Pentest+ 2-6


What approach to vulnerability scanning incorporates information from agents running on the target servers? A. Continuous monitoring B. Ongoing scanning C. On‐demand scanning D. Alerting

A. Continuous monitoring Continuous monitoring incorporates data from agent‐based approaches to vulnerability detection and reports security‐related configuration changes to the vulnerability management platform as soon as they occur, providing the ability to analyze those changes for potential vulnerabilities.

John wants to retain access to a Linux system. Which of the following is not a common method of maintaining persistence on Linux servers? A. Scheduled tasks B. Cron jobs C. Trojaned services D. Modified daemons

A. Scheduled tasks The Windows Task Scheduler is used for scheduled tasks. On Linux, cron jobs are set to start applications and other events on time. Other common means of creating persistent access to Linux systems include modifying system daemons, replacing services with Trojaned versions, or even simply creating user accounts for later use.

What type of legal agreement typically covers sensitive data and information that a penetration tester may encounter while performing an assessment? A. A noncompete B. An NDA C. A data security agreement D. A DSA

B. An NDA A nondisclosure agreement, or NDA, covers the data and other information that a penetration tester may encounter or discover during their work. It acts as a legal agreement preventing disclosure of that information.

The Dirty COW attack is an example of what type of vulnerability? A. Malicious code B. Privilege escalation C. Buffer overflow D. LDAP injection

B. Buffer overflow In October 2016, security researchers announced the discovery of a Linux kernel vulnerability dubbed Dirty COW. This vulnerability, present in the Linux kernel for nine years, was extremely easy to exploit and provided successful attackers with administrative control of affected systems.

Which one of the following conditions would not result in a certificate warning during a vulnerability scan of a web server? A. Use of an untrusted CA B. Inclusion of a public encryption key C. Expiration of the certificate D. Mismatch in certificate name

B. Inclusion of a public encryption key Digital certificates are intended to provide public encryption keys and this would not cause an error. The other circumstances are all causes for concern and would trigger an alert during a vulnerability scan.

Kevin recently identified a new security vulnerability and computed its CVSS base score as 6.5. Which risk category would this vulnerability fall into? A. Low B. Medium C. High D. Critical

B. Medium Vulnerabilities that have a CVSS base score between 4.0 and 6.9 fall into the Medium rating category.

Brian is seeking to determine the appropriate impact categorization for a federal information system as he plans the vulnerability scanning controls for that system. After consulting management, he discovers that the system contains information that, if disclosed improperly, would have a serious adverse impact on the organization. How should this system be categorized? A. Low impact B. Moderate impact C. High impact D. Severe impact

B. Moderate impact Systems have a moderate impact from a confidentiality perspective if the unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

Tom is reviewing a vulnerability scan report and finds that one of the servers on his network suffers from an internal IP address disclosure vulnerability. What protocol is likely in use on this network that resulted in this vulnerability? A. TLS B. NAT C. SSH D. VPN

B. NAT Although the network can support any of these protocols, internal IP disclosure vulnerabilities occur when a network uses Network Address Translation (NAT) to map public and private IP addresses but a server inadvertently discloses its private IP address to remote systems.

Jen wants to conduct a penetration test and includes mobile application testing. Which standard or methodology is most likely to be useful for her efforts? A. NIST B. OWASP C. KALI D. ISSAF

B. OWASP The Open Web Application Security Project provides mobile application testing guidelines as part of its documentation, making it the best option on this list for Jen. NIST provides high‐level guidance about what tests should include, KALI is a security‐focused Linux distribution, and ISSAF is a dated penetration testing standard.

Annie is using a collection of leaked passwords to attempt to log in to multiple user accounts belonging to staff of the company she is penetration testing. The tool she is using attempts to log into each account using a single password, then moves on to the next password, recording failures and successes. What type of attack is Annie conducting? A. A firehose attack B. Password spraying C. Pass the hash D. A cloned password attack

B. Password spraying Annie is using a password spraying attack, which uses the same password against a variety of accounts, then tries the next password in a series, continuing through each password in its list for all the targeted accounts. Firehose and cloned password attacks were made up for this question, and pass‐the‐hash attacks use captured hashes to attempt to use existing sessions.

Elaine wants to ensure that the limitations of her red‐team penetration test are fully explained. Which of the following are valid disclaimers for her agreement? (Choose two.) A. Risk tolerance B. Point‐in‐time C. Comprehensiveness D. Impact tolerance

B. Point-in-time C. Comprehensiveness Both the comprehensiveness of the test and the limitation that it is only relevant at the point in time it is conducted are appropriate disclaimers for Elaine to include. The risk and impact tolerance of the organization being assessed should be used to define the scope and rules of engagement for the assessment.

What term describes an organization's willingness to tolerate risk in their computing environment? A. Risk landscape B. Risk appetite C. Risk level D. Risk adaptation

B. Risk appetite The organization's risk appetite is its willingness to tolerate risk within the environment. If an organization is extremely risk‐averse, it may choose to conduct scans more frequently to minimize the amount of time between when a vulnerability comes into existence and when it is detected by a scan.

Alice discovers a rating that her vulnerability scanner lists as 9.3 out of 10 on its severity scale. The service that is identified runs on TCP 445. What type of exploit is Alice most likely to use on this service? A. SQL injection B. SMB exploit C. CGI exploit D. MIB exploit

B. SMB exploit TCP 445 is a service port typically associated with SMB services.

Which one of the following is not an example of a vulnerability scanning tool? A. Qualys B. Snort C. Nessus D. OpenVAS

B. Snort QualysGuard, Nessus, and OpenVAS are all examples of vulnerability scanning tools. Snort is an intrusion detection system.

Adam is conducting a penetration test of an organization and is reviewing the source code of an application for vulnerabilities. What type of code testing is Adam conducting? A. Mutation testing B. Static code analysis C. Dynamic code analysis D. Fuzzing

B. Static code analysis Adam is conducting static code analysis by reviewing the source code. Dynamic code analysis requires running the program, and both mutation testing and fuzzing are types of dynamic analysis.

