English Sample Exam Ehf 201606
Edition 201606
Copyright © EXIN Holding B.V. 2016. All rights reserved.
EXIN® is a registered trademark.
No part of this publication may be reproduced, stored, utilized or transmitted in any form or by any means, electronic,
mechanical, or otherwise, without the prior written permission from EXIN.
Introduction
Sample Exam
Answer Key
Evaluation
This is the sample exam EXIN Ethical Hacking Foundation. The Rules and Regulations for EXIN’s
examinations apply to this exam.
This exam consists of 40 multiple-choice questions. Each multiple-choice question has a number
of possible answers, of which only one is the correct answer.
The maximum number of points that can be obtained for this exam is 40. Each correct answer is
worth one point. If you obtain 26 points or more you will pass.
Good luck!
1 / 40
What is the primary goal of an Ethical Hacker?
A. Avoiding detection
B. Determining return on investment (ROI) for security measures
C. Resolving security vulnerabilities
D. Testing security controls
2 / 40
What are examples of network sniffing tools?
A. Bash, Nano, VI
B. Nmap, Metasploit, Nessus
C. Wireshark, Tshark, TCPdump
3 / 40
An ethical hacker is hired by an organization to gain remote access to their internal network. He has
not received any information about the internal network of the organization.
4 / 40
What is a function of the R57 shell?
5 / 40
Mary has added an apostrophe after an ?id= parameter within the URL of a webpage. She now sees
an error, saying there was a syntax error.
A. Session Hijacking
B. SQL injection
C. Cross Site Scripting (XSS)
7 / 40
What can be used to create a connection between your machine and the website you have your R57
shell running on?
A. Eval function
B. Backconnect shell
C. Reverse shell
8 / 40
While in Meterpreter, you found an interesting file named passwords.xls. You want to retrieve
this file within Meterpreter but are unsure how to do it.
9 / 40
You have found a live system on IP address 192.168.10.113.
Which nmap command lets you detect the Operating System of a target?
A. nmap -O 192.168.10.113
B. nmap -Os 192.168.10.113
C. nmap -os 192.168.10.113
10 / 40
A service scan including fingerprint showed that a target machine is running Apache 2.2.14.
A. UNION GET
B. UNION SELECT
C. UNION CONCAT
12 / 40
A hacker is trying to capture traffic from his wireless network adapter.
A. eth0
B. l0
C. wlan0
13 / 40
Before beginning the ethical hack at a client, a penetration tester should always be prepared for any
legal issues.
A. Analyze the environment of the client to see if there are any vulnerabilities that might cause
issues before the actual ethical hack.
B. Sign a contract with the client before performing the ethical hack.
C. Talk to the client before the test and make sure whether the test has to be a black, grey or white
box test.
14 / 40
At what point in the Ethical Hacking process is the attacker most likely to use a port scanning tool?
A. Attack execution
B. Attack preparation
C. Information gathering
D. Report writing
15 / 40
What is a c99 shell used for?
A. airbase-ng
B. aireplay-ng
C. wesside-ng
17 / 40
A penetration tester wants to know what IP addresses are currently active on the network. He uses
nmap to do so.
A. -sU
B. -sO
C. -sP
18 / 40
A client has said that he created a case-insensitive filter that blocks 'script' from being inserted in
any forms, to prevent an XSS PoC.
A. <sCrIPt>alert(1);</ScRiPT>
B. <javascript>alert(1);</script>
C. <img src=x onerror=alert(1)>
19 / 40
A hacker managed to find an XSS vulnerability. Now she wants to take over sessions.
A. document.session
B. session.cookie
C. document.cookie
20 / 40
When creating an XSS PoC, what is the function that provides a pop-up?
A. popup()
B. alert()
C. window.popup()
22 / 40
A website's URL contains 'index.php?page=home.php'. The page= parameter allows remote
URLs to be passed and it loads them.
23 / 40
Someone has breached a website and managed to keep it a secret. The hack was not part of an
assignment and there was no permission.
