PEN Testing Final
What comparison operator tests to see if one number is greater than or equal to another number in Bash?
-ge
Which of the following Nmap output formats is unlikely to be useful for a penetration tester?
-oS
Steve is working from an un-privileged user account that was obtained as part of a penetration test. he has discovered that the host he is on has Nmap installed and wants to scan other hosts in his subnet to identify potential targets as part of a pivot attempt. What flag is he likely to use to successfully scan hosts from this account?
-sT
After gaining access to a Linux system through a vulnerable service, Cassandra wants to list all of the user accounts on the system and their home directories. Which of the following location will provide this list?
/etc/password
Where is the list of Linux users who can use elevated privileges via sudo typically found?
/etc/sudoers
Consider the following Python code: if 1 == 1: print("hello") elif 3 == 3: print("hello") else: print("hello")
1
What is the full range of ports that a UDP service can run on?
1-65,535
Which is the most recent version of the CVSS that is currently available?
3.0
Rick wants to look at the advertised routes to his target. What type of service should he look for to do this?
A BGP looking glass
Lucas has been hired to conduct a penetration test of an organization that processes credit cards. His work will follow the recommendations of PCI DSS. What type of assessment is Lucas conducting?
A compliance-based assessment
During the scoping phase of a penetration test, Lauren is provided with the IP range of the systems she will test, as well as information about what the systems run, but she does not recieve a full network diagram. What type of assessment is she most likely conducting?
A gray box assessment
What type of penetration test is not aimed at identifying as many vulnerabilities as possible and instead focuses on vulnerabilities specifically align with the goals of gaining control of specific systems or data?
A red-team assessment
What type of assessment most closely simulates an actual attacker's efforts?
A red-team assessment with a black box strategy
Part of Annie's penetration testing scope of work and rules of engagement allows her physical access to the facility which she is testing. If she cannot rind a remotely exploitable service, which of the following social engineering methods is most likely to result in remote access?
A thumb drive drop
Karen identifies TCP ports 8080 and 8443 open on a remote system during a port scan. What tool is her best option to manually validate what is running on these ports?
A web browser
Jack is conducting a penetration test for a customer in Japan. What NIC is he most likely to need to check for information about his client's networks?
APNIC
Which of the following threat actors is the most dangerous based on the adversary tier list?
APTs
Chris is conducting an onsite penetration test. The test is a gray box test, and he is permitted onsite but has not been given access to the wired or wireless networks. He knows he needs to gain access to both to make further progress.
ARP spoofing to become a man in the middle
Ken is planning to conduct a vulnerability scan of an organization as part of a penetration test. he is conducting a black box test. When would it be appropriate to conduct an internal scan of the network?
After compromising an internal host
Which of the following operating systems support Powershell interpreters?
All of the above
Assuming no significant changes in an organization's cardholder data environment, how often does PCI DSS require that a merchant accepting credit cards conduct penetration testing?
Annually
What tool can white box penetration testers use to help identify the systems present on a network prior to conducting vulnerability scans?
Asset inventory
Beth recently conducted a phishing attack against a penetration testing target in an attempt to gather credentials that she might use in later attacks. What stage in the penetration testing process is Beth in?
Attacking and Exploiting
Which one of the CVSS metrics would contain information about the number of times an attacker must successfully authenticate to execute and attack?
Au
What penetration testing strategy is also known as "zero knowledge" testing?
Black box testing
In what type of attack does the attacker place more information in a memory location than is allocated for that use?
Buffer overflow
Which one of the following values for the confidentiality, integrity, or availability CVSS metric would indicate the potential for a total compromise of a system?
C
Jason is writing a report about a potential security vulnerability in a software product and wishes to use standardized product names to ensure that other security analysts understand the report. What SCAP component can Jason turn to for assistance?
CPE
Jessica is reading reports from vulnerability scans run by different parts of her organization using different products. She is responsible for assigning remediation resources and is having difficulty prioritizing issues from different sources. What SCAP component can help Jessica with this task.
CVSS
Scott wants to crawl his penetration testing target's website and then build a wordlist using the data he recovers to help with his password cracking efforts. Which of the following tools should he use?
CeWL
Elaine wants to ensure that the limitations of her red-team penetration test are fully explained. Which of the following are valid disclaimers for her agreements? (Choose two.)
Comprehensiveness Point-in-time
Sarah is conducting a penetration test and discovers a critical vulnerability in an application. What should she do next?
Consult the SOW
Which of the following is NOT a reason to conduct periodic penetration tests of systems and applications?
