PenTest+
What tool uses various Python libraries such as PdfMiner, GoogleSearch, and Hachoir to scrape the metadata and then display the information using HTML?
Metagoofil
record lists the authoritative DNS server for a particular domain.
NS, Nameserver
A penetration tester is conducting OSINT reconnaissance against key employees to try to find avenues into the network and notices that they belong to specific communities. Which of the following would most likely help them target these niche areas?
A security professional is looking for an organization's code that might have been posted publicly by developers. Which of the following sources is least likely to contain accidental posts by a company's developers? Reddit, GitHub, Bitbucket, CloudForge
What are the two best options to select in a nmap scan for IDS evasion?
T0, T1
A penetration tester is conducting an nmap scan but wants to conserve bandwidth. What timing setting should they use?
T2
What is the recommended choice for a fast scan that is still pretty stable in nmap?
T4
Malicious actors circumvent proxy protections by identifying the origin network or IP address and then launching a direct attack.
direct-to-origin attack (D2O)
Nmap switch to fingerprint the operating system and interrogate its services
-O or -sV
String that is the username to be authenticated
CName, Canonical Name
A security professional is checking for domains based on certificates that are no longer allowed. What could they check for this?
CRL
contains a list of 14 documents that relate to PenTesting, such as guidelines on business continuity and disaster recovery along with legal and regulatory compliance
ISSAF
A penetration tester is trying to become more efficient and effective by looking at standards for best practice guides on penetration testing. Which of the following should they look at?
PTES Penetration Testing Execution Standard
A new penetration tester is creating a summary of their first upcoming process and wants to follow the standard process. What step takes place after planning?
Reconnaissance
What is the most stable option in nmap?
T3
What is the site that is dedicated to mapping and indexing access points?
WiGLE
A penetration tester is conducting a test against external-facing websites. Which of the following tools is specifically geared towards website enumeration?
dirbuster
threat x vulnerability =
risk
What parameter in nmap creates a grepable file that can be searched?
-oG
A security professional is conducting a nmap scan during a reconnaissance phase of a project and wants to save the results to a text file for later analysis. Which parameter is used?
-oN
Nmap switch that uses a full TCP Connect scan using the 3-way handshake
-sT
A penetration tester is currently reviewing the adherence to organizational policies and procedures. Which controls help to monitor this?
Administrative
A company recruited a penetration tester to configure a wireless IDS over the network. Which of the following tools would BEST test the effectiveness of the wireless IDS solution?
Aircrack-ng
A security researcher is analyzing various on-path attack techniques to develop detection mechanisms against them. Which of the following is NOT an on-path attack? DNS poisoning, ARP poisoning, MAC spoofing, Biometric spoofing
Biometric spoofing
A security professional is conducting network reconnaissance and is trying to use advanced nmap scripts. Which of the following is NOT one of the main categories of nmap scripts? Malware, Discovery, Vulnerabilities, Brute forcing
Brute forcing
A penetration tester is asked to conduct an assessment for security issues that occur during a web transaction. What tool could they use to interact as a local proxy to intercept and capture the HTTP requests?
Burp
A security student is analyzing how nmap determines a particular operating system. Which of the following is NOT a component of how the operating system is determined? CName, DF, WS, TTL
CName
A company has contracted an independent penetration testing company to do API testing. Which of the following are they most likely testing?
Cloud resources
A penetration tester gains access to a system and establishes persistence, and then runs the following commands: cat /dev/null > temp; touch -r .bash_history temp; mv temp .bash_history. Which of the following actions is the tester MOST likely performing?
Covering tracks by clearing the Bash history
Sending bogus records to a DNS resolver, when the victim requests an IP address, the DNS server will send the wrong IP address.
DNS cache poisoning
A penetration test is being conducted on a Department of Motor Vehicles' vehicle. What should the testers take into consideration when performing the assessment?
DPPA, driver's privacy protection act
governs the privacy and disclosure of personal information gathered by state Departments of Motor Vehicles
DPPA, driver's privacy protection act
Identify the application exploit: A common type targets a protocol, a device, an operating system, or a service
DoS Attack
A security tester is looking for custom scripts against uncommon services which they can't find in MetaSploit. Which of the following could they look at to possibly find what they need?
