GIAC GPEN Exam Practice Questions Answers

GIAC Penetration Tester Questions and Answers

Question 1

You run the following PHP script:

$password = mysql_real_escape_string($_POST["password"]);?>

What is the use of the mysql_real_escape_string() function in the above script.

Each correct answer represents a complete solution. Choose all that apply

Options:

It escapes all special characters from strings $_POST["name"] and $_POST["password"].

It escapes all special characters from strings $_POST["name"] and $_POST["password"] except ' and ".

It can be used to mitigate a cross site scripting attack.

It can be used as a countermeasure against a SQL injection attack.

Buy Now

Question 2

Which of the following Web authentication techniques uses a single sign-on scheme?

Options:

NTLM authentication

Microsoft Passport authentication

Basic authentication

Digest authentication

Question 3

Which of the following tools is used to verify the network structure packets and confirm that the packets are constructed according to specification?

Options:

snort_inline

EtherApe

Snort decoder

AirSnort

Question 4

Which of the following can be used as a countermeasure against the SQL injection attack?

Each correct answer represents a complete solution. Choose two.

Options:

mysql_real_escape_string()

Prepared statement

mysql_escape_string()

session_regenerate_id()

Question 5

Ryan wants to create an ad hoc wireless network so that he can share some important files with another employee of his company. Which of the following wireless security protocols should he choose for setting up an ad hoc wireless network?

Each correct answer represents a part of the solution. Choose two.

Options:

WPA2 -EAP

WPA-PSK

WPA-EAP

WEP

Question 6

You work as a Network Administrator in the Secure Inc. You often need to send PDF documents that contain secret information, such as, client password, their credit card details, email passwords, etc. through email to your customers. However, you are making PDFs password protected you are getting complaints from customers that their secret information is being misused. When you analyze this complaint you get that however you are applying the passwords on PDFs, they are not providing the maximum protection. What may be the cause of this security hole?

Options:

PDFs can be read easily in the plain-text form by applying a sniffer.

PDFs are sent in email in the plain-text form.

PDF passwords can easily be cracked by brute force attacks.

You are applying easily guessed passwords.

Question 7

Which of the following attacks allows an attacker to sniff data frames on a local area network (LAN) or stop the traffic altogether?

Options:

Man-in-the-middle

ARP spoofing

Port scanning

Session hijacking

Question 8

John works as an Ethical Hacker for uCertify Inc. He wants to find out the ports that are open in uCertify's server using a port scanner. However, he does not want to establish a full TCP connection. Which of the following scanning techniques will he use to accomplish this task?

Options:

TCP FIN

Xmas tree

TCP SYN/ACK

TCP SYN

Question 9

You work as a Penetration Tester for the Infosec Inc. Your company takes the projects of security auditing. Recently, your company has assigned you a project to test the security of the we-aresecure. com Website. The we-are-secure.com Web server is using Linux operating system. When you port scanned the we-are-secure.com Web server, you got that TCP port 23, 25, and 53 are open. When you tried to telnet to port 23, you got a blank screen in response. When you tried to type the dir, copy, date, del, etc. commands you got only blank spaces or underscores symbols on the screen. What may be the reason of such unwanted situation?

Options:

The we-are-secure.com server is using honeypot.

The we-are-secure.com server is using a TCP wrapper.

The telnet service of we-are-secure.com has corrupted.

The telnet session is being affected by the stateful inspection firewall.

Question 10

John works as a Professional Penetration Tester. He has been assigned a project to test the Website security of Inc. On the We-are-secure Website login page, he enters= 'or''=' as a username and successfully logs on to the user page of the Web site. Now, John asks the we-are-secure Inc. to improve the login page PHP script. Which of the following suggestions can John give to improve the security of the we-are-secure Website login page from the SQL injection attack?

Options:

Use the session_regenerate_id() function

Use the escapeshellcmd() function

Use the mysql_real_escape_string() function for escaping input

Use the escapeshellarg() function

Question 11

You work as a Penetration Tester for the Infosec Inc. Your company takes the projects of security auditing. Recently, your company has assigned you a project to test the security of the we-aresecure. com Web site. For this, you want to perform the idle scan so that you can get the ports open in the we-are-secure.com server. You are using Hping tool to perform the idle scan by using a zombie computer. While scanning, you notice that every IPID is being incremented on every query, regardless whether the ports are open or close. Sometimes, IPID is being incremented by more than one value. What may be the reason?

