CompTIA PenTest+ Practice Questions

Lakukan tugas rumah & ujian kamu dengan baik sekarang menggunakan Quizwiz!

What function is used to inject the malicious library file into a macOS?

'DYLD_INSERT_LIBRARIES' function is used to inject the malicious library file.

Which of the following do 3rd party vendors need to implement to ensure their contributions do not introduce new vulnerabilities into a customer's environment?

- Ensuring their products or services meet security standards and do not compromise the customer's security posture. - Adhering to relevant regulations and industry standards applicable to their offerings.

Log injection occurs when misleading or false data is injected into the log files. If the pentester can carry out log injection, it can lead to the following:

- Falsifying log files or creating new files. This is also known as log forging. This would help throw off investigators. - Cross-site scripting attacks if the log files are viewed in a vulnerable browser. - Malicious commands can be injected and executed through a parser (such as a PHP parser).

A penetration tester has completed a penetration test and has handed off the final report to the client. What are the next steps the penetration tester should take to ensure a proper cleanup of the environment? (Select three.)

- Shut down and remove any network infrastructure created during the test, such as virtual machines, storage volumes, and firewall rules. - Delete any user accounts or credentials created during the test, and ensure that all configuration changes are reverted. - Immediately remove any tools or shells installed during the test, and verify that all persistence mechanisms are removed from the environment.

Methods to clear event logs

- Using the clearev in Metasploit's meterpreter will clear all Windows event logs. - Specific log categories can be deleted using Windows PowerShell or CLI. For example: wevtutil cl Application will clear the application log. - To clear log files on a Linux system, the same methods used to clear any text file will work. For example, to clear the syslog use: echo "" > / var/ log/ syslog.

What are two types of logs?

-Audit logs which are created by the Operating System. These logs keep track of file access, changes made to the system, and other records about events that occur on such systems. -Application logs are created by programs or applications in order to keep track of what occurs within their memory space

A penetration tester suspects a firewall is blocking their scan attempts and wants to try a TCP ACK scan to get around this. What nmap switch would they use?

-sA

What Nmap scan option is Ping Sweep, an effective way to find which hosts are currently open and listening for initial host enumeration that won't trigger firewalls?

-sP

What fast Nmap scan is also known as a "half-open" scan that sends a SYN packet to the target, and if the port is open, it receives a SYN-ACK. The connection is never fully established (no final ACK), making it a stealthy scan. It is less likely to be logged and detected compared to a full TCP scan?

-sS (TCP SYN scan)

What Nmap scan initiates a full TCP 3-way handshake, making it the noisiest scan because the connection is full established. It is easily detected by IDS and logs on the target system, making it unsuitable when attempting to minimize detection?

-sT (TCP Connect)

What Nmap scan sends packets with multiple flags set (FIN, URG, and PSH) if no response is received, the port is considered to be open. It is relatively stealthy, but may not work reliably on all systems, especially modern firewalls and systems using the latest security measures?

-sX (Xmas Tree scan)

What are the steps to carry out a Process Hollowing Attack?

1. Identify a process that can be exploited. The process will be started, but immediately paused. This can be accomplished using the Windows API function 'CreateProcess' with the 'CREATE_SUSPENDED' flag. 2. Using a function like 'ZwUnmapViewofSection' or another similar function, the legitimate code will be removed from the process. 3. The 'VirtualAllocEx' function can then be used to allocate memory in the suspended process. 4. The malicious code is injected into the allocated memory using the 'WriteProcessMemory' function. The now malicious process is then restarted and the malicious code will be executed.

You have compromised a system during a penetration test and need to exfiltrate sensitive data without raising suspicion. Considering the use of virtual drive mounting, which of the following approaches would BEST help you achieve this goal?

Create a virtual disk on the compromised system, copy the sensitive data to it, unmount the virtual drive, and then transfer it to an external drive for physical removal.

A penetration tester has joined a consulting company that performs tests for several varying clients. The company has stressed about staying within the scope of the project. What is the worst thing the tester could face if they go outside their scope?

Criminal charges

Mythic

Cross-platform C2 framework Also works with Windows, Linux, and macOS, but it contains payloads such as Apfell and Poseidon that make it a favorite for pentesting macOS. HIGHLY SUITABLE FOR DIVERSE A DIVERSE NETWORK ENVIRONMENT One great feature is that it uses Docker for all of its components. This means that features can be used without already having existing requirements on the host.

Covenant

Cross-platform C2 framework built in .NET. Being built in .NET means it's cross-platform and can run on Windows, Linux, and macOS. Includes a web-based interface that allows multiple users to access it and collaborate.

A script used for parsing log files during a penetration test contains: #!/usr/bin/perl use strict; my $file = "/var/log/auth.log"; open(my $fh, '<', $file) or die "Cannot open file: $!"; whilechains($fh); Which scripting language is this? A) Ruby B) Python C) Bash D) Perl

D) Perl

A mid-sized e-commerce company, "ShopEase," is planning to migrate its operations to a cloud hosting provider to enhance its service delivery. The company is particularly concerned about ensuring the security and availability of its services to maintain customer trust and comply with industry regulations. As the IT manager, you are responsible for selecting a hosting provider that aligns with these priorities. Based on the responsibilities of a hosting provider, which of the following actions should you prioritize when evaluating potential providers?

Ensure the provider has robust physical security measures, such as access controls and surveillance, to protect the data center.

When conducting a penetration test on a specialized system within a critical infrastructure, which of the following is the MOST important consideration to ensure the test is conducted safely and effectively?

Ensuring all stakeholders are involved and maintaining communication throughout the process

Which of the following actions must a pentester take before beginning a penetration test to ensure the assessment is legally compliant?

Define the scope of engagement, including in-scope assets like IP address ranges, APIs, and cloud resources, and ensure all parties agree on the terms.

What is a primary risk associated with improper deserialization in applications, particularly when handling data from untrusted sources?

Denial of Service (DoS) attacks

During a penetration test, the pentester discovers several applications with potential vulnerabilities. The pentester is aware that these applications have dependencies that must also be assessed for security risks. Which of the following is the BEST reason why the pentester should scan dependencies during the vulnerability assessment?

Dependencies, if vulnerable, can be exploited to gain access to sensitive data or systems.

During a penetration test, the Rules of Engagement (RoE) are established to define the guidelines and boundaries within which the test should be conducted. Which of the following is NOT typically covered by the RoE?

Detailed remediation steps for identified vulnerabilities.

You are a penetration tester tasked with assessing the security of a client's network. The scope of the pentest specifies that you must identify all active hosts within a specific subnet and ensure none of these hosts are outside the IP address allow list provided by the client. Which of the following approaches BEST applies to scripting automation to effectively fulfill this requirement?

Develop a script that takes the output of an nmap scan, checks the number of active hosts against the expected count, and identifies any hosts not on the allow list.

Which of the following actions demonstrates the MOST effective use of a script during the enumeration phase of a penetration test?

Developing a script that parses the output of an Nmap scan and alerts the pentester if the number of hosts identified does not match the expected number in the scope.

Which of the following statements BEST describes the concept of directory traversal in web applications?

Directory traversal is a technique that allows an attacker to access files outside the intended directory by manipulating the directory path, often using sequences like .. or ../

A penetration tester is attempting to perform a pass-the-hash attack on a Windows target machine. The tester successfully obtained a hash from the system but is unable to use it to gain administrative access due to restrictions. Which of the following actions should the tester take to potentially enable the attack?

Disable Windows Defender Credential Guard on the target machine

During the preparation phase of a penetration test, your team conducts a meeting with stakeholders to ensure alignment on the objectives, processes, and expected outcomes. Which of the following actions is the MOST critical for your team to perform during this meeting to minimize the risk of misunderstandings or scope violations during the test?

Discuss and document the specific systems and network segments that are in-scope and out-of-scope for the penetration test.

Which of the following is a primary responsibility of a hosting provider, such as a cloud service provider or data center operator, in ensuring the security of the infrastructure that supports their services?

Ensuring the physical security of data centers, including access controls and environmental protections.

Kernel and service exploits (Linux Privilege Escalation Techniques) Tool/Exploit: nmap -sV Metasploit module: post/multi/recon/local_exploit_suggester

Find exploits that target the kernel and privileged services.

Weak Process Permissions (Linux Privilege Escalation Techniques) Tool/Exploit: Metasploit modules: post/multi/recon/local_exploit_suggester post/multi/manage/shell_to_meterpreter Meterpreter migrate and getsystem commands

Find processes with weak controls and see if malicious code can be injected into those processes.

Weak Process Permissions (Windows Privilege Escalation Technique) Tools/Exploit: Metasploit Modules: post/multi/recon/local_exploit_suggester post/multi/manage/shell_to_meterpreter Meterpreter migrate and getsystem commands

Find processes with weak controls and see if you can inject malicious code into those processes.

A PenTester is writing a script and is using if statements, else statements, and loops to determine how the code will execute. What is this component of a script known as?

Flow control

Which of the following BEST describes the role of flow control in enhancing the efficiency and effectiveness of a penetration testing script used for network reconnaissance and port scanning?

Flow control enables the script to execute commands in a specified order, allowing for conditional actions and repeated operations based on specific criteria.

A penetration tester is attempting to gain unauthorized access to a network protected by an Intrusion Detection System (IDS). The tester decides to use packet crafting techniques to evade detection. Which of the following methods would be most effective in bypassing the IDS?

Fragmenting packets to avoid detection by the IDS.

A penetration tester is running -sT 172.16.50.0/24. What does -sT do?

Full connection TCP gives a lot of information, but is slow and firewalls pick them up.

What is Vertical Movement?

Gaining higher privileges (e.g., from user to admin).

During a penetration test, you have successfully gained access to a target network. Your next step is to stage and exfiltrate sensitive data without being detected. Which of the following actions would be the MOST appropriate first step in the staging process?

Gather and organize data from various locations on the compromised systems.

A client comments on a PenTest report by stating the amazement of how much information was found by the team. The client asks which tool was used to find subdomains and their respective directories. Which tool has the PenTester MOST likely used?

GoBuster

A penetration tester is tasked with discovering hidden directories on a web server using a brute-force method. The tester decides to use a tool that can perform DNS subdomain enumeration in addition to brute-forcing directories. Which of the following tools should the tester use, and what type of brute-force attack would be most effective for discovering these hidden directories?

GoBuster; Dictionary Attack

During a penetration test, new vulnerabilities were discovered that were not part of the original test plan. The team decides to shift their focus to address these findings immediately. What process is the team engaging in?

Goal Reprioritization

An attacker wants to maintain persistence on a compromised Windows system by configuring a program to run at startup for the current user. Which registry key would be MOST appropriate for this purpose, and what is a potential limitation of using this key?

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run; the program will run at startup for the current user, but it can be disabled by removing the entry from the registry.

Which of the following BEST describes the importance of HVA in penetration testing?

HVAs are systems or data critical to an organization's operation, reputation, or compliance and should always be prioritized for testing within the defined scope.

A software development company is in the process of integrating security practices into their development workflow. They have decided to adopt a Secure Software Development Life Cycle (SDLC) approach. During the testing phase of their new application, they want to ensure that vulnerabilities are identified and addressed before deployment. Which of the following actions should the company prioritize to effectively implement the SDLC principles during the testing phase?

Implementing fuzz testing and input validation to identify potential vulnerabilities.

What is Gobuster?

A command-line tool known for its efficiency in brute-forcing directories and files on web servers. Additionally, it can perform DNS subdomain enumeration, making it the appropriate choice when the tester needs both functionalities. A dictionary attack would be more effective than a simple brute-force attack for discovering hidden directories because it uses a predefined list of potential directories (such as admin, login, etc.), which is faster and more targeted than trying every possible combination of characters (simple brute-force).

(Host-Based Attack Tool) Rubeus

A command-line tool that is used to exploit Kerberos authentication in a Windows Domain environment.

Aircrack-ng

A complete suite of wireless security assessment and exploitation tools that includes monitoring, attacking, testing, and cracking of wireless networks.

OSSTMM (Open Source Security Testing Methodology Manual)

A comprehensive framework for conducting security testing and assessments. Developed by the Institute for Security and Open Methodologies (ISECOM), Provides a standardized methodology and set of guidelines for evaluating the security posture of systems, networks, and organizations.

Which of the following scenarios BEST illustrates a potential vulnerability in the implementation of JSON Web Tokens (JWTs) that could lead to unauthorized access?

A developer mistakenly uses a weak key for signing a JWT, allowing an attacker to forge a valid signature and create a token with arbitrary claims.

What is a Process Hollowing Attack?

A stealthy attack in which the pentester injects malicious code into a legitimate process that is already running on the computer. In this attack, the memory space of the process is hollowed out and replaced with malicious code. Because the malicious code is running inside of a legitimate process, this attack can be extremely difficult to detect.

STRIDE Threat Model

A structured approach for identifying and evaluating security threats, making it a valuable tool during penetration testing. It can help in prioritizing the most significant and likely threats, optimizing the use of resources. An acronym that represents the following security threats: Spoofing, Tampering, Repudiation, Information disclosure, Denial-of-service, Elevation of privilege

When defining the communication path, what should an IT manager establish for a PenTest team?

A testing threshold

What is PsExec?

A tool that allows for the execution of processes on remote systems, could be useful for lateral movement, but typically requires admin privileges to execute commands on remote machines.

What is Kube-Hunter (Kubernetes Scecurity)?

A tool that hunts for security weaknesses in Kubernetes clusters.

Which of the following scenarios would MOST likely lead to an Arbitrary Code Execution (ACE) attack?

A web application accepts and executes untrusted serialized data without validation.

What is the wireless Karma Attack?

A wireless attack that targets individual client devices, listens for beacon requests from a target device.

What is a Fragmentation Attack?

An attack that targets WEP networks, it abuses a weakness in the pseudorandom generastion algorithm by injecting junk data into a wireless access point, which causes a target network to reuse cryptographic data eventually.

A penetration tester is assessing a Windows Active Directory environment to identify vulnerabilities in the PKI. The tester discovers a misconfiguration in the certificate management process that allows low-privileged users to enroll for certificates without approval. Which of the following best describes the potential risk associated with this misconfiguration?

An attacker could impersonate users by forging certificates, potentially gaining unauthorized access to sensitive resources.

Which of the following scenarios BEST demonstrates Service-to-Service trust relationship abuse in a cloud environment?

An attacker gains unauthorized access by exploiting an API used for communication between two cloud services.

What is the Authentication/Network/Enterprise Attack Tool Responder?

An on-path type tool that can be used to exploit name resolution on a Windows network (intercept and poison LLMNR and NBT-NS requests).It can be used for Pass-the_Hash.

