Pentest2
Line 08
The following line-numbered Python code snippet is being used in reconnaissance: Which of the following line numbers from the script MOST likely contributed to the script triggering a `probable port scan` alert in the organization's IDS? A. Line 01 B. Line 02 C. Line 07 D. Line 08 E. Line 12
This device may be vulnerable to the Heartbleed bug due to the way transactions over TCP/22 handle heartbeat extension packets, allowing attackers to obtain sensitive information from process memory.
The results of an Nmap scan are as follows: Which of the following would be the BEST conclusion about this device? A. This device may be vulnerable to the Heartbleed bug due to the way transactions over TCP/22 handle heartbeat extension packets, allowing attackers to obtain sensitive information from process memory. B. This device is most likely a gateway with in-band management services. C. This device is most likely a proxy server forwarding requests over TCP/443. D. This device may be vulnerable to remote code execution because of a buffer overflow vulnerability in the method used to extract DNS names from packets prior to DNSSEC validation.
Active scanning
Which of the following assessment methods is MOST likely to cause harm to an ICS environment? A. Active scanning B. Ping sweep C. Protocol reversing D. Packet analysis
chmod u+x script.sh
Which of the following commands will allow a penetration tester to permit a shell script to be executed by the file owner? A. chmod u+x script.sh B. chmod u+e script.sh C. chmod o+e script.sh D. chmod o+x script.sh
To remove tools from the server
Which of the following describes the reason why a penetration tester would run the command sdelete mimikatz. * on a Windows server that the tester compromised? A. To remove hash-cracking registry entries B. To remove the tester-created Mimikatz account C. To remove tools from the server D. To remove a reverse shell from the system
Code context for instances of unsafe typecasting operations
Which of the following is MOST important to include in the final report of a static application-security test that was written with a team of application developers as the intended audience? A. Executive summary of the penetration-testing methods used B. Bill of materials including supplies, subcontracts, and costs incurred during assessment C. Quantitative impact assessments given a successful software compromise D. Code context for instances of unsafe typecasting operations
The existence of default passwords
Which of the following is the MOST common vulnerability associated with IoT devices that are directly connected to the Internet? A. Unsupported operating systems B. Susceptibility to DDoS attacks C. Inability to network D. The existence of default passwords
MITRE ATT&CK framework
Which of the following provides a matrix of common tactics and techniques uses by attackers along with recommended mitigations? A. NIST SP 800-53 B. OWASP Top 10 C. MITRE ATT&CK framework D. PTES technical guidelines
Metasploit
Which of the following provides an exploitation suite with payload modules that cover the broadest range of target system types? A. Nessus B. Metasploit C. Burp Suite D. Ethercap
When most of the vulnerabilities have been remediated
Which of the following situations would MOST likely warrant revalidation of a previous security assessment? A. After detection of a breach B. After a merger or an acquisition C. When an organization updates its network firewall configurations D. When most of the vulnerabilities have been remediated
OWASP ZAP Burp Suite
Which of the following tools would be BEST suited to perform a manual web application security assessment? (Choose two.) A. OWASP ZAP B. Nmap C. Nessus D. BeEF E. Hydra F. Burp Suite
Shodan
Which of the following tools would be MOST useful in collecting vendor and other security-relevant information for IoT devices to support passive reconnaissance? A. Shodan B. Nmap C. WebScarab-NG D. Nessus
nc 127.0.0.1 5555
A CentOS computer was exploited during a penetration test. During initial reconnaissance, the penetration tester discovered that port 25 was open on an internal Sendmail server. To remain stealthy, the tester ran the following command from the attack machine: Which of the following would be the BEST command to use for further progress into the targeted network? A. nc 10.10.1.2 B. ssh 10.10.1.2 C. nc 127.0.0.1 5555 D. ssh 127.0.0.1 5555
SET
A Chief Information Security Officer wants a penetration tester to evaluate the security awareness level of the company's employees. Which of the following tools can help the tester achieve this goal? A. Metasploit B. Hydra C. SET D. WPScan
The type of scan
A Chief Information Security Officer wants a penetration tester to evaluate whether a recently installed firewall is protecting a subnetwork on which many decades- old legacy systems are connected. The penetration tester decides to run an OS discovery and a full port scan to identify all the systems and any potential vulnerability. Which of the following should the penetration tester consider BEFORE running a scan? A. The timing of the scan B. The bandwidth limitations C. The inventory of assets and versions D. The type of scan
Asset inventory
A company has recruited a penetration tester to conduct a vulnerability scan over the network. The test is confirmed to be on a known environment. Which of the following would be the BEST option to identify a system properly prior to performing the assessment? A. Asset inventory B. DNS records C. Web-application scan D. Full scan
