PenTest Practice


You have been hired to conduct a black box penetration test for a client. You want to use a spear phishing attack to expose the authentication credentials used by key employees of the organization. Which tools or techniques could you use to gather the information needed to conduct this attack? (Choose two.) A. Dumpster diving B. theHarvester C. nmap scan D. Nessus scan E. Shodan

A and B. Dumpster diving is a technique used to gather information about a target organization by reviewing documents found in its trash. Likewise, theHarvester can be used to search the Internet to find email addresses and employee names. This information can be used to craft an effective spear phishing campaign.

Which option causes nmap to send scans from a spoofed IP address? A. -f B. -D C. -n D. -sF

B. The -D option causes nmap to send scans from a spoofed IP address. You can specify one or more fake source IP addresses using this option.

A penetration tester has used SET to make a copy of a company's cloud-hosted web mail portal and then sends an email trying to obtain the president's login credentials. This is an example of what type of attack? A. An elicitation attack B. An impersonation attack C. A spear phishing attack D. A whaling attack

C. The Social Engineer Toolkit (SET) provides a framework for automating the social engineering process, including sending spear phishing messages, hosting fake websites, and collecting credentials. Social engineering plays an important role in many attacks. SET is a menu-driven social engineering attack system. In this scenario, the penetration tester is attempting a spear phishing attack.

You are a penetration tester, and your client wants you to scan their system. They want you to go to great lengths to avoid detection. The client does not want their cybersecurity team to be aware that a penetration test is taking place. What type of scan will you be performing? A. A compliance scan B. A discovery scan C. A full scan D. A stealth scan

D. During a penetration test, a tester may want to configure their scans to run as stealth scans. Stealth scans go to great lengths to avoid using tests that might attract attention. Service disruptions, error messages, and log entries caused by scans may attract attention from the cybersecurity team and cause them to adjust defenses in a manner that obstructs the penetration test. Using stealth scans better approximates the activity of a skilled attacker, resulting in a more realistic penetration test.

You have just concluded a black box penetration test for a client. The organization's wireless network uses preshared keys. During the test, you were able to access the organization's wireless network from the parking lot using your laptop running Aircrack-ng. In your final report, what should you recommend the client do to remediate this issue? (Choose two.) A. Implement MAC address filtering. B. Implement 802.1x authentication. C. Upgrade to newer Wi-Fi equipment that supports modern encryption methods. D. Change the default administrative username and password on the access point. E. Reconfigure the Wi-Fi equipment to use WPA encryption.

A and B. In this scenario, the wireless network can be hardened by implementing MAC address filtering. This provides a basic layer of protection by preventing unauthorized systems from connecting to the wireless network. However, MAC addresses are easy to spoof once a known-good address has been identified. So, the wireless network can be further hardened by implementing 802.1x authentication. This eliminates the weakness associated with preshared keys by implementing a separate authentication server (such as a RADIUS server).

Which of the following characteristics distinguish rainbow table attacks from brute-force attacks? (Choose two.) A. Rainbow table attacks reduce compute cycles at attack time. B. Rainbow tables must include precompiled hashes. C. Rainbow table attacks do not require access to hashed passwords. D. Rainbow table attacks must be performed on the network. E. Rainbow table attacks bypass the maximum failed login restrictions.

A and B. Rainbow tables provide a powerful way to attack hashed passwords by performing a lookup rather than trying to use brute force. A rainbow table is a precomputed listing of every possible password for a given set of password requirements, which has then been hashed based on a known hashing algorithm like MD5. A rainbow table is used to attack a hashed password in reverse. A rainbow table is generally an offline-only attack. It uses fewer compute cycles than other forms of attack. A brute-force attack is an attempt to crack a password or username by using a trial-and-error approach, with an attacker submitting many passwords or passphrases in the hope of eventually guessing the password correctly.

You have just met with a new client that has requested that you perform a penetration test for them. The client manages a string of retail storefronts that accept credit cards. They need you to assess whether they are PCI-DSS compliant. Which of the following tests need to be included in the assessment? (Choose two.) A. Physical access to cardholder data is restricted. B. The cardholder data environment (CDE) is isolated from the rest of the network. C. A refund policy is in place for credit card purchases. D. A chargeback policy is in place. E. Cashiers are required to check the signature on the card with the customer's signature.

A and B. The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security controls that businesses are required to implement to protect credit card data. For example, two of the requirements specify that the organization must restrict physical access to all cardholder data and that the CDE network be isolated from the rest of the network.

You are documenting the rules of engagement (ROE) for an upcoming penetration test. Which elements must be included? (Choose two.) A. A timeline for the engagement B. A review of laws that specifically govern the target C. A list of similar organizations that you have assessed in the past D. A list of the target's competitors E. A detailed map of the target's network

A and B. The rules of engagement (ROE) should always include the timeline for the engagement as well as a review of any laws that specifically govern the target to ensure you don't break them. A list of other organizations that you have tested in the past or a list of the target organization's competitors is unlikely to be specified in the rules of engagement. A detailed map of the target's network will probably not be included in a black or gray box test.

You are a penetration tester, and you are putting together the rules of engagement (ROE) for an upcoming test for a new client. What items do you need to include in the ROE? (Choose two.) A. The timeline that testing will be conducted B. A review of any laws, especially any that govern the client C. A list of similar companies that you have tested previously D. A list of your client's competitors E. A detailed map of the client's network

A and B. The rules of engagement (ROE) should always include the timeline that testing will be conducted as well as a review of any laws, especially any that govern the client, to ensure that you don't break any. A list of other organizations that you have previously tested or a list of the client's competition is not required to be included in the ROE document. A detailed map of the client's network would not be needed for the ROE but may be needed for the penetration testing.