Charles uses the following hping command to send traffic to a remote system: hping remotesite.com -S -V -p 80 What type of traffic will the remote system see? A. HTTP traffic to TCP port 80 B. TCP SYNs to TCP port 80 C. HTTPS traffic to TCP port 80 D. A TCP three‐way handshake to TCP port 80

B. TCP SYNs to TCP port 80 Charles has issued a command that asks hping to send SYN traffic (-S) in verbose mode (-V) to remotesite.com on port 80.

Tom wants to find metadata about an organization using a search engine. What tool from the following list should he use? A. ExifTool B. MetaSearch C. FOCA D. Nmap

C. FOCA FOCA, or Fingerprinting Organizations with Collected Archives, is a useful tool for searching for metadata via search engines. ExifTool is used for individual files. MetaSearch was made up for this question, and although Nmap has many functions, it isn't used for metadata searches via search engines.

During an on‐site penetration test, what scoping element is critical for wireless assessments when working in shared buildings? A. Encryption type B. Wireless frequency C. SSIDs D. Preshared keys

C. SSIDs Knowing the SSIDs that are in scope is critical when working in shared buildings. Penetrating the wrong network could cause legal or even criminal repercussions for a careless penetration tester!

During a penetration test, Alex discovers that he is unable to scan a server that he was able to successfully scan earlier in the day from the same IP address. What has most likely happened? A. His IP address was whitelisted. B. The server crashed. C. The network is down. D. His IP address was blacklisted.

D. His IP address was blacklisted The IP address or network that Alex is sending his traffic from was most likely blacklisted as part of the target organization's defensive practices. A whitelist would allow him in, and it is far less likely that the server or network has gone down.

What software component is responsible for enforcing the separation of guest systems in a virtualized infrastructure? A. Guest operating system B. Host operating system C. Memory controller D. Hypervisor

D. Hypervisor In a virtualized data center, the virtual host hardware runs a special operating system known as a hypervisor that mediates access to the underlying hardware resources.

Tonya is configuring vulnerability scans for a system that is subject to the PCI DSS compliance standard. What is the minimum frequency with which she must conduct scans? A. Daily B. Weekly C. Monthly D. Quarterly

D. Quarterly PCI DSS requires that organizations conduct vulnerability scans on at least a quarterly basis, although many organizations choose to conduct scans on a much more frequent basis.

Renee is configuring her vulnerability management solution to perform credentialed scans of servers on her network. What type of account should she provide to the scanner? A. Domain administrator B. Local administrator C. Root D. Read‐only

D. Read-only Credentialed scans only require read‐only access to target servers. Renee should follow the principle of least privilege and limit the access available to the scanner.

What type of assessment most closely simulates an actual attacker's efforts? A. A red‐team assessment with a zero knowledge strategy B. A goals‐based assessment with a full knowledge strategy C. A red‐team assessment with a full knowledge strategy D. A compliance‐based assessment with a zero knowledge strategy

A. A red-team assessment with a zero knowledge strategy In a red‐team assessment with zero knowledge, the testers attempt the penetration test as though they were actual attackers who do not have prior or insider knowledge of the organization. Full knowledge assessments provide more knowledge than attackers can be expected to have, and goals‐based assessments target specific systems or elements of an organization rather than the broader potential attack surface that actual attackers may target.

What type of penetration test is not aimed at identifying as many vulnerabilities as possible and instead focuses on vulnerabilities that specifically align with the goals of gaining control of specific systems or data? A. An objectives‐based assessment B. A compliance‐based assessment C. A black‐team assessment D. A red‐team assessment

A. An objectives-based assessment An objectives‐based assessment specifically targets goals like gaining access to specific systems or data. A compliance‐based assessment is conducted as part of compliance efforts and will focus on whether systems are properly secured or meet standards. A red‐team assessment is intended to simulate an actual attack or penetration, and testers will focus on finding ways in and maximizing access rather than comprehensively identifying and testing all the vulnerabilities and flaws that they can find. Black‐team assessments are not a commonly used penetration testing term.

What tool can white‐box penetration testers use to help identify the systems present on a network prior to conducting vulnerability scans? A. Asset inventory B. Web application assessment C. Router D. DLP

A. Asset inventory An asset inventory supplements automated tools with other information to detect systems present on a network. The asset inventory provides critical information for vulnerability scans. It is appropriate to share this information with penetration testers during a white‐box penetration test.

Jessica is reading reports from vulnerability scans run by different parts of her organization using different products. She is responsible for assigning remediation resources and is having difficulty prioritizing issues from different sources. What SCAP component can help Jessica with this task? A. CVSS B. CVE C. CPE D. XCCDF

A. CVSS The Common Vulnerability Scoring System (CVSS) provides a standardized approach for measuring and describing the severity of security vulnerabilities. Jessica could use this scoring system to prioritize issues raised by different source systems.

Rick wants to describe flaws found in an organization's internally developed web applications using a standard model. Which of the following is best suited to his need? A. CWE B. The Diamond Model C. CVE D. OWASP

A. CWE The Common Weakness Enumeration is a community‐developed list of hardware and software weaknesses. Although OWASP provides a massive amount of application security knowledge, it is not in and of itself a listing or standard for listing flaws. The Diamond Model is a model designed to evaluate intrusions, and CVE, the Common Vulnerabilities and Exposures database, focuses on vulnerabilities for commercial and open source projects and thus will not typically be used for internal applications and code.

Which one of the following technologies, when used within an organization, is the least likely to interfere with vulnerability scanning results achieved by external penetration testers? A. Encryption B. Firewall C. Containerization D. Intrusion prevention system

A. Encryption Encryption technology is unlikely to have any effect on the results of vulnerability scans because it does not change the services exposed by a system. Firewalls and intrusion prevention systems may block inbound scanning traffic before it reaches target systems. Containerized and virtualized environments may prevent external scanners from seeing services exposed within the containerized or virtualized environment.