Whether sensitive client data is publicly accessible
A company obtained permission for a vulnerability scan from its cloud service provider and now wants to test the security of its hosted data. Which of the following should the tester verify FIRST to assess this risk? A. Whether sensitive client data is publicly accessible B. Whether the connection between the cloud and the client is secure C. Whether the client's employees are trained properly to use the platform D. Whether the cloud applications were developed using a secure SDLC
WPS
A company's Chief Executive Officer has created a secondary home office and is concerned that the WiFi service being used is vulnerable to an attack. A penetration tester is hired to test the security of the WiFi's router. Which of the following is MOST vulnerable to a brute-force attack? A. WPS B. WPA2-EAP C. WPA-TKIP D. WPA2-PSK
Testing restrictions
A consulting company is completing the ROE during scoping. Which of the following should be included in the ROE? A. Cost of the assessment B. Report distribution C. Testing restrictions D. Liability
Establish the threshold of risk to escalate to the client immediately.
A new client hired a penetration-testing company for a month-long contract for various security assessments against the client's new service. The client is expecting to make the new service publicly available shortly after the assessment is complete and is planning to fix any findings, except for critical issues, after the service is made public. The client wants a simple report structure and does not want to receive daily findings. Which of the following is most important for the penetration tester to define FIRST? A. Establish the format required by the client. B. Establish the threshold of risk to escalate to the client immediately. C. Establish the method of potential false positives. D. Establish the preferred day of the week for reporting.
Nikto
A penetration tester found the following valid URL while doing a manual assessment of a web application: http://www.example.com/product.php?id=123987. Which of the following automated tools would be best to use NEXT to try to identify a vulnerability in this URL? A. SQLmap B. Nessus C. Nikto D. DirBuster
Mapping a share to a remote system Executing a file on the remote system
A penetration tester gains access to a system and is able to migrate to a user process: Given the output above, which of the following actions is the penetration tester performing? (Choose two.) A. Redirecting output from a file to a remote system B. Building a scheduled task for execution C. Mapping a share to a remote system D. Executing a file on the remote system E. Creating a new process on all domain systems F. Setting up a reverse shell from a remote system G. Adding an additional IP address on the compromised system
nmap -sS -O 192.168.1.2/24 -T1
A penetration tester has been given an assignment to attack a series of targets in the 192.168.1.0/24 range, triggering as few alarms and countermeasures as possible. Which of the following Nmap scan syntaxes would BEST accomplish this objective? A. nmap -sT -vvv -O 192.168.1.2/24 -PO B. nmap -sV 192.168.1.2/24 -PO C. nmap -sA -v -O 192.168.1.2/24 D. nmap -sS -O 192.168.1.2/24 -T1
Recon-ng
A penetration tester has been hired to perform a physical penetration test to gain access to a secure room within a client's building. Exterior reconnaissance identifies two entrances, a WiFi guest network, and multiple security cameras connected to the Internet. Which of the following tools or techniques would BEST support additional reconnaissance? A. Wardriving B. Shodan C. Recon-ng D. Aircrack-ng
Utilize a pass-the-hash attack.
A penetration tester is able to capture the NTLM challenge-response traffic between a client and a server. Which of the following can be done with the pcap to gain access to the server? A. Perform vertical privilege escalation. B. Replay the captured traffic to the server to recreate the session. C. Use John the Ripper to crack the password. D. Utilize a pass-the-hash attack.
nmap -sn 10.12.1.0/24
A penetration tester is attempting to discover live hosts on a subnet quickly. Which of the following commands will perform a ping scan? A. nmap -sn 10.12.1.0/24 B. nmap -sV -A 10.12.1.0/24 C. nmap -Pn 10.12.1.0/24 D. nmap -sT -p- 10.12.1.0/24
Spawned shells Created user accounts
A penetration tester is cleaning up and covering tracks at the conclusion of a penetration test. Which of the following should the tester be sure to remove from the system? (Choose two.) A. Spawned shells B. Created user accounts C. Server logs D. Administrator accounts E. Reboot system F. ARP cache
A dedicated point of contact at the client The paperwork documenting the engagement
A penetration tester is conducting an authorized, physical penetration test to attempt to enter a client's building during non-business hours. Which of the following are MOST important for the penetration tester to have during the test? (Choose two.) A. A handheld RF spectrum analyzer B. A mask and personal protective equipment C. Caution tape for marking off insecure areas D. A dedicated point of contact at the client E. The paperwork documenting the engagement F. Knowledge of the building's normal business hours
Understanding the tactics of a security intrusion can help disrupt them.
