Practice Questions

Last Update Unknown

Week 1 - Day 1

What best describes the activities in the Security Testing Lifecycle?

  1. Secure -> Document -> Observe -> Analyse
  2. React -> Re-implement -> Restore -> Review
  3. Consult -> Review -> Analyse -> Implement
  4. Secure -> Monitor -> Trigger -> Improve
  5. Firewall -> Policy -> Police -> Enforce
Reveal Answer

The correct answer is 4: Secure -> Monitor -> Trigger -> Improve

Which of the following are types of security assessment?

Select one or more:

  1. Full Security Audit
  2. Grey Box hacking
  3. Vulnerability Penetration Audit
  4. Vulnerability Assessment
  5. Penetration Testing
Reveal Answer

The correct answers are 1, 4, 5: Full Security Audit, Vulnerability Assessment, Penetration Testing

Which sort of security assessment technique would be able to pick up poor levels of physical device security?

  1. White hat testing
  2. Vulnerability Auditing
  3. Onsite Auditing
  4. Laplass Analysis
  5. Full Penetration Testing
Reveal Answer

The correct answer is 3: Onsite Auditing

When thinking of testing types, which type is said to be employed when the attacker has maximum knowledge of the target, while the target has full knowledge of the attack?

  1. Blind
  2. Joined
  3. Double Grey
  4. Reversal
  5. Tandem
Reveal Answer

The correct answer is 5: Tandem

What is considered the third step in the security testing process?

  1. Social Engineering
  2. Exploit Vulnerabilities
  3. Active Recon
Reveal Answer

The correct answer is 3: Active Recon

Which of the following might happen during the passive gathering phase of the security testing process?

Select one or more:

  1. War driving
  2. Querying the whois database
  3. Google hacking
  4. Port Scanning
  5. Spidering
Reveal Answer

The correct answers are 2, 3: Querying the whois database, Google hacking

What offence is section 3A of the Computer Misuse Act?

  1. Unauthorised access to computer material
  2. Making, supplying or obtaining articles for use in offence
  3. Intent to commit or facilitate further offences
  4. Reckless impairment as to detriment the lawful activities of a third party.
  5. Carrying out DoS attacks
Reveal Answer

The correct answer is 2: Making, supplying or obtaining articles for use in offence

How do you perform a social engineering attack ethically?

  1. You cannot lie to the target
  2. You must declare the attack using a recorded message before starting the social engineering attack.
  3. You are able to lie provided you record the conversation.
  4. You can deceive the target so long as you do no harm
  5. You must get a get-out-of-jail letter from the individual first.
Reveal Answer

The correct answer is 4: You can deceive the target so long as you do no harm

In Kali, how could you stop a service called daemon1?

  1. systemctl daemon1.service stop
  2. service daemon1 stop
  3. systemctl stop daemon1.service
  4. ss daemon1.service stop
  5. kill -9 daemon1
Reveal Answer

The correct answer is 2: service daemon1 stop

What would this command do?

  1. How many lines in the file "insensitive" have the word "grep" in them but not the word "case"?
  2. Case insensitive grep of stdin for "grep", and then count the lines
  3. This would result in an error, as grepping for grep is recursive.
  4. This would result in an error, as there is no wc option "-l".
  5. How many lines in the file called "grep" are they?
Reveal Answer

The correct answer is 1: How many lines in the file "insensitive" have the word "grep" in them but not the word "case"?


Week 1 - Day 2

How would you write a Google dork to find all xls spreadsheet files anywhere at napier.ac.uk which contain the word "marks"?

  1. Extension:xls http:*.napier.ac.uk marks
  2. find -name *.xls @napier.ac.uk --exec grep marks
  3. Marks@.*napier.ac.uk extension:xls
  4. site:napier.ac.uk marks filetype:xls
  5. Whois:napier.ac.uk marks *.xls
Reveal Answer

The correct answer is 4: site:napier.ac.uk marks filetype:xls

What do MX DNS records indicate?

  1. Multiplexing records
  2. IPv6 records
  3. The servers which handle email
  4. The email address of the responsible person
  5. Messenger exchange records
Reveal Answer

The correct answer is 3: The servers which handle email

Identify which RR in DNS the SPF framework information is stored in.

  1. v=spf1
  2. SPF1
  3. domainkeys
  4. SPF
  5. TXT
Reveal Answer

The correct answer is 5: TXT

What information might theharvester be able to produce?