Which of the following methods are commonly used to harden Windows-based computer systems? (Choose two.) A. Install extra system RAM and then disable the Windows paging file. B. Grant the Administrator user the "act as part of the operating system" right. C. Disable unneeded services. D. Allow anonymous access to the registry. E. Disable automatic notification of patch availability

A and C. To harden a Windows-based computer system, you should consider installing extra system RAM and then disable the Windows paging file. This prevents sensitive data that is supposed to be stored only in unencrypted format in RAM from being written to the hard disk page file. You should also disable any unneeded services.

Which of the following techniques can be used to help retain persistence for an exploit on a Windows system? (Choose two.) A. Using scheduled tasks B. Using cold boot attacks C. Implementing Kerberoasting D. Using DLL hijacking E. Looking for kernel exploits

A and D. DLL hijacking and scheduled tasks can both help retain persistence for an exploit on a Windows system. DLL hijacking causes the exploit contained in the malicious DLL to be loaded every time a linked application is started. Using scheduled tasks ensures that an exploit is run on a regular basis.

You are defining the rules of engagement (ROE) for an upcoming penetration test. You are working on the problem resolution section of the document. Which elements should be included in this section? (Choose two.) A. Clearly defined problem escalation procedures B. A timeline for the engagement C. In-scope systems, applications, and service providers D. Out-of-scope systems, applications, and service providers E. Acknowledgment that penetration testing carries inherent risks

A and E. When documenting problem handling and resolution in a rules of engagement document, you should clearly define escalation procedures on both sides of the agreement to help minimize downtime for the target organization. You should also include verbiage that requires the client to acknowledge that penetration testing carries inherent risks. A timeline for the engagement, along with scoping information, is also included in the ROE, just not in the problem resolution section.

By using phishing, a penetration tester was able to retrieve the initial VPN user domain credentials from a member of the IT department. Then the tester obtained hashes over the VPN and effortlessly cracked them by using a dictionary attack. The tester should recommend which of the following remediation steps to the client? (Choose three.) A. Recommend increased password complexity requirements. B. Recommend implementing two-factor authentication for remote access. C. Recommend installing an intrusion prevention system. D. Recommend installing a security information event monitoring solution. E. Recommend preventing members of the IT department from interactively logging in as administrators. F. Recommend requiring that all employees take security awareness training. G. Recommend upgrading the cipher suite used for the VPN solution.

A, F, and G. In this scenario, the tester should recommend that the client increase their password complexity requirements since the tester was able to crack them by using a dictionary attack. The tester should also recommend that all employees take security awareness training, since it was a member of the IT department who gave up pertinent information when the tester used a phishing technique. The tester should also recommend upgrading the cipher suite that is used for the VPN solution.

You are a penetration tester, and you are conducting a test for a new client. While attempting phishing, you were able to retrieve the initial VPN user domain credentials from a member of the IT department. Then you obtained hashes over the VPN and effortlessly cracked them by using a dictionary attack. What remediation steps should you recommend to the client? (Choose three.) A. Recommend increased password complexity requirements. B. Recommend implementing two-factor authentication for remote access. C. Recommend installing an intrusion prevention system. D. Recommend installing a security information event monitoring solution. E. Recommend preventing members of the IT department from interactively logging in as administrators. F. Recommend requiring that all employees take security awareness training. G. Recommend upgrading the cipher suite used for the VPN solution.

A, F, and G. In this scenario, the tester should recommend that the client increase their password complexity requirements since the tester was able to crack them by using a dictionary attack. The tester should also recommend that all employees take security awareness training, since it was a member of the IT department who gave up pertinent information when the tester used a phishing technique. The tester should also recommend upgrading the cipher suite that is used for the VPN solution. A cipher suite is a set of algorithms that help secure network connections that use Transport Layer Security (TLS) or Secure Socket Layer (SSL). The algorithms that cipher suites usually contain include a key exchange algorithm, a bulk encryption algorithm, and a message authentication code (MAC) algorithm.

Which type of vulnerability scan is least likely to be detected by an intrusion prevention system (IPS) or intrusion detection system (IDS)? A. Discovery B. Full C. Stealth D. Compliance

A. A discovery scan is designed to simply map out every system on the target network using very nonintrusive mechanisms (such as ping) to enumerate the network. Because of this, this type of scan is the least likely to be detected by an IDS or IPS device.

Which type of penetration test best focuses the tester's time and efforts while still providing an approximate view of what a real attacker would see? A. Gray box assessment B. Black box assessment C. Goals-based assessment D. White box assessment

A. A gray box test is a blend of black box and white box testing. A gray box test usually provides limited information about the target to the penetration testers but does not provide full access, credentials, or configuration information. A gray box test can help focus penetration testers' time and effort while also providing a more accurate view of what an attacker would actually encounter. In a black box test, the testers are not provided with access to or information about the target environment. Goals-based or objective-based assessments are usually designed to assess the overall security of an organization. A white box test is performed with full knowledge of the underlying network.