A penetration tester is explaining the MITRE ATT&CK framework to a company's chief legal counsel. Which of the following would the tester MOST likely describe as a benefit of the framework? A. Understanding the tactics of a security intrusion can help disrupt them. B. Scripts that are part of the framework can be imported directly into SIEM tools. C. The methodology can be used to estimate the cost of an incident better. D. The framework is static and ensures stability of a security program over time.
Perform a credentialed scan with Nessus.
A penetration tester is looking for a vulnerability that enables attackers to open doors via a specialized TCP service that is used for a physical access control system. The service exists on more than 100 different hosts, so the tester would like to automate the assessment. Identification requires the penetration tester to: ✑ Have a full TCP connection ✑ Send a `hello` payload ✑ Wait for a response ✑ Send a string of characters longer than 16 bytes Which of the following approaches would BEST support the objective? A. Run nmap -Pn -sV --script vuln <IP address>. B. Employ an OpenVAS simple scan against the TCP port of the host. C. Create a script in the Lua language and use it with NSE. D. Perform a credentialed scan with Nessus.
Exploiting a configuration weakness in the SQL database
A security company has been contracted to perform a scoped insider-threat assessment to try to gain access to the human resources server that houses PII and salary data. The penetration testers have been given an internal network starting position. Which of the following actions, if performed, would be ethical within the scope of the assessment? A. Exploiting a configuration weakness in the SQL database B. Intercepting outbound TLS traffic C. Gaining access to hosts by injecting malware into the enterprise-wide update server D. Leveraging a vulnerability on the internal CA to issue fraudulent client certificates E. Establishing and maintaining persistence on the domain controller
Reprioritizing the goals/objectives
A security firm is discussing the results of a penetration test with the client. Based on the findings, the client wants to focus the remaining time on a critical network segment. Which of the following BEST describes the action taking place? A. Maximizing the likelihood of finding vulnerabilities B. Reprioritizing the goals/objectives C. Eliminating the potential for false positives D. Reducing the risk to the client environment
Identify all the vulnerabilities in the environment.
An Nmap scan shows open ports on web servers and databases. A penetration tester decides to run WPScan and SQLmap to identify vulnerabilities and additional information about those systems. Which of the following is the penetration tester trying to accomplish? A. Uncover potential criminal activity based on the evidence gathered. B. Identify all the vulnerabilities in the environment. C. Limit invasiveness based on scope. D. Maintain confidentiality of the findings.
nmap ג€"T0 192.168.0.1
An assessor wants to run an Nmap scan as quietly as possible. Which of the following commands will give the LEAST chance of detection? A. nmap ג€"T3 192.168.0.1 B. nmap ג€"P0 192.168.0.1 C. nmap ג€"T0 192.168.0.1 D. nmap ג€"A 192.168.0.1
Direct object reference
During a penetration test, a tester is able to change values in the URL from example.com/login.php?id=5 to example.com/login.php?id=10 and gain access to a web application. Which of the following vulnerabilities has the penetration tester exploited? A. Command injection B. Broken authentication C. Direct object reference D. Cross-site scripting
Dump the user address book on the device.
During a penetration test, a tester is in close proximity to a corporate mobile device belonging to a network administrator that is broadcasting Bluetooth frames. Which of the following is an example of a Bluesnarfing attack that the penetration tester can perform? A. Sniff and then crack the WPS PIN on an associated WiFi device. B. Dump the user address book on the device. C. Break a connection between two Bluetooth devices. D. Transmit text messages to the device.