Options:

The zombie computer is the system interacting with some other system besides your comp uter.

The firewall is blocking the scanning process.

The zombie computer is not connected to the we-are-secure.com Web server.

Hping does not perform idle scanning.

Question 12

Which of the following standards is used in wireless local area networks (WLANs)?

Options:

IEEE 802.4

IEEE 802.3

IEEE 802.11b

IEEE 802.5

Question 13

Which of the following tools connects to and executes files on remote systems?

Options:

Spector

Hk.exe

PsExec

GetAdmin.exe

Question 14

You want to search the Apache Web server having version 2.0 using google hacking. Which of the following search queries will you use?

Options:

intitle:"Test Page for Apache Installation" "You are free"

intitle:"Test Page for Apache Installation" "It worked!"

intitle:test.page "Hey, it worked !" "SSl/TLS aware"

intitle:Sample.page.for.Apache Apache.Hook.Function

Question 15

You are concerned about war driving bringing hackers attention to your wireless network. What is the most basic step you can take to mitigate this risk?

Options:

Implement WEP

Implement MAC filtering

Don't broadcast SSID

Implement WPA

Question 16

Which of the following best describes a server side exploit?

Options:

Attack on the physical machine

Attack of a service listening on a network port

Attack that escalates user privilege to root or administrator

Attack of a client application that retrieves content from the network

Question 17

You are pen testing a Windows system remotely via a raw netcat shell. You want to quickly change directories to where the Windows operating system resides, what command could you use?

Options:

cd systemroot

cd-

cd /systemroot/

cd %systemroot%

Question 18

While scanning a remote system that is running a web server with a UDP scan and monitoring the scan with a sniffer, you notice that the target is responding with ICMP Port Unreachable only once a second What operating system is the target likely running?

Options:

Linux

Windows

OpenBSD

Mac OS X

Question 19

Which of the following best describes a client side exploit?

Options:

Attack of a client application that retrieves content from the network

Attack that escalates user privileged to root or administrator

Attack of a service listening on a client system

Attack on the physical machine

Question 20

What command will correctly reformat the Unix passwordcopy and shadowcopy Tiles for input to John The Ripper?

Options:

/Un shadow passwd copy shadowcopy > johnfile

/Unshadow passwdcopy shadowcopy > johnfile

/Unshadow shadowcopy passwdcopy >john file

/Unshadow passwdcopy shadowcopy > johnfile

Question 21

Raw netcat shells and telnet terminals share which characteristic?

Options:

Ability to send commands to a target machine.

Ability to adapt output to the size of display window

Shells and terminals are exactly the same.

Ability to process standard output control sequences.

Question 22

In the screen shot below, which selections would you need click in order to intercept and alter all http traffic passing through OWASP ZAP?

Options:

Trap response and continue

Set Break and Continue

Trap request and continue

Continue and drop

Question 23

Which of the following best explains why you would warn to clear browser slate (history. cache, and cookies) between examinations of web servers when you've been trapping and altering values with a non-transparent proxy?

Options:

Values trapped and stored in the browser will reveal the techniques you've used toexamine the web servers.

Trapping and changing response values is beneficial for web site testing but usingthe same cached values in your browser will prevent you from being able to changethose values.

Trapping and changing response values is beneficial for web site testing but willcause browser instability if not cleared.

Values trapped and changed in the proxy, such as a cookie, will be stored by thebrowser and may impact further testing.

Question 24

A client has asked for a vulnerability scan on an internal network that does not have internet access. The rules of engagement prohibits any outside connection for the Nessus scanning machine. The customer has asked you to scan for a new critical vulnerability, which was released after the testing started, winch of the following methods of updating the Nessus plugins does not violate the rules of engagement?

Options:

Connect the scanning machine via wireless bridge and download the updateddirectly

Change the routing and connect through an alternative gateway

Proceed with the test and note the limitation of updating the plugins

Download the updates on an alternative machine and manually load on scanningmachine

Question 25

Identify the network activity shown below;

Options:

A sweep of available hosts on the local subnet

A flood of the local switch's CAM table.

An attempt to disassociate wireless clients.

An attempt to impersonate the local gateway

Question 26

Which of the following is a method of gathering user names from a Linux system?