You are a penetration tester, and you have just completed testing for a new client. You are meeting with your client to discuss the penetration test. During this meeting, you provide the client with a document stating that you have conducted testing and that the client is in compliance with the rules and regulations set forth by one of the client's government contracts. What is this called? A. Attestation of findings B. Client acceptance C. Follow-up actions/retest D. Lessons learned

A. An attestation of findings is a document provided by the penetration testers to document that they conducted a test and the results for compliance purposes. It serves as a record of the tester performing the penetration test. It includes a summary of the findings. Its intent is for external use, outside of your client's organization, to show proof that a penetration test was performed and to highlight the test results.

While performing a gray box penetration test, you have discovered that the target organization uses many different operating systems on their computers. You've fingerprinted Windows, Mac OS, and Linux systems. You even found one UNIX server system. In addition, employees are bringing their mobile devices to work and connecting them to the organization's wireless network, so you found many Android and iOS devices. At this point in the test, you need to identify operating system vulnerabilities that exist with high-value devices. What should you do? A. Research the Common Vulnerabilities and Exposures (CVE) database. B. Research the Common Attack Pattern, Enumeration and Classification (CAPEC) database. C. Research the Computer Emergency Response Team (CERT) website. D. Post a question on a penetration testing forum.

A. An effective way to discover vulnerabilities associated with a specific version of an operating system is to consult the Common Vulnerabilities and Exposures (CVE) database. The CVE database can be accessed at http://cve.mitre.org. It contains a list of publicly known cybersecurity vulnerabilities. Whenever a vendor discovers a vulnerability with their product, they add an entry to the CVE database. This database contains vulnerability information for Windows, Mac OS, Linux, UNIX, Android, and iOS operating systems.

Which of the following best describes the term disclosure within the context of penetration testing? A. Gaining unauthorized access to information B. Making unauthorized changes to information C. Preventing the legitimate use of information D. Publicly acknowledging that a security breach has occurred and information has been compromised

A. Attackers (and penetration testers) seek to undermine the goals of the CIA triad model using the corresponding goals of the DAD triad. The first D in DAD stands for disclosure, which refers to gaining unauthorized access to information or systems.

You are a penetration tester, and you are discussing performing compliance-based assessments for a client. Which is an important key consideration? A. Any additional rates B. Any company policies C. The industry type D. The impact tolerance

A. Budgeting is a key factor of the business process of penetration testing. A budget is required to complete a penetration test and is determined by the scope of the test and the rules of engagement. For internal penetration testers, a budget may just involve the allotted time for the team to perform testing. For external testers, a budget usually starts with the estimated number of hours based on the intricacy of the testing, the size of the team, and any associated costs.

You are a penetration tester, and you are conducting a black box penetration test for a large organization. You want to probe the client's web server IP address. You want to see what information may be associated with it, such as what cipher suite it uses. What tool should you use to complete this task? A. Censys B. Nslookup C. Maltego D. Shodan

A. Censys is a web-based tool that probes a given IP address. It is a search engine that helps penetration testers discover, monitor, and analyze devices that are accessible from the Internet. Censys lets researchers find specific hosts and create summative reports on how devices, websites, certificates, and ciphers are deployed.

You are a penetration tester and have been asked to test an organization that uses an authentication method that associates hosts with their public keys. What type of authentication technique is the organization using? A. Certificate pinning B. Self-signed server authentication C. SSL handshake D. X.509 bypassing

A. Certificate pinning associates a host with an X.509 certificate (or a public key) and then uses that association to make a trust decision. You use certificate pinning to help prevent man-in-the-middle attacks. When communicating over public networks, it is important to send and receive information securely.

You are a penetration tester, and you are conducting a test for a new client. You notice that there are several high-numbered ports listening in on a public web server. The client indicates that they are only using port 443 for an application. What should you recommend to the client? A. That they disable the unneeded services B. That they filter port 443 to specific IP addresses C. That they implement a web application firewall D. That they transition the application to another port

A. In this scenario, there are several high-numbered ports listening on a public web server. The best recommendation would be to disable unneeded services since the client uses only port 443. The unnecessary services can pose a security risk because they increase the attack surface, providing a potential attacker with additional ways to try to exploit the system.

You work for a penetration testing firm. A potential client called about your services. After reviewing what your organization can do, the client decides to schedule a single black box test. If they are happy with the results, they may consider future tests. Which of the following will you likely ask the client to sign first? A. Purchase order (PO) B. Nondisclosure agreement (NDA) C. Master service agreement (MSA) D. Statement of work (SOW)

A. Most likely, you will ask the client to sign a purchase order. A purchase order is a binding agreement to make a purchase from a vendor. With a purchase order in place, your organization can justify spending time and money defining a SOW and an NDA for the engagement. Because the client is essentially "trying" your services, an MSA would not yet be required, although it may be in the future.

You are a penetration tester and have run the following Nmap scan on a computer: nmap -sV 192.168.10.5. The client indicated that it had disabled Telnet from its environment. However, the Nmap scan results show that port 22 is closed and that port 23 is open to SSH. What might have happened to cause this? A. The organization did not disable Telnet. B. The nmap results contain a false positive for port 23. C. The service is running on a nonstandard port. D. Port 22 is filtered.

A. Network Mapper (Nmap) is used to discover hosts and services on a computer network by sending packets and analyzing the responses. Nmap will identify what devices are running on a client's systems, discover hosts and services that are available, find open ports, and detect security risks. In this scenario, the organization did not disable Telnet because port 23 is still open. Telnet is a client-server protocol based on a reliable, connection-oriented transport. Typically, this protocol establishes a Transmission Control Protocol (TCP) connection to port 23, where a Telnet server application (telnetd) is listening.

