Penetration Testing Bonus Content

30 questions on Penetration Testing.

Question 1: According to standard PTES methodologies, what should occur during the Threat Modeling phase of a penetration test?

A. Running automated port scans using Nmap.
B. Analyzing business processes and assets to identify high-value targets and assess threat scenarios. — (correct answer)
C. Writing exploit scripts using Python.
D. Delivering the final executive remediation report.

Explanation: Threat modeling identifies targets and maps threat profiles before active technical testing begins.

Question 2: What is the difference between horizontal and vertical privilege escalation?

A. Horizontal escalation is done on Linux, vertical is done on Windows.
B. Horizontal escalation moves across different platforms, vertical moves across networks.
C. Horizontal escalation grants access to a user with similar permissions, while Vertical escalation elevates access to higher permissions (e.g. Root/Administrator). — (correct answer)
D. Vertical escalation is executed without active scanning.

Explanation: Horizontal escalation gets access to another standard user's files. Vertical escalation elevates standard users to superuser status.

Question 3: In penetration testing, what is the purpose of 'Pivoting'?

A. Modifying the scope of the engagement mid-test.
B. Using a compromised system as a bridge or proxy to scan and attack other systems in internal, private subnets. — (correct answer)
C. Switching from manual code auditing to automated scanning tools.
D. Changing passwords on the client system to lock out other hackers.

Explanation: Pivoting routes traffic through a compromised machine to reach private networks that the tester's machine cannot query directly.

Question 4: Why is defining the 'Rules of Engagement' (RoE) mandatory before executing any penetration test?

A. To guarantee the success of the exploits.
B. To outline boundaries, authorized scopes, testing hours, and establish legal consent to prevent operational damage and legal liability. — (correct answer)
C. To document database connection passwords.
D. To set the pricing structures of the consultants.

Explanation: RoE defines strict boundaries, ensuring target organizations consent to specific testing methods to avoid unauthorized system downtime.

Question 5: What is a key difference in reporting target audiences between the Executive Summary and the Technical Report sections of a pentest report?

A. The Executive Summary is public, the Technical Report is hidden.
B. The Executive Summary targets business decision-makers (high-level risk, business impact), while the Technical Report targets developers and security engineers (exploit details, remediation steps). — (correct answer)
C. The Executive Summary contains code, the Technical Report contains financial metrics.
D. The Technical Report is written by automated tools.

Explanation: Pentest reports must address high-level risk concerns for executives and actionable, step-by-step debug listings for engineers.

Question 6: What is a 'Penetration Test'?

A. An audit of corporate financial statements.
B. An authorized, simulated attack on a computer system, network, or application to identify and verify security vulnerabilities. — (correct answer)
C. An automated database backup.
D. An inspection of local hardware routers.

Explanation: Pentesting validates risks, checking if potential vulnerabilities can be actively exploited.

Question 7: What does 'Reconnaissance' (Information Gathering) involve?

A. Applying security updates to servers.
B. Collecting metadata, DNS records, subdomains, and host profiles to map the target organization's attack surface. — (correct answer)
C. Writing exploit scripts in Python.
D. Deleting log records.

Explanation: Reconnaissance is the first phase, identifying IP ranges and tech stacks before attacks.

Question 8: What is the difference between active reconnaissance and passive reconnaissance?

A. Active recon is faster and runs in memory.
B. Active recon interacts directly with target hosts (e.g. port scans), while Passive recon gathers details without sending traffic (e.g. OSINT). — (correct answer)
C. Passive recon requires admin keys.
D. There is no difference.

Explanation: Passive recon leaves no logs on target systems, minimizing alarm risks.

Question 9: Which port scanning tool is standard for discovering open ports on target IPs?

A. Wireshark
B. Nmap — (correct answer)
C. Metasploit
D. Burp Suite

Explanation: Nmap is the default port scanner, identifying active services and protocols.

Question 10: What is 'Vulnerability Mapping'?

