GIAC GPEN GIAC Penetration Tester Exam Practice Test

Demo: 57 questions
Total 385 questions

GIAC Penetration Tester Questions and Answers

Question 1

What concept do Rainbow Tables use to speed up password cracking?

Options:

A.

Fast Lookup Crack Tables

B.

Memory Swap Trades

C.

Disk Recall Cracking

D.

Time-Memory Trade-off

Question 2

192.168.116.9 is an IP address for www.scanned-server.com. Why are the results from the two scans, shown below, different?

Options:

A.

John.pot

B.

John conf

C.

John.rec

D.

John.ini

Question 3

Analyze the screenshot below. What type of vulnerability is being attacked?

Options:

A.

Windows Server service

B.

Internet Explorer

C.

Windows Powershell

D.

Local Security Authority

Question 4

You are conducting a penetration test for a private company located in the UK. The scope extends to all internal and external hosts controlled by the company. You have gathered necessary hold-harmless and non-disclosure agreements. Which action by your group can incur criminal liability under the computer Misuse Act of 1990?

Options:

A.

Sending crafted packets to internal hosts in an attempt to fingerprint the operating systems

B.

Recovering the SAM database of the domain server and attempting to crack passwords

C.

Installing a password sniffing program on an employee's personal computer without consent

D.

Scanning open ports on internal user workstations and exploiting vulnerable applications

Question 5

A customer has asked for a scan for vulnerable SSH servers. What is the penetration tester attempting to accomplish using the following Nmap command?

Options:

A.

Checking operating system version

B.

Running an exploit against the target

C.

Checking configuration

D.

Checking protocol version

Question 6

You are pen testing a network and have shell access to a machine via Netcat. You try to use ssh to access another machine from the first machine. What is the expected result?

Options:

A.

The ssh connection will succeed if you have root access on the intermediate machine

B.

The ssh connection will fail

C.

The ssh connection will succeed

D.

The ssh connection will succeed if no password required

Question 7

How can web server logs be leveraged to perform Cross-Site Scripting (XSS)?

Options:

A.

Web logs containing XSS may execute shell scripts when opened in a GUI text browser

B.

XSS attacks cause web logs to become unreadable and therefore are an effective DOS attack.

C.

If web logs are viewed in a web-based console, log entries containing XSS may execute on the browser.

D.

When web logs are viewed in a terminal, XSS can escape to the shell and execute commands.

Question 8

By default Active Directory Controllers store password representations in which file?

Options:

A.

%systemroot%\system32\ntds.dit

B.

%systemroot%\ntds\ntds.dit

C.

%systemroot%\ntds\sam.dat

D.

%systemroot%\ntds\sam.dit

Question 9

Analyze the command output below. What information can the tester infer directly from the information shown?

Options:

A.

Usernames for the domain testdomain.com

B.

Directory indexing is allowed on the web server

C.

Vulnerable versions of Adobe software in use

D.

Naming convention for public documents

Question 10

Identify the network activity shown below:

Options:

A.

A sweep of available hosts on the local subnet

B.

A flood of the local switch's CAM table.

C.

An attempt to disassociate wireless clients.

D.

An attempt to impersonate the local gateway

Question 11

How can a non-privileged user on a Unix system determine if shadow passwords are being used?

Options:

A.

Read /etc/password and look for "x" or “II” in the second colon-delimited field

B.

Read /etc/shadow and look for “x” or “II” in the second colon-delimited field

C.

Verify that /etc/password has been replaced with /etc/shadow

D.

Read /etc/shadow and look for NULL values in the second comma-delimited field

Question 12

While performing an assessment on a banking site, you discover the following link:

https://mybank.com/xfer.asp?xfer_to=[account_number]&amount=[dollars]

Assuming authenticated banking users can be lured to your web site, which crafted HTML tag may be used to launch an XSRF attack?

Options:

A.

B.

alert('https://mybank.com/xfer.asp?xfer_to=[attacker_account]&amount=[dollars]')</script>

C.

document.write('https://mybank.com/xfer.asp?xfer_to=[attacker_account]&amount=[dollars]')</script>

D.

Question 13

Analyze the screenshot below. What event is depicted?

Options:

A.

An exploit that was attempted does not work against the target selected.

B.

A payload was used that is not compatible with the chosen exploit.

C.

The exploit is designed to work against the local host only.

D.

The payload is designed to create an interactive session.

Question 14

While reviewing traffic from a tcpdump capture, you notice the following commands being sent from a remote system to one of your web servers:

C:\>sc \\internet.host.com create ncservice binpath= "c:\tools\nc.exe -l -p 2222 -e cmd.exe"

C:\>sc \\internet.host.com query ncservice

What is the intent of the commands?