You are a penetration tester and want to create an array using a PowerShell script. Which lines of code would you use? A. $ports = 20, 25, 80, 443 B. ports = (20,25,80,443) C. ports = [20,25,80,443] D. $ports= [20,25,80,443]

A. PowerShell requires the use of the $ before an array name in an assignment operation. The elements of the array are then provided as a comma-separated list. Option B would work in Bash, option C would work in Ruby or Python, and option D does not follow the correct syntax for a PowerShell command. PowerShell is much simpler in the way that you declare and use variables. You just need to remember to precede the variable name with $, whether it's for setting, changing, or retrieving the value stored in that variable.

You are a penetration tester, and you are conducting a test for a new client. You want to create an array by using a PowerShell script. Which line of code would you use? A. $ports = 20, 25, 80, 443 B. ports = (20,25,80,443) C. ports = [20,25,80,443] D. $ports= [20,25,80,443]

A. PowerShell requires the use of the $ before an array name in an assignment operation. The elements of the array are then provided as a comma-separated list. Option B would work in Bash, option C would work in Ruby or Python, and option D does not follow the correct syntax for a PowerShell command. PowerShell is much simpler in the way that you declare and use variables. You just need to remember to precede the variable name with a $, whether it's for setting, changing, or retrieving the value stored in that variable.

You have just met with a new client that has requested that you perform a penetration test for them. The client manages a string of retail storefronts that accept credit cards. They need you to assess whether they are PCI-DSS compliant. Which of the following tests need to be included in the assessment? A. A password policy must be in place. B. Close all ports except for 80 and 443 in the firewall that protects the cardholder data environment (CDE). C. All hosts on a network must have a default gateway. D. All hosts on a network must have a unique host address.

A. The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security controls that businesses are required to implement to protect credit card data. For example, one of the requirements specifies that a strong password policy be in place within the organization.

You are a penetration tester, and you have just completed testing for a new client. You are creating a written report of your findings after the testing. In what section of the report should you provide the reader with an in-depth outline of the testing performed and the results found? A. In the Executive Summary section B. In the Findings and Remediation section C. In the Methodology section D. In the Metrics and Measures section

A. The executive summary is the most important section of the report. Most times, it is the only section that many individuals will read, so it should be written in a manner that conveys all the important conclusions of the report in "layman's terms," in other words, in a clear manner that is understandable to everyone. The executive summary serves as a high-level view of both risk and business impact in plain English. Its purpose is to be concise and clear. It should be nontechnical so readers can review and gain insight into the security concerns that are highlighted in the report.

A consultant has been hired by an organization to perform a black box penetration test. She wants to perform a detailed scan of the target organization's public-facing web server to see what she can learn. Which utility should she use to accomplish this? A. nmap B. Shodan C. whois D. Maltego

A. The nmap utility is a widely used scanner. You can use it to scan a single host, such as the web server mentioned in this scenario, or even an entire network. To be a successful penetration tester, you should be familiar with the various ways in which nmap can be employed to discover information.

You are performing a black box penetration test for a medium-sized organization that sells imported clothing through its online storefront. You need to discover which IP addresses are associated with the organization's domain. Which tool in your penetration testing toolkit should you use? A. nslookup B. whois C. theHarvester D. Fingerprinting Organizations with Collected Archives (FOCA)

A. The nslookup command is included with most operating systems, including Windows and Linux, and can be used to resolve an organization's domain name into its associated IP addresses.

During a gray box penetration test, the tester is able to intercept packets being transmitted from a client to a server. The tester's workstation poses as the server to the client. The tester views the data in the packets but does not modify it before forwarding the data on to the server. What kind of exploit is this? A. Relay attack B. DNS cache spoofing C. Pass the hash D. Replay attack

A. This is an example of a relay attack. The attacker sits in between two hosts communicating on the network, in this case a workstation and a server. To the server, the attacker poses as the workstation. To the workstation, the attacker poses as the server. In a relay attack, the man-in-the-middle may or may not modify the data being transmitted between the two hosts.

During a gray box penetration test, the tester is able to intercept packets being transmitted from a client to a server. The tester's workstation poses as the server to the client. The tester is able to modify the data in the packets and then send it on to the server. The tester's workstation poses as the client to the server. What kind of exploit is this? A. Relay attack B. DNS cache spoofing C. Pass the hash D. Replay attack

A. This is an example of a relay attack. The attacker sits in between two hosts communicating on the network, in this case a workstation and a server. To the server, the attacker poses as the workstation. To the workstation, the attacker poses as the server.

Which of the following methods is commonly used to harden Linux-based server systems? A. Enable and configure iptables. B. Enable Ctrl+Alt+Del in inittab. C. Grant all users read-write access to the /boot directory. D. Configure the IP protocol to respond to ICMP requests.

A. To harden a Linux-based server system, you should make sure a host-based firewall is running by enabling and configuring iptables. You should first close all network ports in the firewall and then open only those required by specific services running on the system.

You are performing a black box penetration test. You want to perform an evil twin attack to capture wireless user data. Which of the following tasks would you need to complete? (Choose two.) A. Implement a fragmentation attack. B. Send deauth frames to deauthenticate wireless clients. C. Reconnect wireless clients to an access point with the same SSID as the target organization. D. Use a brute-force attack to break the WPS pin. E. Repeat the wireless network signal.

