
GIAC GPEN GIAC Penetration Tester Exam Practice Test

Page: 1 / 39
Total 385 questions

GIAC Penetration Tester Questions and Answers

Question 1

Which of the following statements are true about NTLMv1?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

It uses the LANMAN hash of the user's password.

B.

It is mostly used when no Active Directory domain exists.

C.

It is a challenge-response authentication protocol.

D.

It uses the MD5 hash of the user's password.

Question 2

You work as a Network Penetration Tester at Secure Inc. Your company takes on projects to test the security of various companies. Recently, Secure Inc. has assigned you a project to test the security of a Web site. You go to the Web site login page and you run the following SQL query:

SELECT email, passwd, login_id, full_name
FROM members
WHERE email = 'attacker@somewhere.com'; DROP TABLE members; --'

What task will the above SQL query perform?

Options:

A.

Performs an XSS attack.

B.

Deletes the entire members table.

C.

Deletes the rows of the members table where the email id 'attacker@somewhere.com' is given.

D.

Deletes the database in which members table resides.

Question 3

You want to scan your network quickly to detect live hosts by using ICMP ECHO Requests. What type of scanning will you perform to accomplish the task?

Options:

A.

Idle scan

B.

TCP SYN scan

C.

Ping sweep scan

D.

XMAS scan

Question 4

Which of the following is a Windows-based tool that is used for the detection of wireless LANs using the IEEE 802.11a, 802.11b, and 802.11g standards and also detects wireless networks marking their relative position with a GPS?

Options:

A.

NetStumbler

B.

Tcpdump

C.

Kismet

D.

Ettercap

Question 5

Which of the following tasks can be performed by using netcat utility?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

Firewall testing

B.

Creating a Backdoor

C.

Port scanning and service identification

D.

Checking file integrity

Question 6

Which of the following can be used as a countermeasure against the SQL injection attack?

Each correct answer represents a complete solution. Choose two.

Options:

A.

mysql_real_escape_string()

B.

Prepared statement

C.

mysql_escape_string()

D.

session_regenerate_id()

Question 7

Which of the following tools connects to and executes files on remote systems?

Options:

A.

Spector

B.

Hk.exe

C.

PsExec

D.

GetAdmin.exe

Question 8

You work as a Network Administrator for Tech Perfect Inc. The company has a TCP/IP-based network. Rick, your assistant, is configuring some laptops for wireless access. For security, WEP needs to be configured for wireless communication. By mistake, Rick configures a different WEP key on a laptop from the one configured on the Wireless Access Point (WAP). Which of the following statements is true in such a situation?

Options:

A.

The laptop will be able to access the wireless network but the security will be compromised

B.

The WAP will allow the connection with the guest account's privileges.

C.

The laptop will be able to access the wireless network but other wireless devices will be unable to communicate with it.

D.

The laptop will not be able to access the wireless network.

Question 9

You have obtained the hash below from the /etc/shadow file. What are you able to discern simply by looking at this hash?

Question # 9

Options:

A.

A4XD$B4COCqWaEpFjLLDe. is a SHA1 hash that was created using the salt $1SuWeOhL6k$ 1

B.

A4XD$B4COCqWaEpFjLLDe. is an MD5 hash that was created using the salt $1SuWeOhL6k$

C.

A4XDsB4COGqWaEpFjLLDe. is an MD5 hash that was created using the salt uWeOhL6k

D.

A4XDsB4COCqWaEpFjLLDe. is a SHA1 hash that was created using the salt uweohL6k
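The hash in Question 9 is only an image on this page, so the worked example below is an added one (it is not part of the practice test): it parses the modular crypt format that /etc/shadow uses ($id$[rounds=N$]salt$hash) and reports the scheme and salt, which is what the question asks you to read off by eye ($1$ is MD5-crypt, $5$ SHA-256-crypt, $6$ SHA-512-crypt, and the field between the second and third $ is the salt). The sample records are constructed for the example: the MD5-crypt line reuses the salt and hash text from option C, the SHA-512 digests are filler letters rather than real hashes, and the DES-crypt string in the usage check is an arbitrary 13-character value.

```python
import re

# $-separated crypt(3) schemes and the length of their base64-style ([./0-9A-Za-z]) hash field
CRYPT_SCHEMES = {
    "1": ("MD5-crypt", 22),
    "5": ("SHA-256-crypt", 43),
    "6": ("SHA-512-crypt", 86),
}

# Constructed sample records. The SHA-512 digests are filler letters, not real hashes;
# the MD5-crypt line reuses the salt and hash text from option C of the question.
SAMPLE_SHADOW = (
    "alice:$1$uWeOhL6k$A4XDsB4COGqWaEpFjLLDe.:15000:0:99999:7:::\n"
    "bob:$6$rounds=656000$Xy9sALt.$" + "A" * 86 + ":15600:0:99999:7:::\n"
    "svc:!$6$Xy9sALt.$" + "B" * 86 + ":15600:0:99999:7:::\n"
    "nobody:*:15000:0:99999:7:::\n"
)


def parse_crypt_string(field: str) -> dict:
    """Split a shadow password field into scheme, salt, rounds and hash."""
    result = {"locked": field.startswith("!"), "scheme": None,
              "salt": None, "rounds": None, "hash": None}
    body = field.lstrip("!")            # a leading '!' means the account is locked
    if body in ("", "*"):
        result["scheme"] = "no usable password"
        return result
    if not body.startswith("$"):
        if len(body) == 13:             # legacy DES crypt: 2-character salt, 11-character hash
            result.update(scheme="DES-crypt", salt=body[:2], hash=body[2:])
            return result
        raise ValueError(f"unrecognised password field {field!r}")
    parts = body.split("$")[1:]         # "$1$salt$hash" -> ["1", "salt", "hash"]
    scheme_id, parts = parts[0], parts[1:]
    if scheme_id not in CRYPT_SCHEMES:
        raise ValueError(f"unsupported scheme id ${scheme_id}$ in {field!r}")
    name, digest_len = CRYPT_SCHEMES[scheme_id]
    if parts and parts[0].startswith("rounds="):
        result["rounds"] = int(parts[0][len("rounds="):])
        parts = parts[1:]
    if len(parts) != 2:
        raise ValueError(f"malformed crypt string {field!r}")
    salt, digest = parts
    if len(digest) != digest_len or not re.fullmatch(r"[./0-9A-Za-z]+", digest):
        raise ValueError(f"hash field is not a well-formed {name} digest")
    result.update(scheme=name, salt=salt, hash=digest)
    return result


def parse_shadow_line(line: str) -> dict:
    """One /etc/shadow record: user name, password field and the first ageing field."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("a shadow record has nine colon-separated fields")
    record = parse_crypt_string(fields[1])
    record["user"] = fields[0]
    record["last_change_days"] = int(fields[2]) if fields[2] else None
    return record


def parse_shadow_file(text: str) -> list:
    return [parse_shadow_line(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for rec in parse_shadow_file(SAMPLE_SHADOW):
        print(f"{rec['user']:8} {rec['scheme']:18} locked={rec['locked']} "
              f"salt={rec['salt']} rounds={rec['rounds']}")
```

Knowing the scheme matters before you spend any cracking time: MD5-crypt runs 1000 fixed iterations, SHA-crypt defaults to 5000 and honours the rounds= field, and a "!" or "*" field cannot be logged into with any password at all, so those lines go in the report as locked or service accounts rather than into the cracking queue.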

Question 10

John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. He has successfully performed the following steps of the preattack phase to check the security of the We-are-secure network:

- Gathering information

- Determining the network range

- Identifying active systems

Now, he wants to find the open ports and applications running on the network. Which of the following tools will he use to accomplish his task?

Options:

A.

APNIC

B.

SuperScan

C.

RIPE

D.

ARIN

Question 11

Which of the following tools can be used as a Linux vulnerability scanner that is capable of identifying operating systems and network services?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

Cheops

B.

Fport

C.

Elsave

D.

Cheops-ng

Question 12

Ryan wants to create an ad hoc wireless network so that he can share some important files with another employee of his company. Which of the following wireless security protocols should he choose for setting up an ad hoc wireless network?

Each correct answer represents a part of the solution. Choose two.

Options:

A.

WPA2-EAP

B.

WPA-PSK

C.

WPA-EAP

D.

WEP

Question 13

You want to run the nmap command that includes the host specification of 202.176.56-57.*. How many hosts will you scan?

Options:

A.

512

B.

64

C.

1024

D.

256

Question 14

What will the following scapy commands do?

Question # 14

Options:

A.

Perform a SYN-ACK scan against TCP ports 80 and 3080 on host 192.168.1.24.

B.

Perform a SYN scan against ports 80 through 8080 for all hosts on the 192.168.1.0/24 network.

C.

Combine the answered and unanswered results of a previous scan into the sr(packet) variable.

D.

Perform a SYN-ACK scan against TCP ports 80 and 8080 for all hosts on the 192.168.1.0/24 network.

Question 15

Which of the following statements are true about firewalking?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

To use firewalking, the attacker needs the IP address of the last known gateway before the firewall and the IP address of a host located behind the firewall.

B.

Firewalking works on the UDP packets.

C.

In this technique, an attacker sends a crafted packet with a TTL value that is set to expire one hop past the firewall.

D.

A malicious attacker can use firewalking to determine the types of ports/protocols that can bypass the firewall.

Question 16

John works as a professional Ethical Hacker. He is assigned a project to test the security of www.we-are-secure.com. He has to ping 500 computers to find out whether these computers are connected to the server or not. Which of the following will he use to ping these computers?

Options:

A.

PING

B.

TRACEROUTE

C.

Ping sweeping

D.

NETSTAT

Question 17

You work as a Network Administrator at Secure Inc. Your company is facing various network attacks due to its insecure wireless network. You are assigned the task of securing the wireless network. For this, you have turned off broadcasting of the SSID. However, unauthorized users are still able to connect to the wireless network. Which of the following statements can be the reason for this issue?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

You have forgotten to turn off DHCP.

B.

You are using WPA2 security scheme.

C.

The SSID is still sent inside both client and AP packets.

D.

You are using the default SSID.

Question 18

You are concerned about war driving bringing hackers' attention to your wireless network. What is the most basic step you can take to mitigate this risk?

Options:

A.

Implement WEP

B.

Implement WPA

C.

Don't broadcast SSID

D.

Implement MAC filtering

Question 19

One of the sales people in your company complains that sometimes he gets a lot of unsolicited messages on his PDA. After asking a few questions, you determine that the issue only occurs in crowded areas like airports. What is the most likely problem?

Options:

A.

Blue snarfing

B.

Blue jacking

C.

A virus

D.

Spam

Question 20

John works as a professional Ethical Hacker. He has been assigned a project to test the security of www.we-are-secure.com. On the We-are-secure login page, he enters = 'or''=' as a username and successfully logs in to the user page of the Web site. The We-are-secure login page is vulnerable to a __________.

Options:

A.

Replay attack

B.

Land attack

C.

SQL injection attack

D.

Dictionary attack

Question 21

John works as a Professional Ethical Hacker for we-are-secure Inc. The company is using a wireless network. John has been assigned the work to check the security of the WLAN of we-are-secure.

For this, he tries to capture the traffic; however, he does not find enough traffic to analyze. He has already discovered the network using the ettercap tool. Which of the following tools can he use to generate traffic so that he can crack the WEP keys and enter the network?

Options:

A.

ICMP ping flood tool

B.

Kismet

C.

Netstumbler

D.

AirSnort

Question 22

Which of the following can be used as a countermeasure against the SQL injection attack?

Each correct answer represents a complete solution. Choose two.

Options:

A.

mysql_escape_string()

B.

session_regenerate_id()

C.

mysql_real_escape_string()

D.

Prepared statement
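Questions 2, 6, 20 and 22 all turn on the same mechanism, so here is one added example (it is not from the practice test) that shows it running: a login check built by string concatenation is bypassed by the ' or ''=' input from Question 20, the stacked DROP TABLE from Question 2 succeeds when the lookup goes through an interface that runs several statements in one call, and the prepared-statement versions of both queries are unaffected. It uses Python's sqlite3 module against an in-memory database with one constructed row; the table and column names follow the query in Question 2, and sqlite3.executescript stands in for the multi-statement behaviour of server-side stacks.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory copy of the members table from Question 2, with one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (email TEXT, passwd TEXT, login_id TEXT, full_name TEXT)")
    conn.execute("INSERT INTO members VALUES ('alice@example.com', 's3cret', 'alice', 'Alice Example')")
    conn.commit()
    return conn


def table_exists(conn: sqlite3.Connection, name: str = "members") -> bool:
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
                       (name,)).fetchone()
    return row is not None


# --- the login check from Question 20 ---------------------------------------------

def login_vulnerable(conn, username: str, password: str) -> list:
    """User input is pasted into the SQL text, so quotes in it reshape the WHERE clause.
    With ' or ''=' for both fields the clause becomes
    login_id = '' or ''='' AND passwd = '' or ''=''  which is true for every row."""
    sql = (f"SELECT login_id FROM members "
           f"WHERE login_id = '{username}' AND passwd = '{password}'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username: str, password: str) -> list:
    """Prepared statement: the SQL text is fixed and the values are bound, never parsed."""
    sql = "SELECT login_id FROM members WHERE login_id = ? AND passwd = ?"
    return conn.execute(sql, (username, password)).fetchall()


# --- the stacked query from Question 2 --------------------------------------------

def lookup_email_vulnerable(conn, email: str) -> None:
    """Same concatenation bug, sent through an interface that executes several
    statements in one call (sqlite3.executescript here), so a value ending in
    '; DROP TABLE members; --  runs the DROP as a second statement and comments
    out the application's closing quote."""
    conn.executescript(
        f"SELECT email, passwd, login_id, full_name FROM members WHERE email = '{email}'")


def lookup_email_safe(conn, email: str) -> list:
    sql = "SELECT email, passwd, login_id, full_name FROM members WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


BYPASS = "' or ''='"
STACKED = "attacker@somewhere.com'; DROP TABLE members; --"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable login:", login_vulnerable(conn, BYPASS, BYPASS))   # one row: logged in
    print("safe login:      ", login_safe(conn, BYPASS, BYPASS))        # no rows
    print("safe lookup:     ", lookup_email_safe(conn, STACKED), "table kept:", table_exists(conn))
    lookup_email_vulnerable(conn, STACKED)
    print("after stacked lookup, members table exists:", table_exists(conn))
```

The parameterised versions are the countermeasure the questions are after: the bound value is delivered to the engine separately from the statement text, so a quote or semicolon inside it is just data. Escaping functions such as mysql_real_escape_string() only help when every dynamic value goes through them and is then quoted correctly; a prepared statement removes that per-call discipline.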

Question 23

Which of the following are considered Bluetooth security violations?

Each correct answer represents a complete solution. Choose two.

Options:

A.

Bluebug attack

B.

SQL injection attack

C.

Cross site scripting attack

D.

Social engineering

E.

Bluesnarfing

Question 24

When you conduct the XMAS scanning using Nmap, you find that most of the ports scanned do not give a response. What can be the state of these ports?

Options:

A.

Closed

B.

Open

C.

Filtered

Question 25

You want to search the Apache Web server having version 2.0 using google hacking. Which of the following search queries will you use?

Options:

A.

intitle:Sample.page.for.Apache Apache.Hook.Function

B.

intitle:"Test Page for Apache Installation" "It worked!"

C.

intitle:test.page "Hey, it worked !" "SSL/TLS aware"

D.

intitle:"Test Page for Apache Installation" "You are free"

Question 26

You work as a Network Security Analyst. You received a suspicious email while working on a forensic project. Now, you want to know the IP address of the sender so that you can analyze information such as the actual location, domain information, operating system being used, contact information, etc. of the email sender with the help of various tools and resources. You also want to check whether this email is fake or real. You know that analysis of email headers is a good starting point in such cases. The email header of the suspicious email is given below:

Question # 26

What is the IP address of the sender of this email?

Options:

A.

172.16.10.90

B.

209.191.91.180

C.

141.1.1.1

D.

216.168.54.25
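Question 26's header is an image that is not reproduced here, so below is an added example (not part of the practice test) of the analysis the question describes: read the Received: chain from the oldest hop upwards and report the first address that is not on an internal network. The message, hostnames and addresses are constructed for the example; the From: header is deliberately inconsistent with the relay path to show why it cannot be trusted on its own.

```python
import email
import ipaddress
import re
from email import policy
from typing import Optional

# Networks that cannot be the Internet-facing origin of a message
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed message, not the header from the question. Each relay prepends its own
# Received: line, so the top line is the newest hop and the bottom line is the first hop.
SAMPLE_MESSAGE = b"""Received: from mx.example.net (mx.example.net [203.0.113.7])
    by mail.example.org (Postfix) with ESMTP id 4F3A2; Tue, 14 Sep 2010 10:00:02 -0400
Received: from webmail.example.net (webmail.example.net [198.51.100.23])
    by mx.example.net with ESMTP; Tue, 14 Sep 2010 09:59:58 -0400
Received: from [192.168.1.50] (unknown [192.168.1.50])
    by webmail.example.net with HTTP; Tue, 14 Sep 2010 09:59:55 -0400
From: "Payroll" <payroll@example.org>
To: analyst@example.org
Subject: Updated direct deposit form
Message-ID: <20100914135955.4F3A2@webmail.example.net>

Please open the attached form.
"""


def _is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)          # raises ValueError for a dotted quad that is not an address
    return any(addr in net for net in INTERNAL_NETS)


def received_hops(raw: bytes) -> list:
    """Received: headers in travel order: oldest hop first, the last relay last."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [str(h) for h in reversed(msg.get_all("Received", []))]


def originating_ip(raw: bytes) -> Optional[str]:
    """First routable address found walking the hops from the oldest upwards, or None."""
    for hop in received_hops(raw):
        for candidate in IPV4_RE.findall(hop):
            try:
                if not _is_internal(candidate):
                    return candidate
            except ValueError:               # e.g. a version number that happens to look like an address
                continue
    return None


def sender_report(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {"from_header": msg["From"], "hops": received_hops(raw), "origin_ip": originating_ip(raw)}


if __name__ == "__main__":
    report = sender_report(SAMPLE_MESSAGE)
    print("From: header claims:", report["from_header"])
    for n, hop in enumerate(report["hops"], 1):
        print(f"hop {n}: {' '.join(hop.split())}")
    print("originating IP:", report["origin_ip"])
```

Two caveats a practitioner would apply before acting on the result. The chain is only trustworthy from the top down: the lines your own relay added are authoritative, while a sender can prepend fabricated Received: lines below them, so the oldest hop that a relay you trust reported as its peer is the real starting point. And the 192.168.1.50 at the bottom is still evidence: it tells you the message was submitted to webmail.example.net from that host's internal network, which may matter for the "fake or real" question even though it is useless for geolocation.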

Question 27

GSM uses either A5/1 or A5/2 stream cipher for ensuring over-the-air voice privacy. Which of the following cryptographic attacks can be used to break both ciphers?

Options:

A.

Man-in-the-middle attack

B.

Ciphertext only attack

C.

Known plaintext attack

D.

Replay attack

Question 28

Which of the following are the countermeasures against WEP cracking?

Each correct answer represents a part of the solution. Choose all that apply.

Options:

A.

Using the longest key supported by hardware.

B.

Using a non-obvious key.

C.

Using a 16 bit SSID.

D.

Changing keys often.

Question 29

Which of the following attacks can be overcome by applying cryptography?

Options:

A.

Web ripping

B.

Sniffing

C.

DoS

D.

Buffer overflow

Question 30

Which of the following tools can be used to automate the MITM attack?

Options:

A.

Hotspotter

B.

Airjack

C.

Kismet

D.

IKECrack

Question 31

Which of the following tools is a wireless sniffer and analyzer that works on the Windows operating system?

Options:

A.

Void11

B.

Airsnort

C.

Kismet

D.

AiroPeek

Question 32

Which of the following is a Windows-based tool that is used for the detection of wireless LANs using the IEEE 802.11a, 802.11b, and 802.11g standards and also detects wireless networks marking their relative position with a GPS?

Options:

A.

Kismet

B.

NetStumbler

C.

Ettercap

D.

Tcpdump

Question 33

Which of the following techniques are NOT used to perform active OS fingerprinting?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

ICMP error message quoting

B.

Analyzing email headers

C.

Sniffing and analyzing packets

D.

Sending FIN packets to open ports on the remote system

Question 34

In which of the following attacks does an attacker use packet sniffing to read network traffic between two parties to steal the session cookie?

Options:

A.

Cross-site scripting

B.

Session sidejacking

C.

ARP spoofing

D.

Session fixation

Question 35

John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. He is using a tool to crack the wireless encryption keys. The description of the tool is as follows:

Question # 35

Which of the following tools is John using to crack the wireless encryption keys?

Options:

A.

Kismet

B.

AirSnort

C.

Cain

D.

PsPasswd

Question 36

You want to run the nmap command that includes the host specification of 202.176.56-57.*. How many hosts will you scan?

Options:

A.

256

B.

512

C.

1024

D.

64
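Questions 13 and 36 ask the same thing: an Nmap target such as 202.176.56-57.* is a per-octet list, and the host count is the product of the four per-octet counts (2 x 256 x 1 x 1 = 512). The added example below (not from the practice test) implements Nmap's octet syntax (single value, comma list, lo-hi range, open-ended range, and * or a bare - for 0-255) plus CIDR notation, so a scope line can be checked before it is scanned. The counting rule is the documented Nmap behaviour; the sample specs in the usage call are constructed.

```python
import ipaddress
import itertools


def expand_octet(spec: str) -> list:
    """One octet of an Nmap target: '7', '56-57', '1,3,5-7', '200-', '-9', or '*' / '-' for 0-255."""
    values = set()
    for part in spec.split(","):
        if part in ("*", "-"):
            lo, hi = 0, 255
        elif "-" in part:
            lo_s, hi_s = part.split("-", 1)
            lo = int(lo_s) if lo_s else 0          # '-9'  means 0-9
            hi = int(hi_s) if hi_s else 255        # '200-' means 200-255
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range {part!r}")
        values.update(range(lo, hi + 1))
    return sorted(values)


def _octets(spec: str) -> list:
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four dotted octets or a CIDR block, got {spec!r}")
    return octets


def expand_targets(spec: str) -> list:
    """Every IPv4 address the spec covers, in address order."""
    if "/" in spec:   # CIDR: Nmap scans every address in the block, network and broadcast included
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    per_octet = [expand_octet(o) for o in _octets(spec)]
    return [".".join(map(str, combo)) for combo in itertools.product(*per_octet)]


def count_targets(spec: str) -> int:
    """Host count without building the list: the product of the per-octet counts."""
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False).num_addresses
    n = 1
    for o in _octets(spec):
        n *= len(expand_octet(o))
    return n


if __name__ == "__main__":
    for s in ("202.176.56-57.*", "202.176.56.0/23", "192.168.0-255.1-254", "10.1.1,3.5-6"):
        print(f"{s:22} -> {count_targets(s)} hosts")
```

Note the difference between the two spellings of the same block: 202.176.56-57.* and 202.176.56.0/23 both cover 512 addresses, but 192.168.0-255.1-254 deliberately skips .0 and .255 in every subnet, which the CIDR form cannot express. Counting first also catches the classic scope mistake of a * in the second octet, which turns a 256-host job into 65536.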

Question 37

Which of the following tools allow you to perform HTTP tunneling?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

BackStealth

B.

HTTPort

C.

Tunneled

D.

Nikto

Question 38

Which of the following is a web ripping tool?

Options:

A.

Netcat

B.

NetBus

C.

SuperScan

D.

Black Widow

Question 39

Which of the following Penetration Testing steps includes network mapping and OS fingerprinting?

Options:

A.

Gather information

B.

Exploit

C.

Verify vulnerabilities

D.

Planning stage

Question 40

Which of the following does NOT use proxy software to protect users?

Options:

A.

Stateful inspection

B.

Packet filtering

C.

Application layer gateway

D.

Circuit level proxy server

Question 41

You want to connect to your friend's computer and run a Trojan on it. Which of the following tools will you use to accomplish the task?

Options:

A.

Remoxec

B.

Hk.exe

C.

PsExec

D.

GetAdmin.exe

Question 42

You want to retrieve password files (stored in the Web server's index directory) from various Web sites. Which of the following tools can you use to accomplish the task?

Options:

A.

Sam spade

B.

Nmap

C.

Whois

D.

Google

Question 43

Which of the following is a tool for SSH and SSL MITM attacks?

Options:

A.

Ettercap

B.

Cain

C.

Dsniff

D.

AirJack

Question 44

Which of the following tools is based on the SATAN tool?

Options:

A.

Retina

B.

Internet scanner

C.

GFI LANguard

D.

SAINT

Question 45

In which layer of the OSI model does a sniffer operate?

Options:

A.

Network layer

B.

Session layer

C.

Presentation layer

D.

Data link layer

Question 46

Analyze the command output below. What action is being performed by the tester?

Question # 46

Options:

A.

Creating user accounts on 10.0.1.4 and testing privileges

B.

Collecting password hashes for users on 10.0.1.4

C.

Attempting to exploit windows File and Print Sharing service

D.

Gathering Security identifiers for accounts on 10.0.1.4

Question 47

You are conducting a penetration test for a private company located in the UK. The scope extends to all internal and external hosts controlled by the company. You have gathered the necessary hold-harmless and non-disclosure agreements. Which action by your group can incur criminal liability under the Computer Misuse Act 1990?

Options:

A.

Sending crafted packets to internal hosts in an attempt to fingerprint the operating systems

B.

Recovering the SAM database of the domain server and attempting to crack passwords

C.

Installing a password sniffing program on an employee's personal computer without consent

D.

Scanning open ports on internal user workstations and exploiting vulnerable applications

Question 48

A penetration tester wishes to stop the Windows Firewall process on a remote host running Windows Vista. She issues the following commands:

Question # 48

A check of the remote host indicates that Windows Firewall is still running. Why did the command fail?

Options:

A.

The kernel prevented the command from being executed.

B.

The user does not have the access level needed to stop the firewall.

C.

The sc command needs to be passed the IP address of the target.

D.

The remote server timed out and did not complete the command.

Question 49

Analyze the command output below. Given this information, which is the appropriate next step for the tester?

Starting Nmap 4.53 ( http://insecure.org ) at 2010-09-30 19:13 EDT
Interesting ports on 192.163.116.101:
PORT    STATE    SERVICE
130/tcp filtered cisco-fna
131/tcp filtered cisco-tna
132/tcp filtered cisco-sys
133/tcp filtered statsrv
134/tcp filtered ingres-net
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp open     netbios-ssn
140/tcp filtered emfis-data
MAC Address: 00:30:1&:B8:14:8B (Shuttle)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows XP
OS details: Microsoft Windows XP SP2
Network Distance: 1 hop

Nmap done: 1 IP address (1 host up) scanned in 1.263 seconds

Options:

A.

Determine the MAC address of the scanned host.

B.

Send a single SYN packet to port 139/tcp on the host.

C.

Send spoofed packets to attempt to evade any firewall

D.

Request a list of shares from the scanned host.

Question 50

You have been contracted to penetration test an e-mail server for a client that wants to know for sure if the sendmail service is vulnerable to any known attacks. You have permission to run any type of test, how will you proceed to give the client the most valid answer?

Options:

A.

Run all known sendmail exploits against the server and see if you can compromise the service, even if it crashes the machine or service

B.

Run a banner grabbing vulnerability checker to determine the sendmail version and patch level, then look up and report all the vulnerabilities that exist for that version and patch level

C.

Run all sendmail exploits that will not crash the server and see if you can compromise the service

D.

Log into the e-mail server and determine the sendmail version and patch level, then look up and report all the vulnerabilities that exist for that version and patch level

Question 51

You suspect that system administrators in one part of the target organization are turning off their systems during the times when penetration tests are scheduled. What feature could you add to the 'Rules of Engagement' that could help your team test that part of the target organization?

Options:

A.

Unannounced test

B.

Tell response personnel the exact time the test will occur

C.

Test systems after normal business hours

D.

Limit tests to business hours

Question 52

What is the main difference between LANMAN and NTLMv1 challenge/responses?

Options:

A.

NTLMv1 only pads to 16 bytes, whereas LANMAN pads to 21 bytes

B.

NTLMv1 starts with the NT hash, whereas LANMAN starts with the LANMAN hash

C.

NTLMv1 utilizes DES, whereas LANMAN utilizes MD4

D.

NTLMv1 splits the hash into 3 eight-byte pieces, whereas LANMAN splits the hash into 3 seven-byte pieces
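Questions 1 and 52 both hinge on how the LM and NTLMv1 responses are built, and the construction is the same for both: take a 16-byte hash (the LM hash for LANMAN, MD4 of the UTF-16LE password for NTLMv1), pad it with five zero bytes to 21, split that into three 7-byte DES keys and encrypt the 8-byte server challenge under each, giving a 24-byte response. The added example below (not part of the practice test) computes the NT hash with a self-contained MD4, because hashlib's md4 depends on an OpenSSL legacy provider that is often absent, and derives the three DES keys with their parity bits. The DES block cipher itself is not in the standard library, so challenge_response takes it as a parameter; that is an assumption left to the caller, and pycryptodome's DES.new(key, DES.MODE_ECB).encrypt fits the signature. The password "password" is a constructed input whose NT hash is widely published.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320. Included because OpenSSL-backed hashlib often has no md4."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((56 - (len(data) + 1) % 64) % 64) + struct.pack("<Q", bit_len)
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = state
        for f, k, shifts, order in rounds:
            for i, j in enumerate(order):
                a = _rotl((a + f(b, c, d) + x[j] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c      # rotate roles: the next step updates d, then c, then b
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash: unsalted MD4 of the password encoded as UTF-16LE, case preserved."""
    return md4(password.encode("utf-16-le"))


def split_into_des_keys(hash16: bytes) -> list:
    """Pad the 16-byte LM or NT hash with five zero bytes to 21 and cut into three 7-byte keys."""
    if len(hash16) != 16:
        raise ValueError("LM and NT hashes are 16 bytes")
    padded = hash16 + b"\x00" * 5
    return [padded[i:i + 7] for i in (0, 7, 14)]


def expand_des_key(key7: bytes) -> bytes:
    """Spread 56 key bits over 8 bytes, 7 bits per byte, with the low bit set to odd parity."""
    bits = int.from_bytes(key7, "big")
    out = bytearray()
    for i in range(8):
        byte = ((bits >> (49 - 7 * i)) & 0x7F) << 1
        if bin(byte).count("1") % 2 == 0:
            byte |= 1
        out.append(byte)
    return bytes(out)


def challenge_response(hash16: bytes, challenge: bytes, des_encrypt) -> bytes:
    """24-byte LM/NTLMv1 response: the 8-byte challenge DES-encrypted under each of the
    three keys, concatenated. des_encrypt(key8, block8) -> bytes is supplied by the caller
    (assumption: any DES-ECB single-block encryptor, e.g. pycryptodome's)."""
    if len(challenge) != 8:
        raise ValueError("the server challenge is 8 bytes")
    return b"".join(des_encrypt(expand_des_key(k), challenge) for k in split_into_des_keys(hash16))


if __name__ == "__main__":
    h = nt_hash("password")
    print("NT hash:", h.hex())
    for n, k in enumerate(split_into_des_keys(h), 1):
        print(f"DES key {n}: {k.hex()} -> {expand_des_key(k).hex()}")
```

The split is the weakness the question is circling: the third key holds only two bytes of hash plus five known zeros, so the last 8 bytes of a captured response give up those two bytes to a 2^16 search, and the remaining 14 bytes then fall to two independent 2^56 DES searches instead of one 2^128 one. NTLMv1 improves on LANMAN only in where the 16 bytes come from (MD4 of a case-sensitive Unicode password rather than two DES encryptions of an upper-cased 14-character one); the challenge/response construction around the hash is identical, which is why NTLMv2 replaced it.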

Question 53

How does OWASP ZAP function when used for performing web application assessments?

Options:

A.

It is a non-transparent proxy that sits between your web browser and the target application.

B.

It is a transparent policy proxy that sits between Java servers and JSP web pages.

C.

It is a non-transparent proxy that passively sniffs network traffic for HTTP vulnerabilities.

D.

It is a transparent proxy that sits between a target application and the backend database.

Question 54

What is the MOST important document to obtain before beginning any penetration testing?

Options:

A.

Project plan

B.

Exceptions document

C.

Project contact list

D.

A written statement of permission

Question 55

Approximately how many packets are usually required to conduct a successful FMS attack onWEP?

Options:

A.

250,000

B.

20,000

C.

10,000,000

D.

1 (with a weak IV)

Question 56

Which of the following best describes a client side exploit?

Options:

A.

Attack of a client application that retrieves content from the network

B.

Attack that escalates user privileges to root or administrator

C.

Attack of a service listening on a client system

D.

Attack on the physical machine

Question 57

A junior penetration tester at your firm is using a non-transparent proxy for the first time to test a web server. He sees the web site in his browser but nothing shows up in the proxy. He tells you that he just installed the non-transparent proxy on his computer and didn't change any defaults. After verifying the proxy is running, you ask him to open up his browser configuration, as shown in the figure. Which of the following recommendations will correctly allow him to use the non-transparent proxy with his browser?

Question # 57

Options:

A.

He should change the PORT: value to match the port used by the non-transparent proxy.

B.

He should select the checkbox "use this proxy server for all protocols" for the proxy to function correctly.

C.

He should change the HTTP PROXY value to 127.0.0.1 since the non-transparent proxy is running on the same machine as the browser.

D.

He should select NO PROXY instead of MANUAL PROXY CONFIGURATION as this setting is only necessary to access the Internet behind protected networks.
