Penetration Testing, 1st Edition Rob S. Wilson
Solution and Answer Guide: Wilson, PenTest+: Guide to Penetration Testing 2024
WILSON, PENTEST+: GUIDE TO PENETRATION TESTING 2024, 9780357950654; MODULE 01:
INTRODUCTION TO PENETRATION TESTING
TABLE OF CONTENTS
Review Questions
Activities
Case Projects
REVIEW QUESTIONS
1. What are two other terms for penetration testing?
a. Vulnerability testing
b. Pen testing
c. Ethical hacking
d. Blue teaming
Answer: b, c
Penetration testing is also known as pen testing or ethical hacking and is an authorized series of
security-related, non-malicious “attacks” on targets such as computing devices, applications, or an
organization’s physical resources and personnel.
2. The purpose of pen testing is to discover vulnerabilities in targets so that these vulnerabilities can be
eliminated or mitigated.
a. True
b. False
Answer: a
The purpose of pen testing is to discover vulnerabilities in targets so that the vulnerabilities can be
eliminated or mitigated before a threat actor with malicious intent exploits them to cause damage to
systems, data, and the organization that owns them.
3. Pen testing should be performed under which of the following circumstances? Choose all that apply.
a. A new computer system has been installed.
b. A new software system or an update to a software system has been installed.
c. Following a regular schedule to make sure no unknown changes have impacted security.
d. Performed as dictated by compliance standards such as PCI DSS.
Answer: a, b, c, d
Pen testing should be performed as a regular practice, to meet compliance standards, and after a major
change in a computing environment, such as the installation of a new computer system, application, or
update.
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible
website, in whole or in part.
4. Which of the following are possible targets for penetration testing?
a. Web application.
b. Computer.
c. Staff.
d. All of these are correct.
Answer: d
Web applications and other software, computers and related systems, and staff or other personnel can
be targets for penetration testing.
5. The targets under test and the actions that a pen tester is allowed to perform need to be well-defined,
documented, and agreed upon by all parties before pen testing begins. True or false?
a. True
b. False
Answer: a
Because pen-testing activities are the same as illegal hacking activities, though with different goals, the
pen-testing targets and actions must be well-defined, documented, and agreed upon by all parties
before pen testing begins.
6. Use your favorite search engine to research bug bounties. Find three different bug bounties that were paid,
and in a one-page report, summarize these bounties. Make sure to include the vulnerability details, the
organization that paid the bounty, and how much they paid.
Answers will vary, but a good report will follow the instructions and have exactly three bug bounty
examples. It will also describe the vulnerability details, the organization that paid the bounty, and the
amount.
7. The CIA triad expresses how the cornerstones of confidentiality, integrity, and accessibility are linked
together to provide security for computer systems and their data.
a. True
b. False
Answer: a
In the CIA triad, confidentiality of information dictates that an object should only be accessible to
authorized entities. Integrity of information or systems ensures that an object has not been corrupted or
destroyed by unauthorized entities. Availability requires that objects and services must be accessible to
authorized entities when needed and should not be made unavailable by threat actors or system
failures.
8. Which triad is the antithesis of the CIA triad?
a. BAD
b. SAD
c. ADD
d. DAD
Answer: d
The DAD (disclosure, alteration, destruction) triad is the antithesis of the CIA triad because it
expresses the goals of disclosing confidential information, altering or corrupting the integrity of
information, and destroying or denying the availability of access to resources.
9. Which of the following are needed to properly maintain the ethical hacking mindset?
a. Pen testers must be careful to conduct themselves ethically with professionalism and integrity.
b. Pen testers must not accidentally stray into the realm of the malicious hacker and cause damage to
systems or data.
c. Pen testers must do no harm and stay within the boundaries of what activities have been specified
and sanctioned in the penetration testing agreement documents.
d. All of these are correct.
Answer: d
Pen testers must conduct themselves ethically with professionalism and integrity, cannot accidentally
stray into the realm of the malicious hacker and cause damage to systems or data, and must do no harm
by staying within the boundaries of the specified activities.