Cost
Monica discovers that an attacker posted a message attacking users who visit a web forum that she manages. Which one of the following attack types is most likely to have occurred?
Cross-site scripting
What type of cross-site scripting attack would not be visible to a security professional inspecting the HTML code in a browser?
DOM-based XSS
Which of the following is not a common source of information that may be correlated with vulnerability scan resorts?
Database tables
Tom is running a penetration test in a web application and discovers a flaw that allows him to shut down the web server remotely. What goal of penetration testing has Tom most directly acheived?
Denial
Lauren has acquired a list of valid user accounts but does not have the passwords for them. If she had not found any vulnerabilities but believes that the organization she is targeting has poor passwords practices, what type of attack can she use to try to gain access to a target system where those usernames are likely valid?
Dictionary attacks
Edward Snowden gathered a massive quantity of sensitive information from the National Security Agency and released it to the media. What type of attack did he wage?
Disclosure
Alice has deployed physical keyloggers to target systems. What issue is most commonly associated with physical keyloggers?
Discovery
Which of the following is not a normal communications trigger for a penetration test?
Documentation of a new test
Lisa wants to enumerate possible user accounts and has discovered an accessible SMTP server. What SMTP commands are most useful for this?
EXPN and VRFY
Angela recovered a PNG image during the early intelligence-gathering phase of a penetration test and wants to examine it for useful metadata. What tool could she most successfully use to do this?
ExifTool
John has gained access to a system that he wants to use to gather more information about other hosts in its local subnet. He wants to perform a port scan but cannot install other tools to do so. Which of the following tools isn't usable as a port scanner.
ExifTool
Tara recently analyzed the results of a vulnerability scan report and found that a vulnerability reported by the scanner did not exist because the system was actually patched as specified. What type of error occurred?
False positive
Which of the following is a debugging tool compatible with Linux systems?
GDB
Which one of the following debugging tools does not support Windows systems?
GDB
Which type of organization is the most likely to face a regulatory requirement to conduct vulnerability scans?
Government agency
After gaining access to a Windows system, Fred uses the following command: SchTasks /create /SC Weekly /TN "Antivirus" /TR C:\Users\SSmith\av.exe" /ST 09:00 What has he accomplished?
He has scheduled his own executable to run weekly.
Cameron runs the following command via an administrative shell on a Windows system he has compromised. What has he accomplished? $command = 'cmd /c powershell.exe -c Set-WSManQuickConfig -Force;Set-Item WSMAN:\localhost\Service\Auth\Basic -Value $True;Set-Item WSMAn:\localhost\Service\AllowUnencrypted -Value $True;Register-PSSessionConfiguration -Name Microsoft.PowerShell -Force
He has set up PSRemoting
Kevin recently identified a new security vulnerability and computed the CVSSv2 base score as 6.5. Which risk category would this vulnerability fall into?
High
During a penetration test, Alex discovers that he is unable to scan a server that he was able to successfully scan earlier in the day from the same IP address. What has most likely happened?
His IP address was blacklisted.
What software component is responsible for enforcing hte separation of guest systems in a virtualized infrastructure?
Hypervisor
Which one of the following conditions would not result in a certificate warning during a vulnerability scan of a web server?
Inclusion of a public encryption key
Which of the following is NOT a benefit of using an internal penetration test team.
Independence
Which of the following approaches, when feasible, is the most effective way to defeat injection attacks?
Input whitelisting
Which of the following categories of systems is most likely to be disrupted during a vulnerability scan?
IoT device
Which of the following statements does not correctly describe the Ruby programming language?
It is a compiled language
Charles want to deploy a wireless intrusion detection system. Which of the following tools is best suited for that purpose?
Kismet
Examine the following network diagram. What is the most appropriate location for a web application firewall (WAF) on this network?
Location D
Cameron is preparing to travel to another state to perform a physical penetration test. What penetration testing fear should he review the legality of before leaving for that state?
Lockpicks
Which one of the following values for the CVSS access complexity metric would indicate that the specified attack is simplest to exploit?
Low
Mika runs the following Nmap scan: nmap -sU -sT -p 1-65535 example.com What information will she NOT recieve?
MOD
Which one of the following security assessment tools is not commonly used during the Information Gathering and Vulnerability Identification phase of a penetration test?
Metasploit
Which one of the following tools is an exploitation framework commonly used by penetration testers?
Metasploit
Selah wants to use a brute-force attack against the SSH service provided by one of her targets. Which of the following tools is not designed to brute-force services like this?
