PenTest+ Review
What levels of business are required to complete a Report on Compliance for PCI DSS requirements? (Select all that apply) - Level 1 - Level 2 - Level 3 - Level 4 - Level 5
1 & 2
A penetration tester is looking for something that provides structured machine-to-machine communication for the automation of processes. What can the tester use to complete this task? - Network - API - Cloud - Wireless networks
API
What does NMap provide when scanning a host without the use of any options? (Select all that apply) - UDP Ping - ARP Requests - ICMP type 13 - SCTP initiation ping
ARP Requests & ICMP type 13
A PenTester simulates an attack on a wireless network by capturing frames and then using the information to further an attack on a discovered Basic Service Set (ID) of an access point. What specific tool has the PenTester used to initiate the attack? - Aircrack - Airmon - Airodump - Aireplay
Airodump
What is a distinctive feature of Recon-ng? - Searches company's visible threat landscape - Search engine for IoT devices - Specializes in visualization of data - Allows for customization using different modules
Allows for customization using different modules
Where might screenshots of network activity and printouts of test results be found? - Conclusion - Executive summary - Attack narrative - Appendix
Appendix
A new piece of malware attempts to exfiltrate user data by hiding the traffic and sending it over a TLS-encrypted outbound traffic over random ports. What technology would be able to detect and block this type of traffic? - Stateful packet inspection - Application-aware firewall - Stateless packet inspection - Intrusion detection system
Application-aware firewall
What techniques are commonly used by port and vulnerability scanners to enumerate the services running on a target system? - Using the -O option in NMap & UDP response timing - Banner grabbing & comparing response fingerprints - Banner grabbing & UDP response times - Comparing response fingerprints and registry scanning
Banner grabbing & comparing response fingerprints
A target's machine has its ports configured to listen for communication sent from a hacker's computer. Which of the following best describes the program the hacker is using? - Snow - Blind shell - Evil twin - Session hijacking
Blind shell
A software engineer is creating code that can be used by most scripting languages to leverage true/false logic. What is the engineer using in the script writing? - Conditionals - Boolean operator - Comma-separated-value (CSV) - Classes
Boolean operator
What tool allows interpreted results from NMap to automatically start Medusa against the unauthorized open ports? - mitm6 - Brutespray - Patator - Hydra
Brutespray
What vulnerability does "strcopy" introduce? (BONUS: How do you negate it?) - Stack overflow - Buffer overflow - Integer overflow - Insecure object reference
Buffer overflow (BONUS ANSWER: ASLR)
A PenTesting team is using a proxy that gathers more data to check for security issues that occur during a web transaction. What is the PenTesting team using to test web applications? - Zenmap - Zonefile - Burp Suite - NMap
Burp Suite
What tool is an online resource that helps mask reconnaissance efforts? - Ostinato - packETH - Snow - Censys
Censys
Which of the following attacks can be used to retrieve encryption keys given physical access and a limited timeframe? - Connect to the serial console - Cold boot attack - Credential brute forcing - JTAG debugging
Cold boot attack
Which tools make it easier for PenTesters to automate the process of exploiting the Registry, Active Directory objects, group policy, the Windows network stack, and more? (Select all that apply) - Covenant - Trojan - Empire - Mystic
Covenant, Empire, & Mystic
Which of the following best helps identify vulnerabilities in an Active Directory environment? - CrackMapExec - w3af - SCAP - OpenVAS
CrackMapExec
Which of the following should the penetration tester perform to verify compliance with a baseline? - Credentialed scan - Full scan - Stealth scan - Discovery scan
Credentialed scan
An employee loses a smartphone while on vacation. The device is used in a BYOD program and contains sensitive data related to the business. Which vulnerability does the company face with the loss of the phone? - Forensics complications - Deperimeterization - Patching fragmentation - Compromise
Deperimeterization
You are conducting a wireless penetration test against an organization. You have been monitoring the WPA2 encrypted network for almost an hour but have been unable to successfully capture a handshake. Which of the following exploits should you use to increase your chances of capturing a handshake? - Downgrade - Fragmentation - Karma - Deuathentication
Deuathentication
What is an NSE script used for? @@@ - Changing OS versions = Crawling a website - Deliver malware - Discover vulnerabilities
Discover vulnerabilities
Which of the following helps reduce repetition and increase reach by ensuring the team is not missing important areas to scan or that two team members are not working on the same exploitation path simultaneously? @@@ - Metasploit - Nessus - Cobalt strike - Dradis
Dradis
