Pentest+ 10/9


Situational awareness

One of the goals of communication between the tester and the client during a penetration test is to ensure that both parties clearly understand the current security state of the network. Which of the following terms best describes this shared understanding?

Reset account lockout counter after

Which Windows Group Policy setting determines how much time must pass after a failed logon attempt before the failed logon attempt counter is reset to 0?

-p U:20,T:21,22

Which command option will cause nmap to scan just UDP port 20 and TCP ports 21 and 22?

Parameterizing queries

Which defense against SQL injection attacks involves using prepared SQL statements with bounded variables?

--proxies

Which nmap option causes the utility to relay connections through a proxy server?

-T5

Which nmap timing option causes it to scan in Insane mode?

-T0

Which nmap timing option causes it to scan in Paranoid mode?

-T2

Which nmap timing option causes it to scan in Polite mode?

Enforce password history

Which of the following Windows Group Policy settings can be used to prevent a user from reusing the same password over and over?

Maximum password age

Which of the following Windows Group Policy settings determines how long a user can keep the same password before being required to change it to a new one?

Minimum password age

Which of the following Windows Group Policy settings determines how long a user must keep the same password before being allowed to change it to a new one?

Store passwords using reversible encryption

Which of the following Windows Group Policy settings should never be enabled?

Medusa Hydra

Which of the following are commonly used to perform brute-force password attacks? (Choose two.)

Rainbow table attacks reduce compute cycles at attack time. Rainbow tables must include precompiled hashes.

Which of the following characteristics distinguish rainbow table attacks from brute-force attacks? (Choose two.)

Biometric scan + PIN

Which of the following is an example of multifactor authentication?

Username + PIN + fingerprint scan + one-time password (OTP)

Which of the following is an example of three-factor authentication (3FA)?

PIN + fingerprint scan + security token

Which of the following is an example of two-factor authentication (2FA)?

Salting

Which of the following is commonly used to prevent precomputation attacks on hashed passwords by adding random bits to the hashing operation?

Key stretching

Which of the following is commonly used to prevent precomputation attacks on hashed passwords by running the value to be hashed through the hash function multiple times?

Nikto W3AF

Which of the following utilities can be categorized as vulnerability scanners? (Choose two.)

-oA

Which option causes nmap to save its output in a normal text file, in an XML-formatted text file, and in a greppable text file all at once?

-oN

Which option causes nmap to save its output to a standard text file in the file system of the host where it was run?

-oG

Which option causes nmap to save its output to a text file that can be quickly searched using the grep command?

-oX

Which option causes nmap to save its output to an XML-formatted text file in the file system of the host where it was run?

-F

Which option causes nmap to scan a host for the 100 most commonly used IP ports, such as 20, 21, 23, 25, 53, 80, etc.?

-iR

Which option causes nmap to scan a specified number of random hosts?

-f

Which option causes nmap to scan using tiny, fragmented packets in an attempt to fool a packet filtering firewall?

-D

Which option causes nmap to send scans from a spoofed IP address?

Computer Emergency Response Team (CERT)

You and a colleague are discussing open source intelligence (OSINT), and the discussion leans toward discussing vulnerabilities and other security flaws. There are a number of organizations that work to centralize this knowledge. One of these organizations tackles a broad range of cybersecurity activities. It focuses on security breach and denial of service incidents, providing alerts and incident-handling and avoidance guidelines. Which organization are we discussing?

The Common Attack Pattern Enumeration and Classification (CAPEC)

You and a colleague are discussing open source intelligence (OSINT), and the discussion leans toward discussing vulnerabilities and other security flaws. There are a number of organizations that work to centralize this knowledge. One of these organizations uses a list as a resource intended to help identify and document attacks and attack patterns. It allows users to search attacks by their mechanism or domain and then breaks down each attack by using various attributes and prerequisites. Which organization are we discussing?

