CertMaster Pentest+ Practice


A security consultant is trying to redirect traffic at Layer 2 to conduct MitM attacks. Which of the following are they trying to perform?

ARP Poisoning - This attack deliberately maps an incorrect MAC address to a correct IP address, which poisons the ARP cache. ARP poisoning is used to redirect traffic for malicious purposes.

A security tester is conducting an assessment on a new network where NAC is employed. What is the most common way to bypass NAC?

Access an authenticated device - The most common way to bypass NAC is by accessing an authenticated device and using the device to slip by the NAC appliance.

A penetration tester is currently reviewing the adherence to organizational policies and procedures. Which controls help to monitor this?

Administrative - Administrative controls are security measures implemented to monitor the adherence to organizational policies and procedures. These include activities such as hiring and termination policies and employee training.

A security tester wants to disable monitor mode on a wireless interface. Which tool should they use?

Airmon-ng - Airmon-ng will enable and disable monitor mode on a wireless interface. Airmon-ng can also switch an interface from managed mode to monitor mode.

A security professional is testing the Wi-Fi with MDK4 and wants to create the appearance of many wireless networks. Which of the following modes should they use?

B - Mode b creates the appearance of many wireless networks. MDK4 is a powerful Linux based tool that features a wide range of attacks.

A security professional wants to use SET for a targeted attack towards personnel. Which of the following can SET NOT do?

Badge cloning - Badge cloning is not currently a capability of The Social Engineering Toolkit (SET), but it does allow for third-party modules.

A security researcher is analyzing various on-path attack techniques to develop detection mechanisms against them. Which of the following is NOT an on-path attack?

Biometric spoofing - Biometric spoofing is not an example of an on-path attack. An on-path attack is when a malicious actor sits in the middle or in the path of a connection.

A security student is analyzing how nmap determines a particular operating system. Which of the following is NOT a component of how the operating system is determined?

CName - The Canonical Name (CName) string is the username that is to be authenticated. This is not a component of how nmap determines what operating system is on a machine.

A security analyst is looking at a packet capture in Wireshark and trying to find activity based on a certain user. Which of the following would represent a user field?

CName - When assessing traffic on a Windows machine in an Active Directory (AD) environment, we can find user account names found in Kerberos traffic. The Canonical Name (CName) string is the username that is to be authenticated.

A security professional is checking for domains based on certificates that are no longer allowed. What could they check for this?

CRL - The Certification Revocation List (CRL) is a list of certificates that in some way have been deemed invalid. Although effective, most online services have moved to the newer OCSP to check the validity of the certificate.

A security tester has been using Shodan for several engagements but wants another source of reference similar to Shodan. Which of the following would best fit that?

Censys - When testing for vulnerabilities, one tool the team can use is Censys, an attack surface analyzer, similar to Shodan, to identify exposed systems.

A company has contracted an independent penetration testing company to do API testing. Which of the following are they most likely testing?

Cloud resources - API testing is common with cloud resources. Companies recognize the vulnerabilities that exist when dealing with cloud assets. Many have turned to penetration testers to test the strength of the security mechanisms.

A security penetration tester wants to try exfiltrating data by synthesizing images into .wav files. Which tool should they use to do this?

Coagula - Coagula is a tool used to synthesize an image into a .wav file. To achieve this, you'll need to download Coagula and Audacity, which are both free programs.

A penetration tester likes the functionality of Armitage and wants to get a fuller paid version for use on client tests. What should they look into?

Cobalt Strike - Cobalt Strike is a commercial version of Armitage with advanced features and reporting. Armitage itself is an intuitive GUI for the Metasploit framework.

A company is expanding operations to Europe and wants to make sure that they won't run into any security issues during expansion. What type of test should they have done?

Compliance - Compliance-based assessments are used as part of fulfilling the requirements of a specific law or standard, such as GDPR, HIPAA, or PCI DSS.

A penetration test is being conducted on a financial institution. Which of the following is geared to ensure the security and confidentiality of client information?

GLBA - The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to ensure the security and confidentiality of client information and take steps to keep customer information secure.

