  • Exam Name: GIAC Penetration Tester
  • Last Update: Apr 17, 2024
  • Questions and Answers: 385

GPEN Practice Exam Questions with Answers GIAC Penetration Tester Certification

Question # 6

During a penetration test you discover a valid set of SSH credentials to a remote system. How can this be used to your advantage in a Nessus scan?

A.

This information can be entered under the 'Hydra' tab to launch a brute-force password attack.

B.

There isn't an advantage as Nessus will ultimately discover this information.

C.

The 'SSH' box can be checked to let Nessus know the remote system is running

D.

This information can be entered under the 'credentials' tab to allow Nessus to log into the system

Question # 7

You've been contracted by the owner of a secure facility to try and break into their office in the middle of the night. Your client requested photographs of any sensitive information found as proof of your accomplishments. The job you've been hired to perform is an example of what practice?

A.

Penetration Testing

B.

Ethical Hacking

C.

Vulnerability Assessing

D.

Security Auditing

Question # 8

Which of the following TCP packet sequences are common during a SYN (or half-open) scan?

A.

The source computer sends SYN and the destination computer responds with RST

B.

The source computer sends SYN-ACK and no response is received from the destination computer

C.

The source computer sends SYN and no response is received from the destination computer

D.

The source computer sends SYN-ACK and the destination computer responds with RST-ACK

E.

A,B and C

F.

A and C

G.

C and D

Question # 9

You have been contracted to perform a black box pen test against the Internet facing servers for a company. They want to know, with a high level of confidence, if their servers are vulnerable to external attacks. Your contract states that you can use all tools available to you to pen test the systems. What course of action would you use to generate a report with the lowest false positive rate?

A.

Use a port scanner to find open service ports and generate a report listing all vulnerabilities associated with those listening services.

B.

Use a vulnerability or port scanner to find listening services and then try to exploit those services.

C.

Use a vulnerability scanner to generate a report of vulnerable services.

D.

Log into the system and record the patch levels of each service, then generate a report that lists known vulnerabilities for all the running services.

Question # 10

By default Active Directory Controllers store password representations in which file?

A.

%SystemRoot%\system32\ntds.dit

B.

%SystemRoot%\ntds\ntds.dit

C.

%SystemRoot%\ntds\sam.dat

D.

%SystemRoot%\ntds\sam.dit

Question # 11

Analyze the excerpt from a packet capture between the hosts 192.168.116.9 and 192.168.116.101. What factual conclusion can the tester draw from this output?

[Packet capture excerpt between 192.168.116.9 and 192.168.116.101 not reproduced in this text.]

A.

Port 135 is filtered, port 139 is open.

B.

Ports 135 and 139 are filtered.

C.

Ports 139 and 135 are open.

D.

Port 139 is closed, port 135 is open

Question # 12

If the privacy bit is set in the 802.11 header, what does it indicate?

A.

SSID cloaking is being used.

B.

Some form of encryption is in use.

C.

WAP is being used.

D.

Some form of PEAP is being used.

Question # 13

The resulting business impact of the penetration test or ethical hacking engagement is explained in which section of the final report?

A.

Problems

B.

Findings

C.

Impact Assessment

D.

Executive Summary

Question # 14

Which of the following is a method of gathering user names from a Linux system?

A.

Displaying the owner information of system-specific binaries

B.

Reviewing the contents of the system log files

C.

Gathering listening services from the xinetd configuration files

D.

Extracting text strings from the system password file

Question # 15

What is the MOST important document to obtain before beginning any penetration testing?

A.

Project plan

B.

Exceptions document

C.

Project contact list

D.

A written statement of permission

Question # 16

Which of the following are the countermeasures against WEP cracking?

Each correct answer represents a part of the solution. Choose all that apply.

A.

Using the longest key supported by hardware.

B.

Using a 16 bit SSID.

C.

Changing keys often.

D.

Using a non-obvious key.

Question # 17

Which of the following techniques are NOT used to perform active OS fingerprinting?

Each correct answer represents a complete solution. Choose all that apply.

A.

ICMP error message quoting

B.

Analyzing email headers

C.

Sniffing and analyzing packets

D.

Sending FIN packets to open ports on the remote system

Question # 18

Which of the following wireless security standards supported by Windows Vista provides the highest level of security?

