4. Social Engineering Attacks

Ref:📕CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

Press the Start button to begin the practice test.

PenTest+ (PT0-002) Chapter 04. Social Engineering Attacks

1 / 36

What is one way attackers can perform a badge cloning attack?

A. By using a 3D printer to replicate the physical badge

B. By using specialized software and hardware

C. By hacking into the company’s database to download the badge design

D. By bribing security personnel to gain entry

2 / 36

Which of the following is an effective measure against dumpster diving?

A. Ignoring old storage media

B. Leaving documents in trash for extended periods

C. Storing sensitive documents safely and shredding when no longer required

D. Leaving recycling containers unattended

3 / 36

What can the Social-Engineer Toolkit (SET) be used for?

A. To launch numerous social engineering attacks

B. To generate passwords

C. To analyze code

D. To predict network traffic

4 / 36

Which of the following statements about the Social-Engineer Toolkit (SET) is incorrect?

A. SET is installed by default in Kali Linux and Parrot Security

B. SET can be used to launch numerous social engineering attacks

C. SET can be used to create a spear phishing email

D. SET is incompatible with third-party tools and frameworks

5 / 36

Which of the following is NOT a motivation technique/method of influence used by social engineers?

A. Authority

B. Sympathy

C. Scarcity and urgency

D. Social proof

6 / 36

What is the main function of the Social-Engineer Toolkit (SET) in penetration testing?

A. To scan for open ports on a machine

B. To conduct social engineering attacks

C. To encrypt communication channels

D. To test server configurations

7 / 36

What is Vishing?

A. Voice phishing through a phone conversation

B. An attack vector that uses malicious software

C. A physical intrusion of a secure location

D. A type of cyber attack using email services

8 / 36

What sets whaling apart from other phishing attacks?

A. It targets high-profile business executives and key individuals

B. It uses malware to compromise the victim’s system

C. It leverages emails designed to mimic banking warnings

D. It is used to collect sensitive information from victims

9 / 36

Which option should be selected in the Social-Engineer Toolkit (SET) to generate a normal PDF with an embedded EXE for a social engineering attack?

A. Create a FileFormat Payload

B. Use built-in BLANK PDF for attack

C. Adobe PDF Embedded EXE Social Engineering

D. Windows Reverse TCP Shell

10 / 36

What is pretexting in the context of social engineering attacks?

A. It’s a type of attack where the threat actor redirects a victim from a valid website to a malicious one

B. An attacker presents as someone else to gain access to information

C. It involves incorporating malicious ads on trusted websites

D. It’s a method where an attacker asks open-ended questions to learn about a victim’s viewpoints

11 / 36

Which of the following best describes the function of the Social-Engineer Toolkit (SET) in penetration testing?

A. It is only used for backing up system data before a penetration test.

B. It executes brute force attacks to test password strength.

C. It supports the creation and management of phishing emails and payloads.

D. It assists in network enumeration and scanning.

12 / 36

What is the purpose of using the Social-Engineer Toolkit (SET) in a social engineering attack?

A. To decompile the application code

B. To protect the network from external attacks

C. To launch numerous social engineering attacks and integrate with other tools such as Metasploit

D. To repair the vulnerabilities in the system

13 / 36

Which of the following methods is NOT known to be used by social engineers as a form of manipulation?

A. Use of authority

B. Being unlikable

C. Use of fear

D. Creating scarcity and urgency

14 / 36

What is the definition of ’Social proof’ in the context of social engineering attacks?

A. Creating urgency or scarcity in a decision-making context.

B. Manipulating a person with fear to act promptly.

C. A psychological phenomenon in which an individual mimics the behavior of others due to uncertainty.

D. Social engineers ensuring that their appearance, behavior, and language are appealing and likable.

15 / 36

Which of the following prevention techniques is NOT effective against shoulder surfing social engineering attacks?

A. User awareness and training

B. Installing special screen filters for computer displays

C. Frequently changing passwords

D. Using small hidden cameras and microphones

16 / 36

Which of the following social engineering methods involves using the fear of losing out on an opportunity to manipulate the victim?

A. Authority

B. Scarcity and urgency

C. Social proof

D. Fear

17 / 36

Which technique/method does a social engineer use to make a person act promptly by playing with their fears?

A. Authority

B. Scarcity and urgency

C. Social proof

D. Fear

18 / 36

What is a key feature of the Social-Engineer Toolkit (SET) in the context of Spear-Phishing attack vectors?

A. SET can only be installed on Windows operating systems.

B. SET allows for integration with third-party tools and frameworks like Metasploit.

C. SET can only launch phishing attacks and no other type of social engineering attacks.

D. SET cannot generate a normal PDF with embedded EXE.

19 / 36

What are the post-exploitation activities that the Social-Engineer Toolkit (SET) allows?

