PenTest +


A security engineer uses Netcat to listen for connections on a particular port. Which command options does the engineer use to create a persistent listener on port 53 that triggers a script? (Select all that apply.) -L -p -e -l

-L -p -e The -L option starts Netcat in the Windows-only "listen harder" mode. This mode creates a persistent listener that starts listening again when the client disconnects. The -p option specifies the port that Netcat should start listening on in listening mode. When used in client mode, this value specifies the source port. The -e option specifies the program to execute when a connection is made. This is useful for alerts and logging. The -l option starts Netcat in listen mode. This is a non-persistent mode. The default mode without this option is to act as a client.

A penetration tester suspects a firewall is blocking their scan attempts and wants to try a TCP ACK scan to get around this. What nmap switch would they use? -sT -sX -sU -sA

-sA A TCP ACK scan is used to bypass firewall rulesets, determine which ports are filtered and if a firewall is stateful or not. This scan uses the option: -sA.

A security consultant is in the reconnaissance phase of a penetration test and believes there might be a non-stateful firewall blocking the scan. What nmap parameter could try to bypass the non-stateful firewall? -sS -oX -sF -sX

-sF The -sF option sends a TCP FIN to bypass a non-stateful firewall.

A penetration tester is conducting a PCI DSS compliance report for a large company that does ten million transactions a year. What level should they comply with? 1 2 3 4

1 Level 1 is a large merchant with over six million transactions a year and must have an approved Qualified Security Assessor (QSA) perform the assessment as an external auditor. Level 2 is a merchant with one to six million transactions a year. Both levels 1 and 2 must complete a Report on Compliance (RoC). Level 3 is a merchant with 20,000 to one million transactions a year. Levels 2 through 4 can either have an external auditor or submit a self-test that proves they are taking active steps to secure the infrastructure. Level 4 is a small merchant with under 20,000 transactions a year.

A rogue system is suspected to be on a large network. A PenTester uses the -sY option with the nmap command and should expect what process to happen? A TCP SYN packet is sent An ICMP type 13 is included A UDP Ping is sent A SCTP Initiation Ping Occurs

A SCTP Initiation Ping Occurs An SCTP Initiation Ping uses the Stream Control Transmission Protocol (SCTP), an alternative to using either a TCP or UDP scan to see if a host is alive. This scan requires using the -sY option. A TCP SYN (synchronize) packet starts a communication session with a host by using TCP to initiate a conversation. This is a default action with Nmap. By default, Nmap will perform a TCP scan. A UDP protocol scan can be initiated by using the -PU option for port scanning. By default, a Nmap scan will use the timestamp of 32 bits of milliseconds since midnight UT during host discovery.

A PenTester succeeds with a brute force attack to crack a server password. This success indicates a vulnerability in the server's security mechanisms. Which type of vulnerability most likely allowed this brute force attack to be successful? A privilege escalation issue A session attack A server-side request forgery A business logic flaw

A business logic flaw Business logic flaws are vulnerabilities that arise from implementation and design issues that lead to unintended behavior. A missing password policy is likely to blame.

When defining the communication path, what should an IT manager establish for a PenTest team? A testing scope A testing start time A testing threshold A testing asset

A testing threshold The IT manager should establish a testing threshold and protocol for contacting the other side during a problem. Having an escalation path for communications protects PenTesters from having to make risky or potentially damaging decisions.

A penetration testing team performs post-engagement activities after a PenTest exercise. The team addresses which area? Software upgrades Hardware replacement Account cleanup Network improvements

Account cleanup Removing tester-created credentials should take place during post-engagement cleanup. It is possible that during the exercise high-level credentials were added or manipulated. The system should be returned to its previous state.

A PenTester uses the Nmap utility to scan for a particular host on the network. Without using any options, what does Nmap provide as a result to the PenTester? (Select all that apply.) ARP requests SCTP Initiation Ping UDP Ping ICMP type 13

Address Resolution Protocol (ARP) requests are sent to hosts to obtain Media Access Control (MAC) address details. The MAC address can be used for purposes such as access control. By default, Nmap will perform a TCP scan. A UDP protocol scan can be initiated by using the -PU option for port scanning.

A security tester wants to disable monitor mode on a wireless interface. Which tool should they use? Aireplay-ng Airmon-ng Airodump-ng Pacu

Airmon-ng Airmon-ng will enable and disable monitor mode on a wireless interface. Airmon-ng can also switch an interface from managed mode to monitor mode.

A PenTester simulates an attack on a wireless network by capturing frames and then using the information to further an attack on a discovered Basic Service Set ID (BSSID) of an access point. What specific tool has the PenTester used to initiate the attack? Aircrack-ng Airmon-ng Airodump-ng Aireplay-ng

Airodump-ng Airodump-ng is a tool that provides the ability to capture 802.11 frames and then use the output to identify the Basic Service Set ID (MAC address) of an access point. This is a specific tool that is part of the Aircrack-ng suite. The Aircrack-ng suite of utilities is made up of several command-line tools used for wireless monitoring, attacking, testing, and password cracking. Airmon-ng will enable and disable monitor mode on a wireless interface. Airmon-ng can also switch an interface from managed mode to monitor mode. Aireplay-ng injects frames to perform an attack to obtain the authentication credentials for an access point.