A.

WPA2

B.

WPA-PSK

C.

WEP

D.

WPA-EAP

Question # 19

John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. He performs a Teardrop attack on the we-are-secure server and observes that the server crashes. Which of the following is the most likely cause of the server crash?

A.

The spoofed TCP SYN packet containing the IP address of the target is filled in both the source and destination fields.

B.

The we-are-secure server cannot handle the overlapping data fragments.

C.

The ICMP packet is larger than 65,536 bytes.

D.

Ping requests at the server are too high.

Question # 20

Which of the following tools can be used to automate the MITM attack?

A.

Hotspotter

B.

Airjack

C.

IKECrack

D.

Kismet

Question # 21

Which of the following tools can be used to find a username from a SID?

A.

SNMPENUM

B.

SID

C.

SID2User

D.

SIDENUM

Question # 22

John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. He has successfully performed the following steps of the pre-attack phase to check the security of the We-are-secure network:

Gathering information

Determining the network range

Identifying active systems

Now, he wants to find the open ports and applications running on the network. Which of the following tools will he use to accomplish his task?

A.

APNIC

B.

SuperScan

C.

ARIN

D.

RIPE

Question # 23

Which of the following statements about Fport is true?

A.

It works as a process viewer.

B.

It works as a datapipe on Windows.

C.

It works as a datapipe on Linux.

D.

It is a source port forwarder/redirector.

Question # 24

In which of the following attacks is a malicious packet rejected by an IDS, but accepted by the host system?

A.

Insertion

B.

Evasion

C.

Fragmentation overwrite

D.

Fragmentation overlap

Question # 26

Which of the following is the most common method for an attacker to spoof email?

A.

Back door

B.

Replay attack

C.

Man in the middle attack

D.

Open relay

Question # 27

Which of the following layers of the TCP/IP model is used to move packets between the Internet Layer interfaces of two different hosts on the same link?

A.

Internet layer

B.

Application layer

C.

Transport Layer

D.

Link layer

Question # 28

In which of the following attacks is a malicious packet rejected by an IDS, but accepted by the host system?

A.

Insertion

B.

Evasion

C.

Fragmentation overwrite

D.

Fragmentation overlap

Question # 30

In which layer of the OSI model does a sniffer operate?

A.

Network layer

B.

Session layer

C.

Presentation layer

D.

Data link layer

Question # 31

Which of the following tools is used for vulnerability scanning and calls Hydra to launch a dictionary attack?

A.

Whisker

B.

Nmap

C.

Nessus

D.

SARA

Question # 32

You work as a Network Administrator for Tech Perfect Inc. The company has a TCP/IP-based network. Rick, your assistant, is configuring some laptops for wireless access. For security, WEP needs to be configured for wireless communication. By mistake, Rick configures a different WEP key on a laptop from the one configured on the Wireless Access Point (WAP). Which of the following statements is true in such a situation?

A.

The laptop will be able to access the wireless network but the security will be compromised

B.

The WAP will allow the connection with the guest account's privileges.

C.

The laptop will be able to access the wireless network but other wireless devices will be unable to communicate with it.

D.

The laptop will not be able to access the wireless network.

Question # 33

Write the appropriate attack name to fill in the blank.

In a _____________ DoS attack, the attacker sends a spoofed TCP SYN packet in which the IP address of the target is filled in both the source and destination fields.

Question # 34

Which of the following tools is spyware that makes Windows clients send their passwords as clear text?

A.

Pwdump2

B.

SMBRelay

C.

KrbCrack

D.

C2MYAZZ

Question # 35

Which of the following tools is used to verify the structure of network packets and confirm that the packets are constructed according to specification?

A.

snort_inline

B.

EtherApe

C.

Snort decoder

D.

AirSnort

Question # 36

You run the following PHP script:

<?php $password = mysql_real_escape_string($_POST["password"]); ?>

What is the use of the mysql_real_escape_string() function in the above script?

Each correct answer represents a complete solution. Choose all that apply.

A.

It escapes all special characters from strings $_POST["name"] and $_POST["password"].

B.

It escapes all special characters from strings $_POST["name"] and $_POST["password"] except ' and ".

C.

It can be used to mitigate a cross site scripting attack.

