
Cyber Quiz Day 24


Question 1

A login page shows “Invalid login!” on failure. In a Hydra web form attack, what is the primary reason to capture that exact string?

  • To speed up requests by caching responses

  • To let Hydra detect failed attempts during matching

  • To bypass rate limiting with pattern masking

  • To auto-extract valid usernames from HTML

Question 2

You intercepted a password hash dump from a web app (unsalted MD5). Which approach is MOST efficient?

  • Offline dictionary/rule-based cracking with John the Ripper

  • Online brute force with Hydra against /login

  • Rainbow tables against salted hash set

  • Aircrack-ng with a large wordlist

Question 3

You must verify a Wi-Fi passphrase from a captured handshake file using a wordlist. Which tool fits best?

  • John the Ripper

  • Medusa

  • Hydra

  • Aircrack-ng

Question 4

During a Hydra http-post-form attack, which part below is the failure indicator Hydra uses to decide a login failed?

hydra -l admin -P rockyou.txt target.tld https-post-form \
"/login.php:user=^USER^&pass=^PASS^:Invalid credentials"

  • /login.php

  • user=^USER^&pass=^PASS^

  • ^USER^ and ^PASS^ placeholders

  • Invalid credentials

Question 5

In Medusa, which flag pairing correctly specifies a username and a password list file?

  • -U (user) and -p (password file)

  • -u (user) and -P (password file)

  • -l (user file) and -P (password file)

  • -L (user) and -p (password file)

Question 6

Which scenario best describes a reverse brute force attack?

  • Trying many passwords against one username

  • Trying one/few common passwords against many usernames

  • Trying precomputed hash chains against salted passwords

  • Trying wordlist + numeric suffix rules against a single target

Question 7

Which scenario makes rainbow tables largely useless even for weak passwords?

  • Legacy NTLM hashes

  • Unsalted MD5 hashes

  • Properly salted SHA-256 hashes

  • Hashes truncated to 8 chars

Question 8

You’re brute-forcing a web form that includes a mutable anti-CSRF token. How do you adapt Hydra?

  • Use http-post-form with a pre-request or cookie capture script to fetch a fresh token per try

  • Ignore the token; Hydra bypasses CSRF by default

  • Use -I interactive mode to paste cookies manually per attempt

  • Switch to https-get-form to avoid tokens

Question 9

You captured a WPA2 handshake and want to test a hybrid attack (dictionary + mutations). What’s the best tool/approach?

  • Medusa with -M wifi

  • Aircrack-ng (or Hashcat) with rules to mutate the dictionary

  • Hydra with http-post-form

  • John with LM hash mode

Question 10

Which prevention strategy specifically raises the work factor for offline cracking against leaked hashes?

  • Using CAPTCHAs on the login form

  • Employing strong, unique passwords with MFA

  • Using slow, memory-hard KDFs (e.g., bcrypt/Argon2) with unique salts

  • Displaying generic error messages only