Options:

A.

The first command creates a backdoor shell as a service. It is being started on TCP 2222 using cmd.exe. The second command verifies the service is created and its status.

B.

The first command creates a backdoor shell as a service. It is being started on UDP 2222 using cmd.exe. The second command verifies the service is created and its status.

C.

This creates a service called ncservice which is linked to the cmd.exe command and is designed to stop any instance of nc.exe being run. The second command verifies the service is created and its status.

D.

The first command verifies the service is created and its status. The second command creates a backdoor shell as a service. It is being started on TCP 2222 connected to cmd.exe.

Question 15

Analyze the excerpt from a packet capture between the hosts 192.168.116.9 and 192.168.116.101. What factual conclusion can the tester draw from this output?

Options:

A.

Port 135 is filtered, port 139 is open.

B.

Ports 135 and 139 are filtered.

C.

Ports 139 and 135 are open.

D.

Port 139 is closed, port 135 is open.

Question 16

In which of the following attacks does an attacker use packet sniffing to read network traffic between two parties to steal the session cookie?

Options:

A.

Cross-site scripting

B.

Session sidejacking

C.

ARP spoofing

D.

Session fixation

Question 17

Which of the following techniques are NOT used to perform active OS fingerprinting?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

ICMP error message quoting

B.

Analyzing email headers

C.

Sniffing and analyzing packets

D.

Sending FIN packets to open ports on the remote system

Question 18

Which of the following Trojans does not use TCP protocol?

Options:

A.

Donald Dick

B.

Beast

C.

Back Orifice

D.

NetBus

Question 19

You want to run the nmap command that includes the host specification of 202.176.56-57.*. How many hosts will you scan?

Options:

A.

256

B.

512

C.

1024

D.

64

Question 20

Which of the following tools is not a BlueSnarf attacking tool?

Options:

A.

Blooover

B.

Redsnarf

C.

BlueSnarfer

D.

Freejack

Question 21

Which of the following ports is used for NetBIOS null sessions?

Options:

A.

130

B.

139

C.

143

D.

131

Question 22

You want to perform an active session hijack against Secure Inc. You have found a target that allows Telnet sessions. You have also identified an active session, thanks to the high level of traffic on the network. What should you do next?

Options:

A.

Use a sniffer to listen to network traffic.

B.

Guess the sequence numbers.

C.

Use Brutus to crack the Telnet password.

D.

Use macof to change the MAC address.

Question 23

John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. He has successfully performed the following steps of the pre-attack phase to check the security of the We-are-secure network:

Gathering information

Determining the network range

Identifying active systems

Now, he wants to find the open ports and applications running on the network. Which of the following tools will he use to accomplish his task?

Options:

A.

APNIC

B.

SuperScan

C.

ARIN

D.

RIPE

Question 24

Which of the following Penetration Testing steps includes network mapping and OS fingerprinting?

Options:

A.

Gather information

B.

Exploit

C.

Verify vulnerabilities

D.

Planning stage

Question 25

You want to search for Microsoft Outlook Web Access default portals using Google search on the Internet so that you can perform a brute force attack and gain unauthorized access. What search string will you use to accomplish the task?

Options:

A.

intitle:index.of inbox dbx

B.

intext:"outlook.asp"

C.

allinurl:"exchange/logon.asp"

D.

intitle:"Index Of" -inurl:maillog maillog size

Question 26

You want some of your Web pages not to be crawled. Which one of the following options will you use to accomplish the task?

Options:

A.

Use an HTML NO Crawl tag in the Web page that is not to be crawled

B.

Place the names of restricted Web pages in the private.txt file

C.

Place the names of restricted Web pages in the robotes.txt file

D.

Enable SSL

Question 27

In which of the following attacks is a malicious packet rejected by an IDS, but accepted by the host system?

Options:

A.

Insertion

B.

Evasion

C.

Fragmentation overwrite

D.

Fragmentation overlap

Question 28

Which of the following techniques is used to monitor telephonic and Internet conversations by a third party?

Options:

A.

War driving

B.

War dialing

C.

Web ripping

D.

Wiretapping

Question 29

Which of the following tasks is NOT performed in the enumeration phase?

Options:

A.

Discovering NetBIOS names

B.

Obtaining Active Directory information and identifying vulnerable user accounts

C.

Injecting a backdoor into the remote computer to gain remote access to it

D.

Establishing NULL sessions and queries

Question 30

Which of the following wireless security standards supported by Windows Vista provides the highest level of security?

Options:

A.

WPA2

B.

WPA-PSK

C.