24 / 40
You are performing a penetration test and are asked to test the authentication strength of a storage
device. You have not received the IP address of the host, but you were told that the system sends a
message to the network's broadcast every five minutes.
A. Ncrack
B. Netdiscover
C. Wireshark
26 / 40
Penetration testers sometimes use shells to communicate and find vulnerabilities in systems. One
type of shell is the so-called 'Bind Shell'. In certain scenarios these are ineffective.
Why is that?
A. Firewalls will block any traffic on a port the Bind Shell tries to communicate on.
B. Windows 7 and above cannot run shell commands anymore if the user is not an administrator.
C. Bind Shells only run on terminal based operating systems.
27 / 40
A penetration tester is testing a web application. To check for vulnerabilities she decides to check if
SQL injections are possible.
A. Dollar sign
B. Semicolon
C. Single quote
28 / 40
You are not sure what the MAC address is of your WiFi network.
After being advised to use Airodump-NG, what network should you look for?
A. BSSID
B. ESSID
C. SSID
29 / 40
You are trying to find out which of your plugged in network adapters supports WiFi.
A. iwconfig
B. wificards
C. wireshark
31 / 40
A tester is conducting a penetration test on a web server. She begins the test with a banner grabbing
attack. She has already verified that the web server is running a Linux distribution. However, the
HTTP banner reports that it is running IIS version 8.
A. Folder redirection
B. Port obfuscation
C. Process redirection
D. Service spoofing
32 / 40
You have saved the output of an Nmap scan in XML format.
What should you use to import the scan results within Metasploit?
A. db_import
B. nmap_import
C. scan_import
33 / 40
Metasploit makes use of several modules in order to test for vulnerabilities. One of these modules
allows the penetration tester to automatically serve browser exploits.
A. browser_exploiter
B. browser_autopwn
C. metasploit_autopwn
35 / 40
A network administrator noticed some suspicious traffic on the company's network. He decides to
investigate it. After successfully pinging the source of the traffic he uses a utility to find the
associated MAC address.
A. ARP
B. DNSSpoof
C. PSExec
36 / 40
When typing exploit in Metasploit, the exploit module fails to run and gives an error that says a target
has not been selected.
37 / 40
When looking at webserver log files, Pete wants to know what browser was used during the attack
against his website. Pete should look for information that is generally being sent through the
<answer> header.
A. Accept-Language:
B. Host:
C. User-Agent:
A. DNS Lookup
B. GeoIP Location Lookup
C. WHOIS Lookup
39 / 40
A penetration tester is scanning the network environment of his client with a tool. This tool has the
following properties:
- It uses a ranking to show the impact of a vulnerability.
- It detects all sorts of vulnerabilities on various operating systems such as Windows, Linux
and Mac OS.
- It is able to detect bots, trojans and other malware that might be installed on the computers
connected to the network.
A. Nessus
B. Nmap
C. Nikto
40 / 40
What is the name of the Metasploit modules that are not used for exploitation?
A. Auxiliaries
B. Payloads
C. shellcodes
1 / 40
What is the primary goal of an Ethical Hacker?
A. Avoiding detection
B. Determining return on investment (ROI) for security measures
C. Resolving security vulnerabilities
D. Testing security controls
A. Incorrect. Avoiding detection is one part of Ethical Hacking but not the primary goal.
B. Incorrect. ROI calculation is part of control selection and risk mitigation.
C. Incorrect. Ethical Hacking is finding and documenting vulnerabilities, not resolving them.
D. Correct. The primary job of Ethical Hackers is security testing.
2 / 40
What are examples of network sniffing tools?
A. Bash, Nano, VI
B. Nmap, Metasploit, Nessus
C. Wireshark, Tshark, TCPdump
3 / 40
An ethical hacker is hired by an organization to gain remote access to their internal network. He has
not received any information about the internal network of the organization.
