Pentest+ Book Questions


After installing a customer's mobile application from the Google Play Store to your jailbroken iPhone, your next step is to dump the application bundle into an IPA using Clutch so you can use it to conduct static analysis. By default, where does Clutch store IPA files postprocessing? A. /var/tmp/clutch B. /var/tmp C. /tmp D. /storage

A. /var/tmp/clutch Answer: A - By default, Clutch will store all IPA files in the /var/tmp/clutch directory

Match the following concepts to the right contract or document. A. Acceptable Criteria B. Dispute Resolution C. Terms of information disclosure D. Indemnification statements E. Deliverables schedule F. Testing authorization G. Authorized methods for testing H. Communication and escalation paths i. Nondisclosure agreement (NDA) ii. Statement of work (SOW) iii. Master service agreement (MSA) iv. Rules of engagement (RoE) v. Permission to test

A. Acceptable Criteria - SOW B. Dispute Resolution - MSA C. Terms of information disclosure - NDA D. Indemnification statements - MSA E. Deliverables schedule - SOW F. Testing authorization - Permission to test G. Authorized methods of testing - RoE H. Communication and escalation paths - RoE ANSWER: C. The NDA defines the terms of confidentiality, including when and how information can be shared and disclosed. A, E. The SOW defines the work activities to be completed, when deliverables are scheduled, and what acceptance criteria apply. B, D. The MSA defines indemnification and other elements of the business relationship, including processes for dispute resolution. G, H. The RoE clarifies items from the SOW, such as allowed tests, targets, and details of the communication plan. F. Permission to test provides proof that you are authorized to test

Match the following concepts to the appropriate standard or framework A. Associates tools with testing tasks B. Contains matrices of TTPs C. Provides certification options D. Associated with U.S. government E. Guidance for pentest metrics F. Web application attacks G. Focused exclusively on pentesting, community-driven methodology encompassing other frameworks and standards i. MITRE ATT&CK ii. OWASP Top Ten iii. NIST iv. PTES v. OSSTMM vi. ISSAF

A. Associates tools with testing tasks - ISSAF B. Contains matrices of TTPs - MITRE ATT&CK C. Provides certification options - OSSTMM D. Associated with U.S. government - NIST E. Guidance for pentest metrics - OSSTMM F. Web application attacks - OWASP Top Ten G. Focused exclusively on pentesting, community-driven methodology encompassing other frameworks and standards - PTES ANSWER: B. MITRE ATT&CK is a framework referenced by matrices containing tactics, techniques, and sub-techniques. F. The OWASP Top Ten is associated with enumerating web application attacks. D. NIST standards are often used by the U.S. government. G. PTES focuses exclusively on pentesting and consists of community-driven standards. It freely incorporates other frameworks and technical guides as supplemental resources. C, E. OSSTMM has certification options via ISECOM, and OSSTMM provides a methodology for measuring and reporting risk values (pentest metrics). A. ISSAF, while designed for security assessment more than pentesting, has best practices for engagement and lists testing tasks with their associated tools for each task

Before executing an STP discovery, your team asks how to determine which version of STP type a root switch is using (i.e., RSTP, MSTP). How do you reply? A. By inspecting the Bridge Protocol Data Units in the update frame B. By looking at the TSP header of the packet C. By inspecting the Bridge Protocol Data Units in the data frame D. By inspecting the Bridge Protocol Data Units in the management frame

A. By inspecting the Bridge Protocol Data Units in the update frame Answer: A - Wireshark will provide you with the version of the STP type (STP, RSTP, or MST) by inspecting the Bridge Protocol Data Units (BPDUs), which are the update frames that are multicast between switches over the network every so often to determine if a port is in a forwarding or blocking state (prevents looping) and to determine the root bridge during the election process

Match the following concepts to the appropriate regulation. A. Cardholder data environment B. Personally identifiable information C. Privacy of people in the European Union D. Industry enforced E. Government enforced i. PCI-DSS ii. GDPR

A. CDE - PCI-DSS B. PII - GDPR / PCI-DSS C. Privacy of people in the EU - GDPR D. Industry enforced - PCI-DSS E. Government enforced - GDPR ANSWER: A,B,D - PCI-DSS concerns PII when it is cardholder data (CHD) and involves testing of the security of the card data environment and is regulated by the industry B,C,E - GDPR is an EU regulation pertaining to the privacy rights of people in the EU. It covers PII as part of this and is enforced by the government

Which of the following are valid client-side attacks? (Select all that apply) A. Clickjacking B. Command injection C. Directory traversal D. Reflected HTML injection E. DOM-based XSS F. Session hijacking

A. Clickjacking D. Reflected HTML injection E. DOM-based XSS F. Session hijacking Answer: A,D,E,F - All the answers are correct, with the exception of command injection and directory traversal. Those types of attacks are for server-side vulnerabilities

Select two methods you can use to install third-party applications to a jailbroken iDevice. A. Cydia B. idb C. Impactor tool D. Clutch

A. Cydia C. Impactor tool Answer: A,C - The two correct answers are Cydia application store, when you have internet connectivity and can use the Cydia mobile app on the iDevice to download and install packages, and the Impactor tool, when you are either first jailbreaking the phone or when you don't have Internet connectivity available. You can connect over USB, drag-and-drop IPA files, and install directly to the device through Impactor

Which protocols provide name resolution? (Select all that apply) A. DNS B. ARP C. LLMNR D. DIG