(Host-Based Attack Tool) Mimikatz

An open-source command-line tool used to extract credentials from Windows systems. It can dump passwords and hashes from sources like LSASS, the SAM database, and Active Directory. It also supports advanced attacks like pass-the-hash and Kerberos manipulation. For example, the lsadump::lsa /patch module dumps all hashes stored in LSASS.

What is the Authentication Attack Tool BloodHound?

An open-source tool that is used to scan Win AD and map out AD objects that an attacker can use to perform privilege escalation, lateral movement and more. It provides detailed visualizations of potential attack paths.

What is ScoutSuite?

An open-source tool written in Python that can be used to audit instances and policies created on multi-cloud platforms, such as AWS, Microsoft Azure, and Google Cloud

You are conducting a penetration test for a financial institution and are in the process of documenting your findings. During the test, you successfully exploited a vulnerability that allowed you to access sensitive customer data. You need to document this finding in a way that will be credible and useful for the client, who must present the report to a regulatory body. Which of the following actions should you take to ensure your documentation is both credible and compliant with industry standards?

Document the attack path with a detailed narrative and include screenshots, but censor or remove parts of the sensitive information while leaving enough evidence to prove the attack was successful.

During the scoping phase of a penetration testing exercise, a cross-functional team is responsible for defining the scope, including which systems and data will be tested. Which of the following actions should be taken to ensure compliance with industry regulations and protect sensitive data during the testing process?

Document the specific laws and regulations applicable to the data involved, and establish guidelines for data encryption and disposal.

In a penetration test, an organization often provides a great deal of information pertinent to attacking target systems and goals to the penetration tester. Which of the following are often provided by the target organization? (Select two.)

Domains and IP Addresses

What is the primary purpose of Drozer in the context of specialized system attacks?

Drozer is an open-source software used for testing vulnerabilities on Android devices.

This wireless attack/exploit tool is a Python-based toolkit with a wide range of features. It provides several options that the team can attack WPA2-Enterprise 802.11a or 802.11n networks in an easy -to-use platform?

EAPHammer

Why do End-of-Life (EOL) systems pose a significant security risk to organizations, and what should a penetration tester prioritize when encountering them during a pentest?

EOL systems no longer receive security patches, making them vulnerable to known exploits, so penetration testers should prioritize testing them for vulnerabilities.

A penetration tester is explaining a USB drop key attack to a client, emphasizing how it exploits human curiosity. In this type of attack, an attacker drops a malicious USB drive near a workplace, hoping an employee will plug it into their computer. Which of the following techniques is NOT a common way attackers disguise malicious files to entice users into running them?

Embedding the malware in a document within an encrypted email attachment.

This tool is a post-exploitation framework that allows the tester to maintain access and execute further attacks using PowerShell, leveraging built-in Windows functions while bypassing some security mechanisms. This makes it suitable for maintaining access in a stealthy manner.

Empire

A non-disclosure agreement (NDA) prohibits an employee from disclosing certain information. Which of the following is NOT one of the items included as protected information?

Employee profiles

During a penetration test, a tester discovers that an organization's internal web application stores user passwords in cleartext within its database. To enhance the security of password storage, the penetration tester recommends the use of technical control factors. Which of the following would be the MOST appropriate action to mitigate the identified risk?

Encrypt the passwords using a secure hashing algorithm with salting.

A pentester is tasked with assessing the physical security of an organization's facility as part of a penetration test. The team is planning to attempt tasks such as bypassing security cameras, accessing restricted systems, and stealing proprietary equipment. What should the pentester do before initiating the physical security breach to ensure the test is conducted effectively and within the scope?

Conduct a site survey to assess physical security measures such as fences and motion detection systems.

Which of the following responsibilities is crucial for a penetration tester to ensure the security assessment is conducted properly and ethically?

Conducting tests lawfully, respecting privacy, and not causing any unnecessary damage.

A penetration tester is attempting to perform a VLAN hopping attack to gain unauthorized access to a restricted VLAN. Which of the following actions should the tester take to successfully execute this attack?

Configure the attacker's machine interface to become a trunk port.

During a penetration test, you have identified multiple vulnerabilities in a target system. One of the vulnerabilities could potentially be exploited to gain root access, while another could be used for a distributed denial-of-service (DDoS) attack. How should you proceed in selecting the appropriate exploit using Metasploit?

Consult the scope of the contract to determine which exploit is appropriate to use.

Which of the following statements BEST describes how containers operate and how they can be tested for vulnerabilities during a penetration test?

Containers rely on operating system-level resource separation rather than a hypervisor, and typical container vulnerabilities include configuration issues, application flaws, and network policy misconfigurations.

When performing a penetration test, which of the following factors must the testing team consider to ensure legal and regulatory compliance?

Country, state, and local laws, as well as the organization's policies that restrict the use of certain tools and methods.

As a penetration tester, you are tasked with assessing the security of an AI system used by an organization for customer support. You need to explain potential vulnerabilities and attacks that could be exploited. Which of the following BEST describes a prompt injection attack on an AI system?

Crafting inputs to bypass security measures and extract sensitive information.

You are a penetration tester tasked with assessing the security of a company's internal network. During your engagement, you gain access to a low-privilege user account on a Windows machine. Your objective is to move laterally within the network to access a high-value target server that stores sensitive financial data. Which of the following tools would be the MOST appropriate to use for this task, considering your current access level and the need to remain stealthy?

LOLbins

(Host-Based Attack Tool) Living off the land binaries (LOLbins)

LOLbins refer to legitimate binaries that are a part of the Operating System, but have been exploited to carry out and hide malicious activity

A PenTester was able to gain access to an employee's computer from the outside and then used the computer to set up a connection to the application server. The PenTester then used it to open access to a database server. What is this process called?

Lateral Movement

A security engineer is conducting an Open-source Intelligence (OSINT) recon against the organization to find out its public-facing exposure. The security engineer wants to visualize the gathered information using a GUI to help process the information. Which of the following tools is BEST suited for this?

Maltego

During a penetration test, the pentester identifies multiple pathways that an attacker could exploit to gain access to the internal network. The pentester decides to use a tool to help visualize these paths, making it easier to identify vulnerabilities and assess the attack surface. Which of the following tools would be the MOST appropriate for mapping out these potential attack paths?

Maltego

What tool for Recon searches the internet for a specified target (domain, company, person etc.) for all related information on the target including social media links, IP addresses, DNS servers and more. It has a GUI to help users visualize the gathered data and help determine the relationships between gathered data.

Maltego

Which of the following tools would be MOST effective for a pentester to use when they need to visualize and analyze connections between various data points collected during user enumeration?

Maltego

Which combination of operational control factors is MOST effective in reducing the risk of unauthorized access to critical systems while also improving detection of malicious activities during penetration testing?

Mandatory vacations and time-of-day restrictions

What is Forced Browsing?

Manually guessing a URL that would give access to restricted data. If the resource is not properly protected and the user guesses the right URL, they can potentially gain access.

An organization is reviewing the contents of a report and has questions about the framework that the PenTesters used to conduct the penetration test. What section of the report is the organization referring to?

Methodology

During a penetration test, the pentester gains access to a Windows machine and wants to retrieve user credentials for further analysis. Which tool would be MOST appropriate for dumping credentials stored in locations such as the SAM database, LSASS, or Active Directory?

Mimikatz

A penetration tester is assessing a Windows system for potential service misconfigurations that could be exploited to gain unauthorized access or elevate privileges. After identifying the running services using Nmap, which of the following techniques should the tester apply to exploit a misconfigured service?

Modify the service executable path to point to a malicious executable.

In a PenTest environment, Bash scripting is frequently utilized due to its ability to automate tasks and manage processes on Unix-like operating systems. Which of the following is NOT a typical use case for Bash scripting during a penetration test?

Modifying kernel parameters directly through Bash scripts

During a penetration test on an industrial environment, a tester is assessing the security of Operational Technology (OT) components, including Programmable Logic Controllers (PLCs) and Supervisory Control and Data Acquisition (SCADA) systems. Which of the following actions would be considered a significant risk if an attacker gains access to these OT systems?

Modifying register values in a PLC

What is Lateral Movement?

Moving sideways across systems on a network to find valuable targets.

During a penetration test, you decide to use a command and control (C2) framework to manage compromised systems. Which of the following C2 frameworks would be MOST suitable for executing post-exploitation tasks on a network with a mix of Windows, Linux, and macOS systems?

Mythic

Which contractual document, signed by two consenting parties, aims to protect each other's competitive advantages?

NDA

Which of the following BEST describes the benefit of using Nmap Scripting Engine (NSE) in a penetration test?

NSE scripts enable the customization of Nmap scans to perform tasks such as discovering vulnerabilities, detecting malware, and performing protocol queries.

A security student wants to start conducting vulnerability scans on their own network. The student wants to be able to use a commercial tool, but that is available for free for home use. Which of the following could the security student use?

Nessus

A penetration tester is conducting attacks against web servers and wants a tool that helps automate part of the process and completes comprehensive testing. Which tool would BEST meet these requirements?

Nikto

What open-source Web Server Vulnerability Scanner is built into Kali Linux. Tests for outdated versions of more than 1,250 servers, scans more than 6,000 files and programs that can be exploited, checks for version-specific problems on more than 270 servers, but creates a large footprint by leaving a high-volume of entries in the Web Servers log files?

Nikto

Which of the following tools is BEST suited for scanning a web server for outdated versions, vulnerable files, and programs, but may leave a large footprint in the server's log files?

Nikto

Based on the following characteristics, identify the correct language/tool -Environment: Cross-platform, used for network scanning -Path Separator: N/A (focuses on network commands, not file paths). -Case Sensitivity: Yes, command-line options are case-sensitive (e.g., -sS ≠ -ss). -Variable Notation: No variables in typical usage; uses flags/options. -Key Features: Command-line tool with flags (e.g., -sS for TCP SYN scan, -p for ports).

Nmap

A penetration tester is performing host enumeration on 172.16.50.0/24. What command would the penetration tester run?

Nmap -sP 172.16.50.0/24

A penetration tester is tasked with conducting a security assessment on a network and needs to use a combination of tools to scan for vulnerabilities, exploit them, and analyze network traffic. Which of the following combinations of tools would best suit the tester's needs for scanning, exploiting, and traffic analysis?

Nmap, Metasploit, Wireshark

A penetration tester is tasked with assessing the security of a client's cloud environment, which includes both AWS and Kubernetes clusters. The tester needs to evaluate the security configurations of the AWS account, audit Kubernetes clusters for vulnerabilities, and ensure that the Docker containers follow industry best practices. Which combination of tools should the tester use to perform these tasks efficiently?

Pacu, Prowler, Kube-hunter

A penetration tester is simulating a relay attack to gain unauthorized access to a network. The tester captures authentication data and uses it to impersonate a legitimate user.

Pass-the-Hash Attack to use captured hashed credentials for authentication

A penetration tester is simulating a relay attack to gain unauthorized access to a network. The tester captures authentication data and uses it to impersonate a legitimate user. Which of the following techniques is the tester most likely using in this scenario?

Pass-the-Hash Attack to use captured hashed credentials for authentication.

A penetration tester is trying to determine the operating systems running on several hosts within a network. The tester wants to avoid detection by firewalls and intrusion detection systems (IDS). Which method should the tester use, and what is a potential drawback of this method?

Passive OS fingerprinting; less accurate in identifying the OS.

During questioning of a client, a project manager discovers that the network they are looking at is a very sensitive industrial control network. Which of the following techniques should they start with?

Passive information gathering

In the initial stages of a penetration test, your team gathers information about the target organization. What is the primary difference between passive reconnaissance and active reconnaissance during this process?

Passive reconnaissance involves gathering information without interacting directly with the target, while active reconnaissance involves direct interaction and can be detected.

A penetration tester is tasked with assessing a wireless access point (WAP) in a coffee shop offering free Wi-Fi. The tester discovers that the connection is not encrypted, and decides to intercept the 4-way handshake to attempt a brute-force attack on the pre-shared key. Which of the following is the most appropriate first step the penetration tester should take in this scenario?

Passively listen for network traffic to capture the 4-way handshake using a wireless sniffer.

After searching the website "Have I been pwned" a penetration tester finds that an administrator's credentials are compromised. Where could the password be found?

Password Dump

While performing an internal assessment, a PenTester uses the following command: crackmapexec smb 192.168.1.0/24 -u user.txt -p password123@ What is the primary purpose of this command?

Password spraying is an attack where a single password is tested across multiple accounts to avoid account lockouts. This is different from brute force attacks, which try multiple passwords on a single account, triggering security controls. The script -p password123@ is an attempt to try the password "password123@" against all users in user.txt

Based on the following characteristics, identify the correct language/tool -Environment: Windows (also cross-platform with PowerShell Core) -Path Separator: Backslash (\) on Windows, though forward slash (/) is often supported. -Case Sensitivity: Generally case-insensitive for cmdlets and variables (e.g., Get-Process = get-process). -Variable Notation: Uses $ for variables (e.g., $var), set with $var = value. -Key Features: Noun-Verb cmdlet naming (e.g., Get-Service), pipeline (|) for object passing.

PowerShell

Using automated tools to scan for vulnerabilities in the live web application during production

PowerShell cmdlets are used for automating tasks in Windows environments, while Python is often used for developing custom penetration testing tools and is cross-platform.

Which of the following statements BEST describes the differences between PowerShell and Python in the context of penetration testing?

PowerShell cmdlets are used for automating tasks in Windows environments, while Python is often used for developing custom penetration testing tools and is cross-platform.

(Host-Based Attack Tool) PowerShell/PowerShell Integrated Scripting Environment (ISE)

PowerShell is a command-line tool in Windows that can be used to run standard commands, tiny applications called cmdlets, and scripts. The PowerShell ISE provides a GUI environment to develop and test PowerShell scripts.

This tool is more focused on pre-exploitation tasks such as gaining persistence and executing code.

PowerSploit

Primarily focused on Microsoft SQL Server exploitation, including credential gathering and enumeration

PowerUpSQL

This tool is specifically designed for enumerating information in a Windows domain, such as users, groups and network shares making it ideal for gathering information within a Windows domain environment?

PowerView

A penetration tester is tasked with gathering information on a Windows domain environment and performing post-exploitation activities. The tester needs to enumerate network shares, users, groups, and gather additional information to maintain access while avoiding detection. Which combination of tools would be most appropriate for this scenario?

PowerView and Empire

You are preparing to conduct a penetration test using the Penetration Testing Execution Standard (PTES). Which of the following steps would you perform first to ensure the engagement follows the structured approach outlined in PTES?

Pre-engagement interactions

During a recent penetration test, you discovered that multiple persistence mechanisms were set up on a client's Windows and Linux systems. As part of the cleanup and restoration process, you need to ensure these mechanisms are removed to prevent potential exploitation by malicious attackers. Which of the following actions should you prioritize to effectively remove these persistence mechanisms?