Rainbow table attack
During an engagement, a penetration tester found the following list of strings inside a file: Which of the following is the BEST technique to determine the known plaintext of the strings? A. Dictionary attack B. Rainbow table attack C. Brute-force attack D. Credential-stuffing attack
Failing to share with the client critical vulnerabilities that exist within the client architecture to appease the client's senior leadership team. Seeking help with the engagement in underground hacker forums by sharing the client's public IP address
A penetration tester is reviewing the following SOW prior to engaging with a client. `Network diagrams, logical and physical asset inventory, and employees' names are to be treated as client confidential. Upon completion of the engagement, the penetration tester will submit findings to the client's Chief Information Security Officer (CISO) via encrypted protocols and subsequently dispose of all findings by erasing them in a secure manner.` Based on the information in the SOW, which of the following behaviors would be considered unethical? (Choose two.) A. Utilizing proprietary penetration-testing tools that are not available to the public or to the client for auditing and inspection B. Utilizing public-key cryptography to ensure findings are delivered to the CISO upon completion of the engagement. C. Failing to share with the client critical vulnerabilities that exist within the client architecture to appease the client's senior leadership team. D. Seeking help with the engagement in underground hacker forums by sharing the client's public IP address E. Using a software-based erase tool to wipe the client's findings from the penetration tester's laptop. F. Retaining the SOW within the penetration tester's company for future use so the sales team can plan future engagements
nmap 192.168.1.1-5 -PS22-25,80
A penetration tester is scanning a corporate lab network for potentially vulnerable services. Which of the following Nmap commands will return vulnerable ports that might be interesting to a potential attacker? A. nmap 192.168.1.1-5 -PU22-25,80 B. nmap 192.168.1.1-5 -PA22-25,80 C. nmap 192.168.1.1-5 -PS22-25,80 D. nmap 192.168.1.1-5 -Ss22-25,80
Unknown environment testing
A penetration tester is starting an assessment but only has publicly available information about the target company. The client is aware of this exercise and is preparing for the test. Which of the following describes the scope of the assessment? A. Partially known environment testing B. Known environment testing C. Unknown environment testing D. Physical environment testingv
*range(1, 1025) on line 1 populated the portList list in numerical order.
A penetration tester ran a simple Python-based scanner. The following is a snippet of the code: Which of the following BEST describes why this script triggered a `probable port scan` alert in the organization's IDS? A. sock.settimeout(20) on line 7 caused each next socket to be created every 20 milliseconds. B. *range(1, 1025) on line 1 populated the portList list in numerical order. C. Line 6 uses socket.SOCK_STREAM instead of socket.SOCK_DGRAM D. The remoteSvr variable has neither been type-hinted nor initialized.
Remove the tester-created credentials.
A penetration tester ran the following commands on a Windows server: Which of the following should the tester do AFTER delivering the final report? A. Delete the scheduled batch job. B. Close the reverse shell connection. C. Downgrade the svsaccount permissions. D. Remove the tester-created credentials.
Wireshark
A penetration tester received a .pcap file to look for credentials to use in an engagement. Which of the following tools should the tester utilize to open and read the .pcap file? A. Nmap B. Wireshark C. Metasploit D. Netcat
Windows Server
A penetration tester receives the following results from an Nmap scan: Which of the following OSs is the target MOST likely running? A. CentOS B. Arch Linux C. Windows Server D. Ubuntu
FOCA
A penetration tester wants to find hidden information in documents available on the web at a particular domain. Which of the following should the penetration tester use? A. Netcraft B. CentralOps C. Responder D. FOCA
Stronger algorithmic requirements
A penetration tester was able to gather MD5 hashes from a server and crack the hashes easily with rainbow tables. Which of the following should be included as a recommendation in the remediation report? A. Stronger algorithmic requirements B. Access controls on the server C. Encryption on the user passwords D. A patch management program
This URI returned a server error.
A penetration tester was brute forcing an internal web server and ran a command that produced the following output: However, when the penetration tester tried to browse the URL http://172.16.100.10:3000/profile, a blank page was displayed. Which of the following is the MOST likely reason for the lack of output? A. The HTTP port is not open on the firewall. B. The tester did not run sudo before the command. C. The web server is using HTTPS instead of HTTP. D. This URI returned a server error.
The tester input the incorrect IP address.
After gaining access to a previous system, a penetration tester runs an Nmap scan against a network with the following results: The tester then runs the following command from the previous exploited system, which fails: Which of the following explains the reason why the command failed? A. The tester input the incorrect IP address. B. The command requires the ג€"port 135 option. C. An account for RDP does not exist on the server. D. PowerShell requires administrative privilege