Minotaur
Brian is seeking to determine the appropriate impact categorization for a federal information system as he plans the vulnerability scanning controls for that system. After consulting management, he discovers that the system contains information that, if disclosed improperly, would have a serious adverse impact on the organization. How should this system be categorized?
Moderate impact
While performing an on-site penetration test, Cassandra plugs her laptop into an accessible network jack. When she attempts to connect, however, she does not receive an IP address and gets no network connectivity. She knows that the port was working previously. What technology has her target most likely deployed?
NAC
Tom is reviewing a vulnerability scan report and finds that one of the servers on his network suffers from an internal IP address disclosure vulnerability. What protocol is likely in use on this network that resulted in this vulnerability?
NAT
Which one of the following is not an open source intelligence gathering tool?
Nessus
Which one of the following techniques is not an appropriate remediation activity for a SQL injection vulnerability?
Network firewall
Which of the following vulnerability scanners is specifically designed to test the security of web applications against a wide variety of attacks?
Nikto
What does a result of * * * mean during a traceroute?
No response to the query, perhaps a timeout, but traffic is going through.
Which one of the following is NOT a password cracking utility?
OWASP ZAP
What built-in Windows server administration tool can allow command-line PowerShell access from other systems?
PSRemote
What is required for Jason to conduce a cold-boot attack against a system?
Physical access
Analyze the following segment of code: Do { $test='mike' + $i $cracked = Test-Password $test $i++ } While ($cracked -eq 0) In what language is this code written?
PowerShell
Examine the following line of code. In what programming language is it written?
PowerShell
The Dirty COW attack is an example of what type of vulnerability?
Privilege escalation
Examine the code snippet below. IN what language is this code written? begin system 'nmap' + ip rescue puts "An error occurred.' end
Python
Examine the following line of code. In what programming language is it written? print("The system contains several serious vulnerabilities.")
Python
Tonya is configuring vulnerability scans for a system that is subject to the PCI DSS compliance standard. What is the minimum frequency with which she must conduct scans?
Quarterly
Jim wants to crack the hashes from a password file he recovered during a penetration test. Which of the following methods is typically the fastest, presuming he knows the hashing method and has the appropriate files and tools to take advantage of each tool?
Rainbow Crack
Renee is configuring her vulnerability management solution to perform credentialed scans of servers on her network. What type of account should she provide to the scanner?
Read-only
Which of the following steps of the Cyber Kill Chain does not map to the Attacking and Exploiting stage of the penetration testing process?
Reconnaissance
Which one of the following activities is not commonly performed during the post engagement cleanup phase?
Remediation of vulnerabilities
Which of the following activities is not part of the vulnerability management lifecyle?
Reporting
What term describes an organization's willingness to tolerate risk in their computing environment?
Risk appetite
Ryan is planning to conduct a vulnerability scan of a business-critical system using dangerous plug-ins. What would the best approach be for the initial scan?
Run the scan in a test environment
Alice discovers a rating that her vulnerability scanner lists as a 9.3 out of 10 on its severity scale. The service that is identified runs on TCP 445. What type of exploit is Alice most likely to use on this service?
SMB exploit
What term describes a document created to define project-specific activities, deliverables, and timelines based on an existing contract?
SOW
Alan is reviewing web server logs after an attack and finds many records that contain semi-colons and apostrophes in queries from end users. What type of attack should he suspect?
SQL injection
Matt wants to pivot from a Linux host to other hosts in the network but is unable to install additional tools beyond those found on a typical Linux server. How can he leverage the system he is on to allow vulnerability scans of those remote hots if they are firewalled against inbound connections and protected from direct access from his penetration testing workstation?
SSH tunnelling
During an on-site penetration test, what scoping element is critical for wireless assessments when working in shared buildings?
SSIDs
Which one of the following is not an example of a vulnerability scanning tool?
Snort
Biometric authentication technology fits into what multifactor authentication category?
Something you are
Chris sends a phishing email specifically to Susan, the CEO at his target company. What type of phishing attack is he conducting?
Spear phishing
Adam is conducting a penetration test of an organization and is reviewing source code of an application for vulnerabilities. What type of code testing is Adam conducting?
Static code analysis
Charles uses the following hping command to send traffic to a remote system: hping remotesite.com -S -V -p 80 What type of traffic will the remote system see?
TCP SYNs to TCP port 80
Betty is selecting a transport encryption protocol for use in a new public website she is creating. Which protocol would be the best choice?
TLS 1.1
Which of the following attacks is an example of a race condition exploitation?
TOCTTOU
Which one of the following protocols should never be used on a public network?