PenTesters report that a firewall that is being tested is allowing for malicious data to be passed through. The target system on the internal side of the firewall is an email server and all related inbound email ports are scanned. Why does the malicious data pass through undetected? (Select all that apply.) An ACL is not configured properly The packet matches a permit rule The payload is not scanned The SMTP port is not being scanned

An ACL is not configured properly The packet matches a permit rule The payload is not scanned

A PenTest team reports an issue to a client that may have legal ramifications. Which of the following issues may have legal ramifications, if reported? Failed background check of a team member An incorrect network scan Improper team member credentials Use of client user accounts

An incorrect network scan It is important to be able to identify and report any criminal activity, even if the activity occurred by accident. For example, someone on the team might inadvertently scan the wrong network.

A Pentest team performs an exercise at a large financial firm. During the process, it is discovered that a risk exists due to missing firmware updates on several hardware-based firewalls. The team concludes a risk rating during which step of the Pentest process? Reporting Analysis Scanning Reconnaissance

Analysis Analysis occurs after a team has completed an exercise. The collected results of all activities are analyzed, and a summary of the risk ratings for each is derived. Reporting will deliver the results and any remediation suggestions to the stakeholders, along with a realistic timeline for reducing risk and implementing corrective actions. Scanning is a critical phase as it provides more information about available network resources. Scanning identifies live hosts, listening ports, and more. Reconnaissance focuses on gathering as much information about the target as possible. This process includes searching for information on the Internet using Open-Source Intelligence (OSINT) gathering tools.

A security professional is testing the Wi-Fi with MDK4 and wants to create the appearance of many wireless networks. Which of the following modes should they use? A B D W

B Mode b creates the appearance of many wireless networks. MDK4 is a powerful Linux-based tool that features a wide range of attacks.

A security professional wants to use SET for a targeted attack towards personnel. Which of the following can SET NOT do? Spear phishing Badge cloning Website attacks Wireless attacks

Badge cloning is not currently a capability of The Social Engineering Toolkit (SET), but it does allow for third-party modules.

An administrator is troubleshooting the direct personal area network connection between a set of Apple AirPods and a mobile device. What kind of connection is the administrator most likely troubleshooting? (Select all that apply.) WiFi Ethernet Bluetooth BLE

Bluetooth BLE The administrator is most likely troubleshooting a Bluetooth connection, as many IoT devices use Bluetooth to exchange data between personal devices and peripheral devices. The administrator is most likely troubleshooting a Bluetooth Low Energy (BLE) connection, which many IoT devices use to communicate wirelessly over short distances; however, it uses less energy than Bluetooth.

An organization reviews a recommendations report after a successful PenTest exercise. The cost to mitigate the issue as outlined in the report will be costly. Which group is the report generated for? Developers Third-party stakeholders C-Suite Technical staff

C-Suite C-Suite refers to top-level management personnel, usually with "chief" in their name, such as CEO, CTO, CIO, CSO, CISO, etc. These are senior executives that are likely to be responsible for making decisions based on the results and recommendations.

A security tester has been using Shodan for several engagements but wants another source of reference similar to Shodan. Which of the following would best fit that? Censys OpenVAS Netcat ObfuscatedEmpire

Censys When testing for vulnerabilities, one tool the team can use is Censys, an attack surface analyzer, similar to Shodan, to identify exposed systems.

How is a PenTest report tracked while it passes through many hands before delivery? Screenshots Chain of custody Version control Document properties

Chain of custody is a process where the ownership of data is managed and tracked. As a report passes through hands, it would be documented as to who the new owner is.

After completing a PenTest engagement at a client location, a formal hand-off process to the client is initiated. What can be expected after this action? Client acceptance New vulnerabilities Mitigation implementation Client follow-up

Client acceptance During the formal hand-off process, confirmation from the client that they agree that the testing is complete and that they accept any findings as presented is important.

A PenTester performs an Nmap scan on a host and concludes that a port is not in use and responds to a probe with an RST flag. Which status does Nmap return to convince the tester of this fact? Open Closed Unfiltered Filtered

Closed When a port is closed, probes reach the system but the port itself is not reachable.

In a cloud environment, what does the combination of infrastructure, platform services, and software represent? Cloud service provider Content delivery network Identity and access management

Cloud Federation

A penetration tester likes the functionality of Armitage and wants to get a fuller paid version for use on client tests. What should they look into? MetaSploit Pro Cobalt Strike Responder Ostinato

Cobalt Strike Cobalt Strike is a commercial version of Armitage with advanced features and reporting. Armitage itself is an intuitive GUI for the Metasploit framework.

A company is expanding operations to Europe and wants to make sure that they won't run into any security issues during expansion. What type of test should they have done? Red team Blue team Goal-based Compliance

Compliance Compliance-based assessments are used as part of fulfilling the requirements of a specific law or standard, such as GDPR, HIPAA, or PCI DSS.

A PenTester bypasses an active network access control (NAC) system by using an authenticated device. How might the tester accomplish this? Use a stealth scan Turn off firewall policies Configure a rogue access point Disable the NAC device

Configure a rogue access point The tester, like a malicious actor, can use a rogue wireless access point to connect to a network with an authorized device. The attacker machine slips by the NAC appliance and relays malicious traffic into the protected network.