D.

It can be used as a countermeasure against a SQL injection attack.

Question # 37

Which of the following tools can be used to perform Windows password cracking, Windows enumeration, and VoIP session sniffing?

A.

Cain

B.

L0phtcrack

C.

Pass-the-hash toolkit

D.

John the Ripper

Question # 38

The scope of your engagement is to include a target organization located in California with a /24 block of addresses that they claim to completely own. Which site could you utilize to confirm that you have been given accurate information before starting reconnaissance activities?

A.

www.whois.net

B.

www.arin.net

C.

www.apnic.net

D.

www.ripe.net

Question # 39

John works as a professional Ethical Hacker. He has been assigned a project to test the security of www.we-are-secure.com. He performs Web vulnerability scanning on the We-are-secure server.

The output of the scanning test is as follows:

C:\whisker.pl -h target_IP_address

-- whisker / v1.4.0 / rain forest puppy / www.wiretrip.net -- = - = - = - = - =

= Host: target_IP_address

= Server: Apache/1.3.12 (Win32) ApacheJServ/1.1

mod_ssl/2.6.4 OpenSSL/0.9.5a mod_perl/1.22

+ 200 OK: HEAD /cgi-bin/printenv

John recognizes the /cgi-bin/printenv vulnerability ('Printenv' vulnerability) on the We-are-secure server. Which of the following statements about the 'Printenv' vulnerability are true?

Each correct answer represents a complete solution. Choose all that apply.

A.

'Printenv' vulnerability maintains a log file of user activities on the Website, which may be useful for the attacker.

B.

The countermeasure to 'printenv' vulnerability is to remove the CGI script.

C.

This vulnerability helps in a cross site scripting attack.

D.

With the help of 'printenv' vulnerability, an attacker can input specially crafted links and/or other malicious scripts.

Question # 40

Which of the following tasks can be performed by using netcat utility?

Each correct answer represents a complete solution. Choose all that apply.

A.

Firewall testing

B.

Creating a Backdoor

C.

Port scanning and service identification

D.

Checking file integrity

Question # 41

Which of the following attacks allows an attacker to sniff data frames on a local area network (LAN) or stop the traffic altogether?

A.

Man-in-the-middle

B.

ARP spoofing

C.

Port scanning

D.

Session hijacking

Question # 42

Anonymizers are the services that help make a user's own Web surfing anonymous. An anonymizer removes all the identifying information from a user's computer while the user surfs the Internet. It ensures the privacy of the user in this manner. After the user anonymizes a Web access with an anonymizer prefix, every subsequent link selected is also automatically accessed anonymously. Which of the following are limitations of anonymizers?

Each correct answer represents a complete solution. Choose all that apply.

A.

Java applications

B.

Secure protocols

C.

ActiveX controls

D.

JavaScript

E.

Plugins

Question # 43

You work as a Penetration Tester for Infosec Inc. Your company takes on security auditing projects. Recently, your company has assigned you a project to test the security of the we-are-secure.com Web site. For this, you want to perform an idle scan so that you can find the open ports on the we-are-secure.com server. You are using the Hping tool to perform the idle scan by using a zombie computer. While scanning, you notice that every IPID is being incremented on every query, regardless of whether the ports are open or closed. Sometimes, the IPID is being incremented by more than one. What may be the reason?

A.

The zombie computer is interacting with some other system besides your computer.

B.

The firewall is blocking the scanning process.

C.

The zombie computer is not connected to the we-are-secure.com Web server.

D.

Hping does not perform idle scanning.

Question # 44

Which of the following vulnerability scanners scans for CGI, IDA, Unicode, and Nimda vulnerabilities?

A.

Hackbot

B.

SARA

C.

Nessus

D.

Cgichk

Question # 45

You work as a Web developer at IBM Inc. Your area of proficiency is PHP. Since you have a proper knowledge of security, you are aware of rainbow table attacks. To mitigate this attack, you design the PHP code based on the following algorithm:

key = hash(password + salt)

for 1 to 65000 do

key = hash(key + salt)

Which of the following techniques are you implementing in the above algorithm?

A.

Key strengthening

B.

Hashing

C.

Sniffing

D.