ExploitDB
Which hosting arrangement includes assets that are hosted by the client organization itself?
First-party hosted
A project manager is reviewing the scope of a penetration test. Which of the following is least likely to be included? Location, Target exclusions, Framework, Tools
Framework
A penetration test is being conducted on a financial institution. Which of the following is geared to ensure the security and confidentiality of client information?
GLBA
requires financial institutions to ensure the security and confidentiality of client information and take steps to keep customer information secure
GLBA, Gramm-Leach-Bliley Act
A company is setting up a new PoS system and wants to scan to be able to test the system for any security issues prior to implementation. What type of test should they have done?
Goal-based
A systems administrator is looking at migrating to the cloud and hears a bunch of new terminologies they are not familiar with. What makes up a cloud federation?
Infrastructure, platform services, and software
A student is studying cyber security and reads about a tool called Responder. The student sets it up on their home network to test on devices that they own. Which protocols should they filter during packet captures to see what is happening?
LLMNR, NBT-NS
A penetration tester is conducting a PCI DSS compliance report for a large company that does ten million transactions a year. What level should they comply with?
Level 1
What PCI Level should a company comply with if they have over 6 million transactions a year?
Level 1
What PCI Level should a company comply with if they have 1 million - 6 million transactions a year?
Level 2
What PCI Level should a company comply with if they have 20,000 - 1 million transactions a year?
Level 3
What PCI Level should a company comply with if they have under 20,000 transactions a year?
Level 4
A project manager is preparing documentation that covers recurring costs and any unforeseen additional charges that may occur during a project without the need for an additional contract. Which of the following should they prepare?
MSA
record provides the mail server that accepts email messages for a particular domain.
MX, mail exchange
An audit tool for use with Amazon Web Services only. It can be used to evaluate cloud infrastructure against the Center for Internet Security (CIS) benchmarks.
Prowler
A penetration tester who is doing a security assessment discovers that a critical vulnerability is being actively exploited by cybercriminals. Which of the following should the tester do NEXT?
Reach out to the primary point of contact
An attack where a malicious actor sits in the middle or in the path of a connection
on-path attack
A security professional is conducting a nmap scan during a reconnaissance phase of a project and wants to save the results to be converted into HTML later. Which parameter is used?
-oX
A security professional is conducting a nmap scan during a reconnaissance phase of a project and wants to save the results to be imported into a database later. Which parameter is used?
-oX
A security professional is conducting a nmap scan during a reconnaissance phase of a project and wants to save the results to be studied in Zenmap later. Which parameter is used?
-oX
A penetration tester suspects a firewall is blocking their scan attempts and wants to try a TCP ACK scan to get around this. What nmap switch would they use?
-sA
Nmap switch used to run a UDP scan
-sU
Nmap switch that conducts a Christmas tree scan by sending TCP segments with the FIN, PSH, and URG flags set to bypass a firewall or IDS
-sX
Provides an intuitive framework that steps you through the assessment process and includes a dashboard, security recommendations, and specifications for testing resiliency.
MSTG Mobile Security Testing Guide
A security professional is researching the latest vulnerabilities that have been released. Where is a good resource they can go to in order to look at these?
NVD, National Vulnerability Database
A security professional wants to test an IoT device by sending an invalid packet to a proprietary service listening on TCP port 3011. Which of the following would allow the security professional to easily and programmatically manipulate the TCP header length and checksum using arbitrary numbers and to observe how the proprietary service responds? Nmap, tcpdump, Scapy, hping3
Nmap
A student is studying penetration testing methodologies and is trying to narrow in their skill sets to web application testing. Which of the following should they focus on?
OWASP
An organization aimed at increasing awareness of web security and provides a framework for testing during each phase of the software development process.
OWASP Open Web Application Security Project
What operating system would most likely return a packet with a 128 TTL?
Windows
A security firm is looking at expanding operations outside the United States. Which of the following tools might be illegal to use due to U.S. encryption export regulations?
Wireshark
What application creates a visual of the network topology?