A penetration test is being conducted on a Department of Motor Vehicles' vehicle. What should the testers take into consideration when performing the assessment? GLBA DPPA PTES OSSTMM

DPPA The Driver's Privacy Protection Act (DPPA) governs the privacy and disclosure of personal information gathered by state Departments of Motor Vehicles. The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to ensure the security and confidentiality of client information and take steps to keep customer information secure. The Penetration Testing Execution Standard (PTES) was developed by business professionals as a best practice guide to PenTesting. The PTES addresses the business aspects of a standard engagement; it does not include specific technical guidelines in the document. The Open-Source Security Testing Methodology Manual (OSSTMM) provides a holistic, structured approach to PenTesting. Written in 2000, the open-source document stresses auditing, validation, and verification.

A security analyst is preparing a presentation for an upcoming conference and will be discussing varying types of cyber attacks. What attack is used so the victim generates the required traffic needed for the malicious actor to capture the handshake? Jamming Brute force Deauthentication Dictionary

Deauthentication

A Pentester crafts a packet to test vulnerabilities on a hardware firewall. Packets are fragmented so that a malicious signature is not recognized by an IDS. Considering the packet crafting stages, which stage captures the packets sent to assist in determining how the test went? Edit Assemble Play Decode

Decode Decoding the capture of the packets sent will help to determine how the test went. The Pentester can analyze traffic generated using a packet analyzer such as Wireshark.

An employee loses a smartphone while on vacation. The device is used in a BYOD program and contains sensitive data related to the business. Which vulnerability does the company face with the loss of the phone? Strained infrastructure Forensics complications Deperimeterization Patching fragmentation

Deperimeterization The organization now faces a deperimeterization vulnerability. Employees who take sensitive data outside of the corporate perimeter and do not properly secure their devices risk data exfiltration.

A penetration tester is conducting a test against external-facing websites. Which of the following tools is specifically geared towards website enumeration? nmap dirbuster SET WiGLE

Dirbuster is specifically geared towards website enumeration. There are numerous tools and techniques available to evaluate a website.

A security tester wants to launch an attack on a WPA2-Enterprise 802.11a or 802.11n network in a free, easy-to-use platform. Which of the following should they use? EAPHammer Fern Spooftooph SOHO

EAPHammer EAPHammer is a Python-based toolkit with a wide range of features. It provides options that the team can use to launch an attack on a WPA2-Enterprise 802.11a or 802.11n network in an easy-to-use platform.

A PenTest lead explains to a client that a PenTest is a fluid process. As such, what is a common occurrence, but not necessarily planned for? Goal reprioritization Critical findings Indicators of prior compromise Status reports

Goal reprioritization is the catalyst for possible adjustments to the engagement. The nature of a PenTest is that it is a fluid process, and the PenTest team must be able to prioritize findings as they occur.

A PenTest focuses on a particular server at a host organization. The server contains critical information and is of the highest priority to harden. What assessment type do the PenTesters utilize? (Select all that apply.) Goals Compliance Teams Objectives

Goals Objectives A goal-based approach uses assessments that have a particular purpose or reason. For example, if an organization is concerned with a sensitive server, the PenTest team will focus on that server. An objective-based approach is the same as a goal-based approach. For example, before implementing a new point of sale (PoS) system that accepts credit cards, the PenTesting team might test the system for security issues before implementation.

A client comments on a PenTest report by stating the amazement of how much information was found by the team. The client asks which tool was used to find subdomains and their respective directories. Which tool does the PenTester explain? Wapiti truffleHog Gobuster BeEF

Gobuster Gobuster can discover subdomains, directories, and files by brute-forcing from a list of common names. This can provide information that was otherwise not available. Wapiti is a web application vulnerability scanner that will automatically navigate a web app looking for areas where it can inject data. TruffleHog is a Git secrets search tool. It can automatically crawl through a repository looking for accidental commits of secrets. BeEF (Browser Exploit Framework) focuses on web browser attacks by assessing the actual security posture of a target by using client-side attack vectors.

A malicious actor compromised a virtual machine host which allowed the malicious actor to gain control of the virtual environment. What type of attack does this represent? (Select all that apply.) Hyperjacking Class 1 VM escape Class 3

Hyperjacking Class 1 This represents hyperjacking which is when a malicious actor takes control of the hypervisor that manages a virtual environment and then has all the required privileges to take full control of the environment. This represents a class 1 virtual environment attack in which the attack happens outside of the virtual machine and can affect the entire virtual environment.

A city's subway system is optimizing the way equipment at each of the subway stations handles data. The new system will allow the subway system to collect data in order to automatically delay or stop trains when there's a problem down the line, as well as to determine when to dispatch more trains to manage capacity. How is the subway system optimizing? ICS SCADA IIoT IoT

IIoT The subway system is optimizing with the Industrial Internet of Things (IIoT) or Industry 4.0, which is a complement to a SCADA system and merges the control functionality with the data collecting ability of an IoT device.

An organization's legal team drafts a master service agreement (MSA) along with a PenTest team lead. What will the agreement include? (Select all that apply.) Team credentials and certifications Insurance information Safety guidelines Project scope

Insurance information Safety guidelines Project scope

While footprinting a system, a PenTester uses the finger command. What is true regarding this command? (Select all that apply.) It is used to obtain operating system information It is used on a Linux system It is used to view a user's home directory It is used on a Windows system

It is used on a Linux system It is used to view a user's home directory The finger command is a Linux command-line utility. Similar functions are possible on a Windows system by using PowerShell commands or a PowerShell script. The finger command is a command-line utility that allows the viewing of a user's home directory along with the login time and idle time.