A. DNS C. LLMNR Answer: A, C - The Address Resolution Protocol (ARP) is used to resolve MAC addresses to IP addresses, not hostnames, and DIG is a program used to interrogate DNS name servers and is not a protocol

In order to crack the WPA or WPA2 PSK, you will need to capture the four-way handshake. During a pentest, your team identifies multiple clients on the target network. What is the best way to capture the handshake? A. Deauthenticate one of the clients B. Send multiple ARP requests over the network C. Deauthenticate all the clients on the network D. Send multiple ARP requests to the access point

A. Deauthenticate one of the clients Answer: A - Deauthentication tells the client to disassociate from the wireless network. Deauthenticating one client at a time until you capture the handshake would be the recommended choice of action, as it helps to remain quiet in your approach and would be the method that would cause the least amount of resistance from customers during an engagement

What effective methods can ensure the secure delivery of the customer's pentest? (Select two.) A. Encrypted file B. Encrypted file system C. E-mail D. Encrypted e-mail

A. Encrypted file D. Encrypted e-mail Answer: A,D - The delivery method for the report should be agreed to by all parties identified in the RoE. The delivery methods may include encrypting the report and using a secure transport mechanism like encrypted e-mail to deliver it

One important step during post-exploitation is to gain situational awareness to gather important knowledge of the host and internal network. Which of the following techniques from the MITRE ATT&CK framework are identified as "discovery" tactics? (Select all that apply) A. Enumerate files and directories on the local or shared file system B. Search for local or domain-level groups and permission settings C. Timestomp files and directories after exploitation D. Use a protocol native to the operating system like SSH or FTP to transfer files

A. Enumerate files and directories on the local or shared file system B. Search for local or domain-level groups and permission settings Answer: A,B - Enumerating files and directories on local or shared file systems (File and Directory Discovery: T1083) and searching for local or domain-level groups and permission settings (Permission Groups Discovery: T1069) are two techniques related to gaining situational awareness

You're pentesting a small domain with several hundred user and service accounts. You want to try to Kerberoast the domain. Which of the following should you do? A. Identify a handful of vulnerable accounts to start with B. Grab as many vulnerable accounts as possible C. Attempt to get as much information as possible about all domain accounts D. Check the MSA to make sure that Kerberoasting is allowed

A. Identify a handful of vulnerable accounts to start with ANSWER: A. Start with as narrow a scope as possible

What is one advantage of developing a mobile application in Swift versus Objective-C? A. It is a modern-day language that closely resembles English B. It makes it easier for programmers who have developed code for many years C. Objective-C is a newer language than Swift. D. Objective-C is open source and Swift is not.

A. It is a modern-day language that closely resembles English Answer: A - Swift is a modern-day language, and its code is more easily readable than Objective-C

What will this Bash output? grep derp.pro /proc/cpuinfo || grep processor /proc/cpuinfo && echo "Success" A. It will return all of the processors in /proc/cpuinfo and echo the word "success" B. It will show the entry from /proc/cpuinfo that matches the search for "derp.pro," display all the processors in /proc/cpuinfo, and echo "success" C. Nothing, since the first two commands can never match the third command D. It will display the processors in /proc/cpuinfo E. It will echo "success"

A. It will return all the processors in /proc/cpuinfo and echo the word "success" Answer: A - The first condition fails. The first decision is a logical OR, meaning that the second command executes only when the first one fails. Since there are processors listed in /proc/cpuinfo, that will succeed. Since the second decision is a logical AND, it will execute if the condition before it is successful (which it is).

An IEEE standard used to address the issue of debugging and connecting to embedded devices on a circuit board is called what? A. JTAG B. RMF C. XCode D. Clutch

A. JTAG Answer: A - JTAG is an industry standard and common hardware interface for verifying designs and testing methodologies. Typically added (and sometimes hidden) by the manufacturer, the JTAG interface could be used to connect to a console and get command-line access to an embedded device.

The evil twin access point is a type of attack used to duplicate the existence of a legitimate access point in order to entice victims to connect for the purpose of targeting end-user devices or communications. Another way to imitate all possible access points from client beacon requests is called what? A. Karma attack B. Replay attack C. AP replay attack D. Social engineering attack

A. Karma Attack Answer: A - The karma attack will target any SSID it discovers in order to increase the likelihood for exploitation

The Social-Engineer Toolkit (SET) is a Python-based framework that can do which of the following? (Select all that apply) A. Send e-mails to targets B. Scan IP addresses C. Produce SMS attacks D. Engage in Wi-Fi calling

A. Send e-mails to targets C. Produce SMS attacks Answer: A, C - SET helps facilitate various types of social engineering attacks. Two types of attacks it can be used for are e-mail and SMS-based social engineering attacks

WEP uses an encryption algorithm called RC4, which was developed by Ronald Rivest. RC4 is a ____________ cipher, which is a symmetric key cipher used to expand a short key into an infinite pseudo-random keystream. A. Stream B. Asymmetric C. Block D. Secret

A. Stream Answer: A - RC4 is an older encryption algorithm that helps encrypt WEP networks. RC4 is a stream cipher used to combine plaintext with a pseudo-random keystream

What is the purpose of the Document Object Model (DOM) within a user's web browser? A. Structuring content in the browser B. Passing messages to other entities C. Storing encrypted values followed by the "#" sign D. Helping to mitigate against XSS attacks

A. Structuring content in the browser Answer: A - During runtime, the application will pass down the DOM structure content within the browser. DOM modules may include JavaScript code that can execute locally within the user's browser