A. Spawning a Meterpreter shell, Windows reverse VNC DLL, reverse TCP shell

B. Installing a backdoor into the victim’s system

C. Hijacking the victim’s system

D. Writing an exploit for the victim’s system

20 / 36

What are some of the actions that the Social-Engineer Toolkit (SET) can perform after a successful exploitation?

A. Spawn a command shell on the victim machine.

B. Launch a Windows Shell Bind_ TCP.

C. Create a Windows Meterpreter Reverse HTTPS.

D. All of the above

21 / 36

In the given email phishing example, why might the recipient be coaxed into disclosing their confidential information?

A. The email requests a payment confirmation

B. The email presents a familiar situation of delayed payments from the accounts department

C. The email includes an attachment that appears like a valid document

D. The email includes an MD5 Checksum

22 / 36

What element does a social engineering attack primarily leverage?

A. The hardware in the network

B. The vulnerabilities in the software

C. The human users in the organization

D. The weaknesses in the network structure

23 / 36

Which of the following best describes how spear phishing operates according to the provided passage?

A. Spear phishing is a random attempt to gain unauthorized access to systems across different organizations.

B. Spear phishing relies on sending threatening emails to the victim’s organization.

C. In spear phishing, the threat actor impersonates trusted users within the company to make emails appear legitimate.

D. Spear phishing is a type of phishing where the attacker impersonates the victim.

24 / 36

Which of the following call spoofing tools can be used to change your voice, record calls, generate different background noises, and send calls straight to voicemail?

A. SpoofApp

B. SpoofCard

C. Asterisk

D. Turbulence

25 / 36

Which of the following call spoofing tools is a legitimate voice over IP (VoIP) management tool that can also be used to impersonate caller ID?

A. SpoofApp

B. SpoofCard

C. Asterisk

D. None of the above

26 / 36

What is the method called when an attacker impersonates someone else in order to gain access to information?

A. Pharming

B. Pretexting

C. Malvertising

D. Elicitation

27 / 36

What is the primary purpose of a watering hole attack in the context of a computer network?

A. To scan the network for any possible vulnerabilities

B. To profile users of specific organizations and gain a foothold in the network

C. To compromise a website by injecting JavaScript or other similar code

D. To redirect users to another website

28 / 36

Which call spoofing tool can be used to generate different background noises?

A. SpoofApp

B. SpoofCard

C. Asterisk

D. None of the above

29 / 36

What is the main purpose of a Universal Serial Bus (USB) drop key attack?

A. To physically damage the computer system

B. To convince the user to enter their personal information

C. To convince the user to use lost USB drives and install malware on their system

D. To steal the user’s hardware equipment

30 / 36

Which among the following call spoofing tools is capable of generating different background noises and sending calls straight to voicemail during social engineering attacks?

A. SpoofApp

B. SpoofCard

C. Asterisk

D. None of the above

31 / 36

Which of the following best describes the technique of pretexting in the context of social engineering attacks?

A. Asking loaded questions to elicit information from the victim

B. Monitoring the victim’s body language and voice for signs of discomfort

C. Impersonating a different individual or role to gain access to information

D. Redirecting a victim from a legitimate website to a malicious one

32 / 36

What is the purpose of the Browser Exploitation Framework (BeEF)?

A. To redirect users to legitimate websites

B. To manipulate users by leveraging XSS vulnerabilities

C. To protect web applications from XSS and CSRF vulnerabilities

D. To test the robustness of session tokens on websites

33 / 36

Which social engineering influence technique involves manipulating the victim’s concern that a disadvantageous or harmful outcome may occur?

A. Authority

B. Scarcity and urgency

C. Social proof

D. Fear

34 / 36

How can one help mitigate SMS phishing attacks?

A. Clicking on links from unknown message senders

B. Clicking on the link in a random message about a problem with an Amazon order

C. Avoiding clicking on any links sent via text messages if not expected

D. Clicking on a link when a message says that there is a problem with a credit card transaction

35 / 36

What type of attack would a penetration tester simulate in order to evaluate an organization’s physical security measures?

A. Social Engineering Attack

B. DDoS Attack

C. SQL Injection

D. Physical Attack

36 / 36

What is the difference between piggybacking and tailgating in the context of social engineering?

A. Piggybacking requires the authorized person’s consent while tailgating does not.

B. Tailgating occurs in server rooms while piggybacking occurs in general areas.

C. Tailgating requires advanced technical skills but piggybacking does not.

D. Piggybacking involves multiple people, while tailgating involves one person.

Your score is

Free CompTIA Pentest+ Anki decks are now available!

Click the download button after filling out the form below
to get your free practice exam Anki deck!

4. Social Engineering Attacks

Press the Start button to begin the practice test.

Free CompTIA Pentest+ Anki decks are now available!

Related Posts

The Affordable, Hands-On Josh Madakor IT Course that gets Results!

The Affordable, Hands-On Cyber Security that gets Results!

JOIN OUR

NEWSLETTER