A. Copying database tables to cloud instances.
B. The process of cross-referencing discovered open ports and services against known vulnerabilities and CVE databases. — (correct answer)
C. Writing HTML stylesheets.
D. Compiling model weights.

Explanation: Mapping links target services to exploits, identifying potential entry vectors.

Question 11: What is the difference between vulnerability scanning and penetration testing?

A. Scanning is manual, testing is automated.
B. Scanning identifies potential flaws automatically, while testing actively exploits them to confirm risk severity and business impact. — (correct answer)
C. Testing works only on NoSQL tables.
D. There is no difference.

Explanation: Scanning produces lists of possible bugs; testing verifies which bugs are actually exploitable.

Question 12: What does 'Exploitation' mean in pentesting?

A. Reporting bugs to the vendor.
B. The act of using a vulnerability to gain unauthorized access, bypass security controls, or execute code on target systems. — (correct answer)
C. Backing up system settings.
D. Setting up local firewalls.

Explanation: Exploitation moves from theoretical risk to validated compromised status.

Question 13: What does 'Post-Exploitation' focus on?

A. Formatting database tables.
B. Evaluating the compromised host's value, establishing persistence, and identifying paths to other internal network assets. — (correct answer)
C. Compiling final executive reports.
D. Re-routing router channels.

Explanation: Post-exploitation assesses what data is exposed and how far an attacker could penetrate.

Question 14: Why is 'Clearing Tracks' (Log Cleaning) done in penetration tests?

A. To hide bugs from development teams.
B. To evaluate the organization's security monitoring, logging, and detection capabilities (simulating advanced threat evasion). — (correct answer)
C. To speed up system response times.
D. To clear database storage.

Explanation: Cleaning tracks tests if security operation centers (SOC) detect log modifications.

Question 15: What is a 'Scope' limit in Rules of Engagement?

A. The price of the consultant contract.
B. The list of IP ranges, subdomains, and servers that the tester is legally authorized to target. — (correct answer)
C. The list of developer accounts.
D. The testing schedules of employees.

Explanation: Operating outside the scope boundary is unauthorized and exposes testers to legal liabilities.

Question 16: What is an 'Evil Twin' attack?

A. Injecting SQL statements to replicate tables.
B. A rogue Wi-Fi access point set up to mimic a legitimate network, intercepting client data. — (correct answer)
C. Creating duplicate admin accounts.
D. A double compiler run.

Explanation: Evil twins lure users into connecting, sniffing their unencrypted traffic.

Question 17: What is a 'Social Engineering' assessment?

A. Optimizing network configurations.
B. Testing employee security awareness by attempting to trick them into revealing credentials or running attachments (e.g. Phishing). — (correct answer)
C. Auditing source code syntax.
D. Restricting folder permissions.

Explanation: Social engineering bypasses technical controls, evaluating the human risk factor.

Question 18: Which tool is a famous exploitation framework containing pre-compiled exploits and payloads?

A. Wireshark
B. Metasploit — (correct answer)
C. Nmap
D. Burp Suite

Explanation: Metasploit simplifies exploitation, providing a modular framework for testing vulnerabilities.

Question 19: What does an intercepting proxy (like Burp Suite) allow testers to do?

A. Sniff raw Wi-Fi packets.
B. Intercept, inspect, and modify HTTP requests and responses between browsers and target web servers. — (correct answer)
C. Route SQL queries.
D. Compress JSON payloads.

Explanation: Intercepting proxies are standard for AppSec, allowing testers to manipulate inputs.

Question 20: What is 'Lateral Movement'?

A. Moving files between folders.
B. The technique of navigating from a compromised host to other systems within the same internal subnet. — (correct answer)
C. Switching between scripting languages.
D. Deleting logs files.

Explanation: Lateral movement expands the attacker footprint inside corporate internal networks.

Question 21: What is a 'Shell'?

A. A design template.
B. A command-line interface that allows users to send commands directly to the host operating system. — (correct answer)
C. A database indexing format.
D. A server port designation.

Explanation: Gaining a shell on target systems is the primary objective of exploitation.

Question 22: What is a 'Bind Shell'?

A. A shell that is encrypted.
B. A shell where the target system opens a listening port, waiting for the attacker to connect to get command access. — (correct answer)
C. A shell that runs only on Windows.
D. A backup database script.

Explanation: Bind shells are often blocked by inbound firewalls, making reverse shells preferred.

Question 23: What is the difference between a Vulnerability Scan report and a Pentest report?

A. Scanning reports contain code, testing reports contain metrics.
B. Scanning reports are automated lists of potential issues, while Pentest reports outline verified exploits, business risks, and remediation paths. — (correct answer)
C. Testing reports are public.
D. There is no difference.

Explanation: Pentest reports prioritize risk based on actual exploitability and business impacts.

Question 24: What does CVSS stand for?

A. Common Vulnerability Scoring System — (correct answer)
B. Core Vulnerability Security Standard
C. Client Variable Security Setup
D. Common Vector Server System

Explanation: CVSS is the standard scoring system evaluating vulnerability severity from 0 to 10.

Question 25: What does a CVSS score of 9.8 represent?

A. A minor configuration warning.
B. A critical-severity vulnerability, representing high risk and requiring immediate remediation. — (correct answer)
C. A database index error.
D. A page rendering delay.

Explanation: CVSS scores above 9.0 indicate critical vulnerabilities like RCE or auth bypass.

Question 26: In pentesting, what is the role of an 'Exploit'?

A. A documentation template.
B. A piece of software, data, or command sequence that leverages a vulnerability to cause unintended behavior on target hosts. — (correct answer)
C. A database check utility.
D. An encryption module.

Explanation: Exploits trigger security bugs, delivering payloads (like shells) to systems.

Question 27: What is the purpose of 'Remediation' in a pentest lifecycle?

A. Writing exploit scripts.
B. The process of patching, fixing, or mitigating identified security vulnerabilities to secure systems. — (correct answer)
C. Changing contract prices.
D. Deleting logs folders.

Explanation: Remediation is the ultimate goal, transforming test findings into defensive hardening.

Question 28: What is 'Active Directory' (AD) harvesting?

A. Scraping contact emails from webpages.
B. Extracting user lists, domain groups, and trust relationships from compromised AD controllers. — (correct answer)
C. Modifying settings.py.
D. Deleting database log files.

Explanation: AD harvesting maps corporate identity structures, locating privileged domain accounts.

Question 29: What does a 'Privilege Escalation' path map?

A. The path to backup servers.
B. The specific sequence of vulnerabilities exploited to advance from standard user access to domain administrator controls. — (correct answer)
C. The layout of the website navigation.
D. The API routing sequence.

Explanation: Mapping escalation paths helps security teams identify and block systemic breach routes.

Question 30: What is 'OSINT' (Open Source Intelligence)?

A. An open-source database engine.
B. Collecting and analyzing publicly available data (social media, public files, DNS records) for reconnaissance. — (correct answer)
C. A python coding style.
D. A server container configuration.

Explanation: OSINT provides passive reconnaissance details without alerting target security systems.

Penetration Testing Bonus Content

Test your knowledge with interactive questions.

Ready to test your skills?

You are about to start a comprehensive quiz containing questions covering Penetration Testing. You have 30 minutes to complete it.

Discussion (0)

Comments are reviewed before appearing.

No comments yet — be the first!

Featured

Browse All 21+ Subject Areas

Popular Topics

More Topics

Quick Links

Featured

Visual Algorithm Labs

Sorting Algorithms

Data Structures

Featured

Frontend Dev

Career Paths

Skill Tracks

Featured

The Future of Web Architecture in 2026

Categories

Community

Practice Quizzes

Penetration Testing Bonus Content

Ready to test your skills?

Correct!

Incorrect

Explanation

Quiz Navigator /

Current Score

Discussion (0)

Send Feedback / Bug

Feedback Submitted!