XML files use which of the following to delimit fields in their records? A. Tags B. Commas C. Curly braces and colons D. Square brackets

A. Tags Answer: A - XML uses <tags> to delimit data

The Physical and Environmental Security domain from NIST SP 800-53 (rev 4) provides 20 different access controls that can be applied at different impact levels. All controls applicable to an organization's physical security scheme need to be assessed; however, when would a control require a technical assessment? A. When you need to ensure implementation of the control is effective B. Controls do not require a technical assessment, as all controls can be assessed by reviewing the organizational policy C. The results of the penetration test will determine which controls require a technical assessment D. After technically assessing the controls in a policy

A. When you need to ensure implementation of the control is effective Answer: A - The Physical and Environmental Security controls found in NIST SP 800-53 (rev 4) offer supplemental guidance on how a control can be assessed. In some cases, the control can be assessed by reviewing a policy control document. If the policy provides substantial evidence that the control is implemented, the control is satisfied. However, some controls can be assessed from a technical perspective, where the assessment is done against the security control mechanism to determine its effectiveness and identify any implementation weaknesses that may need to be mitigated

Which of the following modules would you use to enumerate AWS account data, and which tool implements it? A. aws__enum_account in Pacu B. Account - detect logins in Cloud Custodian C. ec2_enum in Pacu D. - aws profile in Scout Suite

A. aws__enum_account in Pacu Answer: A - Pacu implements modules, and the enum module that focuses on the AWS account details is aws__enum_account

Which of the following options could be an IDOR, given the following URLs? (Select all that apply) A. http://example.com/index.php?emp_id=12345 B. http://example.com/index.php C. http://example.com/sales.php?acct=4532345 D. http://example.com/profile.php?state=CA&zip=90001

A. http://example.com/index.php?emp_id=12345 C. http://example.com/sales.php?acct=4532345 Answer: A,C - The "acct=" and "emp_id" parameters are somewhat of a dead giveaway, in that they may be linked to another user's information that could be retrieved without the necessary access controls within the web application or database

During a pentest, you use the wmic command to identify unquoted service paths. You were able to find a path at C:\Program Files (x86)\data\shared files\vulnerable.exe and used accesschk.exe to find that you have write privileges in the "data" directory. To escalate privileges the next time the service is executed, you need to lay down an executable that will execute within the service path. What is the correct name for the executable that you should create? A. shared.exe B. filed.exe C. shared_files.exe D. Program.exe

A. shared.exe Answer: A - When the service starts, it will follow the execution path to C:\Program Files (x86)\data\shared files\vulnerable.exe to run the executable. Since the path is not in quotations in the registry, it will first look to load C:\Program Files (x86)\data\shared.exe because there is a space between the directory "shared files."

During a pentest, you come across an SSH private key (id_rsa) in a user's home directory and suspect that this key can be used to remotely log in to other Linux hosts. However, before you try to use the key, you want to compare the key to the contents of the authorized_keys file to ensure it matches one of the public keys stored in the file. Which command would you run to generate a public key from the private key? A. ssh-keygen -y -f id_rsa B. ssh-keygen -t rsa -b 2048 C. diff id_rsa.pub id_rsa D. openssl rsa -in id_rsa | cat id_rsa.pub

A. ssh-keygen -y -f id_rsa Answer: A - The ssh-keygen command is used to generate keys. To compare the private and public key values, you would generate a public key from the private key using the following syntax: ssh-keygen -y -f <private key>. Then, you could read the contents of the authorized_keys file and compare and contrast the differences, if any.

A user-defined function can help facilitate command execution during a pentest if the compromised database user has admin rights (e.g., root) or elevated privileges and the database is configured with the sys_exec( ) and ________ functions A. sys_eval ( ) B. system_eval ( ) C. exec_sys ( ) D. sys_udf ( )

A. sys_eval ( ) Answer: A - The sys_eval ( ) and sys_exec ( ) functions are required to be configured on the database server in order for a user-defined function (UDF) to be created, which can ultimately lead to command execution against the operating system with the privileges of the operating system user that owns the process

You find that the user account "user1" you just compromised might be permitted to execute privileged commands on the system using sudo. After you suspend command recording in your terminal window, you execute the sudo -l command and are not prompted for a password. To your surprise, the account can execute all commands on the operating system and you still are not prompted for a password. Which setting in the /etc/sudoers file would allow the user to execute commands without a password? A. %sudo ALL=(ALL:ALL) ALL B. %sudo ALL=(ALL:ALL) NOPASSWD:ALL C. user1 ALL=(ALL:ALL) ALL D. user ALL=(ALL:ALL) NOPASSWD:ALL

B. %sudo ALL=(ALL:ALL) NOPASSWD:ALL Answer: B - The account "user1" is likely in the sudoers group called "sudo." The NOPASSWD:ALL option will allow any command on the operating system to be executed without the need to prompt for a password. Using the groups or id -a command syntax, you would be able to see which groups the user was a part of. In the /etc/sudoers file, groups or users can be configured with specific sudo privileges on the local operating system

Which command flag tells hping3 to use a random-source IP address? A. --random-course B. --rand-source C. -S D. --S

B. --rand-source Answer: B - The --rand-source command flag can be used to randomize the source address

When conducting a port scan against a target, which Nmap flag is used to specify a port range? A. --p B. -p C. -Pn D. -ports

B. -p Answer: B - The -p flag option in Nmap will specify the port range. On the other hand, using -p- will initiate a full port scan, targeting all possible ports (65,535) that could be open.