A student is studying cyber security and reads about a tool called Responder. The student sets it up on their home network to test on devices that they own. Which protocols should they filter during packet captures to see what is happening? (Select all that apply.) LLMNR NBT-NS SSH VNC

LLMNR NBT-NS Responder is a man-in-the-middle type tool that can be used to exploit name resolution on a Windows network which poisons LLMNR. Responder is also designed to intercept and poison NBT-NS. Once a request is intercepted, Responder will return the attacker's host IP as the name record.

Businesses that process credit card transactions are required to follow guidelines to ensure compliance. Under standard PCI DSS compliance requirements, which levels of businesses are required to complete a Report on Compliance (RoC) or may be required to by a financial institution? (Select all that apply.) Level 1 Level 3 Level 2 Level 4

Level 1 Level 2 Level 1 merchants process over 6 million transactions annually, which categorizes them as high-risk. The PCI DSS mandates a RoC for these merchants, requiring a formal assessment by a Qualified Security Assessor (QSA) due to the high volume of transactions. Level 2 merchants process 1 to 6 million transactions annually and typically complete a Self-Assessment Questionnaire (SAQ), but an acquiring bank may require an audit and RoC. Level 3 merchants process 20,000 to 1 million transactions annually. They are not required to complete a RoC and typically do not choose this option. Level 4 merchants process fewer than 20,000 e-commerce transactions annually. They are low-risk and do not complete a RoC for PCI DSS compliance.

A project manager is preparing documentation that covers recurring costs and any unforeseen additional charges that may occur during a project without the need for an additional contract. Which of the following should they prepare? SOW MSA SLA NVD

MSA The Master Service Agreement (MSA) is a contract that establishes guidelines for any business documents executed between two parties. It can be used to cover recurring costs and any unforeseen additional charges. The Statement of Work (SOW) is a document that defines the expectations for a specific business arrangement. It typically includes a list of deliverables, the responsibilities of both parties, and other terms. A service-level agreement (SLA) is a contract that outlines the detailed terms under which a service is provided, including reasons the contract may be terminated. The National Vulnerability Database (NVD) is not a contract document; it holds vulnerability records, and CVE names often link to the corresponding NVD entry where more details can be read.

A new junior administrator is learning about IoT devices at a manufacturing company. The senior administrator explains that IoT devices can communicate and pass data in what basic ways? (Select all that apply.) Machine-to-machine Machine-to-API Machine-to-Ethernet Machine-to-person

Machine-to-machine (M2M) is communication between the IoT device and other traditional systems. This could be a sensor that is sending analytics to a database server. Machine-to-person (M2P) is communication between the IoT device and the user. This would include a dashboard for monitoring or a smartphone for messaging.

A security engineer discovers that a malware injection attack has occurred on a server in a cloud infrastructure. What does the engineer discover has happened? (Select all that apply.) Malicious code was concealed in a wrapper. A website experienced cross-site scripting. An origin network was identified behind a proxy. The hardware leaked sensitive information.

Malicious code was concealed in a wrapper. A website experienced cross-site scripting.

A vulnerability has just gone through the mitigation phase of the vulnerability lifecycle. What is the next phase? Manage Document Discover Coordinate

Manage Manage is when the patch has been released. It's now up to each organization to take the next step and apply the patch in order to remediate or mitigate the vulnerability.

An organization plans to apply numerous software patches to remedy vulnerabilities found during a recent PenTest exercise. The PenTest team returns to assist and test that systems are secure. Which vulnerability lifecycle phase does the team participate in? Document Coordinate Discover Manage

Manage The manage phase is where the patch has been released. As such, the next step is to apply the patch in order to remediate or mitigate the vulnerability.

A security expert uses a tool to scan and exploit a system from the command line while using a default Kali Linux install. Which tool does the expert use? Armitage Metasploit Framework Cobalt Strike Metasploit Pro

Metasploit Framework Metasploit Framework is a free open-source command-line version of a popular PenTest tool. By default, it is installed with a fresh install of the popular Kali Linux image.

An organization is using a testing framework to provide oversight and minimize risk with mobile devices. Which of the following are common elements of the testing framework when used on mobile devices? (Select all that apply.) COBO Approval Mobile Device Assessment Secure App Development Mobile App Testing

Mobile Device Assessment Secure App Development Mobile App Testing A common element of the testing framework is mobile device assessment which provides an overview of compliance and business logic issues. A common element of the testing framework is secure app development which creates organization-specific apps that are in line with organizational policy. A common element of the testing framework is mobile app testing which includes Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST).

A team is conducting a physical assessment and uses a simple mechanism such as Styrofoam to bypass a certain control. Which control are they likely bypassing? Motion sensor Fences Security badges Locks

Motion sensor The team can attempt to block the motion detector by using a piece of cardboard or Styrofoam over the sensor.

A new PenTester looks for a command and control (C2) tool that will provide consistently good results with Mac OS. Which tool does an experienced penetration tester suggest? Mythic Covenant Nishang Empire

Mythic Mythic is a C2 framework that contains payloads such as Apfel and Poseidon that provide consistently good results when PenTesting macOS. Covenant is a .NET command and control framework and, in a similar fashion to Empire, it aims to show the attack surface of .NET and make attacks through this vector easier. Nishang is a PowerShell tool that includes a large set of scripts for Windows that can be used for post-exploitation. Empire is a C2 framework that makes use of PowerShell for common post-exploitation tasks on Windows. It also has a Python component for Linux.

