CEH Question and Answers 3

The document consists of a series of questions related to cybersecurity concepts, techniques, and roles, including types of attacks, phases of hacking, and categories of hackers. It covers various aspects of information warfare, intrusion analysis, and security strategies. The questions are designed to test knowledge on ethical hacking, risk management, and the diamond model of intrusion analysis.

Uploaded by

hunterrocco192

1. Which of the following techniques does an attacker use to snoop on the communication
between users or devices and record private information to launch passive attacks?

A. Session Hijacking
B. Spoofing
C. Privilege Escalation
D. Eavesdropping

2. Which of the following is the warfare category in which viruses, worms, Trojan horses, or
sniffers are used to make systems shut down automatically, corrupt data, steal information
or services, send fraudulent messages, and access unauthorized data?

A. Psychological warfare
B. Electronic warfare
C. Hacker warfare
D. C2 warfare

3. Which of the following techniques is a close-in attack where an attacker simply examines an
organization’s trash for any discarded sensitive information such as usernames, passwords,
credit-card statements, bank statements, ATM receipts, social security numbers, and private
telephone numbers?

A. Pod Slurping
B. Wiretapping
C. Dumpster Diving
D. Shoulder Surfing

4. Which of the following categories of information warfare is a sensor-based technology that
can directly disrupt technological systems?

A. Electronic warfare
B. Psychological warfare
C. Intelligence-based warfare
D. Economic warfare

5. Which of the following close-in attacks is performed by an attacker to gather information by
observing the target’s activity at the closest proximity?

A. Denial of service
B. Shoulder surfing
C. DNS Spoofing
D. ARP Poisoning

6. Which of the following categories of information warfare involves the use of information
systems against the virtual personas of individuals or groups and includes information
terrorism, semantic attacks, and simula-warfare?

A. Electronic warfare
B. Cyber warfare
C. Intelligence-based warfare
D. Economic warfare

7. Which of the following categories of information warfare involves the use of various
techniques such as propaganda and terror to demoralize the adversary in an attempt to
succeed in battle?

A. Psychological warfare
B. Command and Control warfare (C2)
C. Intelligence-based warfare
D. Electronic warfare

8. Bob recently joined an organization and completed his training. His work involved dealing
with important documents of the organization. On one Sunday, he connected to the
corporate network by providing authentication credentials to access a file online from his
residence.

Which of the following elements of information security was demonstrated in the above
scenario?

A. Authenticity
B. Non-repudiation
C. Integrity
D. Availability

9. Sam, an attacker, was hired to launch an attack on an organization to disrupt its operations
and gain access to a remote system for compromising the organization’s internal network. In
the process, Sam launched an attack to tamper with the data in transit to break into the
organization’s network.

What is the type of attack Sam has performed against the target organization?

A. Distribution Attack
B. Insider Attack
C. Passive Attack
D. Active Attack

10. Don, a professional hacker, was hired to break into an organization’s network and extract
sensitive data. In the attack process, Don found that the organization has purchased new
hardware. He accessed the new hardware while it was in transit and tampered with it to
launch further attacks on the target organization.
What is the type of attack Don has performed on the target organization?

A. Active Attack
B. Insider Attack
C. Distribution Attack
D. Passive Attack

11. James, a professional hacker, is performing an attack on a target organization. He succeeded
in gathering information about the target and identified vulnerabilities existing in the target
network. He is now in the process of exploiting the vulnerabilities to enter the target’s
network and escalate privileges so that he can have complete access to the target system.

Which of the following phases of hacking is James currently in?

A. Gaining Access
B. Maintaining Access
C. Scanning
D. Reconnaissance

12. In which of the following hacking phases does an attacker try to detect listening ports to find
information about the nature of services running on the target machine?

A. Clearing tracks
B. Scanning
C. Maintaining access
D. Gaining access

13. In which of the following hacking stages does an attacker use Trojans, spyware, backdoors,
and keyloggers to create and maintain remote access to a system?

A. Executing Applications
B. Gaining access
C. Escalating privileges
D. Covering tracks

14. Which of the following techniques is used by an attacker for identifying the active hosts,
open ports, and unnecessary services enabled on target hosts?

A. Enumeration
B. Scanning
C. Footprinting
D. Vulnerability analysis

15. Joel, a professional hacker, has targeted an organization to steal sensitive information
remotely. He was successful in the attack and was able to access sensitive data of the
organization. He is now trying to wipe out the entries corresponding to his activities in the
system to remain undetected.

Which of the following hacking steps is Joel performing now?

A. Escalating privileges
B. Gaining access
C. Maintaining access
D. Clearing logs

16. Given below are the various phases of the cyber kill chain methodology

1. Installation
2. Reconnaissance
3. Weaponisation
4. Exploitation
5. Actions on objectives
6. Delivery
7. Command and control

What is the correct sequence of phases involved in the cyber kill chain methodology?

A. 3 -> 1 -> 2 -> 6 -> 7 -> 4 -> 5
B. 2 -> 3 -> 6 -> 4 -> 1 -> 7 -> 5
C. 2 -> 4 -> 3 -> 5 -> 6 -> 1 -> 7
D. 1 -> 2 -> 3 -> 4 -> 5 -> 6 -> 7

17. A phase of the cyber kill chain methodology triggers the adversary’s malicious code, which
utilizes a vulnerability in the operating system, application, or server on a target system. At
this stage, the organization may face threats such as authentication and authorization
attacks, arbitrary code execution, physical security threats, and security misconfiguration.

Which is this phase of the cyber kill chain methodology?

A. Reconnaissance
B. Weaponization
C. Exploitation
D. Installation

18. Which of the following techniques does an adversary use to communicate remotely with
compromised systems through an encrypted session, where the adversary can steal data,
delete data, and launch further attacks through the encrypted channel?

A. HTTP user agent
B. Use of PowerShell
C. Command and control server
D. Unspecified proxy activities

19. Which IoC category can be obtained by analyzing aspects of the infected system within the
organizational network, such as filenames, file hashes, registry keys, DLLs, and mutex?

A. Network Indicators
B. Email Indicators
C. Host-based Indicators
D. Behavioural Indicators

20. Lisa, a security analyst, was tasked with analysing and documenting the possibility of
cyberattacks against an organization. In this task, she followed the diamond model of
intrusion analysis. During the initial analysis, Lisa started determining the strategies,
methods, procedures, or tools that an attacker might use against the organization’s network.

Which of the following features of the diamond model did Lisa employ in the above
scenario?

A. Capability
B. Adversary
C. Infrastructure
D. Victim

21. Which of the following meta-features of the diamond model can help a security analyst
analyse how an attacker was routed to the target network or system?

A. Resource
B. Direction
C. Result
D. Timestamp

22. Which of the following meta-features of the diamond model refers to any technique that is
used by an adversary to perform an attack?

A. Resource
B. Timestamp
C. Direction
D. Methodology

23. Identify the meta-feature of the diamond model that can assist a security analyst in
describing the relationship between infrastructure and capability.

A. Result
B. Direction
C. Technology
D. Socio-political

24. Nick, a security professional, was tasked with performing intrusion analysis on a
compromised network of an organization. For this purpose, Nick employed the diamond
model of intrusion analysis. As part of the analysis, Nick determined the periodicity of the
event and documented the occurrence details of that event. These details helped him
correlate similar events and trace the duration of the attack on the target network.

Identify the event meta-feature of the diamond model implemented by Nick in the above
scenario.

A. Resource
B. Phase
C. Timestamp
D. Direction

25. Which of the following meta-features of the diamond model helps security professionals
determine whether an attack was successful?

A. Result
B. Methodology
C. Resource
D. Timestamp

26. Which of the following categories of hackers can increase awareness of their social or
political agendas and boost their reputations in online and offline arenas?

A. Hacktivists
B. Script kiddies
C. White hats
D. Suicide Hackers

27. Which of the following types of hackers compromise systems by running scripts, tools, and
software developed by real hackers and usually focus on the quantity rather than the quality of
the attacks they initiate?

A. Suicide Hackers
B. Cyber Terrorists
C. Script Kiddies
D. State-sponsored Hackers

28. Yancey is a network security administrator for a large electric company. This company
provides power for over 100,000 people in Las Vegas. Yancey has worked for his company
for more than 15 years and has become very successful. One day, Yancey comes into work
and finds out that the company will be downsizing and he will be out of a job in two weeks.
Yancey is very angry and decides to place logic bombs, viruses, Trojans, and backdoors all
over the network to take down the company once he has left. Yancey does not care if his
actions land him in jail for 30 or more years; he just wants the company to pay for what they
are doing to him. What would Yancey be considered?

A. Since he does not care about going to jail, he would be considered a black hat.
B. Yancey would be considered a suicide hacker.
C. Yancey is a hacktivist hacker since he is standing up to a company that is
downsizing.
D. Because Yancey works for the company currently, he would be a white hat.

29. Which of the following terms refers to unskilled hackers who compromise systems by
running scripts, tools, and software developed by real hackers? They usually focus on the
quantity of attacks rather than the quality of the attacks that they initiate.

A. Script kiddies
B. Grey hats
C. Suicide Hackers
D. Hacktivists

30. Juan is the administrator of a Windows domain for a global corporation. He uses his
knowledge to scan the internal network to find vulnerabilities without the authorization of
his boss; he tries to perform an attack and gain access to an AIX server to show the results to
his boss. What kind of role is shown in the scenario?

A. Black hat hacker
B. Annoying employee
C. White hat hacker
D. Grey hat hacker

31. Which of the following terms refers to a person or security professional who employs their
hacking skills for defensive purposes?

A. Hacker
B. Ethical hacker
C. Cracker
D. Adversary

32. Jake, an ethical hacker, was appointed by an organization to run a security audit and to test
for possible loopholes and vulnerabilities on its network. Jake has completed all the
necessary steps for performing the security audit and disclosed the vulnerabilities in the
network.

Given below are the steps for performing a security audit of an organization.
1. Organize an ethical hacking team and prepare the schedule for testing.
2. Analyse the results of the testing and prepare a report.
3. Talk to the client and discuss the needs to be addressed during the testing.
4. Present the findings to the client.
5. Prepare and sign NDA documents with the client.
6. Conduct the test.

What is the correct sequence of steps involved in performing a security audit?

A. 3 -> 5 -> 2 -> 1 -> 6 -> 4
B. 1 -> 3 -> 4 -> 2 -> 5 -> 6
C. 3 -> 5 -> 1 -> 6 -> 2 -> 4
D. 2 -> 1 -> 3 -> 5 -> 4 -> 6

33. Anonymous, a known hacker group, claims to have taken down 20,000 Twitter accounts
linked to the Islamic State in response to the Paris attacks that left 130 people dead. How
can you categorize this attack by Anonymous?

A. Spoofing
B. Cracking
C. Hacktivism
D. Social Engineering

34. Individuals who promote security awareness or a political agenda by performing hacking
are known as:

A. Hacktivists
B. Cyber terrorists
C. Suicide hackers
D. Script kiddies

35. Jude, a security professional in an organization, was instructed to strengthen the security
of the organization. In the process, to prevent direct attacks against an information system,
Jude implemented a strategy based on the military principle that it is more difficult for an
enemy to defeat a complex and multi-layered security system.

What is the security strategy that Jude has implemented to prevent direct attacks against the
information system?

A. Defense-in-depth
B. Information assurance
C. Threat modeling
D. Incident management

36. In machine-learning classification techniques, which of the following is a subcategory of
supervised learning that is used when the data classes are not separated or the data are
continuous?

A. Dimensionality reduction
B. Regression
C. Classification
D. Clustering

37. Which of the following tasks DOES NOT fall under the scope of ethical hacking?

A. Defense-in-depth implementation
B. Risk assessment
C. Vulnerability scanning
D. Pen testing

38. If the final set of security controls does not eliminate all the risk in a system, what could be
done next?

A. Remove current controls since they are not completely effective.
B. Ignore any remaining risk.
C. If the residual risk is low enough, it can be accepted.
D. Continue to apply controls until there is zero risk.

39. Which security strategy requires using several, diverse methods to protect IT systems
against attacks?

A. Defense in depth
B. Covert channels
C. Three-way handshake
D. Exponential backoff algorithm

40. In which phase of the risk management process does an analyst calculate the organization’s
risks and estimate the likelihood and impact of those risks?

A. Risk assessment
B. Risk monitoring and review
C. Risk identification
D. Risk treatment

41. Bayron is the CEO of a medium-size company with regional operations in America. He
recently hired a security analyst to implement an Information Security Management System
(ISMS) to minimize risk and limit the impact of a security breach. The analyst was asked to
design and implement patch management, vulnerability management, IDS deployment, and
security incident handling procedures for the company. Which of these is a reactive process?

A. Security incident handling
B. Patch management
C. Vulnerability management
D. IDS deployment

42. Highlander, Incorporated, decides to hire an ethical hacker to identify vulnerabilities at the
regional locations and ensure system security.

What is the main difference between a hacker and an ethical hacker when they are trying
to compromise the regional offices?

A. Hackers don’t have any knowledge of the network before they compromise the network.
B. Hackers have more sophisticated tools.
C. Ethical hackers have the permission of the regional server administrators.
D. Ethical hackers have the permission of upper management.

43. Which of the following is the type of threat intelligence that provides contextual
information about security events and incidents to help defenders disclose potential risks and
provide greater insight into attacker methodologies?

A. Operational threat intelligence.
B. Technical threat intelligence.
C. Strategic threat intelligence.
D. Tactical threat intelligence.

44. Which of the following phases of incident handling and response helps responders prevent
the spread of infection to other organizational assets and avoid additional damage?

A. Incident recording and assignment
B. Containment
C. Incident triage
D. Recovery

Given below are the four key steps of the risk management phase.

1. Risk treatment
2. Risk tracking and review
3. Risk assessment
4. Risk identification

What is the correct sequence of steps involved in the risk management phase?

A. 3 -> 4 -> 2 -> 1
B. 1 -> 2 -> 3 -> 4
C. 4 -> 3 -> 1 -> 2
D. 2 -> 1 -> 3 -> 4

45. Given below are different steps in the threat modelling process.

1. Identify threats
2. Identify security objectives
3. Decompose the application
4. Application overview
5. Identify vulnerabilities

What is the correct sequence of steps in the threat modelling process?

A. 1 -> 2 -> 3 -> 4 -> 5
B. 2 -> 1 -> 5 -> 3 -> 4
C. 2 -> 4 -> 3 -> 1 -> 5
D. 5 -> 2 -> 3 -> 1 -> 4

46. In machine-learning classification techniques, which of the following is a subcategory of
supervised learning that is used when the data classes are not separated or the data are
continuous?

A. Regression
B. Clustering
C. Classification
D. Dimensionality reduction

47. Which of the following tasks DOES NOT fall under the scope of ethical hacking?

A. Pen testing
B. Risk assessment
C. Vulnerability Scanning
D. Defence-in-depth implementation

48. If the final set of security controls does not eliminate all the risk in a system, what could be
done next?

A. Remove current controls since they are not completely effective.
B. If the residual risk is low enough, it can be accepted.
C. Continue to apply controls until there is zero risk.
D. Ignore any remaining risk.

49. In which phase of the risk management process does an analyst calculate the organization’s
risks and estimate the likelihood and impact of those risks?

A. Risk monitoring and review
B. Risk assessment
C. Risk treatment
D. Risk identification

50. Highlander, Incorporated, is a medical insurance company with several regional company
offices in North America. There are various types of employees working in the company,
including technical teams, sales teams, and work-from-home employees. Highlander takes
care of the security patches and updates of official computers and laptops; however, the
computers or laptops of the work-from-home employees are to be managed by the employees
or their ISPs. Highlander employs various group policies to restrict the installation of any
third-party applications.

As per Highlander’s policy, all the employees are able to utilize their personal smartphones
to access the company email in order to respond to requests for updates. Employees are
responsible for keeping their phones up to date with the latest patches. The phones are
not used to directly connect to any other resources in the Highlander, Incorporated,
network.

The database that hosts the information collected from the insurance application is hosted
on a cloud-based file server, and their email server is hosted on Office 365. Other files
created by employees get saved to a cloud-based file server, and the company uses work
folders to synchronize offline copies back to their devices.

Management at Highlander, Incorporated, has agreed to develop an incident management
process after discovering laptops were compromised and the situation was not handled in
an appropriate manner.

What is the first phase that Highlander, Incorporated, needs to implement within their
incident management process?

A. Containment
B. Preparation for incident handling and response
C. Forensic Investigation
D. Classification and prioritisation

51. Bayron is the CEO of a medium-size company with regional operations in America. He
recently hired a security analyst to implement an Information Security Management System
(ISMS) to minimize risk and limit the impact of a security breach. The analyst was asked to
design and implement patch management, vulnerability management, IDS deployment, and
security incident handling procedures for the company. Which of these is a reactive process?

A. Patch management
B. Security incident handling
C. Vulnerability management
D. IDS deployment

52. Which of the following countries’ cyber laws include the Patents (Amendment) Act, 1999;
Trademarks Act, 1999; and The Copyright Act, 1957?

A. USA
B. China
C. UK
D. India

53. Which of the following titles of SOX consists of four sections; defines practices to restore
investor confidence in securities analysts; defines the SEC’s authority to censure or bar
securities professionals from practice; and defines the conditions to bar a person from
practicing as a broker, advisor, or dealer?

A. Title V: Analyst Conflicts of Interest
B. Title III: Corporate Responsibility
C. Title VII: Studies and Reports
D. Title VI: Commission Resources and Authority

54. Which of the following acts contains “electronic transactions and code set standards” to
transfer information between two parties for specific purposes?

A. GLBA
B. PCI-DSS
C. SOX
D. HIPAA

55. Identify the SOX title that consists of four sections and defines practices to restore investor
confidence in securities analysts.

A. Studies and reports
B. Commission resources and authority
C. Corporate responsibility
D. Auditor independence

56. Which of the following acts was enacted to produce several key security standards and
guidelines required by Congressional legislation and provides a comprehensive framework
for ensuring the effectiveness of information security controls over information resources
that support federal operations and assets?

A. HIPAA
B. PCI-DSS
C. GLBA
D. FISMA

57. In which of the following footprinting threats does an attacker collect information directly
and indirectly through persuasion without using any intrusion methods?

A. System and Network attacks
B. Social Engineering
C. Business loss
D. Corporate espionage

58. Which of the following footprinting techniques allows an attacker to gather information
passively about the target without direct interaction?

A. Extracting DNS information
B. Extracting information using Internet archives
C. Performing social engineering
D. Performing traceroute analysis

59. Which of the following footprinting techniques allows an attacker to gather information
about a target with direct interaction?

A. Gathering information using groups, forums, blogs, and NNTP Usenet newsgroups
B. Gathering website information using web spidering and mirroring tools
C. Gathering infrastructure details of the target organization through job sites
D. Gathering financial information about the target through financial services

60. Passive reconnaissance involves collecting information through which of the following?

A. Social Engineering
B. Traceroute analysis
C. Publicly accessible resources
D. Email tracking

61. A pen tester was hired to perform penetration testing on an organization. The tester was
asked to perform passive footprinting on the target organization.

Which of the following techniques comes under passive footprinting?

A. Querying published name servers of the target
B. Performing traceroute analysis
C. Finding the top-level domains (TLDs) and sub-domains of a target through web
services
D. Performing social engineering

62. Which of the following search engine tools helps an attacker use an image as a search query
and track the original source and details of images, such as photographs, profile pictures, and
memes?

A. Intelius
B. Mention
C. Sublist3r
D. TinEye

63. Which of the following web services provides useful information about a target company,
such as the market value of the company’s shares, company profile, and competitor details?

A. Dice.com
B. Indeed.com
C. Investing.com
D. Linkup.com

64. Which of the following deep and dark web searching tools helps an attacker obtain
information about official government or federal databases and navigate anonymously
without being traced?

A. BeenVerified
B. Spokeo
C. Whitepages
D. ExoneraTor

65. Which of the following web services is a repository that contains a collection of user-
submitted notes or messages on various subjects and topics?

A. Business profile sites
B. Online reputation services
C. NNTP Usenet newsgroups
D. People search services

66. Which of the following activities of an organization on social networking sites helps an
attacker footprint or collect information regarding the type of business handled by the
organization?

A. Background checks to hire employees
B. User surveys
C. User product
D. Promotion of products

67. Which of the following activities of a user on social networking sites helps an attacker
footprint or collect the identity of the user’s family members, the user’s interests, and related
information?

A. Maintaining the profile
B. Creating events
C. Sharing photos and videos
D. Playing games and joining groups

68. In website footprinting, which of the following information is acquired by the attacker when
they examine the cookies set by the server?

A. Software in use and its behavior
B. Comments present in the source code
C. File-system structure and script type
D. Contact details of the web developer or admin

69. Which of the following DNS record types indicates the authority for a domain of the target
DNS server?

A. PTR
B. SRV
C. SOA
D. CNAME

70. Which of the following types of DNS records points to a host’s IP address?

A. A
B. HINFO
C. TXT
D. NS

71. Which of the following is the direct approach technique that serves as the primary source
for attackers to gather competitive intelligence?

A. Search engines, Internet, and online databases
B. Social engineering
C. Support threads and reviews
D. Social media postings

72. Which Google search query can you use to find mail lists dumped on pastebin.com?

A. allinurl: pastebin.com intitle:“mail lists”
B. allinurl: pastebin.com intitle:*@*.com:*
C. cache: pastebin.com intitle:*@*.com:*
D. site:pastebin.com intext:*@*.com:*

73. Which Google search query will search for any files a target certifiedhacker.com may have?

A. site: certifiedhacker.com filetype:xml | filetype:conf | filetype:cnf | filetype:reg |
filetype:inf | filetype:rdp | filetype:cfg | filetype:txt | filetype:ora | filetype:ini
B. site: certifiedhacker.com ext:xml || ext:conf || ext:cnf || ext:reg || ext:inf || ext:rdp ||
ext:cfg || ext:txt || ext:ora || ext:ini
C. allinurl: certifiedhacker.com ext:xml | ext:conf | ext:cnf | ext:reg | ext:inf | ext:rdp |
ext:cfg | ext:txt | ext:ora | ext:ini
D. site: certifiedhacker.com intext:xml | intext:conf | intext:cnf | intext:reg | intext:inf |
intext:rdp | intext:cfg | intext:txt | intext:ora | intext:ini

74. What is the output returned by search engines when extracting critical details about a
target from the Internet?

A. Search engine results pages (“SERPs”)
B. Advanced search operators
C. Open ports and services
D. Operating systems, location of web servers, users and passwords.

75. Which of the following techniques is used to create complex search engine queries?

A. Yahoo search
B. Bing search
C. Google hacking
D. DuckDuckGo

76. Sean works as a penetration tester in ABC firm. He was asked to gather information about
the target company. Sean begins with social engineering by following the steps:

• Secretly observes the target to gain critical information
• Looks at an employee’s password or PIN code with the help of binoculars or a low-power
telescope

Based on the above description, identify the social engineering technique.

A. Phishing
B. Tailgating
C. Shoulder surfing
D. Dumpster diving

77. Which of the following tools consists of a publicly available set of databases that contain
personal information of domain owners?

A. WHOIS lookup tools
B. Web spidering tools
C. Traceroute tools
D. Metadata Extraction tools

78. What information is gathered about the victim using email tracking tools?

A. Username of the clients, operating systems, email addresses, and list of software
B. Recipient’s IP address, geolocation, proxy detection, operating system, and
browser information
C. Information on an organization’s web pages since their creation
D. Targeted contact data, extracts the URL and meta tag for website promotion

79. Which of the following tools allows an attacker to extract information such as sender
identity, mail server, sender’s IP address, location, and so on?

A. Metadata extraction tools
B. Email tracking tools
C. Website mirroring tools
D. Web updates monitoring tools

80. Which of the following is a query and response protocol used for querying databases that
store the registered users or assignees of an Internet resource, such as a domain name, an IP
address block, or an autonomous system?

A. DNS lookup
B. TCP/IP
C. Traceroute
D. WHOIS lookup

81. Which of the following tools are useful in extracting information about the geographical
location of routers, servers, and IP devices in a network?

A. Website mirroring tools
B. Web spidering tools
C. Traceroute tools
D. Email tracking tools

82. Which of the following DNS record types helps in DNS footprinting to determine a domain’s
mail server?

A. A
B. NS
C. MX
D. CNAME

83. Steve, an attacker, wants to track the most shared content that belongs to the target
organization. For this purpose, he used an advanced social search engine that displayed
shared activity across all major social networks including Twitter, Facebook, LinkedIn,
Google Plus, and Pinterest.
What is the tool employed by Steve in the above scenario?

A. Wireshark
B. BuzzSumo
C. Robber
D. Vindicate

84. Robert, an attacker, targeted a high-level executive of an organization and wanted to
obtain information about the executive on the Internet. He employed a tool through which he
discovered the target user on various social networking sites, along with the complete URL.

What is the tool used by Robert in the above scenario?

A. Sherlock
B. Beroot
C. Oputils
D. Sublist3r

85. Which of the following tools allows attackers to search for people belonging to the target
organization?

A. NetCraft
B. GFI LanGuard
C. OpenVAS
D. Spokeo

86. James, a professional hacker, targeted the employees of an organization to establish
footprints in their network. For this purpose, he employed an online reconnaissance tool to
extract information on individuals belonging to the target organization. The tool assisted
James in obtaining employee information such as phone numbers, email addresses, address
history, age, date of birth, family members, and social profiles.

Identify the tool employed by James in the above scenario.

A. Nikto
B. KFSensor
C. Photon
D. Spokeo

87. Which of the following tools is a command-line search tool for Exploit-DB that allows taking
a copy of the Exploit database for remote use?

A. Spokeo
B. Spyse
C. Searchsploit
D. Droidsniff

88. Jacob, a professional hacker, targeted an organization’s website to find a way into its
network. To achieve his goal, he employed a footprinting tool that helped him in gathering
confidential files and other relevant information related to the target website from public
source-code repositories.

Identify the footprinting tool employed by Jacob in the above scenario.

A. Recon-ng
B. Netcraft
C. Reverse lookup
D. ShellPhish

89. Which of the following is a visualization and exploration tool that allows attackers to
explore and understand graphs, create hypotheses, and discover hidden patterns between
social networking connections?

A. Mention
B. theHarvester
C. Gephi
D. Netcraft

90. Which of the following tools allows attackers to construct and analyze social networks and
obtain critical information about the target organization/users?

A. Burp Suite
B. Mention
C. HTTrack Web Site Copier
D. NodeXL

91. Which of the following tools allows attackers to retrieve archived URLs of a target website
from archive.org?

A. SecurityTrails
B. Sublist3r
C. Photon
D. Burp Suite

92. Which of the following tools does an attacker use to perform a query on the platforms
included in OSRFramework?

A. usufy.py
B. domainfy.py
C. mailfy.py
D. searchfy.py

93. Which of the following utilities is used by Recon-Dog to detect technologies existing in the
target system?

A. findsubdomains.com
B. Wappalyzer.com
C. Shodan.io
D. Whoislookup

94. Which of the following countermeasures should be followed to safeguard the privacy, data,
and reputation of an organization and to prevent information disclosure?

A. Avoiding domain-level cross-linking for critical assets
B. Keeping the domain name profile public
C. Turning on geolocation access on all mobile devices
D. Enabling directory listings in the web servers

95. Which of the following practices helps security specialists protect a network against
footprinting attempts?

A. Do not keep the domain name profile private
B. Enable the geo-tagging functionality on cameras to allow geolocation tracking
C. Never disable or delete the accounts of employees who left the organization
D. Configure mail servers to ignore mails from anonymous individuals

96. Which of the following practices allows security professionals to defend an organization’s
network against footprinting attempts?

A. Never use TCP/IP and IPsec filters for defense in depth
B. Always enable protocols that are not required
C. Reveal location or travel plans on social networking sites
D. Disable or delete the accounts of employees who left the organization

97. Which of the following TCP communication flags confirms the receipt of a transmission and
identifies the next expected sequence number?

A. FIN flag
B. ACK flag
C. RST flag
D. SYN flag

98. Which of the following TCP communication flags notifies the transmission of a new
sequence number and represents the establishment of a connection between two hosts?

A. SYN flag
B. PSH flag
C. RST flag
D. FIN flag

99. Which of the following types of scanning involves the process of checking the services
running on a target computer by sending a sequence of messages to break in?

A. Port Scanning
B. Banner Grabbing
C. Vulnerability Scanning
D. Network Scanning

100. Which of the following TCP communication flags is set to “1” to announce that no more
transmissions will be sent to the remote system and the connection established by the SYN
flag is terminated?

A. SYN flag
B. ACK flag
C. FIN flag
D. RST flag

101. Which of the following is NOT an objective of network scanning?

A. Discover the services running
B. Discover the network’s live hosts
C. Discover the network’s live hosts
D. Discover usernames and passwords

102. Which of the following scanning tools is a mobile app for Android and iOS that provides
complete network information, such as the IP address, MAC address, device vendor, and ISP
location?

A. Maltego
B. Fing
C. Nmap
D. Netcraft

103. An attacker is using the scanning tool Hping to scan and identify live hosts, open ports,
and services running on a target network. He/she wants to collect all the TCP sequence
numbers generated by the target host.
Which of the following Hping commands he/she needs to use to gather the required
information?

A. hping3 <Target IP> -Q -p 139 -s
B. hping3 -F -P -U 10.0.0.25 -p 80
C. hping3 -S <Target IP> -p 80 --tcp-timestamp
D. hping3 -A <Target IP> -p 80

104. If a tester is attempting to ping a target that exists but receives no response or a response
that states the destination is unreachable, ICMP may be disabled and the network may be
using TCP. Which other option could the tester use to get a response from a host using TCP?

A. TCP ping
B. Broadcast ping
C. Traceroute
D. Hping

105. Which of the following open-source tools would be the best choice to scan a network for
potential targets?

A. Hashcat
B. Cain & Abel
C. John the Ripper
D. NMAP

106. Which of the following Hping3 commands is used to perform an ACK scan?

A. hping3 -1 <IP Address> -p 80
B. hping3 -A <IP Address> -p 80
C. hping3 -2 <IP Address> -p 80
D. hping3 -8 50-60 -S <IP Address> -V

107. Which of the following ping methods is effective in identifying active hosts similar to the
ICMP timestamp ping, specifically when the administrator blocks the conventional ICMP
ECHO ping?

A. ICMP ECHO ping scan
B. ICMP ECHO ping sweep
C. ICMP address mask ping scan
D. UDP ping scan

108. Which of the following protocols uses the port number 88/TCP and can verify the identity
of a user or host connected to a network?

A. TFTP
B. Finger
C. Kerberos
D. NTP

109. Which of the following scans detects when a port is open after completing the three-way
handshake, establishes a full connection, and closes the connection by sending an RST packet?

A. ACK flag probe scan
B. IDLE/IPID header scan
C. TCP connect scan
D. Stealth scan

110. Which of the following Nmap options is used by an attacker to perform an SCTP COOKIE
ECHO scan?

A. -sU
B. -sL
C. -sY
D. -sZ

111. In which of the following scanning techniques does an attacker send a spoofed source
address to a computer to determine the available services?

A. ACK flag probe scan
B. TCP Maimon scan
C. IDLE/IPID header scan
D. Inverse TCP flag scan

112. While performing a UDP scan of a subnet, you receive an ICMP reply of Code 3/Type 3 for
all the pings you have sent out. What is the most likely cause of this?

A. UDP port is closed.
B. The firewall is dropping the packets.
C. The host does not respond to ICMP packets.
D. UDP port is open

113. A security engineer is attempting to perform scanning on a company’s internal network
to verify security policies of their networks. The engineer uses the following NMAP command:
nmap -n -sS -P0 -p 80 ***.***.**.**. What type of scan is this?

A. Intense scan
B. Quick scan
C. Comprehensive scan
D. Stealth scan

114. A penetration tester is conducting a port scan on a specific host. The tester found several
open ports that were confusing in concluding the operating system (OS) version installed.
Considering the NMAP result below, which of the following is likely to be installed on the
target machine by the OS?

Starting NMAP 7.70 at 2018-03-15 11:06
NMAP scan report for 172.16.40.65
Host is up (1.00s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open http
139/tcp open netbios-ssn
515/tcp open
631/tcp open ipp
9100/tcp open
MAC Address: 00:00:48:0D:EE:89

A. The host is likely a printer.
B. The host is likely a Windows machine.
C. The host is likely a router.
D. The host is likely a Linux machine.

115. Which NMAP command combination would let a tester scan every TCP port from a class
C network that is blocking ICMP with fingerprinting and service detection?

A. NMAP -PN -O -sS -p 1-1024 192.168.0/8
B. NMAP -P0 -A -sT -p0-65535 192.168.0/16
C. NMAP -PN -A -O -sS 192.168.2.0/24
D. NMAP -P0 -A -O -p1-65535 192.168.0/24

116. Which protocol and port number might be needed to send log messages to a log analysis
tool that resides behind a firewall?

A. UDP 123
B. UDP 541
C. UDP 514
D. UDP 415

117. Which of the following OS discovery techniques is used by an attacker to identify a target
machine’s OS by observing the TTL values in the acquired scan result?

A. OS discovery using Unicornscan
B. OS discovery using Nmap
C. OS discovery using Nmap Script Engine
D. OS discovery using IPv6 fingerprinting

118. What type of OS fingerprinting technique sends specially crafted packets to the remote
OS and analyzes the received response?

A. Distributive
B. Active
C. Reflective
D. Passive

119. Which of the following IDS/firewall evasion techniques is used by an attacker to bypass
Internet censors and evade certain IDS and firewall rules?

A. IP address decoy
B. Source port manipulation
C. Anonymizers
D. Sending bad checksums

120. Which of the following IDS/firewall evasion techniques helps an attacker increase their
Internet anonymity?

A. IP address decoy
B. Source routing
C. Source port manipulation
D. Proxy chaining

121. Which NMAP feature can a tester implement or adjust while scanning for open ports to
avoid detection by the network’s IDS?

A. Timing options to slow the speed that the port scan is conducted
B. Fingerprinting to identify which operating systems are running on the network
C. ICMP ping sweep to determine which hosts on the network are not available
D. Traceroute to control the path of the packets sent during the scan

122. Which of the following countermeasures is used to avoid banner grabbing attacks?

A. Use ServerMask tools to disable or change banner information
B. Enable the details of the vendor and version in the banners
C. Never display false banners to mislead or deceive attackers
D. Turn on unnecessary services on the network host to limit information disclosure

123. Which of the following types of techniques is used to prevent IP spoofing by blocking
outgoing packets with a source address that is not inside?

A. Access-control lists
B. Ingress filtering
C. Random initial sequence numbers
D. Egress filtering

124. Which of the following practices helps security professionals defend a network or service
against port scanning attempts?

A. Never configure firewall and intrusion detection system (IDS) rules to block probes.
B. Never use port scanning tools against hosts on the network.
C. Ensure that TCP wrappers limit access to the network based on domain names
or IP addresses.
D. Never use a custom rule set to lock down the network and block unwanted ports at
the firewall.

125. Which of the following practices can make the organization’s network susceptible to port
scanning attempts?

A. Avoid using proxy servers to block fragmented or malformed packets.
B. Block inbound ICMP message types and all outbound ICMP type-3 unreachable
messages at border routers arranged in front of the company’s main firewall.
C. Configure commercial firewalls to protect the network against fast port scans and SYN
floods.
D. Test how the network firewall and IDS manages fragmented packets using fragtest
and fragroute.

126. Which of the following practices helps security professionals prevent banner grabbing
attempts on the host?

A. Never use server masking tools to disable or change banner information.
B. Never display false banners to mislead or deceive attackers.
C. Turn on unnecessary services on the network host to limit information disclosure.
D. Modify the value of ServerTokens from Full to Prod in Apache’s httpd.conf file
to prevent disclosure of the server version.

127. Which of the following is the active banner grabbing technique used by an attacker to
determine the OS running on a remote target system?

A. Banner grabbing from page extensions
B. Sniffing of network traffic
C. Banner grabbing from error messages
D. TCP sequence ability test

128. Which of the following is the best practice to follow to secure a system or network against
port scanning?

A. Ensure that the versions of services running on the ports are non-vulnerable
B. Ensure that firewall and routers do not block source routing techniques
C. Do not configure firewall and IDS rules to detect and block probes
D. Allow unwanted services running on the ports and update the service versions

129. Which of the following countermeasures helps organizations prevent information
disclosure through banner grabbing?

A. Display false banners
B. Disable open relay feature
C. Disable the DNS zone transfers to the untrusted hosts
D. Restrict anonymous access through RestrictNullSessAccess parameter from the
Windows registry

130. Which of the following practices helps security professionals defend a network or service
against port scanning attempts?

A. Never configure firewall and intrusion detection system (IDS) rules to block probes.
B. Never use a custom rule set to lock down the network and block unwanted ports at
the firewall.
C. Ensure that TCP wrappers limit access to the network based on domain names
or IP addresses.
D. Never use port scanning tools against hosts on the network.

131. Which of the following practices can make the target device or system vulnerable to
banner grabbing attacks?

A. Change the ServerSignature line to ServerSignature Off in the httpd.conf file.
B. Disable the details of the vendor and version in the banners.
C. For Apache 2.x with the mod_headers module, use a directive in the httpd.conf file to
change the banner information header and set the server as New Server Name.
D. Enable HTTP methods such as Connect, Put, Delete, and Options from web
application servers.

132. In which of the following enumeration techniques does an attacker take advantage of
different error messages generated during the service authentication process?

A. Extracting usernames using email IDs
B. Brute-force Active Directory
C. Extracting information using default passwords
D. Extracting usernames using SNMP

133. Which of the following port numbers is used by the Windows NetBIOS session service for
both null-session establishment as well as file and printer sharing?

A. TCP 23
B. TCP 139
C. TCP/UDP 53
D. TCP/UDP 389

134. Which of the following ports provides a name-resolution service for computers running
NetBIOS that is also known as the Windows Internet Name Service (WINS)?

A. TCP 135
B. TCP 22
C. UDP 137
D. UDP 161

135. Which of the following protocols is widely used by Internet service providers (ISPs) to
maintain huge routing tables and efficiently process Internet traffic?

A. TFTP
B. SIP
C. BGP
D. FTP

136. Jake, an attacker, is performing an attack on a target organization to gather sensitive
information. In this process, he exploited the protocol running on port 23 to perform banner
grabbing on other protocols, such as SSH and SMTP, as well as brute-forcing attacks on login
credentials.

Which of the following protocols is running on port 23?

A. Telnet
B. File Transfer Protocol
C. Secure Shell
D. Border Gateway Protocol

137. Which of the following port numbers is used to exploit vulnerabilities within DNS servers
to launch attacks?

A. UDP 137
B. TCP 139
C. TCP/UDP 53
D. TCP/UDP 135

138. Which of the following protocols uses TCP or UDP as its transport protocol over port 389?

A. SNMP
B. SIP
C. LDAP
D. SMTP

139. Which of the following protocols provides reliable multiprocess communication service
in a multinetwork environment?

A. SMTP
B. TCP
C. UDP
D. SNMP

140. An attacker identified that port 139 on the victim’s Windows machine is open and he used
that port to identify the resources that can be accessed or viewed on the remote system. What
is the protocol that allowed the attacker to perform this enumeration?

A. NetBIOS
B. LDAP
C. SMTP
D. SNMP

141. What is the default port used by IPSEC IKE protocol?

A. PORT 500
B. PORT 4500
C. PORT 51
D. PORT 50

142. Which of the following command-line tools displays the CPU and memory information or
thread statistics?

A. PsList
B. PsFile
C. PsLogList
D. PsGetSid

143. Which of the following tools supports the nbstat.nse script that allows attackers to
retrieve the target’s NetBIOS names and MAC addresses?

A. Wireshark
B. Netcraft
C. Nmap
D. OpUtils

144. Which of the following NetBIOS service codes is used to obtain information related to the
master browser name for the subnet?

A. <1E>
B. <03>
C. <1D>
D. <20>

145. Which of the following Windows utilities allows an attacker to perform NetBIOS
enumeration?

A. SetRequest
B. Nbtstat
C. Ntpdate
D. GetRequest

146. Which of the following tools is not a NetBIOS enumeration tool?

A. OpUtils
B. NetScanTools Pro
C. SuperScan
D. Hyena

147. Which of the following commands allows an SNMP agent to inform the pre-configured
SNMP manager of a certain event?

A. GetResponse
B. Trap
C. GetNextRequest
D. SetRequest

148. Which of the following management information bases (MIBs) contains object types for
workstation and server services?

A. MIB_II.MIB
B. LNMIB2.MIB
C. HOSTMIB.MIB
D. WINS.MIB

149. Which protocol enables an attacker to enumerate user accounts and devices on a target
system?

A. SNMP
B. TCP
C. NetBIOS
D. SMTP

150. Which of the following SnmpWalk commands allows an attacker to identify configured
software on the target network node?

A. snmpwalk -v2c -c public <Target IP Address> <OID> <New Value>
B. snmpwalk -v2c -c public <Target IP Address> hrMemorySize
C. snmpwalk -v2c -c public <Target IP Address>
D. snmpwalk -v2c -c public <Target IP Address> hrSWInstalledName

151. Which of the following SnmpWalk commands helps attackers change the object identifier
of a network node?

A. snmpwalk -v2c -c public <Target IP Address> sysContact <New Value>
B. snmpwalk -v2c -c public <Target IP Address>
C. snmpwalk -v2c -c public <Target IP Address> hrSWInstalledName
D. snmpwalk -v2c -c public <Target IP Address> <OID> <New Value>

152. Which of the following LDAP enumeration tools is used by an attacker to access the
directory listings within Active Directory or other directory services?

A. SlowLoris
B. XOIC
C. HULK
D. AD Explorer

153. Which of the following tools can be used to perform LDAP enumeration?

A. SuperScan
B. Nsauditor network security auditor
C. AD Explorer
D. SoftPerfect network scanner

154. Identify the nmap NSE script that helps attackers in performing automated LDAP
enumeration on a target network.

A. pip3 install ldap3
B. ntpdate
C. ldap-brute
D. get_info = ldap3.ALL

155. Edward, a professional hacker, was tasked with hacking critical information of a target
organization. For this purpose, Edward initiated an LDAP enumeration process. Using a
Python script, he successfully established a connection with the target LDAP server and
executed the following script:

>>> connection.search(search_base='DC=DOMAIN,DC=DOMAIN',
search_filter='(&(objectClass=*))', search_scope='SUBTREE', attributes='*')
True
>>> connection.entries

Which of the following did Edward accomplish using the above Python script?

A. Created a connection object
B. Retrieved the DSA-specific entry (DSE) naming contexts
C. Retrieved all directory objects
D. Listed all applications

156. Identify the tool used by attackers to enumerate AD users and perform different searches
using specific filters.

A. PortQry
B. DNSRecon
C. Ldapsearch
D. Netstat

157. Which of the following ntpdate parameters is used by an attacker to perform a function
that can force the time to always be slewed?

A. -q
B. -B
C. -b
D. -d

158. Sam, an ethical hacker, is launching an attack on a target company. He performed various
enumeration activities to detect any existing vulnerabilities on the target network and
systems. In this process, he performed NTP enumeration and executed some commands to
acquire the list of hosts connected to the NTP server.
Which of the following NTP enumeration commands helps Sam in collecting system
information such as the number of time samples from several time sources?

A. Ntptrace
B. Ntpdc
C. Ntpq
D. Ntpdate

159. George, a professional hacker, wanted to test his computer skills. So, he decided to execute
an attack on a company and access important files of the company. In this process, he
performed NFS enumeration using a tool to download important files shared through the NFS
server. Which of the following tools helps George perform NFS enumeration?

A. Dependency Walker
B. RPCScan
C. OllyDbg
D. KeyGrabber

160. Which of the following commands is used by attackers to query the ntpd daemon about
its current state?

A. ntpdc
B. ntpq
C. ntpdate
D. ntptrace

161. Which of the following ntpdate parameters is used by an attacker to perform a function
that can force the time to always be stepped?

A. -B
B. -b
C. -q
D. -d

162. Which of the following protocols is responsible for synchronizing clocks of networked
computers?

A. NTP
B. LDAP
C. SMTP
D. DNS

163. Which of the following tools is used by an attacker for SMTP enumeration and to extract
all the email header parameters, including confirm/urgent flags?

A. NetScanTools Pro
B. Wireshark
C. JXplorer
D. Snmpcheck

164. Which of the following smtp-user-enum options is used to select the file containing
hostnames running the SMTP service?

A. -u user
B. -U file
C. -T file
D. -t host

165. Which of the following SMTP in-built commands tells the actual delivery addresses of
aliases and mailing lists?

A. RCPT TO
B. VRFY
C. EXPN
D. PSINFO

166. Which of the following commands allows an attacker to list all the SMTP commands
available in the nmap directory?

A. nmap -p 25 -script=smtp-open-relay <Target IP Address>
B. nmap -p 25, 365, 587 -script=smtp-commands <Target IP Address>
C. nmap -p 25 --script=smtp-enum-users <Target IP Address>
D. nmap -T4 -p 53 --script dns-brute <Target Domain>

167. Given below are the various steps to perform SMTP enumeration.

1. Launch the Metasploit msfconsole and switch to the relevant auxiliary scanner to initiate the
process: auxiliary/scanner/smtp/smtp_enum.
2. Use the command show advanced to view the complete list of available options in the SMTP
user enumeration module.
3. Use the command show options to view the entire list of options required to perform this
task.
4. Execute the run command to begin the enumeration process.
5. Use the option set RHOST to set the target SMTP server’s IP address or a range of IP addresses.
6. Set the USER_FILE option to use custom wordlists.

Identify the correct sequence of steps involved in performing SMTP enumeration.

A. 3 -> 2 -> 1 -> 4 -> 5 -> 6
B. 6 -> 5 -> 4 -> 3 -> 2 -> 1
C. 1 -> 3 -> 5 -> 6 -> 2 -> 4
D. 1 -> 5 -> 3 -> 2 -> 6 -> 4

168. Which of the following commands is used by an attacker to check all NS records of the
target domain for zone transfers?

A. dig
B. ike-scan
C. ntpq
D. RPCScan

169. Which of the following enumeration techniques is used by a network administrator to
replicate domain name system (DNS) data across many DNS servers, or to backup DNS files?

A. Extract information using DNS zone transfer
B. Brute force active directory
C. Extract usernames using e-mail IDs
D. Extract information using default passwords

170. Which of the following tools is a DNS interrogation tool?

A. Hping
B. Dig
C. NetScan Tools Pro
D. SandCat Browser

171. Which of the following Nmap commands is used by an attacker to enumerate the SMB
service running on the target IP address?

A. # nmap -p 23 --script telnet-ntlm-info <target IP>
B. # nmap -sR <target IP/network>
C. # nmap -sV -v --script nbstat.nse <target IP address>
D. # nmap -p 445 -A <target IP>

172. Which of the following Nmap commands is used by an attacker to enumerate the TFTP
service running on the target domain?

A. # nmap -p 69 <target domain>
B. # nmap -p 23 <target domain>
C. # nmap -T4 -A <target IP/network>
D. # nmap -p 21 <target domain>

173. Which of the following options in the finger command-line utility is used for preventing
the matching of usernames?

A. -s
B. -l
C. -p
D. -m

174. Greg, a professional hacker, targeted an organization and performed user enumeration
on a remote system of the target organization. In this process, he used a command-line utility
to successfully gather the list of users who are logged into the remote system and their login
times.

Which of the following command-line utilities was employed by Greg for user enumeration?

A. PsFile
B. PsKill
C. Finger
D. PortQry

175. In which of the following enumeration steps does a penetration tester extract
information about encryption and hashing algorithms, authentication types, key distribution
algorithms, SA LifeDuration, etc.?

1. Perform SMTP enumeration
2. Perform DNS enumeration
3. Perform NTP enumeration
4. Perform IPsec enumeration

176. Which of the following protocols is the technology for both gateway-to-gateway (LAN-to-
LAN) and host-to-gateway (remote access) enterprise VPN solutions?

A. SNMP
B. SMTP
C. NetBios
D. IPSec

177. Which of the following commands allows attackers to enumerate the SMB service running
on the target IP address?

A. nmap -Pn -sU -p 53 --script=dns-recursion <target IP>
B. nmap -p 21 <target domain>
C. nmap -p 445 -A <target IP>
D. nmap -p 25 -script=smtp-open-relay <target IP>

178. Which of the following countermeasures helps security professionals defend against FTP
enumeration?

A. Allowing access by IP or domain name to the FTP server
B. Ensuring that the unrestricted uploading of files on the FTP server is allowed
C. Enabling anonymous FTP accounts
D. Configuring filtering rules for FTP services

179. Which of the following is not a best practice to defend against DNS enumeration?

A. Disabling DNS zone transfers to untrusted hosts
B. Using standard network admin contacts for DNS registrations to avoid social
engineering attacks
C. Ensuring that the private hosts and their IP addresses are published in the DNS
zone files of the public DNS server
D. Using premium DNS registration services that hide sensitive information such as host
information (HINFO) from the public

180. Which of the following countermeasures helps security professionals defend against
SMTP enumeration?

A. Disabling EXPN, VRFY, and RCPT TO commands or restricting them to authentic
users
B. Enabling the open relay feature
C. Allowing unlimited accepted connections from a source
D. Including sensitive information on mail servers and local hosts in mail responses

181. Rick, a professional hacker, targeted an organization and found that the organization uses
FTP to transfer files over TCP. He exploited the FTP service to access the organization’s data.
Greg, a security professional of the organization, noticed that someone is accessing the data
and wants to strengthen the security of the FTP server.
Which of the following countermeasures should Greg employ to secure the organization’s
information?

A. Allow access by IP or domain name to the FTP server
B. Never restrict login attempts and time
C. Ensure that the unrestricted uploading of files on the FTP server is allowed
D. Implement a certification-based authentication policy

182. Which of the following practices helps security professionals defend the organizational
network against DNS enumeration attempts?

A. Ensure that the resolver can be accessed only by the hosts outside the network.
B. Disable DNS recursion in the DNS server configuration.
C. Restrict the auditing of DNS zones.
D. Never restrict DNS zone transfers to specific slave nameserver IP addresses.

183. Which of the following security practices can help security experts prevent DNS
enumeration attacks on a network?

A. Randomize source ports.
B. Enable DNS recursion.
C. Open all the unused ports and services.
D. Never use isolated DNS servers.

184. Which of the following practices allows attackers to execute external SNMP enumeration
attempts on the target network?

A. Avoid using the “NoAuthNoPriv” mode.
B. Regularly audit the network traffic.
C. Encrypt credentials using the “AuthNoPriv” mode.
D. Never change the default or current passwords.

185. Which of the following practices allows an attacker to perform NFS enumeration attempts
on a target network?

A. Implement firewall rules to allow NFS port 2049.
B. Use the principle of least privileges.
C. Log the requests to access the system files on the NFS server.
D. Ensure that users are not running suid and sgid on the exported file system.

186. Which of the following practices allows security experts to defend against SMTP
enumeration attempts on a network?

A. Do not share internal IP/host information or mail relay system information.
B. Never ignore email messages to unknown recipients.
C. Enable the open relay feature.
D. Include sensitive information on mail servers and local hosts in mail responses.

187. Which of the following countermeasures allows security professionals to defend their
organizational network against FTP enumeration attacks?

A. Run regular public services such as mail or the web on a single FTP server.
B. Never restrict login attempts and time.
C. Implement a Markov game–based analysis model for vulnerability assessment.
D. Never configure access controls on authenticated FTP accounts.

188. Which of the following phases of the vulnerability management lifecycle provides clear
visibility into a firm and allows security teams to check whether all the previous phases have
been perfectly employed?

A. Monitoring
B. Verification
C. Remediation
D. Risk Assessment

189. Which of the following online resources helps an attacker in performing vulnerability
research?

A. AOL
B. MITRE CVE
C. GNUnet
D. EZGif

190. Given below are the different steps involved in the post-assessment phase of vulnerability
management.

1. Remediation
2. Monitoring
3. Risk Assessment
4. Verification

What is the correct sequence of steps involved in the post-assessment phase?

A. 3 -> 2 -> 4 -> 1
B. 1 -> 2 -> 3 -> 4
C. 3 -> 1 -> 4 -> 2
D. 2 -> 1 -> 3 -> 4

191. Which of the following terms refers to the existence of a weakness, design flaw, or
implementation error that can lead to an unexpected event compromising the security of the
system?

A. Exploit
B. Zero-day attack
C. Hacking
D. Vulnerability

192. What is the correct order for the vulnerability management life cycle?

A. Monitor → risk assessment → remediation → verification → creating baseline →
vulnerability assessment
B. Verification → risk assessment → monitor → remediation → creating baseline →
vulnerability assessment
C. Verification → vulnerability assessment → monitor → remediation → creating
baseline → risk assessment
D. Creating baseline → vulnerability assessment → risk assessment → remediation
→ verification → monitor

193. Which of the following terms refers to the process of reducing the severity of
vulnerabilities in the vulnerability management life cycle?

A. Risk Assessment
B. Verification
C. Remediation
D. Vulnerability Assessment

194. Which of the following terms is referred to as a weakness in the design or implementation
of a system or software that can be exploited to compromise its security?

A. Footprinting
B. Information assurance
C. Natural threat
D. Vulnerability

195. Peter, a security professional, was tasked with performing a vulnerability assessment on
an organization’s network. During the assessment, Peter identified that an Apache server was
improperly configured, potentially posing serious threats to the organization.

Identify the type of vulnerability identified by Peter in the above scenario.

A. User account vulnerabilities
B. Default password and settings
C. Internet service misconfiguration
D. Network device misconfiguration

196. Steve, an administrator, installed new software on an employee’s system but forgot to
change the credentials provided by the vendor. Greg, an attacker, browsed online resources
and obtained vendor-provided software credentials to gain remote access to the employee’s
system.

Identify the type of vulnerability exploited by Greg in the above scenario.

A. TCP protocol vulnerabilities
B. Operating system vulnerabilities
C. Default password and settings
D. IP protocol vulnerabilities

197. Clark, an IT professional, was hired by an MNC on a contract basis. After a few months,
the management became dissatisfied with Clark’s performance and asked him to serve a
notice period. Clark decided to seek revenge on the company after serving the notice period.
On the last working day, he accessed the company’s shared drive and revealed secrets to a
third party, causing huge financial loss to the company.

Identify the cause of the vulnerability discussed in the above scenario.

A. End-user carelessness
B. Hardware or software misconfiguration
C. Intentional end-user acts
D. Inherent technology weaknesses

198. Which of the following functionalities is not an example of a misconfigured system?

A. Running old software on the system
B. Outbound connections to various Internet services
C. Unnecessary administrative ports that are open for an application
D. Running only necessary services on a machine

199. Which of the following types of vulnerability assessment sniffs the traffic present on the
network to identify the active systems, network services, applications, and vulnerabilities?

A. Passive assessment
B. Credentialed assessment
C. Active assessment
D. Distributed assessment

200. In which of the following types of vulnerability assessment does an ethical hacker assess
an enterprise network without possessing any privileges for the assets present in the
network?

A. Distributed assessment
B. Non-credentialed assessment
C. Manual assessment
D. Credentialed assessment

201. Highlander, Incorporated, is a medical insurance company with several regional company
offices in North America. There are various types of employees working in the company,
including technical teams, sales teams, and work-from-home employees. Highlander takes
care of the security patches and updates of official computers and laptops; however, the
computers or laptops of the work-from-home employees are to be managed by the employees
or their ISPs. Highlander employs various group policies to restrict the installation of any
third-party applications.
As per Highlander’s policy, all the employees are able to utilize their personal smartphones
to access the company email in order to respond to requests for updates. Employees are
responsible for keeping their phones up to date with the latest patches. The phones are not
used to directly connect to any other resources in the Highlander, Incorporated, network. The
company is concerned about the potential vulnerabilities that could exist on their devices.
What would be the best type of vulnerability assessment for the employees’ smartphones?

A. Host-based assessment
B. Passive assessment
C. Wireless network assessment
D. Active assessment

202. Which term refers to common software vulnerabilities that happen due to coding errors
allowing attackers to get access to the target system?

A. Banner grabbing
B. Port scanning
C. Active footprinting
D. Buffer overflows

203. Sohum is carrying out a security check on a system. This security check involves carrying
out a configuration-level check through the command line in order to identify vulnerabilities
such as incorrect registry and file permissions, as well as software configuration errors.
Which type of assessment is performed by Sohum?

A. Host-based assessment
B. Network-based assessment
C. External assessment
D. Internal assessment

204. Which assessment focuses on transactional web applications, traditional client-server
applications, and hybrid systems?

A. Application assessment
B. Wireless network assessment
C. Active assessment
D. Passive assessment

205. Which of the following vulnerabilities is exploited by attackers before being
acknowledged and patched by software developers or security analysts?

A. Default installations
B. Supply-chain risks
C. Zero-day vulnerability
D. Legacy platform vulnerability

206. Sam, a newly joined security auditor, was tasked with deploying updates for all the
devices connected to a network. Before deploying the updates, he analyzed the network and
found many unknown devices connected to the organization’s LAN. He failed to understand
the topology because the newly added assets were not documented properly.
Identify the type of vulnerability demonstrated in the above scenario.

A. System sprawl
B. Default installations
C. Misconfigurations
D. Default passwords

207. Which of the following terms is referred to as an undesirable incident that occurs when
software or a system program depends on the execution of processes in a sequence and on
the timing of the programs?

A. Null pointer/object dereference
B. Memory leaks
C. Race condition
D. Integer overflows

208. Which of the following features is not a good characteristic of a vulnerability assessment
solution?

A. Automatic scanning and checks against continuously updated databases
B. Imitation of the outside view of attackers to gain their objective
C. Use of a well-organized inference-based approach for testing
D. Support for a single network

209. Which of the following types of vulnerability assessment tools provides security
assessment by testing vulnerabilities in the applications and operating system by providing
standard controls?

A. Host-based vulnerability assessment tools
B. Depth assessment tools
C. Scope assessment tools
D. Application-layer vulnerability assessment tools

210. John, an ethical hacker, is performing a vulnerability assessment on an organization’s
network. He used tools such as fuzzers to discover and identify previously unknown
vulnerabilities in the system and tested whether a product is resistant to a known
vulnerability.
Which of the following types of vulnerability assessment tools did John employ?

A. Scope assessment tools
B. Application-layer vulnerability assessment tools
C. Host-based vulnerability assessment tools
D. Depth assessment tools

211. Jim, an ethical hacker, was hired to perform a vulnerability assessment on an organization
to check the security posture of the organization and its vulnerabilities. Jim used a tool that
helped him continuously identify threats and monitor unexpected changes in the network
before they turn into breaches.
Which of the following tools did Jim employ in the above scenario?

A. theHarvester
B. Octoparse
C. Qualys VM
D. Sherlock

212. Which of the following tools will scan a network to perform vulnerability checks and
compliance auditing?

A. NMAP
B. Nessus
C. BeEF
D. Metasploit

213. Sanya is a security analyst in a multinational company who wants to schedule scans across
multiple scanners, use wizards to easily and quickly create policies, and send results via email
to her boss. Which vulnerability assessment tool should she use to get the best results?

A. Recon-ng
B. Wireshark
C. FOCA
D. Nessus Professional

214. SecTech Inc. is worried about the latest security incidents and data theft reports. The
management wants a comprehensive vulnerability assessment of the complete information
system at the company. However, SecTech does not have the required resources or
capabilities to perform a vulnerability assessment. They decide to purchase a vulnerability
assessment tool to test a host or application for vulnerabilities.
Which of the following factors should the organization NOT consider while purchasing a
vulnerability assessment tool?

A. Types of vulnerabilities being assessed
B. Functionality for writing own tests
C. Links to patches
D. Test run scheduling

215. Which of the following elements of a vulnerability scanning report allows a system
administrator to obtain additional information about the scan, such as assets scanned?

A. Risk Assessment
B. Assessment scope and objectives
C. Assessment Overview
D. Recommendations

216. Smith, an ethical hacker, was hired to perform a vulnerability analysis and security audit
on an organization. He used a vulnerability management tool for the assessment and
documented variations and findings including the final report, along with remediation steps
to mitigate the identified risks.
Which of the following elements of the vulnerability report includes each host’s detailed
information and contains the name and address of the host, operating system type, and date
of the test?

A. Findings
B. Assessment scope and objectives
C. Risk Assessment
D. Recommendations

217. Which of the following components of a vulnerability assessment report contains action
plans to implement remediations for each identified vulnerability?

A. Recommendations
B. Findings
C. Risk assessment
D. Assessment overview

218. In which of the following password attacks does an attacker gather a password database,
split each password entry into two- and three-character syllables to develop a new alphabet,
and then match it with the existing password database?

A. Combinator attack
B. Markov chain attack
C. PRINCE attack
D. Fingerprint attack
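The syllable-alphabet idea behind the fingerprint attack (option D), as an added example that is not part of the original question set. The leaked list, the target password and the use of SHA-256 as a stand-in for the target's real hash type are constructed assumptions; hashcat-utils does the same job with expander (build the alphabet) and combinator (join syllables), run against the real hash type.

```python
"""Fingerprint attack, simplified: build an alphabet of 2- and 3-character
syllables from a leaked password list, then combine syllables into new
candidates.  Added example; the leak, target and hash function are constructed.
"""
import hashlib
from itertools import product

# Constructed "previously cracked" passwords; a real attack feeds in every
# password that earlier cracking rounds recovered.
LEAKED = ["summer2019", "winter23", "hunter2", "Pass!word"]


def expand(password, min_len=2, max_len=3):
    """Every 2- and 3-character substring of one password (the 'syllables')."""
    return {password[i:i + n]
            for n in range(min_len, max_len + 1)
            for i in range(len(password) - n + 1)}


def build_alphabet(passwords):
    """Union of the syllables of all leaked passwords, as a sorted list."""
    alphabet = set()
    for pw in passwords:
        alphabet |= expand(pw)
    return sorted(alphabet)


def candidates(alphabet, max_parts=2):
    """Single syllables first, then every ordered pair (the combinator step)."""
    for parts in range(1, max_parts + 1):
        for combo in product(alphabet, repeat=parts):
            yield "".join(combo)


def sha256_hex(text):
    """Stand-in for the real hash type (NT, md5crypt, ...); constructed choice."""
    return hashlib.sha256(text.encode()).hexdigest()


def fingerprint_attack(target_hash, leaked, max_parts=2):
    """Return the candidate whose hash matches target_hash, or None."""
    alphabet = build_alphabet(leaked)
    for cand in candidates(alphabet, max_parts):
        if sha256_hex(cand) == target_hash:
            return cand
    return None


if __name__ == "__main__":
    # 'win' comes from winter23 and '19' from summer2019: no leaked password
    # contains 'win19' itself, but the syllable alphabet produces it.
    target = sha256_hex("win19")
    print(fingerprint_attack(target, LEAKED))
```

The attack is iterative in practice: every password recovered in one round is expanded back into the alphabet for the next, which is why a small leak from the same organization is so effective against its remaining hashes.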

219. Which of the following countermeasures should be followed to protect systems against
password cracking?

A. Using the same password during a password change
B. Avoiding the use of passwords that can be found in a dictionary
C. Imposing no restriction on the password change policy
D. Always using system default passwords

220. Which of the following tools helps an ethical hacker detect buffer overflow vulnerabilities
in an application?

A. THC-Hydra
B. Hashcat
C. Medusa
D. OllyDbg

221. Which of the following types of password attacks does not lead to any changes in the
system and includes techniques such as wire sniffing, man-in-the-middle attacks, and replay
attacks?

A. Offline attacks
B. Non-electronic attacks
C. Passive online attacks
D. Active online attacks

222. Given below are the different steps involved in password guessing.
1. Create a list of possible passwords.
2. Rank passwords from high to low probability.
3. Find a valid user.
4. Key in each password until the correct password is discovered.

What is the correct sequence of steps involved in password guessing?

A. 4 -> 2 -> 3 -> 1
B. 3 -> 1 -> 2 -> 4
C. 1 -> 2 -> 3 -> 4
D. 2 -> 3 -> 1 -> 4

223. Ben is a disgruntled ex-employee of an organization and has knowledge of computers and
hacking. He decided to hack the organization and disrupt its operations. In this process, he
cracked the passwords of remote systems by recovering cleartext passwords from a
password hash dump.

Which of the following types of password attacks did Ben perform on the target organization?

A. Passive online attack
B. Active online attack
C. Offline attack
D. Non-electronic attack

224. Jim, a professional hacker, targeted a person to steal their banking credentials. When the
target user was performing an online transaction, Jim intercepted and acquired access to the
communication channel between the target and the server to obtain the credentials.

Which of the following types of attack did Jim perform in the above scenario?

A. Man-in-the-middle attack
B. Dictionary attack
C. Fingerprint attack
D. Rainbow table attack

225. Gary, a professional hacker, is attempting to access an organization’s systems remotely.
In this process, he used a tool to recover the passwords of the target system and gain
unauthorized access to critical files and other system software.

Which of the following tools did Gary use to crack the passwords of the target system?

A. Dependency Walker
B. OllyDbg
C. BeRoot
D. Hashcat

226. Tim, a network administrator in an organization, received several complaints about
unusual behavior in the network. He implemented a spoofing detection toolkit in the network
to quickly detect and isolate attackers on the network.

Which of the following tools did Tim use to detect the attacks on the network?

A. CCleaner
B. Sherlock
C. OpenStego
D. Vindicate

227. Jude, a security professional in an organization, decided to strengthen the security of the
applications used by the organization. In this process, he used a buffer-overflow detection
tool that recognizes buffer overflow vulnerabilities in the applications.

Which of the following tools helps Jude detect buffer overflow vulnerabilities?

A. Octoparse
B. Splint
C. Maltego
D. Infoga

228. How does the SAM database in the Windows operating system store user accounts and
passwords?

A. The operating system uses key distribution center (KDC) for storing all user
passwords.
B. The operating system stores the passwords in a secret file that users cannot find.
C. The operating system performs a one-way hash of the passwords.
D. The operating system stores all passwords in a protected segment of volatile memory.

229. Which of the following is the advantage of adopting a single sign on (SSO) system?

A. A reduction in overall risk to the system since network and application attacks can
only happen at the SSO point
B. A worse user experience: when an application times out, the user needs to log in again,
reducing productivity
C. A reduction in password fatigue for users because they do not need to know
multiple passwords when accessing multiple applications
D. Decreased security as the logout process is different across applications

230. John the Ripper is a technical assessment tool used to test the weakness of which of the
following?

A. File permissions
B. Usernames
C. Passwords
D. Firewall rulesets

231. Which of the following is an exploitation technique used by attackers to execute arbitrary
malicious code in the presence of security protections such as code signing and executable
space protection?

A. Dictionary attack
B. Return-oriented programming attack
C. Dumpster diving
D. Shoulder surfing

232. Which of the following is a cyberattack that combines various vulnerabilities to infiltrate
and compromise the target from its root level?

A. Exploit chaining
B. Man-in-the-middle attack
C. TCP/IP hijacking
D. DNS amplification attack

233. Given below are the various steps involved in an exploit chaining attack.
1. Gather exploits one after another.
2. Gain access to root-level services.
3. Combine all the exploits to compromise the system.
4. Initiate reconnaissance.

Identify the correct sequence of steps involved in performing exploit chaining attacks.

A. 4 -> 1 -> 3 -> 2
B. 1 -> 3 -> 4 -> 2
C. 2 -> 3 -> 4 -> 1
D. 4 -> 3 -> 2 -> 1

234. Which of the following practices makes an organization’s network vulnerable to
password cracking attacks?

A. Enable account lockout with a certain number of attempts, counter time, and lockout
duration.
B. Never perform continuous user behavior analysis and blind-spot analysis.
C. Ensure that password database files are encrypted and accessible only by system
administrators.
D. Perform a periodic audit of passwords in the organization.

235. Which of the following practices helps security professionals defend against
LLMNR/NBT-NS poisoning attacks on an organizational network?

A. Implement SMB signing
B. Allow changes to the DWORD registry
C. Enable LLMNR
D. Enable NBT-NS

236. Which of the following practices can be adopted by security experts to defend against
buffer overflow attacks within an organization?

A. Do not use stack canaries, a random value, or a string of characters.
B. Disallow the compiler to add bounds to all the buffers.
C. Employ the latest OSes that offer high protection.
D. Never use the NX bit to mark certain areas of memory as executable and
nonexecutable.

237. Given below are the different steps followed in pivoting.
1. Exploit vulnerable services.
2. Discover live hosts in the network.
3. Scan ports of live systems.
4. Set up routing rules.

What is the correct sequence of steps involved in pivoting?

A. 2 -> 1 -> 3 -> 4
B. 2 -> 3 -> 1 -> 4
C. 2 -> 4 -> 3 -> 1
D. 1 -> 2 -> 3 -> 4

238. Which of the following techniques is the best defensive measure against privilege
escalation?

A. Restrict interactive logon privileges
B. Run users and applications with the highest privileges
C. Increase the privileges of users and groups
D. Run services as privileged accounts

239. Ray, a professional hacker, was hired to gather sensitive information from an
organization. In the attack process, he used a tool to find DLLs that an executable requests
without an absolute path and to place his malicious DLL high up the search path so that it
gets loaded before the original DLL.

Which of the following tools helps Ray perform the above task?

A. BCTextEncoder
B. CrypTool
C. Robber
D. VeraCrypt

240. Richard, an attacker, is launching attacks on a target system to retrieve sensitive
information from it. In this process, he used a privilege escalation technique to place an
executable in a location such that the application will execute it instead of the legitimate
executable.

Which of the following techniques was employed by Richard to escalate privileges?

A. Path interception
B. Application shimming
C. Web shell
D. Kernel exploits

241. A pen tester is using Metasploit to exploit an FTP server and pivot to a LAN. How will the
pen tester pivot using Metasploit?

A. Create a route statement in the meterpreter.
B. Reconfigure the network settings in the meterpreter.
C. Issue the pivot exploit and set the meterpreter.
D. Set the payload to propagate through the meterpreter.

242. In which of the following techniques does an unauthorized user try to access the
resources, functions, and other privileges that belong to the authorized user who has similar
access permissions?

A. Horizontal privilege escalation
B. Rainbow table attack
C. Kerberos authentication
D. Vertical privilege escalation

243. Which of the following operating systems dynamically loads weak dylibs, a behavior that
attackers exploit by placing a malicious dylib in the expected location?

A. MacOS
B. Android
C. Linux
D. Unix

244. Which of the following vulnerabilities allows attackers to trick a processor into
speculatively executing instructions that read restricted data?

A. Spectre
B. Meltdown
C. Dylib hijacking
D. DLL hijacking

245. Which of the following vulnerabilities is found in all the Intel processors and in the ARM
processors deployed by Apple (and others), and tricks a process into accessing out-of-bounds
memory by exploiting CPU optimization mechanisms such as speculative execution?

A. Meltdown
B. Dylib hijacking
C. DLL hijacking
D. Privilege escalation

246. Which of the following commands allows attackers to check for any share available for
mounting on a target host?

A. showmount -e <Target IP Address>
B. sudo mount -t nfs <Target IP Address>:/<Share Directory> /tmp/nfs
C. nmap -T4 -A <target IP/network>
D. ldns-walk @<IP of DNS Server> <Target domain>

247. Identify the scripts allocated using AD or GPOs, which are executed using any valid user’s
credentials and abused by attackers to gain local or administrator credentials based on the
access configuration.

A. RC scripts
B. Startup items
C. Network logon scripts
D. Logon script (Windows)

248. Which of the following tools allows attackers to perform a DCSync attack to retrieve
password hashes of other domain controllers?

A. Robber
B. Stream armor
C. Mimikatz
D. OllyDbg

249. Which of the following commands allows attackers to modify the crontab file of the
current user in a Linux system?

A. crontab -r
B. crontab -l
C. crontab -r <username>
D. crontab -e

250. Which of the following commands allows attackers to delete the crontab of the specified
user in a Linux system?

A. crontab -r
B. crontab -r <username>
C. crontab -u
D. crontab -l

251. Which of the following techniques is used to place an executable in a particular path in
such a way that it will be executed by the application in place of the legitimate target?

A. Scheduled Task
B. File system permissions weakness
C. Path interception
D. Application shimming

252. Which of the following types of spyware can record and monitor Internet activities, record
software usage and timings, record an activity log and store it at one centralized location, and
log users’ keystrokes?

A. GPS spyware
B. Email spyware
C. Audio spyware
D. Desktop spyware

253. Which of the following techniques is not a countermeasure to defend against spyware?

A. Adjust the browser security settings to medium or higher for the Internet zone
B. Always use the administrative mode
C. Avoid using any computer system that is not entirely under the user’s control
D. Be cautious of pop-up windows or web pages; never click anywhere on these windows

254. In which of the following steganography attacks does an attacker perform probability
analysis to test whether a given stego-object and original data are the same?

A. Distinguishing statistical
B. Known-cover
C. Chosen-message
D. Chi-square
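The pairs-of-values chi-square test of option D, as an added example that is not part of the original question set. The "image" is a constructed list of 8-bit samples whose histogram has the spikes and gaps of a contrast-adjusted photo, so no image file or library is needed; the embedding is plain sequential LSB replacement with random bits.

```python
"""Chi-square (pairs-of-values) steganalysis after Westfeld and Pfitzmann.
Added example, not part of the original question set: the cover is a
constructed list of 8-bit samples, not a real image.
"""
import math
import random
from collections import Counter


def make_cover(n=100_000, seed=1):
    """Constructed cover: Gaussian samples pushed through a gamma curve, which
    leaves the histogram with the spikes and gaps a contrast-adjusted photo
    has.  Those irregularities are exactly what LSB embedding smooths away."""
    rng = random.Random(seed)
    cover = []
    for _ in range(n):
        x = min(255, max(0, int(rng.gauss(128, 40))))
        cover.append(int(255 * (x / 255) ** 1.5))
    return cover


def random_bits(n, seed=7):
    """Constructed message: n uniformly random bits."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(n)]


def embed_lsb(samples, bits):
    """Sequential LSB replacement: overwrite the low bit of every sample."""
    return [(s & 0xFE) | b for s, b in zip(samples, bits)]


def pov_chi_square(samples, min_expected=5):
    """Westfeld's statistic over pairs of values (2k, 2k+1) and its degrees of
    freedom.  Embedding makes both members of a pair equally frequent, so the
    expected count of the even member is the pair's mean; only the even
    member enters the sum, as in the original paper."""
    hist = Counter(samples)
    stat, categories = 0.0, 0
    for k in range(128):
        even, odd = hist.get(2 * k, 0), hist.get(2 * k + 1, 0)
        expected = (even + odd) / 2
        if expected < min_expected:          # skip sparse pairs
            continue
        stat += (even - expected) ** 2 / expected
        categories += 1
    return stat, max(categories - 1, 0)


def _gamma_q(a, x):
    """Regularized upper incomplete gamma Q(a, x), i.e. the chi-square survival
    function for dof = 2a at statistic 2x (series / continued fraction)."""
    if x <= 0:
        return 1.0
    lead = math.exp(-x + a * math.log(x) - math.lgamma(a))
    if x < a + 1:                                   # series for P(a, x)
        term = total = 1.0 / a
        ap = a
        for _ in range(10_000):
            ap += 1
            term *= x / ap
            total += term
            if abs(term) < abs(total) * 1e-15:
                break
        return 1.0 - lead * total
    b, c, d = x + 1.0 - a, 1e300, 1.0 / (x + 1.0 - a)   # continued fraction for Q
    h = d
    for i in range(1, 10_000):
        an = -i * (i - a)
        b += 2.0
        d = an * d + b
        if abs(d) < 1e-300:
            d = 1e-300
        c = b + an / c
        if abs(c) < 1e-300:
            c = 1e-300
        d = 1.0 / d
        delta = d * c
        h *= delta
        if abs(delta - 1.0) < 1e-15:
            break
    return lead * h


def embedding_probability(samples):
    """Westfeld's 'probability of embedding': near 1 once the pairs of values
    have been equalised (stego), near 0 for an untouched cover."""
    stat, dof = pov_chi_square(samples)
    return _gamma_q(dof / 2, stat / 2) if dof else 0.0


if __name__ == "__main__":
    cover = make_cover()
    stego = embed_lsb(cover, random_bits(len(cover)))
    for name, img in (("cover", cover), ("stego", stego)):
        stat, dof = pov_chi_square(img)
        print(f"{name}: chi2={stat:.1f} dof={dof} p_embed={embedding_probability(img):.3f}")
```

On the constructed cover the histogram gaps push the statistic into the thousands and the embedding probability to 0; after full LSB replacement the statistic drops to roughly half the degrees of freedom and the probability goes to 1. On a real image the test is run over a growing prefix of the samples, so sequential embedding of a short message shows up as the point where the probability collapses; LSB matching and randomly scattered embedding defeat this particular test, which is why later steganalysis moved to RS and sample-pair methods.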

255. Henry, a professional hacker, teamed up with a disgruntled employee of an organization to
launch a few attacks on the organization internally. To communicate with the employee,
Henry used a tool that hides data in a text file by appending sequences of up to seven spaces
interspersed with tabs.
Which of the following tools did Henry use to communicate with the disgruntled employee?

A. Snow
B. OllyDbg
C. BeRoot
D. OllyDbg
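The whitespace channel described in the stem (option A is Snow), as an added example that is not the tool's own code or file format: each 3-bit group of the message becomes 0 to 7 spaces followed by a tab at the end of a cover line. The cover text and the message are constructed.

```python
"""SNOW-style whitespace steganography, simplified.  Added example, not the
SNOW tool's real format: cover text and message are constructed.
"""

COVER = "\n".join([
    "Quarterly maintenance window",
    "All systems will be patched on Friday.",
    "Please save your work before 18:00.",
    "The file server will reboot twice.",
    "Email helpdesk with any questions.",
    "Thanks for your patience.",
    "IT Operations",
    "-- end of notice --",
    "",
    "",
])


def encode(cover: str, message: bytes, per_line: int = 4) -> str:
    """Append the message to the cover as runs of spaces, each closed by a tab."""
    bits = "".join(f"{byte:08b}" for byte in message)
    bits += "0" * (-len(bits) % 3)                       # pad to whole 3-bit groups
    groups = [int(bits[i:i + 3], 2) for i in range(0, len(bits), 3)]
    lines = [line.rstrip(" \t") for line in cover.split("\n")]   # drop stray trailing ws
    if len(groups) > per_line * len(lines):
        raise ValueError("cover text too short for this message")
    out = []
    for line in lines:
        chunk, groups = groups[:per_line], groups[per_line:]
        out.append(line + "".join(" " * g + "\t" for g in chunk))
    return "\n".join(out)


def decode(stego: str) -> bytes:
    """Read the trailing space/tab runs back into bytes."""
    bits = []
    for line in stego.split("\n"):
        tail = line[len(line.rstrip(" \t")):]
        if not tail.endswith("\t"):
            continue
        for group in tail[:-1].split("\t"):             # each group: 0..7 spaces
            bits.append(f"{len(group):03b}")
    bitstr = "".join(bits)
    return bytes(int(bitstr[i:i + 8], 2) for i in range(0, len(bitstr) - 7, 8))


def suspicious_lines(text: str) -> int:
    """Cheap detector for this channel: lines that end in a tab."""
    return sum(1 for line in text.split("\n") if line.endswith("\t"))


if __name__ == "__main__":
    stego = encode(COVER, b"meet at 0200")
    print(repr(stego.split("\n")[0]))
    print(decode(stego))
    print(suspicious_lines(COVER), suspicious_lines(stego))
```

The stego text renders identically to the cover in most viewers, which is the point, but the channel is fragile and noisy on inspection: `cat -A`, a diff, or a count of tab-terminated lines exposes it, and any editor that strips trailing whitespace on save destroys the message.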

256. Identify the technique used by attackers to execute malicious code remotely.

A. Install malicious programs
B. Sniffing network traffic
C. Modify or delete logs
D. Rootkits and steganography

257. Fill in the blank. A _________________ is the type of rootkit most difficult to detect.

A. Hypervisor rootkit
B. Kernel-level rootkit
C. Application rootkit
D. Hardware/firmware rootkit

258. Which of the following is not a defense technique against malicious NTFS streams?

A. Use File Integrity Monitoring tool like tripwire
B. Use up-to-date antivirus software
C. Move suspected files to FAT partition
D. Write critical data to alternate data streams

259. Which type of rootkit is created by attackers by exploiting hardware features such as Intel
VT and AMD-V?

A. Boot loader level rootkit
B. Hypervisor level rootkit
C. Hardware/firmware rootkit
D. Kernel level rootkit

260. From the options given below, identify the nature of a library-level rootkit.

A. Uses devices or platform firmware to create a persistent malware image in hardware
B. Works higher up in the OS and usually patches, hooks, or supplants system calls
with backdoor versions
C. Functions either by replacing or modifying the legitimate bootloader with another
one
D. Operates inside the victim’s computer by replacing the standard application files

261. Which of the following is sophisticated malware that targets Windows machines, spreads
its infection from one machine to another, and is distributed via a fake malicious Telegram
installer?

A. PoisonIvy
B. Purple Fox rootkit
C. Necurs
D. njRAT

262. Which of the following is malicious code concealed within UEFI firmware in SPI flash,
scheduled to be executed at a specific time?

A. MoonBounce
B. Restorator
C. Dreambot
D. GlitchPOS

263. Which of the following tools helps attackers implement the overpass-the-hash (OPtH)
attack on a target server?

A. Mimikatz
B. KFSensor
C. got-responded
D. clearrev

264. Which of the following is a process of taking control over critical assets such as domain
controllers (DCs) on a target system and gaining access to other networked resources?

A. Domain dominance
B. Steganalysis
C. Steganography
D. Kernel exploits

265. Which of the following commands allows attackers to abuse the Data Protection API (DPAPI)
to obtain all the backup master keys from Windows domain controllers (DCs)?

A. Invoke-Mimikatz -command '"lsadump::dcsync /domain:<Target Domain>
/user:<krbtgt>\<Any Domain User>"'
B. lsadump::dcsync /domain:domain name /user:krbtgt
C. lsadump::backupkeys /system:dc01.offense.local /export
D. mimikatz “lsadump::dcsync /domain:(domain name) /user:Administrator”

266. George, a professional hacker, compromised the target domain controller to maintain
domain dominance. For this reason, he installed a memory-resident virus that injects false
credentials into a DC to create a backdoor password. Using the virus, George obtained the
master password to validate himself as a legitimate user in the domain.

Which of the following attacks did George perform in the above scenario?

A. Skeleton key attack
B. Dumpster diving
C. STP attack
D. Overpass-the-hash attack

267. Which of the following is a post-exploitation technique implemented by an attacker to
steal legitimate users’ credentials and create a fake Kerberos TGS to acquire permissions to
only a single service in an application?

A. SSH brute-force attack
B. Silver ticket attack
C. Password spraying attack
D. HTTP response-splitting attack

268. Which of the following file-system commands allows attackers to discover SUID-
executable binaries?

A. keytool -list -v -keystore keystore.jks
B. chmod o-w file
C. find / -perm -4000 -ls 2> /dev/null
D. find / -name "*.txt" -ls 2> /dev/null

269. Which of the following commands helps network administrators view details about a
specific service?

A. sc queryex type=service state=all | find /i "Name of the service: myService"
B. netsh firewall show config
C. sc queryex type=service state=all
D. netsh firewall show state

270. Which of the following measures makes an organizational network vulnerable to
persistence attacks?

A. Deploy a minimum privileges access model.
B. Regularly change KRBTGT’s password and reset the service twice.
C. Conduct security awareness campaigns/training on phishing attacks and password
creation policies.
D. Never restrict credential overlap within systems to maximize lateral
movement.

271. Which of the following techniques do attackers use to cover their tracks?

A. Disable auditing
B. Steganalysis
C. Steganography
D. Scanning

272. Identify the technique used by attackers to wipe out the entries corresponding to their
activities in the system log so as to remain undetected.

A. Clearing logs
B. Escalating privileges
C. Executing applications
D. Gaining access

273. Which of the following is a sh-compatible shell that stores command history in a file?

A. tcsh/csh
B. BASH
C. ksh
D. zsh

274. Which of the following commands is used to disable the BASH shell from saving the
history?

A. shred ~/.bash_history
B. history -c
C. export HISTSIZE=0
D. history -w

275. Which of the following techniques is used by attackers to distribute the payload and to
create covert channels?

A. TCP parameters
B. Clear online tracks
C. Performing steganalysis
D. Covering tracks

276. Which of the following is used by an attacker to manipulate the log files?

A. clearlogs.exe
B. SECEVENT.EVT
C. Auditpol.exe
D. Clear_Event_Viewer_Logs.bat

277. Which of the following registry entries would you delete to clear the Most Recently Used
(MRU) list?

A. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AppKey
B. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
C. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
D. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts

278. Carter, a professional hacker, infiltrated a target Windows system and wanted to maintain
persistence without being traced. For this purpose, he executed a command to hide his
account in the Windows system.

Identify the command executed by Carter in the above scenario.

A. touch MaliciousFile.txt
B. net user <UserName> /active:yes
C. net user <UserName> /active:no
D. net user <UserName> /add

279. Which of the following practices helps security experts defend against attempts to cover
tracks?

A. Deactivate the logging functionality on all critical systems.
B. Open all unused open ports and services.
C. Periodically back up log files to alterable media.
D. Use restricted ACLs to secure log files.

280. Which of the following techniques is used by an attacker to mimic legitimate institutions
such as banks and steal sensitive information such as login passwords and credit-card and
bank-account data?

A. Malvertising
B. Black-hat SEO
C. Social-engineered click-jacking
D. Spear-phishing sites

281. Which of the following malware components performs the desired activity when
activated and is used by attackers for deleting or modifying files, degrading the system
performance, opening ports, and changing settings to compromise system security?

A. Payload
B. Dropper
C. Injector
D. Obfuscator

282. Which of the following malware components contains code or a sequence of commands
that can take advantage of a bug or vulnerability in a digital system or device?

A. Dropper
B. Exploit
C. Injector
D. Obfuscator

283. In which of the following techniques does an attacker use tactics such as keyword stuffing,
inserting doorway pages, page swapping, and adding unrelated keywords to obtain higher
rankings for malware pages on a web search?

A. Malvertising
B. Black-hat search engine optimization
C. Compromised legitimate websites
D. Social-engineered click-jacking

284. Which of the following malware components is a piece of software that can conceal the
existence of malware and can be used to elude antivirus detection?

A. Crypter
B. Injector
C. Dropper
D. Packer

285. Ransomware encrypts the files and locks systems, thereby leaving the system in an
unusable state. The compromised user has to pay ransom to the attacker to unlock the system
and get the files decrypted. Petya delivers malicious code that can even destroy the data with
no scope of recovery. What is this malicious code called?

A. Honeypot
B. Bot
C. Vulnerability
D. Payload

286. Stephany is worried because in the past six weeks she has received two to three times
the amount of e-mail that she usually receives, and most of it is not related to her work. What
kind of problem is Stephany facing?

A. External attack
B. Malware
C. SPAM
D. Phishing

287. Which of the following terms is used to refer to the technique that uses aggressive SEO
tactics such as keyword stuffing, doorway pages, page swapping, and adding unrelated
keywords to get a higher search engine ranking for malware pages?

A. Blackhat Search Engine Optimization (SEO)
B. Malvertising
C. Spear Phishing
D. Drive-by Downloads

288. Which component of the malware conceals the malicious code via various techniques,
thus making it hard for security mechanisms to detect or remove it?

A. Downloader
B. Obfuscator
C. Crypter
D. Payload

289. How does an attacker perform a “social engineered clickjacking” attack?

A. By injecting malware into legitimate-looking websites to trick users into clicking
them
B. By attaching a malicious file to an e-mail and sending the e-mail to multiple target
addresses
C. By exploiting flaws in browser software to install malware merely by visiting a
website
D. By mimicking legitimate institutions, such as banks, in an attempt to steal passwords
and credit card data

290. A technique allows attackers to inject malicious macros into Windows-based files and
host them on their servers. When a user opens the document, the malicious template is
automatically retrieved from the remote server, evading security systems. Identify this
technique.

A. Rich Text Format injection
B. Honey trap
C. Eavesdropping
D. Pharming

291. Which of the following types of malware monitors the online activities of users and sends
information regarding the personal interests of users to third-party app owners?

A. Torrent
B. Marketing
C. Dialers
D. Virus

292. Identify the type of malware that displays unsolicited advertisements offering free sales
and pop-ups of online services when browsing websites.

A. Crypter
B. Shell viruses
C. Adware
D. Macro viruses

293. Identify the PUA that compels users to download unwanted programs that have features
of peer-to-peer file sharing.

A. IDA
B. Bin text
C. Dependency Walker
D. Torrent

294. Which of the following are programs that are automatically installed and configured in a
system to call a set of contacts at several locations without the user’s consent?

A. Adware
B. Dialers
C. Crypters
D. Wrappers

295. Which of the following characteristics of APT is defined as the amount of knowledge, tools,
and techniques required to perform an attack?

A. Actions
B. Risk tolerance
C. Objectives
D. Resources

296. Tom, a professional hacker, launched an APT attack on an organization to gather
information for a period of time. He was successful in the attack and was able to gather the
required information. He is now in the phase of clearing the evidence of compromise.

Which of the following phases of the APT lifecycle is Tom currently in?

A. Expansion
B. Persistence
C. Search and exfiltration
D. Cleanup

297. Arturo is the leader of information security professionals of a small financial corporation
that has a few branch offices in Africa. The company suffered an attack of USD 10 million
through an interbanking system. The CSIRT explained to Arturo that the incident occurred
because 6 months ago the hackers came in from the outside through a small vulnerability,
then they did a lateral movement to the computer of a person with privileges in the
interbanking system. Finally, the hackers got access and did the fraudulent transactions.

What is the most accurate name for the kind of attack in this scenario?

A. Backdoor
B. APT
C. Ransomware
D. Internal attack

298. Which of the following attack vectors is a network attack in which an unauthorized person
gains access to a network and stays there undetected for a long period of time? The intention
of this attack is to steal data rather than to cause damage to the network or organization.

A. Advanced persistent threats
B. Mobile threats
C. Insider attack
D. Botnet

299. Highlander, Incorporated, is a medical insurance company with several regional company
offices in North America. Employees, when in the office, utilize desktop computers that have
Windows 10, Microsoft Office, anti-malware/virus software, and an insurance application
developed by a contractor. All of the software updates and patches are managed by the IT
department of Highlander, Incorporated. Group policies are used to lock down the desktop
computers, including the use of Applocker to restrict the installation of any third-party
applications.

There are one hundred employees who work from their home offices. Employees who work
from home use their own computers, laptops, and personal smartphones. They authenticate
to a cloud-based domain service, which is synchronized with the corporate internal domain
service. The computers are updated and patched through the cloud-based domain service.
Applocker is not used to restrict the installation of third-party applications.

The database that hosts the information collected from the insurance application is hosted on
a cloud-based file server, and their email server is hosted on Office 365. Other files created by
employees get saved to a cloud-based file server, and the company uses work folders to
synchronize offline copies back to their devices.

A competitor learns that employees use their own personal smartphones to communicate
with other employees of Highlander, Incorporated.

Which information security attack vector should the competitor use to gather information
over a long period of time from the phones, without the victim being aware that he or she has
been compromised?

A. Advanced persistent threat
B. Mobile threats
C. Viruses and worms
D. Botnet

300. Which of the following port numbers is used by the Trojans Zeus, OceanSalt, and
Shamoon?

A. PORT 11000
B. PORT 443
C. PORT 80
D. PORT 8080

301. Which of the following types of Trojans is used by an attacker to physically change the
underlying HTML format, resulting in the modification of content, for destroying or changing
the entire content of a database?

A. Point-of-sale Trojans
B. E-banking Trojans
C. HTTP/HTTPS Trojans
D. Defacement Trojans

302. Which of the following tools is used by an attacker to employ a wrapper that can bind a
Trojan executable with genuine-looking .EXE applications, such as games or office
applications?

A. Emotet
B. Godzilla
C. IExpress Wizard
D. BitCrypter

303. Which of the following techniques is used by an attacker to deploy a Trojan through a
legal channel for securely transferring data or information in a company network?

A. Covert channel
B. USB/flash drives
C. Proxy servers
D. Overt channel

304. Which of the following port numbers is used by Trojans such as Silencer and WebEx?

A. 1011
B. 1001
C. 1170
D. 1177

305. A covert channel is a channel that:

A. Transfers information over, within a computer system, or network that is encrypted.
B. Transfers information over, within a computer system, or network that is
outside of the security policy.
C. Transfers information via a communication path within a computer system, or
network for transfer of data.
D. Transfers information over, within a computer system, or network that is within the
security policy.

306. Which of the following Rootkit Trojans performs targeted attacks against various
organizations and arrives on the infected system by being downloaded and executed by the
Trickler dubbed "DoubleFantasy," covered by TSL20110614-01 (Trojan.Win32.Micstus.A)?

A. Hardware/firmware rootkit
B. GrayFish rootkit
C. Boot loader level rootkit
D. EquationDrug rootkit

307. Tina downloaded and installed a 3D screensaver. She enjoys watching the 3D
screensaver, but whenever the screensaver activates, her computer automatically
scans the network and sends the results to a different IP address on the network.
Identify the malware installed along with the 3D screensaver.

A. Beacon
B. Trojan horse
C. Worm
D. Virus

308. Which of the following ports does Tiny Telnet Server Trojan use?

A. 20
B. 21
C. 22
D. 23

309. Which of the following Trojans uses port number 1863 to perform an attack?

A. Devil
B. Priority
C. Millenium
D. XtremeRAT

310. Which of the following Trojan construction kits is used to create user-specified Trojans
by selecting from the various options available?

A. Senna Spy Trojan Generator
B. Trojan.Gen
C. Win32.Trojan.BAT
D. DarkHorse Trojan Virus Maker

311. A hacker wants to encrypt and compress 32-bit executables and .NET apps without
affecting their direct functionality. Which of the following cryptor tools should be used by the
hacker?

A. Java crypter
B. Cypherx
C. Hidden sight crypter
D. Bit Crypter

312. Which of the following is not a remote access Trojan?

A. Wingbird
B. Theef
C. Kedi RAT
D. Netwire

313. Which of the following is a legal channel for the transfer of data or information in a
company network securely?

A. Overt channel
B. Covert storage channel
C. Covert timing channel
D. Covert channel

314. Steve, a professional hacker, was hired to target the IoT and routing devices of a target
organization. For this purpose, Steve employed an exploit kit to distribute DDoS
functionalities to devices installed on the target network.

Which of the following exploit kits did Steve employ in the above scenario?

A. Divergent
B. Splunk
C. Process Monitor
D. BotenaGo

315. In which of the following stages of the virus lifecycle does a user install antivirus updates
and eliminate the virus threats?

A. Launch
B. Detection
C. Replication
D. Execution of the damage routine

316. Which of the following viruses stores itself with the same filename as the target program
file, infects the computer upon executing the file, and modifies hard-disk data?

A. Armored viruses
B. File-extension viruses
C. Camouflage viruses
D. Logic bomb viruses

317. Given below are the different stages of a virus lifecycle.

1. Execution of the damage routine
2. Incorporation
3. Replication
4. Design
5. Launch
6. Detection

What is the correct sequence of stages in the virus lifecycle?

A. 1 -> 2 -> 3 -> 4 -> 5 -> 6
B. 5 -> 1 -> 3 -> 2 -> 6 -> 4
C. 3 -> 4 -> 6 -> 1 -> 5 -> 2
D. 4 -> 3 -> 5 -> 6 -> 2 -> 1

318. Which of the following types of viruses hides itself from antivirus programs by actively
altering and corrupting service call interrupts while running?

A. System or boot-sector viruses
B. Macro viruses
C. Tunnelling virus
D. File virus

319. Which of the following types of viruses transfers all controls of the host code to where it
resides in the memory, selects the target program to be modified, and corrupts it?

A. Transient virus
B. Add-on virus
C. Armored virus
D. Ransomware

320. Which of the following characteristics of a worm makes it different from a virus?

A. Alters the way a computer system operates without the knowledge or consent of the
user
B. Infects a system by exploiting a vulnerability in an OS or application by
replicating itself
C. Spreads at a uniform rate, as programmed
D. Infects a system by inserting itself into a file or executable program

321. Which of the following ransomware is delivered when an attacker uses the RIG exploit kit
by taking advantage of outdated versions of applications such as Flash, Java, Silverlight, and
Internet Explorer?

A. SamSam
B. NamPoHyu
C. cryptgh0st
D. Cerber

322. Lee, a hacker, was hired to break into an organization’s network and gather sensitive
information. In this process, Lee installed a virus that will be triggered when a specific
date/time is reached, using which he can gain remote access and retrieve sensitive
information.
Which of the following types of viruses did Lee use in the above scenario?

A. Polymorphic virus
B. Metamorphic virus
C. File-extension virus
D. Logic bomb virus

323. Rick, a hacker, infected a target system with malware that restricts access to the infected
computer system or critical files and documents stored in it. He then demanded an online
ransom payment to remove the user restrictions.

A. Virus
B. Computer worm
C. Ransomware
D. Backdoor

324. Which of the following malware types restricts access to the computer system’s files and
folders and demands a payment to the malware creator(s) in order to remove the
restrictions?

A. Adware
B. Ransomware
C. Spyware
D. Trojan horse

325. Which of the following viruses tries to hide from anti-virus programs by actively altering
and corrupting the chosen service call interruptions when they are being run?

A. Metamorphic virus
B. Cavity virus
C. Stealth virus
D. Polymorphic virus

326. Which of the following viruses infect only occasionally upon satisfying certain conditions
or when the length of the file falls within a narrow range?

A. Encryption viruses
B. Cluster viruses
C. Sparse infector viruses
D. Stealth virus

327. Rita, a security analyst at a firm, wants to test new antivirus software by creating
a virus that auto-starts and shuts down a system. Identify the virus maker tool she should
use to check the reliability of the new antivirus software.

A. JPS Virus Maker
B. VirusTotal
C. DELmE’s Batch Virus Generator
D. WannaCry

328. Which of the following is dangerous ransomware written in C that uses encryption keys
such as RSA public and AES keys for initializing and implementing Salsa20 encryption on
targeted files?

A. KeyGrabber
B. RemoteExec
C. Spytech SpyAgent
D. BackMatter

329. Which of the following malware is a specially crafted ransomware comprising four
encryption routines and supports several encryption algorithms such as ChaCha20 and AES?

A. Spytech SpyAgent
B. IExpress Wizard
C. Mirai
D. BlackCat

330. What is the fileless malware attack in which an attacker injects a malicious payload into
the RAM that targets a legitimate process without leaving any footprints?

A. Phishing
B. Document exploit
C. Script-based injection
D. In-memory exploit

331. Identify the fileless malware obfuscation technique in which an attacker uses the below
command to bypass antivirus software.

cmd.exe /c ((echo command1)&&(echo command2))

A. Inserting double quotes
B. Inserting characters
C. Custom environment variables
D. Inserting parentheses

332. Which of the following fileless techniques is used by an attacker to exploit operating
systems such as Windows that include pre-installed tools such as PowerShell and Windows
Management Instrumentation?

A. Malicious websites
B. Infection through lateral movement
C. Legitimate applications
D. Native applications

333. Henry, a professional hacker, targeted a crypto user to steal from their crypto wallet. For
this purpose, Henry employed Python-based fileless malware that spreads infections over
Microsoft exchange servers and enterprise-level Linux machines. The malware infected the
target machine to subvert security controls, steal cryptocurrency accounts, maintain
persistence, and make lateral movements.

Identify the fileless malware used by Henry in the above scenario.

A. LemonDuck
B. GlitchPOS
C. Dreambot
D. EquationDrug

334. Which of the following is Python-based fileless malware that spreads infections over
Microsoft exchange servers and enterprise-level Linux machines and uses cryptojacking
abilities to hide itself and stay intact even after security patches are applied?

A. BasBanke
B. Mirai
C. Restorator
D. Lemon Duck

335. Which of the following techniques is also called behavioral analysis and involves
executing malware code to determine how it interacts with a host system as well as its impact
on the system after infection?

A. Data analysis
B. Static malware analysis
C. Dynamic malware analysis
D. File fingerprinting

336. Which of the following tools helps an attacker in performing malware disassembly?

A. Snyk
B. Resource hacker
C. Hakiri
D. Ghidra

337. In which of the following techniques does an antivirus execute the malicious code inside
a virtual machine to simulate CPU and memory activities?

A. Interception
B. Heuristic analysis
C. Integrity checking
D. Code emulation

338. Which of the following Windows Service Manager (SrvMan) commands is used to install
and start a legacy driver with a single call?

A. srvman.exe add <file.exe/file.sys> [service name] [display name] [/type:<service
type>] [/start:<start mode>] [/interactive:no] [/overwrite:yes]
B. srvman.exe delete <service name>
C. srvman.exe run <driver.sys> [service name] [/copy:yes] [/overwrite:no]
[/stopafter:<msec>]
D. srvman.exe restart <service name> [/delay:<delay in msec>]

339. Which of the following host integrity monitoring techniques can be adopted for
components that perform security operations, such as firewall systems, IDS/IPS, web servers,
and authentication servers?

A. Event log monitoring
B. Startup program monitoring
C. Installation monitoring
D. File and folder monitoring

340. Which of the following virus detection methods helps detect new or unknown viruses that
are usually variants of an existing virus family?

A. Scanning
B. Interception
C. Heuristic analysis
D. Integrity checking

341. A computer installed with port monitoring, file monitoring, network monitoring, and
antivirus software and connected to a network only under strictly controlled conditions is
known as:

A. Sandbox
B. Droidsheep
C. Malware bytes
D. Sheep Dip

342. Ramon is a security professional for xsecurity. During an analysis process, he has
identified a suspicious .exe file. Ramon executed the suspicious malicious file in a sandbox
environment where the malware cannot affect other machines in the network. What type of
analysis does Ramon conduct?

A. Sheep dipping
B. Static malware analysis
C. Dynamic malware analysis
D. Preparing testbed

343. In which of the following online services can a security analyst upload the suspicious file
to identify whether the file is a genuine one or a malicious one?

A. domainsearch.com
B. whois.com
C. VirusTotal.com
D. Netcraft.com

344. Identify the command that helps security experts retrieve the data types or symbols used
in the source code of an ELF executable.

A. strings malware-sample > str.txt
B. readelf -s <malware-sample>
C. readelf -l <malware-sample>
D. readelf --file-header <malware-sample>

345. Which of the following commands helps a security analyst fetch the header information
within an ELF file while performing the static analysis of the ELF file?

A. readelf -h <malware-sample>
B. readelf --syms <malware-sample>
C. strings malware-sample > str.txt
D. readelf -s <malware-sample>

346. Asher, a security analyst, was tasked with analyzing a recent malware incident at an
organization. For this purpose, Asher employed a malware analysis platform that scans files,
URLs, endpoints, and memory dumps. It helped Asher extract strings from the malware
samples and identify whether those strings are used in other files.

Identify the tool employed by Asher in the above scenario.

A. xHelper
B. Intezer
C. Network Spoofer
D. cSploit

347. Which of the following is an executable file format in iOS similar to the Portable
Executable (PE) format for Windows and ELF for Linux?

A. ASPack
B. Monit
C. Mach-O
D. TCPView

348. Which of the following commands allows security analysts to dump the method names
from the Obj section of a Mach-O binary during malware analysis?

A. otool -tV UnPackNw > ~/Malware/disassembly.txt
B. nm -m UnpackNw
C. otool -oV UnPackNw > ~/Malware/methods.txt
D. otool -L UnPackNw > ~/Malware/libs.txt

349. Which of the following tools allows security analysts to parse a malicious Office document
to identify the streams that contain macros?

A. Oledump
B. Horse pill
C. Ophcrack
D. Vindicate

350. Identify the tool that can be used to view the source code of all VBA macros embedded
within a document and to identify suspicious VBA keywords and obfuscation methods used
by malware.

A. Netstat
B. TCPView
C. Olevba
D. Jv16 PowerTools

351. David, a security analyst at an organization, was tasked with analyzing a Linux-based
system suspected to be infected with malware. As part of the analysis, David employed an
automated tool to intercept and record system calls by a process and the signals received by
the process.

Identify the tool employed by David in the above scenario.

A. Kiuwan
B. strace
C. RainbowCrack
D. Mimikatz

352. Which of the following strace commands assists security professionals in counting the
time, calls, and errors for each system call during malware analysis?

A. strace -o out.txt ./<sample file>
B. strace -c ls > /dev/null
C. strace -p <ProcessID>
D. strace -P <given path> ls /var/empty

353. Identify the strace command that allows a security analyst to view only system calls that
are accessing a specific path.

A. strace -c ls > /dev/null
B. strace -p <ProcessID>
C. strace -P <given path> ls /var/empty
D. strace -o out.txt ./<sample file>

354. Jeremy, a professional hacker, targeted a Windows-based system of a government agency
that contained confidential files. Using fileless malware, Jeremy compromised the legitimate
Windows processes on the target machine and established a secure C2 communication
channel to it without any open listening port.

Identify the fileless malware used by Jeremy in the above scenario.

A. Gobuster
B. China Chopper
C. Astra
D. SockDetour

355. Which of the following countermeasures helps security professionals in preventing
Trojan attacks?

A. Download and execute applications from untrusted sources
B. Allow all unnecessary ports at the host and do not use a firewall
C. Generate his own new version of the antivirus with the malware hash
D. Wait for the antivirus company to release a new version

356. Javier works as a security analyst for a small company. He has heard about a new threat;
a new malware that the antivirus does not detect yet. Javier has the hash for the new virus.
What can Javier do to proactively protect his company?

A. Block with the antivirus anything that presents the same hash of the malware
B. Send the hash information to the antivirus company
C. Generate his own new version of the antivirus with the malware hash
D. Wait for the antivirus company to release a new version

357. Which of the following practices helps security analysts defend an organizational network
against Trojan attacks?

A. Enable the autorun option for external devices such as USB drives and hard drives.
B. Do not check the SSL authenticity before accessing any e-commerce website.
C. Avoid clicking on unsolicited pop-ups and banners.
D. Download and execute applications from untrusted sources.

358. Which of the following practices makes an organizational network susceptible to Trojan
attacks and causes severe damage to systems?

A. Prefer ISPs that provide network security and implement robust anti-spam
techniques.
B. Disable the autorun option for external devices such as USB drives and hard drives.
C. Permit anyone to use peer-to-peer file sharing.
D. Avoid clicking on unsolicited pop-ups and banners.

359. Which of the following practices makes networked devices susceptible to potential
backdoor attacks?

A. Check for user ratings and reviews before installing and providing permissions to any
product, even if it is downloaded from trusted sources.
B. Avoid using hardware components obtained from untrusted shopping sites or black
markets, which allow attackers to easily inject backdoors into the hardware.
C. Ensure that the devices have the auto-update option enabled to keep them updated
with software-related security patches.
D. Never implement the pipeline emission analysis method to check and analyze
hardware-based backdoors.

360. Which of the following practices makes organizational systems vulnerable to virus and
worm attacks?

A. Since virus infections can corrupt data, perform regular data backups.
B. Never use an email filter to scan emails.
C. Regularly update antivirus software.
D. Install antivirus software that detects and removes infections as they occur.

361. Identify the practice that helps security experts in securing an organizational network
from fileless malware attacks.

A. Enable unused or unnecessary applications and service features.
B. Allow all incoming network traffic or files with the .exe format.
C. Check if any PowerShell scripts are hidden in any of the drives or in the \TEMP
folder.
D. Avoid using managed detection and response (MDR) services.

362. Which of the following practices makes an organizational network susceptible to fileless
malware attacks?

A. Disable macros and use only digitally signed trusted macros.
B. Disable PowerShell and WMI when not in use.
C. Utilize projects such as AltFS.
D. Enable Flash in the browser settings.

363. Which of the following tools is used for fileless malware detection and provides
functionalities such as threat detection, incident response, and compliance management?

A. Sonar lite
B. Monit
C. AlienVault® USM Anywhere™
D. GFI LanGuard

364. Which of the following tools is an antivirus program that is used to detect viruses?

A. WannaCry
B. DriverView
C. ClamWin
D. ZenS

365. In which of the following techniques does an attacker perform passive sniffing by
installing malware on the victim’s machine and compromising it to install a sniffer?

A. Trojan horse
B. MAC flooding
C. DNS poisoning
D. Switch port stealing

366. Which of the following protocols is used to communicate through port 23 and allows an
attacker to login to a network machine remotely via a TCP connection to sniff keystrokes,
including usernames and passwords, that are sent in cleartext?

A. HTTP
B. POP
C. Telnet
D. NNTP

367. Which of the following protocols transmits email messages over the Internet in cleartext,
allowing attackers to capture plaintext passwords?

A. IMAP
B. NNTP
C. FTP
D. SMTP

368. Which of the following techniques is an active wiretapping attack that allows an attacker
to monitor and record traffic as well as alter or inject data into the communication or traffic?

A. MITM
B. Spoofing
C. Spying
D. Eavesdropping

369. What is the TCP/IP-based protocol used for exchanging management information
between devices connected to a network?

A. IMAP
B. NNTP
C. SNMP
D. POP

370. Which of the following processes involves monitoring and capturing all data packets
passing through a given network using a software application or hardware device?

A. Blind hijacking
B. Packet sniffing
C. Banner grabbing
D. Proxy chaining

371. Which of the following protocols is used in the ARPA–Internet community to distribute,
inquire into, retrieve, and post news articles through reliable stream-based transmission?

A. POP
B. FTP
C. NNTP
D. IMAP

372. Which of the following protocols allows a user’s workstation to access mail from a
mailbox server and send mail from the workstation to the mailbox server via SMTP?

A. SMTP
B. HTTP
C. FTP
D. POP

373. Out of the following, which layer is responsible for encoding and decoding data packets
into bits?

A. Network layer
B. Datalink layer
C. Session layer
D. Application layer

374. An attacker wants to monitor target network traffic on one or more ports of a switch.
Which of the following methods can he use in such a case?

A. Lawful interception
B. Active sniffing
C. Wiretapping
D. Port mirroring

375. Sniffers work at which of the following open systems interconnect (OSI) layers?

A. Transport layer
B. Data link layer
C. Presentation layer
D. Application layer

376. Which of the following IOS Global commands is used to configure the number of DHCP
packets per second (pps) that an interface can receive?

A. ip dhcp snooping trust
B. ip dhcp snooping
C. ip dhcp snooping limit rate
D. show ip dhcp snooping

377. Which of the following tools helps an attacker perform an ARP poisoning attack?

A. BetterCAP
B. Svmap
C. DNSRecon
D. Enyx

378. Which of the following techniques is used by an attacker to connect a rogue switch to the
network by tricking a legitimate switch and thereby creating a trunk link between them?

A. Double tagging
B. IRDP spoofing
C. Switch spoofing
D. Switch port stealing

379. In which of the following ARP poisoning threats does an attacker manipulate a client’s
connection to take complete control of the network?

A. Connection hijacking
B. Data manipulation
C. Man-in-the-middle attack
D. Connection resetting

380. Which of the following techniques enables devices to detect the existence of
unidirectional links and disable the affected interfaces in the network, in addition to causing
STP topology loops?

A. UDLD
B. Loop guard
C. BPDU guard
D. Root guard

381. Which of the following DHCPv6 messages is sent by a server to a client in response to
DHCPDiscover with the offer of configuration parameters?

A. Relay-Reply
B. Advertise
C. Reply
D. Advertise

382. Which of the following IPv4 DHCP packet fields includes a random number chosen by a
client to associate request messages and their responses between the client and server?

A. SNAME
B. Opcode
C. Transaction ID (XID)
D. Flags

383. Which of the following IOS switch commands is used to drop packets with unknown
source addresses until a sufficient number of secure MAC addresses are removed?

A. switchport port-security aging type inactivity
B. switchport port-security
C. switchport port-security mac-address sticky
D. switchport port-security violation restrict

384. In one of the following techniques, an attacker must be connected to a LAN to sniff
packets, and on successful sniffing, they can send a malicious reply to the sender before the
actual DNS server. Which is this technique?

A. Intranet DNS spoofing
B. DNS cache poisoning
C. Proxy server DNS poisoning
D. Internet DNS spoofing

385. Ross, an attacker, targeted an organization’s network to sniff the DNS traffic. For this
purpose, he used a DNS poisoning tool that can create a list of fake DNS records and load it
while running to redirect a target employee to a malicious website.

Which of the following tools did Ross employ in the above scenario?

A. WIBR+
B. Reaver
C. DerpNSpoof
D. Suricata

386. What is the length of the organization ID number in a MAC address?

A. 12 bits
B. 24 bits
C. 26 bits
D. 48 bits

387. What happens when a switch CAM table becomes full?

A. The switch then acts as a hub by broadcasting packets to all machines on the
network.
B. Every packet is dropped and the switch sends out simple network management
protocol (SNMP) alerts to the intrusion detection system (IDS) port.
C. The CAM overflow table will cause the switch to crash causing denial-of-service (DoS).
D. The switch replaces outgoing frame switch factory default MAC address of
FF:FF:FF:FF:FF:FF.

388. Which of the following commands is used to set the maximum number of secure MAC
addresses for an interface on a Cisco switch?

A. snmp-server enable traps port-security trap-rate 5
B. switchport port-security violation restrict
C. switchport port-security maximum 1 vlan access
D. switchport port-security aging time 2

389. Which of the following is a defense technique for MAC spoofing used in switches that
restricts the IP traffic on untrusted Layer 2 ports by filtering traffic based on the DHCP
snooping binding database?

A. Dynamic ARP inspection
B. Authentication, authorization, and accounting (AAA)
C. IP Source Guard
D. DHCP snooping binding table

390. Which of the following is not a mitigation technique against MAC address spoofing?

A. DNS security (DNSSEC)
B. IP source guard
C. Dynamic ARP inspection
D. DHCP snooping binding table

391. Which of the following Cisco IOS global commands is used to enable or disable DHCP
snooping on one or more VLANs?

A. ip dhcp snooping vlan 4,104
B. ip dhcp snooping
C. no ip dhcp snooping information option
D. switchport port-security mac-address sticky

392. During a penetration test, Marin identified a web application that could be exploited
to gain a root shell on the remote machine. The only problem was that, in order to do that,
he would have to know at least one username and password usable in the application.
Unfortunately, guessing usernames and brute-forcing passwords did not work. Marin did
not want to give up his attempts. Since this web application was being used by almost all
users in the company and was using the HTTP protocol, he decided to use the Cain & Abel tool
to identify at least one username and password. After a few minutes, the first username
and password popped up, and he successfully exploited the web application and the physical
machine. What type of attack did he use to find the username and password to access
the web application?

A. DNS spoofing
B. UDP protocol hijacking
C. ARP spoofing
D. TCP protocol hijacking

393. Which of the following is a network tool designed to take advantage of weaknesses in
different network protocols such as DHCP?

A. FileVault 2
B. BCTextEncoder
C. Secure Everything
D. Yersinia

394. Which of the following display filters in Wireshark is used by an attacker to perform
filtering by multiple IP addresses?

A. ip.src != xxx.xxx.xxx.xxx && ip.dst != xxx.xxx.xxx.xxx && sip
B. tcp.analysis.retransmission
C. ip.addr==192.168.1.100 && tcp.port=23
D. ip.addr == 10.0.0.4 or ip.addr == 10.0.0.5

395. Which of the following tools helps an attacker capture all the data transmitted over a
network and perform expert analysis of each part of the target network?

A. OmniPeek
B. Spoof-Me-Now
C. ike-scan
D. DerpNSpoof

396. Which of the following filters in Wireshark displays only the traffic in a LAN (192.168.x.x)
between workstations and servers with no Internet?

A. ip.addr == 10.0.0.4 or ip.addr == 10.0.0.5
B. ip.addr==192.168.1.100 && tcp.port=23
C. ip.src != xxx.xxx.xxx.xxx && ip.dst != xxx.xxx.xxx.xxx && sip
D. ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16

397. Karbon, a professional hacker, targeted an organization to bypass the network traffic. For
this purpose, he used a network forensic analysis tool that can monitor and extract
information from network traffic as well as capture application data contained in the network
traffic.

Which of the following tools did Karbon utilize in the above scenario?

A. AnDOSid
B. Akamai
C. Xplico
D. Vindicate

398. Which of the following tools allows attackers to perform sniffing attempts on the target
network?

A. Sublist3r
B. Netcraft
C. theHarvester
D. RITA

399. Which of the following countermeasure should be followed to defend against sniffing?

A. Allow physical access to network media
B. Use dynamic IP addresses and ARP tables
C. Retrieve MAC addresses directly from NICs instead of the OS
D. Turn on network identification broadcasts

400. A tester wants to securely encrypt the session to protect it against sniffing attacks. Which
of the following protocols should he use as a replacement for Telnet?

A. Intrusion prevention system (IPS)
B. SSH
C. Load balancing (LB)
D. Public key infrastructure (PKI)

401. Which of the following tools can a tester use to detect a system running in promiscuous
mode, which in turn helps to detect sniffers installed on the network?

A. shARP
B. FaceNiff
C. Nmap
D. OmniPeek

402. An ethical hacker is performing penetration testing on the target organization. He decided
to test the organization’s network to identify the systems running in promiscuous mode.
Identify the tool that the ethical hacker needs to employ.

A. Nmap
B. FaceNiff
C. Recon-ng
D. FOCA
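Questions 401 and 402 turn on how a sniffer is found at all. Nmap's sniffer-detect script sends ARP requests to a bogus destination MAC such as ff:ff:ff:ff:ff:fe: a NIC in normal mode discards the frame in hardware because it is neither its own address nor the true broadcast, but a NIC in promiscuous mode passes it up and the host's ARP code, seeing its own IP as the target, answers. The Python below is an added example, not Nmap's code and not part of the question bank: it builds that probe frame (sending it needs a raw socket and root, so that part is kept in a separate function), and it also shows the defender's local check, reading the IFF_PROMISC bit (0x100) from Linux sysfs. The MACs and IPs are assumptions. Caveat: NICs that forward all multicast to the host will answer the probe even when not promiscuous, so treat a reply as a lead, not proof.

```python
"""Promiscuous-mode (sniffer) detection, two ways. Added example; not Nmap's
sniffer-detect implementation, though it uses the same bogus-MAC ARP trick."""
import os
import socket
import struct

# ff:ff:ff:ff:ff:fe looks like broadcast to the kernel (group bit set) but is
# not the broadcast address, so a hardware MAC filter drops it.  Constructed.
PROBE_DST_MAC = bytes.fromhex("fffffffffffe")
IFF_PROMISC = 0x100          # Linux interface flag bit


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_arp_probe(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Ethernet II header + ARP request (42 bytes) addressed to the bogus MAC."""
    eth = PROBE_DST_MAC + mac_bytes(sender_mac) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1,            # htype: Ethernet
                      0x0800,       # ptype: IPv4
                      6, 4,         # hardware / protocol address lengths
                      1,            # opcode: request
                      mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                      b"\x00" * 6, socket.inet_aton(target_ip))
    return eth + arp


def is_promiscuous(flags_value: int) -> bool:
    """True when the IFF_PROMISC bit is set in an interface's flags word."""
    return bool(flags_value & IFF_PROMISC)


def promiscuous_interfaces(sysfs="/sys/class/net"):
    """Local check: list interfaces whose sysfs flags carry IFF_PROMISC."""
    found = []
    if not os.path.isdir(sysfs):
        return found
    for iface in os.listdir(sysfs):
        try:
            with open(os.path.join(sysfs, iface, "flags")) as fh:
                flags = int(fh.read().strip(), 16)   # file holds e.g. "0x1103"
        except (OSError, ValueError):
            continue
        if is_promiscuous(flags):
            found.append(iface)
    return sorted(found)


def send_probe(iface, sender_mac, sender_ip, target_ip, timeout=2.0):
    """Remote check (Linux, root): send the probe and return the responder's
    MAC, or None if nothing answered within the timeout."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0806))
    try:
        s.bind((iface, 0))
        s.send(build_arp_probe(sender_mac, sender_ip, target_ip))
        s.settimeout(timeout)
        reply = s.recv(65535)
        if len(reply) >= 22 and reply[20:22] == b"\x00\x02":   # ARP reply
            return reply[6:12].hex(":")
        return None
    except socket.timeout:
        return None
    finally:
        s.close()


if __name__ == "__main__":
    print("local promiscuous interfaces:", promiscuous_interfaces())
```

The sysfs check only sees the host it runs on, which is why the question's answer is a network scanner: the ARP probe is what lets you test every other host on the segment without logging in to it.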
403. Which of the following practices helps security professionals defend the network against
sniffing attacks?

A. Avoid accessing unsecured networks and open Wi-Fi networks
B. Never use POP2 or POP3 instead of POP
C. Allow physical access to the network media
D. Retrieve MAC addresses directly from the OS instead of the NICs

404. Mat, a software engineer, received an email from his colleague John stating that project
files were missing from his system and asking Mat to send them to his personal email. Mat
was suspicious and called John on his personal number. To his surprise, John replied that he
had not sent Mat any such email.

Which of the following types of attacks was Mat subjected to?

A. Authority
B. Intimidation
C. Scarcity
D. Consensus

405. Jack, a malicious hacker, wants to break into Brown Co.’s computers and obtain their secret
information related to the company’s quotations. Jack calls Jane, an accountant at Brown Co.,
pretending to be an administrator from Brown Co. Jack tells Jane that there has been a
problem with some accounts and asks her to verify her password with him “just to double
check our records.” Jane does not suspect anything amiss and reveals her password. Jack can
now access Brown Co.’s computers with a valid username and password to steal the
company’s confidential quotations.

Identify the attack performed by Jack.

A. Reverse engineering
B. Footprinting
C. Scanning
D. Social engineering

406. Jacob Hacker wants to infect a competitor’s network with a worm. He sets the worm to
autoexecute and loads 50 copies of it onto 50 separate USB drives. He drives to the
competitor’s campus and drops the USB keys at various locations around the campus. He waits
for random employees to pick them up and plug them into their computers to check what is
on them. Once an employee has inserted a key, the worm autoexecutes and the network is
infected.

What type of attack is described here?

A. Social engineering
B. Virus attack
C. Distributed denial-of-service (DDoS) attack
D. Brute force attack

407. What is the correct order of phases of social engineering attack?

A. Selecting target -> research on target company -> develop the relationship -> exploit
the relationship
B. Selecting target -> develop the relationship -> research on target company -> exploit
the relationship
C. Develop the relationship -> research on target company -> selecting target -> exploit
the relationship
D. Research on target company -> selecting target -> develop the relationship ->
exploit the relationship

408. Which of the following factors makes companies vulnerable to social engineering attacks?

A. Single organizational unit


B. Centralized security policies
C. Unregulated access to information
D. Sufficient security training

409. In which of the following attacks does an attacker enter a building or security area with
the consent of the authorized person?

A. Piggybacking
B. Phishing
C. Scareware
D. SMiShing

410. In which of the following attacks does an attacker send an email or message to the target
offering free gifts such as money and software on the condition that the user forwards the
email to a predetermined number of recipients?

A. Instant chat messenger
B. Chain letters
C. Hoax letters
D. Pop-up windows

411. In which of the following social engineering techniques does an attacker trick a delivery
person into delivering the consignment to a location other than the intended location?

A. Social engineering
B. Tailgating
C. Diversion theft
D. Reverse Piggybacking
412. In which of the following types of phishing techniques does an attacker use bots to harvest
instant message IDs and spread spam?

A. Pharming
B. Whaling
C. Spear phishing
D. Spimming

413. Abel, a student, was browsing online for information about his college project. He clicked
on a link and suddenly observed many warning windows on his laptop about a virus, which
he could not close. He became suspicious and reached out to his friend, who advised him to
install a reputed antivirus software.
Which of the following types of attack was performed on Abel in the above scenario?

A. Instant Chat Messenger
B. Spam email
C. Chain letters
D. Hoax

414. A consultant is hired to do a physical penetration test at a large financial company. On the
first day of his assessment, the consultant goes to the company’s building dressed as an
electrician and waits in the lobby for an employee to pass through the main access gate, and
then the consultant follows the employee behind to get into the restricted area. Which type of
attack did the consultant perform?

A. Social engineering
B. Shoulder surfing
C. Tailgating
D. Mantrap

415. Jose sends a link to an employee of a target organization, falsely claiming to be from a
legitimate site, in an attempt to acquire his account information. Identify the attack performed
by Jose.

A. Vishing
B. Eavesdropping
C. Phishing
D. Impersonation

416. Which of the following terms refers to an advanced form of phishing in which the attacker
redirects the connection between the IP address and its target server?

A. Pretexting
B. Skimming
C. Hacking
D. Pharming
417. Jim, a notorious hacker, has created a falsified video of a senior journalist using AI. For
this purpose, he used previously recorded audio and video samples of the targeted person to
produce similar recordings that fool end users into trusting him as a legitimate
entity.

Identify the type of attack performed by Jim in the above scenario.

A. Shoulder surfing
B. Honey trap
C. Deepfake attack
D. Quid pro quo

418. Which of the following types of attacks involves creating a fake social media account of a
targeted person and masquerading as the owner of the account to communicate with other
users through chatterbox and perform cyberbullying?

A. Catfishing attack
B. SMiShing
C. Elicitation
D. Scareware

419. Which of the following types of insiders has the primary intention of taking revenge on
the company and keeps waiting for the appropriate time to perform an attack to compromise
the organization’s resources?

A. Accident-prone employee
B. Undertrained employee
C. Disgruntled employee
D. Terminated employee

420. In which of the following behavioral indicators of an insider threat does the attacker
attempt to access unauthorized systems or applications by brute-forcing?

A. Changes in network usage patterns
B. Alerts of data exfiltration
C. Missing or modified network logs
D. Multiple failed login attempts

421. Which of the following insider threats is caused by an employee’s laxity toward
security measures, policies, and practices?

A. Professional insider
B. Compromised insider
C. Negligent insider
D. Malicious insider
422. Which of the following online resources helps an attacker extract complete information
regarding the professional career of a target employee, along with their current company and
total experience?

A. Eweka
B. WolframAlpha
C. LinkedIn
D. DuckDuckGo

423. Identify the type of threats that occur from the inadvertent exposure of confidential
details to an external entity.

A. Accidental insider threats
B. Negligent insider threats
C. Malicious insider threats
D. Professional insider threats

424. In which of the following techniques does an attacker use cache poisoning to redirect the
connection between an IP address and its target server?

A. Wardriving
B. Pretexting
C. Skimming
D. Pharming

425. In one of the following types of identity theft, the perpetrator obtains information from
different victims to create a new identity by stealing a social security number and uses it with
a combination of fake names, date of birth, address, and other details required for creating a
new identity. Which is this type of identity theft?

A. Social identity theft
B. Child identity theft
C. Medical identity theft
D. Synthetic identity theft

426. Ben, a professional hacker, performed an attack on an organization. He found that the
attack had been noticed by officials and that he would be charged for it. Ben prepared a new
identity for himself using the details of Henry, a person who used to post all his details on
social media.
Which of the following types of identity theft was performed by Ben in the above scenario?

A. Child identity theft
B. Tax identity theft
C. Criminal identity theft
D. Medical identity theft
427. While Don, a hacker, was travelling in a bus, he searched for unsecured wireless networks.
Once he found an unsecured Wi-Fi network from a laptop, he connected to it secretly and
accessed sensitive information that was being transmitted over the unsecured Wi-Fi
connections.

Which of the following types of attack did Don perform in the above scenario?

A. Skimming
B. Pharming
C. Wardriving
D. Phishing

428. Which of the following threats is closely related to medical identity theft?

A. Insurance identity theft
B. Social identity theft
C. Synthetic identity theft
D. Criminal identity theft

429. Which of the following countermeasures involves dividing responsibilities among
multiple employees to restrict the amount of power or influence held by any individual?

A. Archival of critical data
B. Legal policies
C. Logging and auditing
D. Separation and rotation of duties

430. Which of the following activities can lead to identity theft attacks?

A. Reviewing credit-card reports regularly
B. Monitoring online banking activities regularly
C. Using public Wi-Fi to access sensitive information
D. Enabling two-factor authentication on all online accounts

431. Greg, a security professional, trained the employees of his organization to use a toolbar to
check updated information about sites visited by them. The tool helps them in making an
informed choice about the integrity of those sites and further protects the organization from
phishing attacks and fraudsters.

Which of the following toolbars was introduced by Greg in the organization?

A. Factiva
B. Mention
C. Netcraft
D. Shodan
432. Which of the following is an appropriate defense strategy to prevent attacks such as
piggybacking and tailgating?

A. Implement strict badge, token or biometric authentication, employee training,
and security guards
B. Train technical support executives and system administrators never to reveal
passwords or other information by phone or email
C. Educate vendors about social engineering
D. Employee training, best practices, and checklists for using passwords

433. Which of the following practices makes a user’s profile or account vulnerable to identity
theft attacks?

A. Use public Wi-Fi for sharing or accessing sensitive information
B. Do not allow family members or friends to open a personal account
C. Read website privacy policies
D. Be cautious before clicking on a link provided in an email or instant message

434. Which of the following social engineering countermeasures involves applying policies to
restrict the usage of USB devices?

A. Implement a hardware policy
B. Implement two-factor authentication
C. Implement a spam filter
D. Implement a software policy

435. Which of the following practices can make individuals susceptible to social engineering
attacks?

A. Train individuals on security policies
B. Never implement a spam filter
C. Implement proper access privileges
D. Ensure a regular update of software

436. Which of the following practices can make an organization’s network vulnerable to
insider threats?

A. Build a professional security team that monitors the physical security of the
organization.
B. Activate credentials of terminated employees.
C. Install video cameras to monitor all critical assets.
D. Implement additional monitoring mechanisms for system administrators and
privileged users.
437. Which of the following is the best practice to be followed to increase password security?

A. Always communicate passwords over the phone or through email or SMS
B. Avoid using the same password for different accounts
C. Do not change passwords for a long time
D. Share a computer account with colleagues

438. Roy is a network administrator at an organization. He decided to establish security
policies at different levels in the organization. He decided to restrict the installation of USB
drives in the organization and to disable all USB ports. Which of the following
countermeasures must Roy employ?

A. Use multiple layers of antivirus defenses
B. Adopt documented change management
C. Implement proper access privileges
D. Ensure a regular update of software

439. Which of the following consequences is NOT a result of a denial-of-service (DoS) attack?

A. Destruction of malicious programming and files in a computer system
B. Consumption of bandwidth, disk space, CPU time, or data structures
C. Sudden increase in the availability of resources
D. Physical destruction or alteration of network components

440. Gordon was not happy with the product that he ordered from an online retailer. He tried
to contact the seller’s post-purchase service desk, but they denied any help in this matter.
Therefore, Gordon wants to avenge this by damaging the retailer’s services. He uses a utility
named High Orbit Ion Cannon (HOIC), which he downloaded from an underground site, to flood the
retailer’s system with requests so that the retailer’s site is unable to handle any further
requests, even purchase requests from legitimate users. What type of attack is Gordon using?

A. Gordon is using a denial-of-service attack
B. Gordon is executing commands or viewing data outside the intended target path
C. Gordon is using poorly designed input validation routines to create and/or alter
commands so that he gains access to secure data and executes commands
D. Gordon is taking advantage of an incorrect configuration that leads to access with
higher-than-expected privilege

441. What is the goal of a DDoS attack?

A. Render a network or computer incapable of providing normal service
B. Create bugs in web applications
C. Exploit a weakness in the TCP stack
D. Capture files from a remote computer
442. Marko is attacking John’s computer with a custom-made application that is sending a
specially crafted packet to John’s computer after which John’s computer shows a blue screen.
Marko repeats this process every 3 seconds. John’s computer is now under constant blue
screen and reboots over and over again. This is an example of ____________.

A. SYN flood attack
B. DDoS attack
C. Ping of death attack
D. DoS attack

443. A systems administrator in a small company named “We are Secure Ltd.” has a problem
with their Internet connection. The following are the symptoms: the speed of the Internet
connection is slow (so slow that it is unusable). The router connecting the company to the
Internet is accessible and it is showing a large amount of SYN packets flowing from one single
IP address. The company’s Internet speed is only 5 Mbps, which is usually enough during
normal working hours. What type of attack is this?

A. DRDoS
B. DDoS
C. DoS
D. MITM
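The symptom in question 443, a router reporting a stream of SYN packets from one address, is worth confirming from logs rather than from a router counter, because the same flood spread across thousands of sources is the DDoS of the later questions and calls for a different response. The Python below is an added example, not part of the question bank: it parses constructed firewall log lines, counts half-open SYNs (SYNs from sources that never send an ACK) per source, and labels the episode as a single-source DoS, a many-source DDoS, or normal. The log format, the addresses and the thresholds are all assumptions.

```python
"""Classify a SYN flood from firewall/flow logs: single source (DoS) versus
many sources (DDoS). Log format and thresholds are assumptions for the example."""
import re
from collections import Counter

LINE_RE = re.compile(
    r"proto=(?P<proto>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) flags=(?P<flags>\w+)"
)


def make_sample(sources, syns_per_source, with_legit=True):
    """Build constructed log lines: each source sends only SYNs (never ACKs),
    plus one legitimate client that completes its handshake."""
    lines = []
    for i, src in enumerate(sources):
        for _ in range(syns_per_source):
            lines.append(f"2024-05-01T10:00:{i % 60:02d} proto=tcp src={src} "
                         f"dst=198.51.100.10 dport=80 flags=S")
    if with_legit:
        lines.append("2024-05-01T10:00:05 proto=tcp src=192.0.2.5 "
                     "dst=198.51.100.10 dport=80 flags=S")
        lines.append("2024-05-01T10:00:05 proto=tcp src=192.0.2.5 "
                     "dst=198.51.100.10 dport=80 flags=A")
    return lines


def syn_stats(lines):
    """Per-source counts of bare SYNs and of any segment carrying ACK."""
    syn, ack = Counter(), Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["proto"] != "tcp":
            continue
        if m["flags"] == "S":
            syn[m["src"]] += 1
        elif "A" in m["flags"]:
            ack[m["src"]] += 1
    return syn, ack


def classify(lines, syn_threshold=100, ddos_min_sources=10):
    """Sources that send SYNs but never ACK are half-open suspects; the number
    of distinct suspects separates a DoS from a DDoS."""
    syn, ack = syn_stats(lines)
    suspects = {s: n for s, n in syn.items() if ack[s] == 0}
    total = sum(suspects.values())
    if total < syn_threshold:
        return "normal", suspects
    if len(suspects) >= ddos_min_sources:
        return "DDoS SYN flood", suspects
    return "DoS SYN flood (single source)", suspects


# Constructed samples: one flooding host, 300 flooding hosts, and quiet traffic.
DOS_SAMPLE = make_sample(["203.0.113.7"], 500)
DDOS_SAMPLE = make_sample([f"198.18.{i // 256}.{i % 256}" for i in range(300)], 5)
NORMAL_SAMPLE = make_sample(["192.0.2.9"], 3)

if __name__ == "__main__":
    for name, sample in (("DOS", DOS_SAMPLE), ("DDOS", DDOS_SAMPLE),
                         ("NORMAL", NORMAL_SAMPLE)):
        label, suspects = classify(sample)
        print(f"{name:7s} -> {label} ({len(suspects)} suspect source(s))")
```

The single-source case can be handled with an upstream block on one address; the 300-source case is what pushes mitigation to the provider or a scrubbing service, as the later questions on absorbing versus filtering discuss.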

444. Remin, a professional hacker, targeted an organization and attempted to propagate
malicious code. In this process, he placed an attack toolkit on his own system, and a copy of
the attack toolkit was transferred to a newly discovered vulnerable system in the
organization’s network.

Which of the following techniques did Remin employ in the above scenario?

A. Central source propagation
B. Autonomous propagation
C. Back-chaining propagation
D. Spyware propagation

445. Which of the following scanning methods makes use of the information obtained from an
infected machine to find new vulnerable machines in a target network?

A. Hit-list scanning
B. Permutation scanning
C. Random scanning
D. Topological scanning

446. In which of the following techniques does the attacking host itself transfer the attack
toolkit to a newly discovered vulnerable system, exactly when it breaks into that system?

A. Central source propagation
B. Spyware propagation
C. Autonomous propagation
D. Back-chaining propagation

447. Mike works for a company, “Fourth Rose Intl.”, as the sales manager. He was sent to Las
Vegas on a business trip to meet his clients. After the successful completion of his meeting,
Mike went back to his hotel room, connected to the hotel Wi-Fi network, and attended his
other scheduled online client meetings through his laptop. After returning to his office
headquarters, Mike connects his laptop to the office Wi-Fi network and continues his work;
however, he observes that his laptop starts to behave strangely. It regularly slows down, blue
screens from time to time, and reboots without any apparent reason. He raised the
issue with his system administrator. Some days later, the system administrator in Mike’s
company observed the same issue on various other computers in the organization. Meanwhile,
he also observed large amounts of unauthorized traffic from various IP addresses of
“Fourth Rose Intl.” directed toward the organizational web server. The company’s security
division analyzed the network traces and identified that Mike’s laptop had instructed the
other computers in the network to perform a DDoS attack on the organizational web server.
They further identified a malicious backdoor executable on Mike’s laptop that connects to a
remote anonymous computer. This remote computer is responsible for sending commands to
Mike’s laptop in order to initiate and execute the DDoS attack on the organizational web
server. In this case, Mike’s laptop was part of the _________.

A. IRC attack
B. Bot attack
C. Command-and-control (C&C) center
D. Botnet attack

448. When a client’s computer is infected with malicious software which connects to the
remote computer to receive commands, the client’s computer is called a ___________

A. Botnet
B. Bot
C. Command and control (C&C)
D. Client

449. Which of the following attack techniques falls under the category of volumetric denial-of-
service attacks?

A. Fragmentation attack
B. Slowloris attack
C. Spoofed session flood attack
D. Ping-of-death (PoD) attack

450. Which of the following attacks is performed by an attacker before the DDoS vulnerabilities
of a system have been patched or effective defensive mechanisms are implemented?
A. Smurf attack
B. Peer-to-peer attack
C. Pulse-wave DDoS attack
D. Zero-day DDoS attack

451. In which of the following attacks does an attacker use a combination of volumetric,
protocol, and application-layer attacks to take down a target system or service?

A. Multi-vector attack
B. Peer-to-peer attack
C. HTTP GET/POST attack
D. Slowloris attack

452. Fiona, an attacker, targeted an organization to diminish their network bandwidth. In this
process, she used an attack technique in which zombies send large volumes of traffic to the
victim’s systems to exhaust the network, application, or service resources, thereby restricting
access to legitimate employees.

Which of the following types of attack did Fiona perform in the above scenario?

A. Amplification attack
B. Flood attack
C. Peer-to-peer attack
D. Smurf attack

453. Wiley, a hacker, aimed to crash his target John’s machine. For this purpose, he spoofed the
source IP address with John’s IP address and sent many ICMP ECHO request packets to an IP
broadcast network, causing all the hosts to respond to the received ICMP ECHO requests and
ultimately crashing John’s machine.

Which of the following attack techniques did Wiley utilize in the above scenario?

A. Smurf attack
B. Slowloris attack
C. Zero-day DDoS attack
D. Pulse-wave DDoS attack

454. Which of the following network attacks relies on sending an abnormally large packet
size that exceeds TCP/IP specifications?

A. Smurf attack
B. SYN flooding
C. Ping of death
D. TCP hijacking
455. Bob is trying to access his friend Jason’s email account without his knowledge. He
guesses and tries random passwords to log into the email account resulting in the lockdown
of the email account for the next 24 hours. Now, if Jason tries to access his account even with
his genuine password, he cannot access the email account for the next 24 hours. How can
you categorize this DoS?

A. Permanent denial-of-service (PDoS) attack
B. Bandwidth attack
C. Application-level flood attack
D. Peer-to-peer attack

456. Identify the type of DDoS attack from the following diagram:

A. Peer-to-peer attack
B. Distributed reflection denial-of-service (DRDoS) attack
C. Phlashing attack
D. Permanent denial-of-service attack

457. A systems administrator in a small company named “We are Secure Ltd.” has a problem
with their Internet connection. The following are the symptoms: The speed of the Internet
connection is slow (so slow that it is unusable). The router connecting the company to the
Internet is accessible and it is showing large amount of router solicitation messages from
neighboring routers even though the router is not supposed to receive any of these
messages. What type of attack is this?

A. DoS
B. MitM
C. DDoS
D. DRDoS
458. Martha is a network administrator in a company named “Dubrovnik Walls Ltd.” She
realizes that her network is under a DDoS attack. After careful analysis, she realizes that
large amounts of UDP packets are being sent to the organizational servers that are present
behind the “Internet facing firewall.”

What type of DDoS attack is this?

A. Protocol attack
B. Application layer attack
C. SYN flood attack
D. Volume (volumetric) attack

459. Martha is a network administrator in a company named “Dubrovnik Walls Ltd.”. She
realizes that her network is under a DDoS attack. After careful analysis, she realizes that a
large amount of fragmented packets are being sent to the servers present behind the
“Internet facing firewall.”

What type of DDoS attack is this?

A. Protocol attack
B. Application layer attack
C. SYN flood attack
D. Volume (volumetric) attack

460. Martha is a network administrator in a company named “Dubrovnik Walls Ltd.” She
realizes that her network is under a DDoS attack. After careful analysis, she realizes that a
large number of HTTP POST requests are being sent to the web servers behind the WAF. The
traffic is not legitimate, since the web application requires a workflow to be completed before
data can be sent with a POST request, and this workflow data is missing. What type of
DDoS attack is this?

A. Protocol attack
B. Application layer attack
C. SYN flood attack
D. Volume (volumetric) attack

461. Which of the following is NOT a type of DDoS attack?

A. Protocol attack
B. Phishing attack
C. Volume (volumetric) attack
D. Application layer attack
462. Edwards, a professional hacker, has targeted a Linux server hosted on the target
organization’s network. To achieve his goal, he initiated sending multiple specially crafted
packets to the server with a malformed maximum segment size (MSS). This forced the
server’s buffer to exceed its sustainable limit, which led to a DoS attack.

Which of the following attacks did Edwards perform in the above scenario?

A. BlueBorne attack
B. TCP SACK panic attack
C. Misconfigured AP attack
D. Agent smith attack

463. Robert, a professional hacker, has launched a reflection attack on the target
organization’s Microsoft Azure environment to degrade its network capacity. For this
purpose, he sent a large number of UDP packets, with source IP addresses spoofed to be those
of the target, to an intermediary server. The intermediary server started responding to all the
spoofed source IP addresses at once, causing legitimate users to wait for some time to receive
the resources.

Which of the following types of attacks did Robert launch in the above scenario?

A. DDoS attack
B. IRDP spoofing
C. MarioNet attack
D. DNS server hijacking

464. Which of the following best practices should be followed to thwart DoS/DDoS attacks?

A. Use functions such as gets and strcpy
B. Do not implement cognitive radios in the physical layer
C. Allow return addresses to be overwritten
D. Block all inbound packets originating from the service ports

465. Which algorithm does the “sequential change-point detection” technique use to identify
and locate the DoS attacks?

A. Obfuscation
B. BlackShades
C. Cumulative sum
D. Advanced encryption standard

466. Which of the following DoS/DDoS countermeasures strategy can you implement using a
honeypot?

A. Absorbing attacks
B. Degrading services
C. Deflecting attacks
D. Mitigating attacks

467. Which of the following DoS/DDoS detection techniques isolates the changes in the
network traffic statistics and traffic flow rate that are caused by attacks?

A. Sequential change-point detection
B. Absorbing the attack
C. Wavelet-based signal analysis
D. Activity profiling
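Questions 465 and 467 name the technique (sequential change-point detection) and its algorithm (the cumulative sum, CUSUM) without showing what it does. The idea is to keep a running sum of how far each traffic sample exceeds the learned baseline, clamped at zero so quiet periods reset it, and to alarm when that sum crosses a threshold; a single spike barely moves it, a sustained jump drives it up immediately. The Python below is an added example, not from the question bank or from any product: it learns the baseline from a warm-up window, runs the non-parametric CUSUM over a constructed per-second SYN-rate series, and returns the second at which it alarms. The series, the warm-up length and the k/h multipliers are assumptions.

```python
"""Sequential change-point detection with CUSUM over a per-second packet-rate
series. Added example; the traffic numbers are constructed, not measured."""
from statistics import mean, pstdev


def build_series(normal_len=30, attack_len=10):
    """Constructed SYN/s series: ~50/s with small jitter, then a flood at ~500/s."""
    pattern = [48, 52, 50, 49, 51]
    normal = [pattern[i % len(pattern)] for i in range(normal_len)]
    flood = [500 + (i % 3) for i in range(attack_len)]
    return normal + flood


def cusum_detect(series, warmup=20, k_sigma=0.5, h_sigma=5.0):
    """One-sided CUSUM: S_n = max(0, S_{n-1} + (x_n - mu - k)); alarm when S_n > h.

    mu and sigma come from the first `warmup` samples; k (the allowance) makes
    the sum drift down during normal traffic, h is the alarm threshold.
    Returns (index of first alarm or None, the full CUSUM trace)."""
    base = series[:warmup]
    mu = mean(base)
    sigma = max(pstdev(base), 1.0)          # floor avoids a zero threshold
    k, h = k_sigma * sigma, h_sigma * sigma
    s, trace = 0.0, []
    for i, x in enumerate(series):
        s = max(0.0, s + (x - mu - k))      # clamp: quiet periods reset the sum
        trace.append(s)
        if i >= warmup and s > h:
            return i, trace
    return None, trace


if __name__ == "__main__":
    idx, trace = cusum_detect(build_series())
    print("alarm at second", idx, "with CUSUM", round(trace[idx], 1))
```

Tuning note: with the constructed jitter (sigma about 1.4) the threshold h is about 7, so a one-off +5 excursion lifts the sum to roughly 4 and then decays, while the flood at second 30 pushes it past 400 in one step; raise h_sigma if your baseline is burstier.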

468. Ivan works as a security consultant at “Ask Us Intl.” One of his clients is under a large-
scale protocol-based DDoS attack, and they have to decide how to deal with this issue. They
have some DDoS appliances that are currently not configured. They also have a good
communication channel with their providers, and some of the providers have fast network
connections. In an ideal scenario, what would be the best option to deal with this attack?
Bear in mind that this is a protocol-based DDoS attack with at least 10,000 bots sending the
traffic from all over the globe!

A. Absorb the attack at the client site
B. Block the traffic at the provider level
C. Absorb the attack at the provider level
D. Filter the traffic at the company’s Internet facing routers

469. Ivan works as a security consultant at “Ask Us Intl.” One of his clients is under a large-
scale application layer-based DDoS attack, and they have to decide how to deal with this
issue. The web application under attack is used to submit user-filled forms and save the
data in a MySQL database. Since the DDoS is abusing the POST functionality, not only the web
application and web server are in a DDoS condition but also the MySQL database.

They have some DDoS appliances that are currently not configured. They also have a good
communication channel with their providers, and some of the providers have fast network
connections. In an ideal scenario, what would be the best option to deal with this attack?
Bear in mind that this is an application layer-based DDoS attack that sends at least 1,000
malicious POST requests per second, spread across the entire globe!

A. Absorb the attack at the client site
B. Filter the traffic at the company’s Internet facing routers
C. Absorb the attack at the provider level
D. Use CAPTCHA
470. John’s company is facing a DDoS attack. While analyzing the attack, John has learned that
the attack is originating from all over the globe, and filtering the traffic at the Internet Service
Provider’s (ISP) level is an impossible task. After a while, John observed that his
personal computer at home was also compromised, similar to the company’s
computers. He observed that his computer is sending large amounts of UDP data directed
toward his company’s public IPs.

John takes his personal computer to work and starts a forensic investigation. Two hours
later, he learns crucial information: the infected computer is connecting to the C&C server,
and unfortunately, the communication between the C&C and the infected computer is
encrypted. Therefore, John intentionally lets the infection spread to another machine in his
company’s secure network, where he can observe and record all the traffic between the bot
software and the botnet. After thorough analysis, he discovers that the initial infection
downloaded the malware from an FTP server, with the username and password sent in
cleartext. John connects to the FTP server and finds the botnet software, including the C&C,
on it, with the username and password for the C&C in a configuration file. What can John do
with this information?

After successfully stopping the attack against his network, and informing the CERT about
the Botnet and new password which he used to stop the attack and kick off the attackers
from C&C, John starts to analyze all the data collected during the incident and creating the
so-called “Lessons learned” document. What is John doing?

A. Postattack forensics
B. Protect secondary victims
C. Neutralize the handlers
D. Prevent potential attacks

471. Which of the following DoS/DDoS protection appliances ensures reliable access to key
network services by detecting and blocking external threats such as DDoS and other cyber-
attacks before they escalate into costly service outages?

A. DDoS-GUARD
B. A10 Thunder TPS
C. Akamai DDoS Protection
D. Imperva Incapsula DDoS Protection

472. Which of the following botnet defending techniques involves discarding packets at the
routing level?

A. RFC 3704 filtering
B. DDoS prevention offerings from ISP or DDoS service
C. Cisco IPS source IP reputation filtering
D. Black-hole filtering
473. Which of the following techniques is similar to reverse engineering, helps identify the
true source of an attack, and allows taking necessary steps to block further attacks?

A. Event log analysis
B. Packet traceback
C. Traffic pattern analysis
D. Zombie zapper

474. In which of the following session hijacking phases does an attacker break the connection
to a victim’s machine with knowledge of the next sequence number (NSN)?

A. Monitor
B. Session desynchronization
C. Session ID prediction
D. Command injection

475. In which of the following attacks does an attacker seize control of a valid TCP
communication session between two computers and gain access to a machine while a
session is in progress?

A. Spoofing attack
B. Brute forcing
C. Client-side attack
D. Session hijacking

476. In one of the following attacks, an attacker pretends to be another user to gain access
without seizing control of an existing active session; instead, the attacker initiates a new
session using the victim’s stolen credentials. Which is this attack?

A. Session sniffing
B. Session hijacking
C. Brute forcing
D. Spoofing attack

477. When a person (or software) steals, calculates, or guesses part of the communication
channel between the client and the server application, or of the protocols used in the
communication, he can hijack the ______.

A. Channel
B. TCP protocol
C. Session
D. UDP protocol

478. During a penetration test, Marin exploited a blind SQLi and exfiltrated session tokens
from the database. What can he do with this data?

A. Marin can do Session Hijacking
B. Marin can do XSS (Cross-Site Scripting)
C. Marin can do SQLi (SQL injection)
D. Marin can do CSRF (Cross-Site Request Forgery)

479. Which of the following attack techniques allows an attacker to inject malicious client-
side scripts into web pages viewed by other users?

A. CSRF
B. XSS
C. Trojans
D. Malicious JavaScript

480. Which of the following techniques is also called a one-click attack or session riding and
is used by an attacker to exploit a victim’s active session with a trusted site to perform
malicious activities?

A. Session fixation
B. Cross-site script attack
C. Session replay attacks
D. Cross-site request forgery attack

481. Which of the following attacks exploits the reuse of a cryptographic nonce during the TLS
handshake to hijack HTTPS sessions, leading to the disclosure of sensitive information?

A. Proxy servers
B. CRIME attack
C. Session donation attack
D. Forbidden attack

482. In one of the following attacks, an attacker exploits the vulnerabilities present in the
data compression feature of protocols, such as SSL/TLS, SPDY, and HTTPS, and hijacks the
session by decrypting secret session cookies. Which is this attack?

A. Session donation attack
B. CRIME attack
C. Proxy servers
D. Forbidden attack

483. In which of the following techniques does an attacker obtain session IDs by attempting
all possible permutations of session ID values until finding one that works?

A. Session hijacking
B. Stealing
C. Brute forcing
D. Guessing

484. Which of the following is the phase of a session fixation attack wherein an attacker waits
for a victim to log in to a target web server using a trap session ID and then enters the
victim’s session?

A. Session set-up
B. Brute forcing
C. Fixation
D. Entrance

485. In one of the following attacks, an attacker captures the authentication token of a user
by listening to a conversation between the user and server and reiterates the authentication
request to the server with the captured authentication token to gain unauthorized access to
the server. Which is this attack?

A. Cross-site request forgery attack
B. CRIME attack
C. Session replay attack
D. Forbidden attack

486. During a penetration test, Marin identified a web application that could be exploited to
gain a root shell on the remote machine. The only problem was that in order to do that he
would have to know at least one valid username and password that could be used in the
application. Unfortunately, guessing usernames and brute-forcing passwords did not work.
Marin does not want to give up his attempts. Since this web application is being used by
almost all users in the company, and moreover it was using the HTTP protocol, he decided
to use the Cain & Abel tool in order to identify at least one username and password. Marin
found that the network was using layer 2 switches with no configuration or management
features.

Which of the following attacks will help Marin to do this?

A. Cross-site Scripting attack
B. DoS attack
C. MitM (Man in the Middle)
D. MitB (Man in the Browser)

487. MitB (Man in the Browser) is a session hijacking technique heavily used by e-banking
Trojans. The most popular ones are Zeus and Gameover Zeus. Explain how a MitB attack
works.

A. Malware is injected between the browser and OS API, enabling it to see the data
before encryption (when data is sent from the machine) and after decryption
(when data is being received by the machine)
B. Malware is injected between the browser and network.dll, enabling it to see the data
before it is sent to the network and while it is being received from the network
C. Malware is injected between the browser and keyboard driver, enabling it to see all
the keystrokes
D. Man-in-the-Browser is just another name for the sslstrip MitM attack

488. A session hijacking attack that gains control over the HTTP user session by obtaining
the session IDs is known as _______________

A. Passive attack
B. Active hijacking
C. Network level hijacking
D. Application level hijacking

489. In which of the following techniques does an attacker use spoofed packets to seize
control of a connection between a victim and a target machine on the same network as the
victim?

A. Blind hijacking
B. HTTP Public Key Pinning
C. Forced ARP entry
D. TCP/IP hijacking

490. In which of the following types of hijacking can an attacker inject malicious data or
commands into intercepted communications in a TCP session, even if the victim disables
source routing?

A. Session fixation
B. RST hijacking
C. Blind hijacking
D. UDP hijacking

491. In order to hijack TCP traffic, an attacker has to understand the next sequence and the
acknowledgment number that the remote computer expects. Explain how the sequence and
acknowledgment numbers are incremented during the 3-way handshake process.

A. Sequence and acknowledgment numbers are incremented by two during the 3-way
handshake process
B. Sequence number is incremented by one and acknowledgment number is not
incremented during the 3-way handshake process
C. Sequence and acknowledgment numbers are incremented by one during the 3-way
handshake process
D. Sequence number is not incremented and acknowledgment number is incremented
by one during the 3-way handshake process

492. John, a malicious attacker, was intercepting packets during transmission between the
client and server in a TCP and UDP session. What is this type of attack called?

A. Session hijacking
B. Intrusion
C. Application-level hijacking
D. Network-level hijacking

493. If an attacker intercepts an established connection between two communicating parties
using spoofed packets, and then pretends to be one of them, then which network-level
hijacking is he performing?

A. TCP/IP hijacking
B. IP spoofing
C. Man-in-the-middle: packet sniffer
D. RST hijacking

494. Out of the following, which network-level session hijacking technique is useful in gaining
unauthorized access to a target computer with the help of a trusted host’s IP address?

A. TCP/IP Hijacking
B. Blind Hijacking
C. UDP Hijacking
D. IP Spoofing: Source Routed Packets

495. Which of the following tools can be used to perform RST hijacking on a network?

A. Recon-ng
B. Nmap
C. Colasoft’s Packet Builder
D. FOCA

496. Out of the following, which network-level session hijacking technique can be used to
inject malicious data or commands into the intercepted communications in a TCP session?

A. RST hijacking
B. TCP/IP hijacking
C. UDP hijacking
D. Blind hijacking

497. Which of the following protocols is an extension of IP to send error messages? An
attacker can use it to send messages to fool the client and the server.

A. ARP
B. ICMP
C. SSL
D. FTP

498. Which of the following commands helps attackers retrieve details regarding the
certificate authority of a target domain?

A. Mole
B. Hping3
C. Nbtstat
D. certutil.exe

499. Which of the following tools allows attackers to inspect and modify traffic between a
browser and target application?

A. Yersiniadroidsheep
B. Burp suite
C. Vindicate
D. DerpNSpoof

500. Robert, a professional hacker, was performing a session hijacking attack on a target
organization. In this process, he installed a tool on an Android device and connected it to the
organization’s network to obtain the session IDs of active users on the Wi-Fi network. He used
those session IDs to access a website as an authorized user.

Which of the following tools did Robert use in the above scenario?

A. ShellPhish
B. Droidsheep
C. Vega
D. PortQry

501. Glenn, a hacker, targeted an employee of an organization. In the attack process, he
connected his smartphone to the target’s Wi-Fi network and used a tool to sniff and intercept
web-session profiles over the Wi-Fi network to hijack the target employee’s sessions.

Which of the following tools did Glenn use in the above scenario?

A. Apility.io
B. OhPhish
C. FaceNiff
D. Netcraft

502. Which of the following tools allows attackers to inspect and modify traffic between a
browser and target application?

A. BCTextEncoder
B. FileVault 2
C. Hetty
D. Vindicate

503. Which of the following is a portable framework written in Go that allows security
researchers, red teamers, and reverse engineers to perform reconnaissance and various
attacks on Wi-Fi networks?

A. Netcraft
B. Bettercap
C. theHarvester
D. Secure Everything

504. Which of the following web-development guidelines should be followed to eliminate the
risk of session hijacking?

A. Create sessions for unauthenticated users
B. Expire the session as soon as the user logs out
C. Increase the life span of a session or cookie
D. Allow eavesdropping within the network

505. Which of the following techniques is a trust on first use (TOFU) technique used in an HTTP
header that allows a web client to associate a public key certificate with a server to minimize
the risk of MITM attacks?

A. HPKP
B. Token binding
C. WEP/WPA encryption
D. HSTS

506. Which of the following IPsec components is software that allows two computers to
communicate by encrypting the data exchanged between them?

A. ISAKMP
B. IKE
C. Oakley
D. IPsec driver

507. In the protocol structure of the IPsec architecture, which of the following documents
defines the payload formats, types of exchange, and naming conventions for security
information such as cryptographic algorithms or security policies?

A. IPsec Domain of Interpretation (DOI)
B. IPsec policies
C. Encapsulating Security Payload (ESP)
D. Authentication Header (AH)

508. Which of the following security services is useful in providing connectionless integrity
and data origin authentication for IP datagrams as well as anti-replay protection for the data
payload and some portions of the IP header of each packet?

A. Token binding
B. Encapsulation Security Payload (ESP)
C. HTTP Public Key Pinning (HPKP)
D. Authentication Header (AH)

509. A security engineer has been asked to deploy a secure remote access solution that will
allow employees to connect to the company’s internal network. Which of the following can be
implemented to minimize the opportunity for a man-in-the-middle attack to occur?

A. Static IP addresses
B. SSL
C. IPSec
D. Mutual authentication

510. Out of the following, which session hijacking detection technique involves using packet-
sniffing software such as Wireshark and SteelCentral packet analyzer to monitor session
hijacking attacks?

A. Forcing an ARP entry
B. Manual method
C. Automatic method
D. Normal Telnet session

511. Which of the following techniques allows users to authenticate web servers?

A. HPKP
B. SSH
C. HTTPS
D. SFTP

512. OpenSSH or SSH is a more secure solution to which of the following protocols?

A. Telnet, rlogin
B. HTTP
C. IP
D. SMB

513. Which of the following protocols is used to implement virtual private networks (VPNs)?

A. HPKP
B. HTTPS
C. IPsec
D. Token binding

514. Out of the following, which is not a component of the IPsec protocol?

A. IPsec policy agent
B. Oakley
C. HPKP
D. IKE

515. Which protocol defines the payload formats, types of exchange, and naming conventions
for security information such as cryptographic algorithms or security policies? Identify from
the following options.

A. DOI
B. AH
C. ESP
D. ISAKMP

516. A user wants to securely establish a remote connection to a system without any
interference from perpetrators. Which of the following methods should he incorporate in
order to do so?

A. VPN
B. SFTP
C. SMB Signing
D. HTTPS

517. Jimmy, a security expert, was tasked with securing the organization’s network from
malicious intrusion attempts. Considering all the possible attacks from internal and external
sources, Jimmy enforced a security measure that considers even internal users or employees
as external entities and forces them to authenticate as common end users.

Which of the following security measures did Jimmy enforce in the above scenario?

A. Password manager
B. Deterrence controls
C. Zero-trust principle
D. IPsec policy agent

518. Which of the following guidelines helps developers eliminate the risk of session hijacking
during communication between web client and web server?

A. Increase the life span of a session or cookie
B. Create sessions for unauthenticated users
C. Ensure that the web application is able to redirect HTTP requests to HTTPS
D. Disable the HTTPOnly property

519. The general indicators of which of the following types of intrusions are repeated login
attempts from remote hosts, a sudden influx of log data, and a sudden increase in bandwidth
consumption?

A. Network intrusion
B. File-system intrusion
C. System intrusion
D. Signature recognition

520. Which of the following types of honeypots is very effective in determining the entire
capabilities of adversaries and is mostly deployed in an isolated virtual environment along
with a combination of vulnerable servers?

A. Spider honeypots
B. Spam honeypots
C. Honeynets
D. Malware honeypots

521. Which of the following attributes in a packet can be used to check whether the packet
originated from an unreliable zone?

A. Interface
B. Source IP address
C. Direction
D. TCP flag bits

522. Which of the following types of firewall inspects only header information in network
traffic?

A. Circuit-level gateway
B. Application-level gateway
C. Packet filter
D. Stateful inspection

523. Which of the following intrusion detection techniques involves first creating models of
possible intrusions and then comparing these models with incoming events to make a
detection decision?

A. Anomaly Detection
B. Obfuscating
C. Signature Recognition
D. Protocol Anomaly Detection

524. Which solution can be used to emulate computer services, such as mail and ftp, and to
capture information related to logins or actions?

A. Demilitarized zone (DMZ)
B. Honeypot
C. Intrusion detection system (IDS)
D. Firewall

525. Sean, who works as a network administrator, has just deployed an IDS in his organization’s
network. Sean deployed an IDS that generates four types of alerts that include: true positive,
false positive, false negative, and true negative.

In which of the following conditions does the IDS generate a true positive alert?

A. A true positive is a condition occurring when an event triggers an alarm when no
actual attack is in progress
B. A true positive is a condition occurring when an event triggers an alarm and
causes the IDS to react as if a real attack is in progress
C. A true positive is a condition occurring when an IDS identifies an activity as acceptable
behavior and the activity is acceptable
D. A true positive is a condition occurring when an IDS fails to react to an actual attack
event

526. Which of the following indicators falls in the category of general indications of system
intrusion?

A. Missing files
B. Repeated probes of the available services on machines
C. Repeated login attempts from remote hosts
D. Missing logs or logs with incorrect permissions or ownership

527. A circuit-level gateway works at which of the following layers of the OSI model?

A. Layer 3 – Network
B. Layer 4 – Transport
C. Layer 5 – Session
D. Layer 2 – Data Link

528. Which type of intrusion detection system can monitor and alert on attacks, but cannot
stop them?

A. Reactive
B. Passive
C. Intuitive
D. Detective

529. An advantage of an application-level firewall is the ability to

A. Retain state information for each packet
B. Filter specific commands, such as http:post
C. Monitor TCP handshaking
D. Filter packets at the network level

530. Jamie needs to keep data safe in a large datacenter, which is in desperate need of a
replacement for its end-of-life firewall. The director has asked Jamie to select and deploy an
appropriate firewall for the existing datacenter. The director indicates that the amount of
throughput will increase over the next few years and this firewall will need to keep up with
the demand while other security systems do their part with the passing data. What firewall
will Jamie use to meet the requirements?

A. Packet filtering firewall because it will best keep the increased traffic moving at
an acceptable level
B. Application-level proxy firewall because the connection between internal and
external systems is inspected but not broken; data moves more rapidly
C. Packet filtering firewall because layer 7 inspections use less overhead, allowing more
packets to be inspected per second than other firewall types
D. Application-level proxy firewall because unlike the old packet filtering firewall
technology, it can adjust speed based on applications

531. Teyla is a security analyst for BAYARA Company. She is responsible for the firewall,
antivirus, IPS, and web filtering security controls. She wants to protect the employees from a
new phishing attack.

What should Teyla do?

A. Block the phishing via antivirus
B. Use the web filtering application to prevent the employees from accessing the
phishing webpage
C. Use IPS to block phishing
D. Block outbound traffic to the ports 80 and 443 in the firewall

532. When analyzing the IDS logs, the system administrator notices connections from outside
of the LAN have been sending packets where the source IP address and destination IP address
are the same. However, no alerts have been sent via email or logged in the IDS. Which type of
alert is this?

A. False negative
B. True positive
C. True negative
D. False positive

533. Which of the following methods detects an intrusion based on the fixed behavioral
characteristics of the users and components of a computer system?

A. Anomaly detection
B. Signature recognition
C. Bastion host
D. Protocol anomaly detection

534. Which of the following is a mobile intrusion detection tool that allows users to find all the
devices connected to a network and provides relevant data such as the IP addresses,
manufacturer names, device names, and MAC addresses of the connected devices?

A. WIBR+
B. Reaver
C. Wifiphisher
D. Wifi Inspector

535. Which of the following commands is an example of a Snort rule using a bidirectional
operator?

A. log tcp any any -> 192.168.1.0/24 !6000:6010
B. alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 111
C. 192.168.1.0/24 1:1024
D. log !192.168.1.0/24 any <> 192.168.1.0/24 23

536. Which of the following is a security solution for mobile devices that can reduce a mobile
device’s network traffic and battery consumption as well as allow users to create network
rules based on apps, IP addresses, and domain names?

A. Snort
B. Bitvise
C. NetPatch Firewall
D. HFSensor

537. Which of the following is a host-based IDS that acts as a honeypot to attract and detect
hackers and worms by simulating vulnerable system services and Trojans?

A. KFSensor
B. Suricata
C. zIPS
D. Snort

538. When an alert rule is matched in a network-based IDS like Snort, the IDS does which of
the following:

A. Blocks the connection with the source IP address in the packet
B. Continues to evaluate the packet until all rules are checked
C. Stops checking rules, sends an alert, and lets the packet continue
D. Drops the packet and moves on to the next one

539. Which of the following is not an action present in Snort IDS?

A. Pass
B. Audit
C. Log
D. Alert

540. Which of the following firewalls is used to secure mobile devices?

A. Glasswire
B. NetPatch firewall
C. TinyWall
D. Comodo firewall

541. Which of the following firewall solution tools has the following features:

• Two-way firewall that monitors and blocks inbound as well as outbound traffic
• Allows users to browse the web privately
• Identity protection services help to prevent identity theft by guarding crucial data
of the users. It also offers PC protection and data encryption
• Through Do Not Track, it stops data-collecting companies from tracking the online
users
• Online Backup backs up files and restores the data in the event of loss, theft,
accidental deletion or disk failure

A. Wifi Inspector
B. zIPS
C. Vanguard Enforcer
D. ZoneAlarm Free Firewall

542. Which of the following is a malware research tool that allows security analysts to detect
and classify malware or other malicious codes through a rule-based approach?

A. YARA
B. ping
C. Hping3
D. Nmap

543. Which of the following tools helps security professionals in generating YARA rules from
strings identified in malware files?

A. Weevely
B. HoneyBOT
C. yarGen
D. Tamper Chrome

544. Which of the following is an IDS evasion technique used by an attacker to confuse the IDS
by forcing it to read invalid packets as well as blindly trust and accept a packet that an end
system rejects?

A. Insertion attack
B. Fragmentation attack
C. Obfuscation
D. Invalid RST packets

545. One of the following is an IDS evasion technique used by an attacker to send a huge
amount of unnecessary traffic to produce noise or fake traffic. If the IDS does not analyze the
noise traffic, the true attack traffic goes undetected. Which is this IDS evasion technique?

A. Overlapping fragments
B. Flooding
C. Encryption
D. Denial-of-service attack

546. In which of the following IDS evasion techniques does an attacker use an existing buffer-
overflow exploit and set the “return” memory address on the overflowed stack to the entrance
point of the decryption code?

A. Urgency flag
B. Polymorphic shellcode
C. Invalid RST packets
D. Overlapping fragments

547. Which of the following techniques is used by an attacker to exploit a host computer and
results in the IDS discarding packets while the host that must receive the packets accepts
them?

A. Obfuscation
B. Fragmentation attack
C. Evasion
D. Session splicing

548. In which of the following IDS evasion techniques does an attacker split the attack traffic
into an excessive number of packets such that no single packet triggers the IDS?

A. Evasion
B. Insertion attack
C. Denial-of-service attack (DoS)
D. Session splicing

549. The use of alert thresholding in an IDS can reduce the volume of repeated alerts, but
introduces which of the following vulnerabilities?

A. Thresholding interferes with the IDS’ ability to reassemble fragmented packets
B. An attacker, working slowly enough, can evade detection by the IDS
C. Network packets are dropped if the volume exceeds the threshold
D. The IDS will not distinguish among packets originating from different sources

550. Which evasion technique is used by attackers to encode the attack packet payload in such
a way that the destination host can only decode the packet but not the IDS?

A. Obfuscation
B. Session splicing
C. Fragmentation attack
D. Unicode evasion

551. A checksum of how many bits is used by the TCP protocol for error checking of the header
and data and to ensure that communication is reliable?

A. 13-bit
B. 14-bit
C. 15-bit
D. 16-bit

552. An attacker hides the shellcode by encrypting it with an unknown encryption algorithm
and by including the decryption code as part of the attack packet. He encodes the payload and
then places a decoder before the payload. Identify the type of attack executed by the attacker.

A. Postconnection SYN
B. Polymorphic shellcode
C. ASCII shellcode
D. Preconnection SYN

553. Which network-level evasion method is used to bypass an IDS, where an attacker splits the
attack traffic into too many packets so that no single packet triggers the IDS?

A. Fragmentation attack
B. Session splicing
C. Overlapping fragments
D. Unicode evasion

554. Which of the following tools provides secure remote login capabilities using SSH TCP/IP
tunneling to Windows workstations and servers by encrypting data during transmission?

A. Suricata
B. Snort
C. Bitvise
D. zIPS

555. Which of the following attack techniques is used by an attacker to exploit the
vulnerabilities that occur while processing the input parameters of end users and the server
responses in a web application?

A. MITM attack
B. XSS attack
C. Social engineering attack
D. Denial-of-service attack

556. Which of the following techniques is used by attackers for collecting information about
remote networks behind firewalls, where the TTL value is used to determine ACL gateway
filters and map networks by analyzing the IP packet response?

A. Source routing
B. Banner grabbing
C. Tiny fragments
D. Firewalking

557. Which of the following is a fingerprinting technique used by an attacker to detect the
vendor of a firewall, firmware version, and services running on a system?

A. Port scanning
B. Source routing
C. Firewalking
D. Banner grabbing

558. Firewalk has just completed the second phase (the scanning phase) and a technician
receives the output shown below.

What conclusions can be drawn based on these scan results?

TCP port 21—no response
TCP port 22—no response
TCP port 23—Time-to-live exceeded

A. The lack of response from ports 21 and 22 indicate that those services are not running
on the destination server.
B. The scan on port 23 passed through the filtering device. This indicates that port
23 was not blocked at the firewall.
C. The scan on port 23 was able to make a connection to the destination host prompting
the firewall to respond with a TTL error.
D. The firewall itself is blocking ports 21 through 23 and a service is listening on port 23
of the target host.

559. Check Point's FireWall-1 listens to which of the following TCP ports?

A. 1072
B. 1080
C. 1745
D. 259

560. Which method of firewall identification has the following characteristics:

• uses TTL values to determine gateway ACL filters
• maps networks by analyzing IP packet response
• probes ACLs on packet filtering routers/firewalls using the same method as trace-routing
• sends TCP or UDP packets into the firewall with a TTL value one hop greater than
the targeted firewall

A. Firewalking
B. Port scanning
C. Banner grabbing
D. Source routing

561. Which of the following tools is used to execute commands of choice by tunneling them
inside the payload of ICMP echo packets if ICMP is allowed through a firewall?

A. Anonymizer
B. AckCmd
C. Loki
D. HTTPTunnel

562. Which of the following is a two-way HTTP tunneling software tool that allows HTTP,
HTTPS, and SOCKS tunneling of any TCP communication between any client–server systems?

A. Super network tunnel
B. Loki
C. Bitvise
D. Secure Pipes

563. Which feature of the Secure Pipes tool opens application communication ports to remote
servers without opening those ports to public networks?

A. Remote backwards
B. SOCKS proxies
C. Remote forwards
D. Local forwards

564. Which of the following is a hijacking technique where an attacker masquerades as a
trusted host to conceal his identity, hijack browsers or websites, or gain unauthorized access
to a network?

A. Firewalking
B. IP address spoofing
C. Source routing
D. Port scanning

565. An organization’s web application firewall (WAF) allows specific queries and syntaxes
that originate from their internal addresses. Jack, a professional hacker, exploited this
functionality to send spoofed requests to trick the target WAF and server into believing that
the request originated from their internal network. Jack also appended various extensions
such as X-Originating-IP, X-Forwarded-For, X-Remote-IP, and X-Remote-Addr to the spoofed
requests to bypass the target WAF.

Identify the technique employed by Jack to bypass the target WAF.

A. HTTP header spoofing
B. VLAN hopping
C. MAC Spoofing
D. ARP Spoofing

566. In which of the following techniques do attackers first send payloads to the WAF
connected to their local network to identify the payloads that can be used for evasion and
then send those payloads to the target WAF for evasion?

A. Runtime execution path profiling
B. Function testing
C. Fuzzing/brute-forcing
D. Code emulation

567. In which of the following attacks does an attacker create a malicious link by developing a
JavaScript-based blob with a compatible MIME that is set to automatically download the
malware on the victim’s machine?

A. Pre-connection SYN
B. URL encoding
C. HTML smuggling
D. Polymorphic shellcode

568. Mark, a professional hacker, has targeted an organization’s employee to create a backdoor
on his system. To achieve his goal, Mark exploited a standard service of Microsoft-based OS
that distributes automatic updates to its global users. The administrators often disregard
monitoring this service as it delivers continuous updates.

Which of the following features did Mark abuse in the above scenario?

A. HTTP tunnelling
B. SSH tunnelling
C. ICMP protocol
D. Windows BITS

569. Identify the evasion technique used by attackers to bypass endpoint detection and
response (EDR) to infect the devices with potential malware and establish command and
control to maintain a foothold without being detected.

A. Banner grabbing
B. Dark web footprinting
C. XLM weaponization
D. Website mirroring

570. Which of the following is a simple VLAN enumeration and hopping script that sniffs out
CDP packets and extracts the VTP domain name, VLAN management address, native VLAN ID,
and IOS version of Cisco devices?

A. Maltego
B. got-responded
C. Frogger
D. Nikto

571. Identify the evasion technique in which attackers perform DLL hijacking to place a
malicious DLL with a legitimate name that the application is looking for in the same directory
where the executable resides, so that the malicious DLL gets executed along with the
application to disable the endpoint security.

A. Application whitelisting
B. Using blacklist detection
C. Overlapping fragments
D. Fake security applications

572. Which of the following tools allows an attacker to identify the hooked syscalls that are
stored in the memory during execution?

A. Censys
B. USM Anywhere
C. WIBR+-WIfi BRuteforce
D. X64dbg debugger

573. Which of the following tools allows attackers to analyze the detection rate of a malicious
file that is being propagated to bypass the antivirus solution?

A. VirusTotal
B. BeRoot
C. Robber
D. Zsteg

574. Which of the following is a cyber defense software suite with antivirus, anti-malware, and
intrusion detection capabilities?

A. Mention
B. Euromonitor
C. Followerwonk
D. Symantec Endpoint Protection

575. Which of the following tools allows attackers to create a malicious payload or launcher to
bypass endpoint protection?

A. Metagoofil
B. Octoparse
C. Covenant C2 Framework
D. Sherlock

576. Which of the following commands allows attackers to transform a malicious payload
created using Covenant C2 Framework into a position-independent shellcode?

A. ntdsutil "ac in ntds" "ifm" "cr fu c:\temp" q
B. Get-ObjectAcl -SamAccountName "users" -ResolveGUIDs
C. mimikatz "lsadump::dcsync /domain:(domain name) /user:Administrator"
D. ./donut -c GruntStager -a 3 -b 2 -z 2 -x -e 3 GruntHTTP.exe -o gruntloader.bin

577. Identify the bypass technique in which attackers use hex-format encryption to ping
different IP addresses for evading detection mechanisms.

A. Heuristic analysis
B. Website defacement
C. Honey trap
D. Passing encoded commands

578. Which of the following techniques allows attackers to leverage trusted in-built utilities for
the execution of malicious codes to evade EDR solutions?

A. Masking and filtering


B. Spawning using XMLDOM
C. Distortion techniques
D. Signed binary proxy execution

579. Which of the following techniques manipulates the TCP/IP stack and is effectively
employed to slow down the spread of worms and backdoors?

A. Layer 2 tar pits


B. Layer 7 tar pits
C. Layer 4 tar pits
D. Honeyd honeypot

580. One of the following techniques redirects all malicious network traffic to a honeypot after
any intrusion attempt is detected. Attackers can identify such honeypots by examining
specific TCP/IP parameters such as the round-trip time (RTT), time to live (TTL), and TCP
timestamp. Which is this technique?

A. User-Mode Linux (UML)
B. Fake AP
C. Snort_inline
D. Bait and switch

581. In what way do the attackers identify the presence of layer 7 tar pits?

A. By looking at the IEEE standards for the current range of MAC addresses
B. By looking at the responses with unique MAC address 0:0:f:ff:ff:ff
C. By looking at the latency of the response from the service
D. By analyzing the TCP window size

582. Which of the following methods is NOT a countermeasure to defend against IDS evasions?

A. Shut down switch ports associated with known attack hosts


B. Regularly update the antivirus signature database
C. Never define the DNS server for client resolver in routers
D. Train users to identify attack patterns

583. Which of the following countermeasures allows security professionals to defend against
IDS evasion?

A. Never store the attack information for future analysis


B. Always open switch ports associated with known attack hosts
C. Avoiding traffic normalization solutions at the IDS to protect the system from
evasions
D. Use the TCP FIN or Reset (RST) packet to terminate malicious TCP sessions

584. Which of the following methods is NOT a countermeasure to defend against firewall
evasion?

A. Never run regular risk queries to identify vulnerable firewall rules
B. Control physical access to the firewall
C. Take regular backups of the firewall rule set and configuration files
D. Catalog and review all inbound and outbound traffic allowed through the firewall

585. Riya wants to defend against the polymorphic shellcode problem. What countermeasure
should she take against this IDS evasion technique?

A. Catalog and review all inbound and outbound traffic
B. Configure a remote syslog server and apply strict measures to protect it from
malicious users
C. Disable all FTP connections to or from the network
D. Look for the nop opcode other than 0x90

586. Which of the following practices makes an organization’s network susceptible to IDS
evasion attempts?

A. Allow malicious script injection in snort rules directory
B. Look for the nop opcode other than 0x90 to defend against the polymorphic shellcode
problem
C. Perform an in-depth analysis of ambiguous network traffic for all possible threats
D. Use TCP FIN or Reset (RST) packet to terminate malicious TCP sessions

587. Which of the following methods is NOT a countermeasure to defend against IDS evasions?

A. Never define the DNS server for client resolver in routers
B. Shut down switch ports associated with known attack hosts
C. Regularly update the antivirus signature database
D. Train users to identify attack patterns

588. Which of the following practices helps security professionals defend their network
against firewall bypass attempts?

A. Never configure a remote syslog server
B. The firewall should be configured such that the IP address of an intruder should not
be filtered out
C. By default, enable all FTP connections to or from the network
D. Use HTTP Evader to run automated testing for suspected firewall evasions

589. Which of the following is a web-server component that provides storage on a different
machine or disk after the original disk is filled up?

A. Virtual hosting
B. Document root
C. Server root
D. Virtual document tree

590. Which of the following is a type of attack in which the attacker alters or deletes the data
of a web server and replaces the data with malware?

A. Data theft
B. Website defacement
C. Compromise of user accounts
D. Data tampering

591. Which of the following technologies belongs to the application layer and is used to
generate dynamic web content?

A. MySQL
B. Linux
C. PHP
D. Apache

592. Which of the following techniques makes a web server vulnerable to attacks?

A. Blocking unrestricted internal and outbound traffic
B. Using different system administrator credentials everywhere
C. Running unhardened applications and servers
D. Regularly updating the web server with the latest patches

593. Which of the following types of damage is caused when attackers access sensitive data
such as financial records, future plans, and the source code of a program?

A. Damage of the reputation of the company
B. Data theft
C. Data tampering
D. Website defacement

594. Identify the component of the web server that provides storage on a different machine or
a disk after the original disk is filled up.

A. Virtual document tree
B. Server root
C. Document root
D. Virtual hosting

595. Which of the following stores critical HTML files related to the webpages of a domain
name that will be served in response to requests?

A. Server root
B. Virtual document tree
C. Web proxy
D. Document root

596. Which of the following stores a server’s configuration, error, executable, and log files?

A. Server root
B. Virtual document tree
C. Web proxy
D. Document root

597. Which of the following provides storage on a different machine or disk after the original
disk is filled up?

A. Virtual hosting
B. Virtual document tree
C. Server root
D. Document root

598. In which of the following attack types does an attacker exploit the trust of an
authenticated user to pass malicious code or commands to a web server?

A. Cross-site scripting
B. Unvalidated input and file injection
C. SQL injection attack
D. Cross-site request forgery

599. In which of the following attack types does an attacker alter the visual appearance of a
web page by injecting code to add image popups or text?

A. Website defacement
B. Web cache poisoning
C. Web-server misconfiguration
D. Server-side request forgery

600. In which of the following attack types does an attacker flood an application with an excess
amount of data so that the application may crash or exhibit vulnerable behavior?

A. Denial-of-service attack
B. Directory traversal
C. Parameter/form tampering
D. Buffer overflow attack

601. In which of the following attack types does an attacker modify the content of a web page
by examining its HTML code and identifying form fields that lack valid constraints?

A. Buffer overflow attack
B. Command injection attack
C. Directory traversal
D. Cross-site scripting (XSS) attack

602. An attacker sends numerous fake requests to the webserver from various random
systems, which results in the webserver crashing or becoming unavailable to legitimate
users. Which attack did the attacker perform?

A. DNS amplification attack
B. HTTP response splitting attack
C. DNS server hijacking
D. DoS attack

603. If an attacker compromises a DNS server and changes the DNS settings so that all the
requests coming to the target webserver are redirected to his/her own malicious server, then
which attack did he/she perform?

A. DNS server hijacking
B. HTTP response splitting attack
C. DoS attack
D. DNS amplification attack

604. Which of the following attacks allows an attacker to access sensitive information by
intercepting and altering communications between an end user and webservers?

A. HTTP response splitting attack
B. Man-in-the-middle attack
C. Directory traversal attack
D. DoS attack

605. Which of the following attacks occurs when an intruder maliciously alters the visual
appearance of a webpage by inserting or substituting provocative, and frequently, offending
data?

A. Man-in-the-middle attack
B. Directory traversal attack
C. Website defacement
D. HTTP response splitting attack

606. Which of the following is not a session hijacking technique?

A. DNS hijacking
B. Session sidejacking
C. Cross-site scripting
D. Session fixation

607. The security analyst for Danels Company arrives at his office this morning and checks
the company's primary home page. He notes that the page shows the logo of a competitor
and text that does not belong to the real page. What kind of attack do the observed
signs correspond to?

A. Defacement
B. Phishing
C. HTTP attack
D. DDoS

608. Which of the following is a lookup database for default passwords, credentials, and ports?

A. ID Serve
B. Netcraft
C. Open Sez Me
D. NCollector Studio

609. Which of the following tools is a simple Internet server identification utility that is capable
of performing reverse DNS lookup and HTTP server identification?

A. ID Serve
B. OllyDbg
C. Dylib Hijack Scanner
D. NCollector Studio

610. Which of the following is a web security testing tool that can be used by an attacker to
predict and use the next possible session ID token to take over a valid session?

A. Burp Suite
B. Netcraft
C. Nikto2
D. NCollector Studio

611. Which of the following commands does an attacker use to detect HTTP Trace?

A. nmap --script hostmap <host>
B. nmap --script http-enum -p80 <host>
C. nmap -p80 --script http-trace <host>
D. nmap -p80 --script http-userdir-enum localhost

612. Which of the following commands does an attacker use to enumerate common web
applications?

A. nmap --script hostmap <host>
B. nmap --script http-enum -p80 <host>
C. nmap -p80 --script http-trace <host>
D. nmap -p80 --script http-userdir-enum localhost

613. Which of the following tools is used by an attacker to perform website mirroring?

A. Hydra
B. Nessus
C. Netcraft
D. HTTrack

614. An attacker wants to perform a session hijacking attack. What tool should he use to
achieve his objective?

A. Hydra
B. Nessus
C. Netcraft
D. Burp suite

615. Attackers use GET and CONNECT requests to use vulnerable web servers as which of the
following?

A. Application servers
B. DNS servers
C. Proxies
D. None of the above

616. Which of the following types of payload modules in the Metasploit framework is self-
contained and completely stand-alone?

A. Stages
B. Singles
C. Stagers
D. Exploit

617. Which of the following is a web crawler optimized for searching and analyzing directories,
and it can find interesting results if the server has the "index of" mode enabled?

A. Hashcat
B. Shadowsocks
C. Dirhunt
D. Ettercap

618. Which of the following techniques is NOT a countermeasure for securing accounts?

A. Eliminate unnecessary database users and stored procedures
B. Enable unused default user accounts
C. Use secure web permissions, NTFS permissions, and .NET Framework access control
mechanisms
D. Remove all unused modules and application extensions

619. Which of the following techniques is NOT a countermeasure to defend against web server
attacks?

A. Relocate sites and virtual directories to non-system partitions
B. Use a dedicated machine as a web server
C. Install IIS server on a domain controller
D. Secure the SAM

620. Which of the following is not a defensive measure for web server attacks while
implementing Machine.config?

A. Encrypt or restrict intranet traffic
B. Restrict code access security policy settings
C. Limit inbound traffic to port 80 for HTTP and port 443 for HTTPS (SSL)
D. Ensure that tracing is enabled <trace enable="true"/> and debug compiles are
turned on

621. Which of the following is not a defensive measure for web server attacks?

A. Ensure that protected resources are mapped to HttpForbiddenHandler and unused
HttpModules are removed
B. Limit inbound traffic to port 80 for HTTP and port 443 for HTTPS (SSL)
C. Encrypt or restrict intranet traffic
D. Configure IIS to accept URLs with "../"

622. Which of the following is NOT a best approach to protect your firm against web server
attacks?

A. Remove unnecessary ISAPI filters from the web server
B. Allow remote registry administration
C. Secure the SAM (Stand-alone Servers Only)
D. Apply restricted ACLs

623. Which of the following is NOT a best approach to protect your firm against web server
files and directories?

A. Avoid mapping virtual directories between two different servers, or over a network
B. Eliminate unnecessary files within the .jar files
C. Disable serving certain file types by creating a resource mapping
D. Enable serving of directory listings

624. Which of the following is not a webserver security tool?

A. Retina CS
B. NetIQ secure configuration manager
C. Netcraft
D. Fortify WebInspect

625. Which of the following countermeasures helps administrators in securing user accounts
on a web server?

A. Run processes using elevated privileged accounts
B. Enable administrator or root-level access to maximum number of users
C. Enable unused default user accounts
D. Use password managers such as KeePass

626. Which of the following security practices makes user accounts on a web server
vulnerable to various attacks?

A. Enable the user account locking feature
B. Disable unused default user accounts
C. Disable the Separation of Duties (SoD) feature on the server config settings
D. Implement 2FA or MFA for user accounts

627. Which of the following security practices can make files and directories on a web server
vulnerable to various cyberattacks?

A. Eliminate unnecessary files
B. Never allow file integrity checkers to verify the web content
C. Disable the serving of certain file types by creating a resource map
D. Run the web server within a sandbox directory

628. Which of the following teams has the responsibility to check for updates and patches
regularly?

A. Vulnerability assessment team
B. Red team
C. Patch management team
D. Security software development team

629. A security administrator is looking for a patch management tool that scans the
organizational network and manages security and non-security patches. Which of the
following patch management tools can he/she use to perform the required task?

A. Netscan Pro
B. GFI LanGuard
C. Burp suite
D. Nikto

630. Which of the following is not a patch management tool?

A. Netscan Pro
B. GFI LanGuard
C. Burp suite
D. Nikto

631. Andrew, a software developer at the CyberTech organization, has released a security update
that acts as a defensive technique against the vulnerabilities in a software product the
company released earlier. Identify the technique used by Andrew to resolve the software
vulnerabilities.

A. Patch Management
B. Vulnerability Management
C. Product Management
D. Risk Management

632. Which of the following is true for the automated patch management process?

A. Acquire -> assess -> detect -> deploy -> test -> maintain
B. Assess -> detect -> acquire -> deploy -> test -> maintain
C. Acquire -> assess -> detect -> test -> deploy -> maintain
D. Detect -> assess -> acquire -> test -> deploy -> maintain

633. Which of the following is considered as a repair job to a programming problem?

A. Patch
B. Assessment
C. Penetration test
D. Vulnerability

634. Which of the following layers in the web application architecture contains various
components such as a firewall, an HTTP request parser, a proxy caching server, an
authentication and login handler, a resource handler, and a hardware component?

A. Client or presentation layer
B. Web-server logic layer
C. Database layer
D. Business logic layer

635. Which of the following web services is designed to make services more productive and
uses many underlying HTTP concepts to define the services?

A. XML-RPC
B. RESTful
C. SOAP
D. JSON-RPC

636. Which of the following components of the web service architecture is an extension of
SOAP and can be used to maintain the integrity and confidentiality of SOAP messages?

A. WS-Security
B. UDDI
C. WSDL
D. WS-policy

637. In which layer of the web application vulnerability stack does an attacker exploit
business-logic flaws and technical vulnerabilities to perform input validation attacks such as
XSS?

A. Layer 4
B. Layer 5
C. Layer 6
D. Layer 7

638. Which technology do SOAP services use to format information?

A. PCI
B. ISDN
C. SATA
D. XML

639. Which of the following security misconfigurations supports weak algorithms and uses
expired or invalid certificates, resulting in data exposure and account theft?

A. Parameter/form tampering
B. Insufficient transport layer protection
C. Unvalidated inputs
D. Improper error handling

640. Which of the following attacks allows an attacker to encode portions of the attack with
Unicode, UTF-8, Base64, or URL encoding to hide their attacks and avoid detection?

A. Network access attack
B. Authentication hijacking
C. Obfuscation application
D. Cookie snooping

641. One of the following is a clickjacking technique in which an attacker creates an iframe of
1 × 1 pixels containing malicious content placed secretly under the mouse cursor. When the
user clicks on this cursor, it will be registered on a malicious page. Which is this clickjacking
technique?

A. Hidden overlay
B. Rapid content replacement
C. Click event dropping
D. Complete transparent overlay

642. Which of the following is an application security threat that occurs when an application
includes untrusted data in a new web page without proper validation or escaping or when
an application updates an existing web page with user-supplied data?

A. XML external entity (XXE)
B. Security misconfiguration
C. Components with known vulnerabilities
D. Cross-site scripting (XSS)

643. Which of the following is an attack that can majorly affect web applications, including
the basic level of service, and allows a level of privilege that standard HTTP application
methods cannot grant?

A. Network access attacks
B. Buffer overflow
C. CAPTCHA attacks
D. Platform exploits

644. In which of the following attacks does an attacker load the target website inside a low-
opacity iframe?

A. Clickjacking attack
B. RC4 NOMORE attack
C. JavaScript hijacking
D. DNS rebinding attack

645. In which of the following attacks does an attacker trick or attract a user into accessing a
legitimate web server using an explicit session ID value?

A. Session fixation attack
B. Malicious file execution
C. Failure to restrict URL access
D. Security management exploits

646. The Open Web Application Security Project (OWASP) testing methodology addresses the
need to secure web applications by providing which one of the following services?

A. A security certification for hardened web applications
B. A list of flaws and how to fix them
C. An extensible security framework named COBIT
D. Web application patches

647. Which of the following attacks can take place due to flaws such as insecure
cryptographic storage and information leakage?

A. SQL injection
B. Sensitive data exposure
C. Command injection
D. Shell injection

648. Which of the following attacks exploits vulnerabilities in dynamically generated
webpages, which enables malicious attackers to inject client-side scripts into webpages
viewed by other users?

A. Broken access control
B. Cross-site scripting
C. Sensitive data exposure
D. Security misconfiguration

649. If threat detection software installed in an organization's network either does not
record a malicious event or ignores important details about the event, then what kind
of vulnerability is it?

A. Security Logging and Monitoring Failures
B. Security misconfiguration
C. Broken access control
D. Sensitive data exposure

650. During a penetration test, a tester finds that the web application being analyzed is
vulnerable to XSS. Which of the following conditions must be met to exploit this
vulnerability?

A. The victim user should not have an endpoint security solution.
B. The web application does not have the secure flag set.
C. The victim's browser must have ActiveX technology enabled.
D. The session cookies do not have the HttpOnly flag set.

651. A security analyst in an insurance company is assigned to test a new web application
that will be used by clients to help them choose and apply for an insurance plan. The analyst
discovers that the application has been developed in ASP scripting language and it uses
MSSQL as a database backend. The analyst locates the application's search form and
introduces the following code in the search input field:
IMG SRC=vbscript:msgbox("Vulnerable");> originalAttribute="SRC" originalPath="vbscript:msgbox("Vulnerable");>"
When the analyst submits the form, the browser returns a pop-up window that says
“Vulnerable.”
Which web application vulnerability did the analyst discover?

A. Command injection
B. SQL injection
C. Cross-site request forgery
D. Cross-site scripting

652. An attacker identifies the kind of websites a target company/individual is frequently
surfing and tests those particular websites to identify any possible vulnerabilities. When the
attacker identifies the vulnerabilities in the website, the attacker injects malicious
script/code into the web application that can redirect the webpage and download the
malware onto the victim’s machine. After infecting the vulnerable web application, the
attacker waits for the victim to access the infected web application. What kind of an attack is
this?

A. Water hole attack
B. Phishing attack
C. Jamming attack
D. Denial-of-service attack

653. Which of the following application security risks occurs as a result of failure in the
implementation of proper key management systems or using old keys for protecting the
sensitive data of an organization?

A. Cryptographic failures
B. Security misconfiguration
C. Software and data integrity failures
D. Injection

654. Which of the following HTTP service port numbers is used for connecting to a remote
network server system?

A. Port 80
B. Port 81
C. Port 88
D. Port 384

655. Which of the following techniques is used by an attacker to enumerate usernames from a
target web application?

A. Dictionary attack
B. Bypass SAML-based SSO
C. Cookie poisoning
D. Verbose failure message

656. Which of the following is a built-in tool of Burp Suite that is used for inspecting and
modifying traffic between a browser and target application?

A. Intruder tool
B. Application-aware
C. Intercepting proxy
D. Sequencer tool

657. Which of the following techniques does an attacker use to replace the value of the data
source parameter with that of a rogue Microsoft SQL server?

A. Hash stealing
B. Port scanning
C. Hijacking web credentials
D. Connection pool DoS

658. Which of the following attacks is possible when an attacker executes .bat or .cmd files
and changes the values by superimposing one or more operating-system commands through
the request?

A. SOAPAction spoofing
B. WS-address spoofing
C. XML injection attack
D. Parsing attack

659. Which of the following attacks allows an attacker to inject malicious content, modify the
user's online experience, and obtain unauthorized information?

A. Session prediction
B. Cross-site request forgery
C. Session poisoning
D. Session brute-forcing

660. In which of the following cookie exploitation attacks does an attacker modify the cookie
contents to obtain unauthorized information about a user and thereby perform identity
theft?

A. Cookie replay
B. Session brute-forcing
C. Cookie sniffing
D. Cookie poisoning

661. Which of the following automatically discover hidden content and functionality by
parsing HTML form and client-side JavaScript requests and responses?

A. Firewalls
B. Web spiders
C. Banners
D. Proxies

662. An attacker wants to exploit a webpage. From which of the following points does he start
his attack process?

A. Identify server-side technologies
B. Map the attack surface
C. Identify server-side functionality
D. Identify entry points for user input

663. Which of the following data can be gathered by attackers after infecting the Google
Chrome browser?

A. News articles, press releases, and related documents
B. Legal documents related to the organization
C. User’s spoken language
D. Partners of the organization

664. Which of the following web-service APIs is programmed to generate, recover, modify,
and erase different logs such as profiles, credentials, and business leads?

A. XML-RPC
B. SOAP API
C. RESTful API
D. JSON-RPC

665. Which of the following types of API vulnerabilities occurs when an input is not sanitized
and can be exploited by adding malicious SQL statements to input fields to steal session
cookies and user credentials?

A. Business logic flaws
B. Sharing resources via unsigned URLs
C. Improper use of CORS
D. Code injections

666. Which of the following API vulnerabilities allows attackers to gain unauthorized access
to API objects or perform actions such as viewing, updating, or deleting?

A. No ABAC validation
B. RBAC privilege escalation
C. Enumerated resources
D. Business logic flaws

667. Which of the following protocols provides transport-level security for API messages to
ensure confidentiality through encryption and integrity through signature?

A. SSL
B. IMAP
C. FTP
D. NTP

668. Which of the following metadata formats does the SOAP API use to reveal a large amount
of technical information such as paths, parameters, and message formats?

A. Swagger
B. API-Blueprint
C. WSDL/XML-Schema
D. I/O Docs

669. Which of the following techniques is used by an attacker to connect a fake account on the
provider with a victim’s account on the client side?

A. CSRF on authorization response
B. Access token reusage
C. Attack on “Connect” request
D. Attack on “redirect_uri”

670. Which of the following APIs is a user-defined HTTP callback or push API that is raised
based on events triggered, such as receiving a comment on a post or pushing code to the
registry?

A. Webhook
B. REST API
C. SOAP API
D. RESTful API

671. Which of the following best practices should be followed to prevent web-shell
installation?

A. Activate directory browsing in the web server
B. Do not use escapeshellarg() or escapeshellcmd()
C. Enable all PHP functions such as exec(), shell_exec(), show_source(), proc_open(),
passthru(), and pcntl_exec()
D. Establish a reverse proxy service for retrieving resources

672. In which of the following attacks does an attacker repeatedly send some random input to
a target API to generate error messages that reveal critical information?

A. Invalid input attack
B. Login/credential stuffing attack
C. Malicious input attack
D. Fuzzing

673. In one of the following features of the RESTful API, the client end stores the state of the
session, and the server is restricted to save data during request processing. Which is this
feature?

A. Code on demand
B. Stateless
C. Cacheable
D. Uniform interface

674. In which of the following layers of API security can an SQL join be used to query an SQL
database using the data link layer based on API calls to verify the user context, in contrast to
the data stored by the SQL layer?

A. Layer two
B. Layer four
C. Layer one
D. Layer three

675. Identify the API security layer that creates a mapper layer to enable the conversion of all
the database records into different user-visible models.

A. Layer two
B. Layer four
C. Layer one
D. Layer three

676. Which of the following practices helps security experts secure web APIs from various
attacks?

A. Do not implement a pagination technique
B. Use client-generated tokens embedded in HTML as hidden fields for validating the
incoming request
C. Ensure that all the requests are made from stateful communication APIs
D. Use SOAP APIs with in-built security features instead of conventional design-
based REST APIs

677. Which of the following countermeasures should be followed to defend against watering-
hole attacks?

A. Use browser plug-ins that allow HTTP redirects
B. Enable third-party content such as advertising services, which track user activities
C. Secure the DNS server to prevent attackers from redirecting the user to a new
location
D. Never run the web browser in a virtual environment

678. Which of the following countermeasures should be followed to protect web applications
against broken authentication and session management attacks?

A. Apply pass phrasing with at least five random words
B. Never use SSL for all authenticated parts of the application
C. Do not check weak passwords against a list of the top bad passwords
D. Submit session data as part of GET and POST

679. Which of the following countermeasures should be followed to protect web applications
against broken access control?

A. Implement a session timeout mechanism
B. Never remove session tokens on the server side on user logout
C. Implement client-side caching mechanisms
D. Never limit file permissions to authorized users

680. Which statement is TRUE regarding network firewalls in preventing web application
attacks?

A. Network firewalls cannot prevent attacks because ports 80 and 443 must be
kept opened.
B. Network firewalls cannot prevent attacks if they are properly configured.
C. Network firewalls can prevent attacks because they can detect malicious HTTP
traffic.
D. Network firewalls cannot prevent attacks because they are too complex to configure.

681. In which type of fuzz testing does the protocol fuzzer send forged packets to the target
application that is to be tested?

A. Generation-based
B. Mutation-based
C. Protocol-based
D. None of the above

682. Which of the following practices helps security professionals defend web applications
against SQL injection attempts?

A. Never use custom error messages
B. Do not move extended stored procedures to an isolated server
C. Avoid using shared databases and the same account for multiple databases
D. Use dynamic SQL and construct queries with user input

683. Identify the practice that can make an organization’s web application environment
susceptible to SQL injection attacks.

A. Use shared databases and the same account for multiple databases
B. Harden OSes and applications by following the guidelines issued by vendors
C. Always use the latest versions of programming languages and technologies for
development
D. Use vulnerability scanners to identify possible entry points

684. Identify the practice that can help security experts protect the organizational network
against LDAP injection attacks.

A. Never configure LDAP with bind authentication
B. Construct LDAP search filters by concatenating strings
C. Establish the LDAP binding account in the environment with the least
privileges possible
D. Do not use the AND filter to enforce restrictions on similar entries

685. Which of the following practices can make an organizational network susceptible to
LDAP injection attacks?

A. Use SaaS-based testing services for combating LDAP injection attacks
B. Never configure LDAP with bind authentication
C. Use LDAPS for encrypting and securing communication on web servers
D. Sanitize all the user-end inputs and escape any special characters

686. Which of the following practices helps administrators protect web applications from file
injection attempts?

A. Configure a separate database for the files and file paths, along with a unique
identifier/ID for each path, to avoid MITM attacks
B. Allow the execution of files in default directories
C. PHP: Enable allow_url_fopen and allow_url_include in php.ini.
D. PHP: Enable register_globals and avoid using E_STRICT to find uninitialized variables

687. Which of the following practices makes an organization’s web application vulnerable to
file injection attacks?

A. Employ a WAF security layer for monitoring the file injection attacks at the server
B. Check for PHP wrappers such as PHP filter and PHP ZIP to prevent access to
sensitive files in the local server’s file system
C. PHP: Disable allow_url_fopen and allow_url_include in php.ini
D. Allow the execution of files in default directories

688. Which of the following practices helps security experts secure an organization’s web
application from server-side include (SSI) injection attacks?

A. Ensure that user input includes characters used in SSI directives
B. Implement SUExec for the execution of pages as the file owner
C. Never use HTML encoding to the user input before executing it on the web pages
D. Use pages with file name extensions such as .stm, .shtm, and .shtml

689. In which of the following SQL injection attacks does an attacker deface a web page,
insert malicious content into web pages, or alter the contents of a database?

A. Compromised data integrity
B. Compromised availability of data
C. Remote code execution
D. Authorization bypass

690. Which of the following is the result obtained after executing the SQL query “SELECT *
FROM User_Data WHERE Email_ID = 'blah' OR 1=1”?

A. Update Table
B. Add New Records
C. Identify the Table Name
D. Return More Data

691. SQL injection attacks do not exploit a specific software vulnerability; instead they target
websites that do not follow secure coding practices for accessing and manipulating data
stored in a relational database.

A. True
B. False

692. Which of the following system tables does the MS SQL Server database use to store metadata?
Hackers can use this system table to acquire database schema information to further
compromise the database.

A. Sysobjects
B. Syscells
C. Sysdbs
D. Sysrows

693. Which of the following methods carries the requested data to the webserver as a part of
the message body?

A. IBM DB2
B. HTTP GET
C. HTTP POST
D. Cold fusion

694. Which of the following is the most effective technique in identifying vulnerabilities or
flaws in the web page code?

A. Packet analysis
B. Code analysis
C. Traffic analysis
D. Data analysis

695. An attacker injects the following SQL query:

blah' AND 1=(SELECT COUNT(*) FROM mytable); --

What is the intention of the attacker?

A. Deleting a table
B. Identifying the table name
C. Updating table
D. Adding new records

696. Identify the reason why Web Applications are vulnerable to SQL injection attacks.

A. Reject entries that contain binary data, escape sequences, and comment characters.
B. Avoid constructing dynamic SQL with concatenated input values.
C. Error messages reveal important information
D. Tests the content of string variables and accepts only expected values.

697. In which of the following attacks does an attacker pose a true or false question to a
database to determine whether an application is vulnerable to SQL injection?

A. Union SQL injection
B. Blind SQL injection
C. In-band SQL injection
D. In-band SQL injection

698. In which of the following attacks does an attacker inject an additional malicious query
into an original query to make the DBMS execute multiple SQL queries?

A. Illegal/logically incorrect query
B. Piggybacked query
C. System stored procedure
D. Tautology

699. In one of the following attacks, an attacker uses different communication channels to
perform the attack and obtain results. It is difficult to perform as the attacker needs to
communicate with a database server and determine the server features used by a web
application. Which is this attack?

A. In-band SQL injection
B. Out-of-band SQL injection
C. Union SQL injection
D. End-of-line comment

700. What is the main difference between a “Normal” SQL injection and a “Blind” SQL
injection vulnerability?

A. The request to the webserver is not visible to the administrator of the vulnerable
application.
B. A successful attack does not show an error message to the administrator of the
affected application.
C. The vulnerable application does not display errors with information about the
injection results to the attacker.
D. The attack is called “Blind” because, although the application properly filters user
input, it is still vulnerable to code injection.

701. Steve works as a penetration tester in a firm named InfoSecurity. Recently, Steve was
given an assignment to test the security of the company’s web applications and backend
database. While conducting the test, he sends a malicious SQL query with conditional timing
delays to the backend database through the web application. This conditional time delay
forces the database to wait for a specified amount of time before responding. He performs
the same task using different malicious SQL queries. By observing various query responses
from the database, Steve came to know that the web application is vulnerable to an SQL
injection attack.

What type of SQL injection attack is Steve most likely performing?

A. Out-of-band SQL Injection
B. Error-based SQL injection
C. Union-based SQL injection
D. Blind SQL injection

702. In which of the following attacks does an attacker use a conditional OR clause in such a
way that the condition of the WHERE clause will always be true?

A. Illegal/logically incorrect query
B. UNION SQL injection
C. Tautology
D. End-of-line comment

703. In which of the following attacks does an attacker inject an additional malicious query to
the original query?

A. Piggybacked query
B. UNION SQL injection
C. Tautology
D. End-of-line comment

704. Which of the following attacks is time-intensive because the database should generate a
new statement for each newly recovered bit?

A. Blind SQL injection
B. In-band SQL injection
C. Error-based SQL injection
D. UNION SQL injection

705. Which of the following commands is used to make the CPU wait for a specified amount of
time before executing an SQL query?

A. UNION SELECT 1,null,null--
B. WAITFOR DELAY '0:0:10'--
C. ORDER BY 10--
D. GET_HOST_NAME()

706. Which of the following SQL queries is an example of a heavy query used in SQL injection?

A. SELECT Name, Price, Description FROM ITEM_DATA WHERE ITEM_ID = 67 AND 1 = 1
B. SELECT * FROM products WHERE id=1 AND 1 < SELECT count(*) FROM
all_users A, all_users B, all_users C
C. SELECT Name, Phone, Address FROM Users WHERE Id=1 UNION ALL SELECT
creditCardNumber,1,1 FROM CreditCardTable
D. SELECT * FROM products WHERE id_product=$id_product

707. In one of the following methods, an attacker attempts to replicate error-free navigation
by injecting simple inputs such as ' and '1' = '1 Or ' and '1' = '2 and forces an application to
generate application errors that reveal information such as table names, column names, and
data types. Which is this method?

A. Determining a SELECT query structure
B. Parameter tampering
C. Determining the database engine type
D. Type mismatch

708. Which of the following issues can be detected when testers send long strings of junk
data, similar to strings for detecting buffer overruns that throw SQL errors on a page?

A. Truncation
B. SQL modification
C. Input sanitization
D. SQL injection

709. In which of the following techniques does an attacker use logical requests such as
AND/OR to bypass a firewall?

A. Blind SQL injection
B. Normalization method
C. HPF technique
D. CRLF technique

710. In which of the following database technologies is the SQL query [SELECT * FROM
syscat.columns WHERE tabname= 'tablename'] used for column enumeration?

A. MSSQL
B. MySQL
C. Oracle
D. DB2

711. Which of the following operators is used for string concatenation in an Oracle database?

A. " "&" "
B. concat(,)
C. ' '+' '
D. ' '||' '

712. Which of the following queries is used to create a database account in Microsoft SQL
Server?

A. CREATE USER victor IDENTIFIED BY Pass123 TEMPORARY TABLESPACE temp
DEFAULT TABLESPACE users; GRANT CONNECT TO victor; GRANT RESOURCE TO
victor;
B. exec sp_addlogin 'victor', 'Pass123' exec sp_addsrvrolemember 'victor',
'sysadmin'
C. CREATE USER victor IDENTIFIED BY 'Pass123'
D. INSERT INTO mysql.user (user, host, password) VALUES ('victor', 'localhost',
PASSWORD('Pass123'))

713. Which of the following functions can be used by an attacker to link a target SQL server’s
database to the attacker’s own machine and retrieve data from the target SQL server
database?

A. OPENROWSET()
B. CONVERT()
C. LOAD_FILE()
D. INTO OUTFILE()

714. Which of the following countermeasures allows developers to protect PL/SQL code from
SQL injection attacks?

A. Maximize user inputs to dynamic SQL
B. Make use of bind parameters in dynamic SQL
C. Always use single quotes
D. Never sanitize user inputs before including them in dynamic SQL statements

715. Shea is a licensed penetration tester. She is working with a client to test their new e-
commerce website for SQL injection. After signing the NDA and agreeing on the rules of
engagement (RoE), she starts by examining and listing all the input fields on the website. She
tries to insert a string value in the CVV2 textbox, where a three-digit number is expected,
and she ends up with the below error message.

Identify in which stage of the SQL injection methodology is Shea right now.

A. Information gathering and SQL injection vulnerability detection
B. Launch SQL injection attacks
C. Exploit second-order SQL injection
D. Perform blind SQL injection

716. A tester has been hired to perform source code review of a web application to detect SQL
injection vulnerabilities. As part of the testing process, he needs to get all the information
about the project from the development team. During the discussion with the development
team, he comes to know that the project is in the initial stage of the development cycle. As
per the above scenario, which of the following processes does the tester need to follow in
order to save the company’s time and money?

A. The tester needs to perform static code analysis as it covers the structural and
statement coverage testing
B. The tester needs to perform dynamic code analysis as it finds and fixes the defects
C. The tester needs to perform dynamic code analysis as it uncovers bugs in the
software system
D. The tester needs to perform static code analysis as it covers the executable file of the
code

717. David, a penetration tester, was asked to check the company's MySQL database for
SQL injection attacks. He decided to check the backend database for a double-blind SQL
injection attack. He knows that double-blind SQL injection exploitation is performed based
on an analysis of time delays, and he needs to use some functions to process the time delays.
David wanted to use a function that does not use the processor resources of the server.
Which of the following functions does David need to use?

A. sleep()
B. benchmark()
C. addcslashes()
D. mysql_query()

718. In which of the following evasion techniques does an attacker use a WHERE statement
that is always evaluated as “true” so that any mathematical or string comparison can be
used, such as “' or '1'='1'”?

A. Variations
B. Declare variables
C. Case variation
D. Null byte

719. Which of the following practices helps developers defend against SQL injection attacks?

A. Always construct dynamic SQL with concatenated input values
B. Allow entries that contain binary data, escape sequences, and comment characters
C. Test the content of string variables and accept only expected values
D. Build Transact-SQL statements directly from user input

720. Which of the following commands has to be disabled to prevent exploitation at the OS
level?

A. cat
B. ping
C. execute
D. xp_cmdshell

721. Which of the following is a Snort rule that is used to detect and block an SQL injection
attack?

A. SqlDataAdapter myCommand = new SqlDataAdapter("LoginStoredProcedure '" +
Login.Text +"'", conn);
B. UNION Select Password
C. /(\%27)|(\')|(\-\-)|(\%23)|(#)/ix
D. ' OR 5 BETWEEN 1 AND 7

722. Finch, a security professional, was tasked with securing an organization’s database from
SQL injection attacks. For this purpose, he updated the code using the Replace() method and
inserted wildcard characters such as % and [ between the square brackets so that such
characters are omitted from the actual code.

Identify the defensive technique employed by Finch in the above scenario.

A. Wrapping parameters with QUOTENAME() and REPLACE()
B. LIKE clauses
C. Whitelist validation
D. Enforcing least privileges

723. Which of the following practices makes an organization’s database server vulnerable to
SQL injection attacks?

A. Use the same database accounts for multiple applications.
B. Reject entries that contain binary data, escape sequences, and comment characters.
C. Never build Transact-SQL statements directly from user input and use stored
procedures to validate user input.
D. Test the contents of string variables and accept only expected values.

724. Which of the following technologies is an air interface for 4G and 5G broadband wireless
communications?

A. MIMO-OFDM
B. OFDM
C. DSSS
D. FHSS

725. Which of the following wireless standards uses modulation schemes such as GFSK, π/4-
DPSK, and 8DPSK and a frequency of 2.4 GHz with data transfer rates in the range of 25–50
Mbps?

A. 802.15.1 (Bluetooth)
B. 802.11a
C. 802.16 (WiMAX)
D. 802.11g

726. Which type of antenna is used in wireless communication?

A. Bidirectional
B. Omnidirectional
C. Unidirectional
D. Parabolic

727. In a LAN-to-LAN wireless network, the APs provide wireless connectivity to local
computers, and computers on different networks can be interconnected.

A. True
B. False

728. Which of the following is used to connect wireless devices to a wireless/wired network?

A. Access point (AP)
B. Hotspot
C. Bandwidth
D. Association

729. In which of the following processes do the station and access point use the same WEP
key to provide authentication, which means that this key should be enabled and configured
manually on both the access point and the client?

A. Shared key authentication process
B. WEP encryption
C. Open-system authentication process
D. WPA encryption

730. Which of the following networks is used for very long-distance communication?

A. WiMax
B. Bluetooth
C. Wi-Fi
D. ZigBee

731. Which of the following is considered the method of transmitting radio signals by
rapidly switching a carrier among many frequency channels?

A. Frequency-hopping Spread Spectrum (FHSS)
B. Direct-sequence Spread Spectrum (DSSS)
C. Orthogonal Frequency-division Multiplexing (OFDM)
D. Multiple input, multiple output orthogonal frequency-division multiplexing (MIMO-
OFDM)

732. In which of the following is the original data signal multiplied with a pseudorandom
noise spreading code?

A. Direct-sequence Spread Spectrum (DSSS)
B. Multiple input, multiple output orthogonal frequency-division multiplexing (MIMO-
OFDM)
C. Orthogonal Frequency-division Multiplexing (OFDM)
D. Frequency-hopping Spread Spectrum (FHSS)

733. Which of the following is a standard for Wireless Local Area Networks (WLANs) that
provides improved encryption for networks that use 802.11a, 802.11b, and 802.11g
standards?

A. 802.11d
B. 802.11n
C. 802.11i
D. 802.11e

734. Which of the following Wi-Fi security protocols uses GCMP-256 for encryption and
HMAC-SHA-384 for authentication?

A. WPA3
B. PEAP
C. WEP
D. CCMP

735. Which of the following encryption methods has KRACK vulnerabilities that make it
susceptible to packet sniffing, connection hijacking, malware injection, and decryption
attacks?

A. EAP
B. WEP
C. WPA
D. WPA2

736. WPA2 uses AES for wireless data encryption at which of the following encryption levels?

A. 64 bit and CCMP
B. 128 bit and CRC
C. 128 bit and CCMP
D. 128 bit and TKIP

737. Which of the following cryptographic algorithms is used by CCMP?

A. RC4
B. AES
C. DES
D. TKIP

738. Donald works as a network administrator with ABCSecurity, Inc., a small IT based firm in
San Francisco. He was asked to set up a wireless network in the company premises which
provides strong encryption to protect the wireless network against attacks. After doing
some research, Donald decided to use a wireless security protocol which has the following
features:

• Provides stronger data protection and network access control
• Uses AES encryption algorithm for strong wireless encryption
• Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP)

Which of the following wireless security protocols did Donald decide to use?

A. WPA
B. WPA2
C. WEP
D. TKIP

739. Which of the following encryption techniques is used in WPA?

A. TKIP
B. DES
C. RSA
D. AES

740. Which of the following does not provide cryptographic integrity protection?

A. WPA2
B. TKIP
C. WEP
D. WPA

741. Which of the following protocols encapsulates the EAP within an encrypted and
authenticated Transport Layer Security (TLS) tunnel?

A. PEAP
B. RADIUS
C. CCMP
D. LEAP

742. Which of the following consists of a 40/104-bit encryption key length?

A. WPA
B. WPA2
C. WEP
D. RSA

743. Which of the following includes mandatory support for Counter Mode with Cipher Block
Chaining Message Authentication Code Protocol (CCMP)?

A. WPA2
B. WEP
C. TKIP
D. WPA

744. Which of the following attack techniques is used by an attacker to send forged control,
management, or data frames over a wireless network to misdirect wireless devices and
perform other types of attacks such as DoS?

A. Integrity attack
B. Availability attack
C. Confidentiality attack
D. Authentication attack

745. Which of the following is a type of access-control attack in which an attacker uses any USB
adapter or wireless card and connects a host to an unsecured client to attack a specific client
or to avoid AP security?

A. Promiscuous client
B. Unauthorized association
C. Ad hoc association
D. Client mis-association

746. In which of the following types of attack does an attacker exploit the carrier-sense
multiple access with collision avoidance (CSMA/CA) clear channel assessment (CCA)
mechanism to make a channel appear busy?

A. Denial of service
B. Access point theft
C. EAP failure
D. Beacon flood

747. In which of the following attacks does an attacker exploit dynamic routing protocols, such
as DSR and AODV, and place themselves strategically in a target network to sniff and record
ongoing wireless transmissions?

A. Wormhole attack
B. RADIUS replay
C. Sinkhole attack
D. Honeypot AP attack

748. Which of the following availability attacks involves exploiting the CSMA/CA Clear Channel
Assessment (CCA) mechanism to make a channel appear busy?

A. Routing Attack
B. Authenticate Flood
C. Beacon Flood
D. Denial-of-Service

749. John is a pen tester working with an information security consultant based in Paris. As
part of a penetration testing assignment, he was asked to perform wireless penetration
testing for a large MNC. John knows that the company provides free Wi-Fi access to its
employees on the company premises. He sets up a rogue wireless access point with the same
SSID as that of the company’s Wi-Fi network just outside the company premises. He sets up
this rogue access point using the tools that he has and hopes that the employees might
connect to it. What type of wireless confidentiality attack is John trying to do?

A. Evil Twin AP
B. War Driving
C. WEP Cracking
D. KRACK Attack

750. Fill in the blank.

Posing as an authorized AP by beaconing the WLAN's service set identifier (SSID) to lure users
is known as __________.

A. Honeypot AP
B. Masquerading
C. Man-in-the-Middle Attack
D. Evil Twin AP

751. Steven, a wireless network administrator, has just finished setting up his company’s
wireless network. He has enabled various security features such as changing the default SSID
and enabling strong encryption on the company’s wireless router. Steven decides to test the
wireless network for confidentiality attacks to check whether an attacker can intercept
information sent over wireless associations, whether sent in clear text or encrypted by Wi-Fi
protocols. As a part of testing, he tries to capture and decode unprotected application traffic
to obtain potentially sensitive information using hardware or software tools such as Ettercap,
Kismet, Wireshark, etc. What type of wireless confidentiality attack is Steven trying to do?

A. Evil twin AP
B. Eavesdropping
C. WEP Key Cracking
D. Masquerading

752. Which of the following attacks is an inter-chip privilege escalation attack, where an
attacker exploits the underlying vulnerabilities in wireless chips that handle wireless
communications such as Bluetooth and Wi-Fi?

A. aLTEr attack
B. Evil twin
C. Wireless co-existence attack
D. AP MAC spoofing

753. In a GNSS spoofing technique, attackers track the receiver’s position and identify the
deviation from the original location to a fake one. Identify this technique.

A. Interrupting the lock mechanism


B. Meaconing method
C. Drag-off strategy
D. Cancellation methodology

754. In which of the following techniques does an attacker draw symbols in public places to
advertise open Wi-Fi networks?

A. Warflying
B. Warchalking
C. Wardriving
D. Warwalking

755. Which of the following tools is designed to capture a WPA/WPA2 handshake and act as
an ad-hoc AP?

A. Airodump-ng
B. Airbase-ng
C. Airolib-ng
D. Airmon-ng

756. Which of the following tools is used by an attacker to create rogue APs and perform
sniffing and MITM attacks?

A. Skyhook
B. Halberd
C. Gobuster
D. MANA Toolkit

757. Which of the following security standards contains the Dragonblood vulnerabilities that
help attackers recover keys, downgrade security mechanisms, and launch various
information-theft attacks?

A. WPA3
B. WEP
C. WPA2
D. WPA

758. Which tool would be used to collect wireless packet data?

A. Nessus
B. NetStumbler
C. John the Ripper
D. Netcat

759. There is a WEP encrypted wireless AP with no clients connected. In order to crack the
WEP key, a fake authentication needs to be performed. Which of the following steps need to
be performed by the attacker for generating fake authentication?

A. Ensure association of source MAC address with the AP
B. Set the wireless interface to monitor mode
C. Use cracking tools
D. Capture the IVs

760. During a wireless penetration test, a tester detects an AP using the WPA2 encryption.
Which of the following attacks should be used to obtain the key?

A. The tester must capture the WPA2 authentication handshake and then crack it.
B. The tester cannot crack WPA2 because it is in full compliance with the IEEE 802.11i
standard.
C. The tester must change the MAC address of the wireless network card and then use
the AirTraf tool to obtain the key.
D. The tester must use the tool inSSIDer to crack it using the ESSID of the network

761. Kenneth, a professional penetration tester, was hired by the XYZ Company to conduct
wireless network penetration testing. Kenneth proceeds with the standard steps of wireless
penetration testing. He tries to collect lots of initialization vectors (IVs) using the injection
method to crack the WEP key. He uses the aircrack-ng tool to capture the IVs from a specific
AP. Which of the following aircrack-ng commands will help Kenneth to do this?

A. airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w output ath0
B. aireplay-ng -1 0 -e teddy -a 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 ath0
C. aireplay-ng -9 -e teddy -a 00:14:6C:7E:40:80 ath0
D. airmon-ng start wifi0 9

762. Which of the following tools helps attackers identify networks by passively collecting
packets and detecting standard named networks, hidden networks, and the presence of non-
beaconing networks via data traffic?

A. Robber
B. L0phtCrack
C. Netcraft
D. Kismet

763. Which of the following is a portable RFID cloning device that can be used by attackers to
clone RFID tags?

A. iCopy-X
B. KeyGrabber
C. Hardware Protocol Analyzer
D. PCB-2040 Jammer

764. Which of the following btlejack commands allows an attacker to sniff new Bluetooth low-
energy connections?

A. btlejack -f 0x129f3244 -j
B. btlejack -c any
C. btlejack -d /dev/ttyACM0 -d /dev/ttyACM2 -s
D. btlejack -s

765. Fill in the blank.

_________ is the art of collecting information about Bluetooth enabled devices such as
manufacturer, device model and firmware version.

A. BluePrinting
B. Bluebugging
C. BlueSniff
D. Bluejacking

766. Thomas is a cyber thief trying to hack Bluetooth-enabled devices at public places. He
decided to hack Bluetooth-enabled devices by using a DoS attack. He started sending an
oversized ping packet to a victim’s device, causing a buffer overflow and finally succeeded.
What type of Bluetooth device attack is Thomas most likely performing?

A. Bluesmacking
B. Bluesnarfing
C. Bluejacking
D. Bluebugging

767. Which of the following protocols is used by BlueJacking to send anonymous messages to
other Bluetooth-equipped devices?

A. LMP
B. SDP
C. OBEX
D. L2CAP

768. An attacker collects the make and model of target Bluetooth-enabled devices and analyzes
them in an attempt to find out whether the devices are within the range of vulnerability to exploit.
Identify which type of attack is performed on Bluetooth devices.

A. Bluebugging
B. BluePrinting
C. MAC Spoofing Attack
D. BlueSniff

769. Which of the following is to be used to keep certain default wireless messages from
broadcasting the ID to everyone?

A. MAC Spoofing
B. SSID Cloaking
C. Bluejacking
D. Bluesmacking

770. Which of the following components of Cisco’s WIPS deployment forwards attack
information from wireless IPS monitor-mode APs to the MSE and distributes configuration
parameters to APs?

A. Wireless LAN controller
B. Mobility services engine
C. Local mode AP
D. Wireless control system

771. Which of the following practices assists security professionals in defending a wireless
network against KRACK attacks?

A. Access sensitive resources when the device is connected to an unprotected network.
B. Allow using public Wi-Fi networks.
C. Employ the EAPOL-key replay counter to ensure that the AP recognizes only the
latest counter value.
D. Turn off auto updates for all the wireless devices.

772. Which of the following practices helps manufacturers protect their devices against GNSS
spoofing attacks?

A. Deploy defensive devices such as antennae and radio spectra against software
attacks.
B. Never deploy spatial-based processing with space-time adaptive processing (STAP).
C. Avoid deploying GNSS cryptographic methods such as spreading code encryption
(SCE).
D. Do not correlate the GNSS timing with other timing sources such as inertial
measurement units (IMUs).

773. Which of the following practices makes an organization’s wireless environment
vulnerable to various attacks?

A. Set the router access password and enable firewall protection.
B. Enable Simple Network Management Protocol (SNMP).
C. Enable MAC address filtering on APs or routers.
D. Disable the Dynamic Host Configuration Protocol (DHCP) and rely on static IP
addresses.

774. Which of the following browser-based attacks involves emails or pop-ups that redirect
users to fake web pages that mimic trustworthy sites, demanding the users to submit personal
information?

A. Framing
B. Man-in-the-Mobile
C. Phishing
D. Clickjacking

775. Which of the following attacks is performed by attackers to eavesdrop on existing
network connections between two systems, intrude, and then read or modify data?

A. Man-in-the-middle
B. Packet sniffing
C. Fake SSL certificates
D. DNS poisoning

776. In which of the following attacks does an attacker exploit vulnerabilities in the SSL/TLS
implementation on websites and invisibly downgrade connections to HTTP without
encryption?

A. SSLStrip
B. Rogue access points
C. Packet sniffing
D. Fake SSL certificates

777. Which of the following techniques helps protect mobile systems and users by limiting the
resources the mobile application can access on the mobile platform?

A. Sandbox
B. Anti-malware
C. Spam filter
D. Firewall

778. Which of the following attacks can be performed by spam messages?

A. Bluesnarfing attacks
B. Bluebugging attacks
C. Phishing attacks
D. Wardriving attacks

779. Which of the following is not a mobile platform risk?

A. Jailbreaking and Rooting
B. Sandboxing
C. Malicious Apps in App Store
D. Mobile Malware

780. When Jason installed a malicious application on his mobile, the application modified the
content in other applications on Jason’s mobile phone. What process did the malicious
application perform?

A. Data Loss
B. Data Exfiltration
C. Data Tampering
D. Data Mining

781. In which of the following attacks does an attacker bribe or socially engineer telecom
providers to obtain ownership of a target user’s SIM?

A. Framing
B. OTP hijacking
C. Camfecting attack
D. Clickjacking

782. In which of the following attacks does an attacker infect the target device with a remote
access Trojan (RAT) and compromise it to access the victim’s camera and microphone?

A. Camfecting attack
B. GPU-based attack
C. Rainbow table attack
D. OS command execution

783. Which of the following is a native library used in the Android OS architecture and is meant
for rendering fonts?

A. FreeType
B. Open Max AL
C. Surface Manager
D. Libc

784. Which of the following native libraries in the Android OS architecture is meant for
Internet security?

A. SQLite
B. WebKit and Blink
C. Open GL | ES
D. SSL

785. Which of the following countermeasures helps in protecting an Android device from
malicious users?

A. Never block ads displayed by apps
B. Install apps that invade privacy
C. Do not directly download Android package (APK) files
D. Disable screen lock for the Android device

786. Which of the following is an option in Android OS that is used to store private primitive
data in key–value pairs?

A. Internal storage
B. SQLite databases
C. External storage
D. Shared preferences

787. Which of the following practices is NOT a countermeasure to protect an Android device
and the data stored on it from malicious users?

A. Enable the screen pinning option to securely access Android apps
B. Download apps only from official Android markets
C. Never root the Android device
D. Enable features such as SmartLock instead of passwords

788. Which of the following tools is used to root the Android OS?

A. TunesGo
B. zANTI
C. LOIC
D. DroidSheep

789. Which of the following browser applications encrypts your Internet traffic and then hides
it by bouncing through a series of computers around the world?

A. UC Browser
B. Mozilla FireFox
C. Google Chrome
D. ORBOT

790. Which of the following applications allows attackers to identify the target devices and
block the access of Wi-Fi to the victim devices in a network?

A. KingoRoot
B. NetCut
C. Network Spoofer
D. DroidSheep

791. Which of the following Android applications allows you to find, lock, or erase a lost or
stolen device?

A. X-Ray
B. Find My iPhone
C. Find My Device
D. Faceniff

792. Which of the following mobile applications is used to perform denial-of-service attacks?

A. Low orbit ion cannon (LOIC)
B. DroidSheep
C. Unrevoked
D. MTK droid

793. Which of the following tools is a web-based mirror operating system for all the latest
iPhones?

A. Apricot
B. Hexxa Plus
C. Spyzie
D. Cydia

794. One of the following layers in Apple iOS contains low-level features on which most other
technologies are based. Furthermore, frameworks in this layer are useful when dealing
explicitly with security or communicating with external hardware and networks. Which is
this layer?

A. Core services
B. Media
C. Cocoa application
D. Core OS

795. Which of the following is an online tool that allows attackers to hack a device remotely in
an invisible mode without jailbreaking the device and access SMSes, call logs, app chats, GPS,
etc.?

A. Apricot
B. Cydia
C. Hexxa Plus
D. Spyzie

796. Which of the following iOS applications allows you to find, lock or erase a lost or stolen
device?

A. Find My iPhone
B. Faceniff
C. Find My Device
D. X-Ray

797. Which of the following Jailbreaking techniques will make the mobile device jailbroken
after each reboot?

A. Untethered Jailbreaking
B. None of the Above
C. Tethered Jailbreaking
D. Semi-Tethered Jailbreaking

798. Which of the following types of jailbreaking allows user-level access but does not allow
iboot-level access?

A. None of the above
B. Bootrom Exploit
C. iBoot Exploit
D. Userland Exploit

799. Which of the following statements is not true for securing iOS devices?

A. Do not jailbreak or root your device if used within enterprise environments
B. Disable Jailbreak detection
C. Disable Javascript and add-ons from web browser
D. Do not store sensitive data on client-side database

800. Which of the following is a runtime manipulation tool used by attackers to exploit
vulnerabilities in source code and modify functionality during iOS application runtime?

A. cycript
B. Censys
C. SEMRush
D. OpenOCD

801. Chris, a professional hacker, was tasked with obtaining credentials and certificates from
a target iOS device. For this purpose, Chris employed a tool to extract secrets such as
passwords, certificates, and encryption keys from the target iOS device’s storage system.

Identify the tool used by Chris in the above scenario.

A. ScanMyServer
B. Keychain Dumper
C. CORE Impact
D. N-Stalker X

802. John, an employee of an organization, always connects to the corporate network using his
own mobile device. Which of the following best practices prevents BYOD risk when John
connects to the corporate network?

A. Separating personal and private data
B. Not reporting a lost or stolen device
C. Improperly disposing of a device
D. Providing support for many different devices

803. Which of the following is the correct BYOD security guideline that an employee should
follow to secure sensitive personal or corporate information stored on a mobile device?

A. Disable session authentication and the timeout policy on the access gateway
B. Provide offline access to the organization’s sensitive information
C. Do not allow jailbroken and rooted devices
D. Never control access based on a need-to-know basis

804. Which of the following is not a feature of Mobile Device Management Software?

A. Remotely wipe data in the lost or stolen device
B. Sharing confidential data among devices and networks
C. Perform real time monitoring and reporting
D. Enforce policies and track inventory

805. Which of the following is a Mobile Device Management Software?

A. VMware AirWatch
B. Mobistealth
C. iHound
D. SpyBubble

806. Which of the following refers to a policy allowing an employee to bring his or her personal
devices such as laptops, smartphones, and tablets to the workplace and using them for
accessing the organization’s resources as per their access privileges?

A. Social Engineering
B. Spear-Phishing
C. BYOD
D. Phishing

807. Which of the following tools helps security professionals reverse engineer third-party,
closed, binary Android apps and allows them to decode resources to their original form and
rebuild them after making some modifications?

A. Lookout Personal
B. FaceNiff
C. Promon Shield
D. Apktool

808. Which of the following practices makes mobile devices vulnerable to SMS phishing
attacks?

A. Report any fraud SMS.
B. Do not fall for scams, gifts, and offers that seem unexpected.
C. Review the bank’s SMS policy.
D. Subscribe or sign-up using the links provided via SMS by any third-party
vendor.

809. Which of the following layers in the IoT architecture is responsible for important
functions such as data management and device management as well as various issues such as
data analysis, data aggregation, data filtering, device information discovery, and access
control?

A. Internet layer
B. Access gateway layer
C. Middleware layer
D. Edge technology layer

810. Which of the following technologies is a short-range communication protocol based on
the IEEE 802.15.4 standard and is used in devices that transfer data infrequently at a low rate
in a restricted area, within a range of 10–100 m?

A. BLE
B. Wi-Fi Direct
C. Thread
D. Zigbee

811. Which of the following long-range wireless communication protocols is used for data
transfer through small dish antennas for both broadband and narrowband data?

A. PLC
B. NFC
C. VSAT
D. QUIC

812. Which of the following operating systems is used in low-power wireless devices such as
street lighting and sound monitoring systems?

A. Edge
B. LWM2M
C. CoAP
D. Contiki

813. Which of the following protocols is used to enable fast and seamless interaction with
nearby IoT devices and reveals the list of URLs being broadcasted by nearby devices with BLE
beacons?

A. LWM2M
B. Physical Web
C. CoAP
D. XMPP

814. In which of the following IoT communication models does a device upload its data to the
cloud to be later accessed or analyzed by third parties?

A. Device-to-gateway communication model


B. Device-to-cloud communication model
C. Device-to-device communication model
D. Back-end data-sharing communication model

815. Which of the following IoT technology components bridges the gap between the IoT
device and the end user?

A. IoT gateway
B. Cloud server/data storage
C. Sensing technology
D. Remote control using mobile app

816. Which of the following IoT architecture layers consists of all the hardware parts like
sensors, RFID tags, readers or other soft sensors, and the device itself?

A. Application layer
B. Middleware layer
C. Access gateway layer
D. Edge technology layer

817. Which of the following IoT devices is included in the buildings service sector?

A. HVAC, transport, fire and safety, lighting, security, access, etc.


B. Turbines, windmills, UPS, batteries, generators, meters, drills, fuel cells, etc.
C. MRI, PDAs, implants, surgical equipment, pumps, monitors, telemedicine, etc.
D. Digital cameras, power systems, MID, e-readers, dishwashers, desktop computers, etc.

818. Name the communication model where the IoT devices communicate with the cloud
service through gateways?

A. Device-to-cloud communication model
B. Device-to-device communication model
C. Back-end data-sharing communication model
D. Device-to-gateway communication model

819. Which of the following IoT threats is prone to various attacks such as buffer overflow that
result in denial of service, leaving the device inaccessible to the user?

A. Insecure ecosystem interfaces


B. Insecure default settings
C. Insecure data transfer and storage
D. Insecure network services

820. Which of the following IoT attack surface areas has username enumeration, weak
passwords, account lockout, known default credentials, and an insecure password recovery
mechanism as its major vulnerabilities?

A. Device firmware
B. Network traffic
C. Device web interface
D. Device physical interfaces

821. In which of the following IoT attacks does an attacker extract information about
encryption keys by observing the emission of signals?

A. DNS rebinding attack


B. Sybil attack
C. Side-channel attack
D. Exploit kits

822. One of the following tools is used by attackers to obtain the rolling code sent by a victim
to unlock a vehicle, which is later used for unlocking and stealing the vehicle. Which is this
tool?

A. MultiPing
B. RFCrack
C. SearchDiggity
D. CyberX

823. In which of the following attacks does an attacker use a malicious script to exploit poorly
patched vulnerabilities in an IoT device?

A. Sybil attack
B. Side channel attack
C. Exploit kits
D. Replay attack

824. Name an attack where an attacker uses an army of botnets to target a single online service
or system.

A. DDoS attack
B. Side channel attack
C. Sybil attack
D. Replay attack

825. Name an attack where an attacker interrupts communication between two devices by
using the same frequency signals on which the devices are communicating.

A. Jamming attack
B. Man-in-the-middle attack
C. Replay attack
D. Side channel attack

826. In which of the following attacks does an attacker use multiple forged identities to create
a strong illusion of traffic congestion, affecting communication between neighboring nodes
and networks?

A. Sybil attack
B. DoS attack
C. Replay attack
D. Rolling code attack

827. Given below are the various steps involved in the Enemybot malware attack.

1. Gaining access
2. Disabling other malware on the target
3. Launching attack
4. Persistence
5. Creating exploits

Identify the correct sequence of steps involved in the Enemybot malware attack.

A. 5 -> 3 -> 4 -> 1 -> 2
B. 5 -> 2 -> 1 -> 3 -> 4
C. 3 -> 4 -> 5 -> 1 -> 2
D. 1 -> 2 -> 3 -> 4 -> 5

828. Identify the Enemybot malware attack stage in which the malware targets multiple
architectures to spread its infection.

A. Persistence
B. Disabling other malware on the target
C. Creating exploits
D. Launching attack

829. Which of the following tools helps attackers find the details and certification granted to
IoT devices?

A. RFCrack
B. MultiPing
C. FCC ID Search
D. IoTSeeker

830. Which of the following Nmap commands is used by an attacker to identify the IPv6
capabilities of a target IoT device?

A. nmap -n -Pn -sSU -pT:0-65535,U:0-65535 -v -A -oX <Name> <IP>


B. nmap -p 80,81,8080,8081 <Target IP address range>
C. nmap -6 -n -Pn -sSU -pT:0-65535,U:0-65535 -v -A -oX <Name> <IP>
D. nmap -n -Pn -sS -pT:0-65535 -v -A -oX <Name> <IP>

831. Which of the following Nmap commands is used by attackers to identify the IPv6 capabilities
of an IoT device?

A. nmap -n -Pn -sSU -pT:0-65535,U:0-65535 -v -A -oX <Name><IP>
B. nmap -sA -P0 <IP>
C. nmap -n -Pn -sS -pT:0-65535 -v -A -oX <Name><IP>
D. nmap -6 -n -Pn -sSU -pT:0-65535,U:0-65535 -v -A -oX <Name><IP>

832. Once an attacker gathers information about a target device in the first phase, what is the
second phase in IoT device hacking?

A. Vulnerability scanning
B. Maintain access
C. Gain access
D. Information gathering

833. Which of the following tools can an attacker use to gather information such as open ports
and services of IoT devices connected to the network?

A. Foren6
B. RFCrack
C. Multiping
D. Nmap

834. Using which one of the following tools can an attacker perform BlueBorne or airborne
attacks such as replay, fuzzing, and jamming?

A. Foren6
B. HackRF One
C. Zigbee framework
D. RIoT vulnerability scanning

835. If an attacker wants to reconstruct malicious firmware from legitimate firmware in order
to maintain access to the victim device, which of the following tools can he use to do so?

A. Firmware Mod Kit


B. RFCrack
C. Zigbee framework
D. RIoT vulnerability scanner

836. Which of the following tools is a smart fuzzer that detects buffer-overflow vulnerabilities
by automating and documenting the process of delivering corrupted inputs and watching for
an unexpected response from the application?

A. Universal Radio Hacker


B. RTL-SDR
C. beSTORM
D. Censys

837. If an attacker wants to gather information such as IP address, hostname, ISP, device’s
location, and the banner of the target IoT device, which of the following types of tools can he
use to do so?

A. IoT hacking tools


B. Sniffing tools
C. Vulnerability scanning tools
D. Information gathering tools

838. Out of the following tools, which tool can be used to find buffer overflow vulnerabilities
present in the system?

A. beSTORM
B. Censys
C. Firmalyzer Enterprise
D. Z-Wave sniffer

839. Which of the following tools allows attackers to identify IoT communication systems and
interfaces?

A. ophcrack
B. Vindicate
C. BUS Auditor
D. beSTORM

840. Identify the technique that involves gaining privileged root access while booting a device
and can be performed by making a ground connection to the serial I/O pin of a flash memory
chip.

A. Zones and conduits


B. Anti-disassembly
C. Pharming
D. NAND glitching

841. Which of the following commands returns bootlogs communicated during IoT device
bootup that help an attacker in obtaining the actual memory chip loaded with the booting
firmware?

A. minicom -D /dev/ttyUSB0 -w -C D-link_startup.txt
B. msfvenom -p windows/shell_reverse_tcp LHOST=<IP address> LPORT=<port> EXITFUNC=thread -f c -a x86 -b "\x00"
C. cmd.exe /c "%CommonProgramFiles:~3,1%owerShell.exe" -windowstyle hidden -command wscript myscript.vbc
D. access-list access-list-number {deny | permit} tcp any destination destination-wildcard

842. Which of the following TCP/UDP ports is used by infected devices to spread malicious
files to other devices in the network?

A. Port 23
B. Port 53
C. Port 22
D. Port 4801

843. Which of the following tools can be used to protect private data and home networks while
preventing unauthorized access using PKI-based security solutions for IoT devices?

A. Firmalyzer Enterprise
B. SeaCat.io
C. DigiCert IoT Device Manager
D. Censys

844. Which of the following tools offers SaaS technology and assists in operating IoT products
in a reliable, scalable, and secure manner?

A. beSTORM
B. DigiCert IoT security solution
C. SeaCat.io
D. Firmalyzer Enterprise

845. Which of the following practices makes an organization’s IoT devices susceptible to
various attacks?

A. Retain the default settings of the router.


B. Protect the devices against physical tampering.
C. Patch vulnerabilities and update the device firmware regularly.
D. Allow only trusted IP addresses to access the device from the Internet.

846. Which of the following practices makes IoT devices’ physical components vulnerable to
persistent attacks?

A. Implement a root-of-trust mechanism
B. Secure legacy units by enabling modern gateway security features
C. Isolate devices from regular supply units
D. Open access to the hardware unit

847. Which of the following components of an industrial control system is a small solid-state
control computer where instructions can be customized to perform a specific task?

A. BPCS
B. PLC
C. SIS
D. DCS

848. In which of the following levels of the Purdue model can the analysis and alteration of the
physical process be performed?

A. Level 0
B. Level 2
C. Level 1
D. Level 3

849. Which of the following components of an industrial control system is an automated
control system designed to safeguard the manufacturing environment in case of any
hazardous incident in the industry?

A. DCS
B. PLC
C. SIS
D. SCADA

850. Which of the following protocols provides a flexible framework for addressing and
mitigating current and future security vulnerabilities in industrial automation and control
systems?

A. IEC 61850
B. ISA/IEC 62443
C. ICCP (IEC 60870-6)
D. HSCP

851. Which of the following levels of the Purdue model uses protocols such as 6LoWPAN,
DNP3, DNS/DNSSEC, FTE, HART-IP, IEC 60870-5-101/104, and SOAP?

A. Level 1
B. Level 0
C. Level 2
D. Level 4

852. In which of the following attacks does an attacker use techniques such as timing analysis
and power analysis to obtain critical information from a target industrial system?

A. Buffer overflow attack


B. Malware attack
C. Protocol abuse
D. Side-channel attack

853. Identify the technique in which an attacker can gain access to an OT system by exploiting
the target user’s web browser after tricking them into visiting a compromised website during
a normal browsing session.

A. Checking the filtering systems of target networks


B. Drive-by compromise
C. Shoulder surfing
D. Launch daemon

854. Which of the following techniques allows an attacker to achieve higher-level access and
authorizations to perform further malicious activities on an ICS system or network?

A. Hooking
B. Obfuscating
C. Network address translation
D. Activity profiling

855. Smith, a professional hacker, was attempting to gain access to a target ICS network. To
achieve his goal, he initiated reconnaissance to gather information about the devices in the
network, their IP addresses, hostnames, and other details.

Which of the following techniques did Smith employ in the above scenario?

A. Identifying remote systems


B. IP address decoy
C. Password guessing
D. Hooking

856. Which of the following techniques allows attackers to perform additional movements
across a target ICS environment by leveraging existing access?

A. Drive-by downloads
B. Cookie sniffing
C. Proxy server DNS poisoning
D. Remote services

857. Identify the technique that allows an attacker to deactivate, control, or exploit the physical
control processes within a target ICS environment using command and control.

A. Impersonation
B. Connection proxy
C. Alternative trusted medium
D. Anti-disassembly

858. Peter, a professional hacker, managed to gain unauthorized access to a target ICS network.
He wanted to thwart reactions to any security event such as a hazard or failure. For this
purpose, Peter employed a technique to block command messages to stop defense solutions
from reacting to any security event.

Identify the technique employed by Peter in the above scenario.

A. Persistence
B. Inhibit response function
C. Evasion
D. Command and control

859. In which of the following phases of MITRE ATT&CK for ICS does an attacker use various
tactics such as I/O brute-forcing and parameter altering to disable, exploit, or control the
physical control processes in the target environment?

A. Lateral movement
B. Privilege escalation
C. Collection
D. Impair process control

860. In which of the following malware attacks do attackers use DustTunnel and LazyCargo to
penetrate IT systems and pivot OT networks to perform various malicious activities?

A. PIPEDREAM
B. Kovter
C. Wingbird
D. Zmist

861. Robert, a professional hacker, targeted an ICS network to cause power disruption in
specific areas of a targeted region. To achieve his goal, he employed malware that has
self-contained executables and configuration files and implements the communication protocol
IEC-104 on the target network to manipulate the RTUs over TCP connections for disrupting
the target OT-based power grids.

Identify the malware employed by Robert in the above scenario.

A. Divergent
B. INDUSTROYER.V2
C. Dharma
D. eCh0raix

862. Which of the following online tools allows attackers to discover the default credentials of
a device or product simply by entering the device name or manufacturer name?

A. CRITIFENCE
B. Censys
C. Netcraft
D. Thingful

863. Which of the following Nmap commands helps attackers identify the HMI systems in a
target OT network?

A. nmap -Pn -sT -p 102 --script s7-info <Target IP>


B. nmap -Pn -sT -p 46824 <Target IP>
C. nmap -Pn -sU -p 44818 --script enip-info <Target IP>
D. nmap -Pn -sT -p 1911,4911 --script fox-info <Target IP>

864. Which of the following tools passively maps and visually displays an ICS/SCADA network
topology while safely conducting device discovery, accounting, and reporting on these critical
cyber-physical systems?

A. GRASSMARLIN
B. Gqrx
C. SCADA Shutdown Tool
D. Shodan

865. Which of the following tools helps attackers scan and examine firmware binaries and
images as well as retrieve information such as encryption types, sizes, partitions, and file
systems?

A. GDB
B. Fritzing
C. Binwalk
D. Multimeter

866. Which of the following tools helps security professionals perform an automated security
assessment of software to identify configuration and application vulnerabilities?

A. Gqrx
B. LOIC
C. Azure IoT Central
D. IoTVAS

867. Which of the following practices is NOT a countermeasure to defend against OT hacking?

A. Regularly conduct risk assessment


B. Enable unused services and functionalities
C. Regularly upgrade OT hardware and software tools
D. Maintain an asset register to track information

868. Which of the following Purdue levels is commonly referred to as an industrial
demilitarized zone (IDMZ)?

A. Level 2
B. Level 3.5
C. Level 4
D. Level 3

869. Which of the following organizations addresses the risks of a production-hindering attack
by unexpected sources both inside and outside an organization’s OT network?

A. CWE
B. EDGAR Database
C. IISF
D. PCI DSS

870. Which of the following organizations is a non-profit professional association of engineers,
technicians, and managers engaged in industrial automation?

A. FISMA
B. ISA/IEC-62443
C. Factiva
D. MITRE CVE

871. Which of the following cloud services provides features such as single sign-on,
multi-factor authentication, identity governance and administration, access management, and
intelligence collection?

A. PaaS
B. IaaS
C. SaaS
D. IDaaS

872. Which of the following cloud deployment models is a combination of two or more clouds
that remain unique entities but are bound together, where an organization makes available
and manages some resources in-house and provides other resources externally?

A. Public cloud
B. Community cloud
C. Hybrid cloud
D. Multi cloud

873. Which of the following cloud broker services improves a given function by a specific
capability and provides value-added services to cloud consumers?

A. Distributed storage
B. Service aggregation
C. Service arbitrage
D. Service intermediation

874. Which of the following is the layer in the cloud storage architecture that performs several
functions such as data de-duplication and data replication?

A. Back-end layer
B. Application layer
C. Front-end layer
D. Middleware layer

875. In one of the following characteristics of cloud computing, cloud systems employ the
“pay-per-use” metering method, and subscribers pay for cloud services by monthly subscription or
according to the usage of resources such as storage levels, processing power, and bandwidth.
Which is this characteristic of cloud computing?

A. Virtualization technology
B. Distributed storage
C. Measured service
D. Distributed storage

876. In which of the following characteristics of cloud computing does cloud automation
expedite the process, reduce labor costs, and minimize the possibility of human error by
minimizing user involvement?

A. Automated management
B. Broad network access
C. Rapid elasticity
D. Resource pooling

877. Which of the following actors in the NIST cloud deployment reference architecture acts
as an intermediary for providing connectivity and transport services between cloud
consumers and providers?

A. Cloud auditor
B. Cloud carrier
C. Cloud consumer
D. Cloud provider

878. You are a security engineer for XYZ Corp. You are looking for a cloud-based e-mail
provider to migrate the company’s legacy on-premise e-mail system to. What type of cloud
service model will the new e-mail system be running on?

A. SaaS
B. XaaS
C. IaaS
D. PaaS

879. You are a security engineer for a cloud-based startup, XYZ Partners LLC, and they would
like you to choose the best platform to run their environment from. The company stores
sensitive PII and must be SOC 2 compliant. They would like to run their Windows server VMs
and directory services from the cloud. Which of the following services and deployment
models would meet the company’s requirements?

A. PaaS and public


B. IaaS and private
C. XaaS and community
D. SaaS and hybrid

880. Which of the following types of cloud computing services provides virtual machines and
other abstracted hardware and operating systems (OSs) which may be controlled through a
service API?

A. SaaS
B. XaaS
C. IaaS
D. PaaS

881. Which of the following NIST cloud reference architecture factors manages cloud services
in terms of use, performance, and delivery, and who also maintains a relationship between
cloud providers and consumers?

A. Cloud consumer
B. Cloud carrier
C. Cloud provider
D. Cloud broker

882. Which of the following is a cloud-computing and remote-access service that offers
anything as a service over the Internet based on the user’s demand?

A. MBaaS
B. XaaS
C. FWaaS
D. DaaS

883. Which of the following cloud computing services allows app developers to integrate their
frontend applications with backend infrastructure through an application programming
interface (API) and software development kit (SDK)?

A. DaaS
B. IDaaS
C. MBaaS
D. FWaaS

884. Which of the following cloud computing models allows manufacturers to sell or lease
equipment to clients and receive a percentage of profits generated by that equipment?

A. MaaS
B. SECaaS
C. PaaS
D. FWaaS

885. Which of the following cloud deployment models is a highly flexible model that holds
several types of cloud services that can be supplied to different other clouds to help users
choose a specific feature required from each cloud?

A. Poly cloud
B. Private cloud
C. Public cloud
D. Distributed cloud

886. Which of the following tiers in the container technology architecture transforms images
into containers and deploys containers to hosts?

A. Tier 4: Orchestrators
B. Tier 2: Testing and accreditation systems
C. Tier 1: Developer machines
D. Tier 3: Registries

887. Which of the following components in the container network model assigns default
subnet and IP addresses to the endpoints and networks if they are not assigned?

A. IPAM drivers
B. Network drivers
C. Sandbox
D. Endpoint

888. Which of the following processes manages the lifecycles of software containers and
schedules and distributes the work of individual containers for microservices-based
applications?

A. Container orchestration
B. Domain snipping
C. Microservices
D. Sandbox

889. Which of the following tiers in the container technology architecture operates and
manages containers as instructed by the orchestrator?

A. Tier 1: Developer machines
B. Tier 3: Registries
C. Tier 2: Testing and accreditation systems
D. Tier 5: Hosts

890. Which of the following components of the docker engine allows the communication and
assignment of tasks to the daemon?

A. Client CLI
B. REST API
C. Docker swarm
D. Server

891. Which of the following docker objects are read-only binary templates with instructions
for container creation and are used to store and deploy containers?

A. Volumes
B. Services
C. Networking
D. Images

892. Which of the following docker components processes API requests and handles various
docker objects, such as containers, volumes, images, and networks?

A. Docker client
B. Docker daemon
C. Docker registries
D. Docker images

893. Which of the following node components of the Kubernetes cluster architecture is an
important service agent that runs on each node and ensures that containers run in a pod?

A. Etcd cluster
B. Kubelet
C. Container runtime
D. Kube-proxy

894. Which of the following is the property of container technology that makes it less secure
than virtual machines?

A. Created and launched in minutes


B. Heavyweight
C. Complete isolation
D. Process-level isolation

895. Which of the following serverless computing platforms allows users to run code without
provisioning and managing servers?

A. Knative
B. Portainer
C. Red Hat OpenShift
D. Microsoft Azure Functions

896. In one of the following OWASP cloud security risks, unsecured data in transit are
susceptible to eavesdropping and interception attacks. Which is this risk?

A. Incidence analysis and forensic support


B. Multi tenancy and physical security
C. Service and data integration
D. Business continuity and resiliency

897. Which of the following cloud computing threats involves disgruntled current or former
employees, contractors, or other business partners who have authorized access to cloud
resources and can misuse their access to compromise the information available in the cloud?

A. Cloud provider acquisition


B. Malicious insiders
C. Supply chain failure
D. Isolation failure

898. Which of the following cloud computing threats reflects the inability of a client to migrate
from one CSP to another CSP or in-house systems owing to the lack of tools, procedures,
standard data formats, applications, and service portability?

A. Cloud provider acquisition


B. Lock-in
C. Theft of computer equipment
D. Licensing risks

899. Which of the following cloud attacks is triggered at MSPs and their customers and
involves compromising staff accounts by initiating spear-phishing emails with custom-made
malware?

A. Man-in-the-cloud attack
B. Cross-guest VM breaches
C. Wrapping attack
D. Cloud hopper attack

900. Which of the following types of DNS attack involves conducting phishing scams by
registering a domain name that is similar to a CSP?

A. Cybersquatting
B. Domain hijacking
C. Domain snipping
D. DNS poisoning

901. Which of the following cloud computing threats is caused by incomplete and
non-transparent terms of use, hidden dependencies created by cross-cloud applications,
inappropriate CSP selection, and lack of supplier redundancy?

A. Hardware failure
B. Isolation failure
C. Supply chain failure
D. Subpoena and e-discovery

902. In which of the following attacks does an attacker exploit the vulnerability residing in a
bare-metal cloud server and use it to implant a malicious backdoor in its firmware?

A. Cryptanalysis attack
B. Wrapping attack
C. Cloudborne attack
D. Cross-site scripting attack

903. Which of the following types of DNS attack involves registering an elapsed domain name?

A. Cybersquatting
B. Domain hijacking
C. Domain snipping
D. DNS poisoning

904. Which of the following practices is NOT a countermeasure for defending against
cryptojacking attacks?

A. Never review third-party components used by the company’s websites


B. Implement CoinBlocker URL and IP blacklist/blackholing in the firewall
C. Use encrypted SSH key pairs instead of passwords
D. Implement browser extensions for scanning and terminating scripts

905. Which of the following is not a legitimate cloud computing attack?

A. Man-in-the-middle (MiTM)
B. Privilege escalation
C. Denial-of-service (DoS)
D. Port scanning

906. A privilege escalation threat is caused due to which of the following weaknesses?

A. A mistake in the access allocation system causes a customer, third party, or
employee to get more access rights than needed.
B. Due to flaws while provisioning or de-provisioning networks or vulnerabilities in
communication encryption.
C. Weak authentication and authorization controls could lead to illegal access thereby
compromising confidential and critical data stored in the cloud.
D. Due to isolation failure, cloud customers can gain illegal access to the data.

907. In which of the following attacks does an attacker steal a CSP’s or client’s credentials by
methods such as phishing, pharming, social engineering, and exploitation of software
vulnerabilities?

A. DNS attack
B. Wrapping attack
C. Side-channel attack
D. Service hijacking using social engineering attacks

908. In which of the following attacks does an attacker ride an active computer session by
sending an email or tricking the user into visiting a malicious web page while they are logged
into the targeted site?

A. Wrapping attack
B. DNS attack
C. Side-channel attack
D. Session hijacking using session riding

909. Which of the following Nimbostratus commands is used by an attacker to dump all the
permissions for provided credentials?

A. $ nimbostratus dump-credentials
B. $ nimbostratus create-iam-user --access-key=... --secret-key=...
C. $ nimbostratus dump-ec2-metadata
D. $ nimbostratus dump-permissions --access-key=... --secret-key=...

910. An attacker is using DumpsterDiver, an automated tool, to identify potential secret leaks
and hardcoded passwords in target cloud services.

Which of the following flags is set by the attacker to analyze the files in search of hardcoded
passwords?

A. -o OUTFILE
B. -s, --secret
C. -r, --remove
D. -a, --advance

911. Which of the following is the docker command used by an attacker to create a container
from an image to exploit the docker remote API?

A. $ docker -H <Remote IP:Port> exec modest_goldstine ls


B. $ docker -H <docker host> run --network=host --rm marsmensch/nmap -ox <IP
Range>
C. $ docker -H <Remote IP:Port> run -t -d alpine
D. $ docker -H <Remote IP:Port> pull alpine

912. Which of the following is a security vulnerability that arises mostly from business
associates and current or former employees who already have trusted access to an
environment and do not need to compromise AWS credentials separately for performing
malicious activities?

A. Password reuse
B. Insider threat
C. Social engineering
D. Reading local file

913. Given below are the steps involved in exploiting AWS docker containers.

1. Pull the target docker image
2. Push the backdoor docker image
3. Create a backdoor image
4. Abuse AWS credentials

What is the correct sequence of steps involved in exploiting AWS docker containers?

A. 2 -> 1 -> 3 -> 4
B. 3 -> 4 -> 2 -> 1
C. 4 -> 1 -> 3 -> 2
D. 1 -> 2 -> 3 -> 4

914. Which of the following scripts is an example of a lambda function that responds to
user-delete events by creating more copies of the deleted user?

A. rabbit_lambda
B. cli_lambda
C. backdoor_created_users_lambda
D. backdoor_created_roles_lambda

915. Which of the following tools allows an attacker to perform account enumeration on an
Azure Active Directory (AD) environment and assess the overall security of the target Azure
environment?

A. Azucar
B. OWASP ZAP
C. bettercap
D. Hetty

916. Which of the following tools contains two main scanning modules, AWStealth and
AzureStealth, which attackers can use to discover users, groups, and roles that have the most
sensitive and risky permissions?

A. CxSAST
B. Fiddler
C. SkyArk
D. DroidSheep

917. Which of the following cloud security layers is a secured computational environment that
implements internal control, auditability, and maintenance to ensure the availability and
integrity of cloud operations?

A. Computation and storage


B. Trusted computing
C. Physical layer
D. Network layer

918. Which of the following vulnerabilities in serverless security can be resolved by using the
cloud provider’s built-in services, such as AWS Trust Advisor, to identify public resources and
by setting functions with a minimum required timeout?

A. Broken access control


B. XML external entities
C. Security misconfiguration
D. Cross-site scripting

919. Which of the following technologies is a security implementation that assumes every user
attempting to access a network is not a trusted entity by default and verifies every incoming
connection before allowing access to the network?

A. Zero-trust network
B. Trusted computing
C. Serverless computing
D. Container technology

920. Which of the following best practices allows security professionals to secure the docker
environment?

A. Always expose the docker daemon socket
B. Disable the read-only mode on file systems and volumes
C. Never use tools such as InSpec and DevSec to detect docker vulnerabilities
D. Always run docker images with --security-opt=no-new-privileges

921. Which of the following best practices helps security professionals in securing a serverless
computing environment?

A. Never use secret storage for sensitive information
B. Disable signed requests for cloud vendors
C. Deploy functions in minimal granularity
D. Maximize serverless permissions in the development phase

922. The components such as DLP, CMF, database activity monitoring, and encryption are
included in which of the following cloud security control layers?

A. Management layer
B. Applications layer
C. Computer and storage
D. Information layer

923. Which of the following is NOT a best practice for cloud security?

A. Verify one’s cloud in public domain blacklists
B. Disclose applicable logs and data to customers
C. Undergo AICPA SAS 70 Type II audits
D. Provide unauthorized server access using security checkpoints

924. Which of the following categories of security controls strengthens the system against
incidents by minimizing or eliminating vulnerabilities?

A. Detective controls
B. Corrective controls
C. Preventive controls
D. Deterrent controls

925. Which of the following categories of security controls minimizes the consequences of an
incident by limiting the damage?

A. Corrective controls
B. Detective controls
C. Preventive controls
D. Deterrent controls

926. Which of the following practices allows administrators to secure a container environment
from various cloud-based attacks?

A. Harden the host environment by removing non-critical native services.
B. Change the users’ default privileges from non-root to root.
C. Implement immutable containers that allow container modification after deployment.
D. Write sensitive information to code and configuration files.

927. Which of the following is a network routing solution that establishes and manages
communication between an on-premises consumer network and VPCs via a centralized unit?

A. VPC endpoint
B. Interface endpoint
C. Transit gateways
D. Public and private subnets

928. Which of the following entities of cloud network security establishes a private connection
between a VPC and another cloud service without access to the Internet, external gateways,
NAT solutions, VPN connections, or public addresses?

A. VPC endpoint
B. Transit gateway
C. Gateway-load-balancer endpoint
D. Public subnet

929. Which of the following objectives of cryptography defines the trustworthiness of data or
resources in terms of preventing improper and unauthorized changes?

A. Nonrepudiation
B. Authentication
C. Integrity
D. Confidentiality

930. Which of the following objectives of cryptography ensures that information is accessible
only to those who are authorized to access it?

A. Nonrepudiation
B. Authentication
C. Confidentiality
D. Integrity

931. The fundamental difference between symmetric and asymmetric key cryptographic
systems is that symmetric key cryptography uses __________?

A. The same key on each end of the transmission medium
B. Different keys on both ends of the transport medium
C. Multiple keys for nonrepudiation of bulk data
D. Bulk encryption for data transmission over fiber

932. Which of the following describes a component of public key infrastructure (PKI) where a
copy of a private key is stored to provide third-party access and to facilitate recovery
operations?

A. Directory
B. Recovery agent
C. Key escrow
D. Key registry

933. Which of the following tools helps users compress, encrypt, and convert plaintext data
into ciphertext using symmetric and public-key algorithms?

A. Hash Droid
B. BCTextEncoder
C. MD5 Calculator
D. HashMyFiles

934. In one of the following types of cipher, letters in plaintext are rearranged according to a
regular system to produce ciphertext. Which is this type of cipher?

A. Block cipher
B. Transposition cipher
C. Substitution cipher
D. Stream cipher

935. Which of the following encryption algorithms is also called Magma and is a symmetric-
key block cipher having a 32-round Feistel network working on 64-bit blocks with a key
length of 256 bits?

A. TEA
B. Camellia
C. GOST
D. Serpent

936. Which of the following types of hardware encryption devices is a crypto-processor or chip
present in the motherboard that can securely store encryption keys and perform many
cryptographic operations?

A. USB encryption
B. Hard-drive encryption
C. HSM
D. TPM

937. Which of the following is an encryption technique where math operations are performed
to encrypt plaintext, allowing users to secure and leave their data in an encrypted format even
while the data are being processed or manipulated?

A. Homomorphic encryption
B. Hardware-based encryption
C. Quantum cryptography
D. Elliptic curve cryptography

938. Which of the following algorithms uses a sponge construction where message blocks are
XORed into the initial bits of the state that the algorithm then invertibly permutes?

A. MD5
B. SHA-2
C. MD6
D. SHA-3

939. Some passwords are stored using specialized encryption algorithms known as hashes.
Why is this an appropriate method?

A. It is impossible to crack hashed user passwords unless the key used to encrypt them
is obtained.
B. Hashing is faster when compared to more traditional encryption algorithms.
C. If a user forgets the password, it can be easily retrieved using the hash key stored by
administrators.
D. Passwords stored using hashes are nonreversible, making finding the password
much more difficult.

940. After gaining access to the password hashes used to protect access to a web-based
application, the knowledge of which cryptographic algorithms would be useful to gain access
to the application?

A. SHA1
B. RSA
C. Diffie–Hellman
D. AES

941. Which cipher encrypts the plain text digit (bit or byte) one by one?

A. Modern cipher
B. Classical cipher
C. Stream cipher
D. Block cipher

942. Which of the following algorithms provides better protection against brute force attacks
by using a 160-bit message digest?

A. SHA-1
B. MD5
C. RC4
D. MD4

943. Which of the following is a symmetric cryptographic algorithm?

A. RSA
B. 3DES
C. DHA
D. DSA

944. Which property ensures that a hash function will not produce the same hashed value for
two different messages?

A. Bit length
B. Key strength
C. Entropy
D. Collision resistance

945. What is the primary drawback of using Advanced Encryption Standard (AES) algorithm
with a 256-bit key to share sensitive data?

A. It has been proven to be a weak cipher; therefore, it should not be trusted to protect
sensitive data.
B. It is a symmetric key algorithm, meaning each recipient must receive the key
through a different channel than the message.
C. Due to the key size, the time it will take to encrypt and decrypt the message hinders
efficient communication.
D. To get messaging programs to function with this algorithm requires complex
configurations.

946. When setting up a wireless network, an administrator enters a preshared key for security.
Which of the following is true?

A. The key entered is a symmetric key used to encrypt the wireless data.
B. The key entered is based on the Diffie–Hellman method.
C. The key is an RSA key used to encrypt the wireless data.
D. The key entered is a hash that is used to prove the integrity of the wireless data.

947. In a cipher mode of operation, the initialization vector (IV) stored in the shift register is
sent as input to the encryption algorithm along with the secret key. From the result of
encryption, the first S bits are selected to perform XOR with a plaintext block of size S to
produce a cipher block. Identify this cipher mode of operation.

A. Electronic code book (ECB) mode
B. Counter mode
C. Cipher block chaining (CBC) mode
D. Cipher feedback (CFB) mode

948. In a mode of authenticated encryption, the plaintext is first encrypted using a secret key.
Then, a hash value is generated for the obtained cipher text and is attached to the cipher text
before transmission. Identify this mode of authenticated encryption.

A. Encrypt-then-MAC (EtM)
B. Authenticated encryption with associated data (AEAD)
C. MAC-then-Encrypt (MtE)
D. Encrypt-and-MAC (E&M)

949. In a mode of authenticated encryption, a hash value is first generated for the plaintext.
Then, both the plaintext and hash value are combined and encrypted with a secret key to
produce cipher text. Identify this mode of authenticated encryption.

A. MAC-then-Encrypt (MtE)
B. Authenticated encryption with associated data (AEAD)
C. Encrypt-and-MAC (E&M)
D. Encrypt-then-MAC (EtM)

950. Identify the type of blockchain in which there is no central authority or administration to
manage the blocks or ledgers.

A. Federated blockchain
B. Public blockchain
C. Private ledger
D. Hybrid blockchain

951. Which of the following components of public key infrastructure stores certificates along
with their public keys?

A. Certificate authority
B. Validation authority
C. Registration authority
D. Certificate management system

952. Which of the following defines the role of a root certificate authority (CA) in a public key
infrastructure (PKI)?

A. The root CA stores the user’s hash value for safekeeping.
B. The root CA is the recovery agent used to encrypt data when a user’s certificate is lost.
C. The CA is the trusted root that issues certificates.
D. The root CA is used to encrypt e-mail messages to prevent unintended disclosure of
data.

953. Which of the following is a characteristic of public key infrastructure (PKI)?

A. Public-key cryptosystems do not require a secure key distribution channel.
B. Public-key cryptosystems are faster than symmetric-key cryptosystems.
C. Public-key cryptosystems do not provide technical nonrepudiation via digital
signatures.
D. Public-key cryptosystems distribute public-keys within digital signatures.

954. Which element of public key infrastructure (PKI) verifies the applicant?

A. Certificate authority
B. Validation authority
C. Registration authority
D. Verification authority

955. Steve is the new CISO for a global corporation; he hired Dayna as a security consultant to
do a security assessment. Steve wants to protect the corporate webpage with encryption and
asks Dayna about the procedure to do that. Which of the following is the correct option?

A. You need to use a digital signature.
B. You need to use Blowfish encryption.
C. You need to use digital certificates.
D. You need to use quantum encryption.

956. Which of the following protocols allows a client and server to authenticate each other,
select an encryption algorithm, and exchange a symmetric key prior to data exchange?

A. TLS handshake protocol
B. TLS record protocol
C. GNU privacy guard
D. Pretty good privacy

957. Which of the following is an example of an asymmetric encryption implementation?

A. MD5
B. SHA1
C. 3DES
D. PGP

958. A person approaches a network administrator and wants advice on how to send
encrypted e-mail from home. The end user does not want to have to pay for any license fees
or manage server services. Which of the following is the most secure encryption protocol that
the network administrator should recommend?

A. Hypertext transfer protocol with secure socket layer (HTTPS)
B. Pretty good privacy (PGP)
C. Multipurpose Internet mail extensions (MIME)
D. IP security (IPSEC)

959. To send a PGP-encrypted message, which piece of information from the recipient must
the sender have before encrypting the message?

A. Master encryption key
B. Recipient’s private key
C. Sender’s public key
D. Recipient’s public key

960. Which of the following is end-to-end email encryption software configured with OpenPGP
for securing emails and attachments in Google Mail?

A. Bitvise
B. FlowCrypt
C. Hashcat
D. Super network tunnel

961. Which of the following is a Linux-based utility used to perform disk encryption based on
the DMCrypt kernel module?

A. CORE Impact
B. Cryptsetup
C. Vega
D. Gobuster

962. Identify the disk encryption tool that utilizes the XTS-AES-128 encryption technology
along with a 256-bit key to prevent unauthorized access to the information on the startup
disk.

A. FileVault 2
B. Astra
C. SoapUI pro
D. Veracode

963. Which of the following tools allows users to create hidden and encrypted partitions on a
computer, a USB flash drive, or cloud storage services such as Google Drive, OneDrive, and
Dropbox?

A. RMail
B. HashTools
C. Rohos Disk Encryption
D. HashMyFiles

964. Which of the following is a code-breaking methodology that involves the use of social
engineering techniques to extract cryptography keys?

A. Frequency analysis
B. One-time pad
C. Trickery and deceit
D. Brute force

965. In one of the following attacks, an attacker has complete access to a plaintext message
including its encryption, and they can modify the content of the message by making a series
of interactive queries, choosing subsequent plaintext blocks based on the information from
the previous encryption queries and functions. Which is this attack?

A. Adaptive chosen-plaintext attack
B. Chosen-plaintext attack
C. Known-plaintext attack
D. Ciphertext-only attack

966. In which of the following attacks does an attacker reduce the number of brute-force
permutations required to decode text encrypted by more than one key and use the space-time
trade-off?

A. Meet-in-the-middle attack
B. Side-channel attack
C. Hash collision attack
D. DUHK attack

967. Which of the following e-learning software allows comprehensive cryptographic
experimentation on Linux, Mac OS X, and Windows and also allows users to develop and
extend its platform in various ways with their own crypto plug-ins?

A. CrypTool 2 (CT2)
B. CrypTool 1 (CT1)
C. CrypTool-Online (CTO)
D. JCrypTool (JCT)

968. An attacker tries to recover the plaintext of a message without knowing the required key
in advance. For this, he may first try to recover the key or may go after the message itself by
trying every possible combination of characters. Which code-breaking method is he using?

A. Trickery and deceit
B. One-time pad
C. Frequency analysis
D. Brute force

969. In which of the following attacks can an attacker obtain ciphertexts encrypted under two
different keys and gather plaintext and matching ciphertext?

A. Related-key attack
B. Chosen-plaintext attack
C. Ciphertext-only attack
D. Adaptive chosen-plaintext attack

970. Which of the following attacks is a physical attack that is performed on a
cryptographic device/cryptosystem to gain sensitive information?

A. Side channel attack
B. DUHK attack
C. MITM attack
D. Hash collision attack

971. Which of the following attacks mainly affects any hardware/software using an ANSI X9.31
random number generator (RNG)?

A. DUHK attack
B. Rainbow table attack
C. Hash collision attack
D. Side channel attack

972. Out of the following, identify the attack that is used for cracking a cryptographic algorithm
using multiple keys for encryption.

A. Rainbow table attack
B. Side channel attack
C. DUHK attack
D. Meet-in-the-middle attack

973. In one of the following techniques, attackers use two algorithms. They use Shor’s quantum
factoring algorithm on public-key cryptographic algorithms such as RSA and ECDH to find the
factors of large numbers in polynomial time. Further, they use Grover’s quantum search
algorithm to make brute-force key search faster for block ciphers. Identify this technique.

A. Quantum cryptanalysis
B. Differential cryptanalysis
C. Quantum cryptography
D. Post-quantum cryptography

974. Which of the following practices is NOT a countermeasure to mitigate side-channel
attacks?

A. Mask and blind algorithms using random nonces
B. Implement differential matching techniques to minimize net data-dependent leakage
C. Add amplitude or temporal noise to reduce the attacker’s signal-to-noise ratio
D. Avoid using fixed-time algorithms

975. An attacker has captured a target file that is encrypted with public key cryptography.
Which of the attacks below is likely to be used to crack the target file?

A. Replay attack
B. Chosen plain-text attack
C. Timing attack
D. Memory trade-off attack

1. Highlander, Incorporated, is a medical insurance company with several regional
company offices in North America. Employees, when in the office, utilize desktop
computers that have Windows 10, Microsoft Office, anti-malware/virus software, and
an insurance application developed by a contractor. All the software updates and
patches are managed by the IT department of Highlander, Incorporated. Group
policies are used to lock down the desktop computers, including the use of Applocker
to restrict the installation of any third-party applications.

There are one hundred employees who work from their home offices. Employees who
work from home use their own computers, laptops, and personal smartphones. They
authenticate to a cloud-based domain service, which is synchronized with the
corporate internal domain service. The computers are updated and patched through the
cloud-based domain service. Applocker is not used to restrict the installation of third-
party applications.

The laptops utilize direct access to automatically connect their machines to the
Highlander, Incorporated, network when they are not in the regional offices. The
laptops are set up to use IPsec when communicating with the cloud-based file server.
The protocol that they have chosen is Authentication Header (AH).

The database that hosts the information collected from the insurance application is
hosted on a cloud-based file server, and their email server is hosted on Office 365.
Other files created by employees get saved to a cloud-based file server, and the
company uses work folders to synchronize offline copies back to their devices.

Based on the knowledge of the network topology, which of the main elements of
information security has Highlander, Incorporated, NOT addressed in its plans for its
laptops?

Confidentiality

Integrity

Authenticity

Availability

2. Which of the following categories of information warfare is a sensor-based
technology that directly corrupts technological systems?

Command-and-control warfare (C2 warfare)

Intelligence-based warfare

Electronic warfare

Economic warfare

3. In which of the following phases of the cyber kill chain methodology does an
adversary select or create a tailored deliverable malicious payload using an exploit
and a backdoor to send it to the victim?

Weaponization

Delivery

Installation

Reconnaissance

4. Which of the following IoC categories is useful for command and control, malware
delivery, and identifying details about the operating system, browser type, and other
computer-specific information?

Behavioral indicators

Email indicators

Network indicators

Host-based indicators

5. Which of the following categories of PRE-ATT&CK techniques is associated with the
MITRE ATT&CK framework for describing attacks?

Exploit

Deliver

Weaponize

Execute

6. Identify the meta-feature of the diamond model that helps a security analyst in
determining the progress of an attack or any malicious activity.

Phase

Timestamp

Direction

Resource

7. John, a security professional, was tasked with intrusion analysis on a compromised
system. For this purpose, John followed the diamond model of intrusion analysis. In
this process, John analyzed the hardware and software used by the target and
verified whether they have any connection with the attacker. This verification helped
John in determining what the attacker used to reach the victim.
Which of the following features of the diamond model did John employ in the above
scenario?

Direction

Result

Timestamp

Infrastructure

8. Highlander, Incorporated, decides to hire an ethical hacker to identify
vulnerabilities at the regional locations and ensure system security.

What is the main difference between a hacker and an ethical hacker when they are
trying to compromise the regional offices?

Hackers have more sophisticated tools.

Ethical hackers have the permission of the regional server administrators.

Ethical hackers have the permission of upper management.

Hackers don’t have any knowledge of the network before they compromise the
network.

9. Which of the following phases of incident handling and response helps responders
prevent the spread of infection to other organizational assets and avoid additional
damage?

Recovery

Incident recording and assignment

Containment

Incident triage

10. Given below are different steps in the threat modeling process.

Identify threats

Identify security objectives

Decompose the application

Application overview

Identify vulnerabilities

What is the correct sequence of steps in the threat modeling process?

1 -> 2 -> 3 -> 4 -> 5

5 -> 2 -> 3 -> 1 -> 4

2 -> 1 -> 5 -> 3 -> 4

2 -> 4 -> 3 -> 1 -> 5

11. Which of the following guidelines or standards governs the credit card industry?

Payment Card Industry Data Security Standards (PCI DSS)

Health Insurance Portability and Accountability Act (HIPAA)

Control Objectives for Information and Related Technology (COBIT)

Sarbanes-Oxley Act (SOX)

12. A penetration tester was hired to perform a penetration test for a bank. The tester
began searching for IP ranges owned by the bank, performing lookups on the bank’s
DNS servers, reading news articles online about the bank, watching the bank
employees time in and out, searching the bank’s job postings (paying special attention
to IT-related jobs), and visiting the local dumpster for the bank’s corporate office.
What phase of the penetration test is the tester currently in?

Passive information gathering

Active information gathering

Information reporting

Vulnerability assessment

13. What type of information is gathered by an attacker through Whois database
analysis and tracerouting?

DNS records and related information

Usernames, passwords, and so on

Background of the organization

Publicly available email addresses

14. Smith, a professional hacker, has targeted an organization. He employed some
footprinting tools to scan through all the domains, subdomains, reachable IP
addresses, DNS records, and Whois records to perform further attacks.

What is the type of information Smith has extracted through the footprinting attempt?

Company’s product information

Network information

Policy information

Physical security information

15. Which of the following tools is used for gathering email account information from
different public sources and checking whether an email was leaked using the
haveibeenpwned.com API?

Infoga

Professional Toolset

Octoparse

Metagoofil

16. Sean works as a professional ethical hacker and penetration tester. He is assigned a
project for information gathering on a client’s network. He started penetration testing
and was trying to find out the company’s internal URLs, looking for any information
about the different departments and business units. Sean was unable to find any
information.

What should Sean do to get the information he needs?

Sean should use Sublist3r tool

Sean should use WayBackMachine in Archive.org

Sean should use website mirroring tools

Sean should use email tracking tools

17. You are doing research on SQL injection attacks. Which of the following
combination of Google operators will you use to find all Wikipedia pages that contain
information about SQL, injection attacks, or SQL injection techniques?

allinurl: Wikipedia.org intitle:“SQL Injection”

site:Wikipedia.org related:“SQL Injection”

SQL injection site:Wikipedia.org

site:Wikipedia.org intitle:“SQL Injection”

18. Peter, a professional hacker, targeted an organization’s network to gather as much
information as possible to perform future attacks. For this purpose, he employed a
reconnaissance framework that helped him gather confidential information such as
private Secure Shell (SSH) and Secure Sockets Layer (SSL) keys as well as dynamic
libraries from an online third-party repository.

Identify the online third-party repository targeted by Peter in the above scenario.

GitLab

Sublist3r

BeRoot

MITRE ATT&CK framework

19. Jude, a professional hacker, targeted an organization’s web server. Jude wanted to
extract the information removed from older copies or archived links of the target
website. For this purpose, he employed an exploration tool that assisted him in
retrieving the archived URLs of the target website.

Identify the tool employed by Jude in the above scenario.

Burp Suite

Photon

Netcraft

Gephi

20. Which of the following options of Sublist3r allows the user to specify a comma-
separated list of search engines?

-e

-p

-o

-d

21. Which of the following tools allows attackers to collect information such as
subdomains, IP addresses, HTTP response status, SSL/TLS certificates, vulnerability
scores, and DNS records of the target domain or website?

Nagios

L0phtCrack

THC-Hydra

Spyse

22. Which of the following features in FOCA allows an attacker to find more servers
in the same segment of a determined address?

DNS search

IP resolution

Web search

PTR scanning

23. Which of the following is an online platform that can be used to collect and
analyze information about devices and websites available on the Internet?

Spyse

Zimperium’s zIPS

FTK Imager

Dependency Walker

24. Which of the following hping commands is used by an attacker to collect the
initial sequence number?

hping3 -2 10.0.0.25 -p 80

hping3 192.168.1.103 -Q -p 139 -s

hping3 -A 10.0.0.25 -p 80

hping3 -S 72.14.207.99 -p 80 --tcp-timestamp

25. Which of the following techniques helps the attacker in identifying the OS used on
the target host in order to detect vulnerabilities on a target system?

Source routing

Port scanning

Banner grabbing

IP address decoy

26. Which of the following tools provides complete visibility, real-time detection, and
intelligent response to malicious network scanning attempts?

WinHex

Orbot

CyberGhost VPN

ExtraHop

27. Which of the following commands is used by an SNMP agent to meet a request
made by the SNMP manager?

SetRequest

GetRequest

GetResponse

GetNextRequest

28. Alfred, a professional hacker, was performing SNMP enumeration on a target
network. In this process, he executed an nmap command that lists all the running
SNMP processes along with the associated ports on the target host.

Identify the command executed by Alfred in the above scenario.

nmap -sU -p 161 --script=snmp-processes <Target IP Address>

nmap -p 25 --script=smtp-open-relay <Target IP Address>

snmpwalk -v2c -c public <Target IP Address> <OID> <New Value>

nmap -p 25 --script=smtp-enum-users <Target IP Address>

29. Which of the following tools allows attackers to perform LDAP enumeration on
the target network?

DNSRecon

nbtstat

AD Explorer

Euromonitor

30. Which of the following commands allows attackers to fetch the SNMP server type
and operating system?

nmap -sU -p 161 --script=snmp-processes <Target IP Address>

nmap -sU -p 161 --script=snmp-sysdescr <Target IP Address>

nmap -p 25 --script=smtp-enum-users <Target IP Address>

nmap -p 25 --script=smtp-open-relay <Target IP Address>

31. Which of the following protocols is responsible for accessing distributed
directories and accessing information such as valid usernames, addresses, departmental
details, and so on?

LDAP

NTP

SMTP

DNS

32. Which of the following NTP commands determines where the NTP server obtains
the time from and follows the chain of NTP servers back to its primary time source?

ntpq

ntpdate

ntptrace

ntpdc

33. Which of the following ntpdate parameters is used by an attacker to perform a
function that can force the time to always be slewed?

-b

-B

-d

-q

34. Which of the following tools allows an attacker to scan domains and obtain a list of
subdomains, records, IP addresses, and other valuable information from a target host?

cSploit

Experian

X-Ray

Nmap

35. Carter, a professional hacker, was tasked with fetching valuable information from
the rival organization. For this purpose, Carter started enumerating the target network
to identify existing vulnerabilities. He executed an nmap command to retrieve all the
subdomains associated with the target network.

Identify the command executed by Carter in the above scenario.

nmap -Pn -sU -p 53 --script=dns-recursion 192.168.1.150

nmap -T4 -p 53 --script dns-brute <Target Domain>

nmap -p 25 --script=smtp-open-relay <Target IP Address>

nmap -p 25 --script=smtp-enum-users <Target IP Address>

36. Which of the following tools is a framework that contains an SMTP enumeration
module that allows attackers to connect to the target SMTP server and enumerate
usernames using predefined wordlists?

LDNS

Tasklist

PortQry

Metasploit

37. Which of the following enumeration tools allows an attacker to fetch the IPv6
address of a machine through SNMP?

dig

Enyx

Svmap

ike-scan

38. A hacker is attempting to use nslookup to query domain name service (DNS). The
hacker uses the nslookup interactive mode for the search. Which command should the
hacker type into the command shell to request the appropriate records?

Set type=ns

Transfer type=ns

Request type=ns

Locate type=ns

39. Which of the following practices can make a network vulnerable to DNS
enumeration attacks?

Host the application server along with the DNS server.

Enforce two-factor authentication to provide secure access.

Use a DNS change lock or client lock to restrict the alteration of DNS settings.

Use a VPN for secure communication.

40. Which of the following practices makes an organizational network susceptible to
SNMP enumeration attacks?

Always use the “NoAuthNoPriv” mode.

Regularly audit the network traffic.

Modify the registry to allow only restricted or permitted access to the SNMP
community name.

Configure access-control lists (ACLs) for all SNMP connections.

41. Identify the security practice that helps administrators prevent external SNMP
enumeration attempts.

Encrypt credentials using the “AuthNoPriv” mode.

Allow access to TCP/UDP port 161.

Configure the SNMP service with read-write authorization.

Never audit the network traffic.

42. Which of the following practices helps security professionals defend against NFS
enumeration attempts?

Never implement NFS tunneling through SSH.

Implement the principle of least privileges.

Implement firewall rules to allow NFS port 2049.

Ensure that users are running suid and sgid on the exported file system.

43. Which of the following practices allows an attacker to perform NFS enumeration
attempts on a target network?

Ensure that users are not running suid and sgid on the exported file system.

Log the requests to access the system files on the NFS server.

Implement firewall rules to allow NFS port 2049.

Use the principle of least privileges.

44. Identify the practice that makes an organizational network susceptible to SMTP
enumeration attacks.

Disable the open relay feature.

Do not share internal IP/host information or mail relay system information.

Do not limit the number of accepted connections from a source.

Ignore emails to unknown recipients by configuring SMTP servers.

45. Which of the following practices can make a network vulnerable to DNS
enumeration attacks?

Use a VPN for secure communication.

Use a DNS change lock or client lock to restrict the alteration of DNS settings.

Host the application server along with the DNS server.

Enforce two-factor authentication to provide secure access.

46. Which of the following practices helps security experts prevent external LDAP
enumeration attempts within a network?

Allow users to access certain AD entities by changing the permissions on those
objects/attributes.

Never deploy canary accounts, which resemble real accounts.

Log access to AD services.

Avoid using NT LAN Manager (NTLM), Kerberos, or any basic authentication
mechanism.

47. Which of the following practices helps security professionals defend against NFS
enumeration attempts?

Never implement NFS tunneling through SSH.

Ensure that users are running suid and sgid on the exported file system.

Implement firewall rules to allow NFS port 2049.

Implement the principle of least privileges.

48.A newly discovered flaw in a software application would be considered as which
kind of security vulnerability?

HTTP header injection vulnerability

Time-to-check to a time-to-use flaw

Input validation flaw

Zero-day vulnerability

49.Which among the following is not a metric for measuring vulnerabilities in the
common vulnerability scoring system (CVSS)?

Environmental metrics

Base metrics

Temporal metrics

Active metrics

50.Williams, a professional hacker, targeted an organization’s network to cause data
loss at a massive scale. To achieve his goal, he exploited a system running an older
version of a web browser. Williams implanted a Trojan on the target browser, through
which he made a lateral movement in the target network.

Identify the type of vulnerability exploited by Williams in the above scenario.

Intentional end-user acts

Insecure or poor design of the network and application

End-user carelessness

Inherent technology weaknesses

51.Finch, a security professional, was tasked with assessing their organizational
network. In this process, Finch identified that one of the servers connected to the
corporate network used the insecure FTP for file transmission, which can pose serious
security risks.

Identify the type of vulnerability identified by Finch in the above scenario.

Operating system vulnerability

TCP/IP protocol vulnerability

Network device vulnerability

User account vulnerabilities

52.Don, a professional hacker, was attempting to access an organization’s systems
from a remote location. Don scanned the target environment and identified a security
loophole in the firewall implementation. He exploited this loophole to intrude into and
gain access to all the interconnected systems within the environment.

Identify the type of vulnerability exploited by Don in the above scenario.

Inherent technology weaknesses

Insecure or poor design of the network and application

Intentional end-user acts

End-user carelessness

53.Which term refers to common software vulnerabilities that happen due to coding
errors allowing attackers to get access to the target system?

Banner grabbing

Port scanning

Buffer overflows

Active footprinting

54.Henry, an employee of an organization, faced issues with a newly allocated system,
which was purchased from a refurbished market. When he raised a complaint, the
security team analyzed the system components and identified that the vendor did not
properly sanitize the system’s drive.

Identify the third-party risk demonstrated in the above scenario.

Design flaws

Unpatched firmware

Supply-chain risk

Data storage

55.Which of the following vulnerabilities is caused by obsolete or familiar code that is
usually not supported when patching technical assets?

Legacy platform vulnerability

DLL injection

Third-party risk

Race conditions

56.Which of the following types of vulnerability assessment solutions relies on the
administrator providing a starting shot of intelligence and then scanning continuously
without incorporating any information found at the time of scanning?

Service-based solutions

Product-based solution

Inference-based assessment

Tree-based assessment

57.Vulnerability scanning solutions perform vulnerability penetration tests on
organizational networks in three steps. After performing which of the following steps
does a pen tester enumerate the open ports and services along with the operating
system on the target systems?

Service and OS discovery

Testing the OS

Testing the services

Locating nodes

58.Which of the following location and data examination tools allows ethical hackers
to perform two or more scans on different machines in the network?

Cluster scanner

Agent-based scanner

Network-based scanner

Proxy scanner

59.Which of the following malware masks itself as a benign application or software
that initially appears to perform a desirable or benign function but steals information
from a system?

Worm

Virus

Keylogger

Trojan

60.An attacker is exploiting a buffer overflow vulnerability identified on a target
server. Which of the following steps allows the attacker to send a large amount of data
to the target server so that it experiences buffer overflow and overwrites the EIP
register?

Fuzzing

Spiking

Overwriting of the EIP Register

Generation of shellcode

61.In which of the following password attacks does an attacker attempt every
combination of characters until the password is found?

Combinator attack

Dictionary attack

Brute-force attack

Rule-based attack

62.Jake, a professional hacker, was hired to perform attacks on a target organization
and disrupt its services. In this process, Jake decided to exploit a buffer overflow
vulnerability and inject malicious code into the buffer to damage files. He started
performing a stack-based buffer overflow to gain shell access to the target system.

Which of the following types of registers in the stack-based buffer overflow stores the
address of the next data element to be stored onto the stack?

ESP

EDI

EIP

EBP

63.How can rainbow tables be defeated?

Lockout accounts under brute force password cracking attempts

Password salting

All uppercase character passwords

Use of nondictionary words

64.Which of the following tools allows attackers to perform password attacks such as
brute-force, dictionary, and mask attacks?

Dylib Hijack Scanner

Dependency Walker

linpostexp

Hashcat

65.Which of the following commands allows attackers to crack passwords that contain
six characters when the first three are lowercase alphabets and the last three are
numbers?

hashcat -a 3 -m 0 md5_hashes.txt ?l?l?l?d?d?d

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 3000 -q 386F4337

run post/windows/gather/arp_scanner RHOSTS <target subnet range>

msfvenom -p windows/shell_reverse_tcp LHOST=<IP address> LPORT=<port> EXITFUNC=thread -f c -a x86 -b "\x00"

66.Henry, a professional hacker, was hired by an organization to crack the password
of a target server. For this purpose, Henry employed a Python-based tool that helped
him in cracking the passwords of the target server and establishing unauthorized
access to the target network.

Identify the tool employed by Henry in the above scenario.

DPAT

Spytech SpyAgent

Scranos

StegoStick

67.Which of the following tools allows attackers to perform Active Directory (AD)
enumeration to extract sensitive information such as users, groups, domains, and other
resources from the target AD environment?

Fiddler

CxSAST

PowerView

AlienVault USM

68.Which of the following PowerView commands allows attackers to retrieve users
having modification rights for an Active Directory (AD) domain group?

Get-ObjectAcl -SamAccountName "users" -ResolveGUIDs

Get-NetForestCatalog

Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name}

Get-NetForestDomain

69.Which of the following tools is a JavaScript web application that helps attackers
identify complex attack paths in the target Active Directory (AD) environment?

mimikatz

zsteg

Bloodhound

OmniHide Pro

70.Which of the following practices makes an organization’s network vulnerable to
buffer overflow attacks?

Use C programming language instead of Python, COBOL, or Java.

Ensure that the function does not perform a write operation when it reaches the end
after determining the buffer’s size.

Implement Structured Exception Handler Overwrite Protection (SEHOP).

Audit the libraries and frameworks used to develop source code to ensure that they are
not vulnerable.

71.Which of the following techniques acts as a defensive measure against buffer
overflow attacks?

Avoiding code review at the source code level

Allowing the execution of code outside the code space

Implementing automatic bounds checking

Not allowing the compiler to add bounds to all buffers

72.Lee, a professional hacker, decided to launch a few attacks on an organization to
test his hacking skills. In this process, he employed a password cracking technique in
which he merged the entries of one dictionary with those of another dictionary to
produce full names and compound words, consequently cracking a password on the
target system.

Which of the following password attacks did Lee perform in the above scenario?

Markov-chain attack

Combinator attack

Fingerprint attack

Toggle-case attack

73.You have retrieved the raw hash values from a Windows 2000 Domain Controller.
Using social engineering, you know that they are enforcing strong passwords. You
understand that all users are required to use passwords that are at least eight characters
in length. All passwords must also use three of the four following categories: lower-
case letters, capital letters, numbers, and special characters. With your given
knowledge of users, likely user account names, and the possibility that they will
choose the easiest passwords possible, what would be the fastest type of password
cracking attack you can run against these hash values to get results?

Brute-Force attack

Replay attack

Dictionary attack

Hybrid attack

74.Which of the following attacks is similar to a brute-force attack but recovers
passwords from hashes with a specific set of characters based on information known
to the attacker?

Mask attack

Combinator attack

Wire sniffing

Fingerprint attack

75.Given below are the various steps involved in performing a GPU-based attack.

1. When the victim installs the malware-loaded application, the malware starts
accessing the browser’s OpenGL API.

2. When the victim accesses any website via the browser, attackers can copy
every character entered by the victim on the password field of the website.

3. The malware on OpenGL API sets up a spy on the device to track activities on
the browser.

4. The attacker lures or forces the victim into visiting an insecure site or
downloading a malware-loaded application on their system.

Identify the correct sequence of steps.

3 -> 2 -> 4 -> 1

2 -> 1 -> 3 -> 4

1 -> 3 -> 2 -> 4

4 -> 1 -> 3 -> 2

76.Which of the following is a password cracking tool that allows attackers to reset
the passwords of the Windows local administrator, domain administrator, and other
user accounts?

DeepSound

OmniHide Pro

Audio Spyware

Secure Shell Bruteforcer

77.Identify the PowerView command that allows attackers to identify all the live hosts
available within the current domain.

Get-NetComputer -Ping

Invoke-EnumerateLocalAdmin

Get-DomainSID

Get-DomainPolicy

78.Which of the following tools allows attackers to collect host information including
PowerShell security settings, Kerberos tickets, and items in Recycle Bin?

Veracode

Robber

GhostPack Seatbelt

Dylib Hijack Scanner

79.Which of the following practices helps security experts defend an organizational
network against various password cracking attempts?

Use passwords that can be found in a dictionary.

Employ geo-lock accounts to restrict users from logging in from different locations.

Always use the same password during a password change.

Disable information security auditing.

80.Which of the following practices makes an organization’s network vulnerable to
buffer overflow attacks?

Implement Structured Exception Handler Overwrite Protection (SEHOP).

Audit the libraries and frameworks used to develop source code to ensure that they are
not vulnerable.

Ensure that the function does not perform a write operation when it reaches the end
after determining the buffer’s size.

Use C programming language instead of Python, COBOL, or Java.

81.Which of the following tools is used for cracking passwords?

John the Ripper

OpenVAS

Nikto

Havij

82.What statement is true regarding LAN Manager (LM) hashes?

LM hashes consist of 48 hexadecimal characters.

LM hashes limit the password length to a maximum of 14 characters.

Uppercase characters in the password are converted to lowercase.

LM hashes are based on AES128 cryptographic standard.

83.A computer science student needs to fill some information into a password
protected Adobe PDF job application that was received from a prospective employer.
Instead of requesting the password, the student decides to write a script that pulls
passwords from a list of commonly used passwords to try against the secured PDF
until the correct password is found or the list is exhausted. Identify the type of
password attack.

Brute-force attack

Session hijacking

Dictionary attack

Man-in-the-middle attack

84.Identify the PowerView command that retrieves information related to the current
domain including domain controllers (DCs).

(Get-DomainPolicy)."SystemAccess"

Get-NetDomain

Get-NetGroup -UserName <"username">

Get-DomainSID

85.Identify the tool that uses graph theory to reveal hidden and often unintended
relationships within an Active Directory (AD) environment.

One Click Root

Bluesnarfing

Bloodhound

Bluebugging

86.Aster, a professional hacker, was tasked with identifying insecurities in an
organizational network. For this purpose, Aster employed a toolset to perform security
checks and find insecurities, which can be exploited to launch active attacks.

Which of the following tools did Aster employ in the above scenario?

GhostPack Seatbelt

xHelper

X-Ray

FaceNiff

87.Identify the practice that makes an organizational network susceptible to
LLMNR/NBT-NS poisoning attacks.

Implement SMB signing to prevent relay attacks.

Control LLMNR, NBT-NS, and mDNS traffic using host-based security tools.

Monitor specific event IDs such as 4697 and 7045, which can be indicators of relay
attacks.

Never monitor the host on UDP ports 5355 and 137.

88.Which of the following misconfigured services allows attackers to deploy
Windows OS without the intervention of an administrator?

Modifiable registry autoruns

Service object permissions

Unattended installs

Unquoted service paths

89.Which of the following is a shim that runs in the user mode and is used by
attackers to bypass UAC and perform different attacks including the disabling of
Windows Defender and backdoor installation?

launchd

Schtasks

WinRM

RedirectEXE

90.What is the best defense against a privilege escalation vulnerability?

Never place executables in write-protected directories.

Never perform debugging using bounds checkers and stress tests and increase the
amount of code that runs with particular privilege.

Review user roles and administrator privileges for maximum utilization of automation
services.

Run services with least privileged accounts and implement multifactor authentication
and authorization.

91.Which of the following techniques allows attackers to inject malicious script on a
web server to maintain persistent access and escalate privileges?

Web shell

Launch daemon

Scheduled task

Access token manipulation

92.George, a professional hacker, targeted an organization’s server to sniff the data
and files passing through the server. For this purpose, he initially gained access to a
low-privilege user account. Then, he exploited a misconfiguration in a communication
protocol that uses port 2049 to gain root-level access to a remote server.

Which of the following privilege escalation techniques did George exploit in the
above scenario?

Privilege escalation using DLL hijacking

Privilege escalation using network file system

Privilege escalation by bypassing user account control (UAC)

Privilege escalation using Windows sticky keys

93.Don, a professional hacker, targeted a Windows-based system to implant a fake
domain controller (DC). To achieve his goal, he modified the configuration settings of
domain policies to perform unintended activities such as creating a new account,
disabling or modifying internal tools, ingress tool transfer, unwanted service
executions, and extracting passwords in plaintext.

In which of the following paths did Don find the domain policies folder?

C:\Windows\System32\osk.exe

C:\Windows\Panther\UnattendGC\

\<DOMAIN>\SYSVOL\<DOMAIN>\

C:\Windows\system32>nltest/domain_trusts

94.Which of the following is a post-exploitation tool used to check for common
misconfigurations and find a way to escalate privileges?

L0phtCrack

CCleaner

rtgen

BeRoot

95.Cooper, a professional hacker, managed to gain unauthorized access to a target
system. To escalate privileges and maintain persistence, he created a new process via
the CreateProcess API by abusing system processes such as svchost.exe.
Consequently, Cooper bypassed security mechanisms that restrict process spawning
from a root process and escalated privileges.

Which of the following techniques did Cooper implement to escalate privileges in the
above scenario?

SID-History injection

Access token manipulation

Parent PID spoofing

Abusing SUID and SGID permissions

96.Which of the following terms refers to a unique value assigned to each user and
group account issued by the domain controller (DC) at the time of creation?

Uniform Resource Identifier (URI)

Service set identifier (SSID)

Basic service set identifier (BSSID)

Security Identifier (SID)

97.Which of the following tools allows attackers to obtain detailed information about
the kernel, which can be used to escalate privileges on the target system?

clearev

CrackMapExec

pwdump7

linpostexp

98. Which of the following best practices should be adopted to defend against
spyware?

Read all disclosures before installing an application

Always use the administrative mode

Download open-source music files, screensavers, or emoticons

Disable a firewall to enhance the security level of the computer


99. Which of the following types of rootkits replaces original system calls with fake
ones to hide information about the attacker?

Boot-loader-level rootkit

Hypervisor-level rootkit

Library-level rootkit

Hardware/firmware rootkit

100. Which of the following best practices should be followed to defend against
rootkits?

Uninstall network and host-based firewalls

Login to an account with administrative privileges

Adhere to the least privilege principle

Reinstall OS/applications from a third-party or unknown source

101. Which of the following types of steganography involves the process of
converting sensitive information into user-definable free speech, such as a play?

Spam/email steganography

Natural text steganography

Document steganography

Web steganography

102. Ben, a professional hacker, is performing attacks on a target organization. In this
process, he performed a steganography attack with a known stego-object,
steganography tool, and algorithm used to hide the message.

Which of the following types of steganography attacks did Ben perform on the target
organization?

Chi-square attack

Chosen-stego attack

Chosen-message attack

Stego-only attack

103. Which of the following are valid types of rootkits? (Choose three.)

Network level

Hypervisor level

Physical level

Application level

Kernel level

Data access level

104. Which of the following techniques refers to the art of hiding data “behind” other
data without the target’s knowledge?

Scanning

Enumeration

Steganography

Footprinting

105. Which of the following measures makes an organizational network vulnerable to
spyware attacks?

Avoid connecting to unknown/rogue devices or networks.

Do not install anti-tracking-based browser extensions.

Check an app’s legitimacy before providing permissions.

Bookmark frequently visited websites for safe browsing.

106. Which of the following countermeasures allows security experts to defend
against rootkits?

Use configuration management and vulnerability-scanning tools to verify the effective
deployment of updates.

Surf the Internet while logged into an administrator account.

Skip reading the instructions in the end-user license agreement (EULA) before
installing software.

Disable write protection on the motherboard to prevent BIOS from being infected by a
rootkit.

107. Which of the following is a PowerShell toolset for building malicious WMI event
subscriptions?

GFI LanGuard

PowerLurk

Hashcat

Immunity’s CANVAS

108. Which of the following commands allows an attacker to retrieve all the users
who have shell access?

/sbin/ifconfig -a

ls -la /etc/cron.d

egrep -e '/bin/(ba)?sh' /etc/passwd

cat /etc/redhat* /etc/debian* /etc/*release

109. Which of the following post-exploitation wmic commands allows attackers to
retrieve the service name and path of executable files?

wmic os where Primary='TRUE' reboot

wmic useraccount get name, sid

wmic service get name,displayname,pathname,startmode > wmic_service.txt

wmic /node:"" product get name,version,vendor

110. In which of the following steganography techniques does a user implement a
sequence of modifications to the cover to obtain a stego-object?

Spread spectrum techniques

Transform domain techniques

Distortion techniques

Substitution techniques

111. Which one of the following techniques is used by attackers to hide their
programs?

Enumeration

Scanning

NTFS stream

Footprinting

112. Which one of the following software programs helps attackers gain
unauthorized access to a remote system and perform malicious activities?

Antivirus

Anti-spyware

Rootkit

Keylogger

113. Which of the following steganography techniques allows the user to add white
spaces and tabs at the end of the lines?

Image steganography

Folder steganography

Video steganography

Document steganography

114. In a Windows system, an attacker was found to have run the following
command: type C:\SecretFile.txt >C:\LegitFile.txt:SecretFile.txt. What does the above
command indicate?

Attacker has used Alternate Data Streams to copy the content of SecretFile.txt file
into LegitFile.txt

Attacker was trying to view SecretFile.txt file hidden using an Alternate Data Stream

Attacker has used Alternate Data Streams to rename SecretFile.txt file to LegitFile.txt

Attacker has used Alternate Data Streams to hide SecretFile.txt file into LegitFile.txt

115. Which of the following is a form of malware that attackers use to inject false
credentials into domain controllers (DCs) to create a backdoor password?

NTFS data stream

Skeleton key

Keylogger

Spyware

116. Joseph, a professional hacker, was tasked with compromising the security of an
organization's Active Directory (AD) environment. After gaining access to the target
host, Joseph abused the SDProp process to establish persistence. Further, he added a
new user account to the ACL to gain GenericAll privileges, which are equivalent to
the privileges of the domain administrator.

Which of the following attacks did Joseph perform in the above scenario?

Cross-site scripting (XSS) attack

Domain persistence through AdminSDHolder

Persistence by abusing boot or logon autostart executions

Rainbow table attack

117. Which of the following practices helps security professionals defend a network
against persistence attacks?

Restrict domain users within a local administrator group across multiple systems.

Never restrict credential overlap within systems to maximize lateral movement.

Allow all the inbound traffic through Windows Firewall.

Never deploy the Kerberos validation tool for verifying the legitimacy of individual
tickets.

118. Harry recently joined an organization and was assigned a system that was used
by a previous employee. While working on the system, he observed that the system
was behaving in a suspicious manner and raised a complaint. After investigation, the
security team found software that allows an attacker to monitor everything users do on
the computer.

Which of the following software did the attacker install on the target system?

CCleaner

Stream Armor

GFI LanGuard

NetVizor

119. Harper, a security professional in an organization, was instructed to increase the
security of the organization. In this process, he trained the employees on the best
practices that they should employ to defend against keyloggers.

Which of the following is NOT a countermeasure to defend against keyloggers?

Use pop-up blockers and avoid opening junk emails

Install antivirus programs and keep the signatures up to date

Recognize phishing emails and delete them

Never update and patch system software

120. Don, a professional hacker, compromised a legitimate user’s privileges to gain
control over the Active Directory (AD) environment. Using the privileges, he further
compromised the KRBTGT service and obtained a password hash to forge TGTs.
Using the forged TGTs, Don impersonated a legitimate user and gained access to
other resources.

Identify the attack performed by Don in the above scenario.

Directory traversal attack

Insertion attack

Mask attack

Golden ticket attack

121. Which of the following commands is used by an attacker to delete only the
history of the current shell and retain the command history of other shells?

cat /dev/null > ~/.bash_history && history -c && exit

history -c

history -w

export HISTSIZE=0

122. Which of the following Windows command-line tools is utilized by an attacker to
overwrite data for preventing recovery in the future and also encrypt and decrypt data
in NTFS partitions?

Auditpol.exe

ATTRIB.exe

adslist.exe

Cipher.exe

123. Which of the following commands allows an attacker having administrator
privileges to hide any file or folder in a Windows system?

mkdir .HiddenMaliciousFiles

net user <UserName> /add

attrib +h +s +r <FolderName>

net user <UserName> /active:no

124. Which of the following countermeasures allows a security professional to defend
against techniques for covering tracks?

Periodically back up log files to alterable media

Ensure that new events overwrite old entries in log files

Leave all unused open ports and services as they are

Activate the logging functionality on all critical systems

125. Which of the following techniques is used by the attackers to clear online tracks?

Disable LLMNR and NBT-NS services

Disable LAN manager

Disable auditing

Disable the user account

126. Which of the following techniques opens the door for malware entry when users
and IT administrators do not update their application software as often as they should?

Insecure patch management

Network propagation

Browser and email software bugs

Instant messenger applications

127. Which of the following channels is used by an attacker to hide data in an
undetectable protocol?

Covert

Overt

Classified

Encrypted

128. In which of the following phases of the advanced persistent threat lifecycle does
an attacker inject malicious code or malware into the target system to initiate an
outbound connection?

Cleanup

Initial intrusion

Preparation

Persistence

129. Which of the following types of Trojans is used by an attacker to create fake
form fields on e-banking pages and collect the target’s account details, credit-card
number, and date of birth to impersonate the target and compromise their account?

HTML injection

Covert credential grabber

Form grabber

TAN grabber

130. Which of the following types of Trojans intercepts the victim’s account
information before the system can encrypt it and sends the intercepted information to
the attacker's command-and-control center?

Rootkit Trojans

Backdoor Trojans

Destructive Trojans

E-banking Trojans

131. Which of the following techniques rely on tunneling to transmit one protocol data
in another protocol?

Scanning

Steganography

Covert channel

Asymmetric routing

132. Which of the following is a program that is installed without the user’s
knowledge and can bypass the standard system authentication or conventional system
mechanism like IDS, firewalls, etc. without being detected?

Proxy Server Trojans

Remote Access Trojans

Covert Channel Trojans

Backdoor Trojans

133. What is the sole purpose of writing destructive Trojans?

To copy itself to the system and create a scheduled task that executes the copied
payload

To stop the working of security programs such as firewall and IDS

To trick the victim into installing the malicious application

To randomly delete files, folders, registry entries, and local and network drives

134.Which of the following ports is used by Trojans such as WannaCry, Petya, and
Dragonfly 2.0?

421

445

443

456

135. Identify the Botnet Trojan that exhibits the following characteristics:

Login attempts with 60 different factory default username and password pairs

Built for multiple CPU architectures (x86, ARM, Sparc, PowerPC, Motorola)

Connects to CnC to allow the attacker to specify an attack vector

Increases bandwidth usage for infected bots

Identifies and removes competing malware

Mirai

PlugBot

Windigo

Ramnit

136. Which of the following types of viruses overwrites a part of the host file with a
constant without increasing the length of the file and while preserving its
functionality?

Sparse infector viruses

Cavity viruses

Polymorphic viruses

Metamorphic viruses

137. Which of the following types of viruses is programmed in such a manner that
they rewrite themselves completely each time they infect a new executable file?

Encryption virus

FAT virus

Shell virus

Metamorphic virus

138. Ben, a security professional in an organization, received several complaints about
abnormal behavior in the network. Upon research, he found that some of the
employees clicked on malicious attachments in their emails.

In which of the following stages of the virus lifecycle is the virus activated when the
user performs specific actions such as running an infected program?

Execution of the damage routine

Detection

Launch

Incorporation

139. Mark, a professional hacker, was hired to disrupt the operations of an
organization. In this process, he injected a virus into the target network that is
designed to confuse or trick deployed antivirus systems for preventing them from
detecting the actual source of the infection.

Which of the following types of viruses did Mark use on the target organization?

Add-on virus

Armored virus

Web scripting virus

Logic bomb virus

140. Which of the following malware is a self-replicating program that produces its
code by attaching copies of itself to other executable codes and operates without the
knowledge of the user?

Trojan

Exploit kit

Worm

Virus

141. During malware reverse engineering and analysis, Sheena has identified
following characteristics present in the malware:

Self-replicating

Reprograms itself

Cannot be detected by antivirus

Changes the malicious code with each infection

What is the type of malware identified by Sheena?

Botnet Trojan

Polymorphic virus

Covert Channel Trojan

Metamorphic virus

142. Which virus has the following characteristics:

1. Inserts dead code

2. Reorders instructions

3. Reshapes the expressions

4. Modifies program control structure

Macro virus

Cluster virus

Stealth virus

Metamorphic virus

143. Identify the malware that allows attackers to crash targeted devices and running
processes, applications, and VMs during their encryption process.

Necurs

Horse Pill

BlackCat

iSpy

144. In which stage of a fileless malware attack does an attacker perform data exfiltration
and credential harvesting?

Point of entry

Achieving objectives

Code execution

Persistence

145. Which of the following techniques is used to compute the hash value for a given binary
code to uniquely identify malware or periodically verify changes made to the binary code
during analysis?

File fingerprinting

Local and online malware scanning

Malware disassembly

Strings search

146. Which of the following file dependencies is a networking DLL that helps connect to a
network or perform network-related tasks?

Ntdll.dll

Advapi32.dll

Kernel32.dll

WSock32.dll

147. In the below command, identify the parameter that displays active TCP connections and
includes the process ID (PID) for each connection.

netstat [-a] [-e] [-n] [-o] [-p Protocol] [-r] [-s] [Interval]

[-a]

[-n]

[-s]

[-o]

148. Marina is a malware analyst with a bank in London. One day, she suspects a file to be
malware and tries to perform static analysis to identify its nature. She wants to analyze the
suspicious file and extract the strings embedded in it into a readable format. Which of
the following tools can she use to perform this task?

UPX

ASPack

BinText

PE Explorer

149. Which of the following analysis techniques involves going through the executable
binary code without actually executing it to have a better understanding of the malware and
its purpose?

System baselining

Dynamic malware analysis

Static malware analysis

Spectrum analysis

150. Which of the following is an application that is used for determining file types
and that lets users easily add their own algorithms for detecting or modifying existing signatures?

Runscope

pagestuff

TCPView

Detect It Easy (DIE)


151. Which of the following is a debugging tool that allows security experts to
identify the language used for programming malware and APIs and to reveal their
function?

Universal Radio Hacker

KillerBee

beSTORM

x64dbg

152. Which of the following tools allows security analysts to retrieve information
about one or more ELF object files and extract static artifacts from an ELF
executable?

Gqrx

readelf

Foren6

RFCrack

153. Which of the following is a malware analysis platform that scans files, URLs,
endpoints, and memory dumps; extracts strings from malware samples; and
identifies whether those strings are used in other files?

Fing

Intezer

Cydia

Apricot

154. Which of the following is a cross-platform tool developed by QuarksLab for
parsing and manipulating different executable formats including Mach-O binary
formats?

Loggly

DriverView

Verisys

LIEF

155. Identify the utility that can be used to view Mach-O executable files and find
information regarding the logical pages associated with those files.

pagestuff

BeRoot

Veracode

Robber

156. Which of the following commands allows security analysts to analyze malicious
Microsoft Office documents and identify the streams containing macros?

python oledump.py '<path to the suspect document>'

readelf -l <malware-sample>

strings malware-sample > str.txt

readelf -s <malware-sample>

157. Which of the following acts as an interface between an application and the
kernel and provides an interface for processes that are activated by an OS?

Registry

Mach-O

Syscalls

Portable Executable

158. In which of the following phases of an ElectroRAT attack involves the use of
malware for forcing victims into connecting to their cryptocurrency exchange
accounts and for recording credentials or API keys entered on their keyboard?

Deploying malware

Maintaining persistence

Exploitation

Initial propagation and infection

159. Identify the fileless malware that allows attackers to create a stealthy backup
backdoor that can continue operation even after the primary backdoor is detached
from the infected machine.

Arachni

SockDetour

Weevely

Fuzzapi

160. Given below are the attack steps involved in the SockDetour fileless malware
infection flow.

1. SockDetour is loaded.

2. DonutLoader shellcode is injected into the target’s process.

3. PowerSploit memory injector injects shellcode into the target’s process.

4. SockDetour establishes a C2 connection with the attacker.

5. A hook is bound to the Winsock accept() function using the Detours library.

6. Non-C2 requests are directed to their original services.

Identify the correct sequence of steps involved in the SockDetour fileless malware
infection flow.

4 -> 3 -> 1 -> 6 -> 2 -> 5

3 -> 2 -> 6 -> 5 -> 1 -> 4

1 -> 3 -> 2 -> 4 -> 5 -> 6

3 -> 2 -> 1 -> 5 -> 4 -> 6

161. In which of the following phases of an Emotet malware attack does Emotet
communicate with a malicious C&C Server to receive a malicious payload and
upgrade itself to exploit the system?

Infection

Network propagation

Maintaining persistence

System compromise

162. While preparing testbeds for malware analysis, which of the following
techniques is used to manually perform dynamic analysis?

Log analyzers

Registry/configuration tools

Sandbox

File/data analysis

163. Which of the following sections of the PE file contains instructions and program
code that the CPU executes?

.text

.rsrc

.rdata

.data
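
The section table is where a static analyst reads the answer to the question above: the `.text` section carries the IMAGE_SCN_CNT_CODE and IMAGE_SCN_MEM_EXECUTE characteristics, while `.rdata`, `.data` and `.rsrc` carry data flags. The following is an added example, not code from the question bank or any tool it names; it parses the DOS header, PE signature, COFF header and section table with nothing but `struct`, and runs cheap packing heuristics (an entry point outside `.text`, a section that is both writable and executable, code that is empty on disk). The sample PE is constructed in the block and contains headers only; it is not a real program.

```python
import struct
from dataclasses import dataclass

# IMAGE_SECTION_HEADER characteristic bits (winnt.h)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_FMT = "<8sIIIIIIHHI"   # 40-byte IMAGE_SECTION_HEADER
COFF_FMT = "<HHIIIHH"          # 20-byte IMAGE_FILE_HEADER


@dataclass(frozen=True)
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_pointer: int
    characteristics: int

    @property
    def executable(self) -> bool:
        return bool(self.characteristics & IMAGE_SCN_MEM_EXECUTE)

    @property
    def writable(self) -> bool:
        return bool(self.characteristics & IMAGE_SCN_MEM_WRITE)

    def contains_rva(self, rva: int) -> bool:
        size = max(self.virtual_size, self.raw_size)
        return self.virtual_address <= rva < self.virtual_address + size


def parse_pe(data: bytes):
    """Return (AddressOfEntryPoint, [Section, ...]) by walking the headers only."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from(COFF_FMT, data, coff_off)
    opt_off = coff_off + struct.calcsize(COFF_FMT)
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (0x10B, 0x20B):            # PE32 / PE32+
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]   # same offset in PE32 and PE32+
    sections, off = [], opt_off + opt_size
    for _ in range(nsections):
        name, vsize, va, rsize, rptr, _rel, _ln, _nrel, _nln, chars = struct.unpack_from(SECTION_FMT, data, off)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), vsize, va, rsize, rptr, chars))
        off += struct.calcsize(SECTION_FMT)
    return entry_rva, sections


def executable_sections(sections):
    return [s.name for s in sections if s.executable]


def entry_section(data: bytes):
    entry, sections = parse_pe(data)
    return next((s.name for s in sections if s.contains_rva(entry)), None)


def packing_indicators(data: bytes):
    """Heuristics an analyst checks before spending time in a disassembler."""
    entry, sections = parse_pe(data)
    findings = []
    for s in sections:
        if s.writable and s.executable:
            findings.append(f"{s.name}: writable and executable (self-modifying code or unpacking stub)")
        if s.executable and s.raw_size == 0 and s.virtual_size > 0:
            findings.append(f"{s.name}: executable but empty on disk (filled at run time)")
    where = entry_section(data)
    if where != ".text":
        findings.append(f"entry point {entry:#x} lies in {where!r}, not in .text")
    return findings


def build_sample_pe(entry_rva=0x1000, text_flags=IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ):
    """Constructed minimal PE32+ headers (no code, not a runnable program) to exercise the parser."""
    sections = [
        (b".text", 0x200, 0x1000, 0x200, 0x400, text_flags),
        (b".rdata", 0x100, 0x2000, 0x200, 0x600, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
        (b".data", 0x100, 0x3000, 0x200, 0x800, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        (b".rsrc", 0x100, 0x4000, 0x200, 0xA00, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    ]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                       # e_lfanew at 0x3C
    opt = struct.pack("<HBBIIII", 0x20B, 14, 0, 0x200, 0x400, 0, entry_rva).ljust(240, b"\0")
    coff = struct.pack(COFF_FMT, 0x8664, len(sections), 0, 0, 0, len(opt), 0x22)
    table = b"".join(struct.pack(SECTION_FMT, n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in sections)
    return (dos + b"PE\0\0" + coff + opt + table).ljust(0x400, b"\0")


if __name__ == "__main__":
    entry, secs = parse_pe(build_sample_pe())
    for s in secs:
        print(f"{s.name:8} va={s.virtual_address:#07x} raw={s.raw_size:#06x} "
              f"{'X' if s.executable else '-'}{'W' if s.writable else '-'}")
    print("entry point in", entry_section(build_sample_pe()))
    print(packing_indicators(build_sample_pe(entry_rva=0x4000, text_flags=0xE0000020)))
```

Real samples are read with `parse_pe(open(path, "rb").read())`; the heuristics are indicators, not verdicts, since linkers and legitimate packers produce the same patterns.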

164. Joe, a security professional in an organization, employed a tool that provides
information about the files in the organization such as the full path of the file, date of
creation, date of modification, file size, file attributes, file version, and extension to
compare similar files and identify any changes to the data.

Which of the following tools did Joe employ to perform file fingerprinting?

HashMyFiles

Netcraft

ShellPhish

GiliSoft File Lock Pro
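
File fingerprinting, as questions 145 and 164 describe it, is two operations: computing digests that identify a sample exactly, and snapshotting a set of files before and after some event (a sandbox run, a suspected tampering) to see what changed. The following is an added example, not code from the question bank or from HashMyFiles; it hashes in fixed-size chunks so large samples are never loaded whole, keeps MD5 and SHA-1 only because threat-intelligence feeds still publish them, and compares two snapshots by SHA-256. The temporary files in the main block are constructed stand-ins for a suspect binary.

```python
import hashlib
import io
import os
from dataclasses import dataclass

CHUNK_SIZE = 1 << 16


@dataclass(frozen=True)
class Fingerprint:
    name: str
    size: int
    md5: str
    sha1: str
    sha256: str


def _hash_stream(name: str, stream) -> Fingerprint:
    """Read once, feed every digest; memory use is bounded by CHUNK_SIZE."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    size = 0
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        size += len(chunk)
        md5.update(chunk)
        sha1.update(chunk)
        sha256.update(chunk)
    return Fingerprint(name, size, md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest())


def fingerprint_bytes(data: bytes, name: str = "<memory>") -> Fingerprint:
    return _hash_stream(name, io.BytesIO(data))


def fingerprint_file(path: str) -> Fingerprint:
    with open(path, "rb") as fh:
        return _hash_stream(os.path.basename(path), fh)


def fingerprint_tree(root: str) -> dict:
    """Snapshot every file under root, keyed by path relative to root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            baseline[os.path.relpath(full, root)] = fingerprint_file(full)
    return baseline


def diff_baseline(before: dict, after: dict) -> dict:
    """What appeared, vanished, or changed between two snapshots."""
    added = sorted(k for k in after if k not in before)
    removed = sorted(k for k in before if k not in after)
    modified = sorted(k for k in before if k in after and before[k].sha256 != after[k].sha256)
    return {"added": added, "removed": removed, "modified": modified}


def match_known_bad(fps, bad_sha256: set) -> list:
    """Exact-hash IOC lookup; one changed byte defeats it, which is why the diff above matters too."""
    return sorted(fp.name for fp in fps if fp.sha256 in bad_sha256)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sample.bin")
        with open(sample, "wb") as fh:
            fh.write(b"MZ\x90\x00" + b"A" * 1000)      # constructed stand-in for a suspect binary
        before = fingerprint_tree(tmp)
        with open(sample, "ab") as fh:
            fh.write(b"\x00")                             # the sample modifies itself
        with open(os.path.join(tmp, "dropped.dll"), "wb") as fh:
            fh.write(b"dropped payload")                  # and drops a second file
        after = fingerprint_tree(tmp)
        for k, fp in before.items():
            print(f"{fp.sha256}  {k}  ({fp.size} bytes)")
        print(diff_baseline(before, after))
```

Fuzzy hashes (ssdeep, TLSH) are the usual complement when a family rather than an exact sample is being tracked; they need third-party libraries and are left out here.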

165. Identify the monitoring tool that exhibits the following features:

Reliable capture of process details, including image path, command line, user, and session ID.

Configurable and moveable columns for any event property.

Filters can be set for any data field, including fields not configured as columns.

Advanced logging architecture scales to tens of millions of captured events and gigabytes of log data.

Process tree tool shows the relationship of all processes referenced in a trace.

Native log format preserves all data for loading in a different Process Monitor instance.

Process Monitor

IDA Pro

TCPView

Netstat

166. Identify the tool that allows security analysts to identify malicious code and
Objective-C methods such as deleteAppBySelf during malware analysis.

pagestuff

RemoteExec

Splint

Pupy

167. Which of the following countermeasures helps security professionals in
preventing Trojan attacks?

Disable unused functionalities including protocols and services

Accept programs transferred by instant messaging

Allow all unnecessary ports at the host and do not use a firewall

Download and execute applications from untrusted sources

168. Which of the following is the best practice for protecting a system from
backdoor attacks?

Run registry monitoring tools to find malicious registry entries added by a backdoor

Use untrusted software and ensure that the firewall is turned off

Never inspect network packets using protocol monitoring tools

Do not remove malicious registry entries added by a backdoor Trojan

169. Which of the following countermeasures helps security professionals defend
against fileless malware attacks?

Implement multi-layer security to detect and defend against memory-resident
malware

Allow all the incoming network traffic or files with the .exe format

Enable macros and do not use digitally signed trusted macros

Add all the administrative tools and restrict access through Windows Group Policy or
Windows AppLocker

170. Davis, a network engineer, was instructed to strengthen the network security of
an organization. In this process, he introduced a few best practices for the
employees to defend against Trojan attacks.

Which of the following is a best practice to defend against Trojan attacks?

Scan external USB drives and DVDs with antivirus software before using them

Open email attachments received from unknown senders

Always accept programs transferred by instant messaging

Download and execute applications from untrusted sources

171. Identify the practice that can make an organizational network vulnerable to
Trojan attacks and data breaches.

Run host-based antivirus, firewall, and intrusion detection software.

Avoid downloading and executing applications from untrusted sources.

Enable the autorun option for external devices such as USB drives and hard drives.

Monitor the internal network traffic for odd ports or encrypted traffic.

172. In which of the following OSI layers do sniffers operate and perform an initial
compromise?

Network layer

Physical layer

Transport layer

Data link layer

173. Which of the following techniques is used by a third party to monitor telephone
or Internet conversations with covert intentions?

DNS spoofing

VLAN hopping

Wiretapping

ARP spoofing

174. Which of the following security measures should be followed to defend against
DNS spoofing?

Allow DNS requests to be sent to external servers

Do not restrict DNS zone transfers to a limited set of IP addresses

Avoid using DNS non-existent domain (NXDOMAIN) rate limiting

Restrict the DNS recursion service, either fully or partially, to authorized users

175. Which of the following Cisco switch port configuration commands is used to
enter a secure MAC address for the interface and the maximum number of secure
MAC addresses?

switchport port-security mac-address mac_address

switchport port-security limit rate invalid-source-mac

switchport port-security maximum value

switchport port-security mac-address sticky

176. Which of the following measures should NOT be followed to prevent DNS
spoofing attacks?

Secure internal machines

Maintain a single or specific range of IP addresses to login to the systems

Implement an intrusion detection system (IDS) and deploy it correctly

Allow outgoing traffic to use UDP port 53 as a default source port

177. Which of the following techniques is used by attackers to compromise the
security of network switches that connect network segments and force a switch to
act as a hub to sniff the traffic easily?

MAC flooding

ARP spoofing

Switch spoofing

Wiretapping

178. Which of the following IOS global commands verifies the DHCP snooping
configuration?

show ip dhcp snooping

ip dhcp snooping trust

no ip dhcp snooping information option

ip dhcp snooping

179. Which of the following DNS poisoning techniques uses ARP poisoning against
switches to manipulate the routing table?

DNS cache poisoning

Proxy server DNS poisoning

Internet DNS spoofing

Intranet DNS spoofing

180. What method should be incorporated by a network administrator to protect
the organization’s network against ARP poisoning?

Resolve all DNS queries to local DNS server

Implement dynamic arp inspection (DAI) using the dynamic host configuration
protocol (DHCP) snooping binding table

Use secure shell (SSH) encryption

Use SSL for secure traffic

181. A network administrator wants to configure port security on a Cisco switch.
Which of the following commands helps the administrator enable port security on
an interface?

switchport port-security maximum 1

switchport port-security aging time 2

switchport port-security

switchport port-security aging type inactivity


182. Which of the following is a type of network protocol for port-based network
access control (PNAC)?

SSL

SSH

SFTP

IEEE 802.1X suites

183. Martin, a security professional, was tasked with enhancing the security of the
switches connected to their organizational network. For this purpose, he applied the
MAC limiting feature on the switches. Martin then executed a command to verify whether
the MAC limiting process is correctly implemented on each switch.

Identify the command executed by Martin to verify the MAC limiting process on a
specific switch.

show ethernet-switching table

ip dhcp snooping vlan number [number] | vlan {vlan range}]

switchport port-security aging time 2

switchport port-security violation restrict
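
Questions 175, 178, 180, 181 and 183 name the individual IOS commands; in practice an engineer checks that they are applied together, because the features depend on each other: DHCP snooping builds the binding table, Dynamic ARP Inspection and IP Source Guard consult it, and port security caps how many MAC addresses a port may learn (the MAC flooding defense). The following is an added example, not code from the question bank or from Cisco; it audits a running-config text for those dependencies. The sample configuration is constructed here and is not from any real switch; the finding codes are this example's own naming.

```python
import re

# Finding codes; the pseudo-interface "global" carries switch-wide findings.
GLOBAL_SNOOPING_OFF = "GLOBAL_SNOOPING_OFF"   # no 'ip dhcp snooping': no binding table for DAI/IPSG
NO_PORT_SECURITY = "NO_PORT_SECURITY"         # access port can be MAC-flooded into a hub
VLAN_NOT_SNOOPED = "VLAN_NOT_SNOOPED"         # rogue DHCP offers are accepted on this VLAN
VLAN_NO_DAI = "VLAN_NO_DAI"                   # ARP replies are not validated on this VLAN
NO_SOURCE_GUARD = "NO_SOURCE_GUARD"           # IP/MAC spoofing is not filtered on the port
TRUNK_UNTRUSTED = "TRUNK_UNTRUSTED"           # uplink will drop legitimate DHCP server replies


def parse_vlan_list(spec: str) -> set:
    """'10,20-22' -> {10, 20, 21, 22}"""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if part:
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_ios(text: str):
    """Split a running-config into global commands and per-interface command lists."""
    globals_, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            globals_.append(line)
    return globals_, interfaces


def audit(text: str) -> list:
    """Return (interface, finding) pairs in the order the checks run."""
    globals_, interfaces = parse_ios(text)
    findings, snooped, dai = [], set(), set()
    for g in globals_:
        if m := re.match(r"ip dhcp snooping vlan (.+)", g):
            snooped |= parse_vlan_list(m.group(1))
        if m := re.match(r"ip arp inspection vlan (.+)", g):
            dai |= parse_vlan_list(m.group(1))
    if "ip dhcp snooping" not in globals_:
        findings.append(("global", GLOBAL_SNOOPING_OFF))
    for name, cmds in interfaces.items():
        if "switchport mode trunk" in cmds:
            if "ip dhcp snooping trust" not in cmds:
                findings.append((name, TRUNK_UNTRUSTED))
            continue
        if "switchport mode access" not in cmds:
            continue
        vlan = 1
        for c in cmds:
            if m := re.match(r"switchport access vlan (\d+)", c):
                vlan = int(m.group(1))
        if "switchport port-security" not in cmds:
            findings.append((name, NO_PORT_SECURITY))
        if vlan not in snooped:
            findings.append((name, VLAN_NOT_SNOOPED))
        if vlan not in dai:
            findings.append((name, VLAN_NO_DAI))
        if not any(c.startswith("ip verify source") for c in cmds):
            findings.append((name, NO_SOURCE_GUARD))
    return findings


# Constructed sample running-config (not from any real switch).
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
!
interface GigabitEthernet1/0/1
 description uplink to core
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 ip verify source
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet1/0/4
 switchport mode access
 switchport access vlan 30
 switchport port-security
!
"""

if __name__ == "__main__":
    for iface, code in audit(SAMPLE_CONFIG):
        print(f"{iface:24} {code}")
```

Gi1/0/2 passes every check; Gi1/0/3 has no port security and no source guard; Gi1/0/4 sits in VLAN 30, which neither DHCP snooping nor DAI covers, so its binding-table-dependent protections cannot work even if configured.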

184. Ben, a professional hacker, exploited obsolete DNS software on a target
organization’s server to inject harmful DNS records into the server’s DNS cache and
divert all traffic to his servers. With this technique, he attempted to mislead client
browsers to fake websites infected with malicious files, instead of the legitimate
website.

Which of the following types of attacks did Ben perform in the above scenario?

SAD DNS attack

Chi-square attack

DNS amplification attack

Dictionary attack

185. Which of the following is a hacking toolkit that provides various commands to
perform ARP poisoning attacks?

Habu

SPECTER

Traffic IQ Professional

Mole

186. Which of the following fields in an IPv4 DHCP message has a size of 128 octets?

Server name (SNAME)

Hardware address length

Gateway IP address (GIADDR)

File name
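
The fixed part of a DHCP message is laid out as in RFC 2131: after the 16-octet chaddr come the 64-octet sname and the 128-octet file field, followed by the magic cookie and the TLV options. The following is an added example, not code from the question bank; it packs and parses that layout with `struct`, decodes the message type (option 53) and server identifier (option 54), and applies the check a DHCP-snooping switch makes on an untrusted port: server-originated messages are acceptable only from known servers. The DISCOVER and OFFER samples are constructed in the block, not captured traffic.

```python
import struct
from collections import OrderedDict
from dataclasses import dataclass, field

# Fixed-length fields of a BOOTP/DHCP message (RFC 2131 section 2), in order, sizes in octets.
FIELD_LAYOUT = OrderedDict([
    ("op", 1), ("htype", 1), ("hlen", 1), ("hops", 1), ("xid", 4), ("secs", 2), ("flags", 2),
    ("ciaddr", 4), ("yiaddr", 4), ("siaddr", 4), ("giaddr", 4),
    ("chaddr", 16), ("sname", 64), ("file", 128),
])
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"    # 236 octets
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
                 5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


@dataclass
class DhcpMessage:
    op: int
    xid: int
    flags: int
    ciaddr: str
    yiaddr: str
    siaddr: str
    giaddr: str
    chaddr: str
    sname: str
    file: str
    options: dict = field(default_factory=dict)

    @property
    def message_type(self) -> str:
        code = self.options.get(53, b"\0")[0]
        return MESSAGE_TYPES.get(code, f"UNKNOWN({code})")

    @property
    def server_identifier(self):
        sid = self.options.get(54)
        return _ip(sid) if sid else None


def parse_dhcp(data: bytes) -> DhcpMessage:
    assert struct.calcsize(HEADER_FMT) == sum(FIELD_LAYOUT.values()) == 236
    (op, _htype, hlen, _hops, xid, _secs, flags, ciaddr, yiaddr, siaddr, giaddr,
     chaddr, sname, fname) = struct.unpack_from(HEADER_FMT, data, 0)
    if data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (magic cookie missing)")
    options, i = {}, 240
    while i < len(data):                  # TLV options: code, length, value; 0 = pad, 255 = end
        code = data[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        length = data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    mac = ":".join(f"{b:02x}" for b in chaddr[:hlen])
    text = lambda b: b.split(b"\0", 1)[0].decode("ascii", "replace")
    return DhcpMessage(op, xid, flags, _ip(ciaddr), _ip(yiaddr), _ip(siaddr), _ip(giaddr),
                       mac, text(sname), text(fname), options)


def is_rogue_offer(msg: DhcpMessage, authorized_servers: set) -> bool:
    """DHCP snooping on an untrusted port: OFFER/ACK/NAK must come from a known server."""
    if msg.op != 2 or msg.message_type not in ("DHCPOFFER", "DHCPACK", "DHCPNAK"):
        return False
    return (msg.server_identifier or msg.siaddr) not in authorized_servers


def build_dhcp(op, xid, mac: bytes, yiaddr="0.0.0.0", siaddr="0.0.0.0", sname=b"", options=()):
    """Constructed message builder used only for the samples below."""
    def ip(s):
        return bytes(int(x) for x in s.split("."))
    head = struct.pack(HEADER_FMT, op, 1, 6, 0, xid, 0, 0x8000, ip("0.0.0.0"), ip(yiaddr),
                       ip(siaddr), ip("0.0.0.0"), mac.ljust(16, b"\0"), sname.ljust(64, b"\0"),
                       b"\0" * 128)
    opts = b"".join(bytes([code, len(val)]) + val for code, val in options) + b"\xff"
    return head + MAGIC_COOKIE + opts


CLIENT_MAC = bytes.fromhex("001122334455")
SAMPLE_DISCOVER = build_dhcp(1, 0x3903F326, CLIENT_MAC,
                             options=[(53, b"\x01"), (61, b"\x01" + CLIENT_MAC)])
SAMPLE_OFFER = build_dhcp(2, 0x3903F326, CLIENT_MAC, yiaddr="192.168.1.50", siaddr="192.168.1.1",
                          sname=b"dhcp01",
                          options=[(53, b"\x02"), (54, bytes([192, 168, 1, 1])),
                                   (51, struct.pack("!I", 86400)),
                                   (1, bytes([255, 255, 255, 0])), (3, bytes([192, 168, 1, 1]))])

if __name__ == "__main__":
    for pkt in (SAMPLE_DISCOVER, SAMPLE_OFFER):
        m = parse_dhcp(pkt)
        print(m.message_type, m.chaddr, "->", m.yiaddr, "from", m.server_identifier or m.siaddr,
              "rogue" if is_rogue_offer(m, {"192.168.1.1"}) else "ok")
```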

187. Which of the following techniques should be used to defend against MAC
spoofing attacks?

Root guard

IP source guard

Loop guard

BPDU guard

188. Cyrus, a professional hacker, performed an ARP poisoning attack on a target
network by using an automated tool. The tool used by Cyrus sends fake ARP
messages to divert all communications between two machines so that all traffic is
redirected through his machine.

Which of the following tools did Cyrus employ in the above scenario?

Nikto

Nexpose

OpenVAS

Dsniff

189. A tester is attempting to capture and analyze the traffic on a given network and
realizes that the network has several switches. What could be used to successfully
sniff the traffic on this switched network? (Choose three.)

ARP broadcasting

Reverse smurf attack

MAC flooding

MAC duplication

Address resolution protocol (ARP) spoofing

SYN flooding

190. What is the correct pcap filter to capture all transmission control protocol
(TCP) traffic going to or from host 192.168.0.125 on port 25?

host 192.168.0.125:25

port 25 and host 192.168.0.125

tcp.port == 25 and ip.addr == 192.168.0.125

tcp.src == 25 and ip.host == 192.168.0.125

191. Which of the following protocols is not vulnerable to sniffing?

Post office protocol (POP)

Secure sockets layer (SSL)

Hypertext transfer protocol (HTTP)

Telnet and Rlogin


192. In one of the following techniques, a non-broadcast ARP is sent to all the nodes
in a network, and a node running in the promiscuous mode broadcasts a ping
message on the network with the local IP address but a different MAC address.
Which is this technique?

ARP method

Ping method

ARP spoofing

ARP poisoning

193. Which of the following practices makes an organization’s network susceptible to
sniffing attacks?

Use a switch instead of the hub, as a switch delivers data only to the intended recipient

Never implement network segmentation

Use IPv6 instead of IPv4, as IPsec implementation is optional in IPv4 but mandatory in IPv6.

Permanently add the MAC address of the gateway to the ARP cache

194. In which of the following social engineering contexts does an attacker create a feeling of
urgency in a decision-making process and controls the victim’s state of mind to obtain
information?

Consensus

Scarcity

Intimidation

Authority

195. Given below are the different phases involved in a social engineering attack.

1. Develop a relationship

2. Research the target company

3. Select a target

4. Exploit the relationship

Identify the correct sequence of steps involved in a social engineering attack.

2 -> 4 -> 3 -> 1

1 -> 2 -> 3 -> 4

2 -> 3 -> 1 -> 4

2 -> 1 -> 3 -> 4

196. Bad Pete would like to locally log onto a PC located inside a secure facility. He dresses
like a delivery driver and holds a package outside of the secure facility and waits for someone
to open the door. Once he gains entry, he finds an empty office with a PC and gains entry to
the network. What is this type of activity known as?

Social engineering

Open door policy attack

Social equity attack

Personal attack

197. In which of the following social engineering techniques does an attacker call a
company’s help desk while pretending to be someone in a position of authority or relevance
and thereby attempts to extract sensitive information?

Vishing

Shoulder surfing

Diversion theft

Honey trap

198. Which of the following types of phishing attacks targets high-profile individuals such as
CEOs, CFOs, politicians, and celebrities who have complete access to confidential and highly
valuable information?

Whaling

Elicitation

Baiting

Spimming

199. Bob, a professional hacker, targeted Ray, a software engineer, to steal his bank-account
credentials. He crafted a message stating that Ray’s bank account was locked and that Ray
needed to click on a link and login to activate it. Ray panicked and clicked the link, revealing
his credentials to Bob.

Which of the following types of attack did Bob perform on Ray in the above scenario?

Honey trap

Spam email

SMiShing

Chain letters

200. Which of the following techniques is used to distribute malicious links via some
communication channel such as mails to obtain private information from the victims?

Piggybacking

Dumpster diving

Phishing

Vishing

201. Jean Power wants to try and locate passwords from company XYZ. He waits until
nightfall and climbs into the paper recycling dumpster behind XYZ, searching for
information. What is Jean doing?

Social engineering

Password finding

Dumpster diving

Paper tracking

202. John is a college dropout who spends most of his time on social networking sites looking
for people living in his city and gathering their details. One day, he saw a girl's profile and
found her email ID on her timeline. John sent her an email stating that he possessed her
private photos and that, if she failed to provide him with her bank account details, he would
upload those images to social networking sites.

What type of social engineering attack does John attempt on the girl?

Spear Phishing

Pharming

Vishing

Whaling

203. Which of the following types of insiders uses their technical knowledge to identify
weaknesses and vulnerabilities in the company’s network and attempts to sell confidential
information to competitors or black-market bidders?

Compromised insider

Negligent insider

Malicious insider

Professional insider

204. Jasmin, a receptionist in an organization, has received a phishing email embedded with a
malicious link. The email address resembled her manager’s email address. This tricked
Jasmin into clicking on the malicious link; as a result, malicious software automatically got
installed on her system and gave remote access to the attacker.

Identify the type of insider threat discussed in the above scenario.

Malicious insider

Compromised insider

Professional insider

Accidental insider

205. Which of the following signs is an indication of identity theft?

Receiving credit card, bank, or utility statements

There is more than one tax return filed under your name

Familiar charges to your credit card

Receiving electricity, gas, water, or other services bills

206. In which of the following identity thefts does an attacker acquire information from
different victims to create a new identity?

Synthetic identity theft

Tax identity theft

Social identity theft

Identity cloning and concealment

207. Which of the following guidelines will NOT be addressed in physical security policies?

Office security or personnel must escort visitors to designated visitor rooms or lounges

Dispose of old documents that contain valuable information by using equipment such as
paper shredders and burn bins

Be sure to lock or shut down the computer before stepping away from it

Issue identification cards (ID cards) and uniforms, along with other access-control measures,
to the employees of the organization

208. Which of the following is a generic exploit designed to perform advanced attacks
against human elements to compromise a target into offering sensitive information?

Social-engineer toolkit (SET)


NetScanTools Pro

Wireshark

Cain and Abel

209. Which of the following attacks can be prevented by implementing token or biometric
authentication as a defense strategy?

Eavesdropping

Impersonation

Shoulder surfing

Fake SMS

210. Which of the following practices can help individuals protect their online accounts or
profiles against identity theft attacks?

Do not verify requests for personal data

Ensure your name is present on the marketers’ hit lists

Never shred credit card offers and “convenience checks” that are not useful

Utilize trusted digital wallets that provide high security

211. Which of the following practices can make employees or users vulnerable to phishing
attacks?

Respond to emails requesting sensitive information

Confirm the sender before providing any requested information via email

Immediately report social media accounts confirmed to be fake

Verify the profile pictures of a suspicious account by performing a reverse image search

212. Which of the following indicators implies that an email is legitimate and not a phishing
email?

It seems to be from a person listed in your email address book

It includes links to HTTPS websites

It contains offers that seem too good to be true

It has an urgent tone or makes a veiled threat

213. When utilizing technical assessment methods to assess the security posture of a network,
which of the following techniques would be most effective in determining whether end-user
security training would be beneficial?

Network sniffing

Vulnerability scanning

Social engineering

Application security testing

214. Which of the following toolbars is used to provide an open application program
interface (API) for developers and researchers to integrate anti-phishing data into their
applications?

SET

DroidSheep

Netcraft

Metasploit

215. A security consultant decides to scrutinize the information by categorizing information
as top secret, proprietary, for internal use only, for public use, etc. Which of the following
attacks can be mitigated using such a countermeasure?

Scanning attack

Address Resolution Protocol (ARP) spoofing attack

Forensic attack

Social engineering attack

216. Which of the following security practices can help individuals defend themselves
against phishing attacks?

Hover over links to identify whether they point to the correct location

Always provide credentials over the phone

Disable spam filters that detect emails from suspicious sources

Ensure that employees use HTTP websites
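
The first option above, hovering over a link to compare where it really goes with what it appears to be, is the check a mail gateway can automate. The following is an added example, not code from the question bank; it extracts every anchor from an HTML email body with the standard library and flags the patterns from questions 212 and 216: visible text naming one host while the href points at another, non-HTTPS targets, IP-literal hosts, and punycode (`xn--`) labels that may be homographs of a real brand. The email body is constructed here; the domains in it are documentation examples, not real phishing infrastructure.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TEXT_HOST_MISMATCH = "TEXT_HOST_MISMATCH"   # visible text names one host, href goes to another
NOT_HTTPS = "NOT_HTTPS"
PUNYCODE_HOST = "PUNYCODE_HOST"             # xn-- label: possible homograph of a known brand
IP_LITERAL_HOST = "IP_LITERAL_HOST"

# A URL or bare domain that a reader would take as "the site I am going to".
_DOMAINISH = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:].*)?$", re.I)


class _LinkExtractor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _strip_www(host: str) -> str:
    return host[4:] if host.startswith("www.") else host


def _host_in_text(text: str):
    """Host named by link text if the text looks like a URL or domain, else None."""
    m = _DOMAINISH.match(text.strip())
    return _strip_www(m.group(1).lower()) if m else None


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_links(html: str) -> list:
    """Return (href, finding) pairs for every suspicious link in an HTML email body."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            findings.append((href, NOT_HTTPS))
        if _is_ip(host):
            findings.append((href, IP_LITERAL_HOST))
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append((href, PUNYCODE_HOST))
        shown = _host_in_text(text)
        if shown and host and shown != _strip_www(host):
            findings.append((href, TEXT_HOST_MISMATCH))
    return findings


# Constructed phishing-style email body; example.net/.com hosts, not real infrastructure.
SAMPLE_EMAIL = """
<p>Dear customer, your account has been locked.</p>
<p>Restore access at <a href="http://secure-bank-login.example.net/reset">https://www.examplebank.com/reset</a>
within 24 hours.</p>
<p>Questions? See <a href="https://www.examplebank.com/help">our help page</a>.</p>
<p>Mobile users: <a href="https://xn--exmplebank-1wa.com/login">examplebank.com</a></p>
<p>Mirror: <a href="https://203.0.113.7/login">login mirror</a></p>
"""

if __name__ == "__main__":
    for href, code in analyze_links(SAMPLE_EMAIL):
        print(f"{code:20} {href}")
```

The help-page link produces no finding: its text is not a URL, so there is nothing for the href to contradict, and it uses HTTPS on the expected host. A gateway would add a per-tenant allow-list of brand domains on top of these generic checks.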

217. A systems administrator in a company named “We are Secure Ltd.” has encountered
a problem where he suspects the possibility of a cyber attack on his company’s router. He
observed that a vast amount of network traffic is directed toward the network router, causing
router CPU utilization to reach 100% and making it non-functional for legitimate users. What
kind of attack is this?

SQL injection (SQLi) attack

DoS attack

Buffer overflow (BoF) attack

MitM attack

218. Jacob Hacker is a disgruntled employee who was fired from his position as a network
engineer. He downloads a program outside the company that transmits a very small packet to
his former company’s router, thus overloading the router and causing lengthy delays in the
operational service of his former company. He loads the program on a number of computers at
several public libraries and executes them. What type of attack is this?

SSH Brute-Force attack

Man-in-the-middle attack

DDoS attack

HTTP response-splitting attack


221. In which of the following attack techniques does the attacker use a SOCKS proxy to
harvest email addresses from web pages or other sources?

Sniffing traffic

Spamming

Google AdSense abuse

Installing advertisement add-ons

219. In one of the following scanning techniques, an attacker first collects a list of potentially
vulnerable machines, then creates a zombie army, and finally scans this list to find
vulnerable machines. Which is this scanning technique?

Hit-list scanning

Permutation scanning

Topological scanning

Local subnet scanning

220. When a client’s computer is infected with malicious software which connects to the
remote computer to receive commands, the network created with infected computers is called
___________

Bot area network (BAN)

Bot

C&C

Botnet

221. Jobin, an attacker, planned sophisticated and complex DoS/DDoS attacks on a target
organization’s network with the intention of interrupting their network services. In this
process, he used a tool that can take over a single- or multiple-network system to exhaust the
organization’s computing resources and render them unavailable to legitimate employees.

Which of the following DoS/DDoS attack tools did Jobin utilize in the above scenario?

Pupy

HULK

CORE Impact

NetVizor

222. Which of the following statements is not true for a SYN flooding attack?

In a SYN attack, the attacker exploits the three-way handshake method

Attacker sends a TCP SYN request with a spoofed source address to the target server

Attacker sends an ACK response to the SYN/ACK from the target server

Tuning the TCP/IP stack will help reduce the impact of SYN attacks

223. Bob is frustrated with his competitor, Brownies Inc., and he decides to launch an attack
that would result in severe financial losses to his competitor. He plans and executes his attack
carefully at an appropriate moment. Meanwhile, Trent, an administrator at Brownies Inc.,
realized that their primary financial transaction server had been attacked. As a result, one of
their pieces of network hardware is rendered unusable, and he needs to replace or reinstall it
to resume services. This process involves human interaction to fix it. What kind of DoS
attack has been best illustrated in the aforementioned scenario?

Application-level flood attack

Bandwidth attack

Peer-to-peer attack

PDoS attack

224. Which of the following is considered to be a smurf attack?

An attacker sends a large amount of TCP traffic with a spoofed source IP address

An attacker sends a large number of TCP connection requests with a spoofed source IP address

An attacker sends a large amount of ICMP traffic with a spoofed source IP address

An attacker sends a large number of TCP/user datagram protocol (UDP) connection requests

225. Which of the following volumetric attack techniques sends messages to the broadcast
IP address in order to increase the traffic toward a victim system and consume its entire
bandwidth?

Flood attack

Application layer attacks

Protocol attack

Amplification attack

226. Which of the following tools allows an attacker to perform DoS/DDoS attacks on a web
server from a mobile device?

Akamai

AnDOSid

A10 Thunder TPS

FortiDDoS-1200B

227. The DDoS tool created by Anonymous sends junk HTTP GET and POST requests to
flood the target. Its second version (the first version had a different name), which was
used in the so-called Operation Megaupload, is called _______.

BanglaDOS

Dereil

Pandora DDoS

HOIC

228. The DDoS tool used by Anonymous in the so-called Operation Payback is called _______

BanglaDOS

Dereil

HOIC

LOIC
229. Which of the following attacks is also referred to as ransom DDoS (RDDoS), where
attackers threaten the target organizations with a DDoS attack and demand that they pay a
specified ransom amount to prevent it?

DNS amplification attack

Wrapping attack

DRDoS attack

DDoS extortion attack

230. Identify the DoS attack that does not use botnets. Instead, the attackers exploit flaws
found in networks that use the DC++ (Direct Connect) protocol, which allows the exchange
of files between instant messaging clients.

Service request flood attack

Bandwidth attack

Peer-to-peer attack

DRDoS attack

231. In which of the following attacks does the attacker spoof the source IP address
with the victim’s IP address and send a large number of ICMP ECHO request packets
to an IP broadcast network?

Ping of death attack

Smurf attack

UDP flood attack

SYN flood attack

232. The code-hosting platform GitHub, home to many open-source projects, experienced a
DDoS attack that made its service unavailable to users. The attack was propagated by abusing
memcached instances that were inadvertently accessible on the public Internet with
UDP support enabled. Which of the following types of DDoS attacks did GitHub
encounter?

Rogue DHCP server attack


STP attack

Blind hijacking

Amplification attack

233. What is the DoS/DDoS countermeasure strategy to at least keep the critical
services functional?

Shutting down the services

Deflecting attacks

Degrading services

Absorbing the attack

234. Smith, a network security administrator, is configuring routers in his organization
to protect the network from DoS attacks. Which router feature can he use to prevent
SYN flooding effectively?

Egress filtering

Ingress filtering

TCP intercept

MAC address filtering

235. Which of the following practices is NOT a countermeasure against DoS/DDoS
attacks?

Configure the firewall to accept external ICMP traffic

Disable unused and unsecure services

Perform thorough input validation

Implement cognitive radios in the physical layer


236. In one of the following DoS/DDoS defensive techniques, honeypots are
intentionally set up with low security to gain the attention of DDoS attackers, serving
as a means for gaining information about attackers, attack techniques, and tools used
by attackers. Which is this DoS/DDoS defensive technique?

Deflect attacks

Detect and neutralize handlers

Mitigate attacks

Prevent potential attacks

237. Scarlet, a security professional at Imperial Tech, received intermittent complaints
from her colleagues about service unavailability, diminishing network bandwidth, and
suspended network services. She recognized that these issues were due to DoS/DDoS
attacks. To curb the occurrence of such issues in the future, she used a service that
enabled high-end protection from these severe DoS/DDoS attacks.

Which of the following DoS/DDoS protection services did Scarlet use in the above
scenario?

KillerBee

Suphacap

Fritzing

Stormwall PRO

238. Which of the following practices can make the organization’s network vulnerable
to DoS/DDoS attacks?

Enable TCP SYN cookie protection

Do not perform extensive simulations of DoS/DDoS attacks to avoid sudden surges

Block all inbound packets originating from the service ports to block traffic from
reflection servers

Update the kernel to the latest release and disable unused and insecure services
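
SYN cookies (question 238) are the counter to the SYN flood of question 222: the attacker never sends the final ACK, so a listener that allocates a half-open entry per SYN runs out of backlog, whereas a listener that encodes the connection parameters into its SYN-ACK sequence number stores nothing and can still complete the handshake for any client that does answer. The following is an added example, not code from the question bank or from any kernel; it follows the structure of the Linux scheme (a timestamp counter in the top bits, a keyed hash of the 4-tuple, and an MSS index in the low bits) with HMAC-SHA256 standing in for the kernel's SipHash and constructed secrets standing in for per-boot random ones. The `Listener` class is this example's own model of a listening socket.

```python
import hashlib
import hmac
import socket
import struct

COOKIEBITS = 24
COOKIEMASK = (1 << COOKIEBITS) - 1
MAX_COOKIE_AGE = 2                      # minutes a cookie stays verifiable
MSS_TABLE = [536, 1300, 1440, 1460]     # MSS the server will use, encoded as a 2-bit index

# Constructed secrets; a real stack draws these from the kernel RNG at boot.
SECRET = [b"syncookie-secret-0", b"syncookie-secret-1"]


def _h(saddr, daddr, sport, dport, count, which) -> int:
    """32-bit keyed hash over the 4-tuple (and counter); Linux uses SipHash here."""
    msg = socket.inet_aton(saddr) + socket.inet_aton(daddr) + struct.pack("!HHI", sport, dport, count)
    return int.from_bytes(hmac.new(SECRET[which], msg, hashlib.sha256).digest()[:4], "big")


def mss_index(mss: int) -> int:
    """Largest table entry not exceeding the client's MSS."""
    idx = 0
    for i, v in enumerate(MSS_TABLE):
        if v <= mss:
            idx = i
    return idx


def make_cookie(saddr, daddr, sport, dport, sseq, mss, count) -> int:
    """SYN-ACK sequence number that encodes what is needed to finish the handshake later."""
    data = mss_index(mss)
    return (_h(saddr, daddr, sport, dport, 0, 0) + sseq + (count << COOKIEBITS)
            + ((_h(saddr, daddr, sport, dport, count, 1) + data) & COOKIEMASK)) & 0xFFFFFFFF


def check_cookie(saddr, daddr, sport, dport, sseq, cookie, count):
    """Return the negotiated MSS if the cookie is valid and recent, else None."""
    c = (cookie - _h(saddr, daddr, sport, dport, 0, 0) - sseq) & 0xFFFFFFFF
    age = (count - (c >> COOKIEBITS)) & ((1 << (32 - COOKIEBITS)) - 1)
    if age >= MAX_COOKIE_AGE:
        return None
    idx = (c - _h(saddr, daddr, sport, dport, count - age, 1)) & COOKIEMASK
    return MSS_TABLE[idx] if idx < len(MSS_TABLE) else None


class Listener:
    """Model of a listening socket. With syn_cookies=False every SYN consumes a half-open slot
    until the backlog is full and later clients are refused; with syn_cookies=True nothing is
    stored, so a flood of spoofed SYNs has nothing to exhaust."""

    def __init__(self, daddr, dport, backlog, syn_cookies, count):
        self.daddr, self.dport, self.backlog = daddr, dport, backlog
        self.syn_cookies, self.count, self.half_open = syn_cookies, count, {}

    def on_syn(self, saddr, sport, sseq, mss=1460):
        """Return our ISN for the SYN-ACK, or None if the SYN had to be dropped."""
        if self.syn_cookies:
            return make_cookie(saddr, self.daddr, sport, self.dport, sseq, mss, self.count)
        if len(self.half_open) >= self.backlog:
            return None
        isn = _h(saddr, self.daddr, sport, self.dport, self.count, 0)
        self.half_open[(saddr, sport)] = (sseq, isn, mss_index(mss))
        return isn

    def on_ack(self, saddr, sport, seq, ack):
        """Third packet: seq = client ISN + 1, ack = our ISN + 1. Return MSS if established."""
        if self.syn_cookies:
            return check_cookie(saddr, self.daddr, sport, self.dport,
                                (seq - 1) & 0xFFFFFFFF, (ack - 1) & 0xFFFFFFFF, self.count)
        entry = self.half_open.pop((saddr, sport), None)
        if entry and entry[0] + 1 == seq and (entry[1] + 1) & 0xFFFFFFFF == ack:
            return MSS_TABLE[entry[2]]
        return None


if __name__ == "__main__":
    for cookies in (False, True):
        srv = Listener("198.51.100.10", 80, backlog=128, syn_cookies=cookies, count=10)
        dropped = sum(srv.on_syn(f"10.{i >> 8}.{i & 255}.1", 1000, 1) is None for i in range(5000))
        isn = srv.on_syn("203.0.113.5", 40000, 777)
        mss = None if isn is None else srv.on_ack("203.0.113.5", 40000, 778, (isn + 1) & 0xFFFFFFFF)
        print(f"syn_cookies={cookies}: {dropped} spoofed SYNs dropped, real client MSS={mss}")
```

The cost of the scheme is visible in the code: only an MSS index survives the round trip, so TCP options such as window scaling or SACK that were carried in the SYN are lost unless the client also uses timestamps, which is why stacks enable cookies only once the backlog is under pressure.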
239. Which of the following techniques is a basic access-control list (ACL) filter that
limits the impact of DDoS attacks by blocking traffic with spoofed addresses?

Cisco IPS source IP reputation filtering

Black-hole filtering

RFC 3704 filtering

DDoS prevention offerings from ISP or DDoS service
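
RFC 3704 filtering (question 239), the ingress and egress filtering of question 234, and the directed-broadcast handling behind the smurf attack of questions 224 and 231 are all decisions an edge router makes per packet from its routing table. The following is an added example, not code from the question bank; it models a small edge router with strict unicast reverse-path forwarding (a packet is accepted only if the route back to its source leaves through the interface it arrived on), a bogon check on the upstream side, and a drop for ICMP echo requests aimed at the broadcast address of a local subnet. The interfaces, prefixes and packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed edge router: eth0 faces the upstream ISP, eth1/eth2 are customer LANs.
ROUTES = {
    "192.0.2.0/24": "eth1",
    "198.51.100.0/24": "eth2",
    "0.0.0.0/0": "eth0",
}
# Never legitimate as a source arriving from the Internet (RFC 1918, loopback, link-local, ...).
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/3")]


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrived on
    src: str
    dst: str
    proto: str          # "tcp" | "udp" | "icmp"
    icmp_type: int = -1


class SpoofFilter:
    def __init__(self, routes: dict, upstream: str):
        self.routes = sorted(((ipaddress.ip_network(n), i) for n, i in routes.items()),
                             key=lambda r: r[0].prefixlen, reverse=True)
        self.upstream = upstream
        # Directed-broadcast targets of our own subnets: what a smurf attacker aims at.
        self.broadcasts = {str(net.broadcast_address) for net, i in self.routes if i != upstream}

    def route_iface(self, addr: str) -> str:
        """Longest-prefix match: which interface would we use to reach addr?"""
        ip = ipaddress.ip_address(addr)
        for net, iface in self.routes:
            if ip in net:
                return iface
        raise LookupError(addr)

    def verdict(self, p: Packet) -> str:
        src = ipaddress.ip_address(p.src)
        if p.iface == self.upstream and any(src in b for b in BOGONS):
            return "DROP:BOGON"
        # Strict uRPF (RFC 3704 section 2.2): the source must be reachable back through the
        # arrival interface. On customer ports this is egress filtering (our users cannot spoof
        # other people's addresses); on the upstream port it rejects packets claiming to be us.
        if self.route_iface(p.src) != p.iface:
            return "DROP:URPF_FAIL"
        # 'no ip directed-broadcast': refuse to act as a smurf amplifier.
        if p.dst in self.broadcasts and p.proto == "icmp" and p.icmp_type == 8:
            return "DROP:DIRECTED_BROADCAST"
        return "ACCEPT"


if __name__ == "__main__":
    fw = SpoofFilter(ROUTES, "eth0")
    samples = [
        Packet("eth0", "203.0.113.9", "192.0.2.10", "tcp"),          # ordinary inbound traffic
        Packet("eth0", "192.0.2.10", "192.0.2.255", "icmp", 8),      # our own address spoofed from outside
        Packet("eth0", "203.0.113.9", "192.0.2.255", "icmp", 8),     # smurf: victim spoofed, our broadcast hit
        Packet("eth1", "198.51.100.7", "203.0.113.9", "tcp"),        # customer spoofing another customer
        Packet("eth0", "10.1.1.1", "192.0.2.10", "udp"),             # RFC 1918 source from the Internet
    ]
    for p in samples:
        print(f"{p.iface} {p.src:>14} -> {p.dst:<14} {fw.verdict(p)}")
```

Strict uRPF is only correct where routing is symmetric, which holds for stub networks like this one; multi-homed sites use the loose or feasible-path variants described in the same RFC.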

240. Which of the following techniques can be used to prevent a botnet attack?

Information gathering

Black hole filtering

Physical security

Port scanning

241. John’s company is facing a DDoS attack. While analyzing the attack, John has
learned that the attack is originating from the entire globe, and filtering the traffic at
the Internet Service Provider’s (ISP) level is an impossible task. After a while,
John observed that his personal computer at home was also compromised, similar
to the company’s computers. He observed that his computer is sending large
amounts of UDP data directed toward his company’s public IPs.

John takes his personal computer to work and starts a forensic investigation. Two
hours later, he obtains crucial information: the infected computer is connecting to the
C&C server, and unfortunately, the communication between the C&C and the infected
computer is encrypted. Therefore, John intentionally lets the infection spread to
another machine in his company’s secure network, where he can observe and record
all the traffic between the bot software and the botnet. After thorough analysis, he
discovers something interesting: the initial infection process downloaded the
malware from an FTP server, with the username and password in cleartext.
John connects to the FTP server and finds the botnet software, including the
C&C, on it, with the username and password for the C&C in a configuration file. What can
John do with this information?

Mitigate the attack


Protect secondary victims

Deflect the attack

Neutralize handlers

242. John’s company is facing a DDoS attack. While analyzing the attack, John has
learned that the attack is originating from the entire globe, and filtering the traffic at the
Internet Service Provider’s (ISP) level is an impossible task. After a while, John
observed that his personal computer at home was also compromised, similar to
the company’s computers. He observed that his computer is sending large amounts
of UDP data directed toward his company’s public IPs.

John takes his personal computer to work and starts a forensic investigation. Two
hours later, he obtains crucial information: the infected computer is connecting to the
C&C server, and unfortunately, the communication between the C&C and the infected
computer is encrypted. Therefore, John intentionally lets the infection spread to
another machine in his company’s secure network, where he can observe and record
all the traffic between the bot software and the botnet. After thorough analysis, he
discovers something interesting: the initial infection process downloaded the
malware from an FTP server, with the username and password in cleartext.
John connects to the FTP server and finds the botnet software, including the
C&C, on it, with the username and password for the C&C in a configuration file.

After successfully stopping the attack against his network, John connects to the C&C
again, dumps all the IPs the C&C is managing, and sends this information to the
national CERT. What is John trying to do?

Neutralizing handlers

Protecting secondary victims

Mitigating the attack

Deflecting the attack

Which of the following is considered to be a session hijacking attack?

Monitoring a UDP session
Monitoring a TCP session
Taking over a TCP session
Taking over a UDP session

An attacker is using session hijacking on the victim system to perform further
exploitation on the target network. Identify the type of attack an attacker can perform
using session hijacking.

Tailgating
Sniffing
Dumpster Diving
Piggybacking

Until a few years ago, most web sites (including highly exposed ones like Facebook,
Twitter, and Gmail) used a secure (https) connection only during the logon process,
after which they switched back to an insecure (http) connection. One of the tools,
FireSheep, exploited this behavior in order to steal user sessions and effectively educate
the public that a secure connection was required from the first to the last packet of the
connection. The attack this tool was using is called ________________.

Session splicing
Session hijacking
Session piggybacking
Session duplicating

Which of the following techniques is used to compromise session IDs, with an attacker
intruding into an existing connection between systems and attempting to intercept the
messages being transmitted?

Man-in-the-middle attack
Client-side attack
Fragmentation attack
Man-in-the-browser attack

During a penetration test, Marin discovered that a web application does not change
the session cookie after successful login. Instead, the cookie stays the same and is
allowed additional privileges. This vulnerability and application-level session hijacking
is called ______________.

Session fixation
Session sniffing
Predictable session token
Session replay attack

Network-level session hijacking attacks ____________ level protocols.

Physical level protocols
Application-level protocols
Data link-level protocols
Network- or Internet-level protocols

Given below are the various steps involved in a PetitPotam hijacking attack.

1. Now, the attacker initiates an NTLM relay attack to gain remote access to the
target AD CS.
2. The attacker uses the EfsRpcOpenFileRaw command from the MS-EFSRPC API
to coerce the target server to perform NTLM authentication to another system.
3. The attacker uses the already captured NTLM credentials to authenticate with
the target server.
4. Finally, the attacker creates an AD certificate to gain administrator privileges to
the target AD server.

Identify the correct sequence of steps involved in PetitPotam hijacking.

3 -> 1 -> 2 -> 4
1 -> 2 -> 3 -> 4
3 -> 2 -> 1 -> 4
2 -> 3 -> 1 -> 4

Which of the following protocols reduces the chance of a successful hijack by sending
data using encryption and digital certificates?

FTPS
IP
HTTP
FTP

Which of the following guidelines should be implemented for protecting connections
against session hijacking?

Pass authentication cookies over HTTP connections
Use the same usernames and passwords for different accounts
Use strings or long random numbers as session keys
Include the session ID in the URL or query string

Which of the following techniques is NOT a best practice for web developers to
minimize the risk of session hijacking?

Increase the life span of a session or cookie
Make the session expire as soon as the user logs out
Regenerate the session ID after a successful login
Create session keys with lengthy strings or random numbers

Which of the following security measures constitutes a set of standardized user
pre-verification procedures that requires all users (inside or outside) to be authenticated
before providing access to any resource?

HTTP referrer header
Compensating controls
WEP/WPA encryption
Zero-trust principle

Which of the following practices helps a security professional protect an organizational
network from session hijacking attempts?

Use small random numbers as session keys
Employ the Microsoft-based solution (SMB signing) to enable traffic signing
Pass authentication cookies over HTTP connections
Do not implement DNS-based authentication

Which of the following practices will make an organization’s network vulnerable to
session hijacking attacks?

Disable the HTTPOnly property
Employ encrypted FTP
Use firewalls and browser settings to confine cookies
Use switches rather than hubs

Which of the following components of an HTTP request contains the URL or URI of
the web page, which can be used to navigate to the target web page along with the IP
address and session ID?

Session ID
MS-EFSRPC API call
HTTP referrer header
HTTP public key pinning

Which of the following elements in the firewall architecture is a computer system
designed and configured to protect network resources from attacks and acts as a
mediator between inside and outside networks?

Demilitarized zone
Screened subnet
Bastion host
Multi-homed firewall

Which of the statements concerning proxy firewalls is correct?

Proxy firewalls block network packets from passing to and from a protected
network
Firewall proxy servers decentralize all activity for an application
Proxy firewalls increase the speed and functionality of a network
Computers establish a connection with a proxy firewall that initiates a new network
connection for the client

Which of the following is a hardware requirement that either an IDS/IPS system or a
proxy server must have in order to properly function?

They must be dual-homed
Similar RAM requirements
Fast network interface cards
Fast processor to help with network traffic analysis

Jamie has purchased and deployed an application firewall to protect his company
infrastructure, which includes various email servers, file server shares, and
applications. All the systems in his company also share the same onsite physical
datacenter. Jamie has positioned the newly purchased firewall nearest to the
application systems so as to protect the applications from attackers. This positioning
does not protect the complete network.

What can Jamie do to address the security issues of this deployment?

Jamie will need to add at least three additional firewalls at the DMZ, internet, and
intranet
Jamie will need to add at least one additional firewall at the network edge
Jamie will need to replace the application firewall with a packet filtering firewall at
the network edge
Jamie will need to add at least three additional firewalls at the untrusted network,
router side, and application side

Jamie was asked by their director to make new additions to the firewall in order to
allow traffic for a new software package. After the firewall changes, Jamie receives
calls from users that they cannot access other services, such as email and file shares,
that they were able to access earlier.

What was the problem in the latest changes that is denying existing users from
accessing network resources?

Jamie’s additional entries were processed first
Jamie should exit privileged mode to allow the settings to be effective
Jamie needs to have the users restart their computers in order to make settings
effective
Jamie needs to restart the firewall to make the changes effective

When analyzing the IDS logs, the system administrator noticed an alert was logged
when the external router was accessed from the administrator’s computer to update
the router configuration. What type of an alert is this?

True-negative
False-negative
False-positive
True-positive

Manav wants to simulate a complete system and provide an appealing target to push
hackers away from the production systems of his organization. Using a honeypot tool,
he offers typical Internet services such as SMTP, FTP, POP3, HTTP, and TELNET, which
appear perfectly normal to attackers. However, it is a trap: attackers who interact with
it leave traces behind, unaware that they have connected to a decoy system that does
none of the things it appears to do; instead, it logs everything and notifies the
appropriate people. Can you identify the tool?

SPECTER
PeerBlock
Glasswire
TinyWall

Which term refers to the service announcements provided by services in response to
connection requests, which often carry the vendor’s version information?

Scanning phase
Port
Network discovery phase
Banner

Which of the following tools audits and validates the behavior of security devices and
is generally used by security personnel for assessing, auditing, and testing the
behavioral characteristics of a non-proxy packet filtering device?

SPECTER
Traffic IQ Professional
Colasoft Packet Builder
AckCmd

Which of the following practices helps security professionals in defending against
HTML smuggling attacks?

Recommend users access the web with a browser that has Microsoft Defender
SmartScreen activated
Disable cloud delivery-based protection
Never block auto-execution of .js and .jse files
Never verify the perimeter operation of security devices

Which of the following tools allows attackers to place their device between a network
switch and an authenticated device to ensure that the traffic flows through their device?

InSpectre
OmniPeek
nac_bypass_setup.sh
Dependency Walker

Which of the following tools is used by attackers to bypass antivirus software by
utilizing binary deconstruction, insertion of arbitrary assembly code, and
reconstruction?

FaceNiff
Ghostwriting.sh
Colasoft Packet Builder
KFSensor

Identify the technique in which attackers abuse Microsoft Excel macro sheets to
bypass endpoint protection and execute a malicious payload on a target system.

Fuzzing/brute-forcing
Fast flux DNS method
Password grabbing
XLM weaponization

Which of the following techniques helps an attacker circumvent blacklists and hide the
C&C server behind the compromised systems operating as reverse proxies?

Fast flux DNS method
Reverse DNS lookup
Web application fuzz testing
WHOIS lookup

Which of the following is a honeypot application that captures rootkits and other
malware that hijacks the read() system call?

Sebek
Fake AP
Tar pits
Bait and switch

Which of the following countermeasures can be employed to defend against firewall
evasion?

Disable all FTP connections to or from the network
Do not specify the source and destination IP addresses or ports
Set the firewall rule set to accept all traffic
Never notify the security policy administrator about firewall changes

In which of the following attacks does an attacker attempt to access sensitive
information by intercepting and altering communications between an end user and a
web server?

Website defacement attack
HTTP response splitting attack
Man-in-the-middle attack
Phishing attack

Which of the following techniques is NOT a countermeasure for securing files and
directories on a web server?

Eliminate unnecessary files within .jar files
Map virtual directories between two different servers or over a network
Disable the serving of directory listings
Eliminate sensitive configuration information within the byte code

Which of the following countermeasures should be followed to defend against DNS
hijacking?

Use the default router password included in the factory settings
Include DNS hijacking into incident response and business continuity planning
Download audio and video codecs and other downloaders from untrusted websites
Do not safeguard the registrant account information

Choose an ICANN accredited registrar and encourage them to set registrar-lock on
the domain name in order to avoid which attack?

Session hijacking attack
Denial-of-service attack
Man-in-the-middle attack
DNS hijacking attack

Which of the following countermeasures helps administrators in secure update and
patch management of web servers?

Enable all unused script extension mappings
Make a standardized patch management and security update methodology as part
of the SDLC
Never make a detailed inventory of all the endpoints, services, and dependencies
Use default configurations dispatched with web servers

Which of the following practices helps administrators in secure update and patch
management of web servers?

Enable all unused script extension mappings
Reduce exposure to third-party risks by limiting the number of software versions
you employ
Ensure that service packs, hotfixes, and security patch levels are non-consistent
on all domain controllers (DCs)
Never make a detailed inventory of all the endpoints, services, and dependencies

Which of the following tools is not used to perform webserver information gathering?

Nmap
Wireshark
Whois
Nikto

Which of the following types of payload modules in the Metasploit framework is self-
contained and completely stand-alone?

Stagers
Exploit
Singles
Stages

A network administrator has observed that the computers in his network have the
Windows 7 operating system. The administrator has learned that the WannaCry
ransomware is affecting Windows 7 systems across the globe. Which of the following
is the best option that the network administrator has to provide efficient security and
defend his network?

Update security patches and fixes provided by Microsoft
Remove all Windows 7 machines from the network
Conduct vulnerability assessment of all the machines in the network
Perform penetration testing on all the machines in the network

Which of the following terms refers to a set of hotfixes packed together?

Hotfix pack
Service pack
Repair pack
Patch

In which layer of the web-application vulnerability stack does an attacker scan an
operating system to find open ports and vulnerabilities and develop viruses/backdoors
to exploit them?

Layer 2
Layer 3
Layer 5
Layer 4

Which of the following provides an interface between end users and webservers?

Database
Web applications
Firewall
Demilitarized zone

Which of the following is a timing attack performed by measuring the approximate
time taken by a server to process a POST request so that the existence of a
username can be deduced?

Direct timing attack
Browser-based timing attack
Cross-site timing attack
Cache storage timing attack

Which of the following is a web application attack that is also known as a one-click
attack and occurs when a hacker instructs a user’s web browser to send a request to
a vulnerable website through a malicious web page?

Web service attack
Cross-site request forgery
Hidden field manipulation
Cookie snooping

In which of the following attacks does an attacker load the target website inside a low-
opacity iframe?

JavaScript hijacking
Clickjacking attack
RC4 NOMORE attack
DNS rebinding attack

Which of the following is a clickjacking technique that overlays only the selected
controls from a transparent page and involves masking buttons with hyperlinks and
text labels containing false information?

Click event dropping
Cropping
Rapid content replacement
Complete transparent overlay

While testing web applications, you attempt to insert the following test script into the
search area on the company’s website:

<script>alert("Testing Testing Testing")</script>

Afterwards, when you press the search button, a pop-up box appears on your screen
with the text, "Testing Testing Testing." What vulnerability is detected in the web
application here?

A hybrid attack
Cross-site scripting
Password attacks
A buffer overflow

Which of the following involves injection of malicious HTML code through a web
application?

Command injection
LDAP injection
Shell injection
SQL injection

An attacker has been successfully modifying the purchase price of items purchased
on the company’s website. The security administrators verify the webserver and
Oracle database have not been compromised directly. They have also verified the
intrusion detection system (IDS) logs and found no attacks that could have caused
this. What is the most likely way the attacker has been able to modify the purchase
price?

By using cross site scripting
By utilizing a buffer overflow attack
By using SQL injection
By changing hidden form values

Which of the following conditions must be given to allow a tester to exploit a cross-site
request forgery (CSRF) vulnerable web application?

The victim user must open a malicious link with Firefox prior to version 3.
The session cookies generated by the application do not have the HttpOnly flag
set.
The victim user must open a malicious link with an Internet Explorer prior to
version 8.
The web application should not use random tokens.

Robert, a security professional, examined a web application for discovering potential
vulnerabilities and protecting it from evolving threats. During analysis, he discovered
that certain application functions related to the session management and user
validation methods were poorly implemented.

Identify the type of application security risk discovered by Robert in the above
scenario.

Identification and authentication failures
Vulnerable and outdated components
Security logging and monitoring failures
Cryptographic failures

Which of the following is a vulnerability that allows attackers to add their parameters
to a URL to redirect users from trusted websites to malicious sites where they can
steal sensitive user data and redirect users back to the original website?

Banner grabbing
Header-based open redirection
Direct timing attack
Open redirection

Which of the following involves the process of modifying the HTTP location header to
redirect users to a malicious page without their knowledge?

Directory traversal
HTML injection
LDAP injection
Header-based open redirection

Which of the following attacks is also known as a related-domain attack, which occurs
when an attacker targets a subdomain of a trusted organization and attempts to
redirect users to an attacker-controlled web page?

Direct timing attack
Same-site attack
SQL injection attack
DoS attack

Which of the following attacks occurs when attackers obtain a clone of a cookie from
the user’s browser and use it to establish a session with the target web server and
further allow attackers to access a user’s web services without providing any identity?

Pass-the-cookie attack
Connection string parameter pollution
DNS rebinding attack
SSRF attack

Which of the following is a DNS interrogation tool that allows an attacker to retrieve
information about the location and type of servers related to the target web
infrastructure?

WAFW00F
Domain Dossier
Vega
Halberd

Which of the following techniques allows an attacker to inject unusual characters into
HTML code to bypass client-side controls?

Attack hidden form fields
Source-code review
Evade XSS filters
Attack browser extensions

Which of the following vulnerabilities occurs when an application adds files without the
proper validation of inputs, thereby enabling an attacker to modify the input and embed
path traversal characters?

File fingerprinting
Security misconfiguration
Fileless malware
Local file inclusion

In which of the following attack techniques does an attacker lure victims via email or a
link that is constructed such that the loopholes of remote execution code become
accessible, allowing the attacker to obtain access privileges equal to those of
authorized users?

Request forgery attack
ActiveX attack
Frame injection
Session fixation

An attacker tries to enumerate the username and password of an account named “rini
Mathew” on wordpress.com. On the first attempt, the attacker tried to login as
“rini.mathews,” which resulted in the login failure message “invalid email or username.”
On the second attempt, the attacker tried to login as “rinimathews,” which resulted in
a message stating that the password entered for the username was incorrect, thus
confirming that the username “rinimathews” exists. What is the attack that is performed
by the attacker?

Man-in-the-middle
Brute-forcing
Username enumeration
Phishing

In which of the following attacks does an attacker saturate an API with a massive
volume of traffic from multiple infected computers or botnets to delay the API services
to legitimate users?

API DDoS attack
Invalid input attack
Credential stuffing attack
Fuzzing

Which of the following parameters defines the level of access to an application to
redirect a user agent to the authorization server?

redirect_uri
State
scope
response_type

Which of the following API security risks can be prevented by performing input
validation, implementing a parameterized interface for processing inbound API
requests, and limiting the number of records returned?

Mass assignment
Excessive data exposure
Security misconfiguration
Injection

Which of the following techniques is NOT a best practice for securing webhooks?

Ensure that event processing is idempotent
Use rate limiting on webhook calls in the web server
Use threaded requests to send multiple requests simultaneously
Avoid validating the X-OP-Timestamp within the threshold of the current time

Which of the following is a standard protocol used to display all user information
through a GET request?

SOAP API
Webhooks
WebFinger
Web API

Which of the following tools allows attackers to gain remote control over the target web
servers and manipulate the files and databases?

CyberX
SearchDiggity
China chopper
CRITIFENCE

Which of the following practices can help security experts in securing webhooks from
malicious attacks?

Validate the X-OP-Timestamp above a threshold from the current time
Do not send confidential information using webhooks; instead, use authorized APIs
Use the same event ID to record every webhook payload within the database
Ensure that the event processing is non-idempotent toward event receipts

Which of the following practices can make webhooks vulnerable to unauthorized
access or manipulation of user resources?

Use threaded requests to send multiple requests simultaneously and to update
data in the API rapidly
Use the same event ID to record every webhook payload within the database
Verify clients through the implementation of mutual TLS
Log each sent webhook for debugging when required

Which of the following countermeasures should be followed to defend against
watering-hole attacks?

Never run the web browser in a virtual environment
Use browser plug-ins that allow HTTP redirects
Enable third-party content such as advertising services, which track user activities
Secure the DNS server to prevent attackers from redirecting the user to a
new location

If your web application sets any cookie with a secure attribute, what does this mean?

Cookies will be sent cross-domain
The client will send the cookie only over an HTTPS connection
The cookie cannot be accessed by JavaScript
The cookie will not be sent cross-domain

In which type of fuzz testing do the current data samples create new test data and the
new test data again mutates to generate further random data?

Generation-based
Mutation-based
None of the above
Protocol-based

Which of the following practices helps security professionals prevent SQL injection
attacks and safeguard organizational data?

Enable unused functionalities of the database
Use dynamic SQL or construct queries with user input
Avoid using prepared statements, parameterized queries, or stored procedures to
access the database
Audit databases, logs, privileges, and binding terms regularly

Which of the following practices helps administrators protect web applications
against command injection attacks?

Do not perform input and output encoding
Scan the applications with a dynamic web vulnerability scanner to prevent code
injection
Avoid using modular shell disassociation from the kernel
Avoid using built-in library functions and call the OS commands directly

Identify the practice that makes an organization’s web application vulnerable to
server-side include injection attempts.

Ensure that directives are confined only to the web pages where they are required
Apply HTML encoding to the user input before executing it on the web pages
Use pages with file name extensions such as .stm, .shtm, and .shtml
Implement SUExec for the execution of pages as the file owner

Which of the following practices helps administrators prevent server-side template
injection attempts on a web application?

Never execute the template inside a sandboxed environment
Ensure that the template strings and variables are always combined
Always create templates from user inputs
Use predefined payloads along with in-built template expressions to examine the
server responses periodically

Which of the following practices makes an organization’s web server vulnerable to log
injection attacks?

Examine the application carefully for any vulnerability that is used to render logs
Control execution flow by using proper synchronization
Always view logs with tools having the ability to interpret control characters within
a file
Use correct error codes and easily recognizable error messages

Identify the practice that makes an organization’s web application vulnerable to HTML
injection attacks.

Employ security solutions that avoid false positives and detect possible injections
Educate the developer teams along with the security teams regarding the most
prevalent HTML injection attacks and their preventive measures
Disable the HttpOnly flag on the server side
Check the inputs for unwanted script or HTML code such as <script></script>,
<html></html>

Identify the practice that helps security experts defend the organization’s web
application from broken authentication and session management attacks.

Check URLs for insecure information such as session IDs while sharing the URLs
Ensure that the session value is valid after logging out
Allow login attempts also after a certain number of failed attempts
Always submit session data as part of a GET or POST

Which of the following practices assists security experts in defending web applications
against insecure deserialization attacks?

Monitor the process of deserialization to detect constant deserialization by a user
Enforce the deserialization of domain objects
The deserialization of trusted data must not cross a trust boundary
Enforce serialization for security-sensitive classes

Which of the following security practices helps administrators prevent web service
attacks on an organization’s web server?

Always enable the SOAPAction attribute
Enable the SOAPAction attribute when not in use
Enable WS-Addressing completely
Use an XML proxy to hide internal configuration information

Which of the following practices helps security professionals secure web applications
from same-site attacks?

Duly update DNS records on the corresponding DNS server
Never educate users on CNAME DNS entry verification and its impacts
Disable DNS misconfiguration verification and validation process
Avoid using dangling domain records as a validation mechanism

A security administrator notices that the log file of the company’s webserver contains
suspicious entries:

[20/Mar/2011:10:49:07] "GET /login.php?user=test'+oR+3>2%20-- HTTP/1.1" 200 9958
[20/Mar/2011:10:51:02] "GET /login.php?user=admin';%20-- HTTP/1.1" 200 9978

The administrator decides to further investigate and analyze the source code of the
login.php file:

<?php
include('../../config/db_connect.php');
// The GET parameters are concatenated straight into the query string,
// with no validation, escaping, or parameter binding
$user=$_GET['user'];
$pass=$_GET['pass'];
$sql = "SELECT * FROM USERS WHERE username = '$user' AND password = '$pass'";
$result=mysql_query($sql) or die ("couldn't execute query");

if(mysql_num_rows($result)!=0) echo 'Authentication granted!';
else echo 'Authentication failed!';
?>

Based on the source code analysis, the analyst concludes that the login.php script is
vulnerable to:

LDAP injection
Directory traversal
Command injection
SQL injection

Bank of Timbuktu is a medium-sized, regional financial institution in Timbuktu. The
bank has recently deployed a new Internet-accessible web application. Customers can
access their account balances, transfer money between accounts, pay bills, and
conduct online financial business using a web browser.

John Stevens is in charge of information security at the Bank of Timbuktu. After one
month in production, several customers have complained about the Internet-enabled
banking application. Strangely, the account balances of many of the bank’s customers
have been changed! However, money has not been removed from the bank; instead,
money is transferred between accounts. Given this attack profile, John Stevens
reviewed the web application’s logs and found the following entries:

Attempted login of unknown user: johnm

Attempted login of unknown user: susaR

Attempted login of unknown user: sencat

Attempted login of unknown user: pete'';

Attempted login of unknown user: ' or 1=1--

Attempted login of unknown user: '; drop table logins--

Login of user jason, sessionID= 0x75627578626F6F6B

Login of user daniel, sessionID= 0x98627579539E13BE

Login of user rebecca, sessionID= 0x9062757944CCB811

Login of user mike, sessionID= 0x9062757935FB5C64

Transfer Funds user jason

Pay Bill user mike

Logout of user mike

What kind of attack did the hacker attempt to carry out at the bank?

The hacker attempted session hijacking, in which the hacker opened an account
with the bank, then logged in to receive a session ID, guessed the next ID, and
took over Jason’s session.
The hacker first attempted logins with suspected user names, and then used SQL
injection to gain access to valid bank login IDs.
The hacker used a generator module to pass results to the webserver and
exploited web application CGI vulnerability.
Brute force attack in which the hacker attempted guessing login IDs and
passwords from password-cracking tools.

In blind SQLi, attackers can steal data by asking a series of true or false questions
through SQL statements. Select all the correct types of blind SQL injections.

System-stored procedure
Tautology
Boolean exploitation
Time delay

In which of the following attacks does an attacker use the same communication
channel to perform the attack and retrieve the results?

In-band SQL injection
Blind SQL injection
Out-of-band SQL injection
Inferential SQL injection

Which of the following issues can be detected when testers send long strings of junk
data, similar to strings for detecting buffer overruns that throw SQL errors on a page?

SQL injection
Truncation
SQL modification
Input sanitization

Which of the following DB2 queries allows an attacker to perform column enumeration
on a target database?

show columns from tablename

SELECT * FROM all_tab_columns WHERE table_name='tablename'

SELECT * FROM syscat.columns WHERE tabname= 'tablename'

SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'tablename') sp_columns tablename

Which of the following MSSQL queries allows an attacker to perform column
enumeration on a target database?

SELECT * FROM all_tab_columns WHERE table_name='tablename'

SELECT attnum,attname from pg_class, pg_attribute WHERE relname= 'tablename' AND pg_class.oid=attrelid AND attnum > 0

SELECT * FROM syscat.columns WHERE tabname= 'tablename'

SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'tablename')

A tester has been hired to perform source code review of a web application to detect
SQL injection vulnerabilities. As part of the testing process, he needs to get all the
information about the project from the development team. During the discussion with
the development team, he comes to know that the project is in the initial stage of the
development cycle. As per the above scenario, which of the following processes does
the tester need to follow in order to save the company’s time and money?

The tester needs to perform dynamic code analysis as it uncovers bugs in the
software system
The tester needs to perform static code analysis as it covers the structural and
statement coverage testing
The tester needs to perform dynamic code analysis as it finds and fixes the defects
The tester needs to perform static code analysis as it covers the executable file of
the code

Robert, a penetration tester, is trying to perform SQL penetration testing on the SQL
database of the company to discover coding errors and security loopholes. Robert
sends massive amounts of random data to the SQL database through the web
application in order to crash the web application of the company. After observing the
changes in the output, he comes to know that the web application is vulnerable to SQL
injection attacks. Which of the following testing techniques is Robert using to find out
the loopholes?

Stored Procedure Injection
Alternate Encodings
Fuzzing Testing
Out of Band Exploitation

Which of the following tools does an attacker use to perform SQL injection exploitation
through techniques such as union and blind SQL exploitation and bypass certain
IPS/IDS rules with generic filters?

China Chopper
Weevely
Astra
Mole

Which of the following characters is used in an SQL injection query as a wildcard
attribute indicator?

' or "
%
/*…*/
#

In one of the following defensive techniques, only the list of entities such as data type,
range, size, and value that have been approved for secured access are accepted.
Which is this technique?

Output encoding
Enforcing least privileges
Blacklist validation
Whitelist validation

Snort is an open-source, free and lightweight network intrusion detection system
(NIDS) software for Linux and Windows to detect emerging threats. Snort can be used
to detect SQL injection attacks.

Identify the correct Snort rule to detect SQL injection attacks using regular expression.

meta: description = "SQL Injection tester" author = "Ellaria Sand" date = "2016-04-26" hash = "dc098f88157b5cbf3ffc82e6966634bd280421eb" strings: $s0 = " SQL Injection tester" ascii $s17 = "/Blind SQL injection tool" fullword ascii $s18 = "SELECT UNICODE(SUBSTRING((system_user),{0},1))" fullword wide condition: uint16(0) == 0x5a4d and filesize < 1040KB and all of them }

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection – Paranoid"; flow:to_server,established; uricontent:".pl"; pcre:"/(\')|(\%27)|(\-\-)|(#)|(\%23)/ix"; classtype:Web-application-attack; sid:9099; rev:5;)

rule SQLiTester { meta: description = "SQL Injection tester" author = "Ellaria Sand" date = "2016-04-26" hash = "dc098f88157b5cbf3ffc82e6966634bd280421eb" strings: $s0 = " SQL Injection tester" ascii $s17 = "/Blind SQL injection tool" fullword ascii $s18 = "WAITFOR DELAY '0:0:10' --" fullword wide condition: uint32(0) == 0x5a4d and filesize < 1040KB and all of them }

/?id=1+AND+if((ascii(lower(substring((select password from user limit 0,1),0,1))))=97,1,benchmark(2000000,md5(now())))

Which of the following practices helps security professionals protect an organization’s
database from SQL injection attacks?

Never use a prepared statement to create a parameterized query.
Avoid using xp_cmdshell to control the interaction between the SQL server and
components of other servers.
Do not isolate the web server by locking it in different domains.
Enable shell access to the database.

Which of the following tools is used to build rules that aim to detect SQL injection
attacks?

Nmap
Masscan
Snort
SuperScan

Which of the following practices helps security professionals protect an organization’s
database from SQL injection attacks?

Never use a prepared statement to create a parameterized query.
Enable shell access to the database.
Do not isolate the web server by locking it in different domains.
Avoid using xp_cmdshell to control the interaction between the SQL server and
components of other servers.

Which of the following is a communication standard that is also known as WiMAX and
is designed to provide multiple physical layer (PHY) and MAC options?

802.11n
802.15.1
802.16
802.11g

Which of the following terms describes the amount of information that may be
broadcast over a connection?

Hotspot
BSSID
Bandwidth
ISM band

Andrew, a professional penetration tester, was hired by ABC Security, Inc., a small IT-
based firm in the United States to conduct a test of the company’s wireless network.
During the information-gathering process, Andrew discovers that the company is using
the 802.11g wireless standard. Using the NetSurveyor Wi-Fi network discovery tool,
Andrew starts gathering information about wireless APs. After trying several times, he
is not able to detect a single AP. What do you think is the reason behind this?

NetSurveyor does not work against 802.11g.
SSID broadcast feature must be disabled, so APs cannot be detected.
Andrew must be doing something wrong, as there is no reason for him to not
detect access points.
MAC address filtering feature must be disabled on APs or router.

Mark is working as a penetration tester in InfoSEC, Inc. One day, he notices that the
traffic on the internal wireless router suddenly increases by more than 50%. He knows
that the company is using a wireless 802.11 a/b/g/n/ac network. He decided to capture
live packets and browse the traffic to investigate the issue to find out the actual cause.
Which of the following tools should Mark use to monitor the wireless network?

WiFiFoFum
WiFish Finder
CommView for Wi-Fi
BlueScan

Which of the following terms is used to describe an attack in which an attacker gains
remote access to a target Bluetooth-enabled device without the victim being aware of
it?

Bluebugging
Bluejacking
Bluesmacking
Bluesnarfing

Which of the following techniques is used by network management software to detect
rogue APs?

RF scanning
Wired side inputs
AP scanning
Virtual-private network

Which of the following practices makes the Bluetooth-enabled devices of an
organization vulnerable to various attacks?

Always grant Bluetooth access permission to applications.
Change the default settings of the Bluetooth-enabled device to the best security
standard.
Avoid sharing sensitive information over Bluetooth-enabled devices.
Use link encryption for all Bluetooth connections.

Which of the following categories of mobile risk covers “Security Decisions via
Untrusted Inputs” and is one of the less frequently used categories?

Improper platform usage
Insecure communication
Client code quality
Code tampering

Which of the following is an attack technique used by an attacker to gain remote
access to a target Bluetooth-enabled device, use its features without the victim’s
knowledge or consent, and perform a backdoor attack before returning control to its
owner?

Agent Smith attack
Bluebugging
SMiShing
Bluesnarfing

Which of the following categories of mobile risk covers binary patching, local resource
modification, method hooking, method swizzling, and dynamic memory modification?

Client code quality
Reverse engineering
Extraneous functionality
Code tampering

Which of the following is not an OWASP Top 10 Mobile Risk?

Reverse engineering
Insecure communication
Buffer overflow
Insecure cryptography

Given below are the various steps involved in an OTP hijacking attack.
1. The attacker performs social engineering on the telecom operator.
2. The attacker’s device receives the OTP.
3. The telecom operator transfers the victim’s SIM control.
4. The attacker logs in to the victim’s online accounts via the OTP.
5. The attacker gains the target user’s PII.
Identify the correct sequence of steps involved in an OTP hijacking attack.

5→1→3→2→4
1→3→2→4→5
4→3→1→5→2
3→1→2→5→4

In a type of attack, attackers exploit various bypass vulnerabilities on a target Android
device by tricking the victim into downloading a malicious app. When the victim starts
using the infected application, a persistent connection is established between the
victim and attacker. Identify this attack.

Cryptanalysis attack
Jamming attack
Android camera hijack attack
BlueBorne attack

Which of the following Java API framework blocks manages the data sharing between
applications?

Notification manager
Window manager
Activity manager
Content providers

Which of the following practices is NOT a countermeasure to protect an Android device
and the data stored in it from malicious users?

Customize the lock screen with user information
Enable GPS on the Android device to track it when lost or stolen
Disable two-step verification on the Android mobile device
Keep the device updated with Google Android antivirus software

Which of the following Android tools is used by attackers to listen to HTTP packets
sent via a wireless (802.11) network connection and extract the session IDs from these
packets to reuse them?

DroidSheep
LOIC
KingoRoot
Orbot Proxy

Which of the following processes allows Android users to attain privileged control
within Android’s subsystem?

Data caching
Rooting
Warchalking
Wardriving

Which of the following practices is NOT a countermeasure to secure iOS devices?

Set separate passcodes for applications containing sensitive data
Install Vault apps to hide critical data stored on the iOS mobile device
Enable JavaScript and add-ons from the web browser
Do not jailbreak or root the device if used within enterprise environments

Which of the following tools is not used for iOS Jailbreaking?

Magisk Manager
Apricot
Yuxigon
checkra1n

Which of the following processes is supposed to install a modified set of kernel patches
that allows users to run third-party applications not signed by the OS vendor?

WarDriving
JailBreaking
Spear-Phishing
Sandboxing

Given below are the various steps associated with the method swizzling technique
used by attackers to assess the security posture and identify the vulnerabilities of the
target iOS application:

1. Run the application on the device.
2. Create a new method with customized functionalities.
3. Swap the functionality of the method by providing the new method reference to
the Objective-C runtime.
4. Identify the existing method selector reference to be swapped.
Identify the correct sequence of steps involved in the method swizzling technique.

2→4→3→1
4→2→3→1
4→2→1→3
1→3→4→2

In order to avoid data loss from a mobile device, which of the following Mobile Device
Management security measures should you consider?

Perform periodic backup and synchronization
Enable Remote Management
Encrypt Storage
Configure Application certification rules

Which of the following practices is NOT a countermeasure to defend against SMS
phishing attacks?

Never reply to an SMS that requires personal and financial information from the
recipient
Always reply to an SMS that urges the recipient to act or respond quickly
Check for spelling mistakes, grammatical errors, or language inconsistency in text
messages
Do not fall for scams, gifts, and offers that seem unexpected

Which of the following recommendations helps developers store critical data securely
on an Android device?

Ensure that the keys stored in the server can be accessed without proper
authentication.
Never derive keys using the passphrase provided by the user.
Use methods to store data in a readable format.
Employ a hardware-backed Android KeyStore to ensure the security of the data
stored.

Which of the following guidelines can help administrators secure the mobile devices
connected to a corporate network?

Avoid specifying a session timeout through Access Gateway.
Avoid publishing an enterprise policy for the cloud.
Disable all the required security settings for mobile devices before issuing them to
users.
Use a management console to restrict access to open public Wi-Fi.

Which of the following IoT technology components collects data that undergoes data
analysis, from the gateway?

Cloud server/data storage
Remote control using mobile app
Sensing technology
IoT gateway

Which of the following IoT architecture layers carries out communication between two
end points such as device-to-device, device-to-cloud, device-to-gateway, and back-
end data-sharing?

Access gateway layer
Edge technology layer
Internet layer
Middleware layer
Application layer

Which of the following layers in the IoT architecture has security issues such as
validation of the inputted string, AuthN, AuthZ, no automatic security updates, and
default passwords?

Mobile
Cloud
Network
Application

Name the IoT security vulnerability that gives rise to issues such as weak credentials,
lack of account lockout mechanism, and account enumeration?

Insufficient authentication/authorization
Insecure web interface
Privacy concerns
Insecure network services

What is the name of the code that is used in locking or unlocking a car or a garage
and prevents replay attacks?

Unicode
Polymorphic code
Hex code
Rolling code

Identify the Enemybot malware attack stage in which it borrows modules such as
scanner and bot killer from Mirai’s source code.

Gaining access
Persistence
Launching attack
Creating exploits

Given below are the different phases involved in IoT hacking

1. Vulnerability scanning
2. Information gathering
3. Maintaining access
4. Launching Attacks
5. Gaining remote access

What is the correct sequence of steps involved in IoT hacking?

1 -> 2 -> 3 -> 4 -> 5
5 -> 2 -> 3 -> 1 -> 4
2 -> 1 -> 5 -> 3 -> 4
2 -> 1 -> 4 -> -> 3

Given below are the steps used by the attackers to perform firmware analysis and
reverse engineering.
1. Extract the file system
2. Emulate firmware for dynamic testing
3. Obtain firmware
4. Analyze the file-system content
5. Mount the file system
6. Analyze firmware

What is the correct sequence of steps used by attackers to perform firmware analysis
and reverse engineering?

3 -> 6 -> 1 -> 5 -> 4 -> 2
3 -> 1 -> 6 -> 5 -> 2 -> 4
2 -> 1 -> 5 -> 3 -> 4 -> 6
5 -> 6 -> 3 -> 1 -> 4 -> 2

Information such as IP address, protocols used, open ports, device type, and geo-
location of a device is extracted by an attacker in which of the following phases of IoT
hacking?

Launch attacks
Vulnerability scanning
Information gathering
Gain access

If an attacker wants to gather information such as IP address, hostname, ISP, device’s
location, and the banner of the target IoT device, which of the following tools should
he use to do so?

Foren6
Nmap
RIoT vulnerability scanner
Shodan

Which of the following tools is used to perform a rolling code attack by obtaining the
rolling code sent by the victim?

RFcrack
Zigbee framework
HackRF one
RIoT vulnerability scanning

Which of the following online tools allows attackers to collect real-time IoT data across
dozens of verticals, including weather, environment, smart cities, energy, and
transport?

Startpage
MetaGer
eTools.ch
Thingful

Which of the following commands is executed by an attacker on the UART console to
gain root access to an IoT device?

reaver -i wlan0mon -b B4:75:0E:89:00:60 -vv
gobuster -u <target URL> -w common.txt
btlejack -f 0xac56bc12 -x nordic -o capture.nordic.pcap
nand read ${loadaddr} app-kernel 0x00400000 && bootm ${loadaddr}

In order to prevent an illegitimate user from performing a brute force attack, what
security mechanism should be implemented to the accounts?

Account lockout mechanism
Use of strong passwords
Use of SSL/TLS
Secure boot chain mechanism

Encrypted communications, strong authentication credentials, secure web interface,
encrypted storage, and automatic updates are the security considerations for which of
the following components?

Mobile
Edge
Gateway
Cloud platform
OT

Which of the following components of an industrial control system contains a
centralized supervisory control unit used to control multiple local controllers,
thousands of input/output (I/O) points, and various other field devices that are part of
the overall production process?

BPCS
SCADA
SIS
DCS

Which of the following phases of MITRE ATT&CK for ICS involves the use of
techniques by an attacker to damage, disrupt, or gain control of the data and systems
of the targeted ICS environment and its surroundings?

Impair process control
Impact
Inhibit response function
Discovery

Which of the following commands helps attackers gather information and identify
critical network activities of an ICS network?

run post/windows/gather/arp_scanner RHOSTS <target subnet range>
Invoke-Mimikatz -command '"lsadump::dcsync /domain:<Target Domain>
/user:<krbtgt>\<Any Domain User>"
python -m fuzzowski printer1 631 -f ipp -r get_printer_attribs --restart smartplug
msfvenom -p windows/shell_reverse_tcp lhost=<Target IP Address> lport=444 -f
exe > /home/attacker/Windows.exe

Which of the following security solutions is known as honeypots and used in OT
environments to lure attackers into revealing their presence and activities?

Firewall
Decoy
Asset inventory
OT access management

Given below are the various steps involved in implementing a zero-trust model for an
ICS network.

1. Monitoring and maintaining
2. Architecting the network
3. Mapping the traffic
4. Defining the network
5. Developing a ZT policy
Identify the correct sequence of steps involved in implementing a zero-trust model.

1 -> 4 -> 3 -> 2 -> 5
2 -> 1 -> 3 -> 4 -> 5
4 -> 3 -> 2 -> 5 -> 1
5 -> 2 -> 4 -> 1 -> 3

Which of the following is a not-for-profit international regulatory authority that aims to
assure the effective and efficient reduction of risks to the reliability and security of
electric grids?

Censys
CSA
NERC
CVE

Which of the following cloud services provides features such as single sign-on, multi-
factor authentication, identity governance and administration, access management,
and intelligence collection?

IDaaS
IaaS
SaaS
PaaS

Which of the following types of cloud platforms is most secure?

Hybrid
Internal
Public
Private

In which of the following cloud deployment models does the provider make services
such as applications, servers, and data storage available to the public over the
Internet?

Public cloud
Hybrid cloud
Community cloud
Private cloud

Identify the cloud computing service that protects users and organizations from both
internal and external threats by filtering network traffic and includes the ability to detect
malware attacks, in addition to security functionalities such as packet filtering, network
analyzing, and IPsec.

FWaaS
CaaS
IDaaS
FaaS

Which of the following is a docker remote driver that is a network plugin used to build
a virtual network for connecting docker containers spread across multiple clouds?

Contiv
Kuryr
MACVLAN
Weave

Which of the following constructs of the container network model comprises the
container network stack configuration for the management of container interfaces,
routing tables, and DNS settings?

Sandbox
Bridge
Endpoint
Network

Which of the following is the property of container technology that makes it less secure
than virtual machines?

Created and launched in minutes
Heavyweight
Process-level isolation
Complete isolation

Which of the following components of the container network model is connected to a
network and is abstracted away from an application so that services can implement
different network drivers?

Endpoint
Network
Bridge
Sandbox

Through which of the following Kubernetes vulnerabilities can an attacker exploit the
kube-apiserver with the disabled debug mode to directly interact with it and perform
various malicious activities?

Log rotation is not atomic
No back-off process for scheduling
Exposed bearer tokens in logs
No non-repudiation

In which of the following attacks does an attacker abuse cloud file synchronization
services, such as Google Drive and DropBox, for data compromise, command and
control, data exfiltration, and remote access?

Cloud cryptojacking
Cloud hopper attack
Man-in-the-cloud attack
Cloudborne attack

Which of the following cloud computing threats arises from the ignorance of the CSP’s
cloud environment and poses risks in operational responsibilities such as security,
encryption, and incident response?

Loss of operational and security logs
Unsynchronized system clocks
Insufficient due diligence
Insecure interfaces and APIs

Which of the following cloud computing threats is caused by incomplete and non-
transparent terms of use, hidden dependencies created by cross-cloud applications,
inappropriate CSP selection, and lack of supplier redundancy?

Supply chain failure
Isolation failure
Hardware failure
Subpoena and e-discovery

An attacker creates anonymous access to the cloud services to carry out various
attacks such as password and key cracking, hosting malicious data, and DDoS attack.
Which of the following threats is he posing to the cloud platform?

Data breach/loss
Abuse and nefarious use of cloud services
Insufficient due diligence
Insecure interface and APIs

Out of the following, which is not a type of side-channel attack?

Acoustic cryptanalysis
Cybersquatting
Data remanence
Timing attack

Identify the attack in which attackers exploit a zero-day vulnerability on the target
application server or use information leaked via a reverse proxy implemented by
administrators to gain unauthorized access to network resources by compromising
cloud instances.

CDN cache poisoning attack
Cloud snooper attack
IMDS attack
Cloudborne attack

Which of the following attacks is triggered at AWS security groups (SGs) to
compromise the target server and extract sensitive data stealthily?

Cloud snooper attack
SYN flood attack
Man-in-the-cloud attack
Cloud hopper attack

Which of the following is cloud malware designed to exploit misconfigured kubelets in
a Kubernetes cluster for infecting all the containers in the Kubernetes environment?

Dreambot
Hildegard
Necurs
njRAT

Which of the following information can be enumerated when an attacker runs the
command # ps -ef | grep apiserver in Kubernetes etcd?

Secrets stored in the Kubernetes cluster
Location of the etcd server and PKI information
Retrieve a key and convert it into the YAML format
Decoding keys

In which of the following techniques does an attacker use lambda functions such as
rabbit_lambda, cli_lambda, and backdoor_created_users_lambda to install a
backdoor to AWS infrastructure?

Creating new EC2 instances
Manipulating access keys
Manipulating user data
Encrypting the cloud trails using a new key

Given below are the different steps to exploit misconfigured AWS S3 buckets.

1. Set up the AWS command-line interface
2. Identify S3 buckets
3. Configure aws-cli
4. Exploit S3 buckets
5. Extract access keys
6. Identify vulnerable S3 buckets

What is the correct sequence of steps involved in exploiting misconfigured AWS S3
buckets?

3 -> 1 -> 4 -> 5 -> 6 -> 2
3 -> 2 -> 4 -> 6 -> 5 -> 1
1 -> 2 -> 3 -> 4 -> 5 -> 6
2 -> 1 -> 5 -> 3 -> 6 -> 4

Given below are the various steps involved in abusing AWS Lambda functions using
a white-box scenario.

1. The attacker obtains information about the roles and other policies associated
with that compromised cloud account. Here, the attacker strictly focuses on the
specific misconfigured S3 bucket.
2. The attacker can now list the Lambda functions and obtain additional
information about any function.
3. With the additional information and obtained user credentials, the attacker
downloads the associated Lambda code for detecting and exploiting potential
vulnerabilities.
4. The Lambda function can now be exploited by the attacker to launch further
attacks.
5. An attacker obtains sensitive information such as user credentials through
phishing or other social engineering methods.
What is the correct sequence of steps involved in abusing AWS Lambda functions
using a white-box scenario?

5 -> 2 -> 3 -> 4 -> 1
5 -> 1 -> 2 -> 3 -> 4
3 -> 1 -> 2 -> 5 -> 4
2 -> 3 -> 4 -> 1 -> 5

Given below are the various steps involved in abusing AWS Lambda functions using
a black-box scenario.

1. Once the files are uploaded, the tags of the individual files can be calculated
using a Lambda function.
2. The attacker uploads files to S3 and then rechecks their configurations.
3. The attacker exfiltrates the cloud credentials of an account and starts
enumeration for higher privileges with the acquired AWS credentials.
4. An attacker accesses a misconfigured S3 bucket that was not implemented with
any credentials. The misconfigured buckets that the attacker gains access to
may contain various organizational files.

What is the correct sequence of steps involved in abusing AWS Lambda functions
using a black-box scenario?

3 -> 1 -> 2 -> 4
4 -> 3 -> 2 -> 1
1 -> 4 -> 2 -> 3
4 -> 2 -> 1 -> 3

Which of the following cloud security control layers includes security controls such as
governance-risk-compliance, IAM, VA/VM, patch management, configuration
management, and monitoring?

Application layer
Information layer
Management layer
Network layer

Which of the following best practices should be followed for securing a cloud
environment?

Verify one’s own cloud in public domain blacklists
Do not disclose applicable logs and data to customers
Allow unauthorized server access using security checkpoints
Do not enforce legal contracts in employee behavior policy

Which of the following measures is NOT a best practice for securing a container
environment?

Store sensitive data externally and allow dynamic access at runtime
Use a single database for all applications
Configure orchestrators to deploy a set of hosts separately based on their
sensitivity level
Perform regular scanning of the images in the repository

Which of the following measures is NOT a best practice for securing a Kubernetes
environment?

Use a separate encoding format for each configuration task
Use kube-apiserver instances that maintain CRLs
Use offensive security certified professional stapling
Use the copy-then-rename method for log rotation

Identify the services provided by the application layer of the cloud security control
model?

SDLC, binary analysis, scanners, web app firewalls, transactional sec
Physical plant security, CCTV, guards
DLP, CMF, database activity monitoring, encryption
Hardware and software RoT and APIs

The components such as NIDS/NIPS, firewalls, DPI, Anti-DDoS, QoS, DNSSEC, and
OAuth are included in which of the following cloud security control layers?

Network layer
Management layer
Computer and storage
Applications layer

In which of the following cloud security control layers do the security controls
DNSSEC and OAuth operate?

Information layer
Network layer
Management layer
Computation and storage layer

Which of the following practices helps security professionals in protecting a serverless
computing environment from various cyberattacks?

Maximize serverless permissions in the development phase to reduce the attack
surface area.
Use timeouts to limit how long serverless functions can execute.
Disable signed requests for cloud vendors to protect the data in transit and to
prevent HTTP replay attacks.
Never use third-party security tools.

Which of the following terms refers to on-premises or cloud-hosted solutions for
enforcing security, compliance, and governance policies in cloud applications?

Cluster
CASB
Kubernetes
Container

Which of the following encryption algorithms is a Feistel cipher that uses 64 rounds as
well as a 128-bit key operating on 64-bit blocks?

Serpent
TEA
Threefish
Twofish

Which of the following cryptographic algorithms has been proposed as a replacement
for the RSA algorithm to minimize the key size?

HMAC
Quantum cryptography
ECC
RIPEMD-160

Which of the following hardware encryption devices is an additional external security
device used in a system for crypto-processing and can be used for managing,
generating, and securely storing cryptographic keys?

Hard-drive encryption
HSM
USB encryption
TPM

Which of the following is optimized for confidential communications, such as
bidirectional voice and video?

MD4
MD5
RC4
RC5

In a mode of authenticated encryption, a hash code is first generated. Next, the
plaintext is encrypted using a secret key. Finally, both the ciphertext and hash value
are combined and transmitted. Identify this mode of authenticated encryption.

Encrypt-and-MAC (E&M)
MAC-then-Encrypt (MtE)
Authenticated encryption with associated data (AEAD)
Encrypt-then-MAC (EtM)

Which of the following is a partially decentralized blockchain in which a group of
individuals or organizations create and manage separate blockchain networks?

Private blockchain
Federated blockchain
Hybrid blockchain
Public ledger

Which of the following is an example of a public ledger or public blockchain that has
no central authority or administration to manage the blocks or ledgers?

Ripple (XRP)
IBM Food Trust
Ethereum
Hyperledger

Which of the PKI components is responsible for issuing and verifying digital certificates?

Validation authority (VA)
Registration authority (RA)
End user
Certificate authority (CA)

Which of the following processes of PKI (public key infrastructure) ensures that a trust
relationship exists and that a certificate is still valid for specific operations?

Certificate validation
Certificate issuance
Certificate revocation
Certificate cryptography

Which of the following tools is used by a security professional to encrypt a disk partition
to provide confidentiality to the sensitive information stored on it so that the chances
of compromising the information are minimized?

Akamai
Nexpose
Vindicate
FileVault

Which of the following techniques is used for converting Outlook email messages so
that senders and the designated receivers can access them without compromising the
integrity of the message?

Transform domain techniques
Disk encryption
Least-significant-bit insertion
S/MIME encryption

Given below are the various steps involved in encrypting email messages using
S/MIME encryption.

1. Choose the Email Security option from the left pane.
2. In the Change Security Settings pop-up window, under the Certificates and
Algorithms section, choose the S/MIME certificate for the Signing certificate and
Encryption certificate options and click OK.
3. Select File → Options → Trust Center → Trust Center Settings.
4. In the Encrypted email section, click on the Settings option beside Default
Setting.
Identify the correct sequence of steps involved in encrypting messages using S/MIME.

3 -> 1 -> 2 -> 4
4 -> 2 -> 1 -> 3
2 -> 4 -> 3 -> 1
3 -> 1 -> 4 -> 2

Given below are the various steps involved in encrypting all outgoing email messages
using Office 365 Message Encryption (OME).

1. Choose the Email Security option from the left pane.
2. In the Encrypted email section, check the Encrypt contents and attachments for all
outgoing messages option and click OK.
3. In an email message body, select the Options menu, go to Encrypt, and choose the
encryption that includes the required constraints such as Encrypt-Only or Do Not
Forward.
4. Select File → Options → Trust Center → Trust Center Settings.
Identify the correct sequence of steps involved in encrypting all outgoing email
messages.

3 -> 4 -> 1 -> 2
2 -> 4 -> 3 -> 1
4 -> 2 -> 1 -> 3
3 -> 1 -> 2 -> 4

An attacker breaks an n-bit key cipher in 2^(n/2) operations in order to
recover the key. Which cryptography attack is he performing?

Timing attack
Known-plaintext attack
Rubber hose attack
Chosen-key attack

Which of the following practices helps security professionals protect an organization’s
data from various cryptographic attacks?

Passphrases and passwords must not be used to encrypt the key, if stored on the
disk.
Enforce hardware-backed security such as hardware security modules (HSMs) to
enhance the cryptographic key security.
Access to cryptographic keys should not be given directly to an application or a
user.
Keys should be present inside the source code or binaries.