During a penetration testing engagement, one of the team members presents a fictitious situation as real. What is this tactic called?

Hoax - A hoax is another element of social engineering in which the attacker presents a fictitious situation as real. A hoax could be a link that leads to malicious code.

A security researcher is testing the disruption of a Wi-Fi signal by broadcasting on the same frequency as the target WAP. What is this called?

Jamming - Jamming is an attack that disrupts a Wi-Fi signal by broadcasting on the same frequency as the target WAP, and any signals that a wireless transceiver is attempting to send or receive will be blocked.

A student is studying cyber security and reads about a tool called Responder. The student sets it up on their home network to test on devices that they own. Which protocols should they filter during packet captures to see what is happening? (Select all that apply.)

LLMNR/NBT-NS - Responder is a man-in-the-middle type tool that can be used to exploit name resolution on a Windows network which poisons LLMNR. Responder is also designed to intercept and poison NBT-NS. Once a request is intercepted, Responder will return the attacker's host IP as the name record.

A penetration tester is conducting a PCI DSS compliance report for a large company that does ten million transactions a year. What level should they comply with?

Level 1 - Level 1 is a large merchant with over six million transactions a year and must have an external auditor perform the assessment by an approved Qualified Security Assessor (QSA).

A vulnerability has just gone through the mitigation phase of the vulnerability lifecycle. What is the next phase?

Manage - Manage is when the patch has been released. It's now up to each organization to take the next step and apply the patch in order to remediate or mitigate the vulnerability.

A team is conducting a physical assessment and uses a simple mechanism such as cardboard to bypass a certain control. Which control are they likely bypassing?

Motion sensor - The team can attempt to block the motion detector by using a piece of cardboard or Styrofoam over the sensor.

A security researcher is testing the effects of a network scan with no flags set. What is this referred to as?

NULL - A null scan is a packet sent without any flags set. This is not an actual stealth scan as security systems are set to look for these.

A security professional is researching the latest vulnerabilities that have been released. Where is a good resource they can go to in order to look at these?

NVD - To learn more about the vulnerabilities, you can often click on CVE names, which have hyperlinks to the record in the National Vulnerability Database (NVD). Once there, you can read more details.

A penetration tester wants to test exfiltrating data via encrypted mechanisms. What could they use to accomplish this?

Ncat - Ncat is an Interactive CLI tool written for the Nmap Project. Ncat is used to read and write raw data over a network and includes support for proxy connections along with IPv6 and SSL communications.

A security student wants to start conducting vulnerability scans on their own network. They want to be able to use a commercial tool, but that is available for free for home use. Which of the following could they use?

Nessus - Nessus is a powerful scanning tool that can scan either enterprise or home networks. Nessus for home or personal use is free. If running on an enterprise network, you will need to purchase the product.

A student is studying penetration testing methodologies and is trying to narrow in their skill sets to web application testing. Which of the following should they focus on?

OWASP - The Open Web Application Security Project (OWASP) is an organization aimed at increasing awareness of web security and provides a framework for testing during each phase of the software development process.

A security engineer is trying to avoid antivirus on a company's systems. Which tool could they use to modify the hash of their payloads?

ObfuscatedEmpire - Obfuscating a known signature can be done with a tool such as ObfuscatedEmpire. It is a fork of Empire that has Invoke-Obfuscation baked directly into its functionality.

A systems administrator for a small company is tasked with performing a vulnerability scan inside their network. They are not given a budget but instead are asked to find open-source tools. Which of the following could they use?

OpenVAS - A team can run a vulnerability scan using the Open Vulnerability Assessment Scanner. OpenVAS will list the vulnerabilities along with a risk rating that summarizes the overall state of the site that was tested.

A penetration test is being conducted on a Department of Motor Vehicles' vehicle. What should the testers take into consideration when performing the assessment?

DPPA - The Driver's Privacy Protection Act (DPPA) governs the privacy and disclosure of personal information gathered by state Departments of Motor Vehicles.

A client for a security assessment is worried about corruption of company information and wants to perform a health check. What is this called?