Given the following URL, which two methods could be used to test for SQL injection against the database within the web parameters? (select two) http://example.com/page.php?id=1&acct=162;jsessionid=567323456798 A. ?id=1'&acct=144;jsessionid=567323456798 B. ?id=1'&acct=162';jsessionid=567323456798 C. ?id=1;--&acct=162;jsessionid=567323456798 D. ?id=1'&acct=144';jsessionid=567323456798

B. ?id=1'&acct=162';jsessionid=567323456798 D. ?id=1'&acct=144';jsessionid=567323456798 Answer: B,D - The "'", "--", and ";" are all definitely ways to help trigger an error response from a database that lacks application or database filtering

CRC-32 is an algorithm used to verify the integrity of network packets for WEP and is also found in different applications to detect changes in hardware. CRC-32 is based on the original cyclic redundancy check and is not recommended for verifying the integrity of modern-day technology due to the fact that _________ . A. It is an older form of integrity checking software that has multiple vulnerabilities. B. CRC-32 is a variant of CRC, which is based on a noncryptographic algorithm that offers very little assurance with regard to data manipulation. C. CRC is a variant of CRC-32, which is based on a cryptographic algorithm that offers very little assurance with regard to data manipulation D. It is an older form of integrity checking software that has few to no vulnerabilities

B. CRC-32 Answer: B - CRC-32 is a noncryptographic algorithm based on CRC (cyclic redundancy check). Since the algorithm is based on code generation and cryptography, it provides little value with regard to integrity, as this value can easily be reproduced

What is the purpose of the following PHP code? do { $data = fread($handle, 8192); if (strlen($data) == 0) { break; } echo $data; } while (true); A. Creates a loop to echo the contents of $data until it reaches 0 length B. Creates a loop, declares $data, and validates the size of the variable C. Creates a loop to echo the contents of the data D. Creates a loop but kills the process if the data is less than 8192 bytes

B. Creates a loop, declares $data, and validates the size of the variable Answer: B - The PHP code declares the $data variable by reading 8192 bytes of $handle. Then, if the length of $data is equal to 0, the script either terminates or will continue to echo the contents of $data and complete the loop.

The following suggests a cloud asset may be vulnerable to which kind of attack? Assume that 10.0.0.1 is confirmed within the target organization's owned IP range. $ curl -H "Host: www.derp.pro" -k -i https://10.0.0.1 HTTP/2 200 date: Wed, 12 May 2021 05:38:27 GMT expires: -1 content-type: text/html; charset=ISO-8859-1 server: www <normal web page source, same as request to www.derp.pro> A. XSS B. Direct-to-origin attack C. Volumetric DDoS D. SSRF

B. Direct-to-origin attack Answer: B - Getting back the legitimate website by requesting the direct IP suggests you have successfully requested directly to the origin server when the IP you requested is not owned by another organization (such as a cloud mitigation provider). Load balancers and other equipment may perform a redirect or serve error pages rather than expected web content.

Select the two techniques that can be used to conduct VLAN hopping. A. ARP spoofing B. Double tagging C. DNS spoofing D. Switch spoofing

B. Double tagging D. Switch spoofing Answer: B,D - VLAN hopping is an attack vector used to gain access to resources on another VLAN. The MITRE ATT&CK framework identifies VLAN hopping as a network-based hiding technique (ID: PRE-T1092). Two methods are used to accomplish VLAN hopping: switch spoofing and double tagging

Match the appropriate recommendation to the contents of the following finding: <a href="http://legitimatesite/fundsxfer.php?acct=evilacct&amount=1000"> Claim Your Bonus Here!</a> A. Sanitize user inputs to avoid the use of the following characters: <,>, ; , and & B. Implement CSRF tokens for sensitive requests C. Parameterize queries before submitting them to back-end systems. D. Implement policies to prevent password reuse across accounts

B. Implement CSRF tokens for sensitive requests Answer: B - This is an example of a CSRF attack, attempting to redirect a legitimate session to transfer funds by using a disguised link

Nessus plugins are written in which type of proprietary language? A. NCE B. NASL C. NSAL D. Nessus

B. NASL Answer: B - The Nessus Attack Scripting Language (NASL) is the correct answer.

Property list (plist) files contain configuration data about an app installed on iOS. By default, Apple best security practices implement a security feature called App Transport Security (ATS) to improve data privacy and integrity. However, there is a way to bypass this within the application settings in the plist file. What is the name of the key used to control the behavior of HTTP connections? A. NSAppleScriptEnabled B. NSAppTransportSecurity C. NSAllowsLocalNetworking D. NETestAppMapping

B. NSAppTransportSecurity Answer: B - NSAppTransportSecurity specifies the changes to the default HTTP connection security behavior in iOS and macOS apps

Using the following code, select the best option to fill in the missing blanks: A. /usr/bin/ssh and cmdexec(); B. Net::SSH2->new(); and sub cmdexec C. new SSH2 and def(cmdexec): D. SSH2.new() and def cmdexec($_)

B. Net::SSH2->new(); and sub cmdexec Answer: B - This is a Perl script, and this is the correct syntax for the assignment and a function declaration

_________ is a type of social engineering technique that can be used to exploit physical access controls in order to gain unauthorized access to a restricted area when an authorized individual consented to the entry. A. Tailgating B. Piggybacking C. Lock bumping D. Bypassing

B. Piggybacking Answer: B - Piggybacking is the correct answer, as the person opening the door consented to allow the intruder to enter

The pentest team has come to you and asked what they should do with the remaining draft copies of the report. Which document would you suggest the team reference for proper report handling instructions? A. SOW B. RoE C. SLA D. MSA

B. RoE Answer: B - Once the customer has provided confirmation of successful delivery and extraction of the report, the pentest team should consider storing a single digital copy of the report in an encrypted vault to prevent against unauthorized disclosure. All remaining digital or written copies of the report should be marked for proper disposal and deletion, based on agreed-upon methods outlined in the RoE.