A. Correct. The ethical hacker doesn't know anything about the internal network. He simulates being
a black hat hacker, working from outside the company.
B. Incorrect. In this case the ethical hacker is given a minimum of information.
C. Incorrect. In a white box test, all the relevant information about the system/network is available to
the hacker.
A. Incorrect. There is no web-based version of Metasploit that you can use out-of-the-box. Metasploit
is a framework that makes use of a database for vulnerability exploitation.
B. Correct. That is a function of the R57 shell.
C. Incorrect. This is not possible with the R57 Shell. This could be done with a tool in combination
with Metasploit.
5 / 40
Mary has added an apostrophe after an ?id= parameter within the URL of a webpage. She now sees
an error, saying there was a syntax error.
A. Incorrect. Using an apostrophe [’] to close the SQL query will cause the application to throw a SQL
syntax error (if a SQLi vulnerability is present).
B. Incorrect. Using an apostrophe [’] to close the SQL query will cause the application to throw a SQL
syntax error (if a SQLi vulnerability is present).
C. Correct. Using an apostrophe [’] to close the SQL query will cause the application to throw a SQL
syntax error (if a SQLi vulnerability is present).
6 / 40
A site uses dynamically generated content. By making use of a specific technique, it is possible to
steal login credentials of the user.
A. Session Hijacking
B. SQL injection
C. Cross Site Scripting (XSS)
A. Incorrect. Session Hijacking is something the hacker might want to do after using XSS.
B. Incorrect. SQL injection is creating new queries and trying to get private information from the
database.
C. Correct. XSS code makes it possible to place JavaScript code into a site without the user noticing
it. The code can show a fake login window that sends the credentials to the hacker. Penetration
Testing - A Hands-On Introduction to Hacking, chapter 14, Cross Site Scripting.
A. Eval function
B. Backconnect shell
C. Reverse shell
A. Incorrect. Eval function has nothing to do with the R57 shell. It does not prompt anything.
B. Correct. R57 is also called "Backconnect shell". It is used for sending malware, spam, etc.
C. Incorrect. R57 is also called "Backconnect shell". It is used for sending malware, spam, etc.
8 / 40
While in Meterpreter, a hacker finds an interesting file named passwords.xls. He wants to
retrieve this file within Meterpreter but is unsure how to do it.
9 / 40
You have found a live system on IP address 192.168.10.113.
Which nmap command lets you detect the Operating System of a target?
A. nmap -O 192.168.10.113
B. nmap -Os 192.168.10.113
C. nmap -os 192.168.10.113
A. Correct. The -O tries to get the information of the OS that is used. Penetration Testing - A
Hands-On Introduction to Hacking, chapter 5.
B. Incorrect. The -Os is not even a key for nmap.
C. Incorrect. The -os is not even a key for nmap.
11 / 40
You know the table and column names from a database, you can expand your SQL Injection to
retrieve data.
A. UNION GET
B. UNION SELECT
C. UNION CONCAT
A. Incorrect. The SQL UNION operator combines the result of two or more SELECT statements.
B. Correct. The SQL UNION operator combines the result of two or more SELECT statements.
C. Incorrect. The CONCAT function is used to concatenate two strings to form a single string (when
we have only one field to receive the data).
12 / 40
A hacker is trying to capture traffic from his wireless network adapter.
A. eth0
B. l0
C. wlan0
A. Incorrect. eth0 is always a wired Ethernet adapter. wlan0 is the only wireless adapter choice.
B. Incorrect. wlan0 is the only wireless adapter choice.
C. Correct. wlan0 is the only wireless adapter choice. Penetration Testing – A Hands-On Introduction
to Hacking, chapter 7.
A. Analyze the environment of the client to see if there are any vulnerabilities that might cause
issues before the actual ethical hack.
B. Sign a contract with the client before performing the ethical hack.
C. Talk to the client before the test and make sure whether the test has to be a black, grey or white
box test.