Remove any values added to the HKLM and HKCU Run Registry keys on Windows systems.

DLL Hijacking (Windows Privilege Escalation Technique) Tools/Exploit: Evil-WinRM

Replace legitimate DLLs with malicious ones

What must an organization do if a penetration test uncovers a breach involving unauthorized access to sensitive data?

Report the breach to regulatory authorities and affected individuals promptly.

During a penetration test, a pentester discovers several network devices with default credentials still enabled. What should the pentester do first to mitigate this security vulnerability?

Report the findings to the network administrator for remediation.

You are conducting a penetration test and have identified several services running on a target system using Nmap and OpenVAS. After identifying the service versions, you research potential vulnerabilities and use Metasploit to select appropriate exploits. Based on this process, which of the following best evaluates the next step in exploiting the vulnerabilities?

Research each identified service and version further to determine if the vulnerability is exploitable in the current system configuration, then test the exploit in a controlled manner.

After completing a penetration test, you are tasked with reverting configuration changes made on the target systems to restore them to their original state. Which of the following actions should you take to effectively revert these changes and ensure the systems function normally?

Revert any changes made to firewall rules and network configurations.

A PenTester is about to begin a formalized penetration testing engagement for a large organization. Before starting, the PenTester outline the terms of the contract, discuss the scope of the test, and review legal considerations with the stakeholders. Which of the following should the PenTester evaluate as the most critical step in ensuring the testing process remains legal and compliant throughout the engagement?

Review all relevant local, state, and international laws that may restrict certain testing activities or tools.

Which of the following best describes the relationship between threats, vulnerabilities, and risk?

Risk is the result of a threat exploiting a vulnerability,

When briefing an assessment to co-workers, a PenTester references multiple level one and level three vulnerabilities on the network. What is the tester using to describe the vulnerabilities?

Risk rating (reference framework)

Which of the following actions poses a significant risk to the security of a mobile device by potentially allowing malicious applications to gain root access and execute unauthorized code?

Rooting or jailbreaking the device

A penetration tester is assessing a Windows environment and wants to utilize a tool that can exploit Kerberos authentication. Which tool should the tester choose for this purpose?

Rubeus

Based on the following characteristics, identify the correct language/tool -Environment: Cross-platform, often Linux/Unix -Path Separator: Forward slash (/) typically. -Case Sensitivity: Yes, variables and methods are case-sensitive. -Variable Notation: No leading $ for local variables (e.g., var), but uses $ for global variables (e.g., $var), @ for instance variables, and @@ for class variables. -Key Features: Object-oriented, uses puts for output, require for libraries, and shebang (#!/usr/bin/ruby).

Ruby

A PenTester gains full access to an application's source code during a PenTest of a web application. The application repository includes thousands of code files. Considering the assessment timeline is very short, approach would allow the tester to identify hard-coded credentials most effectively?

Run TruffleHog against a local functional replica of the application

During a penetration test, a pentester successfully gains access to an employee's workstation with limited privileges. Which of the following techniques should the pentester prioritize to effectively move laterally through the network and escalate privileges?

Run a network scan to discover other hosts and services.

A PenTester wants to quickly check the running processes on a Windows computer but only has access via a reverse_powershell session. How will the PenTester find this information?

Run the Get-Process cmdlet

You are a penetration tester who has successfully compromised a system within a company's internal network. Your next objective is to discover additional devices and potential attack vectors within this network. You decide to perform enumeration to gather more information. During this process, you aim to identify services running on other machines that could be exploited to gain further access. Which of the following actions should you take to effectively perform service discovery in this scenario?

Run the db_nmap -sV -sC <IP address of target host> command in Metasploit to perform a service discovery scan on the target host. It uses Nmap through Metasploit to identify services running on the target host, which can potentially be exploited to gain further access to the network. This aligns directly with the goal of discovering additional devices and attack vectors.

A penetration tester is performing a security review of a web application. Which of the following should the tester leverage to identify the presence of vulnerable open-source libraries?

SCA (Software Composition Analysis)

A penetration tester is attempting to perform an on-path attack by intercepting and manipulating traffic between a client and server. The tester decides to use a tool to downgrade the secure connection from HTTPS to HTTP. Which of the following techniques is the tester applying in this scenario?

SSL/TLS downgrading/stripping to weaken the encryption.

A threat actor has accessed a web server and is compromising the trust from the server to reach back-end resources. What type of attack is this?

SSRF

During a penetration test, you discover that an organization's web application is vulnerable to SQL injection attacks. Which of the following technical control factors would be the MOST effective in mitigating this vulnerability and securing the application?

Sanitizing user input and using parameterized queries to prevent SQL injection attacks.

A penetration tester is examining a digital certificate used for TLS communications on a target web server. The certificate includes a Subject Alternative Name (SAN) field with a wildcard entry, and the pentester plans to investigate further using Certificate Transparency (CT) logs. Which of the following actions is the pentester MOST likely to take based on the information gathered?

Scan for subdomains not covered by the wildcard in the SAN and investigate whether they are vulnerable

A penetration tester wants to send a specific network packet with custom flags and sequence numbers to a vulnerable target. Which of the following should the tester use?

Scapy

This powerful tool is used for crafting custom packets, including fragmented packets, which can be used to test IDS and firewall responses. By sending fragmented packets, you can attempt to evade detection and analyze how the network devices handle them

Scapy

You are conducting a penetration test on a variety of specialized systems, including mobile devices, network equipment, and custom applications. Which tool would be the MOST appropriate to use if you need to craft and send custom packets to a network device in order to identify potential vulnerabilities?

Scapy

A penetration tester wants to set up automated data exfiltration by creating a scheduled task on a Windows system that runs a Netcat command silently in the background every day. Which of the following BEST describes the benefits and considerations of using scheduled tasks for persistence during a penetration test?

Scheduled tasks can automate repetitive tasks silently, but they may still leave traces in system logs, making detection possible.

Which of the following BEST evaluates the effectiveness of using scripts to validate scan results during a penetration test?

Scripts can automate tasks, reducing the time needed for validation, but they may introduce errors if not properly maintained.

Which of the following BEST describes the use of scripts during the enumeration and scanning phases of a penetration test?

Scripts can help automate the validation of scan results by confirming the presence of vulnerabilities without needing to perform disruptive tests.

Which of the following BEST describes how using scripts during enumeration can improve the process in a penetration test?

Scripts reduce the need for manual intervention by automating repetitive tasks and improving scalability.

Missing Patches & Configurations (Windows Privilege Escalation Technique) Tools/Exploit: Seatbelt

Search for missing patches or common misconfigurations that can lead to privilege escalation.

Missing patches and configurations (Linux Privilege Escalation Techniques)

Search for missing patches or common misconfigurations that can lead to privilege escalation.

Shared folders (Linux Privilege Escalation Techniques) Tool/Exploit: Metasploit module: auxiliary/scanner/smb/smb_enumshare enum4linux

Search for sensitive information in Samba shared folders, as it is common for them to have few or no restrictions.

Shared Folders (Windows Privilege Escalation Technique) Tools/Exploit: smbclient smbmap Metasploit Module: auxiliary/scanner/smb/smb_enumshare

Search for sensitive information in shared folders, as it is common for them to have few or no restrictions. Elevate privileges by exploiting weak folder permissions, unquoted service paths, or applications that run from network shares.

Before conducting a penetration test, a detailed planning phase is required to ensure alignment between the penetration testing team and the client. Which of the following is NOT a key element of the pre-engagement planning process?

Selecting the specific vulnerabilities that will be exploited during the test.

While performing a penetration test, you identify a firewall protecting the internal network. You decide to test its rules to see if it can be bypassed by sending specially crafted packets. Which method would be the MOST effective to evaluate the firewall's weaknesses?

Send packets with a hidden payload using allowed ports.

As a security consultant, you are educating employees about the risks associated with Bluetooth-enabled devices. Which of the following BEST describes a Bluejacking attack?

Sending unwanted messages or notifications to a device via Bluetooth.

Server - Target (SSRF)

Server makes bad request

A company is receiving complaints about a recent outage. They resolved the issue within the contracted expectation. Although they will need to smooth over relationships with their clients, what kind of document did their clients sign that helps protect them legally?

Service Level Agreement (SLA)

A threat actor has induced a user to authenticate their session with a pre-determined session ID (SID) which the threat actor also knows. The threat actor is now using this known SID to impersonate the user. What type of session attack is this?

Session fixation

As a penetration tester, you are tasked with evaluating the security of a public Wi-Fi network that uses a captive portal for user authentication. Your objective is to demonstrate how a malicious actor could exploit this setup to compromise user credentials and personal information. Which of the following steps should you take to effectively simulate this attack?

Set up a rogue access point to redirect users to a fake captive portal page.

As a penetration tester, you are tasked with demonstrating the risk of an evil twin attack on a corporate Wi-Fi network. Your goal is to create a rogue access point that mimics the legitimate network and captures user data. Which of the following steps should you take to effectively execute this attack?

Set up a rogue access point with the same SSID as the legitimate network and use WiFi-Pumpkin to manage the attack.

A malicious actor slips in through a secure area while covertly following an authorized employee who is unaware that anyone is behind them. What action is the actor using to breach the organization's security protocols?

Tailgating

A penetration tester covertly follows an authorized employee who is unaware that anyone is behind them. What is this called?

Tailgating

Credential Attack (Windows Privilege Escalation Technique) Tools/Exploit: Mimikatz Responder Metasploit Meterpreter

Targeting logins and/or dump cleartext or hashed passwords from different sources. Attacks may include hash cracking, password spraying, pass the hash, pass the ticket, etc.

When evaluating the effectiveness of an attack path map in a penetration testing process, which of the following criteria is most crucial?

The attack path map should be detailed and comprehensive, utilizing tools like Maltego to visualize complex pathways and identify vulnerabilities.

What is XSS?

The attacker injects malicious scripts into a website that runs in the user's browser.

What is SSRF?

The attacker tricks the server into making a request to another internal or external system

What is CSRF?

The attacker tricks the user's browser into making unauthorized actions on a site where the user is already logged in.

A penetration tester is analyzing various hashing algorithms to determine their suitability for securing sensitive data. Which of the following statements accurately reflects the properties and vulnerabilities of this type of hashing algorithm?

The birthday attack is less effective against SHA-256 because its larger output size increases the number of possible hash values.

When evaluating the effectiveness of network mapping tools in the penetration testing process, which of the following features is most critical for ensuring a comprehensive understanding of the network's structure and vulnerabilities?

The capability to interrogate ARP caches, routing, and MAC tables to gather detailed network information

When selecting an exploit using Metasploit, which of the following considerations is MOST crucial to ensure the action remains within the scope of a penetration testing contract?

The exploit's alignment with the objectives outlined in the penetration testing contract.

During a security assessment, you identify a suspicious browser extension installed on a client's system. Which of the following characteristics would MOST likely indicate that the browser extension is being used to maintain persistence and perform malicious activities?

The extension requests excessive permissions and runs background scripts even when the browser is closed.

A PenTest team prepares a test for a global company with offices in several countries. What procedural information should the PenTest team include in the documented scope before starting?

The regulation and use of tools

Implementing fuzz testing and input validation to identify potential vulnerabilities.

Which of the following responsibilities would fall under the customer's scope when using a hosting provider's services?

Implementing secure coding practices for deployed applications

Why is ongoing documentation, including the use of screenshots, considered a critical practice during a penetration testing engagement?

It helps in providing proof for the findings, ensuring the credibility of the penetration test report.

Which of the following BEST describes the importance of Root Cause Analysis (RCA) in a penetration test?

It helps uncover root issues and recurring conditions that lead to security vulnerabilities, providing a comprehensive understanding of the environment's weaknesses.

A penetration test report should clearly outline the limitations and assumptions associated with the testing. Which of the following statements BEST explains why this information is important for stakeholders?

It informs stakeholders about resource constraints and access restrictions that may have impacted the thoroughness of the testing.

A penetration tester wants to use a Bash script to automate the extraction of an Administrator's LM/NTLM hash from a dump file during a pentest. The script is intended to search for the line containing "Administrator" in a hash dump file and extract the relevant hash information: Which of the following best describes what this script does?

It searches the specified file for the term "Administrator" and extracts the third and fourth fields of each matching line, saving them to a new file.

How does a Deauthentication Attack work?

It works by disconnecting a client, which allows an attacker to sniff wireless traffic for the four-way handshake when the client renegotiates a new connection to the access point, determining the PSK for the access point in question.

Which attack is a DoS method specifically used to target wireless communication protocols?

Jamming

A penetration tester suspects that a compromised system may be infected with a rootkit that intercepts and manipulates system calls while maintaining a high level of control over the hardware. The rootkit appears to be hidden in a device driver. Which type of rootkit is MOST likely involved in this scenario?

Kernel-Level Rootkit

When performing OSINT Gathering, What useful information can be found on LinkedIn?

Key Contacts

When performing Open Source Intelligence Gathering, what useful information can be found on LinkedIn?

Key Contacts

A pentester needs to assess the security of a client's wireless network by monitoring network traffic and detecting potential intrusions in real time. Which tool would be the MOST appropriate choice for this task?

Kismet

What is a tool that can search for rogue WAPs?

Kismet

A penetration tester has successfully gained access to a target system and identified sensitive customer data. The tester now needs to exfiltrate the data covertly to avoid detection. Which of the following methods would be the MOST appropriate for ensuring the data is both hidden and protected during the exfiltration process?

Use Steghide to embed the data within an image file and transfer the image to an external server controlled by the tester.

A malicious actor targets the CEO's email for a phishing campaign. What type of phishing attack is the malicious actor using?

Whaling

During the reconnaissance phase of a penetration test, a pentester is tasked with gathering initial information about a target network. Which of the following tools or techniques would be MOST effective for discovering domain registration details, such as the domain's registrant and name servers?

Whois query

This wireless attack/exploit tool is an auditing tool that can be used to assess the WLAN, it can launch a variety of attacks including WPS attacks?

WiFite2

Which of the following best describes the effectiveness of using Windows Remote Management (WinRM) for remote system administration in a secure network environment?

WinRM is effective because it requires initial configuration, including firewall exceptions, which enhances security before allowing remote access.

(Host-Based Attack Tool) Evil-WinRM

Windows Remote Management shell tool used for pentesting. Evil-WinRM contains many tools for carrying out specific attacks against Windows host machines.

In the context of penetration testing, what is one significant difference between Windows services and Unix-like daemons regarding their functionality and impact on system performance?

Windows services consume memory even when not in use, while Unix-like daemons do not impact system performance when idle.