B and C. In a typical evil twin attack, the tester first conducts a deauthentication attack to disconnect victims' wireless devices from the real network. These devices then automatically reconnect to the tester's wireless access point that has been configured with the same SSID as the target organization. The tester will likely boost the gain on the evil twin's radios because most wireless network interfaces will default to the access point with the strongest signal.

You have just concluded a penetration test for a client. During the test, you were able to gain access to the server room by masquerading as a technician from an IT vendor. You were able to plug your laptop into the serial connector on the organization's Cisco router and access its configuration. In your final report, what should you recommend the client do to remediate this issue? (Choose two.) A. Disable DHCP on the wired network. B. Run the enable secret command on the router. C. Implement procedures to vet representatives from vendors. D. Implement MAC address filtering on the router.

B and C. In this scenario, the router can be hardened by creating an encrypted password for privileged access. This is done using the enable secret command on the router. In addition, procedures should be set in place to vet visitors who claim to be representatives of IT vendors.

A Windows server is functioning as an Active Directory domain controller for an organization's network. Which of the following services are not required for it to fulfill this role? (Choose two.) A. Group Policy Management B. Hyper-V C. Role Administration Tools D. Active Directory Federation Services

B and D. Every network service enabled on a server expands that server's attack surface. Therefore, only those services that are actually needed should be installed. In this scenario, the domain controller shouldn't be running Hyper-V, which is used for virtualization. Likewise, Federation Services is used only in situations where one Active Directory domain is linked ("federated") with a different Active Directory domain.

You have just completed scanning a target network and are now prioritizing activities in preparation to exploit the vulnerabilities found. You discover that the organization still uses several older unsupported Windows 2000 Server systems. After performing some research, you identify several vulnerabilities associated with these systems that could be exploited. You modify the source code for a particular exploit such that it will work on these older systems and then you compile it. What are the processes you used in this scenario called? (Choose two.) A. Cross-compiling the code B. Exploit modification C. Exploit chaining D. Mapping vulnerabilities to potential exploits E. Proof-of-concept development

B and D. In this scenario, you first mapped vulnerabilities you found in your scans to possible exploits. Then you modified those exploits to work on the older server operating systems.

You are a penetration tester, and you are planning an engagement for a new client. Which of the following are the most important things to know prior to starting testing? (Choose two.) A. Architectural diagrams B. Company policies C. Goals/objectives D. Storage time for a report E. Tolerance to impact

B and E. Knowing the company's policies and its tolerance to impact are two of the most important things to know when planning an engagement. The others are important as well, but in this scenario the question asks which two are the most important. Cybersecurity professionals widely agree that vulnerability management is a critical component of any information security program, and for this reason, many organizations mandate vulnerability scanning in corporate policy, even if that is not a regulatory requirement. The risk and impact tolerance of the organization being assessed should be used to define the scope and rules of engagement for the assessment.

You have just met with a new client that has requested that you perform a penetration test for them. The client manages a string of retail storefronts that accept credit cards. They need you to assess whether they are PCI-DSS compliant. Which of the following tests need to be included in the assessment? (Choose two.) A. Use only hardware certified by Microsoft to be Windows 10-compatible. B. Encrypt the transmission of cardholder data. C. Ensure that only one user account is used by all employees to access network resources and cardholder data. D. Use a NAT router to isolate the cardholder data environment (CDE) from the rest of the network. E. Remove all default passwords from software and hardware devices.

B and E. The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security controls that businesses are required to implement to protect credit card data. For example, two of the requirements specify that all cardholder data be encrypted before being transmitted on a network medium and that all default passwords be removed from hardware and software deployed.

You are conducting a white box penetration test for a client. During the test, you notice outgoing network traffic consistent with a distributed denial of service (DDoS) attack. You suspect that internal systems have been infected with malware, creating an amplifier network for the attack. Instead of waiting until the end of the test, you immediately communicate with the client to warn them. Which type of communication trigger was used in this scenario? A. Stages B. Indicators of prior compromise C. Findings and remediation D. Critical findings

B. An indicator of prior compromise communication trigger happens when a penetration tester discovers that the network or a system has already been compromised by another attacker. In this situation, the tester usually communicates the discovery to the client immediately instead of waiting until the test is complete.

A penetration tester uses a typical employee email account to send a phishing email exploit to managers and executives within the target organization. The goal is to see how many actually fall for the exploit and click the link in the message. What kind of penetration test is being performed in this scenario? A. Black box B. Gray box C. White box D. Red box

B. Because the tester is using an internal email account (the kind used by a typical employee) to conduct the test, the tester is most likely performing a gray box test. In a black box test, the tester would have to use an external email account. In a white box test, the tester would likely use elevated privileges and access to conduct the test.

You are a penetration tester, and you have been asked to perform a black box penetration test for a new client. Which phase of the assessment will most likely take the longest to complete? A. The attacking and exploiting phase B. The information gathering and vulnerability identification phase C. The planning and scoping phase D. The reporting and results communication phase

B. In this scenario, the client has requested that you perform a black box penetration test. Since this is a black box test, you will most likely spend most of your time performing the information gathering and vulnerability identification phase. Black box tests, sometimes called zero-knowledge tests, are intended to duplicate what an outside attacker would encounter. Testers are not provided with access to or information about an environment, so they must gather information, discover vulnerabilities, and make their way through an infrastructure or systems just as an attacker would. This can be time-consuming for the penetration tester.

