CSIT 188 Midterm
Which view of the weaknesses defined by CWE focuses on supporting their academic study, largely ignoring means of detection, their location in a given code sample, and when they tend to be introduced in the software development cycle? A. Research concepts B. Architectural concepts C. Programming concepts D. Development concepts
A. Research concepts
Which of the following is not a commonly reported theme or issue in vulnerability scan results? A. Observations B. Exploits C. Vulnerabilities D. Failure to apply industry best practices
B. Exploits
Which of the following is not a vulnerability scanner a penetration tester might use? A. Nexpose B. Hashcat C. QualysGuard D. Nessus
B. Hashcat
You have been contracted for a penetration test by a private aerospace corporation. The client has requested that you begin your assessment of their environment with no information that cannot be obtained via open source methods beyond a list of in-scope networks and subnets. What testing methodology is most likely desired by this client? A. Black box B. White box C. Gray box D. Red team
A. Black box
In a penetration test, it often occurs that a great deal of information pertinent to attacking target systems and goals is provided to the penetration tester. Which of the following are often provided by the target organization? (Choose two.) A. IP addresses B. Live usernames C. Domain names D. Administrator passwords for the Exchange and Active Directory servers
A. IP addresses C. Domain names
Developed by Rapid7, which commercially available vulnerability scanner features a web-based user interface and allows users to execute both credentialed and noncredentialed scans? A. Nexpose B. Nikto C. W3AF D. OpenVAS
A. Nexpose
An organization's __________ determines if it is financially possible to support a penetration test. A. budget B. timeline C. technical constraints D. industry type
A. budget
Which command (valid in both *nix and Windows) can resolve a domain name to its IP address? A. nslookup B. ping C. dig D. host
A. nslookup
Which of the following is an identifier provided for CWE entries? A. Weakness ID B. Modes of introduction C. Likelihood of exploit D. Answers A, B, and C
D. Answers A, B, and C
Elaine wants to ensure that the limitations of her red-team penetration test are fully explained. Which of the following are valid disclaimers for her agreement? (Choose two.) A. Risk tolerance B. Point-in-time C. Comprehensiveness D. Impact tolerance
B, C. Both the comprehensiveness of the test and the limitation that it is only relevant at the point in time it is conducted are appropriate disclaimers for Elaine to include. The risk and impact tolerance of the organization being assessed should be used to define the scope and rules of engagement for the assessment.
In the following command, which flag is responsible for saving output to both XML and HTML files? theharvester -d example.com -b google -f foo -v -n A. -v B. -f C. -n D. -b
B. -f
What type of legal agreement typically covers sensitive data and information that a penetration tester may encounter while performing an assessment? A. A noncompete B. An NDA C. A data security agreement D. A DSA
B. A nondisclosure agreement, or NDA, covers the data and other information that a penetration tester may encounter or discover during their work. It acts as a legal agreement preventing disclosure of that information.
Alex wants to use rainbow tables against a password file she has captured. How do rainbow tables crack passwords? A. Un-hashing the passwords B. Comparing hashes to identify known values C. Decrypting the passwords D. Brute-force testing of hashes
B. Comparing hashes to identify known values
Which recon-ng command can be used to identify available modules for intelligence collection? A. show workspaces B. show modules C. use modules D. set modules
B. show modules
Which of the following is not an issue to consider when performing a vulnerability scan? A. Services and protocols known to be in use in the environment B. Bandwidth limitations C. Overall topology of the network in question D. The public reputation of the developers of the software or operating system being tested
D. The public reputation of the developers of the software or operating system being tested
Tom is running a penetration test in a web application and discovers a flaw that allows him to shut down the web server remotely. What goal of penetration testing has Tom most directly achieved? A. Disclosure B. Integrity C. Alteration D. Denial
D. Tom's attack achieved the goal of denial by shutting down the web server and preventing legitimate users from accessing it.
When used as part of a search through theharvester, what will be the effect of the -c flag? A. A DNS brute-force search will be conducted for the domain name provided B. A simple declaration of the domain or company name for which to search. C. A reverse DNS query will be run for all discovered ranges. D. Identified hosts will be cross-referenced with the Shodan database.
A. A DNS brute-force search will be conducted for the domain name provided
Tara recently analyzed the results of a vulnerability scan report and found that a vulnerability reported by the scanner did not exist because the system was actually patched as specified. What type of error occurred? A. False positive B. False negative C. True positive D. True negative
A. A false positive error occurs when the vulnerability scanner reports a vulnerability that does not actually exist.
What does an MSA typically include? A. The terms that will govern future agreements B. Mutual support during assessments C. Micro-services architecture D. The minimum service level acceptable
A. A master services agreement (MSA) is a contract that defines the terms under which future work will be completed. Specific work is then typically handled under a statement of work or SOW.
What type of assessment most closely simulates an actual attacker's efforts? A. A red-team assessment with a black box strategy B. A goals-based assessment with a white box strategy C. A red-team assessment with a crystal box strategy D. A compliance-based assessment with a black box strategy
A. A red-team assessment actively seeks to act like an attacker, and a black box strategy means the attacker has no foreknowledge or information about the organization. This best simulates an actual attacker's efforts to penetrate an organization's security.
Which of the following is an example of an observation typical of those detailed in the results of a vulnerability scan? A. OS fingerprinting reveals a system running Windows XP SP2, suggesting susceptibility to MS08-067. B. A web application's robots.txt file specifically denies all access to the /cgi-bin/ directory. C. HTTP Strict Transport Security is not enabled on a system web application. D. SSLv2 and v3 found to be enabled.
B. A web application's robots.txt file specifically denies all access to the /cgi-bin/ directory.
Adam is conducting a penetration test of an organization and is reviewing the source code of an application for vulnerabilities. What type of code testing is Adam conducting? A. Mutation testing B. Static code analysis C. Dynamic code analysis D. Fuzzing
B. Adam is conducting static code analysis by reviewing the source code. Dynamic code analysis requires running the program, and both mutation testing and fuzzing are types of dynamic analysis.
Which of the following is an example of static application analysis? A. Scanning a running web application with Nikto and dirbuster to identify potential flaws B. Analyzing the written code for an application outside of an actively running instance C. Using Burp to crawl through the user interface for a web application D. Fuzzing a running web application with garbage input to assess the application's reaction
B. Analyzing the written code for an application outside of an actively running instance
Cameron runs the following command via an administrative shell on a Windows system he has compromised. What has he accomplished? $command = 'cmd /c powershell.exe -c Set-WSManQuickConfig -Force;Set-Item WSMan:\localhost\Service\Auth\Basic -Value $True;Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $True;Register-PSSessionConfiguration -Name Microsoft.PowerShell -Force' A. He has enabled PowerShell for local users. B. He has set up PSRemoting. C. He has disabled remote command-line access. D. He has set up WSMan.
B. Cameron has enabled PowerShell remote access, known as PSRemoting, and has configured it to allow unencrypted sessions using basic auth. This configuration should worry any Windows administrator who finds it!
Charles uses the following hping command to send traffic to a remote system. hping remotesite.com -S -V -p 80 What type of traffic will the remote system see? A. HTTP traffic to TCP port 80 B. TCP SYNs to TCP port 80 C. HTTPS traffic to TCP port 80 D. A TCP three-way handshake to TCP port 80
B. Charles has issued a command that asks hping to send SYN traffic (-S) in verbose mode (-V) to remotesite.com on port 80.
The National Institute of Standards and Technology (NIST) maintains what public resource for analysis on vulnerabilities published to the CVE dictionary, using the Common Vulnerability Scoring System (CVSS)? A. Full Disclosure B. National Vulnerability Database (NVD) C. CWE D. OWASP
B. National Vulnerability Database (NVD)
Which of the following resources would be best to consult if you encounter difficulty while data mining for a penetration test? A. Shodan B. OSINT Framework C. dig D. theharvester
B. OSINT Framework
Which static web page is focused on information gathering, providing web links and resources that can be used during the reconnaissance process, and can greatly aid penetration testers in the data-mining process? A. Maltego B. OSINT Framework C. Shodan D. Censys
B. OSINT Framework
After gaining access to a Linux system through a vulnerable service, Cassandra wants to list all of the user accounts on the system and their home directories. Which of the following locations will provide this list? A. /etc/shadow B. /etc/passwd C. /var/usr D. /home
B. On most Linux systems, the /etc/passwd file will contain a list of users as well as their home directories. Capturing both /etc/passwd and /etc/shadow is important for password cracking, making both desirable targets for penetration testers.