WEP

D.

WPA-EAP

Question 31

You want to search for Apache Web servers running version 2.0 using Google hacking. Which of the following search queries will you use?

Options:

A.

intitle:Sample.page.for.Apache Apache.Hook.Function

B.

intitle:"Test Page for Apache Installation" "It worked!"

C.

intitle:test.page "Hey, it worked !" "SSl/TLS aware"

D.

intitle:"Test Page for Apache Installation" "You are free"

Question 32

You work as a Penetration Tester for Infosec Inc. Your company takes on security auditing projects. Recently, your company assigned you a project to test the security of the we-are-secure.com network. Now that you have finished your penetration test, you find that the we-are-secure.com server is highly vulnerable to SNMP enumeration. You advise We-are-secure Inc. to turn off SNMP; however, this is not possible as the company is using various SNMP services on its remote nodes. What other steps can you suggest to remove the SNMP vulnerability?

Each correct answer represents a complete solution. Choose two.

Options:

A.

Change the default community string names.

B.

Install antivirus.

C.

Close port TCP 53.

D.

Upgrade SNMP Version 1 to the latest version.

Question 33

You have changed the RestrictAnonymous registry setting from 0 to 1 on your servers to secure your Windows 2000 system so that a malicious user cannot establish a null session on the server. However, when you test the security using the userinfo tool, you find that you can still establish a null session. What may be the reason?

Options:

A.

You cannot disable establishing null sessions.

B.

You need to disable promiscuous mode on the Ethernet network card.

C.

You need to set the RestrictAnonymous key value to 2 instead of 1.

D.

You need to install a firewall.

Question 34

The employees of EWS Inc. require remote access to the company's Web servers. In order to provide solid wireless security, the company uses EAP-TLS as the authentication protocol. Which of the following statements are true about EAP-TLS?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

It is supported by all manufacturers of wireless LAN hardware and software.

B.

It uses a public key certificate for server authentication.

C.

It uses a password hash for client authentication.

D.

It provides a moderate level of security.

Question 35

Which of the following attacks allows an attacker to recover the key in an RC4 encrypted stream from a large number of messages in that stream?

Options:

A.

SYN flood attack

B.

Rainbow attack

C.

Zero Day attack

D.

FMS attack

Question 36

Which of the following tools is used for vulnerability scanning and calls Hydra to launch a dictionary attack?

Options:

A.

Whisker

B.

SARA

C.

Nmap

D.

Nessus

Question 37

Which of the following tools are used for footprinting?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

Brutus

B.

Sam Spade

C.

Whois

D.

Traceroute

Question 38

Network mapping provides a security testing team with a blueprint of the organization. Which of the following steps is NOT a part of manual network mapping?

Options:

A.

Collecting employee information

B.

Gathering private and public IP addresses

C.

Performing NeoTrace routing

D.

Banner grabbing

Question 39

Which of the following password cracking tools can work in Unix and Linux environments?

Options:

A.

Brutus

B.

Cain and Abel

C.

Ophcrack

D.

John the Ripper

Question 40

You are using the dsniff tool to intercept communications between two entities and establish credentials with both sides of the connection. These entities do not notice that you are retrieving the information passing between them. Which of the following attacks are you performing?

Options:

A.

Man-in-the-middle

B.

ARP poisoning

C.

Session hijacking

D.

DoS

Question 41

Victor works as a professional Ethical Hacker for SecureEnet Inc. He wants to scan the wireless network of the company. He uses a tool that is a free open-source utility for network exploration.

The tool uses raw IP packets to determine the following:

What ports are open on our network systems.

What hosts are available on the network.

Identify unauthorized wireless access points.

What services (application name and version) those hosts are offering.

What operating systems (and OS versions) they are running.

What type of packet filters/firewalls are in use.

Which of the following tools is Victor using?

Options:

A.

Nmap

B.

Kismet

C.

Sniffer

D.

Nessus

Question 42

You run the following command while using Nikto Web scanner:

perl nikto.pl -h 192.168.0.1 -p 443

What action do you want to perform?

Options:

A.

Updating Nikto.

B.

Setting Nikto for network sniffing.

C.

Port scanning.

D.

Using it as a proxy server.

Question 43

You work as a Network Administrator for Tech Perfect Inc. The company has a Windows Active Directory-based single domain single forest network. The functional level of the forest is Windows Server 2003. The company has recently provided laptops to its sales team members. You have configured access points in the network to enable a wireless network. The company's security policy states that all users using laptops must use smart cards for authentication. Which of the following authentication techniques will you use to implement the security policy of the company?

Options:

A.