A penetration tester is testing a client's network and has managed to obtain access to a laptop. What would be the tester's next step to obtain credentials from the laptop? A. Brute force the user's password. B. Conduct an LLMNR/NETBIOS-NS query. C. Leverage the BeEF framework to capture credentials. D. Perform ARP spoofing/poisoning.

B. Link Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NetBIOS-NS) poisoning can provide penetration testers with the ability to obtain a man-in-the-middle position, broadening their ability to gain access and information. One of the most commonly targeted services in a Windows network is NetBIOS. NetBIOS is commonly used for file sharing.

What are the risks of enabling serial console connections on network devices such as routers and switches? A. Network administrators tend to not secure them properly. B. They are prone to data emanation. C. It is easy for attackers to connect to them. D. It is easy for attackers to sniff data from them.

B. The risk associated with enabled serial console connections on network devices is the fact that network administrators tend to not secure them properly. Because the consoles can be accessed only with a direct point-to-point connection, administrators often don't configure them to require authentication. Combined with impersonation, this makes it easy for a penetration tester to access the device, as long as they can get physical access to it.

You are a penetration tester, and you are conducting a black box penetration test against your client's network and are in the process of gathering vulnerability scanning results. What type of scan will provide you with important information within the scope of your testing? A. A compliance scan B. A discovery scan C. A full scan D. A stealth scan

C. A full scan will provide you with more useful results because it includes more tests. There is no requirement in the scenario that the tester should avoid detection, so a stealth scan is not necessary. Because this is a black box test, it would be best to run a full scan on the network.

You want to generate sample application requests for an in-house developed web application that a client's users use every day to complete their day-to-day tasks. How should this be done? A. Enter exactly the same data into the web application that end users enter. B. Enter data that is similar to the data that end users enter into the application. C. Enter completely unexpected data into the application. D. Ask the system administrator to generate the samples for you.

C. Applications developed in-house aren't usually subjected to the same level of scrutiny as commercial applications, which makes them possible attack vectors that can be exploited. When generating sample application requests, most penetration testers therefore throw unexpected information at applications developed in-house to see how the application responds. For example, you may find that entering a very long text string into a field that is expecting only eight characters generates a buffer overflow error. You could then use this poor error handling behavior to insert and run malicious code on the web server hosting the application.

Jessica is performing a white box penetration test. She needs to run an invasive vulnerability scan on the target organization's customer database server. What should she do? A. Run the scan on the live system during peak business hours. B. Run the scan around 9 a.m. on a typical workday. C. Run a test scan in a lab environment first. D. Skip scanning this system.

C. Because this is a mission-critical server, it may be a good idea to run a test scan in a lab environment before scanning the live system. This will help the tester assess the impact the scan will have before running it on the live system.

You are a penetration tester, and while conducting a test, you are trying to maintain persistence on a Windows system that has limited privileges. What registry key should you use? A. HKEY_CLASSES_ROOT B. HKEY_CURRENT_CONFIG C. HKEY_CURRENT_USER D. HKEY_LOCAL_MACHINE

C. If a tester has access to a Windows workstation or server, then they can use PowerSploit, which provides the toolkit needed to maintain persistence and to perform further reconnaissance. The tester will want to use the HKEY_CURRENT_USER registry hive. The HKEY_CURRENT_USER hive is meant to be available only to the currently logged-on user. So, when a different Windows user logs onto the system, a different copy of the HKEY_CURRENT_USER registry hive is loaded. The HKEY_CURRENT_USER registry hive is saved locally as the file NTUSER.DAT or USER.DAT when a user logs off. This registry hive can be opened in Notepad, and the encrypted login ID and password can be easily located. If the user has a roaming profile, then the NTUSER.DAT file will be saved on every workstation the user has logged onto.

You are a penetration tester, and you are completing the test for a new client. Once the testing is done, you are prioritizing the findings and recommendations for an executive summary. Which one of the following considerations would be the most beneficial to your client? A. The availability of patches and other remediations B. The levels of difficulty to exploit the identified vulnerabilities C. The risk tolerance of the client's organization D. The time it took to accomplish each step

C. In this scenario, it would be important to put the risk tolerance of the client's organization into the executive summary. Risk tolerance is basically how much risk an organization is willing to take on where their investments are concerned. With any type of investment, there is always risk, but how much risk one is able to withstand is their risk tolerance. This may be different for every organization. You cannot put a set value on risk tolerance.

You are a penetration tester, and you are conducting a penetration test for a new client. After performing a recent test, you discover that the client's staff is using dictionary and seasonal passwords. What is the best way to control the use of common dictionary words from being used as passwords? A. Configure password filters. B. Disable the accounts after three incorrect attempts. C. Expand the password length from seven to 14 characters and add special characters. D. Implement password history restrictions.

C. In this scenario, since the client's employees are using dictionary words as passwords, the best way to defeat this is by expanding the password length and adding special characters. Special characters for use in passwords are a selection of punctuation characters that are present on standard U.S. keyboards. These include !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~. This will make it harder for attackers to break into your client's systems.