10. Which penetration testing team is responsible for launching “authorized attacks” against an organization’s
resources/targets?
a. Red team
b. Blue team
c. Purple team
d. Other stakeholders
Answer: a
The red team launches authorized attacks against an organization’s resources or targets to discover
vulnerabilities and prove a vulnerability exists.
11. Which penetration testing team consists of defenders trying to detect and thwart attacks?
a. Red team
b. Blue team
c. Purple team
d. Other stakeholders
Answer: b
Blue team members are the defenders trying to detect, identify, and thwart red team attacks.
12. Which penetration testing team helps coordinate the pen-testing activities by providing an oversight role to
bridge between other teams?
a. Red team
b. Blue team
c. Purple team
d. Other stakeholders
Answer: c
The purple team helps coordinate the pen testing activities. It provides oversight by observing red and
blue team activities, offers guidance on how to make the teams and their operations more effective, and
reports the results of pen testing activities.
13. Which of the following groups are considered to be other stakeholders? Choose all that apply.
a. Management
b. Development
c. Legal
d. IT Department
Answer: a, b, c
Other stakeholders are members of the organization with expertise in management, development, and
legal areas.
14. Which phase of the pen-testing process includes activities such as active reconnaissance, vulnerability
scanning, and social engineering?
a. Planning and scoping
b. Information gathering and vulnerability scanning
c. Attacking and exploiting
d. Reporting and communicating results
Answer: b
The information gathering and vulnerability scanning phase includes active reconnaissance (also called
footprinting), vulnerability scanning and analysis, and social engineering.
15. Which phase of the pen-testing process includes activities such as getting written authorization,
determining targets, defining goals, and building teams?
a. Planning and scoping
b. Information gathering and vulnerability scanning
c. Attacking and exploiting
d. Reporting and communicating results
Answer: a
The planning and scoping phase lays the groundwork for all the activities that follow and includes
securing written authorization, determining targets, defining goals, and building teams.
16. You are a member of the penetration-testing red team. You are trying to get into the server room without
authorization. What phase of pen testing are you in?
a. Planning and scoping
b. Information gathering and vulnerability scanning
c. Attacking and exploiting
d. Reporting and communicating results
Answer: c
The attacking and exploiting phase includes activities such as password cracking, SQL injection,
circumventing security settings to access data, and physical attacks such as trying to break into the
server room.
17. Using your favorite search engine, search for security products that use the cyber kill chain concept. In a
one-page report, describe one of these products and its features. Be sure to highlight the product’s
capabilities and how they relate to specific cyber kill chain phases.
Answers will vary, but a good report will be exactly one page long and will cover the requirements of
naming the product, describing its features and capabilities, and relating these to the cyber kill chain
phases.
18. Choose one of the tools from Table 1-3: Penetration-testing tools and create a one-page report detailing
what it does and how to use it. Include one small graphic that exemplifies this tool. The graphic can be no
more than 1/6 of a page in size.
Answers will vary, but a good report will be exactly one page long and will describe what the tool is used
for and how to use it. Good reports will contain one small graphic that shows the tool’s interface or a
command line capture of it being used.
ACTIVITIES
ACTIVITY 1-3: IDENTIFYING COMPUTER STATUTES IN YOUR STATE, PROVINCE,
OR COUNTY
Solution: Answers will vary. The memo should include state laws that might affect how a penetration test
could be conducted as well as problems that might arise because of state laws. The memo could also ask
that management draw up a contract addressing any risks or possible network degradation that might occur
during testing.
ACTIVITY 1-4: EXAMINING FEDERAL AND INTERNATIONAL COMPUTER CRIME
LAWS
Solution: Answers will vary. The summary should mention some key elements, such as (a)(2)
“…intentionally accesses a computer without authorization or exceeds authorized access, and thereby
obtains….” Section (g) states: “Any person who suffers damage or loss by reason of a violation of this
section may maintain a civil action against the violator…” The summary might also mention the possibility
of a lawsuit. Students need to understand that this federal law addresses government computers and
financial systems. Students should mention what nations are part of The Convention on Cybercrime
(Budapest Convention).