What is the process of assessing a target to collect preliminary knowledge about systems, software, networks, or people without directly engaging the target or its assets? A. Reconnaissance B. Passive information gathering C. Web searching D. Active information gathering
B. Passive information gathering
Alice discovers a rating that her vulnerability scanner lists as 9.3 out of 10 on its severity scale. The service that is identified runs on TCP 445. What type of exploit is Alice most likely to use on this service? A. SQL injection B. SMB exploit C. CGI exploit D. MIB exploit
B. TCP 445 is a service port typically associated with SMB services.
Which of the following is not a publicly accessible list used for vulnerability research and analysis? A. Common Vulnerabilities and Exposures (CVE) B. The Japan Computer Emergency Response Team (JPCERT) C. Common Weakness Enumeration (CWE) D. Common Attack Pattern Enumeration and Classification (CAPEC)
B. The Japan Computer Emergency Response Team (JPCERT)
If Charles wants to build a list of additional system user accounts, which of the vulnerabilities is most likely to deliver that information? A. The Ruby on Rails vulnerability B. The OpenSSH vulnerability C. The MySQL vulnerability D. Both the OpenSSH and MySQL vulnerabilities
B. The OpenSSH vulnerability specifically notes that it allows user enumeration, making this the best bet for what Charles wants to accomplish.
While footprinting an organization for a penetration test, you discover that a service it relies on uses FTP across port 14147 for data transfers. How could you refine a Shodan search to only reveal FTP servers on that port? A. FTP port 14147 B. FTP:14147 C. FTP port:14147 D. FTP;port 14147
C. FTP port:14147
Android is an open-source operating system developed by Google and based on what operating system family? A. AIX B. Windows C. Linux D. HP-UX
C. Linux
Which of the following is an example of a vulnerability identification that is typical of those detailed in the results of a vulnerability scan? A. Software version numbers revealed during scanning. B. HTTP Strict Transport Security is not enabled on a system web application. C. OS fingerprinting reveals a system running Windows XP SP2, suggesting susceptibility to MS08-067. D. SSLv2 and v3 found to be enabled.
C. OS fingerprinting reveals a system running Windows XP SP2, suggesting susceptibility to MS08-067.
In addition to serving as a method of policy compliance evaluation, __________ is a method for using specific standards for automated discovery and measurement of vulnerabilities. A. HIPAA B. FISMA C. SCAP D. PCI DSS
C. SCAP
A red team assessment is typically conducted in a manner consistent with what type of threat actor? A. Hacktivist B. Insider threat C. Script kiddie D. Advanced persistent threat
D. Advanced persistent threat
Renee is configuring her vulnerability management solution to perform credentialed scans of servers on her network. What type of account should she provide to the scanner? A. Domain administrator B. Local administrator C. Root D. Read-only
D. Credentialed scans only require read-only access to target servers. Renee should follow the principle of least privilege and limit the access available to the scanner.
Domain registration information returned on a WHOIS search does not include which of the following? A. Domain administrator e-mail B. Domain administrator fax C. Domain administrator organization D. Domain administrator GPS coordinates
D. Domain administrator GPS coordinates
What technique is being used in the following command: host -t axfr domain.com dns1.domain.com A. DNS query B. Nslookup C. Dig scan D. Zone transfer
D. The axfr flag indicates a zone transfer in both dig and host utilities.
Which one of the following tools is NOT a password cracking utility? A. OWASP ZAP B. Cain and Abel C. Hashcat D. Jack the Ripper
A. Cain and Abel, Hashcat, and Jack the Ripper are all password cracking utilities. OWASP ZAP is a web proxy tool.
What approach to vulnerability scanning incorporates information from agents running on the target servers? A. Continuous monitoring B. Ongoing scanning C. On-demand scanning D. Alerting
A. Continuous monitoring incorporates data from agent-based approaches to vulnerability detection and reports security-related configuration changes to the vulnerability management platform as soon as they occur, providing the ability to analyze those changes for potential vulnerabilities.
Rich recently got into trouble with a client for using an attack tool during a penetration test that caused a system outage. During what stage of the penetration testing process should Rich and his clients have agreed upon the tools and techniques that he would use during the test? A. Planning and Scoping B. Information Gathering and Vulnerability Identification C. Attacking and Exploiting D. Reporting and Communication Results
A. During the Planning and Scoping phase, penetration testers and their clients should agree upon the rules of engagement for the test. This should result in a written statement of work that clearly outlines the activities authorized during the penetration test.
Which one of the following technologies, when used within an organization, is the LEAST likely to interfere with vulnerability scanning results achieved by external penetration testers? A. Encryption B. Firewall C. Containerization D. Intrusion prevention system
A. Encryption technology is unlikely to have any effect on the results of vulnerability scans because it does not change the services exposed by a system. Firewalls and intrusion prevention systems may block inbound scanning traffic before it reaches target systems. Containerized and virtualized environments may prevent external scanners from seeing services exposed within the containerized or virtualized environment.
Angela recovered a PNG image during the early intelligence-gathering phase of a penetration test and wants to examine it for useful metadata. What tool could she most successfully use to do this? A. ExifTool B. Grep C. PsTools D. Nginx
A. Exiftool is designed to pull metadata from images and other files. Grep may be useful to search for specific text in a file, but won't pull the range of possible metadata from the file. PsTools is a Windows Sysinternals package that includes a variety of process-oriented tools. Nginx is a web server, load balancer, and multipurpose application services stack.
After running an Nmap scan of a system, Lauren discovers that TCP ports 139, 443, and 3389 are open. What operating system is she most likely to discover running on the system? A. Windows B. Android C. Linux D. iOS
A. Lauren knows that TCP ports 139, 445, and 3389 are all commonly used for Windows services. While they could be open on a Linux, Android, or iOS device, Windows is her best bet.
Which one of the following tools is an exploitation framework commonly used by penetration testers? A. Metasploit B. Wireshark C. Aircrack-ng D. SET
A. Metasploit is the most popular exploitation framework used by penetration testers. Wireshark is a protocol analyzer. Aircrack-ng is a wireless network security testing tool. The Social Engineer's Toolkit (SET) is a framework for conducting social engineering attacks.
Which one of the following debugging tools does not support Windows systems? A. GDB B. OllyDbg C. WinDbg D. IDA
A. OllyDbg, WinDbg, and IDA are all debugging tools that support Windows environments. GDB is a Linux-specific debugging tool.
Charles runs an Nmap scan using the following command: nmap -sT -sV -T2 -p 1-65535 example.com After watching the scan run for over two hours, he realizes that he needs to optimize the scan. Which of the following is not a useful way to speed up his scan? A. Only scan via UDP to improve speed. B. Change the scan timing to 3 or faster. C. Change to a SYN scan. D. Use the default port list.
A. Only scanning via UDP will miss any TCP services. Since the great majority of services in use today are provided as TCP services, this would not be a useful way to conduct the scan. Setting the scan to faster timing (3 or faster), changing from a TCP connect scan to a TCP SYN scan, or limiting the number of ports tested are all valid ways to speed up a scan. Charles needs to remain aware of what those changes can mean, as a fast scan may be detected or cause greater load on a network, and scanning fewer ports may miss some ports.
Edward Snowden gathered a massive quantity of sensitive information from the National Security Agency and released it to the media. What type of attack did he wage? A. Disclosure B. Denial C. Alteration D. Availability
A. Snowden released sensitive information to individuals and groups who were not authorized to access that information. That is an example of a disclosure attack.
Jessica is reading reports from vulnerability scans run by different parts of her organization using different products. She is responsible for assigning remediation resources and is having difficulty prioritizing issues from different sources. What SCAP component can help Jessica with this task? A. CVSS B. CVE C. CPE D. XCCDF
A. The Common Vulnerability Scoring System (CVSS) provides a standardized approach for measuring and describing the severity of security vulnerabilities. Jessica could use this scoring system to prioritize issues raised by different source systems.
In what type of attack does the attacker seek to gain access to resources assigned to a different virtual machine? A. VM escape B. Management interface brute force C. LDAP injection D. DNS amplification
A. VM escape vulnerabilities are the most serious issue that can exist in a virtualized environment, particularly when a virtual host runs systems of differing security levels. In an escape attack, the attacker has access to a single virtual host and then manages to leverage that access to intrude on the resources assigned to a different virtual machine.
Tom is reviewing a vulnerability scan report and finds that one of the servers on his network suffers from an internal IP address disclosure vulnerability. What protocol is likely in use on this network that resulted in this vulnerability? A. TLS B. NAT C. SSH D. VPN
B. Although the network can support any of these protocols, internal IP disclosure vulnerabilities occur when a network uses Network Address Translation (NAT) to map public and private IP addresses but a server inadvertently discloses its private IP address to remote systems.
