Pen 151-200


A penetration tester has completed an analysis of the various software products produced by the company under assessment. The tester found that over the past several years the company has been including vulnerable third-party modules in multiple products, even though the quality of the organic code being developed is very good. Which of the following recommendations should the penetration tester include in the report? A. Add a dependency checker into the tool chain. B. Perform routine static and dynamic analysis of committed code. C. Validate API security settings before deployment. D. Perform fuzz testing of compiled binaries.

A. Add a dependency checker into the tool chain.

A penetration tester is reviewing the following DNS reconnaissance results for comptia.org from dig:

;; ANSWER SECTION
comptia.org. 3569 IN MX comptia.org-mail.protection.outlook.com.
comptia.org. 3569 IN A 3.219.13.186
comptia.org. 3569 IN NS ns1.comptia.org.
comptia.org. 3569 IN SOA haven. administrator.comptia.org.
comptia.org. 3569 IN MX new.mx0.comptia.org.
comptia.org. 3569 IN MX new.mx1.comptia.org.

Which of the following potential issues can the penetration tester identify based on this output? A. At least one of the records is out of scope. B. There is a duplicate MX record. C. The NS record is not within the appropriate domain. D. The SOA record is outside the comptia.org domain.

A. At least one of the records is out of scope.

Which of the following can be used to store alphanumeric data that can be fed into scripts or programs as input to penetration-testing tools? A. Dictionary B. Directory C. Symlink D. Catalog E. For-loop

A. Dictionary

A penetration tester discovers during a recent test that an employee in the accounting department had been making changes to a payment system and redirecting money into a personal bank account. The penetration test was immediately stopped. Which of the following would be the BEST recommendation to discourage this type of activity in the future? A. Enforce mandatory employee vacations. B. Implement multifactor authentication. C. Install video surveillance equipment in the office. D. Encrypt passwords for bank account information.

A. Enforce mandatory employee vacations.

A penetration tester was contracted to test a proprietary application for buffer overflow vulnerabilities. Which of the following tools would be BEST suited for this task? A. GDB B. Burp Suite C. SearchSploit D. Netcat

A. GDB

User credentials were captured from a database during an assessment and cracked using rainbow tables. Based on the ease of compromise, which of the following algorithms was MOST likely used to store the passwords in the database? A. MD5 B. bcrypt C. SHA-1 D. PBKDF2

A. MD5

A penetration tester has identified several newly released CVEs on a VoIP call manager. The scanning tool the tester used determined the possible presence of the CVEs based on the version number of the service. Which of the following methods would BEST support validation of the possible findings? A. Manually check the version number of the VoIP service against the CVE release. B. Test with proof-of-concept code from an exploit database on a non-production system. C. Review SIP traffic from an on-path position to look for indicators of compromise. D. Execute an nmap -sV scan against the service.

A. Manually check the version number of the VoIP service against the CVE release.

Which of the following documents is agreed upon by all parties associated with the penetration-testing engagement and defines the scope, contacts, costs, duration, and deliverables? A. SOW B. SLA C. MSA D. NDA

A. SOW

Which of the following would assist a penetration tester the MOST when evaluating the susceptibility of top-level executives to social engineering attacks? A. Scraping social media for personal details B. Registering domain names that are similar to the target company's C. Identifying technical contacts at the company D. Crawling the company's website for company information

A. Scraping social media for personal details

A penetration tester wants to validate the effectiveness of a DLP product by attempting exfiltration of data using email attachments. Which of the following techniques should the tester select to accomplish this task? A. Steganography B. Metadata removal C. Encryption D. Encode64

A. Steganography

Which of the following are the MOST important items for prioritizing fixes that should be included in the final report for a penetration test? (Choose two.) A. The CVSS score of the finding B. The network location of the vulnerable device C. The vulnerability identifier D. The client acceptance form E. The name of the person who found the flaw F. The tool used to find the issue

A. The CVSS score of the finding B. The network location of the vulnerable device

A penetration tester initiated the transfer of a large data set to verify a proof-of-concept attack as permitted by the ROE. The tester noticed the client's data included PII, which is out of scope, and immediately stopped the transfer. Which of the following MOST likely explains the penetration tester's decision? A. The tester had the situational awareness to stop the transfer. B. The tester found evidence of prior compromise within the data set. C. The tester completed the assigned part of the assessment workflow. D. The tester reached the end of the assessment time frame.