Data modification - Data modification or corruption is when data has been altered in some way, which is a violation of integrity.

A security researcher is setting up an evil twin as part of a security conference demonstration. Which type of attack does an evil twin typically perform?

Deauthentication - Getting users to join an evil twin is often accomplished by using a deauthentication attack. Once the client is kicked off the network, the attacker may be able to trick the user into reconnecting to the rogue AP.

A penetration tester wants to try keeping multiple fake web connections open for as long as possible, until the maximum number of allowed connections is reached. They want to employ this method on a test server to see how much they will be able to handle before needing to scale outwards. What type of attack should they use to test this?

Slowloris - A slowloris attack keeps multiple fake web connections open for as long as possible until the maximum number of allowed connections is reached.

A military unit has adopted sending communications hidden in the white space of images as a standard operating procedure. Which of the following tools uses white space to conceal data payloads?

Snow - Snow is a CLI steganography tool that conceals a data payload within the whitespace of a text file that uses the ASCII format.

A penetration tester is conducting a physical test on-premise and is attempting to exploit human errors. What type of risk is the pen tester trying to exploit?

Social Engineering - Human errors can also be seen as Social Engineering, which attempts to leverage human mistakes to gain information used in attacks or breaches.

A penetration tester is conducting an nmap scan but wants to conserve bandwidth. Which setting should they use to perform this?

T2 - T2 slows the scan to conserve bandwidth. In some cases, network devices enforce rate limiting, which limits the data flow by either policing or shaping the traffic.

A systems administrator wants to conduct a scan to identify which services are open on their machines in an attempt to try to disable unused services. Which of the following should they perform?

TCP - TCP Scans will check for open and listening TCP ports to determine what services are in use.

A security auditor is assessing SMB vulnerabilities and conducting a scan against the services. In order to speed up the scan, what port should they specify?

TCP 139 - Server Message Block (SMB) is TCP port 139. The tester can retrieve directory information, list, and transfer files. SMB is also over port 445 and is a common file and print service.

A security engineer is trying to understand the default behavior of nmap scans during host discovery. What does nmap send to port 80?

TCP ACK - During host discovery, nmap sends a TCP ACK packet to port 80. Because every network is unique, the team may need to use a variety of scans to get a solid grasp on the environment.

A security researcher has detected anomalous timestamp entries where a system's log event microseconds have all been set to 0, and they suspect the system has been compromised and the timestamps modified. Which tool did the attacker probably use?

TimeStomp - Changing time values is possible by using Metasploit's meterpreter tool called TimeStomp, which allows you to delete or modify timestamp-related information on files.

A penetration tester is gathering OSINT in an attempt to conduct a phishing campaign against an executive. Which of the following would be the least effective in an OSINT campaign?

Web server vulnerabilities - Web server vulnerabilities are not as useful for a targeted phishing campaign. Campaigns are more effective with information like who they manage, email addresses, and profiles.

A penetration tester wants to become more efficient and effective at penetration testing. What standard provides a comprehensive overview of the proper structure of a complete PenTest and includes discussion on several topics, such as pre-engagement interactions, threat modeling, vulnerability analysis, exploitation, and reporting?

PTES - The Penetration Testing Execution Standard (PTES) has seven main sections that provide a comprehensive overview of the proper structure of a complete PenTest. Some of the sections include details on topics such as pre-engagement interactions, threat modeling, vulnerability analysis, exploitation, and reporting.

An attacker has sent an email where the victim navigates to a malicious web page that has been set up to look official. What is this called?

Pharming - Pharming is when an attacker entices the victim into navigating to a malicious web page that has been set up to look official.

A marketing coordinator meets with many high-profile companies to discuss penetration testing engagements. Which of the following is NOT something they might want to show to ensure confidence and trust in their team?

Pre-Discovered information - Penetration testing companies should never do work before entering into an agreement including scope. This could possibly lead to prosecution.

A social engineer is communicating, whether directly or indirectly, a lie or half-truth in order to get someone to believe a falsehood. What is this tactic called?

