user startup scripts.

5. Answer: C. Examples of vulnerabilities that could lead to side channel attacks are the Spectre and Meltdown vulnerabilities, which affect Intel, AMD, and ARM processors. Cloud providers that use Intel CPUs in their virtualized solutions may be affected by these vulnerabilities if they do not apply the appropriate patches.

6. Answer: C. iOS and Android apps are isolated from each other via sandbox environments. Sandboxes in mobile devices are a mandatory access control mechanism describing the resources that a mobile app can and can’t access. Android and iOS provide different interprocess communication (IPC) options for mobile applications to communicate with the underlying operating system. An attacker could perform detailed analysis of the sandbox implementation in a mobile device to potentially bypass the access control mechanisms implemented by Google (Android) or Apple (iOS), as well as mobile app developers.

7. Answer: D. The following are just some of the prevalent vulnerabilities affecting mobile devices:

  • Insecure storage: A best practice is to save as little sensitive data as possible in a mobile device’s permanent local storage. However, at least some user data must be stored on most mobile devices. Both Android and iOS provide secure storage APIs that allow mobile app developers to use the cryptographic hardware available on the mobile platform.

  • Passcode vulnerabilities and biometrics integrations: Often mobile users “unlock” a mobile device by providing a valid PIN (passcode) or password or by using biometric authentication, such as fingerprint scanning or face recognition. Android and iOS provide different methods for integrating local authentication into mobile applications. Vulnerabilities in these integrations could lead to sensitive data exposure and full compromise of a mobile device. Attacks such as the objection biometric bypass attack can be used to bypass local authentication in iOS and Android devices.

  • Certificate pinning: The goal of certificate pinning is to reduce the attack surface by removing the trust in external certificate authorities (CAs). CAs have in many cases been compromised or tricked into issuing certificates to impostors.

8. Answer: A. Drozer is an Android testing platform and framework that provides access to numerous exploits that can be used to attack Android platforms. You can download Drozer from https://labs.f-secure.com/tools/drozer.

9. Answer: C. Mobile Security Framework (MobSF) is an automated mobile application and malware analysis framework. You can download MobSF from https://github.com/MobSF/Mobile-Security-Framework-MobSF.

10. Answer: D. Intelligent Platform Management Interface (IPMI) is a collection of compute interface specifications (often used by IoT systems) designed to offer management and monitoring capabilities independently of the host system’s CPU, firmware, and operating system. An attacker can obtain access to an IPMI baseboard management controller to obtain direct access to the system’s motherboard and other hardware.

Chapter 8

1. Answer: D. You can maintain persistence in a compromised system by doing the following:

  • Creating a bind or reverse shell

  • Creating and manipulating scheduled jobs and tasks

  • Creating custom daemons and processes

  • Creating new users

  • Creating additional backdoors

2. Answer: A. The Netcat utility is used to create a bind shell on the victim system and to execute the Bash shell. The -e option executes the /bin/bash shell on the victim system so that the attacker can communicate using that shell.

3. Answer: D. The nc -lvp <port> command can be used to create a listener on a given TCP port.

4. Answer: C. Lateral movement (also referred to as pivoting) is a post-exploitation technique that can be performed using many different methods. The main goal of lateral movement is to move from one device to another to avoid detection, steal sensitive data, and maintain access to many devices to exfiltrate the sensitive data. Lateral movement involves scanning a network for other systems, exploiting vulnerabilities in other systems, compromising credentials, and collecting sensitive information for exfiltration. Lateral movement is possible if an organization does not segment its network properly. After compromising a system, you can use basic port scans to identify systems or services of interest that you can further attack in an attempt to compromise valuable information.

5. Answer: B. PowerSploit is not a legitimate Windows tool; rather, it is a collection of PowerShell scripts that can be used post-exploitation.

6. Answer: C. The New-Object System.Net.WebClient PowerShell script is downloading a file from 192.168.78.147.

7. Answer: A. The Invoke-ReflectivePEInjection PowerSploit script can reflectively inject a DLL into a remote process.

8. Answer: A. Mimikatz, PowerSploit, and Empire are tools that are used in post-exploitation activities. The Social-Engineer Toolkit (SET) is typically used for social engineering attacks.

9. Answer: A. As a best practice, you can discuss post-engagement cleanup tasks and document them in the rules of engagement document during the pre-engagement phase. You should delete all files, executable binaries, scripts, and temporary files from compromised systems after a penetration testing engagement is completed. You should return any modified systems and their configuration to their original values and parameters.

10. Answer: D. After compromising a system, you should always cover your tracks to avoid detection by suppressing logs (when possible), deleting application logs, and deleting any files that were created.

Chapter 9

1. Answer: D. As a best practice, you should always include an executive summary, details about your methodology, and metrics and measures that could help with remediation of the vulnerabilities found in your penetration testing report.

2. Answer: D. The Common Vulnerability Scoring System (CVSS) includes three metric groups: base, temporal, and environmental.

3. Answer: B. Parameterized queries are some of the most common and effective mitigations for vulnerabilities such as SQL injection.
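Chapter 6, answer 5 gives the classic injection string Ben' or '1'='1, and answer 3 here names the fix. The added example below (written for this appendix, not from the book) puts the two side by side against an in-memory SQLite table with constructed rows: the concatenating lookup returns every row for that input, while the parameterized lookup treats the whole string as one literal username and returns nothing. The table, rows, and function names are the example's own.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed user table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("Ben", "ben@example.test"),
         ("Alice", "alice@example.test"),
         ("Chris", "chris@example.test")],
    )
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """The 'before': user input is spliced into the SQL text, so quotes in
    the input change the structure of the query."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """The fix: a parameterized query. The driver sends the value separately
    from the statement, so it can only ever be compared as data."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "Ben' or '1'='1"   # the string from the Chapter 6 quiz
    print("vulnerable:", lookup_user_vulnerable(db, payload))
    print("parameterized:", lookup_user_safe(db, payload))
    print("parameterized, normal input:", lookup_user_safe(db, "Ben"))
```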

4. Answer: A. Job rotation, mandatory vacations, and user training are examples of operational controls. Administrative controls include policies, procedures, and guidelines. Examples of physical controls include cameras, gates, fences, and guards.

5. Answer: D. Critical findings, status reports, and indicators of prior compromise are very important communication triggers during a penetration testing engagement.

6. Answer: D. You must always understand the communication path and communication channels with the person who hired you to do the penetration testing (your client), the technical contacts that can help in case of any technical problems, and any other contacts that can help in the event of an emergency.

7. Answer: C. You should always clean up any systems, including databases, during pen testing post-engagement activities.

8. Answer: A, B, and C. After completing the testing, you should remove all user accounts created during the engagement, flush the logs of any data the test generated, and record all activities performed on any compromised system or application.

9. Answer: C. Using an industry standard such as the Common Vulnerability Scoring System (CVSS) will increase the value of your report to your client. CVSS scores range from 0 to 10, with 10 being the most severe.

10. Answer: B. System hardening is a technical control that involves applying security best practices, patches, and other configurations to remediate or mitigate the vulnerabilities in systems and applications. In your report to the customer, you should suggest closing open ports and disabling unnecessary services as part of this strategy.

Chapter 10

1. Answer: D. A shell is a command-line tool that allows for interactive or non-interactive command execution. Having a good background in Bash enables you to quickly create scripts, parse data, and automate different tasks and can be helpful in penetration testing engagements. The following websites provide examples of Bash scripting concepts, tutorials, examples, and cheat sheets:

2. Answer: A. A function is a block of code that is very useful when you need to execute similar tasks over and over.

3. Answer: D. A dictionary is a collection of data values stored as key/value pairs and looked up by key. A list is a data structure that holds an ordered sequence of elements. A function is a block of code that is very useful when you need to execute similar tasks over and over. An array is a special variable that holds more than one value at a time.

4. Answer: B. Nmap is a tool used for active reconnaissance. Maltego, Shodan, and Dig are tools used for passive reconnaissance.

5. Answer: C. theHarvester is used to enumerate DNS and related information (subdomains, hostnames, and e-mail addresses) about a given domain, hostname, or IP address. It is useful for passive reconnaissance because it queries public data sources rather than the target itself, including Baidu, Google, LinkedIn, public Pretty Good Privacy (PGP) key servers, Twitter, virtual host (vhost) search, VirusTotal, ThreatCrowd, crt.sh, Netcraft, and Yahoo.

6. Answer: D. Shodan is a search engine for devices connected to the Internet. It continuously scans the Internet and exposes its results to users via its website (https://www.shodan.io) and via an API. Attackers can use this tool to identify vulnerable and exposed systems on the Internet (such as misconfigured IoT devices and infrastructure devices). Penetration testers can use Shodan to gather information about potentially vulnerable systems exposed to the Internet without actively scanning their victims.

7. Answer: A and C. Recon-ng and Maltego are tools that can be used to automate open-source intelligence (OSINT) gathering.

8. Answer: B. The command nmap -sS 10.1.1.1 performs a TCP SYN scan.

9. Answer: C. Enum4linux is a great tool that can be used to enumerate SMB shares, vulnerable Samba implementations, and corresponding users.

10. Answer: A. OpenVAS is an open-source vulnerability scanner that was created by Greenbone Networks. It is a framework that includes several services and tools that allow you to perform detailed vulnerability scanning against hosts and networks. Retina, Qualys, and Nexpose are commercial scanners.

11. Answer: A. SQLmap is a tool that helps automate the enumeration of vulnerable applications, as well as the exploitation of SQL injection vulnerabilities.

12. Answer: D. OWASP ZAP, w3af, and Burp Suite are all examples of web application penetration testing tools.

13. Answer: C. The -sS option of the nmap command triggers a TCP SYN scan. Because the target is given as the 10.1.01.0/24 network, Nmap scans every host in that subnet.

14. Answer: D. PowerShell and related tools can be used for exploitation and post-exploitation activities. Microsoft has a vast collection of free video courses and tutorials that include PowerShell at the Microsoft Virtual Academy (see https://docs.microsoft.com/en-us/powershell/scripting/learn/more-powershell-learning?view=powershell-7.1).

Q&A Answers

Chapter 1

1. Answer: Unknown-environment test

2. Answer: ethical hacker

3. Answer: permission to attack

4. Answer: Web application test

5. Answer: OWASP’s Web Security Testing Guide (WSTG)

Chapter 2

1. Answer: safeguarding electronic protected health information (ePHI)

2. Answer: rules of engagement

3. Answer: Risk acceptance

4. Answer: known-environment

5. Answer: Red team

6. Answer: Unilateral NDA

7. Answer: Scope creep

8. Answer: MSAs

9. Answer: API

10. Answer: disclaimer

Chapter 3

1. Answer: SYN

2. Answer: TCP full connect

3. Answer: smb-enum-users.nse

4. Answer: Scapy

5. Answer: dorks

6. Answer: Passive

7. Answer: ls()

8. Answer: -sn

9. Answer: TCP RST

10. Answer: compliance

Chapter 4

1. Answer: method of influence. Explanation: Scarcity, urgency, social proof, likeness, and fear are methods of influence that social engineers commonly use.

2. Answer: pretexting. Explanation: Pretexting, or impersonation, involves presenting yourself as someone else in order to gain access to information.

3. Answer: Social-Engineer Toolkit (SET). Explanation: SET is one of the most popular social engineering tools that can allow you to launch many different attacks including spear phishing, credential harvesting, and website attacks, as well as creating payloads.

4. Answer: Spear phishing. Explanation: Spear phishing is a phishing attempt that is constructed in a very specific way and directly targeted to specific groups of individuals or companies. The attacker studies a victim and the victim’s organization in order to be able to make the emails look legitimate and perhaps make them appear to come from trusted users within the company.

5. Answer: malvertising. Explanation: Malvertising is similar to pharming in that it redirects victims without their knowledge, but it does so through malicious advertisements placed on trusted websites. Users who click these ads are inadvertently redirected to sites hosting malware.

6. Answer: Whaling. Explanation: Whaling is similar to phishing and spear phishing, but this attack targets high-profile individuals and executives.

Chapter 5

1. Answer: Open SMTP relays

2. Answer: Pass-the-hash

3. Answer: Mimikatz

4. Answer: Empire

5. Answer: Dynamic ARP Inspection (DAI)

6. Answer: POODLE

7. Answer: Kerberoasting

8. Answer: Botnet

9. Answer: Bluetooth Low Energy (BLE)

10. Answer: To cause a full or partial DoS condition

Chapter 6

1. Answer: Fuzzing. Explanation: Fuzzing is an unknown-environment (black-box) testing technique that consists of sending malformed or semi-malformed data to an application in an automated fashion and observing how the application responds.

2. Answer: Insecure hidden form elements. Explanation: Web application parameter tampering attacks can be executed by manipulating parameters exchanged between a web client and web server in order to modify application data. This can be achieved by manipulating cookies and by abusing hidden form fields. It may be possible to tamper with the values stored by a web application in hidden form fields.

3. Answer: Directory (path) traversal. Explanation: The attack shown is a directory (path) traversal attack. (%2e%2e%2f is the URL-encoded form of ../.)

4. Answer: XSS. Explanation: The example shows an XSS attack using embedded SVG files to attempt to bypass security controls, including WAFs.

5. Answer: CSRF. Explanation: A CSRF attack occurs when a user who is authenticated by an application through a cookie saved in the browser unwittingly sends an HTTP request to a site that trusts the user, subsequently triggering an unwanted action.

6. Answer: DOM-based. Explanation: In DOM-based XSS, the payload is never sent to the server. Instead, the payload is only processed by the web client (browser).

7. Answer: Reflected. Explanation: Reflected XSS attacks (non-persistent XSS attacks) occur when a vulnerable web application takes attacker-supplied input from an HTTP request (for example, a URL parameter or form field) and includes it in the response without proper encoding, so the malicious script runs in the victim's browser.

8. Answer: SQL. Explanation: SQLmap is a tool that is used to automate SQL injection attacks.

9. Answer: Fingerprint web application development frameworks. Explanation: PHPSESSID and JSESSIONID are the default session ID cookie names used by PHP and Java EE (J2EE) applications, respectively. They can be used to fingerprint those web application development frameworks and their languages.

10. Answer: proxy. Explanation: A web proxy can be used to intercept, modify, and delete web transactions between a web browser and a web application.
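The directory traversal answer above turns on the fact that %2e%2e%2f is just an encoding of ../, so a filter that looks for the literal string ".." in the raw request misses it. The following is an added example, not code from the book: it decodes the request (including double encoding), confines the result to a hypothetical document root, and triages constructed access-log lines. WEB_ROOT and every path in it are assumptions for illustration; no file system access is performed.

```python
"""Directory (path) traversal: decoding the request and confining it to the web root.

Added example, not from the book. WEB_ROOT and the request paths below are
constructed for illustration; no files are touched, so it runs anywhere.
"""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/static"  # hypothetical document root


def fully_decode(path, max_rounds=3):
    """Percent-decode until the value stops changing, so that %2e%2e%2f and the
    double-encoded %252e%252e%252f both end up as ../ before any check is made."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def resolve_under_root(requested, root=WEB_ROOT):
    """Map a user-supplied path onto the document root.

    Returns the normalised absolute path, or None if the request would escape
    the root. The decision is made on the normalised path, not by searching the
    raw string for '..', so encoded dots, backslashes and repeated slashes are
    all handled the same way.
    """
    decoded = fully_decode(requested).replace("\\", "/")
    if "\x00" in decoded:            # null byte: classic way to truncate a path
        return None
    # Drop leading slashes so join() cannot treat the input as absolute.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def is_traversal_attempt(requested):
    """True when the request, however encoded, resolves outside WEB_ROOT."""
    return resolve_under_root(requested) is None


def flag_requests(log_lines):
    """Scan constructed access-log lines ('METHOD /path') and return the
    offending paths, the way a quick triage script over web logs would."""
    flagged = []
    for line in log_lines:
        path = line.split()[1]
        if is_traversal_attempt(path):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    SAMPLE_LOG = [  # constructed sample requests
        "GET /images/logo.png",
        "GET /%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd",
        "GET /%252e%252e%252f%252e%252e%252fetc/shadow",
        "GET /images/../style.css",
        "GET /..\\..\\windows\\win.ini",
    ]
    for p in flag_requests(SAMPLE_LOG):
        print("traversal attempt:", p)
```

On a real server the same check should be made with os.path.realpath on the resolved path so that symbolic links inside the document root cannot point outside it, and the file should be opened from the checked path rather than re-derived from the request.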

Chapter 7

1. Answer: Account takeover

2. Answer: Direct-to-origin (D2O)

3. Answer: Side-channel attacks

4. Answer: Swagger

5. Answer: Reverse engineering

6. Answer: Business logic vulnerability

7. Answer: Industrial Internet of Things (IIoT)

8. Answer: iOS

9. Answer: Frida

10. Answer: Intelligent Platform Management Interface (IPMI)

Chapter 8

1. Answer: PsExec

2. Answer: Instrumentation

3. Answer: python3 -m http.server

4. Answer: PowerSploit

5. Answer: Launching a port scan to the 10.1.2.3 host (scanning for ports 1 through 1024)

6. Answer: Pivoting

7. Answer: command and control (C2 or CnC)

Chapter 9

1. Answer: distribution tracking log

2. Answer: temporal

3. Answer: executive summary

4. Answer: A penetration testing report generation tool

5. Answer: As soon as you start collecting data in testing phases

6. Answer: audience

7. Answer: operational controls

8. Answer: Physical controls

9. Answer: Attestation of findings

10. Answer: You need to employ a good secrets management solution to eliminate hard-coded credentials, enforce password best practices (or eliminate passwords with other types of authentication), perform credential use monitoring, and extend secrets management to third parties in a secure manner.

Chapter 10

1. Answer: SQL injection

2. Answer: scanner

3. Answer: crack passwords

4. Answer: Cracking passwords

5. Answer: Launching a brute-force attack against an SSH server

6. Answer: CeWL

7. Answer: Mimikatz

8. Answer: Metasploit

9. Answer: Ruby

10. Answers: These statements are methods, and the programming language used is Ruby.
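The Chapter 10 answers name SQL injection as the vulnerability and SQLmap as the tool that automates exploiting it, and the Chapter 9 answers name parameterized queries as the mitigation. The following is an added example, not code from the book, that puts the two side by side: a deliberately vulnerable login query built by string concatenation and its parameterized form, both run against an in-memory SQLite database seeded with constructed sample users. The login functions, account names and passwords are assumptions for illustration only.

```python
"""SQL injection: a string-built query beside its parameterized fix.

Added example, not from the book. It runs against an in-memory SQLite database
seeded with constructed sample users; the login functions are hypothetical and
store plaintext passwords only to keep the injection visible.
"""
import sqlite3


def build_db():
    """Create a throwaway database with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: user input is concatenated straight into the SQL,
    so quotes in the input change the structure of the query."""
    query = ("SELECT username, role FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchall()


def login_parameterized(conn, username, password):
    """Mitigated: the ? placeholders are bound by the driver as data values;
    whatever the input contains, it can never become part of the SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def demo():
    """Run the same attacker inputs through both versions and return the rows."""
    conn = build_db()
    tautology = "x' OR '1'='1"      # turns the WHERE clause into ... OR '1'='1'
    comment_out = "alice' --"       # -- comments out the password check in SQLite
    return {
        "vuln_tautology": login_vulnerable(conn, "alice", tautology),
        "vuln_comment": login_vulnerable(conn, comment_out, "anything"),
        "safe_tautology": login_parameterized(conn, "alice", tautology),
        "safe_comment": login_parameterized(conn, comment_out, "anything"),
        "safe_valid": login_parameterized(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:15s} -> {rows}")
```

The tautology input makes the vulnerable query return every row, and the comment input logs in as alice with no password at all; the parameterized version returns nothing for either, because the driver sends the values separately from the query text and the database never parses them as SQL. The same placeholder mechanism exists in every mainstream driver, so this is the fix to recommend in a report rather than input filtering.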