Criminal impersonation is governed by state laws and is a crime that can involve identity theft, impersonating an officer or legal counsel, and many other avenues of attack that involve a plot to defraud another by pretending to be someone you are not. Which two documents could you consult to determine if the social engineering attack you would like to use during an engagement is approved by the organization? (Select all that apply) A. Rules of enhancement (RoE) B. Rules of engagement (RoE) C. Statement of work (SOW) D. Service level agreement (SLA)

B. Rules of Engagement (RoE) C. Statement of work (SOW) Answer: B, C - Before engaging in a social engineering attack, it is best to ensure that the organization undergoing this type of assessment approves any and all web, e-mail, SMS, etc., templates prior to executing the test. The RoE and SOW are two documents that can provide guidance on what may or may not be allowed during a social engineering attack

Select two types of social engineering attacks that use URLs to send targets to web pages for further attacks against the computer network. A. Vanishing B. SMS phishing C. Spear phishing D. Pretexting

B. SMS phishing C. Spear phishing Answer: B,C - SMS phishing and spear phishing send URLs in text messages and e-mails to send victims to web pages for further attacks against their computer network

While drafting the pentest report, your team asked for your input on what topics should be included in the executive summary. Your team has identified a few of those topics. Which of the following topics should not be in the executive summary? (Select two) A. Timeline B. Technical details C. References D. Methodology E. Observations

B. Technical details C. References Answer: B,C - The executive summary provides high-level details concerning the pentest and the findings. Typically, only high-level or critical findings are talked about in this section, with little to no technical details that are not required for the audience to understand the problems. References are used to address other areas of research and accompany the findings and are not included in the executive summary.

One of the members of your pentest team is trying to insert a malicious record in the MySQL database that will execute some proof-of-concept code to steal cookies from the user's web browser. However, the INSERT statement is not working. Looking at the following syntax, what is the likely cause of the error? mysql> INSERT into app.data (header, body, message, webForm) VALUES ("HACK", 404, "HACK") ; A. The second column value is missing quotations B. The INSERT statement is missing a value for the fourth column and it can't be null C. One of the field values exceeds the size limitation D. There is no error in the INSERT statement

B. The INSERT statement is missing a value for the fourth column and it can't be null Answer: B - The INSERT statement is missing a value for the fourth column. Each column identified within the INSERT statement needs to have a field value. If one of the fields is a required field, that field is not allowed to be null, such as an empty value.

Your team successfully used Responder to poison an LLMNR request for an SMB mount request and recovered a username and password hash. However, your team is trying to use a pass-the-hash (PtH) technique and it is not working. What is the likely reason for this failure? A. They are using the LM hash value and not the NTLM hash B. They are using the NTLMv2 hash value, which cannot be used to "pass the hash" C. The LM and NTLM hash is likely missing the "." between the values D. The NTLMv2 hash is padded with additional characters

B. They are using the NTLMv2 hash value, which cannot be used to "pass the hash" Answer: B - The NTLMv2 hash cannot be passed like the NTLM hash. The NTLMv2 hash is a derivative of the NTLM hash but is based on a challenge-response algorithm. You must first decrypt the NTLMv2 hash and use the plaintext value for authentication

What is one of the most common ways to gain access to cloud resources? A. Password spraying B. Unsecured information in software repositories C. SQL injection D. Phishing

B. Unsecured information in software repositories Answer: B - Insecurely stored keys and other authentication material are frequently an easy way to gain initial access to cloud resources during a pentest

During a pentest, your team identifies an access point that is broadcasting the SSID value and is protected with only WEP encryption. Your team attempts to use aireplay-ng to replay an injected ARP packet over the network; however, the tool has not captured any ARP replies over the network. This is likely due to the fact that no clients are talking over the network. In order to speed up the cracking process, what could you recommend your team to do? A. Use an MiTM tool in order to attack clients actively listening on the network B. Use the ping command and ping nonexistent hosts on the network C. Try and telnet or remotely log in to other hosts over the network D. Navigate to web pages in your browser in order to generate some network traffic

B. Use the ping command and ping nonexistent hosts on the network Answer: B - The repeated use of ping against nonexistent hosts will generate multiple IVs with the AP as the host, but will never be identified, and the request will continue to propagate throughout the network

Which of the following are examples of conditional statements? (Select all that apply.) A. for each loop B. if/then/else C. Mathematical operators such as those used for addition, subtraction, division, and multiplication D. let name = person ? person.name : 'unknown'

B. if/then/else D. let name = person ? person.name : 'unknown' Answer: B,D - If statements are conditional statements, as are ternary operators

Apple uses code signing to ensure only approved applications are installed on the iDevice. This is one of the core security features of iOS. Which method can you use on a supported iDevice to gain privileged-level access? A. Rooting B. Jailbreaking C. SETUID D. JTAG

B. Jailbreaking Answer: B - Jailbreaking is the method used to exploit a software vulnerability in the phone to escalate privileges on the device. Rooting is a software exploit for Android-based phones to gain privileged-level execution