Options:

Displaying the owner information of system-specific binaries

Reviewing the contents of the system log files

Gathering listening services from the xinetd configuration files

Extracting text strings from the system password file

Question 27

When sniffing wireless frames, the interface mode plays a key role in successfully collecting traffic. Which of the mode or modes are best used for sniffing wireless traffic?

Options:

Master Ad-hoc

RFMON

RFMON. Ad-hoc

Ad-hoc

Question 28

Analyze the command output below. What information can the tester infer directly from the Information shown?

Options:

Usernames for the domain tesrdomain.com

Directory indexing is allowed on the web server

Vulnerable versions of Adobe software in use

Naming convention for public documents

Question 29

Why is OSSTMM beneficial to the pen tester?

Options:

It provides a legal and contractual framework for testing

It provides in-depth knowledge on tools

It provides report templates

It includes an automated testing engine similar to Metasploit

Question 30

You are pen testing a network and have shell access to a machine via Netcat. You try to use ssh to access another machine from the first machine. What is the expected result?

Options:

The ssh connection will succeed If you have root access on the intermediate

machine

The ssh connection will fail

The ssh connection will succeed

The ssh connection will succeed if no password required

Question 31

Which of the following are considered Bluetooth security violations?

Each correct answer represents a complete solution. Choose two.

Options:

Bluebug attack

SQL injection attack

Cross site scripting attack

Social engineering

Bluesnarfing

Question 32

You are a Web Administrator of Millennium Inc. The company has hosted its Web site within its network. The management wants the company's vendors to be able to connect to the corporate site from their locations through the Internet. As a public network is involved in this process, you are concerned about the security of data transmitted between the vendors and the corporate site.

Which of the following can help you?

Options:

EAP

WEP

Smart card

VPN

Question 33

The employees of EWS Inc. require remote access to the company's Web servers. In order to provide solid wireless security, the company uses EAP-TLS as the authentication protocol. Which of the following statements are true about EAP-TLS?

Each correct answer represents a complete solution. Choose all that apply.

Options:

It is supported by all manufacturers of wireless LAN hardware and software.

It uses a public key certificate for server authentication.

It uses password hash for client authentication.

It provides a moderate level of security.

Question 34

You want to retrieve password files (stored in the Web server's index directory) from various Web sites. Which of the following tools can you use to accomplish the task?

Options:

Nmap

Sam spade

Whois

Google

Question 35

Which of the following commands can be used for port scanning?

Options:

nc -z

nc -t

nc -w

nc –g

Question 36

You work as a Network Administrator for Tech Perfect Inc. The company requires a secure wireless network. To provide security, you are configuring ISA Server 2006 as a firewall. While configuring ISA Server 2006, which of the following is NOT necessary?

Options:

Configuration of VPN access

Setting up of monitoring on ISA Server

Defining ISA Server network configuration

Defining how ISA Server would cache Web contents

Question 37

Which of the following techniques are NOT used to perform active OS fingerprinting?

Each correct answer represents a complete solution. Choose all that apply.

Options:

Analyzing email headers

Sniffing and analyzing packets

ICMP error message quoting

Sending FIN packets to open ports on the remote system

Question 38

Adam, a malicious hacker, hides a hacking tool from a system administrator of his company by using Alternate Data Streams (ADS) feature. Which of the following statements is true in context with the above scenario?

Options:

Alternate Data Streams is a feature of Linux operating system.

Adam's system runs on Microsoft Windows 98 operating system.

Adam is using FAT file system.

Adam is using NTFS file system.

Question 39

John works as a professional Ethical Hacker. He has been assigned the project of testing the security of He wants to perform a stealth scan to discover open ports and applications running on the We-are-secure server. For this purpose, he wants to initiate scanning with the IP address of any third party. Which of the following scanning techniques will John use to accomplish his task?

Options:

UDP

TCP SYN/ACK

IDLE

RPC

Question 40

Which of the following tools can be used to automate the MITM attack?

Options:

Hotspotter

Airjack

Kismet

IKECrack

Question 41

John works as a Professional Ethical Hacker for we-are-secure Inc. The company is using a Wireless network. John has been assigned the work to check the security of WLAN of we-aresecure.

For this, he tries to capture the traffic, however, he does not find a good traffic to analyze data. He has already discovered the network using the ettercap tool. Which of the following tools can he use to generate traffic so that he can crack the Wep keys and enter into the network?

Options:

ICMP ping flood tool

Kismet

Netstumbler

AirSnort

Question 42

Fill in the blank with the appropriate word.