Kismet

Wireless network detector, packet sniffer, and intrusion detection system. It is designed for monitoring and analyzing wireless network traffic in real-time.

InSSIDer

Wireless network scanner and analyzer. Can be used to discover, map, and assess wireless networks. Wardriving

A Pentester uses a tool during a Security Assessment to capture plaintext log-in credentials on the communication between a user and an authentication system. The tester wants to use this information for further unauthorized access. What tool is the PenTester using?

Wireshark to sniff and capture the plaintesxt credentials from the unencrypted network traffic

You are tasked with clearing the event logs on a Windows server named Server02 as part of your penetration test to cover your tracks. You decide to use PowerShell to accomplish this. Which of the following PowerShell scripts would allow you to clear the Security and Application logs on the specified server and verify that the operation was successful?

Write-Host "Clearing event log..."Clear-EventLog -logname Security, Application -computername Server02 Write-Host "Event log cleared!"

A penetration testing team is preparing to conduct an engagement with a client. After initial meetings, scoping the project, and gathering all necessary requirements, the team is now preparing the legal documentation to obtain formal permission to attack the client's systems. Which of the following is the MOST important document to finalize first before proceeding with the penetration testing exercise?

Written Authorization to Test (WATT)

Web Proxy Auto-Discovery (WPAD)

a protocol and technology used in networks to automatically determine the proxy settings that clients should use.

You are the security manager at a corporate facility that uses RFID badges for employee access. Recently, there have been reports of unauthorized access to secure areas, and you suspect that badge cloning might be the cause. You decide to investigate and implement measures to prevent further incidents. Based on the information provided in the document, which of the following actions would be the MOST effective first step to mitigate the risk of badge cloning?

Upgrade all RFID badges to use higher frequency technology with encryption.

During a penetration test, the tester wants to use a process hollowing technique to inject malicious code into a legitimate process on a Windows machine. Which of the following steps should be taken to successfully execute this attack?

Use 'CreateProcess' with the 'CREATE_SUSPENDED' flag, unmap the original code with 'ZwUnmapViewOfSection,' allocate memory with 'VirtualAllocEx,' write malicious code using 'WriteProcessMemory,' and resume the process.

A penetration tester has been tasked with capturing network traffic to identify hosts, services, and sensitive data. The network uses switches, and the penetration tester wants to maximize their ability to capture traffic from multiple devices. Which of the following approaches is the MOST effective for achieving this goal?

Use ARP poisoning to reroute traffic to the penetration tester's device

During a web application penetration test, you are tasked with identifying vulnerabilities in the organization's web server. You decide to use a proxy tool to intercept and analyze the traffic between the client and the server. Which of the following options will provide the BEST insights into potential vulnerabilities during a web transaction?

Use Burp Suite to intercept and capture HTTP requests and responses.

You are a penetration tester tasked with exfiltrating sensitive data from a target network without being detected. The network is closely monitored, and traditional methods of data transfer are likely to be flagged by security systems. You decide to use a covert channel to achieve your goal. Which of the following methods would be the MOST appropriate to use in this situation?

Use DNS tunneling to encode the data into DNS queries and send it to a DNS server you control.

During a penetration test, the pentester encounters multiple security tools running on a host device, including antivirus software and a host-based firewall. What is the MOST appropriate method for the pentester to bypass these security tools?

Use LOLbins to execute commands and disable specific security tools.

During a penetration test, a pentester is attempting to perform a DLL injection attack on a Windows machine. Which of the following steps would the pentester perform first to inject the malicious code into the target process?

Use OpenProcess to get a handle to the target process.

As a penetration tester, you are tasked with evaluating the security of a network's intrusion detection system (IDS) and firewall by crafting custom packets to test their responses. Which of the following tools and techniques should you use to perform this task effectively?

Use Scapy to craft and send fragmented packets to evade IDS detection.

A pentester is performing a security assessment on an FTP server and decides to use fuzzing to identify potential vulnerabilities. Which of the following actions should the pentester take first?

Use Scapy to send crafted packets with random or malformed inputs to the FTP server.

During a penetration test of a cloud environment, you discover that network segmentation is improperly configured, and there is a misconfiguration of access settings for cloud storage buckets. The storage buckets are configured with public read/write permissions, and there are weak CORS policies in place. Which of the following actions should you take to validate these findings and assess the security posture of the cloud environment?

Use ScoutSuite to audit the cloud environment for misconfigurations in network segmentation, storage bucket permissions, and IAM roles.

Which of the following BEST describes the purpose of network vulnerability scans in penetration testing?

To discover weaknesses in network infrastructure devices and protocols that could be used by attackers to gain unauthorized access or disrupt network operations.

What is the primary purpose of documenting pre-engagement activities in a penetration test?

To establish a clear understanding and agreement on the testing process between all stakeholders.

What is the primary function of Metasploit's 'Payload' modules?

To execute code remotely on a target system.

Once a penetration tester has gained access to a network, they often proceed to stage and exfiltrate data. What is the primary purpose of the staging process in this context?

To gather and organize data on compromised systems for exfiltration or destruction.

Which of the following BEST describes the primary purpose of a penetration test report?

To highlight vulnerabilities and offer remediation guidance for various stakeholders.

What is the primary purpose of conducting web assessments during a penetration test?

To identify and exploit vulnerabilities in web applications and evaluate their security posture.

Which of the following is the primary purpose of a wireless assessment in penetration testing?

To identify potential attack vectors in a wireless infrastructure.

What is the primary purpose of the Open Source Security Testing Methodology Manual (OSSTMM)?

To offer a standardized methodology for evaluating security postures.

Which of the following BEST describes the primary purpose of using a penetration testing framework in an organization?

To provide a structured approach to identifying and mitigating vulnerabilities.

Which of the following BEST explains the importance of organizing a penetration test report into different sections such as an Executive Summary and Detailed Findings?

To provide different audiences with the appropriate level of detail suited to their roles.

Which of the following BEST describes the primary purpose of an authorization letter in a penetration test?

To provide legal protection, define the scope of the test, and ensure accountability between the PenTesting team and the client.

What is the purpose of using advanced search operators in the context of Google Hacking (Google Dorking), and how do they enhance the effectiveness of search queries?

To refine search results by focusing on specific types of information and reducing irrelevant results

Which of the following statements best describes the purpose of a penetration test?

To simulate real-world attacks to identify and exploit vulnerabilities in systems, networks, or applications.

Once a penetration test report has been written, what is the primary purpose of conducting a technical peer review?

To validate the findings, reduce personal bias, and improve the overall quality of the report through feedback from other PenTest professionals.

A penetration tester is assessing a web application that uses OpenID for authentication. The tester notices that the web app improperly stores authentication tokens in the browser's local storage without encryption. Which potential vulnerability is the application exposed to due to this misconfiguration?

Token impersonation

What open-source Web Application Attack tool is an automated tool designed for secrets scanning in various locations like code repositories, Docker images, and ticket systems. It also has other developer tools for secrets, passwords, and sensitive keys?

TruffleHog

A penetration tester has gained access to a remote machine and finds themselves in a restricted shell. What should the tester do first to understand the shell environment they are working in before attempting to escalate their privileges?

USe the command env to check the SHELL vairable and identify the type of shell environment

During a penetration test, you are tasked with identifying active hosts on a network without performing a full port scan. You need to quickly identify live hosts on the network and check for any potential firewall rules blocking your discovery. Which of the following Nmap scan options should you use?

nmap -sn 192.168.1.1/24

During a penetration test, a tester gains access to a Linux system using a covert account named backdr. To avoid detection and maintain stealth, the tester wants to remove only the log entries related to this backdoor account from /var/log/auth.log without deleting the entire file. Which of the following tools or commands would allow the tester to efficiently delete all lines containing the term backdr from the log file while keeping the rest of the file intact?

sed -i '/backdr/d' /var/log/auth.log

You are tasked with gathering information on a network for a penetration test. The network devices are using SNMP for monitoring. You want to enumerate SNMP agents and collect details such as routing tables and ARP tables. During your scan, you discover that several devices still use default community strings. Which of the following Nmap scripts should you use to extract the necessary information?

snmp-netstat

What is a ChopChop Attack?

An attack that targets WEP networks and reveals the plaintext data of packets sent in a WEP network.

Dynamic Link Library (DLL) in Windows are special files that contain code that can be used by multiple programs at the same time. Steps for injection:

1. Identifying the process to inject. This will typically be a process that is running with higher level permissions. 2. Write the malicious DLL that will perform the desired actions. 3. Gain access with the needed permissions to interact with the target process. This can be done through any technique to gain elevated privileges. 4. Insert the malicious library into the target process: The following steps are followed in a Windows machine: 1. Use the 'OpenProcess' function to get a handle to the target process. 2. Use 'VirtualAllocEx' to allocate memory in the target process. 3. The 'WriteProcessMemory' function is used to write the path of the DLL to the allocated memory. 4. Execute the DLL by creating a remote thread using the 'CreateRemoteThread' function that will call the 'LoadLibrary' function.

Shared Object (.so) files in Linux, are special files that contain code that can be used by multiple programs at the same time. Injection process:

1. Identifying the process to inject. This will typically be a process that is running with higher level permissions. 2. Write the malicious DLL that will perform the desired actions. 3. Gain access with the needed permissions to interact with the target process. This can be done through any technique to gain elevated privileges. 4. Insert the malicious library into the target process: In a Unix based machine, the following steps are used: Before starting the targeted process, set the 'LD_PRELOAD' environment variable to the path of the shared object file. The 'ptrace' system call is used to attach to the target process, allocate the memory, and inject the shared object.

Writable Services (Windows Privilege Escalation Technique) Tools/Exploit: AccessChk.exe Metasploit Module: exploit/windows/local/service_permission

: Edit the startup parameters of a service, including its executable path and account. Unquoted service paths can also be used to inject a malicious app that the service will run during startup.

Which DNS record type is used to map a domain name to its corresponding IPv4 address during DNS enumeration?

(Host-Based Attack Tool) Seatbelt Seatbelt.exe -group=all

A C# tool that can be used to scan a Windows machine for potential misconfigurations. Note that this tool must be compiled first. Scan Misconfigured Enpoints: Credentials, Processes and Services, Network information, User Information

(Host-Based Attack Tool) Certify

A C# tool that is used to exploit weaknesses in Active Directory Certificate Services.

What is TruffleHog?

A Git secrets search tool, it can automatically crawl through a repository looking for accidental commits of secrets.

During a penetration test, a PenTester captures information about an SPN (Service Principal Name) account. Which of the following attacks requires this information as a prerequisite to proceed?

A Kerberoasting attack targets Service Principal Names (SPNs) in an Active Directory (AD) environment. SPNs are unique identifiers for services running under domain accounts, and attackers abuse them to extract hashed credentials for offline cracking.

What is SET (Social Engineering Toolkit)?

A Python-based collection of tools used when conducting a social engineering PenTest

What might a PenTester find using strategic search engine enumeration?

A Word document saved as "passwords"

A mid-sized technology company has been experiencing issues with fraudulent activities in their finance department. To address this, the company decides to implement job rotation among its employees. As a security consultant, you are tasked with evaluating the effectiveness of this new policy. Which of the following outcomes BEST demonstrates the successful application of job rotation in mitigating fraud risk?

A discrepancy in financial records is discovered by an employee who recently rotated into the finance department, leading to the identification of fraudulent activities.

MASVS (Mobile Application Security Verification Standard)

A framework developed by OWASP to provide a comprehensive and consistent set of security requirements for mobile applications. The primary goal is to help developers, architects, and security professionals ensure that mobile applications are designed, developed, and deployed with appropriate security measures in place.

Purdue Model, also known as the Purdue Enterprise Reference Architecture (PERA)

A framework traditionally used in industrial control systems (ICS) and operational technology (OT) environments to segment networks and enhance security. It divides the architecture into six levels, each representing different functionalities and systems within an organization

You are a data scientist working on an AI model that classifies images of animals. Recently, the model has started misclassifying images, and you suspect model manipulation has occurred. Which of the following scenarios best illustrates a model evasion attack?

A malicious actor subtly alters pixels in images of cats, causing the AI to misclassify them as dogs

A pentester is attempting to crack a password using a mask attack in Hashcat. The password policy requires passwords to be 8-12 characters long, must include at least one uppercase letter, one number, and allows special characters !, @, and #. Which of the following configurations would be the most efficient mask to use in this situation?

A mask that specifies positions for uppercase letters, numbers, and special characters based on the password policy.

What is the Authentication/Network/Enterprise Tool Hydra?

A parallel brute-force tool for network logins, It supports parallel testing of several network authentications. Comes bundled with a tool called pw-inspect that allows for analyzing a dictionary and printing only the ones that match password requirements. Pass/Crack Hashes. Breaks attack space into chunks and randomly select chunks to target.

What is the Authentication/Network/Enterprise Attack Tool CrackMapExec(CME)?

A post-exploitation tool used to identify vulnerabilities in AD environments. Also used for enumerating WIN domain services

During a penetration test, you need to establish a remote shell on a compromised target. You are considering using either a bind shell or a reverse shell. What is a key reason why a reverse shell is generally more effective for bypassing firewall restrictions compared to a bind shell?

A reverse shell connection is initiated by the target machine, which is less likely to be blocked by firewalls because it mimics outbound traffic

OCTAVE Threat Model

A risk-based strategic assessment and planning technique for security. Three Phases: -Build asset-based threat profiles -Identify infrastructure vulnerabilities -Develop security strategy and plans

What is Docker Bench (Docker Container Security)?

A script that scans Docker containers for dozens of common security best-practices. The script is based on the CIS benchmark v1.6.0.

You are tasked with developing documentation and diagrams to plan a penetration test. Which of the following is the MOST appropriate evaluation of how to effectively use diagrams and visual representations to plan and communicate the stages of a penetration test to the client?

An attack path map should be used to visualize potential attack paths and techniques, helping both the pentester and the client understand the steps to compromise high-value targets

Can enumerate Active Directory using the LDAP protocol, making it less detectable

ADSearch

What is Pacu?

AWS security tool designed as an exploitation framework to assess the security configuration of an AWS account.

During a penetration test, a penetration tester is trying to access a restricted data center. Which physical control would be MOST effective in preventing tailgating and ensuring that only authorized individuals can access the secure area?

Access control vestibule

What is Horizontal Movement?

Accessing other users' accounts with the same privilege level.

A penetration testing team performs post-engagement activities after a PenTest exercise. The team addresses which area?

Account cleanup

During a penetration test, a pentester uses Seatbelt to perform a scan on a network endpoint. The scan reveals an unquoted service path on the device. What should the pentester do next to exploit this vulnerability?

Add a malicious executable to the service path and wait for the service to restart.