The penetration testing agreement document that Greg asks his clients to sign includes a statement that the assessment is valid only at the point in time at which it occurs. Why does he include this language? A. His testing may create changes. B. The environment is unlikely to be the same in the future. C. Attackers may use the same flaws to change the environment. D. The test will not be fully comprehensive.
B. Assessments are valid only when they occur. Systems change due to patches, user changes, and configuration changes on a constant basis. Greg's point-in-time validity statement is a key element in penetration testing engagement contracts.
Brian ran a penetration test against a school's grading system and discovered a flaw that would allow students to alter their grades by exploiting a SQL injection vulnerability. What type of control should he recommend to the school's cybersecurity team to prevent students from engaging in this type of activity? A. Confidentiality B. Integrity C. Alteration D. Availability
B. By allowing students to change their own grades, this vulnerability provides a pathway to unauthorized alteration of information. Brian should recommend that the school deploy integrity controls that prevent unauthorized modifications.
Which one of the following conditions would not result in a certificate warning during a vulnerability scan of a web server? A. Use of an untrusted CA B. Inclusion of a public encryption key C. Expiration of the certificate D. Mismatch in certificate name
B. Digital certificates are intended to provide public encryption keys, and this would not cause an error. The other circumstances are all causes for concern and would trigger an alert during a vulnerability scan.
Alan is creating a list of recommendations that his organization can follow to remediate issues identified during a penetration test. In what phase of the testing process is Alan participating? A. Planning and Scoping B. Reporting and Communicating Results C. Attacking and Exploiting D. Information Gathering and Vulnerability Identification
B. During the final stage of a penetration test, Reporting and Communicating Results, the testers provide mitigation strategies for issues identified during the test.
Which one of the following is not a common source of information that may be correlated with vulnerability scan results? A. Logs B. Database tables C. SIEM D. Configuration management system
B. It is unlikely that a database table would contain information relevant to assessing a vulnerability scan report. Logs, SIEM reports, and configuration management systems are much more likely to contain relevant information.
After running an SNMP sweep, Greg finds that he didn't receive any results. If he knows there are no network protection devices in place and that there are devices that should respond to SNMP queries, what problem does he most likely have? A. The SNMP private string is set. B. There is an incorrect community string. C. SNMP only works on port 25. D. SNMP sweeps require the network to support broadcast traffic.
B. Most modern SNMP deployments use a non-default community string. If Greg does not have the correct community string, he will not receive the information he is looking for. If port 25 looked like an attractive answer, you're likely thinking of SMTP. Having an SNMP private string set will not stop Greg's query if he has the proper community string, but not having the right community string will!
Why would a penetration tester look for expired certificates as part of an information-gathering and enumeration exercise? A. They indicate improper encryption, allowing easy decryption of traffic. B. They indicate services that may not be properly updated or managed. C. Attackers install expired certificates to allow easy access to systems. D. Penetration testers will not look for expired certificates; they only indicate procedural issues.
B. Penetration testers are always on the lookout for indicators of improper maintenance. Lazy or inattentive administrators are more likely to make mistakes that allow penetration testers in!
Sarah is conducting a penetration test and discovers a critical vulnerability in an application. What should she do next? A. Report the vulnerability to the client's IT manager B. Consult the SOW C. Report the vulnerability to the developer D. Exploit the vulnerability
B. Penetration testers should always consult the statement of work (SOW) for guidance on how to handle situations where they discover critical vulnerabilities. The SOW may require reporting these issues to management immediately, or it may allow the continuation of the test exploiting the vulnerability.
Which one of the following is NOT a reason to conduct periodic penetration tests of systems and applications? A. Changes in the environment B. Cost C. Evolving threats D. New team members
B. Repeating penetration tests periodically does not provide cost benefits to the organization. In fact, it incurs costs. However, penetration tests should be repeated because they can detect issues that arise due to changes in the tested environment and the evolving threat landscape. The use of new team members also increases the independence and value of subsequent tests.
What type of adversary is most likely to use only prewritten tools for their attacks? A. APTs B. Script kiddies C. Hacktivists D. Organized crime
B. Script kiddies are most likely to only use prebuilt attack tools and techniques. More advanced threats will customize existing tools or even build entirely new tools and techniques to compromise a target.
Which one of the following metrics is not included in the calculation of the CVSS exploitability score? A. Access vector B. Vulnerability age C. Access complexity D. Authentication
B. The CVSS exploitability score is computed using the access vector, access complexity, and authentication metrics.
Which one of the following steps of the Cyber Kill Chain does not map to the Attacking and Exploiting stage of the penetration testing process? A. Weaponization B. Reconnaissance C. Installation D. Actions on Objectives
B. The Reconnaissance stage of the Cyber Kill Chain maps to the Information Gathering and Vulnerability Identification step of the penetration testing process. The remaining six steps of the Cyber Kill Chain all map to the Attacking and Exploiting phase of the penetration testing process.
Which of the following Nmap output formats is unlikely to be useful for a penetration tester? A. -oA B. -oS C. -oG D. -oX
B. The Script Kiddie output format that Nmap supports is entirely for fun—you should never have a practical need to use the -oS flag for an actual penetration test.
During an early phase of his penetration test, Mike recovers a binary executable file that he wants to quickly analyze for useful information. Which of the following tools will quickly give him a view of potentially useful information in the binary? A. NETCAT B. strings C. Hashmod D. Eclipse
B. The strings command parses a file for strings of text and outputs them. It is often useful for analyzing binary files, since you can quickly check for useful information with a single quick command-line tool. NETCAT, while often called a pen-tester's Swiss Army knife, isn't useful for this type of analysis. Eclipse is an IDE and would be useful for editing code or for managing a full decompiler in some cases.
What term describes an organization's willingness to tolerate risk in their computing environment? A. Risk landscape B. Risk appetite C. Risk level D. Risk adaptation
B. The organization's risk appetite is its willingness to tolerate risk within the environment. If an organization is extremely risk averse, it may choose to conduct scans more frequently to minimize the amount of time between when a vulnerability comes into existence and when it is detected by a scan.
What does a result of * * * mean during a traceroute? A. No route to host. B. All hosts queried. C. No response to the query, perhaps a timeout, but traffic is going through. D. A firewall is blocking responses.
C. A series of three asterisks during a traceroute means that the host query has failed but traffic is passing through. Many hosts are configured to not respond to this type of traffic but will route traffic properly.
What term describes a document created to define project-specific activities, deliverables, and timelines based on an existing contract? A. NDA B. MSA C. SOW D. MOD
C. A statement of work covers the working agreement between two parties and is used in addition to an existing contract or master services agreement (MSA). An NDA is a nondisclosure agreement, and the acronym MOD was made up for this question.
Which one of the following values for the CVSS access complexity metric would indicate that the specified attack is simplest to exploit? A. High B. Medium C. Low D. Severe
C. An access complexity of Low indicates that exploiting the vulnerability does not require any specialized conditions.
Grace is investigating a security incident where the attackers left USB drives containing infected files in the parking lot of an office building. What stage in the Cyber Kill Chain describes this action? A. Weaponization B. Installation C. Delivery D. Command and Control
C. Distributing infected media (or leaving it in a location where it is likely to be found) is an example of the Delivery phase of the Cyber Kill Chain. The process moves from Delivery into Installation if a user executes the malware on the device.
What is the final stage of the Cyber Kill Chain? A. Weaponization B. Installation C. Actions on Objectives D. Command and Control
C. During the Actions on Objectives stage, the attacker carries out the activities that were the purpose of the attack. As such, it is the final stage in the chain.
During the scoping phase of a penetration test, Lauren is provided with the IP range of the systems she will test, as well as information about what the systems run, but she does not receive a full network diagram. What type of assessment is she most likely conducting? A. A white box assessment B. A crystal box assessment C. A gray box assessment D. A black box assessment
C. Lauren has limited information about her target, which means she is likely conducting a gray box assessment. If she had full knowledge, she would be conducting a white, or crystal, box assessment. If she had no knowledge, it would be a black box assessment.
Which one of the following security assessment tools is not commonly used during the Information Gathering and Vulnerability Identification phase of a penetration test? A. Nmap B. Nessus C. Metasploit D. Nslookup
C. Nmap is a port scanning tool used to enumerate open network ports on a system. Nessus is a vulnerability scanner designed to detect security issues on a system. Nslookup is a DNS information gathering utility. All three of these tools may be used to gather information and detect vulnerabilities. Metasploit is an exploitation framework used to execute an attack and would be better suited for the Attacking and Exploiting phase of a penetration test.