A. The tester had the situational awareness to stop the transfer.

An assessor wants to use Nmap to help map out a stateful firewall rule set. Which of the following scans will the assessor MOST likely run? A. nmap -sA 192.168.0.1/24 B. nmap -sS 192.168.0.1/24 C. nmap -oG 192.168.0.1/24 D. nmap 192.168.0.1/24

A. nmap -sA 192.168.0.1/24

The attacking machine is on the same LAN segment as the target host during an internal penetration test. Which of the following commands will BEST enable the attacker to conduct host discovery and write the discovery to files without returning results for the attack machine? A. nmap -sn -n -exclude 10.1.1.15 10.1.1.0/24 -oA target_txt B. nmap -iR 10 -n -oX out.xml | grep "Nmap" | cut -d "" -f5 > live-hosts.txt C. nmap -Pn -sV -O -iL target.txt -oA target_text_Service D. nmap -sS -Pn -n -iL target.txt -oA target_txtl

A. nmap -sn -n -exclude 10.1.1.15 10.1.1.0/24 -oA target_txt

The following output is from reconnaissance on a public-facing banking website: Based on these results, which of the following attacks is MOST likely to succeed? A. A birthday attack on 64-bit ciphers (Sweet32) B. An attack that breaks RC4 encryption C. An attack on a session ticket extension (Ticketbleed) D. A Heartbleed attack

B. An attack that breaks RC4 encryption

A penetration tester is assessing a wireless network. Although monitoring the correct channel and SSID, the tester is unable to capture a handshake between the clients and the AP. Which of the following attacks is the MOST effective to allow the penetration tester to capture a handshake? A. Key reinstallation B. Deauthentication C. Evil twin D. Replay

B. Deauthentication

During the scoping phase of an assessment, a client requested that any remote code exploits discovered during testing be reported immediately so the vulnerability could be fixed as soon as possible. The penetration tester did not agree with this request, and after testing began, the tester discovered a vulnerability and gained internal access to the system. Additionally, this scenario led to a loss of confidential credit card data and a hole in the system. At the end of the test, the penetration tester willfully failed to report this information and left the vulnerability in place. A few months later, the client was breached and credit card data was stolen. After being notified about the breach, which of the following steps should the company take NEXT? A. Deny that the vulnerability existed. B. Investigate the penetration tester. C. Accept that the client was right. D. Fire the penetration tester.

B. Investigate the penetration tester.

The results of an Nmap scan are as follows: Which of the following device types will MOST likely have a similar response? A. Active Directory domain controller B. IoT/embedded device C. Exposed RDP D. Print queue

B. IoT/embedded device

A client would like to have a penetration test performed that leverages a continuously updated TTPs framework and covers a wide variety of enterprise systems and networks. Which of the following methodologies should be used to BEST meet the client's expectations? A. OWASP Top 10 B. MITRE ATT&CK framework C. NIST Cybersecurity Framework D. The Diamond Model of Intrusion Analysis

B. MITRE ATT&CK framework

Which of the following is the MOST important information to have on a penetration testing report that is written for the developers? A. Executive summary B. Remediation C. Methodology D. Metrics and measures

B. Remediation

A penetration tester is testing a web application that is hosted by a public cloud provider. The tester is able to query the provider's metadata and get the credentials used by the instance to authenticate itself. Which of the following vulnerabilities has the tester exploited? A. Cross-site request forgery B. Server-side request forgery C. Remote file inclusion D. Local code inclusion

B. Server-side request forgery

PCI DSS requires which of the following as part of the penetration-testing process? A. The penetration tester must have cybersecurity certifications. B. The network must be segmented. C. Only externally facing systems should be tested. D. The assessment must be performed during non-working hours.

B. The network must be segmented.

During a web application test, a penetration tester was able to navigate to https://company.com and view all links on the web page. After manually reviewing the pages, the tester used a web scanner to automate the search for vulnerabilities. When returning to the web application, the following message appeared in the browser: unauthorized to view this page. Which of the following BEST explains what occurred? A. The SSL certificates were invalid. B. The tester IP was blocked. C. The scanner crashed the system. D. The web page was not found.

B. The tester IP was blocked.

A penetration tester received a 16-bit network block that was scoped for an assessment. During the assessment, the tester realized no hosts were active in the provided block of IPs and reported this to the company. The company then provided an updated block of IPs to the tester. Which of the following would be the most appropriate NEXT step? A. Terminate the contract. B. Update the ROE with new signatures. C. Scan the 8-bit block to map additional missed hosts. D. Continue the assessment.