Pretexting - One social engineering tactic is to use pretexting, whereby the team will communicate, whether directly or indirectly, a lie or half-truth in order to get someone to believe a falsehood.

A new penetration tester is creating a summary of their first upcoming process and wants to follow the standard process. What step takes place after planning?

Recon - Reconnaissance is next and focuses on gathering as much information about the target as possible. This process includes searching information on the Internet, using Open-Source Information Gathering Tools (OSINT), and websites.

A security professional is looking for an organization's code that might have been posted publicly by developers. Which of the following sources is least likely to contain accidental posts by a company's developers?

Reddit - Reddit is less likely to contain code from developers, though it is possible it could exist on here. The other three options are specifically geared towards shared code repositories.

A penetration tester is conducting OSINT reconnaissance against key employees to try to find avenues into the network and notices that they belong to specific communities. Which of the following would most likely help them target these niche areas?

Reddit - Reddit is often used to target marketing efforts toward specific communities.

A security professional is looking for interesting targets on a public-facing web server. What would show them areas of the server that are not supposed to be crawled?

Robots - The robots.txt file is a simple yet essential file that tells the bots where to search, and more importantly, where NOT to search.

A security assessor is trying to set up automated scans that check against a predetermined security baseline that checks for vulnerabilities. Which of the following should they set up for this?

SCAP - The Security Content Automation Protocol (SCAP) is a US standard used to ensure applications are in line with mandated security requirements.

A project manager for a penetration company has received a notice about a contract being terminated. The project manager wants to review the documentation to see specifically what is allowed under the termination clauses. Which document should they look at?

SLA - A service-level agreement (SLA) is a contract that outlines the detailed terms under which a service is provided, including reasons the contract may be terminated.

A network administrator is looking at the security of their Domain Name System servers and is researching common attacks against DNS. Which of the following is NOT as common an attack geared towards DNS services?

SMB attacks - SMB attacks would not be conducted against the DNS service itself since they are inherently different services. SMB attacks could be conducted against the host itself but DNS should be hardened and any unnecessary services turned off.

A network engineer is measuring a wireless signal level in relation to any background noise to ensure efficient wireless communications. Which of the following should they look at?

SNR - The goal is to have a good Signal-to-Noise Ratio (SNR), which is the measurement of a wireless signal level in relation to any background noise.

A penetration tester has established a foothold inside a network and wants to conduct reconnaissance inside while remaining anonymous. What could they use to best accomplish this?

SOCKS - Proxy servers are used on a network to mediate the communications between a client and another server. One method is to use Socket Secure (SOCKS).

A security tester is looking at vulnerabilities regarding shared accounts. In which of the following environments are shared accounts more likely to be found?

SOHO - A shared account can be used in a small office home office (SOHO) environment, as many SOHO networking devices do not allow you to create multiple accounts.

A penetration tester is working on a project and sees a fairly recent VoIP vulnerability has come out. Which of the following records would best help them narrow down potential targets?

SRV - Service (SRV) record provides host and port information on services such as voice over IP (VoIP) and instant messaging (IM).

A Linux systems administrator is concerned about data exfiltration from one of their DMZ servers through an encrypted connection. What common service should they disable on these DMZ servers for externally facing assets?

SSH - When communicating with a remote, Linux-based machine, it's common to use Secure Socket Shell (SSH), a protocol that provides a way to communicate securely via a CLI (shell) over an encrypted connection.

The Social Engineering Toolkit is being employed for a targeted attack towards personnel. Which of the following can SET NOT do?

Scaling - Scaling is a physical security attack that applies to perimeter security such as natural barriers or fences, to deter someone from simply entering the property.

A penetration tester needs to craft a custom packet in order to bypass an Intrusion Prevention System (IPS). What tools could they use to craft custom packets? (Select all that apply.)

Scapy/Hping3 - Scapy is a tool to craft and send a malformed packet to your target. The type of packet crafted will be dependent on security products and rules. Hping3 is also a tool to craft and send a malformed packet to your target. For example, the Christmas (XMAS) scan might be able to bypass security mechanisms that follow strict interpretation of RFC 793.