Ryan is planning to conduct a vulnerability scan of a business-critical system using dangerous plug-ins. What would be the best approach for the initial scan? A. Run the scan against production systems to achieve the most realistic results possible. B. Run the scan during business hours. C. Run the scan in a test environment. D. Do not run the scan to avoid disrupting the business.
C. Ryan should first run his scan against a test environment to identify likely vulnerabilities and assess whether the scan itself might disrupt business activities.
Ryan is conducting a penetration test and is targeting a database server. Which one of the following tools would best assist him in detecting vulnerabilities on that server? A. Nessus B. Nikto C. Sqlmap D. OpenVAS
C. Sqlmap is a dedicated database vulnerability scanner and is the most appropriate tool for use in this scenario. Ryan might discover the same vulnerabilities using the general-purpose Nessus or OpenVAS scanners, but they are not dedicated database vulnerability scanning tools. Nikto is a web application vulnerability scanner.
Chris runs an Nmap scan of the 10.10.0.0/16 network that his employer uses as an internal network range for the entire organization. If he uses the -T0 flag, what issue is he likely to encounter? A. The scan will terminate when the host count reaches 0. B. The scan will not scan IP addresses in the .0 network. C. The scan will progress at a very slow speed. D. The scan will only scan for TCP services.
C. The -T flag in Nmap is used to set scan timing. Timing settings range from 0 (paranoid) to 5 (insane). By default, it operates at 3, or normal. With timing set to a very slow speed, Chris will run his scan for a very, very long time on a /16 network.
Jack is conducting a penetration test for a customer in Japan. What NIC is he most likely to need to check for information about his client's networks? A. RIPE B. ARIN C. APNIC D. LACNIC
C. The Asia Pacific NIC covers Asia, Australia, New Zealand, and other countries in the region. RIPE covers central Asia, Europe, the Middle East, and Russia, and ARIN covers the United States, Canada, parts of the Caribbean region, and Antarctica.
During what phase of the Cyber Kill Chain does an attacker steal information, use computing resources, or alter information without permission? A. Weaponization B. Installation C. Actions on Objectives D. Command and Control
C. The attacker carries out their original intentions to violate the confidentiality, integrity, and/or availability of information or systems during the Actions on Objectives stage of the Cyber Kill Chain.
Which one of the CVSS metrics would contain information about the number of times an attacker must successfully authenticate to execute an attack? A. AV B. C C. Au D. AC
C. The authentication metric describes the authentication hurdles that an attacker would need to clear to exploit a vulnerability.
While performing an on-site penetration test, Cassandra plugs her laptop into an accessible network jack. When she attempts to connect, however, she does not receive an IP address and gets no network connectivity. She knows that the port was working previously. What technology has her target most likely deployed? A. Jack whitelisting B. Jack blacklisting C. NAC D. 802.15
C. The organization that Cassandra is testing has likely deployed network access control, or NAC. Her system will not have the proper NAC client installed, and she will be unable to access that network jack without authenticating and having her system approved by the NAC system.
Kevin recently identified a new security vulnerability and computed its CVSSv2 base score as 6.5. Which risk category would this vulnerability fall into? A. Low B. Medium C. High D. Critical
C. Vulnerabilities with a CVSSv2 score higher than 6.0 but less than 10.0 fall into the High risk category.
Which one of the following activities is not part of the vulnerability management life cycle? A. Detection B. Remediation C. Reporting D. Testing
C. While reporting and communication are important parts of vulnerability management, they are not included in the life cycle. The three life-cycle phases are detection, remediation, and testing.
Charles has completed the scoping exercise for his penetration test and has signed the agreement with his client. Whose signature should be expected as the counter signature? A. The information security officer B. The project sponsor C. The proper signing authority D. An administrative assistant
C. While the ISO or the sponsor may be the proper signing authority, it is important that Charles verify that the person who signs actually is the organization's proper signing authority. That means this person must have the authority to commit the organization to a penetration test. Unfortunately, it isn't a legal term, so Charles may have to do some homework with his project sponsor to ensure that this happens correctly.
Which one of the following is not an open-source intelligence gathering tool? A. WHOIS B. Nslookup C. Nessus D. FOCA
C. Whois and Nslookup are tools used to gather information about domains and IP addresses. Foca is used to harvest information from files. All three of those tools are OSINT tools. Nessus is a commercial vulnerability scanner.
Which of the following tools provides information about a domain's registrar and physical location? A. Nslookup B. Host C. WHOIS D. Traceroute
C. Whois provides information that can include the organization's physical address, registrar, contact information, and other details. Nslookup will provide IP address or hostname information, while Host provides IPv4 and IPv6 addresses as well as email service information. Traceroute attempts to identify the path to a remote host as well as the systems along the route.
Gary is conducting a black box penetration test against an organization and is gathering vulnerability scanning results for use in his tests. Which one of the following scans is most likely to provide him with helpful information within the bounds of his test? A. Stealth internal scan B. Full internal scan C. Stealth external scan D. Full external scan
D. A full scan is likely to provide more useful and actionable results because it includes more tests. There is no requirement in the scenario that Gary avoid detection, so a stealth scan is not necessary. However, this is a black box test, so it would not be appropriate for Gary to have access to scans conducted on the internal network.
What type of penetration test is not aimed at identifying as many vulnerabilities as possible and instead focuses on vulnerabilities that specifically align with the goals of gaining control of specific systems or data? A. An objectives-based assessment B. A compliance-based assessment C. A black-team assessment D. A red-team assessment
D. A red-team assessment is intended to simulate an actual attack or penetration, and testers will focus on finding ways in and maximizing access rather than comprehensively identifying and testing all the vulnerabilities and flaws that they can find.
John has gained access to a system that he wants to use to gather more information about other hosts in its local subnet. He wants to perform a port scan but cannot install other tools to do so. Which of the following tools isn't usable as a port scanner? A. Hping B. NETCAT C. Telnet D. ExifTool
D. All of these tools except ExifTool are usable as port scanners with some clever usage. Hping: hping example.com -V --scan 1-1024; NETCAT: nc -zv example.com 1-2014; Telnet: Telnet to each port, looking for a blank screen.
Which one of the following values for the confidentiality, integrity, or availability CVSS metric would indicate the potential for total compromise of a system? A. N B. A C. P D. C
D. If any of these measures is marked as C, for Complete, it indicates the potential for a complete compromise of the system.
Monica discovers that an attacker posted a message attacking users who visit a web forum that she manages. Which one of the following attack types is most likely to have occurred? A. SQL injection B. Malware injection C. LDAP injection D. Cross-site scripting
D. In a cross-site scripting (XSS) attack, an attacker embeds scripting commands on a website that will later be executed by an unsuspecting visitor accessing the site. The idea is to trick a user visiting a trusted site into executing malicious code placed there by an untrusted third party.
Which one of the following vulnerability scanners is specifically designed to test the security of web applications against a wide variety of attacks? A. OpenVAS B. Nessus C. sqlmap D. Nikto
D. Nikto is an open-source web application security assessment tool. Sqlmap does test web applications, but it only tests for SQL injection vulnerabilities. OpenVAS and Nessus are general-purpose vulnerability scanners. While they can detect web application security issues, they are not specifically designed for that purpose.
Tonya is configuring vulnerability scans for a system that is subject to the PCI DSS compliance standard. What is the minimum frequency with which she must conduct scans? A. Daily B. Weekly C. Monthly D. Quarterly
D. PCI DSS requires that organizations conduct vulnerability scans on at least a quarterly basis, although many organizations choose to conduct scans much more frequently.
Which one of the following protocols should never be used on a public network? A. SSH B. HTTPS C. SFTP D. Telnet
D. Telnet is an insecure protocol that does not make use of encryption. The other protocols mentioned are all considered secure.
During a penetration test, Alex discovers that he is unable to scan a server that he was able to successfully scan earlier in the day from the same IP address. What has most likely happened? A. His IP address was whitelisted. B. The server crashed. C. The network is down. D. His IP address was blacklisted.
D. The IP address or network that Alex is sending his traffic from was most likely blacklisted as part of the target organization's defensive practices. A whitelist would allow him in, and it is far less likely that the server or network has gone down.
Lucas has been hired to conduct a penetration test of an organization that processes credit cards. His work will follow the recommendations of the PCI DSS. What type of assessment is Lucas conducting? A. An objectives-based assessment B. A red-team assessment C. A black-team assessment D. A compliance-based assessment
D. The PCI DSS standard is an industry standard for compliance for credit card processing organizations. Thus, Lucas is conducting a compliance-based assessment.