What does the PHP HTML Purifier library look for exactly? - Null bytes - Escaping - XSS (Cross-Site Scripting) - Parameterized queries
Escaping
Which of the following is NOT part of the MSA? - Environmental concerns - Project scope - Compensation specifics - Executive report
Executive report
What kind of scan can limit a target's ability to track the malicious attack? (Select three) - FIN - SYN - Curl - NULL
FIN, SYN, & NULL
Which tool helps recover WEP/WPS/WPA keys? - IDA - EAPHammer - Fern - Netcat
Fern
An attacker is not using a virus to perform an attack. Instead, the attacker uses tools that are part of the OS or the administration tools to launch an attack. What is the attacker using? - Windows Management Instrumentation (WMI) - Steghide - Fileless malware - Exposing sensitive data
Fileless Malware
A security manager considers implementing job rotation between various analysts and engineers. How does job rotation help? (Select two) - Less chance for mistakes - Flexibility - Retention - Reduce insider threat
Flexibility & Retention
Which of the following methods should a cybersecurity analyst use to locate any instances on the network where passwords are being sent in cleartext? - Full packet capture - SIEM event log monitoring - Net flow capture - Software design documentation review
Full packet capture
Which of the following produce modular, reusable code in scripting and programming? - Objects - Functions - Variables - Classes
Functions
Which of the following is an NSA-created tool based on GNU Debugger (GDB)? - Immunity - OllyDbg - WinDbg - Ghidra
Ghidra
What tool is used to find subdomains and their respective directories? - truffleHog - GoBuster - BeEF - Wapiti
GoBuster
Which of the following are effective tools in conducting reconnaissance against directories and files ON WEB SERVERS? - Gobuster - TruffleHog - Dirbuster - ZAP
Gobuster & Dirbuster
Which of the following are used to craft custom packets? - Immunity - Hping - Scapy - Kismet
Hping & Scapy
Which of the following tools provides a penetration tester with Python classes with low-level program access to packets, protocols, and their implementation? - Responder - Empire - Searchsploit - Impacket
Impacket
What is the main caveat to consider when using a WPS PIN attack? - It can only occur on Android OS, Blackberry and Windows-based systems - It disguises the communication source - It takes the credentials from a badge and duplicates them - It serves as the mediator in a data exchange
It can only occur on Android OS, Blackberry and Windows-based systems
What is the main caveat associated with the use of the Nmap tool? - It determines if the network can handle flooded traffic - It is a technique that uses every possible option - It does not require the user to break away from the session - It sits as a man-in-the-middle
It does not require the user to break away from the session
What is the main caveat regarding cloud malware injection attacks? - It allows a malicious actor to circumvent the organization's use of reverse proxy protection and attacks - It occurs when the malicious actor injects malicious code into an application - There are discrepancies between infrastructure, platform services, and software - It can target a protocol, device, OS, or service, and consume all available resources resulting in degradation or failure.
It occurs when the malicious actor injects malicious code into an application
What is a main caveat to Blind SQLs? - Its response does not contain the results of the query - It tests the SQL injection to determine if true or false results are achieved - It is good at identifying web server vulnerabilities - It is comprised of vulnerabilities that come from design or implementation issues
Its response does not contain the results of the query
Which of the following is an open standard data encoding format that uses data representation and manipulates easily with scripts? - JavaScript Object Notation - Python - PowerShell - Bash
JavaScript Object Notation
What tool searches for rogue APs? - Maletgo - Kismet - Recon-ng - Kali Linux
Kismet
What tool detects a load balancer? - NMap - Metasploit - LBD - Shodan
LBD
An organization plans to apply numerous software patches to remedy vulnerabilities found during a recent PenTest exercise. The PenTest team returns to assist and test that systems are secure. Which vulnerability lifecycle phase does the team participate in? - Discover - Coordinate - Document - Manage
Manage
Which of the following networks should the hypervisor's management interface be exposed to ensure the best security of the virtualization platform? - Screened subnet - External zone - Internal zone - Management network
Management network
A software tester uses a tool that serves as a parallel brute forcer for network logins. What tool demonstrates these capabilities? @@@ - Metasploit - Mimkiatz - Mitm6 - Medusa
Medusa
Which of the following is a password cracker for Linux? - Mimikatz - CeWL - Medusa - W3AF
Medusa
A security expert uses a tool to scan and exploit a system from the command line while using a default Kali Linux install. Which tool does the expert use? @@@ - Cobalt Strike - Armitage - Metasploit Pro - Metasploit Framework
Metasploit Framework