Zenmap
Identify the application exploit: During an attack, a threat actor is able to use a back door and gain system level access
privilege escalation
Identify the application exploit: An attack is performed on a server by using numerous fragmented requests
resource exhaustion
Identify the application exploit: in this attack, the hardware leaks sensitive information such as cryptographic keys
side-channel attack
Linux command that displays the OS name, version, and other details.
uname -a
A penetration tester likes the functionality of Armitage and wants to get a fuller paid version for use on client tests. What should they look into?
Cobalt Strike
A company is expanding operations to Europe and wants to make sure that they won't run into any security issues during expansion. What type of test should they have done?
Compliance
What attack uses seemingly legitimate HTTP GET or POST requests to attack a web server? It does not require spoofing or malformed packets but can consume a high number of resources with a single request.
HTTP Flood
What program will list the vulnerabilities along with the risk rating that summarizes the overall state of the site that was tested?
OpenVAS
A security professional is looking for interesting targets on a public-facing web server. What would show them areas of the server that are not supposed to be crawled?
Robots
What protocol or technology would provide in-transit confidentiality protection for emailing the final security assessment report?
S/MIME
A project manager for a penetration company has received a notice about a contract being terminated. The project manager wants to review the documentation to see specifically what is allowed under the termination clauses. Which document should they look at?
SLA
A network administrator is looking at the security of their Domain Name System servers and is researching common attacks against DNS. Which of the following is NOT as common of an attack geared towards DNS services? Flood attacks, Cache poisoning, Zone transfer, SMB attacks
SMB attacks
A security tester is looking at vulnerabilities regarding shared accounts. In which of the following environments are shared accounts more likely to be found?
SOHO
What document describes specific activities, deliverables, and schedules for a penetration tester?
SOW - Statement of Work
A penetration tester is working on a project and sees a fairly recent VoIP vulnerability has come out. Which of the following records would best help them narrow down potential targets?
SRV, Service
record provides host and port information on services such as voice over IP (VoIP) and instant messaging (IM).
SRV, Service
A project manager is researching migrating to the cloud, specifically a PaaS model. Which of the following attacks is PaaS particularly subject to?
Side-channel
A penetration tester wants to try keeping multiple fake web connections open for as long as possible, until the maximum number of allowed connections is reached. They want to employ this method on a test server to see how much they will be able to handle before needing to scale outwards. What type of attack should they use to test this?
Slowloris
A security auditor is assessing SMB vulnerabilities and conducting a scan against the services. In order to speed up the scan, what port should they specify?
TCP 139
A security engineer is trying to understand the default behavior of nmap scans during host discovery. What does nmap send to port 80?
TCP ACK
record provides information about a resource such as a server or network in human readable form.
TXT, text
A company is contracting a penetration test because they want to save money by going with a smaller, newer hosting company. However, they are worried the company may have fewer resources and less security expertise and may be easier to attack than larger, more mature providers. What is this called?
Third-party hosted
A penetration tester is conducting a physical test on-premise and is attempting to exploit human errors. What is this called?
Vulnerability
Identify the application exploit: An attacker uses stolen user credentials to mass email fraudulent information
account takeover
Identify the application exploit: in this attack, the focus is on saturating the bandwidth of the network resource
amplification attack
Linux command that lists all users on the system
cat /etc/passwd
Identify the application exploit: A user receives an email that contains a link to reset an expired account password
credential harvesting
Identify the application exploit: in this attack, safeguards such as reverse proxies are circumvented
direct-to-origin attack
A penetration tester has been contracted to do a test for a hospital and is looking at computerized electronic patient records. What are these referred to as?
e-PHI
A penetration tester has landed a shell on a Linux box and wants to find out more about the users' login and idle time. Which built-in bash command should they use?
finger
Identify the application exploit: Weakly configured policies that are intended to trust domains expose the site to XSS attacks
incorrect origin settings
Identify the application exploit: A malicious actor discovers a web-based container where malicious code can easily be stored
incorrect permissions
Identify the application exploit: A common type of this includes Cross Site Scripting XSS
injection attack
A security researcher wants to search a website for PDF documents only. What metagoofil parameter could they use?
metagoofil -t
Identify the application exploit: a malicious actor sits in the middle of an ongoing conversation
on-path attack