Steve is working from an un-privileged user account that was obtained as part of a penetration test. He has discovered that the host he is on has Nmap installed and wants to scan other hosts in his subnet to identify potential targets as part of a pivot attempt. What Nmap flag is he likely to have to use to successfully scan hosts from this account? A. -sV B. -u C. -oA D. -sT
D. The TCP connect scan is often used when an un-privileged account is the tester's only option. Linux systems typically won't allow an un-privileged account to have direct access to create packets, but they will allow accounts to send traffic. Steve probably won't be able to use a TCP SYN scan, but a connect scan is likely to work. The other flags shown are for version testing (-sV) and output type selection (-oA), and -u doesn't do anything at all.
What is the full range of ports that a UDP service can run on? A. 1-1024 B. 1-16,383 C. 1-32,767 D. 1-65,535
D. The full range of ports available to both TCP and UDP services is 1-65,535. While port 0 exists, it is a reserved port and shouldn't be used.
What is the most recent version of CVSS that is currently available? A. 1.0 B. 2.0 C. 2.5 D. 3.0
D. Version 3.0 of CVSS is currently available but is not as widely used as the more common CVSS version 2.0.
Which HTTP status code family is used to indicate a successful operation? A. 2XX B. 1XX C. 3XX D. 5XX
A. 2XX
Which of the following threat actors is the most dangerous based on the adversary tier list? A. APTs B. Hacktivists C. Insider threats D. Organized crime
A. Advanced persistent threats are often nation state-sponsored organizations with significant resources and capabilities. They provide the highest level of threat on the adversary tier list.
What tool can white box penetration testers use to help identify the systems present on a network prior to conducting vulnerability scans? A. Asset inventory B. Web application assessment C. Router D. DLP
A. An asset inventory supplements automated tools with other information to detect systems present on a network. The asset inventory provides critical information for vulnerability scans. It is appropriate to share this information with penetration testers during a white box penetration test.
Which support resource details an organization’s network or software design and infrastructure as well as defines the relationships between those elements? A. Architecture diagram B. WADL C. XSD D. Engagement scope
A. Architecture diagram
Rick wants to look at the advertised routes to his target. What type of service should he look for to do this? A. A BGP looking glass B. A RIP-off C. An IGRP relay D. A BGP tunnel
A. BGP looking glasses are publicly available services that allow for route inspection. Rick should find a BGP looking glass service and query the routes for his target.
What penetration testing strategy is also known as 'zero knowledge' testing? A. Black box testing B. Grey box testing C. Red-team testing D. White box testing
A. Black box testing
What penetration testing strategy is also known as "zero knowledge" testing? A. Black box testing B. Grey box testing C. Red-team testing D. White box testing
A. Black box testing is often called "zero knowledge" testing because testers do not have any knowledge of the systems or their settings as they would with white box or even the limited knowledge provided by a gray box test.
Cynthia wants to find a Metasploit framework exploit that will not crash the remote service she is targeting. What ranking must the exploit she chooses meet or exceed to ensure this? A. Excellent B. Great C. Good D. Normal
A. Cynthia needs to use an exploit with a rating of Excellent, the highest level that Metasploit exploits can be ranked. Exploits that are lower than this level can run the risk of crashing a service.
Which password-cracking method leverages wordlists that are expanded with discovered real-world passwords as they are discovered? A. Dictionary attack B. Brute force C. Calling the owner of the account and posing as a member of the IT department to get them to reveal the password D. Rainbow tables
A. Dictionary attack
Alan is reviewing web server logs after an attack and finds many records that contain semi-colons and apostrophes in queries from end users. What type of attack should he suspect? A. SQL injection B. LDAP injection C. Cross-site scripting D. Buffer overflow
A. In a SQL injection attack, the attacker seeks to use a web application to gain access to an underlying database. Semicolons and apostrophes are characteristic of these attacks.
A company has been hacked, and several e-mails that are embarrassing to the CFO and potentially indicative of criminal activity on their part have been leaked to the press. Incident response has determined that only three user accounts accessed the organization’s mail server in the 24 hours immediately preceding the disclosure. One of these accounts was assigned to an employee who was fired two weeks before the incident. No other access to the system has been found by incident response. What type of threat actor should be considered a likely culprit for this breach first? A. Insider threat B. Advanced persistent threat (APT) C. Hacktivist D. Script kiddie
A. Insider threat
Matt wants to pivot from a Linux host to other hosts in the network but is unable to install additional tools beyond those found on a typical Linux server. How can he leverage the system he is on to allow vulnerability scans of those remote hosts if they are firewalled against inbound connections and protected from direct access from his penetration testing workstation? A. SSH tunneling B. NETCAT port forwarding C. Enable IPv6 D. Modify browser plug-ins
A. Matt can safely assume that almost any modern Linux system will have SSH, making SSH tunneling a legitimate option. If he connects outbound from the compromised system to his and creates a tunnel allowing traffic in, he can use his own vulnerability scanner through the tunnel to access the remote systems.
Which one of the following operating systems should be avoided on production networks? A. Windows Server 2003 B. Red Hat Enterprise Linux 7 C. CentOS 7 D. Ubuntu 16
A. Microsoft discontinued support for Windows Server 2003, and it is likely that the operating system contains unpatchable vulnerabilities.
The types of threats identified during the threat modeling process include which of the following? (Choose three.) A. Network threats B. Host threats C. Operating system threats D. Application threats
A. Network threats B. Host threats D. Application threats
Which of the following applications is most likely to be useful in exploit development? (Choose two.) A. OllyDBG B. WinDBG C. Patator D. Mimikatz
A. OllyDBG B. WinDBG
Which of the following is not a detail of CVEs maintained by the CVE Numbering Authority? A. PoC exploit code B. CVE ID C. Brief description of the vulnerability D. External references or advisories
A. PoC exploit code
Which attack tactic as detailed by MITRE's ATT&CK matrix details actions that may be used to obtain an additional level of permissions within a system? A. Privilege escalation B. Persistence C. Credentialed access D. Command and control
A. Privilege escalation
Which of the following is not a security weakness category as maintained by CWE? A. Programming concepts B. Development concepts C. Research concepts D. Architectural concepts
A. Programming concepts
Use the following scenario for questions 2 through 4. Charles has recently completed a vulnerability scan of a system, and needs to select the best vulnerability to exploit from the following listing: {Picture} Which of the entries should Charles prioritize from this list if he wants to gain access to the system? A. The Ruby on Rails vulnerability B. The OpenSSH vulnerability C. The MySQL vulnerability D. None of these; he should find another target.
A. The Ruby on Rails vulnerability is the only vulnerability that specifically mentions remote code execution, which is most likely to allow Charles to gain access to the system.
John wants to retain access to a Linux system. Which of the following is not a common method of maintaining persistence on Linux servers? A. Scheduled tasks B. Cron jobs C. Trojaned services D. Modified daemons
A. The Windows task schedule is used for scheduled tasks. On Linux, cron jobs are set to start applications and other events on time. Other common means of creating persistent access to Linux systems include modifying system daemons, replacing services with trojaned versions, or even simply creating user accounts for later use.
Which of the following is a major benefit of running a credentialed vulnerability scan over an uncredentialed scan? A. Uncredentialed vulnerability scans are known to more commonly produce false positives. B. Credentialed vulnerability scans more accurately represent real-world conditions when facing an outside threat actor. C. Uncredentialed vulnerability scans tend to reveal more issues, so credentialed scans are easier to report. D. Credentialed vulnerability scans are usually faster.
A. Uncredentialed vulnerability scans are known to more commonly produce false positives.
Which term is defined as a methodical approach used to validate the presence of a vulnerability on a target system? A. Vulnerability analysis B. Vulnerability scanning C. Scan validation D. Configuration validation
A. Vulnerability analysis
Which term describes the process of detailing identified security flaws and their locations? A. Vulnerability mapping B. Cross-compiling C. Cross-building D. Exploit modification
A. Vulnerability mapping
Mike discovers a number of information exposure vulnerabilities while preparing for the exploit phase of a penetration test. If he has not been able to identify user or service information beyond vulnerability details, what priority should he place on exploiting them? A. High priority; exploit early. B. Medium priority; exploit after other system and service exploits have been attempted. C. Low priority; only exploit if time permits. D. Do not exploit; information exposure exploits are not worth conducting.
A. While it may seem odd, exploiting information gathering exploits early can help provide useful information for other exploits. In addition, most information gathering exploits leave very little evidence and can provide information on service configurations and user accounts, making them a very useful tool in a situation like the scenario described.