You and a colleague are discussing commonly used special network devices. Which of the following is not a commonly used special network device for controlling manufacturing equipment and environmental systems? A. Industrial control systems (ICS) B. Programmable logic controller (PLC) C. Real-time operating system (RTOS) D. Supervisory control and data acquisition (SCADA)

C. In this scenario, the only one that is not part of manufacturing is the real-time operating system (RTOS). An RTOS is any operating system intended to serve real-time applications that process data as it comes in, typically without buffering delays. Industrial control system (ICS) is a term used to describe different types of control systems and associated instrumentation, which include the devices, systems, networks, and controls used to operate and/or automate industrial processes. Supervisory control and data acquisition (SCADA) systems are used to monitor and control production processes in a wide range of industries, including manufacturing, water treatment, mining, oil refining, transportation, and power distribution. A programmable logic controller (PLC) is an industrial solid-state computer.

A web application developer included the following HTML code within a form page: <input type=hidden> This is an example of which insecure code practice? A. Comments in source code B. Hidden elements C. Unauthorized use of functions/unprotected APIs D. Race conditions

C. The programmer in this scenario has used hidden elements in the HTML code. This is an insecure coding practice that can result in sensitive information being stored in the user's browser (the DOM).

Which of the following issues could enable a penetration tester to execute a DLL hijacking exploit on a Windows system? A. Failure to install the latest Windows updates B. Using out-of-date virus definitions C. Using insecure file and folder permissions D. Failure to configure user account restrictions in Group Policy

C. To implement a DLL hijacking exploit, the penetration tester needs to have read/write permissions on the target file system. Insecure file and folder permissions can make this task much easier to accomplish.

The president of your organization reports that he has been receiving a huge number of phone calls from an individual claiming to be with the help desk department. This individual is asking the president to verify his network authentication credentials because his computer is broadcasting across the network. What type of attack is this individual attempting? A. Impersonation B. Interrogation C. Vishing D. Whaling

C. Vishing (voice phishing) is social engineering over the phone system. Phishing attacks target sensitive information such as passwords, usernames, or credit card information. Vishing works like phishing but is carried out using voice technology. A vishing attack can be conducted by voice email, voice over IP (VoIP), or landline or cellular telephone. In this scenario, since the president is receiving telephone calls, this is a vishing attack.

You are generating a written report of findings after a penetration test. During the test, you discovered that many older Windows workstations in the network haven't been patched properly and are susceptible to the WannaCry ransomware. Where should you include this information in your report? A. Executive summary B. Methodology C. Findings and remediation D. Metrics and measures E. Conclusion

C. When creating your written report of findings after completing a penetration test, you should list the vulnerabilities you discovered in the Findings and Remediation section of the report, along with how you found them.

Which of the following should be used if a penetration tester is attempting to achieve persistence by compromising a Windows server? A. net session server | dsquery -user | net use c$ B. powershell && set-executionpolicy unrestricted C. reg save HKLM\System\CurrentControlSet\Services\Sv.reg D. schtasks.exe /create/tr "powershell.exe" Sv.ps1 /run

C. reg save saves a copy of specified subkeys, entries, and values of the registry in a specified file. A file with the .reg file extension is a registration file used by the Windows Registry. These files can contain hives, keys, and values.

A penetration tester has successfully exploited a DMZ server that seems to be listening on an outbound port. The tester wants to forward that traffic back to a device. What are the best tools to do this? (Choose two.) A. Cain and Abel B. Netcat C. Nmap D. Secure Shell (SSH) E. Tcpdump F. Wireshark

D and F. In this scenario, the best options are SSH and Wireshark. Secure Shell (SSH) provides secure encrypted connections between systems. SSH provides remote shell access via an encrypted connection. SSH is used for secure command-line access to systems, typically via TCP port 22, and is found on devices and systems of all types. Because SSH is so common, testing systems that provide an SSH service is a very attractive option for a penetration tester. Wireshark is a protocol analyzer that allows penetration testers to eavesdrop on and dissect network traffic. Wireshark also allows for capturing network traffic from wireless networks.

You are a penetration tester, and you are conducting a test for a new client. You have successfully exploited a DMZ server that seems to be listening on an outbound port. You want to forward that traffic back to a device. What are the best tools to do this? (Choose two.) A. Cain and Abel B. Netcat C. Nmap D. Secure Shell (SSH) E. Tcpdump F. Wireshark

D and F. In this scenario, the best options are SSH and Wireshark. Secure Shell (SSH) provides secure encrypted connections between systems. SSH provides remote shell access via an encrypted connection. SSH is used for secure command-line access to systems, typically via TCP port 22, and is found on devices and systems of all types. Because SSH is so common, testing systems that provide an SSH service is a very attractive option for a penetration tester. Wireshark is a protocol analyzer that allows penetration testers to eavesdrop on and dissect network traffic. Wireshark also allows for capturing network traffic from wireless networks.

A junior technician in an organization's IT department runs a penetration test on a corporate web application. During testing, the technician discovers that the application can disclose a SQL table with all user account and password information. How should the technician notify management? A. The technician should connect to the SQL server using this information and change the passwords of a few noncritical accounts to demonstrate a proof of concept to management. B. The technician should document the findings using an executive summary including recommendations and screenshots to provide to management. C. The technician should notify the development team of the discovery and suggest that input validation be enforced on the web application's SQL query strings. D. The technician should request that management create a request for proposal (RFP) to begin a formal engagement with a professional penetration testing company.

D. In this scenario, since the testing was performed by an on-staff junior technician, it may be in the company's best interest to create a request for proposal (RFP) for a professional penetration testing company to validate the assessment and to provide the company with any vulnerability findings. An RFP is a document that solicits proposals, often through a bidding process.