  1. email addresses associated with a domain
  2. whois records associated with an IP
  3. Web server IP numbers
  4. domain names associated with an owner
  5. DocumentRoot configurations
Reveal Answer

The correct answer is 1: email addresses associated with a domain

What is defined as the process of collecting information about your target(s) using publicly available sources of information?

  1. Active scanning
  2. Passive information gathering
  3. Dark observance
  4. Server fingerprinting
  5. Attack planning
Reveal Answer

The correct answer is 2: Passive information gathering

Which of the following would be considered appropriate possible channels to consider in the planning stage of a pen test?

Select one or more:

  1. Data Network
  2. Telecommunications
  3. Wireless
  4. Physical
  5. Human
Reveal Answer

The correct answers are 1, 2, 3, 4, 5: Data Network, Telecommunications, Wireless, Physical, Human

Why would you normally sign an NDA with a company which is to be pen tested?

Select one or more:

  1. Legally prevent you sharing confidential information about the target.
  2. Legally prevent you saying how much the test cost.
  3. Legally prevent the company criticizing your test.
  4. Make any breach of contract criminal rather than civil.
  5. Legally prevent you sharing information about the weaknesses in the target.
Reveal Answer

The correct answers are 1, 5: Legally prevent you sharing confidential information about the target, Legally prevent you sharing information about the weaknesses in the target.

By receiving a "get out of jail free card" (i.e. a permission memo) from the company, which of the following laws will you be exempted from?

Select one or more:

  1. Patriot Act
  2. Computer Misuse Act
  3. Data Retention Act
  4. Data Protection Act
  5. General Data Protection Regulations
  6. None of the above
Reveal Answer

The correct answer is 6: None of the above


Week 1 - Day 3

What issues should you be careful of when performing a port scan?

Select one or more:

  1. Avoiding breaking the data protection act
  2. Discovering machines outside the engagement zone.
  3. Causing passwords to become locked
  4. Duration of the scan
  5. Traffic bandwidth generated
Reveal Answer

The correct answers are 2, 4, 5: Discovering machines outside the engagement zone, Duration of the scan, Traffic bandwidth generated.

When would arp-based sweeping be considered superior to ping-based sweeping?

  1. Sweeps across the internet when ICMP is blocked.
  2. When the target is disconnected.
  3. When traffic loads need to be kept low.
  4. Sweeps via the gateway server
  5. A directly connected ethernet network.
Reveal Answer

The correct answer is 5: A directly connected ethernet network.

What feature of IP packets does traceroute rely on for its functionality?

  1. The Don't Fragment flag.
  2. TTL
  3. The URGENT flag
  4. The ACK flag
  5. Multicast packets
Reveal Answer

The correct answer is 2: TTL

If nmap scans a port and receives no reply, how does nmap mark that port?

  1. Host Unreachable
  2. filtered
  3. closed
  4. blocked
  5. Port Unreachable
Reveal Answer

The correct answer is 2: filtered

In netcat, what does the -w flag do?

  1. Switches off I/O mode
  2. Defines the number of seconds to wait before timing out.
  3. Switches on debug warning messages
  4. Forces netcat to wait for a response from the target
  5. Makes netcat watch for incoming connections.
Reveal Answer

The correct answer is 2: Defines the number of seconds to wait before timing out.

During a TCP session the server sends back RST. What would this indicate?

  1. Packet should be resent.
  2. The packets should be considered resident
  3. Target is ending the session gracefully.
  4. The session is already closed.
  5. A receipt is needed for a packet
Reveal Answer

The correct answer is 4: The session is already closed.

What order by default are the ports scanned using nmap?

  1. Low to high numbered ports
  2. Registered ports below 1024 first.
  3. High to low numbered ports
  4. Common port numbers first
  5. Random order
Reveal Answer

The correct answer is 5: Random order

What flag would be needed to run a Half Open/SYN scan?

  1. -sH
  2. -sS
  3. -ho
  4. -nP
  5. -sT
Reveal Answer

The correct answer is 2: -sS


Week 2 - Day 1

How is passive OS fingerprinting undertaken?

  1. By sending packets to the target to elicit a response
  2. By sending non-active packets to the target
  3. By sending active queries to the target indirectly via a reflection attack.
  4. Only by listening to traffic related to independent requests
  5. By using normal request packets rather than abusive ones to elicit a response.
Reveal Answer

The correct answer is 4: Only by listening to traffic related to independent requests

Which option in nmap will perform OS fingerprinting of a target?