Angela recovered a PNG image during the early intelligence‐gathering phase of a penetration test and wants to examine it for useful metadata. What tool could she most successfully use to do this? A. ExifTool B. Grep C. PsTools D. Nginx

A. ExifTool ExifTool is designed to pull metadata from images and other files. Grep may be useful to search for specific text in a file, but it won't pull the range of possible metadata from the file. PsTools is a Windows Sysinternals package that includes a variety of process‐oriented tools. Nginx is a web server, load balancer, and multipurpose application services stack.

Tara recently analyzed the results of a vulnerability scan report and found that a vulnerability reported by the scanner did not exist because the system was actually patched as specified. What type of error occurred? A. False positive B. False negative C. True positive D. True negative

A. False positive A false positive error occurs when the vulnerability scanner reports a vulnerability that does not actually exist.

Mike discovers a number of information exposure vulnerabilities while preparing for the exploit phase of a penetration test. If he has not been able to identify user or service information beyond vulnerability details, what priority should he place on exploiting them? A. High priority; exploit early. B. Medium priority; exploit after other system and service exploits have been attempted. C. Low priority; only exploit if time permits. D. Do not exploit; information exposure exploits are not worth conducting.

A. High priority; exploit early Although it may seem odd, exploiting information exposure vulnerabilities early can help provide useful information for other exploits. In addition, most information gathering exploits leave very little evidence and can provide information on service configurations and user accounts, making them a very useful tool in a situation like the scenario described.

Charles runs an Nmap scan using the following command: nmap -sT -sV -T2 -p 1-65535 example.com After watching the scan run for over two hours, he realizes that he needs to optimize the scan. Which of the following is not a useful way to speed up his scan? A. Only scan via UDP to improve speed. B. Change the scan timing to 3 or faster. C. Change to a SYN scan. D. Use the default port list.

A. Only scan via UDP to improve speed. Only scanning via UDP will miss any TCP services. Since the great majority of services in use today are provided as TCP services, this would not be a useful way to conduct the scan. Setting the scan to faster timing (3 or faster), changing from a TCP connect scan to a TCP SYN scan, or limiting the number of ports tested are all valid ways to speed up a scan. Charles needs to remain aware of what those changes can mean, since a fast scan may be detected or cause greater load on a network, and scanning fewer ports may miss some ports.

Alan is reviewing web server logs after an attack and finds many records that contain semicolons and apostrophes in queries from end users. What type of attack should he suspect? A. SQL injection B. LDAP injection C. Cross‐site scripting D. Buffer overflow

A. SQL injection In a SQL injection attack, the attacker seeks to use a web application to gain access to an underlying database. Semicolons and apostrophes are characteristic of these attacks.

Matt wants to pivot from a Linux host to other hosts in the network but is unable to install additional tools beyond those found on a typical Linux server. How can he leverage the system he is on to allow vulnerability scans of those remote hosts if they are firewalled against inbound connections and protected from direct access from his penetration testing workstation? A. SSH tunneling B. Netcat port forwarding C. Enable IPv6 D. Modify browser plug‐ins

A. SSH tunneling Matt can safely assume that almost any modern Linux system will have SSH, making SSH tunneling a legitimate option. If he connects outbound from the compromised system to his and creates a tunnel allowing traffic in, he can use his own vulnerability scanner through the tunnel to access the remote systems.

Charles has recently completed a vulnerability scan of a system and needs to select the best vulnerability to exploit from the following listing:
1. Ruby on Rails Action Pack Remote Code Execution Vulnerability (Windows) - 7.5 (High) - 80% - 10.0.2.7 - 3000/tcp
2. OpenSSH Denial of Service and User Enumeration Vulnerabilities (Windows) - 7.8 (High) - 80% - 10.0.2.7 - 22/tcp
3. MySQL/MariaDB weak password - 9.0 (High) - 95% - 10.0.2.7 - 3306/tcp
Which of the entries should Charles prioritize from this list if he wants to gain access to the system? A. The Ruby on Rails vulnerability B. The OpenSSH vulnerability C. The MySQL vulnerability D. None of these; he should find another target

A. The Ruby on Rails vulnerability The Ruby on Rails vulnerability is the only vulnerability that specifically mentions remote code execution, which is most likely to allow Charles to gain access to the system.

What does an MSA typically include? A. The terms that will govern future agreements B. Mutual support during assessments C. Microservices architecture D. The minimum service level acceptable

A. The terms that will govern future agreements. A master service agreement (MSA) is a contract that defines the terms under which future work will be completed. Specific work is then typically handled under a statement of work (SOW).

Ruchika has been asked to conduct a penetration test against internal business systems at a mid‐sized company that operates only during a normal day shift. The test will be run against critical business systems. What restriction is most likely to be appropriate for the testing? A. Time of day B. Types of allowed tests C. Types of prohibited tests D. The physical locations that can be tested

A. Time of day Time‐of‐day restrictions can be used to ensure tests occur when the systems are not in use, allowing time for recovery or restoration if something goes wrong. Types of allowed tests or denied tests are less likely to be used since they can limit the value of a test, and restricting physical locations is uncommon for smaller organizations that don't have many distinct locations.

In what type of attack does the attacker seek to gain access to resources assigned to a different virtual machine? A. VM escape B. Management interface brute force C. LDAP injection D. DNS amplification

A. VM escape VM escape vulnerabilities are the most serious issue that can exist in a virtualized environment, particularly when a virtual host runs systems of differing security levels. In an escape attack, the attacker has access to a single virtual host and then manages to leverage that access to intrude on the resources assigned to a different virtual machine.

Madhuri has been asked to run BloodHound as part of her penetration testing efforts. What will she be able to do with the tool? A. Visualize Active Directory environments. B. Capture encrypted network traffic. C. Visualize network traffic flows. D. Find encrypted files in network share drives.

A. Visualize Active Directory environments BloodHound ingests Active Directory forest or tree data and displays it, allowing penetration testers to visualize the data and analyze it by looking for elements like privileged accounts. It does not capture encrypted network traffic, visualize network flows, or search for encrypted files on shared drives.