B. Update the ROE with new signatures.

A penetration tester is able to use a command injection vulnerability in a web application to get a reverse shell on a system. After running a few commands, the tester runs the following:

python -c 'import pty; pty.spawn("/bin/bash")'

Which of the following actions is the penetration tester performing? A. Privilege escalation B. Upgrading the shell C. Writing a script for persistence D. Building a bind shell

B. Upgrading the shell

After gaining access to a Linux system with a non-privileged account, a penetration tester identifies the following file: Which of the following actions should the tester perform FIRST? A. Change the file permissions. B. Use privilege escalation. C. Cover tracks. D. Start a reverse shell.

B. Use privilege escalation.

A penetration tester is examining a Class C network to identify active systems quickly. Which of the following commands should the penetration tester use? A. nmap -sn 192.168.0.1/16 B. nmap -sn 192.168.0.1-254 C. nmap -sn 192.168.0.1 192.168.0.1.254 D. nmap -sN 192.168.0.0/24

B. nmap -sn 192.168.0.1-254

Which of the following types of assessments MOST likely focuses on vulnerabilities with the objective to access specific data? A. An unknown-environment assessment B. A known-environment assessment C. A red-team assessment D. A compliance-based assessment

C. A red-team assessment

A penetration tester needs to access a building that is guarded by locked gates, a security team, and cameras. Which of the following is a technique the tester can use to gain access to the IT framework without being detected? A. Pick a lock. B. Disable the cameras remotely. C. Impersonate a package delivery worker. D. Send a phishing email.

C. Impersonate a package delivery worker.

A consultant just performed a SYN scan of all the open ports on a remote host and now needs to remotely identify the type of services that are running on the host. Which of the following is an active reconnaissance tool that would be BEST to use to accomplish this task? A. tcpdump B. Snort C. Nmap D. Netstat E. Fuzzer

C. Nmap

A tester who is performing a penetration test discovers an older firewall that is known to have serious vulnerabilities to remote attacks but is not part of the original list of IP addresses for the engagement. Which of the following is the BEST option for the tester to take? A. Segment the firewall from the cloud. B. Scan the firewall for vulnerabilities. C. Notify the client about the firewall. D. Apply patches to the firewall.

C. Notify the client about the firewall.

A penetration tester wants to test a list of common passwords against the SSH daemon on a network device. Which of the following tools would be BEST to use for this purpose? A. Hashcat B. Mimikatz C. Patator D. John the Ripper

C. Patator

A penetration-testing team needs to test the security of electronic records in a company's office. Per the terms of engagement, the penetration test is to be conducted after hours and should not include circumventing the alarm or performing destructive entry. During outside reconnaissance, the team sees an open door from an adjoining building. Which of the following would be allowed under the terms of the engagement? A. Prying the lock open on the records room B. Climbing in an open window of the adjoining building C. Presenting a false employee ID to the night guard D. Obstructing the motion sensors in the hallway of the records room

C. Presenting a false employee ID to the night guard

A penetration tester is looking for vulnerabilities within a company's web application that are in scope. The penetration tester discovers a login page and enters the following string in a field:

1;SELECT Username, Password FROM Users;

Which of the following injection attacks is the penetration tester using? A. Blind SQL B. Boolean SQL C. Stacked queries D. Error-based

C. Stacked queries

A penetration tester is testing a new API for the company's existing services and is preparing the following script: Which of the following would the test discover? A. Default web configurations B. Open web ports on a host C. Supported HTTP methods D. Listening web servers in a domain

C. Supported HTTP methods

A penetration tester completed an assessment, removed all artifacts and accounts created during the test, and presented the findings to the client. Which of the following happens NEXT? A. The penetration tester conducts a retest. B. The penetration tester deletes all scripts from the client machines. C. The client applies patches to the systems. D. The client clears system logs generated during the test.

C. The client applies patches to the systems.

In Python socket programming, SOCK_DGRAM type is: A. reliable. B. matrixed. C. connectionless. D. slower.