  1. -oP
  2. -oF
  3. -O
  4. -F
  5. -oS
Reveal Answer

The correct answer is 3: -O

Which of the following services have banners which appear without having to send any data to the service?

Select one or more:

  1. HTTP on port 5000
  2. DNS on port 53
  3. SSH
  4. Email on port 25
  5. Apache on port 80
Reveal Answer

The correct answers are 3, 4: SSH, Email on port 25

In netcat banner grabbing, how would -w1 be useful?

  1. Limits the overall subnet scan to 1 minute
  2. Only waits for 1 second before moving to the next target
  3. Shows level 1 warning messages about service issues
  4. Supports only character widths of 1 byte, disabling UTF-8
  5. Switches on fast banner negotiation
Reveal Answer

The correct answer is 2: Only waits for 1 second before moving to the next target

In DNS cache poisoning, what fixes were actually implemented in DNS servers in order to mitigate the issue? Check all that apply.

Select one or more:

  1. Increase the transaction ID field to 32 bits
  2. Traffic throttling
  3. Encourage the update of DNSSEC
  4. Use random source ports
  5. SYN Cookies
Reveal Answer

The correct answers are 3, 4: Encourage the update of DNSSEC, Use random source ports

Consider the following email hops

What suggests this is not from the Royal Bank of Scotland?

  1. The second hop has a sender host name unrelated to hop 1.
  2. Email cannot travel two hops in less than 1 second.
  3. Esmtp is a non existent protocol
  4. Email datestamps always have the same time zones between hops.
  5. The UTC time zone is invalid
Reveal Answer

The correct answer is 1: The second hop has a sender host name unrelated to hop 1.


Week 2 - Day 2

What is meant by a zero day exploit?

  1. Vulnerability which has been attacking for less than 24 hours
  2. A vulnerability which will on average only be effective for less than 1 day
  3. A vulnerability patched only today
  4. Vulnerability which was only discovered today
  5. Vulnerability not yet published
Reveal Answer

The correct answer is 5: Vulnerability not yet published

If a user on a machine triggers an exploit by using their web browser, what sort of exploit would it be?

  1. Local exploit
  2. Passive exploit
  3. Client-side exploit
  4. Reverse exploit
  5. Server-side exploit
Reveal Answer

The correct answer is 3: Client-side exploit

When considering exploit code, what is meant by an executable stack?

  1. Code stored in the stack can be executed.
  2. Stack maximum length is controlled from the executable.
  3. The stack is predefined in an executable.
  4. Running code can use the stack
  5. Shared libraries can dynamically use the stack
Reveal Answer

The correct answer is 1: Code stored in the stack can be executed.

In code, when a subroutine is called, where does the return address get stored?

  1. In the .text segment
  2. In the stack
  3. In the heap
  4. In the JMP register
  5. Is statically compiled into the code.
Reveal Answer

The correct answer is 2: In the stack

If you have a subroutine which has two variables:

32 bit integer called X

4 byte char array called Y

Y appears immediately after X in the stack. What hex codes would you need to write into Y to cause a buffer overflow which sets X to 1. X is stored natively in little endian.

  1. 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x01
  2. 0x00 0x00 0x00 0x00 0x00 0x01 0x00 0x00
  3. 0x00 0x00 0x00 0x00 0x00 0x00 0x01 0x00 0x00
  4. 0x00 0x00 0x00 0x00 0x01 0x00 0x00 0x00
  5. 0x00 0x01 0x00 0x00 0x00 0x00 0x00 0x00
Reveal Answer

The correct answer is 4: 0x00 0x00 0x00 0x00 0x01 0x00 0x00 0x00

If executable code is written into a character array on the stack during a function call, how can the exploit be triggered so that the injected code is executed?

  1. If the last 4 bytes of the injected code is a JMP command, then the CPU will automatically jump to that location on the stack.
  2. Any characters which are really assembly code is written to an array in the stack then that code is automatically executed when you return from that subroutine.
  3. If the array overflows and allows the return pointer in the stack to be changed to point to the code inserted in the stack.
  4. The first 4 bytes in an array always indicate the return address for a subroutine, and so setting that to point further into the array allows code injection to occur.
  5. Code in the stack can only be located using heap spraying, and so the code written in the array must contain NOP instructions.
Reveal Answer

The correct answer is 3: If the array overflows and allows the return pointer in the stack to be changed to point to the code inserted in the stack.

