Question 1

A penetration tester is tasked with discovering devices and services on a corporate network using both active and passive methods. Which scenario is most likely to yield comprehensive results while minimizing disruption to network operations?

Options :

A : Utilizing SNMP enumeration to gather device information from publicly accessible SNMP agents, identifying hardware, software, and open services without triggering IDS or IPS alerts

B : Running a network mapping tool like ZMap in combination with Wireshark to capture active network communications, passively identifying devices and services without injecting traffic

C : combining passive traffic monitoring with active network scans to discover both active devices and services without causing significant disruptions to the network environment

D : Running a stealth scan with a reduced packet rate and randomized IP addresses to avoid detection while enumerating services across a large network range, minimizing the chance of triggering security devices

Answer: C

Question 2

Fill in the blank: When performing fuzz testing on software, a common fuzzing framework is ___ which supports generation and mutation based techniques.

Options :

A : Peach

B : FL (American Fuzzy Lop)

C : oofuzz

D : LibFuzzer

Answer: A

Question 3

During a penetration testing exercise, you suspect a session hijacking attempt due to unusual session token patterns. What is a suitable initial command to investigate this anomaly on the network?

Options :

A : Run tcpdump -nnxi eth0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' to capture and analyze HTTP session tokens.

B : xecute netstat -an | grep :80 | grep ESTABLISHED to view active connections to port 80 and identify any anomalies.

C : Use wireshark -k -i eth0 -f 'tcp port 80' -a duration:60 to sniff traffic on port 80 for one minute and review sessions.

D : Implementing snort -dev -l ./log -c snort.conf to monitor for signatures associated with session hijacking.

Answer: A

Question 4

After identifying a remote code execution vulnerability in a custom software, what is the best approach to develop an exploit that bypasses standard security defenses?

Options :

A : Use an existing exploit from a public database and modify it for the specific application version.

B : develop a payload that utilizes a zero-day exploit found in the application-s network protocol.

C : Incorporate shellcode encryption and polymorphic techniques to alter the payload signature dynamically.

D : execute a man-in-the-middle attack to intercept and modify data to the vulnerable application.

Answer: C

Question 5

Fill in the blank: The most effective software for reverse engineering PLC code is typically ____.

Options :

A : IDA Pro

B : hidra

C : inary Ninja

D : OllyDbg

Answer: A