After running an Nmap scan of a system, Zarmeena discovers that TCP ports 139, 443, and 3389 are open. What operating system is she most likely to discover running on the system? A. Windows B. Android C. Linux D. iOS

A. Windows Zarmeena knows that TCP ports 139, 445, and 3389 are all commonly used for Windows services. Although those ports could be open on a Linux, Android, or iOS device, Windows is her best bet.

Which one of the following operating systems should be avoided on production networks? A. Windows Server 2003 B. Red Hat Enterprise Linux 8 C. CentOS 8 D. Ubuntu 22.04

A. Windows Server 2003 Microsoft discontinued support for Windows Server 2003, and it is likely that the operating system contains unpatchable vulnerabilities. The other operating systems listed here all have active support.

Which of the following Nmap output formats is unlikely to be useful for a penetration tester? A. -oA B. -oS C. -oG D. -oX

B. -oS The Script Kiddie output format that Nmap supports is entirely for fun—you should never have a practical need to use the -oS flag for an actual penetration test.

After gaining access to a Linux system through a vulnerable service, Cassandra wants to list all of the user accounts on the system and their home directories. Which of the following locations will provide this list? A. /etc/shadow B. /etc/passwd C. /var/usr D. /home

B. /etc/passwd On most Linux systems, the /etc/passwd file will contain a list of users as well as their home directories. Capturing both /etc/passwd and /etc/shadow is important for password cracking, making both desirable targets for penetration testers.

Sarah is conducting a penetration test and discovers a critical vulnerability in an application. What should she do next? A. Report the vulnerability to the client's IT manager. B. Consult the SOW. C. Report the vulnerability to the developer. D. Exploit the vulnerability.

B. Consult the SOW Penetration testers should always consult the statement of work (SOW) for guidance on how to handle situations where they discover critical vulnerabilities. The SOW may require reporting these issues to management immediately, or it may allow the continuation of the test exploiting the vulnerability.

Which one of the following is not a common source of information that may be correlated with vulnerability scan results? A. Logs B. Database tables C. SIEM D. Configuration management system

B. Database tables It is unlikely that a database table would contain information relevant to assessing a vulnerability scan report. Logs, SIEM reports, and configuration management systems are much more likely to contain relevant information.

Tina has acquired a list of valid user accounts but does not have passwords for them. If she has not found any vulnerabilities but believes that the organization she is targeting has poor password practices, what type of attack can she use to try to gain access to a target system where those usernames are likely valid? A. Rainbow tables B. Dictionary attacks C. Thesaurus attacks D. Meterpreter

B. Dictionary attacks Tina may want to try a brute‐force dictionary attack to test for weak passwords. She should build a custom dictionary for her target organization, and she may want to do some social engineering work or social media assessment up front to help her identify any common password selection behaviors that members of the organization tend to display.

Cameron runs the following command via an administrative shell on a Windows system he has compromised. What has he accomplished? $command = 'cmd /c powershell.exe -c Set-WSManQuickConfig -Force;Set-Item WSMan:\localhost\Service\Auth\Basic -Value $True;Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $True;Register-PSSessionConfiguration -Name Microsoft.PowerShell -Force' A. He has enabled PowerShell for local users. B. He has set up PSRemoting. C. He has disabled remote command‐line access. D. He has set up WSMan.

B. He has set up PSRemoting Cameron has enabled PowerShell remote access, known as PSRemoting, and has configured it to allow unencrypted sessions using basic auth. This configuration should worry any Windows administrator who finds it!

Which one of the following terms is not typically used to describe the connection of physical devices to a network? A. IoT B. IDS C. ICS D. SCADA

B. IDS Intrusion detection systems (IDSs) are a security control used to detect network or host attacks. The Internet of Things (IoT), supervisory control and data acquisition (SCADA) systems, and industrial control systems (ICS) are all associated with connecting physical world objects to a network.

Charles has recently completed a vulnerability scan of a system and needs to select the best vulnerability to exploit from the following listing:
1. Ruby on Rails Action Pack Remote Code Execution Vulnerability (Windows) - 7.5 (High) - 80% - 10.0.2.7 - 3000/tcp
2. OpenSSH Denial of Service and User Enumeration Vulnerabilities (Windows) - 7.8 (High) - 80% - 10.0.2.7 - 22/tcp
3. MySQL/MariaDB weak password - 9.0 (High) - 95% - 10.0.2.7 - 3306/tcp
If Charles wants to build a list of additional system user accounts, which of the vulnerabilities is most likely to deliver that information? A. The Ruby on Rails vulnerability B. The OpenSSH vulnerability C. The MySQL vulnerability D. Both the OpenSSH and MySQL vulnerabilities

B. The OpenSSH vulnerability The OpenSSH vulnerability specifically notes that it allows user enumeration, making this the best bet for what Charles wants to accomplish.

The penetration testing agreement document that Greg asks his clients to sign includes a statement that the assessment is valid only at the point in time at which it occurs. Why does he include this language? A. His testing may create changes. B. The environment is unlikely to be the same in the future. C. Attackers may use the same flaws to change the environment. D. The test will not be fully comprehensive.

B. The environment is unlikely to be the same in the future. Assessments are valid only when they occur. Systems change due to patches, user changes, and configuration changes on a constant basis. Greg's point‐in‐time validity statement is a key element in penetration testing engagement contracts.

Why would a penetration tester look for expired certificates as part of an information‐gathering and enumeration exercise? A. They indicate improper encryption, allowing easy decryption of traffic. B. They indicate services that may not be properly updated or managed. C. Attackers install expired certificates to allow easy access to systems. D. Penetration testers will not look for expired certificates; they only indicate procedural issues.

B. They indicate services that may not be properly updated or managed. Penetration testers are always on the lookout for indicators of improper maintenance. Lazy or inattentive administrators are more likely to make mistakes that allow penetration testers in.