Beth recently conducted a phishing attack against a penetration testing target in an attempt to gather credentials that she might use in later attacks. What stage of the penetration testing process is Beth in? A. Planning and Scoping B. Attacking and Exploiting C. Information Gathering and Vulnerability Identification D. Reporting and Communicating Results
B. Attacking and Exploiting
During a penetration test, you identify and harvest encrypted user passwords from a web application database. You do not have access to a rainbow table for the encryption algorithm used, and do not have any success with dictionary attacks. What remaining attack method—typically one of last resort—could you leverage as an attacker to attempt to decrypt the passwords you have harvested? A. Strategic guessing B. Brute force C. XSS D. CSRF
B. Brute force
Which vulnerability research and analysis resource consists of thousands of known attack patterns and methodologies, categorized by both the domain of attack and the mechanism of attack? It is focused on application security and describes common techniques used by adversaries in exploiting known weaknesses. A. CVE B. CAPEC C. CWE D. Full Disclosure
B. CAPEC
Susan's organization uses a technique that associates hosts with their public keys. What type of technique are they using? A. Key boxing B. Certificate pinning C. X.509 locking D. Public key privacy
B. Certificate pinning associates a host with an X.509 certificate or public key. The rest of the answers were made up!
What is the function of an organization's IT department in relation to a penetration test? A. Patching systems before the penetration testers can launch exploits B. Communication of security policies and remediation of incidental outages C. Providing penetration testers with software tools needed for the assessment D. Providing final, written authorization for the penetration test
B. Communication of security policies and remediation of incidental outages
Which free and GNU-licensed tool written for the Windows operating system family gathers information by scraping metadata from Microsoft Office documents, which can include usernames, e-mail addresses, and real names? A. Maltego B. FOCA C. recon-ng D. theharvester
B. FOCA
This key aspect of requirements management is the formal approach to assessing the potential pros and cons of pursuing a course of action. A. Executive management B. Impact analysis C. Scheduling D. Technical constraint identification
B. Impact analysis
The Dirty COW attack is an example of what type of vulnerability? A. Malicious code B. Privilege escalation C. Buffer overflow D. LDAP injection
B. In October 2016, security researchers announced the discovery of a Linux kernel vulnerability dubbed Dirty COW. This vulnerability, present in the Linux kernel for nine years, was extremely easy to exploit and provided successful attackers with administrative control of affected systems.
Which one of the following terms is not typically used to describe the connection of physical devices to a network? A. IoT B. IDS C. ICS D. SCADA
B. Intrusion detection systems (IDSs) are a security control used to detect network or host attacks. The Internet of Things (IoT), supervisory control and data acquisition (SCADA) systems, and industrial control systems (ICSs) are all associated with connecting physical world objects to a network.
Lauren has acquired a list of valid user accounts but does not have passwords for them. If she has not found any vulnerabilities but believes that the organization she is targeting has poor password practices, what type of attack can she use to try to gain access to a target system where those usernames are likely valid? A. Rainbow tables B. Dictionary attacks C. Thesaurus attacks D. Meterpreter
B. Lauren may want to try a brute-force dictionary attack to test for weak passwords. She should build a custom dictionary for her target organization, and she may want to do some social engineering work or social media assessment up front to help her identify any common password selection behaviors that members of the organization tend to display.
Which of the following is not a potential characteristic of weak authentication credentials? A. Password is a dictionary word B. Password is over 50 characters long with a large character set. C. Password length is less than eight characters total. D. Password is identical to username.
B. Password is over 50 characters long with a large character set.
Which one of the following is not an example of a vulnerability scanning tool? A. QualysGuard B. Snort C. Nessus D. OpenVAS
B. QualysGuard, Nessus, and OpenVAS are all examples of vulnerability scanning tools. Snort is an intrusion detection system.
Alex wants to use rainbow tables against a password file she has captured. How do rainbow tables crack passwords? A. Un-hashing the passwords B. Comparing hashes to identify known values C. Decrypting the passwords D. Brute-force testing of hashes
B. Rainbow tables are lists of pre-computed hashes for all possible passwords for a given set of password rules. Rainbow table tools compare hashes to the previously calculated hashes, which match to known password values. This is done via a relatively fast database lookup, allowing fast "cracking" of hashed passwords, even though hashes aren't reversible.
As defined by the OWASP Mobile Security Testing Guide, which core feature of iOS security architecture serves as a restricted area from which applications are executed? A. Hardware security B. Sandbox C. Secure Boot D. Encryption and data protection
B. Sandbox
You have been contracted to perform a penetration test for an organization. The initial meetings went well, and you have well-defined rules of engagement (ROE) and target-scoping documents. Two weeks later, you are asked if you can "squeeze in another /22 subnet" for the given assessment time frame. This is a potential example of: A. Impact analysis B. Scope creep C. Objective-based assessment D. Black box assessment
B. Scope creep
Which CAPEC-recognized domain of attack focuses on the manipulation of computer hardware and software within their respective lifecycles? A. Software B. Supply Chain C. Physical Security D. Communications
B. Supply Chain
Brian is seeking to determine the appropriate impact categorization for a federal information system as he plans the vulnerability scanning controls for that system. After consulting management, he discovers that the system contains information that, if disclosed improperly, would have a serious adverse impact on the organization. How should this system be categorized? A. Low impact B. Moderate impact C. High impact D. Severe impact
B. Systems have a moderate impact from a confidentiality perspective if the unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
Charles uses the following hping command to send traffic to a remote system: hping remotesite.com -S -V -p 80 What type of traffic will the remote system see? A. HTTP traffic to TCP port 80 B. TCP SYNs to TCP port 80 C. HTTPS traffic to TCP port 80 D. A TCP three-way handshake to TCP port 80
B. TCP SYNs to TCP port 80
Which of the following is not a benefit of performing vulnerability scanning during a penetration test? A. Aids penetration testers in prioritizing attack vectors for manual testing based on those most likely to produce findings B. Thorough review of application code outside of a running system for details on the vulnerability C. Assists in time management during a penetration test by automating vulnerability discovery D. Improves the overall quality of the penetration test and the resulting report by providing the penetration tester a sense of focus on higher priority (that is, higher risk) vulnerabilities
B. Thorough review of application code outside of a running system for details on the vulnerability
Which one of the following activities assumes that an organization has already been compromised? A. Penetration testing B. Threat hunting C. Vulnerability scanning D. Software testing
B. Threat hunting assumes that an organization has already been compromised and searches for signs of successful attacks.
What type of language is WSDL based on? A. HTML B. XML C. WSML D. DIML
B. Web Services Description Language is an XML-based language used to describe the functionality that a web service provides. XML is a common basis for many descriptive languages used for a variety of documents and service definitions that a penetration tester may encounter.
Beth recently conducted a phishing attack against a penetration testing target in an attempt to gather credentials that she might use in later attacks. What stage of the penetration testing process is Beth in? A. Planning and Scoping B. Attacking and Exploiting C. Information Gathering and Vulnerability Identification D. Reporting and Communication Results
B. While Beth is indeed gathering information during a phishing attack, she is conducting an active social engineering attack. This moves beyond the activities of Information Gathering and Vulnerability Identification and moves into the realm of Attacking and Exploiting.
During what phase of the Cyber Kill Chain does an attacker steal information, use computing resources, or alter information without permission? A. Weaponization B. Installation C. Actions on Objectives D. Command and Control
C. Actions on Objectives
Open-source intelligence (OSINT) collection frameworks are used to effectively manage sources of collected information. Which of the following best describes open-source intelligence? A. Company documentation labeled "Confidential" on an internal company storage share requiring authentication B. Press release drafts found on an undocumented web page inside a company's intranet C. Any information or data obtained via publicly available sources that is used to aid or drive decision-making processes D. Information gained by source code analysis of free and open-source software (FOSS)
C. Any information or data obtained via publicly available sources that is used to aid or drive decision-making processes
Which of the following is not a potential consequence of a lack of error handling or excessively verbose error handling in servers, web applications, and databases? A. OS or software version disclosure B. Disclosure of the username context for the application or database C. Clickjacking D. Disclosure of directory information for the application or database
C. Clickjacking
Jason is writing a report about a potential security vulnerability in a software product and wishes to use standardized product names to ensure that other security analysts understand the report. Which SCAP component can Jason turn to for assistance? A. CVSS B. CVE C. CPE D. OVAL
C. Common Product Enumeration (CPE) is an SCAP component that provides standardized nomenclature for product names and versions.