In the gdb debugger, how do you see what is in the stack frame?

  1. print info stack
  2. info frame
  3. break stack
  4. print stack
  5. print &info-stack
Reveal Answer

The correct answer is 2: info frame

In an executable, how does Data Execution Protection help guard against exploits?

  1. CRC checks are performed by the MMU on data segments to ensure they have not been modified.
  2. Code is stored in random locations, and so code injection can not easily find the buffer they overflowed.
  3. The memory management unit marks data segments so that code in those segments cannot be executed.
  4. Code in data segments can only be called from code in code segments, and so cannot be reached by rewriting the stack return pointer.
  5. The return pointer of each subroutine is marked read-only and thus cannot be changed by a buffer overflow.
Reveal Answer

The correct answer is 3: The memory management unit marks data segments so that code in those segments cannot be executed.


Assessment 1 - Practice Exam

Question 1

Describe briefly the process by which the hostname "linuxzoo.net" would be converted into an IPv4 address. Include in your discussion the local nameserver, recursion, root servers, and delegation.

Reveal Answer

Your PC would ask your local ISP nameserver, which would ask a root server for help. It would direct you to the ".net" nameserver, which would direct you to the "linuxzoo.net" nameserver, which in turn would answer the question. This would be cached in the local nameserver and the answer returned to your PC.

Question 2

Consider the following:

Briefly describe what has been performed to generate this output, against which machines, including details on the total number of services which have been found, and what else can be concluded from this.

Reveal Answer

An nmap port scan of a single machine 192.168.1.2 - 500 ports on one target.

The target has 3 ports open, and appears to be a Microsoft OS running some standard Microsoft services including netbios.

Question 3

On a tester's machine with address 192.168.100.99, the following command is executed:

On a target machine, the following command was executed in a shell:

Briefly describe what this achieves, and what this might be used for in terms of a penetration test.

Reveal Answer

It uses netcat to create a listener on the tester's machine on port 666, and then connects a client to this from the target machine. Netcat would take input from standard input on the target machine and redirect it to the network connection, with any text being passed across then being displayed on standard output on the tester's machine. This could be used to explore how an intermediate firewall might deal with/block unexpected connections leaving a target, for example.

Question 4

If I performed an nmap scan using "-Pn" and "--reason", what effect would those flags have on the scan?

Reveal Answer

"--reason" is information on why nmap returns the result it does.

"-Pn" prevents host discovery packets being sent, so leaves by default only ping scan. This is good if we are trying not to be detected by the target detection systems.

Question 5

When an email traverses the network from source to destination server, hop information is added to the body of the email. Discuss 4 pieces of information which each hop holds.

Reveal Answer

Previous server IP, previous server HELO, previous server hostname (after reverse DNS lookup of IP), date and time of the hop.

Question 6

When considering the implications of the results of performing a vulnerability scan on a target it is often useful to combine that with a risk assessment. Discuss why this might be useful.

Reveal Answer

Not all vulnerabilities are exploitable. For instance, having telnet may suggest "passwords in the clear", but if that telnet server is only used to access a public system which never asks for a password, or where the password is announced in the login process (e.g. a UPS device which can be accessed to find out the battery state) then the risk of exploitation is low. However, a minor weakness in a critical system could be much more important and need to be tackled first by the customer in order to secure their operations.

Question 7

If the attacker has no knowledge of the target, and the tester has no knowledge of the attack, what is the name of the testing type being employed, and discuss the implications of this type of test.

Reveal Answer

A double blind test. This would be realistic in terms of how a real attacker may go about assessing/penetrating a network, but could be expensive and time consuming.

Question 8

How would you perform an nmap scan which does not first do host discovery, and instead goes directly to a port scan involving the ports 137, 138 and 139 using TCP? Only scan 192.168.1.1.

Reveal Answer

nmap -Pn -p 137-139 192.168.1.1

Question 9

Reflect on the difference between a half open and a fully open type scan. What situations would one be better than the other, or vice versa?

Reveal Answer

Both scans are based around the TCP state of a connection with a service. A half-open TCP scan would be faster, generate less packets, and thus might be harder to detect.

Question 10

As part of a security testing process, discuss how Google hacking could be employed as part of passive reconnaissance.