IEEE 802.1X using EAP-TLS

B.

IEEE 802.1X using PEAP-MS-CHAP

C.

Pre-shared key

D.

Open system

Question 44

Which of the following commands can be used for port scanning?

Options:

A.

nc -z

B.

nc -t

C.

nc -w

D.

nc -g

Question 45

Adam, a malicious hacker, hides a hacking tool from a system administrator of his company by using the Alternate Data Streams (ADS) feature. Which of the following statements is true in the context of the above scenario?

Options:

A.

Alternate Data Streams is a feature of the Linux operating system.

B.

Adam's system runs on the Microsoft Windows 98 operating system.

C.

Adam is using the FAT file system.

D.

Adam is using the NTFS file system.

Question 46

Which of the following tools is an automated tool that is used to implement SQL injections and to retrieve data from Web server databases?

Options:

A.

Fragroute

B.

Absinthe

C.

Stick

D.

ADMutate

Question 47

John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. He is using the Linux operating system. He wants to use a wireless sniffer to sniff the We-are-secure network. Which of the following tools will he use to accomplish his task?

Options:

A.

NetStumbler

B.

Snadboy's Revelation

C.

WEPCrack

D.

Kismet

Question 48

Which of the following is the frequency range used by IEEE 802.11a networks?

Options:

A.

1.15-3.825 GHz

B.

5.15-5.825 GHz

C.

5.25-9.825 GHz

D.

6.25-9.825 GHz

Question 49

Which of the following standards is used in wireless local area networks (WLANs)?

Options:

A.

IEEE 802.4

B.

IEEE 802.3

C.

IEEE 802.11b

D.

IEEE 802.5

Question 50

Which of the following tools can be used to perform Windows password cracking, Windows enumeration, and VoIP session sniffing?

Options:

A.

Cain

B.

L0phtcrack

C.

Pass-the-hash toolkit

D.

John the Ripper

Question 51

John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. He has successfully completed the following pre-attack phases while testing the security of the server:

Footprinting

Scanning

Now he wants to conduct the enumeration phase. Which of the following tools can John use to conduct it?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

PsFile

B.

PsPasswd

C.

UserInfo

D.

WinSSLMiM

Question 52

The scope of your engagement includes a target organization located in California with a /24 block of addresses that they claim to own completely. Which site could you use to confirm that you have been given accurate information before starting reconnaissance activities?

Options:

A.

www.whois.net

B.

www.arin.net

C.

www.apnic.net

D.

www.ripe.net

Question 53

This is a Windows-based tool that is used for the detection of wireless LANs using the IEEE 802.11a, 802.11b, and 802.11g standards. The main features of this tool are as follows:

It displays the signal strength of a wireless network, MAC address, SSID, channel details, etc.

It is commonly used for the following purposes:

a. War driving

b. Detecting unauthorized access points

c. Detecting causes of interference on a WLAN

d. WEP ICV error tracking

e. Making graphs and alarms on 802.11 data, including signal strength

This tool is known as __________.

Options:

A.

Absinthe

B.

THC-Scan

C.

NetStumbler

D.

Kismet

Question 54

You want to create a binary log file using tcpdump. Which of the following commands will you use?

Options:

A.

tcpdump -B

B.

tcpdump -dd

C.

tcpdump -w

D.

tcpdump -d

Question 55

You run the rdisk /s command to retrieve the backup SAM file on a computer. Where should you go on the computer to find the file?

Options:

A.

%systemroot%\password\sam._

B.

%systemroot%\sam._

C.

%systemroot%\repair\sam._

D.

%systemroot%\backup\sam._

Question 56

You work as a Network Penetration Tester at Secure Inc. Your company takes on projects to test the security of various companies. Recently, Secure Inc. assigned you a project to test the security of a Web site. You go to the Web site's login page and run the following SQL query:

SELECT email, passwd, login_id, full_name

FROM members

WHERE email = 'attacker@somehwere.com'; DROP TABLE members; --'

What task will the above SQL query perform?

Options:

A.

Performs an XSS attack.

B.

Deletes the entire members table.

C.

Deletes the rows of the members table where the email id is 'attacker@somehwere.com'.

D.

Deletes the database in which the members table resides.

Question 57

You work as a Web developer at IBM Inc. Your area of proficiency is PHP. Since you have proper knowledge of security, you are aware of rainbow table attacks. To mitigate this attack, you design your PHP code based on the following algorithm:

key = hash(password + salt)

for 1 to 65000 do

key = hash(key + salt)

Which of the following techniques are you implementing in the above algorithm?

Options:

A.

Key strengthening

B.

Hashing

C.

Sniffing

D.

Salting