A security tester is conducting war driving for several sites. Which of the following tools could they use to help in this effort?

WiGLE - WiGLE is a site dedicated to mapping and indexing access points. With improved devices and user education, there are significantly fewer open access points today.

A penetration tester discovers a device during an engagement and needs to try conducting a Pixie attack or attempt to crack PMKID offline. Which tool should they use?

Wifite2 - Wifite2 is a wireless auditing tool you can use to assess the WLAN. Wifite2 can launch a variety of attacks including Pixie attacks, PMKID cracking, and more.

A security firm is looking at expanding operations outside the United States. Which of the following tools might be illegal to use due to U.S. encryption export regulations?

Wireshark - Wireshark is a powerful open-source protocol analysis tool that can decrypt many of the protocols used to conceal data, such as IPsec, Kerberos, and SSL/TLS. It falls under the U.S. encryption export regulations, and it may be illegal to use in certain countries.

A security analyst is trying to find older versions of a company's website which contained sensitive information. They are worried that attackers might still be able to find older versions, so they want to try using commands. Which command would help them search?

cache - Use a standard cache search on a site, and you will see a recent view of the website. To do a quick check simply type cache: in the address bar. For example, cache:https://comptia.org.

A network technician is reviewing signal strengths of wireless antennas to ensure that the signal does not extend beyond the buildings for anyone to attempt to gain access. What are they measuring?

dBi - The signal strength of a wireless antenna is referred to as decibels per isotropic (dBi) and can vary according to the design.

A penetration tester is conducting a test against external-facing websites. Which of the following tools is specifically geared towards website enumeration?

dirbuster - Dirbuster is specifically geared towards website enumeration. There are numerous tools and techniques available to evaluate a website.

A penetration tester has been contracted to do a test for a hospital and is looking at computerized electronic patient records. What are these referred to as?

e-PHI - Computerized electronic patient records are referred to as electronic protected health information (e-PHI). With HIPAA, the e-PHI of any patient must be protected from exposure, or the organization can face a hefty fine.

A penetration tester has landed a shell on a Linux box and wants to find out more about the users' login and idle time. Which built-in bash command should they use?

finger - The finger command views a user's home directory along with login and idle time. You can also use nmap -O or -sV scans to fingerprint the operating system and interrogate its services.

A security consultant is attempting to look for default passwords for a client's D-Link phones. Which of the following should they use?

intitle:"DPH" "web login setting" - intitle:"DPH" "web login setting" would be used to find information on D-Link phones. If they don't have the password, they can search online for the default password to try on the targeted system.

A penetration tester is trying to use Google Hacking to find more instances of Cisco CallManager. What should they use?

inurl:"ccmuser/logon.asp" - inurl:"ccmuser/logon.asp" would be used to find Cisco CallManager instances. They can also try some other Google Hacking to find more information on VoIP phones that you can use to launch the attack.

A security researcher wants to scan documents against a website for only pdf documents. What metagoofil parameter could they use?

metagoofil -t - metagoofil -t pdf scans for pdf documents. Metagoofil scrapes the metadata, and then displays the information using Hypertext Markup Language (HTML).

A security professional is performing an assessment against web servers and is currently in the reconnaissance phase. They are performing initial service enumeration by attempting to open a session with a service and getting the service to identify itself. Which of the following tools are suited for this? (Select all that apply.)

netcat/wget - Netcat (nc) is a popular tool for Unix and Linux. The following shows using an HTTP GET request to elicit the webserver type and version: echo -en "GET / HTTP/1.0\n\n\n"|nc www.comptia.org 80|grep Server. Wget can be used to grab a banner using the following syntax: wget -S. When using this command, -S will print the HTTP headers that are sent by the server.

A penetration tester wants to gather email information for a targeted phishing campaign. Which of the following tools could they use to collect this?

theHarvester - theHarvester is an intuitive tool that can search a company's visible threat landscape. The tool gathers information on subdomain names, employee names, email addresses, PGP key entries, and open ports and service banners.

A secret double agent on a top-secret mission needs to conceal a payload in an audio file using tools built into Kali. What tool could they use to do this?