Lin believes that the organization she is scanning may have load balancers in use. Which of the following techniques will help her detect them if they are DNS‐based load balancers? A. Use Nmap and look for service port differences. B. Use ping and check for TTL and IP changes. C. Use Nessus and check for service version differences. D. Use WHOIS to check for multiple hostnames.

B. Use ping and check for TTL and IP changes. Checking for DNS load balancing via ping requires checking time to live (TTL) and IP address differences. Using Nmap or Nessus is less likely to be successful, because most devices in a pool should provide the same services and service versions. WHOIS records do not show load balancing details.

Which one of the following metrics is not included in the calculation of the CVSS exploitability score? A. Attack vector B. Vulnerability age C. Attack complexity D. Privileges Required

B. Vulnerability age The CVSS exploitability score is calculated using the Attack Vector, Attack Complexity, Privileges Required, and User Interaction metrics.

During an early phase of his penetration test, Mike recovers a binary executable file that he wants to quickly analyze for useful information. Which of the following will quickly give him a view of potentially useful information in the binary? A. Netcat B. strings C. Hashmod D. Eclipse

B. strings The strings command parses a file for strings of text and outputs them. It is often useful for analyzing binary files, since you can quickly check for information with a single quick command‐line tool. Netcat, while often called a pentester's Swiss Army knife, isn't useful for this type of analysis. Eclipse is an IDE and would be useful for editing code or for managing a full decompiler in some cases.

Megan wants to gather data from a service that provides data to an application. What type of documentation should she look for from the application's vendor? A. Database credentials B. System passwords C. API documentation D. Network configuration settings

C. API documentation Megan should look for API documentation. If the application uses an API, she may be able to use default API credentials or methods to gather data. The problem does not mention a database, and system passwords and network configuration settings are not as useful here.

Jack is conducting a penetration test for a customer in Japan. What NIC will he most likely have to check for information about his client's networks? A. RIPE B. ARIN C. APNIC D. LACNIC

C. APNIC The Asia‐Pacific NIC covers Asia, Australia, New Zealand, and other countries in the region. RIPE covers central Asia, Europe, the Middle East, and Russia, and ARIN covers the United States, Canada, parts of the Caribbean region, and Antarctica.

Jason is writing a report about a potential security vulnerability in a software product and wishes to use standardized product names to ensure that other security analysts understand the report. Which SCAP component can Jason turn to for assistance? A. CVSS B. CVE C. CPE D. OVAL

C. CPE Common Product Enumeration (CPE) is an SCAP component that provides standardized nomenclature for product names and versions.

During a penetration test scoping discussion, Charles is asked to test the organization's SaaS‐based email system. What concern should he bring up? A. Cloud‐based systems require more time and effort. B. Determining the scope will be difficult due to the size of cloud‐hosted environments. C. Cloud service providers do not typically allow testing of their services. D. Testing cloud services is illegal.

C. Cloud service providers do not typically allow testing of their services. Cloud service providers don't typically allow testing to be conducted against their services. Charles may recommend that the company ask for third‐party security audit information instead. Cloud systems and large environments can be difficult to scope and may require more time, but the primary issue here is the ability to even legitimately conduct the assessment that is being requested.

Ian's penetration test rules of engagement specify that he cannot add tools to the systems he compromises in a specific target environment. What techniques will he have to use to meet this requirement? A. Compromise using a fileless malware package, then cover his tracks and clean up any files he uses. B. Compromise using a known exploit and dropper from Metasploit, then use living‐off‐the‐land techniques. C. Compromise using a fileless malware package, then use living‐off‐the‐land techniques. D. Compromise using a known exploit and dropper from Metasploit, then clean up the dropped files and only use system utilities for further work.

C. Compromise using a fileless malware package, then use living-off-the-land techniques. A combination of fileless malware and living‐off‐the‐land techniques that use native tools and utilities will help Ian to ensure that he meets the rules of engagement of the penetration test he is conducting. Even cleaning up files will violate those rules, meaning that Ian should not add tools even if he is confident in his ability to clean them up after he is done. A Metasploit dropper leaves files behind, which means both answers that use this do not meet the requirements.

Ben is performing a penetration test as part of a PCI DSS engagement. What technique is he most likely to use as part of network segmentation testing? A. Testing for 802.1q trunking on the Internet connection B. Testing for physical segmentation of networks C. Firewall rule validation between segments D. Antimalware rule validation between segments

C. Firewall rule validation between segments PCI‐DSS network segmentation assessments typically focus on ensuring that traffic cannot go from a lower‐security segment to a higher‐security segment. Thus, Ben will be validating firewall rules preventing this. Trunking at the ISP connection and physical segmentation testing are not common tests for this type of engagement, and antimalware tools are more likely to search for malware than to apply differing rules between network segments.

Which type of organization is the most likely to be impacted by a law requiring them to conduct vulnerability scans? A. Bank B. Hospital C. Government agency D. Doctor's office

C. Government agency The Federal Information Security Management Act (FISMA) requires that government agencies conduct vulnerability scans. HIPAA, which governs hospitals and doctors' offices, does not include a vulnerability scanning requirement, nor does the Gramm-Leach-Bliley Act, which covers financial institutions.

Which one of the following values for the confidentiality, integrity, or availability CVSS metric would indicate the potential for total compromise of a system? A. N B. A C. H D. L

C. H If any of these measures is marked as H, for High, it indicates the potential for a complete compromise of the system.

After gaining access to a Windows system, Fred uses the following command: SchTasks /create /SC Weekly /TN "Antivirus" /TR "C:\Users\SSmith\av.exe" /ST 09:00 What has he accomplished? A. He has set up a weekly antivirus scan. B. He has set up a job called "weekly." C. He has scheduled his own executable to run weekly. D. Nothing; this command will only run on Linux.

C. He has set up a job called "weekly". Fred has used the scheduled tasks tool to set up a weekly run of av.exe from a user directory at 9 a.m. It is fair to assume in this example that Fred has gained access to SSmith's user directory and has placed his own av.exe file there and is attempting to make it look innocuous if administrators find it.