A security professional is researching the latest vulnerabilities that have been released. Where is a good resource they can go to in order to look at these? CVSS CVE NVD ISSAF

NVD To learn more about the vulnerabilities, you can often click on CVE names, which have hyperlinks to the record in the National Vulnerability Database (NVD). Once there, you can read more details.

A penetration tester wants to test exfiltrating data via encrypted mechanisms. What could they use to accomplish this? Netcat Ncat Coagula Yersinia

Ncat Ncat is an interactive CLI tool written for the Nmap Project. Ncat is used to read and write raw data over a network and includes support for proxy connections along with IPv6 and SSL communications.

A security student wants to start conducting vulnerability scans on their own network. They want to be able to use a commercial tool, but that is available for free for home use. Which of the following could they use? OpenVAS SAST Scapy Nessus

Nessus is a powerful scanning tool that can scan either enterprise or home networks. Nessus for home or personal use is free. If running on an enterprise network, you will need to purchase the product.

A security professional is performing an assessment against web servers and is currently in the reconnaissance phase. They are performing initial service enumeration by attempting to open a session with a service and getting the service to identify itself. Which of the following tools are suited for this? (Select all that apply.) netcat SET wget Shodan

Netcat (nc) is a popular tool for Unix and Linux. The following shows using an HTTP GET request to elicit the webserver type and version: echo -en "GET / HTTP/1.0\n\n\n"|nc www.comptia.org 80|grep Server. Wget can be used to grab a banner using the following syntax: wget -S. When using this command, -S will print the HTTP headers that are sent by the server.

A PenTest team considers which issue as part of the lessons learned phase? Client follow-up Mitigation implementation Client acceptance New vulnerabilities

New vulnerabilities It is possible that the team found new unknown vulnerabilities during the testing. Additional personnel training or updated tools may be part of a lessons learned report.

A security professional is trying to evaluate a website for web-specific vulnerabilities. Which of the following is the tool most suited towards this objective? OpenVAS Nikto SQLmap Censys

Nikto is an open-source web server scanner that can complete comprehensive testing on web servers for a variety of vulnerabilities, such as a missing anti-clickjacking X-Frame-Options header, and dangerous files and CGIs.

A security engineer is trying to avoid Antivirus on a company's systems. Which tool could they use to modify the hash of their payloads? Wget theHarvester Dirbuster ObfuscatedEmpire

ObfuscatedEmpire A tool such as ObfuscatedEmpire can be used to obfuscate a known signature. It is a fork of Empire that has Invoke-Obfuscation baked directly into its functionality.

A PenTest technician sanitizes systems from a completed engagement. When overwriting data on disks, which statements are true regarding SSD drives? (Select all that apply.) Overwriting an SSD is more reliable than with an HDD Overwriting an HDD is more reliable than with an SSD An SSD uses a write algorithm to reduce wear An HDD uses a write algorithm to reduce wear

Overwriting an HDD is more reliable than with an SSD An SSD uses a write algorithm to reduce wear Overwriting data on an HDD is more reliable than with an SSD. With an HDD, the target location is overwritten while on an SSD the data might be written elsewhere. Trying to write data onto the same location on an SSD may not always work, due to the nature of SSD write algorithms optimized to reduce wear.

A security auditor reviews a small retailer's credit card data protection strategy. In which area would the auditor likely request more detailed information to see that industry recommendations are followed? Hardware firewall Password Policies Software firewall Principle of least privilege

Password Policies

An employee refuses to apply updates to their mobile device for fear that it will change things on the device that will be annoying. What threat is the employee introducing? Deperimeterization Strained infrastructure Patching fragmentation Forensics complications

Patching fragmentation occurs when device owners do not implement updates in a timely manner. This fragmented approach can lead to individuals using unsupported versions that leave the system vulnerable.

An attacker is attempting to access a WPS device at a site in order to gain entry to a larger corporate network. Which of the following could they do? (Select all that apply.) HTTP flood Physical Side channel Brute force

Physical Brute force A physical attack takes advantage of the "push to connect" feature found on many routers. When launching this attack, the malicious actor will need to be physically close to the device. In addition to a physical attack, a malicious actor can gain access to the network by determining the PIN of the WPS device, using an online or offline brute force attack.

A security professional is looking for an organization's code that might have been posted publicly by developers. Which of the following sources is least likely to contain accidental posts by a company's developers? Reddit GitHub Bitbucket Inanchor

Reddit is less likely to contain code from developers, though it is possible it could exist there. The other three options are specifically geared towards shared code repositories.

A new receptionist at a financial firm answers a call from someone that claims to be a remote employee. The caller tries to obtain user account information of another employee with a claim that such information is allowed to be given to a Vice President of the firm. Which social engineering techniques does the caller use? (Select all that apply.) Survey Observation Request Interrogation

Request Interrogation With a request, an attacker or social engineer pretends to be someone that is considered to be in a trusted position. Using the position, the attacker asks the target for information to be used in an attack. In an interrogation technique, the attacker or social engineer poses as an authority figure to obtain actionable intel. In this case, claiming to be a Vice President is an exercise of authority.

A penetration tester has established a foothold inside a network and wants to conduct reconnaissance inside while remaining anonymous. What could they use to best accomplish this? SOCKS masscan Ostinato Snow

SOCKS Proxy servers are used on a network to mediate the communications between a client and another server. One method is to use Socket Secure (SOCKS).