A penetration tester is reviewing the logging configuration of a cloud-based system and discovers that sensitive information, such as usernames, passwords, and IP addresses, is being stored in log files. Which of the following actions should the penetration tester recommend to address this logging information exposure?

Adjust logging configurations to exclude sensitive data and ensure secore storage

During a penetration test, you discover that a network uses a load balancer to distribute traffic across several servers. You notice that some of your probes are returning inconsistent results. Based on this observation, you suspect the load balancer is misdirecting your probes. What action should you take to continue your testing and ensure accurate results?

Adjust your scan to target specific IP addresses of individual servers behind the load balancer

What makes SysAdmin contacts a valuable target of Open-Source Information Gathering Tools (OSINT)?

Administrators have elevated privileges

What is a distinctive feature of Recon-ng?

Allows for customization usifn different modules

After completing a penetration test, you need to preserve important artifacts for documentation and future reference. Which of the following actions should you take to ensure that these artifacts are properly preserved?

Archive network traffic capture files and tool output logs for future analysis.

Which of the following considerations is the MOST critical when conducting penetration testing on IoT (Internet of Things) devices?

Assessing the broader network ecosystem that IoT devices interact with

A PenTester is conducting a cloud assessment to evaluate the security of an organization's cloud infrastructure. During this assessment, the PenTester performs a simulated attack to uncover potential vulnerabilities. Which of the following should be the primary focus area during this cloud assessment?

Assessing the configuration and effectiveness of identity and access management (IAM) within the organization's cloud environment.

During a penetration test, several vulnerabilities are discovered on a company's web application. To effectively communicate the most critical issues to the organization, you are tasked with conducting risk scoring for these vulnerabilities. Which of the following steps should you prioritize when scoring the risks and reporting them in the penetration test report?

Assign numerical values to each vulnerability's impact and likelihood using the Common Vulnerability Scoring System (CVSS) to calculate a risk score, and prioritize vulnerabilities based on these scores.

Which of the following is a common IAM misconfiguration in cloud environments that a pentester should look for?

Assigning broad permissions that grant users more access than needed.

During a penetration test, you have successfully gained access to a company's cloud environment. You want to exfiltrate sensitive data without being easily detected. Which of the following methods would be the MOST effective way to achieve this while minimizing the risk of detection?

Assume an IAM role in the target account, encrypt and compress the data, and then exfiltrate it to another cloud service.

What is Code Injection?

Attacker inserts and runs programming code (JS, PHP, SQL) in an application.

What is Command Injection?

Attacker runs system commands on the server (Linux/Windows commands)

During a penetration test, the pentester decides to use a password spraying attack against an organization's user accounts. Which approach would be the most effective way to carry out this attack while minimizing the risk of detection?

Attempt the same password across multiple accounts over a long period.

Which of the following techniques is the simplest method a pentester can use to discover secrets during the enumeration phase?

Attempting default login credentials on discovered devices

What is Prowler (Cloud audit tool)?

Audit tool for use with AWS only. AWS CIS Benchmarks, compliance, Industry Best-Practices. Can be used to evaluate cloud infrastructure against Internet CIS Benchmarks for AWS, Plus additional GDPR and HIPAA compliance checks.

An organization is planning to perform a security assessment to identify vulnerabilities in its network. Which of the following approaches will provide the MOST detailed information about internal system configurations, installed software, and user-specific settings?

Authenticated scan

During the creation of a penetration test report, several key sections must be addressed to ensure the report is comprehensive and adheres to industry standards. One of these sections focuses on legal considerations. Which of the following elements should be included in the legal considerations section of a penetration test report to ensure that all actions taken were within legal boundaries?

Authorization and Consent

During a penetration test, you encounter a script used to enumerate local users on a Linux system. The script contains the following snippet: #!/bin/bash USERS=$(cat /etc/passwd | cut -d: -f1) for user in $USERS; do echo "Found user: $user" done Which scripting language is this? A) Python B) Bash C) PowerShell D) Ruby

B) Bash

During a network scan, you see the following command executed: ```bash nmap -sS -p 22,80,443 -T4 --open 192.168.1.0/24 Which tool is this? A) Netcat B) Nmap C) Wireshark D) Metasploit

B) Nmap

You discover a script used to automate a web scraping task during a penetration test: #!/usr/bin/ruby require 'net/http' uri = URI('http://target.com') response = Net::HTTP.get(uri) puts "Response code: #{response.code}" Which scripting language is this? A) Perl B) Ruby C) Python D) Bash

B) Ruby

When selecting the right capabilities for a penetration test, which of the following steps is MOST essential to ensure that a pentester can effectively identify vulnerabilities and provide valuable insights for improving security?

Define the scope and objectives of the pentest clearly.

Which of the following statements BEST describes the primary purpose of Breach and Attack Simulation (BAS) platforms?

BAS platforms are designed to simulate real-world attack scenarios and identify security vulnerabilities before they can be exploited.

An organization uses RFID badges to control access to its facilities. Each badge contains an RFID tag that communicates with a reader to authenticate the user and unlock the door. Which of the following represents a significant security risk associated with RFID technology?

Badge cloning using RFID writers to create unauthorized duplicates

Based on the following characteristics, identify the correct language/tool -Environment: Linux/Unix -Path Separator: Forward slash (/) -Case Sensitivity: Yes, commands and variables are case-sensitive (e.g., VAR ≠ var). -Variable Notation: Uses $ for variable access (e.g., $VAR), set with VAR=value (no spaces). -Key Features: Shell scripting with commands like echo, if, and for. Often uses shebang (#!/bin/bash)

Bash

Your organization has recently implemented a Breach and Attack Simulation (BAS) platform to enhance its cybersecurity posture. During a simulation, the BAS tool identifies a potential vulnerability in your network's lateral movement defenses. As a security analyst, what should be your next step to address this finding?

Conduct a detailed analysis of the identified vulnerability and implement necessary patches or configuration changes

A pentester is tasked with identifying potential attack paths within a Windows Active Directory environment to determine how an attacker could perform privilege escalation or lateral movement. Which tool would be the most appropriate to use for this task?

BloodHound

As a penetration tester, you are tasked with assessing the security of Bluetooth-enabled devices within a corporate environment. You need to identify vulnerabilities and test the resilience of these devices against potential attacks. Given the unique characteristics of Bluetooth technology, which of the following tools would be most appropriate to use in order to disrupt the communication channel of targeted Bluetooth devices and assess their vulnerability to disconnection attacks?

Bluestrike

Target User XSS

Browser suns bad script

Target User CSRF

Browswer sends bad request

A penetration tester is attempting to gain access to a secure system by trying every possible password combination. The tester is using a tool that divides the attack space into chunks and targets them randomly. Which type of attack is the tester performing?

Brute Force Attack

An organization is reviewing a report from a recent PenTest. Which section of the report will help the organization understand the relationship between the PenTest findings and their implications to the organization?

Business impact analysis

How can a hidden text document within an NTFS Alternate Data Stream be accessed?

By using the command notepad "c:file1:file2.txt"

Local UAC bypass (Windows Privilege Escalation Technique) Tools/Exploit: Metasploit modules: post/windows/gather/win_privs exploit/windows/local/bypassuac Meterpreter getsystem command

Bypass local UAC. Example: use process injection to leverage a trusted publisher certificate.

You find a script on a Windows system used to list running services. The script includes: $services = Get-Service | Where-Object {$_.Status -eq "Running"} foreach ($service in $services) { Write-Output "Service: $($service.Name)" } Which scripting language is this? A) Bash B) Perl C) PowerShell D) Python

C) PowerShell

An organization reviews a recommendations report after a successful PenTest exercise. The cost to mitigate the issue as outlined in the report will be costly. Which group is the report generated for?

C-Suite

A PenTester is performing network reconnaissance. The tester wants to gather information about the network without causing detection mechanisms to flag the reconnaissance activities. Which technique should the tester use? A. Ping Sweep B. TCP/UDP Scanning C. Sniffing D. Banner Grabbing

C. Sniffing The only technique here that is part of the passive recon techniques. The other may trigger logging system. TCP/UDP scan may work but by using tools such as Nmap with specific parameters yo keep the noise as low as possible.

Which technique forces client devices to disconnect from a network momentarily by attacking wireless access points or the devices connecting to them?

Deauthentication attack

A penetration testing team is in the process of defining the scope of an engagement for a large healthcare organization. The stakeholders emphasize the need to ensure compliance with HIPAA regulations and want the assessment to simulate real-world attack scenarios. The team has limited information about the internal environment and must focus on identifying vulnerabilities that could affect the confidentiality of patient data. Which type of assessment and strategy should the team choose to BEST meet the stakeholders' objectives?

Compliance-based assessment with an unknown environment testing strategy

User Application Compromise (Windows Privilege Escalation Technique) Tools/Exploit: Metasploit Modules: exploit/windows/http/sharepoint_unsafe exploit/windows/local/anyconnect_lpe exploit/windows/fileformat/nitro_reader_jsapi exploit/windows/fileformat/adobe_pdf_embedded_exe

Compromise applications such as SharePoint, Cisco AnyConnect, browsers, or PDF viewers to gain access to a workstation and/or escalate privileges. These attacks may require a victim to open a file or web page through social engineering.

Empire

C2 framework focused on PowerShell for post-exploitation tasks on Windows. It has a Python component for Linux, and also contains a GUI called Starkiller which makes it even easier to use this framework. Has many modules, including: - Mimikatz - Seatbelt - Rubeus - Certify and more ***DOES NOT SUPPORT macOS

Which of the following BEST describes the difference between a CSRF and a SSRF attack?

CSRF targets the user's browser to execute unwanted actions, while SSRF forces the server to make unauthorized requests.

Kiosk Escape keyboard shortcuts

CTRL + N opens a new browser tab. With this, the pentester may be able to access File Explorer and launch a command shell. CTRL+ P will open the print utility. File Explorer can be accessed by going to the Find Printer function. The pentester can also use the Save as PDF or Print to PDF option to open File Explorer. CTRL + S will open the Save As function which will allow the pentester to navigate through the system. CTRL + O opens the Open File function which also acts as a File Explorer. CTRL +J will give the pentester access to the Downloads folder. Once the pentester has access to a File Explorer window, they can navigate through the system and access applications, open a command shell, and perform a variety of tasks. For example: The pentester uses the CTRL + O shortcut to access the Open File function. In the address bar, the pentester types shell:System. The File Explorer will now move to the Windows\System32 folder.

User Application Compromise (Linux Privilege Escalation Techniques) Tool/Exploit: Metasploit modules: exploit/multi/vnc/vnc_keyboard_exec auxiliary/fileformat/odt_badodt exploit/multi/misc/openoffice_document exploit/multi/browser/adobe_flash_hacking_team_uaf exploit/multi/browser/adobe_flash_nellymoser_bof

Compromise end user applications and plug-ins such as OpenOffice, VNC, and Adobe Flash Player. Some require social engineering to get the end user to open a file or browser page.

How is a PenTest report tracked while it passes through many hands before delivery?

Chain of custody

A penetration tester is unable to identify the Wi-Fi SSID on a client's cell phone. Which of the following techniques would be most effective to troubleshoot this issue?

Channel Scanning involves scanning through the different Wi-Fi channels to identify active networks, including hidden SSIDs. This technique is effective for troubleshooting issues related to detecting Wi-Fi networks.

A penetration tester is conducting a vulnerability assessment and finds a CVE code associated with a critical vulnerability in the scan results. To assess the severity and prioritize remediation, the penetration tester looks up the CVE in the National Vulnerability Database (NVD) and finds the associated Common Vulnerability Scoring System (CVSS) score. Which of the following actions should the penetration tester take next to better understand the exploitability and environmental impact of this vulnerability?

Check the Exploit Prediction Scoring System (EPSS) to estimate the likelihood of exploitation in the next 30 days.

After completing a PenTest engagement at a client location, a formal hand-off process to the client is initiated. What can be expected after this action?

Client acceptance

If a company runs all services through a cloud provider, the PenTester needs to negotiate the project scope with whom?

Cloud Provider

A threat actor passed input to a web server which the system shell then executed. What type of attack did the threat actor execute?

Command injection

During a penetration test, you are tasked with identifying devices on the network that are running with default configurations. Which of the following default configurations would pose the highest security risk and should be addressed immediately?

Default login credentials are left unchanged after installation.

Which of the following BEST describes how the DREAD threat model is utilized in a penetration testing environment?

DREAD provides a structured approach to identify and rank threats by evaluating factors such as damage potential and exploitability, helping testers focus on the most critical vulnerabilities.

A security analyst is preparing a presentation for an upcoming conference and will be discussing varying types of cyber attacks. What attack is used so the victim generates the required traffic needed for the malicious actor to capture the handshake?

Deauthentication

A penetration tester is conducting a social engineering test to assess an organization's vulnerability to phishing attacks. The tester decides to use the Social Engineering Toolkit (SET) to craft a phishing email campaign aimed at harvesting credentials. What is the first step the tester should take before launching the phishing campaign?

Evaluate the target to determine the best methods and approach to crafting the attack

As users negotiate a connection, they pass authentication information to a malicious access point, enabling attackers to recover victim device user traffic or access credentials. This attack frequently abuses the fact that wireless networks are typically presented in order of signal strength and can benefit from high-gain wireless antennae or close physical proximity to a connecting client. Which method of attacking Wi-Fi networks occurs when an attacker creates a wireless access point with an ESSID identical to one to which an unwitting user intends to connect?

Evil Twin

As a penetration tester, you are tasked with conducting a social engineering assessment to evaluate the susceptibility of an organization to phishing attacks. You need to choose a tool that allows you to perform phishing campaigns and potentially bypass multi-factor authentication (MFA). Which of the following tools should you use to achieve this objective?

Evilginx

: Which section of a penetration test report is designed to provide a high-level overview for non-technical stakeholders, summarizing the scope, key findings, overall risk assessment, and strategic recommendations without delving into technical details?

Executive Summary

Exploit cron jobs (Linux Privilege Escalation Techniques)

Exploit badly configured cron jobs to gain root access.

A penetration tester is assessing a network and identifies a multihomed host configured as a web server. The tester plans to exploit a vulnerability in the web server to gain access to the internal network. Which of the following actions should the tester take to effectively utilize the multihomed host for network penetration?

Exploit the web server vulnerability to pivot into the internal network.

A penetration tester is using Responder to perform an on-path attack on a Windows network. The tester aims to exploit name resolution services to redirect traffic to the attacker's machine. Which of the following methods is the tester utilizing?

Exploiting LLMNR/NBT-NS to poison name resolution requests.

Which advanced technique, requiring a deep understanding of the protocol and tools like nbtstat or Nmap scripts, can reveal sensitive information such as domain computer names, file shares, and possibly usernames?