A penetration tester is using Metasploit. What command would allow the tester to access a private network from the Internet? A. db_nmap -iL /tmp/privatentwk.txt B. run autoroute -a 192.168.1.10/24 C. set rhost 192.168.1.10 D. use auxiliary/server/socks4a

D. Metasploit is a tool for the development of exploits and the testing of them on live targets. socks4a is an auxiliary module within the framework. This auxiliary module provides a proxy server that uses Metasploit Framework routing to relay connections. So, using the auxiliary/server/socks4a module allows a tester to access a private network from the Internet.

You are a penetration tester, and you are attempting to identify vulnerabilities in a customer's web application without affecting the system or its data. What best describes the type of vulnerability scan being performed? A. Aggressive scan B. Compliance scan C. Noncredentialed scan D. Passive scan

D. Passive scanning is a method of vulnerability detection that relies on information obtained from network data that is captured from a target computer without direct interaction. The main advantage of passive scanning for an attacker is that it does not leave a trail that could alert users or administrators. The main advantage for administrators is that it doesn't cause undesired behavior on the target computer. Passive scanning does have limitations. It is not as complete in details as an active vulnerability scan and cannot detect any applications that are not currently sending out traffic.

You are a penetration tester, and you are conducting a test for a new client. You have found a few unquoted service paths during your testing of the client's network. How can you use these vulnerabilities to your advantage? A. By attempting to crack the service account passwords B. By attempting DLL hijacking attacks C. By attempting to locate weak file and folder permissions D. By attempting privilege escalation attacks

D. Privilege escalation attacks are frequently categorized into two major types: vertical and horizontal. Vertical escalation attacks focus on testers gaining higher privileges. Horizontal escalation attacks move sideways to other accounts or services that have the same level of privileges. An unquoted service path is a vulnerability in Windows. When a service is started, Windows tries to locate its executable. Usually, service paths are well-defined and enclosed in quotation marks. But there are times when a service path contains spaces and is not surrounded by quotation marks. Testers can use such unquoted service paths to escalate privileges.

A consultant has been hired to perform a penetration test for an organization. The target of the test is the organization's proprietary design documents. The aim is to circumvent security measures and gain unauthorized access to these documents. What type of assessment is being conducted in this scenario? A. Objective-based assessment B. Goal-based assessment C. Compliance-based assessment D. Red team assessment

D. Red team assessments are typically more targeted than normal penetration tests. The red team acts like an attacker, targeting sensitive data or systems with the goal of acquiring access. Goal-based or objective-based assessments are usually designed to assess the overall security of an organization. Compliance-based assessments are designed to test compliance with specific laws.

A penetration tester is using nmap to scan hosts on the target network. The client has a lax security posture and employs a relatively inexperienced IT staff. Which timing option could she consider using with nmap to speed up her scans? A. -T1 B. -T2 C. -T3 D. -T4

D. The -T4 option tells nmap to scan in aggressive mode. This type of scan runs quite quickly. However, the speed also makes the scan easier to detect by IDS/IPS systems or the target's IT staff.

You work at a penetration testing consulting firm. An organization that you have not worked with previously calls and asks you to perform a black box assessment of its network. You agree on a price and scope over the phone. After quickly designing the test on paper, you begin execution later that afternoon. Was this test conducted properly? A. Yes, proper penetration test planning and scoping procedures were followed. B. No, new clients should be properly vetted before beginning an assessment. C. No, a master service agreement (MSA) should be signed before testing begins. D. No, the rules of engagement (ROE) for the test should be documented and signed by both parties.

D. The rules of engagement (ROE) should have been clearly defined and signed by both parties before the penetration test begins. Not having the ROE in place exposes your organization to potential litigation should something go wrong during the testing process. The vetting of a new client occurs during the process of scoping the test and creating the ROE document. An MSA defines terms that will govern future agreements.

A penetration tester is running a phishing test and receives a shell from an internal computer that is running the Windows 10 operating system. The tester decides that he wants to use Mimikatz to perform credential harvesting. The tester wants to allow for credential caching. Which of the following registry changes would allow this? A. reg add HKLM\System\ControlSet002\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG-DWORD /d 0 B. reg add HKCU\System\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 C. reg add HKLM\Software\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 D. reg add HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

D. Using reg add adds a new subkey or entry to the registry. The syntax is as follows: reg add <KeyName> /v <ValueName> /t <DataType> /d <Data>. KeyName specifies the full path of the subkey or entry to be added. /v <ValueName> specifies the name of the registry entry to be added under the specified subkey. /t <DataType> specifies the type of the registry entry. /d <Data> specifies the data for the new registry entry. Penetration testers often focus on using the easiest attack vector to achieve their objectives. One common attack method is a tool called Mimikatz. It can steal cleartext credentials from the memory of compromised Windows systems. When the WDigest Authentication protocol is enabled, plaintext passwords are stored in the Local Security Authority Subsystem Service (LSASS), exposing them to theft. WDigest is disabled by default in Windows 10.

You are generating a written report of findings after a penetration test. Based on the results of the test, you have created a list of recommendations you feel the client should focus on. Where should you include your recommendations in the report? A. Executive summary B. Methodology C. Findings and remediation D. Metrics and measures E. Conclusion

E. When creating your written report of findings after completing a penetration test, you should report your recommendations in the Conclusion section.