Reveal Answer

Google hacking would allow you to run searches for documents, links, etc, which may be stored in the target's servers, but without actually accessing the target itself. Google may have already indexed important documents, such as previous penetration testing reports, and may even allow you to read the documents using a Google cached version.


Week 3 - Day 1

In metasploit, what is the significance of LHOST?

  1. The IP number of the target as seen from the target.
  2. The server running the metasploit server
  3. The target of the attack.
  4. The server to download the payload from
  5. The host to be connected to by the exploit payload
Reveal Answer

The correct answer is 5: The host to be connected to by the exploit payload

What key risk should be considered before running a metasploit attack?

  1. The amount of traffic generated during an attack will be very large.
  2. Metasploit will deactivate all firewalls, which in turn makes all targets more vulnerable.
  3. Using metasploit is illegal even with permission.
  4. You may detect issues which you were not aware of.
  5. The target service may be rendered inoperative.
Reveal Answer

The correct answer is 5: The target service may be rendered inoperative.

In an attack payload, what is a bind shell?

  1. A shell connects to a different machine to receive commands
  2. Bind shells lock all ports in the target making the machine non-operational.
  3. A shell which spreads across all systems in the target network using secondary attacks
  4. A shell listens on the target for commands.
  5. A shell which binds itself to other executables on the target.
Reveal Answer

The correct answer is 4: A shell listens on the target for commands.

Which of the following are metasploit interfaces?

Select one or more:

  1. msfcli
  2. msfconsole
  3. msfcmd
  4. msfweb
  5. msfshell
Reveal Answer

The correct answers are 1, 2, 4: msfcli, msfconsole, msfweb

What is the function of a metasploit encoder?

  1. Encoders will convert an exploit for one service to make it effective for other services.
  2. Encoders will compress payloads to make them more efficient.
  3. To disguise a payload and thus evade detection.
  4. Convert shells to use the local keyboard mappings.
  5. To convert exploits to different CPU architectures
Reveal Answer

The correct answer is 3: To disguise a payload and thus evade detection.

Why might a multistage payload be useful in metasploit?

  1. To chain two exploits together when one single exploit would not work.
  2. To carry a payload shell over an encrypted reverse connection
  3. An exploit can be wrapped in an email and sent as a targeted attack.
  4. To run multiple shells on the target
  5. A secondary stage can instigate attacks on other targets in the network.
Reveal Answer

The correct answer is 2: To carry a payload shell over an encrypted reverse connection


Week 3 - Day 2

What various ways are available to hold session state in an HTTP session?

Select one or more:

  1. URL path unique to each user
  2. Browser serial number
  3. Cookies
  4. Source IP
  5. UserAgent field
Reveal Answer

The correct answers are 1, 3: URL path unique to each user, Cookies

If you have a need to put in a character into a URL which would normally be illegal, how would this be achieved? Specifically, how would a space character be inserted?

  1. Using an HTML escape, i.e. &space;
  2. Using the hex value of the ASCII code, i.e. x20
  3. Using the hex value of the ASCII code, i.e. %20
  4. Using the hex value of the ASCII code, i.e. 0x20
  5. Using the hex value of the ASCII code, i.e. &#20
Reveal Answer

The correct answer is 3: Using the hex value of the ASCII code, i.e. %20

What is the likely way that the following data was encoded?

R29yZG9uIHdhcyBoZXJlCg==

  1. uuencode
  2. sha512
  3. md5
  4. URL escaped
  5. base64
Reveal Answer

The correct answer is 5: base64

What exploit issue is defined as XSRF?

  1. Causing new content to appear on a trusted site via SQL injection.
  2. Forging session variables through brute force.
  3. Masquerading as a trusted website using DNS manipulation
  4. Triggering unwanted actions on one website via the user's browser by visiting an evil website.
  5. Injecting new content into a trusted website so it appears to be trusted content.
Reveal Answer

The correct answer is 4: Triggering unwanted actions on one website via the user's browser by visiting an evil website.

If a HEAD request returns an etag entry, what is this suggestive of?

  1. The server is running Apache.
  2. The underlying filesystem uses inodes
  3. The server OS is linux.
  4. The page is an actual file on the webserver.
  5. The page has not changed since the last visit.
Reveal Answer

The correct answer is 4: The page is an actual file on the webserver.

In avoiding length extension attacks involving hashes on md5, which of the following would be considered an effective defense?