SSH and iProxy are two ways of connecting a jailbroken iDevice. If the iDevice fails and you have to re-establish connectivity, what is the easiest way to ensure there are no iProxy processes still running on your macOS laptop? A. iproxy stop B. killall iproxy C. kill iproxy D. kill -9 <process id>

B. killall iproxy Answer: B - killall iproxy is the easiest way. kill -9 <process id> is still a valid way to end the process, but it's not the easiest when there are multiple processes

During a pentest, you successfully compromised user-level access to a Linux host within your customer's network. The user's default shell is bash. Which command syntax would you use to suspend command recording for your terminal session? A. unset HIST B. unset HISTFILE C. set +o history D. export HIST=0

B. unset HISTFILE C. set +o history Answer: B,C - The unset HISTFILE technique will allow temporary history but will prevent the command history from being written to $HOME/.bash_history. The set +o history technique will prevent temporary command history and subsequently prevent any command history from being written to disk

You come across a web page that requires authentication with a valid username and login. Using CeWL, you decide to build your own wordlist using content derived from the website. The website has many pages, and you decide to start from the index.html page and go five pages deeper into the site to identify word lengths that are a minimum of eight characters. Which command options will help you build the wordlist you are looking for? A. -d 5 -8 B. -w 8 -d 5 C. -m 8 -d 5 D. -a 8 -d 5

C. -m 8 -d 5 Answer: C - The -d option is used to specify how deep to traverse into the website, and -m is used to specify the minimum length of the words the tool identifies

In order to crack WEP, you need to capture enough initialization vectors (IVs) in the network packets to recover the secret key. WEP secret keys can be one of two different lengths. Ten-digit keys are 64 bits in length. How many digits are in a key length of 128 bits? A. 24 B. 16 C. 26 D. 28

C. 26 Answer: C - A WEP key of 64 bits in length is 10 digits, and a 128-bit key length is 26 digits

The Android platform provides core components that are used to enhance the user's experience with the product. Which type of component is sometimes visible to the user and helps provide a cohesive user experience in mobile applications? A. Services B. Broadcast receivers C. Activities D. Intents

C. Activities Answer: C - All of the answers are components of the Android application; however, activities are used specifically to help enhance the user's experience

Establishing a policy or standard to define and require lengthy, complex passwords is an example of which type of control? A. Operational control B. Technical control C. Administrative control D. Physical control

C. Administrative control Answer: C - Password requirement best practices defined in policies or standards are administrative controls

What is the name of the user interface framework that enables developers to build software applications on the iOS platform? A. Core OS B. Media C. Cocoa Touch D. Objective-C

C. Cocoa Touch Answer: C - The user interface for building applications to run on the iOS platform is called Cocoa Touch

Active information gathering is best used during which of the following scenarios? A. During planning, to verify the target scope B. During testing, when avoiding detection is a critical testing goal C. During testing, when avoiding detection is not a critical testing goal D. When all else has failed

C. During testing, when avoiding detection is not a critical testing goal Answer: C - Active information gathering involves interacting directly with the target. Therefore, you should only use it after you are under contract and during your testing window, when you are least concerned about detection.

Select the DoS technique that an adversary would use to consume the resources of a target by rapidly engaging in a large number of interactions with the target A. Resource leak exposure B. Excessive allocation C. Flooding D. Sustained client engagement

C. Flooding Answer: C - In a flooding attack, the attacker will consume the resources of a target by rapidly engaging in a large number of interactions with the target

Group Policy Preferences (GPP) was introduced in Windows Server 2008 and allows domain administrators to create domain policies to automate tedious tasks, such as changing the local Administrator account password on the host operating system. Each policy is created with an encrypted password (cPassword) embedded within the policy, and each policy is stored in SYSVOL, which is accessible to any user who is a member of the domain. During a pentest, you successfully mount the SYSVOL volume using user-level privileges on the domain. The domain server is a Windows 2012 server. Which file will contain the cPassword entry? A. Group.xml B. Users.xml C. Groups.xml D. Policy.xml

C. Groups.xml Answer: C - The Groups.xml file will contain the encrypted cPassword entry. The AES 256-bit key was disclosed online by Microsoft, which allows the cPassword entry to be decrypted, thus disclosing the sensitive password

Your Nmap scan identifies port 445/tcp open on a Windows server with one of the common shares available and accessible anonymously. This share allowed the scanner to enumerate additional users and services on the domain. Which network share were you likely to have enumerated during the scan? A. ADMIN$ B. C$ C. IPC$ D. HOME$

C. IPC$ Answer: C - The IPC$ share is a null session connection. Microsoft allows anonymous users to do things like enumerate users and network shares with this connection. The ADMIN$ and C$ shares are hidden administrative shares restricted to privileged users. Although it sounds believable, the HOME$ share is not a typical share

Which of the following are used by programs to handle decision making logic? A. Trees B. Data structures C. Logic constructs D. Libraries

C. Logic constructs Answer: C - Logic constructs are what programs use to take actions based on decisions within the code.

The methodology covers testing activities documented in the _________ . A. MSA B. NDA C. SOW D. None of the above

C. SOW Answer: C - The SOW is the statement of work, which identifies the scope of work and testing activities to be completed during the pentest.

