Chapter 84 · Quiz

Penetration Testing — Quiz

10-question assessment covering rules of engagement, the four attack phases, lateral movement, persistence, pivoting, responsible disclosure, and bug bounty programs.

Question 1 of 6
Before a penetration testing firm begins an engagement, they meet with the client to discuss and document the scope and constraints of the test. The resulting document specifies which IP ranges may be tested, that testing is only permitted between 10 PM and 6 AM, that three specific production database servers are excluded, that emergency contacts are listed for both parties, and that any discovered credentials must be stored in an encrypted vault and destroyed after the engagement. What is this document called, and why is it required before any testing begins?
Question 2 of 6
A penetration tester has successfully compromised an internet-facing web server via a SQL injection vulnerability. From this position, she uses the web server's database credentials to connect to an internal database server, then uses a built-in SQL Server feature to execute operating system commands on the database server, and from there establishes access to an internal file server that was completely unreachable from the internet. Which penetration testing phase does this sequence most accurately demonstrate?
Question 3 of 6
A penetration tester has gained administrative access to a domain controller during an engagement. Before the engagement's conclusion, the tester creates two new user accounts with names designed to blend with legitimate service accounts, modifies a scheduled task on three servers to run a callback script hourly, and installs a remote access tool that beacons to an external server. The next week, the client's security team discovers and patches the original vulnerability that gave the tester initial access. The tester's access to the environment remains uninterrupted. Which penetration testing phase accounts for this continued access?
Question 4 of 6
During a penetration test, the testing team discovers that the in-scope web application shares a database server with three other applications, one of which handles payment processing and is explicitly listed as out-of-scope in the rules of engagement. Following the database connection reveals that the payment processing database is directly accessible from the test environment. What is the correct action for the penetration testing team?
Question 5 of 6
A security researcher discovers a critical remote code execution vulnerability in a widely used authentication library. She privately reports it to the maintainers with full documentation and proof-of-concept code. The maintainers respond within 24 hours, confirm the issue, and begin working on a patch. Forty-two days later, the patched version is released, and the vulnerability details are published publicly along with a CVE identifier. The researcher is credited in the advisory. No exploitation of the vulnerability is detected before the public disclosure. What process did the researcher follow?
Question 6 of 6
A software company wants to improve the security of its flagship web application by having independent security researchers test it. The company is willing to pay for valid findings. They define a list of authorized target systems, require that researchers document reproduction steps and impact, and prohibit researchers from accessing or exfiltrating real user data beyond what is necessary to demonstrate a vulnerability. Which program model does this describe, and what is its primary benefit to the company?

Matching

ndash;10. Match each penetration testing scenario to the phase it best represents.

1. A penetration tester sends a carefully crafted phishing email to five employees. One employee clicks the link, a payload is executed, and the tester receives a reverse shell from the employee's workstation. This is the first access the tester has gained to any internal system in the engagement.
2. From a compromised workstation, the tester uses Mimikatz to extract password hashes from memory, then uses those hashes to authenticate to the HR server, the finance file server, and ultimately the domain controller — none of which required additional exploitation because the captured credentials were valid across all systems.
3. After compromising the domain controller, the tester creates a hidden administrator account, installs a scheduled task that runs a callback script every 30 minutes, and verifies that the default password on a service account has never been changed. All three mechanisms continue to provide access one week after the engagement's active phase ends.
4. The tester has compromised a workstation in the corporate network. The workstation cannot directly reach the manufacturing control network — a separate VLAN with firewall rules preventing direct access. However, the workstation has an authorized connection to a SCADA management server that bridges both VLANs. The tester routes their attack traffic through this management server to reach control systems that were architecturally designed to be unreachable from the corporate network.
A. Initial exploitation
B. Lateral movement
C. Persistence
D. The pivot