What attack is facilitated using Nessus? - OSINT - Phishing - MiTM - Stealing data
MiTM
What tool can extract a cleartext password from system memory? - Mimikatz - Hydra - Medusa - Brutespray
Mimikatz
A new PenTester looks for a command and control (C2) tool that will provide consistently good results with Mac OS. Which tool does an experienced penetration tester suggest? - Nishang - Covenant - Mythic - Empire
Mythic
A new Penetration Testing team is looking for guidance on cybersecurity policies, procedures, and guidelines. Where can the team look to find these details? - NIST - OWASP - PTES - OSSTMM
NIST
Which of the following is NOT a compliance standard that requires organizations to maintain a secure environment? - NIST - CCPA - HIPAA - PCI DSS
NIST
A penetration tester is wanting to use a tool that reads and writes raw data over a network and includes support for proxy connections along with IPv6 and SSL communications. What tool can the tester use to read and write this data? - Netcat - Nikto - Ncat - Nessus
Ncat
Which of the following commands provides information about other systems on a Windows network? - Net group - Net user - Net view - Net config
Net view
A PenTest team considers which issue as part of the lessons learned phase? - Client acceptance - New vulnerabilities - Mitigation implementation - Client follow-up
New vulnerabilities
What is scanned when using Nmap -sV? @@@ - Web logs - Software - Ports - OS Fingerprints
OS Fingerprints
Which resource provides a holistic, structured approach to PenTesting and offers its core materials without any cost? - PTES - NIST - OWASP - OSSTMM
OSSTMM
A team is using a tool that is a scriptable debugger that allows them to perform various security-related tasks on unencrypted iOS applications. What type of tool is the team using? - MDM - Frida - Objection - Reverse engineering
Objection
What kind of attack is an example of IP spoofing? - On-path attack - Cross-site scripting - SQL injections - ARP poisoning
On-path attack
Which standard helps pentesters formalize reports for engagements? - HKCU - W3AF - PTES - ZAP
PTES
What can be leveraged to find a comprehensive overview of the proper structure of a pentest? (BONUS: What does the answer stand for?) - ISSAF - OWASP - PTES - NIST
PTES (BONUS ANSWER: Penetration Testing Execution Standard)
Which of the following can be used to retrieve information about an organization's network without causing an IPS alert? (BONUS: Why is it not anything revolving NMap?) - Use a NMap ping sweet - Perform DNS zone transfer - Use NMap stealth scan - Perform DNS brute-force attack
Perform DNS brute-force attack (BONUS ANSWER: NMap is easily discoverable by the IPS as it sets off many alerts.)
Created in the late 1980s, this programming language was a general-purpose Unix scripting language for text manipulation. - Python - PowerShell - Perl - Ruby
Perl
Which Nmap switch can the sysadmin use to treat all targets as online? - sP - sV - O - Pn
Pn
A U.S. based company has collected data on European Union citizens and wants to transfer the data outside the EU. What US regulation should the data be protected by? - CCPA - Privacy Shield - PCI DSS - NIST
Privacy Shield
Instead of writing scripts and code from scratch for each penetration test, a PenTester might create modular and reusable code to use over and over again, involving what? @@@ - Variables - Objects - Procedures - Classes
Procedures
A penetration test team manager is looking for a command-line tool that enables PenTesters to mask their identity and/or source IP address by sending messages through intermediary or proxy servers. What tool is the manager looking to acquire? - ProxyChains - Responder - Reaver - Recon-ng
ProxyChains
What program uses Server Message Block (SMB) to issue commands to a remote system? - WMI - Powershell - PsExec - Bloodhound
PsExec
Which might a security engineer use to illustrate the logic and functions of a script in a generic way? - Trees - Flow control - Psuedocode - Operators
Psuedocode
Which of the following is used to exploit the NETBIOS name service? @@@ - John the ripper - Nessus - Arpspoof - Responder
Responder
What is one of the most informative parts of a SSL/TLS certificate? (BONUS: What does the answer stand for?) - SAN(s) - Valid date - Location - Serial number
SAN (BONUS ANSWER: Subject Alternate Name)
Which type of testing is done early in the development lifecycle? - SAST - DAST
SAST
Which of the following is specifically suited to help an organization ensure they are in line with mandatory security requirements? (BONUS: What does it stand for?) - Retina - OpenVAS - Nessus - SCAP
SCAP (BONUS ANSWER: Security Content Automation Protocol)
A PenTest team looks to map a network for a customer. Which tools would be useful in creating a map? (Select all that apply.) - SMTP - ARP - WMI - SNMP - Nessus - Wireshark
SNMP, ARP, & WMI
Which standard focuses on remote management services on Windows systems? - SOAP - Session fixation - XML-RPC - Directory traversal
SOAP
Which of the following is used to enumerate a website's backend? - GDB - Yersinia - SQLMap - Medusa
SQLMap
What exploit can be used to capture all browsing traffic in an unencrypted format? - Deauthentication - SSL downgrade - On-path - SSL stripping