Telnet
Which one of the following is not a common category of remediation activity?
Testing
Where are the LSA Secrets stored on a Windows system?
The Registry
The penetration testing agreement document that Greg asks his clients to sign includes a statement that the assessment is valid only at the point in time at which it occurs. Why does he include this language?
The environment is unlikely is to be the same in the future
Why would a penetration tester look for expired certificates as part of an information gathering and enumeration exercise?
The indicate services that may not be properly updated or managed.
Charles has completed the scoping exercise for his penetration test and has signed the agreement with hsi client. Whose signature should be expected as the counter signature?
The proper signing authority
Chris runs an Nmap scan against the 10.10.0.0/16 network that his employer uses as an internal network range for the entire organization. If he uses the -T0 flag, what issue is he likely to encounter?
The scan will progress at a very slow speed.
During an Nmap scan, Casey uses the -O flag. The scan identified the host as follows: RunningL Linux 2.6.xOS CPE: cpe:/o:linux:linux_kernel:2.6OS Details: Linux 2.6.9 - 2.6.33
The system is running a Linux 2.6 kernel between .9 and .33
What occurs during a quid pro quo social engineering attempt?
The target is made to feel indebted
What does an MSA typically include?
The terms that will govern future agreements.
After running an SNMP sweep, Greg finds that he didn't receive any results. If he knows there are not network protection devices in place and that there are devices that should respond to SNMP queries, what problem does he most likely have?
There is an incorrect community string.
Who is the most effective person to facilitate a lessons learned session after a penetration test?
Third party
Which one of the following activities assumes that an organization has already been compromised?
Threat hunting
Joe is examining the logs for his web server and discovers that a user sent input to a web application that contained the string WAITFOR. What type of attack was the user likely attempting?
Timing-based SQL injection
What technique is required to use LSASS to help compromise credentials on a modern Windows system?
Turn on WDigest
During a penetration test, Mike uses double tagging to send traffic to another system. What technique is he attempting?
VLAN hopping
In what type of attack does the attacker seek to gain access to resources assigned to a different virtual machine?
VM escape
Which of the following tools provides information about a domain's registrar and physical location?
WHOIS
Cynthia wants to use a phishing attack to acquire credentials belonging to the senior leadership of her target. What type of phishing attack should she use?
Whaling
When should system hardening activities take place?
When the system is initially built and periodically during its life
Which one of the following terms in not typically used to describe the connection of physical devices to a network?
Which one of the following terms in not typically used to describe the connection of physical devices to a network?
Which of the following types of penetration test would provide testers with complete visibility into the configuation of a web server without having to compromise the web server to gain that information?
White Box
After running an Nmap scan of a system, Lauren discovers that TCP ports 139, 443, and 3389 are open. What operating system is she most likely to discover running on the system?
Windows
Which one of the following operating systems should be avoided on production networks?
Windows Server 2003
What type of language is WSDL based on?
XML
Which of the following is a static code analysis tool?
YASCA
What technique is being used in the following command: host -t axfr domain.com dns1.domain.com
Zone transfer
Chris is conducting an onsite penetration test. The test is a gray box test, and he is permitted onsite but has not been given access to the wired or wireless networks. He knows he needs to gain access to both to make further progress. Which of the following NAC systems would be the easiest for Chris to bypass?
a MAC address filter
Allan wants to gain entrance to a target company's premises but discovers that his original idea of jumping the fence probably isn't practical. Which factor is least likely to prevent him from trying to jump the fence?
a gate
Mike wants to enter an organization's high-security data center. Which of the following techniques is most likely to stop his tailgating attempt?
a mantrap
Andrew know that the employees at his target company frequently visit a football discussion site popular in the local area. As part of his penetration testing, he successfully places malware on the site and takes over multiple PCs belonging to employees. What type of attack has he used?
a watering hole attack
During what phase of the Cyber Kill Chain does an attacker steal information, use computing resources, or alter information without permission?
actions on objectives
What is the final stage of the Cyber Kill Chain?
actions on objectives
Chris is conducting an onsite penetration test. The test is a gray box test, and he is permitted onsite but has not been given access to the wired or wireless networks. He knows he needs to gain access to both to make further progress. If Chris wants to set up a false AP, which tool is best sutied to his needs?
aircarck-ng
What type of legal assessment typically covers sensitive data and information that a penetration tester may encounter while performing an assessment?
an NDA
Tom recently conducted a penetration test for a company that is regulated under PCI DSS. Two months after the test, the client asks for a letter documenting the test results for its compliance files. What type of report is the client requesting?