The Social Engineering Toolkit is being employed for a targeted attack towards personnel. Which of the following can SET NOT do? Mass mail attacks Infectious media Scaling PowerShell attacks

Scaling Scaling refers to a type of physical security breach where an individual overcomes physical barriers such as fences or walls to gain unauthorized access to a property. This kind of physical intrusion falls outside the scope of the Social Engineering Toolkit, which is designed for digital social engineering attacks.

A penetration tester needs to craft a custom packet in order to bypass an Intrusion Prevention System (IPS). What tools could they use to craft custom packets? (Select all that apply.) OpenVAS Metagoofil Scapy Hping3

Scapy is a tool to craft and send a malformed packet to your target. The type of packet crafted will be dependent on security products and rules. Hping3 is also a tool to craft and send a malformed packet to your target. For example, the Christmas (XMAS) scan might be able to bypass security mechanisms that follow strict interpretation of RFC 793.

What are some ways in which a malicious actor can compromise cloud storage containers? (Select all that apply.) Secrets management Misconfiguration Power Consumption OS Images

Secrets management Misconfiguration OS Images Improperly managed secrets such as API keys, tokens, and passwords, can cause container security risks and vulnerabilities that a malicious actor can take advantage of to compromise cloud storage containers. A misconfiguration when setting up or administering a cloud storage container can create a risk for unauthorized access. Improperly constructed OS images that contain non-essential software can cause container security risks and vulnerabilities that a malicious actor can take advantage of to compromise cloud storage containers.

A penetration tester is working on a project and sees a fairly recent VoIP vulnerability has come out. Which of the following records would best help them narrow down potential targets? TXT NS SRV MX

A Service (SRV) record provides host and port information on services such as voice over IP (VoIP) and instant messaging (IM).

A project manager is researching migrating to the cloud, specifically a PaaS model. Which of the following attacks is PaaS particularly subject to? Malware injection Direct-to-origin Side-channel DNS Poisoning

Side-channel

A PenTester uses Nmap to scan a network. In an effort to evade an intrusion detection system, the tester uses a timing option. Which option works best in this situation? T5 T3 T1 T4

T1 In some cases, network devices enforce rate limiting. Using Nmap with a timing option of T0 or T1 is the best choice for IDS evasion, but both are extremely slow. T5 is the fastest option but can be unstable and should only be used on a network that can handle the speed. Nmap has a timing option which can be modified to suit any needs. T3 is the default timing and is the most stable option. The team will need to be aware of overburdening a network and may have to adjust the timing of the scans to run during off-hours or to be less intrusive. T4 is the recommended choice for a fast scan that is still relatively stable.

A penetration tester is conducting a Nmap scan but wants to conserve bandwidth and has no concern for IDS evasion. Which setting should they use to perform this? T1 T2 T3 T4

T2 slows the scan to conserve bandwidth. In some cases, network devices enforce rate limiting, which limits the data flow by either policing or shaping the traffic.

The PenTest team has been conducting network scans using the default timing setting of T3 with no disruptions to the organization's network or systems. The team now wants to modify the timing template to a recommended faster yet stable level. Which Nmap timing option should the team choose to achieve this goal? T0 T5 T4 T1

T4 The team will need to be aware of overburdening a network but can take advantage of a robust network. T4 is the recommended choice for a fast scan that is still relatively stable. In some cases, network devices enforce rate limiting. Using Nmap with a timing option of T0 or T1 is the best choice for IDS evasion, but both are extremely slow. T5 is the fastest option but can be unstable and should only be used on a network that can handle the speed. T1 would not be recommended for increasing the scan timing from the default T3 setting because T1 is an extremely slow option.

A digital forensics expert works for a large corporation and doesn't have enough time to manually analyze all the employee-returned mobile devices before administrators issue them to new employees. What tool can the forensics expert use to automate the evaluation of code and malware analysis on mobile devices? MSTG MobSF OWASP Kali

The Mobile Security Framework (MobSF) can provide an automated evaluation of code and malware analysis using both static analysis and dynamic analysis.

A public school system wishes to educate its student population with cybersecurity knowledge. They're particularly interested in a resource that provides a holistic, structured approach to PenTesting and offers its core materials without any cost. Which of the following is most suitable? OWASP NIST OSSTMM PTES

The Open-source Security Testing Methodology Manual (OSSTMM) provides a holistic, structured approach to PenTesting and is open-source, meaning its core materials are available without cost. This makes it suitable for a public school system looking to provide cybersecurity education without incurring additional expenses.

Steganography requires three basic elements to work. Which elements are valid? (Select all that apply.) Carrier Decoder Payload Tool

The carrier must be able to pass as the original and appear harmless. A carrier might be music or an image file. The payload can contain any number of things, such as trade secrets or command and control activity. Once the payload is hidden, no one outside of the sender and the receiver should suspect anything. There are hundreds of steganography tools available that can conceal the activity. Most are freely available and have similar functions in that they can conceal and encrypt data using a wide range of carriers.

An expert in digital forensics frequently works with both iOS and Android devices and utilizes a versatile open-source toolkit. This toolkit enables the expert to dump process memory, conduct in-process fuzzing, and modify a program's behavior dynamically. Which tool is the expert likely using? APK Studio Drozer Objection Frida

The forensics expert is using Frida, an open-source tool that works with a wide range of operating systems and allows the forensics expert to dump process memory, perform in-process fuzzing, and change a program's behavior.