Jacob wants to capture user hashes on a Windows network. Which tool could he select to gather these from broadcast messages? A. Metasploit B. Responder C. Impacket D. Wireshark

C. Impacket Metasploit's SMB capture mode, Responder, and Wireshark can all capture SMB hashes from broadcasts. Impacket doesn't build this capability in but provides a wide range of related tools, including the ability to authenticate with hashes once you have captured them. If you're wondering about encountering this type of question on the exam, remember to eliminate the answers you are sure of to reduce the number of remaining options. Here, you can likely guess that Metasploit has a module for this, and Wireshark is a packet capture tool, so capturing broadcast traffic may require work but would be possible. Now you're down to a 50/50 chance!

Which one of the following categories of systems is most likely to be disrupted during a vulnerability scan? A. External web server B. Internal web server C. IoT device D. Firewall

C. IoT device Internet of Things (IoT) devices are examples of nontraditional systems that may be fragile and highly susceptible to failure during vulnerability scans. Web servers and firewalls are typically designed for exposure to wider networks and are less likely to fail during a scan.

Which of the following types of penetration test would provide testers with complete visibility into the configuration of a web server without having to compromise the server to gain that information? A. Unknown environment B. Partial knowledge C. Known environment D. Zero knowledge

C. Known environment Known environment testing, often also known as "crystal box" or "white box" testing, provides complete access and visibility. Unknown environment, or black‐box testing, provides no information, whereas partial knowledge, or gray‐box testing, provides limited information.

Which one of the following values for the CVSS attack complexity metric would indicate that the specified attack is simplest to exploit? A. High B. Medium C. Low D. Severe

C. Low An access complexity of "low" indicates that exploiting the vulnerability does not require any specialized conditions. A value of "high" indicates that specialized conditions are required. High and low are the only two possible values for this metric.

Ryan is conducting a penetration test and is targeting a database server. Which one of the following tools would best assist him in detecting vulnerabilities on that server? A. Nessus B. Nikto C. SQLmap D. OpenVAS

C. SQLmap SQLmap is a dedicated database vulnerability scanner and is the most appropriate tool for use in this scenario. Ryan might discover the same vulnerabilities using the general‐purpose Nessus or OpenVAS scanners, but they are not dedicated database vulnerability scanning tools. Nikto is a web application vulnerability scanner.

Charles has recently completed a vulnerability scan of a system and needs to select the best vulnerability to exploit from the following listing: 1. Ruby on Rails Action Pack Remote Code Execution Vulnerability (Windows) - 7.5 (High) - 80% - 10.0.2.7 - 3000/tcp 2. OpenSSH Denial of Service and User Enumeration Vulnerabilities (Windows) - 7.8 (High) - 80% - 10.0.2.7 - 22/tcp 3. MySQL/MariaDB weak password - 9.0 (High) - 95% - 10.0.2.7 - 3306/tcp If Charles selects the Ruby on Rails vulnerability, which of the following methods cannot be used to search for an existing Metasploit vulnerability? A. CVE B. BID C. MSF D. EDB

C. MSF Metasploit searching supports multiple common vulnerability identifier systems, including CVE, BID, and EDB, but MSF was made up for this question. It may sound familiar, as the Metasploit console command is msfconsole.

While performing an on‐site penetration test, Cassandra plugs her laptop into an accessible network jack. When she attempts to connect, however, she does not receive an IP address and gets no network connectivity. She knows that the port was working previously. What technology has her target most likely deployed? A. Jack whitelisting B. Jack blacklisting C. NAC D. 802.15

C. NAC The organization that Cassandra is testing has likely deployed network access control (NAC). Her system will not have the proper NAC client installed, and she will be unable to access that network jack without authenticating and having her system approved by the NAC system.

Which one of the CVSS metrics would contain information about the type of user account an attacker must use to execute an attack? A. AV B. C C. PR D. AC

C. PR The Privileges Required (PR) vector describes whether the attacker needs no user privileges, normal user privileges, or administrative user privileges to conduct the attack. The other vectors described in this question are the Attack Vector (AV), Attack Complexity (AC), and Confidentiality (C) vectors. They would not contain information about user authentication.

What built‐in Windows server administration tool can allow command‐line PowerShell access from other systems? A. VNC B. PowerSSHell C. PSRemote D. RDP

C. PSRemote PSRemote, or PowerShell Remote, provides command‐line access from remote systems. Once you have established a remote trust relationship using valid credentials, you can use PowerShell commands for a variety of exploit and information gathering activities, including use of dedicated PowerShell exploit tools.

The company that Ian is performing a penetration test for uses a wired network for their secure systems and does not connect it to their wireless network. What environmental consideration should Ian note if he is conducting a partial knowledge penetration test? A. He needs to know the IP ranges in use for the secure network. B. He needs to know the SSIDs of any wireless networks. C. Physical access to the network may be required. D. Physical access to a nearby building may be required.

C. Physical access to the network may be required. Access to a wired network can require physical access, which could be provided as part of a partial knowledge penetration test. In an unknown environment test, Ian might have to identify a way to compromise a system connected to the network remotely or to gain physical access to the building where the systems are. Knowing the IP ranges or the SSIDs of wireless networks is not required for this type of test. IP ranges can be determined once he is connected, and the test specifically notes that wired networks are not connected.

Which one of the following activities is not part of the vulnerability management life cycle? A. Detection B. Remediation C. Reporting D. Testing

C. Reporting Although reporting and communication are an important part of vulnerability management, they are not included in the life cycle. The three life‐cycle phases are detection, remediation, and testing.

Ryan is planning to conduct a vulnerability scan of a business‐critical system using dangerous plug‐ins. What would be the best approach for the initial scan? A. Run the scan against production systems to achieve the most realistic results possible. B. Run the scan during business hours. C. Run the scan in a test environment. D. Do not run the scan to avoid disrupting the business.

C. Run the scan in a test environment. Ryan should first run his scan against a test environment to identify likely vulnerabilities and assess whether the scan itself might disrupt business activities.

