Solution and Answer Guide
WILSON, PENTEST+: GUIDE TO PENETRATION TESTING 2024, 9780357950654
MODULE 1-13
MODULE 01: INTRODUCTION TO PENETRATION TESTING

TABLE OF CONTENTS
Review Questions ... 1
Activities ... 5
Case Projects ... 5

REVIEW QUESTIONS
1. What are two other terms for penetration testing?
a. Vulnerability testing
b. Pen testing
c. Ethical hacking
d. Blue teaming
Answer: b, c
Penetration testing is also known as pen testing or ethical hacking and is an authorized series of security-related, non-malicious "attacks" on targets such as computing devices, applications, or an organization's physical resources and personnel.
2. The purpose of pen testing is to discover vulnerabilities in targets so that these vulnerabilities can be eliminated or mitigated.
a. True
b. False
Answer: a
The purpose of pen testing is to discover vulnerabilities in targets so that the vulnerabilities can be eliminated or mitigated before a threat actor with malicious intent exploits them to cause damage to systems, data, and the organization that owns them.
3. Pen testing should be performed under which of the following circumstances? Choose all that apply.
a. A new computer system has been installed.
b. A new software system or an update to a software system has been installed.
c. Following a regular schedule to make sure no unknown changes have impacted security.
d. Performed as dictated by compliance standards such as PCI DSS.
Answer: a, b, c, d
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Pen testing should be performed as a regular practice, to meet compliance standards, and after a major change in a computing environment, such as the installation of a new computer system, application, or update.
4. Which of the following are possible targets for penetration testing?
a. Web application.
b. Computer.
c. Staff.
d. All of these are correct.
Answer: d
Web applications and other software, computers and related systems, and staff or other personnel can be targets for penetration testing.
5. The targets under test and the actions that a pen tester is allowed to perform need to be well-defined, documented, and agreed upon by all parties before pen testing begins. True or false?
a. True
b. False
Answer: a
Because pen-testing activities are technically the same as illegal hacking activities, differing only in authorization and goals, the pen-testing targets and actions must be well-defined, documented, and agreed upon by all parties before pen testing begins. Without that written agreement there is nothing to distinguish the tester's actions from an attack.
6. Use your favorite search engine to research bug bounties. Find three different bug bounties that were paid, and in a one-page report, summarize these bounties. Make sure to include the vulnerability details, the organization that paid the bounty, and how much they paid.
Answers will vary, but a good report will follow the instructions and have exactly three bug bounty examples. It will also describe the vulnerability details, the organization that paid the bounty, and the amount.
7. The CIA triad expresses how the cornerstones of confidentiality, integrity, and availability are linked together to provide security for computer systems and their data.
a. True
b. False
Answer: a
In the CIA triad, confidentiality of information dictates that an object should only be accessible to authorized entities. Integrity of information or systems ensures that an object has not been modified, corrupted, or destroyed by unauthorized entities. Availability requires that objects and services must be accessible to authorized entities when needed and should not be made unavailable by threat actors or system failures.
8. Which triad is the antithesis of the CIA triad?
a. BAD
b. SAD
c. ADD
d. DAD
Answer: d
The DAD (disclosure, alteration, destruction) triad is the antithesis of the CIA triad because it expresses the attacker's goals of disclosing confidential information, altering or corrupting the integrity of information, and destroying or denying the availability of access to resources.
9. Which of the following are needed to properly maintain the ethical hacking mindset?
a. Pen testers must be careful to conduct themselves ethically with professionalism and integrity.
b. Pen testers must not accidentally stray into the realm of the malicious hacker and cause damage to systems or data.
c. Pen testers must do no harm and stay within the boundaries of what activities have been specified and sanctioned in the penetration testing agreement documents.
d. All of these are correct.
Answer: d
Pen testers must conduct themselves ethically with professionalism and integrity, must not accidentally stray into the realm of the malicious hacker and cause damage to systems or data, and must do no harm by staying within the boundaries of the specified activities.
10. Which penetration testing team is responsible for launching "authorized attacks" against an organization's resources/targets?
a. Red team
b. Blue team
c. Purple team
d. Other stakeholders
Answer: a
The red team launches authorized attacks against an organization's resources or targets to discover vulnerabilities and prove that a vulnerability exists.
11. Which penetration testing team consists of defenders trying to detect and thwart attacks?
a. Red team
b. Blue team
c. Purple team
d. Other stakeholders
Answer: b
Blue team members are the defenders trying to detect, identify, and thwart red team attacks.
12. Which penetration testing team helps coordinate the pen-testing activities by providing an oversight role to bridge between other teams?
a. Red team
b. Blue team
c. Purple team
d. Other stakeholders
Answer: c
The purple team helps coordinate the pen testing activities. It provides oversight by observing red and blue team activities, offers guidance on how to make the teams and their operations more effective, and reports the results of pen testing activities.
13. Which of the following groups are considered to be other stakeholders? Choose all that apply.
a. Management
b. Development
c. Legal
d. IT Department
Answer: a, b, c
Other stakeholders are members of the organization with expertise in management, development, and legal areas.
14. Which phase of the pen-testing process includes activities such as active reconnaissance, vulnerability scanning, and social engineering?
a. Planning and scoping
b. Information gathering and vulnerability scanning
c. Attacking and exploiting
d. Reporting and communicating results
Answer: b
The information gathering and vulnerability scanning phase includes active reconnaissance (grouped together with passive reconnaissance under the term footprinting), vulnerability scanning and analysis, and social engineering.
15. Which phase of the pen-testing process includes activities such as getting written authorization, determining targets, defining goals, and building teams?
a. Planning and scoping
b. Information gathering and vulnerability scanning
c. Attacking and exploiting
d. Reporting and communicating results
Answer: a
The planning and scoping phase lays the groundwork for all the activities that follow and includes securing written authorization, determining targets, defining goals, and building teams.
16. You are a member of the penetration-testing red team. You are trying to get into the server room without authorization. What phase of pen testing are you in?
a. Planning and scoping
b. Information gathering and vulnerability scanning
c. Attacking and exploiting
d. Reporting and communicating results
Answer: c
The attacking and exploiting phase includes activities such as password cracking, SQL injection, circumventing security settings to access data, and physical attacks such as trying to break into the