1 | Page
GFACT CERTIFICATION EXAM 2025 UPDATED
ACTUAL EXAM WITH CORRECT SOLUTIONS.
(B2, Pg122) What does it mean when a computer program is
"multi-threaded"?
A) It calls multiple external libraries
B) It has multiple serial number for different users
C) It can run multiple chunks of code concurrently
D) It has multiple functions defined in the program - correct
answer- It can run multiple chunks of code concurrently
(B3, Pg162) Which of the following is a common result of a
reflected cross-site scripting attack?
A)Tricking a user into making an authenticated transaction
B)Sending a website user's session cookie to an attacker
C) Embedding the attacker's malware in web application source
code
D) Stealing password hashes from a website's back end
database
*HINT* It may be under the session guessing section, but if you
read further into it, you will see where it mentions XSS attack. -
,2 | Page
correct answer- Sending a website user's session cookie to an
attacker
(B3, Pg90) What tool can be used to fingerprint the operating
system of a host?
A)netstat
B)dig
C)nslookup
D)nmap - correct answer- Nmap
(B3, Pg151) What type of vulnerability is illustrated where there
is code in the web page?
A)File Inclusion
B) Clickjacking
C)Cross-Site Scripting
D) SQL injection
*HINT* While it doesn't exactly say "code in the web page", it
mentions how you can sometimes view a page that looks like
PHP code and how that code can gain you access to the
access logs of the server. - correct answer- File Inclusion
,3 | Page
(B3, Pg88-89) An alert indicates that a compromised host was
used by an attacker to run the command below. What was the
attacker attempting to do?
$ nmap -sS 192.168.10.0/24
A)Map a network drive to a remote host
B)Identify services running on network hosts
C)Execute a script on a remote host
D)Send Spoofed packets to network hosts - correct answer-
Identify services running on network hosts
What type of artifact can a blue team member use to identify
the name that is associated to the file?
A)Metadata
B)Windows security logs
C)Prefetch
D)File Ownership - correct answer- Metadata
(B3, Pg307-308) What is
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curren
tVersion\Run considered to be?
A)Domain Name
, 4 | Page
B)Log File Path
C) Registry Key
D) Yo Mama's Number - correct answer- A Registry Key
(B1, Pg236) If a user agent is used, where would it be found in
the HTTP Protocol?
A)In the response header
B)In the response body
C)Delimited by an h1 tag
D) In a GET Request - correct answer- In a GET Request
What benefit does moving from local logging to using a log
server provide organizations?
A) Enables the use of network intrusion detection systems
(NIDS)
B) Harder for attackers to overwrite logs
C) Attackers will have to pivot through an extra server to
infiltrate the network
D)Less complex logging infrastructure - correct answer- Harder
for attackers to overwrite logs
GFACT CERTIFICATION EXAM 2025 UPDATED
ACTUAL EXAM WITH CORRECT SOLUTIONS.
(B2, Pg122) What does it mean when a computer program is
"multi-threaded"?
A) It calls multiple external libraries
B) It has multiple serial number for different users
C) It can run multiple chunks of code concurrently
D) It has multiple functions defined in the program - correct
answer- It can run multiple chunks of code concurrently
(B3, Pg162) Which of the following is a common result of a
reflected cross-site scripting attack?
A)Tricking a user into making an authenticated transaction
B)Sending a website user's session cookie to an attacker
C) Embedding the attacker's malware in web application source
code
D) Stealing password hashes from a website's back end
database
*HINT* It may be under the session guessing section, but if you
read further into it, you will see where it mentions XSS attack. -
,2 | Page
correct answer- Sending a website user's session cookie to an
attacker
(B3, Pg90) What tool can be used to fingerprint the operating
system of a host?
A)netstat
B)dig
C)nslookup
D)nmap - correct answer- Nmap
(B3, Pg151) What type of vulnerability is illustrated where there
is code in the web page?
A)File Inclusion
B) Clickjacking
C)Cross-Site Scripting
D) SQL injection
*HINT* While it doesn't exactly say "code in the web page", it
mentions how you can sometimes view a page that looks like
PHP code and how that code can gain you access to the
access logs of the server. - correct answer- File Inclusion
,3 | Page
(B3, Pg88-89) An alert indicates that a compromised host was
used by an attacker to run the command below. What was the
attacker attempting to do?
$ nmap -sS 192.168.10.0/24
A)Map a network drive to a remote host
B)Identify services running on network hosts
C)Execute a script on a remote host
D)Send Spoofed packets to network hosts - correct answer-
Identify services running on network hosts
What type of artifact can a blue team member use to identify
the name that is associated to the file?
A)Metadata
B)Windows security logs
C)Prefetch
D)File Ownership - correct answer- Metadata
(B3, Pg307-308) What is
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curren
tVersion\Run considered to be?
A)Domain Name
, 4 | Page
B)Log File Path
C) Registry Key
D) Yo Mama's Number - correct answer- A Registry Key
(B1, Pg236) If a user agent is used, where would it be found in
the HTTP Protocol?
A)In the response header
B)In the response body
C)Delimited by an h1 tag
D) In a GET Request - correct answer- In a GET Request
What benefit does moving from local logging to using a log
server provide organizations?
A) Enables the use of network intrusion detection systems
(NIDS)
B) Harder for attackers to overwrite logs
C) Attackers will have to pivot through an extra server to
infiltrate the network
D)Less complex logging infrastructure - correct answer- Harder
for attackers to overwrite logs