  1. hash(data + key)
  2. Use a longer secret key before performing any hashes.
  3. Referrer field analysis
  4. SHA512
  5. HMAC
Reveal Answer

The correct answer is 5: HMAC


Week 3 - Day 3

What disadvantage is there with automatic spidering?

  1. Cannot navigate pages with more than one link.
  2. Frequently requests the same pages multiple times.
  3. Hard to configure
  4. Cannot easily handle javascript menus
  5. Slow
Reveal Answer

The correct answer is 4: Cannot easily handle javascript menus

In a Debian-based linux distribution, where would the site-specific files be located?

  1. /etc/httpd/conf.d/
  2. /etc/apache2/conf.d/
  3. /var/httpd/conf.d/
  4. /etc/httpd/sites-available/
  5. /etc/apache2/sites-available/
Reveal Answer

The correct answer is 5: /etc/apache2/sites-available/

In a Debian Linux distribution, how do you enable public_html user directories?

  1. Edit httpd.conf and set "UserDir public_html".
  2. Edit http.conf and set "UserDir public_html".
  3. a2enmod userdir
  4. Edit .htaccess and set "UserDir public_html".
Reveal Answer

The correct answer is 3: a2enmod userdir

In a Debian-based distribution, how do you restart the apache2 service?

  1. servicectl restart apache2
  2. systemctl apache2 restart
  3. systemctl restart apache2
  4. service apache2 restart
  5. service restart apache2
Reveal Answer

The correct answer is 4: service apache2 restart


Week 4 - Day 1

In mysql, what does the following query do:

SELECT DATABASE()

  1. Returns rows containing all the database names defined in the system.
  2. Allows the user to select the database they wish to send queries to.
  3. Is an invalid statement as it does not have a FROM.
  4. Displays the version number of the database.
  5. Returns data which identifies the current database name.
Reveal Answer

The correct answer is 5: Returns data which identifies the current database name.

In a database there is a table called INTEREST, which has an attribute called RATE. Possible RATE values include 1.5%, 10%, 105%. The field is a string (a varchar), and includes the percentage sign in the data.

How would you find all the rows with RATES equal to 10%?

  1. SELECT * from INTEREST where RATES == 10
  2. SELECT * from INTEREST where RATES = '10%'
  3. SELECT * from INTEREST where RATES = 10
  4. SELECT * from INTEREST where RATES LIKE '10%'
  5. SELECT * from INTEREST where RATES = 10%
Reveal Answer

The correct answer is 2: SELECT * from INTEREST where RATES = '10%'

Consider the following query which is used in a web script:

SELECT password
FROM accountinfo
WHERE user = 'theuser'

In this case, the script is executed on the server by substituting the value of the URL parameter THEUSER into the query instead of the word theuser.

How could you set the parameter THEUSER so that the query would return with password for all the rows stored in the database?

  1. THEUSER=' OR user is NOT NULL
  2. THEUSER='%'
  3. THEUSER=' OR user != '
  4. THEUSER=' OR user is NULL
  5. THEUSER='' (two single quotes)
Reveal Answer

The correct answer is 3: THEUSER=' OR user != '

Consider the following query which is used in a web script:

SELECT password
FROM accountinfo
WHERE user = 'theuser'

In this case, the script is executed on the server by substituting the value of the URL parameter THEUSER into the query instead of the word theuser.

How could you set the parameter THEUSER so that the query would return with user for all the rows stored in the database?

  1. THEUSER=' UNION SELECT user from accountinfo where user LIKE '%
  2. THEUSER='password'
  3. THEUSER=' OR user is NULL
  4. THEUSER='' ORDER BY user (two single quotes)
  5. THEUSER='' UNION SELECT user from accountinfo (two single quotes)

Reveal Answer

The correct answer is 1: THEUSER=' UNION SELECT user from accountinfo where user LIKE '%

You can enter text into an html form and submit it.

You can assume the hex code 21 relates to the ASCII character "!", and that "--" is the comment string for SQL. If you enter the following text into the web form and submit it, what gets sent to the web server?

Demo %21 -- extra

  1. Demo %21 --
  2. Demo !
  3. Demo ! -- extra
  4. Demo %21
  5. Demo %21 -- extra
Reveal Answer

The correct answer is 5: Demo %21 -- extra

Consider the following query which is used in a web script:

SELECT password
FROM accountinfo
WHERE user = 'theuser'
AND accounttype = 6

In this case, the script is executed on the server by substituting the value of the URL parameter THEUSER into the query instead of the word theuser.