Pentesters can use different motivational techniques for social engineering attacks. During a pentest, the customer requests that a specific e-mail template be used to entice their employees to try and buy something in response to a specific sale just for their organization. This type of motivational technique is known as what? A. Authority B. Likeness C. Scarcity D. Social Proof

C. Scarcity Answer: C - Enticing targets to click on a link in response to a sale is a form of scarcity

You were able to successfully mount an NFS share over the network with restricted privileges. When going through the network file system, you notice that the files and directories are not showing the owner or group name of the files and directories. What is the likely cause of this? A. You are not mounting the file system with root permission, so your system can't interpret the UID values. B. The NFS file system is not configured correctly, which means you could probably take advantage of the weakness. C. The UID and GID values assigned to the files and directories on the NFS share are not mapping to your local host D. The NFS server only knows that the UID 0 maps to the root account. If you create an account on your local host with a UID value of one of the NFS files, the NFS server will no longer be able to read the file

C. The UID and GID values assigned to the files and directories on the NFS share are not mapping to your local host Answer: C - NFSv3 and earlier will map numeric UIDs and GIDs to files and directories on an NFS file system. When you mount an NFS share from a client using NFSv3, you may see a UID or GID in place of a username or group because your local operating system cannot map to them, either because you are not on the domain (i.e., LDAP) or the user does not exist.

With a valid token and access to the metadata service, which of the following would you likely attempt to do? A. Change firewall rules within an instance B. Extract user information from IAM C. Use the rights of the service or system you have compromised for further access D. Place a backdoor in an AMI for persistence and remote access

C. Use the rights of the service or system you have compromised for further access Answer: C - The metadata service will allow you to get the instance's tokens, but it won't necessarily enable you to perform the other actions mentioned. Even though you may have privileges to do some of these, you wouldn't necessarily use the metadata service to do that

What is the correct command option to use with the Android Debug Bridge (ADB) that enables you to download files from the Android device? A. download B. copy C. pull D. push

C. pull Answer: C - The pull command is used to download files from the device, while the push command can be used to transfer files to the device

During a pentest, you discover a sitemap.xml file and a crossdomain.xml file. These files can provide useful information for mapping out web directories and files that would otherwise have to be brute-forced. What is the name of another file that can provide URLs and URI locations that restrict search engines from crawling certain locations? A. policy.xml B. site.txt C. robots.txt D. crossdomain.policy

C. robots.txt Answer: C - The robots.txt file is the correct answer.

While testing a web application running on Windows Server 2016, you find a web parameter vulnerable to a path traversal attack. Which of the following is the best choice for demonstrating a path traversal attack? A. ?id=C:\Windows\system32\etc/passwd B. ?id=../../../../C:/Windows/etc/passwd C. ?id=%20.%20C:/Windows/boot.ini D. ?id=..\..\..\..\C:/Windows/boot.ini

D. ?id=..\..\..\..\C:/Windows/boot.ini Answer: D - The best answer is D, as it can help escape a basic forward-slash content filter and potentially show the contents of the boot.ini file

Many types of countermeasures can help organizations prepare for and mitigate potential social engineering attacks. Which of the following are valid countermeasures for social engineering attacks? (Select all that apply) A. Training B. Cameras C. Shredders D. All of the above

D. All of the above Answer: D - All of these options help mitigate physical and electronic methods of social engineering attacks

An employee gets out of the car and notices a USB drive lying in the parking lot. The drive appears to be new and has "My music files" written on the side of it in small font. The employee takes the drive into work and attempts to play one of the music files. The antivirus software alerts the user about potential malware after the computer starts acting a little strange. This type of social engineering method is commonly known as what? A. Luring B. Shoulder surfing C. Waterholing D. Baiting

D. Baiting Answer: D - Baiting is the correct answer and is a tactic used to lure victims into doing something for a tangible reward

Using Drozer to conduct an Android assessment of two separate applications that share the same vendor, you execute the command run app package.list to list the permissions; the applications are permitted to read and write files on external storage. Which component of the application would you want to test for injection flaws? A. Receivers B. Activities C. Services D. Content Provider

D. Content Provider Answer: D - Content providers could provide an injection point from within the application. Some mobile applications share the same external storage locations. Thus, if an injection point could be exploited, it could enable a malicious user to read content outside of the sandbox environment of the application

Older versions of the Android operating system (5.0 and earlier) do not use Android Runtime (ART); they use the Dalvik Virtual Machine. Smali files, which are written in a type of assembly, are created during which process? A. Compiling B. Server-side testing C. Dynamic analysis D. Disassembling DEX executables

D. Disassembling DEX executables Answer: D - DEX files, when compiled, are converted to .smali extensions. Smali is a type of assembler, and Smali files are created when disassembling Dalvik executables (DEX), which are included in APKs.

During an Nmap scan, you receive a "host prohibited" reason in the scan results. Which protocol is responsible for delivering that message back to your scan host? A. TCP B. UDP C. ARP D. ICMP

D. ICMP Answer: D - The Internet Control Message Protocol (ICMP) is used to communicate messages between hosts over the network and uses different types (e.g., type: 3 - destination unreachable) and codes (i.e., code: 10 - host administratively prohibited) to address breakdowns in the communication path

Your client is requesting a penetration test as part of their requirement for PCI compliance. Which of the following scoping considerations is appropriate? A. Perform a vulnerability scan against all Internet-exposed interfaces owned by the company B. List where PII and PHI data are collected and stored in the environment, and validate security controls only on those systems C. Request the customer list for all transactions in the last 12 months in order to validate credit card processing transactions you may find during testing D. Identify boundaries that limit the CDE and make sure to test security of those boundaries from inside and outside that environment