____is a port scanner that can also be used for the OS detection.

Options:

Question 43

John, a novice web user, makes a new E-mail account and keeps his password as "apple", his favorite fruit. John's password is vulnerable to which of the following password cracking attacks?

Each correct answer represents a complete solution. Choose all that apply.

Options:

Brute Force attack

Dictionary attack

Hybrid attack

Rule based attack

Question 44

Victor wants to use Wireless Zero Configuration (WZC) to establish a wireless network connection using his computer running on Windows XP operating system. Which of the following are the most likely threats to his computer?

Each correct answer represents a complete solution. Choose two.

Options:

Attacker by creating a fake wireless network with high power antenna cause Victor's computer to associate with his network to gain access.

Information of probing for networks can be viewed using a wireless analyzer and may be used to gain access.

Attacker can use the Ping Flood DoS attack if WZC is used.

It will not allow the configuration of encryption and MAC filtering. Sending information is not secure on wireless network.

Question 45

John works as a professional Ethical Hacker. He has been assigned the project of testing the security of In order to do so, he performs the following steps of the preattack phase successfully:

Information gathering

Determination of network range

Identification of active systems

Location of open ports and applications

Now, which of the following tasks should he perform next?

Options:

Perform OS fingerprinting on the We-are-secure network.

Map the network of We-are-secure Inc.

Fingerprint the services running on the we-are-secure network.

Install a backdoor to log in remotely on the We-are-secure server.

Question 46

In which of the following attacks does an attacker use packet sniffing to read network traffic between two parties to steal the session cookie?

Options:

Cross-site scripting

Session sidejacking

ARP spoofing

Session fixation

Question 47

Which of the following statements about SSID is NOT true?

Options:

Default settings of SSIDs are secure.

All wireless devices on a wireless network must have the same SSID in order to communicate with each other.

It acts as a password for network access.

It is used to identify a wireless network.

Question 48

What does APNIC stand for?

Options:

Asia-Pacific Network Information Center

American-Pacific Network Information Center

American Private Network Information Center

Asian Private Network Information Center

Question 49

In which of the following attacks is a malicious packet rejected by an IDS, but accepted by the host system?

Options:

Insertion

Evasion

Fragmentation overwrite

Fragmentation overlap

Question 50

Which of the following is the correct syntax to create a null session?

Options:

c:\>net view \\IP_addr\IPC$ "" /u: ""

c:\>net view \\IPC$\IP_addr "" /u: ""

c:\>net use \\IP_addr\IPC$ "" /u: ""

c:\>net use \\IPC$\IP_addr "" /u: ""

Question 51

Which of the following tools is used for SNMP enumeration?

Options:

SARA

Userinfo

Getif

Enum

Question 52

Which of the following penetration testing phases involves gathering data from whois, DNS, and network scanning, which helps in mapping a target network and provides valuable information regarding the operating system and applications running on the systems?

Options:

Post-attack phase

Attack phase

On-attack phase

Pre-attack phase

Question 53

If a password is seven characters or less, the second half of the LM hash is always

___________________.

Options:

0xAAD3B4EE

0xAAD3B4FF

0xAAD3B435B51404FF

0xAAD3B435B51404EE

Question 54

Which of the following is the correct sequence of packets to perform the 3-way handshake method?

Options:

SYN, ACK, ACK

SYN, ACK, SYN/ACK

SYN, SYN/ACK, ACK

SYN, SYN, ACK

Question 55

Which of the following Web authentication techniques uses a single sign-on scheme?

Options:

Basic authentication

Digest authentication

NTLM authentication

Microsoft Passport authentication

Question 56

Which of the following syntaxes is the correct syntax for the master.dbo.sp_makewebtask procedure?

Options:

sp_makewebtask [@inputfile =] 'inputfile', [@query =] 'query'

sp_makewebtask [@outputfile =] 'outputfile', [@query =] 'query'

sp_makewebtask [@query =] 'query', [@inputfile =] 'inputfile'

sp_makewebtask [@query =] 'query', [@outputfile =] 'outputfile'

Question 57

Which of the following is the most common method for an attacker to spoof email?

Options:

Back door

Replay attack

Man in the middle attack

Open relay

Halloween Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

GIAC GPEN Dumps

GIAC Penetration Tester Questions and Answers

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Options:

Answer:

Explanation:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer: