The Pen Test: Putting It All Together

This chapter includes questions from the following topics:

•   Describe penetration testing, security assessments, and risk management

•   Define automatic and manual testing

•   List pen test methodology and deliverables

I’ve been exceedingly blessed in my life, in a great many ways I don’t have the time or print space here to cover. I have had opportunities to travel the world and experience things many people just flat out don’t get to. In one of my travels I wound up in Florence, Italy, and decided to go see the statue of David. Even if you’re not familiar with the background of this sculpture, I’ll bet you’ve seen a replica of it somewhere—from garden art re-creations and store displays to one very cool episode of SpongeBob SquarePants, where he had to “BE the marble!” David was carved by Michelangelo sometime between 1501 and 1504 and is universally acclaimed as one of the greatest sculptures of all time. The statue now sits in a domed atrium within the Galleria dell’Accademia in Florence. It is truly an unbelievable experience to see this work of art, displayed in all its glory in a perfect setting within a beautiful gallery, and is definitely a highlight of any visit to Florence.

What made as big an impression on me, though, were the other, unfinished works of art from Michelangelo you had to pass by in order to get to the statue of David. There’s a giant hallway leading to the atrium that is literally packed, on the right and left, with sculptures he started but, for whatever reason, never finished. Walking down the hallway (at least in your imagination anyway), we’re surrounded by stonework that is simply amazing. Here, on the right, is a giant marble stone with half a man sticking out of the left side and chisel marks leading downward to something as yet unfinished. On the left we see the front half of a horse exploding out of a rough-hewn block of granite; the rest of the beautiful animal still buried in the story Michelangelo never got to finish telling with the sculpture. Traveling down this long hallway, we see other works—a battle raging in one boulder, a face clearly defined and nearly expressionless looking out of a little, almost leftover piece of rock—all displayed left and right for us to gape at.

These unfinished works weren’t crude by any means; quite the opposite. I stood there among the crowds racing to get a glimpse of monumental talent, marveling at how a man could take a big chunk of rock and shape and smooth it into something that looked so real. But these pieces weren’t finished, and it showed. There were giant scratch marks over areas that should have been smooth, and a few sculptures simply broke off because the rock itself cracked in two.

What has this got to do with this book, you may be asking? The answer, dear reader, is because we’ve all put a lot of work into this. We’ve chipped away at giant boulders of knowledge and are on the verge of finishing. No, I’m not making some crazed corollary to this book being some work of art (anyone who really knows me can attest that’s not my bag, baby), but I am saying we, you and I, are on the verge of something good here. Keep hacking away at that stone. Keep sanding and polishing. Sooner or later you’ll finish and have your statue to display—just don’t forget all the work you put into it, and don’t throw any of it away. I promise, you’ll want to go back, sometime later, and walk through your own hallway of work to see how far you’ve come.

This chapter is, admittedly, short and sweet. The questions and answers are easier (if memorizing terms is easy for you, that is), and the write-ups on what’s correct and what’s false will reflect that as well. Sure, I might sneak in a question from earlier in the book—just to see if you’re paying attention, and to wrap up terms EC-Council throws into this section—but these are all supposed to be about the pen test itself. We’ve already covered the nuts and bolts, so now we’re going to spend some time on the finished product. And, of course, you will see most of this stuff on your exam. I just hope that you’ll be so ready for it by then it’ll be like Michelangelo wiping the dust off his last polishing of the statue of David.

STUDY TIPS This chapter is, by design, a little bit of a wrap-up. There are things here that just don’t seem to fit elsewhere, or that needed special attention, away from the clutter of the original EC-Council chapter they were stuck in. Most of this generally boils down to basic memorization. While that may sound easy enough to you, I think you’ll find that some of these terms are so closely related that questions on the exam referencing them will be confusing at the very least—and most likely rage-inducing by the time the exam ends. Pay close attention to risk management terminology—you’ll definitely see a few questions on it in your exam. Another area you’ll probably see at least a couple questions on is the ethics of being a professional, ethical hacker. Admittedly, some of these will be tough to answer, as real-world and EC-Council CEH definitions don’t always coincide, but hopefully we’ll have enough information here to get you through.

Lastly, and I think I’ve said this before, it’s sometimes easier to eliminate wrong answers than it is to choose the correct one. When you’re looking at one of these questions that seems totally out of left field, spend your time eliminating the choices you know aren’t correct. Eventually all that’s left must be the correct answer. After all, the mechanism scoring the test doesn’t care how you got to the answer, only that the right one is chosen.


1.   Incident response (IR) is an important part of organizational security. In what step of the incident-handling process would IR team members disable or delete user accounts and change firewall rules?

A.  Detection and Analysis

B.  Classification and Prioritization

C.  Containment

D.  Forensic Investigation

2.   A software company puts an application through stringent testing and, on the date of release, is confident the software is free of known vulnerabilities. An organization named BigBiz purchases the software at a premium cost, with a guarantee of service, maintenance, and liability. Which risk management method is in use by the BigBiz organization?

A.  Accept

B.  Transfer

C.  Avoid

D.  Mitigate

3.   Which of the following provide automated pen test–like results for an organization? (Choose all that apply.)

A.  Metasploit

B.  Nessus

C.  Core Impact

D.  CANVAS

E.  SAINT

F.  GFI Languard

4.   Which of the following best describes an assessment against a network segment that tests for existing vulnerabilities but does not attempt to exploit any of them?

A.  Penetration test

B.  Partial penetration test

C.  Vulnerability assessment

D.  Security audit

5.   You are a member of a pen test team conducting tests. Your team has all necessary scope, terms of engagement, and nondisclosure and service-level agreements in place. You gain access to an employee’s system and during further testing discover child pornography on a hidden drive folder. Which of the following is the best course of action for the ethical hacker?

A.  Continue testing without notification to anyone, but ensure the information is included in the final outbrief report.

B.  Continue testing without interruption, but completely remove all hidden files and the folder containing the pornography.

C.  Stop testing and notify law enforcement authorities immediately.

D.  Stop testing and remove all evidence of intrusion into the machine.

6.   In which phase of a pen test is scanning performed?

A.  Pre-attack

B.  Attack

C.  Post-attack

D.  Reconnaissance

7.   Which of the following describes risk that remains after all security controls have been implemented to the best of one’s ability?

A.  Residual

B.  Inherent

C.  Deferred

D.  Remaining

8.   Which of the following statements are true regarding OSSTMM? (Choose all that apply.)

A.  OSSTMM is a non-profit, international research initiative dedicated to defining standards in security testing and business integrity testing.

B.  OSSTMM recognizes ten types of controls, which are divided into two classes.

C.  ISECOM maintains the OSSTMM.

D.  OSSTMM defines three types of compliance.

9.   Which of the following is an open source project produced by OISSG (Open Information Systems Security Group) intended to provide security testing assistance?

A.  OSSTMM

B.  OWASP

C.  COBIT

D.  ISSAF
10.   NIST SP 800-30 defines steps for conducting a risk assessment. Which of the following statements is true regarding the process?

A.  Threats are identified before vulnerabilities.

B.  Determining the magnitude of impact is the first step.

C.  Likelihood is determined after the risk assessment is complete.

D.  Risk assessment is not a recurring process.

11.   In which phase of a pen test will the team penetrate the perimeter and acquire targets?

A.  Pre-attack

B.  Attack

C.  Post-attack

D.  None of the above

12.   An organization participates in a real-world exercise designed to test all facets of their security systems. An independent group is hired to assist the organization’s security groups, assisting in the defense of assets against the attacks from the attacking group. Which of the following statements is true?

A.  The group assisting in the defense of the systems is referred to as a blue team.

B.  The group assisting in the defense of the systems is referred to as a red team.

C.  The group assisting in the defense of the systems is known as a white-hat group.

D.  The team attacking the systems must provide all details of any planned attack with the defense group before launching to ensure security measures are tested appropriately.

13.   Which of the following best describes the difference between a professional pen test team member and a hacker?

A.  Ethical hackers are paid for their time.

B.  Ethical hackers never exploit vulnerabilities; they only point out their existence.

C.  Ethical hackers do not use the same tools and actions as hackers.

D.  Ethical hackers hold a predefined scope and agreement from the system owner.

14.   Sally is part of a penetration test team and is starting a test. The client has provided a network drop on one of their subnets for Sally to launch her attacks from. However, they did not provide any authentication information, network diagrams, or other notable data concerning the systems. Which type of test is Sally performing?

A.  External, white box

B.  External, black box

C.  Internal, white box

D.  Internal, black box

15.   Your pen test team is discussing services with a potential client. The client indicates they do not see the value in penetration testing. Which of the following is the correct response from your team?

A.  Run a few tests and display the results to the client to prove the value of penetration testing.

B.  Provide detailed results from other customers you’ve tested, displaying the value of planned testing and security deficiency discovery.

C.  Provide information and statistics regarding pen testing and security vulnerabilities from reliable sources.

D.  Perform the penetration test anyway in case they change their mind.

16.   In which phase of a penetration test would you compile a list of vulnerabilities found?

A.  Pre-attack

B.  Attack

C.  Post-attack

D.  Reconciliation

17.   Which of the following has a database containing thousands of signatures used to detect vulnerabilities in multiple operating systems?

A.  Nessus

B.  Hping


D.  SNMPUtil

18.   Cleaning registry entries and removing uploaded files and tools are part of which phase of a pen test?

A.  Covering tracks

B.  Pre-attack

C.  Attack

D.  Post-attack

19.   Which of the following are true statements regarding a pen test? (Choose all that apply.)

A.  Pen tests do not include social engineering.

B.  Pen tests may include unannounced attacks against the network.

C.  During a pen test, the security professionals can carry out any attack they choose.

D.  Pen tests always have a scope.

E.  A list of all personnel involved in the test is not included in the final report.

20.   Which of the following causes a potential security breach?

A.  Vulnerability

B.  Threat

C.  Exploit

D.  Zero day

21.   Which Metasploit payload type operates via DLL injection and is difficult for antivirus software to pick up?

A.  Inline

B.  Meterpreter

C.  Staged

D.  Remote

22.   Metasploit is a framework allowing for the development and execution of exploit code against a remote host and is designed for use in pen testing. The framework consists of several libraries, each performing a specific task and set of functions. Which library is considered the most fundamental component of the Metasploit framework?

A.  MSF Core

B.  MSF Base

C.  MSF Interfaces

D.  Rex

23.   Which of the following may be effective countermeasures against an inside attacker? (Choose all that apply.)

A.  Enforce elevated privilege control.

B.  Secure all dumpsters and shred collection boxes.

C.  Enforce good physical security practice and policy.

D.  Perform background checks on all employees.


1.   C

2.   B

3.   A, C, D

4.   C

5.   C

6.   A

7.   A

8.   B, C, D

9.   D

10.   A

11.   B

12.   A

13.   D

14.   D

15.   C

16.   C

17.   A

18.   D

19.   B, D

20.   B

21.   B

22.   D

23.   A, B, C, D


1.   Incident response (IR) is an important part of organizational security. In what step of the incident-handling process would IR team members disable or delete user accounts and change firewall rules?

A.  Detection and Analysis

B.  Classification and Prioritization

C.  Containment

D.  Forensic Investigation

C. In a refrain you’ve heard over and over again throughout this book, sometimes real life and EC-Council don’t see eye to eye. However, when it comes to IR, ECC kind of gets it right. Almost. Lots of organizations define the incident-handling response in different ways, with different phases for actions taken. Generally speaking, though, all incident handling falls into four sets of actions: Identify, Contain, Eradicate, and Recover. Most organizations will define a Preparation phase beforehand and a Lessons Learned phase at the end for a full incident process. ECC defines eight phases:

•   Preparation Defining rules, processes, and toolsets, and testing them (usually with some regularly scheduled exercises at a minimum).

•   Detection and Analysis This is where alerting functions (toolsets, IDS, IPS, users notifying of strange events, and so on) and initial research into the event take place.

•   Classification and Prioritization Decision making on whether to elevate as an incident and at what level to elevate is made here (ramping up an IR event for a false alarm serves no one). Levels of categorization vary from organization to organization, but usually assign response time frames to levels.

•   Notification Alerting appropriate teams and organizations to assist in the event occurs here.

•   Containment Steps to contain the incident occur here. This may include steps to revoke or suspend user accounts and blocking system or even subnet access via firewall or other methods.

•   Forensic Investigation In this stage, if possible, pull live memory and disk captures for evaluation and analysis. This does not have to wait until the conclusion of the event but, depending on the assets involved and the nature of the incident, forensics may have to wait.

•   Eradication and Recovery This encompasses all steps taken to remove the incident cause (malware, malicious code, backdoors, rootkits, viruses, and so on) and to return the assets involved to baseline standards before putting them back into production.

•   Post-Incident This is where reporting, follow-up analysis, and lessons learned are put together. Evaluation from this step is fed into the preparation phase for the next event.
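A containment step of the kind the Containment bullet above describes, written out as an added example (this is not the book’s or EC-Council’s material): given an incident record, it builds the containment commands in a deliberate order, runs them only when asked, and keeps a timestamped line per action for the incident timeline. It assumes a Linux host with iptables and shadow-utils; the incident identifier, account name and addresses in the demo are constructed.

```python
"""Containment actions for the incident-handling phase described above.

Added example, not from the book or EC-Council: build the ordered containment
commands for an incident, run them only when asked, and keep a timestamped
record for the incident timeline. Assumes a Linux host with iptables and
shadow-utils; the incident values in the demo are constructed.
"""
from __future__ import annotations

import ipaddress
import re
import shlex
import subprocess
from dataclasses import dataclass, field
from datetime import datetime, timezone

ACCOUNT_RE = re.compile(r"[a-z_][a-z0-9_-]*")   # what we accept as a local account name


@dataclass
class Incident:
    incident_id: str
    compromised_accounts: list[str]
    attacker_sources: list[str]                      # IPs or CIDRs seen in the alert
    isolate_hosts: list[str] = field(default_factory=list)  # internal hosts to fence off


def containment_actions(inc: Incident) -> list[list[str]]:
    """Return the containment commands in the order they should run.

    Network isolation goes first: it stops lateral movement and leaves the
    host running, so live memory can still be captured in the forensic step.
    Accounts are locked and expired rather than deleted, so file ownership
    and audit records survive. Attacker sources are blocked last, since the
    alert data they come from is the least certain of the three inputs.
    """
    actions: list[list[str]] = []
    for host in inc.isolate_hosts:
        ip = str(ipaddress.ip_address(host))          # rejects anything that is not an address
        actions.append(["iptables", "-I", "FORWARD", "1", "-s", ip, "-j", "DROP"])
        actions.append(["iptables", "-I", "FORWARD", "1", "-d", ip, "-j", "DROP"])
    for user in inc.compromised_accounts:
        if not ACCOUNT_RE.fullmatch(user):            # no shell metacharacters reach usermod
            raise ValueError(f"refusing suspicious account name {user!r}")
        actions.append(["usermod", "--lock", "--expiredate", "1970-01-02", user])
        actions.append(["pkill", "-KILL", "-u", user])  # end any session that is still open
    for src in inc.attacker_sources:
        net = str(ipaddress.ip_network(src, strict=False))
        actions.append(["iptables", "-I", "INPUT", "1", "-s", net, "-j", "DROP"])
    return actions


def contain(inc: Incident, dry_run: bool = True) -> list[str]:
    """Run (or, by default, only record) the containment actions.

    Returns the timeline lines so they can be attached to the incident record;
    every command is logged before it runs, so a failure still leaves a trace.
    """
    timeline: list[str] = []
    for cmd in containment_actions(inc):
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        timeline.append(f"{stamp} {inc.incident_id} {'PLAN' if dry_run else 'RUN'} {shlex.join(cmd)}")
        if not dry_run:
            subprocess.run(cmd, check=True)
    return timeline


if __name__ == "__main__":
    demo = Incident("IR-2024-0001", ["jdoe"], ["198.51.100.0/24"], ["10.0.5.17"])
    print("\n".join(contain(demo)))   # dry run: prints the plan, changes nothing
```

The dry-run default is deliberate: the plan is reviewed by the incident lead and written to the record before `contain(inc, dry_run=False)` touches anything, and the ordering keeps the host alive for the forensic phase that follows containment.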

Questions on incident response and incident handling can be pretty vague. For the most part, common sense should guide you on anything truly weird, but most questions will be like this one: fairly easy to figure out on your own.

B, C, and D are incorrect because the actions listed in the question do not occur in these incident-handling phases.

2.   A software company puts an application through stringent testing and, on the date of release, is confident the software is free of known vulnerabilities. An organization named BigBiz purchases the software at a premium cost, with a guarantee of service, maintenance, and liability. Which risk management method is in use by the BigBiz organization?

A.  Accept

B.  Transfer

C.  Avoid

D.  Mitigate

B. Depending on who you talk to, there are as many as seven different methods in risk management. Of primary concern for you and EC-Council, however, are these four: Accept, Avoid, Transfer, and Mitigate. In this example, the organization has paid a cost to the software developer, trusting that they have tested the software and that they will assume responsibility and liability for it. In effect, the organization has transferred the risk for this application to the software company. Transferring risk is all about finding a different entity to take responsibility for managing the risk and to accept the liability of an exploitation or loss resulting from it. One caveat worth keeping in mind: the contract moves the financial liability, not the breach itself; BigBiz still owns the data and the operational fallout, which is why transfer is normally paired with mitigation rather than used instead of it.

A is incorrect because this does not describe acceptance. Acceptance of a risk means the organization is aware a risk is present but, for a variety of reasons (such as the cost of mitigation or the unlikelihood that the risk can ever be exploited), decides to do nothing about it. Basically, the owner decides they will just deal with the fallout if the risk is ever realized.

C is incorrect because this does not describe risk avoidance. In risk avoidance, the organization recognizes the risk and eliminates anything and everything that has to do with it. If a particular service, application, or technology is useful to an organization but the cost and effort to deal with the risks involved in its use are too high, they can simply choose not to use the service or application at all.

D is incorrect because this does not describe mitigation. Risk mitigation is exactly what it sounds like: the organization needs the technology or service despite the risk involved, so it takes all steps necessary to lower the chance the risk will ever be exploited. Purchasing and using antivirus and practicing strong patch management are examples.

3.   Which of the following provide automated pen test–like results for an organization? (Choose all that apply.)

A.  Metasploit

B.  Nessus

C.  Core Impact

D.  CANVAS

E.  SAINT

F.  GFI Languard

A, C, D. Automated tool suites for pen testing can be viewed by the client’s management as a means to save time and money, but (in my opinion and in the real world, at least) these tools do neither. They do not provide the same quality of results as a test performed by security professionals, and they are extremely expensive. Automated tools can provide a lot of genuinely good information but are also susceptible to false positives and false negatives, and they don’t necessarily care what your agreed-upon scope says is your stopping point. Metasploit has a free, open source version and an insanely expensive “Pro” version for developing and executing exploit code against a remote target machine. Metasploit historically offered an autopwn module (db_autopwn) that automated the exploitation phase of a penetration test; it was removed from the framework core in 2011, but exam material still refers to it.

Core Impact is probably the best-known, all-inclusive automated testing framework. Per its website, Core Impact “takes security testing to the next level by safely replicating a broad range of threats to the organization’s sensitive data and mission-critical infrastructure—providing extensive visibility into the cause, effect, and prevention of data breaches.” Core Impact tests everything from web applications and individual systems to network devices and wireless.

Per the Immunity Security website, CANVAS “makes available hundreds of exploits, an automated exploitation system, and a comprehensive, reliable exploit development framework to penetration testers and security professionals.” Additionally, the company claims CANVAS’s Reference Implementation (CRI) is “the industry’s first open platform for IDS and IPS testing.”

For you real-world purists out there, and for those reading this who don’t have any experience with any of this just yet, it’s important to note that no automated testing suite provides anything close to the results you’d gain from a real pen test. Core Impact provides a one-step automated pen test result feature (and probably offers the best result and report features), Metasploit offered autopwn, and CANVAS has a similar “run everything” mode; however, all lack the ability to provide the results a true pen test would. In the truest sense of “automated pen test,” you simply can’t do it in the real world (for your exam, stick with the three listed here).

B, E, and F are incorrect for the same reason: they are all vulnerability assessment tool suites, not automated pen test frameworks. Nessus is probably the most recognizable of the three, but SAINT and GFI Languard are both still listed as top vulnerability assessment applications.

4.   Which of the following best describes an assessment against a network segment that tests for existing vulnerabilities but does not attempt to exploit any of them?

A.  Penetration test

B.  Partial penetration test

C.  Vulnerability assessment

D.  Security audit

C. A vulnerability assessment is exactly what it sounds like: the search for and identification of potentially exploitable vulnerabilities on a system or network. These vulnerabilities can be poor security configurations, missing patches, or any number of other weaknesses a bad guy might exploit. The two keys to a vulnerability assessment are that the vulnerabilities are identified, not exploited, and that the report is simply a snapshot in time. The organization will need to determine how often it wants to run a vulnerability assessment. Lastly, it’s important to note that some vulnerabilities simply can’t be confirmed without exploiting them. For example, injecting crafted SQL into a parameter to expose a SQL injection vulnerability may very well constitute an exploit action, but it’s the only way to prove the flaw exists. For your exam, though, stick with no exploitation during this assessment and move on with your life.

A is incorrect because team members on a pen test not only discover vulnerabilities but also actively exploit them (within the scope of their prearranged agreement, of course).

B is incorrect because this is not a valid term associated with assessment types and is included as a distractor.

D is incorrect because a security audit is designed to test the organization’s security policy itself. It should go without saying that the organization must have a security policy in place before a security audit can take place.

5.   You are a member of a pen test team conducting tests. Your team has all necessary scope, terms of engagement, and nondisclosure and service-level agreements in place. You gain access to an employee’s system and during further testing discover child pornography on a hidden drive folder. Which of the following is the best course of action for the ethical hacker?

A.  Continue testing without notification to anyone, but ensure the information is included in the final outbrief report.

B.  Continue testing without interruption, but completely remove all hidden files and the folder containing the pornography.

C.  Stop testing and notify law enforcement authorities immediately.

D.  Stop testing and remove all evidence of intrusion into the machine.

C. If you’ve ever taken any philosophy studies in high school or college, you’ve undoubtedly read some of the ethical dilemmas presented to challenge black-and-white thinking on a matter. For example, theft is undoubtedly bad and is recognized as a crime in virtually every law system on the planet, but what if it’s the only way to save a child’s life? In ethical hacking, there are fine lines on actions to take when you discover something, and sometimes hard edges where there is no choice in the matter. Possession of child porn is a crime, so this case would seem relatively easy to discern. To be fair, and to make the assumption you’ll need to on questions like this on the exam, your course of action is straightforward and simple: notify the authorities and let them handle it.

In the real world, things might be a little more difficult. How do you really know what you’re looking at? Are you positive that what you see is illegal in nature (regardless of what it is—pornography, documentation, letters, and so on)? If you’re not and you falsely accuse someone, what kind of liability do you have now? What about your team? It’s not an easy question to answer in the real world, and you’ll have to largely depend on good, solid pen test agreements up front. Let the client know what actions will be taken when suspected fill-in-the-blank is discovered, and agree upon actions both sides will take. Otherwise you, and your client, could be in for very difficult times.

A is incorrect because the discovery of child porn automatically necessitates the cessation of test activities and contacting the authorities. Waiting until the outbrief is not the appropriate course of action and can get you in hot water.

B is incorrect because this is not only unethical behavior and outside the scope and test agreement bounds, but it’s against the law. You’ve tampered with evidence and obstructed justice at a minimum.

D is incorrect because removing evidence of your actions is not the correct action to take and is unethical in the least (and can actually be considered illegal, depending on the circumstances).

6.   In which phase of a pen test is scanning performed?

A.  Pre-attack

B.  Attack

C.  Post-attack

D.  Reconnaissance

A. I know you’re sick of CEH definitions, terms, and phases of attacks, but this is another one you’ll just need to commit to memory. Per EC-Council, there are three phases of a pen test: pre-attack, attack, and post-attack. The pre-attack phase is where you’d find scanning and other reconnaissance (competitive intelligence, website crawling, and so on).

B is incorrect because scanning is completed in the pre-attack phase. The attack phase holds four areas of work: penetrate the perimeter, acquire targets, execute attack, and escalate privileges.

C is incorrect because scanning is completed long before the post-attack phase. Actions accomplished in post-attack include removing all uploaded files and tools, restoring (if needed) to the original state, analyzing results, and preparing reports for the customer.

D is incorrect because reconnaissance is not a phase of pen testing.

7.   Which of the following describes risk that remains after all security controls have been implemented to the best of one’s ability?

A.  Residual

B.  Inherent

C.  Deferred

D.  Remaining

A. Risk management has all sorts of terminology to remember, and identifying risk before and after security control implementation is what this question is all about. The inherent risk of the system is that which is in place if you implement no security controls whatsoever: in other words, there are risks inherent to every system, application, technology, and service. After you recognize these inherent risks and implement security controls, you may have some residual risks remaining. In other words, residual risk is what is left in the system after you implement security controls.

B is incorrect because inherent risk is what was on the system before you started implementing security controls.

C and D are incorrect because these terms are included merely as distractors.

8.   Which of the following statements are true regarding OSSTMM? (Choose all that apply.)

A.  OSSTMM is a non-profit, international research initiative dedicated to defining standards in security testing and business integrity testing.

B.  OSSTMM recognizes ten types of controls, which are divided into two classes.

C.  ISECOM maintains the OSSTMM.

D.  OSSTMM defines three types of compliance.

B, C, D. The Open Source Security Testing Methodology Manual (OSSTMM) provides a methodology for a thorough security test (also known as an OSSTMM audit). It’s maintained by ISECOM (Institute for Security and Open Methodologies) and is a peer-reviewed manual of security testing and analysis that results in fact-based actions an organization can take to improve security. OSSTMM recognizes ten types of controls, split into two different classes:

•   Class A (Interactive): Authentication, Indemnification, Resilience, Subjugation, and Continuity

•   Class B (Process): Nonrepudiation, Confidentiality, Privacy, Integrity, and Alarm

An OSSTMM audit tests for three different types of compliance: legislative, contractual, and standards-based compliance.

A is incorrect because this is actually the description of ISECOM—the group responsible for the creation and maintenance of OSSTMM.

9.   Which of the following is an open source project produced by OISSG (Open Information Systems Security Group) intended to provide security testing assistance?

A.  OSSTMM

B.  OWASP

C.  COBIT

D.  ISSAF
D. The following is from OISSG’s site: “The Information Systems Security Assessment Framework (ISSAF) is produced by the Open Information Systems Security Group, and is intended to comprehensively report on the implementation of existing controls to support IEC/ISO 27001:2005(BS7799), Sarbanes Oxley SOX404, CoBIT, SAS70 and COSO, thus adding value to the operational aspects of IT related business transformation programmes. It is designed from the ground up to evolve into a comprehensive body of knowledge for organizations seeking independence and neutrality in their security assessment efforts.”

A is incorrect because OSSTMM is a peer-reviewed manual of security testing and analysis maintained by ISECOM that results in fact-based actions that can be taken by an organization to improve security.

B is incorrect because OWASP (Open Web Application Security Project) is an open source web application security project.

C is incorrect because COBIT (Control Objectives for Information and Related Technologies) is a good-practice governance framework and supporting toolset created by ISACA for information technology (IT) management and governance.

10.   NIST SP 800-30 defines steps for conducting a risk assessment. Which of the following statements is true regarding the process?

A.  Threats are identified before vulnerabilities.

B.  Determining the magnitude of impact is the first step.

C.  Likelihood is determined after the risk assessment is complete.

D.  Risk assessment is not a recurring process.

A. NIST SP 800-30, Guide for Conducting Risk Assessments, describes in detail how to perform a risk assessment. The publication defines four overall steps for an assessment, as shown in the following illustration: prepare for the assessment, conduct the assessment, communicate the results, and maintain the assessment. Within the conduct step, threat sources and threat events are identified first, then the vulnerabilities and predisposing conditions those threats could exercise, then the likelihood and impact of each, and finally the resulting risk.

Even if you knew nothing about this publication, though, you could probably work your way into the correct answer here. Of the choices provided, only answer A makes any sense.

B is incorrect because you can’t determine the magnitude of an impact until you have identified the threat and vulnerability that would produce it.

C is incorrect because the likelihood of risk exploitation is a key part of the risk assessment effort and equation, not something determined afterward.

D is incorrect because assessing your risk level is a recurring, always ongoing process; the maintain step exists precisely so the assessment is revisited as threats and systems change.

11.   In which phase of a pen test will the team penetrate the perimeter and acquire targets?

A.  Pre-attack

B.  Attack

C.  Post-attack

D.  None of the above

B. EC-Council splits a pen test into three phases: pre-attack, attack, and post-attack. In the attack phase, the team will attempt to penetrate the network perimeter, acquire targets, execute attacks, and elevate privileges. Getting past the perimeter might take into account things such as verifying ACLs by crafting packets as well as checking the use of any covert tunnels inside the organization. Attacks such as XSS, buffer overflows, and SQL injections will be used on web-facing applications and sites. After specific targets are acquired, password cracking, privilege escalation, and a host of other attacks will be carried out.

A is incorrect because these actions do not occur in the pre-attack phase. Per EC-Council, pre-attack includes planning, reconnaissance, scanning, and gathering competitive intelligence.

C is incorrect because these actions do not occur in the post-attack phase. Per EC-Council, post-attack includes removing all files, uploaded tools, registry entries, and other items installed during testing of the targets. Additionally, your analysis of findings and creation of the pen test report will occur here.

D is incorrect because one of the listed answers (B) is correct.

12.   An organization participates in a real-world exercise designed to test all facets of their security systems. An independent group is hired to assist the organization’s security groups, assisting in the defense of assets against the attacks from the attacking group. Which of the following statements is true?

A.  The group assisting in the defense of the systems is referred to as a blue team.

B.  The group assisting in the defense of the systems is referred to as a red team.

C.  The group assisting in the defense of the systems is known as a white-hat group.

D.  The team attacking the systems must provide all details of any planned attack with the defense group before launching to ensure security measures are tested appropriately.

A. Many organizations run full “war game” scenarios, including defense and attack groups, to test security measures. Generally speaking, the group doing the attacking is known as a red team, while the group assisting with the defense is known as a blue team. The red team is the offense-minded group, simulating the bad guys in the world, actively attacking and exploiting everything they can find in the environment. In a traditional war game scenario, the red team is attacking “black-box” style, given little to no information to start things off. A blue team, on the other hand, is defensive in nature. They’re not out attacking things; rather, they’re focused on shoring up defenses and making things safe. Unlike red teams, blue teams are responsible for defense against the bad guys, so they usually operate with full knowledge of the internal environment.

Blue teams are almost always independent in terms of the target, but their goal is to assist the defenders and to do so with whatever information is available. The difference between blue and red in this scenario is in the cooperative versus adversarial nature: red is there to be the bad guys, do what they would do, look for the impacts they would want to have, and to test the organization’s defense/response, whereas blue is there to help.

B, C, and D are incorrect because these are not true statements. The attacking group is known as a red team. I suppose an argument could be made that members of the blue team are all, in effect, white hats, but there is no such term as a “white-hat group.” And if you’re really testing the true security of a system, alerting the defense teams of everything you plan to do and when you plan on doing it makes little sense.

13.   Which of the following best describes the difference between a professional pen test team member and a hacker?

A.  Ethical hackers are paid for their time.

B.  Ethical hackers never exploit vulnerabilities; they only point out their existence.

C.  Ethical hackers do not use the same tools and actions as hackers.

D.  Ethical hackers hold a predefined scope and agreement from the system owner.

D. This one is a blast from the book’s past and will pop up a couple of times on your exam. The only true difference between a professional pen test team member (an ethical hacker) and the hackers of the world is the existence of the formally approved, agreed-upon scope and contract before any attacks begin.

A is incorrect because although professional ethical hackers are paid for their efforts during the pen test, it’s not necessarily a delineation between the two (ethical and nonethical). Some hackers may be paid for a variety of illicit activities. For one example, maybe a company wants to cause harm to a competitor, so they hire a hacker to perform attacks.

B and C are incorrect for the same reason. If a pen test team member never exploited an opportunity and refused to use the same tools and techniques that the hackers of the world have at their collective fingertips, what would be the point of an assessment? A pen test is designed to show true security weaknesses and flaws, and the only way to do that is to attack it just as a hacker would.

14.   Sally is part of a penetration test team and is starting a test. The client has provided a network drop on one of their subnets for Sally to launch her attacks from. However, they did not provide any authentication information, network diagrams, or other notable data concerning the systems. Which type of test is Sally performing?

A.  External, white box

B.  External, black box

C.  Internal, white box

D.  Internal, black box

D. Sally was provided a network drop inside the organization’s network, so we know it’s an internal test. Additionally, no information of any sort was provided—from what we can gather, she knows nothing of the inner workings, logins, network design, and so on. Therefore, this is a black-box test—an internal black-box test.

A and B are incorrect because this is an internal test, not an external one.

C is incorrect because a white-box test would have included all the information Sally wanted about the network—designed to simulate a disgruntled internal network or system administrator.

15.   Your pen test team is discussing services with a potential client. The client indicates they do not see the value in penetration testing. Which of the following is the correct response from your team?

A.  Run a few tests and display the results to the client to prove the value of penetration testing.

B.  Provide detailed results from other customers you’ve tested, displaying the value of planned testing and security deficiency discovery.

C.  Provide information and statistics regarding pen testing and security vulnerabilities from reliable sources.

D.  Perform the penetration test anyway in case they change their mind.

C. Ethical behavior will definitely find its way to your exam, and this cheesy question is an example. Your potential client may or may not be convinced when presented with the undeniable proof of pen test value from industry leaders (and possibly the U.S. government), but as the saying goes, “you can lead a horse to water, but you can’t make him drink.” An ethical hacker does not proceed without authorization, and doing so not only calls your integrity into question but also makes you a criminal. Documentation for an ethical test team will include scope (of what you can touch, how far you can go with testing, and how much time you’ll spend doing it), terms of engagement, nondisclosure, liability statements, and all sorts of other goodies.

A and D are incorrect because an ethical hacker does not proceed without prior, written permission.

B is incorrect because ethical hackers do not disclose findings, procedures, or any other information about a test to anyone not specified in the agreement without authorization. This is usually covered in the nondisclosure agreement portion of the test team documentation.

16.   In which phase of a penetration test would you compile a list of vulnerabilities found?

A.  Pre-attack

B.  Attack

C.  Post-attack

D.  Reconciliation

C. This is another simple definition question you’re sure to see covered on the exam. You compile the results of all testing in the post-attack phase of a pen test so you can create and deliver the final report to the customer.

A and B are incorrect because this action does not occur in the pre-attack or attack phase.

D is incorrect because reconciliation is not a phase of a pen test as defined by EC-Council.

17.   Which of the following has a database containing thousands of signatures used to detect vulnerabilities in multiple operating systems?

A.  Nessus

B.  Hping

C.  LOIC

D.  SNMPUtil

A. Nessus is probably the best-known, most utilized vulnerability assessment tool on the planet—even though it’s not necessarily free anymore. Nessus works on a server-client basis and provides “plug-ins” to test everything from Cisco devices, Mac OS, and Windows machines to SCADA devices, SNMP, and VMware ESX (a list of plug-in families is published online). It’s part of virtually every security team’s portfolio, and you should definitely spend some time learning how to use it.

As an aside—not necessarily because it has anything to do with your test but because I am all about informing you on how to become a good pen tester—OpenVAS is the open source community’s attempt at a free vulnerability scanner. Nessus was a free scanner for the longest time. However, once Nessus was purchased by Tenable Network Security, it, for lack of a better term, angered a lot of people in the security community because Nessus became a for-profit entity instead of a for-security one. Don’t get me wrong—Nessus is outstanding in what it does; it just costs you money. OpenVAS is attempting to do the same thing for free because the community wants security over profit.

Just keep in mind that most vulnerabilities that are actually capable of causing harm to your systems probably won’t be found by any scanner. The recent Heartbleed vulnerability, which takes advantage of an SSL issue, is a prime example: scanners simply can’t find vulnerabilities we don’t already know about.

B is incorrect because Hping is not a vulnerability assessment tool. Per Hping’s website, it is “a command-line-oriented TCP/IP packet assembler/analyzer” used to test firewalls, to fingerprint operating systems, and even to perform man-in-the-middle (MITM) attacks.

C is incorrect because Low Orbit Ion Cannon (LOIC) is a denial-of-service (network stress-testing) tool, not a vulnerability scanner. It’s open source and can be used, supposedly legitimately, to test “network stress levels.”

D is incorrect because SNMPUtil is an SNMP security verification and assessment tool.
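Questions 16 and 17 meet in practice when the scanner’s output becomes the vulnerability list for the post-attack report. The following is an added example (not from the book or from Tenable) that compiles that list from a Nessus export; the .nessus (NessusClientData_v2) element names are the real export format, while the hosts, plugin IDs and findings are constructed.

```python
"""Compile the post-attack vulnerability list from a Nessus (.nessus v2) export.

Added example, not from the book or from Tenable. The element and attribute
names match the NessusClientData_v2 export format; the scan content, hosts
and plugin IDs below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed export: two hosts share one critical plugin; one item is informational.
SAMPLE_NESSUS = """<NessusClientData_v2>
  <Report name="constructed internal scan">
    <ReportHost name="10.20.7.4">
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
                  pluginID="100001" pluginName="SMB service missing patch (constructed)">
        <solution>Apply the vendor patch (constructed).</solution>
      </ReportItem>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="1"
                  pluginID="100002" pluginName="Weak SSH ciphers offered (constructed)">
        <solution>Restrict the cipher list (constructed).</solution>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="100003" pluginName="OS fingerprint (constructed)">
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.20.7.9">
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
                  pluginID="100001" pluginName="SMB service missing patch (constructed)">
        <solution>Apply the vendor patch (constructed).</solution>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def compile_findings(nessus_xml: str, min_severity: int = 1) -> list[dict]:
    """Group ReportItems by plugin and return one finding per plugin, most severe first.

    Informational items (severity 0) are dropped by default. Every remaining
    finding is listed whether or not the team went on to exploit it, which is
    what the client is owed in the report.
    """
    root = ET.fromstring(nessus_xml)  # export of the team's own scan: trusted input
    by_plugin: dict[str, dict] = {}
    for host in root.iter("ReportHost"):
        host_name = host.get("name")
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            if sev < min_severity:
                continue
            pid = item.get("pluginID")
            entry = by_plugin.setdefault(pid, {
                "plugin_id": pid,
                "title": item.get("pluginName"),
                "severity": sev,
                "severity_name": SEVERITY_NAMES.get(sev, str(sev)),
                "solution": (item.findtext("solution") or "").strip(),
                "affected": [],  # host:port/protocol for each occurrence
            })
            entry["affected"].append(f"{host_name}:{item.get('port')}/{item.get('protocol')}")
    return sorted(by_plugin.values(), key=lambda f: (-f["severity"], f["title"]))


if __name__ == "__main__":
    for f in compile_findings(SAMPLE_NESSUS):
        print(f"[{f['severity_name']}] {f['title']} -> {', '.join(f['affected'])}")
```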

18.   Cleaning registry entries and removing uploaded files and tools are part of which phase of a pen test?

A.  Covering tracks

B.  Pre-attack

C.  Attack

D.  Post-attack

D. Cleaning up all your efforts occurs in the post-attack phase, alongside analyzing the findings and generating the final report. The goal is to put things back exactly how they were before the assessment.

A is incorrect because “covering tracks” is part of the phases defining a hacking attack, not a phase of a pen test.

B and C are incorrect because these steps do not occur in the pre-attack or attack phase.

19.   Which of the following are true statements regarding a pen test? (Choose all that apply.)

A.   Pen tests do not include social engineering.

B.  Pen tests may include unannounced attacks against the network.

C.  During a pen test, the security professionals can carry out any attack they choose.

D.  Pen tests always have a scope.

E.  A list of all personnel involved in the test is not included in the final report.

B, D. Pen tests are carried out by security professionals who are bound by a specific scope and rules of engagement, which must be carefully crafted, reviewed, and agreed on before the assessment begins. This agreement can allow for unannounced testing, should upper management of the organization decide to test their IT security staff’s reaction times and methods.

A, C, and E are incorrect because these are false statements concerning a pen test. Unless expressly forbidden in the scope agreement, social engineering is a big part of any true pen test. The scope agreement usually defines how far a pen tester can go—for example, no intentional denial-of-service attacks and so on. Clients are provided a list of discovered vulnerabilities after the test, even if the team did not exploit them: there’s not always time to crack into every security flaw during an assessment, but that’s no reason to hide it from the customer. Lastly, the final report includes a list of all personnel taking part in the test.
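The scope and rules of engagement that questions 13, 15 and 19 keep returning to are only useful if the team actually checks planned actions against them. The following is an added example (not from the book) of a small rules-of-engagement gate: the authorized networks, exclusions, forbidden techniques and testing window are constructed, and every planned action is allowed or denied with a reason before the attack phase starts.

```python
"""Rules-of-engagement gate: refuse any planned test action outside the agreed scope.

Added example, not from the book. The scope document, addresses, technique
names and testing window below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed scope agreement, encoded by the team after the client signed it.
SCOPE = {
    "in_scope": ["10.20.0.0/16", "203.0.113.0/24"],      # networks the client authorized
    "excluded": ["10.20.5.10", "10.20.5.11"],            # named exclusions (e.g. production DB)
    "forbidden_techniques": {"dos", "ddos"},             # no intentional denial of service
    "window": ("2024-03-01T22:00", "2024-03-02T06:00"),  # agreed testing window (ISO 8601)
}


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(target: str, technique: str, when: str, scope: dict = SCOPE) -> Decision:
    """Decide whether `technique` against `target` at ISO time `when` is authorized.

    Any failing check denies the action; checks run from the most specific
    prohibition (forbidden technique, excluded host) to the most general.
    """
    if technique.lower() in scope["forbidden_techniques"]:
        return Decision(False, f"{technique} is forbidden by the rules of engagement")
    try:
        addr = ip_address(target)
    except ValueError:
        return Decision(False, f"{target!r} is not an IP address; resolve it and re-check")
    if any(addr == ip_address(x) for x in scope["excluded"]):
        return Decision(False, f"{target} is explicitly excluded from testing")
    if not any(addr in ip_network(n) for n in scope["in_scope"]):
        return Decision(False, f"{target} is not in any authorized network")
    start, end = (datetime.fromisoformat(t) for t in scope["window"])
    if not start <= datetime.fromisoformat(when) <= end:
        return Decision(False, "outside the agreed testing window")
    return Decision(True, "in scope, technique permitted, inside the testing window")


def review_plan(plan: list[tuple[str, str, str]], scope: dict = SCOPE) -> dict[str, list[str]]:
    """Split a planned action list into allowed and denied entries, each with its reason.

    Run before the attack phase; the denied list doubles as evidence for the
    report that the team stayed inside the agreement.
    """
    result: dict[str, list[str]] = {"allowed": [], "denied": []}
    for target, technique, when in plan:
        d = authorize(target, technique, when, scope)
        result["allowed" if d.allowed else "denied"].append(f"{technique} {target}: {d.reason}")
    return result


if __name__ == "__main__":
    plan = [  # constructed plan: one permitted action and four that the gate must refuse
        ("10.20.7.4", "port_scan", "2024-03-01T23:30"),
        ("10.20.5.10", "port_scan", "2024-03-01T23:30"),
        ("10.20.7.4", "dos", "2024-03-01T23:30"),
        ("192.168.1.1", "port_scan", "2024-03-01T23:30"),
        ("10.20.7.4", "password_audit", "2024-03-02T09:00"),
    ]
    for bucket, lines in review_plan(plan).items():
        print(bucket.upper())
        for line in lines:
            print("  " + line)
```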

20.   Which of the following causes a potential security breach?

A.  Vulnerability

B.  Threat

C.  Exploit

D.  Zero day

B. So which came first—the chicken or the egg? This question is right along those same lines and can be really confusing, but if you key on the “cause” portion of the question, you should be okay. Sure, a vulnerability would need to be present; however, a vulnerability on its own doesn’t cause anything. A threat is something that could potentially take advantage of an existing vulnerability. Threats can be intentional, accidental, human, or even an “act of God.” A hacker is a threat to take advantage of an open port on a system and/or poor password policy. A thunderstorm is a threat to exploit a tear in the roof, leaking down into your systems. Heck, a rhinoceros is a threat to bust down the door and destroy all the equipment in the room. Whether those threats have intent, are viable, and are willing/able to take up the vulnerability is a matter for risk assessment to decide; they’ll probably beef up password policy and fix the roof, but I doubt much will be done on the rhino front.

A is incorrect because a vulnerability is a weakness in security. A vulnerability may or may not necessarily be a problem. For example, your system may have horribly weak password policy or even a missing security patch, but if it’s never on the network and is locked in a guarded room accessible by only three people who must navigate a biometric system to even open the door, the existence of those vulnerabilities is moot.

C is incorrect because an exploit is what is or actually can be done by a threat agent to utilize the vulnerability. Exploits can be local or remote, a piece of software, a series of commands, or anything that actually uses the vulnerability to gain access to, or otherwise affect, the target.

D is incorrect because a zero-day exploit is simply an exploit that most of us don’t really know much about at the time of its use. For instance, a couple of years back some bad guys discovered a flaw in Adobe Reader and developed an exploit for it. From the time the exploit was created to the time Adobe finally recognized its existence and built a fix action to mitigate against it, the exploit was referred to as zero day.
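The answer above leaves the final call to risk assessment, and question 10 named NIST SP 800-30 as the process for that. The following is an added example (not from the book) that scores the threat/vulnerability pairs described above in SP 800-30’s qualitative style, where overall likelihood combines how likely the threat event is to occur with how likely it is to succeed, and risk combines that likelihood with impact; the five-level scales are the publication’s, but the combination rules and every rating are my own constructed simplification, not the publication’s exact tables.

```python
"""Rank the threat/vulnerability pairs from question 20 into a risk register.

Added example, not from the book. It follows the qualitative approach of NIST
SP 800-30 Rev. 1 (overall likelihood from threat initiation and success, then
risk from likelihood and impact), but the combination rules below are a
constructed simplification, not the publication's exact appendix tables, and
every rating assigned to a scenario is constructed for illustration.
"""
LEVELS = ["very low", "low", "moderate", "high", "very high"]

# Risk from (likelihood row, impact column); constructed after SP 800-30's risk table.
RISK_MATRIX = {
    "very high": ["very low", "low", "moderate", "high", "very high"],
    "high":      ["very low", "low", "moderate", "high", "very high"],
    "moderate":  ["very low", "low", "moderate", "moderate", "high"],
    "low":       ["very low", "low", "low", "low", "moderate"],
    "very low":  ["very low", "very low", "very low", "low", "low"],
}


def overall_likelihood(initiation: str, success: str) -> str:
    """Combine how likely the threat event occurs with how likely it succeeds.

    Constructed rule: the weaker factor dominates, so a vulnerability the threat
    cannot reach (the locked-room machine in the answer to A) rates very low
    even when the threat itself is active.
    """
    return LEVELS[min(LEVELS.index(initiation), LEVELS.index(success))]


def risk_level(likelihood: str, impact: str) -> str:
    """Look up risk for an overall likelihood and an impact level."""
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


def build_register(scenarios: list[dict]) -> list[dict]:
    """Score each scenario and return the register sorted most risky first.

    `treat` is a constructed decision rule: anything at moderate or above gets a
    countermeasure; lower risks are accepted (the rhino front stays unfunded).
    """
    register = []
    for s in scenarios:
        lik = overall_likelihood(s["initiation"], s["success"])
        risk = risk_level(lik, s["impact"])
        register.append({**s, "likelihood": lik, "risk": risk,
                         "treat": LEVELS.index(risk) >= LEVELS.index("moderate")})
    return sorted(register, key=lambda r: -LEVELS.index(r["risk"]))


# Constructed ratings for the scenarios the answer to question 20 describes.
SCENARIOS = [
    {"threat": "hacker", "vulnerability": "open port and poor password policy",
     "initiation": "high", "success": "high", "impact": "high"},
    {"threat": "thunderstorm", "vulnerability": "tear in the roof",
     "initiation": "moderate", "success": "moderate", "impact": "moderate"},
    {"threat": "rhinoceros", "vulnerability": "door that can be busted down",
     "initiation": "very low", "success": "high", "impact": "high"},
    {"threat": "hacker", "vulnerability": "weak password on offline, guarded machine",
     "initiation": "high", "success": "very low", "impact": "high"},
]

if __name__ == "__main__":
    for r in build_register(SCENARIOS):
        action = "treat" if r["treat"] else "accept"
        print(f"{r['risk']:>9} | {action:6} | {r['threat']} vs {r['vulnerability']}")
```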

21.   Which Metasploit payload type operates via DLL injection and is difficult for antivirus software to pick up?

A.  Inline

B.  Meterpreter

C.  Staged

D.  Remote

B. For those of you panicking over this question, relax. You do not have to know all the inner workings of Metasploit, but it does appear enough—in the variety of study materials available for the version 7 exam—that EC-Council wants you to know some basics, and this question falls in that category. There are a bunch of different payload types within Metasploit, and meterpreter (short for meta-interpreter) is one of them. The following is from Metasploit’s website: “Meterpreter is an advanced payload that is included in the Metasploit Framework. Its purpose is to provide complex and advanced features that would otherwise be tedious to implement purely in assembly. The way that it accomplishes this is by allowing developers to write their own extensions in the form of shared object (DLL) files that can be uploaded and injected into a running process on a target computer after exploitation has occurred. Meterpreter and all of the extensions that it loads are executed entirely from memory and never touch the disk, thus allowing them to execute under the radar of standard anti-virus detection.”

A is incorrect because inline payloads are single payloads that contain the full exploit and shell code for the designed task. They may be more stable than other payloads, but they’re easier to detect and, because of their size, may not be viable for many attacks.

C is incorrect because staged payloads establish a connection between the attacking machine and the victim. Once the connection is established, the payload is revisited to execute on the remote machine.

D is incorrect because “remote” isn’t a recognized payload type.

22.   Metasploit is a framework allowing for the development and execution of exploit code against a remote host and is designed for use in pen testing. The framework consists of several libraries, each performing a specific task and set of functions. Which library is considered the most fundamental component of the Metasploit framework?

A.  MSF Core

B.  MSF Base

C.  MSF interfaces

D.  Rex

D. Once again, this is another one of those weird questions you may see (involving any of the framework components) on your exam. It’s included here so you’re not caught off guard in the actual exam room and freak out over not hearing it before. Don’t worry about learning all the nuances of Metasploit and its architecture before the exam—just concentrate on memorizing the basics of the framework (key words for each area will assist with this), and you’ll be fine.

Metasploit, as you know, is an open source framework allowing all sorts of automated (point-and-shoot) pen test methods. The framework is designed in a modular fashion, with each library and component responsible for its own function. The following is from Metasploit’s development guide: “The most fundamental piece of the architecture is the Rex library, which is short for the Ruby Extension Library. Some of the components provided by Rex include a wrapper socket subsystem, implementations of protocol clients and servers, a logging subsystem, exploitation utility classes, and a number of other useful classes.” Rex provides critical services to the entire framework.

A is incorrect because the MSF Core “is responsible for implementing all of the required interfaces that allow for interacting with exploit modules, sessions, and plugins.” It interfaces directly with Rex.

B is incorrect because the MSF Base “is designed to provide simpler wrapper routines for dealing with the framework core as well as providing utility classes for dealing with different aspects of the framework, such as serializing module state to different output formats.” The Base is an extension of the Core.

C is incorrect because the MSF interfaces are the means by which you (the user) interact with the framework. Interfaces for Metasploit include Console, CLI, Web, and GUI.

23.   Which of the following may be effective countermeasures against an inside attacker? (Choose all that apply.)

A.  Enforce elevated privilege control.

B.  Secure all dumpsters and shred collection boxes.

C.  Enforce good physical security practice and policy.

D.  Perform background checks on all employees.

A, B, C, D. All of the answers are correct. Admittedly, there’s nothing you can really do to completely prevent an inside attack. There’s simply no way to ensure every single employee is going to remain happy and satisfied, just as there’s no way to tell when somebody might just up and decide to turn to crime. It happens all the time, in and out of Corporate America, so the best you can do is, of course, the best you can do.

Enforcing elevated privilege control (that is, ensuring users have only the amount of access, rights, and privileges to get their job done, and no more) seems like a commonsense thing, but it’s amazing how many enterprise networks simply ignore this. After all, a disgruntled employee with administrator rights on his machine can certainly do more damage than one with just plain user rights. Securing dumpsters and practicing good physical security should help protect against an insider who wants to come back after hours and snoop around. And background checks on employees, although by no means a silver bullet in this situation, can certainly help to ensure you’re hiring the right people in the first place (in many companies a background check is a requirement of law). Other steps include, but are not limited to, the following:

•   Monitoring user network behavior

•   Monitoring user computer behavior

•   Disabling remote access

•   Disabling removable drive use on all systems (USB drives and so on)

•   Shredding all discarded paperwork

•   Conducting user education and training programs