$ports = 20, 25, 80, 443

You are a penetration tester and want to create an array using a PowerShell script. Which lines of code would you use?

Expand the password length from seven to 14 characters and add special characters.

You are a penetration tester, and after performing a recent test, you discover that the client's staff is using dictionary and seasonal passwords. What is the best way to control the use of common dictionary words as passwords?

To run it on different architectures

You are a penetration tester, and you are looking to cross-compile code for your penetration activity. Then you plan to deploy it. Why would you cross-compile code?

Impacket

You are a penetration tester, and you want to capture user hashes on a Windows network. You want to gather broadcast messages and have the ability to authenticate with hashes once you have captured them. What tool should you use?

Censys

You are a penetration tester, and you want to do a search to see your client's computers and devices that are connected to the Internet and that will show you the geoIP information, if available. Which tool can you use to accomplish this?

Conclusion

You are generating a written report of findings after a penetration test. Based on the results of the test, you have created a list of recommendations you feel the client should focus on. Where should you include your recommendations in the report?

Conclusion

You are generating a written report of findings after a penetration test. Based on the sheer number of vulnerabilities you discovered in the test, you feel that the client should undergo a follow-up penetration test within the next three months to verify that the issues have been remediated. Where should you include this recommendation in the report?

Findings and remediation

You are generating a written report of findings after a penetration test. During the test, you discovered that many older Windows workstations in the network haven't been patched properly and are susceptible to the WannaCry ransomware. To fix this, the client needs to install the MS17-010 - Critical update from Microsoft. Where should you include this recommendation in your report?

Findings and remediation

You are generating a written report of findings after a penetration test. During the test, you discovered that many older Windows workstations in the network haven't been patched properly and are susceptible to the WannaCry ransomware. Where should you include this information in your report?

Methodology

You are generating a written report of findings after a penetration test. During the test, you followed the specifications of the EC-Council for its Certified Ethical Hacker (CEH) certification. Where should this information be included in your report?

Findings and remediation

You are generating a written report of findings after a penetration test. In which section of the report should you consider the risk appetite of the client when deciding which information to include?

Metrics and measures

You are generating a written report of findings after a penetration test. You cross-reference each vulnerability you found in the test against the Common Vulnerabilities and Exposures (CVE) database to assign it a qualitative risk rating of Low, Medium, High, or Critical. Where should these risk ratings be included in the report?

Elicitation

You are performing reconnaissance as a part of a black box penetration test. You notice that the employees of the target organization commonly congregate at a particular outdoor restaurant for lunch. You begin frequenting the same restaurant for lunch and make friends with several of the target organization's employees. After you gain their trust, they begin to share information about their jobs, computers, bosses, customers, projects, and so on. What type of exploit occurred in this scenario?

Shoulder surfing Business email compromise

You have been hired to conduct a gray box penetration test for a client. You managed to walk by just as she was logging on to her email account and watch the keystrokes she typed on her computer. Later that evening, after the employee has gone home for the day, you log on to her email account and send requests for information to other employees. Which exploits were used in this scenario? (Choose two.)

nmap -iL /root/targets.txt

You have created a list of target hosts that you want to scan with nmap and saved it to a text file named /root/targets.txt. Which command should you use to run the scan using this file?

Normalization of data

You have just completed a penetration test for a client. During the test, you used a variety of different tools to collect data and conduct exploits. Now you need to aggregate all of the data generated by these tools into a format that is consistent, correlated, and readable. What is this process called?

Technological

You have just concluded a penetration test for a client that makes extensive use of work-at-home employees. The employees use a VPN connection. During the test, you were able to use social engineering to compromise an employee's VPN connection and gain access to the internal network. As a mitigation strategy, you recommend that the client implement multifactor authentication for all VPN connections. What type of solution is this?

chage

You have just concluded a penetration test for a client that uses a large number of temporary workers and contractors. In your findings, you report that temporary and contract user accounts are frequently not deactivated or removed when their work is complete. Given that the client uses Linux desktops and servers, which of the following Linux commands should you recommend they use to automatically lock user accounts after a certain time?