C. connectionless.

A penetration tester is trying to restrict searches on Google to a specific domain. Which of the following commands should the penetration tester consider? A. inurl: B. link: C. site: D. intitle:

C. site:

A penetration tester is contracted to attack an oil rig network to look for vulnerabilities. While conducting the assessment, the support organization of the rig reported issues connecting to corporate applications and upstream services for data acquisitions. Which of the following is the MOST likely culprit? A. Patch installations B. Successful exploits C. Application failures D. Bandwidth limitations

D. Bandwidth limitations

A penetration tester who is working remotely is conducting a penetration test using a wireless connection. Which of the following is the BEST way to provide confidentiality for the client while using this connection? A. Configure wireless access to use a AAA server. B. Use random MAC addresses on the penetration testing distribution. C. Install a host-based firewall on the penetration testing distribution. D. Connect to the penetration testing company's VPS using a VPN.

D. Connect to the penetration testing company's VPS using a VPN.

A penetration tester recently completed a review of the security of a core network device within a corporate environment. The key findings are as follows:

Port State Service Version
22/tcp open ssh Cisco SSH 1.25 (protocol 2.0)
80/tcp open http Cisco IOS http config
|_https-title: Did not follow redirect to https://10.50.100.16
443/tcp open https Cisco IOS https config

Which of the following would be BEST to add to the recommendations section of the final report? (Choose two.) A. Enforce enhanced password complexity requirements. B. Disable or upgrade SSH daemon. C. Disable HTTP/301 redirect configuration. D. Create an out-of-band network for management. E. Implement a better method for authentication. F. Eliminate network management and control interfaces.

D. Create an out-of-band network for management. E. Implement a better method for authentication.

A penetration tester has gained access to part of an internal network and wants to exploit on a different network segment. Using Scapy, the tester runs the following command: Which of the following represents what the penetration tester is attempting to accomplish? A. DNS cache poisoning B. MAC spoofing C. ARP poisoning D. Double-tagging attack

D. Double-tagging attack

A company that requires minimal disruption to its daily activities needs a penetration tester to perform information gathering around the company's web presence. Which of the following would the tester find MOST helpful in the initial information-gathering steps? (Choose two.) A. MX records B. Zone transfers C. DNS forward and reverse lookups D. Internet search engines E. Externally facing open ports F. Shodan results

D. Internet search engines F. Shodan results

A red team completed an engagement and provided the following example in the report to describe how the team gained access to a web server:

x' OR role LIKE '%admin%

Which of the following should be recommended to remediate this vulnerability? A. Multifactor authentication B. Encrypted communications C. Secure software development life cycle D. Parameterized queries

D. Parameterized queries

Given the following script: Which of the following BEST characterizes the function performed by lines 5 and 6? A. Retrieves the start-of-authority information for the zone on DNS server 10.10.10.10 B. Performs a single DNS query for www.comptia.org and prints the raw data output C. Loops through variable b to count the results returned for the DNS query and prints that count to screen D. Prints each DNS query result already stored in variable b

D. Prints each DNS query result already stored in variable b

A penetration tester was able to compromise a server and escalate privileges. Which of the following should the tester perform AFTER concluding the activities on the specified target? (Choose two.) A. Remove the logs from the server. B. Restore the server backup. C. Disable the running services. D. Remove any tools or scripts that were installed. E. Delete any created credentials. F. Reboot the target server.

D. Remove any tools or scripts that were installed. E. Delete any created credentials.

A penetration tester opened a shell on a laptop at a client's office but is unable to pivot because of restrictive ACLs on the wireless subnet. The tester is also aware that all laptop users have a hard-wired connection available at their desks. Which of the following is the BEST method available to pivot and gain additional access to the network? A. Set up a captive portal with embedded malicious code. B. Capture handshakes from wireless clients to crack. C. Span deauthentication packets to the wireless clients. D. Set up another access point and perform an evil twin attack.

D. Set up another access point and perform an evil twin attack.

A customer adds a requirement to the scope of a penetration test that states activities can only occur during normal business hours. Which of the following BEST describes why this would be necessary? A. To meet PCI DSS testing requirements B. For testing of the customer's SLA with the ISP C. Because of concerns regarding bandwidth limitations D. To ensure someone is available if something goes wrong

D. To ensure someone is available if something goes wrong

Deconfliction is necessary when the penetration test: A. determines that proprietary information is being stored in cleartext. B. occurs during the monthly vulnerability scanning. C. uncovers indicators of prior compromise over the course of the assessment. D. proceeds in parallel with a criminal digital forensic investigation.

D. proceeds in parallel with a criminal digital forensic investigation.