D. Identify boundaries that limit the CDE and make sure to test security of those boundaries from inside and outside that environment ANSWER: D. The cardholder data environment (CDE) is specifically protected by PCI-DSS standards, and pentests should evaluate the security of controls that isolate that environment from other systems

With WPA, the wireless client and the access point both know the preshared key in order to join the network. During the authorization process, each device will use the PSK to generate a pairwise master key (PMK) in order to derive a _________ , which is used to encrypt packets sent to the receiving host. What is the type of key called? A. Preshared key B. Pairwise share key C. Pairwise transfer key D. Pairwise transient key

D. Pairwise transient key Answer: D - The PMK is never exposed over the network; instead, the pairwise transient key (PTK) is derived from the PMK and used to encrypt network communication

What language is this, and what does this do? Get-Process | where Name -like "*Exploit*" A. Bash, it is creating a process called Exploit B. Perl, it is redirecting an Exploit shell to a new process C. JavaScript, it is searching for processes containing "Exploit" in the name D. PowerShell, it is finding all processes containing "Exploit" in their name

D. PowerShell, it is finding all processes containing "Exploit" in their name Answer: D - This is a PowerShell command

The CVE Dictionary is a standard used for documenting which type of vulnerabilities? A. Public B. Privately Allowed C. Privately Disclosed D. Publicly Disclosed

D. Publicly Disclosed Answer: D - The correct answer is publicly disclosed. Although CVE numbers can be reserved for nonpublicly disclosed vulnerabilities, it is the standard used for publicly known vulnerabilities.

Which of the following are prone to a cloning attack? A. BLE B. UDP C. WEP D. RFID

D. RFID Answer: D - RFID tags that transmit a static value may be intercepted and replayed or placed onto a cloned device to thwart certain access controls systems

Which of the following tools would you use to identify cloud assets for a target organization using Azure? A. Pacu B. Scout Suite C. Hydra D. CloudBrute

D. CloudBrute Answer: D - CloudBrute can identify resources based on dictionaries and wordlists in multiple cloud providers

Which port scan method is also known as a half-open scan that never establishes a true connection with the target host over the network? A. TCP scan B. UDP scan C. SYN ACK D. SYN scan

D. SYN scan Answer: D - The TCP SYN scan is also known as the half-open scan, as it never completes the three-way handshake.

A mission-critical web application only supports case-insensitive eight-character passwords. The web application controls assembly-line systems that only a handful of users should be accessing, but the manufacturer has gone out of business and no upgrades are available. What is the best recommendation? A. Turn off the server B. Implement a password policy that requires users to pick hard-to-guess passwords C. Replace the assembly-line system with newer technology and ensure it is kept updated and maintained. D. Segment the server from the network so that only specific hosts can access the system

D. Segment the server from the network so that only specific hosts can access the system Answer: D - Turning off the server is not reasonable, as the system is needed, and it must be accessed. Passwords that are only eight characters and case-insensitive are trivial to brute-force based on keyspace limitations, so this is not adequate to fix the problem. Replacing the system is not cost-effective or necessarily achievable.

A __________ is unique and is used to identify each instance of a Windows service. In Windows, Kerberos requires that ______ be associated with at least one service logon account (i.e., the account that runs the service) A. Hostname B. Domain name C. Unique identifier D. Service principal name

D. Service principal name Answer: D - The service principal name (SPN) is unique and is used to identify each instance of a Windows service. In Windows, Kerberos requires that the SPN be associated with at least one service logon account

During a pentest, you compromise a vulnerable web application and drop a webshell. When you list the contents of the directory, you see several other files that appear to be webshells. Which of the following should you do? A. Gather as much information as possible from the machine, including when the webshells were created and what other actions have occurred B. Take evidence screenshots and continue testing C. Establish persistence and then reach out to your point of contact to let them know you've made a critical finding D. Stop testing immediately and initiate communication according to the communication plan

D. Stop testing immediately and initiate communication according to the communication plan ANSWER: D - Taking any further action may taint the digital evidence the customer must gather in order to potentially take legal action

All of the following are layers in the Bluetooth protocol stack except for which one? A. LMP B. SDP C. L2CAP D. TC2 E. RCOMM

D. TC2 Answer: D - TC2 is not a valid layer of the Bluetooth protocol stack. TCS is, however, a valid layer in the protocol stack and is used for controlling telephone functions on the mobile device

PBKDF2 is used to calculate the PMK using the following values, except for which one? A. The password/passphrase (PSK) B. The access point SSID or ESSID C. The length of the SSID or ESSID D. The hostname of the device

D. The hostname of the device Answer: D - The PMK is derived from all of the options, with the exception of the device hostname. The missing values are 256 (length of the PMK) and 4096 (number of hashing iterations)

Alice owns a very profitable consulting firm that handles a great deal of private information for her clients. The company has over 50 employees but outsources its IT services to another company. One afternoon while Alice was at lunch, her receptionist received a phone call from a person claiming to be from the IT service provider and saying that they are trying to work on a service ticket for Alice and that they need her personal cell phone number in order to ask some questions of a private nature. The receptionist knows that Alice doesn't have any computer problems. What type of social engineering attack did Alice's receptionist receive? A. Spear phishing B. Whaling C. Baiting D. Vishing

D. Vishing Answer: D - This is a common example of vishing, or voice phishing, where the attacker attempts to play the role of another person who has an urgent matter to discuss or requires the immediate attention of a target in order to pressure the victim into providing the information requested