Exploiting NetBIOS

During the reconnaissance phase of a penetration test, a pentester is tasked with gathering Open-Source Intelligence (OSINT) about a target organization. The pentester finds several job postings on public job boards, which list positions related to network administration and cloud technologies. In addition, social media profiles of the company's C-suite executives reveal recent acquisitions and upcoming projects. Which of the following would be the MOST effective next step in the OSINT process to develop a comprehensive profile of the organization?

Extract metadata from publicly available documents on the organizations website.

During a penetration test, a pentester needs to crack a large number of password hashes obtained from a network breach. Which tool would be the most effective for this task if the pentester wishes to utilize a GPU for parallel processing to speed up the cracking process?

Hashcat

During a penetration testing engagement, one of the team members presents a fictitious situation as real. What is this tactic called?

Hoax

What is Insecure Direct Object Reference (IDOR), and how can it potentially be exploited in a web application?

IDOR occurs when an application fails to properly validate user permissions, allowing attackers to manipulate URLs or input parameters to access unauthorized data.

An Open-source resource available to cybersecurity professionals. It is comprised of documents that relate to PenTesting, such as guidelines on business continuity and disaster recovery along with legal and regulatory compliance

ISSAF (Information Systems Security Assessment Framework

As a penetration tester, you are tasked with simulating a watering hole attack to demonstrate the potential risks to an organization's network. Which of the following steps should you take to effectively carry out this attack?

Identify a website frequently visited by the target organization and inject malicious code into it.

What is the primary benefit of having an escalation path for communications during a penetration test?

It allows penetration testers to involve relevant experts to address complex issues.

Meterpreter upgrade (Linux Privilege Escalation Techniques) Tool/Exploit: Metasploit modules: post/multi/manage/shell_to_meterpreter

If the pentester has a Bash shell from Metasploit, they can attempt to upgrade it to a Meterpreter shell.

Netcat upgrade (Linux Privilege Escalation Techniques)

If the pentester has a Netcat shell, they can attempt to upgrade it to a Meterpreter shell.

During a penetration test, a team member accidentally scans a network outside the scope of the test. What is the MOST appropriate immediate action that the team member should take in this scenario?

Immediately report the incident to the team leader and halt further testing of that network.

During a penetration test, a tester accidentally accesses a third-party system that was not included in the scope of the test. What is the BEST course of action for the tester to take?

Immediately stop testing and report the incident to the client and their own management.

A malicious actor calls the IT department, stating to be the lead in one of the departments, and convinces a new employee into giving the actor confidential details regarding a new network project. What type of action did the actor use to get the desired information?

Impersonation

An organization is using RFID badges for physical access control to its secure facility. During a security audit, it is discovered that several RFID badges using the 125kHz EM4100 technology have been cloned, potentially allowing unauthorized access. Which of the following actions would BEST help to reduce the risk of RFID badge cloning in the future?

Implement a higher frequency RFID system that supports encryption.

A cybersecurity consultant is advising a company on how to protect their users from credential stuffing attacks. Which of the following recommendations should the consultant prioritize to effectively reduce the risk of such attacks?

Implement a password manager for users to create and store unique passwords.

An organization is reviewing its security policies and has identified that its current password practices are inadequate, leading to frequent unauthorized access incidents. To address this, the organization decides to implement minimum password requirements. Which of the following actions should the organization prioritize to effectively enhance password security and align with best practices?

Implement a policy requiring passwords to be at least 12 characters long and include a mix of uppercase, lowercase, numbers, and special characters.

During a penetration test, an attacker gains access to a user's password and then begins sending repeated multifactor authentication (MFA) requests to the user in hopes of gaining access to a secure system. The user, overwhelmed by the requests, eventually approves one, allowing the attacker to gain entry. What could the organization do to mitigate the risk of this type of attack in the future?

Implement adaptive or risk-based authentication that increases security measures based on unusual login behavior.

You are a security consultant hired by a mid-sized company that has recently migrated its operations to a cloud service provider. During your assessment, you discover that the company has not implemented encryption for its sensitive customer data stored in the cloud. Based on the shared responsibility model, what should be your primary recommendation to the company to address this security gap?

Implement encryption and access controls for the sensitive customer data.

During a penetration test, the pentester uses a software jammer to disrupt the Wi-Fi signals of specific clients in a targeted area, causing a denial of service (DoS). What would be the MOST appropriate recommendation to prevent or mitigate the effects of such jamming attacks on a wireless network?

Implement frequency hopping or spread spectrum techniques.

During a security assessment, a pentester discovers that a web application allows users to access other users' data by changing the user ID parameter in the URL. What should the pentester recommend as the first step to mitigate this vulnerability?

Implement proper access control checks on the server-side.

A company is using a cloud service provider to host its web applications. As part of the shared responsibility model, the company must ensure the security of its applications and data. Which of the following actions should the company take to fulfill its responsibilities?

Implement secure coding practices and encrypt sensitive data.

A penetration tester is assessing a company's SAML-based single sign-on (SSO) implementation. During testing, they observe that intercepted SAML assertions can be replayed without any additional verification. Which action should the penetration tester recommend to mitigate this vulnerability?

Implement time-based expiration for SAML assertions.

Unquoted Service Path Vulnerability (Windows)

In Windows, services are managed by the Service Control Manager (SCM) and often have executable paths with spaces (e.g., C:\Program Files\CompTIA\example.exe). If these paths are not enclosed in quotes, Windows will stop reading the path at the first space, which can be exploited. A pentester can take advantage of this misconfiguration by placing a malicious executable (e.g., Program.exe) in a higher-priority location like C:\. When the service runs, Windows may execute the attacker's file instead of the intended one, leading to privilege escalation.

During a PenTest, the scope must be clearly defined due to time constraints. Which of the following strategies is the MOST effective approach to ensure that critical vulnerabilities are identified while aligning with the organization's security objectives?

Include a comprehensive range of assets, such as IP addresses, CIDR ranges, domains, URLs, users, SSIDs, and both on-site and off-site locations, while involving stakeholders in defining the scope and any restrictions.

A penetration tester is conducting an assessment of cloud workloads and identifies a vulnerable API that could potentially be exploited during the workload runtime. Which of the following actions would BEST help the tester leverage this vulnerability?

Inject malicious code into the vulnerable API to achieve Remote Code Execution (RCE).

When conducting a penetration test on a web application, the pentester must be aware of common vulnerabilities and methods for exploiting them. Which of the following vulnerabilities and attacks can be mitigated by implementing proper security configurations and using a Web Application Firewall (WAF)?

Injection and Security Misconfiguration

A penetration tester is assessing a web application that interfaces with an LDAP server for user authentication. The tester suspects that the application is vulnerable to LDAP injection. Which of the following actions should the tester take to confirm the presence of an LDAP injection vulnerability, and what potential impact could this have?

Input a specially crafted query to bypass authentication and gain unauthorized access

A penetration tester has gained access to a target network and needs to maintain persistence to continue monitoring user activity over an extended period of time. Which of the following techniques would BEST support this goal while remaining undetected?

Installing a keylogger to capture keystrokes on a high-traffic machine used by administrators.

A penetration tester has completed a scan on a target network and discovered several potential vulnerabilities. However, some of the scan results seem inconsistent with previous tests. The penetration tester suspects that some of the identified vulnerabilities may be false positives. What should the tester do to validate the results and ensure they are accurate?

Investigate each vulnerability further by manually testing whether the vulnerability exists on the target system

Purpue Model Architecture Levels

Level 0: Physical process Level 1: Local control—Devices and systems that interact directly with level 0 devices. Level 2: Supervisory control—Supervisory systems that manage and monitor level 1 controllers. Level 3: Operations management—Systems that manage production workflows and operations. Level 4: Enterprise/business planning and logistics—Corporate IT systems including ERP (enterprise resource planning) systems that handle business-related data and operations. Level 5: Enterprise network- Higher-level business functions

In the context of the Purdue Model (Purdue Enterprise Reference Architecture), which level primarily focuses on managing production workflows and operations in an industrial control system (ICS) environment?

Level 3 - Operations Management

A penetration tester is tasked with evaluating the security of a company's wireless network, including potential risks at remote contractor offices. The company suspects that an unsecured access point may be in use. Which approach would be the most effective first step for identifying potentially open access points at the remote location?

Leverage an OSINT tool like WiGLE to search for access points near the contractor's office.

A penetration tester is preparing to conduct a penetration test for an organization. Which of the following scope limitations should they prioritize to ensure the test is conducted safely and ethically?

Limiting the test to specific in-scope subnets and systems, ensuring no critical infrastructure or production environments are affected.

SetUID binaries (Linux Privilege Escalation Techniques) Tool/Exploit: In a terminal, enter: sudo find / -perm -04000

Locate applications that can be run as root

Services running as root (Linux Privilege Escalation Techniques) Tool/Exploit: List current user: whoami List all processes owned by current user: ps -x Locate processes owned by root: ps -fU List all processes and their owners: ps -

Locate services that are owned by (running as) root and see if they can be compromised

Which of the following encryption methods is no longer considered secure due to vulnerabilities that can be easily exploited?

MD5 (Message Digest Algorithm 5)

During a security audit, an IT professional discovers that an attacker has been using a method to repeatedly send authentication requests to a user's device, causing the user to accidentally approve an access request. Which type of authentication attack does this scenario describe?

MFA Fatigue Attack

When conducting penetration testing on Information Technology (IT) systems compared to Operational Technology (OT) systems, which of the following considerations is the MOST critical for OT environments?

Maintaining the continuity of physical processes and avoiding disruptions

A company wants to evaluate their web applications. Which of the following frameworks would be MOST tailored for this?

OWASP

: /etc/passwd /etc/shadow (Linux Privilege Escalation Techniques) Tool/Exploit: Metasploit module: post/linux/gather/hashdump Password cracking tools such as John the Ripper

Obtain a copy of these files to crack root or privileged user passwords.

During a penetration test on an Active Directory network, a pentester aims to gain access to the Kerberos Distribution Center by exploiting the Kerberos authentication protocol. The pentester decides to perform a Kerberoasting attack. Which of the following steps must the pentester take to successfully carry out this attack?

Obtain a list of Service Principal Names (SPNs) and extract service tickets for offline password cracking.

During a penetration test, a pentester aims to perform a pass-the-token attack against a target organization using Azure Active Directory. Which of the following actions should the pentester take to gain access to the primary refresh token (PRT) and conduct the attack?

Obtain administrative privileges on the user's local machine to access the Local Security Authority Subsystems Service (LSASS)

A software developer wants to ensure he is performing adequate security testing of the software at each stage of development. What organization's website can the software developer visit for open-source tools and testing guidelines?

Open Web Application Security Project (OWASP)

A PenTester provides a client a high level of details on the company and its employees in a report. The PenTester mentions the use of Twitter, Facebook, and the company's website as its sources. What category of intelligence does the PenTester utilize during research?

Open-source

Which of the following tools is specifically designed to scan individual host devices on a network for vulnerabilities and generate a report based on severity rankings?

OpenVAS

A penetration test team is looking for a referral source that provides a comprehensive overview of the proper structure of a complete PenTest. What can be leveraged as a source of information?

PTES

A security analyst is researching penetration testing frameworks and comes across one which contains seven main sections that provide a comprehensive overview of the proper structure of a complete PenTest. Which framework is the analyst looking at?

PTES

Which of the following BEST describes the purpose of using the robots.txt file on a website?

To direct web crawlers on which parts of the website should not be accessed or indexed.

A PenTester is preparing to conduct a security assessment on an organizations network. During the Prep Phase, tester noticesd that the Documented Scope of the test includes IP addresses that belong to a 3rd party vendor. Tester realizes that testing these IP addesses could lead to Unauth access to systems not owned by the Org. What action should tester take to address this issue, and which documentation needs to be reviewed and potentially updated to ensure compliance with ethical and legal standards?

Pause the test and immediately notify senior management. Review and update the Scope Definition document to ensure that only the Org's assets are included.

A penetration tester is preparing to conduct a security assessment on an organization's network. During the preparation phase, the tester notices that the documented scope of the test includes IP addresses that belong to a third-party vendor. The tester realizes that testing these IP addresses could lead to unauthorized access to systems not owned by the organization. Which of the following actions should the tester take to address this issue, and which documentation needs to be reviewed and potentially updated to ensure compliance with ethical and legal standards?

Pause the test and immediately notify senior management. Review and update the Scope Definition document to ensure that only the organization's assets are included.

A pentester is conducting a security assessment on an organization's wireless network to evaluate potential risks. Which of the following actions should the pentester take to test for the presence of a rogue access point?

Perform a Wardriving exercise to locate available networks and analyze their configurations.

What is the purpose of the command Nmap -sP 172.16.50.0/24?

Performing host enumeration

Based on the following characteristics, identify the correct language/tool -Environment: Cross-platform, common in Unix/Linux -Path Separator: Forward slash (/) typically, but can handle platform-specific separators. -Case Sensitivity: Yes, variables and commands are case-sensitive. -Variable Notation: Uses $ for scalar variables (e.g., $var), @ for arrays, % for hashes. -Key Features: Regular expressions, my for variable scoping, and shebang (#!/usr/bin/perl).

Perl

A penetration tester has successfully compromised a system within a network and now wants to use the compromised system as a launching point to access other internal systems. Which of the following techniques would be the MOST appropriate for the tester to use in this situation?

Pivoting

You are a penetration tester tasked with assessing the security of a corporate network. After successfully compromising an initial host within the network, your next objective is to access a sensitive database server that is not directly reachable from your current position. Which technique would be MOST effective for achieving this goal?

Pivoting

In the context of network penetration testing, which of the following BEST describes the purpose of pivoting?

Pivoting allows a pentester to access and exploit vulnerabilities in network segments that are not directly accessible from the initial point of compromise.

During a penetration test, a pentester identifies a Windows service with an unquoted service path that includes spaces. The service path is defined as follows:C:\Program Files\Comptia\example.exe What is the best approach for the pentester to exploit this misconfiguration?

Place a malicious executable named Program in the root of the C:\ drive.

A pentester has successfully compromised a web server within a corporate network. The pentester's objective is to access a sensitive database server located on a different subnet within the same network. The pentester decides to use a technique that allows them to forward traffic from the compromised web server to the database server. Which of the following methods should the pentester use to achieve this objective?

Port Forwarding

As a penetration tester, you are tasked with evaluating the susceptibility of an organization to social engineering attacks. You decide to use pretexting as part of your assessment. Which of the following actions BEST exemplifies the use of pretexting in this context?

Posing as an IT support technician and calling an employee to request their login credentials for a system update.

As a security analyst, you are using Metasploit to test the security of a web application. You need to perform additional tasks on a compromised host after successfully exploiting it. Which Metasploit module type should you use?

