CompTIA PenTest Practice Test Video Answer

1. A
The Rules of Engagement (RoE) is the document that explicitly defines the scope of the penetration test, including which systems, networks, and applications are authorized for testing. It also specifies testing methodologies, time windows, and any restrictions or limitations. This document is critical for ensuring legal and authorized testing activities.

2. B
Passive reconnaissance involves gathering information about a target without directly interacting with the target’s systems. Querying public DNS servers, searching public databases, and reviewing publicly available information are all passive techniques. This approach minimizes the risk of detection as there is no direct contact with the target infrastructure.

3. B
A Command and Control (C2) server is used to manage and control compromised systems remotely during a penetration test. It allows penetration testers to execute commands, transfer files, and maintain access to compromised hosts. C2 servers simulate real-world attacker infrastructure and techniques.

4. C
“Living off the land” refers to using legitimate system tools, utilities, and binaries that are already present on the target system for malicious purposes. This technique is stealthy because it uses trusted applications (like PowerShell, WMI, or certutil) rather than introducing suspicious foreign executables, making detection more difficult.

5. B
Burp Suite is a web application security testing tool specifically designed for intercepting, viewing, and modifying HTTP/HTTPS requests and responses. It acts as a proxy between the browser and web server, allowing penetration testers to manipulate data in transit and identify vulnerabilities such as injection flaws and authentication issues.

6. B
SQL Injection occurs when user input is directly concatenated into SQL queries without proper sanitization or parameterization. This allows attackers to manipulate the SQL query structure, potentially gaining unauthorized access to data, modifying database contents, or executing administrative operations on the database.

7. C
Establishing a baseline during a penetration test means documenting normal network behavior, traffic patterns, system performance, and typical user activities. This baseline serves as a reference point to identify anomalies, detect malicious activities, and distinguish between normal operations and potential security incidents during the testing phase.

8. A
Storing session tokens in URL parameters represents broken authentication because URLs are logged in browser history, proxy logs, and web server logs. Session tokens should be stored in secure, HTTP-only cookies. URL-based tokens can be easily stolen through shoulder surfing, log files, or referrer headers.
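As an added example (not part of the original answer key), the Python below scans constructed web server log lines for session tokens that were carried in the URL, exactly the leak described above, and builds the HttpOnly/Secure Set-Cookie header the explanation recommends instead. The log format and the list of token parameter names are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (not from the original page): "client method url status".
# The first and last requests carry a session token in the query string, so that
# token is now sitting in the web server log for anyone with log access to read.
SAMPLE_LOG = """\
203.0.113.7 GET /account?sessionid=9f2c1e7ab44d 200
203.0.113.7 GET /static/app.js 200
198.51.100.4 GET /login 200
198.51.100.4 POST /login 302
198.51.100.4 GET /orders?page=2&PHPSESSID=k3j4h5g6 200
"""

# Query-parameter names commonly used to carry a session identifier (assumed list).
TOKEN_PARAMS = {"sessionid", "session_id", "phpsessid", "jsessionid", "sid", "token"}


def leaked_tokens(log_text):
    """Return (client, path, param) for every request whose URL carried a session
    token; each one is a token already leaked into logs, history and Referer headers."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the constructed format
        client, _method, url, _status = parts
        split = urlsplit(url)
        for param in parse_qs(split.query):
            if param.lower() in TOKEN_PARAMS:
                hits.append((client, split.path, param))
    return hits


def session_cookie_header(name, value, max_age=3600):
    """Build the Set-Cookie header the explanation calls for: HttpOnly keeps the
    token away from JavaScript, Secure restricts it to HTTPS, SameSite limits
    cross-site sending. The token never appears in a URL."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; HttpOnly; Secure; SameSite=Lax"


def cookie_is_hardened(set_cookie):
    """Check a Set-Cookie value for the two attributes that matter most here."""
    attrs = {a.strip().split("=", 1)[0].lower() for a in set_cookie.split(";")[1:]}
    return {"httponly", "secure"} <= attrs
```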

9. B
The correct order of penetration testing phases is: Planning (defining scope and objectives), Reconnaissance (information gathering), Exploitation (attempting to compromise systems), and Reporting (documenting findings and recommendations). This logical progression ensures systematic and thorough testing.

10. B
The primary difference is that vulnerability assessments identify and classify vulnerabilities, while penetration tests actively exploit vulnerabilities to demonstrate real-world impact. Vulnerability assessments provide a broad view of security weaknesses, whereas penetration tests show what an attacker could actually achieve by exploiting those weaknesses.

11. C
Port 445 is commonly associated with the SMB (Server Message Block) protocol, which is used for file sharing, printer sharing, and inter-process communication in Windows networks. This port is frequently targeted in penetration tests because SMB vulnerabilities have been exploited in major attacks such as WannaCry, which spread using the EternalBlue exploit.

12. B
WPS stands for Wi-Fi Protected Setup, a network security standard designed to make connections between routers and wireless devices easier. However, WPS has known vulnerabilities, particularly the PIN authentication method, which can be brute-forced relatively quickly, making it a common target in wireless penetration testing.

13. B
Port scanning involves sending specially crafted packets to target systems to determine which ports are open, closed, or filtered. Tools like Nmap use various scanning techniques (SYN scan, connect scan, UDP scan) to map the network services available on target systems, which is essential for identifying potential attack vectors.

14. C
Clickjacking (also known as UI redressing) is an attack where users are tricked into clicking on hidden or disguised elements on a webpage, potentially performing unintended actions. This is typically accomplished by overlaying transparent or opaque layers over legitimate page elements using HTML frames or CSS.
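An added example (not from the original page): a Python check of the two response headers that stop a page from being loaded in a frame, the CSP frame-ancestors directive and X-Frame-Options, run over constructed header sets. It goes slightly beyond the explanation above by applying the browser rule that frame-ancestors overrides X-Frame-Options when both are present; the sample responses are constructed.

```python
def framing_policy(headers):
    """Classify the anti-clickjacking protection a response carries.

    Returns "denied", "same-origin", "allowlist" or "none". Header names are
    matched case-insensitively. A CSP frame-ancestors directive is checked first
    because browsers that support it ignore X-Frame-Options when both are present.
    """
    lowered = {name.lower(): value for name, value in headers.items()}

    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [t.lower() for t in tokens[1:]]
            if not sources or sources == ["'none'"]:
                return "denied"        # an empty source list matches no ancestor
            if "*" in sources:
                return "none"          # wildcard: any site may frame the page
            if sources == ["'self'"]:
                return "same-origin"
            return "allowlist"         # specific origins (review each one)

    # Legacy header; ALLOW-FROM is obsolete and unsupported, so it counts as no protection.
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "denied"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    return "none"


# Constructed responses (not from the original page) used to exercise the check.
SAMPLE_RESPONSES = {
    "legacy-only": {"X-Frame-Options": "DENY"},
    "csp-wins": {"X-Frame-Options": "SAMEORIGIN",
                 "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "wildcard": {"Content-Security-Policy": "frame-ancestors *"},
    "partner": {"content-security-policy": "frame-ancestors 'self' https://partner.example"},
    "unprotected": {"Content-Type": "text/html"},
}


def audit(responses=SAMPLE_RESPONSES):
    """Map each response label to its framing policy; "none" means the page can be framed."""
    return {label: framing_policy(hdrs) for label, hdrs in responses.items()}
```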

15. C
The penetration tester’s salary is not a scope limitation that should be documented before a penetration test. Valid scope limitations include excluded IP addresses, testing time windows, off-limits systems, prohibited testing techniques, and any regulatory or compliance constraints. Financial arrangements are separate contractual matters.

16. B
Horizontal privilege escalation involves accessing resources or functionality of another user account at the same privilege level, for example accessing another regular user’s files or email. This differs from vertical privilege escalation, which involves gaining higher-level privileges (such as administrator or root access).

17. B
SSTI stands for Server-Side Template Injection, a vulnerability that occurs when user input is embedded into template engines without proper sanitization. Attackers can inject malicious template directives that are executed on the server, potentially leading to remote code execution, information disclosure, or server compromise. This vulnerability is found in applications using template engines like Jinja2, Freemarker, or Velocity.

18. B
Pivoting involves using a compromised system as a launching point to access other systems or network segments that are not directly accessible from the attacker’s position. This technique simulates how real attackers move laterally through networks after initial compromise, accessing systems behind firewalls or on isolated network segments.

19. A
Credential stuffing is an attack technique where stolen username and password pairs (often from previous data breaches) are automatically tested against multiple websites and services. Attackers exploit the fact that many users reuse passwords across different sites, potentially gaining unauthorized access to multiple accounts.

20. C
CSRF stands for Cross-Site Request Forgery, a vulnerability where an attacker tricks a victim’s browser into making unwanted requests to a web application where the victim is authenticated. This can result in unauthorized actions being performed on behalf of the victim without their knowledge or consent.

21. B
Insecure deserialization occurs when applications accept serialized objects from untrusted sources and deserialize them without proper validation. Attackers can manipulate serialized data to achieve remote code execution, privilege escalation, or authentication bypass. This vulnerability is particularly dangerous in Java, PHP, and Python applications.

22. B
Responder is a tool designed to capture NTLM hashes by poisoning LLMNR, NBT-NS, and mDNS protocols on a network. When systems attempt to resolve names, Responder responds and captures authentication attempts, allowing penetration testers to collect password hashes that can then be cracked offline or used in pass-the-hash attacks.

23. B
A “black box” penetration test simulates an external attacker with no prior knowledge of the target environment. The tester starts with minimal or no information about the internal network, systems, or applications, and must discover everything through reconnaissance and enumeration, providing the most realistic assessment of external threats.

24. B
OSINT stands for Open Source Intelligence, which involves gathering information from publicly available sources such as social media, search engines, public records, websites, and forums. OSINT is crucial in the reconnaissance phase of penetration testing for understanding the target’s digital footprint and identifying potential attack vectors.

25. B
Remote File Inclusion (RFI) is a vulnerability that allows attackers to include files from remote servers into a web application. This can lead to remote code execution, data theft, or website defacement. RFI typically occurs when applications use user input to construct file paths without proper validation or sanitization.

26. B
Dynamic analysis involves executing malware samples in a controlled environment (sandbox) to observe their runtime behavior, network connections, file system changes, registry modifications, and process activities. This approach reveals what the malware actually does when executed, complementing static analysis which examines code without execution. Dynamic analysis is essential for understanding sophisticated malware that employs anti-analysis techniques.

27. B
Fuzzing is a software testing technique that involves sending malformed, unexpected, or random input to an application to discover vulnerabilities such as buffer overflows, injection flaws, or error handling issues. Automated fuzzing tools can generate thousands of test cases to identify potential security weaknesses in software.

28. B
A SYN scan (-sS) in Nmap sends a SYN packet to initiate a TCP connection but never completes the three-way handshake. If the target responds with SYN-ACK, the port is open; if it responds with RST, the port is closed. This “stealth” scan is less likely to be logged than a full TCP connect scan.
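As an added example (not part of the original answer key), the Python below applies the SYN-ACK/RST rule above to constructed packet summaries and, from the defender's side, flags sources that send SYNs to many ports without ever completing a handshake, which is why such a scan can slip past application-level logging. The summary format is an assumption; it also adds the third outcome the rule implies: no reply means the port is filtered.

```python
import re
from collections import defaultdict

# Constructed packet summaries (not from the original page): "src:sport > dst:dport FLAGS",
# S=SYN, SA=SYN-ACK, R=RST, A=ACK. 10.0.0.5 behaves like an Nmap -sS sweep (SYN, then RST
# after any SYN-ACK, never an ACK); 10.0.0.9 completes one normal handshake.
SAMPLE_PACKETS = """\
10.0.0.5:40001 > 192.168.1.10:22 S
192.168.1.10:22 > 10.0.0.5:40001 SA
10.0.0.5:40001 > 192.168.1.10:22 R
10.0.0.5:40003 > 192.168.1.10:443 S
192.168.1.10:443 > 10.0.0.5:40003 R
10.0.0.5:40004 > 192.168.1.10:445 S
10.0.0.9:51000 > 192.168.1.10:80 S
192.168.1.10:80 > 10.0.0.9:51000 SA
10.0.0.9:51000 > 192.168.1.10:80 A
"""
LINE_RE = re.compile(r"^(\S+):(\d+) > (\S+):(\d+) (\w+)$")

def parse(text):
    """Yield (src, sport, dst, dport, flags) for each well-formed summary line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)

def port_states(text, scanner):
    """What the scanner infers per (host, port): SYN-ACK => open, RST => closed,
    no reply at all => filtered (the probe was dropped, e.g. by a firewall)."""
    states = {}
    for src, sport, dst, dport, flags in parse(text):
        if src == scanner and flags == "S":
            states.setdefault((dst, dport), "filtered")
        elif dst == scanner and (src, sport) in states and flags in ("SA", "R"):
            states[(src, sport)] = "open" if flags == "SA" else "closed"
    return states

def half_open_scanners(text, min_ports=3):
    """Defender's view: sources that sent SYNs to at least min_ports ports and never
    sent an ACK, i.e. never completed a handshake an application would log."""
    syn_targets, completed = defaultdict(set), set()
    for src, _sport, dst, dport, flags in parse(text):
        if flags == "S":
            syn_targets[src].add((dst, dport))
        elif flags == "A":
            completed.add(src)
    return sorted(src for src, ports in syn_targets.items()
                  if len(ports) >= min_ports and src not in completed)
```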

29. C
Tailgating (also called piggybacking) is a physical security breach where an unauthorized person follows an authorized person into a restricted area. This social engineering technique exploits human courtesy and trust, as people often hold doors open for others or don’t challenge unfamiliar individuals who appear to belong.

30. B
A “watering hole” attack involves compromising websites that are frequently visited by members of the target organization. Rather than attacking the target directly, attackers infect websites the target’s employees are likely to visit, waiting for victims to become infected. This technique is named after predators waiting near watering holes for prey.

31. B
“A01:2021-Broken Access Control” in the OWASP Top 10 refers to failures in properly enforcing restrictions on what authenticated users are allowed to do. This includes issues like bypassing access control checks, viewing or editing someone else’s account, or accessing API endpoints without proper authorization. It’s distinct from authentication failures.

32. B
Persistence refers to techniques used to maintain access to a compromised system across reboots, credential changes, or other interruptions. This includes creating backdoor accounts, installing remote access tools, modifying startup scripts, or establishing scheduled tasks. Persistence simulates advanced persistent threat (APT) scenarios in penetration testing.

33. C
Mimikatz is a post-exploitation tool primarily used for extracting plaintext passwords, hashes, PIN codes, and Kerberos tickets from memory on Windows systems. It can also perform pass-the-hash, pass-the-ticket, and golden ticket attacks. Mimikatz is one of the most powerful credential theft tools in penetration testing.

34. D
The actual source code of exploits used during the penetration test is typically NOT included in the report. Reports should include executive summaries, methodologies, detailed findings with evidence (screenshots, logs), risk ratings, and remediation recommendations. Including exploit source code could enable malicious actors if the report is compromised.

35. B
REST stands for Representational State Transfer, an architectural style for designing networked applications. RESTful APIs use HTTP methods (GET, POST, PUT, DELETE) to perform operations on resources. In API penetration testing, REST APIs are assessed for authentication flaws, injection vulnerabilities, and improper access controls.

36. A
Obfuscation involves encoding, encrypting, or otherwise disguising payloads and exploit code to evade detection by security controls such as antivirus software, intrusion detection systems, and web application firewalls. Techniques include base64 encoding, string concatenation, variable substitution, and using alternative character sets.

37. A
Canary tokens (also called honeytokens) are digital assets designed to detect when an attacker accesses specific resources. When triggered, they alert security teams to potential breaches. Examples include fake database records, email addresses, AWS keys, or documents. In penetration testing, they help identify if attackers have accessed sensitive areas.

38. B
XML External Entity (XXE) vulnerabilities occur when XML parsers process external entity references within XML documents without proper validation. Attackers can exploit XXE to read local files, perform server-side request forgery (SSRF), conduct denial-of-service attacks, or exfiltrate data from the server.

39. B
ARP stands for Address Resolution Protocol, which maps IP addresses to MAC (Media Access Control) addresses on local networks. In penetration testing, ARP can be exploited through ARP spoofing/poisoning attacks to intercept network traffic, perform man-in-the-middle attacks, or conduct denial-of-service attacks on local networks.