CASE PROJECTS
CASE PROJECT 1-1: DETERMINING LEGAL REQUIREMENTS FOR PENETRATION
TESTING
Prompt: Alexander Rocco Corporation, a large real estate management company in Maui, Hawaii, has
contracted your computer consulting company to perform a penetration test on its computer network. The
company owns property that houses a five-star hotel, golf courses, tennis courts, and restaurants. Melinda
May, the vice president, is your only contact at the company. To avoid undermining the tests you’re
conducting, you won’t be introduced to any IT staff or employees. Melinda wants to determine what you
can find out about the company’s network infrastructure, network topology, and any discovered
vulnerabilities without any assistance from her or company personnel.
Based on this information, write a report outlining the steps you should take before beginning penetration
tests of the Alexander Rocco Corporation. Research the laws applying to the state where the company is
located, and be sure to reference any federal laws that might apply to what you have been asked to do.
Solution: Answers will vary but the report could include the following possible steps:
1. Prepare a statement of work detailing what the penetration tests would include.
2. Verify that a contract exists between both companies authorizing you to perform the penetration test.
3. Review state laws for Hawaii and any applicable federal laws.
4. Discuss with management the formation of a red team.
CASE PROJECT 1-2: RESEARCHING HACKTIVISTS AT WORK
Prompt: Hacktivism is hacking for the purpose of supporting an activist cause, such as hacking the
computer systems of a repressive regime that violates human rights. A hacktivist is a person who uses
hacktivism techniques. A recent U.S. News & World Report article discusses how a new wave of hacktivism
is adding a twist to cybersecurity woes. At a time when U.S. agencies and companies are fighting off
hacking campaigns originating in Russia and China, activist hackers looking to make a political point are
reemerging.
The government’s response shows that officials regard the return of hacktivism with alarm. An acting U.S.
Attorney was quoted as saying, “Wrapping oneself in an allegedly altruistic motive does not remove the
criminal stench from such intrusion, theft, and fraud.”
A recent counterintelligence strategy states, “ideologically motivated entities such as hacktivists,
leaktivists, and public disclosure organizations, are now viewed as ‘significant threats’, alongside five
countries, three terrorist groups, and transnational criminal organizations.”
Previous waves of hacktivism, notably by the collective known as Anonymous in the early 2010s, have
largely faded away due to law enforcement pressure. Now a new generation of youthful hackers, angry
about how the cybersecurity world operates and upset about the role of tech companies in spreading
propaganda, is joining the fray.
Research hacktivism, and write a one-page paper that answers the following questions:
• Is hacktivism an effective political tool?
• Did any of the hacktivists you researched go too far?
• Can hacktivism ever be justified?
Solution: The paper is subjective in nature. The simple answer to the questions posed would be hacking is
never justified. However, this should generate discussion and debates amongst the students.
Answers to questions:
1. Subjective question. Some might reference hacktivism as civil disobedience.
2. Subjective. What is too far for someone might be not far enough for someone else.
3. The simple answer is no. Hacking is illegal.
Solution and Answer Guide: Wilson, PenTest+: Guide to Penetration Testing 2024
WILSON, PENTEST+: GUIDE TO PENETRATION TESTING 2024, 9780357445266; MODULE 02: SETTING
UP A PENETRATION TESTING LAB
TABLE OF CONTENTS
Review Questions
REVIEW QUESTIONS
1. What is VirtualBox?
a. A vulnerability testing tool.
b. A virtualization platform.
c. A set of cloud-based hacking tools.
d. An online file storage solution.
Answer: b
VirtualBox is a software package provided free-of-charge by the Oracle company. It is arguably the
best of the free-of-charge virtualization options.
2. Kali Linux is widely used by pen testers because it’s free and comes with many pen-testing tools already
installed.
a. True
b. False
Answer: a
Kali Linux is a free, open-sourced variant of Debian Linux and is popular with pen testers because it
includes built-in pen-testing tools.
3. What is an OVA?
a. An Open Virus Attack.
b. An Online Virtual Application.
c. An Oracle Virtual Appliance.
d. An Open Virtual Appliance.
Answer: d
Open virtual appliances are preconfigured virtual machines that can be imported into virtualization
platforms such as VirtualBox and VMware Workstation.
4. What is Metasploitable2?
a. A purposefully vulnerable virtual machine useful for practicing pen testing.
b. A pen-testing framework.
c. A type of malware.
d. A pen-testing application.