A. Incorrect. Analyzing the environment of the client comes after signing all legal documents such as
the NDA. Using hacking tools does not make it legal or not.
B. Correct. Sign a contract. That way both parties (the pentester and client) know what is mutually
expected. Penetration Testing - A Hands-On Introduction to Hacking, chapter 0.
C. Incorrect. Although this has to be done this has nothing to do with any legal issues.
14 / 40
At what point in the Ethical Hacking process is the attacker most likely to use a port scanning tool?
A. Attack execution
B. Attack preparation
C. Information gathering
D. Report writing
15 / 40
What is a c99 shell used for?
A. airbase-ng
B. aireplay-ng
C. wesside-ng
17 / 40
A penetration tester wants to know what IP addresses are currently active on the network. He uses
nmap to do so.
A. -sU
B. -sO
C. -sP
18 / 40
A client has said that he created a case-insensitive filter that blocks 'script' from being inserted in
any forms, to prevent an XSS PoC.
A. <sCrIPt>alert(1);</ScRiPT>
B. <javascript>alert(1);</script>
C. <img src=x onerror=alert(1)>
A. Incorrect. This script will not run because the client's form checks on case sensitive scripts.
B. Incorrect. This will not run because script cannot be run in the form.
C. Correct. This will run. Penetration Testing – A Hands-On Introduction to Hacking, chapter 14.
A. document.session
B. session.cookie
C. document.cookie
20 / 40
When creating an XSS PoC, what is the function that provides a pop-up?
A. popup()
B. alert()
C. window.popup()
21 / 40
A penetration tester is asked to scan a machine, but is only allowed to check if TCP/IP ports 21, 22,
80 and 443 are open.
A. Incorrect. It is not possible to scan on a specific type like https or ssh. The tester will have to
know which ports are used.
B. Correct. By checking the ports it is possible to see which services (https, ssh, etc.) are running.
C. Incorrect. It is not possible to scan on a specific type like https or ssh. The tester will have to
know which ports are used.
A. Correct. Penetration Testing – A Hands-On Introduction to Hacking, chapter 14, Remote File
Inclusion.
B. Incorrect. This is not the correct term.
C. Incorrect. This is not the correct term.
23 / 40
Someone has breached a website and managed to keep it a secret. The hack was not part of an
assignment and there was no permission.
A. Correct. A person who hacks without permission is called a Black hat hacker.
B. Incorrect. Valid hacker type, but does not match the description.
C. Incorrect. Valid hacker type, but does not match the description.
D. Incorrect. Valid hacker type, but does not match the description.
24 / 40
You are performing a penetration test and are asked to test the authentication strength of a storage
device. You have not received the IP address of the host, but you were told that the system sends a
message to the network's broadcast every five minutes.
A. Ncrack
B. Netdiscover
C. Wireshark
A. Correct. Minimal information is provided to the penetration tester during a black box test.
B. Incorrect. A black hat is a type of hacker, not a type of test.
C. Incorrect. Moderate to advanced details are provided to the penetration tester during a white box
test.
26 / 40
Penetration testers sometimes use shells to communicate and find vulnerabilities in systems. One
type of shell is the so-called 'Bind Shell'. In certain scenarios these are ineffective.
Why is that?
A. Firewalls will block any traffic on a port the Bind Shell tries to communicate on.
B. Windows 7 and above cannot run shell commands anymore if the user is not an administrator.
C. Bind Shells only run on terminal based operating systems.
A. Correct. A bind shell instructs the target machine to open a command shell and listen on a local
port. The attack machine then connects to the target machine on the listening port. However, with
the advent of firewalls, the effectiveness of bind shells has fallen because any correctly configured
firewall will block traffic to some random port like 4444. Penetration Testing - A Hands-On
Introduction to Hacking, chapter 4 - Types of shells
B. Incorrect. Bind shells have nothing to do with the user being an administrator.
C. Incorrect. Bind shells run on any operating system or website.
A. Dollar sign
B. Semicolon
C. Single quote
28 / 40
You are not sure what the MAC address is of your WiFi network.
