# Chapter 16 Quiz: Penetration Testing Methodology
Test your knowledge of structured penetration testing phases, scoping, tooling, and professional standards.
## Questions
1. A client asks a penetration tester to test "everything on the network" without providing a written contract. What is the tester's correct first action?
- A) Begin reconnaissance since broad scope was verbally authorized
- B) Refuse to proceed until a signed Rules of Engagement document is obtained
- C) Perform only passive reconnaissance to avoid legal risk
- D) Submit a findings report immediately for the verbal scope
**Answer**
B — Refuse to proceed until a signed Rules of Engagement document is obtained
Legal authorization is the foundation of every engagement. Without a signed Rules of Engagement (RoE) document defining scope, permitted techniques, emergency contacts, and exclusions, a tester is exposed to criminal liability. Verbal authorization provides no legal protection under the Computer Fraud and Abuse Act or equivalent statutes.
2. During a penetration test, an assessor discovers a SQL injection vulnerability and successfully extracts a database dump containing live customer PII. Per professional standards, what is the correct immediate action?
- A) Continue exploitation to demonstrate full impact
- B) Delete the extracted data and continue
- C) Stop exploitation, document the finding, and notify the client per RoE escalation procedures
- D) Encrypt the dump and include it as an appendix to the final report
**Answer**
C — Stop exploitation, document the finding, and notify the client per RoE escalation procedures
PTES and professional ethics require that once PII or sensitive data is confirmed accessible, the tester stops further extraction, documents the proof of access (screenshot, query used), and notifies the client immediately per the escalation contacts defined in the RoE. Exfiltrating real PII is never required to prove impact.
3. Which CVSS v3.1 metric vector represents the highest severity: an unauthenticated network attack with no user interaction, low attack complexity, and full compromise of confidentiality, integrity, and availability?
- A) `AV:L/AC:H/PR:H/UI:R/C:L/I:L/A:L`
- B) `AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:H`
- C) `AV:A/AC:L/PR:L/UI:N/C:H/I:H/A:L`
- D) `AV:N/AC:H/PR:N/UI:N/C:H/I:N/A:N`
**Answer**
B — `AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:H`
This vector scores 9.8 (Critical). Network attack vector (AV:N), low complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and full CIA impact (C:H/I:H/A:H) all maximize the CVSS base score. This pattern describes vulnerabilities like unauthenticated remote code execution.
4. What is the primary distinction between a white-box penetration test and a gray-box penetration test?
- A) White-box tests use only open-source tools; gray-box tests use commercial tools
- B) White-box provides full source code, architecture diagrams, and credentials; gray-box provides partial information such as user-level access or network diagrams
- C) White-box tests internal networks only; gray-box tests perimeter systems
- D) White-box is performed by external consultants; gray-box by internal staff
**Answer**
B — White-box provides full source code, architecture diagrams, and credentials; gray-box provides partial information such as user-level access or network diagrams
The black-, gray-, and white-box classification refers to the tester's level of prior knowledge: black-box simulates an external attacker with zero prior knowledge; gray-box simulates an insider or authenticated user with partial knowledge; white-box gives complete system knowledge. Each provides a different risk perspective and a different trade-off between realism and testing efficiency.
5. During the scanning phase of the PTES methodology, a tester runs `nmap -sS -p- -T4 --script=default 10.10.10.0/24`. What does the `-sS` flag specifically invoke?
- A) A full TCP connect scan that completes the three-way handshake
- B) A TCP SYN (half-open) scan that sends RST before completing the handshake
- C) A UDP scan of all ports
- D) An SCTP INIT scan
**Answer**
B — A TCP SYN (half-open) scan that sends RST before completing the handshake
A SYN scan (stealth scan) sends a SYN packet and identifies open ports by receiving SYN-ACK, but immediately sends RST to avoid completing the connection. This is faster than a full connect scan (`-sT`) and generates fewer log entries on the target, making it the default Nmap scan mode when run with root privileges.