Process

You have just concluded a penetration test for a client. During the test, you discovered that the organization's employees made extensive use of a shared Google Drive account to collaborate. You were able to use a social engineering exploit to get access to the shared account and access sensitive files. To address this vulnerability, you recommend that the client disallow this practice among employees. What type of solution is this?

Technological

You have just concluded a penetration test for a client. During the test, you were able to gain access to the client's physical facility by tailgating with a group of employees. To address this vulnerability, you recommend that the client implement a man-trap locking door at the entrance to the facility. What type of solution is this?

Technological

You have just concluded a penetration test for a client. During the test, you were able to gain access to the client's wireless network using Aircrack-ng while sitting in your car in a parking lot across the street. To address this vulnerability, you recommend that the client implement directional wireless network antennas and also manipulate the power level of the access points to prevent signal emanation. What type of solution is this?

Technological

You have just concluded a penetration test for a client. During the test, you were able to use John the Ripper to brute force an administrative password on a sensitive Windows file server. To address this vulnerability, you recommend that the client implement Group Policy settings that require complex passwords as well as lock the system after three incorrect logon attempts. What type of solution is this?

Process

You have just concluded a penetration test for a client. During the test, you were able to use social engineering to convince the organization's accounts payable clerk to send a large ACH payment to a fictitious bank account. To address this vulnerability, you recommend that the client implement division of duties such that two individuals must sign off on all payouts. What type of solution is this?

Process

You have just concluded a penetration test for a client. During the test, you were able to use stale user accounts associated with former employees to gain access to a sensitive file server. To address this vulnerability, you recommend that the client remove user accounts whenever an employee leaves the organization. What type of solution is this?

Randomize the local Administrator credentials.

You have just concluded a penetration test for a client. In your findings, you note that all of the Windows desktop systems in the organization have the same password assigned to the local Administrator user account. What could you recommend to remediate this problem?

Implement LAPS.

You have just concluded a penetration test for a client. In your findings, you note that all of the Windows desktop systems in the organization have the same password assigned to the local Administrator user account. When you report this to the client, they indicate that they are aware of this and that they did this deliberately to reduce management complexity. What solution could you recommend that would remediate the vulnerability without increasing management complexity?

Uninstall all unnecessary services from the server.

You have just concluded a penetration test for a client. In your findings, you report that a Linux web server in the data center has the Apache web server, MySQL database, DNS, CUPS, DHCP, IMAP, and POP3 services running. What should you recommend the client do to remediate this situation?

Escape data.

You have just concluded a penetration test for a client. In your findings, you report that a web application that was developed in-house and that the organization uses to manage customer orders is susceptible to SQL injection attacks. What should you recommend the client do to remediate this?

Rewrite the code to sanitize user input.

You have just concluded a penetration test for a client. In your findings, you report that a web application that was developed in-house and that the organization uses to manage customer orders is susceptible to SQL injection attacks. What should you recommend the client do to remediate this?

Account lockout threshold

You have just concluded a penetration test for a client. In your findings, you report that brute-force password attacks against Windows domain user accounts were successful because nothing stopped the password-cracking software from trying password after password for a given user. Which of the following Windows domain Group Policy settings could you recommend the client implement to remediate this issue?

chage

You have just concluded a penetration test for a client. In your findings, you report that users are allowed to keep the same password indefinitely, which increases the likelihood that they will be compromised at some point. Given that the client uses Linux desktops and servers, which of the following Linux commands should you recommend they use to fix this issue?

Password must meet complexity requirements. Minimum password length.