What term describes a document created to define project‐specific activities, deliverables, and timelines based on an existing contract? A. NDA B. MSA C. SOW D. MOD

C. SOW A statement of work covers the working agreement between two parties and is used in addition to an existing contract or master services agreement (MSA). An NDA is a nondisclosure agreement, and the acronym MOD was made up for this question.

During a penetration test specifically scoped to a single web application, Chris discovers that the web server also contains a list of passwords to other servers at the target location. After he notifies the client, they ask him to use them to validate those servers, and he proceeds to test those passwords against the other servers. What has occurred? A. Malfeasance B. Known environment testing C. Scope creep D. Target contraction

C. Scope creep Scope creep occurs when additional items are added to the scope of an assessment. Chris has gone beyond the scope of the initial assessment agreement. This can be expensive for clients or may cost Chris income if the additional time and effort is not accounted for in an addendum to his existing contract.

Charles has completed the scoping exercise for his penetration test and has signed the agreement with his client. Whose signature should be expected as the counter signature? A. The information security officer B. The project sponsor C. The proper signing authority D. An administrative assistant

C. The proper signing authority While the ISO or the sponsor may be the proper signing authority, it is important that Charles verify that the person who signs actually is the organization's proper signing authority. That means this person must have the authority to commit the organization to a penetration test. Unfortunately, it isn't a legal term, so Charles may have to do some homework with his project sponsor to ensure that this happens correctly.

Chris runs an Nmap scan of the 10.10.0.0/16 network that his employer uses as an internal network range for the entire organization. If he uses the ‐T0 flag, what issue is he likely to encounter? A. The scan will terminate when the host count reaches 0. B. The scan will not scan IP addresses in the .0 network. C. The scan will progress at a very slow speed. D. The scan will only scan for TCP services.

C. The scan will only scan for TCP services. The ‐T flag in Nmap is used to set scan timing. Timing settings range from 0 (paranoid) to 5 (insane). By default, it operates at 3, or normal. With timing set to a very slow speed, Chris will run his scan for a very, very long time on a /16 network.

A few days after exploiting a target with the Metasploit Meterpreter payload, Robert loses access to the remote host. A vulnerability scan shows that the vulnerability that he used to exploit the system originally is still open. What has most likely happened? A. A malware scan discovered Meterpreter and removed it. B. The system was patched. C. The system was rebooted. D. Meterpreter crashed.

C. The system was rebooted Meterpreter is a memory‐resident tool that injects itself into another process. The most likely answer is that the system was rebooted, thus removing the memory‐resident Meterpreter process. Robert can simply repeat his exploit to regain access, but he may want to take additional steps to ensure continued access.

What does a result of * * * mean during a traceroute? A. No route to the host exists. B. All hosts are queried. C. There is no response to the query, perhaps a timeout, but traffic is going through. D. A firewall is blocking responses.

C. There is no response to the query, perhaps a timeout, but traffic is going through. A series of three asterisks during a traceroute means that the host query has failed but that traffic is passing through. Many hosts are configured to not respond to this type of traffic but will route traffic properly.

Megan runs the following Nmap scan: nmap -sU -sT -p 1-65535 example.com What information will she not receive? A. TCP services B. The state of the service C. UDP services D. A list of vulnerable services

D. A list of vulnerable services This is a port scan, not a vulnerability scan, so Megan will not be able to determine if the services are vulnerable just from this scan. The Nmap scan will show the state of the ports, both TCP and UDP.

Angela wants to exfiltrate data from a Windows system she has gained access to during a penetration test. Which of the following exfiltration techniques is least likely to be detected? A. Send it via outbound HTTP as plaintext to a system she controls. B. Hash the data, then send the hash via outbound HTTPS. C. Use PowerShell to base64‐encode the data, then post to a public HTTPS‐accessible code repository. D. Use PowerShell to base64‐encode the data, then use an SSH tunnel to transfer the data to a system she controls.

C. Use PowerShell to base64-encode the data, then post to a public HTTPS-accessible code repository. Encoding data will make it less likely that intrusion prevention and data loss prevention systems will identify acquired data, meaning that encoding is a useful technique. Sending the data to a public repository like GitHub is less likely to look unusual than an internal system opening an SSH tunnel to a previously unknown system. Sending via HTTP instead of HTTPS will make inspection of the outbound, unencoded data trivial for defenders, and hashing the data will not leave it in a recoverable state when it arrives.

Which of the following provides information about a domain's registrar and physical location? A. Nslookup B. host C. WHOIS D. traceroute

C. WHOIS WHOIS provides information that can include the organization's physical address, registrar, contact information, and other details. Nslookup will provide IP address or hostname information, whereas the host command provides IPv4 and IPv6 addresses as well as email service information. traceroute attempts to identify the path to a remote host as well as the systems along the route.

Steve is working from an unprivileged user account that was obtained as part of a penetration test. He has discovered that the host he is on has Nmap installed, and he wants to scan other hosts in his subnet to identify potential targets as part of a pivot attempt. What Nmap flag will Steve probably have to use to successfully scan hosts from this account? A. ‐sV B. ‐u C. ‐oA D. ‐sT

D. -sT The TCP connect scan is often used when an unprivileged account is the tester's only option. Linux systems typically won't allow an unprivileged account to have direct access to create packets, but they will allow accounts to send traffic. Steve probably won't be able to use a TCP SYN scan, but a connect scan is likely to work. The other flags shown are for version testing (‐sV) and output type selection (‐oA), and ‐u doesn't do anything at all.

What is the full range of ports that a UDP service can run on? A. 1-1024 B. 1-16,383 C. 1-32,767 D. 1-65,535

D. 1-65,535 The full range of ports available to both TCP and UDP services is 1-65,535. Although port 0 exists, it is a reserved port and shouldn't be used.