attestation of findings
What type of Bluetooth attack attempts to send unsolicited messages via Bluetooth devices?
bluejacking
Susan's organization uses a technique that associates hosts with their public keys. What type of technique are they using?
certificate pinning
Which one of the following commands will allow the file owner to execute a Bash script?
chmod u+x script.sh
What approach to vulnerability scanning incorporates information from agents running on the target serrvers?
continuous monitoring
What type of attack depends upon the fact that users are often logged into many websites simultaneously in the same browser?
cross-site request forgery
Grace is investigating a security incident where attackers left USB drives containing infected files in the parking lot of an office building. What stage in the Cyber Kill Chain describes this action?
delivery
Which one of the following technologies, when used within an organization, is the LEAST likely to interfere with vulnerability scanning results achieved by external penetration testers?
encryption
Gary is conducting a black box penetration test against an organization and is gathering vulnerability scanning results for use in his tests. Which one of the following scans is most likely to provide him with helpful information withing the bounds of his test?
full external scan
Brian ran a penetration test against a school's grading system and discovered a flaw that would allow students to alter their grades by exploiting a SQL injection vulnerability. What type of control should he recommend to the school's cybersecurity team to prevent students from engaging in this type of activity?
integrity
Jacob runs ls -l on a file and sees the following listing. What does he know about chsh? -rwsr -xr x root root 40432 Sep 27 2017 chsh
it is a SUID executable
Chris wants to acquire a copy of the Windows SAM database from a system that he has compromised and is running the Metasploit Meterpreter on. What Mimikatz command will allow him to do this?
meterpreter> mimikatz_command -f samdump::hashes
Which of the following tools will not allow Alice to capture NTLM v2 hashes over the wire for use in a pass-the-hash attack?
mimikatz
What Unix command can you use to listed for input on a network port?
nc
Jessica wants to list the domain password policy for a Windows domain. What net command can she use to do this?
net accounts /domain
Angela wants to run John the Ripper against a hashed password file she acquired from a compromise. What information does she need to know to successfully crack the file?
none of the above
Charles runs an Nmap scan using the following command: nmap -sT -sV -T2 -P 1-65535 example.com After watching the scan run for over two hours, he realizes that he needs to optimize the scan. Which of the following is not a useful way to speed up the scan?
only scan via UDP to improve speed
Joe checks his web server logs and sees that someone sent the following query string to an application running on the server: https://www.mycompany.com/servicestatus.php?serviceID=892&serviceID=892' ;DROP TABLE Services;--
parameter pollution
Rich recently got into trouble with a client for using an attack tool during a penetration test that caused a system outage. During which stage of the penetration testing process should Rich and his clients have agreed upon the tools and techniques that he would use during the test?
planning and scoping
What is the default read-only community string for many SNMP devices?
public
Alan is creating a list of recommendations that his organization can follow to remediate issues identified during a penetration test. In what phase of the testing process is Alan participating?
reporting and communicating results
During a penetration test specifically scoped to a single web application, Chris discovers that the web server also contains a list of passwords to other servers at the target location. After he notifies the client, they ask him to use them to validate those servers, and he proceeds to test those passwords against the other servers. What had occurred?
scope creep
What type of adversary is most likely to use only prewritten tools for their attacks?
script kiddies
Alexa carefully pays attention to an employee as they type in their security code to her target organization's high security area and writes down the code that she observes. What type of attack has she conducted?
shoulder surfing
Which of the following technologies is most resistant to badge cloning attacks if implemented properly?
smart cards
Tom's organization currently sues password-based authentication and would like to move to multifactor authentication. Which one of the following is an acceptable second factor?
smartphone app
Ryan is conducting a penetration test and is targeting a database server. Which one of the following tools would best assist him in detecting vulnerabilities on that server?
sqlmap
Which one of the following factors is least likely to impact vulnerability scanning schedules?
staff availability
During an early phase of his penetration test, Mike recovers a binary executable file that he wants to analyze for useful information. Which of the following tools will quickly give him a view of potentially useful information in the binary?
strings
Which one of the following function calls is closely associated with Linux command injection attacks?
system()
Which of the following items is not appropriate for the executive summary of a penetration testing report?
technical detail
While Frank is performing a physical penetration test, he notices the exit doors to the data center automatically open as an employee approaches them with a cart. What should he record in his notes?
the presence of an egress sensor
Chris cross-compiles code for his exploit and deploys it. Why would he cross-compile code?
to run it on a different architecture
Which one of the following metrics is not included in the calculation of the CVSS exploitability score?
vulnerability age