You have just concluded a penetration test for a client. In your findings, you report that you were able to compromise several users' Windows accounts because they used passwords such as password, aaa, and 1234. Which of the following domain Group Policy settings could you recommend they implement to prevent weak password complexity? (Choose two.)

chage

You have just concluded a penetration test for a client. In your findings, you report that, while users are trained to change their passwords every 45 days, few of them actually do it because there is no mechanism in place to enforce this policy. Given that the client uses Linux desktops and servers, which of the following Linux commands should you recommend they use to automatically lock user accounts if users don't change their passwords after 45 days?

Depends on the client contract

You have just finished writing a report of findings for a client after a penetration test. How long is your organization required to store the document after the test is complete?

Burn the report to an optical disk and store it in a locked safe bolted to your desk.

You have just finished writing a report of findings for a client after a penetration test. Which of the following is an appropriate way to store your client's written report of findings?

Print a hard copy and store it in a locked filing cabinet that has been bolted to the floor.

You have just finished writing a report of findings for a client after a penetration test. Which of the following is an appropriate way to store your client's written report of findings?

Save it to an encrypted file on a file server.

You have just finished writing a report of findings for a client after a penetration test. Which of the following is an appropriate way to store your client's written report of findings?

Save the file to an encrypted flash drive and store it in a locked cabinet.

You have just finished writing a report of findings for a client after a penetration test. Which of the following is an appropriate way to store your client's written report of findings?

Shred the report in a cross-cut shredder.

You need to dispose of several penetration test reports from old clients. Hard copies of the reports are stored in a locked filing cabinet that has been bolted to the floor. Which of the following is the best way to do this?

Use disk wiping software on the drive.

You need to dispose of several penetration test reports from old clients. The files are stored on a removable hard drive that is stored in a locked safe. Which of the following is the best way to do this?

Smash the drives with a hammer.

You need to dispose of several penetration test reports from old clients. The files are stored on flash drives that are stored in a locked cabinet. Which of the following is the best way to do this?

Shred the discs.

You need to dispose of several penetration test reports from old clients. The files are stored on rewritable optical discs that are stored in a locked cabinet. Which of the following is the best way to do this?

Hyper-V Active Directory Federation Services

A Windows server is functioning as an Active Directory domain controller for an organization's network. Which of the following services are not required for it to fulfill this role? (Choose two.)

Limited network access Storage access

A penetration tester has completed a simple compliance scan of a client's network. The results indicate that there is a subset of assets on a network. This information differs from what was shown on the network architecture diagram that was given to the tester prior to testing. What is most likely the cause for the discrepancy? (Choose two.)

Begin an SNMP password brute-force attack

A penetration tester has discovered a Supervisory Control and Data Acquisition (SCADA) device in one of the VLANs in scope. What action best creates a potentially damaging outcome against the device?

Secure Shell (SSH) Wireshark

A penetration tester has successfully exploited a DMZ server that seems to be listening to an outbound port. The tester wants to forward that traffic back to a device. What are the best tools to do this? (Choose two.)

Open source intelligence (OSINT)

A penetration tester is in the middle of a penetration test and is gathering information without actively scanning the client. What type of information is being gathered?

Mimikatz

A penetration tester is performing a gray box test for a client. The tester wants to try to generate a Kerberos "golden ticket" to compromise services within the target Active Directory domain. Which utility could be used to do this?

nmap hping

As a part of a penetration test, you need to establish an active connection to the computer systems and devices at the target organization to enumerate and fingerprint them. Which tools could you use to do this? (Choose two.)

John the Ripper Cain and Abel

As a part of a penetration test, you need to gather user account names and passwords from the passwd and shadow files from a Linux server. Which utilities could you use to do this? (Choose two.)