Steghide - Steghide is an open-source tool used to conceal a payload in either an image or audio file. The software can compress, conceal, and encrypt data.

A security professional is conducting an nmap scan during the reconnaissance phase of a project and wants to save the results to a text file for later analysis. Which parameter should they use?

-oN - Normal output (-oN) is similar to interactive; however, with this format, you can save the results of an Nmap scan to a text file for later analysis.

A penetration tester suspects a firewall is blocking their scan attempts and wants to try a TCP ACK scan to get around this. What nmap switch would they use?

-sA - A TCP ACK scan is used to bypass firewall rulesets, determine which ports are filtered and if a firewall is stateful or not. This scan uses the option: -sA.

A security consultant is in the reconnaissance phase of a penetration test and believes there might be a non-stateful firewall blocking the scan. What nmap parameter could try to bypass the non-stateful firewall?

-sF - The -sF option sends a TCP FIN to bypass a non-stateful firewall.

A security professional is setting up a netcat listener but they want to start up in UDP instead of TCP. What parameter should they use?

-u - The -u parameter starts Netcat in UDP mode. The default is to use TCP. Netcat is a command-line utility used to read from or write to a TCP or UDP network connection.

A security professional is conducting network reconnaissance and is trying to use advanced nmap scripts. Which of the following is NOT one of the main categories of nmap scripts?

Brute forcing - While brute forcing is not a category of scripts, nmap scripts are capable of attempting brute force after service discovery.

A penetration tester is asked to conduct an assessment for security issues that occur during a web transaction. What tool could they use to interact as a local proxy to intercept and capture the HTTP requests?

Burp - Acting as a local proxy, Burp Suite can intercept and capture the HTTP requests and responses so the team can analyze the traffic. When discovered, Burp Suite will list the vulnerabilities.

A penetration tester has joined a consulting company that performs tests for several varying clients. The company has stressed staying within the scope of the project. What is the worst thing the tester could face if they go outside their scope?

Criminal charges - Even though a PenTest is performed with the mutual consent of the customer, the team may inadvertently violate a local, state, or regional law. This could result in penalties up to and including criminal charges.

A penetration tester is analyzing entry to a network utilizing 802.1X authentication. Which of the following is NOT one of the three main components of this setup?

EAP - The Extensible Authentication Protocol (EAP) creates an encrypted tunnel between the supplicant and authentication server. This is not one of the main components but is a part of the process.

A security tester wants to launch an attack on a WPA2-Enterprise 802.11a or 802.11n network in a free, easy-to-use platform. Which of the following should they use?

EAPHammer - EAPHammer is another Python-based toolkit with a wide range of features. It provides options that the team can use to launch an attack on a WPA2-Enterprise 802.11a or 802.11n network in an easy-to-use platform.

A security tester is looking for custom scripts against uncommon services which they can't find in MetaSploit. Which of the following could they look at to possibly find what they need?

ExploitDB - While there are many repositories available, the team can use the Exploit Database (Exploit DB) which provides a complete collection of public exploits and vulnerable software in a searchable database.

A project manager is reviewing the scope of a penetration test. Which of the following is least likely to be included?

Framework - The penetration testing framework is not likely to be included in scoping discussions. However, this can be beneficial outside the scope.

A company is setting up a new PoS system and wants to scan the system for any security issues prior to implementation. What type of test should they have done?

Goal-based - Goal-based / objective-based assessments have a particular purpose or reason. A point of sale (PoS) system would be an example of a goal-based assessment.

A systems administrator is looking at migrating to the cloud and hears a bunch of new terminologies they are not familiar with. What makes up a cloud federation?

Infrastructure/Platform services/Software - A combination of all of these. Infrastructure is one component of cloud federation. With cloud computing, an organization can access and manage data and applications from any host, anywhere in the world. Platform services are another component of cloud federation. In a cloud environment, the attacker may simply need to have an internet connection and a dictionary of stolen password hashes to cause a breach. Software is the last component of cloud federation. A lack of oversight in the security procedures of cloud providers can dramatically increase the risk an organization takes.