Security Content Automation Protocol (SCAP) aware scanners, such as Tenable's Nessus, test the implementation of best-practice security configuration baselines from the Center for Internet Security (CIS). For which type of scan are these baselines most helpful? A. Full scan B. Discovery scan C. Compliance scan D. Stealth scan
C. Compliance scan
Chris cross compiles code for his exploit and then deploys it. Why would he cross-compile code? A. To make it run on multiple platforms B. To add additional libraries C. To run it on a different architecture D. To allow him to inspect the source code
C. Cross-compiling code is used when a target platform is on a different architecture. Chris may not have access to a compiler on his target machine, or he may need to compile the code for an exploit from his primary workstation, which is not the same architecture as his target.
Which attack tactic as detailed by MITRE's ATT&CK matrix covers methods for the transfer of sensitive information from a system? A. Lateral movement B. Defense evasion C. Exfiltration D. Execution
C. Exfiltration
After gaining access to a Windows system, Fred uses the following command: SchTasks /create /SC Weekly /TN "Antivirus" /TR "C:\Users\SSmith\av.exe" /ST 09:00 What has he accomplished? A. He has set up a weekly antivirus scan. B. He has set up a job called "weekly." C. He has scheduled his own executable to run weekly. D. Nothing; this command will only run on Linux.
C. Fred has used the scheduled tasks tool to set up a weekly run of av.exe from a user directory at 9 a.m. It is fair to assume in this example that Fred has gained access to SSmith's user directory and has placed his own av.exe file there and is attempting to make it look innocuous if administrators find it.
In Microsoft’s guidance on threat modeling, which step involves the categorization of external and internal threats to an organization? A. Rate the threats B. Decompose the application C. Identify threats D. Identify assets
C. Identify threats
Which one of the following categories of systems is most likely to be disrupted during a vulnerability scan? A. External web server B. Internal web server C. IoT device D. Firewall
C. Internet of Things (IoT) devices are examples of nontraditional systems that may be fragile and highly susceptible to failure during vulnerability scans. Web servers and firewalls are typically designed for exposure to wider networks and are less likely to fail during a scan.
Shodan and Censys are examples of __________, which enable secure discovery of publicly accessible Internet-connected devices. (Fill in the blank.) A. Google dorks B. Maltego transforms C. Internet of Things (IoT) search engines D. Data miners
C. Internet of Things (IoT) search engines
During an on-site penetration test, what scoping element is critical for wireless assessments when working in shared buildings? A. Encryption type B. Wireless frequency C. SSIDs D. Preshared keys
C. Knowing the SSIDs that are in scope is critical when working in shared buildings. Penetrating the wrong network could cause legal or even criminal repercussions for a careless penetration tester!
If Charles selects the Ruby on Rails vulnerability, which of the following methods cannot be used to search for an existing Metasploit vulnerability? A. CVE B. BID C. MSF D. EDB
C. Metasploit searching supports multiple common vulnerability identifier systems, including CVE, BID, and EDB, but MSF was made up for this question. It may sound familiar, as the Metasploit console command is msfconsole.
Jacob wants to capture user hashes on a Windows network. Which tool could he select to gather these from broadcast messages? A. Metasploit B. Responder C. Impacket D. Wireshark
C. Metasploit's SMB capture mode, Responder, and Wireshark can all capture SMB hashes from broadcasts. Impacket doesn't build this capability in but provides a wide range of related tools, including the ability to authenticate with hashes once you have captured them. If you're wondering about encountering this type of question on the exam, remember to eliminate the answers you are sure of to reduce the number of remaining options. Here, you can likely guess that Metasploit has a module for this, and Wireshark is a packet capture tool, so capturing broadcast traffic may require work, but would be possible. Now you're down to a 50/50 chance!
A few days after exploiting a target with the Metasploit Meterpreter payload, Robert loses access to the remote host. A vulnerability scan shows that the vulnerability that he used to exploit the system originally is still open. What has most likely happened? A. A malware scan discovered Meterpreter and removed it. B. The system was patched. C. The system was rebooted. D. Meterpreter crashed.
C. Meterpreter is a memory resident tool that injects itself into another process. The most likely answer is that the system was rebooted, thus removing the memory resident Meterpreter process. Robert can simply repeat his exploit to regain access, but he may want to take additional steps to ensure continued access.
Which of the following is a public, vendor-neutral forum and mailing list that publishes vulnerability analysis details, exploitation techniques, and other relevant information for the security community? A. US-CERT B. MITRE C. NIST D. Full Disclosure
C. NIST
Which of the following are advantages of first-party hosting in a penetration test? (Choose two.) A. Ease of monitoring penetration test activities B. Ease of access to target systems C. No requirement for third-party authorization D. No requirement to adhere to third-party acceptable use policies
C. No requirement for third-party authorization D. No requirement to adhere to third-party acceptable use policies
Part of Annie's penetration testing scope of work and rules of engagement allows her physical access to the facility she is testing. If she cannot find a remotely exploitable service, which of the following social engineering methods is most likely to result in remote access? A. Dumpster diving B. Phishing C. A thumb drive drop D. Impersonation on a help desk call
C. Of the options listed, Annie's best bet is likely a thumb drive drop. Delivering thumb drives with malware on them to various locations around her target is likely to result in one or more being plugged in, and careful design can encourage staff at the target organization to click on her chosen malware packages. Once a local workstation is compromised with a tool that can reach out to her, she will have a means past the existing security, possibly allowing her to find other vulnerabilities inside the organization's network.
Assuming no significant changes in an organization's cardholder data environment, how often does PCI DSS require that a merchant accepting credit cards conduct penetration testing? A. Monthly B. Semiannually C. Annually D. Biannually
C. PCI DSS requires that organizations conduct both internal and external penetration tests on at least an annual basis. Organizations must also conduct testing after any significant change in the cardholder data environment.
What built-in Windows server administration tool can allow command-line PowerShell access from other systems? A. VNC B. PowerSSHell C. PSRemote D. RDP
C. PSRemote, or PowerShell Remote, provides command-line access from remote systems. Once you have established a remote trust relationship using valid credentials, you can use PowerShell commands for a variety of exploit and information gathering activities, including use of dedicated PowerShell exploit tools.
The last step in threat modeling (per Microsoft's threat modeling process) is: A. Document the threats B. Identify assets C. Rate the threats D. Architecture overview
C. Rate the threats
User Account Control (UAC) is a security mechanism found in Microsoft Windows operating systems, starting with Windows Vista. How does UAC enhance system security? A. Prevents users from accessing files and directories belonging to other users of the system B. Prevents applications from launching until a low-privilege user opens an executable C. Restricts user applications and software to low-privilege execution unless a system administrator authorizes escalation of privilege for a given running application D. Locks user accounts after a set number of failed logins
C. Restricts user applications and software to low-privilege execution unless a system administrator authorizes escalation of privilege for a given running application
Which contractual document would detail acceptable times for testing activity for penetration testers? A. Written authorization letter B. Master service agreement C. Rules of engagement D. Nondisclosure agreement
C. Rules of engagement
During a penetration test specifically scoped to a single web application, Chris discovers that the web server also contains a list of passwords to other servers at the target location. After he notifies the client, they ask him to use them to validate those servers, and he proceeds to test those passwords against the other servers. What has occurred? A. Malfeasance B. Pivoting C. Scope creep D. Target expansion
C. Scope creep occurs when additional items are added to the scope of an assessment. Chris has gone beyond the scope of the initial assessment agreement. This can be expensive for clients or may cost Chris income if the additional time and effort is not accounted for in an addendum to his existing contract.
Of the following options, which contractual document would contain specific payment terms and details? A. Rules of engagement B. Nondisclosure agreement C. Statement of work D. Written authorization letter
C. Statement of work
You have been contracted for a penetration test by a U.S. government office. The client has requested a longer-term assessment, meant to simulate the actions of a highly skilled adversary. Portions of the contract require that all penetration testers on the engagement be U.S. citizens with active security clearances. Additionally, a series of illustrations that detail the design of the client network has been included in the contract as a support document. Which of the following contractual documents would most likely detail the requirement that testers all be U.S. citizens with active security clearances? A. Nondisclosure agreement B. Master service agreement C. Statement of work D. Rules of engagement
C. Statement of work
Which type of organization is the most likely to face a regulatory requirement to conduct vulnerability scans? A. Bank B. Hospital C. Government agency D. Doctor's office
C. The Federal Information Security Management Act (FISMA) requires that government agencies conduct vulnerability scans. HIPAA, which governs hospitals and doctors' offices, does not include a vulnerability scanning requirement, nor does GLBA, which covers financial institutions.