A network engineer is measuring a wireless signal level in relation to any background noise to ensure efficient wireless communications. Which of the following should they look at? dBi SCAP SNR WAF

The goal is to have a good Signal-to-Noise Ratio (SNR), which is the measurement of a wireless signal level in relation to any background noise.

A security professional has just finished setting up a new public-facing web server for their organization. They want to ensure that search engine crawlers and other automated bots don't index or access certain pages or directories on the site. What is the most effective step the security professional can take to achieve this goal? Set up a robots.txt file to exclude certain pages or directories Use an access control list (ACL) to restrict access to certain directories Configure the web server to block specific user agents Create a noindex meta tag on each page to be excluded

The most common and recommended way to request search engine crawlers not to index specific pages or directories is to set up a robots.txt file. However, it's important to understand that a robots.txt file does not secure these pages or directories. It merely requests compliant bots to avoid indexing them. A robots.txt file can be easily created and updated as needed.

A PenTest team creates a file on an organization with the goal of showing upper management how employees can be targeted. Which open-source intelligence (OSINT) resources does the team utilize to gather information? (Select all that apply.) The organization's website Twitter feed An employee's office location Internal network group memberships

The organization's website is an open-source resource that may reveal a good deal of information on the company and its employees. Information might include job promotions, personal bios, and more. The company's social media presence is an open-source resource that may reveal both organization and employee information. The company's Twitter feed may share company blog articles that reveal information about employees.

A penetration tester is looking for secrets in Git repositories that will allow the tester to modify code. What tool is the penetration tester using? Brakeman SearchSploit BeEF truffleHog

The penetration tester is using truffleHog which can automatically crawl through a repository looking for accidental commits of secrets that will allow an attacker to modify code in a Git repository.

A network technician is reviewing signal strengths of wireless antennas to ensure that the signal does not extend beyond the buildings for anyone to attempt to gain access. What are they measuring? MSA SNR dBi NVD

The signal strength of a wireless antenna is referred to as decibels per isotropic (dBi) and can vary according to the design.

A Jr. PenTester has difficulty using a Bash script. The script contains the following line: $my_str = "Password" , which keeps throwing an error. What does a senior PenTester identify as the problem? (Select all that apply.) The use of '$' The use of '"Password"' The use of ' = ' The use of '_'

The use of '$' The use of ' = ' When using Bash for scripting in Linux, a variable is not designated with a leading $. A leading $ is required when using PowerShell in a Windows environment. When scripting in Bash, there is strict use of the equals sign (=). In Bash, the equals sign must not have a leading or trailing space, also known as whitespace.

A security engineer uses Google hacking to gain knowledge about an organization's employees. What search results does the engineer retrieve by using the syntax: link:comptia.org about while practicing the command? To search for any pages whose anchor text includes the text "about" To search for any pages whose URLs include the text "about" To search for any pages that lead to the website with the text "about" on the page To search the website only for results including the text "about"

To search for any pages that lead to the website with the text "about" on the page To find a link to a specified page, the link operator is used. Searching link:comptia.org about will search for pages that link to CompTIA's website and have the text "about" on the page.

A security team plans a lateral move within a client's Windows network. The intent is to exploit a flaw in the Distributed Component Object Model (DCOM) during the move. How does the team achieve this? Issue commands using SMB Use RPC as a transport mechanism Install the WinRM service Use remote access services

Use RPC as a transport mechanism The Remote Procedure Call (RPC) enables inter-process communications between local and remote systems. DCOM applications use RPC as a transport mechanism.

An engineer scans a network for information that can be used in a mock exploit and discovers that all traffic is not visible on a switch and/or router. How can the engineer fix this issue? (Select all that apply.) Use port monitoring Use switched port analysis Use an ARP cache Use promiscuous mode

Use port monitoring Use switched port analysis Use promiscuous mode

A PenTest team prepares for an engagement at a customer site. Which assets could the team inventory as being in-scope for the test? (Select all that apply.) Users Domains Passwords Service Set Identifiers (SSID)

Users are an in-scope asset, as they are susceptible to social engineering, and are generally considered to be the easiest attack vector. Domains and/or subdomains within the organization are a prime target for malicious activity and are an in-scope asset. Domains and subdomains are examples such as example.com and ftp.example.com. Service Set Identifiers (SSID) can be targeted when an attacker is attempting to access a wireless network. As such, they are an in-scope asset.

A reconnaissance technique used to identify a client website returns the response <address>Apache/2.4.29 (Ubuntu) Server at comptia.org Port 8080</address>. How does a PenTester focus any testing efforts? (Select all that apply.) Using Linux tools On a standard HTTP port Using Windows tools On a non-standard HTTP port

Using Linux tools On a non-standard HTTP port As the response includes information stating that Apache for Ubuntu is being used, the PenTester should use tools and techniques that are specific to Linux operating systems. The PenTester should not focus on a standard HTTP port, but rather port 8080 as indicated in the response output.