Post

A PenTester initiates a testing exercise by enumerating network hosts. Which Windows-native tool will provide the tester with valid operating system information for Windows computers?

PowerShell

A penetration tester is preparing to prioritize targets before attempting to gain access to network resources. The tester first reviews the scope of the penetration test, which focuses on a customer information database. After analyzing scan results, the pentester identifies two key machines: one is an old, unpatched Windows 7 machine vulnerable to the EternalBlue exploit, and the other is a fully patched Windows 10 machine. What should be the pentester's primary focus when prioritizing targets?

Prioritize the Windows 7 machine, as it has a known vulnerability (EternalBlue) that could provide high-level access to the network.

Which of the following tactics would a malicious actor most likely use during an impersonation attack to gain a victim's trust?

Promoting a sense of urgency by stating the situation is time-sensitive.

A script for enumerating network hosts is found on a compromised system: #!/usr/bin/python3 import socket host = "192.168.1.1" socket

Python

Based on the following characteristics, identify the correct language/tool -Environment: Cross-platform -Path Separator: Forward slash (/) typically, or os.path for platform independence. -Case Sensitivity: Yes, variables and functions are case-sensitive. -Variable Notation: No leading $ (e.g., var = value). -Key Features: Uses import for modules/libraries, indentation for blocks, and shebang (#!/usr/bin/python3).

Python

During a penetration test, the importance of administrative control factors is highlighted to establish a security framework. One key factor is role-based access control (RBAC), which assigns permissions based on roles to ensure restricted access to resources. Which of the following BEST explains how RBAC helps strengthen security in an organization?

RBAC helps prevent unauthorized access by enforcing the least privilege principle and segregation of duties.

What technologies are used with Badge Cloning?

RFID & NFC

Which of the following documents should describe the specific systems or range of IP addresses to assess? (Select two.)

ROE SOW

A penetration tester is performing a test against wireless access points and discovers that the organization uses WPS. Which tools will help the tester to brute force this? (Select two.)

Reaver and WiFite2

When evaluating the qualifications of a penetration testing (PenTest) team for a potential engagement, which of the following credentials and considerations are typically necessary to ensure the team's appropriateness and reliability?

Recent certifications and experience in cybersecurity and ethical hacking, including PenTest+ and CEH, along with up-to-date background checks.

A project manager is drafting up requirements for a penetration test. Which of the following is LEAST likely to be included during the planning phase?

Recommended solutions

What Linux-based command-line tool for OSINT that uses modules to customize search options to gather information on targets such as web applications, IoT devices, and domains. Some modules include Whois query, PGP key search, file crawler and DNS record enumerator?

Recon-ng

What open source intelligence tool (OSINT) allows for customization using different modules?

Recon-ng

A company is assessing the security of its cloud infrastructure and wants to implement strategies to mitigate potential vulnerabilities. Given the following scenarios, which strategy should the company prioritize to address the risk of IAM misconfigurations?

Regularly audit IAM policies and permissions to ensure they align with the principle of least privilege

In a penetration test of a cloud environment, you are tasked with assessing the security of third-party integrations. Which of the following actions would best mitigate the risk of third-party vulnerabilities in this context?

Regularly monitoring the third-party's security posture and ensuring they adhere to the same security standards as your organization.

During a penetration test, which of the following communication practices is the MOST critical to ensure the success of the engagement and compliance with organizational requirements?

Regularly update the client on progress, findings, and challenges while maintaining clear and transparent documentation.

During a penetration test, a pentester aims to perform a pass-the-ticket attack in an Active Directory environment. Which step should the pentester take to successfully execute this attack and gain lateral movement in the network?

Steal the ticket-granting ticket (TGT) from the target system and use it to authenticate to other resources.

A PenTest exercise has concluded. The PenTest team now addresses which area?

Shell Removal

What tool would search for internet-connected industrial control systems?

Shodan

Which of the following BEST describes how Shodan can assist a penetration tester during an assessment involving IoT devices?

Shodan enables penetration testers to locate and identify IoT devices connected to the Internet by indexing their service banners, which may include information about vulnerabilities.

An attacker records video and captures pictures of a victim's device screen that has sensitive information on it, which the attacker can later go back to review the recording. What type of attack is this?

Shoulder surfing

Following a penetration test, you are responsible for spinning down any temporary infrastructure that was set up during the test to ensure no unnecessary resources remain active. Which of the following actions should you prioritize to effectively spin down this infrastructure?

Shut down and remove any local and cloud-based virtual machines used during the test

A pentester is tasked with simulating a social engineering attack to test an organization's security awareness. The pentester decides to gather information on a specific employee's job role and interests to craft a customized email containing a malicious link. What type of social engineering attack is the pentester preparing?

Spear phishing

Which of the following tools is specifically designed to automate the process of gathering intelligence about a given target, including IP addresses, domain names, and network subnets?

SpiderFoot

This wireless attack/exploit tool can either spoof or clone Bluetooth, before making changes to a Bluetooth adapater, this must be ran with root privileges?

Spooftooph

A penetration tester notices an area of interest that they were not initially planning to target. However, after discussing with the client, the client would like to add the new area to the targets as well. What should they update in order to ensure that the new work will be paid extra?

Statement of Work (SOW)

When finalizing a penetration test report before delivery to a client, a technician should consult which document to ensure that all acceptance criteria are satisfied?

Statement of work (SOW)

Which of the following documents might a security professional consult if the client has an issue with accepting a provided penetration test report?

Statement of work (SOW)

A penetration tester is conducting a security assessment for a company located in New York. During the engagement, they discover sensitive customer data that may fall under specific privacy laws. The company requests a PenTest of their web applications, internal systems, and a social engineering assessment. Given the details, which privacy law is most likely to apply, and what ethical considerations should the penetration tester prioritize?

Stop Hacks and Improve Electronic Data Security (SHIELD) Act; ensure the company's cybersecurity methods align with New York's requirements and follow agreed-upon laws between the tester and company.

During the post-engagement phase of a penetration test, you need to ensure the secure handling and storage of the PenTest report. Which of the following actions would best address both the confidentiality and integrity of the report while allowing necessary access to specific parts of the report?

Store the report on a secure server with role-based access controls and encryption, allowing different levels of access to various sections of the report

During a web application assessment, a PenTester identifies an input field that allows JS injection. The tester inserts a line of JS that results in a prompt, presenting a text box when browsing to the page going forward. Which attack is this?

Stored XSS: The tester injects JavaScript into an input field, and the injected code (which triggers a prompt with a text box) is executed whenever the page is loaded going forward. This indicates the JavaScript is stored on the server (e.g., in a database) and served to users, characteristic of a Stored XSS attack. XSS Overview: XSS occurs when an attacker injects malicious scripts into a web application, which are then executed in a user's browser. In this case, the script creates a prompt, but it could potentially steal cookies, redirect users, or perform other malicious actions

A penetration tester has completed a security assessment and is preparing the final penetration test report. The report will be read by various stakeholders, including executives, technical staff, and end-users. How should the penetration tester structure the report to ensure that the information is clear and actionable for all intended audiences?

Structure the report with separate sections, including an Executive Summary, Detailed Findings, and an Appendix, ensuring that each audience receives relevant information at the appropriate level of detail.

During a penetration test, a pentester is attempting to gain access to a Wi-Fi network that uses Wi-Fi Protected Setup (WPS). The pentester decides to use the Reaver tool to perform a brute-force attack on the WPS PIN. However, the access point has a lockout mechanism that activates after several failed attempts. What should the pentester do to improve the chances of successfully exploiting WPS?

Switch to an offline attack using the Pixie Dust method to exploit random number generation weaknesses.

Which of the following BEST describes the primary objectives of a network assessment during a penetration testing engagement?

Systematically identifying and exploiting vulnerabilities in network components and testing the effectiveness of security controls.

What Nmap timing option is a slow scan designed for minimizing detection and is best for IDS evasion?

What Nmap timing option is the default timing option, offering a stable and balanced scan?

During a network scan at the beginning of a penetration test, a pentester uses Nmap to discover open ports, services, and protocols on a target network. The pentester must ensure network stability while balancing the need for fast and thorough scanning. Which of the following Nmap timing options would be the MOST appropriate for achieving fast scans without significantly compromising network stability?

What Nmap timing option is the fastest, but the most unstable and can overwhelm the network and cause instability?

Which of the following scan types is the MOST appropriate to bypass firewall rulesets and determine whether a firewall is stateful or not?

TCP ACK Scan (-sA)

When conducting a penetration test, a pentester wants to identify open ports and running services on a target while minimizing the risk of detection. Which of the following scanning techniques would be the MOST effective in this scenario?

TCP SYN Scan

You have been contracted to conduct a Penetration Testing (PenTest) exercise for an organization. After gathering all the project requirements and scoping the engagement, you proceed to obtain formal permission to begin testing. The PenTest will involve testing internal resources, including Active Directory, which could potentially disrupt services if breached. Additionally, you need to ensure that sensitive information accessed during the PenTest is protected, and all parties involved are clear on their responsibilities and liabilities. Which of the following documents should be signed and reviewed to ensure a clear understanding of the scope, responsibilities, and legal protections before conducting the PenTest?

During a penetration test of a large industrial facility using SCADA systems, the pentester identifies that the ICS devices are not segmented from the main organizational network and are using outdated protocols. The pentester uses Shodan and Nmap to discover vulnerabilities in these systems. What is the MOST critical risk that the pentester should report to the organization, and why?

The ICS devices are not segmented from the rest of the network and are vulnerable to attack

A PenTest technician is looking for a list of all publicly disclosed common vulnerabilities and exposures (CVE). What can the technician reference to find this list?

The MITRE organization's website

Which of the following BEST describes the role of the SNMP agent in the Simple Network Management Protocol (SNMP)?

The SNMP agent is responsible for sending management information to the SNMP management station and resides on each network device.

A penetration tester wants to use Windows Remote Management (WinRM) to access a remote system for managing and monitoring. What does the tester need to do to enable this functionality?

The WinRM service must be activated using the winrm quickconfig command on both systems

A penetration tester is tasked with testing the effectiveness of a firewall. The pentester sends specially crafted packets to determine if they can bypass the firewall. After several tests, the tester discovers that some packets are allowed through the firewall. Which of the following is the MOST likely reason for this, and what should the pentester include in their report?

The firewall is not inspecting the payload of the packets, allowing malicious data to pass over an allowed port.

Alex recently purchased a new Android smartphone and is excited to customize it. He decides to download a popular game from a third-party website instead of the Google Play Store. After installing the game, Alex notices that his phone starts behaving erratically, and some of his personal data seems to be compromised. What is the MOST likely reason for Alex's phone issues?

The game app contained malicious code that exploited vulnerabilities due to rooting.

After DLL injection of malicious code into a library, when will the code be run?

The next time the library file is called.

A penetration tester is tasked with evaluating the security of a containerized cloud environment. The goal is to identify vulnerabilities that could lead to a container escape attack. The tester uses tools such as Docker Bench and Kube-hunter to scan for misconfigurations and vulnerabilities. Which of the following scenarios MOST likely represents a successful container escape attack?

The penetration tester leverages a CVE vulnerability in the container runtime to gain access to the host file system.

A pentester has gained initial access to a network and is planning their next steps to explore and exploit the network further. The tester needs to decide between lateral and horizontal movement techniques to achieve their objectives. Which of the following scenarios BEST illustrates the use of horizontal movement within the network?

The pentester accesses shared folders on other systems using the same user account privileges and searches for sensitive documents.

A pentester has successfully compromised a host within a target network and is considering the next steps to explore additional network segments that are not directly accessible from their current position. Which of the following BEST describes the process the pentester should use to achieve this goal?

The pentester uses the compromised host as a relay to access other network subnets that are not directly reachable from their current position.

An organization is concerned about the potential for brute force attacks on their systems. They want to understand the factors that limit the effectiveness of such attacks. Which of the following is a primary limitation of brute force attacks?

The processing power available

Which of the following explains the reason a tester would opt to use DREAD over PTES during the planning phase of a penetration test?

The tester is creating a threat model

During a penetration test, the tester identifies a vulnerability flagged by both OpenVAS and Nmap scans with a CVE number. After retrieving the details from the National Vulnerability Database (NVD), the tester sees that the vulnerability has a CVSS base score of 8.5 (High), but the Exploit Prediction Scoring System (EPSS) score is only 0.2. When evaluating whether to prioritize fixing this vulnerability immediately, what should the tester consider?

The tester should combine the CVSS score with an analysis of the specific environment to determine urgency.

During a penetration test, you want to conceal a malicious executable inside a seemingly harmless text file using NTFS Alternate Data Streams (ADS). Which of the following commands would you use to achieve this?

The type c:\malware.exe > c:\comptia.txt:malware.exe command uses the type command to read the contents of malware.exe and then redirects (>) that content into a new alternate data stream named malware.exe linked to the file comptia.txt. This effectively hides the executable within the text file's ADS, making it invisible to standard file listing commands

During a penetration test, a pentester has identified several potential vulnerabilities in the target system. To proceed, the pentester needs to select the appropriate exploit from Metasploit. Which of the following considerations is the MOST important when choosing an exploit?

The type of outcome the pentester wants to achieve (e.g., denial of service, root access)

A Jr. PenTester has difficulty using a Bash script. The script contains the following line: $my_str="Password" , which keeps throwing an error. What does a senior PenTester identify as the problem?

The use of $

Which of the following BEST describes the benefit of using modules, functions, and classes in Python when performing tasks such as reconnaissance and enumeration in penetration testing?

They enable the organization of code into reusable, modular components, improving code maintenance and scalability

An organization underwent a penetration test and insisted that the PenTesters include the organization's investor on the reported findings. What group does the investor belong to?

Third-Party stakeholders

Which of the following best describes the purpose of the post-activity Business Impact Analysis (BIA) section in a penetration test report?

To assess how the vulnerabilities identified could affect the client's business operations and prioritize remediation efforts.

Why is it important for a pentester to document all activities, attempted attacks, and discovered vulnerabilities during an enterprise penetration test?

To assist the organization in strengthening its security posture and implementing stricter policies.

A PenTester needs to determine if it's possible to disrupt wireless communications for Workstations deployed in the client's offices. What technique should the PenTester leverage?

To determine whether it's possible to disrupt wireless communications, a penetration tester would typically start by scanning wireless channels to: • Identify active wireless networks • Detect the channels in use • Understand signal strength and interference • Locate access points and clients This process is known as channel scanning, and it's a precursor to more advanced wireless attacks like jamming, deauthentication, or rogue AP deployment.