How could you set the parameter THEUSER so that the query would return with password for all the rows stored in the database, even for rows where the accounttype is not 6?

  1. THEUSER=' OR user is NULL OR
  2. THEUSER=' OR user is not null --
  3. THEUSER=' OR user is NOT NULL
  4. THEUSER='' OR user != 'theuser' (two single quotes)
  5. THEUSER='%'&ACCOUNTTYPE=%

Reveal Answer

The correct answer is 2: THEUSER=' OR user is not null --

Given that you can inject SQL into a parameter, what would you inject to confirm that the number of columns being returned in that SQL statement was 3?

  1. ' UNION SELECT NULL,NULL,NULL --
  2. ' UNION SELECT COUNT(*) == 3 --
  3. ' UNION SELECT * HAVING 3 --
  4. UNION SELECT count(database_schema.rows) where database_schema.table = self() --
  5. ' UNION SELECT COUNT(*) HAVING 3 --
Reveal Answer

The correct answer is 1: ' UNION SELECT NULL,NULL,NULL --

In terms of an SQL injection attack, which of the following is true concerning a Blind SQL Injection attack?

  1. Used only when you do not know the name of the tables involved.
  2. The result of injecting is knowing that either the query found data or found nothing.
  3. Used in blind and double blind testing procedures
  4. A technique used on encrypted channels, as you cannot understand the encrypted answer returned.
  5. Only needed when you do not know the name of the columns
Reveal Answer

The correct answer is 2: The result of injecting is knowing that either the query found data or found nothing.


Week 4 - Day 2

Which of the following statements are true in a brute force password attack?

  1. Butterfly tables are used to crack the login details.
  2. Hash tables are used to generate passwords
  3. Dictionaries are used to generate passwords
  4. All possible combinations of characters and password lengths are used.
  5. Passwords are tried multiple times until they are accepted
Reveal Answer

The correct answer is 4: All possible combinations of characters and password lengths are used.

In a Hybrid password attack, which of the following statements are true:

  1. Starts with brute force, and as passwords are cracked it stores them in a dictionary.
  2. Starts with a dictionary attack, but when the dictionary is all used up switches to brute force.
  3. Performs a dictionary attack, but varies the attack speed to mimic a real-world user.
  4. Mixes dictionary and brute force attacks.
  5. Performs a brute force attack but varies the username being targeted.
Reveal Answer

The correct answer is 4: Mixes dictionary and brute force attacks.

What is the reduce function for in a rainbow table?

  1. Takes a hash and maps it to a string which looks like an appropriate password.
  2. Reduces a password to an equivalent hash
  3. Reduces the length of a password to that permitted by the target.
  4. Takes a hash and reduces the bits required to hold that hash
  5. Reverses a hash and produces the password which created that hash
Reveal Answer

The correct answer is 4: Takes a hash and maps it to a string which looks like an appropriate password.

In a Rainbow Table, what is the concept of Chain Merging?

  1. Where a password is formed by merging two other passwords
  2. Passwords with the same characters but written in a different order are merged together.
  3. Where a hash reduces to two different passwords
  4. Where the first and last password in a chain is identical, merging avoids cyclic chain traversal.
  5. Where more than one chain holds similar information
Reveal Answer

The correct answer is 5: Where more than one chain holds similar information

If a file of hashed passwords has been obtained which were built using a per-machine salt, comment on the use of Rainbow Tables to help crack the passwords.

  1. It is worthwhile building a rainbow table just for this one problem.
  2. A Rainbow Table would only be useful if it had already been built using the same salt.
  3. Rainbow tables built without a salt would still be effective here.
  4. Rainbow Tables are effective as they already contain every possible salted password.
  5. Only a Hybrid Rainbow Table using Markov chains is known to be effective.
Reveal Answer

The correct answer is 2: A Rainbow Table would only be useful if it had already been built using the same salt.

In NTLM, which of the following is true regarding its hashing algorithm?

Select one or more:

  1. It splits the password up into 7 character chunks
  2. It preserves the case of the passwords
  3. Passwords can be up to 128 characters long
  4. It uses a salt
  5. The hash is based on MD4
Reveal Answer

The correct answers are 2, 5: It preserves the case of the passwords, The hash is based on MD4