A PenTest team looks to map a network for a customer. Which tools would be useful in creating a map? (Select all that apply.) WMI SNMP ARP SMTP

WMI SNMP ARP Many mapping tools use Windows Management Instrumentation (WMI) to map and manage a network. WMI can help provide a system inventory that includes system statistics and other information. The Simple Network Management Protocol (SNMP) is useful for managing many devices including those that are not computer workstations or laptops. The ARP (Address Resolution Protocol) command is a useful Windows command-line tool that can provide IP to MAC address mapping information for a host on a network.

A penetration tester discovers a device during an engagement and needs to try conducting a Pixie attack or attempt to crack PMKID offline. Which tool should they use? Airmon-ng Spooftooph ScoutSuite Wifite2

Wifite2 is a wireless auditing tool you can use to assess the WLAN. Wifite2 can launch a variety of attacks including Pixie attacks, PMKID cracking, and more.

A security firm is looking at expanding operations outside the United States. Which of the following tools might require careful consideration for legal compliance due to its encryption capabilities? InterMapper Nmap OpenVAS Wireshark

Wireshark Wireshark is a powerful open-source protocol analysis tool that can decrypt numerous protocols, such as IPsec, Kerberos, and SSL/TLS. While not restricted by U.S. export regulations, its use in countries with strict encryption import laws should be approached with caution due to its encryption capabilities.

A mobile user in a food court of a shopping mall suddenly receives a video on their device advertising a new store opening. The user checks settings on the device to see Bluetooth is enabled. What kind of attack was the mobile user subjected to? Rootkit Bluesnarfing Bluejacking Worm

Bluejacking The mobile user was the victim of a bluejacking attack, which attackers use to send out unwanted text messages, images, or videos to a mobile phone, tablet, or laptop using a Bluetooth connection.

A security analyst is trying to find older versions of a company's website which contained sensitive information. They are worried that attackers might still be able to find older versions, so they want to try using web search commands. Which web search command would help them search? inanchor inurl site cache

cache Use a standard cache search on a site, and you will see a recent view of the website. To do a quick check simply type cache: in the address bar. For example, cache:https://comptia.org.

A penetration tester has been contracted to do a test for a hospital and is looking at computerized electronic patient records. What are these referred to as? HIPAA e-PHI CCPA GDPR

e-PHI Computerized electronic patient records are referred to as electronic protected health information (e-PHI). With HIPAA, the e-PHI of any patient must be protected from exposure, or the organization can face a hefty fine.

During a penetration testing engagement, a script is employed to collect critical information within a LAN segment to facilitate effective pivoting. Which types of details is this script likely to enumerate? (Select all that apply.) host names usernames subnets closed ports

host names usernames

A security consultant is attempting to look for default passwords for a client's D-Link phones. Which of the following should they use? intitle:"DPH" "web login setting" inurl:"ccmuser/logon.asp" intitle:"Grandstream Device Configuration" password inurl:"CallManager"

intitle:"DPH" "web login setting" intitle:"DPH" "web login setting" would be used to find information on D-Link phones. If they don't have the password, they can search online for the default password to try on the targeted system.

A penetration tester is trying to use Google Hacking to find more instances of Cisco CallManager. What should they use? intitle:"DPH" "web login setting" inurl:"ccmuser/logon.asp" intitle:"Grandstream Device Configuration" password inurl:"CallManager"

inurl:"ccmuser/logon.asp" would be used to find Cisco CallManager instances. They can also try some other Google Hacking to find more information on VoIP phones that they can use to launch the attack.

A security researcher wants to scan documents against a website for only pdf documents. What metagoofil parameter could they use? metagoofil -d metagoofil -t metagoofil -l metagoofil -n

metagoofil -t metagoofil -t pdf scans for pdf documents. Metagoofil scrapes the metadata, and then displays the information using Hypertext Markup Language (HTML). metagoofil -d comptia.org scans for documents on comptia.org. Metagoofil uses various Python libraries such as PdfMiner, GoogleSearch, and Hachoir. metagoofil -l 75 searches for 75 documents. The output can then be viewed in a standard browser. Another valuable tool is FOCA, which can discover metadata from a variety of sources. metagoofil -n 25 downloads 25 files. You can download a copy of Metagoofil from GitHub. In addition, the tool is built into Kali Linux.

A PenTester shows a client how a cleartext password and other information can be extracted from system memory. Which tool does the PenTester demonstrate? medusa mimikatz brutespray hydra

mimikatz The mimikatz tool can be used to gather credentials by extracting key elements from memory such as cleartext passwords, hashes, and PIN codes. The medusa tool is a parallel brute-forcer for network logins. Its focus is to support numerous network services that allow remote authentication. The brutespray tool allows for the interpretation of results from an Nmap scan to automatically start medusa against the identified open ports. It can also use results from nmap with option "-sV" to identify and target services on non-standard ports. The hydra tool is similar to medusa, in that it supports parallel testing of several network authentications. It comes bundled with a tool called pw-inspect.

A PenTester remotely adds a user to a Windows system on one box and elevates a Linux user account to root on another. Which approach does the tester use? (Select all that apply.) net user jjones /add editing a file and changing the user's user ID (UID) and group ID net localgroup Administrators jjones /add useradd jjones

net user jjones /add editing a file and changing the user's user ID (UID) and group ID

A penetration tester wants to gather email information for a targeted phishing campaign. Which of the following tools could they use to collect this? Shodan Dirbuster Metagoofil theHarvester

theHarvester is an intuitive tool that can search a company's visible threat landscape. The tool gathers information on subdomain names, employee names, email addresses, PGP key entries, and open ports and service banners.