OWASP ZAP Nessus

As a part of a penetration test, you need to perform an in-depth scan of a target to identify vulnerabilities, such as missing updates or misconfigured security settings. Which utilities could you use to do this?

whois nslookup

As a part of a penetration test, you need to perform reconnaissance on the target organization to passively gather information. Which tools could you use to do this? (Choose two.)

nmap 192.168.1.200 -p http,https nmap 192.168.1.200 -p 80,443

As a penetration tester, you want to scan a Linux server with an IP address of 192.168.1.200 in the target network and see whether it has a web server installed and running. Which nmap commands will do this? (Choose two.)

nmap 192.168.1.200 --top-ports 1000 --exclude-ports 53

As a penetration tester, you want to scan a Linux server with an IP address of 192.168.1.200 in the target network for the 1000 most popular network services to see whether they are installed and running. However, you already know this host is running the DNS service, so you want to skip this port in the scan. Which nmap command will do this?

De-escalation

During a penetration test, the client organization begins to receive complaints from customers indicating that the organization's web server is very slow to respond or even crashes at times. The network administrator discovers a distributed denial of service (DDoS) attack underway that is aimed at the company's web server. Sales are being lost, so the administrator calls the penetration tester and asks them to stop the attack. What is this communication path called?

De-confliction

During a penetration test, the client organization's network administrator discovers a distributed denial of service (DDoS) attack underway that is aimed at the company's web server. The administrator calls the penetration tester to verify that the attack is part of the penetration test and not coming from a real attacker. What is this process called?

Rewrite the application to encrypt passwords before they are saved in the database.

During a penetration test, you discover that your client uses a web application that was developed in-house that stores user passwords as clear text within a MySQL database. What should you recommend?

Fear

During a penetration test, you send an email to the CFO of the target organization. The email claims that the webcam on the CFO's laptop has been clandestinely used to record him viewing pornography. The email threatens to post this video and notify his family, his employer, and the police if he doesn't respond with certain sensitive information about his company. Which motivation factor was used in this scenario?

Responder

During an internal penetration test, several multicast and broadcast name resolution requests are observed moving through the network. A tester wants to impersonate network resources and collect authentication requests. What tool should be used?

PIN

In terms of multifactor authentication, which of the following is an example of something you know?

Hardwire connection to the organization's internal LAN

In terms of multifactor authentication, which of the following is an example of somewhere you are?

RFID proximity reader

In terms of multifactor authentication, which of the following is an example of somewhere you are?

Sending a pre-engagement survey (also known as a scoping document) to the client for them to fill out

In the scoping phase of a penetration testing engagement, how might a penetration tester effectively obtain the information necessary to begin testing?

use auxiliary/server/socks4a

A penetration tester is using Metasploit. What command would allow the tester to access a private network from the Internet?

-T3

A penetration tester runs an nmap scan without specifying a timing option. Which one is used by default?

Scarcity

A penetration tester sends a phishing email to the employees of the target organization. The email purports to be offering iPads for an absurdly low price. However, there are only 25 left at this price. The link in the email leads to a fake website that uses a drive-by-download script that drops a keylogger on the employee's computer. What motivation factor did the penetration tester use in this scenario?

Social proof Urgency

A penetration tester sends email to an employee of the target organization, claiming to be a sales rep on the road. She claims in the email that she forgot her VPN password and now it is locked because she tried too many wrong ones. She asks the employee for his VPN username and password so she can log on and update the customer database with a huge new order. She mentions in the email that one of the target employee's coworkers has done this for her in the past and it wasn't a big deal. What motivation factors did the penetration tester use in this scenario? (Choose two.)

nmap 192.168.1.0/24 -Pn

A penetration tester wants to run a port scan on all hosts on the 192.168.1.0 subnet (with a subnet mask of 255.255.255.0) without actually discovering the hosts first. Which command should she use?

-iL -sV

A penetration tester, using nmap, has been asked to conduct OS fingerprinting using a company-provided text file that contains a list of all the IP addresses. What switches would you need to include in your code to conduct OS fingerprinting using the text file? (Choose two.)

The device is tuned more toward false positives.

After several attempts, a tester was able to gain unauthorized access through a biometric sensor by using the tester's own fingerprint without exploitation. What happened with the biometric device that allowed the tester to gain access?