6. Which phase of the penetration testing lifecycle is responsible for cleaning up implanted tools, removing created accounts, and restoring modified configurations?
- A) Post-exploitation
- B) Reporting
- C) Remediation validation
- D) Cleanup (part of post-exploitation)
**Answer**
D — Cleanup (part of post-exploitation)
Post-exploitation encompasses lateral movement, privilege escalation, and persistence demonstrations, but the cleanup sub-phase specifically requires testers to remove all artifacts — backdoors, created users, modified files — to return systems to their pre-engagement state. Failure to clean up can leave organizations exposed after the engagement ends.
7. A penetration test report contains an "Executive Summary" section and a "Technical Findings" section. Which audience is the Executive Summary specifically written for?
- A) SOC analysts who will implement remediations
- B) Senior leadership and board members who need risk context without technical detail
- C) Network engineers who will patch vulnerable systems
- D) Legal counsel reviewing the engagement contract
**Answer**
B — Senior leadership and board members who need risk context without technical detail
The Executive Summary translates technical findings into business risk language — financial exposure, reputational impact, regulatory implications — for non-technical decision makers. The Technical Findings section provides reproduction steps, tool output, and remediation guidance for engineers. Both sections are essential deliverables in a professional pentest report.
8. Metasploit's `use exploit/multi/handler` is commonly configured during which pentest phase and for what purpose?
- A) Reconnaissance — to enumerate open ports passively
- B) Scanning — to fingerprint services
- C) Exploitation — to catch reverse shells from executed payloads
- D) Reporting — to generate automated vulnerability summaries
**Answer**
C — Exploitation — to catch reverse shells from executed payloads
The `multi/handler` module acts as a listener that receives incoming connections from payloads (e.g., Meterpreter reverse shells) executed on compromised targets. It is set up before payload delivery during the exploitation phase and is paired with the same payload type (e.g., `windows/x64/meterpreter/reverse_tcp`) used in the attack.
9. What distinguishes a penetration test from a red team assessment in terms of primary objective?
- A) Red teams use more expensive tools than penetration testers
- B) Penetration tests aim to find and document as many vulnerabilities as possible; red teams test the organization's detection and response capabilities against a targeted objective
- C) Penetration tests are always external; red team assessments are always internal
- D) Red teams are performed annually; penetration tests are performed quarterly
**Answer**
B — Penetration tests aim to find and document as many vulnerabilities as possible; red teams test the organization's detection and response capabilities against a targeted objective
A pentest is breadth-focused — identify and report all exploitable vulnerabilities within scope. A red team engagement is objective-focused — reach a specific goal (e.g., access the domain controller) while testing whether defenders detect the intrusion. Red teams intentionally avoid setting off alerts to mimic real adversaries; pentesters do not have this constraint.
10. Under the PTES (Penetration Testing Execution Standard), which phase involves gathering intelligence through DNS enumeration, WHOIS lookups, and job postings — without sending packets to the target?
- A) Exploitation
- B) Post-exploitation
- C) Intelligence Gathering (passive reconnaissance)
- D) Vulnerability Analysis
**Answer**
C — Intelligence Gathering (passive reconnaissance)
PTES Phase 2, Intelligence Gathering, subdivides into passive and active reconnaissance. Passive recon collects information from public sources (WHOIS, DNS records, Google dorking, LinkedIn, job postings, certificate transparency logs) without direct interaction with target systems. This phase shapes the attack surface model used in later vulnerability analysis and exploitation phases.
## Scoring
| Score | Performance |
|---|---|
| 9–10 | Expert — Penetration testing methodology concepts fully internalized |
| 7–8 | Proficient — Ready to operate on structured pentest engagements |
| 5–6 | Developing — Review Chapter 16 PTES phases and scoping sections |
| <5 | Foundational — Re-read Chapter 16 before proceeding |