What is the most recent version of CVSS that is currently available? A. 1.0 B. 2.0 C. 2.5 D. 3.0

D. 3.0 Version 3.0 of CVSS is currently available and is the version described in this chapter.

Lucas has been hired to conduct a penetration test of an organization that processes credit cards. His work will follow the recommendations of the PCI DSS. What type of assessment is Lucas conducting? A. An objectives‐based assessment B. A red‐team assessment C. A black‐team assessment D. A compliance‐based assessment

D. A compliance-based assessment The PCI DSS standard is an industry standard for compliance for credit card processing organizations. Thus, Lucas is conducting a compliance‐based assessment.

Karen identifies TCP ports 8080 and 8443 open on a remote system during a port scan. What tool is her best option to manually validate the services running on these ports? A. SSH B. SFTP C. Telnet D. A web browser

D. A web browser Karen knows that many system administrators move services from their common service ports to alternate ports and that 8080 and 8443 are likely alternate HTTP (TCP 80) and HTTPS (TCP 443) server ports, and she will use a web browser to connect to those ports to check them. She could use Telnet for this testing, but it requires significantly more manual work to gain the same result, making it a poor second choice unless Karen doesn't have another option.

Maria wants to build a penetration testing process for her organization and intends to start with an existing standard or methodology. Which of the following is not suitable for that purpose? A. ISSAF B. OSSTM C. PTES D. ATT&CK

D. ATT&CK PTES, OSSTMM, and ISSAF are all penetration testing methodologies or standards. MITRE's ATT&CK framework describes adversary tactics and techniques but does not outline how to perform a penetration test.

Ken is planning to conduct a vulnerability scan of an organization as part of a penetration test. He is conducting a black‐box test. When would it be appropriate to conduct an internal scan of the network? A. During the planning stage of the test B. As soon as the contract is signed C. After receiving permission from an administrator D. After compromising an internal host

D. After compromising an internal host Because this is a black‐box scan, Ken should not (and most likely cannot) conduct an internal scan until he first compromises an internal host. Once he gains this foothold on the network, he can use that compromised system as the launching point for internal scans.

In what type of attack does the attacker place more information in a memory location than is allocated for that use? A. SQL injection B. LDAP injection C. Cross‐site scripting D. Buffer overflow

D. Buffer overflow Buffer overflow attacks occur when an attacker manipulates a program into placing more data into an area of memory than is allocated for that program's use. The goal is to overwrite other information in memory with instructions that may be executed by a different process running on the system.

Monica discovers that an attacker posted a message attacking users who visit a web forum that she manages. Which one of the following attack types is most likely to have occurred? A. SQL injection B. Malware injection C. LDAP injection D. Cross‐site scripting

D. Cross-site scripting In a cross‐site scripting (XSS) attack, an attacker embeds scripting commands on a website that will later be executed by an unsuspecting visitor accessing the site. The idea is to trick a user visiting a trusted site into executing malicious code placed there by an untrusted third party.

John has gained access to a system that he wants to use to gather more information about other hosts in its local subnet. He wants to perform a port scan but cannot install other tools to do so. Which of the following tools isn't usable as a port scanner? A. Hping B. Netcat C. Telnet D. ExifTool

D. ExifTool All of these tools except ExifTool are usable as port scanners with some clever use of command‐line flags and options.

Gary is conducting a black‐box penetration test against an organization and is being provided with the results of vulnerability scans that the organization already ran for use in his tests. Which one of the following scans is most likely to provide him with helpful information within the bounds of his test? A. Stealth internal scan B. Full internal scan C. Stealth external scan D. Full external scan

D. Full external scan A full scan is likely to provide more useful and actionable results because it includes more tests. There is no requirement in the scenario that Gary avoid detection, so a stealth scan is not necessary. However, this is a black‐box test, so it would not be appropriate for Gary to have access to scans conducted on the internal network.

Which one of the following factors is least likely to impact vulnerability scanning schedules? A. Regulatory requirements B. Technical constraints C. Business constraints D. Staff availability

D. Staff availability Scan schedules are most often determined by the organization's risk appetite, regulatory requirements, technical constraints, business constraints, and licensing limitations. Most scans are automated and do not require staff availability.

Betty is selecting a transport encryption protocol for use in a new public website she is creating. Which protocol would be the best choice? A. SSL 2.0 B. SSL 3.0 C. TLS 1.0 D. TLS 1.3

D. TLS 1.3 TLS 1.3 is a secure transport protocol that supports web traffic. The other protocols listed all have flaws that render them insecure and unsuitable for use.

Which one of the following protocols should never be used on a public network? A. SSH B. HTTPS C. SFTP D. Telnet

D. Telnet Telnet is an insecure protocol that does not make use of encryption. The other protocols mentioned are all considered secure.

During an Nmap scan, Casey uses the ‐O flag. The scan identifies the host as follows: Running: Linux 2.6.X OS CPE: cpe:/o:linux:linux_kernel:2.6 OS details: Linux 2.6.9 - 2.6.33 What can she determine from this information? A. The Linux distribution installed on the target B. The patch level of the installed Linux kernel C. The date the remote system was last patched D. That the system is running a Linux 2.6 kernel between .9 and .33

D. That the system is running a Linux 2.6 kernel between .9 and .33 OS identification in Nmap is based on a variety of response attributes. In this case, Nmap's best guess is that the remote host is running a Linux 2.6.9-2.6.33 kernel, but it cannot be more specific. It does not specify the distribution, the patch level, or when the system was last patched.

Tim has selected his Metasploit exploit and set his payload as cmd/unix/generic . After attempting the exploit, he receives the following output. What went wrong? msf exploit(unix/misc/distcc_exec) > exploit [-] Exploit failed: The following options failed to validate: RHOST. [*] Exploit completed, but no session was created. A. The remote host is firewalled. B. The remote host is not online. C. The host is not routable. D. The remote host was not set.

D. The remote host was not set Metasploit needs to know the remote target host, known as rhost, and this was not set. Tim can set it by typing set rhost [ip address] with the proper IP address. Some payloads require lhost, or local host, to be set as well, making it a good idea to use the show options command before running an exploit.