A security consultant is evaluating a website and finds out that the administrator has set up a device to stabilize network traffic across two or more servers. What is this called?

Load balancer - A load balancer is used to stabilize network traffic across two or more servers. Balancing the load prevents any one server from getting too many requests.

A project manager is preparing documentation that covers recurring costs and any unforeseen additional charges that may occur during a project without the need for an additional contract. Which of the following should they prepare?

MSA - The Master Service Agreement (MSA) is a contract that establishes guidelines for any business documents executed between two parties. It can be used to cover recurring costs and any unforeseen additional charges.

A security professional is trying to evaluate a website for web-specific vulnerabilities. Which of the following is the tool most suited towards this objective?

Nikto - Nikto is an open-source web server scanner that can complete comprehensive testing on web servers for a variety of vulnerabilities, such as the anti-clickjacking X-Frame-Options header check, and dangerous files and CGIs.

An attacker is attempting to access a WPS device at a site in order to gain entry to a larger corporate network. Which of the following could they do? (Select all that apply.)

Physical/Brute force - A physical attack takes advantage of the "push to connect" feature found on many routers. When launching this attack, the malicious actor will need to be physically close to the device. In addition to a physical attack, a malicious actor can gain access to the network by determining the PIN of the WPS device, using an online or offline brute force attack.

A social engineering attack observes a target's behavior without them noticing in order to gain passwords and unauthorized entry to systems. What is this called?

Shoulder surfing - Shoulder surfing is a social engineering attack in which the malicious actor observes a target's behavior without them noticing.

A project manager is researching migrating to the cloud, specifically a PaaS model. Which of the following attacks is PaaS particularly subject to?

Side-channel - A side-channel attack is possible because of the shared nature of cloud infrastructure, especially in a PaaS model.

A security consultant needs to gain information about executives during a penetration test. One method they want to attempt is by cloning Bluetooth devices of the executive personnel. Which of the following tools could they use to perform this?

Spooftooph - One tool that can either spoof or clone a Bluetooth device is Spooftooph. Keep in mind, before making any changes to a Bluetooth adapter, you must run Spooftooph with root privileges.

A penetration tester covertly follows an authorized employee who is unaware that anyone is behind them. What is this called?

Tailgating - Tailgating is an attack where the malicious actor slips into a secure area while covertly following an authorized employee who is unaware that anyone is behind them.

A security professional is reviewing the results of a recent SYN scan and trying to understand the response results. What will happen if the port is open?

Target sends SYN ACK - If the port is open for a SYN scan, the target will return a SYN ACK. This is called a "half-open" scan because the attacker does not complete the TCP three-way handshake.

A company is contracting a penetration test because they want to save money by going with a smaller, newer hosting company. However, they are worried the company may have fewer resources and less security expertise and may be easier to attack than larger, more mature providers. What is this called?

Third-party hosted - Third-party hosted includes assets that are hosted by a vendor or partner of the client organization, such as cloud-based hosting.

A security consultant is attempting to see users and potential passwords by using the following URL: http://comptia.com/resources/../../../../etc/passwd but receives a dropped packet. What is most likely preventing this?

WAF - A web application firewall (WAF) is specifically designed to monitor web applications and guard against common attacks such as cross-site scripting (XSS) and SQL Injection (SQLi) attacks.

A network contractor is setting up wireless for a small coffee shop and wants to make sure they are secured with a standard that uses 192-bit encryption. Which of the following should they use?

WPA3 - WPA3 includes advanced features to secure wireless transmissions such as 192-bit encryption when using WPA3-Enterprise mode (used in business LANs).

A medium-sized company is worried about their access points at various field sites and has asked their employees to drive around to search for open access points using a laptop or smartphone. What is this referred to as?

War driving - War driving is a technique that involves driving around to search for open access points using a laptop or smartphone.

A network administrator is refreshing their network inventory after several major changes and wants to create an updated visual of the network topology. Which of the following tools could they use to create one?

Zenmap - Zenmap can create a visual of the network topology. Using Zenmap is intuitive, and you can run scans within the application just as you would when using Nmap.