Salting

Question # 46

You work as a Penetration Tester for Infosec Inc. Your company takes on security auditing projects. Recently, your company has assigned you a project to test the security of the we-are-secure.com Web site. The we-are-secure.com Web server is running the Linux operating system. When you port scanned the we-are-secure.com Web server, you found that TCP ports 23, 25, and 53 are open. When you tried to telnet to port 23, you got a blank screen in response. When you tried to type the dir, copy, date, del, etc. commands, you got only blank spaces or underscore symbols on the screen. What may be the reason for this situation?

A.

The we-are-secure.com server is using honeypot.

B.

The telnet session is being affected by the stateful inspection firewall.

C.

The telnet service of we-are-secure.com is corrupted.

D.

The we-are-secure.com server is using a TCP wrapper.

Question # 47

TCP/IP stack fingerprinting is the passive collection of configuration attributes from a remote device during standard layer 4 network communications. The combination of parameters may then be used to infer the remote operating system (OS fingerprinting), or incorporated into a device fingerprint. Which of the following Nmap switches can be used to perform TCP/IP stack fingerprinting?

A.

nmap -O -p

B.

nmap -sS

C.

nmap -sU -p

D.

nmap -sT

Question # 48

You work as an IT Technician for uCertify Inc. You have to take security measures for the wireless network of the company. You want to prevent other computers from accessing the company's wireless network. On the basis of the hardware address, which of the following will you use as the best possible method to accomplish the task?

A.

MAC Filtering

B.

SSID

C.

RAS

D.

WEP

Question # 49

How many bits does SYSKEY use for encryption?

A.

32

B.

64

C.

512

D.

128

Question # 50

Which of the following characters will you use to check whether an application is vulnerable to an SQL injection attack?

A.

Single quote (')

B.

Semi colon (;)

C.

Double quote (")

D.

Dash (-)

Question # 51

Which of the following statements are true about session hijacking?

Each correct answer represents a complete solution. Choose all that apply.

A.

It is used to slow the working of the victim's network resources.

B.

TCP session hijacking is when a hacker takes over a TCP session between two machines.

C.

Use of a long random number or string as the session key reduces session hijacking.

D.

It is the exploitation of a valid computer session to gain unauthorized access to information or services in a computer system.

Question # 52

LM hash is one of the password schemes that Microsoft LAN Manager and Microsoft Windows versions prior to Windows Vista use to store user passwords that are less than 15 characters long. If you provide a password of seven characters or less, the second half of the LM hash is always __________.

A.

0xBBD3B435B51504FF

B.

0xAAD3B435B51404FF

C.

0xBBC3C435C51504EF

D.

0xAAD3B435B51404EE

Question # 53

You have changed the RestrictAnonymous registry setting from 0 to 1 on your servers to secure your Windows 2000 system so that a malicious user cannot establish a null session on the server. However, when you test the security using the userinfo tool, you find that you can still establish a null session. What may be the reason?

A.

You cannot disable establishing null sessions.

B.

You need to disable the promiscuous mode of network Ethernet card.

C.

You need to set the RestrictAnonymous key value to 2 instead of 1.

D.

You need to install a firewall.

Question # 54

Which of the following is generally practiced by the police or any other recognized governmental authority?

A.

Spoofing

B.

Wiretapping

C.

Phishing

D.

SMB signing

Question # 55

You have received a file named new.com in your email as an attachment. When you execute this file on your laptop, you get the following message:

'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!'

When you open the file in Notepad, you get the following string:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

What step will you take as a countermeasure against this attack?

A.

Immediately shut down your laptop.

B.

Do nothing.

C.

Traverse to all of your drives, search new.com files, and delete them.

D.

Clean up your laptop with antivirus.

Question # 56

John, a novice web user, makes a new E-mail account and keeps his password as "apple", his favorite fruit. John's password is vulnerable to which of the following password cracking attacks?

Each correct answer represents a complete solution. Choose all that apply.

A.

Brute Force attack

B.

Dictionary attack

C.

Hybrid attack

D.

Rule based attack

Question # 57

Adam is a novice Internet user. He is using the Google search engine to search for documents of interest. Adam wants to search for text present in the link of a Web site. Which of the following operators will he use in his query to accomplish the task?

A.

inanchor

B.

info

C.

link

D.

site