SSL stripping attack
An organization's legal team drafts a master service agreement (MSA) along with a PenTest team lead. What will the agreement include? (Select all that apply.) - Safety guidelines - Project scope - Team credentials & certifications - Contacts - Insurance information
Safety guidelines, project scope, & insurance information
Which of the following should you perform if your goal is to conduct a successful spear phishing attack? (BONUS: Why is it NOT D?) - Call the CTO's assistant using a pretext to gather information about their schedule - Send a text message with a malicious link to the organization's executives - Send targeted emails with malicious attachments to the sales team - Send a targeted email with a malicious attachment to the CEO
Send targeted emails with malicious attachments to the sales team (BONUS ANSWER: Because D is whaling, not spear phishing)
A software engineer must use a search engine to locate and index IoT devices that are connected to the Internet. What engine is the engineer using to conduct this test? - Shodan - Responder - Snow - Nessus
Shodan
What tool would search for internet-connected industrial control systems? - Shodan - Maltego - Recon-ng - theHarvester
Shodan
Which of the following is an attack-type on the cloud computing infrastructure? (Select all that apply) - Privilege escalation - Side-channel - Malware injection - Direct-to-origin (D2O)
Side-channel, malware injection, & D2O
A PenTester performs active reconnaissance as part of an exercise. The goal is to identify possible query formats for a web app that uses SQL. What method does the PenTester use when using a select query? @@@ - Blind SQL - Stack multiple - Time-based blind SQLi - Single quote
Single quote
What is one feature of Nmap that can help in reconnaissance? - Sniffing - Scoping - Scanning logs - Scraping websites
Sniffing
Which of the following tools uses the combination "Message, Password, Text File, Output" to conceal data in the white spaces of the text? - StegHide - Coagula - Snow - OpenStego
Snow
A malicious actor initiates an attack that injects malicious code or links into a website's forums, databases, or other data. What type of attack is the actor initiating? (Select two) - Word lists - Command injections - Stored - Persistent
Stored & Persistent
Which of the following is a major concern regarding pentesters removing credentials as part of their cleanup procedures? - Setting off alerts - Locking out employees - Breaking production dependencies - System corruption
System corruption
Where should you look for persistence in a WINDOWS system? @@@ - crontab - systemd - Task Scheduler - HKLM
Task Scheduler & HKLM
When defining the communication path, what should an IT manager establish for a PenTest team? - Testing threshold - Testing asset - Testing start time - Testing scope
Testing threshold
A PenTest team discovers that a DNS server responds to dynamic DNS updates without authentication. What causes this action? - The server contains invalid records - The server is authoritative - The server has a poisoned cache - The server uses recursion
The server uses recursion
What tool can be used to ensure you are not exposing sensitive information within a code repository to the public? - Burp Suite - ZAP - Wapiti - TruffleHog
TruffleHog
What is the finger command used for? (BONUS: What OS is it used on?) - View a user's home directory - Obtain OS information - View devices on the network - Packet inspection
View a user's home directory (BONUS ANSWER: Linux)
Which of the following helps conduct OSINT gathering regarding administrative and technical contacts? - Whois - WMI - Censys - Shodan
Whois
A software architect is looking to acquire a site dedicated to mapping and indexing access points. What can the architect obtain to get this desired mapping? - WiGLE - Aircrack-ng suite - WPScan - Wireshark
WiGLE
Which of the following tools is most likely to be limited in use due to differing confidentiality laws? - Nessus - NMap - Wireshark - SSH
Wireshark
During a vulnerability scan, you notice that the hostname www.diontraining.com is resolving to www.diontraining.com.akamized.net instead. Based on this information, which of the following do you suspect is true? - The server assumed you are conducting a DDoS attack - The scan will not produce any useful information - You are scanning a CDN-hosted copy of the site - Nothing can be determined with the information provided
You are scanning a CDN-hosted copy of the site
Which of the following is used to set the command history to zero? - history -c - ech """ >-/bash_history - ALT+F7 - export HISTSIZE = 0
export HISTSIZE = 0
Which of the following tools can NOT be used to conduct a banner grab from a web server on a remote host? - ftp - wget - netcat - telnet
ftp
Which Nmap switch can help determine open ports? - sV - sU - sn - PR
sU
What is the best way to stop remote root logins from occurring while still allowing normal users to connect using SSH? - Add root to the sudoers group - Network IPS rule to block root logins - sshd_config to deny root login - IPtables rule blocking root login
sshd_config to deny root login