Use Steghide to embed the data within an image file and transfer the image to an external server controlled by the tester. While compressing and encrypting the data protects it, directly uploading it to a cloud storage service is likely to be detected by network monitoring tools, as such activities may trigger alerts, it doesn't adequately conceal the data transfer, making it less suitable for covert exfiltration.

A penetration tester has successfully gained unauthorized access to a network and is now planning to move laterally through the network to escalate privileges. Which of the following techniques should the tester apply to bypass network segmentation and access other network segments?

Use VLAN Hopping to bypass network segmentation and access other segments.

A penetration tester has successfully exfiltrated a file containing hashed passwords from a target system. The tester plans to perform an offline password attack. Which of the following techniques should the tester use to increase the chances of successfully cracking the passwords?

Use a Dictionary Attack with a comprehensive wordlist

During a PenTest, a scan indicates that a client machine is running an outdated version of a web application, potentially exposing it to known vulnerabilities. Which scripting approach should the PenTester use to confirm the application's version?

Use a PowerShell script to verify the application version reported by the scan.

During a penetration test, you need to automate the identification of hosts within a target subnet and validate the number of hosts against a predefined list. Which approach would BEST enhance the efficiency and accuracy of this task?

Use a script that configures nmap to perform a host scan and automatically outputs a warning if the identified number of hosts does not match the expected value.

After completing a penetration test, you are tasked with securely destroying sensitive data collected during the test to prevent unauthorized recovery. Which of the following actions should you take to ensure secure data destruction?

Use a secure data shredding tool to overwrite the data multiple times.

A penetration tester is in the enumeration phase and has been tasked with creating a detailed network map of the target environment. The tester needs to document and capture all relevant information, including services, IP addresses, and device types. Which of the following actions should the penetration tester prioritize to ensure a complete and accurate map of the network is built?

Use a tool like Nmap to scan the network and export results in multiple formats using the -oA switch.

You are conducting a penetration test on a cloud environment and have identified the possibility of image and artifact tampering attacks. Which of the following actions would be the MOST appropriate way to mitigate these types of attacks during the testing phase?

Use a trusted registry and inforce image signing to verify the integrity of container images before deployment

As a penetration tester, you are tasked with capturing the WPA/WPA2 handshake of a target wireless network to assess its security. You decide to perform a deauthentication attack to force a client to reconnect and capture the necessary handshake. Which of the following steps should you take to successfully execute this attack?

Use aireplay-ng to send deauthentication frames and capture the handshake with airodump-ng.

In a cloud environment, supply chain attacks are becoming more prevalent, targeting vulnerabilities in third-party services. Which of the following measures would best apply the guidelines provided by the Supply-chain Levels for Software Artifacts (SLSA) to protect against these types of attacks?

Use code signing and cryptographic techniques to verify the integrity and provenance of third-party software components.

During a penetration test on a kiosk system, the pentester notices that the kiosk is configured with a full-screen web browser displaying information and has a field for user input. Which of the following should the pentester attempt to do first in order to try escaping the restricted environment?

Use keyboard shortcuts to open a File Explorer window or command shell.

A PenTester is using Python to write a script in preparation for a PenTest. What can the PenTester do to complete the script quickly as well as take advantage of work that others have already completed? (Select three.)

Use modules Use classes Use pre-built libraries

Which of the following actions should users take to minimize the risk of their passwords being compromised after a data breach, such as the RockYou hack?

Use password-checking services like haveibeenpwned.com

During a penetration test, a pentester has successfully gained access to a company's network. They have collected sensitive files from various systems, dumped databases, and performed credential dumping attacks. Now, they need to exfiltrate the data without being detected. Which of the following methods should the pentester use to ensure the data is covertly moved from the target machines?

Use steganography to hide the data within an image file and transfer it.

A pentester has compromised a host within a target network and intends to use it as a relay to access additional systems within the network. The tester plans to use Metasploit to discover accessible hosts and then establish a relay to perform further reconnaissance. Which of the following sequences of actions should the pentester take to achieve this goal effectively?

Use the ARP scanner module in Metasploit to discover hosts, modify the routing table on the pivot host to reach different subnets, and use VPN pivoting to perform additional reconnaissance.

A penetration tester is assessing a web application hosted on a cloud platform and discovers that the application accepts user input to fetch the content of a URL. After reviewing the code, the tester finds that the input is not properly sanitized. The tester crafts a URL that targets the Instance Metadata Service (IMS) to obtain sensitive information. What is the next step the penetration tester should take after retrieving temporary credentials from the metadata service?

Use the AWS Command Line Interface (CLI) to perform AWS operations based on the permissions of the retrieved credentials.

During a red team operation, a penetration tester compromises a Windows system and uses Meterpreter to escalate privileges. To remain stealthy and evade forensic detection, the tester wants to make it appear as though a privileged user performed certain actions. They also want to alter file timestamps to disrupt timeline-based forensic analysis. Which of the following best describes the tools or techniques the tester could use within Metasploit's Meterpreter to achieve both privilege impersonation and timestamp manipulation?

Use the Incognito tool to impersonate a privileged token and the timestomp module to alter file MACE values meterpreter > timestomp example.txt - v

Use the Metasploit module auxiliary/scanner/smb/smb_enumshares to list all shared resources on the network and attempt to access them.

During a penetration test, you have successfully gained access to a network and are now tasked with moving laterally to other systems within the network. You notice that several machines are running the Server Message Block (SMB) protocol. Which of the following actions would BEST allow you to exploit this service to gain further access to other systems?

Use the Metasploit module auxiliary/scanner/smb/smb_enumshares to list all shared resources on the network and attempt to access them.

A penetration tester is tasked with gaining access to a local machine by cracking a user's password. Before password cracking can begin, they need to enumerate usernames within the organization. The organization uses a domain-based email format ([email protected]). After conducting OSINT and obtaining potential email addresses, the tester needs to identify valid usernames. Which of the following is the MOST effective method to proceed with user enumeration in a Windows-based domain?

Use the Nmap krb5-enum-users script to brute-force username enumeration via Kerberos

You are a penetration tester tasked with gathering information about remote systems within a corporate network. You need to determine the status and model of disk drives on a remote system with the IP address 192.168.1.50. You have the option to use either the deprecated WMIC command-line tool or PowerShell's Get-CimInstance cmdlet. Considering the need for future-proofing and flexibility in data handling, which approach should you choose and why?

Use the PowerShell cmdlet: Get-CimInstance -ClassName Win32_diskdrive | Select-Object status, model (The PowerShell's Get-CimInstance cmdlet is not deprecated and offers more flexibility. It returns an object that can be easily manipulated or converted to other formats like JSON, making it a more robust and future-proof solution.)

During a penetration test, a pentester gains administrative access to a target system and decides to cover their tracks. Which of the following techniques would be the BEST option to minimize suspicion while still making it difficult for a forensic investigator to uncover the pentester's activity?

Use the sed command to remove specific log entries related to the pentester's login activity on a Linux system.

A penetration tester needs to gather information about remote systems without using an interactive shell. Which of the following methods would allow the tester to query system information on a Windows machine?

Use the wmic command-line tool to query the system

A PenTest team prepares for an engagement at a customer site. Which assets could the team inventory as being in-scope for the test? (Select three.)

Users Service Set Identifiers (SSID) Domains

During a penetration test, you discover that a system has been compromised using a backdoor. Which of the following methods would MOST likely allow the attacker to maintain persistent access to the system while remaining undetected?

Using a remote access tool (RAT) with rootkit capabilities

When performing a secrets scanning task during a penetration test, which of the following is the MOST appropriate approach to efficiently identify sensitive information such as credentials, API keys, and encryption keys?

Using an automated tool like TruffleHog to scan code repositories and other assets

A penetration tester is assessing a web application for vulnerabilities. After initial manual testing, the pentester decides to use automated tools to speed up the process. The assessment includes scanning for exposed API keys, examining form fields, and looking for vulnerabilities such as SQL Injection and insecure server configurations. The pentester uses both SAST and DAST methods to test the application, and SCAP to ensure compliance with security standards. Which of the following actions best exemplifies the pentester's dynamic testing process?

Using automated tools to scan for vulnerabilities in the live web application during production

A penetration tester is attempting to move laterally within a network by using legitimate binaries that are already present on the system (LOLbins). Which of the following techniques is an example of using a LOLbin to evade detection while moving laterally?

Using net.exe to add a new user account to the local administrators group and then connecting to another system. net.exe is a legitimate Windows binary that can be used to manipulate network configurations and user accounts. In this case, using it to add a new user account or adjust group memberships can help a penetration tester gain elevated privileges or access to other systems without relying on third-party tools, making it a classic example of using a LOLbin to evade detection.

Which of the following methods is commonly used by attackers to tamper with security controls on a target system to maintain access and prevent detection of malware?

Using scripts to modify registry keys and group policies to disable Windows Defender and UAC. Attackers often modify system settings, such as registry keys and group policies, to weaken or disable security features like Windows Defender and User Account Control (UAC). This tampering helps them prevent detection of their malware and maintain persistence on the target system.

Which security standard simplifies the connection process for consumer devices and home wireless networks but is vulnerable to remote and local attacks if the PIN feature is enabled (default setting on many home routers) or the wireless access point is not physically secured?

WPS

A penetration tester is performing website enumeration on a public-facing web server. The tester uses Nmap with the http-enum script and discovers that the server is running Apache with WordPress installed. The pentester decides to further investigate the plugins used by WordPress and evaluates the site's robots.txt file. Which of the following is would be the MOST effective combination of tools and techniques for identifying vulnerable plugins and unprotected resources on this server?

WPScan, Forced Browsing, Spiderfoot

A pentester is assessing the physical security of a client's facility by attempting to gain unauthorized access to secure areas. The pentester plans to use tailgating during the test. Which of the following would be the most effective way for the pentester to attempt a successful tailgating attack?

Wait near the secure entrance for a distracted employee to enter the area and follow them closely without being noticed.

A security engineer walks through a shopping plaza with a mobile device searching for insecure wireless access points. Which method of reconnaissance is the engineer using?

War driving

A malicious actor identified an insecure website frequented by an employee. The actor injects malicious code onto the visited site. When the employee revisits the site, the payload gets triggered and infects the computer. This new exploit opens a communication channel between the actor and the employee's device. What type of attack did the malicious actor use on the employee?

Watering hole attack

A penetration tester established an initial compromise on a host. The tester wants to pivot to other targets and set up an appropriate relay. The tester needs to enumerate through the compromised host as a relay from the tester's machine. Which of the following commands should the tester use to do this task from the tester's host?

attacker_host$ proxychains nmap -sT <target_cidr> ProxyChains routes all traffic through a compromised host (pivoting). This allows a pentester to scan other network segments while avoiding direct detection. Commonly used for internal reconnaissance and lateral movement after compromising a foothold.

Which command, used to view the NetBIOS name table of a remote computer and gather network-related information, is more specific than attempting default login credentials but may reveal valuable details?

nbtstat -A <IP Address>

A penetration tester has successfully gained access to a target machine and wants to maintain persistence by creating a new user account with administrative privileges. Which of the following commands would achieve this on a Windows system?

net user jsmith <password> /add followed by net localgroup Administrators jsmith /add

You have been tasked with gathering information about a target system to identify potential vulnerabilities. You decide to use banner grabbing to obtain information about the services running on the system. Which of the following commands would you use to gather banner information from a web server running on port 80?

curl -I <target IP>

After obtaining the operating system of the target of a PenTest, where can a team member find specific opportunities for exploitation?

cve.mitre.org

A PenTester gains initial access to a server and needs to enumerate all DNS records on the Corporate Domain. Which command should the tester use?

dig afxr @local.dns.server This script is an attempt for DNS zone transfer (AXFR). Zone transfers retrieve all DNS records, including subdomains, IP mappings, MX (mail), and TXT records. This requires a misconfigured DNS server that allows unauthorized transfers

A cybersecurity analyst is conducting a forensic investigation on a compromised Windows system. During the investigation, the analyst suspects that an attacker has hidden malicious files using NTFS Alternate Data Streams (ADS). The analyst finds a suspicious text file named report.txt and wants to check if there are any hidden streams attached to it. Which of the following commands should the analyst use to list all streams associated with report.txt?

dir /r report.txt The dir /r report.txt command is used to display alternate data streams associated with files in NTFS. The /r switch in the dir command reveals any hidden streams linked to report.txt, making it the correct choice for listing all streams.

What does this script do? grep "Administrator" <dumpfile> | cut -d: -f3,4 > admin-hash.txt

grep "Administrator" <dumpfile>Searches the dump file for any lines containing the word "Administrator". | Pipes the output of grep (i.e., the matching lines) into the next command. cut -d: -f3,4 cut: Extracts specific fields from each line. -d:: Uses the colon : as the delimiter (standard in hash dump formats like those from pwdump). -f3,4: Extracts the 3rd and 4th fields, which in most password dump formats correspond to the LM hash and NTLM hash, respectively. > admin-hash.txtRedirects the extracted hash fields to a file called admin-hash.txt.

A PenTester wants to use pre-existing libraries in a Python script. Which of the following will allow the PenTester to do that?

import

A penetration tester wants to gather email information for a targeted phishing campaign. Which of the following tools could they use to collect this?

theHarvester

What Recon OSINT tool uses a command-line interface that gathers information from a wide range of public resources to discover names, emails, IP addresses, URLs, subdomain names, employee names, PGP key entries, and service banners? It can search a company's visible threat landscape.

theHarvester

Lihat semua set pelajaran

Set pelajaran terkait

Ch. 5 How to Form a Business

FIN 360 Exam 3

Chapter 17 - 18 Study Questions

Musculoskeletal Practice Questions

International Accounting final exam

Chapter 16 Complications OB

FTCE: Subject Area K-6: Math problems

PSY 150 chapter 13If you take a class in personality psychology, which of the following topics is most likely to come up? Multiple choice question. The influence of conscientiousness on grades The cause of developmental disorders such as autism The

CompTIA PenTest+ Practice Questions

Set pelajaran terkait

Ch. 5 How to Form a Business

FIN 360 Exam 3

Chapter 17 - 18 Study Questions

Musculoskeletal Practice Questions

International Accounting final exam

Chapter 16 Complications OB

FTCE: Subject Area K-6: Math problems

PSY 150 chapter 13If you take a class in personality psychology, which of the following topics is most likely to come up? Multiple choice question. The influence of conscientiousness on grades The cause of developmental disorders such as autism The

Anatomy and Physiology- Final Exam

audit quiz #13

Chapter 37 2 of 3

FURNITURE EP. 2 (WOOD, DEFFECTS, FINISHES)

CH. 29 sections quiz questions

Radiology Exam

Honors Chemistry Chapter 13 (Sister C.)

Econ Final: 1-9

Geology final

Fin 303 Final Ch. 18

ugh ugh ugh ugh

Level 4 F&E