Which of the following types of penetration test would provide testers with complete visibility into the configuration of a web server without having to compromise the server to gain that information? A. Black box B. Gray box C. White box D. Red box
C. White box testing, also known as "crystal box" or "full knowledge" testing, provides complete access and visibility. Black box testing provides no information, while gray box testing provides limited information. Red box testing is not a common industry term.
A stealth scan in nmap is denoted by the __________ flag and leverages the use of __________ when probing ports. A. -sT, TCP Connect() calls B. -sT, SYN packets C. -sU, RST packets D. -sS, SYN and RST packets
D. -sS, SYN and RST packets
When used as part of a search through theharvester, what will be the effect of the -n flag? A. A DNS brute-force search will be conducted for the domain name provided. B. Identified hosts will be cross-referenced with the Shodan database. C. A simple declaration of the domain or company name for which to conduct the search. D. A reverse DNS query will be run for all discovered ranges.
D. A reverse DNS query will be run for all discovered ranges.
Which of the following is a danger associated with the use of default authentication credentials on a system or service? A. Admin passwords may be easily guessed. B. Admin passwords are almost guaranteed to be in any major wordlist used in dictionary attacks. C. Admin passwords will be found with a brief Internet search for the service in question. D. All of the above.
D. All of the above.
Ken is planning to conduct a vulnerability scan of an organization as part of a penetration test. He is conducting a black box test. When would it be appropriate to conduct an internal scan of the network? A. During the planning stage of the test B. As soon as the contract is signed C. After receiving permission from an administrator D. After compromising an internal host
D. Because this is a black box scan, Ken should not (and most likely cannot) conduct an internal scan until he first compromises an internal host. Once he gains this foothold on the network, he can use that compromised system as the launching point for internal scans.
In what type of attack does the attacker place more information in a memory location than is allocated for that use? A. SQL injection B. LDAP injection C. Cross-site scripting D. Buffer overflow
D. Buffer overflow attacks occur when an attacker manipulates a program into placing more data into an area of memory than is allocated for that program's use. The goal is to overwrite other information in memory with instructions that may be executed by a different process running on the system.
You have been contracted for a penetration test by a local hospital. The client has requested a third-party security assessment to provide confirmation that they are adhering to HIPAA guidelines. In addition, the client requests that you perform a detailed penetration test of a proprietary web application that they use to manage their inventories. To further assist this effort, they have provided a detailed map of their network architecture in addition to authorized administrative credentials, source code, and related materials for the web application. Your master service agreement with the client indicates that your written authorization is to be a separately delivered document, and that it should be digitally delivered one week before the scheduled start date of the engagement. It is currently three days before the start date agreed upon in preliminary meetings, and you do not yet have a signed authorization letter. Of the following choices, which member or members of a client organization are most likely authorized to provide a signed authorization letter prior to the start date of the penetration test? A. The IT department B. Human resources C. Organizational security personnel D. Executive management and legal personnel
D. Executive management and legal personnel
The CAPEC details thousands of known attack patterns and methodologies. Which of the following is not an attack domain recognized by CAPEC? A. Social Engineering B. Supply Chain C. Physical Security D. Firmware
D. Firmware
Which of the following is not a vulnerability scanner commonly used in penetration testing? A. Nessus B. OpenVAS C. SQLmap D. IDA
D. IDA
What software component is responsible for enforcing the separation of guest systems in a virtualized infrastructure? A. Guest operating system B. Host operating system C. Memory controller D. Hypervisor
D. In a virtualized data center, the virtual host hardware runs a special operating system known as a hypervisor that mediates access to the underlying hardware resources.
Angela wants to run John the Ripper against a hashed password file she has acquired from a compromise. What information does she need to know to successfully crack the file? A. A sample word list B. The hash used C. The number of passwords D. None of the above
D. John includes automatic hash type detection, so Angela can simply feed John the Ripper the hashed password file. If it is in a format that John recognizes, it will attempt to crack the passwords.
Karen identifies TCP ports 8080 and 8443 open on a remote system during a port scan. What tool is her best option to manually validate what is running on these ports? A. SSH B. SFTP C. Telnet D. A web browser
D. Karen knows that many system administrators move services from their common service ports to alternate ports and that 8080 and 8443 are likely alternate HTTP (TCP 80) and HTTPS (TCP 443) server ports, and she will use a web browser to connect to those ports to check them. She could use Telnet for this testing, but it requires significantly more manual work to gain the same result, making it a poor second choice unless she doesn't have another option.
Mika runs the following Nmap scan: nmap -sU -sT -p 1-65535 example.com What information will she NOT receive? A. TCP services B. The state of the service C. UDP services D. MOD
D. MOD was made up for this question, so the Nmap scan will not produce that. The Nmap scan will show the state of the ports, both TCP and UDP.
Tim has selected his Metasploit exploit and set his payload as cmd/unix/generic. After attempting the exploit, he receives the following output. What went wrong? {Picture} A. The remote host is firewalled. B. The remote host is not online. C. The host is not routable. D. The remote host was not set.
D. Metasploit needs to know the remote target host, known as rhost, and this was not set. Tim can set it by typing set rhost [ip address] with the proper IP address. Some payloads require lhost, or local host, to be set as well, making it a good idea to use the show options command before running an exploit.
During an Nmap scan, Casey uses the -O flag. The scan identifies the host as follows: Running: Linux 2.6.X OS CPE: cpe:/o:linux:linux_kernel:2.6 OS details: Linux 2.6.9 - 2.6.33 What can she determine from this information? A. The Linux distribution installed on the target B. The patch level of the installed Linux kernel C. The date the remote system was last patched D. That the system is running a Linux 2.6 kernel between .9 and .33
D. OS identification in Nmap is based on a variety of response attributes. In this case, Nmap's best guess is that the remote host is running a Linux 2.6.9-2.6.33 kernel, but it cannot be more specific. It does not specify the distribution, patch level, or when the system was last patched.
Nessus incorporates NVD's CVSS when producing vulnerability severity information. Which of the following is not a use for this information for a penetration tester? A. Mapping vulnerabilities to potential exploits B. Informing the penetration tester's plan of attack C. Identifying potential exploits as appropriate for the software versions in use on a target D. Populating graphs with data for press releases
D. Populating graphs with data for press releases
This document plainly states the guidelines and constraints to be observed during the execution of a penetration test, and it clearly lays out what systems are and are not authorized for testing. It may be delivered as part of the SOW or as its own separate document. A. Master service agreement (MSA) B. Nondisclosure agreement (NDA) C. Statement of work (SOW) D. Rules of engagement (ROE)
D. Rules of engagement (ROE)
Which one of the following factors is least likely to impact vulnerability scanning schedules? A. Regulatory requirements B. Technical constraints C. Business constraints D. Staff availability
D. Scan schedules are most often determined by the organization's risk appetite, regulatory requirements, technical constraints, business constraints, and licensing limitations. Most scans are automated and do not require staff availability.
Which of the following is the multistep process of identifying vulnerabilities in software due to flaws in programming logic? A. SAST B. Jailbreaking C. DAST D. Software assurance testing
D. Software assurance testing
Betty is selecting a transport encryption protocol for use in a new public website she is creating. Which protocol would be the best choice? A. SSL 2.0 B. SSL 3.0 C. TLS 1.0 D. TLS 1.1
D. TLS 1.1 is a secure transport protocol that supports web traffic. The other protocols listed all have flaws that render them insecure and unsuitable for use.
In compliance-based testing, why is it problematic for a penetration tester to have only limited or restricted access to an organization’s network or systems? A. The tester might not have sufficient time within the testing period to find all vulnerabilities present on the target system or network. B. The tester needs to be able to verify that export control regulations are adhered to. C. The tester needs sufficient time to be able to accurately emulate an advanced persistent threat (APT). D. The tester requires sufficient access to the information and resources necessary to successfully complete a full audit.
D. The tester requires sufficient access to the information and resources necessary to successfully complete a full audit.
Which one of the following is NOT a benefit of using an internal penetration testing team? A. Contextual knowledge B. Cost C. Subject matter expertise D. Independence
D. The use of internal testing teams may introduce conscious or unconscious bias into the penetration testing process. This lack of independence is one reason organizations may choose to use an external testing team.
Which of the following is an access control mechanism that denies all connections that are not explicitly permitted? A. Limited access B. Blacklist C. Privileged-level access D. Whitelist
D. Whitelist
Which of the following is not a module category in recon-ng? A. Reporting modules B. Importing modules C. Discovery modules D. Exporting modules
D. Exporting modules