After being advised to use Airodump-NG, what network should you look for?
A. BSSID
B. ESSID
C. SSID
A. Correct. The BSSID is the wireless equivalent of a MAC address. Penetration Testing, A Hands-On
Introduction to Hacking.
B. Incorrect. The ESSID is the friendly broadcast network name, not the MAC address.
C. Incorrect. This is similar to the ESSID and not the MAC address.
29 / 40
You are trying to find out which of your plugged in network adapters supports WiFi.
A. iwconfig
B. wificards
C. wireshark
31 / 40
A tester is conducting a penetration test on a web server. She begins the test with a banner grabbing
attack. She has already verified that the web server is running a Linux distribution. However, the
HTTP banner reports that it is running IIS version 8.
A. Folder redirection
B. Port obfuscation
C. Process redirection
D. Service spoofing
32 / 40
You have saved the output of an Nmap scan in XML format.
What should you use to import the scan results within Metasploit?
A. db_import
B. nmap_import
C. scan_import
A. Correct. The 'db_import' command is used to import the scan results in the Metasploit database.
B. Incorrect. The 'nmap_import' command is used to run an Nmap scan against the targets and the scan
results would then be stored automatically in the database.
C. Incorrect. The 'db_import' command is used to import the scan results in the Metasploit database.
A. browser_exploiter
B. browser_autopwn
C. metasploit_autopwn
34 / 40
An ethical hacker is trying to breach a website through SQL Injection. He also changed his User-
Agent HTTP header, sent by his browser.
35 / 40
A network administrator noticed some suspicious traffic on the company's network. He decides to
investigate it. After successfully pinging the source of the traffic he uses a utility to find the
associated MAC address.
A. ARP
B. DNSSpoof
C. PSExec
A. Correct. ARP shows the MAC addresses for all IP addresses of which network traffic was
received. Penetration Testing - A Hands-On Introduction to Hacking, chapter 7.
B. Incorrect. DNSSpoof doesn't provide information on MAC addresses.
C. Incorrect. PSExec doesn't provide information on MAC addresses.
37 / 40
When looking at webserver log files, Pete wants to know what browser was used during the attack
against his website. Pete should look for information that is generally being sent through the
<answer> header.
A. Accept-Language:
B. Host:
C. User-Agent:
A. Incorrect. User-Agent tells a web server the type and version of the client's browser.
B. Incorrect. User-Agent tells a web server the type and version of the client's browser.
C. Correct. User-Agent tells a web server the type and version of the client’s browser. Penetration
Testing, A Hands-On Introduction to Hacking, chapter 7.
38 / 40
A company has suffered from a DDoS attack. They have the IP address of the attacker and want to
contact their Internet Service Provider to report an abuse.
A. DNS Lookup
B. GeoIP Location Lookup
C. WHOIS Lookup
A. Nessus
B. Nmap
C. Nikto
A. Correct. Nessus is a vulnerability scanner that uses all the things stated in the question.
Penetration Testing, A Hands-On Introduction to Hacking, chapter 6 - Nessus
B. Incorrect. Nmap doesn't scan for vulnerabilities. It is a version scanner.
C. Incorrect. Nikto is a web application scanner only.
40 / 40
What is the name of the Metasploit modules that are not used for exploitation?
A. auxiliaries
B. payloads
C. shellcodes
A. Correct. Some modules that are not used for exploitation are known as auxiliary modules; they
include vulnerability scanners, fuzzers, and even denial of service modules. A good rule of thumb to
remember is that exploit modules use a payload and auxiliary modules do not. Penetration Testing -
A Hands-On Introduction to Hacking, chapter 4 - using an auxiliary module.
B. Incorrect. Payloads are the same as shellcode and are used to exploit.
C. Incorrect. Shellcodes are the same as payloads and are used to exploit.
The table below shows the correct answers to the questions in this sample exam.
www.exin.com